[Senate Hearing 111-43]
[From the U.S. Government Publishing Office]
S. Hrg. 111-43
CYBERSECURITY: ASSESSING OUR
VULNERABILITIES AND DEVELOPING
AN EFFECTIVE RESPONSE
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
MARCH 19, 2009
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
U.S. GOVERNMENT PRINTING OFFICE
50-638 WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii KAY BAILEY HUTCHISON, Texas,
JOHN F. KERRY, Massachusetts Ranking
BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California JOHN ENSIGN, Nevada
BILL NELSON, Florida JIM DeMINT, South Carolina
MARIA CANTWELL, Washington JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri DAVID VITTER, Louisiana
AMY KLOBUCHAR, Minnesota SAM BROWNBACK, Kansas
TOM UDALL, New Mexico MEL MARTINEZ, Florida
MARK WARNER, Virginia MIKE JOHANNS, Nebraska
MARK BEGICH, Alaska
Ellen L. Doneski, Chief of Staff
James Reid, Deputy Chief of Staff
Bruce H. Andrews, General Counsel
Christine D. Kurth, Republican Staff Director and General Counsel
Paul Nagle, Republican Chief Counsel
C O N T E N T S
----------
Page
Hearing held on March 19, 2009................................... 1
Statement of Senator Rockefeller................................. 1
Statement of Senator Cantwell.................................... 3
Statement of Senator Udall....................................... 3
Statement of Senator Nelson...................................... 43
Witnesses
Dr. James A. Lewis, Director and Senior Fellow, Technology and
Public Policy Program, Center for Strategic and International
Studies........................................................ 4
Prepared statement........................................... 6
Dr. Joseph M. Weiss, Managing Partner, Applied Control Solutions. 10
Prepared statement........................................... 12
Dr. Edward G. Amoroso, Senior Vice President and Chief Security
Officer, AT&T Inc.............................................. 24
Prepared statement........................................... 25
Dr. Eugene H. Spafford, Professor and Executive Director, Purdue
University Center For Education and Research in Information
Assurance and Security (CERIAS) and Chair of the U.S. Public
Policy Committee of the Association For Computing Machinery
(USACM)........................................................ 28
Prepared statement........................................... 30
Appendix
Response to written questions submitted to Hon. Olympia J. Snowe
by:............................................................
Dr. James A. Lewis........................................... 49
Dr. Joseph M. Weiss.......................................... 51
Dr. Edward G. Amoroso........................................ 57
Dr. Eugene H. Spafford....................................... 59
CYBERSECURITY: ASSESSING OUR
VULNERABILITIES AND DEVELOPING
AN EFFECTIVE RESPONSE
----------
THURSDAY, MARCH 19, 2009
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:02 a.m. in
Room SR-253, Russell Senate Office Building, Hon. John D.
Rockefeller IV, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
The Chairman. Good morning, everyone. We have a full quorum
present, so we're able to start this hearing.
Good morning, Senator Cantwell.
It's interesting to me, there are 10,000 other Committees
meeting, and I hope the witnesses understand that. Nobody ever
said we were a sane institution, but we prove it, particularly
in the early times, like this, when we're trying to confirm
people, and there are too many hearings, and people have to run
back and forth, and we've got four votes sometime this morning.
Anyway, I'm very glad that you're all here.
I was Chairman of the Intelligence Committee, so I'm
familiar with the Nation's cybersecurity threats and
vulnerabilities. And what I'd like to say is, very powerful, at
least to me. In the last 2 years; under two administrations,
two Directors of National Intelligence, before an open world-
threats hearing, which is an annual event in which all the
Intelligence Committees sort of bring their work together, Mike
McConnell, under President Bush, and Admiral Blair, under
President Obama, both said that the number-one security threat
to the United States of America was cybersecurity, or
cyberterror, however you want to phrase it. I regard it as a
profoundly and deeply troubling problem to which we are not
paying much attention. We have jurisdiction--part jurisdiction
in this committee. As do others, obviously. This is not going
to be the last of our hearings on this subject; we're going to
pursue this subject further.
The problem is, America is unacceptably exposed to massive
cybercrime, global espionage, and potential cyberattacks that
would very easily cripple our infrastructures. Anyone,
anywhere, can launch a cyberattack, for as long as the Internet
or other like instruments exist.
We currently have in place very sophisticated systems to
protect against cyber espionage, but it's very important for
people to know that cybersecurity is not just about protecting
our government networks from countries, terrorists, or hackers
who want our secrets. It's about protecting our Nation's
critical infrastructure from cyberattacks that could severely
impact commerce and the economy in absolutely devastating ways.
People just don't stop to think about it, don't know about it,
don't care about it, don't know what the word means.
For example, private-sector IT systems control virtually
all of this critical infrastructure; traffic lights, rail
networks. It would be very easy to make train switches so that
two trains collide, affect or disrupt water and electricity, or
release water from dams, where the computers are involved. How
our money moves, they could stop that. Any part of the country,
all of the country is vulnerable. How the Internet and
telephone communication systems work, attackers could handle
that rather easily. If healthcare reform is successful, this is
something which is just mind-boggling to me, IT systems will
play a critical role in the future of healthcare and will be at
risk as well. They can take an IT system and do what they want
with it. I'm not sure if they can change prescriptions that
doctors prescribe, but I think they can. I know that they can
send you to the wrong doctor or cancel your appointments.
Attackers can just take things that we do on a common everyday
basis, and could wreak havoc, and get into the minds of the
American people.
I've always believed that, with all the tragedy of 9/11,
that Al Qaeda does not necessarily exist just to bring down
tall buildings, but to get into the minds of the American
people and to bring them to their knees out of fear as a result
of something happening in a small place, or it was prosaic
event, but it was crushing and people panic. When Americans
panic, not very good things happen.
So, we need to get private-sector leaders and government
authorities on the same page on this enormous threat. We cannot
do this soon enough. We need a coordinated public-private
response. Currently, this does not exist.
President Obama talked about having a cybersecurity
advisor. That has not happened.
In broader terms, I think that the homeland security part.
This is sort of strange to say, but here we are, fighting in
Iraq and Afghanistan, and potentially in other places,
disruption is with us for years and years to come, and the wars
aren't the point. These cyberattacks can come from anywhere. We
tend to say, ``Well, what country do they come from?'' And
people say, ``Well, it's China.'' They say, ``It's Russia.''
Estonia and Latvia both had their power systems shut down.
Attackers can disrupt systems for a very short time, they don't
have to do it for a week, they could do it for a day and a
Nation or a country goes into panic.
The point is that anybody, some kid in Malawi, some kid in
the southern tip of Chile who's just mad, can do this. They can
and have figured out how to do it. We see regularly on
television the TV ad that the Department of Defense is being
hacked into, 3 million times a day. My honest assessment is
that most Americans see that, don't believe it. The number is
too big, and, ``Oh, by the way, it's the Department of Defense,
it's not me,'' is the sort of response that goes on.
There's this monumental disconnect between the American
people in many cases, the private sector, and protecting
ourselves. Being aware of, getting ready for, being ready to
respond to cyberattacks.
How's a small business going to do this? How are they going
to know about it? How are they going to afford to figure out
what to do? The bigger businesses are pretty good at it, but
there are a lot of bigger businesses that aren't very good at
it at all. Because the times are rough, and they figure there
are other things to do and it won't happen to them, which is
they classic American psyche, anyway.
I just want to put myself down as somebody who is very
concerned and is determined to make a difference in this
Committee on this subject. I've pushed for a national security
advisor who reports directly to the President, who would
coordinate such an interagency and public-private effort. How
do you do that? Well, you've got to have backup groups,
advisory groups. And we'll have to do that.
This is not just about providing a new powerful government
official, a tsar or anything like that, it's about transforming
the way the government, private sector, and the American people
tackle something called cyberterrorism, cyberattacks, as a
problem, and do it together.
I went over my time, Senator Cantwell, and I apologize, as
I do to you, Senator Udall.
STATEMENT OF HON. MARIA CANTWELL,
U.S. SENATOR FROM WASHINGTON
Senator Cantwell. Thank you, Mr. Chairman. And thank you
for holding this important hearing. I know that your passion
and understanding of these issues comes, not just form this
Committee, but your former chairmanship of the Intelligence
Committee, so we appreciate you calling together such a
distinguished group of witnesses. I look forward to hearing
their discussion, particularly from Dr. Lewis and Dr. Weiss,
about the electricity grid and the security issues related to
the electricity grid, and how we move forward with technology
that can help us, both on efficiency and security. So, I look
forward to those comments.
I look forward to your continued leadership, Mr. Chairman,
on this issue with this Committee, from the perspective of
continuing to move forward on technology, but to make sure that
security concerns are addressed.
And so, I'll stop with that and have questions for the
witnesses, but thank you, again, for holding this important
hearing.
The Chairman. Thank you very much.
Senator Udall?
STATEMENT OF HON. TOM UDALL,
U.S. SENATOR FROM NEW MEXICO
Senator Udall. Thank you very much, Chairman Rockefeller.
I, also, want to echo what Senator Cantwell said. I think we're
very lucky to have you as Chairman, and this expertise that
you've developed over time as chairman of the Intelligence
Committee, I think, is going to be shown here today. It's an
honor to be here and be serving with you. Thank you for your
dedication.
I come from a State that has two great national
laboratories: Los Alamos National Laboratory and Sandia
National Laboratories. They work somewhat in both of these
areas. So, as you proceed with your testimony addressing these
very important issues, I'm going to be asking about the kinds
of research you think should be done, either in national
laboratories or at academic institutions. It seems to me, at
least from what I've learned, talking with our chairman, is
that we really need to be ahead of the curve, we need to be out
in front of this. Where is it that we generate the new
knowledge and getting out on the cutting edge? So, that's going
to be one of the things that I talk about.
I also know that there has been some suggestion in your
testimony that we collaborate with other countries. And yet,
there are dangers in collaborating, and I think, with several
of you, I would like to explore that interaction that's there,
because clearly it--from my travels, anyway, countries insist
that we collaborate, but, at the same time, I know that there
are serious issues also facing that particular area.
So, thank you very much for being here, and I'm going to
shorten my statement and make sure that we get, Chairman
Rockefeller, quickly to the witnesses.
The Chairman. Good. Incidentally, this is not an
Intelligence hearing, this is a Commerce Committee hearing.
Every single thing that we're going to talk about here has to
do with commerce.
We have a very distinguished panel. We have Dr. James
Lewis, Director and Senior Fellow of the Technology/Policy
Program with the CSIS, which I don't have to spell out; Dr.
Joseph Weiss, Managing Partner for Applied Control Solutions;
Dr. Ed Amoroso, who is Chief Security Officer at AT&T, they
know something about this. He'll discuss cybersecurity from a
network operator's perspective. And Dr. Eugene Spafford,
Professor and Executive Director of the Purdue University,
Centers Education and Research and Information Assurance and
Security. That's a heck of a letterhead.
[Laughter.]
The Chairman. Dr. Lewis?
STATEMENT OF DR. JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW,
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND
INTERNATIONAL STUDIES
Dr. Lewis. Thank you, Mr. Chairman. And I thank the
Committee----
The Chairman. Yes, it should be sort of an orange.
Dr. Lewis. OK, I guess it's on. Well, that was a good
start.
Thank you. And I thank the Committee. Your opening remarks
were, I think, exactly on target.
The nature of our dependency on cyberspace is not always
recognized, although I have to say you've recognized it. We
tend to think of it is a military or homeland security problem,
but the primary vulnerability in cyberspace is economic.
In the 1990s, there was a debate over the value of
information technology, and some people said, ``We're spending
all this money, and we don't see any return.'' By the end of
the 1990s, the debate was over. There was conclusive evidence
that information technology spurred growth.
Why was there a delay? The delay was because there was a
lag between the time people bought it and the time they figured
out how to use it, how to apply it in new ways, how to
reorganize.
Just as companies had to change how they operated and were
organized, we must now change the Federal Government. It's no
surprise that adjustment takes time, but in this case, the
problem is compounded by the nature of the technology.
The Internet was designed to provide survivable
communications based on rapid and easy connectivity. It's
optimized for easy connection. It's built on implicit trust. It
has changed the world, but it is deeply flawed. That flaw is
security.
As the Internet is now configured and governed, it cannot
be secured. Right now, the attackers have the advantage in
cyberspace. As a Nation, we have not brought the full power of
the Federal Government to overcome this advantage.
Now, on the bright side, the U.S. has done more than other
countries when it comes to cybersecurity. There has been much
progress in the last 2 years compared to the previous decade.
And the Obama Administration has identified cybersecurity as an
important issue for national security.
But, while the United States has done more than other
countries, we also have more to lose. The risk is not what some
cybersecurity proponents would tell you. We're not talking
about explosions or mad hackers or bringing the U.S. to its
knees in a few hours. The real risk lies in the long-term
damage to our economic competitiveness and our technological
leadership.
Cyberconflict can disrupt key services, as you mentioned,
as in the case of an opponent who can access control systems.
I'm sure we'll hear more about that today. But, the real and
immediate damage comes from the theft of intellectual property
and the loss of advanced commercial and military technologies
to foreign competitors.
Cyberconflict is well suited to providing a competitive
edge to other nations. In this competition we are in now,
economic strength, technological leadership, and the ability to
innovate is as important as military force for national power.
A failure to secure America's information infrastructure
weakens the United States and makes our competitors stronger.
Changing this requires two sets of actions. The first is to
strengthen our national ability to innovate; the more
innovative nation is more secure. The second is to secure the
networks upon which we rely.
Let me give you two examples, quickly, of the connection
between cybersecurity and the economy:
The stimulus bill provides a significant increase in funds
for research. This will improve U.S. competitiveness. But, if
that research is conducted over insecure networks, we are
subsidizing, not only our own industry, but foreign industry,
as well.
The Smart Grid that is also in the stimulus bill makes
innovative use of advanced technologies to address energy
problems, but if the Smart Grid is not secure, it can be hacked
and used to disrupt the delivery of electricity.
In the past, we've viewed cybersecurity as a technical
problem. This was a mistake. Cybersecurity requires using all
the tools of U.S. power--diplomatic, military, intelligence,
enforcement--law enforcement and economic policy. CSIS put out
a report in 2008 that laid out a comprehensive strategy. But,
more than a comprehensive, a strategy will also need to be
coordinated.
Cybersecurity requires actions by many agencies, and our
current efforts are not sufficiently coordinated to provide
advantage, although the Obama Administration's 60-day review
may change this.
Congress can focus Federal efforts on the economic risk,
and it can ensure that regulatory efforts by agencies give full
weight to cybersecurity, something that is not now the case. It
can ensure that the Department of Commerce, which has a key
role in this, makes cybersecurity a priority.
Finally, Congress can tackle the daunting task of
modernizing our legal authorities, many of which were written
for technologies that were in use decades ago.
My testimony has discussed how information technology has
brought great benefits, but that these are accompanied by
unavoidable risks. We have an opportunity to secure cyberspace
and use it to renew economic growth, create more efficient
government, and build stronger national security. These are
attainable goals, and the Nation that finds new ways to use
cyberspace securely will gain competitive advantage.
I thank the Committee for its attention, and I'll be happy
to take any questions.
[The prepared statement of Dr. Lewis follows:]
Prepared Statement of Dr. James A. Lewis, Director and Senior Fellow,
Technology and Public Policy Program, Center for Strategic and
International Studies
I thank the Committee for the opportunity to testify on
vulnerabilities and effective defense in cyberspace. As America's
dependence on cyberspace grows, and as the scale and pace of conflict
in this new venue increases, the need to rethink national strategies
has become urgent. The free and secure use of cyberspace has become,
like freedom of the seas, a vital national interest for the United
States. This Committee can play an important role in developing and
guiding an adequate national approach to securing cyberspace.
The nature of our dependence on the use of cyberspace is not always
recognized. We tend to think of cybersecurity in military terms, or as
a problem of homeland security, but this is inadequate for
understanding the scope of the problem. Networked, digital information
technology provides the infrastructure for news ways to organize,
interact and create wealth--actions that can now take place in
cyberspace. Information technology lies at the center of an immense and
ongoing transformation in the global economy, in politics and society,
and in military affairs. It has transformed how people work, altering
business models, supply chains, customer interactions and production.
The use of cyberspace has become a central element in both economic and
national security.
You may recall that in the early 1990s, there was a debate over the
value of investing in information technology. Some economists noted
that American companies had spent millions of dollars on information
technology without any noticeable gains in productivity. The promise of
information technology, they asserted, was a mirage. The excesses and
rhetoric of the dot.com bubble only contributed to this perception.
But by the end of the 1990s, this debate was over. There was
conclusive evidence that spending on information technology brought
economic benefit. Information technology made a significant
contribution to American GDP growth--perhaps as much as a third of
total GDP growth. It turned out there was a lag, a delay between
spending on IT and the increase in growth. The reasons for this delay
were that companies had to figure out how to change their organizations
and their business practices to take advantage of the new and more
efficient processes enabled by IT. New technology layered over old
organizations does not provide much benefit.
We can draw two conclusions from this story. First, we are barely
into our second decade when it comes to exploiting the advantages that
digital network technologies provide. If this story was about cars, we
have moved from the Model T, introduced in 1908, to the Model A, which
appeared in 1927. This is progress, to be sure, but we are only at the
beginning of the story. We have not exploited the full potential of the
new technology for recovery and for future growth.
Second, just as there was a lag as companies took time to adjust
how they operated and were organized to make use of the new
technologies, we are facing a lag in adjusting law, regulation and
policy. To continue the car analogy, if the economy as a whole is
moving toward the Model A, the Federal Government is still comfortable
driving a Model T. The difficult task of modernizing the Federal
Government will challenge both the administration and the Congress.
A common element links both business and governmental stories
together. That element is security. It is no surprise that a new
technology that has immense economic and political effect requires
adjusting our security policies, and that we have lagged in doing so,
but in this case, the problem is compounded by the nature of the
technology itself.
The story of the Internet is well known. It was designed to provide
survivable communications based on rapid and easy connectivity across a
nation-spanning network. Its initial users were scientists and military
officials, small communities that knew and could trust each other. The
Internet is an open network optimized for easy connection and built on
implicit trust. It has changed the world, but it is also deeply flawed.
That flaw is security.
The Internet as it is currently configured and governed cannot be
fully secured. Changing this to gain the further advantages offered by
information technology will require a restructuring of governance,
practices and standards. Right now, however, the advantage lies with
the attacker. This has been apparent for years, but as a nation, we
have not brought the full power of the Federal Government to bear on
the problem, and what power we did bring was applied in a fragmented
and incoherent manner.
This is a harsh statement, and if it is any consolation to the
Committee, the United States has done a better job than any other
country in cybersecurity. The last twelve months have seen more
progress toward securing cyberspace than any previous year. More
importantly, the Obama Administration has identified cybersecurity as
one of the most important issues for national security and has begun to
move forward.
However, we should bear in mind that while the United States has
done more than other nations in terms of security, this is in no way
adequate. One reason for this can be termed asymmetric vulnerability.
We have more to lose than our opponents do. We are more reliant on
information technology and networks and it is a greater source of our
comparative advantage in economic competition and in national security.
As a nation, we have been quicker to take advantage of the Internet and
offer a ``target-rich'' environment to our opponents, who currently
rely on it less.
Over time, this will change. No country can ignore the benefits of
digital networks if it wishes its economy to be competitive, its
researchers effective and its nation to be secure. In the interim,
however, the United States is at greater risk than any other country.
The risk is not what some cybersecurity proponents would have you
believe. We are not talking about explosions, mad hackers, fatalities,
or bringing the United States to its knees in a few hours. These claims
are best left to Hollywood--entertaining, but a poor guide for policy.
The real risk lies in the long-term informational damage to our
economic competitiveness and technological leadership.
Our primary opponents in cyberspace--and we are already in a
conflict even if it often takes place largely outside of public view--
are nation-states and organized criminals (who sometimes work at the
behest of nation state). Cyber conflict involves illicit action to
penetrate computer networks. These penetrations may provide an opponent
the capability to disrupt the delivery of key services, as in the case
of an opponent who surreptitiously accesses the control system of a
critical utility or network. This potential threat is one that we need
to guard against. The real and immediate threat from conflict in
cyberspace, however, is illicit action to obtain access to sensitive
information--in other words, espionage and theft.
That cyber incidents are not comparable to attacks involving the
use of force does not mean that they are not damaging. Clearly, there
are potential military advantages that come from greater knowledge of
an opponent's intentions and capabilities, access to critical military
technologies, and the ability to disrupt and slow decision-making by
introducing uncertainty provides immediate advantage. Action in
cyberspace has become part of modern warfare.
More importantly, cyber conflict is well suited to producing
national advantage in the new kinds of competition that will shape
international relations in the future. In this competition, military
forces are only one source of power. Economic strength, technological
leadership and the ability to innovate will be as important as military
force in creating national power, particularly in competition with the
rising nations who wish to reduce U.S. influence without resorting to
open military conflict. The primary damage to U.S. national security
and economic strength from poor cybersecurity comes from the theft of
intellectual property and the loss of advanced commercial and military
technology to foreign competitors. A failure to secure America's
information infrastructure weakens the United States and makes our
competitors stronger.
2007 was perhaps the worst year for the United States when it comes
to cybersecurity--it may have been the long-awaited Electronic Pearl
Harbor, despite the lack of explosions or casualties. The Secretary of
Defense's unclassified e-mail was hacked. The Department of Commerce's
bureau for high tech trade had to go off-line after its networks were
penetrated. Foreign entities penetrated the networks of the Departments
of State and Energy, NASA and other Federal agencies, along with
networks at Federal contractors, the defense industry and major
companies. It is interesting to note that in the same period the
governments of the United Kingdom, France and Germany also experienced
major cyber incidents, which they attributed to China.
In response, the Bush Administration created the Comprehensive
National Cybersecurity Initiative (CNCI). While the initiative made
progress in securing Federal networks, the CNCI had major drawbacks. It
started too late, in the last year of the Bush Administration. It was
over-classified. Most importantly, despite its name, the Comprehensive
National Cybersecurity initiative was not comprehensive. The CNCI
focused on government networks, and while this is important, it is
inadequate. Cyberspace is a global commercial network. The CNCI did not
have an international component, it did not adequately address how to
secure critical infrastructure, and it ignored the ``dot.com'' space
where most commercial activity takes place. These were serious
shortcomings, and they point to crucial areas for work for the new
Administration.
Despite the CNCI, intense economic espionage made possible by the
Internet is eroding America's technological leadership and economic
strength. Repairing this situation requires two interrelated sets of
actions. The first is to strengthen our national ability to innovate.
Innovation is the process of coming up with news ideas, goods, and
services. It has become a central element in economic competition. A
more innovative nation will be stronger and more secure as it will have
a stronger economy and better technology. A purely defensive strategy
will not succeed. The second set of actions is to secure the networks
upon which we rely for commerce, innovation and security. Two examples
help demonstrate how these actions are related.
There is a strong connection between innovation and information
technology. Information technology lowers the cost of acquiring
information and creating new knowledge. It extends human capabilities
to count and observe. Digitizing knowledge and research increased the
productivity of the innovative efforts. Recognizing that research is a
fundamental source of innovation, the recent stimulus bill provided a
significant increase in funding for research in the hopes that this
would increase innovation in the United States and with it, growth and
competitiveness. This is a good idea, but there is one important caveat
to bear in mind. Much of the new information created by the additional
funding for research will be stored in computer databases. These
databases are usually networked and connected to the Internet. That
means they are vulnerable to penetration and the information stored on
them accessible by others. The end result, if we do not improve
cybersecurity, is that new Federal funding to increase research and
innovation will be a subsidy to foreign industry as much as our own.
Another stimulus-related problem involves an infrastructure
project, the Smart Grid. Smart Grid makes innovative use of advanced
meters to better manage the flow of electricity. These new meters use
computer technologies to make our national electrical network more
efficient. Unfortunately, if the new ``smart'' meters are not secure,
they can be ``hacked,'' taken over by attackers, and used to disrupt
the delivery of electricity. If the Smart Grid is built to existing
standards, however, it will not be secure. Worse, the United States
does not have a process that could deliver in a timely fashion the new
standards needed to guide the construction of secure Smart Grids. Years
of under-investment in infrastructure have put us in this unfortunate
situation.
These two examples show how recovery and growth, innovation and
cybersecurity are intertwined. In the past, we viewed cybersecurity as
a problem somehow separate from larger national issues, something that
could be safely ignored or left for consideration by technical experts.
This is no longer the case. Since the information infrastructure is now
a central pillar of our economy and since the untrammeled use of
cyberspace is crucial for economic and military security, we cannot
ignore it nor can we approach it as a technical problem. An effective
policy for this complicated strategic problem will engage many
different elements of the American government and requires using all
the tools of U.S. national power--diplomatic, military, intelligence,
law enforcement and economic policy. A national strategy that does not
take a comprehensive approach will fail--we have learned the hard way,
this from the experience of our previous national efforts, in 1998,
2003, and 2007.
CSIS established a Commission of recognized experts in 2007 to look
at what actions the Federal Government could take to improve
cybersecurity. The Commission released its report in December 2008. The
report laid out the elements of a comprehensive strategy. This
recommended strategy called for better integration of offensive and
defensive capabilities to create new modes of deterrence. It
recommended expanded international engagement to establish norms and
partnerships for securing cyberspace. It concluded that a voluntary,
industry led approach to national security was insufficient and
concluded that the Federal Government must require mandatory action to
improve cybersecurity. It called for improving our ability to
authenticate digital identities. Finally, the report determined that
the United States needs a coherent and comprehensive organizational and
policy framework to secure cyberspace.
Reorganizing government and adopting new practices to enable and
secure the use of cyberspace is one of the most difficult tasks in this
comprehensive approach. The United States will require a coordinated
effort by many agencies. We do not currently have a mechanism to do
this, although the sixty-day review of cybersecurity policy the Obama
administration is undertaking may provide one. None of the problems we
face in cyberspace are unsolvable, but they require a comprehensive
approach that has not been used in the past. In the litany of errors
and omissions that accompanies any account of previous U.S.
cybersecurity policies, the failure to seek broad international
engagement or to use the regulatory powers of the Federal Government
head the list (along with disorganization and diffusion of effort). You
have an opportunity to change this, working with the Executive Branch
and the private sector.
One important contribution that Congress can make is to ensure that
a national approach to securing cyberspace is forward looking. Congress
can focus Federal efforts on the importance of the economic and
commercial aspects of cybersecurity, and ensure that the regulatory
efforts of important agencies like the Federal Communications
Commission give full weight to cybersecurity--something that is not now
the case. It can ensure that elements of the Department of Commerce
which have crucial roles in securing cyberspace--the National Institute
of Standards and Technology and the National Telecommunications and
Information Administration--make security a priority. Finally, one of
the most daunting tasks before Congress lies in modernizing the range
of legal authorities concerning privacy, security, infrastructure
protection and the management of digital identities, many of which were
written decades ago for simpler technologies and times.
In considering these issues, it is worth recalling that the United
States has used a market-led approach to cybersecurity for more than a
decade. It has failed us. The CSIS Commission report concluded that
market forces alone would not provide adequate national security. This
is a major departure from previous thinking, which tended to approach
the question of regulation timidly and to defer to business interests
on matters of national security. Badly designed regulation is a
hindrance but no regulation in situations where there is market failure
is even worse. The CSIS Commission proposed a new regulatory approach
based on standards and an avoidance of prescriptive rules. The
Commission's recommendation is to begin with regulation for critical
infrastructure--if infrastructure is truly critical, we should not be
shy about mandating action to secure it.
My testimony has attempted to show that information technology has
brought great benefits, but that these are accompanied by unavoidable
(albeit smaller) costs that we have not done well in managing. Our goal
is to take the open network we have inherited and sufficiently secure
it to provide renewed economic growth, more efficient government, and
stronger national security. These are attainable goals, and the Nation
that finds new ways to use cyberspace securely will gain competitive
advantage. With a unified and forward-looking effort, that nation can
be the United States.
I thank the Committee for the opportunity to testify and will be
happy to take any questions.
The Chairman. Thank you very much, Dr. Lewis.
Dr. Weiss is next.
STATEMENT OF DR. JOSEPH M. WEISS, MANAGING PARTNER, APPLIED
CONTROL SOLUTIONS
Dr. Weiss. Good morning, Mr. Chairman and Members of the
Committee. I would like to thank the Committee for your
commitment to a comprehensive examination of the cybersecurity
of control systems utilized in our Nation's industrial
infrastructure, and what can be done to secure them. I also
want to thank you for the opportunity to be here today to
discuss this very important topic.
And I'd like to make one other point. What I think is more
important is not so much cybersecurity, but critical
infrastructure protection; whether the computer is working, we
need to make sure the system and the processes work.
I am a nuclear engineer that has been involved in control
systems for over 35 years, and control-system cybersecurity
since 2000. My focus has been on developing an understanding of
the complex technical and administrative issues associated with
cybersecurity of control systems and how they are different
than for corresponding business information-technology systems.
I've also been working with government organizations, end
users, equipment suppliers, domestic and international
standards organizations, national laboratories, including
Sandia and Los Alamos, and others, to develop standards and
solutions.
The convergence of mainstream IT and control systems
requires both IT and control-system expertise, which is why I'm
so glad you've invited me, so we can have a seat at the table.
One should view current control-system cybersecurity as
where mainstream IT was 15 years ago. It is in the formative
stage and needs support to leapfrog the previous IT learning
curve.
Control systems are a system of systems. While sharing
basic constructs with IT systems, control systems are
technologically, administratively, and functionally different
than IT, and this will have a significant effect on the Smart
Grid.
Vulnerability disclosure philosophies are different, and
can have devastating consequences to critical infrastructure. A
major concern is that there are very few control-system
cyberexperts. I believe, less than 100--with no formal
university curriculum----
The Chairman. Could you repeat that, the first----
Dr. Weiss. Yes.
The Chairman.--part of the sentence?
Dr. Weiss. I believe there are less than 100 people
worldwide who truly know and understand control-system
cybersecurity. And I can elaborate more, if you like.
The Chairman. No.
Dr. Weiss. And one of the things we do not have is any
formal university curricula. We also have no certifications. I
happen to have a professional engineering license. There are no
questions whatsoever on security. The CISSP has no questions
dealing with control systems. We're in the cracks.
And what's more, the lack of control-system security
expertise extends into the government arena, which is focused
on repackaging IT solutions that don't address the actual
control-system cyberevents that have occurred to date.
The issue at hand is the protection of the interdependent
critical infrastructures of electric power, water, oil, gas, et
cetera. In fact, before I came here, the Federal Aviation
Administration asked me to stop by and talk to them.
Control systems form the backbone of these infrastructures,
and the threat of a cyberattack is the central issue. I believe
the threat is increasing, not only because of nation-state
threat, which is probably what you're used to, but because the
economic downturn has created many disgruntled, but
knowledgeable, antagonists. Examples of this are the wireless
hack in Australia in 2000, where a sewage discharge valve was
opened. A disgruntled employee for a federally owned canal
system in California installed software that damaged a computer
used to divert water out of a local river. And literally in
yesterday's newspaper, in L.A. they indicted a disgruntled
engineering technician who disabled the leak-detection system
for three oil derricks off the coast of Southern California.
This was yesterday.
There are only a handful of control-system suppliers, and
they supply applications worldwide. The control systems
architectures and default passwords are common to each vendor.
Consequently, if one industry is vulnerable, they all could be.
The result of a coordinated cyberattack on any or some
combination of the critical infrastructures could be
devastating to the U.S. economy and security. We're talking
months to recover. We're not talking days.
It's an international problem, as North American control-
system suppliers provide systems globally, and non-North
American suppliers provide systems to North America. A number
of suppliers have source code development activities in
countries with dubious credentials.
The concern is real. There have been more than 125 control-
system cyberincidents I've been able to document, and they've
occurred in electric power, in transmission distribution, power
generation, including fossil, hydro, gas turbine, and nuclear
plants. They've also occurred in water, oil, gas, chemicals,
paper, and agribusiness. The impacts have ranged from trivial
to significant environmental damage to significant equipment
damage to deaths. We've already had a cyberincident in the
United States that has killed people.
The following recommendations provide steps to improve the
security and reliability of these critical systems:
First, understand the unique control-system cybersecurity
issues against all threats, intentional and unintentional. And
part of that also includes, not just the threats you'd think
of, we're also talking about things like EMP, electromagnetic
pulse, and other types of events. These have actually affected
control systems already.
Another one that may sound trivial but is terribly
important, and that's, How much is--how much security is enough
security? We don't know. We need to develop control-system
unique solutions, policies, and training based on actually
control-system cyberincidents. We have not yet connected the
dots, and we're starting to see similar events in similar
locations.
And for control systems, the U.S. CERT and the ISACs, you
know, the Information Sharing and Analysis Centers, do not work
for information sharing on control systems. We need an
information-sharing mechanism staffed by vetted control-system
experts. And I use the word ``vetted'' because, in the
commercial world, having a clearance doesn't help, and often
can hurt. It's very different. And we do need regulation. And I
can tell you what I believe the regulation should be, and
especially since you're Commerce.
The Chairman. You mean ``vetted'' is dangerous because
that----
Dr. Weiss. No, clearances are dangerous.
The Chairman. OK.
Dr. Weiss. For the--not for Department of Defense
applications, but for commercial industry.
But, what we need going on is regulation, and the
regulation is to mandate the NIST standards, and that's why, to
me, this is so important. You're Commerce. You have NIST. I was
part of the team that extended NIST SP 800-53 to address
control systems, and we actually used that to look backward in
time at actual control-system cyberevents to make sure it
worked.
And one other thing I should mention, one of the things
control systems do not have to date: forensics. We don't really
have a way of going back and analyzing control-system
cyberincidents. We have to read between the lines.
And finally, we need education and certifications that are
unique to the control-system world, so we have some confidence
that what is being done is being done by people who know and
understand the situation. And, as I mentioned before, we've
fallen between the cracks, and we really are looking for your
help. We feel this is important, and we need your help.
Thank you, and I look forward to taking questions.
[The prepared statement of Dr. Weiss follows:]
Prepared Statement of Dr. Joseph M. Weiss, Managing Partner,
Applied Control Solutions
Good afternoon, Mr. Chairman and Members of the Committee. I would
like to thank the Committee for your invitation to discuss the current
status of cyber security of the control systems utilized in our
Nation's critical infrastructure.
I am a nuclear engineer who has spent more than thirty years
working in the commercial power industry designing, developing,
implementing, and analyzing industrial instrumentation and control
systems. I have performed cybersecurity vulnerability assessments of
power plants, substations, electric utility control centers, and water
systems. I am a member of many groups working to improve the
reliability and availability of critical infrastructures and their
control systems, including the North American Electric Reliability
Council's (NERC) Control Systems Security Working Group (CSSWG), the
Instrumentation Systems and Automation Society (ISA) S99 Manufacturing
and Control Systems Security Committee, the National Institute of
Standards and Technology (NIST) Industry-Grid Working Group, Institute
for Electrical and Electronic Engineers (IEEE) Power Engineering
Society Substations Committee, International ElectroTechnical
Commission (IEC) Technical Committee 57 Working Group 15, and Council
on Large Electric Systems (CIGRE) Working Group D2.22-Treatment of
Information Security for Electric Power Utilities (EPUs). I would like
to state for the record that the views expressed in this testimony are
mine.
Until 2000, my focus strictly was to design and develop control
systems that were efficient, flexible, cost-effective, and remotely
accessible, without concern for cyber security. At about that time, the
idea of interconnecting control systems with other networked computing
systems started to gain a foothold as a means to help lower costs and
improve efficiency, by making available operations-related data for
management ``decision support.'' Systems of all kinds that were not
interconnected with others and thereby could not share information
(``islands of automation'') became viewed as an outmoded philosophy.
But at the same time, there was no corresponding appreciation for the
cyber security risks created. To a considerable extent, a lack of
appreciation for the potential security pitfalls of highly
interconnected systems is still prevalent today, as can be witnessed in
many articles on new control systems and control system conferences. As
such, the need for organizations to obtain information from operational
control system networks to enable ancillary business objectives has
often unknowingly led to increased cyber vulnerability of control
system assets themselves.
The timing of this hearing is fortuitous as the Stimulus Bill has
recently been approved which is stimulating work on the Smart Grid, the
North American Electric Reliability Corporation (NERC) Critical
Infrastructure Protection (CIP) cyber security standards are being
updated, the Chemical Facility Anti-Terrorism Standards (CFATS) is
being reviewed, and the water industry R&D Roadmap has been issued. In
each case, I believe there are shortcomings that can have significant
impacts on the security of our critical infrastructures if they are not
adequately addressed.
Introduction \1\
---------------------------------------------------------------------------
\1\ The testimony is based on the White Paper prepared for the
Center for Strategic and International Studies, ``Assuring Industrial
Control System (ICS) Cyber Security'', by Joe Weiss, dated August 25,
2008.
---------------------------------------------------------------------------
Industrial Control Systems (ICS) \2\ are an integral part of the
industrial infrastructure providing for the national good. While
sharing basic constructs with Information Technology (IT) business
systems, ICSs are technically, administratively, and functionally more
complex and unique than business IT systems. Critical infrastructure
protection focuses on protecting and maintaining a safe and reliable
supply of electric power, oil, water, gasoline, chemicals, food, etc.
Computer cyber vulnerabilities are important if they can affect the
safe, functional performance of these systems and processes. One should
view current ICS cyber security as where mainstream IT security was
fifteen years ago--it is in the formative stage and needs support to
leapfrog the previous IT learning curve.
---------------------------------------------------------------------------
\2\ It should be noted that many of the acronyms used in industrial
controls may be similar to acronyms used in government or other
applications but with different meanings. Examples are ICS, IED, and
IDS. In order to avoid confusion all acronyms have been spelled out the
first time they have been used.
---------------------------------------------------------------------------
The convergence of mainstream IT and ICS systems require both
mainstream and control system expertise. It is the successful
convergence of these systems and organizations that will enable the
promised secure productivity benefits. To ensure that ICS are
adequately represented, include subject matter experts with control
systems experience in all planning meetings that could affect these
systems.
Generally cyber security has been the purview of the Information
Technology (IT) department, while control system departments have
focused on equipment efficiency and reliability--not cyber security.
This has led to the current situation where some parts of the
organization are now sensitized to security while others are not as yet
aware of the need. Industry has made progress in identifying control
system cyber security as an issue while not appreciating the full
gravity of the matter. There is a significant difference between the
security philosophies of enterprise IT and ICS. The purpose of
enterprise security is to protect the data residing in the servers from
attack. The purpose of ICS security is to protect the ability of the
facility to safely and securely operate, regardless of what may befall
the rest of the network.
Cyber refers to electronic communications between systems and/or
individuals. This term applies to any electronic device with serial or
network connections. For this White Paper, the umbrella term ``cyber''
addresses all electronic impacts on ICS operation including:
intentional targeted attacks,
unintended consequences such as from viruses and worms,
unintentional impacts from inappropriate policies, design,
technologies, and/or testing,
Electro Magnetic Pulse (EMP),
Electro Magnetic Interference (EMI),
other electronic impacts.
The umbrella term ``ICS'' includes:
automated control systems (ACS),
distributed control systems (DCS),
programmable logic controllers (PLC),
supervisory control and data acquisition (SCADA) systems,
intelligent electronically operated field devices, such as
valves, controllers, instrumentation,
intelligent meters and other aspects of the Smart Grid,
networked-computing systems.
An ICS is actually a system of systems. A crude distinction between
mainstream IT and control systems is that IT uses ``physics to
manipulate data'' while an ICS uses ``data to manipulate physics.'' The
potential consequences from compromising an ICS can be devastating to
public health and safety, national security, and the economy.
Compromised ICS systems can, and have, led to extensive cascading power
outages, dangerous toxic chemical releases, and explosions. It is
therefore important to implement an ICS with security controls that
allow for reliable, safe, and flexible performance.
The design and operation of ICS and IT systems are different.
Different staffs within an organization conceive and support each
system. The IT designers are generally computer scientists skilled in
the IT world. They view ``the enemy of the IT system'' as an attacker
and design in extensive security checks and controls. The ICS designers
are generally engineers skilled in the field the ICS is controlling.
They view ``the enemy of the ICS'' not as an attacker, but rather
system failure. Therefore the ICS design uses the ``KISS'' principle
(keep it simple stupid) intentionally making systems idiot-proof. This
approach results in very reliable but paradoxically, cyber-vulnerable
systems. Moreover, the need for reliable, safe, flexible performance
precludes legacy ICS from being fully secured, in part because of
limited computing resources. This results in trade-off conflicts
between performance/safety and security. These differences in
fundamental approaches lead to conflicting technical, cultural, and
operational differences between ICS and IT that need addressing.
CIA Triad Model--Confidentiality, Availability, and Integrity
Confidentiality describes how the system or data is accessed
Integrity describes the accuracy or completeness of the data
Availability describes the reliability of accessing the
system or data
Traditional IT systems employ the best practices associated with
``Confidentiality, Integrity, Availability'' (CIA) triad model--in that
order of importance. The placement of rigorous end user access controls
and additional data encryption processes provide confidentiality for
critical information.
Traditional ICS systems employ the best practices associated with
``Confidentiality, Integrity, Availability'' (CIA) triad model--in the
reverse order; AIC- Availability, Integrity, Confidentiality. Extra
emphasis is placed on availability and message integrity.
The converged ICS/IT model would employ the best practices
associated with ``Confidentiality, Integrity, Availability'' (CIA)
triad model--in an equally balanced way. The compromise of any of the
triad will cause the system to fail and become unusable.
It is important to point out another major difference between IT
and ICS systems. In an IT system, the end user generally is a person,
in an ICS system the end user generally is a computer or other highly
intelligent control device. This distinction lies at the heart of the
issue around securing an ICS in a manner appropriate to current need.
IT systems strive to consolidate and centralize to achieve an
economy of scale to lower operational costs for the IT system. ICS
systems by necessity are distributed systems that insure the
availability and reliability of the ICS and the systems that the ICS
controls. This means that remote access is often available directly
from field devices reducing the effectiveness of firewalls at the
Central Demilitarized Zone (DMZ) and requiring additional protection at
remote locations. The limited computer processing power in the field
devices precludes use of many computer resource-intensive IT security
technologies such as remote authentication servers. Newer ICS designs
do, or will, employ advanced high-speed data networking technologies.
Thus, what used to be a single attack vector (the host) increases by
the number of smart field devices (Intelligent Electronic Devices
[IED], smart transmitters, smart drives, etc.).
The use of mainstream operating system environments such as
Windows, UNIX, and Linux for running ICS applications leave them just
as vulnerable as IT systems. While at the same time, the application of
mainstream IT security technical solutions and/or methods will help to
secure more modern ICS host computers and operator consoles (i.e.,
PCs). In technologies such as Virtual Private Networks (VPN) used to
secure communications to and from ICS networks, IT security focuses on
the strength of the encryption algorithm, while ICS security focuses on
what goes into the VPN. An example of this concern was demonstrated by
one of the Department of Energy's National Laboratories of how a hacker
can manipulate widely used ``middleware'' software running on current
mainstream computer systems without a great deal of difficulty. In this
sobering demonstration, using vulnerabilities in OPC code (``OLE for
Process Control''), the system appears to be functioning properly even
though it is not; while displaying incorrect information on, or
withholding correct information from, system operator consoles.
Certain mainstream IT security technologies adversely affect the
operation of ICS, such as having components freeze-up while using port
scanning tools or block encryption slowing down control system
operation--basic Denial of Service (DOS). IT systems are ``best
effort'' in that they get the task complete when they get the task
completed. ICS systems are ``deterministic'' in that they must do it
NOW and cannot wait for later as that will be too late.
To enable proper security, these examples demonstrate the mandate
to understand the ICS and control processes and to evaluate the impacts
of potential security process and actions upon those systems and
processes prior to implementation.
Figure 1 is used to illustrate the distinction between ICS and
business IT considerations. A person is shown (see yellow arrow for
location) at the bottom cylindrical torus to provide a perspective of
size. In this nuclear plant case, the box shown in the figure (on the
left side approximately one-quarter of the way up, see green arrow for
location) is one of two main coolant pumps each consuming enough power
to power approximately 30,000-50,000 homes. A power plant of this
design suffered a broadcast storm resulting in a DOS. In a typical
broadcast storm creating a DOS, the impact is disruption of
communications across a computer network, potentially resulting in
shutdown of computers as a consequence. This broadcast storm DOS
shutdown the equipment controlling the pumps eventually resulting in
the shutdown of the nuclear plant. The term DOS has a completely
different meaning when talking about desktops being shutdown compared
to major equipment in nuclear plants and other major facilities being
shutdown or compromised.
Figure 1--Nuclear Power Plant Denial of Service.
Need for Understanding
In the past, the people that implemented a system, whether Business
IT or ICS, were intimately familiar with the processes and systems
being automated. Today, few people possess this kind of system
knowledge. Rather they design and implement systems based upon design
concepts handed to them. In the case of an ICS, the designer and
implementer may not even know what the end device does, how it does it,
or even what it looks like. The system designer and implementer may not
be in the same country as the controlled device. This disconnect allows
for loss of understanding about the impacts of miss-operation of a
device, device failure, or improper communication with the device.
The more complex the ICS application, the more detailed knowledge
of the automated ICS processes are required: how it is designed and
operated; how it communicates; how it is interconnected with other
systems and ancillary computing assets. Only with this knowledge can
appreciation of the cyber vulnerabilities of the system as a whole can
begin. There is a current lack of ICS cyber security college curricula
and ICS cyber security professional certifications.
Figure 2 characterizes the relationship of the different types of
special technical skills needed for ICS cyber security expertise, and
the relative quantities of each at work in the industry today. Most
people now becoming involved with ICS cyber security typically come
from a mainstream IT background and not an ICS background. This
distinction needs to be better appreciated by government personnel
(e.g., DHS NCSD and S&T, DOE, EPA, etc.) responsible for ICS security.
This lack of appreciation has resulted in the repackaging of IT
business security techniques for control systems rather than addressing
the needs of field ICS devices that often have no security or lack the
capability to implement modern security mitigation technologies. This,
in some cases, inadvertently results in making ICS systems less
reliable without providing increased security. An example of the
uninformed use of mainstream IT technologies is utilizing port scanners
on PLC networks.
Figure 2--Relationship and Relative Availability of ICS Cyber
Security Expertise.
In figure 2, we see that IT encompasses a large realm, but does not
include ICS processes. It is true that IT evaluation and design models
can be used to develop an ICS; the major difference is that within the
Business IT model all tasks have a defined start and a defined end. In
the process control model, the process is a continuous loop. Generally,
the IT community avoids the continuous loop, while the ICS community
embraces the continuous loop. It is the continuous loop that enables an
ICS to operate efficiently and safely. As an example, automated meters
``read and record the value from a meter every second''. The meter will
happily read and record forever, and be proud that it is doing its
function.
A common misconception deals with the availability of knowledge
about an ICS. There are only a limited number of DCS, SCADA, and PLC
suppliers A few of the major suppliers include ABB, Areva, Alsthom,
Emerson, General Electric, Honeywell, Invensys, Metso Automation,
Rockwell Automation, Schneider, Siemens, Telvent, and Yokogawa.
Approximately half of the suppliers are US-based while the other half
are European or Asian-based. The U.S. suppliers provide systems to
North America and throughout the world, except to ``unfriendly''
countries. The ICS systems provided internationally are the same
systems provided in North America with the same architecture, same
default vendor passwords, and same training. Sales of electric industry
SCADA/Energy Management Systems include the system source code, meaning
that the software used in North American SCADA systems is available
world-wide. Some of the largest implementations of ICS systems
originating in the United States are implemented in the Middle East and
China. A number of North American control system suppliers have
development activities in countries with dubious credentials (e.g., a
major North American control system supplier has a major code writing
office in China and a European RTU manufacturer has code written in
Iran). There are cases where U.S. companies will remotely control
assets throughout the world from North America (and vice versa). The
non-North American-based ICS suppliers provide the same systems to
North America as those provided to countries NOT friendly to us. There
are cases where non-North American companies will remotely control
assets in North America from Europe or Asia. Additionally, ICS
engineers willingly share information. This truly is a global issue.
An example of information-sharing concerns is the SCADA Internet e-
mail-based discussion list from Australia where people from around the
world can discuss SCADA/control system issues. Unfortunately, this
includes questions from individuals from suspect countries about ICS
systems, processes, or devices they do not have, but that we do. This
approach works in a benign world--unfortunately, we don't live in one.
There is a reticence by commercial entities to share information
with the U.S. Government. Few ``public'' ICS cyber incidents have been
documented (probably less than 10), yet there have been more than 125
actual ICS incidents. Even the ``public'' cases may not be easily found
as they are buried in public documents such as the National
Transportation Safety Board (NTSB) report on the Bellingham, WA
Pipeline Disaster \3\ or nuclear plant Operating Experience Reports. An
interesting anecdote was a presentation made by a utility at the 2004
KEMA Control System Cyber Security Conference on an actual SCADA system
external attack. This event shut down the SCADA system for 2 weeks.
However, since power was not lost, the utility chose not to inform
local law enforcement, the FBI, or the Electric Sector ISAC since they
did not want their customers to know. This is one of the reasons it is
not possible to provide a credible business case for control system
cyber security.
---------------------------------------------------------------------------
\3\ ``Pipeline Accident Report Pipeline Rupture and Subsequent Fire
in Bellingham, Washington June 10, 1999'', National Transmission Safety
Board Report NTSB/PAR-02/02; PB2002-916502.
---------------------------------------------------------------------------
The prevailing perception is the government will not protect
confidential commercial information and organizations such as ISACs
will act as regulators. That is, if two organizations have the same
vulnerabilities and only one is willing to share the information, the
organization sharing the information will be punished as not being
cyber secure while the organization does not share will be viewed as
cyber secure by default. This has Sarbanes-Oxley implications as well.
It is one reason why the U.S. CERT, which is government-operated, does
not work as effectively as needed. Therefore, a ``Cyber Incident
Response Team (CIRT) for Control Systems'' by a global non-governmental
organization with credible control system expertise is required. This
organization would collect and disseminate information used to provide
the necessary business cases for implementing a comprehensive ICS
system security program. Models for this approach include CERT,
InfraGard, or FAA.\4\ Specific details can be provided if desired. The
InfraGard model for public-private information sharing requires more
sharing with the ICS community by the FBI so industry can protect
themselves if a cyberattack has been detected. The FBI's ``cone of
silence'' is not adequate. As identified by numerous government reports
following the 9/11 disaster, there is a need to ``connect the dots'' to
determine if there are patterns in events that should be followed-up.
In this case, the dots that need to be connected are with ICS cyber
incidents to determine if policies, technologies, and testing are
adequate to address these incidents.
---------------------------------------------------------------------------
\4\ http://asrs.arc.nasa.gov/overview/immunity.html.
---------------------------------------------------------------------------
Operationally, there are differences between mainstream IT and ICS
systems. Of primary concern is maintenance of systems. Like all
systems, periodic maintenance and tuning is required to insure
effective operation which must be scheduled in advance so as not to
cause system impacts. Shutting down a major industrial plant may cost
as much as several hundred thousand dollars per minute.
The current state of the IT world insures a high degree of
intelligence and processing capability on the part of the various
devices within an IT system. The standard implementation provides
centralized control points for authentication and authorization of IT
activities. The lifetime of the equipment in an IT network, typically,
ranges from 3 to 7 years before anticipated replacement and often does
not need to be in constant operation. By the very nature of the devices
and their intended function, ICS devices may be 15 to 20 years old,
perhaps older, before anticipated replacement. Since security was not
an initial design consideration, ICS devices do not have excess
computing capacity for what would have been considered unwanted or
unneeded applications.
As can be seen, device expectations are different for ICS and IT
systems, and this very difference generates two incredibly complex
problems: how to authenticate access, and how to patch or upgrade
software.
Of considerable importance is intra- and inter-systems
communication in both the IT and ICS realms. ICS systems are intended
to operate at all times, whether connected to other systems or not.
This independence makes the ICS very flexible, indeed. The age of the
equipment makes it difficult to authenticate communications properly.
Not just between servers, but between servers and devices, devices and
devices, workstations and devices, devices and people. The older
technologies do not have the ability, by want of adequate operating
systems, to access centralized authentication processes. By want of the
ability of the ICS network to be broken into very small chunks, the use
of centralized authentication is impractical, using the technologies of
today. In an IT network, the authentication rules take place in the
background and are hidden, for the most part, from the end user. In an
ICS network, the authentication rules take place in the foreground and
require interaction with the end user, causing delay and frustration.
Patching or upgrading an ICS has many pitfalls. The field device
must be taken out of service which may require stopping the process
being controlled. This in turn may cost many thousands of dollars and
impact thousands of people. An important issue is how to protect
unpatchable, unsecurable workstations such as those still running NT
Service Pack 4, Windows 95, and Windows 97. Many of these older
workstations were designed as part of plant equipment and control
system packages and cannot be replaced without replacing the systems.
Additionally, many Windows patches in the ICS world are not standard
Microsoft patches but have been modified by the ICS supplier.
Implementing a generic Microsoft patch can potentially do more harm
than the virus or worm against which it was meant to defend. As an
example, in 2003 when the Slammer worm was in the wild, one ICS
supplier sent a letter to all of their customers stating that the
generic Microsoft patch should not be installed as it WOULD shut down
the ICS. Another example was a water utility that patched a system at a
Water Treatment Plant with a patch from the operating system vendor.
Following the patch, they were able to start pumps, but were unable to
stop them!
The disconnection between senior management in charge of Operations
from senior management in charge of security is leading to vendors
being tasked to build new technology for reliability, not security
purposes. The mantra of ``from the plant floor to the Boardroom'' is
being followed without seriously asking the question of why an
executive in the Boardroom would want to control a valve in a plant or
open a breaker in a substation. Several years ago, a heat wave caused
failures of a large number of electric transformers. In order to
address this, the vendor installed temperature sensing and decided that
getting information out to the largest possible audience was the best
way to proceed. Consequently, the new transformer was built with a
Microsoft IIS webserver integrally built into the transformer (Figure
3). Cyber vulnerable technologies such as Bluetooth and wireless modems
are being built-in to ICS field devices. As one vendor claims: ``They
now have a Bluetooth connection for their new distribution recloser. If
your line folks and/or engineers would like to sit in the truck on
those rainy days checking on the recloser . . .'' This means it is
possible to get onto the SCADA network far downstream of the corporate
firewall. In many cases, it is not possible to bypass the vulnerable
remote access without disabling the ICS devices.
Figure 3--Distribution Transformer with Built-in Webserver.
A great concern is the integration of ICS systems with other
systems such as Geographical Information Systems (GIS) or customer
information systems. The unintended consequences of incompatible
software or inappropriate communications have caused significant cyber
incidents. This is an insidious problem because the individual systems
work as designed, while the vulnerability is the interconnection of
individually secure systems. In one case, the rebooting of a control
system workstation that was not even on the control system network
directly led to the automatic shutdown of a nuclear power plant. In
this case, both the workstation and the PLC worked exactly as
designed--two rights made a wrong. In another instance, incompatible
software turned a fossil power plant into a ``yo-yo'' causing it to
swing from maximum load to minimum load and back, within configured
parameters, for 3 hours causing extreme stress to the turbine rotor.
There are currently very few forensics to detect or prevent these
types of events, thus pointing to the need for additional or improved
monitoring and logging. This lack of ICS cyber forensics has two
aspects. The first is for performing forensics on COTS operating
systems (e.g., Windows). The second and more challenging issue is how
to perform cyber forensics on an antique 1200 baud modem to determine
if a cyber event has occurred. Technologies exist, but will removing a
hard drive actually impact the restart and operation of an ICS?
One final concern almost seems trivial but isn't. In most tabletop
exercises, the ultimate fix is to ``pull the plug'' (isolate the ICS
from all others). Unfortunately, in complex ICS implementations, it may
not be possible to know if the ICS really has been isolated.
Consequently, a very important issue is to determine how an
organization can tell if the ICS has been isolated and also if any
Trojans have been left that can affect restart.
Why Do We Care
It is often, but mistakenly, assumed that a cyber security incident
is always a premeditated targeted attack. However, NIST defines a Cyber
Incident \5\ as: ``An occurrence that actually or potentially
jeopardizes the confidentiality, integrity, or availability (CIA) of an
information system or the information the system processes, stores, or
transmits or that constitutes a violation or imminent threat of
violation of security policies, security procedures, or acceptable use
policies. Incidents may be intentional or unintentional.''
Unintentional compromises of CIA are significantly more prevalent and
can have severe consequences, but this does not seem to be part of many
current discussions of ICS cyber security. The direct cause of many ICS
cyber incidents are unintentional human error. This phenomenon must be
addressed by cyber security standards if they are to be effective. It
is important to note that protecting ICS from these unintentional
compromises also protects them from intentional compromise and outside
threat.
---------------------------------------------------------------------------
\5\ National Institute of Standards and Technology Federal
Information Processing Standards Publication 200, Minimum Security
Requirements for Federal Information and Information Systems, March
2006. http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-
march.pdf
---------------------------------------------------------------------------
Contacts throughout industry have shared details and adverse
affects of more than 125 confirmed ICS cyber security incidents to
date. The incidents are international in scope (North America, South
America, Europe, and Asia) and span multiple industrial infrastructures
including electric power, water, oil/gas, chemical, manufacturing, and
transportation. With respect to the electric power industry, cyber
incidents have occurred in transmission, distribution, and generation
including fossil, hydro, combustion turbine, and nuclear power plants.
Many of the ICS cyber incidents have resulted from the
interconnectivity of systems, not from lack of traditional IT security
approaches such as complex passwords or effective firewalls. Impacts,
whether intentional or unintentional, range from trivial to significant
environmental discharges, serious equipment damage, and even deaths.
Figure 4 shows the result of a Bellingham, WA, pipe rupture which
an investigation concluded was not caused by an intentional act.
Because of the detailed evaluation by NTSB, this is arguably the most
documented ICS cyber incident. According to the NTSB Final Report, the
SCADA system was the proximate cause of the event. Because of the
availability of that information, a detailed post-event analysis was
performed which provided a detailed time line, examination of the
event, actions taken and actions that SHOULD HAVE been taken.\6\
---------------------------------------------------------------------------
\6\ ``Bellingham, Washington Control System Cyber Security Case
Study'', Marshall Abrams, MITRE, Joe Weiss, Applied Control Solutions,
August 2007, http://csrc.nist.gov/groups/SMA/fisma/ics/documents/
Bellingham_Case_Study_report%2020sep071.pdf
---------------------------------------------------------------------------
Figure 4--Bellingham, WA Gasoline Pipeline Rupture.
Figure 5 is a picture of the Idaho National Laboratory (INL)
demonstration of the capability to intentionally destroy an electric
generator from a cyberattack.\7\
---------------------------------------------------------------------------
\7\ http://news.yahoo.com/s/ap/20070927/ap_on_go_ca_st_pe/
hacking_the_grid_13.
Figure 5--INL Demonstration of Destroying Large Equipment via a
---------------------------------------------------------------------------
cyberattack.
An attempt was made to categorize the severity of these events. The
prevailing view has been there have been no significant ICS cyber
incidents, but that industry will respond when a significant event
occurs. Consequently, a database of ICS cyber incidents was examined to
determine the level of severity of these incidents. Arbitrarily, three
levels of severity were developed based on impacts:
Severe
This represents failures, omissions, or errors in design,
configuration, or implementation of required programs and policies
which have the potential for major equipment and/or environmental
damage (more than millions of dollars); and/or extreme physical harm to
facilities' personnel or the public; and/or extreme economic impact
(bankruptcy).
Example: The Bellingham, WA gasoline pipeline rupture's impact was
3 killed, $45M damage, and bankruptcy of the Olympic Pipeline Company.
Forensics were not available to determine the actual root cause. This
incident would not have been prevented by mainstream IT security
policies or technologies.
Moderate
This represents failures, omissions, or errors in design,
configuration, or implementation of required programs and policies
which have the potential for moderate equipment and/or environmental
damage (up to hundreds of thousands of dollars) with at most some
physical harm to facility personnel or the public (no deaths).
Examples: (1) Maroochy (Australia) wireless hack caused an
environmental spill of moderate economic consequence. This incident
would not have been prevented by mainstream IT security policies or
technologies. (2) Browns Ferry 3 Nuclear Plant Broadcast Storm could
have been caused by a bad Programmable Logic Controller (PLC) card,
insufficient bandwidth, or caused by mainstream IT security testing.
Forensics were not available to determine the actual root cause. This
incident would not have been prevented by mainstream IT security
policies or technologies.
Minor
This represents failures, omissions, or errors in design,
configuration, or implementation of required programs and policies
which have the potential for minimal damage or economic impact (less
than $50,000) with no physical harm to facility personnel or the
public.
Example: Davis Besse Nuclear Plant cyber incident caused by a
contractor with a laptop contaminated by the Slammer worm plugging into
the plant Safety Parameter Display System. This incident could have
been prevented by mainstream IT security policies.
From the incident data base, many of the incidents would have been
judged to be Moderate or Severe. Most would not have been detected nor
prevented by traditional IT security approaches because they were
caused by the system interconnections or inappropriate policies or
testing--not by mainstream IT cyber vulnerabilities. In order to
improve security and avoid vast expenditures on systems and equipment
without real improvements in automation network security, there is a
critical need to examine previous ICS cyber incidents to determine if
there are patterns in these incidents, what technologies would detect
such events, and what policies should be followed. For mainstream IT
security approaches to be effective, they need to be combined with ICS
expertise that appreciates potential impact on facilities. Examination
of ISA SP99 requirements and risk definitions and tools such as the
Cyber Security Self-Assessment Tool (CS2SAT) \8\ make it clear that
consequences must be understood in terms of the effects on facilities,
major impact on equipment, environmental concerns, and public safety.
---------------------------------------------------------------------------
\8\ U.S. CERT Control Systems Security Program, http://
csrp.inl.gov/Self-Assessment_Tool.html.
---------------------------------------------------------------------------
One way to move toward cross-sector convergence in cyber security
ways and means is for all stakeholders to use the same terminology and
to eliminate duplicative or overlapping sets of security standards'
requirements. NIST offers a set of high-quality publications addressing
most of the relevant managerial, administrative, operational,
procedural, and technical considerations. Each of these publications,
such as SP 800-53, have been put through a significant international
public vetting process, including, to the extent possible, by
authorities in the national security domain. NIST offers its documents
to all organizations interested in using them as a basis for developing
in-common standards within the ICS community. The recent Nuclear
Regulatory Commission Draft Regulatory Guide 5022 specifically
references NIST SP 800-53 and other appropriate NIST documents.
Incentives versus Regulation
Because I am very familiar with the electric power industry, I will
focus on that segment. However, the information and experience from
this segment generalizes across the entire critical infrastructure.
When the EPRI Enterprise Infrastructure (cyber security) Program
was initiated in 2000, control system cyber security was essentially a
non-factor--it was a problem of omission. Immediately following 9/11,
the Federal Energy Regulatory Commission (FERC) attempted to provide
incentives for security improvements by issuing a letter that would
allow security upgrades to be included in the rate base. For various
reasons, very few utilities took advantage of the offer and little was
done. Consequently, in 2003 FERC approached the North American Electric
Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
Working Group with an ultimatum--do something or FERC would do it to
you. In order to preclude regulations, industry promised they would
produce cyber security requirements that would comprehensively secure
the electric enterprise. The electric industry eventually developed the
NERC CIP series of standards and the nuclear industry developed the
Nuclear Energy Institute (NEI) guidance documents (NEI-0404). Instead
of providing a comprehensive set of standards to protect the electric
infrastructure, the NERC CIPs and NEI-0404 were ambiguous and with
multiple exclusions. The industry went from being vulnerable because of
lack of knowledge to now being vulnerable because of excluding systems
and technologies and then claiming compliance. The electric industry
has demonstrated they cannot secure the electric infrastructure without
regulation. Other industrial verticals have similarly defaulted.
Therefore, regulation is needed.
Recommendations
Develop a clear understanding of ICS cyber security.
Develop a clear understanding of the associated impacts on
system reliability and safety on the part of industry,
government and private citizens.
Define ``cyber'' threats in the broadest possible terms
including intentional, unintentional, natural and other
electronic threats such as EMP.
Develop security technologies and best practices for the
field devices based upon actual and expected ICS cyber
incidents.
Develop academic curricula in ICS cyber security.
Leverage appropriate IT technologies and best practices for
securing workstations using commercial off-the-shelf (COTS)
operating systems.
Establish standard certification metrics for ICS processes,
systems, personnel, and cyber security.
Promote/mandate adoption of the NIST Risk Management
Framework for all infrastructures or at least the industrial
infrastructure subset.
Establish a global, non-governmental Computer Emergency
Response Team (CERT) for Control Systems staffed with control
system expertise for information sharing.
Establish a means for vetting experts rather than using
traditional security clearances.
Establish, promote, and support an open demonstration
facility dedicated to best practices for ICS systems.
Provide regulation and incentives for cyber security of
critical infrastructure industries.
Include Subject Matter Experts with control system
experience at high level cyber security planning sessions.
Change the culture of manufacturing in critical industries
so that security is considered as important as performance and
safety.
Summary
Recognize that first and foremost, ICS systems need to operate
safely, efficiently, and securely which will require regulation. ICS
cyber vulnerabilities are substantial and have already caused
significant impacts including deaths. Security needs to be incorporated
in a way that does not jeopardize the safety and performance of these
systems. One should view ICS cyber security as where mainstream IT
security was fifteen years ago--it is in the formative stage and needs
support to leapfrog the previous IT learning curve. There is a
convergence of mainstream IT and control systems that will require both
areas of expertise. To ensure that ICS are adequately represented,
include subject matter experts with control systems experience in all
planning meetings that could affect these systems. The prevailing
perception is the government will not protect confidential commercial
information and organizations such as ISACs will act as regulators.
This has Sarbanes-Oxley implications as well. It is one reason why the
U.S. CERT, which is government-operated, does not work as effectively
as needed and a ``CIRT for Control Systems'' by a global non-
governmental organization with credible control system expertise is
required.
The Chairman. Thank you very much, Dr. Weiss.
Dr. Amoroso?
STATEMENT OF DR. EDWARD G. AMOROSO, SENIOR VICE PRESIDENT AND
CHIEF SECURITY OFFICER, AT&T INC.
Dr. Amoroso. OK. So, first of all, thanks very much for the
invite. I do appreciate it.
Mr. Chairman, I'm an example of a person who's very much in
the trenches, day to day, working cybersecurity issues. My job
at AT&T is the realtime protection of our vast infrastructure,
so you can almost think of AT&T as a microcosm of the critical
infrastructure that we have in our country. I mean, we have,
you know, these wireless assets and Internet assets and
business and commercial-service assets, and certainly do have
our share of control systems, as well. So, day in, day out,
we're working very hard to protect our systems from hackers and
terrorists and criminals and all the things that really present
quite a challenge for our Nation.
Now, for me, personally, I was first introduced to the
topic when I joined Bell Laboratories in the early 1980s, and
AT&T was working cybersecurity issues in those days, mostly
with the Federal Government. You might remember that, in the
1980s, when you talked about cybersecurity--we didn't even have
that term then--you got a lot of blank stares, right? You might
get somebody in Washington interested, you might get a bank
interested, but certainly no businesses. We don't have a legacy
in this area. And I thought Dr. Weiss's comments were a good
example of, maybe, where we were in computers and networks
about 20 years ago, probably a good two-decade lag, perhaps, in
our control systems.
So, for me, personally, to get to the point where I have
the competence and capability to protect AT&T's infrastructure,
AT&T put me through 24 years of doing almost nothing but
cybersecurity. They paid for me to go get a Ph.D. in computer
science, they sent me to Columbia Business School to learn the
business issues, they put up with me writing four books on the
topic, so I've been through, you know, kind of a quarter of a
century of boot camp in cybersecurity, and I'm here to, maybe,
just provide a little bit of perspective and a couple of
suggestions on some things that I think are going to be
important for our country.
And I want to use an example. There's a particular type of
threat that you may be reading about. If you picked up the New
York Times today, then you saw there was an article on
``botnets,'' which has become a buzzword. These are pretty
nasty attack approaches. A ``botnet'' is something that
harnesses the power of all of our PCs in our homes. I think
just about everyone in this room would probably admit, perhaps
privately, that they don't administer their PC too well at
home. I know that I don't; and I do this for a living. When you
don't, it's very easy for attackers or terrorists or folks from
who the heck knows where can drop--to drop software onto your
PC that would, very unsuspectingly, be off doing things over
your broadband connection.
When you do this, when you do this on a large scale and set
up controllers to aim all of this energy, this cybersecurity,
cyberattack energy at an unsuspecting victim--could be a
civilian agency of the United States--the results can be pretty
lethal. It's like aiming a laser-guided weapon at a--at, as I
said, an unsuspecting victim; could shut down government. And
you reference earlier, Mr. Chairman, the experience that
Estonia had when that was done to them.
A couple of things by way recommendations. Number one, I
think it becomes imperative that, in our government procurement
process, that we start paying more attention to threats that
are valid today. I look, almost daily, at requests for proposal
and requests for information that come from Washington to the
private sector for products and services that we would be
selling them, and they generally don't have sufficient security
embedded in the set of requirements that come to us. I can't
tell you how many times we'll respond to a bid, and append it
with what we believe would be sufficient security to protect
the government. I think this is something we need to very
quickly address.
Second, I think it's imperative that we start building a
greater international cooperation. When we're off chasing one
of these things in realtime, chasing a botnet or trying very
hard to protect one of our customers, it's generally the case
that the attack is coming, as you referenced earlier, Mr.
Chairman, from around the world, and there really is no place
for us to turn. Certainly as a major carrier, one would think,
my goodness, it would probably be the case that AT&T could very
easily reach out to any number of international carriers or
countries or contacts, but that is not the case. There is no
easy way for us to go work with--you referenced China and
Russia, the two examples of countries where, if there's an
attack emanating from there, we have to work around it--not so
much with it, but around it. And that's something that I think
needs to be address very quickly.
Third recommendation is that it's pretty obvious that the
world is moving more and more toward a mobility base. I'll bet
everybody in this room has a mobile phone, you know, tucked in
their pocket, hopefully on vibrate. That's going to change the
game pretty significantly. When we think about the types of
attacks and problems that we see in the computer and network
area, they become all the more intense as mobility becomes a
fundamental piece of our society, if it hasn't already. I think
it's already a basic part of our critical infrastructure.
So, I think government and the private sector is going to
have to work more closely with the carriers, because we are
the--we are the--if you think about it, there's an attacker,
there's a victim, and what sits in between? The thing that sits
in between is the network.
So, we appreciate the invite to address the Committee, look
forward to working with you. We've prepared some remarks that I
hope you'll take a chance--take a moment to read. And look
forward to answering any questions you might have.
[The prepared statement of Dr. Amoroso follows:]
Prepared Statement of Dr. Edward G. Amoroso, Senior Vice President and
Chief Security Officer, AT&T Inc.
Good morning, my name is Edward Amoroso. I currently serve as
Senior Vice President and Chief Security Officer of AT&T. I have worked
in the area of cyber-security for the past 24 years, starting at Bell
Labs. My current responsibilities include design and operation of the
security systems and processes that protect AT&T's vast domestic and
international wired and wireless infrastructure. This infrastructure
supports AT&T's voice and data networks, and permits AT&T to provide
the Internet access, telephony, video entertainment, data transmission
and managed services that AT&T offers to its many millions of customers
around the globe.
My educational background includes a Bachelor's degree in physics
from Dickinson College, as well as Masters and PhD degrees in computer
science, both from the Stevens Institute of Technology, where I have
also served as an adjunct professor of computer science for the past
twenty years. I am a graduate of the Columbia Business School, and have
written four books and many articles on the topic of cyber-security.
On behalf of AT&T, I would like to thank the Committee for this
invitation to comment on the cyber-security challenges facing my
company, this Nation and the rest of the world. My comments include a
professional perspective on how and why cyber-security threats have
increased significantly over the past 5 years, as well as suggestions
on how these threats should be addressed.
I believe most citizens equate the issue of cyber-security with
viruses that find their way onto computers, or with the stories they
hear about so-called ``security breaches'' resulting from laptops being
lost or stolen. These are certainly problems, but from the perspective
of protecting the Nation's critical infrastructure, these issues are
not severe. Cyber-security is more about protecting the infrastructure
from intrusion by individuals or forces determined to disrupt the flow
of data and the storage of information. Motives might be mere mischief,
making a political statement, gaining business advantage, making
pecuniary gain, exposing a vulnerability or something more sinister.
In the mid-1990s, attacks on the infrastructure sometimes were
clumsy, or so sophisticated as to be admired, but they did not cause
lasting damage. But just as computing has advanced and evolved, so too
has the frequency and form of attacks. For a time, those determined to
intrude (call them hackers for simplicity-sake) were able to take
advantage of the fact that most consumers, businesses and government
agencies had not done a good job maintaining the security of their
operating systems and common applications (such as browsers and e-mail
applications) by applying security patches and running system security
programs. ``Patching'' has improved dramatically across the global
infrastructure, and anti-malware applications have become common place.
Thus, attackers now use ``phishing'' or ``pharming'' approaches,
whereby an unsuspecting victim is tricked into giving away passwords or
personal information, or allowing malware to be dropped onto machines--
even those that are properly patched. Last year the FBI announced that
revenues from cyber-crime, for the first time ever, exceeded drug
trafficking as the most lucrative illegal global business, estimated at
reaping more than $1 trillion annually in illicit profits.
Evolving and more lethal type of cyber-attacks can devastate
infrastructure. One form of attack uses ``botnets,'' which work by
harnessing the power of unprotected PCs from homes and businesses.
Malicious intruders, hackers and even terrorists are getting very good
at harnessing the power of PCs and aiming them at unsuspecting victims.
It has become so easy and rampant that the risk has grown
exponentially. The result is a laser-like cyber-attack on an
unsuspecting business or government system. Estonia, for example, was
the subject of a botnet attack 2 years ago, and the results were
catastrophic: The entire country was disconnected from the Internet,
and the event has come to be known as ``WWI'' for ``Web War I.''
For AT&T, cyber-security is the collective set of capabilities,
procedures and practices that protect our customers and the services we
offer them from the full spectrum of cyber-threats, including botnets.
This assures that the information, applications, and services our
customers want are secure, accurate, reliable and available wherever
and whenever they are desired. Cyber-security is a leading corporate
priority, and we are investing significant resources in making our
network and our customers more secure. To this end, strong cyber-
security is essential to maintaining the integrity and reliability of
the network, and well as protecting privacy of personal customer
information.
The technology within our network is rapidly evolving to support
new applications and services. This year alone, AT&T is investing more
than $18 billion in expanding the capabilities of our network and
infrastructure to meet the rapid global expansion of advanced
information technology and services, and to enhance reliability and
security. The size and scope of AT&T's global network, coupled with our
industry-leading cyber-security capabilities, gives us a unique
perspective into malicious cyber-activity. Our advanced network
technology currently transports more than 17 Petabytes a day of IP data
traffic, and we expect that to double every 18 months for the
foreseeable future. Our network technologies give us the capability to
analyze traffic flows to detect malicious cyber-activities, and, in
many cases, get very early indicators of attacks before they have the
opportunity to become major events. For example, we have implemented
the capability within our network to automatically detect and mitigate
most Distributed Denial of Service Attacks within our network
infrastructure before they affect service to our customers. Indeed,
part of the investment I described above is targeted to advancing our
attack mitigation capabilities. We doubled, and are now redoubling, our
ability to provide global coverage to scrub for denial-of-service
attacks. We went from one domestic scrubbing complex to multiple
locations across the United States, as well as nodes in Europe and
Asia. This gives us the ability to filter out attack traffic as close
to the source of the threat as possible.
To address the growing cyber threat to our nation, and in
particular the threat of botnets, three actions are recommended. First,
our Federal procurement process needs to be upgraded to implement
sufficient security protections to deal with large-scale cyber-attack.
The denial-ofservice threat, for example, is largely overlooked in most
civilian agency networks. On the other hand, private sector companies
like AT&T offer advanced services that can mitigate the threat of a
denial-of-service attacks before they arrive on an agency's doorstep.
Without a strategic emphasis to build strong cyber-security protections
into the Federal requirements development process, however, those
protections are unlikely to find their way into systems procurement
requirements.
A second recommended action involves international partnership
during a cyber-attack. When a botnet is aimed at some critical asset,
the servers controlling the attack might be scattered to the farthest
reaches of the globe. The local service provider is thus in the best
position to take suitable security action. But this requires
international cooperation that has been so far inadequate. Such a
course would be consistent with the recent recommendations by the
National Security Telecommunications Advisory Committee (NSTAC) that
international coordination receive prioritized attention. Specifically,
NSTAC recommended that the Federal Government pursue development of
international cyber-incident warning and responsible capabilities since
network attacks or incidents originating outside of the United States
raise increasing concerns about the security and availability of
domestic national security and emergency preparedness communications.
In many ways, the international paradigm reflects the flaws in the
current, domestic security paradigm--international coordination on
incident response remains largely ad hoc. The continuing absence of a
coordinated, scalable, international structure for response that
includes all relevant stakeholders undercuts efforts to develop
systemic solutions and responses.
Finally, our government should rethink its own relationship with
its network service providers. As attacks become more mobile and
network-based, the service provider has the best vantage point to
mitigate the threat. Too often, in our work at AT&T, we see government
and business systems designed with the service provider at arms-length.
This practice must be discouraged. In fact, agencies that run their own
cyber-security operation should be ready to justify such decision. They
cannot stop network threats such as botnets on their own.
To this end, we endorse the several NSTAC recommendations that
encourage such relationship rethinking. We believe that the public and
private sectors can and should create structures for timely and secure
sharing of cyber-security threat and response information between
government and industry, and between and among critical infrastructures
in a trusted, collaborative environment. In partnership with the
private sector, the government can and should create a secure and
responsive identity management framework to support cyber-based
identity processes and applications, thereby ensuring emergency
response access to critical infrastructure in support of disaster
recovery. In collaboration with industry, the government can and should
create a comprehensive incident-response architecture embracing
critical infrastructure facilities and core infrastructure services.
Perhaps most importantly, the government should collaborate with
industry on research and development efforts in pursuit of critical
cyber-security capabilities, and in furtherance of interoperable
identity management processes between government and the private
sector.
To conclude, I am pleased that this Committee is focusing on cyber-
security, and looking forward to working with you to develop practical
steps to ensure that cyber security does not threaten our Nation's
present and future well-being.
The Chairman. Thank you very much.
Dr. Amoroso. You bet.
The Chairman. You've written four books?
Dr. Amoroso. Yes.
The Chairman. Are they----
Dr. Amoroso. But, Dr. Spafford's books are actually better
than mine.
[Laughter.]
The Chairman. Are they? Well, then--I'm going to forget all
about yours, then.
[Laughter.]
The Chairman. Dr. Spafford?
STATEMENT OF DR. EUGENE H. SPAFFORD, PROFESSOR AND EXECUTIVE
DIRECTOR, PURDUE UNIVERSITY CENTER FOR EDUCATION AND RESEARCH
IN INFORMATION ASSURANCE AND SECURITY (CERIAS) AND CHAIR OF THE
U.S. PUBLIC POLICY COMMITTEE OF THE ASSOCIATION FOR COMPUTING
MACHINERY (USACM)
Dr. Spafford. Thank you, Mr. Chairman and Members of the
Committee.
To put some of my comments in a little bit of context, I've
been working in computing and computing security for about 30
years, and I have done that in a number of different kinds of
roles; certainly, as a researcher at a university; and some of
the things that we have invented, that I've invented with my
students, are in use worldwide right now, protecting systems.
They're common security tools and methods. The students
themselves have gone off to important roles. In fact, one of
our most recent Ph.D. graduates serves the Sergeant at Arms of
the Senate. And we have graduates who are working in a number
of different Federal agencies.
I have worked as a consultant and founder of commercial
firms. And I have worked as a consultant for Federal agencies,
including the U.S. Government Accountability Office, Air Force,
the National Security Agency, the FBI, the National Science
Foundation, and national labs. So, I have seen across a very
broad spectrum of the places where cyber is used, and some of
the problems involved.
And the simplest way to state this is, the Nation is under
attack, and it is a hostile attack, it is a continuing attack.
It has been going on for years, and we have largely been
ignoring it. The commercial losses, by best estimates, are in
the tens of billions of dollars per year. To put that in
context, imagine a Hurricane Katrina-style event occurring
every year and being ignored.
The classified largest--classified losses may be as large
or even larger, because some of the things that are at risk
can't really be easily valued in dollars. It's very difficult
to value our national security and protection.
There are a number of reasons why this has been ignored and
why the problem continues. I would invite you to look in my
written testimony; I have more material there.
But, one of the issues that we have to face is, this is not
primarily a network problem, it is a computing problem, it is
the endpoints, it is the computer systems people use, it is the
cell phones, the control nodes, and the other items, that
people are breaking into. The network is a conduit and has some
of its own problems, but computing is a much bigger problem
than simply the Internet.
Second, there are no single easy solutions. It is not
simply a technology problem, where we can come up with a fix
and apply it. Too many people think that's the case.
Security is a process. It's an ongoing process akin to
having policemen on the beat or having patrols off the coast.
We have to continue to fund and be vigilant and improve what we
do in defense.
Cybersecurity is a combination of technology, of policy,
and of knowledge and people. And we have problems in all three
areas. Again, I address some of this in my written testimony.
Part of the problem in policy is the fact that we haven't
done much at all to put up a deterrent. We do not strike back
at those who attack our systems. If they are criminal elements,
our law enforcement doesn't have the tools, the manpower, or,
very often, the authority to go after those individuals. And
so, they continue to make millions of dollars per week--some of
the credit card fraud--and they reinvest that in new tools, far
more than we are investing in development of defensive tools
here in this country.
For nation-state type of attacks, we don't apply any of the
kinds of diplomatic or economic pressures that we might be able
to do to try to discourage that behavior.
So, we're going to have to have some improvements in
technology. We're going to have to have improvements in the
knowledge and people involved. And this is an area I addressed
extensively in my written testimony.
But, let me say something about the technology, because
that's an area that I've worked in so much. The current view,
that security can be had by adding something on afterwards or
by applying patches to problems, simply won't work. It has not
worked. It will not work. If we continue our current approach
to producing and buying technology, we are going to continue to
be vulnerable.
We need to apply more funding and support to research. And
the research can't be near-term, let's-come-up-with-a-patch-
for-the-latest-botnet-or-the-latest-firewall-problem, but long-
term research as to how to fundamentally redesign some of the
systems we're using and the security involved. That funding has
to be continuing, and it should go toward some risky ideas,
because if we aren't approaching risky ideas, we're not likely
to come up with the breakthrough ideas that are necessary.
Such kinds of research are done at, largely, universities,
but also at the national labs, as has been noted, and many
independent firms that do have research arms. These not only
produce results and experience, but they produce people, people
who can go on and be faculty members, can be researchers to
found companies, serve in the government and other places.
So, our investment in research, even if the research
results don't always produce something that we can use, do have
a benefit in the long term for the country and the economy and
the knowledge base, but it must be significant and sustained
When I was a member of the PITAC, the report we issued in
2005 indicated that we believed at least a tripling of the
research budget at that time was necessary. There was actually
a slight decrease. Current funding could probably stand a many-
times-over increase.
Let me point out that this is not simply a Federal problem,
but a national problem. We're going to have to have other
parties step up. It's not something that the Federal Government
can solve all by itself. And it's actually an international
problem, as has been noted. We have friends around the world
whose banking systems, telecommunications systems, supply
systems, healthcare, and other public infrastructure, are
threatened. If the oil wells offshore from some of the
countries we're friends with are compromised because their
control systems are corrupted, it could have a devastating
impact on our economy. We cannot afford to be insular in our
thinking.
In closing, I included a well-known aphorism in my
testimony that I've seen attributed to a number of different
authors, John Dryden, the English playwright, being one of
them, that insanity is doing the same thing over and over again
and expecting different results. Our cybersecurity application,
particularly in the government, has been insane for years. You
have a chance to change that.
Thank you for your attention. I look forward to your
questions.
[The prepared statement of Dr. Spafford follows:]
Prepared Statement of Dr. Eugene H. Spafford, Professor and Executive
Director, Purdue University Center For Education and Research in
Information Assurance and Security (CERIAS) and Chair of the U.S.
Public Policy Committee of the Association For Computing
Machinery (USACM)
Introduction
Thank you Chairman Rockefeller and Ranking Member Hutchison for the
opportunity to testify at this hearing.
By way of self-introduction, I am a Professor at Purdue University.
I also have courtesy appointments in the departments of Electrical and
Computer Engineering, Philosophy, and Communication at Purdue, and I am
an adjunct professor at the University Texas at San Antonio. At Purdue,
I am also the Executive Director of the Center for Education and
Research in Information Assurance and Security (CERIAS). CERIAS is a
campus-wide multidisciplinary institute, with a mission to explore
important issues related to protecting computing and information
resources. We conduct advanced research in several major thrust areas,
we educate students at every level, and we have an active community
outreach program. CERIAS is the largest such center in the United
States, and we were recently ranked as the #1 such program in the
country. CERIAS also has a close working relationship with dozens of
other universities, major commercial firms and government laboratories.
Along with my role as an academic faculty member, I also serve on
several boards of technical advisors, and I have served as an advisor
to Federal law enforcement and defense agencies, including the FBI, the
Air Force and the NSA. I was also a member of the most recent
incarnation of the President's Information Technology Advisory
Committee (PITAC) from 2003 to 2005. I have been working in information
security for over 25 years.
I am also the Chair of USACM, the U.S. public policy committee of
the ACM. With over 90,000 members, ACM is the world's largest
educational and scientific computing society, uniting educators,
researchers and professionals to inspire dialogue, share resources and
address the field's challenges. USACM acts as the focal point for ACM's
interaction with the U.S. Congress and government organizations. It
seeks to educate and assist policy-makers on legislative and regulatory
matters of concern to the computing community.
USACM is a standing committee of the ACM. It tracks U.S. public
policy initiatives that may affect the membership of ACM and the public
at large, and provides expert input to policy-makers. This advice is in
the form of non-partisan scientific data, educational materials, and
technical analyses that enable policy-makers to reach better decisions.
Members of USACM come from a wide-variety of backgrounds including
industry, academia, government, and end users.
My testimony is as an expert in the field. My testimony does not
reflect official positions of either Purdue University or the ACM,
although I believe that my comments are consistent with values and
positions held by those organizations.
General Comments
Our country is currently under unrelenting attack. It has been
under attack for years, and too few people have heeded the warnings
posed by those of us near the front lines. Criminals and agents of
foreign powers have been probing our computing systems, defrauding our
citizens, stealing cutting-edge research and design materials,
corrupting critical systems, and snooping on government information.
Our systems have been compromised at banks, utilities, hospitals, law
enforcement agencies, every branch of the armed forces, and even the
offices of the Congress and White House. Although exact numbers are
impossible to obtain, some estimates currently run in the tens to
hundreds of billions of dollars per year lost in fraud, IP theft, data
loss, and reconstitution costs. Attacks and losses in much of the
government and defense sector are classified, but losses there are also
substantial.
Over the last few decades, there have been numerous reports and
warnings of the problems issued. When I was a member of the PITAC in
2003-2005, we found over a score carefully-researched and well-written
reports from research organizations that highlighted the dangers and
losses, and pointed out that the problem was only going to get worse
unless drastic action is taken. Our own report from the PITAC, Cyber
Security: A Crisis of Prioritization, published in 2005, echoed these
concerns but was given scant attention. Other reports, such as Toward a
Safer and More Secure Cyberspace by the National Academies have
similarly been paid little attention by leaders in government and
industry. Meanwhile, with each passing week, the threats grow in
sophistication and number, and the losses accumulate.
I do not mean to sound alarmist, but the lack of attention being
paid to these problems is threatening our future. Every element of our
industry and government depends on computing. Every field of science
and education in our country depends, in some way, on computing. Every
one of our critical infrastructures depends on computing. Every
government agency, including the armed forces and law enforcement,
depend on computing. As our IT infrastructure becomes less trustworthy,
the potential for failures in the institutions that depend on them
increases.
There are a number of reasons as to why our current systems are so
endangered. Most of the reasons have been detailed in the various
reports I mentioned above and their lists of references, and I suggest
those as background. I will outline some of the most significant
factors here, in no particular order:
Society has placed too much reliance on marketplace forces
to develop solutions. This strategy has failed, in large part,
because the traditional incentive structures have not been
present: there is no liability for poor quality, and there is
no overt penalty for continuing to use faulty products. In
particular, there is a continuing pressure to maintain legacy
systems and compatibility rather than replace components with
deficient security. The result is a lack of reward in the
marketplace for vendors with new, more trustworthy, but more
expensive products.
Our computer managers have become accustomed to deploying
systems with inherent weaknesses, buying add-on security
solutions, and then entering a cycle of penetrate-and-patch. As
new flaws are discovered, we deploy patches or else add on yet
new security applications. There is little effort devoted to
really designing in security and robustness. This also has
contributed to unprotected supply chains, where software and
hardware developed and sold by untrusted entities is then
placed in trusted operational environments: the (incorrect)
expectation is that the add-on security will address any
problems that may be present.
There is a misperception that security is a set of problems
that can be ``solved'' in a static sense. That is not correct,
because the systems are continuing to change, and we are always
facing new adversaries who are learning from their experiences.
Security is dynamic and changing, and we will continue to face
new challenges. Thus, protection is something that we will need
to continue to evolve and pursue.
Too few of our systems are designed around known, basic
security principles. Instead, the components we do have are
optimized for cost and speed rather than resilience and
security and those components are often needlessly complex.
Better security is often obtained by deploying systems that do
less than current systems--extra features not necessary for the
task at hand too often provide additional avenues of attack,
error, and failure. However, too few people understand cyber
security, so the very concept of designing, building, or
obtaining less capable systems, even if they are more
protected, is viewed as unthinkable.
We have invested far too little on the resources that would
enable law enforcement to successfully investigate computer
crimes and perform timely forensic activities. Neither have we
pursued enough political avenues necessary to secure
international cooperation in investigation and prosecution of
criminals operating outside our borders. As a result, we have
no effective deterrent to computer crime.
The problems with deployed systems are so numerous that we
would need more money than is reasonably available simply to
patch existing systems to a reasonable level. Unfortunately,
this leads to a lack of funding for long term research into
more secure systems to replace what we currently have. The
result is that we are stuck in a cycle of trying to patch
existing systems and not making significant progress toward
deploying more secure systems.
Over-classification hurts many efforts in research and
public awareness. Classification and restrictions on data and
incidents means that it is not possible to gain an accurate
view of scope or nature of some problems. It also means that
some research efforts are inherently naive in focus because the
researchers do not understand the true level of sophistication
of adversaries they are seeking to counter.
Too little has been invested in research in this field, and
especially too little in long-term, risky research that might
result in major breakthroughs. We must understand that real
research does not always succeed as we hope, and if we are to
make major advances it requires taking risks. Risky research
led to computing and the Internet, among other things, so it is
clear that some risky investments can succeed in a major way.
We have too many people who think that security is a network
property, rather than understanding that security must be built
into the endpoints. The problem is not primarily one of
``Internet security'' but rather of ``computer and device''
security.
There is a common misconception that the primary goal of
intruders is to exfiltrate information or crash our systems. In
reality, clever adversaries may simply seek to modify critical
applications or data so that our systems do not appear to be
corrupted but fail when relied upon for critical functions--or
worse, operate against our interests. We seldom build and
deploy systems with sufficient self-checking functions and
redundant features to operate correctly even in the presence of
such subversion.
Government agencies are too disorganized and conflicted to
fully address the problems. Authorities are fragmented, laws
exist that prevent cooperation and information sharing, and
political ``turf'' battles all combine to prevent a strong,
coordinated plan from moving forward. It is debatable whether
there should be a single overarching authority, and where it
should be if so. However, the current disconnects among
operational groups including DHS, law enforcement, the armed
forces and the intelligence community is a key part of the
problem that must be addressed.
We have too few people in government, industry and the
general public who understand what good security is about. This
has a negative effect on how computing is taught, designed,
marketed, and operated. I discuss this in more depth later in
this testimony.
I would be remiss not to note that most systems handling personal
information have also been poorly designed to protect privacy. Good
security is necessary for privacy protection. Contrary to conventional
wisdom, it is not necessary to sacrifice privacy considerations to
enhance security. However, it takes additional effort and expense to
design to both protect privacy and improve security, and not everyone
is willing to make the effort despite the rewards.
This battle is global. Our colleagues in other countries are also
under siege from criminals, from anarchists, from ideologues, and from
agents of hostile countries. Any effective strategy we craft for better
cyber security will need to take into account that computing is in use
globally, and there are no obvious national borders in cyberspace.
Additionally, it is important to stress that much of the problem is
not purely technical in nature. There are issues of sociology,
psychology, economics and politics involved (at the least). We already
have technical solutions to some of the problems we face, but the
parties involved are unable to understand or agree to fielding those
solutions. We must address all these other issues along with the
technical issues if we are to be successful in securing cyberspace.
Rethinking Computing \1\
---------------------------------------------------------------------------
\1\ Adapted from Rethinking computing insanity, practice and
research, CERIAS Weblog, December 15, 2008, . In turn, this post was derived from
my essay in the October 2008 issue of Information Security magazine.
---------------------------------------------------------------------------
Fifty years ago, IBM introduced the first commercial all-transistor
computer (the 7000 series). A working IBM 7090 system with a full 32K
of memory (the capacity of the machine) cost about $3,000,000 to
purchase--over $21,000,000 in current dollars. Software, peripherals,
and maintenance all cost more. Rental of a system (maintenance
included) could be well over $500,000 per month. The costs of having
such a system sit idle between jobs (and during I/O) led the community
to develop operating systems that supported sharing of hardware to
maximize utilization. It also led to the development of user accounts
for cost accounting and development of security features to ensure that
the sharing didn't go too far. As the hardware evolved and became more
capable, the software also evolved and took on new features.
Costs and capabilities of computing hardware have changed by a
factor of tens of millions in five decades. It is now possible to buy a
greeting card at the corner store with a small computer that can record
a message and play it back to music: that card has more memory and
computing power than the multimillion dollar machine of 1958. Yet,
despite these incredible transformations, the operating systems, data
bases, languages, and more that we use are still basically the designs
we came up with in the 1960s to make the best use of limited equipment.
We're still suffering from problems known for decades, and systems are
still being built with intrinsic weaknesses.
We failed to make appreciable progress with the software because,
in part, we've been busy trying to advance on every front. It is
simpler to replace the underlying hardware with something faster, thus
getting a visible performance gain. This helps mask the ongoing lack of
quality and progression to really new ideas. As well, the speed with
which the field of computing (development and application) moves is
incredible, and few have the time or inclination to step back and re-
examine first principles. This includes old habits such as the sense of
importance in making code ``small'' even to the point of leaving out
internal consistency checks and error handling. (Y2K was not a one-time
fluke--it was instance of an institutionalized bad habit.)
Another such habit is that of trying to build every system to have
the capability to perform every task. There is a general lack of
awareness that security needs are different for different applications
and environments; instead, people seek uniformity of OS, hardware
architecture, programming languages and beyond, all with maximal
flexibility and capacity. Ostensibly, this uniformity is to reduce
purchase, training, and maintenance costs, but fails to take into
account risks and operational needs. Such attitudes are clearly
nonsensical when applied to almost any other area of technology, so it
is perplexing they are still rampant in IT.
For instance, imagine the government buying a single model of
commercial speedboat and assuming it will be adequate for bass fishing,
auto ferries, arctic icebreakers, Coast Guard rescues, oil tankers, and
deep water naval interdiction--so long as we add on a few after-market
items and enable a few options. Fundamentally, we understand that this
is untenable and that we need to architect a vessel from the keel
upwards to tailor it for specific needs, and to harden it against
specific dangers. Why cannot we see the same is true for computing? Why
do we not understand that the commercial platform used at home to store
Aunt Bea's pie recipes is not equally suitable for weapons control,
health care records management, real-time utility management, storage
of financial transactions, and more? Trying to support everything in
one system results in huge, unwieldy software on incredibly complex
hardware chips, all requiring dozens of external packages to attempt to
shore up the inherent problems introduced by the complexity. Meanwhile,
we require more complex hardware to support all the software, and this
drives complexity, cost and power issues.
The situation is unlikely to improve until we, as a society, start
valuing good security and quality over the lifetime of our IT products.
We need to design systems to enforce behavior within each specific
configuration, not continually tinker with general systems to stop each
new threat. Firewalls, intrusion detection, antivirus, data loss
prevention, and even virtual machine ``must-have'' products are used
because the underlying systems aren't trustworthy--as we keep
discovering with increasing pain. A better approach would be to
determine exactly what we want supported in each environment, build
systems to those more minimal specifications only, and then ensure they
are not used for anything beyond those limitations. By having a
defined, crafted set of applications we want to run, it will be easier
to deny execution to anything we don't want; To use some current
terminology, that's ``whitelisting'' as opposed to ``blacklisting.''
This approach to design is also craftsmanship-using the right tools for
each task at hand, as opposed to treating all problems the same because
all we have is a single tool, no matter how good that tool may be.
After all, you may have the finest quality multitool money can buy,
with dozens of blades and screwdrivers and pliers. You would never
dream of building a house (or a government agency) using that
multitool. Sure, it does many things passably, but it is far from ideal
for expertly doing most complex tasks.
Managers will make the argument that using a single, standard
component means it can be produced, acquired and operated more cheaply
than if there are many different versions. That is often correct
insofar as direct costs are concerned. However, it fails to include
secondary costs such as reducing the costs of total failure and
exposure, and reducing the cost of ``bridge'' and ``add-on'' components
to make items suitable. There is less need to upgrade and patch smaller
and more directed systems far less often than large, all-inclusive
systems because they have less to go wrong and don't change as often.
There is also a defensive benefit to the resulting diversity: attackers
need to work harder to penetrate a given system, because they don't
know what is running. Taken to an extreme, having a single solution
also reduces or eliminates real innovation as there is no incentive for
radical new approaches; with a single platform, the only viable
approach is to make small, incremental changes built to the common
format. This introduces a hidden burden on progress that is well
understood in historical terms--radical new improvements seldom result
from staying with the masses in the mainstream.
Therein lies the challenge, for researchers and policy-makers. The
current cybersecurity landscape is a major battlefield. We are under
constant attack from criminals, vandals, and professional agents of
governments. There is such an urgent, large-scale need to simply bring
current systems up to some minimum level of security that it could soak
up way more resources than we have to throw at the problems. The result
is that there is a huge sense of urgency to find ways to ``fix'' the
current infrastructure. Not only is this where the bulk of the
resources is going, but this flow of resources and attention also fixes
the focus of our research establishment on these issues, When this
happens, there is great pressure to direct research toward the current
environment, and toward projects with tangible results. Program
managers are encouraged to go this way because they want to show they
are good stewards of the public trust by helping solve major problems.
CIOs and CTOs are less willing to try outlandish ideas, and cringe at
even the notion of replacing their current infrastructure, broken as it
may be. So, researchers go where the money is--incremental, ``safe''
research.
We have crippled our research community as a result. There are too
few resources devoted to far-ranging ideas that may not have immediate
results. Even if the program managers encourage vision, review panels
are quick to quash it. The recent history of DARPA is one that has
shifted toward immediate results from industry and away from vision, at
least in computing. NSF, DOE, NIST and other agencies have also
shortened their horizons, despite claims to the contrary.
Recommendations for action (including the recent CSIS Commission report
to the President) continue this by posing the problem as how to secure
the current infrastructure rather than asking how we can build and
maintain a trustable infrastructure to replace what is currently there.
Some of us see how knowledge of the past combined with future
research can help us have more secure systems. The challenge continues
to be convincing enough people that ``cheap'' is not the same as
``best,'' and that we can afford to do better. Let's see some real
innovation in building and deploying new systems, languages, and even
networks. After all, we no longer need to fit in 32K of memory on a $21
million computer. Let's stop optimizing the wrong things, and start
focusing on discovering and building the right solutions to problems
rather than continuing to try to answer the same tired (and wrong)
questions. We need a major sustained effort in research into new
operating systems and architectures, new software engineering methods,
new programming languages and systems, and more, some with a (nearly)
clean-slate starting point. Failures should be encouraged, because they
indicate people are trying risky ideas. Then we need a sustained effort
to transition good ideas into practice.
I'll conclude with a quote that many people attribute to Albert
Einstein, but I have seen multiple citations to its use by John Dryden
in the 1600s in his play The Spanish Friar: ``Insanity: doing the same
thing over and over again expecting different results.''
What we have been doing in cyber security has been insane. It is
past time to do something different.
Education
One of the most effective tools we have in the battle in cyber
security is knowledge. If we can marshal some of our existing knowledge
and convey it to the appropriate parties, we can make meaningful
progress. New knowledge is also necessary, and there too there are
urgent needs for support.
History
In February 1997, I testified before the House Science Committee.
At that time, I observed that nationally, the U.S. was producing
approximately three new Ph.Ds. in cybersecurity \2\ per year. I also
noted that there were only four organized centers of cyber security
education and research in the country, that none of them were very
large, and that all were judged to be somewhat at risk. Indeed, shortly
after that testimony, one of the centers dissolved as institutional
support faded and faculty went elsewhere.
---------------------------------------------------------------------------
\2\ This and related numbers in my report exclude individuals
working primarily in cryptology. Although cryptography is necessary for
good security, there is a difference between those who study the
mathematics of codes and ciphers, and those who study systems and
network security; the two general areas are related much in the way
mathematicians and mechanical engineers are.
---------------------------------------------------------------------------
Although the number of university programs and active faculty in
this area have increased in the last dozen years, the number involved
and the support provided for their efforts still falls far short of the
need. As an estimate, there have been less than 400 new Ph.Ds. produced
in cyber security in the U.S. over the last decade with some nontrivial
percentage leaving the U.S. to work in their countries of origin.
(Approximately 25 percent of those graduates have come from CERIAS at
Purdue.) Of those that remained, less than half have gone back into
academia to be involved in research and education of new students.
In my testimony \3\ in 1997 and in subsequent testimony in 2000, I
provided suggestions for how to increase the supply of both students
and faculty in the field to meet the anticipated demand. Three of my
suggestions were later developed by others into Federal programs: the
Centers of Academic Excellence (CAE), the Scholarship for Service
program, and the Cyber Trust program.
---------------------------------------------------------------------------
\3\ Available online
---------------------------------------------------------------------------
Today, we have about a dozen major research centers around the
country at universities, and perhaps another two dozen secondary
research groups. Many, but not all, of these institutions are certified
as CAEs, as are about 60 other institutions providing only specialized
cyber security education. The CAE program has effectively become a
certification effort for smaller schools offering educational programs
in security-related fields instead of any true recognition of
excellence; there are some highly regarded programs that do not belong
to the CAE program for this reason (Purdue and MIT among them). One
problem with the way the CAE program has evolved is that it does not
provide any resources that designated schools may use to improve their
offerings or facilities.
The Scholarship for Service program, offered through NSF, has been
successful, but in a limited manner. This program provides tuition,
expenses and a stipend to students completing a degree in cyber
security at an approved university. In return, those students must take
a position with the Federal Government for at least 2 years or pay back
the support received. Over the last 7 years, over 1000 students have
been supported under this program at 30 different campuses. The
majority of students in these programs have, indeed, gone on to Federal
service, and many have remained there. That is an encouraging result.
However, the numbers work out to an average of about four students per
campus per year entering Federal service, and anecdotal evidence
indicates that demand is currently five times current production and
growing faster than students are being produced. This program address
needs in other segments of U.S. society.
NSF has been the principal supporter of open university research in
cyber security and privacy through its Cyber Trust program (now called
Trustworthy Computing). That effort has produced a number of good
results and supported many students to completion of degrees, but has
been able to support only a small fraction (perhaps less than 15
percent) of the proposals submitted for consideration. Equally
unfortunate, there has been almost no support available from NSF or
elsewhere in government for the development and sustainment of novel
programs that are not specifically designated as research; as an
example, CERIAS as an important center of education, research and
outreach has never received direct Federal funding to support core
activities, staff, and educational development. If it were not for
periodic gifts from generous and civic-minded industrial partners, the
center would have disappeared years ago--and may yet, given the state
the economy. Other defined centers are similarly precariously funded.
Future
We need significant, sustained efforts in education at every level
to hope to meet the challenges posed by cyber security and privacy
challenges. In the following, I will outline some of the general issues
and needs, with some suggestions where Federal funding might be
helpful. A study by an appropriate organization would be necessary to
determine more precisely what program parameters and funding levels
would be useful. Given the complexity of the issues involved, I can
only outline some general approaches here.
Let me note that many of these activities require both a ramp-up
and sustainment phase. This is especially true for postgraduate
programs. We do not currently have the infrastructure to switch into
``high gear'' right away, nor do we have the students available.
However, once students are engaged, it is disruptive and discouraging
to them and to faculty if resources and support are not provided in a
steady, consistent fashion.
I will start by reiterating my support for the existing Scholarship
for Service program. It needs to include additional funding for more
students, and to allow recipient institutions to pursue curricular
development and enhancement, but is otherwise functioning well.
K-12
Our children are the future. We should ensure that as they are
being taught how to use the technology of tomorrow that they also are
getting a sound background in what to do to be safe when using
computers and networks. We teach children to cover their mouths when
they sneeze, to wash their hands, and to look both ways when they cross
the street--we should also ensure that they know something about
avoiding phishing, computer viruses, and sharing their passwords. Older
students should be made familiar with some of the more complex threats
and issues governing computing especially privacy and legal
implications.
Avenues for teaching this material certainly include the schools.
However, too many of our Nation's schools do not currently offer any
computing curriculum at all. In many schools, all that is taught on
computers is typing, or how to use the WWW to research a paper. Many
states have curricula that treat computing as a vocational skill rather
than as a basic science skill. Without having a deeper knowledge of the
fundamentals of computing it is more difficult to understand the issues
associated with privacy and security in information technology. Thus,
teaching of computing fundamentals at the K-12 level needs to be more
widespread than is currently occurring, and the addition of cyber
security and privacy material nationally should be considered as part
of a more fundamental improvement to K-12 education. Recently the
leaders of the computing community released recommendations on how the
Federal Government's Networking and Information Technology Research and
Development (NITRD) Program could be strengthened to address shortfalls
in computer science education at the K-12 level.\4\
---------------------------------------------------------------------------
\4\ http://www.acm.org/public-policy/NITRD_Comment_final.pdf
---------------------------------------------------------------------------
Consideration should be given to encouraging various adjunct
educational opportunities. Children's TV is one obvious venue for
conveying useful information, as is WWW-based delivery.
Computing has a significant diversity problem. Cyber security and
privacy studies appear, anecdotally, to be very attractive to students
from underrepresented groups, including females. Presenting meaningful
exposure to these topics at the K-12 level might help encourage more
eager, able young people to pursue careers in those or related STEM
fields.
Undergraduate Degrees
Of the thousands of degree-granting institutions throughout the
U.S., perhaps only a few hundred have courses in computer security
basics. These courses are usually offered as an elective rather than as
a part of the core curriculum. As such, basic skill such as how to
write secure, resilient programs and how to protect information privacy
are not included in standard courses but relegated to the elective
course. This needs to change or we will continue to graduate students
who do not understand the basics of the area but who will nonetheless
be producing and operating consumer computing artifacts.
More seriously, we have a significant shortfall of students
entering computing as a major area. Last year was the first year in six
where the enrollment of undergraduates in CS did not decline. The
significance of this concern is not only important from a national
competitiveness stand-point, but it implies that we will have a
significant shortfall of trained U.S. citizens in the coming years to
operate in positions of national responsibility. We are already off-
shoring many critical functions, and without an increase in the U.S.
production of computing majors, this will pose a significant national
security threat.
Graduate Degrees
There is disagreement within the field about the level of education
needed for some positions in the work force. Clearly, there is a range
of positions, some of which may only require an under-graduate degree,
but many that require at least a Master's degree. Some educators
(myself included) believe that a strong undergraduate degree in
computing or software engineering, or in some other field related to
cyber security (e.g., criminal justice), should be obtained followed by
a graduate degree to ensure appropriate depth of knowledge.
There continues to be a need for Ph.D. graduates in cyber security.
Individuals at this level are needed for advanced concept development
in academia, industry and government. Generally, a Ph.D. is also
required for faculty positions and some senior technical supervisory
positions. Given the strong demand in this field and the number of
institutions with need of faculty with experience in security or
privacy topics, there will undoubtedly be a continuing and increasing
demand for graduates at this level.
One of the issues facing researchers in academia is the lack of
access to current commercial equipment. Most funding available to
researchers today does not cover obtaining new equipment. Universities
also do not have sufficient resources to equip laboratories with a
variety of current products and then keep them maintained and current.
As a result, unless faculty are adept at striking deals with vendors
(and few vendors are so inclined) they are unable to work with current
commercial security products. As a result, their research may not
integrate well with fielded equipment, and may even be duplicative of
existing solutions. The situation is in some senses similar to that of
the 1980s when major research institutions were able to seek grants to
get connections to research networking, but has evolved to a point
where almost every college and university has network access. We now
need a program to fund the instantiation of experimental laboratories
for cyber security with a cross-section of commercial products, with an
eventual goal of having these be commonplace for teaching as well as
research.
Some faculty and their students are willing and able to work on
classified problems so long as that work is near enough to their home
institution to make travel reasonable. The best solution is to have a
facility on campus capable of supporting classified research. This is
not common on today's campuses.\5\ It is not inexpensive to build or
retrofit a facility for classified processing, and it is costly to
staff and maintain it. Research grants almost never cover these costs.
A Federal program to identify institutions where such facilities would
be useful, and then build and support them might be helpful.
---------------------------------------------------------------------------
\5\ As an example, I need to travel over 70 miles from Purdue to be
able to find a cleared facility.
---------------------------------------------------------------------------
To produce graduate students requires resources for stipends,
laboratory equipment, and general research support, as well as support
for the faculty advisors. Given university overhead costs, it will
often cost more than $250,000 over a period of years for a graduate
student to complete a Ph.D. That support must be consistent, however,
because interruptions in funding may result in students leaving the
university to enter the work force. Additionally, there needs to be
support for their advisors, usually as summer salary, travel, and other
expenses. Here again, consistency (and availability) are important. If
faculty are constantly worried about where the money will come from for
the coming year, some will choose to leave the field of study or
academia itself.
Other Disciplines
Computing is not the only area where advanced research can and
should occur. As noted earlier, the cyber security ``ecology'' includes
issues in economics, law, ethics, psychology, sociology, policy, and
more. To ensure that we have an appropriate mix of trained individuals,
we should explore including training and support for advanced education
and research in these areas related to cyber security and privacy.
Encouraging scholars in these areas to work more closely with computing
researchers would provide greater synergy.
On possibility that should be explored is to expand the current
Scholarship for Service program in a manner that includes students
taking advanced degrees with a mix of cyber studies and these other
areas; as an example, the program might fund students who have
completed an undergrad in cyber security to obtain a J.D., or a student
with a degree in public policy obtaining an M.S. in cyber privacy. Upon
graduation those individuals would be highly qualified to enter
government service as policy experts, prosecutors, investigators, and
other roles where there is currently an urgent and growing need for
multidisciplinary expertise.
Training
There are many people working in the IT field today who have
security and privacy as one of their job functions. Given the pace of
new tool development, best practices, new threats, and other changes,
it is necessary that these individuals receive periodic training to
stay current with their positions. Many 3rd-party organizations are
currently providing such training (although the expense per student is
significant), but as demand grows it seems unlikely that these efforts
will scale appropriately. It is also the case that not all individuals
who currently need such training either know they need it, or can
afford it.
There should be an effort made, perhaps through DHS and/or the
Department of Education, to provide ongoing training opportunities to
the workforce in a cost-effective and timely manner. This might be by
way of some mechanism that is delivered over the Internet and/or
through community colleges. ``Train the trainer'' opportunities should
be considered as well.
Note that this is not the same as continuing education as it
assumes that the students involved already know how to perform their
jobs. Rather, this is training in new tools and techniques to enable
individuals to stay current in their positions.
Adult Education
The majority of citizens today using personal computers do not know
anything about computer security, yet they are common targets for fraud
and abuse. Phishing, Spam, and botnets are all generally targeted at
home computers. Most people do not know that they need additional
knowledge about security, and those that do are often unsure where to
go to obtain that knowledge.
This is an area where many different techniques could be employed.
Having educational modules and resources available online for citizens
to review at their leisure would seem to be an obvious approach.
Providing incentives and materials for ISPs, community groups, public
libraries, and perhaps state and local governments to offer courses and
information would be another possibility. Public television is yet
another avenue for education of the general population about how to
defend their computing resources.
Coupled with this effort at citizen education might be some program
to provide access and ratings of products that could be obtained and
deployed effectively. Unfortunately, there are many ineffectual
products on the market, and some that are actually malicious in the
guise of being helpful. Providing resources for citizens to get product
details and up-to-date information on what they should be doing could
make a large difference in our national cyber security posture.
Professional Education
We have many people in professional roles who use computers in
their work, but who were not exposed to computing education during
their formal studies. These positions include law enforcement
personnel, judges, doctors, lawyers, managers, C-level executives,
bankers, and more. In these various professions the individuals need
education and training in cyber security and privacy basics as they
relate to their jobs. They also need to be made aware that lack of
security has real consequences, if not for their organizations, then
for the country, and that it should be taken seriously.
Many professional organizations already provide organized training
along these lines; for example, the National White Collar Crime Center
(NW3C) offers courses for law enforcement personnel. Mechanisms need to
be developed to help scale these offerings and motivate more
professionals to take them. Where no such courses are available they
need to be developed in conjunction with experienced and competent
advisors who understand both the material involved and the issues
specific to the professions.
Concluding Remarks
The cyber security problem is real. Informed warnings have been
large ignored for years, and the problems have only gotten worse. There
is no ``silver bullet'' that will solve all our problems, nor are
solutions going to appear quickly.
Any program to address our problems will need to focus on
deficiencies in our regulatory system, in the economic incentives, and
in user psychology issues as well as the technical issues. We need a
sustained, significant research program to address questions of
structure, deployment, and response. We need a significant boost to law
enforcement to act as an effective deterrent. Most of all, we need a
comprehensive and wide-reaching program of education and training to
bring more of the population in line to address the problem than the
small number of experts currently involved.
Thus, there needs to be a significant investment made in both
students and research in cyber security and privacy. The PITAC report
made a conservative recommendation of tripling available research
funding per year in 2005, although the committee privately discussed
that 4-5 times the base could be productively spent. We noted that much
of the money designated as R&D funding is really spent on the ``D''
portion and not on research. In the years since that report, it is
unlikely that the amount has more than doubled, and that is due, in
part, to standard inflationary issues and across-the-board increases
rather than any targeted spending.
A conservative estimate for FY 2010 would similarly be to at least
triple the current allocation for basic research and for university
fellowships, with some nontrivial fractions of that amount dedicated to
each of privacy research, cyber forensics tools and methods for law
enforcement, to cyber security infrastructure, and to multidisciplinary
research. Equal or increasing amounts should be allocated in following
years. An additional annual allocation should be made for community and
professional education. This is almost certainly less than 1 percent of
the amount lost each year in cyber crime and fraud in the U.S. alone,
and would be an investment in our country's future well-being. Again,
it is important to separate out the ``R'' from the ``R&D'' and ensure
that increases are made to the actual long-term research rather than to
short term development.
There must be a diverse ecology of research funding opportunities
supported, with no single agency providing the vast majority of these
funds. Opportunities should exist for a variety of styles of research
to be supported, such as research that is more closely aligned with
specific problems, research that is better coordinated amongst larger
numbers of investigators, research that involves significant numbers of
supporting staff beyond the PI's, and so on. The NITRD Coordination
Office is well-suited to assist with coordination of this effort to
help avoid duplication of effort.
There are many good topics for research expenditures of this order
of magnitude and beyond. As already mentioned, there are numerous
problems with the existing infrastructure that we do not know how to
solve including attribution of attacks, fast forensics, stopping
botnets, preventing spam, and providing supply chain assurance. More
speculative tasks include protecting future architectures including
highly portable computing, developing security and privacy metrics,
creating self-defending data, semi-autonomous system protection,
building high-security embedded computing for real-time controls, and
beyond. The PITAC report listed 10 priority areas, and the National
Academies report lists more. The community has never had a shortage of
good topics for research: it has always been a lack of resources and
personnel that has kept us from pursuing them.
Above all, we must keep in mind two important facts: First,
protection in any realm, including cyber, is a process and not a goal.
It is an effort we must staff and support in a sustainable, ongoing
manner. And second, as with infections or growth of criminal
enterprises, a failure to appropriately capitalize the response now
will simply mean, as it has meant for over two decades, that in the
future the cost will be greater and the solutions will take longer to
make a difference.
References
1. Cyber Security: A Crisis of Prioritization; Report from the
President's Information Technology Advisory Committee; National
Coordination Office, NITRD; 2005.
2. Toward a Safer and More Secure Cyberspace; Seymour E. Goodman
and Herbert S. Lin, Editors; National Academy Press; 2007.
3. Unsecured Economies: Protecting Vital Information; McAfee
Corporation; 2008.
4. Security Cyberspace for the 44th Presidency; Center for
Strategic & International Studies; 2008.
Acknowledgements
I wish to acknowledge comments and assistance provided to me in
preparing this testimony from Becky Bace, Steve Cooper, Dan Geer, Harry
Hochheiser, Lance Hoffman, Carl Landwehr, Ed Lazowska, Victor
Piotrowski, Bobby Schnable, Carlos Solari and Cameron Wilson. Despite
listing their names here, none of those individuals necessarily agrees
with, nor endorses any of my comments or opinions.
The Chairman. Thank you.
Senator Nelson, will you change that? Good. OK.
Extremely good presentations. I apologize, again, for the
lack of attendance. I just use all the other meetings going on,
but I don't know how somebody would manage to not be here.
You've talked, the four of you, about saying that you
produce teachers, and government labs produce people who go
into universities, and the rest of it. On the other hand, I
think you, Dr. Lewis, said that we don't have anybody learning
anything about this. Senator Snowe and I are putting together a
bill which would emphasize, and we would welcome anybody's
cosponsorship, and she's from the Intelligence Committee, and
Senator Nelson is from the Intelligence Committee. You said
people pass through engineering and they just simply never come
across the word ``cyber'' problems. And I'm wondering how you
think this can be changed.
I mean, one, we've got to change the way the private sector
looks at it. That would be my second question. I just put out
the first, but, second, how do we begin to train a body of
people? This ought to be the most fascinating, cerebral,
national-security, I'm-a-good-American problem that exists.
But, it's not attracting people. Why?
Dr. Lewis. A couple of reasons. First, you know, we've had
a larger decline across the board--and I know this Committee is
well aware of it--in science, technical education, engineering,
mathematics. We've underfunded it for years, and now we're
reaping the benefit. I was at a classified briefing, a couple
of months ago, where we were comparing how foreign countries
were doing to the United States. And it used to be we were
ahead. And in the briefing we had a couple of months ago, the
foreign countries had caught up, and somebody said, ``How did
that happen?'' And the answer is, ``Well, if you don't spend
the money for 15 years, they're going to catch up.''
So, what I would say--and I think this fits in with Dr.
Spafford's remarks--the way to get more students is to pay
people, to give them incentives to go into this. It is
fascinating, but we know that students sit down and say, ``How
am I going to make a living?'' And right now we don't have the
demand for it. So, fund people to go in; that would be a great
idea. Think about things like competitions; that would help.
And get industry to pay attention to this so there will be
demand at the receiving end.
The Chairman. Well, then why doesn't that work? It's
manifestly self-evident for big and small companies. I think
AT&T and Verizon and others are pretty familiar with it. It
just cries out for the smartest, most creative people, who can
make a huge difference in the future of their country.
Dr. Lewis. We've been having--I'll just say, quickly--we've
been having a discussion with some of the people working in the
government on this about what we call the ``conversion
experience.'' And it's like that Saul-on-the-road-to-Tarsus
moment, where the light bulb goes over your head. And we're
trying to figure out how many people have realized this is a
major national security problem. And I don't think enough have,
is the short answer.
Dr. Spafford. Sir, I'll add to this. This year, nationwide,
we probably have about 50 or 60 new Ph.D.s in the field, total.
And of those, perhaps 10 to 15 are going to return to their
home countries to start businesses to compete against the U.S.,
because our visa policies won't let them stay. Of the remaining
45, about half will go into industry, possibly to startups, and
the remaining will go into university environments, where they
will be teaching classes and perhaps creating a new generation
of students. But, that means that we have perhaps an annual
increment of 15 to 20 new faculty a year for thousands of
educational institutions across the country, and tens of
thousands of commercial organizations. The numbers are way too
small. And in part it is--as Dr. Lewis noted, we are not
portraying an image that this is an exciting career path, or
one that is--they can make a living at. Instead, we hear about
how jobs are going offshore to other companies--other
countries, how we don't have enough people in the stem
disciplines. For many years, some of our best students went off
to become bankers and lawyers. Maybe not our best students,
considering what happened, but----
[Laughter.]
Dr. Spafford.--nonetheless, those career paths seem to be
much more attractive.
So, there's a--it's a total issue.
The Chairman. Yes.
Dr. Amoroso. Mr. Chairman, I would offer just an--a
personal note. When I was a high school student, it was right
around the time that Arno Penzias and Bob Wilson won the Nobel
Prize for the Big Bang Theory, and Bob Wilson came and gave a
talk to my science club or high school--something like that.
And it was about the most inspiring thing I ever saw, and I
decided I wanted to go to Bell Laboratories. And there were a
group of people in my generation that really wanted to do that.
I think we've skipped a generation since then. I've noted,
in my prepared remarks, that I've been an adjunct professor at
Stevens Institute of Technology for 20 years. My graduate class
right now is about 98 percent foreign national, and we're
teaching cybersecurity to non-Americans.
I think we have a unique opportunity, though. Everyone in
this room, when we were young, you amused yourself, probably,
outside, running around. What do kids amuse themselves with
now? Xbox and computer games and so on. We've got a generation
of youngsters who, I think, are ripe and ready for careers in
this area, and I think legislation should take full advantage
of that and try and attract these youngsters into careers in
the areas that were noted.
The Chairman. Our legislation will.
Senator Udall?
Senator Udall. Thank you, Mr. Chairman.
I think some of you have touched on this a little bit, but
I'd like you to go into more depth for me. Are we confident, in
the United States, that the U.S. infrastructure, whether it's a
power grid or the telephone networks, as you've described, Dr.
Amoroso, with AT&T, our oil and gas infrastructure, our
infrastructure on our airlines, controlling airlines in the
air--are we confident that we can withstand a major cyberattack
to these kinds of networks? And what are the scenarios you see
if we had an attack? What scenarios would follow from there?
Dr. Weiss. Let me answer that question. In fact, if you'd
bear with me, can I just go back to what you were asking
before, and then I'll directly answer?
Senator Udall. [Inaudible.]
Dr. Weiss. I'm kind of, in a sense, a fish out of water,
not being a traditional IT person. I'm a control-system
engineer. One of our big problems is, when you look at the
cybersecurity centers of excellence, they're in the computer
science departments, they are not in the electrical engineering
department, they are not in the chemical engineering
department, they are not in the mechanical engineering
department, they are not in the nuclear engineering department.
So, part of what we have is this very much of a dichotomy
between what people normally associate with a computer and what
we, in industry, use as computers. And I go back to the fact
that they are very different.
I ended up getting a master's, through University of
Washington, on strategic planning for critical infrastructures.
Our textbook on cybersecurity was written by Matt Bishop, from
U.C. Davis, and it was dated 2003. It was a 1,000-page college
textbook. The words ``SCADA'' or ``control system'' were not
mentioned once. We are--it's a different area. It is a very,
very interdependent, functional type of discipline that needs
to be there, and it isn't. So, I just wanted to bring that into
play.
And the other thing, too, is, one of the differences in
industry, if you will, is, this is a huge business issue, as
well as security issue. And part of our problems can be
unintentional cyberincidents. They can have almost the same
impact--shutting down nuclear plants, you know, having pipeline
ruptures. These have already happened. They weren't
intentional, but it still shut down plants, killed people, et
cetera. Part of it is because we don't have adequate training,
we don't have adequate standards. So, I just wanted to go back.
Now, if you'll--if you will, I'll address what you were
asking.
Our systems were initially designed--were originally, and
still, to this day, designed--for performance. Security is an
add-on. Are our systems vulnerable? They're very vulnerable.
The issue, to me, is--and this is another aspect, too--some of
our biggest control-system cyberincidents did not come from the
Internet and did not come from Windows. They were control-
system issues. These control-system issues destroyed equipment,
shut down plants. The Northeast outage lasted 3 days--actually,
1 to 2 days, but I'm saying 3. And the reason is, there was no
damage to equipment. When you damage equipment--I assume you've
seen the tape of Aurora. This is where, by cyber alone, they
destroyed a large diesel generator. Physically destroyed it.
This is what we're talking about. It's destruction of equipment
that takes months--many, many months to procure. And we don't
even make that equipment in the U.S. anymore.
So, when you're asking about international issues, think
about, Where do we get those, and how do we know even what's
going to be replaced, is going to do what we want, and maybe
not have a Trojan embedded? This is a very, very difficult,
complicated issue that I want to get across. It is very real.
And it's not those laptops that you see that we're concerned
about, it's equipment--very expensive, very long-term design-
and-procure equipment.
Dr. Lewis. I take a little different view--I'll just jump
in real quick--because I think--you know, the--one of the
things you've heard is that there's a real risk here, and
there's a real potential for damage. We want to make sure that
doesn't happen. But, we're under attack right now. We're
suffering losses. Sometimes people say we have to worry about
an electronic Pearl Harbor. We probably had our electronic
Pearl Harbor in 2007. And we might have had one in 1998 or
1999. And, as you've heard from all of us, you know, we just
kind of say, ``Oh, well, gee, that's too bad.'' You know? So,
we are, every day, suffering big losses, and I don't know
which--which loss do you want to talk about? Do you want to
talk about breaking into NASA and stealing launcher designs? Do
you want talk about stealth? Do you want to talk--what do you
want to talk about?
So, I worry more about the loss of information, and I think
that's the attack--the beauty of this is, if you fix one, you
sort of address the other. We do have to worry about the
attacks on critical infrastructure, but right now we are
being--I don't know what the right word is--``robbed,'' I
guess; ``robbed'' would be the right word--by foreign entities,
of our most valuable technology, and we have to stop that.
So, I'm not worried about some crisis in the future. I'm
worried about the crisis we're in now.
The Chairman. Senator Nelson?
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Nelson. By the way, Dr. Lewis, we could not even
get the NASA IG to investigate the stealing of those rocket
designs through the Internet at NASA.
Dr. Weiss, you're right, they did that demonstration
project, known as Aurora through digital means to hack into the
power plant's generator and cause it to shut down.
We've got a serious problem in national security. I have
the privilege of serving with the immediate past chairman of
the Intelligence Committee, and we see it there. For example,
Defense Daily has just written that hackers are managing to
invade our military computer systems, though the defenses are
competent to stymie most of the attempts. This is what General
Chilton, the Strategic Command commander, says, ``Every day,
there are attempts to penetrate our network, some of which are
successful, but many, many more are defeated.''
This Senator's office computers have been invaded three
times in the last month, and one of them looks pretty serious,
as if it's talking to a computer in some international arena.
Dr. Amoroso, you mentioned in your statement, about the
Times report today on Conficker. It infected a large number of
computers and turned that into one of the largest botnets.
How should the private sector best deal with this type of
problem, when it's so fast-moving that you get a result and you
get a defense in a matter of days or even hours? Should we go
to the National Institute of Standards and Technology, to set
some sort of baseline cybersecurity standards or set up some
kind of best practices? What should we do?
Dr. Amoroso. I have some thoughts on that. I think there
are two things you need to do.
First off, you need a stopgap, because we can't do research
to solve a problem that could happen in the next hour. Need
something that will deal with the problem immediately. And I
believe the network is the place to do that. So, most of the
international and domestic carriers have these big--you can
think of them as, like, a big sponge that can absorb energy, or
like a big old shock absorber in the network, so when the
Conficker botnet is being aimed at the Department-of-This, or
this or that agency, or some company, we can soak up all that
energy. Now, again, that is a stopgap. That works today. That's
how we stop attacks now. You know, plumbers sitting in the
bowels of our network, basically, with these, you know, big
shock absorbers.
The long-term solution is, we've got to fix computing. I
think Dr. Spafford is right. I mean, we've got a lot of broken
software out there, including the software that's probably
running on your computers. You click an ``I Accept'' button
when you install it, and if you read that language, it
basically says, ``This computer is--you know, this software
doesn't work, you know, and you're accepting all the risk.''
So, I think a lot of our research activity needs to be directed
to fixing the endpoints.
So, stopgap, near term, primarily focused on network;
research, long term, primarily focused on computing. And I
think that's the right approach for our Nation.
Senator Nelson. Well, Mr. Chairman, I'll conclude and just
say that I think, in our subcommittee, as I serve you and the
full Committee, that we want to look at NIST and the NSF, at
new opportunities for them to examine these questions that have
been raised this morning.
Thank you.
The Chairman. Thank you, Senator Nelson.
And, in fact, in Olympia Snowe's and my bill, which I hope
that you'll all cosponsor, we go very aggressively after this
question, and through the National Science Foundation, of
awarding scholarships, just anything we can, to attempt to get
people into the field and get them stimulated. NIST is this
national treasure which nobody here ever goes to visit. You
can't--you can't sort of do NIST from a distance, you've got to
be there, you've got to talk. I remember going, 20 years ago,
and they said they hadn't seen a Senator in 5 years. It was a
bit depressing.
So, my question to you, you've got this question of
penetration testing. I like that phrase. It's the proactive
probing and testing of cyberdefense. The idea behind conducting
penetration testing is to better now where our vulnerabilities
are. There are a lot of companies that probably know this, but
I don't know what kinds of companies are aware of their
vulnerabilities. It's a very basic, naive question. I'm pretty
sure that the majority have absolutely no idea of what they
are. So, question number one, How do you reach out, the
government can't do this advertising like DOD can, saying
they're being hacked into 3 million times a day, and people
just pass over that, how do you reach out to the private
sector, which is going through tough times, but will be going
through far tougher times if they're not alert to this, and get
them aware of it? How do you do it? One, you've got to get
students interested. It's just shocking to hear you say that
they're not. How do you get business to inventory itself? Or,
if you don't, does NIST do it?
Dr. Weiss. Can I respond to a couple of your questions?
One is, there is----
The Chairman. You'll have time, Doctor.
Dr. Weiss. OK. In the electric industry, there are
currently some requirements--they're not near as comprehensive
as they should be, but they do attempt to drive that.
But, I wanted to mention one other thing, because I keep
going back to this. An industrial control system is very
different than an IT system. You had mentioned penetration
testing. Penetration testing is fine for a traditional
business-type IT system or network. If you penetration test a
legacy control system, you will shut it down or kill it. You
will be your own hacker. We've had this happen often, not just
throughout the U.S., but all over the world.
Part of what we need to do is develop--and again, think
about this for the Smart Grid, too--when you start talking
about these legacy devices, these are not your Microsoft
operating systems, these are your legacy devices--this is,
again, what would be designed by a chemical engineer or an
electrical engineer, a mechanical engineer, a nuclear engineer.
We need to have a set of, essentially, testing criteria and
assessment criteria specific to that. And training needs to be
there for that. And I go back to--curricula needs to be there
for that. And I just want to mention this, because too often
we're lumped with everybody else, ``Go do what everybody else
is doing.'' It will shut us down.
The Chairman. Well, the reason I'm asking it is because
sometimes you don't have the time to start a generation of
people on their way. You have to do it. And it's an absolute
priority. A number of years ago when some of this began to be
talked about, I got all of our chemical companies on the Ohio
River to come together, and I said, ``How are you protecting
yourselves? You're on the water. By definition, your
penetration is easy.'' And then I met with them again, a year
or so later, and they had put sidearms on the hip of the people
who were on the other side of the chemical plant who were
letting the workers in.
Now, that was shocking to me. That was shocking to me.
These are very sophisticated chemical companies, and I don't
understand why they're not onto this.
Voice: Mr. Chairman?
The Chairman. Oh, no. Maria, I've got to shut up, because
three votes just started, and Maria's got a much better
question than I did.
Senator Cantwell. I don't know about that, Mr. Chairman,
but I have enjoyed--well, I actually haven't enjoyed the
discussion; I think it's been a very enlightening panel, but it
is pretty disgusting that we've had more people trying to cook
up exotic toxic assets than willing to spend their time killing
bugs on the Internet. So, it is a poor statement about where
people have been lured.
But, Dr. Weiss, back to your point about control systems
and the curriculum. And we're proud that you're a U Dub alum.
What kind of curriculum are you talking about, from the sense
of power system engineering or----
Dr. Weiss. Well----
Senator Cantwell.--control systems? Obviously you know, in
the Northwest, with so many hydroelectric dams, we get the fact
that hacking that system is a----
Dr. Weiss. Yes.
Senator Cantwell.--big problem.
Dr. Weiss. Yes. And it's--by the way, it's all over. I
mean, because everybody has industrial systems. But, I've given
lectures at the University of Illinois. I gave one at
Mississippi State. I've given one--or at the Naval Post-Grad at
National Defense University. The issue that we need----
Senator Cantwell. Are we talking about a 4-year degree in
control systems, or are you talking about a basic computer
science----
Dr. Weiss. No, what I'm really looking at is two things.
One is just, maybe, a semester or a quarter dealing with this,
because, within the chemical engineering department or within
nuclear, you're going to have courses on control-system theory.
You don't have that, if you will, in computer science. Computer
science will have everything pointed toward traditional IT.
Senator Cantwell. So, are you saying that this is an add-on
program to either computer science or----
Dr. Weiss. I see it as a joint----
Senator Cantwell.--power-system engineering or----
Dr. Weiss. I see it as a joint effort, because you can't
divorce the computer science part. This is computers. But, for
our world, you can't--you can't divorce the science from it,
either.
Senator Cantwell. Can we go to NIST and what----
Dr. Weiss. Sure.
Senator Cantwell.--exactly do you think needs to--needs to
happen, as far as security standards at NIST, and how we get
there, given that there's obviously a lot of organizations,
like the IEEE and others, that are involved in standard-
setting, and they can help in creating a framework for
government to get at this sooner.
Dr. Weiss. Let me, if you'll bear with me, explain where
this came from. It was the law of unintended consequences. And
that was FISMA--you know, the Federal Information Security
Management Act--is a Federal law for all Federal agencies, and
NIST developed, you know, the framework, NIST SP 800-53, et
cetera. The law of unintended consequences was, people didn't
realize one of the Federal agencies happened to have been the
Tennessee Valley Authority, with coal-fired power plants and
hydro plants and nuclear plants and dams. The other thing they
didn't realize is that the Bonneville Power Administration is a
Federal agency. And what was happening is, when those agencies
tried to use the existing IT standards, which was what NIST SP
800-53 was, they failed their IT security audits, because they
weren't appropriate. So, what we ended up doing--I was actually
under contract to MITRE, supporting NIST on this--is, we went
back and we looked at--because I am a member of IEEE and ISA
and all of the other organizations--and what we did was to look
at what was missing in those standards that needed to be
included for industrial control systems, and then we extended
NIST SP 800-53 to address that.
And then what we did is something beyond that. We went back
and looked at things like the Bellingham, Washington, gasoline
pipeline rupture, the Browns Ferry Nuclear Plant broadcast
storm, et cetera. And we asked, ``Now that we've done this,
would--if you would have followed the NIST standards, would you
have been able to prevent that?'' So, we looked at this to
basically say, ``Is this going to be usable?''
Senator Cantwell. So, we don't have standards for control
systems in place, or--and we don't have a mechanism for
updating them, either, as new facilities come online or as new
technology is introduced.
Dr. Weiss. Well, these are systems--and, again, I keep--I
hate to keep coming back to the point, they're different--these
systems have lifetimes of 10 to 20 years. These are not 3 to 5
years, like with your traditional IT. So, once you put these
in, you are not going to replace them, no matter what you find,
in terms of vulnerabilities. We have to work around that.
Dr. Lewis. Just quickly, NIST has two big problems. OK?
Problem one, we're still in sort of a compliance culture, you
know, ``Here's your paper plan. Did you live up to your paper
plan? Hey, that's great.'' And we all know, from FISMA, that
you can get a good FISMA grade and still be totally insecure.
So, we have to move out of the compliance mode to something
else, and sometimes people talk about attack-based metrics or
metrics that are based on what's actually happening, and not on
some piece of paper.
The second big problem NIST has is that the offense does
not inform the defense. Now, it does a little, but it doesn't
adequately. So, we know what's going on in the offensive world.
We even have offensive people, ourselves. But, they don't hook
up with NIST and they don't help NIST write their standards.
And so, if you could fix those two things----
Senator Cantwell. And is fixing that having people feel
comfortable in having that dialogue, that issue about----
Dr. Lewis. Yes, they're----
Senator Cantwell.--legal vulnerability? Is that----
Dr. Lewis. Exactly right.
Senator Cantwell.--right.
Dr. Lewis. There are some legal impediments that I think
we'll have to look at, laws that might have made sense in the
1980s, but may not work in the more interconnected world we're
in today.
Senator Cantwell. You know, I think this is a very
important issue, Mr. Chairman, in the sense that, you know, you
get an operating system, people beat on it for months and
months and months and months, and try to break the system
before it's really introduced. But, you're saying, on a system
that meets the basic compliance, doesn't have that kind of
stress test to it, and then doesn't have the advancements and
technology checked up, as well. It sounds like we need a much
more robust system at NIST.
Dr. Lewis. Robust and nimble. And I think Dr. Spafford's
remarks pointed out that the people who are our opponents, they
pay a lot of attention to this, they spend a lot of money, and
they come up with new attack vectors every week, if not every
month.
Senator Cantwell. But, what is that, what's the ``nimble''
part? What would the ``nimble'' part be in a structure like
that?
Dr. Lewis. ``Nimble'' would be paying attention to what's
actually happening now on the networks, paying attention to,
``What are the attacks that are succeeding?'' and adjusting the
standards to make sure that that's what you're protecting
against. This is going to be hard, because, in some ways, the
NIST process is--I love NIST, but it's a--can be a little
stately, at time. And the criminals, the nation-states we're
going against, they evolve very quickly. So, ``nimble'' means
finding a way to make the NIST standards a bit more responsive
to external events.
Dr. Spafford. I would just like to add----
The Chairman. And quickly, because----
Dr. Spafford. Yes, sir--that one of the things----
The Chairman. Like, 1 minute.
Dr. Spafford.--that I really should stress, if we want to
respond is, we need to look to our law enforcement community,
not so much--standards are certainly going to help, but
standards are a minimum, always. What we really need to do is,
we also have to have a deterrent capability for our commercial
marketplace. Many of the things that are going on are basically
criminal, and if we could deter that, increase the risk for
those criminals, it would go a long way toward helping fix the
situation.
Senator Cantwell. And international cooperation on catching
them.
Dr. Spafford. That would definitely be part of it.
Senator Cantwell. Thank you, Mr. Chairman. Thank you for
this important hearing.
The Chairman. Thank you, Senator Cantwell.
And I'll just close it by thanking all of you. Again, I'm
mortified by the lack of attendance, but, you know, such is
life. That's why I had to scream and yell to try to get Maria
back, because she's a real IT expert, Senator Cantwell.
This is going to be the first of a number of hearings on
this subject. We're going to drive it home. We've got to raise
the profile of cybersecurity, we've got to get the President,
after the 60-day review, is it Melissa who's doing that?, to
get the person; and then, behind that there's probably got to
be an advisory board so that it's just pounding in on the
President, who happens to love this kind of subject. You know,
thank heavens for that. I mean, he knows about it, but he needs
to know a lot more about it, and I think he'll be very
proactive. And then, the creativity for the long-term
solutions, and promote public awareness, and protect civil
liberties, which always have to be a part of it, as I remember
from the FISA debate.
But, what you've given us is a very, very excellent first-
hearing set of analysis, and we are the better for it, and we
thank you.
Hearing is adjourned.
[Whereupon, at 11:17 a.m., the hearing was adjourned.]
A P P E N D I X
Response to Written Questions Submitted by Hon. Olympia J. Snowe to
Dr. James A. Lewis
Question 1. The Internet has revolutionized some many different
areas of society and the economy. The innovation, adoption, and sheer
size of the Internet are simply unparalleled. The Internet currently
comprises of more than 1.5 billion users, 570 million computers, and
174 million websites. However, we will eventually enter a new iteration
of the Internet with the migration from IPv4, a 32-bit addressing
space, to IPV6, a 128-bit addressing, which provides 5 x 10 \28\ IP
addresses for every individual on earth (or 6.5 x 10 \23\ addresses for
every square meter of the earth's surface). In addition, Internet
Corporation for Assigned Names and Numbers (ICANN) plans to allow the
expansion of generic top level domains from the current 21 domains to
eventually hundreds if not thousands. Both of these efforts as well as
others present amazing opportunity and potential for the evolution of
the Internet but also present significant challenges with
cybersecurity.
What will this eventual expansion of IP addresses and domains mean
with respect to cybersecurity and threats? With domain name system
techniques such as fast fluxing, pharming, DNS cache poisoning, being
used by botnets, it could present an even greater challenge because
there is even a greater pool of resources available, right?
Answer. We've built an insecure global network. Now we are
expanding to include more people, more devices and more services. We
don't have adequate mechanisms to manage risk, and ``Internet
governance'' is weak. If we continue on the same path, risk will only
increase. ICAO (the International Civil Aviation Organization) which
sets minimum standards for civil aviation, may be a good precedent for
thinking about national will have to cooperate.
Question 2. The first sentence of Cisco's 2008 Annual Security
Report states ``Compared to previous years, online criminals are
becoming even more sophisticated and effective, employing a greater
number of relatively smaller, more targeted campaigns to gain access to
sensitive data.'' Another report by IBM's Internet Security Systems X-
Force Team highlighted that the number of new malicious Websites in the
fourth quarter of 2008 alone surpassed the number seen in the entirety
of 2007 by 50 percent and that new categories of threats affecting
clients are on the rise, specifically in the areas of malicious
documents, multimedia applications, and potentially Java applications
which are easy to host on the Web.
It seems that tackling the issue of cyber threats is a little bit
like ``whack-a-mole,'' in that you discover and fix one vulnerability
but then due to the sophistication and resourcefulness of the
criminals, ten more cyberattacks pop-up. So how can we realistically
deal with this, which seems to be a perpetually increasing problem?
Answer. The best approach is to stop playing whack-a-mole, a
reactive game where you let the enemy set the agenda, to a proactive
approach that starts to reshape the cyber environment. We need a
national policy that blends improved technology, international
engagement, regulation and standards and consumer training. A holistic
approach or a comprehensive approach is the only way to get out of the
``whack-a-mole'' cycle.
Question 3. The IBM report stated that of ``all the [cyber]
vulnerabilities disclosed in 2008, only 47 percent can be corrected
through vendor patches.'' Last April, the New York Times reported
thousands of corporate executives were targets of a phishing attack
that attempted to install malware on the recipients' computers.
Security experts found that less than 40 percent of antivirus programs
were able to identify and stop the attack. Cisco's report mentioned
that criminals are getting access to computers and networks by
exploiting weaknesses in technologies, software, and systems.
Is the software industry really performing the necessary due
diligence to make sure their products are up to par with respect to
security or do security concerns/vulnerabilities take a back seat to
getting the product or next version out in the market? It seems as if,
with all the patches, that the industry does not have the foresight to
proactively fill the holes, correct?
Answer. Some IT companies perform due diligence and some don't. A
coordinated approach that held companies to common standards or to
shared best practices would help reduce many easy avenues for attack.
The Government can help companies cooperate, use its purchasing power
to drive improvement, and consider regulation where necessary. One way
to think about this is the automobile industry--we give Americans some
minimal training, but the real reason the rate of fatal accidents has
decreased is because cars are built more safely. At first, car
companies resisted safety improvements, but after the government
mandated some basic requirements, they now compete to provide safer
cars. We need to start the same dynamic for the Internet.
Question 4. With the countless web applications, add-ons, software,
shareware, how can we imbed a ``best practices'' or set of
cybersecurity standards that better protect users and their computers
from vulnerabilities or cyberattacks? A criminal can target a seemingly
innocuous web browser add-on application to gain access to one's
computer or a network, right?
Answer. The only way to make the cyber environment more secure is
to use a combination of tactics and approaches--better law enforcement,
international cooperation, improved products, and increased consumer
awareness. This is like any other crime--we can never eliminate crime
but we can significantly decrease the rate of crime and the rewards to
criminals.
Question 5. While a notable percent of threats and attacks
originate here domestically, the vast majority come from overseas. The
2007 cyberattacks on DOD, DHS, and Commerce were all initiated by
unknown foreign entities. China is most prolific host of malicious
Websites. Russia, with the Russian Business Network (RBN), is a hot-bed
of activity.
We can certainly do a lot to address the domestic threats as well
as to protect our borders, but what can we specifically do across our
borders to address the source of the attacks?
Answer. We need a comprehensive approach that takes action in the
intelligence, diplomatic and law enforcement spheres. We can shape the
international environment to be more secure if we engage--this will
happen automatically and the ad hoc and erratic approach the U.S. has
taken in the past only guarantees failure. Stronger law enforcement
cooperation, a visible deterrent policy and a diplomatic strategy that
creates norms for international behavior and, perhaps, sanctions for
noncompliance can reduce cross-border threats. The U.S. needs to
integrate cybersecurity into all of its foreign policy engagement and
not treat it as an afterthought.
Question 6. As you may know, Chairman Rockefeller and I created the
E-rate program, which provides discounted telecommunications services
to schools and libraries, as an amendment to the Telecommunications Act
of 1996. The E-rate program has been instrumental in making Internet
access available to schools and libraries--before the program, only 14
percent of schools had Internet access. Today, nearly 100 percent of
America's schools, 94 percent of individual classrooms, and 98 percent
of public libraries are now wired. Internet access and information
technology have truly enhanced the learning environment and process as
well as better prepared our students for entering the digital global
economy. With E-rate, students are learning how to use the Internet as
a research tool, for collaborating on assignments and projects with
individuals in other geographical locations, and downloading homework--
the list goes on.
However, various studies and surveys indicate that students have a
false sense of security when using the Internet--they're often too lax
in their security with usernames/passwords and they more readily
provide personal information online. Are we doing enough for K-12
students in teaching them about cybersecurity? It seems we could do a
lot more to infuse cybersecurity education into school's curriculum, do
you agree?
Answer. To continue the information highway analogy, just as we
make students take driver's ed before they can venture out onto the
roads, we need to think of some kind of reasonable cyber training.
Cyber training should avoid hysteria and I am not recommending that we
``license'' users, but since we as a nation are increasingly dependent
on the use of the Internet, it is time to provide formal training on
safe Internet use for students.
______
Response to Written Questions Submitted by Hon. Olympia J. Snowe to
Dr. Joseph M. Weiss
April 17, 2009
Senator Snowe:
Thank you for the opportunity to respond to your very pertinent
questions. Because of the subject matter's importance, I enlisted a
distinguished group of information technology (IT) security,
telecommunications, and control systems security experts to assist me
in responding to your questions. This group includes Dr. Marshall
Abrams, Mr. Walt Boyes, Mr. Jacob Brodsky, Mr. Eric Cosman, Mr. Philip
Craig Jr., Mr. Lou Hatton, Mr. Marcus Sachs, Dr. Phyllis Schneck, Mr.
Jonathan Stanford, and Mr. Robert Webb. It is our consensus view that a
more effective oversight climate, which includes better standards and
possibly new legislation and regulation, is needed.
The responses are both general in nature and specific to my
personal expertise in the area of cybersecurity for industrial
automation and control systems (IACS). IACS are an integral component
of our critical infrastructure. They are not as well understood and
sometimes not as well-protected as the majority of our cyber assets and
are among our most important assets. IACS are very different from
office or enterprise IT systems, too. The security philosophy that
works for office and enterprise IT systems is to save the servers,
because that's where the data is. On the plant floor, the requirement
is to preserve the real time operating systems and maintain IACS
availability. That is, the fundamental difference between IT and IACS
in addressing security is the best way to protect a security breach in
IT is to STOP the flow of data and protect the servers whereas in IACS
stopping the flow of data could be disastrous to the process and to
safety. You can see how different the response of each sector to a
cyber incident must therefore be.
Security is hard work, often with no obvious short-term reward
(e.g., an immediate impact on the bottom line). Therefore, people in
every sector--public, private, traditional IT, and IACS--often avoid
doing security. Those entrusted to improving security of cyber systems
are often frustrated by their peers and management who do not believe
cybersecurity is necessary or even important. Moreover, they feel
frustration due to the amount of effort required to overcome
organizational politics or other roadblocks so resources for
improvements in technology, processes, and procedures can be brought to
bear.
According to the April 5, 2009 issue of The Washington Post, years
after the Department of Interior had been warned its computer network
was dangerously exposed to hackers--and ordered by a Federal judge to
fix the problems--the vulnerabilities remained. New threats and threat
agents arise continually, such as a recently indicted ex-employee of
Pacific Energy Resources.\1\ After being informed he would not become a
permanent employee, this individual compromised the leak detection
systems of several off-shore oil platforms while being logged in from
his home. With the emphasis on Smart Grid currently, it is important to
note that on April 7, 2009, Michael Assante, Vice President and Chief
Security Officer of the North American Electric Reliability Corporation
(NERC), issued a letter concerning the inadequacy of the electric
industry's approach to identifying critical assets under NERC
cybersecurity standards.
---------------------------------------------------------------------------
\1\ ``Feds: Hacker Disabled Offshore Oil Platforms' Leak-Detection
System'', By David Kravets, March 18, 2009, wired.com, http://
blog.wired.com/27bstroke6/2009/03/feds-hacker-dis.html.
---------------------------------------------------------------------------
We believe there should be an integrated team of IT and IACS
professionals from the public and private sectors working on
cybersecurity, with a dedicated leader who understands the issues and
who preferably will not leave in a year.
In conclusion, there is a need for a more effective oversight
climate, which includes better standards and possibly new legislation
and regulation, is needed.
Please let me know if we can answer any questions or provide
further input to support the proposed legislation.
Respectfully,
Joe Weiss, PE, CISM,
Applied Control Solutions, LLC, Cupertino, CA.
______
Question 1. The Internet has revolutionized many different areas of
society and the economy. The innovation, adoption, and sheer size of
the Internet are simply unparalleled. The Internet currently comprises
of more than 1.5 billion users, 570 million computers, and 174 million
websites. However, we will eventually enter a new iteration of the
Internet with the migration from IPv4, a 32-bit addressing space, to
IPv6, a 128-bit addressing, which provides 5 x 10 \28\ IP addresses for
every individual on earth (or 6.5 x 10 \23\ addresses for every square
meter of the earth's surface). In addition, Internet Corporation for
Assigned Names and Numbers (ICANN) plans to allow the expansion of
generic top level domains from the current 21 domains to eventually
hundreds if not thousands. Both of these efforts as well as others
present amazing opportunity and potential for the evolution of the
Internet but also present significant challenges with cybersecurity.
What will this eventual expansion of IP addresses and domains mean
with respect to cybersecurity and threats? With domain name system
techniques such as fast fluxing, pharming, DNS cache poisoning, being
used by botnets, it could present an even greater challenge because
there is even a greater pool of resources available, right?
Answer. By itself, the expansion of the IP addresses and domains
does not increase or reduce the cyber vulnerabilities. However, an
article titled ``IPv6 Security Challenges'' in the February 2009 issue
of Computer, published by the IEEE Computer Society, raises multiple
security issues associated with IPv6. While current attack
methodologies might not work as well in a new world of virtually
unlimited IP addresses and domain names, new technical problems will
emerge that can be leveraged by criminals, terrorists, and state-
sponsored groups. The real issue is not the size of the address space,
but whether there is a minimum security threshold that must be met.
This is almost impossible to do retroactively, which is why standards
are so important. Rather than taking the approach of connecting first
and then trying to apply security, we have to start thinking in terms
of systems and end-point capability. This can allow applying
traditional IT security principles like defense-in-depth to systems
having little or no defense at the present time. If a device or system
cannot demonstrate a minimum level of security, it should never be
connected to the network. Most importantly, we must realize that the
principles of good security are only partially dependent on good
technology. Users must adopt and use good technology, but equally
important, they must adopt and use good security practices. Any
security hardware or software can be rendered inadequate if users paste
their passwords on post-it notes. Like today's world, it will continue
to be an arms race to find and either exploit or mitigate problems.
There is a quiet but significant risk with all IP addresses--they
need to be treated with augmented privacy--analogous to the social
security number, which until relatively recently wasn't considered as
needing protection. The association of IP addresses to machine name or
function provides a virtual roadmap to the underlying IP communications
systems and connectivity. The case of the Associated Press (AP) v the
State of Arkansas (Dec. 18 2008) marked the beginning of the press and
public both wanting to use the Freedom of Information Act (FOIA) to
obtain association of machine name and function with IP addresses. The
court ruled against the AP in this case, but the AP filed an appeal.
Going forward, this case could pose a threat if reversed. New
addressing gives us a fresh chance to handle IP addresses more
carefully.
The corollary to this question is: ``Will a significant increase in
the number of intelligent devices increase the cyber threat to the
Smart Grid and other industrial applications?'' The answer is that this
will significantly increase the ``threat space.'' Furthermore, many of
these new devices are not designed to be cyber secure. Many legacy
devices in industrial networks that will continue to be deployed for
years were not designed with cybersecurity features. In fact, some of
these devices, new and old, have been exploited already. It should also
be noted that electric transmission, distribution, and power plants
currently use mostly serial communications and will continue to use
some amount of serial communications even with the Smart Grid. The
greater the dependence on network connectivity, the greater the
consequences will be when a network fails, or is deliberately used as
an attack vector that targets specific communications or inter-
connected devices. Consider the August 2003 Northeast blackout, which
was not a cyber initiated event. However, the consequences were
enormous--estimated at over $7 billion. Imagine the consequences of
such a blackout over most of the United States, with major power
shortages lasting many months instead of a few days. You can begin to
appreciate the potential increase in risk of a ``Smart Grid,''
dependent on thousands or millions of intelligent devices, all
carefully managing power generation and usage. To be sure, much of our
infrastructure has been very resilient and fault tolerant because it
was diverse, independent, and not interconnected. The pervasive network
connectivity envisioned in the expansion of the IP address space
provides tremendous opportunities. But it also increases the possibly
and consequences of such failures. Only by assuring significantly
improved security, and an adequate level of independence and diversity
in our critical infrastructure's cyber resources, can we minimize the
possibility of such horrific events, and realize the advantages we
anticipate gaining.
Our experience in the last 5 years has shown that many
organizations will not adopt adequate measures to assure security.
Measurable security outcomes should be mandated by law in any cases
where the infrastructure is critical to the well-being of our citizens.
To be sure, the industry should be allowed to participate in
determining how best to meet those requirements.
The first sentence of Cisco's 2008 Annual Security Report states
``Compared to previous years, online criminals are becoming even more
sophisticated and effective, employing a greater number of relatively
smaller, more targeted campaigns to gain access to sensitive data.''
Another report by IBM's Internet Security Systems X-Force Team
highlighted that the number of new malicious Websites in the fourth
quarter of 2008 alone surpassed the number seen in the entirety of 2007
by 50 percent and that new categories of threats affecting clients are
on the rise, specifically in the areas of malicious documents,
multimedia applications, and potentially Java applications which are
easy to host on the Web.
Question 2. It seems that tackling the issue of cyber threats is a
little bit like ``whack-amole,'' in that you discover and fix a single
vulnerability but then due to the sophistication and resourcefulness of
the criminals, ten more cyberattacks pop-up. So how can we
realistically deal with this, which seems to be a perpetually
increasing problem?
Answer. One has to assume that most, if not all, networks and/or
systems will be attacked and that we must provide a resilient
capability. Resilience comes from the concept of defense-in-depth. It
means that there should be layers of defense such as perimeter defense,
network segmentation, and system isolation to the degree possible so
that if one layer is penetrated others may provide protection.
Technology and procedures must be developed to permit continued
operations even while under attack. In fact, ``attack resiliency''
might become a new theme, replacing ``attack prevention'' as the focus
of security operations.
One of the key challenges with the Internet is that anyone,
anywhere, can send any amount of traffic content to any destination--
and by virtue of the design of the Internet, the payload arrives, even
if it causes a cyber train-wreck in its wake.
Researchers, companies and governments worldwide have produced
incredible science in identification of malicious Internet use (e.g.,
botnets) that disrupts the communications fabric that may be needed for
critical operations. Public-private partnerships transcend national
boundaries to identify and prosecute criminals behind Internet abuse.
However, these efforts cannot respond in real-time, and do not solve
the existing challenge of disabling malicious Internet traffic.
The Internet communications fabric must be made more intelligent to
not route and deliver malicious network traffic. In addition to saving
bandwidth for both emergency and commercial use, this would kill the
profit model for the botnet culture and severely lessen the
effectiveness of distributed denial-of-service (DDoS) attacks.
For IACS, that could even mean developing a dedicated network
independent of the Internet--an ``Industry Net'' designed for the
performance and security needs of industry. Again, one must remember
that even with the move to IP communications, there will continue to be
serial communications that also need to be addressed. Another reason
resilience is important for industrial control systems is that their
operating lifetimes are so long, typically 10 to 20 years or longer.
These are not changed out because of cyber threats and consequently,
restoration is of great concern.
There are many similar challenges in the world today--defense
against physical weapons and against evolving diseases are good
examples. An excuse like ``but it is hard'' is not a reason to give up
or ignore applicable threats. We can and must fight these threats with
a combination of the best intelligence, the best technology, defense-
in-depth, and resilient and reconfigurable systems that can function
without connectivity when isolation may be necessary. All of this must
be integrated and flexible (so that new technologies are not
precluded). Economic incentives or binding legal measures are needed so
that critical components of the infrastructure's connectivity--be they
hardware, software, or people--don't compromise the whole. The weakest
link in the chain is currently an issue for the electric industry,
where the Federal power entities are being held to higher standards
(e.g., the Federal Information Security Management Act and related NIST
standards such as Special Publication 800-53) than the non-Federal
power entities (i.e., the North American Electric Reliability
Corporation [NERC] Critical Infrastructure Protection [CIP]
cybersecurity standards). That is, the non-Federal power entities are
weak links that could cause failure of the Federal power entities, and
that is plain wrong.
The IBM report stated that of ``all the [cyber] vulnerabilities
disclosed in 2008, only 47 percent can be corrected through vendor
patches.'' Last April, the New York Times reported thousands of
corporate executives were targets of a phishing attack that attempted
to install malware on the recipients' computers. Security experts found
that less than 40 percent of antivirus programs were able to identify
and stop the attack. Cisco's report mentioned that criminals are
getting access to computers and networks by exploiting weaknesses in
technologies, software, and systems.
Question 3. Is the software industry really performing the
necessary due diligence to make sure their products are up to par with
respect to security or do security concerns/vulnerabilities take a back
seat to getting the product or next version out in the market? It seems
as if, with all the patches, that the industry does not have the
foresight to proactively fill the holes, correct?
Answer. In short, no, the industry does have the foresight to
proactively fill the holes. However, a combination of factors precludes
it from effectively doing so.
Good Security is a TEAM effort, and the software industry is only a
part of the team. Good security is combination of good software design,
good system hardware and software architecture, the successful
application of good policies and procedures to protect systems, and
many other factors. Much of the software industry is very serious about
proactively improving software security; it has spent millions to do
so. But unless the user demands and adopts the upgrades, it can have
little effect. In the case of IACS, the user is often precluded from
adopting such upgrades, because they will destroy the basic
functionality of the system we are trying to protect. In those cases,
the user must find alternative means to protect that system and its
vulnerable software. Regulation that requires the user to take measures
to protect vulnerable software will help to drive toward better
results.
Competition and the marketplace is currently a significant factor;
you are correct--the drive to get products out limits the amount of
improvement (if any) that occurs with each new version. Requirements to
protect key systems and to develop more secure software can both help
the vendors overcome some of the impediments to better software and
systems.
The lack of comprehensive standards--vendors are reluctant to
invest sufficient funds on security, because their work may be eclipsed
by regulation or standards or another vendor's defacto standard--so
they wait. Users are reluctant to improve security because they don't
believe they will be able to recover their investment, especially if a
different (than their approach) standard or law is adopted after they
spend significant funding--so they wait. All of this is exacerbated by
a lack of well-accepted evidence that we are facing a real problem. So
while there have been significant improvements, they have not been fast
enough or far reaching enough to preclude a major event within our
critical infrastructure. Carefully developed requirements that demand
action can help to break the waiting game, and get the involved
stakeholders working together to achieve more meaningful results
sooner.
There is no ``simple'' silver bullet solution that can be ``plugged
into'' each important system to protect it. Each system or application
typically requires an engineered solution. Each system is different,
and because of the limitations on the ability of legacy equipment to
use new or upgraded software, alternative solutions must often be
developed. Solutions can be developed, and there is specialty software
and equipment designed to protect inherently weak or vulnerable
systems. But it must be evaluated and configured for the system in
which it is applied.
Unfortunately, patching security holes will be with us for the
foreseeable future, particularly for commercial-off-the-shelf (COTS)
software, including operating system software. Software that
incorporates cybersecurity best practices will certainly help. However,
there is a large body of older legacy software in production use that
is vulnerable to malicious code. A recent report regarding several
hundred security breaches spanning several years found that the vast
majority of successful data breaches were attributed to systems not
being managed in accordance with best security practices. A lack of
patching does not cause breaches; the core issue is a lack of
management engagement and an ignorance of well-known security
practices.
In general purpose IT systems, automated patching can be a solution
to address ``buggy'' software. IACS incorporating general purpose
operating systems are often modified by the IACS supplier.
Consequently, automated patching can cause problems not typically
encountered in general purpose systems. IACS typically have minimal
computing resources. Applying traditional security approaches, such as
Anti-virus software, can be too resource-intensive. This might result
in unintended IACS shutdowns. Consequently, more work is needed to
identify appropriate security practices for IACS. Until IACS security
matures, vulnerable components must be isolated from attack vectors
that would not usually apply in a general computing system environment.
Many IACS cyber vulnerabilities stem from issues besides ``buggy''
software. The infamous ``Aurora'' demonstration by the Idaho National
Laboratory used dial-up modems to physically destroy hardware, in this
case, a diesel generator. Inadequate security testing can miss cyber
vulnerabilities and inadequate security planning can be the cause of
cyber incidents. The interactions of various types of software can
cause unanticipated cyber problems. As examples, interactions between
normally-functioning software caused a fossil Tower plant to overstress
a turbine,\2\ and a nuclear power plant to automatically shutdown.\3\
In both instances, no IT security policies were violated, but it is
clear that such policies should have addressed the scenarios leading to
the events. There is a critical need for effective IACS security
policies and robust security testing procedures that address the unique
characteristics of these types of systems and their operating
environments.
---------------------------------------------------------------------------
\2\ ``Runkle and Labbe--``Optimizing Turbine Life Cycle Usage and
Maximizing Ramp Rate,'' 16th Annual Joint ISA POWID/EPRI Controls and
Instrumentation Conference, 49th Annual ISA Power Industry (POWID)
Conference, Volume 49/ISA Volume 466, 4-9 June 2006, San Jose,
California.
\3\ Operating Experience Report OE26424--Isolation of Condensate
Demineralizer System and Subsequent Plant Trip While Testing Software
Change (Hatch), 3-11-08.
Question 4. With the countless web applications, add-ons, software,
shareware, how can we imbed a ``best practices'' or set of
cybersecurity standards that better protect users and their computers
from vulnerabilities or cyberattacks? A criminal can target a seemingly
innocuous web browser add-on application to gain access to one's
computer or a network, right?
Answer. You are correct in that a criminal can target a seemingly
innocuous web browser add-on application to gain access to one's
computer or a network. Consequently, multiple organizations are
attempting to establish cybersecurity standards and guidelines. Good
standards that are kept up to date are very important. However
standards are only one component in achieving adequate cybersecurity.
The complete picture includes robust and meaningful standards;
effective implementation of the standards; improvements in software and
equipment security; developing new types of secure equipment; and an
effective information sharing process for addressing new attack vectors
and threats commensurate with the risks they present.
Harmonization to a single set of standards and guidelines would
help. However, user awareness is often lacking, and existing standards
and guidelines aren't always followed. As an example, a security
consultant left compromised thumb drives in a parking lot to
demonstrate via social engineering that people would pick up the drives
and insert them into their corporate workstations even though such
actions were against their company's IT policies. Sadly, they did as
expected! Senior management must create a culture of security among
employees, while addressing cultural barriers between IT and other
organizations. To secure a modern IACS, there must be a coordinated
effort between IT security, networking and telecom organizations, and
the control systems personnel. Management must provide an adequate
governance structure that includes appropriate oversight and adequate
resources for ensuring security. Unfortunately, such a coordinated
approach to security is not the norm.
IACS security must be approached from an engineering perspective,
founded on the goal of improving system safety, performance,
reliability, and availability in the face of cyber-related threats. The
fundamental objective is to protect the integrity of the process, and
security is an element of that. The IACS community should develop an
adequate risk assessment methodology, an acceptable vulnerability
assessment methodology, and measures of acceptable levels of security
that are based on the goals of system safety, performance reliability,
and availability.
To be sure, there currently is a lack of information sharing
regarding IACS cybersecurity events. For IACS, the U.S. Computer
Emergency Response Team (CERT) and industry Information Sharing and
Analysis Centers (ISACs) do not work well. It is unlikely that the
proposed DHS ICS-CERT will either. Government should fund, collaborate
with, but NOT manage, a Cyber Incident Response Team (CIRT) for Control
Systems. This can overcome private industry's concerns about
confidential information being made public. It could ensure that vetted
experts will be available as a resource for incident handling and
mitigation, and that private industry will not be punished for
disclosing cyber incidents. An example is MITRE's Aviation Safety
Information Analysis and Sharing (ASIAS) System used by the Federal
Aviation Administration (FAA) to promote open exchange of safety
information. I have information related to more than 125 IACS cyber
incidents. One of the major conclusions of the 9/11 Commission was the
lack of ``connecting the dots'' regarding terrorism threats. Similarly,
there has been no attempt to ``connect the dots'' with IACS cyber
incidents. Such an effort could pay multiple dividends in helping to
develop more appropriate policies and architectures, better procurement
guidelines, and more buy-in of the real problems that exist.
While a notable percent of threats and attacks originate here
domestically, the vast majority come from overseas. The 2007
cyberattacks on DOD, DHS, and Commerce were all initiated by unknown
foreign entities. China is most prolific host of malicious websites.
Russia, with the Russian Business Network (RBN), is a hot-bed of
activity.
Question 5. We can certainly do a lot to address the domestic
threats as well as to protect our borders, but what can we specifically
do across our borders to address the source of the attacks?
Answer. It is doubtful we can separate the domestic and
international threats. Just as the Internet is global, computer
suppliers are also global. For example, Dell and Hewlett Packard are
domestic brands, but are manufactured all over the world. Toshiba is a
Japanese company that supplies North America, while the former IBM
laptop product line was purchased by a Chinese company--Lenovo.
Domestic suppliers obtain components and software from international
sub-suppliers. Supply chains provide another opportunity for malicious
activity. The same applies to IACS environments, where there is a mix
of domestic suppliers like General Electric, Emerson, and Honeywell,
and international suppliers like Siemens from Germany, Areva from
France, and ABB from Switzerland. At least one major American IACS
supplier has a SCADA software development center in China.
There are a number of steps we can take to improve security,
especially where critical infrastructure is involved. We can filter and
limit communications, and provide network segmentation and isolation of
our more important systems. We can monitor communications to identify
traffic patterns and share information on unexpected and problematic
network activities.
Properly identifying the sources of attacks or exploits assumes
that adequate forensic capabilities exist. In several recent cyber
incidents, even the newest control systems did not have logging
capability adequate to identify the causal factors of the incidents.
Current IT forensic approaches may actually harm IACS or inhibit
critical restart capabilities. Consequently, there is a critical need
to develop an appropriate IACS forensics methodology and related set of
protocols.
As you may know, Chairman Rockefeller and I created the E-rate
program, which provides discounted telecommunications services to
schools and libraries, as an amendment to the Telecommunications Act of
1996. The E-rate program has been instrumental in making Internet
access available to schools and libraries--before the program, only 14
percent of schools had Internet access. Today, nearly 100 percent of
America's schools, 94 percent of individual classrooms, and 98 percent
of public libraries are now wired. Internet access and information
technology have truly enhanced the learning environment and process as
well as better prepared our students for entering the digital global
economy. With E-rate, students are learning how to use the Internet as
a research tool, for collaborating on assignments and projects with
individuals in other geographical locations, and downloading homework--
the list goes on.
Question 6. However, various studies and surveys indicate that
students have a false sense of security when using the Internet--
they're often too lax in their security with usernames/passwords and
they more readily provide personal information online. Are we doing
enough for K-12 students in teaching them about cybersecurity? It seems
we could do a lot more to infuse cybersecurity education into school's
curriculum, do you agree?
Answer. Yes, I agree we need to infuse more cybersecurity into the
K-12 education process. Computer access is becoming ubiquitous and
social networking sites are breaking down previous privacy barriers.
There should be a better awareness among K-12 students regarding
security and the need to take security seriously. This is especially
important given the high level of social activity prevalent amongst
youth, who are early adopters of potentially risky online technology.
Our young should be educated that security risks exist when visiting
websites, downloading files from untrusted sites, chat and instant
messaging, and file sharing. They also need to understand cyber threats
are more than just a threat to computers, but can also lead to personal
threats like cyber bullying and cyber stalkers. Cybersecurity awareness
education should be integrated into curricula in the same way that
``looking both ways before crossing the street'' has been.
There is also a need to reach out to young people attending college
and within the work force. Almost all new technologies have digital
communication capability, which means there are often cyber
vulnerabilities. Cybersecurity is interdisciplinary in nature, and
should be taught as such. Currently, IT security certifications and
audit metrics exist for the information security community. However,
there are no certifications for IACS security or audit metrics unique
adapted for IACS. We need to ``train the trainers'' regarding IACS
security and develop the appropriate curricula. This is a pressing need
when it is seen that there are at best a few hundred people in the
entire world who are security subject matter experts specifically
relating to IACS.
______
Response to Written Questions Submitted by Hon. Olympia J. Snowe to
Dr. Edward G. Amoroso
Question 1. The Internet has revolutionized some many different
areas of society and the economy. The innovation, adoption, and sheer
size of the Internet are simply unparalleled. The Internet currently
comprises of more than 1.5 billion users, 570 million computers, and
174 million websites. However, we will eventually enter a new iteration
of the Internet with the migration from IPv4, a 32-bit addressing
space, to IPv6, a 128-bit addressing, which provides 5 x 10 \28\ IP
addresses for every individual on earth (or 6.5 x 10 \23\ addresses for
every square meter of the earth's surface). In addition, Internet
Corporation for Assigned Names and Numbers (ICANN) plans to allow the
expansion of generic top level domains from the current 21 domains to
eventually hundreds if not thousands. Both of these efforts as well as
others present amazing opportunity and potential for the evolution of
the Internet but also present significant challenges with cyber
security.
What will this eventual expansion of IP addresses and domains mean
with respect to cyber security and threats? With domain name system
techniques such as fast fluxing, pharming, DNS cache poisoning, being
used by botnets, it could present an even greater challenge because
there is even a greater pool of resources available, right?
Answer. You highlight two important changes in the Internet
ecosystem. From a security perspective, the key issue is that
``change'' always creates opportunities for vulnerabilities to be
exploited. The industry's transformation to IPv6 is an example of a
particularly significant change, and, consequently, a significant
opportunity for exploitation, particularly in light of the
proliferation of new and increasingly sophisticated threats. AT&T and
other network service providers continuously evaluate IPv6 deployment,
and all service providers have the potential to play a greater role in
addressing such vulnerabilities by building robust, smart-network
system capabilities. Government policy should support such private
sector efforts.
With respect to domain name expansion, AT&T has filed comments with
ICANN demonstrating that new generic top level domain names should not
be introduced until a whole range of Internet ecosystem issues,
including Internet security and stability, are adequately studied and
understood.
Question 2. The first sentence of Cisco's 2008 Annual Security
Report states ``Compared to previous years, online criminals are
becoming even more sophisticated and effective, employing a greater
number of relatively smaller, more targeted campaigns to gain access to
sensitive data.'' Another report by IBM's Internet Security Systems X-
Force Team highlighted that the number of new malicious Websites in the
fourth quarter of 2008 alone surpassed the number seen in the entirety
of 2007 by 50 percent and that new categories of threats affecting
clients are on the rise, specifically in the areas of malicious
documents, multimedia applications, and potentially Java applications
which are easy to host on the Web.
It seems that tackling the issue of cyber threats is a little bit
like ``whack-a-mole,'' in that you discover and fix one vulnerability
but then due to the sophistication and resourcefulness of the
criminals, ten more cyberattacks pop-up. So how can we realistically
deal with this, which seems to be a perpetually increasing problem?
Answer. Your analogy is apt, and we must not allow the game to get
out of control. The most realistic way to deal with threats of this
nature is to take a holistic approach, assuring that throughout the
ecosystem, we have developed sophisticated and flexible cyber security
capabilities. To this end, government policies should encourage private
sector investments in innovative security capabilities. As a network
provider, cyber security is an AT&T priority; we seek to assure that
the information, applications, and services our customers want are
secure, accurate, reliable, and available wherever and whenever they
are desired through the provisioning of a highly-intelligent network
capable of identifying and mitigating cyberattacks. Our intelligent
network capabilities are an important component of a proactive approach
to cybersecurity which includes prevention and rapid mitigation of
threats as they emerge.
Question 3. The IBM report stated that of ``all the [cyber]
vulnerabilities disclosed in 2008, only 47 percent can be corrected
through vendor patches.'' Last April, the New York Times reported
thousands of corporate executives were targets of a phishing attack
that attempted to install malware on the recipients' computers.
Security experts found that less than 40 percent of antivirus programs
were able to identify and stop the attack. Cisco's report mentioned
that criminals are getting access to computers and networks by
exploiting weaknesses in technologies, software, and systems.
Is the software industry really performing the necessary due
diligence to make sure their products are up to par with respect to
security or do security concerns/vulnerabilities take a back seat to
getting the product or next version out in the market? It seems as if,
with all the patches, that the industry does not have the foresight to
proactively fill the holes, correct?
Answer. Cyber security should be viewed as an ecosystem and not be
viewed as the exclusive domain of either software application providers
or network providers. Effective cyber security solutions will rely upon
smart networks working hand in hand with software based solutions. As
noted above, the government should seek to encourage private sector
investment in both innovative network security and edge application
security technologies. From my perspective, both application and
network providers are committed to addressing these challenges, but
vulnerabilities remain and need to be addressed, particularly through
the increasing availability of application software that allows end-
users within an enterprise to ``turn off'' unneeded features.
Question 4. With the countless web applications, add-ons, software,
shareware, how can we imbed a ``best practices'' or set of cyber
security standards that better protect users and their computers from
vulnerabilities or cyberattacks? A criminal can target a seemingly
innocuous web browser add-on application to gain access to one's
computer or a network, right?
Answer. You have identified a significant and difficult challenge
because, as you note, criminal can target an add-on application to gain
control. I believe that the key to embedding best practices is in
virtualization and greater centralization of cyber security
capabilities. This represents the best opportunity to respond to real-
time attacks and remove bad decisionmaking from end-users. In this
respect, network service providers can help address these issues by
offering comprehensive network based managed security services across
their customer base. AT&T is investing heavily in making our core
network the first line of defense in cyber security for our entire
customer base. We see it as our responsibility to educate our customers
about the need for professionally-managed cyber security in order to
protect them from exploitation.
From a software perspective, dealing with complexity is a
significant challenge, so complexity must be reduced so that secure
software can be more easily written to include operating system design
techniques, such as the inclusion of a policy enforcement kernel, to
guard against a range of attacks.
Question 5. While a notable percent of threats and attacks
originate here domestically, the vast majority come from overseas. The
2007 cyberattacks on DoD, DHS, and Commerce were all initiated by
unknown foreign entities. We can certainly do a lot to address the
domestic threats as well as to protect our borders, but what can we
specifically do across our borders to address the source of the
attacks?
Answer. A cooperative and coordinated response by governments and
the private sector is necessary in order to contain cyber threats.
These threats are possible only because of the inherently anonymous
nature of the global digital infrastructure as it has evolved, and
because illicit behaviors may find a safe haven, for a variety of
reasons, in places throughout the world. For this reason, a
constructive trans-national public and private sector dialogue on cyber
security must ensue, so that globally coordinated, cooperative
solutions can emerge. This dialogue can build on the cooperation and
discussions that are already taking place with strong private sector
involvement in order to respond to global cyber threats.
Question 6. As you may know, Chairman Rockefeller and I created the
E-rate program, which provides discounted telecommunications services
to schools and libraries, as an amendment to the Telecommunications Act
of 1996. The E-rate program has been instrumental in making Internet
access available to schools and libraries--before the program, only 14
percent of schools had Internet access. Today, nearly 100 percent of
America's schools, 94 percent of individual classrooms, and 98 percent
of public libraries are now wired. Internet access and information
technology have truly enhanced the learning environment and process as
well as better prepared our students for entering the digital global
economy. With E-rate, students are learning how to use the Internet as
a research tool, for collaborating on assignments and projects with
individuals in other geographical locations, and downloading homework--
the list goes on.
However, various studies and surveys indicate that students have a
false sense of security when using the Internet--they're often too lax
in their security with usernames/passwords and they more readily
provide personal information online. Are we doing enough for K-12
students in teaching them about cyber security? It seems we could do a
lot more to infuse cyber security education into school's curriculum,
do you agree?
Answer. Yes. With the widespread use of computers at the earliest
ages today, it makes sense to start educating our children about
digital literacy--both ``online safety'' as well as ``cybersecurity
awareness.'' Online safety means focusing on children's use of the
Internet in a way that protects their privacy, security and wellbeing,
and respect for others. Cybersecurity education is also essential and
involves teaching kids about the basics of cybersecurity and importance
of understanding the harm that viruses and other threats post to them
personally and to society at large.
AT&T, we are teaching children to be alert and aware online and
providing services that help them create a safer online experience. For
example, AT&T's parental controls allow parents, at no cost, to control
the content to which their children may obtain access to the Internet.
In the context of the AT&T Hometown Tours program, we have visited more
than 100 communities nationwide and taught children key Internet safety
skills, such as protecting computers against viruses, hackers and spam,
as well as reviewing age-appropriate content, and the potential dangers
associated with social networking. We also have implemented an online
safety program with our partner iKeepSafe, and the DARE officers,
reaching children in grades K-5 in thousands of communities across the
country.
These online safety initiatives help keep families aware of the
threats around them, but they supplement, and are not a substitute for,
holistic network-based and software-based cyber security practices.
______
Response to Written Questions Submitted by Hon. Olympia J. Snowe to
Dr. Eugene H. Spafford
Question 1. What will this eventual expansion of IP addresses and
domains mean with respect to cyber security and threats? With domain
name system techniques such as fast fluxing, pharming, DNS cache
poisoning, being used by botnets, it could present an even greater
challenge because there is even a greater pool of resources available,
right?
Answer. I have spoken with several of my colleagues about this
question, and the best answer we can provide is ``We do not know for
certain.'' The vast majority of our problems are traceable to two major
shortcomings: poor security of host endpoints, and a significant
problem in traceback and attribution of misbehavior. Neither of these
problems is likely to see any change resulting from more domains or a
switch to IPv6.
If we have more addresses with a switch to IPv6 (the only likely
way to expand addresses) we will have a situation where it is more
difficult--and highly impractical--for attackers to scan networks to
find unadvertised but vulnerable hosts. However, it will also be more
difficult for defenders to scan networks to look for unauthorized
connections.
The biggest issue with IPv6 is that very little of the current
security infrastructure (firewalls, intrusion detection, etc) is
designed to work with IPv6. Thus, a switch won't result in any
significant benefits directly, but could introduce new problems if the
infrastructure isn't upgraded simultaneously.
Having new domains and a larger IP space will both make it more
difficult to ``blacklist'' addresses in a reliable manner. The expanded
IP and namespace could make it easier for bad actors to hide or
relocate their operations, but current resources seem sufficient to
hide most of their activities, so it is difficult to say if a switch
would result in any significant change.
Question 2. It seems that tackling the issue of cyber threats is a
little bit like ``whack-a-mole,'' in that you discover and fix one
vulnerability but then due to the sophistication and resourcefulness of
the criminals, ten more cyberattacks pop-up. So how can we
realistically deal with this, which seems to be a perpetually
increasing problem?
Answer. I addressed this, in part, in my written testimony. The
solution is to pay more attention to the development of the systems
that are deployed. In large part, this means that we need to spend more
on development of hardened, minimal, systems. We must recognize that we
need to invest in development of systems that are better suited to use
in high-risk environments, rather than general-purpose systems designed
without strong practices.
We also need to invest in law enforcement and follow-up, to
increase the risk for people who abuse systems. This works in other
arenas, but is largely missing in cyber.
A key issue is one of economics and false value. Right now, most
users of computing technology (the Federal Government included), buy
and deploy systems without really valuing the potential losses if the
systems are compromised. As a result, the systems are purchased,
configured, and operated as cheaply as possible, without due
consideration given to the risk potential. (Analogy: constructing
military facilities out of cardboard because it is cheap, without
thinking about the potential risks and needs over the longer term.)
We can do better, but it requires both discipline and funding.
Question 3. Is the software industry really performing the
necessary due diligence to make sure their products are up to par with
respect to security or do security concerns/vulnerabilities take a back
seat to getting the product or next version out in the market? It seems
as if, with all the patches, that the industry does not have the
foresight to proactively fill the holes, correct?
Answer. Industry could do better, but the incentives aren't there.
To perform more tests or develop better tools would not only take time,
but cost money. Right now, there is no real business reason for
companies to expend extra resources to harden systems because there is
little evidence that customers are willing to pay the extra cost.
Customers large and small continue to buy systems that have been shown
to have a poor record of safety, and make choices based on purchase
price rather than on added security features.
This is related to my answer to Question 2--we need to create an
environment where it is possible to have multiple systems tailored for
specific applications rather than trying to adapt the same general-
purpose systems that are used in people's homes for use in business and
government. With a variety of systems, those that require more testing
and security features could have the extra cost included--although
other factors would need to be brought to bear to ensure that the more
secure systems were purchased and deployed in environments where needed
rather than the less-expensive (and less well-designed) systems. This
goes to creating an environment where management is held responsible
for failures, and there are recognized standards and metrics for good
security.
Question 4. With the countless web applications, add-ons, software,
shareware, how can we imbed a ``best practices'' or set of cyber
security standards that better protect users and their computers from
vulnerabilities or cyberattacks? A criminal can target a seemingly
innocuous web browser add-on application to gain access to one's
computer or a network, right?
There are some technical approaches currently under development
that could help with these issues. However, as noted above, unless the
extra cost is minimal or otherwise amortized, they may not widely
adopted.
As suggested by your answer, some better standards would definitely
help. So would better enforcement of existing laws and rules. However,
I am skeptical that any new regulations would be especially helpful
until current laws and regulations are enforced on a more regular and
consistent basis.
Question 5. We can certainly do a lot to address the domestic
threats as well as to protect our borders, but what can we specifically
do across our borders to address the source of the attacks?
Answer. The answer to this comes in parts.
First, there are criminal activities originating in friendly or
neutral countries. We can do more by ensuring that we have reciprocal
cyber crime treaties in place. The law enforcement officials in those
countries must have the training and resources to assist in
investigation of offenses.
Second, there are criminal activities originating in unfriendly
countries. In these cases, we have not obtained significant assistance
in law enforcement investigations. In some cases, the activities are
sanctioned or even supported by those governments. Where there is
little cooperation, other leverage is necessary such as financial or
political sanctions. Techniques currently used to address international
criminal activities involving drugs, counterfeiting, and other criminal
activity with these countries could also be employed in cyber, although
I am uncertain if enabling legislation would be required.
In both cases we need to raise the priority of enforcement and
provide the necessary resources to match that prioritization.
Question 6. However, various studies and surveys indicate that
students have a false sense of security when using the Internet--
they're often too lax in their security with usernames/passwords and
they more readily provide personal information online. Are we doing
enough for K-12 students in teaching them about cyber security? It
seems we could do a lot more to infuse cyber security education into
school's curriculum, do you agree?
Answer. Yes, I agree. I will note that we also don't do a very good
job of teaching basic computer science in K-12.
We used to have an effective and far-reaching program through my
center (CERIAS) for K-12 education but were forced to discontinue it
because there were no sources of support. We also had to discontinue
our community education programs for the same reason.
�