b"<html>\n<title> - OVERVIEW OF THE CYBER PROBLEM: A NATION DEPENDENT AND DEALING WITH RISK</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n                    OVERVIEW OF THE CYBER PROBLEM: A\n                      NATION DEPENDENT AND DEALING\n                               WITH RISK\n\n=======================================================================\n\n                                HEARING\n\n                                 of the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n                 SCIENCE, AND RESEARCH, AND DEVELOPMENT\n\n                               before the\n\n                 SELECT COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 22, 2003\n\n                               __________\n\n                           Serial No. 108-13\n\n                               __________\n\n    Printed for the use of the Select Committee on Homeland Security\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 house\n\n                               __________\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n98-312                      WASHINGTON : 2005\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                 SELECT COMMITTEE ON HOMELAND SECURITY\n\n\n\n                 CHRISTOPHER COX, California, Chairman\n\nJENNIFER DUNN, Washington            JIM TURNER, Texas, Ranking Member\nC.W. 
BILL YOUNG, Florida             BENNIE G. THOMPSON, Mississippi\nDON YOUNG, Alaska                    LORETTA SANCHEZ, California\nF. JAMES SENSENBRENNER, JR.,         EDWARD J. MARKEY, Massachusetts\nWisconsin                            NORMAN D. DICKS, Washington\nW.J. (BILLY) TAUZIN, Louisiana       BARNEY FRANK, Massachusetts\nDAVID DREIER, California             JANE HARMAN, California\nDUNCAN HUNTER, California            BENJAMIN L. CARDIN, Maryland\nHAROLD ROGERS, Kentucky              LOUISE McINTOSH SLAUGHTER,\nSHERWOOD BOEHLERT, New York            New York\nLAMAR S. SMITH, Texas                PETER A. DeFAZIO, Oregon\nCURT WELDON, Pennsylvania            NITA M. LOWEY, New York\nCHRISTOPHER SHAYS, Connecticut       ROBERT E. ANDREWS, New Jersey\nPORTER J. GOSS, Florida              ELEANOR HOLMES NORTON,\nDAVE CAMP, Michigan                    District of Columbia\nLINCOLN DIAZ-BALART, Florida         ZOE LOFGREN, California\nBOB GOODLATTE, Virginia              KAREN McCARTHY, Missouri\nERNEST J. ISTOOK, JR., Oklahoma      SHEILA JACKSON-LEE, Texas\nPETER T. KING, New York              BILL PASCRELL, JR., New Jersey\nJOHN LINDER, Georgia                 DONNA M. CHRISTENSEN,\nJOHN B. SHADEGG, Arizona               U.S. Virgin Islands\nMARK E. SOUDER, Indiana              BOB ETHERIDGE, North Carolina\nMAC THORNBERRY, Texas                CHARLES GONZALEZ, Texas\nJIM GIBBONS, Nevada                  KEN LUCAS, Kentucky\nKAY GRANGER, Texas                   JAMES R. LANGEVIN, Rhode Island\nPETE SESSIONS, Texas                 KENDRICK B. MEEK, Florida\nJOHN E. SWEENEY, New York\n\n                      JOHN GANNON, Chief of Staff\n\n         UTTAM DHILLON, Chief Counsel and Deputy Staff Director\n\n                  STEVE NASH, Democrat Staff Director\n\n                    MICHAEL S. 
TWINCHEK, Chief Clerk\n\n                                 ______\n\n  SUBCOMMITTEE ON CYBERSECURITY, SCIENCE, AND RESEARCH AND DEVELOPMENT\n\n                    MAC THORNBERRY, Texas, Chairman\n\nPETE SESSIONS, Texas, Vice Chairman  ZOE LOFGREN, California\nSHERWOOD BOEHLERT, New York          LORETTA SANCHEZ, California\nLAMAR SMITH, Texas                   ROBERT E. ANDREWS, New Jersey\nCURT WELDON, Pennsylvania            SHEILA JACKSON-LEE, Texas\nDAVE CAMP, Michigan                  DONNA M. CHRISTENSEN,\nROBERT W. GOODLATTE, Virginia          U.S. Virgin Islands\nPETER KING, New York                 BOB ETHERIDGE, North Carolina\nJOHN LINDER, Georgia                 CHARLES GONZALEZ, Texas\nMARK SOUDER, Indiana                 KEN LUCAS, Kentucky\nJIM GIBBONS, Nevada                  JAMES R. LANGEVIN, Rhode Island\nKAY GRANGER, Texas                   KENDRICK B. MEEK, Florida\nCHRISTOPHER COX, CALIFORNIA, ex      JIM TURNER, Texas, ex officio\nofficio\n\n                                  (ii)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               STATEMENTS\n\nThe Honorable Mac Thornberry, Chairman, Subcommittee on \n  Cybersecurity, Science, and Research and Development, and a \n  Representative in Congress From the State of Texas\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     2\nThe Honorable Christopher Cox, Chairman, Select Committee on \n  Homeland Security, and a Representative in Congress From the \n  State of California\n  Prepared Statement.............................................     3\nThe Honorable Robert E. Andrews, a Representative in Congress \n  From the State of New Jersey...................................    
36\nThe Honorable Sherwood Boehlert, a Representative in Congress \n  From the State of New York.....................................    34\nThe Honorable Bob Etheridge, a Representative in Congress From \n  the State of North Carolina....................................     6\nThe Honorable Jim Gibbons, a Representative in Congress From the \n  State of Nevada\n  Oral Statement.................................................    43\n  Prepared Statement.............................................     4\nThe Honorable James R. Langevin, a Representative in Congress \n  From the State of Rhode Island.................................    45\nThe Honorable Sheila Jackson-Lee, a Representative in Congress \n  From the State of Texas\n  Oral Statement.................................................    49\n  Prepared Statement.............................................     5\nThe Honorable Zoe Lofgren, a Representative in Congress From the \n  State of California............................................     1\nThe Honorable Pete Sessions, a Representative in Congress From \n  the State of Texas.............................................    45\nThe Honorable Lamar S. Smith, a Representative in Congress From \n  the State of Texas.............................................    39\nThe Honorable Jim Turner, a Representative in Congress From the \n  State of Texas.................................................    47\n\n                               WITNESSES\n\nMr. Alan Paller, Director of Research, The SANS Institute\n  Oral Statement.................................................    27\n  Prepared Statement.............................................    30\nMr. Richard D. Pethia, Director Cert Centers, Software \n  Engineering Institute, Carnegie Mellon University\n  Oral Statement.................................................    19\n  Prepared Statement.............................................    21\nMr. 
Bruce Schneier, Founder and Chief Technical Officer \n  Counterpane Internet Security, Inc.\n  Oral Statement.................................................     7\n  Prepared Statement.............................................     8\n\n \nOVERVIEW OF THE CYBER PROBLEM: A NATION DEPENDENT AND DEALING WITH RISK\n\n                              ----------                              \n\n\n                        Wednesday, June 25, 2003\n\n                      U.S. House of Representatives,\n            Subcommittee on Cybersecurity, Science,\n                      and Research and Development,\n                     Select Committee on Homeland Security,\n                                                    Washington, DC.\n    The committee met, pursuant to call, at 11:30 a.m., in room \n345, Cannon House Office Building, Hon. Mac Thornberry \n[chairman of the subcommittee] presiding.\n    Present: Representatives Thornberry, Sessions, Boehlert, \nSmith, Gibbons, Lofgren, Andrews, Jackson-Lee, Christensen, \nEtheridge, Lucas, Langevin, and Turner [ex officio].\n    Mr. Thornberry. The hearing will come to order. The \nSubcommittee on Cybersecurity, Science, and Research and \nDevelopment is meeting today to hear testimony on an Overview \nof the Cyber Problem: A Nation Dependent and Dealing with Risk. \nAnd Ms. Lofgren and I ask unanimous consent that all members be \nable to submit written opening statements but that oral written \nstatements be waived beyond the Chairman and Ranking Member. \nWithout objection, it is so ordered.\n    We do have some time constraints on how long we can use \nthis room, so we want to keep our comments to a minimum and get \nright to it. Let me just say that this subcommittee is charged \nwith a number of homeland security responsibilities. One of the \nmost complex is this issue of cyber security: the online world \nof computers, networks, information, and the physical and \nvirtual lines that tie it all together. 
Obviously our country \nis becoming more and more dependent upon the Internet and \ninformation technologies. That growing dependence just as \nobviously leads to greater vulnerabilities, and part of our job \nin this subcommittee is to try to get our arms around those \nissues and see if there are other Federal actions that may need \nto be taken.\n    We are pleased to have a distinguished group of witnesses \nto help us get our arms around those issues today. Before \nyielding to them, let me yield to the distinguished Ranking \nMember, Ms. Lofgren.\n    Ms. Lofgren. Thank you, Mr. Chairman, and thanks for \ncalling this hearing today. I first want to offer an apology. \nAt noon I am chairing another meeting of the California \ndelegation and so will have to slip out for a while, but I want \nto assure the panelists that I have read their testimony and \nlook forward to working with them in the future.\n    I think this is an important hearing to scope out the \nelements of the challenges that we face, and I hope with regard \nto the DHS itself, that the witnesses will share their opinions \non the newly created Cybersecurity Division, talk about the \nmeetings they have had, if they have had; if you have concerns \nabout the placement of the division within DHS, please share \nthat. Will it have access to the Secretary? Sit buried too \ndeep? I have some skepticism about the DHS plan for \ncybersecurity. I fear that we are moving too slowly. If you \nthink that is correct, let me know. If my fears are misplaced, \nI would love to know that as well.\n    I would also--looking beyond DHS, I would hope that you \ncould enlighten us as to what steps the Federal Government \nmight take to encourage the private sector to make \ncybersecurity a higher priority. 
And I would especially like to \nwelcome Bruce Schneier, who I have known for many, many years \nand thank him for coming all the way out to be a panelist as \nwell as the two other really spectacular witnesses.\n    So, Mac, it is great working with you, and I look forward \nto the hearing.\n    [The information follows:]\n\n PREPARED STATEMENT THE HONORABLE MAC THORNBERRY, A REPRESENTATIVE IN \n                                CONGRESS\n\n    I want to welcome Members, witnesses, and guests to this hearing. \nThis subcommittee is charged with oversight of several important issues \nrelated to homeland security. One of the most complex and least \nunderstood resides in the world of ``cyberspace''--the on-line world of \ncomputers, networks, information, and the physical and virtual lines \nthat tie it all together.\n    Some have called cyberspace the information super highway. Its \nroads are becoming more crowded and more dangerous, and today's seat \nbelts and guard rails may not be adequate for the challenges that lie \nahead. Unlike our physical highways, however, governments do not own \nmost of the roads, and there is much that we do not know about how to \nmake them safe and secure for everyone to travel.\n    The steady rise in electronic commerce, e-government, and \nAmericans' everyday reliance on the Internet make it even more \nimportant that we better understand the threats, vulnerabilities, \nrisks, and recovery options. Even more importantly, the public and \nprivate sectors must establish new partnerships and better ways to \njointly establish appropriate rules of the road to promote commerce, \nprotect privacy, and make the Internet safer for all travelers.\n    We do not yet fully appreciate America's dependency on this \nborderless, virtual world, but we know it is growing--and it is growing \nfast. Only 90,000 Americans had Internet access in early 1993 (U.S. \nInternet Council, Apr. 1999). 
By 2002, the number of Internet users \nsurpassed 665 million (Computer Industry Almanac, Inc., Dec. 2002).\n    We don't know how all of the nation's critical infrastructures are \nlinked and dependent upon each other, but we know adversaries, \ncriminals, hackers, and terrorists are trying to figure out how to \nexploit our weaknesses. We may not fully appreciate the difference \nbetween a cyber crime and a cyber attack on our critical \ninfrastructure, but we know the immediate results have cost us billions \nof dollars in productivity and financial loss. According to the \nComputer Emergency Response Team at Carnegie Mellon University, the \nnumber of vulnerabilities has doubled each year for the past five \nyears. According to Chief Security Officer Magazine, nine out of ten \nChief Security Officers indicate their companies have been victimized \nby cyber attacks in the past year. There may come a time when a cyber \nincident could also cost American lives, especially if there are \nconcurrent attacks on physical and virtual infrastructures.\n    The Homeland Security Act of 2002 gives the Department of Homeland \nSecurity a central role in working with the private sector and with \nstate, local, federal, and international entities to help secure \ncyberspace. Understanding threats to cyberspace, identifying \nvulnerabilities that could be exploited, and coordinating response and \nrecovery efforts needed to ensure services are delivered across our \ncritical infrastructure are some of the key functions for the new \nDepartment and the areas we will cover today. A panel of three academic \nand industry experts will help us understand three foundational \nissues--cyber threats, vulnerabilities, and response and recovery.\n        <bullet> Mr. Bruce Schneier is Founder and Chief Technical \n        Officer, Counterpane Internet Security, Inc., a consulting firm \n        specializing in cryptography and computer security. 
He will \n        focus on the cyber threats within the nation's critical \n        infrastructure.\n        <bullet> Mr. Richard Pethia is Director, CERT Centers, Software \n        Engineering Institute, Carnegie Mellon University. CERT has \n        provided a central response and coordination facility for \n        global information security incident response and \n        countermeasures for cyber threats and vulnerabilities since \n        1988. He will focus on the vulnerabilities facing the nation's \n        critical information infrastructure.\n        <bullet> Mr. Alan Paller is Director of Research, the SANS \n        Institute, a cooperative research organization that delivers \n        cybersecurity education to people who secure and manage \n        important information systems. He will focus on response and \n        recovery by the private sector and government to the threats \n        and vulnerabilities facing the nation's critical information \n        infrastructure.\n    Their testimony will help us put into perspective the industry, \nacademic, and government partnerships needed to help the Department of \nHomeland Security perform its mission as it relates to cyberspace. Our \nultimate goal is a superhighway that is safe, accessible, fast, and \nfree of unnecessary speed bumps.\n    Before yielding, I want to thank Eric Fischer and his team from the \nCongressional Research Service who have again done significant work to \nhelp prepare for this hearing. Finally, I want to thank my partner on \nthis subcommittee, Ms. Zoe Lofgren, for her leadership and expertise in \nthese issues. And I would yield to her at this time.\n\n PREPARED OPENING REMARKS OF THE HONORABLE CHRISTOPHER COX, CHAIRMAN, \n                 SELECT COMMITTEE ON HOMELAND SECURITY\n\nSince May 16th, what was thought to be a Trojan--named Stumbler--that \ncarries potential computer viruses had been randomly scanning internet-\nconnected machines. 
Private internet security companies, the FBI, and \nthe Department of Homeland Security have been tracking this rogue \nactivity since an employee at a defense contractor notified both the \nFBI and the CERT Coordination Center. What concerned most experts was \nthe ease with which this ``Stumbler'' could be reprogrammed to make it \nmore damaging.\n    The ``Perimeter Defense Model'' for computer security has been used \nsince the first mainframe operating systems were built. This model is \nprimarily based on the assumption that we need to protect computer \nsystems from the ``inside.'' Based on this underlying assumption, \ncybersecurity has emphasized ``firewalls'' and other mechanisms to keep \noutside attackers from penetrating our computer systems. The continued \ninvestigation has revealed that the attacker deliberately planted the \n``Stumbler'', clearly circumventing any internal firewalls.\n    We need new solutions to prepare for increasingly aggressive \nattacks on our cyber-information infrastructure. Our society is \nincreasingly interconnected. Our financial institutions, power plants, \nnuclear facilities, water treatment plants, factories, government \nagencies, borders, and other critical infrastructure rely upon \ninternet-based technologies for remote monitoring and control of the \nfacilities. While this capability has allowed for amazing advances and \nimprovements in the delivery of services, it also allows for potential \naccess of a cyber-terrorist to each network.\n    As we begin to look outside established paradigms and partner with \nthe private sector, we have to make securing our information \ninfrastructure an urgent priority. By harnessing the technical \nresources of the private industry and the intelligence capability of \nthe federal government, we begin a partnership that can prevent, \nprotect, and respond to a Cyberattack.\n    We lead the world in information technology. 
The exponential net \ngain of knowledge over the past decade has led to a pervasive \ndependence on information and communication systems that affects every \naspect of our lives. The good news is the potential this represents to \nimprove the quality of life around the world. But there is also bad \nnews; this growing reliance makes our cyberspace a viable target for \nterrorists. The very same information technology that has enabled this \ncountry to be a leader in the world market can be co-opted by \nterrorists and used against this country's infrastructure. This type of \ntechnology is no longer the exclusive domain of states. Non-state \nsponsored groups with limited technical capabilities have the capacity \nto inflict great harm to our safety and economy. A serious attack could \npotentially cripple our emergency response, health care delivery, \ntransportation, electric grids, and finance systems. A precision attack \nby a simple virus that would prevent for just one day our ability to \ncash a paycheck, prevent stocks from being traded or make a credit card \npurchase could bring much of our commerce to a halt. Consider the \nSapphire computer virus. It infected at least 75,000 hosts and caused \nnetwork outages, cancelled airline flights, interfered with elections, \ncaused ATM machines to fail, and shut down a 9-1-1 call center outside \nSeattle, which serves 14 fire departments, two police stations, and a \ncommunity of 164,000 people.\n    Essentially, every major critical infrastructure in this nation is \na public/private partnership and cyberspace is its ``nerve center.'' We \ncannot be successful in securing the vested common interest without a \ncoordinated and focused partnership between the federal government and \nthe private sector. The private sector brings to this partnership the \nexpertise and technical capability. 
The government, in turn, can \nprovide the intelligence information, set the standards, and provide \nthe corporate incentives to bridge this partnership.\n    Cyberspace challenges us with some urgency to define the role of \nthe federal government in this partnership to secure our infrastructure \nand make America safe. For this reason, I established this subcommittee \non Cybersecurity--the only such subcommittee in Congress. Cyberspace is \nindeed a new frontier that the United States must master. This \nCommittee enthusiastically supports the steps that the Department of \nHomeland Security has taken in establishing the National Cyber Security \nDivision (NCSD) under the Department's Information Analysis and \nInfrastructure Protection Directorate. Information exchange and \ncooperation will allow both the government and the private sector to \naddress awareness, training, technological improvements, vulnerability \nremediation and recovery operations. We will continue to look to \nenhance the capability of DHS to stand up this office, to coordinate \ngovernment Cyber programs and to partner with the private sector--all \nas a matter of the highest priority.\n    I thank Chairman Thornberry for his leadership of the Subcommittee \non Cybersecurity, Science, and Research and Development and I look \nforward to hearing from our three witnesses this morning.\n\n PREPARED STATEMENT OF THE HONORABLE JIM GIBBONS, A REPRESENTATIVE IN \n                   CONGRESS, FROM THE STATE OF NEVADA\n\nMr. Chairman, I would like to express to you my gratitude for \nthe opportunity to hear from our expert witnesses and for bringing us \ntogether to address the issues before us today.\nI would also like to thank Mr. Schneier, Mr. Pethia, and Mr. 
Paller for \ntaking time out of their busy schedules to prepare their testimony and \ncome before us today in an effort to make our country safer.\nThese gentlemen should be a great help in assisting us in understanding \nthe nature of the challenges before us.\nCertainly, the security of our cyber-infrastructure is extremely \nimportant to the safety of our country and our economy.\nThere is no doubt that our economy, the largest and most dynamic in the \nworld, is extremely dependent on our country's cyber-infrastructure, \nand it needs to be protected with extreme vigilance.\nHowever, I would like to express my concern about our understanding of \nthe nature of the threats to our cyber-infrastructure, and how we are \ngoing about addressing these threats.\nUnquestionably, an extremely wide variety and high volume of criminal \nthreats to our cyber-infrastructure exist. These threats range from \nbenign computer hacking committed by bored teenagers, to organized \ncriminals stealing and laundering billions of dollars around the world \nvia the internet.\nHowever, while examples of criminal attacks abound, the examples of \ncyber-terrorism, at this point, are sparse, and this begs the question: \nWhy?\nPresently, the internet seems to be an extremely valuable tool to \nterrorists for the same reason it is an extremely valuable tool to \nlegitimate commercial enterprises and private citizens: it is the \nsupreme medium for communication.\nTo my knowledge, the only known terrorism-oriented web-launched attack \non major infrastructure has occurred in Australia, where the individual \nresponsible dumped sewage into public waterways.\nWhile this certainly provides an example of the damage which can be \ncaused by malicious individuals, it is only a single example, and does \nnot seem to bear witness to the catastrophic cyber terrorism we often \nhear is at our doorstep.\nMy intent is not to dismiss the danger that is genuinely posed by our \ncyber vulnerabilities. 
It exists and is accepted.\nHowever, it is my great concern that the nature of the threat of cyber-\nterrorism is being overlooked, and therefore, being addressed \nimproperly.\nWe cannot properly devise an effective strategy to counter cyber-\nterrorism if we do not understand the nature of the capabilities of our \nenemies, and especially if we do not understand the nature of our own \nvulnerabilities.\nI welcome the comments of our witnesses today on the nature of our \ninfrastructure vulnerabilities, and specifically if these \nvulnerabilities are easily exploitable for mass-disruption attacks.\nFurther, I welcome comment on the nature of the intellectual and \nmateriel capabilities needed by a terrorist organization to succeed in \ncausing a major internet-based attack on our cyber-infrastructure, and \nespecially our physical infrastructure.\nIn seeking to understand how best to address the threat of cyber-\nterrorism, we must begin first by asking the right questions.\nThis must lead to an understanding of ourselves and our enemies, from \nwhich we can craft a successful strategy.\nI welcome the candor of our witnesses in addressing these concerns, and \nthank them in advance.\n\n       PREPARED STATEMENT OF THE HONORABLE SHEILA JACKSON-LEE, A \n           REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Chairman, I thank you for your efforts in creating this \nopportunity for this body to hear the testimony of the three panelists \ntoday. In our task of gauging the newly developed Department of \nHomeland Security against the projected needs of our nation, we must \nbegin our evaluation at the most basic levels. Critical infrastructure \nprotection is important to every member of our national and local \ncommunities. 
In order to implement a program of securing cyberspace at \na national level, we must follow a course of risk assessment, \neducation, and careful reaction at the local level to protect our \nschools, hospitals, and rescue facilities. These goals are part of the \nimpetus for the amendments that I offered as to the Department of \nHomeland Security Appropriations Act and to the Project BioShield Act \nso that funding mechanisms and the Secretary's discretion contain the \ncontrol provisions necessary to ensure the proper and effective \nallocation of resources to the places that have the most urgent needs.\n    Just as we must ward against the large threats to our critical \ninfrastructure, the small incidents must not be allowed to create a \nlarge problem.\n    In Houston last year, a 21-year-old man was sentenced to three \nyears in prison for a terrorist hoax concerning a plot to attack the \nopening ceremonies of the 2002 Winter Olympics in Salt Lake City. The \nHouston resident was sentenced by U.S. District Judge and ordered to \npay $5,200 in fines. The Judge told the Defendant that she had \nsentenced him to three years because he had failed to demonstrate he \nunderstood the seriousness of his crime and disruption he had caused to \nfederal agencies and private citizens.\n    The perpetrator told the FBI in Houston that he had intercepted e-\nmails between two terrorists plotting a missile attack during the \nopening Olympic ceremonies on February 8, 2002. 
The e-mails supposedly \ndetailed plans to attack Salt Lake City with missiles launched from \nnorthern Russia.\nHe later confessed to making up the story during questioning, telling \nagents that stress led him to tell his tale and that he had fabricated \nthe e-mails.\n    Just a few months ago, Federal prosecutors charged a University of \nTexas student with breaking into a school database and stealing more \nthan 55,000 student, faculty and staff names and Social Security \nnumbers in one of the nation's biggest cases of data theft involving a \nuniversity. The student, a twenty-year-old junior studying natural \nsciences, turned himself in at the U.S. Secret Service office in \nAustin, Texas. He was charged with unauthorized access to a protected \ncomputer and using false identification with intent to commit a federal \noffense. This incident sent a wave of fear across the campus of the \nnation's largest university, causing students and staff to consider \nreplacing credit cards and freezing bank accounts. The student-\nperpetrator was released without bail and thereafter had limited access \nto computers. If convicted, the student faced as many as five years in \nprison and a $500,000 fine. After searching this student's Austin and \nHouston residences, Secret Service agents recovered the names and \nSocial Security numbers on a computer in his Austin home. According to \nthe indictment, Phillips wrote and executed a computer program in early \nMarch that enabled him to break into the university database that \ntracks staff attendance at training programs, reminding us how \nvulnerable we all are even when our Social Security number is misused. \nTo combat the vulnerability linked to Social Security numbers, the \nuniversity decided to limit its dependence on Social Security numbers as \ndatabase identifiers and instead use an electronic identification \nnumber that matches only to Social Security numbers in an encrypted \ndatabase. 
This data theft was probably the largest ever at a \nuniversity.\n    Therefore, since the threat to critical infrastructure is realized \nat a very local level, we must channel our resources and technology to \nthe first-responders and leaders in the local communities. The movement \nto securing our homeland needs to be expansive, not retractive. If our \nlocal hubs and first-responders are disabled by a terror threat, we \nwould have a hard time developing effective protective measures for our \nnation as a whole.\n    Mr. Chairman, again, I thank you for your time and effort in this \nmatter.\n\nPREPARED STATEMENT OF THE HONORABLE BOB ETHERIDGE, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF NORTH CAROLINA\n\n    Thank you, Chairman Thornberry and Ranking Member Lofgren, for \nholding this hearing. I would also like to welcome our witnesses to \nthis important hearing on cybersecurity. I am looking forward to \nhearing how industry and academia view this issue.\n    Cybersecurity is a critical, yet elusive, concept for many people \nto grasp. You cannot see cyberterrorists attacking a network. There are \nno burning buildings or collapsing structures. When a virus hits our \ncomputers we may experience the annoyance of slow e-mail, spam or the \ninability to access the Internet. What we do not see until later are \nthe costs in lost productivity and lost business in our electronically \nconnected world. Since the Y2K bugs were worked out at the change of \nthe millennium, cybersecurity has largely disappeared from the public \nconsciousness. 
Yet, it is critical that the Department of Homeland \nSecurity encourage and foster research into protecting our country from \nthese stealth attacks.\n    The Department must work in concert with private industry which not \nonly owns more than 80 percent of our critical cyber infrastructure but \nalso develops software products to run our businesses, our 911 \nemergency systems and our personal computers.\n    All of the witnesses today have made a number of suggestions for \nimproving our nation's critical cyber infrastructure, and I am \nencouraged that they assign a great deal of responsibility to \nbusinesses to police their own systems and cooperate with the federal \ngovernment in reporting attacks and breaches so that others may learn \nfrom the experience.\n    The Department of Homeland Security must promote science and math \neducation for our children who will be our future software programmers \nand cyberwarriors. In the 2001 Hart-Rudman report ``Road Map for \nNational Security: Imperative for Change,'' the authors state that the \ngreatest threat to our country, second only to the detonation of a \nweapon of mass destruction, would be ``a failure to manage properly \nscience, technology and education for the common good over the next \nquarter century.''\n    A number of studies have shown that American students sorely lag \nbehind their counterparts in other nations in science and math \neducation. Even though they use computers every day for homework or to \nplay games, many students who do go on to college do not enter \ntechnology fields because they see it as ``too hard.''\n    The federal government and private industry must work together with \nschools across the country to improve basic science and math education \nby providing teachers with the opportunities for advanced training in \nthese fields, the proper equipment for labs and experiments, and time \nto teach. 
Gifted teachers prove every day that students can learn and \ncome to love science and math. Our children are our future, and \ninvestment now in their education will provide benefits for many years \nto come.\n\n    Mr. Thornberry. I thank you, and I do want to thank the \nwitnesses, too. We have had some scheduling back and forth for \nthis hearing because of the full committee schedule, and I \nthank each of you for your flexibility and help in putting this \non.\n    Finally I also want to thank Eric Fischer and his team at \nthe Congressional Research Service who continue to help us in \npreparing for these hearings, as well as the folks in my office \nand Ms. Lofgren's office as well. Let me now turn to our \nwitnesses. First we have Mr. Bruce Schneier, Founder and Chief \nTechnical Officer of Counterpane Internet Security, Inc., a \nconsulting firm specializing in cryptography and computer \nsecurity. Mr. Schneier has written several books and articles. \nWe are pleased to have you with us today, and your full \nstatement will be made part of the record and you may summarize \nit as you see fit.\n\n   STATEMENT OF BRUCE SCHNEIER, FOUNDER AND CHIEF TECHNICAL \n          OFFICER, COUNTERPANE INTERNET SECURITY, INC.\n\n    Mr. Schneier. Thanks for having me. I am actually the \nFounder and CTO of Counterpane, but I am not here under the \nauspices of Counterpane. I am probably going to say things \ncounter to my company's interest, but I am here as a security \nexpert, as an author, as a lecturer. So I do want to make that \nclear.\n    I was asked to talk about risks, and I talk about this in \nmy written testimony. To summarize it very quickly, attacks are \ngetting worse. I mean, every year we are seeing worse and worse \nattacks, primarily because, you know, hackers are getting more \nclever, and the tools they are writing are more interesting. At \nthe same time, the expertise required to launch attacks is \ngoing down. 
Point/click interfaces--just as the word processors \nare easier to use, your hacker tools are easier to use.\n    There is a rise in crime, and I think this is a very \nimportant trend. We are seeing far more criminal activity on \nthe Net. My company does a lot of security monitoring, and a \nlot of times the hardest problem we have is finding the \ncriminal attacks amongst all the kids, amongst all the \nvandalism, amongst all the petty things.\n    Security is getting worse, and this is a hard thing to \nunderstand. I have written about it, and I urge you to read it. \nThe complexity of software, of systems, causes lots of \nvulnerabilities, and these are getting worse faster than we are \nimproving. Security products tend not to be very good. Software \nquality is abysmal. And I read the other testimonies you are \ngoing to hear, and we are all saying these sorts of things. The \neffect of this is that we are more and more insecure than we \nhave ever been.\n    You said that we are also relying on the Internet more. So \nwe are seeing more insecurities, yet it is more important; and \nthis is a problem that I actually can't solve. This is not a \ntechnology problem, and what I really want to say in sort of my \nfew minutes is how I need your help. This is a political \nproblem, not a technology problem. The problem is that each \ncompany, each individual, installs security products, does \nsecurity commensurate with their own risk. So a home user \ndoesn't have much risk, doesn't care much, won't do much. A \nbusiness will do whatever it has to do for its own risk. A \nsoftware company will produce as secure a software as it has \nto.\n    The problem is most of the risks we face as a Nation are \nresidual. So a company might have a risk to their business, but \nthere is ancillary risk borne by everybody else, and that \ncompany is not going to secure itself to the level of the \nancillary risk, only to the level of their risk. 
In economics \nit is called an externality. It is the effect of a decision \nthat is not taken into account in the decision.\n    So an example might be--in environmentalism, a plant might \npollute a river because it makes business sense, but the people \nliving downstream don't factor into their decision. Someone \nmight choose not to get married--a welfare mother might choose \nnot to get married because they will lose their welfare \nbenefits, so they are making a rational decision based on their \nown interests; yet the effects to society of unwed people \nliving together en masse, it doesn't factor in.\n    And computer security is largely stuck with these \nexternalities, and that is the basic problem I have. And the \nway we deal with this in society is we try to somehow take \nthose externalities and bring them into the decision. So laws \nand regulations are ways to do that. Liability is a way to do \nthat. These are ways to make the effects of the actions of an \nindividual organization, to make them responsible for them.\n    So for recommendations, I would like very much to see \ncybersecurity risks be subject to liabilities. To me it is \nabsolutely insane that Firestone can produce a tire with a \nsystemic flaw and be liable and for companies to produce \nsoftware with, you know, three systemic flaws per month and not \nbe liable. That just doesn't work. Liabilities will \ninstantaneously improve security, because it will make it in a \ncompany's best interest to improve security.\n    I would like to see the government use its own purchasing \npower to improve security. You guys have enormous procurement \npower. I would like you to secure your own networks, secure \nyour own systems, buy products and demand security. The nice \nthing about software is you do the work once, and everybody \nbenefits. If you do massive procurement and design--give us \nsecure systems, everybody will benefit.\n    This is not easy, all right? 
You are going to have other \nhearings. Software companies will tell you that liabilities \nwill hurt them. Well, of course it will. An auto manufacturer \nwill tell you the same thing. We would rather not be liable. We \nwould like to produce features on our cars and we don't care if \nthey crash.\n    I would like to see ISPs produce firewalls for their \nindividuals. They will tell you that will hurt our business. Of \ncourse it will. Just like a builder will tell you that making \nour building to fire codes makes it more expensive. Well, yes, \nit does. The point of security is that it costs money, and \nunless we make it so that it is in business's best interest to \nspend it, they won't. We can solve the technical problems if \nthe business impetus is there. We can't do it without. And I am \npleased to take questions after the other two gentlemen.\n    Mr. Thornberry. Thank you very much. I appreciate your \ntestimony.\n    [The statement of Mr. Schneier follows:]\n\n  PREPARED STATEMENT OF MR. BRUCE SCHNEIER, FOUNDER AND CHIEF TECHNICAL \n              OFFICER, COUNTERPANE INTERNET SECURITY, INC.\n\nMr. Chairman, members of the Committee, thank you for the opportunity \nto testify today regarding cybersecurity, particularly in its relation \nto homeland defense and our nation's critical infrastructure. My name \nis Bruce Schneier, and I have worked in the field of computer security \nfor my entire career. I am the author of seven books on the topic, \nincluding the best-selling Secrets and Lies: Digital Security in a \nNetworked World [1]. My newest book is entitled Beyond Fear: Thinking \nSensibly About Security in an Uncertain World [2], and will be \npublished in September. In 1999, I founded Counterpane Internet \nSecurity, Inc., where I hold the position of Chief Technical Officer. 
\nCounterpane Internet Security provides real-time security monitoring \nfor hundreds of organizations, including several offices of the federal \ngovernment.\n\nCyber Risks\nWhen I began my long career in computer security, it was a marginal \ndiscipline. The only interest was from the military and a few scattered \nprivacy advocates. The Internet has changed all that. The promise of \nthe Internet is to be a mirror of society. Everything we do in the real \nworld--all of our social and business interactions and transactions--we \nwant to do on the Internet: conduct private conversations, keep \npersonal papers, sign letters and contracts, speak anonymously, rely on \nthe integrity of information, gamble, vote, publish authenticated \ndocuments. All of these things require security. Computer security is a \nfundamental enabling technology of the Internet; it's what transforms \nthe Internet from an academic curiosity into a serious business tool. \nThe limits of security are the limits of the Internet. And no business \nor person is without these security needs.\nThe risks are real. Everyone talks about the direct risks: theft of \ntrade secrets, customer information, money. People also talk about the \nproductivity losses due to computer security problems. What's the loss \nto a company if its e-mail goes down for two days? Or if ten people \nhave to scramble to clean up after a particularly nasty intrusion? I've \nseen figures in the billions quoted for total losses from Internet \nepidemics like Nimda and the SQL Slammer; most of that is due to these \nproductivity losses.\n    More important are the indirect risks: loss of customers, damage to \nbrand, loss of goodwill. When a successful attack against a corporation \nis made public, the victim may experience a drop in stock price. When \nCD Universe suffered a large (and public) theft of credit card numbers \nin early 2000, it cost them dearly in their war for market share \nagainst Amazon.com and CDNow. 
In the aftermath of public corporate \nattacks, companies often spent more money and effort containing the \npublic relations problem than fixing the security problem. Financial \ninstitutions regularly keep successful attacks secret, so as not to \nworry their customer base.\n    And more indirect risks are coming as a result of litigation. \nEuropean countries have strict privacy laws; companies can be held \nliable if they do not take steps to protect the privacy of their \ncustomers. The U.S. has similar laws in particular industries--banking \nand healthcare--and there are bills in Congress to protect privacy more \ngenerally. We have not yet seen shareholder lawsuits against companies \nthat failed to adequately secure their networks and suffered the \nconsequences, but they're coming. Can company officers be held \npersonally liable if they fail to provide for network security? The \ncourts will be deciding this question in the next few years.\n    This hearing was convened to address another type of risk: the \nrisks of our nation's critical infrastructure that is largely in the \nhands of private companies. One of the great challenges of \ncybersecurity is the interdependencies between individual networks. The \nsecurity decisions one company makes about their own network can have \nfar-reaching effects across many networks, and this leads us to \ndifferent sorts of risks. I call these ancillary risks because their \neffects are ancillary to the particular network in question. Ancillary \nrisks abound in cyberspace. For example, home computer users are at \nrisk of attack and of having their machines taken over by others, but \nan ancillary risk is created when their attacked and taken-over \ncomputers can be used for further attacks against other networks. 
\nVulnerabilities in software create a risk for the corporation marketing \nthat software, but they also create an ancillary risk for those who \nuse that software in their networks.\n    The cybersecurity risks to our nation are largely ancillary; \nbecause our critical infrastructure is largely in the hands of private \ncompanies, there are risks to our nation that go beyond what those \nprivate companies are worried about. The telephone network has value to \nthe telephone companies because that's how they get revenue, and those \ncompanies will secure their networks to that value. But the network has \nvalue to the country as a nationwide communications structure in \naddition to that, and there are ancillary risks as a result of that. \nCompanies put themselves at risk when they purchase and use insecure \nsoftware, but they also cause ancillary risks to everyone else on the \nInternet because that software is on a common network. These ancillary \nrisks turn out to be critical to the current insecurities of \ncyberspace, and addressing them will give us the only real way to \nimprove the situation.\n    As risky as the Internet is, companies have no choice but to be \nthere. The lures of new markets, new customers, new revenue sources, \nand new business models are just so great that companies have flocked \nto the Internet regardless of the risks. There is no alternative. \nGovernments feel the same sorts of pressures: better ways of \ninteracting with citizens, more efficient ways of disseminating \ninformation, greater involvement of citizens in government. The \nInternet is here to stay, and we're going to be using it for more and \nmore things regardless of the risks. This, more than anything else, is \nwhy computer security is so important.\n    Quantifying the Risks\n    Quantifying the risks is difficult, because we simply don't have \nthe data. Most of what we know is anecdotal, and what statistics we \nhave are difficult to generalize. 
In summary, cyberattacks are very \ncommon on the Internet. Corporations are broken into regularly, usually \nby hackers who have no motivation other than simple bragging rights. \nThere is considerable petty vandalism on the Internet, and sometimes \nthat vandalism becomes large-scale and system-wide. Crime is rising on \nthe Internet, both individual fraud and corporate crime. We know all \nthis is happening, because all surveys, corporate studies, and \nanecdotal evidence agree. We just don't know exact numbers.\n    For the past eight years, the Computer Security Institute has \nconducted an annual computer crime survey of U.S. corporations, \ngovernment agencies, and other organizations [3]. The details are a bit \nnumbing, but the general trends are that most networks are repeatedly \nand successfully attacked in a variety of ways, the monetary losses are \nconsiderable, and there's not much that technology can do to prevent \nit. In particular, the 2003 survey found the following:\n        <bullet> 56% of respondents reported ``unauthorized use of \n        computer systems'' in the last year. 29% said that they had no \n        such unauthorized uses, and 15% said that they didn't know. The \n        number of incidents was all over the map, and the number of \n        insider versus outsider incidents was roughly equal. 78% of \n        respondents reported their Internet connection as a frequent \n        point of attack (this has been steadily rising over the six \n        years), 18% reported remote dial-in as a frequent point of \n        attack (this has been declining), and 30% reported internal \n        systems as a frequent point of attack (also declining).\n        <bullet> The types of attack range from telecommunications \n        fraud to laptop theft to sabotage. 36% experienced a system \n        penetration, 42% a denial-of-service attack. 21% reported theft \n        of proprietary information, and 15% financial fraud. 
21% \n        reported sabotage. 25% had their Web sites hacked (another 22% \n        didn't know), and 23% had their Web sites hacked ten or more \n        times (36% of the Web site hacks resulted in vandalism, 35% in \n        denial of service, and 6% included theft of transaction \n        information).\n        <bullet> One interesting thing highlighted by this survey is \n        that all of these attacks occurred despite the widespread \n        deployment of security technologies: 98% have firewalls, 73% an \n        intrusion detection system, 92% access control of some sort, \n        49% digital IDs. It seems that these much-touted security \n        products provide only partial security against attackers.\n    Unfortunately, the CSI data is based on voluntary responses to \nsurveys. The data only includes information about attacks that the \ncompanies knew about, and only those attacks that they are willing to \nadmit to in a survey. Undoubtedly, the real numbers of attacks are much \nhigher. And the people who complete the CSI survey are those \nexperienced in security; companies who are much less security savvy are \nnot included in this survey. These companies undoubtedly experience \neven more successful attacks and even higher losses.\n    The Honeynet Project is another source of data. This is an academic \nresearch project that measures actual computer attacks on the Internet. \nAccording to their most recent statistics [4], published in 2001, a \nrandom computer on the Internet is scanned dozens of times a day. The \naverage life expectancy of a default installation of a Linux Red Hat \n6.2 server--that is, the time before someone successfully hacks it--is \nless than 72 hours. A common home user setup, with Windows 98 and file \nsharing enabled, was successfully hacked five times in four days. \nSystems are subjected to hostile vulnerability scans dozens of times a \nday. 
And the fastest time for a server being hacked: 15 minutes after \nplugging it into the network. This data correlates with my own \nanecdotal experience of putting computers on an unsecured home \nbroadband network.\n    At Counterpane Internet Security, we keep our own statistics. In \n2002, we monitored several hundred computer networks in over thirty \ncountries. We processed 160 billion network events, in which we \nuncovered 105 million security alerts. Further processing yielded \n237,000 ``tickets'' which were investigated by our trained security \nanalysts, resulting in 19,000 customer contacts from immediate security \nincidents. Assuming our data is representative, a typical company in \nthe United States experiences 800 critical network security events--\nevents requiring immediate attention--each year. At Counterpane we're \nsmart and experienced enough to ensure that none of those events \nresults in financial losses for the companies we protect, but most \ncompanies do not have such vigilant cyber guards.\n    Cybersecurity Trends\n    Several cybersecurity trends are worth highlighting. First, over \nthe past few decades attacks on individual computers, early networks, \nand then the Internet have continually gotten more severe. Attack tools \nhave gotten more potent, more damaging, more effective. Attacks that \nwere once slow to implement are now automated. Attacks that used to be \ndefeatable by a single mechanism are now adaptive. Viruses, worms, and \nTrojans are more elaborate and intelligent; malicious programs that \nyears ago took weeks to spread across cyberspace, and last year took \nhours, today spread in minutes.\n    Second, over that same time period, the expertise required to \nlaunch those attacks has gone down. Many attack tools are easy to use. \nThey have point-and-click interfaces. They are automated. They don't \nrequire any expertise to operate. 
``Root kits'' are both easier to use \nand more effective.\n    These two trends combine to exacerbate another trend: the rise of \ncrime in cyberspace. The vast majority of cyberspace attacks are \nnothing more than petty vandalism: the Internet equivalent of spray \npainting. The attackers aren't after anything except a cheap thrill and \nbragging rights. Sometimes they're bored teenagers. Sometimes they're \nsmart kids with no other outlet. But we're starting to see significant \nincreases in real crime on the Internet. Criminals, who often don't \nhave the computer expertise to break into networks, can employ these \neasy-to-use tools to commit crimes. Credit card thefts and other forms \nof fraud are on the rise. Identity theft is on the rise. Extortion is \non the rise. At Counterpane, often the hardest job we have is detecting \nthese criminal attacks among the hundreds of petty vandalism attacks. I \nexpect this trend to continue as more criminals discover the value of \ncommitting their frauds in cyberspace.\n    On the defensive side of things, cyberspace is becoming less secure \neven as security technologies improve. There are many reasons for this \nseemingly paradoxical phenomenon, but they can all be traced back to \nthe problem of complexity. As I have said elsewhere [5], complexity is \nthe worst enemy of security. The reasons are complex and can get very \ntechnical, but I can give you a flavor of the rationale: Complex \nsystems have more lines of code and therefore more security bugs. \nComplex systems have more interactions and therefore more potential for \ninsecurities. Complex systems are harder to test and therefore are more \nlikely to have untested portions. Complex systems are harder to design \nsecurely, implement securely, configure securely, and use securely. \nComplex systems are harder for users to understand. Everything about \ncomplexity leads towards lower security. 
As our computers and networks \nbecome more complex, they inherently become less secure.\n    Another trend is the ineffectiveness of security products. This is \nnot due to failures in technology, but more to failures of \nconfiguration and use. As amazing as it seems, the vast majority of \nsecurity products are simply not implemented in ways that are \neffective. The blame could be laid on the products themselves, which \nare too hard to use. The blame could be laid on the system \nadministrators, who often install security products without thinking \ntoo much about them. But the real blame is in the culture: security \nsimply isn't a priority in most organizations. Security is routinely \nignored, bypassed, or paid lip service to. Products are purchased \nbecause an organization wants to pass an audit or avoid litigation, but \nmuch less attention is paid to how they are used. It's as if a \nhomeowner bought an expensive door lock and installed it in a way that \ndidn't provide any security.\n    Along similar lines, the quality of software security is abysmal. \nProducts routinely ship with hundreds or thousands of security \nvulnerabilities. Again, there are technical reasons for this. As a \nscience, computer security is still in its infancy. We don't know, for \nexample, how to write secure software. We have some tricks, and we know \nhow to avoid some obvious problems, but we have no scientific theory of \nsecurity. It's still a black art and, although we're learning all the \ntime, we have a long way to go. But again, the real reason is that \nsecurity isn't a priority for software vendors. It's far better for a \ncompany if they ship an insecure product a year earlier than a more \nsecure product a year later.\n    The result of these trends is that security technologies are \nimproving slowly, not nearly fast enough to keep up with the new \ninsecurities brought about by the increasing complexity of systems. 
\nEvery year brings more new attacks, faster-spreading worms, and more \ndamaging malicious code. Software products--operating systems as well \nas applications software--continue to have more and more \nvulnerabilities. As long as the trends of increasing complexity and \nsecurity's low priority continue, cyberspace will continue to become \nless secure.\n    Complexity is something we can't change. The only thing we can \nchange is to make security a higher priority.\n    Cyberterrorism or ``Digital Pearl Harbor''\n    There is one often-discussed trend that I do not see: the rise of \ncyberterrorism [6]. An essay I wrote on this issue is included as \nAttachment #1. I believe that fears about cyberterrorism, or the \nlikelihood of a ``Digital Pearl Harbor,'' are largely the result of \ncompanies and organizations wanting to stoke the fears of people and of \nthe news media looking for sensationalist stories. Real terrorism--\nattacking the physical world via the Internet--is much harder than most \npeople think, and the effects of cyber attacks are far less terrorizing \nthan might seem at first. Cyberterrorism is simply not a problem that \nwe have to worry about.\n    This does not mean that large-scale cyberspace threats are not a \nproblem. A single vulnerability in a widely used software product can \naffect millions, and an attack that exploits that vulnerability can do \nmillions of dollars of damage overnight. Attacks against popular \nInternet services, or critical information services that use the \nInternet to move data around, can affect millions.\n    While people overplay the risks of cyberterrorism, they underplay \nthe risks of cyber-crime. Today credit card numbers are no longer being \nstolen one at a time out of purses and wallets; they're being stolen by \nthe millions out of databases. Internet fraud is big business, and it's \ngetting bigger.\n    And someday, cyberterrorism will become a real threat. 
Technology, \nespecially technology related to cyberspace, is fast-moving and its \neffects are far-reaching. Just as some unknown attacker used the \nphysical mail system to spread the anthrax virus, it is certainly \npossible that, someday, a terrorist may figure out how to kill large \nnumbers of people via the Internet. But that day is not coming soon, \nand even then the same terrorist would probably have a much easier time \nkilling the same number of people in a physical attack.\n\n    The Resilience of the Internet\n    Despite all of these risks, the Internet is reasonably safe from a \ncatastrophic collapse. As insecure as each individual component or \nnetwork that makes up the Internet is, as a whole it is surprisingly \nresilient. Often I have joked that the Internet ``just barely works,'' \nthat it is constantly being revised and upgraded, and that it's a minor \nmiracle that it functions at all.\n    The Internet has seen examples of what many people have in mind \nwhen they think about large-scale attacks or terrorism, only they've \nbeen the result of accidents rather than maliciousness. Telephone \nswitching stations shut down as the result of a software bug, leaving \nmillions without telephone service. Communications satellites \ntemporarily malfunctioned, disabling a nationwide pager network. On 9/\n11, the World Trade Center fell on much of lower Manhattan's \ncommunications network. What we've learned from these episodes is that \nthe effects are not devastating and they're only temporary; \ncommunications can be quickly restored, and people adapt until they are \nrestored.\n    Additionally, random events are still much more damaging than \nmalicious actions. In the closest example of a cyberterrorist attack \nwe've experienced, Vitek Boden hacked into a computer network and \nreleased a million liters of pollution into an Australian estuary. His \ndamage was cleaned up in a week. 
A couple of months later, a bird \nlanded on a transformer in the Ohio River valley, causing it to blow \nup; this set off a chain reaction that released about ten times as much \nsewage into the river. The cleanup was much more expensive and took \nsignificantly longer. Even today, random birds can do significantly \nmore damage than the concerted effort of someone intent on damage.\n\n    Security and Risk Management\n    Companies manage risks. They manage all sorts of risks; cyber risks \nare just one more. And there are many different ways to manage risks. A \ncompany might choose to mitigate the risk with technology or with \nprocedures. A company might choose to insure itself against the risk, \nor to accept the risk itself. The methods a company chooses in a \nparticular situation depend on the details of that situation. And \nfailures happen regularly; many companies manage their risks \nimproperly, pay for their mistakes, and then soldier on. Companies, \ntoo, are remarkably resilient.\n    To take a concrete example, consider a physical store and the risk \nof shoplifting. Most grocery stores accept the risk as a cost of doing \nbusiness. Clothing stores might put tags on their garments and sensors \nat the doorways; they mitigate the risk with technology. A jewelry \nstore might mitigate the risk through procedures: all merchandise stays \nlocked up, customers are not allowed to handle anything unattended, \netc. And that same jewelry store will carry theft insurance, another \nrisk management tool.\n    An appreciation of risk management is fundamental to understanding \nhow businesses approach computer security. Ask any network \nadministrator what he needs cybersecurity for, and he can describe the \nthreats: Web site defacements, corruption and loss of data due to \nnetwork penetrations, denial-of-service attacks, viruses, and Trojans. \nThe list of threats seems endless, and they're all real. 
Ask senior \nmanagement about cybersecurity, and you'll get a very different answer. \nHe'll talk about return on investment. He'll talk about risks. And \nwhile the cyber threats are great, the risks are much less so. What \nbusinesses need is adequate security at a reasonable cost.\n    Given the current state of affairs, businesses probably spend about \nthe right amount on security. The threats are real and the attacks are \nfrequent, but most of the time they're minor annoyances. Serious \nattacks are rare. Internet epidemics are rare. And on the other side of \nthe coin, computer security products are often far less effective than \nadvertised. Technology changes quickly, and it's hard to mitigate risks \nin such a rapidly changing environment. It is often more cost effective \nto weather the ill effects of bad security than to spend significant \nmoney trying to improve the level of security.\n\n    Externalities and Our Critical Infrastructure\n    If companies are so good at risk management, why not just let them \nmanage their own risks? Companies can decide whether or not to have a \nguard in their corporate offices, install an alarm system in their \nwarehouses, or buy kidnapping insurance for their key executives. \nShouldn't we simply let companies make their own security decisions \nbased on their own security risks? If they don't care whether they buy \nand use insecure software, if they don't bother installing security \nproducts correctly, if they don't implement good cybersecurity \npolicies, why is that anyone else's problem? If they decide that it's \ncheaper to weather all the Internet attacks than it is to improve their \nown security, isn't it their own business?\n    The flaw in that argument is the reason this hearing was convened: \nthe ancillary threats facing our nation's critical infrastructure. The \nrisks to that infrastructure are greater than the sum of the risks to \nthe individual companies. 
We need to protect ourselves against attack \nfrom an enemy military. We need to protect ourselves against a future \nwhere cyberterrorists may target our electronic infrastructure. We need \nto protect the underlying economic confidence in the Internet as a \nmechanism for commerce. We need to protect the Internet above the risks \nto individual pieces of it. Companies are good at risk management, but \nthey're only going to consider their own risks; the ancillary risks to \nour critical infrastructure will not be taken into account.\n    One easy example is credit card numbers. Company databases are \nregularly broken into and credit card numbers are stolen, sometimes \nhundreds of thousands at a time. Companies work to secure those \ndatabases, but not very hard, because most of the risk isn't shouldered \nby those companies. When an individual finds that his credit card \nnumber has been stolen and used fraudulently or, even worse, that his \nentire identity has been stolen and used fraudulently, cleaning up the \nmess can take considerable time and money. The company secures the \ndatabase based on its own internal risk; it does not secure the \ndatabase based on the aggregate risk of all the individuals whose \ninformation it stores.\n    Software security is another example. Software vendors do some \nsecurity testing on their products, but it's minimal because most of \nthe risk isn't their problem. When a vulnerability is discovered in a \nsoftware product, the vendor fixes the problem and issues a patch. This \ncosts some money, and there's some bad publicity. The real risk is \nshouldered by the companies and individuals who purchased and used the \nproduct, and that risk doesn't affect the vendor nearly as much. When \nthe SQL Slammer worm spread across the Internet in January 2003, \nworldwide losses were calculated in the tens of billions of dollars. 
\nBut the losses to Microsoft, whose software contained the vulnerability \nthat the Slammer used in the first place, were much, much less. Because \nmost of the risks to Microsoft are ancillary, security isn't nearly as \nhigh a priority for them as it should be.\n    This brings us to the fundamental problem of cybersecurity: It \nneeds to be improved, but those who can improve it--the companies that \nbuild computer hardware and write computer software, and the people and \ncompanies that own and administer the small networks that make up the \nInternet--are not motivated to do so.\n    More specifically: Our computers and networks are insecure, and \nthere is every reason to believe that they will become less secure in the \nfuture. The threats and risks are significant, and there is every \nreason to believe that they will become more significant in the future. \nBut at the same time, because much of the risk is ancillary, software \nand hardware manufacturers don't spend a lot of money improving the \nsecurity of their products and private network owners don't spend a lot \nof money buying and installing security products on their networks.\n    In economics, an externality is an effect of a decision that is not \npart of the decision process. Most pollution, for example, is an \nexternality. A factory makes an economic decision about the amount of \npollution it dumps into a river based on its own economic motivations; \nthe health of the people living downstream is an externality. A welfare \nmother makes a decision whether to marry someone or live with him \nwithout marriage partly based on the economics of the welfare system; \nthe societal degradation of the institution of marriage is an \nexternality. Ancillary cyberrisks are an example of an externality.\n    There are several ways to deal with externalities. 
They can be \nregulated through a legal system: Laws and regulations which prohibit \ncertain actions and mandate others are a way to manage externalities. \nThey can be internalized through taxation or liabilities, both of which \nprovide economic incentives to take externalities into account. \nSometimes societal norms modify externalities. And so on. The \nparticular mechanism chosen will depend on politics, but the overall \ngoal is to bring the various externalities into the decision process.\n    I believe that externalities are the fundamental problem of \ncybersecurity. The security of a particular piece of the Internet may \nbe good enough for the organization controlling that piece, but the \nexternal effects of that ``good enough'' security may not be good \nenough for the nation as a whole. Our nation's critical infrastructure \nis becoming more and more dependent on a secure and functioning \nInternet, but there's no one organization in charge of keeping the \nInternet secure and functioning. Our software has very poor security, \nand there is no real incentive to make it better. We are increasingly \nvulnerable to attacks that affect everyone a little bit, but that no \none has enough incentive to fix.\n\n    Recommendations\n    This fundamental problem of cybersecurity is much more an economic \none than a technical one. Our nation's computer infrastructure could be \nmuch more secure if the business incentives were there to make it so--\nif the externalities were internalized, so to speak. Asking companies \nto improve their own security won't work. (We've tried this repeatedly; \nit's doomed to failure.) Trying to build a separate government network \nwon't work. (The whole point of cyberspace is that it is one large \ninterconnected network.) Hoping technology will improve won't work. 
(It \ndoesn't matter how good the technology is if people don't want to use \nit.)\n    The basic capitalist and democratic business process is capable of \nimproving cybersecurity, but only if the proper incentives are in \nplace. My general recommendation is that you pass laws and implement \nregulations designed to deal with the externalities in cybersecurity \ndecisions so that organizations are motivated to provide a higher level \nof security--one that is commensurate with the threat against our \nnation's critical infrastructure--and then step back and let the \nmechanisms of commercial innovation work to solve the problems and \nimprove security. Specifically:\n    1. Stop trying to find consensus. Over the years, we have seen \nseveral government cyberspace security plans and strategies come out of \nthe White House, the most recent one this year [7]. These documents all \nsuffer from an inability to risk offending any industry. In the most \nrecent strategy, for example, preliminary drafts included strong words \nabout wireless insecurity that were removed at the request of the \nwireless industry, which didn't want to look bad for not doing anything \nabout it. A recommendation that ISPs provide personal firewalls to all \nof their users was likewise removed, because the large ISPs didn't want \nto look bad for not already providing such a security feature. Unlike \nmany other governmental processes, security is harmed by consensus. \nCybersecurity requires hard choices. These choices will necessarily \ncome at the expense of some industries and some special interests. As \nlong as the government is unwilling to move counter to the interests of \nsome of its corporate constituents, huge insecurities will remain.\n    2. Expose computer hardware, software, and networks to liabilities. \nI have written extensively about the effect of liabilities on the \ncomputer industry [8]; one of my essays is included as Attachment #2. 
\nThe major reason companies don't worry about the externalities of their \nsecurity decisions--the effects of their insecure products and networks \non others--is that there is no real liability for their actions. \nLiability will immediately change the cost/benefit equation for \ncompanies, because they will have to bear financial responsibility for \nancillary risks borne by others as a result of their actions. With \nliabilities firmly in place, the best interests of software vendors, \nand the best interests of their shareholders, will be served by them \nspending the time and money necessary to make their products secure \nbefore release. The best interests of corporations, and the best \ninterests of their shareholders, will be served by them spending the \ntime and money necessary to secure their own networks. The insurance \nindustry will step in and force companies to improve their own security \nif they want liability coverage at a reasonable price. Liability is a \ncommon capitalistic mechanism to deal with externalities, and it will \ndo more to secure our nation's critical infrastructure than any other \naction.\n    3. Secure your own networks. Fund programs to secure government \nnetworks, both internal networks and publicly accessible networks. Only \nbuy secure hardware and software products. Before worrying about the \nsecurity of everyone else, get your own house in order. This does not \nmean that it's necessary to redo what is already being done in \nindustry. The government is a consumer of computer products, like any \nlarge corporation. The government does not need to develop its own \nsecurity products; everyone's security is better served if the \ngovernment buys commercial products. The government does not need to \ncreate its own organization to identify and analyze cyber threats; it \nis better off using the same commercial organizations that corporations \nuse. 
The threats against government are the same as the threats against \neveryone else, and the solutions are the same. The U.S. government, \nspecifically the Department of Homeland Security, should use and \nimprove the resources that are available to everyone, since everyone \nneeds those same resources.\n    4. Use your buying power to drive an increase in security. U.S. \ngovernment procurement can be a potent tool to drive research and \ndevelopment. If you demand more secure products, companies will \ndeliver. Standardize on a few good security products, and continually \nforce them to improve. There's a ``rising tide'' effect that will \nhappen; once companies deliver products to the increasingly demanding \nspecifications of the government, the same products will be made \navailable to private organizations as well. The U.S. government is an \nenormous consumer of computer hardware, software, systems, and \nservices. And because you're using the same commercial products that \neveryone else uses, those products will improve to the benefit of \neveryone. The money you spend on your own security will benefit \neveryone's security.\n    5. Invest in security research; invest in security education. As \nthe market starts demanding real security, companies will need to \nfigure out how to supply it. Research and education are critical to \nimproving the security of computers and networks. Here again, use your \nfinancial muscle to improve security for everyone. Research and \neducation in this important field need to be increased. The benefits \nwill be beyond anything we can imagine today.\n    6. Rationally prosecute cybercriminals. In our society, we rarely \nsolve security problems by technical means alone. We don't wear body \narmor or live in fortresses. Instead, we rely on the legal system to \nrationally prosecute criminals and act as a deterrent to future crimes. \nWe need to beef up law enforcement to deal with real computer crimes. 
\nThis does not mean charging sixteen-year-old kids as adults for what \nare basically 21st century pranks; this means going after those who \ncommit real crimes on the Internet.\n\n    Conclusion\n    None of this is easy. Every computer company you bring into this \nroom will tell you that liabilities will be bad for their industry. Of \ncourse they're going to tell you that; it's in their best interests not \nto be responsible for their own actions. The Department of Homeland \nSecurity will tell you that they need money for this and that massive \ngovernment security program. Of course they're going to tell you that; \nit's in their best interests to get as large a budget as they can. The \nFBI is going to tell you that extreme penalties are necessary for the \ncurrent crop of teenage cyberterrorists; they're trying to make the \nproblem seem more dire than it really is to improve their own image. If \nyou're going to help improve the security of our nation, you're going \nto have to look past everyone's individual self-interests toward the \nbest interests of everyone.\n    Our nation's cybersecurity risks are greater than those of any \nindividual corporation or government organization, and the only way to \nmanage those risks is to address them directly. I strongly recommend \nthat you put the interests of our nation's cybersecurity above the \ninterests of individual corporations or government organizations. The \nexternalities of rational corporate cybersecurity decisions are hurting \nus all. It's the job of government to look at the big picture and the \nneeds of society as a whole, and then to properly motivate individuals \nto satisfy those needs.\n    Thank you for the opportunity to appear before your committee \ntoday. 
I would be pleased to answer any questions.\n    References\n[1] Bruce Schneier, Secrets and Lies: Digital Security in a Networked \nWorld, John Wiley & Sons, 2000.\n[2] Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an \nUncertain World, Copernicus Books, 2003.\n[3] Computer Security Institute, ``2003 CSI/FBI Computer Crime and \nSecurity Survey,'' 2003. http://www.gocsi.com/press/20030528.html\n[4] Honeynet Project, ``Know Your Enemy: Statistics,'' 22 July, 2001. \nhttp://www.honeynet.org/papers/stats/\n[5] Bruce Schneier, ``Software Complexity and Security,'' Crypto-Gram, \nMarch 15, 2000. http://www.counterpane.com./crypto-gram-0003.html\n[6] Bruce Schneier, ``The Risks of Cyberterrorism,'' Crypto-Gram, June \n15, 2003. http://www.counterpane.com./crypto-gram-0306.html\n[7] White House, National Strategy to Secure Cyberspace, Feb 2003. \nhttp://www.whitehouse.gov/pcipb/cyberspace--strategy.pdf\n[8] Bruce Schneier, ``Liability and Security,'' Crypto-Gram, April 15, \n2002. http://www.counterpane.com./crypto-gram-0204.html\n\nATTACHMENT #1\nThe Risks of Cyberterrorism\nBruce Schneier\nReprinted from: Crypto-Gram, June 15, 2003.\nhttp://www.counterpane.com./crypto-gram-0306.html\nThe threat of cyberterrorism is causing much alarm these days. We have \nbeen told to expect attacks since 9/11; that cyberterrorists would try \nto cripple our power system, disable air traffic control and emergency \nservices, open dams, or disrupt banking and communications. But so far, \nnothing's happened. Even during the war in Iraq, which was supposed to \nincrease the risk dramatically, nothing happened. The impending \ncyberwar was a big dud. Don't congratulate our vigilant security, \nthough; the alarm was caused by a misunderstanding of both the \nattackers and the attacks.\nThese attacks are very difficult to execute. 
The software systems \ncontrolling our nation's infrastructure are filled with \nvulnerabilities, but they're generally not the kinds of vulnerabilities \nthat cause catastrophic disruptions. The systems are designed to limit \nthe damage that occurs from errors and accidents. They have manual \noverrides. These systems have been proven to work; they've experienced \ndisruptions caused by accident and natural disaster. We've been through \nblackouts, telephone switch failures, and disruptions of air traffic \ncontrol computers. In 1999, a software bug knocked out a nationwide \npaging system for a day. The results might be annoying, and engineers \nmight spend days or weeks scrambling, but the effect on the general \npopulation has been minimal.\nThe worry is that a terrorist would cause a problem more serious than a \nnatural disaster, but this kind of thing is surprisingly hard to do. \nWorms and viruses have caused all sorts of network disruptions, but it \nhappened by accident. In January 2003, the SQL Slammer worm disrupted \n13,000 ATMs on the Bank of America's network. But before it happened, \nyou couldn't have found a security expert who understood that those \nsystems were dependent on that vulnerability. We simply don't \nunderstand the interactions well enough to predict which kinds of \nattacks could cause catastrophic results, and terrorist organizations \ndon't have that sort of knowledge either--even if they tried to hire \nexperts.\n    The closest example we have of this kind of thing comes from \nAustralia in 2000. Vitek Boden broke into the computer network of a \nsewage treatment plant along Australia's Sunshine Coast. Over the \ncourse of two months, he leaked hundreds of thousands of gallons of \nputrid sludge into nearby rivers and parks. Among the results were \nblack creek water, dead marine life, and a stench so unbearable that \nresidents complained. 
This is the only known case of someone hacking a \ndigital control system with the intent of causing environmental harm.\n    Despite our predilection for calling anything ``terrorism,'' these \nattacks are not. We know what terrorism is. It's someone blowing \nhimself up in a crowded restaurant, or flying an airplane into a \nskyscraper. It's not infecting computers with viruses, forcing air \ntraffic controllers to route planes manually, or shutting down a pager \nnetwork for a day. That causes annoyance and irritation, not terror.\n    This is a difficult message for some, because these days anyone who \ncauses widespread damage is being given the label ``terrorist.'' But \nimagine for a minute the leadership of al Qaeda sitting in a cave \nsomewhere, plotting the next move in their jihad against the United \nStates. One of the leaders jumps up and exclaims: ``I have an idea! \nWe'll disable their e-mail....'' Conventional terrorism--driving a \ntruckful of explosives into a nuclear power plant, for example--is \nstill easier and much more effective.\n    There are lots of hackers in the world--kids, mostly--who like to \nplay at politics and dress their own antics in the trappings of \nterrorism. They hack computers belonging to some other country \n(generally not government computers) and display a political message. \nWe've often seen this kind of thing when two countries squabble: China \nvs. Taiwan, India vs. Pakistan, England vs. Ireland, U.S. vs. China \n(during the 2001 crisis over the U.S. spy plane that crashed in Chinese \nterritory), the U.S. and Israel vs. various Arab countries. It's the \nequivalent of soccer hooligans taking out national frustrations on \nanother country's fans at a game. It's base and despicable, and it \ncauses real damage, but it's cyberhooliganism, not cyberterrorism.\n    There are several organizations that track attacks over the \nInternet. 
Over the last six months, less than 1% of all attacks \noriginated from countries on the U.S. government's Cyber Terrorist \nWatch List, while 35% originated from inside the United States. \nComputer security is still important. People overplay the risks of \ncyberterrorism, but they underplay the risks of cybercrime. Fraud and \nespionage are serious problems. Luckily, the same countermeasures aimed \nat cyberterrorists will also prevent hackers and criminals. If \norganizations secure their computer networks for the wrong reasons, it \nwill still be the right thing to do.\n\nATTACHMENT #2\nLiability and Security\nBruce Schneier\nReprinted from: Crypto-Gram, April 15, 2002.\nhttp://www.counterpane.com./crypto-gram-0204.html\n    Today, computer security is at a crossroads. It's failing, \nregularly, and with increasingly serious results. I believe it will \nimprove eventually. In the near term, the consequences of insecurity \nwill get worse before they get better. And when they get better, the \nimprovement will be slow and will be met with considerable resistance. \nThe engine of this improvement will be liability--holding software \nmanufacturers accountable for the security and, more generally, the \nquality of their products--and the timetable for improvement depends \nwholly on how quickly security liability permeates cyberspace.\n    Network security is not a problem that technology can solve. \nSecurity has a technological component, but businesses approach \nsecurity as they do any other business risk: in terms of risk \nmanagement. Organizations optimize their activities to minimize their \ncost * risk product, and understanding those motivations is key to \nunderstanding computer security today.\n    For example, most organizations don't spend a lot of money on \nnetwork security. Why? Because the costs are significant: time, \nexpense, reduced functionality, frustrated end users. 
On the other \nhand, the costs of ignoring security and getting hacked are small: the \npossibility of bad press and angry customers, maybe some network \ndowntime, none of which is permanent. And there's some regulatory \npressure, from audits or lawsuits, that add additional costs. The \nresult: a smart organization does what everyone else does, and no more.\n    The same economic reasoning explains why software vendors don't \nspend a lot of effort securing their products. The costs of adding good \nsecurity are significant--large expenses, reduced functionality, \ndelayed product releases, annoyed users--while the costs of ignoring \nsecurity are minor: occasional bad press, and maybe some users \nswitching to competitors' products. Any smart software vendor will talk \nbig about security, but do as little as possible.\n    Think about why firewalls succeeded in the marketplace. It's not \nbecause they're effective; most firewalls are installed so poorly as \nnot to be effective, and there are many more effective security \nproducts that have never seen widespread deployment. Firewalls are \nubiquitous because auditors started demanding firewalls. This changed \nthe cost equation for businesses. The cost of adding a firewall was \nexpense and user annoyance, but the cost of not having a firewall was \nfailing an audit. And even worse, a company without a firewall could be \naccused of not following industry best practices in a lawsuit. The \nresult: everyone has a firewall, whether it does any good or not.\n    Network security is a business problem, and the only way to fix it \nis to concentrate on the business motivations. We need to change the \ncosts; security needs to affect an organization's bottom line in an \nobvious way. In order to improve computer security, the CEO must care. \nIn order for the CEO to care, it must affect the stock price and the \nshareholders.\n    I have a three-step program towards improving computer and network \nsecurity. 
None of the steps have anything to do with the technology; \nthey all have to do with businesses, economics, and people.\n    Step one: enforce liabilities. This is essential. Today there are \nno real consequences for having bad security, or having low-quality \nsoftware of any kind. In fact, the marketplace rewards low quality. \nMore precisely, it rewards early releases at the expense of almost all \nquality. If we expect CEOs to spend significant resources on security--\nespecially the security of their customers--they must be liable for \nmishandling their customers' data. If we expect software vendors to \nreduce features, lengthen development cycles, and invest in secure \nsoftware development processes, they must be liable for security \nvulnerabilities in their products.\n    Legislatures could impose liability on the computer industry, by \nforcing software manufacturers to live with the same product liability \nlaws that affect other industries. If software manufacturers produced a \ndefective product, they would be liable for damages. Even without this, \ncourts could start imposing liability-like penalties on software \nmanufacturers and users. This is starting to happen. A U.S. judge \nforced the Department of Interior to take its network offline, because \nit couldn't guarantee the safety of American Indian data it was \nentrusted with. Several cases have resulted in penalties against \ncompanies who used customer data in violation of their privacy \npromises, or who collected that data using misrepresentation or fraud. \nAnd judges have issued restraining orders against companies with \ninsecure networks that are used as conduits for attacks against others.\n    However it happens, liability changes everything. Currently, there \nis no reason for a software company not to offer more features, more \ncomplexity. Liability forces software companies to think twice before \nchanging something. 
Liability forces companies to protect the data \nthey're entrusted with.\n    Step two: allow parties to transfer liabilities. This will happen \nautomatically, because this is what insurance companies do. The \ninsurance industry turns variable-cost risks into fixed expenses. \nThey're going to move into cyber-insurance in a big way. And when they \ndo, they're going to drive the computer security industry. . .just like \nthey drive the security industry in the brick-and-mortar world.\n    A company doesn't buy security for its warehouse--strong locks, \nwindow bars, or an alarm system--because it makes it feel safe. It buys \nthat security because its insurance rates go down. The same thing will \nhold true for computer security. Once enough policies are being \nwritten, insurance companies will start charging different premiums for \ndifferent levels of security. Even without legislated liability, the \nCEO will start noticing how his insurance rates change. And once the \nCEO starts buying security products based on his insurance premiums, \nthe insurance industry will wield enormous power in the marketplace. \nThey will determine which security products are ubiquitous, and which \nare ignored. And since the insurance companies pay for the actual \nliability, they have a great incentive to be rational about risk \nanalysis and the effectiveness of security products.\n    And software companies will take notice, and will increase security \nin order to make the insurance for their products affordable.\n    Step three: provide mechanisms to reduce risk. This will happen \nautomatically, and be entirely market driven, because it's what the \ninsurance industry wants. Moreover, they want it done in standard \nmodels that they can build policies around. They're going to look to \nsecurity processes: processes of secure software development before \nsystems are released, and processes of protection, detection, and \nresponse for corporate networks and systems. 
And more and more, they're \ngoing to look towards outsourced services.\n    The insurance industry prefers security outsourcing, because they \ncan write policies around those services. It's much easier to design \ninsurance around a standard set of security services delivered by an \noutside vendor than it is to customize a policy for each individual \nnetwork.\n    Actually, this isn't a three-step program. It's a one-step program \nwith two inevitable consequences. Enforce liability, and everything \nelse will flow from it. It has to.\n    Much of Internet security is a common: an area used by a community \nas a whole. Like all commons, keeping it working benefits everyone, but \nany individual can benefit from exploiting it. (Think of the criminal \njustice system in the real world.) In our society we protect our \ncommons--our environment, healthy working conditions, safe food and \ndrug practices, lawful streets, sound accounting practices--by \nlegislating those goods and by making companies liable for taking undue \nadvantage of those commons. This kind of thinking is what gives us \nbridges that don't collapse, clean air and water, and sanitary \nrestaurants. We don't live in a ``buyer beware'' society; we hold \ncompanies liable for taking advantage of buyers.\n    There's no reason to treat software any differently from other \nproducts. Today Firestone can produce a tire with a single systemic \nflaw and they're liable, but Microsoft can produce an operating system \nwith multiple systemic flaws discovered per week and not be liable. \nThis makes no sense, and it's the primary reason security is so bad \ntoday.\n\n    Mr. Thornberry. And before turning to the next witness, let \nme thank the distinguished chairman of the Science Committee \nfor allowing us the use of your facilities. 
As we continue to \nbe homeless, we appreciate the chairman's generosity.\n    Our next witness is Richard Pethia, Director of CERT \nCenters, Software Engineering Institute, Carnegie Mellon \nUniversity. CERT provides the central response and coordination \nfacility for global information security incident response and \ncountermeasures for cyber threats and vulnerabilities since \n1988. We appreciate you being with us, sir. Your full statement \nwill also be made a part of the record, and please summarize it \nas you would like.\n\n                 STATEMENT OF RICHARD D. PETHIA\n\n    Mr. Pethia. First, thank you, Mr. Chairman, members of the \nsubcommittee, for the opportunity to testify on cybersecurity \nissues. It is something that we in Pittsburgh have been working \non for a number of years and feel very passionate about.\n    The current state of Internet security from our perspective \nis cause for concern. Security issues are not well understood. \nThey are rarely given high priority by many software \ndevelopers, vendors, network managers or consumers. At the same \ntime, however, computers have become such an integral part of \nAmerican government and business operation, that computer-\nrelated risk can no longer be separated from national defense, \ngeneral safety, health, business and privacy risks.\n    We are increasingly dependent on our computers and the \nnetworks that hook them together, or planes won't fly, freight \nwon't ship, oil won't pump, the things that--the physical \nthings in our lives are as critically dependent on these \nsystems as are things like financial transactions and business \ntransactions that we all recognize.\n    The data that we have and data from other groups in the \nsecurity field indicates that the attacks are going up year \nafter year. 
The damage is increasing, and that is happening \neven while government and the industry are actually investing \nincreasing amounts of money to deal with the problem.\n    There are a number of factors that contribute to this \nincreased vulnerability. First of all, we are connecting \neverything to everything else. For many good business reasons, \nwe are connecting more and more of our systems to the Internet. \nThe phone system, the Internet, are merging and we are building \na communications fabric where everything is tied together. And \na number of systems, which were once secure because of their \nisolation, are now insecure because they are connected to this \nweb of computing that we have constructed.\n    Cyberspace and physical space are becoming one. Supervisory \ncontrol and data acquisition systems that control power grids, \nwater treatment and distribution plants, oil and chemical \nrefineries, other physical processes, are being linked to \ncommunications links in the Internet, and these systems are \nbecoming potential targets of individuals bent on causing \nmassive disruption and physical damage.\n    Engineering for ease of use is driving a dramatic increase \nin the use of computers, but at the same time it has not been \nmatched by engineering for ease of secure administration. The \nresult is increasing numbers of vulnerable computers. \nComprehensive security solutions are lacking. Engineering the \nsecurity of a large complex system is often more difficult than \nengineering the system itself, and many organizations just \ndon't have the skills.\n    The Internet at the same time has become a virtual breeding \nground for attackers. Intruders share information about \nvulnerable sites, about vulnerabilities in technology and \nattack tools. 
Internet attacks are difficult to trace, and the \nprotocols make it easy for attackers to hide their true \nidentity and location.\n    With all these factors, there are two others that I think \nare especially important to focus on. One is vulnerabilities in \nthe information technology products in the market today.\n    Last year we received reports of over 4,000 separate new \nvulnerabilities. Weaknesses in products that an attacker can \nexploit to compromise a system. Some of these are deep-seated and \nare likely to be long-lived, in that they are the result of \narchitecture and design decisions that were made early in the \nproduct's development cycle, not decisions that can be changed \neasily.\n    Others are the result of weak implementation and testing \npractices, bugs in the program. They can be quickly corrected. \nHowever, both of these require that system operators take \naction to protect their systems, and with so many of these \nproblems being found every year, it is placing the system \noperators in a very hard spot. They have got a major challenge.\n    The second major area of vulnerability includes weakness in \nthe management and operational practice of the system operators \nthemselves. Typical problems include things like poor or \nambiguous security policies, lack of security training for all \nlevels of staff, poor account and access management, poor \nphysical security, leading to open access to critical devices, \nlack of vulnerability management practices and lack of \nmonitoring or auditing to detect security weaknesses and \nattacks.\n    Putting these practices in place requires senior management \nunderstanding and commitment, and that is a condition that is \nstill missing in many organizations. Working our way out of \nthis vulnerable position will require a multipronged approach. \nFirst, higher quality products. Good software engineering \npractices can dramatically improve our ability to withstand \nattacks. 
We need operating systems and other products that are \nvirtually virus-proof. We need to reduce the implementation \nerrors that we have by at least two orders of magnitude, and we \nneed to have vendors ship products with high security default \nconfigurations.\n    We encourage the government to use its buying power to \ndemand such high-quality software. Acquisition processes must \nbe in place with more emphasis on security characteristics and \nperhaps the use of code integrity clauses that hold vendors \nmore accountable for defects in their released products. \nAcquisition professionals should be trained in government \nsecurity regulations and policies and also in the fundamentals \nof security concepts and architectures.\n    Also needed is wider adoption of security practices. Senior \nmanagement must be accountable for the use of the technology in \ntheir operation, and they must provide visible endorsement of \nsecurity improvement efforts and the resources needed to \nimplement those required improvements.\n    And in the long term, research has to be an essential \ncomponent of the answer. We need a unified and integrated \nframework for all information assurance analysis that leads to \na new generation of products that are fundamentally more secure \nthan those we have today. We need more rigorous methods to \nassess and manage risks and quantitative techniques to help us \nunderstand the cost/benefit analysis of doing that risk \nmitigation, along with simulation tools to analyze the cascade \neffects of attacks, accidents, and failures across our \ninterdependent systems.\n    We as a Nation need more qualified technical specialists. 
\nThe government scholarship programs that are in place need to \nbe expanded over the next 5 years to build an infrastructure \nthat will meet the long-term needs of trained security \nprofessionals, and also needed is more awareness and security \ntraining for all Internet and technology users.\n    So in conclusion, the incidents are almost doubling every \nyear, and the attack technology will evolve to support attacks \nthat are even more virulent and damaging. We can make \nsignificant progress by making changes in our software design \nand development practices, giving more management support to \nrisk management activities, increasing the number of trained \nsystem managers and administrators, and increasing research in \nthe secure and survivable systems. Thank you.\n    Mr. Thornberry. Thank you. Appreciate it.\n    [The statement of Mr. Pethia follows:]\n\n                PREPARED STATEMENT OF RICHARD D. PETHIA\n\n1. Introduction\nMr. Chairman and members of the Subcommittee: My name is Rich Pethia. I \nam the director of the CERT Centers, part of the Software Engineering \nInstitute, a federally funded research and development center operated \nby Carnegie Mellon University. We have 14 years of experience with \ncomputer and network security. The CERT Coordination Center (CERT/CC) \nwas established in 1988, after an Internet ``worm'' became the first \nInternet security incident to make headline news, acting as a wake-up \ncall for network security. In response, the CERT/CC was established at \nthe SEI. The center was activated in just two weeks, and we have worked \nhard to maintain our ability to react quickly. The CERT/CC staff has \nhandled well over 200,000 incidents and cataloged more than 8,000 \ncomputer vulnerabilities.\nThank you for the opportunity to testify on the cyber security problem. 
\nToday I will discuss the vulnerability of information technology on the \nInternet and steps I believe we must take to better protect our \ncritical systems from future attacks.\nThe current state of Internet security is cause for concern. \nVulnerabilities associated with the Internet put users at risk. \nSecurity measures that were appropriate for mainframe computers and \nsmall, well-defined networks inside an organization are not effective \nfor the Internet, a complex, dynamic world of interconnected networks \nwith no clear boundaries and no central control. Security issues are \noften not well understood and are rarely given high priority by many \nsoftware developers, vendors, network managers, or consumers.\nGovernment, commercial, and educational organizations depend on \ncomputers to such an extent that day-to-day operations are \nsignificantly hindered when the computers are ``down.'' Currently many \nof the day-to-day operations depend upon connections to the Internet, \nand new connections are continuously being made to the Internet. Use of \nthe Internet enhances the ability of organizations to conduct their \nactivities in a cost-effective and efficient way. However, along with \nincreased capability and dependence comes increased vulnerability. It \nis easy to exploit the many security holes in the Internet and in the \nsoftware commonly used in conjunction with it; and it is easy to \ndisguise or hide the true origin and identity of the people doing the \nexploiting. Moreover, the Internet is easily accessible to anyone with \na computer and a network connection. Individuals and organizations \nworldwide can reach any point on the network without regard to national \nor geographic boundaries.\nComputers have become such an integral part of American business and \ngovernment that computer-related risks cannot be separated from general \nbusiness, health, and privacy risks. 
Valuable government and business \nassets are now at risk over the Internet. For example, customer and \npersonnel information may be exposed to intruders. Financial data, \nintellectual property, and strategic plans may be at risk. The \nwidespread use of databases leaves the privacy of individuals at risk. \nIncreased use of computers in safety-critical applications, including \nthe storage and processing of medical records data, increases the \nchance that accidents or attacks on computer systems can cost people \ntheir lives.\nTechniques that have worked in the past for securing isolated systems \nare not effective in the world of unbounded networks, mobile computing, \ndistributed applications, and dynamic computing that we live in today. \nToday there is rapid movement toward increased use of interconnected \nnetworks for a broad range of activities, including commerce, \neducation, entertainment, operation of government, and supporting the \ndelivery of health and other human services. Although this trend \npromises many benefits, it also poses many risks. In short, \ninterconnections are rapidly increasing and opportunities to exploit \nvulnerabilities in the interconnected systems are increasing as well.\n2. Key Factors in the Current State of Internet Security\nThe current state of Internet security is the result of many factors. A \nchange in any one of these can change the level of Internet security \nand survivability.\n<bullet> We are connecting everything with everything else. Because of \nthe dramatically lower cost of communication and ease of connecting to \nthe Internet, use of the Internet is replacing other forms of \nelectronic communication. As critical infrastructure operators strive \nto improve their efficiency and lower costs, they are connecting \nformerly isolated systems to the Internet to facilitate remote \nmaintenance functions and improve coordination across distributed \nsystems. 
Operations of the critical infrastructures are becoming \nincreasingly dependent on the Internet and are vulnerable to Internet \nbased attacks.\n<bullet> Cyber space and physical space are becoming one. Most \nthreatening of all is the link between cyber space and physical space. \nSupervisory control and data acquisition (SCADA) systems and other \nforms of networked computer systems have for years been used to control \npower grids, gas and oil distribution pipelines, water treatment and \ndistribution systems, hydroelectric and flood control dams, oil and \nchemical refineries, and other physical systems. Increasingly, these \ncontrol systems are being connected to communications links and \nnetworks to reduce operational costs by supporting remote maintenance, \nremote control, and remote update functions. These computer-controlled \nand network-connected systems are potential targets of individuals bent \non causing massive disruption and physical damage. This is not just \ntheory; actual attacks have caused major operational problems. Attacks \nagainst wastewater treatment systems in Australia, for example, led to \nthe release of hundreds of thousands of gallons of sludge.\n<bullet> There is a continuing movement to distributed, client-server, \nand heterogeneous configurations. As the technology is being \ndistributed, the management of the technology is often distributed as \nwell. In these cases, system administration and management often fall \nupon people who do not have the training, skill, resources, or interest \nneeded to operate their systems securely.\n<bullet> The Internet is becoming increasingly complex and dynamic, but \namong those connected to the Internet there is a lack of adequate \nknowledge about the network and about security. The rush to the \nInternet, coupled with a lack of understanding, is leading to the \nexposure of sensitive data and risk to safety-critical systems. 
\nMisconfigured or outdated operating systems, mail programs, and Web \nsites result in vulnerabilities that intruders can exploit. Just one \nnaive user with an easy-to-guess password increases an organization's \nrisk.\n<bullet> There is little evidence of improvement in the security \nfeatures of most products; developers are not devoting sufficient \neffort to apply lessons learned about the sources of vulnerabilities. \nThe CERT Coordination Center routinely receives reports of new \nvulnerabilities. In 1995 we received an average of 35 new reports each \nquarter, 140 for the year. By 2002, the number of annual reports \nreceived had skyrocketed to over 4000. We continue to see the same \ntypes of vulnerabilities in newer versions of products that we saw in \nearlier versions. Technology evolves so rapidly that vendors \nconcentrate on time to market, often minimizing that time by placing a \nlow priority on security features. Until their customers demand \nproducts that are more secure, the situation is unlikely to change.\n<bullet> When vendors release patches or upgrades to solve security \nproblems, organizations' systems often are not upgraded. The job may be \ntoo time-consuming, too complex, or just at too low a priority for the \nsystem administration staff to handle. With increased complexity comes \nthe introduction of more vulnerabilities, so solutions do not solve \nproblems for the long term--system maintenance is never-ending. Because \nmanagers do not fully understand the risks, they neither give security \na high enough priority nor assign adequate resources. Exacerbating the \nproblem is the fact that the need for system administrators with strong \nsecurity skills far exceeds the supply.\n<bullet> Engineering for ease of use is not being matched by \nengineering for ease of secure administration. 
Today's software \nproducts, workstations, and personal computers bring the power of the \ncomputer to increasing numbers of people who use that power to perform \ntheir work more efficiently and effectively. Products are so easy to \nuse that people with little technical knowledge or skill can install \nand operate them on their desktop computers. Unfortunately, it is \ndifficult to configure and operate many of these products securely. \nThis gap leads to increasing numbers of vulnerable systems.\n<bullet> As we face the complex and rapidly changing world of the \nInternet, comprehensive solutions are lacking. Among security-conscious \norganizations, there is increased reliance on ``silver bullet'' \nsolutions, such as firewalls and encryption. The organizations that \nhave applied a ``silver bullet'' are lulled into a false sense of \nsecurity and become less vigilant, but single solutions applied once \nare neither foolproof nor adequate. Solutions must be combined, and the \nsecurity situation must be constantly monitored as technology changes \nand new exploitation techniques are discovered.\n<bullet> Compared with other critical infrastructures, the Internet \nseems to be a virtual breeding ground for attackers. Although some \nattacks seem playful (for example, students experimenting with the \ncapability of the network) and some are clearly malicious, all have the \npotential of doing damage. Unfortunately, Internet attacks in general, \nand denial-of-service attacks in particular, remain easy to accomplish, \nhard to trace, and a low risk to the attacker. While some attacks \nrequire technical knowledge--the equivalent to that of a college \ngraduate who majored in computer science--many other successful attacks \nare carried out by technically unsophisticated intruders. Technically \ncompetent intruders duplicate and share their programs and information \nat little cost, thus enabling novice intruders to do the same damage as \nthe experts. 
In addition to being easy and cheap, Internet attacks can \nbe quick. In a matter of seconds, intruders can break into a system; \nhide evidence of the break-in; install their programs, leaving a ``back \ndoor'' so they can easily return to the now-compromised system; and \nbegin launching attacks at other sites.\n<bullet> Attackers can lie about their identity and location on the \nnetwork. Information on the Internet is transmitted in packets, each \ncontaining information about the origin and destination. Senders \nprovide their return address, but they can lie about it. Most of the \nInternet is designed merely to forward packets one step closer to their \ndestination with no attempt to make a record of their source. There is \nnot even a ``postmark'' to indicate generally where a packet \noriginated. It requires close cooperation among sites and up-to-date \nequipment to trace malicious packets during an attack. Moreover, the \nInternet is designed to allow packets to flow easily across \ngeographical, administrative, and political boundaries. Consequently, \ncooperation in tracing a single attack may involve multiple \norganizations and jurisdictions, most of which are not directly \naffected by the attack and may have little incentive to invest time and \nresources in the effort. This means that it is easy for an adversary to \nuse a foreign site to launch attacks at U.S. systems. The attacker \nenjoys the added safety of the need for international cooperation in \norder to trace the attack, compounded by impediments to legal \ninvestigations. We have seen U.S.-based attacks on U.S. sites gain this \nsafety by first breaking into one or more non-U.S. sites before coming \nback to attack the desired target in the U.S.\n3. Categories of vulnerabilities\nProtecting any complex system (hardware, software, people, and physical \nplant) and insuring its successful operation in the face of attacks, \naccidents and failures is a difficult task. 
Vulnerabilities (weaknesses \nthat can be exploited to compromise the operation of the system) can \ncreep into the system in a variety of areas. Deciding which \nvulnerabilities really matter and effectively dealing with them, are \nkey steps in an organization's risk management process.\nFor discussion, it is useful to separate sources of vulnerability into \ntwo major categories: weaknesses in the information technology (IT) \nproducts as supplied by the vendor(s); and weakness in the ways \norganizations manage and use the technology.\nIT Product Vulnerabilities\n    As stated above, the number of vulnerabilities in IT products \ndiscovered each year is increasing dramatically: from 140 reported to \nthe CERT/CC in 1995 to 4,129 reported in 2002. Each vulnerability \nrepresents a weakness in a product that can be exploited in some way to \nhelp an attacker achieve the objective of compromising a system.\n    Some of these vulnerabilities are deep-seated and difficult to \ncorrect because they are the result of architecture and design \ndecisions that were made early in the product's development cycle (e.g. \noperating system architectures that allow the unconstrained execution \nof application software and thereby allow the easy propagation of \nviruses). In these cases, the vulnerabilities can only be removed by \nchanging the basic architecture of the product. These types of \nfundamental changes often have consequences that affect other aspects \nof the product's operation. In some cases these side effects will cause \napplications that inter-operate with the product to ``break'' (i.e. the \nnew version of the product is no longer compatible with earlier \nversions and users may need to rewrite their applications). These types \nof vulnerability are typically long-lived and product users must find \nsome other way to protect themselves from attacks that attempt to \nexploit the vulnerability (e.g. 
invest in anti-virus software in order \nto detect and remove viruses before they operate on the vulnerable \nsystem).\nOther vulnerabilities are easier to correct since they are the result \nof low-level design decisions or implementation errors (bugs in the \nprograms). It is often the case that these types of vulnerability, \nonce discovered, can quickly be corrected by the vendor and the \ncorrections (oftentimes called ``patches'') made available to the \ncustomers. However, even though the corrections may be available \nquickly, it is not always the case that they can be deployed quickly. \nSystem operators need to insure that the corrections do not have \nunintended side-effects on their systems and typically test the \ncorrections before deployment. Also, in the case of a widely used \nproduct, system operators must often update the software used in \nthousands of computers to deploy the correction. This in itself is a \nlabor intensive and time consuming task.\nIn either case, IT product vulnerabilities are often long-lived with \nmany Internet connected systems vulnerable to a particular form of \nattack many months after vendors produce corrections to the \nvulnerability that was exploited by the attack.\nWeaknesses in Management and Operational Practice\nThe second major category of vulnerability includes weaknesses in the \nmanagement and operational practices of system operators. 
Factors that \nlead to weaknesses in operational practices include things like:\n        <bullet> Lack of, ambiguous or poorly enforced organizational \n        security policies and regulations; security roles and \n        responsibilities that are not clearly defined or lack of \n        accountability\n        <bullet> Failure to account for security when outsourcing IT \n        services\n        <bullet> Lack of security awareness training for all levels of \n        staff\n        <bullet> Poor account management or password management by all \n        users\n        <bullet> Poor physical security leading to open access to \n        important computers and network devices\n        <bullet> Weak configuration management practices that allow for \n        vulnerable configurations\n        <bullet> Weak authentication practices that allow attackers to \n        masquerade as valid system users\n        <bullet> Lack of vulnerability management practices that \n        require system administrators to quickly correct important \n        vulnerabilities\n        <bullet> Failure to use strong encryption when transmitting \n        sensitive information over the network.\n        <bullet> Lack of monitoring and auditing practices that can \n        detect attacker behavior before damage is done.\nWeaknesses in any of these areas open the doors for attackers and give \nthem opportunities to take advantage of the weaknesses to achieve their \ngoals. Managing the risk associated with this category of vulnerability \nrequires that organizations dedicate resources to the risk management \ntask. Operations must be continuously assessed and corrective actions \ntaken when needed.\n4. Recommended Actions\nWorking our way out of the vulnerable position we are in requires a \nmulti-pronged approach that helps us deal with the escalating near-term \nproblem while at the same time building stronger foundations for the \nfuture. 
The work that must be done includes achieving these changes:\n        <bullet> Higher quality information technology products with \n        security mechanisms that are better matched to the knowledge, \n        skills, and abilities of today's system managers, \n        administrators, and users\n        <bullet> Wider adoption of risk analysis and risk management \n        policies and practices that help organizations identify their \n        critical security needs, assess their operations and systems \n        against those needs, and implement security improvements \n        identified through the assessment process\n        <bullet> Expanded research programs that lead to fundamental \n        advances in computer security\n        <bullet> A larger number of technical specialists who have the \n        skills needed to secure large, complex systems\n        <bullet> Increased and ongoing awareness and understanding of \n        cyber-security issues, vulnerabilities, and threats by all \n        stakeholders in cyber space\nHigher quality products: In today's Internet environment, a security \napproach based on ``user beware'' is unacceptable. The systems are too \ncomplex and the attacks happen too fast for this approach to work. \nFortunately, good software engineering practices can dramatically \nimprove our ability to withstand attacks. The solutions required are a \ncombination of the following:\n        <bullet> Virus-resistant/virus-proof software--There is nothing \n        intrinsic about digital computers or software that makes them \n        vulnerable to viruses, which propagate and infect systems \n        because of design choices that have been made by computer and \n        software designers. Designs are susceptible to viruses and \n        their effects when they allow the import of executable code, in \n        one form or another, and allow the unconstrained execution of \n        that code on the machine that received it. 
Unconstrained \n        execution allows code developers to easily take full advantage \n        of a system's capabilities, but does so with the side effect of \n        making the system vulnerable to virus attack. To effectively \n        control viruses in the long term, vendors must provide systems \n        and software that constrain the execution of imported code, \n        especially code that comes from unknown or untrusted sources. \n        Some techniques to do this have been known for decades. Others, \n        such as ``sandbox'' techniques, are more recent.\n        <bullet> Reducing implementation errors by at least two orders \n        of magnitude--Most vulnerabilities in products come from \n        software implementation errors. They remain in products, \n        waiting to be discovered, and are fixed only after they are \n        found while in use. Worse, the same flaws continue to be \n        introduced in new products. Vendors need to be proactive, and \n        adopt known, effective software engineering practices that \n        dramatically reduce the number of flaws in software products.\n        <bullet> High-security default configurations--With the \n        complexity of today's products, properly configuring systems \n        and networks to use the strongest security built into the \n        products is difficult, even for people with strong technical \n        skills and training. Small mistakes can leave systems \n        vulnerable and put users at risk. Vendors can help reduce the \n        impact of security problems by shipping products with ``out of \n        the box'' configurations that have security options turned on \n        rather than require users to turn them on. 
The users can change \n        these ``default'' configurations if desired, but they would \n        have the benefit of starting from a secure base.\nTo encourage product vendors to produce the needed higher quality \nproducts, we encourage the government to use its buying power to demand \nhigher quality software. The government should consider upgrading its \ncontracting processes to include ``code integrity'' clauses, clauses \nthat hold vendors more accountable for defects in released products. \nIncluded here as well are upgraded acquisition processes that place \nmore emphasis on the security characteristics of systems being \nacquired. In addition, to support these new processes, training \nprograms for acquisition professionals should be developed that provide \ntraining not only in current government security regulations and \npolicies, but also in the fundamentals of security concepts and \narchitectures. This type of skill building is needed in order to ensure \nthat the government is acquiring systems that meet the spirit, as well \nas the letter, of the regulations.\nWider adoption of security practices: With our growing dependence on \ninformation networks and with the rapid changes in network technology \nand threats, it is critical that more organizations, large and small, \nadopt the use of effective information security risk assessments, \nmanagement policies, and practices. While there is often discussion and \ndebate over which particular body of practices might be in some way \n``best,'' it is clear that descriptions of effective practices and \npolicy templates are widely available from both government and private \nsources such as the National Institute of Standards and Technology, the \nNational Security Agency, and other agencies. 
What is often missing \ntoday is management commitment: senior management's visible endorsement \nof security improvement efforts and the provision of the resources \nneeded to implement the required improvements.\n\nExpanded research in information assurance: It is critical to maintain \na long-term view and invest in research toward systems and operational \ntechniques that yield networks capable of surviving attacks while \nprotecting sensitive data. In doing so, it is essential to seek \nfundamental technological solutions and to seek proactive, preventive \napproaches, not just reactive, curative approaches.\n\nThus, the research agenda should seek new approaches to system \nsecurity. These approaches should include design and implementation \nstrategies, recovery tactics, strategies to resist attacks, \nsurvivability trade-off analysis, and the development of security \narchitectures. Among the activities should be the creation of\n        <bullet> A unified and integrated framework for all information \n        assurance analysis and design\n        <bullet> Rigorous methods to assess and manage the risks \n        imposed by threats to information assets\n        <bullet> Quantitative techniques to determine the cost/benefit \n        of risk mitigation strategies\n        <bullet> Systematic methods and simulation tools to analyze \n        cascade effects of attacks, accidents, and failures across \n        interdependent systems\n        <bullet> New technologies for resisting attacks and for \n        recognizing and recovering from attacks, accidents, and \n        failures\nIn this research program, special emphasis should be placed on the \noverlap between the cyber world and the physical world, and the \nanalysis techniques developed should help policy and decision makers \nunderstand the physical impact and disruption of cyber attacks alone or \nof cyber attacks launched to amplify the impact of concurrent physical \nattacks.\nMore technical 
specialists: Government identification and support of \ncyber-security centers of excellence and the provision of scholarships \nthat support students working on degrees in these universities are \nsteps in the right direction. The current levels of support, however, \nare far short of what is required to produce the technical specialists \nwe need to secure our systems and networks. These programs should be \nexpanded over the next five years to build the university \ninfrastructure we will need for the long-term development of trained \nsecurity professionals.\nMore awareness and training for Internet users: The combination of easy \naccess and user-friendly interfaces has drawn users of all ages and \nfrom all walks of life to the Internet. As a result, many Internet \nusers have little understanding of Internet technology or the security \npractices they should adopt. To encourage ``safe computing,'' there are \nsteps we believe the government could take:\n        <bullet> Support the development of educational material and \n        programs about cyberspace for all users. There is a critical \n        need for education and increased awareness of the security \n        characteristics, threats, opportunities, and appropriate \n        behavior in cyberspace. Because the survivability of systems is \n        dependent on the security of systems at other sites, fixing \n        one's own systems is not sufficient to ensure those systems \n        will survive attacks. Home users and business users alike need \n        to be educated on how to operate their computers most securely, \n        and consumers need to be educated on how to select the products \n        they buy. Market pressure, in turn, will encourage vendors to \n        release products that are less vulnerable to compromise.\n        <bullet> Support programs that provide early training in \n        security practices and appropriate use. 
This training should be \n        integrated into general education about computing. Children \n        should learn early about acceptable and unacceptable behavior \n        when they begin using computers just as they are taught about \n        acceptable and unacceptable behavior when they begin using \n        libraries.\\1\\ Although this recommendation is aimed at \n        elementary and secondary school teachers, they themselves need \n        to be educated by security experts and professional \n        organizations. Parents need to be educated as well and should \n        reinforce lessons in security and behavior on computer \n        networks.\n---------------------------------------------------------------------------\n    \\1\\ National Research Council, Computers at Risk: Safe Computing in \nthe Information Age, National Academy Press, 1991, recommendation 3c, \np. 37.\n\n5. Conclusion\nInterconnections across and among cyber and physical systems are \nincreasing. Our dependence on these interconnected systems is also \nrapidly increasing, and even short-term disruptions can have major \nconsequences. Cyber attacks are cheap, easy to launch, difficult to \ntrace, and hard to prosecute. Cyber attackers are using the \nconnectivity to exploit widespread vulnerabilities in systems to \nconduct criminal activities, compromise information, and launch denial-\nof-service attacks that seriously disrupt legitimate operations.\nReported attacks against Internet systems are almost doubling each year \nand attack technology will evolve to support attacks that are even more \nvirulent and damaging. Our current solutions are not keeping pace with \nthe increased strength and speed of attacks, and our information \ninfrastructures are at risk. Solutions are not simple, but must be \npursued aggressively to allow us to keep our information \ninfrastructures operating at acceptable levels of risk. 
However, we can \nmake significant progress by making changes in software design and \ndevelopment practices, increasing the number of trained system managers \nand administrators, improving the knowledge level of users, and \nincreasing research into secure and survivable systems. Additional \ngovernment support for research, development, and education in computer \nand network security would have a positive effect on the overall \nsecurity of the Internet.\n\n    Mr. Thornberry. Our final witness is Allan Paller, Director \nof Research at the SANS Institute of Cooperative Research, an \norganization that delivers education to people who secure and \nmanage important information systems. As the others, we will \ninclude your full statement as part of the record, and you are \nnow recognized to summarize it. Thank you again for being here.\n\n   STATEMENT OF ALLAN PALLER, DIRECTOR OF RESEARCH, THE SANS \n                           INSTITUTE\n\n    Mr. Paller. Thank you, Mr. Chairman. It is an honor to be \nhere, but I think we are even more thankful that someone of \nyour insight and foresight is chairing this subcommittee. I am \nnot sure the other witnesses here know that 6 months before \nSeptember 11th, you actually put a bill in the hopper to form a \nDepartment of Homeland Security to bring together the Federal \ninitiatives, and you spoke eloquently of the technical \ndimension. 
I am hoping that others get it earlier on this issue \nof cybersecurity than we all did on physical security and that \nwe get the connections right; and with your partner here, \nCongresswoman Lofgren, who represents easily the highest \nconcentration of security expertise anywhere in the world, and \ncomputer companies, and has shown real leadership on cyber \nissues--I think this could be a wonderful change in \npolicymaking in government, and we are looking forward to it.\n    With that as an introduction, we at SANS train the system \nand network administrators--38,000 of them--on the front lines, \nand so we feel the pain when these attacks come. So my job is \nboth to make some of what Bruce Schneier and Rich Pethia said \nreal in terms of real-world examples, but also to say where we \nhave succeeded and failed in trying to respond to them.\n    Five months ago today, we learned several big lessons with \na new worm, the fastest one ever. It was called Slammer, and it \nwas attacking machines--attacking addresses at the rate of 55 \nmillion every second, much faster than anything else had ever \ndone. So from that worm, we learned several things. One is that \nwe are in the middle of an arms race, that no matter how fast \nwe build defenses, the attackers are going to continue to build \nattacks. So this isn't a war we are going to finish and get on \nwith our lives. This is a war we are going to be fighting a \nlong time.\n    The second lesson is that government and industry \npartnerships actually work. We talk about them all the time as \nif they are important, but this was a case where it absolutely \nworked. I have written the details in my statement. But very \nbriefly, because the connections had already been established \nand the trust relationships were already in place between some \nof the leaders in homeland security and the private companies \nthat are getting attacked, there was instantaneous \ncommunication. 
They got together, got the word out fast enough, \nand protected a lot of people. So that was a very good example \nof where the public/private partnership can pay off and where \nhomeland security certainly gets an 'A'. We also learned the \nlimits to public/private partnerships, and I laid those out in \nmy written testimony.\n    Another lesson we learned is that the physical \ninfrastructure really is connected to the cyber structure. I am \nnot sure if people believed that before. They thought, OK, \ncyber attack. So my Web site went out. Who cares? It is just \nkids, right? But in this attack, the Bank of America ATM \nmachines stopped serving up money. If you had asked Bank of \nAmerica before that event ``Are your ATM machines connected to \nthe Internet?'', the answer was no, and yet they stopped. \nContinental Airlines couldn't schedule flights. Microsoft \ncouldn't even get its XPs authorized. You use that service to \nregister your new software. They couldn't do that because of \nthe attack. And Seattle's 911 system stopped answering. This is \nthe physical system. This is the critical infrastructure, and \nit is directly connected to the cyber network, and vulnerable \nto cyber attacks. So that was an education for us.\n    The fourth lesson that we learned, and I think the shocker, \nwas that computer savvy organizations like Bank of America and \nMicrosoft couldn't protect themselves. What Bruce and Rich were \nsaying about the software being bad. It was so bad that the \ncompany that made the software that was being attacked, \nMicrosoft, couldn't protect itself. So we are in a situation \nwhere users are getting software and hardware that is so hard \nto protect, that even the people who make it can't protect \nthemselves. I think those lessons are useful.\n    The DHS provided some leadership in another area, and \nCongressman Turner pointed it out in a speech he made at CSIS, \nI think last week. 
This is a fascinating good thing that is \nhappening, another 'A' for DHS. A consensus of a group of \ngovernment agencies [the National Security Agency and NIST and \nDHS] and private companies, companies from Intel to Mrs. \nField's Cookies are getting together to agree on what it means \nto have a safe system. That is important because if you don't \nagree on it, the vendors can't deliver it. If you have 50 \npeople all arguing about what a secure system is, the vendors \nare stuck. Because of that user agreement, Dell was able to \nannounce at the FTC hearings on June 4th--and Congressman \nTurner pointed this out publicly for the first time--that they \nwould start delivering safely configured systems. We are hoping \nthat is the first ``Volvo''. Remember, Volvo started delivering \nsafe cars, and every other car company said, ``Sure, if the \npublic wants safe cars, we will start delivering safe cars.'' \nWe are hoping that Dell's announcement is the beginning of a \nmovement of vendors to start delivering systems that can be \nkept secure. It is going to be hard, as Rich pointed out. It is \nnot a ``3 weeks and we are done project,'' but it is a \nbeginning.\n    You also asked a couple of other questions. You asked about \nlosses from these attacks; and you asked how we measure them? \nIn February of 2000, MafiaBoy attacked eBay and Yahoo and also \ntook down CNN and Dell. I was the expert witness in the \nMafiaBoy trial in Canada, so I have more data about it than I \notherwise would. I saw the data about exactly what the victims \nsaid the attack cost them--it was confidential, but it went \ninto the record. Remember that they were all hit exactly the \nsame way. They were all down for about the same amount of time. \nThey were all big organizations selling things on the Internet. \nSo you would think that the estimates/damage would be nearly \nthe same. They weren't. 
They ranged from zero to a few thousand \ndollars to one that said $5 million.\n    So when you try to estimate how much did this attack cost, \nwhich one are you going to use? Are you going to multiply \nthe number of companies attacked by 5 million or zero? Until we \nhave a protocol for defining what we mean by the costs of an \nattack, we are not going to get answers that you are going to \nlike.\n    One of the things you can do to help is to ask DHS to \ncreate such a protocol; how are we going to define the cost?\n    You also asked about simulations and exercises in your \nletter. We haven't done much in simulations, so we don't know \nhow good they are. But we know exercises matter in this area of \ndisaster recovery. In this very institution, a fire drill found \nthat people turned the fire drill horns off in the computer \nroom. So when the fire drill went off, nobody in the computer \nroom did anything. You need to test emergency plans, or you \nwill never know what is wrong.\n    The more important thing that can happen in tests is that \nmayors and governors, the first responders, would get to know \nthe cyber people, and both groups would learn each other's \nneeds a little bit, and they won't have to exchange cards after \nthe attack comes. So I think the key benefit is that kind of \nsharing.\n    I want to close with a clarification of something that \nBruce put in his written testimony--I was sort of hoping he \nwould say it in his oral testimony so I could respond directly \nto it--but he didn't. In his statement he described an attack \nby Vitek Boden on the sewage system of Maroochy Shire in \nAustralia. Boden got into the computer system. He changed the \nvalve settings. He put back pressure on the sewage system, and \nhuman waste rose up in the streets of the city, like it does in \nyour sink. People who lived there said it felt like they were \nliving in a toilet. 
But Bruce pointed out that a bird landed on \na transformer a few weeks later and did more damage than Vitek \nBoden had done, so we shouldn't think about cyber attacks as \ncyber terrorism. We are going to have much more likelihood of \nphysical damage from terrorist attack than from a cyber attack. \nThat is absolutely true. But the difference between Boden's \nattack and the bird's accident is the bird isn't sitting around \nplanning how to automate the attack. The bird isn't sitting \naround loading up software, analyzing it. The bird isn't \ntesting, deciding how much damage it can do. The bird doesn't \nwant to hurt us.\n    We have seen, as you heard from the other witnesses, that \nthe attacks are getting worse. They are getting worse at a rate \nof, I think, close to an order of magnitude each year and a \nhalf. The bird isn't getting that much better, but the Vitek \nBodens of the world are getting that much better, and I think \nwe ought to be ready.\n    Thank you for your time.\n    Mr. Thornberry. Lots of subject matter for further \ndiscussion, which I suspect we will get to.\n    [The statement of Mr. Paller follows:]\n\n                   PREPARED STATEMENT OF ALAN PALLER\n\nChairman Thornberry, Congresswoman Lofgren, distinguished Members of \nthe Committee, I appreciate the opportunity to appear before you today. \nIt is particularly gratifying to us in the cybersecurity field, Mr. \nChairman, that a person with your foresight, vision and leadership in \nhomeland security has decided to take on the challenges of \ncybersecurity. I am not sure whether my colleagues are aware that six \nmonths before the September 11, 2001 attack, you introduced a bill in \nthe House of Representatives that called for consolidating the federal \nagencies responsible for protecting our homeland. You saw the threat \nclearly; you spoke eloquently of the technological dimension, but it \ntook a major attack before others were able to share your vision. 
I am \nvery hopeful that in the cybersecurity field progress can be made more \nquickly. With your leadership and that of Congresswoman Lofgren, who \nhas been one of the most effective Members of Congress on high tech \nissues and whose district includes one of the largest concentrations of \ncomputer companies and cyber security expertise anywhere in the world, \nCongress can help the Department of Homeland Security lead a rapid \neffort to reduce this nation's vulnerability to cyber attacks, turn the \ntide against cyber attackers, and increase our speed and effectiveness \nin responding to and recovering from the attacks that do succeed.\nMy name is Alan Paller and I am director of research at the SANS \nInstitute. SANS is an educational institution. Last year, more than \n14,000 system administrators and computer security professionals, from \nnearly every government agency and large commercial organization in the \nUS and from 42 other countries, spent a week or more in SANS immersion \ntraining. They learned the details of attacks that will likely be \nlaunched against them, learned how to build and manage defenses for \nthose attacks, and learned how to respond once an attack has occurred. \nSANS' 38,000 alumni are on the front lines in the fight against cyber \nattacks. Once they have returned to work, we continue to support them \nand more than 120,000 of their coworkers with early warnings of new \nattacks, weekly summaries of new vulnerabilities and a research program \nthat makes available more than 1,400 timely security research briefs.\nIn 2001, SANS created the Internet Storm Center, a powerful tool for \ndetecting rising Internet threats. Storm Center uses advanced data \ncorrelation and visualization techniques to analyze data collected from \nmore than 2,000 firewalls and intrusion detection systems in dozens of \ncountries. Experienced analysts constantly monitor the Storm Center \ndata feeds and search for anomalies. 
When a threat is detected, the \nteam immediately begins an extensive investigation to gauge the \nthreat's severity and impact. Critical alerts are disseminated to the \npublic via email and through the online press.\nIn my remarks today, I will share some of the successes and failures of \nthe defensive community in responding to large cyber attacks, and I'll \nsuggest ways that the lessons we learned might lead to effective \ninitiatives for the Department of Homeland Security in improving \nresponse, recovery, and prevention.\nFive months ago today, the Slammer worm attacked computers running \nMicrosoft's widely used database management system. A worm, for those \nnot steeped in the jargon of cyber security, is a malicious program \nthat spreads from computer to computer without requiring users to take \nany action at all. Slammer represented a significant advance in attack \ntechnology. At its peak it was scanning 55,000,000 systems per second \nand that was 100 times as fast as Code Red scanned in July, 2001. \nSlammer infected 90% of the systems that were vulnerable in the first \nten minutes of the attack and ultimately infected a total of 75,000 \nhosts. Slammer reminded the defensive community that we are engaged in \nan arms race with the attackers--one the attackers are likely to \ncontinue for many years. It did not contain a destructive payload; if \nit had, thousands of organizations would have lost valuable data.\nSlammer's high intensity scanning continued to wreak havoc for days. It \nsurprised many people when it showed them that the computer systems \nthat make up the nation's critical infrastructure for banking and \ntransportation and emergency management--that some naively presumed to \nbe somehow separate and isolated--are actually connected to the \nInternet and can be significantly affected by Internet attacks. 
For \nexample, because of Slammer, Bank of America's ATM machines stopped \ndispensing money, Seattle's emergency 911 system stopped working, \nContinental Airlines had to cancel some flights because its electronic \ncheck-in system had problems, and Microsoft couldn't activate user \nlicenses for Windows XP. Those were just a sample of the more high \nprofile problems. Many other organizations were damaged by Slammer, but \nthey managed to stay out of the press. The cult of secrecy that \nsurrounds cyber attacks is part of the challenge we face in determining \ncosts and in helping people recover.\nOn a more positive note, Slammer brought our focus back to two valuable \nlessons. The first, learned in the summer of 2001 as we responded to \nthe Code Red worm:\n\n1. Federal and private security specialists, working together, can \ncreate a synergy that doesn't appear to exist when they act separately.\nSlammer did a lot of damage, but it did much less damage than it would \nhave if government and private industry had not worked together to \nfight it. A team of private sector experts from large internet service \nproviders (ISPs) discovered the worm when it started flooding their \nnetworks. Within minutes they contacted technical experts in government \nand CERT/CC (Computer Emergency Response Team Coordination Center), and \nthose three groups joined forces to analyze the problem. They learned \nthat the worm targeted a specific entry point on each computer, and \nthat they could stop most of the damage it was doing by blocking \ntraffic to that entry point. 
The ISPs reconfigured their networks to \nstop all network traffic destined for the worm's target entry point, \nand their customers--at least the ones that did not have their own \ninfected systems--stopped feeling the pain.\nFor Slammer, early discovery, effective analysis and widespread \nnotification led to immediate extensive filtering of the worm traffic, \nand that action protected many organizations from being overwhelmed. \nThis worked so well on Slammer that one might well ask why we do not \nuse the same approach on all large, automated attacks. The answer is \nthat two barriers get in the way and both can be eased by Department of \nHomeland Security initiatives.\nThe first barrier is that the high speed filtering used for Slammer \ndoes not work for many other attacks. Slammer exploited a special path \nthat could be blocked easily by existing network routers, without \nharming valid traffic. The Code Red worm, on the other hand, exploited \nthe path universally used to request web pages. Anyone who blocked that \npath would stop all web traffic to their site. For an organization that \nuses the web for business purposes, blocking that path could inflict \nmore damage than the worm could cause. To filter for Code Red and other \nworms that use popular paths, the network infrastructure used by large \ncompanies and ISPs needs to be upgraded so that it can selectively \nblock malicious traffic. That type of high-speed, intelligent filtering \nis not yet widely available from the network equipment manufacturers. \nThe Department of Homeland Security could help speed the availability \nof high speed filtering routers through research support and targeted \nprocurement.\nThe second barrier is that the government and the rest of the defensive \ncommunity cannot respond to attacks if they do not know that attacks \nare occurring. Slammer flooded huge numbers of systems, so it was easy \nto find. 
Attacks aimed at electric power grids or e-commerce sites or \nemergency response networks are not nearly as visible. Early warning \nfor targeted attacks is possible only if the first victims choose to \nreport the attacks rapidly. But just as people infected with \ncommunicable diseases are loath to make spectacles of themselves, so \nvictims of cyber attacks can see insufficient benefit in making their \npain public even to government officials who promise not to tell \nothers.\nHow can we increase prompt reporting on cyber attacks? Let's take a \ncloser look at the medical analogy. People who become sick, even with a \nhighly communicable disease, do not usually call the Center for Disease \nControl. But their doctors do make the call, and the doctors maintain \nthe confidentiality of their patients' identities. In the cyber defense \narena, consulting companies serve as doctors to help companies analyze \ncyber attacks and recover from them. This year, the Department of \nHomeland Security (DHS) is spending millions of dollars to create a \nCyber Warning Information Network (CWIN) that connects organizations \nactive in cyber defense so they can get early access to important \ninformation. To ensure the ``doctors'' report attacks to the DHS, the \nDepartment could require that organizations that want access to CWIN \nmust commit to providing immediate notification to DHS whenever they or \none of their clients is attacked, without naming the victim.\n\nSlammer also reminded us of another significant lesson we learned in \nresponding to Code Red and Slapper and many other worms:\n\n2. A severe shortage of individuals with technical security skills \ncombined with a lack of management focus on security issues, prevents \nmany organizations from fully recovering from attacks and improving \ntheir security. 
Better training is a partial solution, but joint action \nby government and industry to standardize security configurations and \nautomate patching is already having a much larger impact.\nMost attacks that do a lot of damage, like Slammer and Code Red, \nexploit vulnerabilities that are widely understood and for which \nremedies are known. Therefore it is surprising that two years after the \nCode Red worm swept through the Internet infecting vulnerable systems, \n30,000 of those systems are still infected and still searching for \nother systems to infect. The problem is that many organizations that \nown computers have no one who understands how to secure those \ncomputers. When we find a Code Red infected system and ask why it \nhasn't been fixed, we usually hear that the system owner didn't know \nthat it is attacking other systems and also that there is no one with \nsecurity skills available to fix it.\nEven large organizations are security-challenged. Slammer's victims \nincluded several huge security-sensitive organizations; Bank of America \nand Microsoft are examples. Their systems were flooded because \nvulnerable software had not been patched and because they had not \nconfigured their firewalls to block unwanted traffic from the Internet. \nIt is unreasonable to blame the software users in this case, because \nMicrosoft made installing this particular patch an arduous task, much \nmore difficult than installing the underlying software in the first \nplace. And most users and system administrators had never been told \nthey should block the offending traffic at the firewall.\nTraining is part of the answer. Security-savvy system administrators \nare very effective at keeping their systems running smoothly while \nmaintaining their defenses, and several large organizations are now \nrequiring all system administrators to demonstrate their mastery of \nsecurity as a prerequisite for getting control of the systems. 
However, \nmost computers are not managed by system administrators. They are \nmanaged by busy people with other responsibilities. I do not believe it \nis fair or wise to expect that every graduate student or scientist or \nlibrarian who tries to install a workstation should become a security \nexpert. And what about the grandparents and teenagers and all the other \npeople who simply want their computers to work? We cannot ask them to \ndevelop and maintain the technical security skills needed to configure \ntheir systems safely and keep them secure.\nA better solution is to remove the pain of security by centralizing and \nstandardizing safe configuration and security patching. Large \norganizations can do that themselves, as the Department of Energy and \nothers are demonstrating. But few other organizations have the time and \ntalent. Only the companies that sell computers and software are \npositioned to make security configuration and patching inexpensive and \neffective.\nHappily for all of us, vendors are beginning to recognize that security \nis a critical market need, and they are putting their development \ndollars to work to help their clients with security. Three weeks ago at \na Federal Trade Commission workshop, Dell announced it would sell \nWindows 2000 systems configured in accordance with consensus security \nbenchmarks, improving security and reducing the security burden for \nDell customers. Similarly, Oracle and the Department of Energy are \npartnering to deliver safe configurations of Oracle software to all \nusers at all Department of Energy laboratories and offices. Other \nOracle users will benefit as Oracle makes the safer version available \nto the general public. Both of these efforts were facilitated by an \nextraordinary public-private partnership involving the National \nSecurity Agency, the Defense Information Systems Agency, the Department \nof Energy, NIST, FedCIRC, SANS, and the Center for Internet Security \n(CIS). 
The CIS partnership has developed consensus benchmarks for safe \nconfiguration of many common operating systems and applications. Dell, \nfor example, said that they would not have been able to create the new \nsafer version of Windows 2000 without the work of the CIS partnership.\nAnd automated patch delivery is maturing. For example, Red Hat delivers \nsecurity updates for its software automatically as does Microsoft for \nsome of its Windows XP software.\nIt is common practice today for vendors to sell software and hardware \nwith insecure configurations. Most users are not security experts and \ntherefore are not aware of the configuration dangers, nor do they have \nthe knowledge to find and apply appropriate security patches. All that \nmeans that millions of computers are at risk, and each of those \nvulnerable systems can be used by attackers to launch major denial of \nservice attacks. With active leadership by the vendors and the federal \ngovernment, worms and automated attacks will be denied easy access to \nall these systems. So what can the Department of Homeland Security do \nto accelerate this beneficial trend? DHS can require its vendors to \ndeliver safe systems out of the box and ensure that patches are \ndelivered automatically. As other federal agencies and companies follow \nthe DHS lead, the market will reward vendors that take security burdens \noff their customers' shoulders.\n\nIn your letter of invitation, you also asked me to address the \nchallenges in estimating the damage done by cyber attacks and the \nstrengths and weaknesses of simulations and exercises for cyber \nsecurity. I'll answer both briefly because the general knowledge base \nabout both is limited.\n\nHow Much Do Cyber Attacks Cost The Victims?\nIn the MafiaBoy denial of service attack on eBay, Yahoo, Dell and \nseveral other marquee web sites in February of 2000, each victim \nconfidentially reported its actual losses to the FBI. 
I know a little \nabout that case because I was the expert witness for the prosecution in \nMafiaBoy's trial. The technical attack on each victim was basically \nidentical, and the outages were roughly the same length, but victims \nreported radically different estimates of damage. Their estimates \nranged from zero to $5,000,000 depending on whether they included lost \nrevenue, damage to reputation, management time, the direct costs of \nstaff involved in the investigation and recovery, or none of those. \nEstimating losses is much more of an art than a science.\nAnother example of the difficulty of estimating losses was illustrated \nby the Nimda worm that raged through the Internet seven days, nearly to \nthe minute, after the first airliner crashed into the World Trade \nCenter. I interviewed more than a dozen victims confidentially, and \nthey consistently told me the damage they incurred was between $300 and \n$700 per system--the actual cost of removing the infections from the \nsystems and reinstalling software and data. For 150,000 infected \nsystems, that adds up to about $75 million dollars. Yet within days of \nthe attack, an economics firm was telling the press that the price tag \nwas $835 million. Other people gave estimates exceeding $2 billion. \nBefore policy makers can rely on any damage assessments, a common \nprotocol for damage estimation is needed. DHS can help develop that \nprotocol.\n\nHow Important Are Simulations and Exercises?\nSimulations and exercises are both valuable for improving America's \neffectiveness in responding to cyber attacks. The mathematical models \nsimulating worms, created by organizations like CAIDA (Cooperative \nAssociation for Internet Data Analysis) at the University of \nCalifornia's San Diego Supercomputer Center, were instrumental in \ngiving policy makers effective projections of the numbers of systems \nthat would ultimately be infected by various worms. 
That kind of \nknowledge is extraordinarily valuable in the pressure cooker atmosphere \nof a worm infestation.\nSimulating attacks through real world exercises is just as important \nfor two reasons. The first reason is that emergency response systems \nrarely work as they were designed to operate. A few months ago a past \ndeputy director of the House Information Systems (now called House \nInformation Resource) told me a story about an exercise testing their \nfire emergency response plans. He wanted to ensure his organization \nwould respond appropriately if a fire broke out in the building, so he \nscheduled a fire drill. When the alarm went off, most people, following \npatterns most of us developed in grade school, left, but no one in the \ncomputer room reacted at all. In a real fire they would probably have \ndied. The problem: for some reason, in wiring the computer room, the \nelectricians disconnected the power to the horns that sounded alarms. \nThe computer room staff never heard the alarm. Without an exercise, no \none would have known.\nThe other reason to run exercises involves the cyber dimension of \nphysical attacks. Recall that in the aftermath of the September 11 \nattack, not only buildings were destroyed. The networks and systems of \nthe New York Stock Exchange and all of Wall Street were a shambles. \nWithout rapid reconstitution, the negative economic impact of the \nSeptember 11 attack would have been even greater than it was. Verizon \nstaff worked with the city's leaders 24 hours a day every day to \nrebuild the telephone and cyber networks needed to get trading \nrestarted on Wall Street. They did an extraordinary job under difficult \nconditions, and a substantial part of their success was made possible \nbecause Verizon had already built a strong relationship with the \nmayor's office and the emergency response teams through planning and \nexercising disaster recovery protocols. 
Most cyber teams have no such \nconnection with first responders and they need to know one another \nbefore an incident occurs.\nWe cannot have those groups exchanging business cards after an attack. \nThe first responders will do a better job of planning if they know the \ncyber experts who can help them recover their networks and the issues \nthose people will face when responding to emergencies. At the same \ntime, the cyber people will be better team members if they understand \nwhat the mayors and governors need and jointly develop the action \nplans. We need to give the cyber people a seat at the table when \nplanning for emergencies. These groups should learn from each other in \nadvance, test communication paths and their ability to work together, \nidentify problems and potential solutions, learn how long things take \nand how to speed them up. Exercises are the best way to make that \nhappen.\n\nWhat Can DHS Do?\nFinally, you asked about how the Department of Homeland Security should \nwork with the private sector in improving response and recovery. Let me \nsummarize two key suggestions that go beyond the recommendations I \ncovered earlier:\n\n1. A central goal of the Department's cyber initiative should be to \nprovide a single, technically savvy coordination point that the experts \ncan rally around in responding to major attacks. I have been extremely \nimpressed by the quality of people the Department has recruited to set \nup and run the new Cyber Security Tracking, Analysis, & Response Center \n(CSTARC). That group proved it can do extraordinary work in bringing \ntogether the public and private sector, both in responding to a \nvulnerability in sendmail and in the Slammer worm response. The key to \nCSTARC's long-term success is establishing a core group of very skilled \npeople who then build a network of experts inside and outside \ngovernment. 
Through exercises and responding to actual attacks, this \ncommunity of cyber first-responders can create protocols and allocate \nresponsibility for isolating malicious code, analyzing it, developing \nautomated diagnostic and repair tools, and disseminating the tools and \nknowledge to the right people very rapidly.\n2. As important as response and recovery are, prevention should have \nequal priority. DHS should allocate a large share of its time, \nattention, and budget to reducing the cyber vulnerabilities this nation \nfaces. DHS can help by encouraging and supporting development of \nconsensus benchmarks for safer configurations, but the Department's \ngreatest impact on vulnerability reduction will come from persuading \nvendors of software, hardware, and network services that the government \nis serious about buying and running safer systems. The federal \ngovernment is the only buyer large enough to get the attention of big \nvendors. DHS should make it clear, through both talk and action, that \nsuccess in selling to the federal government is contingent upon \ndelivering safely configured systems and automating the process of \nkeeping those systems secure over time.\nThank you again for inviting me today and for your leadership in \nholding these hearings. I would be happy to try to answer any questions \nyou might have.\n\n    Mr. Thornberry. Let me reserve my questions and turn to \nChairman Boehlert.\n    Mr. Boehlert. I thank all the witnesses for serving as \nresources. I really appreciate it. We have got a lot to learn. \nI am reminded of the story of the guy looking at his house \nburning down who turned around and said to the first person he \nsaw, Where do I buy a fire extinguisher?\n    I would agree with your analysis on the Chairman. He gets \nit. My concern is not enough people get it in positions of \nresponsibility. 
I think we are beginning to get it, and it is
appropriate that we have this meeting in this room, the Science
Committee room, because in January of 2001 we introduced the
Cybersecurity Research and Development Act, a very significant
undertaking calling for the authorization of a lot of money,
hundreds of millions of dollars, at a time when we are
struggling to keep the budget balanced.
    But quite frankly the response, except for people who get
it--and Mr. Smith right next to me gets it--the response was a
muffled yawn; oh, we have got other things, bigger items on our
agenda. 9/11 came. Then the House passed this new multimillion
dollar--hundred million dollar authorization by a vote of,
like, 400 to 12. There were 12 that still don't get it.
    So now we have this Cybersecurity Research and Development
Act. We now have an agency with responsibility for coordinating
the cybersecurity efforts of the Federal Government, the
National Science Foundation. We have NIST engaged. DHS is
engaged.
    My question is, do you think enough people in this town get
it? I know the President does. He couldn't add his signature
fast enough to that legislation that we passed, but still we
had these massive authorizations, and the appropriations that
are following are minimal.
    And Dr. McCrery over at DHS, I mean, part of the education
process with him, the new Under Secretary for Research and
Development, they have got to devote more resources to
cybersecurity, because you can't build a building on the tenth
floor. You have got to start with the foundation. We don't have
students in our great universities with advanced-degree
capability dealing with cybersecurity. There are a whole lot of
problems. Do you think that people in this town are beginning
to get it? Not fast enough, but beginning to get it?
    Mr. Paller.
I get asked frequently ``How can I get the
President of my company to pay attention to security?'' It
happens often. I had two speeches yesterday and it came up in
both of the speeches.
    Executives get it, but they don't internalize it, because
it hasn't touched them where they live yet. As soon as it does,
as soon as it touches them, everything changes, just the way
everything changed after 9/11. So, no, I don't think this town
gets it, and I don't think argument is going to get them there.
I wish it would. I wish this kind of publicity would do it, but
I think it is events that educate people. I do think we need to
educate them about the events. Too few people know about that
Slammer worm and how much damage it did to the Seattle 911
system. I think we need to teach them so that they feel the
events are real. But, no, I don't think most people feel
internally that cyber threats matter to them, at least not
enough to invest in effective defenses.
    Mr. Boehlert. So many people think in terms of
cybersecurity and they think they want to protect themselves
against some brilliant 15-year-old hacker, but it is so much
more than that. Quite frankly, I don't think it is far-fetched.
It is not stuff of Buck Rogers to suggest that the next war
could likely be fought without bullets and guns. It could be
fought on computers.
    Mr. Paller. There is no question that our nuclear systems,
that our electrical systems, that our infrastructure can be
attacked through cyber means.
    Mr. Boehlert. The whole economy is dependent on it.
    Mr. Paller. And our banking system. But persuading people
of that when it hasn't happened to them yet is just very
difficult.
    Mr. Boehlert. You are a student. You watch what is
happening in this arena, particularly in areas of assigned
responsibility.
Now, do you feel that under this new
Cybersecurity Research and Development Act, the Federal
Government is moving in the right direction with having a
coordinated source of responsibility--the National Science
Foundation for the R&D part of the effort and the education
part of the effort--because if we don't train more people who
have more knowledge about this subject and get them in
positions of responsibility, we are still going to take a ho-
hum attitude.
    Mr. Paller. That bill was wonderful, and Carl Land over at
NSF is doing a great job at concentrating the funds. The money
you are spending on training students is very effective, but--
appropriations are tiny, so we haven't yet seen how much good
that money can do.
    Mr. Boehlert. Well, you are preaching to the choir here,
because we are all going to push for a lot more appropriations.
    Now, part of the problem has been--I remember talking a few
years ago to a high official of a major credit card company,
and he casually dropped the thought that they lose about $100
million a year to fraud and abuse, and he said, But they view
that as an acceptable loss because it would cost them more than
100 million to prevent the $100 million loss.
    Well, I think that thinking is changing. But the problem
has been and the whole industry's effort has been to get a
product to the market that is faster and cheaper, and security
hasn't even been factored in. Do you see any trend changes that
customers are demanding that security be built into the product
and--for example, like I am demanding that I have air bags in
my car and seat belts, and am willing to pay a couple bucks
more for it. Do you see the market changing?
    Mr. Paller. Yes.
    Mr. Schneier. I don't very much, unfortunately. And the
problem is--I mean, I can hold two products; one is secure and
one isn't. They use the same marketing speak, the same words.
You, the consumer, can't tell the difference, and customers are
just as happy with promises of security than reality as
security. There is not much difference. And what I find--and
this is--I am struggling with this. I mean, there are lots of
great products. The average firewall out there is not installed
properly. You know, good software design practices are not
being followed. I mean, we have a lot of things we could do we
are not doing. Policy, no one has a good policy. They exist. We
can do this, but companies don't seem to be getting the
message.
    Slammer is a great example. It did lots of damage, all
sorts of things. The average CEO never heard of it. It didn't
affect him. Your comment on Visa I think is perfect. Visa is
saying, ``Look, we have these millions of dollars of losses it
will cost us more to fix than to eat.'' That is a perfectly
rational thing for a business to do. You have a risk. You
either fix it or accept it, depending on the value. Maybe you
insure it if that is cheaper.
    And so my problem is not the technologies. There are
technologies. Technologies can improve. Education is great, but
unless there is a pull, unless businesses have it in their best
interest to produce this secure software, to build secure
networks, they are just not going to do it. They are going to
say, like Visa, you know, the losses are not great enough. But
if possible, there were criminal penalties, if there were
liabilities for identity theft, if the losses were greater
because of whatever government mechanisms we like--and
depending on your politics, you pick different mechanisms. It
doesn't matter which ones you pick.
If we raise the penalties,
then the cost of fixing becomes comparatively cheaper and more
companies will--Visa will say, hey, we are going to improve our
security, because now it is cheaper than letting it go, because
the penalties of letting it go are greater.
    To me, the business process is broken. It is not the tech.
    Mr. Thornberry. The gentleman from New Jersey, Mr. Andrews.
    Mr. Andrews. Thank you, Mr. Chairman. I would like to thank
each of the three witnesses for outstanding and substantive
testimony that has really added a lot to this discussion.
    Mr. Schneier, I wanted to talk to you about your
conclusions about what I believe you characterized as an
exaggeration of the threat of cyber terrorism, if I read your
articles correctly. I agree with you that the ability to use
the Internet as a tool of murder, a tool of death, is
fictional, largely fictional. It may happen someday, but it is
largely fictional. Our concern, though, tends to be a
coordinated attack.
    I notice in your June 15th article, in the second
paragraph, you say: The software systems controlling our
Nation's infrastructure are filled with vulnerabilities. Our
concern, frankly, would be a coordinated terrorist attack
where, for example, the telecommunications system would be
compromised in a city where simultaneously four or five
explosions might occur which would disable people from calling
the police, calling the ambulance, and so forth.
    And then the third is secondary-level response, would be
the economic damage that will be done to the economy of that
area. Do you agree that that is a viable threat?
    Mr. Schneier. It definitely is. You think of 9/11, that is
what happened. The World Trade Center fell on top of most of
the telecommunications infrastructure of lower Manhattan. So we
see that, and, you know, I would give--if I were a terrorist
and reasonably clever, I would think of those sorts of things.
So for me, the cyber part is sort of in the noise--I mean, when
you fly a plane into a building, making people's phones not
work is kind of like the extra candles on the cake.
    Mr. Andrews. Of course our concern is not that they would
fly into the building and make someone's phones not work, but
that they would find a way through the cyberspace to make the
phones not work and then couple that with a series of fairly
low-tech physical attacks that would create chaos and panic and
economic dislocation. Do you think that is a viable scenario?
    Mr. Schneier. I think it is definitely worth worrying
about. And remember, attacks are getting worse. We are all
saying that. So even if I say, Look, it can't happen today,
call me back in 18 months and I will say, my God, this is a
problem.
    Mr. Andrews. One of the common problems I saw from each of
you was the government's use of purchasing power to raise
standards of the cyber wall, if you will. I think Mr. Boehlert
has done an extraordinarily good job by taking care of the
research piece in the legislation that he got enacted last
year. I think we are deficient in the use of that purchasing
leverage, as well as we should. I have enormous faith in the
private sector of this country in this area. I think this is
one area where the private firms, the small ones and the large
ones, the Microsofts and the ones we don't know the names of,
have done an extraordinary job in providing technological
solutions. And I think Mr. Schneier said a few minutes ago it
is a business problem, not a technological problem, to make
those solutions even more viable.
    How would each of the three of you suggest that we reorder
the Federal Government's purchasing specifications and use of
purchasing leverage so as to enhance cyber protection for the
critical infrastructure providers not in the governmental
section?
To put it in plain English--and then I will stop--is
how can we increase the quality and lower the price of a
protective product that Verizon could buy or that the people
who run the power grid could buy so they could make us more
protected?
    Mr. Paller, would you like to start with that?
    Mr. Paller. Sure. I actually see change in procurement
happening right now. You will hear an announcement in the next
few weeks that the Department of Energy just awarded a huge
contract to Oracle, and in it they required Oracle to deliver a
safely configured version of Oracle's database software. Oracle
agreed to it because DOE had a lot of money to spend, and what
made it possible was this consortium I talked about, and
Congressman Turner talked about, that has created standards,
benchmarks, so that DOE could order software with those
benchmarks.
    The key fact here is that, when I mentioned the DOE
contract to the CIO at Justice, who is also the chairman of the
CIO Security Committee, his ears perked up, and he said, I have
got to get on that.
    The hunger to use procurement for improved security is
there. The actions of the vendors are not quite there yet. They
honestly say ``We can't do that until you guys agree on what
you mean by 'safer,' '' and that agreement is what NSA and NIST
and DHS have been taking a lead in creating. Once you get that
kind of leadership, I think you will find that the buyers are
hungry for safer systems and will use procurement to get them.
    Mr. Andrews. So you see our role as setting viable and
constantly improving technological standards that the market
will meet if we set those standards correctly?
    Mr. Paller. I see your role as encouraging the industry and
government to work together to do that.
    Mr. Andrews. To do that, not to buy products that don't
meet those standards for our own use. Correct?
    Mr. Paller. Yes.
    Mr. Andrews. Mr. Pethia.
    Mr. Pethia.
I think--I have two parts to the solution from
the way I see it. First of all, the idea of standards I think
is exactly on track. The problem with standards is the devil is
always in the details, and trying to have a set of standards
that actually demonstrate improved security is sometimes hard.
    So I think in the short term there are obvious kinds of
product problems we know about. We have seen them year after
year after year after year. We know about configuration
weaknesses. We know about certain kind of coding errors. We
know about certain kinds of testing problems. Simply setting a
set of standards to deal with that class of problem alone I
think is one step that takes us a long way towards a solution,
and in fact we will probably get rid of about 80 percent of the
vulnerabilities that we see out there.
    Once we go beyond that, however, we are going to find that
the attackers will understand how to attack even those more
secure systems, and that second step requires additional
research, because we don't know how to build--.
    Mr. Andrews. My time is up. Thank you.
    Mr. Schneier, if you want to--then my time is up.
    Mr. Schneier. If you are a Fortune 500 company, you would
standardize in a few good products, you would write yourself a
really good purchase order and demand features that you want.
That is what you should do. The devils are in the details, but
you guys are a consumer of security. Unlike a lot of other
areas of security, your problems are industry's problems. It is
the same threats, the same attack tools, same hackers. So
everything you do immediately benefits us. It is not like you
are buying a missile, where it is all your requirements and we
don't care.
    So I would like you to--I mean, with the help of whoever--
develop purchase orders, develop specifications that meet your
security needs, and demand them.
I mean, you are going to buy a
whole lot of products, and companies will meet them. I agree
industry can do this if there is demand, and once you do, they
are going to offer those same products to us. They are not
stupid.
    Mr. Andrews. Thank you very much.
    Mr. Thornberry. Thank the gentleman.
    The gentleman from Texas, Mr. Smith.
    Mr. Smith. Thank you, Mr. Chairman.
    Let me address my first question, I believe, to Mr.
Schneier and Mr. Pethia, and this is a question that really
comes from a number of meetings that I have had with
constituent high-tech companies. I represent literally hundreds
of high-tech firms and basically they tell me what I also hear
here in Washington at various briefings, and that is that a
cyber attack in some shape or form, which we know had been
occurring, are going to continue to occur and inevitably they
are going to be successful or semi-successful one way or the
other. Also, as we know, a cyber attack using cyberspace might
be in conjunction with a more conventional type of attack as
well.
    But my point is this: They think we will be--that an attack
will be successful. We don't know whether yet it is going to be
planting viruses in computers, disabling energy grids in
California or Texas or wherever, but their point is that we
have the technology available now, and in many many cases these
individual high-tech companies are giving the examples of that
kind of--those kinds of solutions, but that the government is
not yet taking advantage of the high-tech solutions that are
available right now.
    And I would like for you all to address really two
questions. One, to follow up on Mr. Andrews' questions, what
kind of attack do you think is most likely? And, two, do we
have the capability to defend ourselves against it? And if not
or if so, are we using all the high-tech kind of solutions that
are available to the best of our ability?
    Mr. Pethia.
A likely attack, I don't know how to predict,
other than the one lesson I think I learned from 9/11 is that
we have an adversary who is patient, who is willing to do
homework, who will do surveillance, who will find weaknesses,
and wherever those weaknesses are that they think they can get
the biggest benefit of, they will take advantage of. But I
don't know how to predict human behavior beyond that, but I
think it is going to happen someday.
    As far as do we have the technologies we need to protect
ourselves, the answer is yes and no, unfortunately. Today if
you are a very capable system operator and you are willing to
invest a lot of time and money and you are willing to do things
like install firewalls, intrusion detection systems,
authentication devices, one-time password technology, use
encryption in the right way, et cetera, et cetera, et cetera,
then, yes, you can do a good job of protecting your systems. So
that part of the answer is yes.
    But when you put all that together and understand how
expensive it is and how complicated it is and understand that
any mistake in that whole configuration at any point can make
your systems as vulnerable as if you hadn't done anything, then
the answer, unfortunately, is no.
    But we can secure our systems, but the problem is today it
is just too hard and it is just too expensive.
    Mr. Smith. Mr. Schneier.
    Mr. Schneier. I agree with all of that. The great military
strategist von Clausewitz would call this a position of the
interior. All right. The defender is a unit, and he has to
defend against every possible attack. The attacker just has to
find one way in, one weakness. So in that way, the defender is
at an enormous disadvantage.
    All right. The attack that is likely to come is the attack
you didn't defend against, right? Because if I am the attacker,
I am not going to attack you where you are defended.
So sort of
by definition, there are going to be weaknesses. Unless you
defend against absolutely everything, right, there will always
be a weak link.
    I would assume the kind of attacks that are coming are the
kinds of attacks you have already seen and then the new ones
you haven't seen yet. They are going to be all over the map. We
probably have the ability to defend against some of them. These
comments were really dead on. I mean, yes, you can--all right.
If you took your computer and you turned it off and buried it
underground, no one could attack it, but it is not terribly
useful. Essentially by the very fact of we are using our
infrastructure, we make it vulnerable. Right.
    Your house would be more secure if there were no door, but
you need to put a door in. Therefore, there are insecurities.
You can put a lock on your door, now there are all sorts of
problems.
    Are we doing everything we can? Of course not. Because
everything we can doesn't make any sense to do. There is always
going to be a balance. Right. What is the risk, and then how do
we defend against it rationally? And depending on who makes
that balance, you are going to see different sorts of things.
Right.
    The shed in my backyard doesn't have the same lock as my
front door. The risks are really different. And this is where I
sort of talk about making the risks--getting the equation
right. A lot of the risks we are facing are residual risks.
They are not risks that the companies are facing. So they are
going to look at a lot of these measures, that great laundry
list, and say that is too expensive, too complicated. We don't
have that kind of risk. They don't. But we as a Nation do, and
that is what scares me.
    Mr. Smith. Thank you for your answers on a complicated
subject. Thank you, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Mr. Etheridge.
    Mr. Etheridge. Thank you, Mr.
Chairman.
    And let me thank each of you for being here today. This is
not only very important but very instructive. Let me follow
that line, but in just a little different way; because on the
first hearing, the Chairman will remember, I asked a question
about a number of our software now--because we are dealing with
international companies--is done overseas. So in my State and
nearly across the country now, we have talked a little bit
about banks and others, because they are hiring a lot of
foreign firms to write software for the businesses. But
recently several banking firms have been instructed by their
security specialists to start advising financial institutions
to certify the integrity of the software that is written
overseas, as you can appreciate.
    But my question is this: Do you believe software sabotage
is a real threat? And number two, how will a company check the
software to ensure the integrity of it? Who wants to tackle
that one?
    Mr. Pethia. I think the problem of malicious code embedded
in software is a real problem, and I don't know that offshore
has anything to do with it. I think we have bad guys here as
well as offshore. The big problem, however, is detecting that
malicious code, and frankly, we don't have good ways to do
that.
    Even in cases where the source code of the software is
available--and often it isn't--even there it is very difficult
to take a huge application, which may have literally millions
and millions and millions of lines of code, and find the 20 or
30 that cause some back door to open to let the bad guy do what
he will do. So that is another area where I think we need a lot
of research that helps us understand how to build software that
is free of these kind of defects, or if they are there, that
they can be detected. Frankly, the industry or the academic
community doesn't know how to do that now.
    Mr. Schneier.
Well, and luckily you get virulent agreement
among the panel here. Everything you said is right. I don't
think international makes it worse, although you can certainly
imagine a concerted effort. I don't know, I am not impressed by
that. We see a lot of sabotage for personal gain, for
extortion. I mean, I can mail you dozens of real criminal
cases. He is right. It is very hard to detect this.
    In a former life, I used to do consulting where I would
look at source code, and I would tell companies, figure you
should spend as much on evaluation as you spend on development.
Now, of course, companies are never going to do that. It is
just too much. But that is the sort of thing you have to think
about. And when you look at, you know, sort of high-risk code--
now, code in Boeing aircraft, some code that the military does,
maybe for nuclear launch codes--they do that. They will spend
as much money on security and safety testing as they do on
every other aspect of the project, because it is really
important for them.
    Now we are sort of entering a world where every bit of code
is slowly becoming that important; and, no, they are not ready
to deal with that. That is going to be a big deal, and it is
definitely worthy of concern.
    Less from the, you know, I am going to take down the
Internet and I think more crime. Again, I think the risk of
cyber terrorism is overstated, and we grossly underestimate the
risks of cyber crime. We are seeing a lot more crime on the
Net. So when I look at these attacks, I am worried about the
ones that are criminally motivated, I am going to put something
in the code, and then I am going to call the company and say,
hey, give me a million dollars and I will tell you where it is.
That kind of thing has been done.
    Mr. Etheridge.
Let me follow that up, because you indicated
you touched on this earlier, that the statistics indicate that
about 80 percent of the critical cyber infrastructure is in
private hands. And I think in most of the testimony of almost
all three of you, you had suggested that how you work on that
is to encourage software vendors to create better products, and
that is really what we are about. And would you expand just a
little bit more? You touched on it earlier about what the
Federal Government can do.
    Mr. Schneier. It is two things. We need to encourage
software vendors to produce better products. Then on the demand
end, we need to encourage the consumers of those products to
use them securely. I mean, there are lots of secure products
that nobody is buying. And there are lots of insecure products
that everyone is buying. And the problem--the reason we are
here is because it is not in the best financial interest of
either the software vendors or the network owners to increase
their security.
    Mr. Etheridge. Let me follow it up, because I think this is
critical. If there were--let's say I go out and buy a piece of
equipment for my home. There is no coding today, whether I use
that in my home or whether I use it in business or if I am with
one of the largest banks, but if there were a code attached to
it like a 1, 2, 3 to indicate a level of security or something
on it, as you do with some other things, is that the kind of
thing you are talking about would have an impact?
    Mr. Schneier. Well, I mean, completely finessing how you
would get that code, I mean, magically there and magically
accurate--I mean, that would at least provide some indication
of quality.
    You know, what I want to see are the business processes
getting involved.
As a security guy, I can talk with a security
person who says, yes, I am desperate for more security but when
I go to my CEO or CFO they say the risk isn't that great, it is
cheaper for us to ignore it than to fix it.
    Well, that is because the risk is primarily in other
people's hands. If I am a company that owns a big database of
credit card numbers, if it is stolen, if there is identity
theft, it is not my problem. It is the problem of the people
whose identity was stolen. So I am not going to protect it to
the degree of the sum of the individual risk of my customers,
because it is not my risk.
    And, I mean, there are several ways we have dealt with this
in other areas of society. You know, in environmentalism, we
passed some regulations. We have used some economic incentives.
In things like automobile security, we have liability laws. We
have also changed public perception so that air bags are
considered a good thing. All right, that was the industry
itself using security as a marketing tool. All right. That also
works. Changes in technology work. If you--if there is a door--
a good example, our alarm systems. When they became wireless,
they became a lot more prevalent, because they were cheaper and
easier to install. So as policymakers, you have several levers.
All right. You can deal with the regulation liabilities. You
can deal with putting money into technology and making that
better. You can deal with social norms.
    All right. You get to choose what levers you pull, and what
the levers do is, they affect the business motivations, which
then act both the supply, producing secure software, and the
demand, wanting secure software.
    Mr. Etheridge. Thank you.
    Mr. Thornberry. Thank the gentleman.
    The gentleman from Nevada, Mr. Gibbons.
    Mr. Gibbons. Thank you very much, Mr.
Chairman.
    And to our witnesses let me express my thanks as well, as
my colleagues have done, for your presence here today and the
testimony you have provided us. As I sit here, I have to admit
that I am probably one of the few people on this panel who is
not very well educated in computer technology, and it is an
evolutionary process in my own mind to get my arms around it to
understand a lot of this. And I presume that is pretty much a
widespread problem with the American public today. They know a
little bit about it but not a lot.
    The evolution of technology that is occurring in the
computer industry is so rapid. Do we really have a real
expectation that what we create today will be an answer for a
15-year-old's bright inquisitive effort to break it tomorrow?
Are you comfortable with what you are saying today is the
protection and the security that we can create, will give us
the real barrier that we need to some mass disruption, some
mass attack? Anybody want to take that on? I mean, it is a
hypothetical.
    Mr. Paller. My sense is that we can remove the vast
majority of the easy ways to break into our systems. Rich said
about 80 percent of the attacks--used well-known
vulnerabilities. We can wipe those out. We are not yet wiping
those out, and we have to do so right away, and that raises the
bar.
    Next the research money that Chairman Boehlert was talking
about has to be invested to find better ways of testing the
code, of building more secure systems; but if we wait until we
build the better systems, then we are simply leaving all of the
doors and windows open and just saying to the attackers, ``come
get us.''
    Mr. Gibbons. Well, then, Mr.
Schneier, let me ask you a
question; because if that is an answer that we have got to
develop the research to provide for the capability of
presenting the real serious or in-depth attack that we just
talked about, are our universities providing a level of
expertise and resources capable of being able to do that, or
are our universities falling short in educating people?
    Mr. Schneier. Some are. There is some great research being
done, some great education being done. It is not enough. The
demand for computer security far outstrips supply. If you know
any kids who are going into computers, tell them security is a
whole way to make a whole lot of money, because there is a lot
of demand for jobs, and there is great research out there,
phenomenal work.
    CERT is an institution coming out of Carnegie Mellon. They
have been doing phenomenal stuff since forever. You have to
look at it as two different attacks, and what Alan was saying
is exactly right. Most criminals are opportunists. They are
getting a tool and using it. Most vulnerabilities being
exploited are the obvious dumb ones.
    So security is an arms race against professionals, all
right, the people out to do real damage. Most of the attacks
are low level--it is low-hanging fruit. We can do a lot to get
rid of that and that really does raise the bar. After we have
done that, we have still got the arms race, and that is never
going away; because you are right, you know, defense now, new
attack, new defense, new attack, it is going to get worse. But
the last thing we want is for all the old attacks to work as
well as the new attacks.
    Mr. Schneier. I sit at Counterpane. We monitor companies,
we monitor vulnerabilities, and the hardest thing we have is to
get rid of the kids attacking and trying to find the real
attacks.
    Mr. Gibbons.
Well, if we do have the capability today and \nif we do have the resources that would allow for someone to \nattempt or succeed in a mass disruption of our information \ntechnology systems around the country or in any community, why \nhave we not seen a major effort in this regard so far from the \nterrorist side? Not from our defensive side. Why have we not \nseen a terrorist really try this so far? Because we all we see \ntoday are the criminal-minded hackers.\n    Mr. Schneier. I have written about this. I believe the \nanswer is it is not terrorism. Sort of imagine Bin Laden \nsitting in his cave plotting the next attack against America, \nand he is not going to say, ``I know, let's disrupt their chat \nrooms.'' He is not going to say that.\n    He is going to say, ``Let's kill a lot of people, let's \ncause mayhem, let's cause terror.''\n    The Internet is important, but it is--it doesn't put bloody \nbodies on the front page of a paper, which if you are a \nterrorist is what you want to do. Eventually it might, but \ntoday, a terrorist is not--I don't see it as a way to cause \nterror.\n    Mr. Gibbons. If he interrupts our business systems, the \neconomy of this country is probably as critically important to \nthe lives and well-being of everybody in this Nation as \nanything we can think about today.\n    You interrupt the food supply, you interrupt the \ncommunications capability, people can't call a hospital, can't \nget an ambulance, you interrupt their ability to go to the \nstore, that is as much a terrorist act as flying a plane into a \nbuilding.\n    Mr. Schneier. But it is harder than you think. When the \nphone system went down in New York City after 9/11, people \npicked up their cell phones, people used their pagers. There \nare a lot of networks that got up in a few days.\n    Our infrastructure, even though vulnerable, is surprisingly \nresilient. You see bad effects. 
The strike on the West Coast \nclosed the ports and had monstrous effects on American \nindustry. That wasn't terrorism, that was labor relations. And, \nyes, an attack like that would cause those effects.\n    But, to me, and I am just trying to put myself in a \nterrorist mind-set, it doesn't feel like the best bang for my \nbuck. Maybe it is, and maybe we have just been lucky and that \nis another way to look at it. Eventually someone is going to \nthink exactly along your lines and do it. I mean, the question \nis not if, the question is when, and maybe it will be something \nwe can recover in a few days, maybe it will be something we \ncan't recover and businesses that require the Internet will go \nout of business for a month.\n    It is very hard to speculate. We all agree here that the \nproblem is getting worse. So if we are talking about 5 or 10 \nyears, certainly I think everything you are thinking gets a lot \nmore reasonable and a lot more likely.\n    One more point I want to make based on your first comment. \nI actually have a book I am going to hand out. This hearing has \nhomework. So I got a copy of this for all you guys, and you can \neither read it or give it somebody else to read. But I did a \nbook sort of on computer security, and a lot of things we are \ntalking about here, how to understand the issues. My mother \nread it, so don't be scared.\n    Mr. Andrews. Mr. Chairman, this is a flagrant violation of \nthe rules of Congress, to ask us questions and give us things \nto do. This is outrageous.\n    Mr. Schneier. No one said you can't give homework.\n    Mr. Gibbons. Well, gentlemen, thank you very much for your \nexpertise. And thank you, Mr. Chairman.\n    Mr. Thornberry. I thank the gentleman.\n    My response is we need all the help we can get from \nwhatever source.\n    The gentleman from Rhode Island, Mr. Langevin.\n    Mr. Langevin. Mr. Chairman, most of my questions have been \nanswered. 
I am going to submit some questions for the record, \nbut I will yield at this time.\n    Mr. Thornberry. The Chair thanks the gentleman.\n    The gentleman from Texas, Mr. Sessions, vice chairman of \nthe subcommittee.\n    Mr. Sessions. Thank you, Mr. Chairman, and I want to thank \nyou for not only planning, but putting together, what is a very \ninteresting hearing today.\n    I would like to switch gears a little bit, if I can, and go \nto what would be the bottom bullet for each one of your \ntestimonies and focus, if I can, for half a second on the \nattacker, who is the attacker, what is that level of \nsophistication?\n    The second part of the question is how it is reported to \nlaw enforcement, what are those piece parts towards trying to \ncatch the attacker?\n    Lastly, in that chain, success in working together to \nidentify the real threats versus what was said, to get rid of \nthe kids, to get the kid stuff out of the way for the real \nattack.\n    I am interested in this chain of information. I think from \na primary aspect of business, identification, working with law \nenforcement, successful prosecution, I am interested in that \nsummarization from any one of you.\n    Mr. Paller. Two things. One is the FBI has gotten \nextraordinarily good at catching some of these people. The ones \nthey catch are the ones who do stupid things like brag, \nhowever. So we are seeing lots and lots of successes, putting \npeople in jail, and they are going to jail for longer periods \nof time.\n    When you ask who these people, Mafia Boy, for example, was \na very angry, person what teachers would call a rotten kid--who \ndid a lot of damage independent of his cyber work. When he got \ncyber tools, he went after E-Bay and Yahoo! and took them all \ndown. It was part of acting out as a bad kid, but it did a lot \nof damage.\n    What we don't know is who the people are who will do the \nreally complex attacks. 
Because we don't know who they are, we \nactually have to build the defenses with more vigor than we \nwould if we could identify the attackers' targets and take them \nout. That is why this problem is so difficult, because they \ncould be everywhere attacking us.\n    I can offer answers to the other questions, but I will let \nother people speak.\n    Mr. Sessions. Does that mean it could be across the world, \nit could start someplace and go to another, and go to 10 places \nbefore it actually was able to be seen and we just can't figure \nout the chain?\n    Mr. Paller. I didn't mean that. I meant it could be a group \nof terrorists in Indonesia that right now is shooting guns at \npeople and figures out a way to get some money and uses that \nmoney to hire some hackers who don't know that they are being \nused by terrorist. We just don't know who they could be. Even \nthe smart hackers can be fooled into working for the bad guys. \nThey don't know who they are working for. Somebody claims to be \nfrom the NSA, how does a hacker know he is not? We don't have a \nclue where the attackers are. That is why we have to build the \nwalls so strong, instead of saying ``Let's go get those bad \nguys and take them out.''\n    Mr. Schneier. Chapter 4 talks about who the attackers are.\n    Mr. Sessions. I will read my homework.\n    Mr. Schneier. They range from the kids to foreign \ngovernments who are going to use cyberspace as a theater for \nwar, which is a perfectly reasonable thing. We do that kind of \nthing in our warfare. It would be crazy to assume that somebody \nwon't. They are all over the map.\n    How is it reported? Largely it isn't. This is where you \nstart to think about what are the risks. There are the direct \nlosses, the loss of whatever has been stolen. But, for many \ncompanies, the loss of face, the PR loss, reporting an attack \nis worse than the actual damage. 
If you are a bank and you have \nbeen hacked for a couple million dollars, you are likely to \nwant to keep it quiet. Why scare your customers?\n    Mr. Paller. Bruce, let me say something. I have testified \nhere and in the Senate about this issue, can we get companies \nto report? If we get rid of the Freedom of Information Act \nexclusion, can we get them to report?\n    The answer is, ``Hell no,'' but we were unable to prove \nthat until Congress got rid of the exclusion and then found out \ncompanies still are not reporting. Now, we know that getting \nrid of the FOIA problem wasn't enough. But there is a way you \ncan get them to report, and the analogy is medical. In medical \nreporting, people who get a disease don't call up CDC and say, \n``I have got a disease.'' They don't want to. It is just what \nBruce was talking about, ``It is embarrassing. I am not going \nto tell anybody.'' The doctors tell; the patient doesn't\n    I couldn't figure out for the longest time, but I recently \ndiscovered there are doctors in this field. They go into \ncompanies right after they are attacked and they clean up the \nmess under these contracts that are this long on \nconfidentiality clauses spelling out who you won't tell about \nour being attacked.\n    You guys are funding a big project at DHS called CWIN, the \nCyber Warning Information Network, and you are giving free \naccess to that system, to those ``doctors.'' I think there \ncould be a quid pro quo for their right to get access to CWIN; \nif you are a doctor and you are helping somebody, you don't \nhave to tell DHS who you are helping, but you must tell the \nspecifics of the attack, so DHS can see if it is hitting \nanybody else. I think you have that lever right now, meaning \nthese months, and it might actually help.\n    Mr. Schneier. That is a great example of aligning the \nbusiness processes to meet our technological needs, because \ncompanies don't want to report. And this will work. 
I mean, \nthat is a great example. Here you can use your buying power. \nYou can use your financial stick to get the data we need.\n    We need the data. I mean, all the data we have just plain \nstinks. We don't know how often attacks happen. It is all \nanecdotal.\n    In my testimony, I gave three pieces of data, I gave my \ndata and two other pieces of data. They are all mediocre, \nbecause companies don't report.\n    This is very much like the beginning of the AIDS crisis. We \ndidn't know, or the beginning of SARS in China, things were \njust not being reported.\n    There is a lot of success. The FBI has gotten way better. \nYou look 4 or 5 years ago, they were completely clueless. Now, \nthey are getting much better. It is attackers that make stupid \nmistakes. We tend not to find either the attackers that are \ngood and just plain vicious.\n    You only attack criminals. Criminals, there has to be some \nkind of financial pay off. There have been cases in England of \nextortion where the criminals were caught during the money \nhandoff. Criminals are dumb.\n    When you sort of ask the levels of the attackers, you have \nthe smart attackers who aren't criminals, they are like Mafia \nBoy, just a bad kid. You have the criminals who tend not to be \nthe good hackers, they are using somebody else's tools.\n    The real worries are going to be when you start combining \nthese things, right, the sort of quintessential criminal \nmastermind. These people are sort of rare, because if you are a \nmastermind, you tend to make more money in the private sector \nthan you do in the criminal sector.\n    But when you go to places like Russia, where you can \nactually make good money in the criminal sector if you are \nsmart, there is a worry. Of course, on the Internet, every \nplace is next door to every place else. If you own a warehouse \nin Des Moines, you just have to worry about criminals for whom \ndriving to Des Moines is a reasonable commute. 
If you have a \nnetwork in Des Moines, you have to worry about everybody on the \nplanet. That is big difference. I forget who, someone talked \nabout that. But that is an important difference.\n    Mr. Sessions. I thank the gentleman.\n    Mr. Thornberry. Does the distinguished ranking member wish \nto ask questions at this time?\n    Mr. Turner. Thank you, Mr. Chairman. Our primary \nresponsibility as a committee is to have oversight over the new \nDepartment of Homeland Security. As each of you know, the new \ndepartment inherited the functions that previously came from a \nlot of other places. In the area of cyber security, we know \nthat the National Infrastructure Protection Center at the FBI \nwas transferred to the new Department, as was the Critical \nInfrastructure Assurance Office of the Department of Commerce, \nthe Federal Computer Incident Response Center from the General \nServices Administration, and the National Communications System \nfrom the Department of Defense.\n    When that transfer occurred, we had several things happen. \nOne of which is, it appears to me, we lost some expertise, \nbecause the top-ranking individuals who were considered to be \nvery capable in the cyber security area left the government.\n    We also noticed that the budgets of the cybersecurity \nagencies transferred to the Department in fiscal year 2003 \ntotalled $180 million. 
According to the OMB, the current budget \nfor the transferred functions within the Department will drop \nto about $55 million.\n    In essence, the new cybersecurity responsibilities within \nthe Department, within the newly created Cyber Security \nDivision, will have in the neighborhood of 60 full-time \nemployees.\n    When you look at, as each of you I know do, from the \noutside, from the perspective of the private sector, the \nnonprofit community, and universities, at what this new \ndepartment is currently doing to carry out the functions that \nit has been given to evaluate the threat through cyberspace and \nto assess our vulnerabilities and to prepare to defend against \nthose threats, it would be easy to conclude that we are worse \noff today than we were a year ago before the new Department was \ncreated.\n    As observers of that new Department and the cybersecurity \nfunctions which have been merged within that Department, I \nwould like to know how each of you would grade the current \nstatus of the new Department in dealing with cyber security as \ncompared to the way things were handled by the government prior \nto the creation of the Department and the transfer of \ncybersecurity responsibilities to it. I will start with Mr. \nPaller.\n    Mr. Paller. A tough question. All right. The answer in my \nmind is that no organization will be able to have all the \nexpertise within itself, and some of the money that was lost in \nforming DHS is still being spent on cybersecurity. There is an \nextraordinary team at the FBI of cybersecurity analysts. There \nare some phenomenal cybersecurity people at the NSA. If the new \nDepartment gets itself organized and builds the trust of those \npeople in other agencies, and it is the public-facing part of a \ncoordinated government-wide effort, it will be wonderful. 
But \nif you try to build the entire capability inside DHS, I think \nit will just take so long that it won't do enough good soon \nenough to be effective.\n    So I guess my attitude is that we may be spending too \nlittle, but the way to find out is give them a lot of energy \nand a lot of visibility and get them moving fast and allow them \nto show what they can do with that money. Let them show us they \ncan do so much good with that money that we should double or \ntriple it, rather than saying right now we are not giving them \nenough. They are just people there and only have so many hours \nin the day.\n    Mr. Pethia. From my perspective, I think it is a positive \nstep to bring some of these functions together, because I think \nin the past they had a tendency to each go off in their \nseparate direction, and there wasn't as much coordination and \nsynergy and impact as there could have been. Having these \ngroups together, I think, is a very positive thing. I am \nconcerned about the budget level. I think it is a big job and \nthere is a lot of work to do there. I know an awful lot of \ndesire is to have folks rely on the private sector to make a \nlot of changes, but I think it is going to need a lot of \ncoordination and oversight.\n    I think the real thing to consider as we look at the \ndepartment in fixing this problem is going to be something we \nare going to work at for years. This is not a sprint, it is a \nmarathon. Having them have the time to get the right \nfoundations and structures in place, build their relationships \nwith the rest of the Federal Government and the private sector, \nI think that is the critical thing for them to do right now. \nThen, as that foundation is built, understand where to \nintelligently spend money for high impact is the next step. I \nhope that is what we will see next.\n    Mr. Schneier. I actually wrote an essay really answering \nyour question a few months ago. 
With the Chairman's permission, \nI will send it in afterwards.\n    Nix, is my answer. My intuition is that security can't be \nthe purview of one organization. It has to be diffuse. If you \nsort of think about your body fighting disease, there is no one \norgan in charge of disease fighting. There are lots of \ndifferent things done by lots of different organs in your body. \nA lot of them overlap. This are redundancies. All of these \nthings help our body's security against disease.\n    I actually like it when multiple organizations are working \non the same thing, because they are going to work on it \ndifferently. I like it when security is the responsibility of \neverybody, because everybody will do something. I don't like it \nwhen Department X can say well, security, that is Homeland's \npurview. We don't care.\n    On the other hand, coordination is essential. You need to \nbe able to work together, because a lot of these problems are \nbigger than any organization.\n    So I like it when the Department of Homeland Security \ncoordinates. I like it less when they subsume. The real answer \nis a little more complicated than that, and I will send it in \nfor the record, but that is my intuition.\n    There is good and bad here. The loss of funding is a \nperfect example of bad. There are actually few corporate \nmergers that work out well also. These sorts of things are \ncommon when corporations merge. We are seeing the same sorts of \nthings with DHS. Eventually, it could be a good thing, it could \nbe a bad thing. Right now, it is very mixed.\n    Mr. Turner. Thank you.\n    Mr. Thornberry. The gentlewoman from Texas, Ms. Jackson \nLee.\n    Ms. Jackson-Lee. Thank you very much, Mr. Chairman. I would \nlike to ask unanimous consent that my opening statement be \nsubmitted into the record.\n    I thank the panelists very much for their insight. 
I will \nbe brief with respect to the issues of this committee because I \nhave listened closely for the time that I was here. I apologize \nfor my delay. I had responsibilities elsewhere in the Congress.\n    I simply want to acknowledge that we have had the \nopportunity to be in field hearings across the country and have \nheard from those individuals who have to fight these issues \ndirectly with respect to port security and other issues and law \nenforcement who are on the ground, if you will. And the key \nstatement that they make is how much is on the Internet, the \nWeb, the voluminous information.\n    I recall right after the 1995, I believe, bombing in \nOklahoma City, that all of a sudden it seemed to be in vogue on \nhow to make bombs with fertilizer. As a Member of the House \nJudiciary Committee, it is likewise equally amazing at the \nnumber of recipes for creative drug use that can be found.\n    Then, of course, we go smack against this whole question of \nthe first amendment and the protection of a nonencrypted Web \nsystem.\n    So if I could ask Mr. Schneier to confront this head on, in \nterms of the backdrop of the constitutional protections, the \nindustries' concern, and the freedom of commerce, I guess, that \neverything goes. But that means that terrorist cells can \ncommunicate, while students are communicating, so terrorist \ncells are communicating, but it also means signals can be sent \nand it also means directions in code can be sent.\n    How do we confront that issue head on? You may have been \nanswering it over and over again, and here we go again.\n    Mr. Schneier. Actually, what I tend to do because I do get \nthese questions a lot, is I tend to write the answers down, so \nI don't have to do them much. And I have written about this. 
It \nis a very hard question, balancing secrecy and security, \nbecause there is a notion that secrecy is somehow equal to \nsecurity.\n    You talk about bombmaking tools and drug recipes, I assure \nyou, those things were available before the Internet, and you \nreally can't bottle them up. And you are right in that, you \nknow, all tools of our technology can be used for good and for \nill. I mean, we drive to work and criminals use cars as get \naway vehicles. You know, demolitions have good and bad uses. \nCell phones have good and bad uses. Even network security \nproducts have good and bad uses, and we are stuck with that. \nThat is the way the world works.\n    Everything we have ever built has uses for good and bad, \nand we as a society have to decide. We can live in a \ntotalitarian regime and decide no one should have access to a \nphotocopier or mimeograph, which was true in some countries in \nEastern Europe. Or we can say the good uses outweigh the bad \nuses.\n    I went to the Washington Monument yesterday because I got \nin a little early. I wanted to go up and see it since it was \nredone. I was looking at the security. You know something? We \nwould have a better job securing it, if we didn't let people \ninside. It would be more secure. But we believe that letting \npeople tour our national monuments is a worthy thing to do, and \nwe are accepting the security risk.\n    Ms. Jackson-Lee. Let me just say this. You are making what \ncan be a creative analogy, but we have put in place since 9/11 \nmore structures, more security, more metal detectors, more \nprocedures in going on airplanes, et cetera.\n    What I would say to you is we are going to have to contend \nwith this question of cyber security. We are going to have to \nbe more responsible. I am a person that believes totally in the \n1st amendment and all of its yeas and nays, all of the \npositives and negatives. 
But I do believe cyber security is an \nenormous challenge.\n    For example, as one of our witnesses in one of our hearings \nindicated, the economic collapse that could come about through \nthe tinkering why our financial system could be dastardly in \nits results. Certainly loss of life, the emotion of loss of \nlife, the absolute repugnant concept that we would lose lives \nin a terrorist act, certainly supersedes the thought as it \nrelates to an economic collapse, but that still would shut us \ndown.\n    I guess what I am putting on the record is we have enormous \nchallenges. If you have some suggestion or direction, I would \nbe interested in it. I would be delighted if you would put that \nin writing for us to be able to handle that. If you have one \nsentence on that response, then I yield back my time.\n    Mr. Schneier. The problem with secrecy is it is brittle. \nWhen you lose secrecy, you lose all securities. I prefer \nsecurity measures that are resilient. If my front door is \nprotected by a secret code, if someone knows the code, I have \nno security. If my front is protected by a guard and alarm, \nthen there is more resilience. There is no secrecy that I am \nrelying on for my security.\n    That is the intuition in the relationship between secrecy \nand security. Sometimes it is valuable. Most of the time, I \nbelieve it is a red herring. Openness is better. We need \nsecurity in addition.\n    Ms. Jackson-Lee. I see the red light. I just want to say \nthis: With all of my passion and commitment for the 1st \namendment, I believe that this committee and the Department of \nHomeland Security has a moral and dictated obligation to deal \nwith the question of cyber security, and we have got to \nconfront it. I hope we will have the experts to help us do so.\n    Thank you, Mr. Chairman.\n    Mr. Thornberry. 
I thank the gentlewoman.\n    It seems to me that all of you are pretty much in agreement \nthat attacks are getting worse and attacks are getting easier \nand that we could do a lot to deal with 80 percent of these \nattacks, say, relatively easily, and then we are better able to \nconcentrate on the more sophisticated ones.\n    I want to be clear. What is it that is required to solve \nthe 80 percent? We have talked some about incentives, \nliability, maybe taxes. Some people have talked about SEC \ndisclosures and other kinds ever incentives for private \ncompanies. Or is it incentives for the software, ISP's and so \nforth that have been talked about?\n    Just so I can be clear, first, how do we take care of the \n80 percent?\n    Mr. Pethia. Let me start. For me, the first big piece is to \ntake care of the, let me call them low-level defects in our \ninformation technologies. It can be done by vendors doing a \nbetter job of design and testing. The software engineering \ncommunity knows how to do a better job of that. We know how not \nto get these kinds of bugs embedded in our software. People can \nbe trained to do development, where they don't produce as many \nmistakes. We can do it with more concentrated testing. We can \ndo it with testing labs that are established to find these \nproblems before they are deployed out into the broad community, \nor even after things are deployed, to find them. And vendors do \nrespond to reported problems. They do fix them when you bring \nthem to their attention.\n    So, first of all, I think we have to pay attention to the \ninstalled base of software, and there is a variety of different \napproaches to do that.\n    The second thing is I think we need to do a better job, all \nof us, of working together. 
We have been talking about \ninformation sharing for a large number of years, but as Bruce \nsaid, it is often catch-as-catch-can; it is haphazard; it is \nanecdotal information.\n    We needed to build a national system of data collection, \nanalysis, indications and warnings, so we can begin to \nunderstand of all these things we see, which ones are serious \nand which ones are noise in the system. I think that is a \ncombination of a research effort, but it also requires that \norganizations that run major networks do a better job of \nmonitoring them.\n    I think we start to touch on privacy issues when we get \ninto that world. So we need to look at that balance between \nprivacy and the need to understand what is happening to us. So \nthere a set of policies and research questions there.\n    But I think those two things alone can get us to the 80 \npercent solution. And I don't think it is tens of years, I \nthink it is years, not tens of years, to do that.\n    Mr. Thornberry. Anyone else wish to address that?\n    Mr. Paller. Mr. Chairman, we can fix two sets of problems. \nOne is the vulnerabilities in machines that will be installed \nstarting tomorrow, and the other is the vulnerabilities in the \n150 million machines that are already there.\n    What Rich is talking about is looking at the machines that \nare going to be installed sometime after tomorrow. So we really \nhave to go after both of those sets of problems.\n    For the new machines, we either use regulation, as Bruce \nwould like us to do, or liability, or we make the market solve \nthe problem, and that is what I think Homeland Security can do.\n    Homeland Security can lead the Federal Government in \ncreating the procurement specifications that say, ``You can't \nsell us a system that has these certain vulnerabilities in it. \nWe know what they are. 
You just have to sign this statement \nsaying you have taken them out or you can't deliver the \nsystem.'' That would change the economics of the problem, and \nthey will start delivering safer systems. That helps with the \nforward-looking machines, the ones that get installed after you \nwrite that specification.\n    To go backwards to the installed base, I think we could \ntake a lesson from the Department of Transportation. DOT has \ndone an extraordinary job of wiping out vulnerabilities across \nthe Department. I think DHS can learn from the agencies that \nhave been successful. Homeland Security can be the model, and I \nthink that model will spread. But we need to do both and go \nafter new machines using procurement, and go after the old \nmachines using vulnerability remediation.\n    I need to add one more piece. People are building hardware \nwith vulnerabilities, and you are buying them right now, and \nwhen you move to wireless, you are goint to see vulnerabilities \nin billions of devices. Every one of those devices can be used \nas an attack tool. So this isn't something we need to spend the \nnext year and a half thinking about. We need to act now.\n    I will give you an example. Every one of your storage \ndevices, where you put your most important information, has \nsomething called IP management ports. The ports were put in for \nthe convenience of the guy who sold the storage system to you \nso he can help you fix it if it breaks.\n    Some of those IP ports come with known vulnerabilities, \nSANS and the FBI publish every year the top 20 Internet \nvulnerabilities. Storage devices come with many of these top 20 \nbuilt into the hardware.\n    Your procurement people are continuing to buy that stuff, \nbecause the people who buy it don't know it has common \nvulnerabilities. That needs visibility. 
Homeland Security \nshould be taking the lead on procurement programs, and then \nhelping, maybe through a partnership with the Government Reform \nCommittee, helping other agencies do the same thing.\n    Mr. Thornberry. Let me just throw in another wrinkle for \nyou, Mr. Schneier.\n    Mr. Schneier. I will take wrinkles.\n    Mr. Thornberry. I was in a meeting last week where a CEO of \nan information technology company said as bad as we think the \nsecurity problems are for us with 300 million users on the \nInternet, whatever it is, think about how much worse it is \ngoing to be if that triples. And if you think about wireless, \nplus the number of additional devices that are going to be \nusing the Internet, plus some natural growth in number of \npeople around the world, that it nearly makes the problem \ninsoluble.\n    Sometimes I worry, as you all have described, we are \ngetting further and further behind. Maybe we could do all of \nthese things and solve this 80 percent, but there are going to \nbe another 80 percent that takes its place in a way. How do we \ncatch up and stay up?\n    Mr. Schneier. It sounds like you got it.\n    Mr. Thornberry. But I don't like what I have got.\n    Mr. Schneier. Well, you know, sorry. A lot of it, the \nanalogy I use is, you know, is curing malaria by draining the \nswamp. You have got all of this swampland out there. It is \nhorribly insecure, and we are trying to improve security by \nfixing it. The problem, as you point out, is we are creating \nswampland at such an alarming rate, that we are falling behind.\n    Yes, you are right. You are 100 percent right. The thing \nabout these easy fixes, I mean the things we are talking about \nhere, is they are actually easy. It is not things we discovered \n2 years ago that need to be fixed. It is things we discovered \n20, 30, 40 years ago and no one has fixed.\n    The most common attack is something called a buffer \noverflow. It doesn't matter what it is. 
These were first \nidentified in the sixties. They were first used to attack \ncomputers in the seventies. There was a very famous attack in \n1989, which was a buffer overflow.\n    So here we are in 2003, and, still, the most common \nInternet attack is a buffer overflow. This is an easy one. We \nknow how to fix this. This is trivial to fix. These guys will \nteach classes in how to write code buffer overflows. This isn't \neven a hard problem.\n    So yes, we are creating new swampland, but the problems we \nare talking about here are so basic, they have been with us \nsince the beginning of computing, and there has never been the \nbusiness incentive to make them better. So once you do that, \nthere will be a change.\n    You are right, there will always be new vulnerabilities. We \nraise the bar, the bad guys will get smarter, guaranteed. But \nat least the ones who are not smarter, are out of business. We \nare better off than we were.\n    So we are not here with a message of hope. We are here with \na message of we can actually do better than we are doing.\n    Mr. Thornberry. Good point. Practicality. The alternative \nis to do nothing, which is to accept the vulnerabilities, and \nthat is not a good answer either.\n    Take the 80 percent. Let's talk for a second about the \nother 20 percent. Do any of you have suggestions as to the way \nFederal research dollars and efforts ought to be directed to \nhelp deal with that 20 percent?\n    Mr. Schneier. I can do that. Actually, you go. We'll flip \nfor it.\n    Mr. Pethia. Let me start. We have been talking a lot about \nsort of sticks we can use to encourage the right kind of \nbehavior, but I think there are incentives as well.\n    The Internet today is a result of the original DARPA \nprojects, the ARPA net, which was focused on building a \nresilient network that could withstand physical attack. And it \nhas done that job amazingly well. 
It has grown into this new
infrastructure, it has created a whole new industry.
    I think we can do the same with security, if we think about
not Internet II, but maybe Internet III or Internet IV, where
the focus is not on resiliency from physical attack, or it is
not on what, as Internet II is, on higher speeds, let's have
the next grand project be focused on the ultimate high
security.
    I think that mobilizes the research community, the
industrial base, and they all begin to work on this new common
set of solutions, which is technologies that are significantly
more secure than the things we have today, from the beginning,
security that is designed in, as opposed to what we do today,
which is try to bolt it on to the outside edges of
fundamentally insecure projects.
    Mr. Schneier. I like to see research money spent
willy-nilly. I think the best research, the most interesting
things, come out of the most surprising places. Because I write
books and give lectures, I get a whole lot of people's term
papers, and there is really cool stuff being done out there.
Some of it is so interesting it never would have occurred to
me.
    If we are going to fund research, now we are talking about
many years ahead, we need to be broad. We need to recognize
that this is a critical area of our society and that we need to
fund research programs at a variety of institutions, maybe even
internationally. There are great things being done in Europe and
Asia. This problem is even bigger than our country. It is all
the same Internet.
    I love the idea of procurement and research on a secure
survival Internet. That is how we got the Internet. That is how
we will get a secure Net that is great.
    And then keep in mind that we should just fund research
institutions, universities, that are doing cutting edge work in
computer security.
Whether it is producing secure hardware and
software, like the computers we are going to install tomorrow,
or backfilling and securing the computers we installed
yesterday.
    Research is good. Great stuff comes out of research. I love
it when I see it, because it is creative, it is interesting,
and it is looking at things that are off the horizon.
    So I encourage lots of research, because you never know
what is going to bear fruit.
    Mr. Thornberry. Mr. Paller, I would like to ask you to
answer however you like and throw in another wrinkle, and, I
don't know how to say this, but do we need research on some of
the cultural aspects of security, whether people on a keyboard
are really going to do it, use it? How does that play into
making the whole Internet secure? The people vulnerability, I
guess, is the way I would put it?
    Mr. Paller. It is really no fun to try to finish the job of
figuring out how to do the technical security work when you
know that having finished that, you still have an enormous
vulnerability from people taking their laptop home, giving it
to their 11-year-old, who downloads a really, really cool
screensaver that has a Trojan in it that the hackers use to get
right back into the House systems, because you have a VPN that
runs from your laptop at home into the system in the House. We
know that is a problem. I would love to see research in solving
it.
    My sense is that it is a safe driving type of problem,
meaning it requires a long-term cultural change. This
afternoon, for example, Bob Liskowsky and I are giving out
awards to 10 kids from kindergarten to high school all over the
USA who created posters on improving computer security.
    It is a tiny drop in a huge ocean, but a long time from now
we hope kids will talk about safe computing at home the way
they get mad at their parents for not wearing their seatbelts.
It took a long time for kids to tell their parents to put their
seat belts on. I think research will help. I think visibility
like this subcommittee provides will help. It is a long-term
program.
    Mr. Thornberry. I guess the question is how much pain we
have to go through or how many people have to go through the
windshield before we do it.
    Mr. Schneier. A lot.
    Mr. Thornberry. Does the gentleman from Texas have other
questions?
    Mr. Sessions. Yes, I do, Mr. Chairman. Thank you so much.
    One of you gentlemen has already accused our Chairman of
``getting it,'' probably you, Bruce.
    Mr. Schneier. I probably did.
    Mr. Sessions. My question is, I have heard you allude to
the FBI as being perhaps short of being a center of excellence,
but you did accuse them of stepping up, understanding. Let me
tee it up. Fighting city hall is hard. They are the experts.
They know everything. They are the ones that set the standard
and tell you stop or go or maybe so. You never really get a lot
of answers out of them.
    Does our government, outside of this great subcommittee,
the government, the agencies, do they get it? Do they listen to
people? Do they respond? Or are they just at limitations with
money or other things? Do they get it?
    I am talking about the computer security experts in these
agencies sharing information, talking with you, being leading
edge, knowing what is wrong, aiming at the problem, talking
about things, leading to where our children understand it, all
those things.
    Mr. Schneier. The computer security experts get it. We have
any number of customers in local and Federal Governments.
Uniformly, computer security experts either in governments or
industries get it. The problem they have is going one level
above them, convincing their boss, convincing the CEO,
convincing whatever the legislature is that is appropriating
funds.
    The security people always get it.
I mean, they know the
problems, they understand it. It is one level above that we
have the problems at.
    This is where you find that people tend not to get it.
Either they downplay the risks, or they overreact. We have
seen, I forget the State, but some kid hacked into a school
computer and changed grades, and he is being tried as an adult.
To me that is a huge overreaction. I mean, changing grades is an
enormously big thing and should be dealt with as you would deal
with that, maybe expulsion, but he is still just a kid, he is a
dumb kid. You don't want to destroy their life by making them a
felon.
    So you need to temper. Even our prosecution, it has to be
sane. I see a lot of what I think are insane prosecutions
because we are overreacting.
    I am reminded of the Wild West, when stealing a horse was
punishable by hanging, because that was such an enormous part
of the Wild West transportation infrastructure that the
punishment exceeded the crime. We are seeing that again here.
    So, you know, I see ``don't get it'' at different levels. I
see it at the level above the computer security people, the
Governors, the Mayors, who tend to downplay the risks, just
like corporate bosses do. And then I also see the prosecutors,
either Federal or State, basically going to lynch kids.
    I think both are bad. How is that for inflammatory?
    Mr. Pethia. I would like to build on that.
One of the
things I think is very positive in the government right now is
the whole list of regulations moving now to FISMA, and I think
it has done a lot to have senior executives in the agencies
begin to understand that there is a problem there.
    What I see, though, is we are starting to get stuck at the
point where people are worried about compliance with
regulations or compliance with standards, which says they are
not quite far enough up that learning curve as we have to do.
    The thing to remember about computer security is it is a
daily event. It is not just complying with a standard or a
regulation, it is day-to-day having the awareness, to keep your
eyes open, to watch for that strange thing that is some
indicator that your systems are being compromised.
    So there I think we have to help the senior officials push
up that next step, beyond compliance regulation, with a real
understanding of there are critical assets that have to be
protected, they can be attacked in a number of different ways,
and everybody has to be trained, aware and vigilant.
    Mr. Paller. Let's bring these all back together. Yes, we
have to persuade them in. But right now, when they get an
expert in, that expert comes with a price tag that is enormous,
and when they ask, ``Is that enough?'', the expert will say
``No!'' So you have a meeting with a guy who says, ``Spend $50
million, but it won't keep your system safe.'' And you say come
back to me when you get a clue.
    There are good models in governments. Congressman Smith was
getting at it when he said we have to make security cheaper.
People in government are figuring out how to lower the cost of
security, and that is where we are going with using procurement
to push vendors. The vendor push is not to put the costs on the
vendor, the user still has to pay for it.
The vendor push is to
get the economies of scale that you get when the vendor does
initial security instead of making every user do it.
    DOE's procurement is not trying to force Oracle out of
business. It is saying, ``Look, Oracle, if you deliver safe
systems, every one of the Energy labs can get those safe
systems, instead of making every Energy user become a security
expert before he ever installs the software.''
    I think that the other discussions we were having about
pushing it back on the vendor to get safer systems allows
senior management to say, ``OK, I can see that working, let's
do that, let's get those vulnerabilities eliminated.'' And, in
fact, FISMA requires that the agencies actually test their systems.
That is what I meant by going back over the old systems and
making sure the security controls are in place. I think there
is reason for hope. I don't think we will win the war, but I
think there is reason for hope.
    Mr. Sessions. I have one last question. I have not
participated in it, but evidently Microsoft, the way I
understand it, they have an open chat page about all their
products, the design problems, and all these millions of users
e-mail in.
    Mr. Schneier. It sounds plausible.
    Mr. Sessions. Somebody evidently designs a system where
they take user input and they fix things, and they have the
user community try to provide input about fixing software
programs.
    My question is, in all these chat rooms and all this
feedback that comes from people, do they understand that if you
are going to use this equipment that there is an ethics about
it, or do they just think, hey, what I would say a
skateboarder, whoever can do the next wild thing, go for it,
and everybody sits there and applauds? Or is there an ethos
within at all that is ever applied to these people?
    Mr. Paller. I have never seen an ethos.
There was a survey
done in Australia of how many kids in the 12th and 13th grades
were breaking into other people's computers 4 years ago, and it
was 3.2 percent of all the males. I don't think there is any
ethos being taught.
    Mr. Schneier. But we should take heart in that. Most people
are ethical. Most people are honest. The great majority of
people on our planet are honest. That is why society works. We
would just fall apart if that were not true. We are dealing
with the few. I mean, three percent is still three percent.
Cutting that down by a tenth would be really good.
    This is how we eventually win, I believe. Sort of imagine
we are having this hearing about murder and how do we deal with
murder? It is happening. I mean, there are no technological
fixes. What do we do?
    All right, we don't prevent murder in our society by
wearing body armor. We don't drive tanks, we don't live in
fortresses. The reason murder is so low is that we have carrots
and sticks. We teach ethics. We expect our children to behave
ethically. We reward them if they do, and there is a criminal
system to punish them if they don't. That is really how we deal
with crime.
    No one says we think everyone should wear a bulletproof
vest walking around the street, no matter how bad the murder
rate is. I mean, it is not something we do.
    Now, this is very long-term, but in the end I think that is
going to be the way out. But you still have to deal with the
few, and, of course, the problem on the Net is the magnitude,
right? The few can do a whole lot of damage.
    Mafia Boy, who we have brought up again and again, can
attack dozens of web sites. The guy who wrote the SQL
Slammer Worm can have it spread across the Internet, some huge
number of servers, in 15 minutes, in 20 minutes.
    So we can, through education, through deterrence, make sure
most everyone is ethical.
The few that aren't can do so
much damage, either out of maliciousness or even by accident,
or out of carelessness, or out of, you know, dumb-kidness, that
we need to have these high walls.
    There is someone in the military, I forget who it is, who looks at
society, the danger in terms of how many people 10 armed men
could kill before being subdued. He will go through history and
calculate this. All right, that number is going up
exponentially with technology.
    The Internet has all the kinds of characteristics of that
exponential growth. One guy can do a whole lot of damage. So
even if we have everybody ethical on the planet except 10, we
are at risk. That is a hard position to be in. It is no fun to
be here. This is the ugly side of technology.
    Mr. Thornberry. But that is where we are, as you said
earlier, in all sorts of areas.
    I guess I have got one last question, because I don't think
it has been touched on, and I am interested, Mr. Pethia,
particularly in your perspective, on the kinds of information
that government should provide to the private sector about
threats that are out there, warnings perhaps, obviously this is
part of what this new part of the Department is going to focus
on.
    But can you address that a little bit, as well as
addressing how you have to weigh, how much information about
threats you put out there, versus the government's duty, if it
has that, to say watch out, this is coming, when, as you have
all already described, when something starts going it goes
quickly, and it is going quicker and quicker.
    Mr. Pethia. I guess a couple of points. One of them is
certainly, I think, the government, and it has been doing it
through my organization and through NIPC and through a number
of others, when there are recognized new forms of attack, to
make sure that that is broadly and as quickly as possible sent
out to the community so they know how to protect themselves.
And a lot of that is with the hope people can react fast
enough. As you say, these things are happening faster.
    One of my big concerns, which is yet another issue, is that
we are reaching the limits of our reactive capability, I think
nationally. We are all going to get incrementally better, but
we have already got the 80 percent. We are already going about
as fast as we can.
    So we have got to focus more on prevention. We have to look
for earlier signs of attack. We have got to look for earlier
indicators that something bad is coming at us. And there, I
think, DHS ought to look at doing things like looking at the
evolution of attack technology, and beginning to predict where
it could go in the future, what we are likely to see in 6
months, 8 months, 12 months, what have you, and trying to get
that information out to the community.
    Real threats, I mean real people doing bad things, getting
as much information as they can out to the likely targets of
those classes of people, which industries are being attacked
and how, so those industries know how to protect themselves.
    Mr. Thornberry. Does anybody else wish to address that?
    That is helpful.
    Mr. Andrews. Mr. Chairman, if you could yield for a moment,
I wanted to express my appreciation to you and the staff, the
majority and minority staff and the witnesses, for what I think
has been a profoundly important hearing. I very much appreciate
what the witnesses have had to say.
    What I wanted to suggest to you, Mr.
Chairman, is that we
consider working with the Government Reform Committee, which
has primary jurisdiction over government purchasing, so the
kind of purchase-based leverage that we have heard about from
each of the three witnesses today goes beyond what the
Department of Homeland Security does, but reaches into every
aspect.
    Frankly, the Department of Agriculture should be buying
software that is as good as it can get for reasons of
bioterrorism. The Department of Transportation should be buying
software as good as it can get when it deals with issues of
oceanography. The Department of Education should be buying
software as good as it can get to protect the security of
student records.
    This not only has benefit in carrying out the missions of
those various departments, but it multiplies the leverage that
these witnesses have talked about here today, and I think would
expedite the process of raising the level of technology.
    One thing that Mr. Schneier said that I thought was an
interesting analogy was the wireless burglar alarm systems in
our homes. I would not have been able to afford a burglar alarm
system 15 years ago, they were too expensive. Now, they are
relatively inexpensive.
    That is the metaphor. I think that is the analogy we could
achieve for the civilian sector, so when the CIO of a company
hears from his or her outside consultant that you need to spend
quite a bit of money to ramp up, it isn't nearly as much money
as it is today. It fits those economies of scale.
    I think it has been very powerful testimony. I thank you
and the staff for an excellent hearing.
    Mr. Thornberry. I thank the gentleman. I think you make a
very good point. I would simply add, I also don't dismiss the
Department's own information technology.
I think one of the
things that I know is of interest to most members on this
subcommittee is how the Department gets its own IT up and
running and the security there. We have further work to do
there, as well as working with the other departments.
    Let me again thank each of our witnesses. I agree it has
been very helpful for me. Let me say there may be written
questions that may be directed to you. We will try not to
overburden you. At the same time, I want to offer each of you the
opportunity to submit further comments if you think it would be
helpful to us, because most of us do read that stuff, and we
are interested in learning and trying to find solutions to
these problems. I very much, again, appreciate your time and
flexibility in being here today.
    Let me, finally, announce that I think this room is going
to be used for another hearing of the full Homeland Security
immediately after this, and they asked me to ask if we could
clear the room so they can get ready for that hearing which
begins at 2:00. In the meantime, we have votes on the floor.
    This hearing is adjourned.
    [Whereupon, at 1:25 p.m., the subcommittee was adjourned.]

</pre></body></html>