THE PERMANENT SUBCOMMITTEE ON INVESTIGATIONS,
U.S. SENATE COMMITTEE ON
Wednesday, June 5, 1996
Mr. Chairman and Members of the Subcommittee,
The "1996 CSI/FBI Computer Crime and Security Survey" was conducted by CSI and composed of questions submitted by the Federal Bureau of Investigation (FBI) International Computer Crime Squad's San Francisco office. Both CSI and the FBI hope that the results of this survey will be used to better understand the threat of computer crime and provide law enforcement with some basic information that can be used to address this problem more effectively.
CSI, established in 1974, is a San Francisco-based association of information security professionals. It has thousands of members worldwide and provides a wide variety of information and education programs to assist practitioners in protecting the information assets of corporations and governmental organizations.
The FBI, in response to an expanding number of instances in which criminals have targeted major components of information and economic infrastructure systems, has established International Computer Crime Squads in selected offices throughout the United States. The mission of these squads is to investigate violations of the Computer Fraud and Abuse Act of 1986, including intrusions into public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes where the computer is a major factor in committing the criminal offense.
There is a serious problem.
The "1996 CSI/FBI Computer Crime and Security Survey" offers some evidence.
For example, 42% of respondents acknowledged that they had experienced unauthorized use of computer systems within the last 12 months. And we're not talking about users playing solitaire on company time: respondents reported a diverse array of attacks, from brute force password guessing (13.9% of attacks) and scanning (15% of attacks) to denial of service (16.2% of attacks) and data diddling (15.5% of attacks).
The figures concerning data diddling in financial institutions (21% of attacks) and medical institutions (36.8% of attacks) were higher than both the averages for other specific industry segments and the overall average. This data is disturbing. Private medical records, financial transactions and credit histories are at risk.
Respondents reported that their networks were being probed with frequency from several access points. Over 50% reported incidents on their internal networks, and almost 40% reported frequent incidents through both remote dial-in and Internet connections. These results tear at the "conventional wisdom" that 80% of the information security problem is due to insiders (i.e., disgruntled or dishonest employees, contractors, etc.).
Over 50% of respondents said that the information sought in probes would be of use to U.S.-owned corporate competitors. Over 50% also said that they considered U.S.-owned corporate competitors likely sources for eavesdropping, system penetration and other forms of attack. Foreign competitors and foreign government intelligence services also drew double-digit numbers as likely sources of attack. These results indicate that another bit of "conventional wisdom" (i.e., that "hackers" from the electronic underground and disgruntled or dishonest employees are the biggest problems) may be ill-founded.
Other studies corroborate CSI's findings in different ways.
According to "Trends in Intellectual Property Loss," a study from the American Society for Industrial Security (ASIS), potential losses from intellectual property theft for U.S.-based companies are estimated to be $24 billion annually. The ASIS study also ranked hacking second only to pre-text phone calls (i.e., social engineering) as a means of acquisition.
According to the 1996 Ernst & Young/Information Week survey, 80% of respondents considered employees a threat to information security, 70% considered competitors a threat to information security, and almost 50% had experienced financial losses due to an information security incident.
According to a 1995 study from East Michigan State University, over 40% of respondents had been the targets of computer crimes at least 25 times. The study also indicated dramatic increases in many types of computer crime (e.g., a 77% increase in theft of trade secrets and a 95% increase in unauthorized access to computer files).
According to the General Accounting Office, the U.S. Defense Department may have suffered as many as 250,000 attacks on its computer systems last year and the number of such attacks may be doubling each year.
But even if you are skeptical of the data yielded in such studies, a glance at recent newspaper headlines should give you a feel for the scope of the problem. In 1994, IBM, General Electric and NBC were hacked over Thanksgiving Day weekend. The alleged perpetrators, a mysterious group dubbing itself "The Internet Liberation Front," caused major disruptions. In 1995, Citibank was hit by Russian hackers who illegally transferred over $10 million to separate accounts around the world, using a laptop PC.
Recently, a former software engineer for Intel Corporation pled guilty to charges that he stole Pentium chip production secrets, worth millions of dollars, and gave them to a rival computer company. Also, in recent weeks, it was revealed that several employees of the Social Security Administration allegedly passed information on 11,000 people (including their Social Security numbers and mothers' maiden names) to a credit card fraud ring.
In another widely reported incident, FBI investigators armed with a court-ordered wiretap and a sophisticated program called Intruder Watch (I-Watch), tracked down an alleged hacker who had compromised computer networks at many sensitive sites including Harvard University, NASA and the Los Alamos Naval Laboratory.
These incidents weren't reported because they were exceptional, they were exceptional because they were reported. Less than 17% of respondents to the CSI/FBI survey reported incidents to law enforcement; over 70% cited negative publicity as the reason.
Perhaps the most disturbing data relates to the level of preparedness within organizations.
Over 50% of respondents don't have a written policy on how to deal with network intrusions.
Over 60% of respondents don't have a policy for preserving evidence for criminal or civil proceedings.
Over 70% of respondents don't have a "Warning" banner stating that computing activities may be monitored. (Absence of "Warning" banners hampers investigations and exposes an organization to liability.)
Over 20% of respondents don't even know if they've been attacked. And as already mentioned, less than 17% of respondents who experienced intrusion(s) indicated that they reported it to law enforcement, and over 70% cited fear of negative publicity as the primary reason for not reporting.
It is our view that the preponderance of evidence indicates that the problem of computer crime is only getting worse. And although the heated debate over the U.S. export restrictions on cryptography would seem to suggest otherwise, encryption is not a panacea. All organizations (whether public sector or private sector) must develop a comprehensive information security plan. Encryption is a vital component, but it is not a complete solution.
There is an insufficient level of commitment to information security.
A serious commitment to information security translates into budget items for building information security staffs as well as providing them with training to keep abreast of emerging trends and empowering them with sophisticated technologies.
A serious commitment to information security also means conducting in-depth, periodic risk analysis in order to understand the nature of the threat as it relates to the particulars of a specific organization as well as developing strong, enforceable policies on a broad range of information security issues.
Security awareness for users is also essential. Organizations that don't already have such a program in place must implement one immediately. Those that already have a program in place must augment, update and intensify its scope.
Physical security is often overlooked as well.
There is also a great need for an emphasis on information security in computer science curriculum and on computer ethics as a critical aspect of good citizenship.
The high-tech vendors of operating systems, applications and hardware must begin to pay more than lip service to information security. Since the dawn of the desktop PC, the emphasis has been on ease of use, speed and connectivity. This attitude must change. Security can no longer be ignored. And although there are many excellent third-party security products from firewalls to Fortezza cards, until the underlying information systems architectures are developed with a greater respect for security issues, serious vulnerabilities will continue to be exploited.
Finally, there is a need for greater cooperation between the private sector, academia and the government. There is much to be done and too little time to do it. There are many excellent champions who have been working tirelessly, e.g., Scott Charney of the U.S. Justice Department, Professor Eugene Spafford of Computers, Operation, Audit, Security and Technology (COAST) at Purdue University, and CSI's own members in Fortune 500 corporations, government agencies and universities. But it is imperative that common ground be found in order to meet the "current and future danger."
Statement of Intent
This survey was conducted by the Computer Security Institute (CSI) on behalf of the Computer Crime Squad of the Federal Bureau of Investigation (FBI).
The purpose of this joint effort is threefold: