1997 Congressional Hearings
Intelligence and Security





 Page 1       TOP OF DOC
SECURE COMMUNICATIONS
TUESDAY, FEBRUARY 11, 1997
U.S. House of Representatives,
Committee on Science,
Subcommittee on Technology,
Washington, DC.

  The Committee met at 10 a.m. in room 2318 of the Rayburn House Office Building, Hon. Vernon J. Ehlers presiding.
  Mr. EHLERS (presiding). I would like to call this meeting to order.
  My name is Vernon Ehlers. I am Vice Chair of the Science Committee. I am sitting in for Congresswoman Morella who chairs the Subcommittee on Technology. She unexpectedly was called to a meeting at the White House, and those type of summons we normally obey. So she will be here as soon as possible and I will be happy to relinquish the chair to her at that time.
  However, we did not want to delay the hearing, or the briefing, and therefore I will be chairing this until such time as Congresswoman Morella arrives.
  I certainly want to welcome everyone to this briefing. I particularly want to welcome the panel. I thank you very much for your willingness to appear and to testify on the important issue of communications security.
  This is a very, very difficult topic. One of the prices we pay for living in a country with the freedoms we have is that we are constantly endangered by people who take advantage of those freedoms to engage in nefarious acts of one sort or another.
  Computer hackers of course are the most notorious and the most widely publicized in terms of computer security, but there are many other types of security risks. The espionage that companies may engage in; and of course also the espionage that terrorists or foreign enemies may engage in. These are all a part of it.

 Page 2       PREV PAGE       TOP OF DOC
  In addition, security of telephone lines is a matter of concern and particularly security of cellular transmissions. So there are many areas of life today where individuals are very much worried about their privacy and their security.
  Something else that receives virtually no publicity but which is equally important, particularly in the world of commerce and government, is the authenticity of the messages being transmitted. And again that is--although the public has little knowledge of the concern in that area--a major concern.
  I believe it is a very important topic that has to be examined. Both the Congress and the public have to be informed about the nature of security risks and some of the problems we have, the issues of privacy that are related to that, and therefore I am very pleased that Congresswoman Morella and Donna Farmer, the aide most responsible for this, I am pleased they have put this forum together. This will provide an opportunity for us to examine these issues in depth.
  The format of the briefing will be that each of the panelists will have 10 minutes to present their viewpoint. The intent is not to interrupt with any questions until they have all completed their statements.
  If, however, a Member happens to have a burning question and has to leave for another appointment, we might give them a brief opportunity to ask that question, but the intent is to proceed directly through the panel and take all questions afterwards.
  I am pleased to welcome Representative Tom Davis from the Virginia area, and also I see Representative Goodlatte arriving who is on the Judiciary Committee but has sponsored a bill on encryption which I am pleased to co-sponsor, and we have worked on that issue together. He also deals with other computer security issues.
  The panel before us is a very distinguished panel. I will give brief introductions for all of them at this point and then we will proceed rapidly through their presentations.

 Page 3       PREV PAGE       TOP OF DOC
  First we have Dr. Daniel Geer who has appeared before us once before as a panelist on our November 26th briefing on encryption. He is the Director of Engineering for Open Market, Incorporated, and was in charge of the MIT team that developed Kerberos during Project Athena in the late 1980's. This technology is widely enough adopted to approach a de facto standard for remote authentication in client/server environments.
  He will be discussing how computer security relates to electronic commerce and the importance of trust in a digital economy.
  Next we will have Mr. Daniel Lynch who founded the Interop Trade Show that yearly teaches over 300,000 computer systems people how to get their computers to talk to each other over the Internet. He also co-founded CyberCash, an early leader in electronic commerce payment, and Pretty Good Privacy--which is one of my favorite titles--the leading supplier of electronic message security.
  He will focus on the interoperability and how all of these issues fit together.
  Mr. Tsutomu Shimomura is a Senior Fellow at the San Diego Supercomputer Center and, with John Markoff, co-author of TAKEDOWN, a book which chronicles his pursuit of computer criminal Kevin Mitnick--and I am sure most of you have heard about that. The rights to his story have recently been sold to a major motion picture studio--and you have my sincere sympathies for engaging in that activity and getting involved in that world.
  [Laughter.]
  Mr. EHLERS. Mr. Shimomura is an expert in cellular and wireless security. He will be discussing issues relating to telecom security and its pervasive implications.
  Next will be Mr. Geoff Mulligan who is a Senior Staff Engineer in the Security Products Group at SunSoft and is principal architect for Sun's premier firewall product ''Sunscreen'' as well as a founding member of the Internet Commerce Group.
  Prior to joining Sun, Mr. Mulligan worked at Digital's Network Systems Laboratory developing the DEC SEAL firewall, developing networking courseware, and researching e-mail issues.

 Page 4       PREV PAGE       TOP OF DOC
  He will be discussing inter- and intra-organizational security and the role of ''containment.''
  Next will be Mr. Daniel Farmer who is an independent security consultant and co-author of the well-known SATAN software which aggressively audits the security of network computer systems.
  He recently released a survey paper entitled, ''Shall We Dust Moscow?'' which discusses the current state of the Internet security.
  He has worked at CERT, which is an acronym for the Computer Emergency Response Team. He has done security consulting and vulnerability assessments, as well as at Sun Microsystems and Silicon Graphics.
  He will be discussing the role of security tools and their relation to the larger context of security.
  Our final witness will be Dr. Eugene Spafford. Dr. Spafford is an Associate Professor of Computer Sciences at Purdue University. He is the founder and director of the world's largest academic research group dedicated to information security R&D: the COAST Laboratory at Purdue University.
  He has been actively involved in computer and network security for 15 years. He is co-author of one of the most widely cited computer security books and a frequent lecturer.
  He will be discussing what education can lend to this process.
  Before we go to the panel, let me introduce the other Congresspersons who have arrived. I see Congresswoman Lynn Rivers from Ann Arbor, Michigan, the finest State in the Union----
  Ms. RIVERS. We could say----
  Mr. EHLERS. Yes, right, and one of the finest universities, exceeded only by Berkeley, of course.

 Page 5       PREV PAGE       TOP OF DOC
  [Laughter.]
  Mr. EHLERS. And also Congresswoman Eddie Bernice Johnson from Texas. You have, I believe, the Space Center close to your area?
  Ms. JOHNSON. It is in Texas.
  Mr. EHLERS. Yes, it is in Texas. I know that.
  [Laughter.]
  Mr. EHLERS. She has also had a keen interest in science and technology issues because of the strength of those issues in Texas.
  We welcome you all. We welcome the panel, and we will now proceed with the testimony.
  Dr. Geer?
STATEMENT OF DANIEL GEER, Ph.D., DIRECTOR OF ENGINEERING, OPEN MARKET, INC., CAMBRIDGE, MASSACHUSETTS

  Mr. GEER. Good morning----
  Mr. EHLERS. Could you turn on your microphone, please?
  Mr. GEER. Of course.
  Mr. EHLERS. Thank you.
  Mr. GEER. I want to give a bit of an overview that the other members of the panel will elaborate on. It is relatively simple. In fact, it is intended to be simple. I think if we cannot discuss this in simple terms, we are never going to get anywhere.
  The conversion of much of the physical world to an electronic one, whether we are talking about government or business is simply inevitable. I would like to think that was a nondebatable point as we go forward here. It is just simply inevitable. It is already underway. The force of economy makes it so. There is no turning back.

 Page 6       PREV PAGE       TOP OF DOC
  It will proceed in some locations faster than in others, but it is already well underway and it is simply a fact of nature.
  It changes everything. Conversion of the physical world to an electronic one changes most everything that we know about, and yet at the same time in some odd sense it changes nothing.
  The issues that are important to us in the physical world, whether it is trust or the ability to communicate with a counterparty and know whom you are talking to; the ability to have some recourse if things go awry; the ability to find the resources that you are looking for; all of those sorts of issues which were well familiar to us in the physical world also are issues in the electronic world.
  The question at hand is: How do we get from here to there?
  There are only three requirements, to my way of thinking, for an electronic world to happen. Two of the three of those are already well understood. It is the third one that is the issue of the panel today.
  The first one is: You have to have network connectivity. You have the have the ability to participate in the first place. The wire has to reach where you are. There has been a lot of progress in the last few years on that. The rate of growth of the Internet which is chronicled in the lay press and the trade press alike, illustrates this point very well. It is almost growing so fast that we do not know how to even hand out the network addresses, how to hand out the identities, how to simply connect enough people up. The amount of fiber being laid and so forth is astonishing.
  Yet I think it is fair to say that this is already a solved problem. There is almost no place on the planet--in fact, I would claim there is no place on the planet--where you cannot get reasonable network connectivity already. The price is dropping like a stone, and you can just simply assume that everything will be wired in reasonable order.

 Page 7       PREV PAGE       TOP OF DOC
  There is certainly a role for Congress to play in what the terms of that wiring is, but speaking as a technologist there is no question but what it is going to happen, and it is already well underway. So that is the first requirement for an electronic world.
  The second requirement is you have got to have something to sell, or something to say. I think that also is already taking place. It is already inevitable. It is already well underway.
  Think back. It is only 4 years ago that the Web came into existence, the WorldWide Web and the Browser market, and think how pervasive it already is.
  Or think, in a similar fashion, how long did it take after the invention of the video cassette recorder before the question was not, ''Are there any movies for this?'' but instead that there is a video store for every 10 square miles, or every 10,000 people, whichever is smaller.
  It takes no time for there to come something to sell on a new medium. That is also true here. It is easy, in other words, and this is underway.
  The third requirement for an electronic world, the conversion of the commerce that we know today to an electronic commerce, is trust or security. The security point of all of this is: If you are going to engage in real transactions for real dollars in real amounts over a wire, how do you know what is going on?
  How do you know you are talking to the right person--the authenticity term that the Chairman spoke of earlier?
  How do you know that the authorization is actually present to engage in that transaction?
  How do you have any accountability when you are done?
  How do you avoid having someone later claim the message that appeared to come from them did not, or the credential under which it took place was stolen?
  Or in some other way the idea that what is needed for commerce to take place is contract and for what is needed for contract is the ability to have recourse.

 Page 8       PREV PAGE       TOP OF DOC
  The basic message I want to bring you from where I sit today is that the Congress needs to help set the rules of the game so that recourse and liability and other issues of that form are well enough understood that the game can proceed at its own pace.
  We have a trusted group of individuals here direct from the front. Everyone sitting on the panel here has in some sense been a participant at the very front of this wave of conversion of the physical world to an electronic world. I think each of them brings something similar and yet something different to this discussion, and I know that you will profit from hearing what they have to say.
  The thing that I want to stress to you is that time runs quickly. Where I work we speak of it in terms of ''Web time'' or ''Web years.'' It is sort of like dog years. Time passes at a remarkably fast clip, and if you want to lead as opposed to follow or get out of the way, there is a very limited time to do so.
  I know in the commercial world we have discussions along the lines of, ''If we can bring that product out in 6 months we will have a killer; if we bring it out in 9 we might as well not bother.'' Those sorts of discussions dominate the world that I live in, and I think that they illustrate the time scale at which change is going to happen.
  If the Congress wishes to set these rules before there is a substantial amount of sunk investment, before there are a lot of prior interests to reflect and to in some way calculate in and to compromise with, there is a very limited amount of time remaining for you to do so.
  You are, in effect, I would argue, in competition with other countries, with other entities that make law. In the electronic commerce space there is no ''place'' there. There is no ''location.'' A wire leads off into the Internet. Where is the other end? In some sense it is not only independent of location, it is irrelevant of location, and you are in competition with all other entities that would make laws. And, just as there are Panamanian ships, Swiss bank accounts, and Delaware corporations, there is going to be something similar in the electronic commerce world and the question for you is: Do you want to have the most attractive and the most compelling place for this kind of activity to take place?

 Page 9       PREV PAGE       TOP OF DOC
  My argument with you is: It will take place somewhere; the only question is, where?
  So let me say that if you want to set those rules, you have a limited amount of time to do so, just as I on the commerce side, on the product side, have a very limited amount of time to actually make those products.
  If you do not do so, if you do not set the rules of the game, if you choose to pass on this one, then the rules of the game will be set by some combination of other governments, trial lawyers, and the insurance industry; because somewhere the rules have to come from; somewhere, the rules have to come from.
  I would request that the Congress take action in this regard as opposed to letting it happen in those other ways.
  Finally, if you choose to not act, there is also the very tangible risk that the choice you will have made is to export jobs instead of products, because the technology that we are going to speak of here today has no way to sequester it in one locale. It travels. Everything we know is known anywhere else.
  It is no longer possible to sequester an idea. It is no longer possible to ban a book. It is no longer possible to think of the Internet as anything else than Radio Free Europe on steroids. I invite you to listen to the rest of the panel here as they describe their viewpoints on this fact.
  Thank you.
  [The prepared statement of Mr. Geer follows:]

TESTIMONY OF DANIEL E. GEER, JR., SC.D.
U.S. HOUSE OF REPRESENTATIVES
COMMITTEE ON SCIENCE
SUBCOMMITTEE ON TECHNOLOGY

 Page 10       PREV PAGE       TOP OF DOC
WASHINGTON, DC
11 FEBRUARY 1997
Thanks to the subcommittee on Technology for the invitation to be here today and thank you all for choosing to spend your time with us. Every member of this panel is a trusted subject matter expert of considerable standing. Our worlds and yours do not ordinarily cross, but they should. They will have to. What is happening in the electronic world is, to quote The Economist, more defining than the telephone and but one notch short of the printing press. Without rancor or hyperbole, there is really very little time remaining for Congress to itself choose whether to lead, follow or get out of the way. Where it is crucial that government lead is in setting the rules of the game.
We hope to educate you today, but we know that in your line of work there is no time to study subjects not germane to this term's legislative agenda; we panelists, therefore, have the burden of proof to say something relevant. I am reminded of what I know as the four verities of government:

Most exciting ideas are not important,
Most important ideas are not exciting,
Not every problem has a good solution, and
Every solution has side effects.

The trade press gets it wrong when it tries to talk about security as just a question of picking the right vendor. The lay press gets it wrong when it talks about exciting personalities and not about important ideas. Those of you in this room today have an inkling that something is up or you would not be here. Congratulations; you're right.
In one way or another, I have tried to make and sell computer security products for over a decade. Until the last year, I found that I could only sell to two kinds of organizations: Those that had already been hurt and those that had to answer to some higher authority and soon. Almost without exception, until 1996 no one talked about security in other than defensive terms. 1996 was the last year for that kind of thinking.

 Page 11       PREV PAGE       TOP OF DOC
The wholesale conversion of the commercial world into an electronic market is upon us. If I'm wrong by a year or two, that is all that I'm wrong about. Since the start of 1996, my phone rings incessantly with both public and private organizations wanting to know how to be part of this electronic revolution without embarrassing themselves. There are only three requirements for an electronic business, or an electronic government for that matter.
Requirement number one is network access; that's easy--it's universally available and the price is dropping fast; half the users on the Internet have been there less than a year and there is nowhere on this planet where an electronic business cannot be located, technically speaking.
Requirement number two is something to sell; that's easy, too--how long did it take the VCR to go from ''Are there any movies for this thing?'' to one video store for every 10 square miles? The market for ideas has never been greater and as governments everywhere will learn, with the Internet out there, it is no longer possible to ban a book or even an idea. The Internet is Radio Free Europe on steroids.
Requirement number three is some way to have trust in the transactions--that is, per se, why we're here today. Security technology is the single essential enabling technology other than the network itself. Those who get it right and agree on how to do trust management will dominate the next century.
I am here to convince you that security technology and security issues are worth the investment of your time and your brain cells. I want you to become educated consumers of security claims. In one of the Sherlock Holmes stories, Holmes, holding a scalpel in his hand, says ''Watson, isn't it interesting how the instruments of healing are so indistinguishable from those of crime?'' Security technology is like that precisely; there is a very subtle difference between the good and the evil here and there are already frank charlatans and charismatic quacks aplenty.
Let me assume for a moment that you of the Congress want the electronic markets to be as much dominated by enterprises within your sphere of control as the physical markets of today are, i.e., that you want the United States to continue to enjoy its economic position in a world of free trade and location-does-not-matter. Let me also assume that you are fond of entrepreneurial efforts as a way of taking advantage of change. Here is what you must do.

 Page 12       PREV PAGE       TOP OF DOC
You must not hinder the use of security technology. This means you must explicitly forbid domestic use controls on cryptographic technology. If you do not do this, you will have chosen to export jobs rather than products.
You must make enough rules that there can be recourse when electronic commerce goes awry. Today, the rules of liability for purely electronic businesses are without case law precedent or agreed-upon governance. If you do not do this, the insurance industry will do it for you and, again, you will export jobs rather than products.
That is only two things and they are simple things. Do not let anyone make it more complex or argue that we need to go slow or that we first have to let foreign governments or domestic law enforcement catch up. By the time that happens, you will definitely be somewhere between ''follow'' and ''get out of the way.'' I, we, beg you to invest some study time on this and talk to people like us. No leading company in electronic commerce is more than three years old; the companies you see every day are likely to be as in the dark as government is. The smarts are out there and, if you act informedly now, you can do the right thing before the calculus of sunk investment and private interest dominate the conversation.
Thank you.

  Mr. EHLERS. Thank you very much for your testimony.
  Dr. Lynch?
STATEMENT OF MR. DANIEL LYNCH, CHAIRMAN, CYBERCASH, REDWOOD CITY, CALIFORNIA

  Mr. LYNCH. Where are we today?
  Well, right now the Internet business in the United States is about a $30 billion a year business. That is, the manufacturers and service providers in this country for 1996 did about $30 billion in business.

 Page 13       PREV PAGE       TOP OF DOC
  Well I remember back in 1973 when I got into this game at Stanford Research Institute it was a $4 million business all supported by DARPA, the research of the ARPANET. What was going on then was, I was working in California. I had friends in London and Boston and in Salt Lake and in Linshopeng, Norway, and we were all programmers working on this ARPANET that became the Internet and helping each other solve problems, programming problems, and it was fun, and it was work, and we trusted each other. We helped each other. We were a community of people, and we learned to trust each other even though we had never seen each other, most of us.
  Then it grew, and it grew, and it grew, as they say. Now what is the Internet?
  It is this giant communications system for communities of interest to share. It is no longer just a dozen programmers who can figure out how to trust each other because they kind of know that if you are not speaking the language I am speaking, I know you are an imposter, and now we have this problem of trusting people at a distance.
  The physical boundaries, as Dr. Geer said, the physical boundaries are kind of meaningless. It does not mean that you do not live in the place and obey those rules of that society that you are in, but the society that is being built worldwide on the Internet is confusing for those of us who are out there now because you say, I do not want to break a law that I am unaware of; so we have this space frontier in some sense, or space-less frontier, and the only way we have to figure out who each other are is through this nasty word called ''cryptology,'' or ''secret writing,'' as we all know it to be from long ago.
  There have been many technologies developed in the last 20 years and techniques developed so that I can prove who I am. I can be sure I am talking to you. I can be sure that what I sent you, you can't forge or alter and pass on to someone else as if it were my, you know, kind of speaking or writing. And all of these techniques and technologies rely on some mathematics that, oh, by the way, is just math, folks.
  The Israelis know it. The Russians know it. The Chinese know it. The Mexicans know it. Everybody knows it. And if we think we can keep it in a container somewhere, that is pretty fallacious thinking.

 Page 14       PREV PAGE       TOP OF DOC
  This Internet system is an open system. It thrives on kind of like a biological environment, it thrives on other people adding their value, adding their ideas, adding their hopes, and seeing if it takes, seeing if other people like it. It is a world global village.
  Marshall McClellan died before this thing came into being, but he predicted it, and it is definitely in place. The part that has been in place, interestingly enough, for quite a long time, is the business-to-business electronic commerce world. That is, businesses sending each other information, and bills, and making payments through the banking system, and all of that has been done for the last, oh, 10 or 15 years by businesses using dedicated links to each other, and building up--remember the old story about the telephone operators? You know, the streets of Boston and New York were going to be black with wires, and they would have to have one wire between every two speakers, and all that jazz?
  Well, the Internet came along and basically made it so you do not have to have point-to-point wires between everybody. You can share the wires. That drives the cost down, makes the skies prettier, and oh, by the way, makes it so other people can see what you are doing.
  Now sometimes you do not care about that, but sometimes you do. What we want to make sure of is that when you do care what other people are seeing what you are doing, that you can make it so they cannot see what you are doing.
  That is in the business-to-business world.
  What has happened now with the Internet is that the, I call them ''normals,'' regular human beings are on the Internet now, tens of millions of them. It is not just us couple hundred thousand programmers anymore.
  They also have these cheap computers now. Anyone can get a computer for, you know, a thousand bucks to two thousand bucks, and they are beginning to do electronic commerce, and buying, and things like that on the Internet, and they are a little nervous.
  I mean, one of my companies, we are sitting there waiting for them to come. It's a ''Field of Dreams.'' We've built a whole technology but it is not strong enough, cryptographically, to assuage everyone's fears that it is safe to use because it is invisible. It is hard to see.

 Page 15       PREV PAGE       TOP OF DOC
  So we need to get these old laws that were military laws to protect us against ''the bad guys'' figuring out what was going on with our communications technology that is no longer relevant, I believe, we need to relax those rules.
  Here is the debacle I do not want to see:
  This Internet stuff was created in the United States and it has grown, as I said, to about a $30 billion a year business at about a 100 percent growth rate that just keeps doubling beautifully for quite a while and has been doubling ever since I started my InterOp Trade Show back in 1986; it is doubling every year; and it will eventually end, we all know that, but it still has a long run.
  We built all this technology, and the public liked it and they bought it and no one told them they had to, and now we have--and there was this other technology called OSI, Open Systems, which mainly and European and Asian controlled, and it lost the battle in the marketplace.
  I do not want to see us give over to the other countries our well-earned lead in building all this technology because of some rules that we impose on ourselves and then we just lose this marvelous lead.
  Thank you.
  [The prepared statement of Mr. Lynch follows:]

CYBERSPACE IS OUR NEW HOME
FEBRUARY 11, 1997
DAN LYNCH, CHAIRMAN, CYBERCASH, INC.
Cyberspace is about a new space, a new home, that our children will inhabit much more easily than we can imagine. Here is a short story about what could happen in that space.
Allen owns a small company that designs computer printed circuit boards. His four-engineer design group is located 10 miles outside of Boulder Creek in the mountains near Santa Cruz, California. This morning he checked his Internet mail and found a message from Irene, a design engineering manager at a large computer company in San Jose, California. She asked him to look at a sensitive Request for Quotation (RFQ) she had just posted. The RFQ was open only to three firms, and the message was encrypted in such a way that only those three firms could read it.

 Page 16       PREV PAGE       TOP OF DOC
After analyzing the RFQ, Allen again used the Internet. He checked the current prices for the integrated circuits (ICs) he would need to build Irene's board. He examined several online catalogs for IC manufacturers, and he made rough estimates of the cost of materials. There was one thing left to deal with: a design issue he didn't quite understand.
Allen queried several engineers at Irene's company, as well as an engineer in Amsterdam he had met at Comdex. The Amsterdam engineer referred him to an article in a back issue of an electronics association journal, which Allen promptly downloaded from the journal's Internet forum.
After lunch, Allen prepared his quotation and sent it to Irene, encrypted. Not only was the bid secret, it was a legally binding offer. Allen mused about how his access to the Internet enabled his company to get jobs that used to go to the big boys on the other side of the hill. Allen's quotations are extremely accurate; he can always look up the most up-to-date prices and inventories in the online catalogs. His designers are very efficient, because they have access to the latest applications and utilities from colleagues all over the world. And Allen's company cash flow is improved because he sends his invoices and remittances over the Internet.
Irene, at the other end of the electronics food chain, remarks about how using the Internet has helped her company's profitability. The publications group cuts the printing costs by putting its data sheets, catalogs, and data books online. Her engineering group takes advantage of the special strengths of different board designers, no matter their location: The other two firms bidding on this RFQ were in Oregon and Taiwan.
The bottom line: For Allen and Irene, the Internet is secure and easy to use. It provides access to services and information around the globe. It is a commercial tool, as fundamental as a spreadsheet or a telephone, that they both use to stay competitive.
That is the end of the short story. What can go wrong to prevent that scenario from playing out in the next generation? Modern day ''Luddites'' are trying to stop the underlying encryption technology from being used to make electronic communications secure. They correctly point out that this technology helps criminals as well as nice people. Well, so do knives and automobiles, but we have not outlawed their use. Why should we outlaw the use of strong encryption? Furthermore it is pure folly to think it can effectively be done. Let me explain why.

 Page 17       PREV PAGE       TOP OF DOC
A fundamental reality about encryption is that it cannot be stopped by technical means. Why not? Cryptographic material can be disguised within other material. For instance, it's not possible to tell whether you're looking at an encrypted message when it's hidden in a picture. To explain: Suppose you have a digitized picture of the Mona Lisa, in full 24-bit color. If you utilize the low-order bit to contain your encrypted message, the picture still looks like the picture. Why? That low-order bit is meaningless noise at the visual level. Furthermore, if the cost of transmission is low enough, it's worthwhile to transmit such pictures. And without the key, it's impossible to unlock the noise. (Is it or isn't it a secret message? Only the keyholder knows for sure.) This ability to hide information within another message is referred to as ''creating a subliminal channel.'' Subliminal channels, for better or worse, can provide some basic freedoms.
Do we want our citizens to resort to such subterfuges or do we want to simply recognize their right to converse digitally with whomever they wish with as much privacy as they wish in their new home?

  Mr. EHLERS. Thank you, very much. We appreciate those comments.
  We have been graced by the presence of a few additional Congresspersons. First, Congresswoman Zoe Lofgren from Silicon Valley, who has a keen personal interest; and Congressman Lampson. Welcome.
  We will next go to Mr. Shimomura.
STATEMENT OF MR. TSUTOMU SHIMOMURA, SENIOR FELLOW, SAN DIEGO SUPERCOMPUTER CENTER, LA JOLLA, CALIFORNIA

  Mr. SHIMOMURA. Yes. Hello.
  I want to talk a little bit about how the world is changing in terms of communications. It used to be that when we engaged in commerce and when we talked to each other, we talked to each other face-to-face.

 Page 18       PREV PAGE       TOP OF DOC
  We would meet in person and we knew each other. We knew each other by face, by what we do, and by mannerisms. Then we engaged in commerce for a while in non-face-to-face ways where you send in mail order, or where you send letters to communicate or by telephone, and even though for a long time it was face-to-face, we have learned to adapt to these technologies such as the mail where you can send someone a letter and you have some notion of how private it is or how not private it is; or you can call someone and you can recognize their voice and can tell something about who you are talking to, hopefully, but we are coming increasingly depended on these non-face-to-face technologies like telephone and like the Internet.
  In a lot of ways we tend to misuse them. We have had a long time to become comfortable with mail. When we get a bill in the mail we will be suspicious--if we do not recognize who sent it, we will be a little bit suspicious and we will tend not to pay it immediately.
  But often with computers, when we get a message we do not know whether to trust it or not, or how trustful it should be. There is a part of us that says, oh, we should trust this because it came from the computer.
  There are a lot of mechanisms that are insecure but we try to use them as if they were secure because we want them to be secure. We want to be able to use them. We have to. As commerce moves on-line, as our lives have moved on-line, we cannot not use these things without being really handicapped.
  So we have infrastructure. We have communications' infrastructure and other things which are not really trustable and not really secure but we use them as though they were.
  In the real world, there are many things that are not secure but we get used to it as well. We come to understand those risks. But in the on-line world we often do not understand those risks and so we misuse these technologies.
  There are a lot of risks. I was involved in the pursuit and capture of a fellow by the name of Kevin Mitnik, a computer criminal who has been on--I guess he has been in and out of prison and jail for 15 years. It is interesting.

 Page 19       PREV PAGE       TOP OF DOC
  I guess Dan Lynch here was the first guy to catch him and cause him to be prosecuted. I guess I am the most recent thus far. I hope I am the last, but I don't know. But there are many risks here.
  I have a computer here which has transcripts on it from a computer cracker. We do not know who it was, but it was someone who broke into a machine at Los Alamos National Laboratory just about a year ago. It was February 10th last year.
  Could I have the lights, please?
  [A computer demonstration is presented.]
  Mr. SHIMOMURA. The other set of lights also, please.
  We have tools that will let us capture intruder sessions. This is an unknown intruder who broke into a machine at Los Alamos National Laboratory and they used it as a base of operations to break into what he thought was my computer at the San Diego Supercomputer Center funded, incidentally, by you guys.
  It turns out that this machine is actually----
  Mr. EHLERS. I have to correct that. It is funded by the American people.
  [Laughter.]
  Mr. SHIMOMURA. Indeed.
  In any case, this is a machine that we put up as bait so that we can see people attacking and watch them, and study them. It is like putting test subjects in a cage.
  We have tools that let us watch exactly what the guy was seeing on his screen as he was breaking in, or as he was doing whatever.
  Here there is a session--this is a fellow who is trying to type up a message to mail out to the world to try to prove that he has broken into my computer. This guy does not know how to type, yet he has broken into a machine at Los Alamos.
  In particular, he has not figured out the difference between the ''delete'' key and the ''backspace'' key on the keyboard. So every time he makes a mistake, he has to retype the entire line.

 Page 20       PREV PAGE       TOP OF DOC
  [Laughter.]
  Mr. SHIMOMURA. ''The Mitnik Liberation Front,'' oops, try again.
  [Laughter.]
  Mr. SHIMOMURA. And this goes on, and this goes on.
  So we have people like this. I think these are the people who vandalize WorldWide Web sites such as the Justice Department has had, the Air Force, the CIA, and this is what we see these days.
  These guys are not the problem. These guys are juveniles. But they get in the infrastructure right now because we don't have secure communications and is weak enough to let these guys come and go as they will.
  In this case, what we believe happened was: Since passwords are used to access these machines, you log in by using a user password, it is possible by intercepting--by monitoring the network and by intercepting communications, to acquire passwords, and we believe that is what happened in this case.
  So the password of a legitimate user was monitored and then abused in this case. If we had strong cryptographic tools, this would be a little more difficult.
  Something else that has been in the news recently is the issue of cellular privacy. We use cellular phones because they are a great convenience. We treat them as though they were secure, many times.
  The current analog systems have no provisions for security. Even the digital systems often are operating with security disabled.
  Mr. Chairman, we have a device that I guess is in front of you--or that is at the other end; okay--a device which I guess is being passed down, which is a Palmtop Personal Computer, just like a PC, and a regular cellular phone, unmodified, and a cable to connect the two.

 Page 21       PREV PAGE       TOP OF DOC
  There is software which can be readily obtained running on the machine which lets you intercept cellular calls. In this case, all it is doing right now is monitoring the control channels, one of the control channels that is used by one of the local cells so that you can watch to see who is setting up calls.
  So you get the phone number of every cellphone that is used in this area. Right now it is just displaying that, but someone could easily modify the software, or enable features in the software that would let you pick up any of those calls and actually monitor it with the audio, or search for other calls. There is no protection against this right now.
  Right now you have people perhaps with scanners who sit there all day and record conversations, or attempt to record conversations. This can be fully automated. If someone is serious about trying to get information about industrial espionage, about trying to do harm, the technology is there.
  There have been various attempts to try to restrict the availability of receivers such as this, but the cost of equipment to intercept a cellular call will probably never be any greater than the cost of a telephone.
  This can be had for somewhere between 1 cent and $100, I guess, these days. That is because, again, there are technologies in cryptology that can be used to make these systems much more secure, but we do not have them deployed.
  Consider the real problem when there is actually a profit motive. Consider situations with things like the direct-to-home broadcast stuff where you can save, or appear to save significant money by defrauding the satellite companies and whatnot.
  Consider how much work people have put into defrauding these and making money off those. Consider that as we move commerce on-line and there is actual profit to be had by subverting these networks, how many more people are going to have incentive to actually subvert our communications for profit?

 Page 22       PREV PAGE       TOP OF DOC
  It is just like the real world. There is really no difference in the on-line world and the real world. We have criminals in the real world and we will have them in the on-line world.
  We have had a long time to learn to deal with criminals in the real world, and we are just learning how to deal with them in the on-line world.
  The thing is, in the real world we have a notion of risk. When we lock a door, we have a good, intuitive feel of how secure that is. When we put something in our desks, we know how secure that is, and we use these appropriately. We know how strong the screen door latch is.
  The problem is that in the on-line world right now it is hard for us to know in many cases just how trustworthy something is. Partly this is because we do not know how to build systems that are both usable, that do what we expect, and provide us security. So we tend to misuse these, as I mentioned.
  I think we need a lot of research into how to build secure systems--not just secure systems, but secure systems that are usable, that are usable for the kinds of things we need to do for commerce, for private communication, for business.
  There are many impediments; this is not just technology. We have problems with, for example, as both Dan and Dan here have mentioned, there are tools in cryptology, technologies of cryptology that can be used to make these things much more secure. Unfortunately, they are very difficult to deploy right now due to, in some cases, government controls and having to do with inability to export products.
  It is a world market, and it is not economical for a company to develop products that are usable only in one country. So we need to address those issues unless we wish to lose our lead, as Mr. Geer has said. And we need to learn how to build secure systems. Research I think is critical at this point.
  Thank you, very much.

 Page 23       PREV PAGE       TOP OF DOC

  Mr. EHLERS. Thank you, very much. We appreciate your testimony. Could we have the lights up again, and the room lights, as well? We would appreciate that.
  Thank you, very much.
  I notice the room is very, very crowded. If some of those standing near the doorways would like to sit in the desks in the front row, that is permissible, just so that you can be comfortable and we can be accommodating. So feel free to move forward. It is perhaps one of your few times to pretend that you have a position of supposed power.
  [Laughter.]
  Mr. DAVIS. And they will find out how little it is.
  Mr. EHLERS. Yes, as Congressman Davis says, you will find out how little power you actually do have.
  [Laughter.]
  Mr. EHLERS. Our next witness is Mr. Geoff Mulligan. You may proceed.
STATEMENT OF MR. GEOFF MULLIGAN, SENIOR STAFF ENGINEER, SECURITY PRODUCTS GROUP, SUNSOFT, COLORADO SPRINGS, COLORADO

  Mr. MULLIGAN. Thank you, very much.
  For the past 17 years as I have helped to build the Internet, I have noticed that one of the fundamental conflicts that we have is that we have built the Internet to share data and it conflicts with the idea of security of trying to limit the sharing of data.
  We tend to trade off one for the other.
  As the Internet has grown, we have noticed basically three types of attacks. Tsutomu has mentioned one: interception; intercepting your cellular conversation. People do this to try to gain your passwords, to get your credit card information or other private information about your conversations about what you are doing today.

 Page 24       PREV PAGE       TOP OF DOC
  The other is an intrusion. It is the type of attack where they actually break into your system to change or to steal other information from your systems or your network. And the last is a denial of service attack where they are not actually trying to steal any information, but instead they are trying to keep you from your information which can be just as devastating.
  Can you imagine what would happen if I were able to block all communications with the Federal Reserve for a period of 15 minutes during some change in monetary events? I could conceivably change, or during that time while the communications is down take advantage of that?
  The United States infrastructure, technology infrastructure, is very susceptible to denial of service attacks, taking out power grids, taking down telecommunications and the like.
  We do have the start of solutions. It starts with a well-defined security policy, what it is that you do, and you do not want to allow in and out of your network in and out of your systems.
  We have tools like Network Containment, or Perimeter Defense. It is much like putting a guard or a receptionist that companies put at their front door to control people coming in and out, but you allow free access when someone is past the receptionist and they can move around from office to office and allow that free flow of information.
  But we guard the perimeter of the network, or our buildings. Today the best known technology of perimeter defense is known as ''firewalls.''
  One thing that is interesting to note, and I believe is of major concern, the most popular firewall today is built by a foreign corporation, not a U.S. corporation, and it is being used today to guard our banking industry, our government, and our national defense.
  This is a true major concern I believe for the security and the sanctity of the United States, some technology infrastructure.
  But firewalls are not perfect. Just as you may try to check credentials when somebody comes into the building and you are not sure about what happens when they are inside your building. We need protection in depth.

 Page 25       PREV PAGE       TOP OF DOC
  One of the ways to do that is through application containment, colloquially known as ''the sandbox.'' It gives you the control, or it gives you the ability to control what each program does, what each specific application does.
  It can stop viruses from infecting your system, and it can keep it from doing some other nefarious things. We recently found out that a technology that is being deployed throughout the United States and through the Internet called ''Active X'' has the ability to modify files on your system such that your financial program can automatically do fund transfers without your knowledge.
  So you fire up your thing to check your account balance, and it just happens to transfer $5,000 or whatever you have from one account to someone else's account unbeknownst to you and uncontrolled by you.
  We need to develop. We need research and time spent on researching things like application containment, network containment so that we can better build these tools and the United States can move again into the front of this development.
  In the United States we are readily accepting new technologies without really understanding the security implications or doing any education as far as the security relationship of those new technologies.
  Tsutomu has talked about and discussed cellular phones, but if you want to plug one of the largest possible security leaks in your office, reach into your pocket and pull out something like this pager [indicating] and look at it. When you realize that when someone sends you a page, if you are on a nationwide paging service, that paging is being perceived in every city, every major city in the United States, and go along with that, understand that for less than $50 I can build a connecter to this to monitor and read every single one of those pages, you realize what a security potential risk there is involved here.
  Not only that, for slightly more than $50 I can build a connecter to this to now start sending pages to you, and looking as though they came from anybody else. Consider the risk, or the havoc I could wreak on the Nation should I decide to do this and to start sending out pages nationwide and say that the stock market suddenly is off 140 points.

 Page 26       PREV PAGE       TOP OF DOC
  As everybody goes to run and sell their stock, or to do whatever they would normally do if the market was down, I could cause considerable economic impact to the United States.
  Yet, we have no constraints, and we have no thought behind accepting technology like pagers and cellular phones. We certainly use them to do our job, but we need to have more research. We need to have education, and we need to have funding put into advancing the security aspects of this.
  The technology is there. We can start to build it. But we also need the ability from Congress to implement and deploy that in an unconstrained manner.
  Thank you, very much.
  [The prepared statement of Mr. Mulligan follows:]

SECURITY THROUGH CONTAINMENT
A WHITE PAPER
BY GEOFF MULLIGAN
SUN NETWORK SECURITY PRODUCTS GROUP
About the Author
Geoff Mulligan is a Senior Staff Engineer in the Security Products Group at SunSoft. He works on emerging network technologies and network/system security products such as telecommuting tools, firewalls and encryption. He was the principal architect for Sun's premiere firewall product--SunScreen and a founding member of the Internet Commerce Group. Prior to joining Sun, Geoff worked at Digital's Network Systems Laboratory developing the DEC SEAL firewall, developing Networking courseware and researching e-mail issues. Before working at Digital, he spent 11 years in the Air Force working at the Pentagon on computer and network security, building local and wide area networks and teaching computer science at the Air Force Academy. Geoff received his M.S. in 1988 from the University of Denver and B.S. in 1979 from the United States Air Force Academy.

 Page 27       PREV PAGE       TOP OF DOC
SECURITY THROUGH CONTAINMENT
1.1 Introduction
Is Network Security an oxymoron? Networks are designed and built to facilitate the sharing and distribution of data and information, while the goal of security is to limit and control the distribution of information. Ideally, networks are built to increase the ease of use while security reduces this convenience--passwords are difficult to remember, and certain systems are not allowed to exchange information. We end up trading some ease of use for the sake of added security and we give up some security to increase the sharing of data and information. One method for providing both connectivity and security is through the use of containment.
1.2 What is Containment?
Containment is a methodology whereby access to information, files, systems or networks is controlled via access points. Much as a bank vault has only a single well-controlled entry and exit with various security procedures and protections, the security container also has controlled entries and exits known as connectivity points, though when using security containment, there may be more than a single connectivity point. Each of these may handle a specific type of service, such as electronic mail or file transfers. They may also control connections to other systems or networks, such as from the internal network to the global Internet or from an application to the files on the local system. The container has well defined security policies that it enforces and has security protection mechanisms to guard against attack.
1.2.1 Security Policies
Without well defined security policies, even the best container will leak like a sieve. These policies outline the procedures used to pass or move information into and out of the container. Examples of some connectivity security policies might be:

No users or systems outside the company will have access to the financial network.

 Page 28       PREV PAGE       TOP OF DOC
Employees can only have access to the Internet during work hours.
No files downloaded from the Internet are to be run on corporate systems.
Any attempts to access the executive network will be logged.
Alerts will be generated whenever sensitive files are being accessed.

Once the policies have been defined they are implemented and enforced using security containment.
1.2.2 Taxonomy of Security Attacks
There are three main groups of security attacks: intrusion, information interception, and denial of service.
1.2.2.1 Intrusion
Intrusion is when unauthorized persons gain access to internal networks, systems or files. They may only be able to read the data or they may gain complete access to read and modify the information. In the second case their entry may go undetected if they can modify security log files to hide the intrusion. They may also be able to cause actions to be taken by the user without his knowledge, such as initiating funds transfers or equipment purchases by modifying the appropriate files. Intrusions are usually accomplished by guessing or cracking passwords, using IP spoofing, or exploiting operating system bugs.
1.2.2.2 Information Interception
Information interception doesn't require the intruder to actually penetrate the internal networks or systems, but instead merely eavesdrop on data being passed into and out of the systems. He may capture electronic mail messages, conversations, paging messages or even the key strokes while you type. Interception is most commonly used to collect credit card or other sensitive information such as passwords. Using a simple packet sniffer, the intruder watches each packet looking for usernames and passwords and stores them for later use. They then use this information to gain access to internal systems in an intrusion attack.

 Page 29       PREV PAGE       TOP OF DOC
1.2.2.3 Denial of Service
The final type of attack is the denial of service attack. While the attacker cannot read the data or listen to the conversation, they can keep you from doing it. Jamming, as used by the military, is a denial of service attack and when properly initiated can be devastating to the target group. Overloading a system with invalid requests so that valid users are not able to access the system or causing the system or network to crash are both examples of denial of service attacks. It may not be necessary to access its systems to hurt a company. Interfering or jamming the phone lines of a bank causing financial transactions to be delayed or lost can result in irreparable financial damage.
There are tools and mechanisms that can be used to diffuse most of these attacks, though the most difficult to defend against is the denial of service attack. The attacker can remain focused on the single point of failure or weakest link in the connection and either crash it or overload it. Quite often these attacks are used against the security system to try to circumvent the procedures or to stop all connectivity.
1.3 Network/Connectivity Containment
One level of security containment is at the network or connectivity layer of the system. In the United States, we control our security with guards and border patrols while allowing unrestricted movement between the states. Companies control the access to their buildings with receptionists or guards stationed at the entrances and again allow free access to the offices within the building. Using network containment we put our ''guards'' and ''patrols'' at the edge of our network, where it connects to the global Internet, phone system, or customers. In fact, wherever there is a connection to a network or system that is not controlled under the same security policy, a ''fence'' should be installed. This type of security containment is called perimeter defense.
The benefits derived from a perimeter defense are ease of use and ease of implementation. Putting the controls at the edge or perimeter of the network allows a free flow of information within the network. This has been termed the ''Cadbury Egg'' security model, where there is a hard shell with a soft middle. Should an attacker break through the hard shell, they have unrestrained access to all the systems within the interior. It is, therefore, necessary to ensure that the perimeter is well maintained and guarded.

 Page 30       PREV PAGE       TOP OF DOC
The other benefit of perimeter defense is ease of implementation. Quite often there are legacy systems that cannot be secured, such as MS-DOS and Windows systems. These machines, if connected to a network, can be quite easily compromised. In addition, it may be impossible due to the sheer number of machines and networks to completely protect each and every system. In these cases a connectivity container provides the best mechanism to defend against attacks.
1.3.1 Firewalls/Proxies
The current and most popular implementation of connectivity containers is the Firewall. These systems reside between your internal network and the external Internet. They check each and every piece of information (packet) that attempts to pass through the Firewall, but do not interfere with data passing inside the network, much like a receptionist only checks visitors coming in or leaving.
Firewalls are very effective at protecting and limiting the flow of information into and out of the network. They work well at stopping or blocking various types of intrusion attacks, such as IP spoofing, password guessing/cracking and other operating system service level attacks or operating system security deficiencies. In addition, they can provide some measure of protection against denial of service attacks, but the Firewall themselves may be vulnerable to these same attacks and shutting down the information flow through the Firewall can be equally destructive.
Firewalls cannot protect against ''inside jobs.'' If the attacker gains access to the inside or ''soft middle'' of the network, the firewall provides very little protection. It may be able to track and log the attackers' activities which can be used in the future to learn what was done and how to better protect the network.
Firewalls also cannot protect against content level attacks. This means that they cannot completely filter or control what is being carried via electronic mail messages or inside downloaded programs. There are some tools that can provide the most rudimentary filtering to try to catch viruses, worms and e-mail bombs, but it is impossible to completely protect against these attacks with just a connectivity container. This is best accomplished with the use of the software/application container discussed later.

 Page 31       PREV PAGE       TOP OF DOC
1.3.2 Encryption and Authentication
By combining encryption and authentication technologies with connectivity containment (Firewalls), it is possible to eliminate information interception. The eavesdropper will only see the encrypted data and therefore cannot capture usernames and passwords, thereby also preventing that type of intrusion attack.
It is also possible to stop password eavesdropping by using authentication via digital tokens or one-time passwords. This method uses a challenge/response scenario, where the user is asked to prove who they are by answering with a ''secret'' that only they know. This is usually done by sending the user some data and asking them to encrypt or ''sign'' it using their digital signature. The strongest level of protection is created by encrypting all data sent from the user's system and decrypting it at the destination. This is known as ''end-to-end'' encryption and makes it virtually impossible to intercept the data at any place between the two systems.
Encryption also protects the user from the intruder making changes to information being sent. For example, if the user is sending payment information to a mail order house an intruder could modify the data to transfer the funds to their account rather than the account originally specified. Carried out on a large scale, it would be possible to divert huge sums to the attackers account.
1.3.3 Virtual Private/Secure Networks
Many companies are now implementing telecommuting and are becoming geographically dispersed. In order to have secure communications, these companies currently must use costly leased-lines. Firewalls facilitate the creation of Virtual Private Networks (VPN) and combining these with encryption will create Virtual Secure Networks (VSN). This technology allows users who are at different locations to communicate as though they are directly connected to each other while using the much less expensive public Internet to carry the data. Encryption is required so that attackers cannot intercept and/or change the data and the users' communications are still afforded the same level of security as with leased lines.

 Page 32       PREV PAGE       TOP OF DOC
1.4 Software/Application Containment
Software or Application containment is similar to connectivity containment except that the perimeter surrounds only the single program or application rather than an entire network or system. This container is colloquially called the sandbox. The program is allowed to do whatever it wants within the sandbox, but in order for it to access or use anything outside the sandbox, the ''parent'' must be asked. Access is only granted if the request follows and meets the security policies. In this case, a security policy might be ''programs loaded over the Internet are not allowed to read or write to local files or systems, but a program loaded from the local disk drive can access files on that disk.'' Any attempt to violate the security policies causes an alert to be signaled and applications determined to be inappropriate may be shut down.
The sandbox approach can provide security against content level attacks. Should a virus try to infect a system, alerts would be generated when the virus attempts to modify operating system files and the virus' attempted infection would be blocked.
1.4.1 Component
Components are re-usable software modules and systems that can range from an on-screen button to a complete application, such as a word processor. Each component is a software module that includes a specific programming interface and program logic that defines how that module will process data and user events sent to it. The key technologies that components provide are re-use and dynamic interconnection. These two technologies allow programmers to build very large and complex systems by combining simpler, already developed and well tested modules. A Programmer building a banking application can use a pre-written, tested and validated balance sheet module, rather than having to write a new program which very likely could contain bugs. This can save significant development, testing and maintenance time and dollars.
1.4.2 The ''Sandbox''

 Page 33       PREV PAGE       TOP OF DOC
The sandbox, just like the Firewall, implements a predefined security policy. This security policy, if well designed, will allow for the safe execution of downloaded programs and modules and will not compromise the security of the company. For example, some standard security policies might be:

Only programs or modules loaded from the local system can read or write to files on the local system.
No modules can write or change any operating system files.
Execution of modules that do not bear the digital signature of the user's company will be disallowed
Communication with any systems other than where this module was retrieved is prohibited.

The program is free to do whatever is needs to do with the data provided in the module and is only constrained when it tries to access data, systems or networks that are outside the security perimeter.
1.4.3 Digital Signatures
Digital signatures allow a receiver of a message to verify who sent the original message with non-repudiation, meaning that the sender cannot deny sending the message and that the message was received unchanged. Digital signatures use the properties of complex mathematical functions combining exponentiation and factoring very large numbers to create two ''keys.'' The public key is available to everyone, while the private key is kept strictly to the user. When the user signs a message, program or module, he uses his private key. Anyone receiving that module can verify where it originated and that it wasn't changed before receipt.
By combining digital signatures with application containment it becomes possible to finely control the execution of programs and modules. Based upon the digital signature carried by the module the user can either allow or disallow the execution of that code. Only programs written by authors or companies that are trusted by the user will be loaded, thereby stopping viruses and intruders.

 Page 34       PREV PAGE       TOP OF DOC
1.5 Conclusions
Deployment of security through containment, Firewalls and ''the sandbox,'' and encryption can greatly improve the usability and functionality of current and future systems. By installing Firewalls with encryption and authentication most methods of attack can be eliminated and communications can be protected from eavesdropping. In addition, protection can be afforded to those systems that systems that are inherently insecure, such as MS-DOS and Windows. The use of application containment, as in Sun Microsystems JAVA security model, enables the sharing of pre-written applications without the security issues of rogue programs stealing corporate secrets or requesting funds transfers without the user's knowledge.

  Mr. EHLERS. Thank you. We appreciate your comments.
  This is getting downright depressing, you know?
  [Laughter.]
  Mr. MULLIGAN. We do not mean to be depressing, but----
  Mr. EHLERS. Yes; right. Thank you.
  Well, next we turn to Mr. Farmer. I do have to say as an individual who is obviously follicly challenged----
  [Laughter.]
  Mr. EHLERS. I do have a bit of envy of you, Mr. Farmer. You may proceed.

STATEMENT OF MR. DANIEL FARMER, INDEPENDENT SECURITY CONSULTANT, BERKELEY, CALIFORNIA


  Mr. FARMER. Thank you.
  I am afraid I do not have a lot of good news to say in my 10 minutes, as well, just to forewarn you.

 Page 35       PREV PAGE       TOP OF DOC
  Briefly, I am going to talk about security programs and sort of the state of the Net, as I see it.
  Security programs are nothing more than other programs you might encounter such as LOTUS 1-2-3, EXCEL, NOTES, whatever. They are just programs written to do things.
  Typically they fall into one of two categories: offensive and defensive programs. Now unfortunately for perhaps the good people, the people in the white hats, the defensive programs have been far outstripped by the offensive programs. It is much easier to build a gun than it is to build a wall that is going to stop this kind of weapon.
  The offensive tools generally do very simple things. They can either, as Geoff commented, they can disable a machine by a denial of service attack of some other form of attack. They allow you to spy on people, capture transmissions, or they essentially allow you to take control of the machine, whether it is individual files, or the actual hardware itself.
  Programs can do anything to a computer. Anything that can be done by a human being typing on a computer can be done by a program that takes over the computer. I just want to emphasize that in 1988, probably one of the most influential and famous security programs ever was released, the Internet Morris Worm written by Robert T. Morris.
  What it did is, at the time the Internet was at about 50,000 systems, broken into about 10 percent of the systems, about 5,000 systems, and it was just as if someone was individually typing in and attacking all of these systems by hand. But the age of automation makes this considerably more easy and very much more effective.
  Almost 10 years later now, this last December, I decided to take a look at the network today and to examine whether we have gone any further.
  The Internet is pretty ubiquitous. Almost everyone is on it, including the Congress, the Senate, and the White House. What is the difference, if any, between the physical and the virtual realms? Is there any difference in terms of security?

 Page 36       PREV PAGE       TOP OF DOC
  I examined banks, government systems, newspapers, other very highly visible, highly laden with information content and sometimes financial content systems, and found that just using the most simple tests, not even trying to break in at all, I can easily compromise about 2/3 of the systems. I am talking about things like the White House Web Site and so forth. These are not Joe's Garage's Web Site. And I estimate that if further tests were done, you could probably break into about 3/4 of the systems.
  So I estimate on the Internet today you have about a 75 percent vulnerability rate on all systems out there. For instance with the government, we had the CIA and the DOJ recently broken into, their Web Sites, and there should be no excuse for this.
  If the CIA cannot protect its own resources, how can you expect a business to do this with orders of magnitude less resources and such.
  When I was doing the survey, I discovered that there was a problem with the White House security on their Web Site. I sent them mail to the system manager and I never got a response. I explained that I was a security researcher; I had found a significant problem. They never responded to me.
  If this was a physical problem, if I had talked to the Secret Service about something that was a physical issue with the White House security, they would have met immediately with me, or perhaps taken me away with the men in black suits.
  The important thing is there is a big disparity of how we view physical and how we view virtual security. We think of them as kind of being the same as a consumer, but when you actually get down to the actual physical operations and running these things, they are treated very differently.
  Now there are banks, and Internet commerce is being done, $30 billion, was it? You would think that with this amount of money at stake they would know what is going on. Again, I run into the same sorts of issues. We are talking about real dollars that are at stake here.

 Page 37       PREV PAGE       TOP OF DOC
  Newspapers: There is an old ''Bloom County'' strip where Oliver, the little hacker boy, goes into The New York Times, breaks in, and changes a Reagan quote to say ''Women Are America's Little Dumplings'' or something, and it was a joke, at the time, but you can do this now. You can break into The New York Times. You can go into Reuters. You can go into the wire services and make headlines.
  And it is not just papers. We are talking about actual physical press. In addition, we are getting more and more of our information from the electronic sources that are easily mutable.
  I was talking to CNN a few weeks ago and they said they were about 6 seconds from airing that George Bush died in Japan because of the food poisoning incident.
  What would be the impact if the President dies on the news, or even that something like there is an early freeze in the Florida orange groves? How is this going to affect prices of such things? And who is going to check on these things? And how are we going to tell what is actually going to happen with our electronic information, and how can we validate and verify this kind of thing?
  In the military--I was once a Marine----
  [Laughter.]
  Mr. FARMER. With hair significantly closer to the ears than it is now----
  [Laughter.]
  Mr. FARMER. And I know how they use computers. They put all their stuff on-line on their computers, and then a gunner or staff sergeant will sit on the computer and they will dial up the Internet, or they will dial up the local BDS, without any knowledge of how the information is stored on the computer and how it might get out.
  I was at the Watergate last night, the Watergate Hotel, and it struck me that perhaps what needs to happen now is that a Senator or a Congressperson, perhaps the President, will get their information taken from the computer and somehow it will be used by someone else, or be publicized in a very public thing--maybe an Electronicgate, or an E-Gate of some sort in the future; that maybe--it seems that we only react to disasters.

 Page 38       PREV PAGE       TOP OF DOC
  There is lots of stuff on all of our computers. Most people certainly in businesses, and most people in government, use computers now for sending campaign funds. We heard about the White House has this huge Rolodex of campaign funds.
  What if somebody went in and modified, or was able to publish this kind of thing? This is really serious stuff we are talking about here.
  When I go to people, I say, well, I work in computers. Their first response is: Oh, I know nothing about computers. My daughter or my son is the real whiz. There is a real resistance to even listening to anything about computers.
  We are trained in such that somehow computers are difficult, or somehow they are beyond our comprehension and so we will just ignore them and hope they will either go away or we will die before they get too important.
  [Laughter.]
  Mr. FARMER. So where are we now? The Internet now is--I was talking to someone at AT&T and their internal network now is larger than the Internet was when the Internet Worm hit. We are talking about orders of magnitude in size difference.
  If someone took the existing Worm code that was used then, put in new tests and all this kind of stuff, it would not take much work. We could probably get about a 5 percent saturation hit rate on that. That means like something on the order of a million computers compromised in a couple of hours. That is a lot of machines. A lot of those machines are machines that you people are depending on every day for your kind of transactions.
  Just in closing, I would hope that the government does not try to throw billions and billions of dollars into some black hole into buying the latest and greatest hardware or software. That is not the answer. These problems are not technical problems. These are real social problems we are facing here.
  It is not hard to defend the system. It is not hard to protect the system. It takes a lot of resources and it takes a lot of education, and I hope that any efforts on your part will fund these.

 Page 39       PREV PAGE       TOP OF DOC
  Thank you.
  Mr. EHLERS. Thank you very much. I will use my prerogative as Chair to just make a few comments at this point, because I will have to leave shortly.
  I certainly appreciate the comments you have made. I think one that you made, Mr. Farmer, that others have alluded to is the difficulty of the public in understanding this.
  I think it is simply because it is the difference between a Watergate where you spot masking tape over the lock on a door and that is a very physical event and everyone can identify with that.
  My experience as a scientist in dealing with the public over the years is that anything that is abstract that is nonphysical, so to speak, is simply not of interest or not of concern. I have battled that for years in trying to deal with the energy resources of this country.
  In fact, I have written an article called, ''I Wish Energy Were Purple,'' simply on the basis that if people could see energy and be aware of the loss of energy in today's world, they would take action. But it is something that is intangible. To a physicist, it is real; but to the average person, energy is intangible and it is not something to worry about.
  I think that is true also of the Internet. The messages--the public would be amazed to realize that when they are talking on the phone their little message packet is going all over the country, that their message is being spit up and going 27 different ways from their telephone to the receiving telephone. There is no conception of what is actually going on in today's telephone and Internet systems.
  I frankly do not have much hope of educating the public. I think the key is to make certain that everyone realizes the insecurity of the system and the necessity for laws that govern the security and that punish those who violate the security.
  I believe the policymakers here are capable of understanding that and will take action as some of us have tried to do already.

 Page 40       PREV PAGE       TOP OF DOC
  Having said my piece, I will--first of all, I notice that Congresswoman Morella has arrived and I will be happy to turn the chair over to her, since this is her hearing. I will first introduce Dr. Spafford and ask that you proceed with your testimony.
  Thank you very much.
STATEMENT OF EUGENE SPAFFORD, Ph.D., ASSOCIATE PROFESSOR OF COMPUTER SCIENCES, PURDUE UNIVERSITY, WEST LAFAYETTE, INDIANA


  Mr. SPAFFORD. As an academic I have been conditioned so that to give presentations I either have to have some chalk in my hand or be at an overhead projector. So with your indulgence, I will move over to there. If I could have the lights brought down, as well.
  [Vu-graphs are shown.]
  Mr. SPAFFORD. Problems with technology. That was a hardware problem, yes.
  [Laughter.]
  Mr. SPAFFORD. We have 10 minutes to try to summarize concerns covering hundreds of items, perhaps thousands of important items. The issues of security and communication and computing are difficult to package nicely and describe because there are so many different aspects.
  So what I have tried to do is find a way to illustrate what I think is the current state of security, and then to try to present to you one of the causes of this picture.
  So I looked about and I found an illustration that shows some very careful thought given to what the current state of security is in our national infrastructure.
  This was a cartoon that was drawn by John Klossner and published in Federal Computer Week last year. I think it adequately captures exactly the state of things. We have put in a great deal of time, effort, and technology in building up our national infrastructure, and of course security is the gentleman down here behind the box [indicating].

 Page 41       PREV PAGE       TOP OF DOC
  Simply to get across that this is not quite as depressing as you might think: Let me note that the saucepan that he is wearing as a helmet was built to milspec standards and cost $89,000----
  [Laughter.]
  Mr. SPAFFORD. And the fly swatter he is using is export controlled as a ''critical weapons' technology.''
  [Laughter.]
  Mr. SPAFFORD. Let's try to look at the big picture of where we are. I have gone back 17 years as a starting point to 1980.
  At that point, 17 years--which is generally considered to be 1/2 of a generation, or perhaps a third of one's productive career. The ARPANET was the biggest network going in many respects and it had fewer than 200 hosts on it. There was no Internet. There was no WorldWide Web.
  Work stations had not yet been marketed. The PC industry was in its infancy. This was prior to even the introduction of the IBM PC.
  Bill Gates was known to only a few people.
  As an environment, this showed great promise. The government helped fund this development. The infrastructure was in place. The technology was cutting edge. It had an incredible lead. There were some attempts at networking going on in other places in the world, but the ARPANET soon grew to take over.
  Where are we now? We have tens of millions of people around the world and millions of systems connected. Over 120 countries (at least) with direct connections, including connections on all seven continents.
  I have regular conversations with sites in Antarctica. (So all seven continents.) And, in fact, the ALVIN-2 submersible that is operated out of Woods Hole: they have an Internet connection, and when they are on long dives some of the people there cruise the Web and participate in mailing lists. The Internet really is ubiquitous.

 Page 42       PREV PAGE       TOP OF DOC
  We are even talking about Internet appliances, very low-cost items that we can hook up to our cable systems at home, or to the network so that everybody will have access. In truth, that is coming very quickly with population with access to the Network doubling approximately every 8 to 12 months. Doubling! That is an incredible rate of growth.
  Unfortunately, with this we have a steady background of vandalism, fraud, various anarchy types of behavior. Law enforcement has not been able to keep up. The laws have not kept up. The technology is not there. Law enforcement personnel do not have the training or tools.
  Users cannot protect themselves because the technology is not available to them. Most of them, if they had the technology, they do not have the training. And if they had the training, they have not had the education to even recognize what the threats are.
  The result is that we have incredible losses. Some of the material that has been prepared for you in the background statements and other materials indicate losses in some cases ranging into the millions of dollars per incident in computer crime and fraud already, not to mention down time and other kinds of concerns. National security interests are also involved here, and those are impossible really to put a price on.
  One of the big problems from my point of view is that our research and education infrastructure has not kept up with the pace of technology. We have not done a good job in designing for tomorrow.
  The students we are educating today at our universities and colleges around the country are going to be designing what we are going to be seeing over the next 15 to 20 years. Our educational programs and our research programs in academia are where these products are coming from, and we are not training the students who are developing those products and who go out in the industry to produce them commercially to consider issues of security, of privacy, of reliability.
  Those are secondary issues. The primary motivating factors are:
  Can we make it work?

 Page 43       PREV PAGE       TOP OF DOC
  Can we make it work cheaply?
  Can we make it work even more cheaply?
  Can we sell it to people and have them buy it despite the bugs being present and taking our explanation of it'll be fixed in the next release?
  That is the level of education; that is the level of marketing.
  We need to do better than that, or else what we are going to have in our environment over the next few decades is going to be a breeding ground for a major disaster.
  Now there is some good news. I think after all you have heard a little bit of good news is warranted. We do have at least four places where there is cutting edge, state-of-the-art research being done, and where education is really important in computer security.
  There are more than this, but these four centers represent the best in some senses, because these four centers have collected at least three faculty members each, a body of students, research funding from the outside, they have recognition as centers within their universities, and recognition from their peers on the outside.
  I am not going to go through each one. Ours is one of these. We have been successful in attracting students from all over the world. We have been successful in attracting research funding from companies and from government, and sort of the good news is that the COAST group is probably the largest such academic center in the world.
  The bad news is: We aren't very big. We do not really have much in the way of resources--and I will say more about that on this next transparency. Here is the bad news:
  For those four centers--places where there is state-of-the-art, integrated education and research and computing security--if we look nationally over the last 5 years we have graduated about 5,500 Ph.D.s in computer sciences and engineering total. Of those, only 16 have received their degrees in computer security from these four centers: 16 new Ph.D.s in the last 5 years to help with cutting edge research in computer security.

 Page 44       PREV PAGE       TOP OF DOC
  Only 8 of those people were U.S. nationals. And of those 16, only 3 went into academic careers to help teach more people about computer security. I hope you can understand this is not good.
  Those same centers have produced only 50 Masters students in the last 5 years, and only 50 percent of those were U.S. nationals.
  Now I am not pointing that out to say that this is a bad thing. I think it is wonderful that we are attracting high-quality, very dedicated students from around the world. Many of them stay and add to our industrial base; they add to our population; and they certainly add to our tax rolls when they go into high-technology jobs.
  At the same time, we are educating people who are going back to their countries and competing with us and we are not educating enough of our own citizens on how to deal with computer security.
  In the history of those four centers there are only three companies that have provided multi-year ongoing support for research in computer security. So an argument that has been made is: If there was a need, then the commercial sector would be providing for it. Unfortunately that has not been the case. I am pleased to say that Sun Microsystems, employer of Geoff Mulligan, is one of those three companies.
  In the history of these centers also we have only had three government agencies that have provided nonsolicitation support; that is, who have provided any kind of infrastructure support that was not the result of a broad agency widespread solicitation where we had to compete for the funds for specific research projects.
  There has been no effective government underlying infrastructure funding for these centers. They can make a bigger difference if they had more resources. Unfortunately, most of them are in a very fragile state right now whereby the departure of one senior faculty member at any one of those centers would basically cause its dissolution. The prospects, in some senses, are bleak from the academic standpoint because outside opportunities lure away our students and our faculty.

 Page 45       PREV PAGE       TOP OF DOC
  Graduates at every level, undergraduate, Masters, Ph.D., from my center, are receiving offers from industry ranging from $10,000 to $25,000 more than the other average graduates out of our program. We have a very good program, and our students are much in demand. The security students are in greater demand.
  Recruiters are seeking those students prior to their graduation and luring some of them away before they even finish their degrees. I am typical of many of the academic faculty working in computer security in that I get unsolicited offers that are absolutely astonishing in what they are offering to lure us away from academia.
  Unless one is really dedicated or has other reasons why one would be staying in that environment, it is easy to leave and further reduce our capabilities in education.
  Advancement and recognition has been a problem in applied computer security. It has been difficult to evaluate someone's work because of the lack of support from the outside.
  Our peers have judged it to be not an important area and therefore do not take seriously many of the people who work in practical computing security. Because if there is no recognition from outside, then why should it be recognized inside the profession?
  The resources are often limited and unsustainable because we do not have long-term infrastructure funding. Faculty--and I can speak from my own experience here--sometimes have to spend up to 50 percent of our time on clerical work, on simple maintenance and trying to find replacements for software and hardware.
  Instead of me spending time doing research and educating my students, I am filling out paperwork and installing software because I cannot get funding for personnel to help with that.
  The sense of reward is not encouraged within academia, for all of these reasons and more, some of which are listed in the statement I submitted to the record, and the national focus and attention for research so far has been on spot problems.

 Page 46       PREV PAGE       TOP OF DOC
  There are big initiatives that have been generated for high-performance computing, the NII, information warfare, and large amounts of money for specific project areas and spot projects but they don't cover the broad picture.
  So we have seen a lot of funding that has gone into ideas for electronic commerce, universal access, information warfare, but we have not really gotten to the point of trying to look at the overall picture of what is required to lay down a future to research future issues in education and security.
  Well, I would like to close with some specific recommendations for things you might consider, and that others might consider to help redress some of this problem.
  First of all, I think it would be worthwhile to set up some program that would fund fellowships for students to go into computing security and communications security so that we can build up more training in this area, so that we can get more people involved in faculty positions, more people with appropriate training in the industry.
  Second is: Provide some form of fellowship or grants specifically to those individuals who might go into faculty positions, to encourage them to do so, to give them a sense of reward, and to make it clear to our academic colleagues that the application of computer security is a worthwhile area and is taken seriously, and therefore provide an environment that is conducive to them to want to stay there.
  Third, provide some form of long-term infrastructure funding for the existing centers. They are a critical national resource and they are in a fragile state. Unless something is provided to allow them to continue and to grow, to develop educational outreach, to build a stable set of resources, we may lose them.
  Fourth, we need to involve industry more in security education and application. The fact that only three major commercial firms have provided any consistent funding in this area is, (at least for our centers--I am not going to claim that is true nationwide)--is really distressing. We need to develop long-term collaborative partnerships there.

 Page 47       PREV PAGE       TOP OF DOC
  Fifth, we need to encourage more development of educational outreach because, although some of our students of today are going to be designing the systems of tomorrow, the people who are out there right now in industry are also going to be designing those systems and we need to re-educate them because the field is moving so quickly.
  And sixth, we need to encourage collaborative relationships across all of these--industry, education, and government--if we are going to make this work.
  A hearing such as this is a wonderful start, and I thank you for the opportunity to speak to you.
  [The prepared statement and attachment of Mr. Spafford follow:]

ONE VIEW OF A CRITICAL NATIONAL NEED: SUPPORT FOR INFORMATION SECURITY EDUCATION AND RESEARCH
EUGENE H. SPAFFORD
DIRECTOR, COAST PROJECT AND LABORATORY
PURDUE UNIVERSITY
W. LAFAYETTE, IN 47907-1398

Abstract
We are facing a national crisis in the near term that threatens our national security, our individual safety, and our economic dominance. The rapid growth of information technology is a driving factor in this threat: we are relying on new and often fragile technology in critical applications. Furthermore, those applications present attractive targets to criminals, vandals, and foreign adversaries.
Our students and soon-to-be students will be designing our information technologies of the future. We are endangering them and ourselves because the majority of them will receive no training in information security. This is largely because of a severe shortage of resources for computer security education and research. Current programs in place in industry and government do not address these needs, and some may actually serve to increase the problem.

 Page 48       PREV PAGE       TOP OF DOC
This paper serves to introduce the crisis in providing good computer security education. It presents some of the history and context of this problem. It then provides some suggestions for near-term actions that should help to ensure a safer future for us all.

Introduction
It is clear that computer security is an area of increasing, major concern and that all of society is facing an increasing number of severe challenges related to security. Incidents related to disclosure of information, wide-scale computer breakins, and the exponential growth in the number of computer viruses being written and discovered all indicate an increasing threat to effective use of computing resources.(see footnote 1) There have already been many documented cases of economic espionage, vandalism, theft, and other major economic crimes, some of which involve losses in the tens of millions of dollars per incident.[Pow96]



Many computer crimes go undetected. Others go unreported because the victims fear that any publicity about their losses (and by implication, their vulnerabilities) will result in a loss of confidence in their businesses. Additionally, there has been a huge number of cases involving smaller losses, most of which may not have been reported to the authorities for a simple reason: nearly everyone is aware that law enforcement is hopelessly undertrained, underequipped, and understaffed to cope with even a minute fraction of the current flood of computer crime--and this imbalance is steadily improving for the vandals and crooks.

The threat from violations of computer security are numerous and diverse. They include loss from fraud and theft, economic and international espionage, sabotage, terroristic activities, computer viruses, vandalism, and support of other forms of crime. Furthermore, not all of the criminal activities are directed at government, commerce and other organizations: violations of personal privacy, harassment, ''stalking,'' libel, and other activities threaten individuals as well.

 Page 49       PREV PAGE       TOP OF DOC
A few years ago, the report Computers at Risk[SSSC91], forcefully outlined several critical security problems facing computer users. Few of the recommendations in that study were addressed, and the problems have become even more pressing in the intervening years. Our increasing reliance on computers for critical applications poses increasing temptation for unauthorized criminal and terroristic activity. Our increased connectivity provided by new network technologies simply amplifies the existing threats that we do not yet completely understand. For example, sixteen years ago, the experimental IP protocol suite was introduced as the number of ARPANET hosts exceeded 210; today, we have a worldwide network of several million machines using the same protocol.
The increasingly widespread use of computer technologies involving distributed databases and parallel and distributed processing adds new variables that have not, as yet, been adequately examined. Initiatives that link together computing systems from around the world and that provide access to more users will only add to the potential for security problems. In his State of the Union Address in January 1997, President Clinton voiced a goal of connecting every school and library into the Internet. Are we prepared for the problems that may arise in addition to the perceived benefits of having such widespread access available by the general public?
As was noted in an Office of Technology Assessment report[OTA94, Forward]:

Information networks are changing the way we do business, educate our children, deliver government services, and dispense health care. Information technologies are intruding in our lives in both positive and negative ways . . . . As businesses and governments become more dependent on networked computer information, the more vulnerable we are to having private and confidential information fall into the hands of the unintended or unauthorized person . . . [Safeguards are required] Otherwise, concerns for the security and privacy of networked information may limit the usefulness and acceptance of the global information infrastructure.

 Page 50       PREV PAGE       TOP OF DOC

The problems are especially pressing in the arena of national defense. Consider this statement in Duane Andrews' cover letter in the Defense Science Board's November 1996 task force report on Information Warfare--Defense[Boa96]:

We conclude that there is a need for extraordinary action to deal with the present and emerging challenges of defending against possible information warfare attacks on facilities, information, information systems, and networks of the United States which would seriously affect the ability of the Department of Defense to carry out its assigned missions and functions. We have observed an increasing dependency on the Defense Information Infrastructure and increased doctrinal assumptions regarding the continued availability of that infrastructure. This dependency and these assumptions are ingredients in a recipe for a national security disaster.

It is interesting to note that this conclusion is independent of whether or not there is concern for protection against directed ''information warfare.'' Widespread criminal enterprises, selected actions by anarchists, or random acts of vandalism can also have ruinous effects on our safety as a nation. Furthermore, as more and more commercial entities move to ''internet commerce,'' the potential for serious disruption of our national economy also looms large.
Consider: in 1980, there were under 200 hosts on the ARPANET.[Sal95] A few countries were beginning to experiment with national networks. The first commercial workstations were not yet on the market, and the PC industry was in its infancy. The first, primitive Usenet newsgroups were flowing among a few dozen machines using 30 cps(see footnote 2) modem technology. And the World-Wide Web was pure science fiction and a dozen years away.



 Page 51       PREV PAGE       TOP OF DOC
Now, a mere 17 years later--one-half of a human generation or one-fifth of human lifetime--we have a global network that reaches to over 120 countries on all seven continents. We have tens of millions of people using the Internet daily. Governments are using the Internet to run their daily affairs. Commercial overload of service providers makes front-page news in all the major newspapers. Late night comics and editorial cartoons commonly refer to the WWW and network address. The President's State of the Union address is broadcast live around the world over the Internet. Some people estimate that billions of dollars are already invested and changing hands in commerce facilitated through on-line communications.
Where will we be in another 17 years? Although it is difficult for any of us to even imagine the changes in store, there is at least one clear aspect of that future: it will be designed tomorrow, in large part, by today's students. Some of them will enter the workforce and design the technology that will change our lives. Others will initiate the changes with their research projects soon to be underway. And still others will be wrought by those who are soon to be seeking re-education in high-tech fields so as to be productive employees of the 21st century.
Academic Security Education in the U.S.
This incredible pace of technology is changing our world so rapidly, there is clearly little chance to roll back the clock and reimplement decisions that may have negative security implications. To ensure safe computing, the security (and other desirable properties) must be designed in from the start. To do that, we need to be sure all of our students understand the many concerns of security, privacy, integrity, and reliability.
Unfortunately, this has not happened in recent years. For instance, consider the production of the software on which we currently depend. Commercial software vendors are still writing and releasing software needing patches for ''bugs'' that were well-known as security problems over 20 years ago!(see footnote 3) Even when highly-publicized problems occur, such as the buffer overflow problem exploited by the 1989 Morris ''Internet Worm'' [Spa89a, Spa89b], or the year 2000 date problem, those same software faults continue to be incorporated into existing operating systems.

 Page 52       PREV PAGE       TOP OF DOC



Systems continue to be built using techniques known to be unsafe. Why aren't these problems avoided? Why is it that our students do not learn better security techniques? It is almost certainly because so few of them have access to appropriate education in such topics.
Information security/computer and network security, as an area of specialization, is difficult to accurately define. Even professionals working in the this area have difficulty agreeing on an exact definition that appropriately encompasses the field. Part of the reason that security is difficult to describe is because it draws heavily upon so many areas of computing. In at least one sense, it seems closely related to software engineering--computer security is devoted to ensuring that software and hardware meet their specifications and requirements when used in a potentially hostile environment. Computer security thus includes issues in computer system specification, verification, testing, validation, safety, and reliability. However, security encompasses much more than these issues, including topics in (at the least) operating systems design, architectural design, information security, risk analysis and prediction, database organization, encryption and coding, formal models of computation, fault tolerance, network and protocol design, supportive interface design, government regulation and policy, managerial decisions, security awareness, and education.
The difficulty in defining computer security is also reflected in the scattered and underdeveloped educational and research programs in the area. Many other fields of computing research have well-defined bodies of educational literature, major research centers funded by government and industry, and a substantial student interest. Meanwhile, the field of computer security has been represented in academic life in the past dozen years by short chapters in textbooks on operating systems, data communications, and databases, and by a few individuals working in isolation in academia. The field currently has only a few widely-circulated archival journals in computer security topics: e.g., Computers & Security, Cryptologia, and the Journal of Computer Security. And the public perception of computer security is shaped(see footnote 4) by sensationalism such as computer virus scares, stories of 14-year old children breaking into sensitive military systems, and movies such as ''The Net'' and ''Hackers.''

 Page 53       PREV PAGE       TOP OF DOC



Few universities or colleges offer in-depth education in computer security. As of mid-1996, there were only three declared, dedicated computer security research centers in degree-granting departments at universities in the United States (these are discussed in the next section); in November of 1996, a fourth center came into public existence. When computer security courses are taught, relatively few textbooks on computer security are in use, and several of the most commonly used ones are principally devoted to cryptography (e.g., [Den83]).
Research in academia is being done by a limited number of faculty at scattered locations working with a few students. What research is being done, in academia or commercially, has traditionally been oriented towards limited military requirements because until recently that is where the major demand has been (and where the funding has been available). The recent trend has been somewhat more open, but is still focused on a few narrow areas involving cryptographic support for electronic commerce and network firewalls. Although these technologies are significant, they are not addressing more important security needs. By way of illustration, I have been using the following analogy in my lectures and seminars on this topic over the past few years:

Focusing our research on cryptographic protocols for secure electronic commerce is akin to investing all our money to build heavily armored cars. However, those armored cars will spend their lifetimes transferring checks written in crayon by people on park benches to merchants doing business in cardboard boxes under highway overpasses. Meanwhile, there are no traffic regulations, anyone on a skateboard can change the traffic lights with a screwdriver, and there are no police.

This lack of visibility, training, and coordinated research efforts has led to a significant shortage of practitioners trained in practical computing security, and to a critical shortage of academic faculty prepared to offer advanced instruction in this area. This contributes to a lack of consideration of security issues when new computer systems are being designed, thus placing those new systems at risk. As technology propels us into a future where global networks of communicating, multi-vendor computer systems are commonplace, the lack of universally-accepted social norms and laws will lead to difficulties that only well-designed computer security tools and techniques may prevent. To design those tools and train that workforce, we need an experienced, well-educated core of faculty.(see footnote 5)

 Page 54       PREV PAGE       TOP OF DOC



Educations and research in computer security-related issues has usually been conducted under a number of different rubrics reflecting its cross-disciplinary nature. Work in areas such as computer architecture, operating systems, data communications, database systems, and software engineering has addressed questions of computer security. Despite advances in all these areas, most direct security-related research in the last few decades has been largely directed towards only a few selected topics. For instance, most of the systems-oriented research done to date has been in support of formal trust models for multi-level secure machines employed in military settings, including compartmented-mode workstations. The results of this research is usually of little use in ''real-world'' computing environments. This is because the traditional focus of such research has primarily been focused on issues of confidentiality [Nat85, Nat88] (keeping information secret), rather than on related issues such as availability and integrity.(see footnote 6) Thus, there has been little support for research in the area of designing security tools and techniques for everyday use on commercial and educational computing platforms. Furthermore, as more computer users seek to use COTS (commercial, off-the-shelf) components, we will need better protection methods built in to these common systems.



In particular, considerable research in computer security methods and protocols over the last few decades has largely been focused on theoretical models of secure systems, multi-level systems, covert channels, statistical intrusion detection systems, and communications security issues (e.g., cryptography). Insufficient research has been focused on the development of tools for improving general security, policy formation, audit techniques, availability models, network security, computer forensics, countering malicious software (e.g., computer viruses and worms), policy formation, and integrity methods. In fact, research in many of these necessary areas has been discouraged by the military for fear that people might collaterally discover ways of penetrating government systems. Another reason work in these areas has been limited may be because such efforts require an interdisciplinary approach and few researchers and research groups have both the breadth and depth of expertise necessary to conduct such investigation. To conduct good research in this area with application potential requires a broad base of resources and focus.

 Page 55       PREV PAGE       TOP OF DOC
Education and research tend to track sources of demand. Thus, over the past few decades, research funding was made available by the military to researchers to conduct research issues related to military concerns. This tended to direct narrowly the research done in computing security. Journals and conferences came into being to provide outlets for this research, thus leading to a climate that did not readily accommodate research in other areas. The demand for students also shaped this picture, as the majority of job offers for graduates in security would come from either the government itself, from military contractors, or from vendors supplying the military. The overall demand for such graduates was not large. The Internet ''explosion'' has taken many in the community by surprise, to put it mildly.
One result, education in computer and network security in the U.S. is currently provided in a narrow, haphazard and inconsistent fashion. Some standard undergraduate and graduate texts in major course areas (e.g., operating systems) may have a brief chapter on security. These chapters often contain vague information about general security properties that are not particularly helpful in actual use. The instructors have not had direct experience or education in security, so they are unable to augment the material in the texts in any meaningful ways. The result, in the usual case, is that the material is presented in a cursory and compressed manner. As the material is in a separate chapter rather than integrated into the rest of the text, students are further given the implicit impression that security is unimportant, lacking in detail, and a separable concern.
Luckily, this is not true at every college and university. There are a number of faculty with some deeper background and concern with security. These faculty members do attempt to present information security concepts at greater depth in their courses. Even so, few students are given the opportunity to concentrate in security as a specialty, or to see how it cuts across several areas of study. There are only a few score faculty at institutions in the U.S. who conduct some research or specialized education in computer or network security. There are fewer still who have any experience with front-line security response experience.(see footnote 7)

 Page 56       PREV PAGE       TOP OF DOC



At the high-end of this specialization, there are four recognized academic centers in areas related to computer and network security in the U.S. Each of the four has several senior faculty whose research specialization is in one or more fields of information security. Each of the four centers has outside funding, recognition by its home university as a center of education and research, and recognition in the community. These four centers are (in order of their founding):

The Center for Secure Information Systems at George Mason University. This center has several faculty involved in research and education, with a primary emphasis on issues of information system security, database system security, and authentication methodologies.(see footnote 8)



The Computer Security Lab at the University of California, Davis. This group includes seven faculty and four post-doc staff, with a primary emphasis on verification methodologies, and security for large-scale systems and networks.
The COAST Laboratory at Purdue University. This group consists of almost a dozen faculty (half with current funding for research projects), and several staff. The COAST group has a primary emphasis on issues of host security, intrusion and misuse detection, computer forensics, and audit technologies.(see footnote 9) With over 35 students involved in research projects, this is the largest and most widely known of the four centers.

 Page 57       PREV PAGE       TOP OF DOC



The Center for Cryptography, Computer, and Network Security at the University of Wisconsin, Milwaukee. This center was formally announced in November of 1996, although the (three) faculty members involved have been working in security for several years. The primary focus of this group is on application and extension of cryptography and cryptographic methods.

As a set, these represent the most advanced groups involved in both security research and education in the U.S. today. One of the labs (COAST) is widely believed to be the largest such academic lab in the world; it is also located at the highest-ranked department of the four, according to statistics published by the National Research Council.(see footnote 10)



Consider the following information about these four centers combined:

Over the last five years, approximately 5500 PhDs in Computer Sciences and Engineering were awarded by universities in the U.S. and Canada.(see footnote 11) Only 16 of those (average of three per year) were awarded for security-related research at these major centers.




 Page 58       PREV PAGE       TOP OF DOC
Only eight of those 16 graduates were U.S. nationals.(see footnote 12)


Only three of the 16 went into academic careers.

The average production of Ph.D.-level students from these combined centers may rise to as many as five per year over the next three years; however, the ratios of citizens and of graduates entering academia is expected to remain constant.
The four centers combined produced fewer than 50 students with research-oriented Masters degree training over the last five years. Only 50% of those students were U.S. nationals. There is no significant increase in M.S. production beyond this level expected over the next few years.
In the history of all these centers, only three commercial sponsors have provided funding for research and education in security over a majority of the years the centers have been in existence.
In the history of all these centers, only three government agencies have provided multi-year support of any kind other than through competitive research bidding (e.g., DARPA BAA or NSF program solicitations).(see footnote 13) This is not because of any lack of quality or need at these centers, but rather because there is no Federal program in place that would provide such funding, even when desperately needed.



Undoubtedly, graduates with good security training and interests are coming out of other colleges and universities, too. This is not consistent, however--it depends on students with the right interests and skills matching up with faculty members who happen to have recently found funding for work in a related area. This is not a dependable manner of producing a large cadre of trained professionals.

 Page 59       PREV PAGE       TOP OF DOC
Even if these four centers account for only a fraction of the production of trained graduates in security-related areas, the numbers are still extremely distressing. Of particular note are the small numbers of Ph.D. graduates going into academia. It is clear that we are falling short in building an educational infrastructure to support the increased need for training in security.
Although it is not possible to accurately interpret all the causes and implications of these numbers, some indications of problems are obtainable by interviewing faculty and recent graduates in the field. Here are a few of the concerns that have been expressed repeatedly in such meetings:
Opportunity. Currently, because of the extremely small number of people with advanced degrees and comprehensive training in information security, industry is willing to pay substantial premiums to new hires. For example, excluding benefits and hiring bonuses, 1996 and 1997 graduates from the COAST Laboratory have been offered starting industrial salaries of mid-$50,000 for B.S. degrees, $70,000 for new M.S. candidates, and to almost $100,000 for new PhD. graduates. Compare this to an average starting salary of circa $67,900 for a twelve-month appointment as an assistant professor.(see footnote 14) Some senior faculty in security have repeatedly received unsolicited offers ranging well above $200,000 per year.


Advancement. There is a perception among some graduates that academic careers in experimental computer security are more difficult than in other areas of study. This is akin to the concerns of graduate students in experimental computer science in general.(see footnote 15) This perception is reinforced by an observed difficulty in obtaining appropriate funding, and a perceived bias in publication and tenure rates for those involved in anything but abstract, theoretical studies.


 Page 60       PREV PAGE       TOP OF DOC


Resources. Some forms of security research and education, especially those involving large networks or heterogeneous computing, require substantial resources and on-going maintenance. There are few institutions with existing resources to support such research, and those that do are often unable to sustain them beyond the lifetime of a single research project. There are currently no general programs of support for such collections. Furthermore, almost all current government programs sponsoring research in this field are highly focused and disallow any budgeting for support personnel, equipment upgrades, and other needed infrastructure improvements.
One result of this lack of infrastructure support results in academic faculty spending significant amounts of time on clerical work, acquisitions, and project management, thus taking them away from teaching, advising, and research. This serves both as an example to discourage senior students from seeking academic careers, and as a factor encouraging existing faculty to consider leaving academia for careers with less time spent in clerical duties.
Futures. The combination of circumstances, including lack of consumer awareness, government policies (e.g., restrictive cryptography export controls), lack of peer support, and lack of industry support imbues many graduates with a sense of futility concerning an academic career in security. Instead, they are much more interested in joining a commercial enterprise where the results of their efforts may make more of an immediate difference. This also tends to encourage existing faculty to leave academia.
A Call to Action
Undoubtedly, the situation is more complex than can be presented in this paper. However, some trends are clear: information security is an increasingly vital concern, there are insufficient educational and research resources to fill the need, there is considerable demand from industry for appropriately trained personnel, and current methods of support for the combination of education and research in computer and network security is woefully inadequate.

 Page 61       PREV PAGE       TOP OF DOC
We are facing a national crisis in the near term that threatens our national security, our individual safety, and our economic dominance. If we are unable to make a concerted and coordinated improvement in the situation within the next few years, we may find ourselves facing a ''security awareness deficit'' that we will not be able to overcome. That deficit will make us vulnerable to attacks from without and vandalism from within. It will also lead to increased pressure on our public servants to come up with immediate ''solutions'' that may be worse than the problems they solve, and that threaten some of the very principles from which our republic draws its strength. We must act quickly to prevent this from happening.
The following recommendations for action, if heeded, would undoubtedly make a significant improvement in this area of need:

1. We need to encourage more students to study in information security topic areas. To this end, we should explore programs that offer scholarships or forgivable loans to students majoring in information security in graduate studies. One or more programs could also be designed to help support personnel already in the computing profession to retrain appropriately in information security careers. An increase of only one hundred a year more such personnel would constitute a huge increase, and would make a substantial improvement in our current personnel deficit.
2. We need to encourage more graduate students in computer and network security to consider careers in academia. One way to accomplish this might be to establish some ''young security investigator/educator'' awards that would be designated prior to graduation. These could be used only if the candidate accepts a tenure-track position at an accredited institution upon graduation and remains on the faculty for some minimum number of years. The awards would serve the additional purpose of jump-starting each young investigator's research.
3. We need to provide substantial, long-term support to some or all of the existing centers of expertise in computer and information security. These are a critical national resource, not only for academia, but for the commercial sector, the Department of Defense, and for other public institutions. These centers should be provided with multiyear infrastructure support for personnel and resources, and encouraged to develop (more) outreach programs to other schools and to the public. To lose one of these existing centers would be a tragedy, and to lose one of the larger ones would be a disaster; however, the continuing existence of several of these centers may be considered fragile because of uncertain and erratic external funding combined with the lure to existing faculty of industrial positions.

 Page 62       PREV PAGE       TOP OF DOC
Note that this is not necessarily a recommendation for (or against) providing significant research funds for faculty in these centers. There are already many competitive programs available via NSF, DARPA, DOE, and other agencies to provide major project support. Qualified faculty can compete for these merit-based awards alongside their peers. However, infrastructure support is needed to ensure that a long-term base for education and collaboration is kept viable. Some on-going seed funding for research through these centers would be appropriate, however, to encourage continual exploration of frontiers not yet recognized by the traditional funding sources.
4. We need to build up other strong programs in research and education in security technology (but not at the expense of endangering the stability of the existing centers of expertise). As new faculty become available, as experience is gained with existing centers, and as society's needs continue to grow, we need to develop programs working in concert with each other to expand the output of trained students, as well as to work on some of the difficult research problems that are, as yet, unsolved.
5. We need to involve U.S. industry more in the research and education of students in information security. Industry will be (and is already being) severely impacted by the shortage of trained professionals and by the availability of scalable, affordable, and practical security technology. They should step forward with funding, personnel, and their expertise to work in concert with academia to produce solutions.
Closing Comments
The future need not be bleak if decisive action is taken. A small level of funding(see footnote 16) over the next decade would serve to dramatically increase our national readiness and capabilities in information security.



 Page 63       PREV PAGE       TOP OF DOC

The urgency of the problem is well-stated in the summary of the report(see footnote 17) of the Joint Security Commission (I have emphasized some text from the original):



Nowhere is this more apparent than in the area of information systems and networks. The Commission considers the security of information systems and networks to be the major security challenge of this decade and possibly the next century and believes that there is insufficient awareness of the grave risks we face in this area. The nation's increased dependence upon the reliable performance of the massive information systems and networks that control the basic functions of our infrastructure carries with it an increased security risk. Never has information been more accessible or more vulnerable. This vulnerability applies not only to government information but also to the information held by private citizens and institutions. We have neither come to grips with the enormity of the problem nor devoted the resources necessary to understand fully, much less rise to, the challenge . . . . Protecting the confidentiality, integrity, and availability of the nation's information systems and information assets--both public and private--must be among our highest national priorities.[Joi94, p. 2]

It is time that we joined together to treat this national priority with the seriousness it deserves.
Acknowledgements
I would like to thank the following people for their thoughtful comments and input to this paper: Mikhail Atallah, Rebecca Bace, Yvo Desmedt, Dan Geer, Mark Graff, Sushil Jajodia, Karl Levitt, Steve Lodin, Katherine Price, Ravi Sandhu, and Chris Wee. The conclusions discussed in this paper do not necessarily represent the views of any organization or person except the author himself.

 Page 64       PREV PAGE       TOP OF DOC
Appendix
For illustrative purposes, this is an annotated version of the mission statement and set of goals for the COAST Laboratory at Purdue. This should help explain why a center-based approach is being taken, and the benefits of such an approach. Unfortunately, researchers at COAST have been unable to identify any Federal programs that will provide support for most of these goals, except to fund very narrowly-focused research projects over a two or three year period. This is not sufficient to sustain a program of the (needed) scope of the one described below.
The mission of the COAST (Computer Operations Audit and Security Technology) Project and Laboratory is to conduct research and education on general and practical tools and techniques for improving computer and network security. The specific focus of this research is on typical computing environments--systems without multi-level requirements, and without formal levels of trust. In particular, our short-term research is directed to developing approaches of increasing the security of existing systems without severely impacting their usability. Our goal is to explore how to increase confidence in existing systems in a cost-effective and user-friendly manner. Our long-term research is directed to how to integrate better security mechanisms into common computing platforms. Using this research as a teaching mechanism, we are committed to providing a comprehensive and thorough education in security to our students at every level.
Operationally, COAST will bring together expertise of many faculty from throughout the university environment, provide shared resources in computer security research, and provide a unified approach to the research and education efforts in this vital area. It will provide a focal point both for internal and external agencies seeking reliable information about computer and network security, computer crime investigation, and appropriate computer use.
The specific, long-term goals of COAST is to have it continue to be:

A world-recognized center of research excellence. We intend to be known for our research into methods of practical computer security technology, including computer incident response, system management and network security technologies. We expect most of our research to be based on the real needs of the community, as conveyed to us through interactions with our sponsors and the general user population. COAST is already known world-wide, and we intend to build our existing reputation.

 Page 65       PREV PAGE       TOP OF DOC
A renowned source of educational and training materials in computer and network security. We intend to produce materials for use in computer security training, both for in-service training in government and industry, and for academic use. This includes traditional materials such as texts and lab materials, but may also include leading-edge technology as embodied in hypermedia and distance-learning methodologies.
An on-going source of quality graduates with cutting-edge training in computer and network security. We expect our undergraduate and graduate students to receive a broad-based and comprehensive education that will give them a solid foundation for work in computer security, computer systems, and communication networks.
A resource center for research. We intend to build a comprehensive collection of documents, references, tools, hardware, software, testbeds, and other resources necessary for comprehensive research and experimentation in various areas of computer security. We expect to make the COAST Research Laboratory a significant, widely-available resource for visiting scholars, sponsor personnel, and COAST researchers.
A resource center for independent evaluation of products. We intend to be able to provide unbiased, comprehensive testing and evaluation of security tools for computers and networks. By providing detailed test results to sponsors, vendors, and the general user population, we believe we will help improve the overall state of information system security and improve the general state of the art.
A resource center for information dissemination to the non-technical community. There is a significant need for sources of information for the press and public that is unbiased by commercial interest or government policies. We expect to continue to be known and consulted as one such source. (COAST personnel have been quoted on issues of computer security and computer crime over 150 times in the last five years, including quotations in the New York Times, Newsweek, the Wall St. Journal, NPR Radio, ABC Radio, Scientific American, Science and more.)

 Page 66       PREV PAGE       TOP OF DOC
A source of useful tools for system management and security. Although not a primary focus of COAST, we expect that we will produce new tools and protocols as useful byproducts of our research activity that will be of wide-spread applicability to the community at large. The COAST on-line archive is already acknowledged as the single largest and most comprehensive security repository on the Internet.
References
[A+76]--R.P. Abbott et al. Security Analysis and Enhancements of Computer Operating Systems. Technical Report NBSIR 76-1041, Institute for Computer Science and Technology, National Bureau of Standards, 1976.

[Boa96]--Defense Science Board. Report of the task force on information warfare (defense). Government report, November 1996.

[Den83]--Dorothy E. R. Denning. Cryptography and Data Security. Addison-Wesley, Reading, MA, 1983.

[Fle97]--M. Fleck. Preliminary faculty salaries from survey. Computing Research News, 9(1):6-7, January 1997.

[Joi94]--Joint Security Commission. Report of the joint commission. Technical report, U.S. Government, 1994.

[Lin75]--Richard Linde. Operating system penetration. In National Computer Conference, pages 361-368, 1975.


 Page 67       PREV PAGE       TOP OF DOC
[Nat85]--National Computer Security Center. Trusted computer system evaluation criteria. Technical Report DoD 5200.28-STD, U.S. Department of Defense, 1985.

[Nat88]--National Computer Security Center. Computer security subsystem interpretation of trusted computer system evaluation criteria. Technical Report NCSC-TG-009, U.S. Department of Defense, 1988.

[Neu95]--Peter G. Neumann. Computer-Related Risks. Addison-Wesley, 1995.

[oacfecs94]--Committee on academic careers for experimental computer scientists. Academic Careers for Experimental Computer Scientists and Engineers. National Academy Press, 1994.

[OTA94]--Information security and privacy in network environments. U.S. Office of Technology Assessment report, September 1994.

[Pow95]--Richard Power. Current and future danger. Technical report, Computer Security Institute, San Francisco, CA, 1995.

[Pow96]--Richard Power. Current and future danger. Technical report, Computer Security Institute, San Francisco, CA, 1996. Second Edition.

[Sal95]--Peter H. Salus. Casting the Net: From ARPANET to INTERNET and Beyond. Addison-Wesley, Reading, MA, 1995.

[Spa89a]--Eugene H. Spafford. An analysis of the internet worm. In C. Ghezzi and J.A. McDermid, editors, Proceedings of the 2nd European Software Engineering Conference, number 387 in Lecture Notes in Computer Science, pages 446-468. Springer-Verlag, September 1989. Also available as http://www.cs.purdue.edu/homes/spaf/tech-reps/933.ps.

 Page 68       PREV PAGE       TOP OF DOC

[Spa89b]--Eugene H. Spafford. The Internet Worm: Crisis and aftermath. Communications of the ACM, 32(6):678-687, June 1989. An expanded version is available as http://www.cs.purdue.edu/homes/spaf/tech-reps/823.ps.

[SSSC91]--National Research Council System Security Study Committee. Computers at Risk: Safe Computing in the Information Age. National Academy Press, 1991.

  Insert offset folios 1-22

  Mrs. MORELLA (presiding). That was very informative and I am pleased to now have joined for a bit this wonderful briefing on computer security. I want to thank Mr. Ehlers for taking over before I got here. I was at the White House on campaign finance reform, and now we get into computer security. I should have let them know that they had major problems with the White House security when I was there.
  I just wanted to take the liberty of just making a few initial comments with regard to the briefing, and then get into asking questions and let my colleagues proceed also with questioning.
  As one who will be chairing the Technology Subcommittee in this Congress, I take great pride, as the Subcommittee does, in the fact that our Nation currently leads the world in the creation and sale of innovative new technology tools and products.
  I represent a high-technology corridor, as do many members of this Subcommittee and those who are here today. Certainly we all know of many people who are, like you, blazing a path in the frontier of electronic commerce that this Nation's competitive advantage flows from, and our innovative and hardworking entrepreneurs who are willing to take risks and create products which one day will benefit all of us in our daily lives.

 Page 69       PREV PAGE       TOP OF DOC
  I think the Subcommittee can take a very strong and active role as we enter the 21st Century in terms of fostering and encouraging innovative new ideas.
  We all know that electronic commerce--and in fact all of electronic communication--is the forum in which these battles will be fought and won.
  I appreciate very much having you as experts come here and tell us about something that we indeed must be aware of as we proceed. Certainly everyone agrees that standards in such areas as certifying authorities, digital signatures, interoperability and open yet secure systems which the individual can trust are a must.
  Confidentiality, integrity, authenticity, authorization, accountability, these are computer security terms that are very important and we do not very often think about these because modern life is powered by computing. Conceptual familiarity with those issues is a necessity and no longer an option.
  Even more fundamental to our discussion that has been going on today, and will continue, is this concept of trust. Consumers and everyday citizens must be able to trust that their business and personal interaction can flow smoothly across different networks; that the parties with whom they are doing business are what they say they are; and that their communications remain secure and private.
  We have been exploring one of the most vital links in this chain: Secure communications. Increasingly, every aspect of our private lives and our business relationships pass over electronic networks and reside in electronic files.
  From the security of cellular phone conversations to the privacy and integrity of hospital and doctors' records, as well as all other forms of propriety business information we're very vulnerable.
  This includes the electronic systems of our government on which lives depend such as the Federal Aviation Administration, the National Weather Service, the Federal Emergency Management Agency, the Federal Bureau of Investigation, and I have before me a GAO report with regard to the Department of Defense.(see footnote 18)

 Page 70       PREV PAGE       TOP OF DOC

Orders by mail: U.S. General Accounting Office, P.O. Box 6015, Gaithersburg, MD 20884-6015. Phone: 202-512-6000. Fax: 301-258-4066.
For information on how to access GAO reports on the Internet, send an e-mail message with ''info'' in the body to: [email protected] or visit GAO's WorldWide Web Home Page at http://www.gao.gov

  It says that actually the Department of Defense, from Defense Information Agency data, may have experienced as many as 250,000 attacks last year. Attacks are successful, according to DISC information, 65 percent of the time, and the number of attacks is doubling each year, as Internet use increases along with the sophistication of hackers and their tools. That is pretty sad stuff.
  Experts in computer security have long been aware of the immensity of this challenge, but they cannot be expected to do it all. I think we all have a responsibility as citizens and policymakers to make sure that educating ourselves is a high priority.
  The cover of Fortune Magazine that many of you have seen argues that the financial losses from computer crime may reach as high as $10 billion a year. Thinking broadly, the financial cost of these break-ins may not be the most important part of the equation.
  Trade secrets may be stolen. Careers damaged. The wider economy undermined. In short, break-ins cause a loss of trust.
  They noted in that article, as I recall it, 24 percent of the corporations have no procedures for safeguarding proprietary data. In fact, 50 percent of them, or half of them, have no security system. This is incredible! For me, it was a real awareness.
  Of course such vulnerabilities are more than overshadowed by the countless benefits of computerization. The best education and medical care become even more accessible. Commuting is made easier. Families' lives are enriched daily by new breakthroughs in technology, and the scope of all these tradeoffs between staggering benefits and real risks makes it imperative that we understand both.

 Page 71       PREV PAGE       TOP OF DOC
  I appreciate the fact that our panelists, whom I met last evening as a matter of fact at the Watergate, will tackle and will continue to tackle the technological vulnerabilities which underlie this new economy so we can work toward improving the standard of our operations.
  I know that you have already commented, and I am pleased that your total statements will be in the record, and any papers that you want to include in our record; that you have discussed these ideas, as well as the underlying issue of whether or not users can trust the system; and what needs to be done so that everyday people may trust that their communications will not be compromised and that they are reaching their intended recipient.
  A vibrant marketplace and a free society will depend on getting the answers right. If we are to set high standards on the quality, security, and interoperability of all systems which facilitate electronic commerce, there is no time to lose.
  Finally, Thomas Paine, writing more than 200 years ago, said that ''The price of freedom is eternal vigilance.'' This statement may be even more true in today's digital society than it was at the founding of our great Nation.
  So I think it is important that we identify the risks, and you have mentioned what they are; analyze those alert-mechanisms to provide early warning of abuses; address what additional measures we can take as policymakers and the public to protect valued information; and ensure that there are technological means for making all the components of this system interoperable; and highlight the different individual, corporate, and government viewpoints in these matters and make all the facts accessible so that we can all benefit from the knowledge.
  So again I thank you.
  Maybe I will start off and ask just one question so that I can give my panelists an opportunity, and then have you get back so I will have a second round of questioning here.
  I guess I should really start off with Mr. Geer. I don't know, you may have addressed some of this, Mr. Geer, but what do you consider to be the biggest security risk that currently faces major corporations? And, do you see a role for us in addressing that?

 Page 72       PREV PAGE       TOP OF DOC
  Mr. GEER. Without question the kind of people who attack computer systems from the outside are worth nothing, and it is very much worth paying attention to the means of repelling them. But without any question, the greatest risk to any organization is from within.
  The person on the inside, to use Perry Mason terminology, has motive and opportunity and knows what to look for. Internal security policy and an internal security regime is very much the issue or, more to the point, people on the inside of an organization can attack it much better than people on the outside.
  In fact the first measure of success for an external attacker is they gain the credentials of an inside person. Ipso facto, if you have a good-quality internal security regime, you solve some of the external attack questions as a side effect.
  The thing that would be most important for you, and if not you perhaps for the underwriting rules of the loss-prevention insurers or something of that form, but I would think it would fall to the Congress to set some rules of the game about the degree to which every organization has a responsibility of protecting information that is entrusted to it, and to take that seriously, and for there to be some clarity as to what the liability rules are.
  In the absence of clarity, we must govern by crisis. I assure you that if we wait very long, the crisis will be upon us. I, for one, would prefer not to do that.
  So in the sense of what are the biggest risk issues, they have to do with the absence of seriousness internal to organizations about protecting the information they have and focusing instead on what my colleague, Mr. Shimomura would call, the ''ankle-biters'' out there.
  Mrs. MORELLA. Is there an awareness among corporations? Are they trying to hide the problems so that----
  Mr. GEER. Well nobody reports one's internal embarrassments in public. It would be foolish to do so. In fact, my experience has been that you know you are selling security technology to the right person in the organization when you say, ''What have you got to lose?'' If they say, ''A million dollars,'' it is the wrong person. If they say, ''Looking stupid above the fold of The Wall Street Journal some morning,'' then you are talking to the right person.

 Page 73       PREV PAGE       TOP OF DOC
  It is about the trust and integrity of the organization and they are not taking it seriously at that level because they probably do not realize how hard it is to handle a media event in which information that in theory was solely entrusted to you is now in the public sector, often by someone's hand as yet unseen.
  Mrs. MORELLA. I would like to ask you all questions, and I shall as time allows, but I want to now defer to my colleagues who have been here for awhile.
  I will start off with the gentleman from Virginia, Mr. Davis.
  Mr. DAVIS. Thank you, Madam Chairwoman.
  Let me first ask Dr. Spafford. I loved your slides. Is there a way we could get a copy of the slides, of your slides, for the Members today? You could make that available to the Committee staff and they could distribute it to us; that would be helpful.
  [The slides referred to follow:]
  Insert offset folios 23-28]

  Mr. DAVIS. I would ask Mr. Shimomura for your slides, as well. I did not understand them--I know you had it up there----
  [Laughter.]
  Mr. DAVIS. I was completely mystified.
  Let me ask Mr. Shimomura a question.
  We are aware of the dangers of using the analog cellphones, but I have seen some of the new cellphone companies coming out and saying they have the digital cellphones now that are must less vulnerable. This came out after some of the recent revelations in Congress about tape recording conversations.
  Can you comment on that?
  Mr. SHIMOMURA. The first----

 Page 74       PREV PAGE       TOP OF DOC
  Mr. DAVIS. I am not asking you to endorse a product or anything, but----
  Mr. SHIMOMURA. To your first question, everything I showed here is on the Web.
  Mr. DAVIS. Okay.
  Mr. SHIMOMURA. And I can give you it later--it is on WWW.TAKEDOWN.COM.
  Mr. DAVIS. Okay.
  Mr. SHIMOMURA. Much of our evidence is there. Okay, your real question----
  Mr. DAVIS. My kids will explain it to me.
  Mr. SHIMOMURA. Sure.
  [Laughter.]
  Mr. SHIMOMURA. There are new technologies out, the digital cellular technologies, which have the potential to give us some more privacy, but I think the most widely deployed one, the system called TDMA, Digital Cellular, is typically operated with the encryption turned off. In most markets that I have looked in, the encryption technology is turned off.
  It is interesting. Some phones will give you an alert when the encryption has been disabled, and certainly in the San Francisco Bay Area encryption has been turned off--at least every time I have tried to use it.
  Mr. DAVIS. Okay.
  Mr. SHIMOMURA. Even if the encryption were enabled, it is still not very secure.
  Mr. DAVIS. Somebody who was really good at targeting could go after you and the technology is there to do it?
  Mr. SHIMOMURA. It is a very weak algorithm. It is one that in the security community we would not even consider using. It is like a screen door latch.
  I think the cost of intercepting even a scrambled cellular call, you could decrypt that presumably with a PC or less.
  In terms of receiving calls, every cellular telephone has to have the ability to receive all frequencies and all channels and demodulate, or interpret the signals. By necessity, most of them have test modes, test programs built in for accessing the signals.

 Page 75       PREV PAGE       TOP OF DOC
  I have heard that there is equipment out there, modified cellular telephones, which can receive digital trivially. So just going digital does not protect us.
  We need to come up with standards which are safe, ones which actually give us privacy other than just the illusion of privacy.
  Mr. DAVIS. Okay. Thanks.
  Let me ask Dr. Spafford. We hear about the problem--that we can solve some of these problems with more education. I was interested in the four universities you cited. One, George Mason, is in my District. I know Dr. Alan Marten, the president there, very well, who happens to be one of the few university presidents who was a computer science major. I know they share your concerns.
  What tangible results can we get, though, by putting more emphasis on the academia part of this in terms of training people? And what should the government's appropriate role be, as you see it?
  Mr. SPAFFORD. Well, I think one of the goals of bolstering the educational system is going to be to have more individuals with training in computer security and reliability, which we need if we are going to deploy more products, but we also need to get better integration of this material into the typical curriculum that we are teaching all our students.
  Right now we have people going out into industry and creating new products with absolutely no thought given to some of the security implications. A few of the previous comments went to that.
  One example that I raised last night to someone, there is a popular PC operating system interface that is very, very user friendly. It has been marketed widely. Many people have it. Perhaps some of you do. And it is so friendly, in fact, that if an intruder comes up to your PC and tries to log into your account and gets the password wrong three times, a message will come up on the screen saying you appear to have picked a password that is too hard to remember. Would you like to pick a new one?

 Page 76       PREV PAGE       TOP OF DOC
  [Laughter.]
  Mr. DAVIS. Yes, I can see that is a problem.
  Mr. SPAFFORD. We need to avoid that kind of thinking in our products. The best way to do that is to try to increase awareness through education.
  A secondary product certainly might be some research results that would come out of our labs, but education is unique to the universities and colleges of this country and one of the things that make us strong, and we need to bolster that.
  Mr. DAVIS. So we are really talking about a fairly modest government investment at this point, and also as you say the partnerships with the private sector.
  Mr. SPAFFORD. Very much so. I think we need to encourage the private sector because they are the ones that are going to market this and employ our graduates.
  It really would not take a large investment to result in a very significant change in the posture.
  Mr. DAVIS. Thank you.
  That is all of my questions, Madam Chairwoman.
  Mrs. MORELLA. Thank you, Mr. Davis.
  I would now like to recognize the gentlewoman from Michigan, Ms. Rivers.
  Ms. RIVERS. You said a couple of times in your presentation, once about cellphones and then later about computer systems, that there is virtually no protection out there; that we are doing a lot of things without any thought about the vulnerability of the systems that we are using.
  When you say there is no protection, do you mean there is no legal protection? There is no technological protection? Both?
  Mr. SHIMOMURA. There is very little technological protection. There are things such as cryptology that we could use to protect our communications, but we do not have products that use them widely deployed.

 Page 77       PREV PAGE       TOP OF DOC
  There are legal protections in many cases, however unfortunately they are unenforceable, as with the cellular--we with cellular receivers, scanners, or whatever, there are supposed to be legal protections, but in many cases such as cellular it is much better to try to protect the signal as it is transmitted rather than trying to keep anyone from trying to protect the signal as it transmitted rather than trying to keep anyone from trying to receive it.
  Ms. RIVERS. Okay, so it is definitely defensive is where we want to go rather than trying to stop people from writing the software or producing software that has capabilities of attacking? Is that what you are saying?
  Mr. SHIMOMURA. I do not believe it is possible to stop people from doing things like that. We are in a much better position to protect ourselves.
  Ms. RIVERS. Okay. Great.
  Mr. Farmer, you talked a little bit about denial, and being in Congress we see that a lot on a lot of issues----
  [Laughter.]
  Ms. RIVERS. But is that the main barrier that is keeping us from moving forward? Is it resources? Is it that we do not have a national attitude on this yet?
  What is stopping us from moving in the direction we should move?
  And when we make that move, should it be done publicly with the help of the government, or is it sort of a private issue, sort of a Darwinian survival of the fittest, those companies that protect themselves survive, and those that do not do not?
  Mr. FARMER. Well let me just give you a little story, first of all, and maybe this will help answer your question.
  I was talking to a university about a breakin at one point. The breakin happened to also spill over to a military site. So I called up the military site and asked them--you know, I finally found out who was in charge of the computers, some sergeant somewhere, and I explained that he had been broken into, and that their systems were compromised, and I can tell them what to do to fix their problems.

 Page 78       PREV PAGE       TOP OF DOC
  And he said, ''Well, I appreciate that but I do not really want to know.'' I did not really know what to say, but it was their system and I cannot force anything on them, but I asked him, you know, ''Why don't you want to know about the problem?''
  He says, ''Well, it is very simple. If I know about it, I have to fix it.''
  It is this kind of attitude I think that permeates a lot of the problems. Security is not an easy thing at times, and you do not want to add more work to people that are already overburdened just making the systems run.
  I think a lot of the problems are that we do not put security in the infrastructure in the products, or as Professor Spafford said, in the curriculum. So people view it as something that is alien, difficult, and just not necessary for action.
  Ms. RIVERS. Mr. Mulligan, I am real curious if you are thinking about people moving into the computer industry--and we will just use that in the broad sense--and we will accept that people are motivated by dollars. Can you make more money attacking or defending?
  [Laughter.]
  Mr. LYNCH. How good are you?
  [Laughter.]
  Ms. RIVERS. That is true in every industry.
  Mr. MULLIGAN. If you are--I think as Dr. Spafford talked about, you know, the industry is trying to hire good people and throwing lots of money at them to hire them to build defensive tools, but with the current state of the infrastructure, I hate to admit it, but I think you can easily make much more money attacking because people just do not understand the systems today.
  You do not have to raise your hands, but take a little test. How many people know what ATMs are? Then the next question is: Well, how many people think that if you know what they are, how many people think that we are talking about automated teller machines? Then the next question is: How many people understand what asynchronous transfer mode is?

 Page 79       PREV PAGE       TOP OF DOC
  We quickly move and we readily accept new technologies that we do not understand the security implications of. So, yes, I could probably make a lot more money attacking than defending, although I would much rather build defensive systems.
  Ms. RIVERS. Dr. Geer, did you have a comment?
  Mr. GEER. Yes. I spent some years of my life helping Wall Street banks in what for them is no doubt a never-ending struggle because there is real money there. There is real money there.
  To my knowledge, almost all of the captures have been because the person stealing the money got greedy enough that they tripped a threshold somewhere.
  It was not because, per se, they could not get away with it. It is that they discovered they could take $1,000 a day, well, that worked; let's try $10,000. Well that worked, let's try $100,000. And you went over some limit that required two signatures or some other hidden trip wire.
  But if I want to steal money, a computer is a far more effective tool than a hand gun.
  Ms. RIVERS. Thank you.
  Yes, Mr. Shimomura?
  Mr. SHIMOMURA. I agree that one could make much more money right now by being on the dark side, but it would not be sporting.
  [Laughter.]
  Ms. RIVERS. The last question I have for all of you, and you can just be very brief on this:
  If encryption is a strategy that we decide to pursue, should the government have the key?
  Mr. GEER. No.

 Page 80       PREV PAGE       TOP OF DOC
  Mr. LYNCH. No.
  Mr. SHIMOMURA. No.
  Mr. MULLIGAN. No.
  Mr. FARMER. No.
  Mr. SPAFFORD. No. Is that brief enough?
  Mr. GEER. We will say it in unison, if you would like.
  Ms. RIVERS. Okay. All right. Thank you.
  Thank you all.
  Thank you, Madam Chairwoman.
  Mrs. MORELLA. That is a perfect lead into our next colleague from Virginia, Mr. Goodlatte.
  Mr. GOODLATTE. Thank you, Madam Chairwoman.
  First I want to thank you for holding this briefing because I think it is one of the best ones we have had. These folks have really made some I think very tangible examples of the nature of this problem in an area that often is too esoteric.
  I also want to put in a plug for them, too. I hope the Science Committee will find ways to increase funding for this type of work because it is vitally important.
  I would like to use the rest of my time, however, for a little advertisement for my legislation which, while I do not think it is going to by any means cure the problem, is a major step in the right direction to deal with this.
  That is, legislation called the SAFE Act, the Security And Freedom through Encryption Act, which now has more than 50 co-sponsors and which will be introduced in the next few days, and I hope that other members of this panel who is not--I know Ms. Lofgren is a co-sponsor already, and I hope some others will also sign onto that.
  It does four things.

 Page 81       PREV PAGE       TOP OF DOC
  First of all, it establishes as a principle the right of every American to use encryption to protect their communications, to have secure communications.
  Second, it prohibits the government from establishing a key escrow system or a central data bank into which the keys to everyone's private encoded communications would be put.
  Third, and in many respects very importantly in terms of advancing the technology, it allows our software industry which dominates the world market--about 75 percent of the software sold in the world today is created in the United States, and we are severely restricting its export and the ability of the software creators to compete with our foreign competition because of the Export Control Act and the very severe restrictions on the level of encrypted software that can be exported. We should at least allow our companies to go up and match our foreign competition.
  There are now more than 500 products available worldwide that are good products, that are above the level of encrypted software that are allowed to be exported by this country.
  And finally, we recognize the concern that law enforcement has in this area. They have some legitimate concerns. This bill makes it a crime to use encryption in the commission of a crime, or to cover up a crime.
  But I take it, Mr. Shimomura, that you would agree with me that encryption is primarily a tool to prevent crime rather than to use in the commission of crime?
  Mr. SHIMOMURA. Encryption is a tool and can be used for anything. I think in many cases it is much more effective to use to protect us than the other way around.
  An interesting footnote is that, when we were in pursuit of Kevin Mitnik, we discovered that he was using PGP, Pretty Good Privacy, with very large keys, the kind of stuff that is not exportable, and we came across messages which were encrypted using this, and it did not slow us down at all.
  Mr. GOODLATTE. Very good.

 Page 82       PREV PAGE       TOP OF DOC
  When you say it did not slow you down, you meant you used other means to trap it?
  Mr. SHIMOMURA. Correct. Yes. An inability to decrypt these messages did not slow down our pursuit at all.
  Mr. GOODLATTE. Right.
  Mr. SHIMOMURA. We were able to work around it.
  Mr. GOODLATTE. Bad guys leave tracks somewhere. Also, bad guys are not likely to put their keys into a central data bank.
  Sadam Hussein or Moammar Khadafi is not going to escrow his keys with a central data bank created by the administration.
  Mr. Lynch, let me follow up on that whole subject. It seems to me that this export control problem is a problem not only--on our competitiveness in the world market and the damage it could cause to the US software industry.
  The Commerce Department, for example, estimates that over the next 5 years it could cause us as much as $60 billion and 200,000 jobs in this country if we do not compete in this area because virtually any type of software in the future is going to have a demand for encryption to be attached to it.
  But what is really holding it up is that the lack of ability to export has a very severe impact on our development of this technology domestically as well, because most of the major users--banks, and securities' firms, and people in the health care field, governments and so on--who might want to use more heavily encrypted software have a need to use that not only domestically but internationally.
  And if you cannot use it with the communications you have with your overseas offices and contacts and customers and so on, then it is not suitable also to use domestically because it has got to be an integrated network.
  Therefore, the Administration's restriction on the use of encryption worldwide is a major contributor to the growing advent of this use of this technology domestically.

 Page 83       PREV PAGE       TOP OF DOC
  Do you agree with that?
  Mr. LYNCH. Totally. Yes.
  I mean, it is so silly when you think about it, like wait a minute, why can't you just use the strongest tools you have to protect your own assets? I mean, it is just common sense.
  The fact that it can be used for bad purposes--so do knives, so do automobiles, I mean, you know, everything has multiple purposes, and you just have to give up. The genie is out of the bottle.
  Export Crypto, not jobs.
  Mr. GOODLATTE. I think that is a good slogan.
  I also like the Chairwoman's concern about the privacy nature of this and quoting Thomas Paine in saying, ''The price of freedom is eternal vigilance.'' I think that is an excellent way to categorize this whole problem.
  Mr. Mulligan?
  Mr. MULLIGAN. I wanted to expand on that.
  At Sun we build security devices and security products. We have, if I say so myself, a very good firewall product that we are not able to sell effectively overseas because of the Export Control. It has severely damaged our ability to compete in a global market because we are told we cannot sell anything that is longer than 40 bits of encryption.
  We go to an overseas corporation and they laugh. They go: Fine. We will go to a foreign company and we will buy their product, and we just lose.
  Mr. GOODLATTE. Great. Thank you.
  Mr. Shimomura?
  Mr. SHIMOMURA. Incidentally, at the RSA Security Conference last week, or 2 weeks ago--I guess 2 weeks ago now--there was a challenge issue to 40-bit RC, I think RC-5 challenge, RC-4, RC-5 challenge--that was issued. It was broken by someone at UC-Berkeley in 3 1/2 hours using a network of work stations.

 Page 84       PREV PAGE       TOP OF DOC
  Mr. GOODLATTE. One would presume that if a Berkeley student has access to the computers and the knowledge to do that, that the national security agencies of our country that have legitimate needs to break encrypted communications when they have reason to believe they are being done by terrorists or criminals and so on, would have the ability to do the same?
  Mr. SHIMOMURA. One would certainly hope so.
  Mr. GOODLATTE. Right. And even if they do not, we need to address that problem and support their efforts to improve that. I am not trying to place this issue as one between law enforcement versus the computer industry.
  This is a matter of the two working together to solve a legitimate problem they have, but not go down the wrong path, which is the key escrow system that they have been promoting.
  I know I am taking too much time, Madam Chairwoman, but I would like to ask one last question. I am looking for endorsements.
  I have given you the four criteria that this legislation includes, and I would like to ask each one of you if you think the legislation is a good idea.
  Dr. Geer?
  Mr. GEER. Certainly it is a good idea. There is more to it than that, but it is certainly a good idea. Frankly, if you do not do what you are proposing, then part of the game will be shortly over.
  Mr. GOODLATTE. That works for me. Mr. Lynch?
  Mr. LYNCH. So what is an endorsement? I mean, is that kind of like signing your baseball card? I would be glad to.
  Mr. GOODLATTE. Great. Great.
  Mr. LYNCH. Can I get a chair in Congress to vote for this?
  Mr. GOODLATTE. No, no. Tell your Member of Congress to co-sponsor it, if they have not already.

 Page 85       PREV PAGE       TOP OF DOC
  Mr. SHIMOMURA. Certainly. I think this kind of legislation is critical, given the current situation. Right now our industries are suffering and our privacy is suffering. Something like this would put an end to a lot of the fighting debate and try to refocus the attention on what the real problems are of, yes, there are law enforcement issues; yes, they can be dealt with. But not without--and they can be done without weakening our systems.
  Mr. GOODLATTE. Mr. Mulligan?
  Mr. MULLIGAN. Absolutely. But note, it is a great start but not the answer. We need to move forward after we have passed this. We need to move on and add more.
  Mr. GOODLATTE. I agree. That is why I think the Science Committee has an important role in this in terms of promoting the technology, not just allowing it, which is what my legislation is about.
  Mr. Farmer?
  Mr. FARMER. Well primarily I think it is a wonderful idea. The only qualm I would have would be, I am not sure why punishing people by using cryptography, essentially treating it as a weapon of some sort, as an additional punishment is necessary; but other than that, I am very much in favor of it.
  Mr. GOODLATTE. True. Dr. Spafford?
  Mr. SPAFFORD. I should make the observation that escrow by itself is not a bad thing. In fact, I believe commercial organizations and the government should escrow their keys, but voluntarily.
  Mr. GOODLATTE. The question is: Whom do you trust?
  Mr. SPAFFORD. There is that case. The problem is that sometimes the people using the encryption may not be trustworthy and take the keys with them. So escrow in those situations is worthwhile.
  I personally and professionally am opposed to mandatory escrow. So the four principles you outlined I am definitely in favor of.

 Page 86       PREV PAGE       TOP OF DOC
  Mr. GOODLATTE. Great. Well, thank you all.
  Thank you, Madam Chairwoman.
  Mrs. MORELLA. Thank you, Mr. Goodlatte. I guess that was hardly an objective analysis from the panel, but I think it was a good question to ask and some good comments.
  I am glad to defer to the gentlewoman from Texas, Mrs. Johnson.
  Ms. JOHNSON. Thank you very much, Madam Chairwoman, and thank you for calling this meeting. It has brought me out of a state of denial.
  [Laughter.]
  Ms. JOHNSON. I was much more comfortable trying to pretend this all was not happening.
  My question is pretty simplistic and I would like for the panelists to respond. I was sitting here imagining that all of the schools would be connected, and all the students would have access. And, remembering the statement that, I think it was Mr. Farmer who said that younger people were more comfortable with this, and people tended to rely on grandchildren and children to teach them how, and I am one of those, what would be the future implications with practically every person when we have now probably 10 percent of the population of the Nation who know and use Internet pretty often--maybe a little higher, but I kind of doubt that right now--but coming on very shortly will be like 85 percent of the people.
  Would Mr. Goodlatte's legislation assist us with that in security?
  Mr. GEER. It would assist us in that. I would suggest to you that the question of how does this spread, and the role that the government may or may not play in helping it spread to where the children are is little different I suppose than the spread of the telephone when it was invented.
  In fact, The Economist Magazine considers the Net more important to human history than the telephone, and only a notch less than the printing press. So I think that it ought to be an investment for the children, and we can certainly deal with it.

 Page 87       PREV PAGE       TOP OF DOC
  I do not allow my children to call numbers at random. I do not allow them to surf at random, et cetera. I mean, you are on very good ground encouraging the availability of the Internet to young people and teaching them to use it, because their future lies with it far more than it lies with other things we are more familiar with as we stand here.
  Ms. JOHNSON. Well, thank you. Let me just comment on that.
  Clearly, most of us want to control telephones and everything else that our kids deal with, but that is not always accomplishable.
  I certainly want every student to have access to the technology, but my concern is: With so many more people being fascinated by this access, that we would have many more minds also finding ways to get into other things.
  And, while we feel that students would only be interested in the academics, I happen to know that I have a 10-year-old grandson who knows this technology very well. He is interested in whatever he can bounce up on. And just like, you know, any other young, inquisitive mind.
  So separating these issues I think might work for the next 10 or 15 months, but beyond that I think we are going to have a lot more people having access to everything there is to be accessed, and even adding to it just through fascination.
  But it could cause havoc within a system through any kind of business dealings, especially our commerce, and our security. That mixture is what I am very concerned about.
  I do not think for a moment that if we can come up with this kind of technology we could not come up with technology to be more protective, but I have a sense that we really do not want to be.
  Mr. LYNCH. You know you bring up a very sensitive point of inappropriate data that is out there for young ones, and I have young ones.
  If we had strong crypto everywhere, and if the purveyors of that kind of information, data, were interested in making money, then they would encrypt it and you would have to buy keys. So at least the kid would have to--to unlock it--and it would be just like the television set, you know, the test pattern on it without that key.

 Page 88       PREV PAGE       TOP OF DOC
  Then the child has to go through this and get money. Now that is one of the things where parents do have some control, to see how much money the kid gets.
  So, is it a perfect solution? No. Is it a 90 percent solution? Probably.
  Mr. FARMER. I would also like to say that most people view encryption to be what cryptography can offer. There are actually two important things that cryptology can give you.
  One is authentication, as well as encryption. If you are concerned about young people, or just inexperienced people doing things at random on the Network, having some kind of trail or some kind of way to determine who is talking to who is an invaluable tool and I think would do great things about enhancing security.
  Mr. MULLIGAN. The other thing is, we have opportunities. One of the things we can do is educate the parents to take off the veil of what this technology is so that parents can be with their children when they are surfing the Net and not be afraid to sit down with them. Things like Net Day that is coming up where we can try to get parents into the schools, that the schools are all getting on line so that they are not afraid.
  My mother-in-law and my mother are on line, and it is wonderful. But there is a big hurdle, too, to ''I'm afraid I'll break it; I might touch the wrong thing.''
  I said, ''You can't hurt it. If all else fails, turn it off; turn it back on again and it will be okay.'' And they were like, oh? Okay. That's fine.
  But we need to educate parents, and we need to bring them in so that they can monitor what the children are doing and understand what is appropriate, or how to keep them from going to inappropriate sites.
  Mr. SPAFFORD. I would echo that, that we currently have a state where a number of people, their view of computing is basically that the Web pages are flashing 12 and they don't know how to change it.
  We can address that through education and through better interfaces so that people know how to access the information they want to access.

 Page 89       PREV PAGE       TOP OF DOC
  I should make the point that cryptography is a partial solution to some of what you are asking, but there is a broad range of things that we can apply.
  Right now, what we have is, in effect, the library is in the room right next door to the bank vault, which is one door over from the research lab, all in the same building, and we do not have any kind of control where our students and our children are going.
  We can build better technology, but something like the Web is only 4 years old. It really has not matured yet to the point where we can say exactly how it is going to go. Attempting to regulate it as this point is perhaps a little premature.
  Mr. MULLIGAN. And Gene, they are all right next door to the adult book store.
  Mr. SPAFFORD. Right.
  Mr. SHIMOMURA. Consider that in the real world we have these problems and we have learned to live with them, as well. We have libraries, right, where kids can go, or anyone can go, to bookstores, libraries, sources of information, and we have learned how to deal with that in many ways because we understand them. Some libraries make provisions for limiting access to some things. Whether or not that is good is a matter of debate, but we understand this. Parents understand that. We have learned to cope with libraries.
  We do not talk about getting rid of libraries because of the potential risks of what people might access. I think the same thing will happen here, as well, as we come to understand the technology.
  Mr. MULLIGAN. There is one last thing. You started out asking about the legislation.
  The other thing is, by allowing our U.S. corporations to have better access to overseas' markets enhances their want to develop the technology and to spend their own money to do the research to build more secure tools and more secure technology.
  Ms. JOHNSON. Thank you, very much.

 Page 90       PREV PAGE       TOP OF DOC
  Mrs. MORELLA. Thank you, Ms. Johnson.
  I would like to now defer to Mr. Ehlers for any questioning.
  Mr. EHLERS. Thank you, Madam Chairwoman.
  I did make one comment before I left, and so I will try to reduce my comments or questions now. But hearing this panel reminds me a bit of a lunch that I was part of some years ago when I was on the staff at the University of California at Berkeley.
  We went to the faculty club for lunch and there were a group of physicists sitting around. There happened to be a wave of burglaries at that time, and we were analyzing ways to protect houses against burglars.
  This became an intellectual exercise. We devised fantastic means to prevent burglaries, or at least protect them, and then we would play the countergame of how would we overcome that if we were the burglar.
  After about 45 minutes of this, we reached the conclusion that we would be better off being the burglars----
  [Laughter.]
  Mr. EHLERS. Because every system we devised we could overcome in some way. That is somewhat similar to what is happening on the Internet.
  The difference is that we concluded at that luncheon that what would save society from the burglars is that most burglars were not very intelligent and would not be able to overcome the devices, protective devices.
  With the Internet, most of the burglars, the thieves, the rapscallions, are very intelligent. And what is a bit of a tragedy is that I think most intelligent people have shied away from crime in the past, but I think many of them see very little if anything wrong with the sorts of things they do on the Internet.
  I believe that is a totally different climate that we have today that makes it very difficult to deal with some of the Internet crime. Clearly some of it is blatant. It is for financial gain and so forth. But part of it is just intellectual fun for people.

 Page 91       PREV PAGE       TOP OF DOC
  I think that has created a part of the problem.
  In Congress the general rule of thumb is: Do not ever say anything that you would not want to see in the headlines the next day.
  [Laughter.]
  Mr. EHLERS. It is just a good rule of thumb, and it is surprisingly accurate, as Dick Morris found out, to his regret, and many others have found out.
  Unfortunately, that I think at this point probably has to be the message to the American public. Do not say anything on the Internet that you would not want to see in public--until, as you have mentioned, Dr. Spafford, the Web matures, the Internet matures, and we develop better means of educating the public and developing secure systems.
  I am not too worried about the business world because in a sense they are smart enough to protect their interests and they have a great financial incentive to do it. But I think for the average citizen security is not going to be of high concern.
  Their systems are not going to be a high concern, and they are going to continue to make mistakes and have their communications intercepted.
  I do have one specific question, and if anyone wants to respond to what I have said you may do that as well, but, Dr. Geer, you mentioned in your testimony something to the effect that we had to make--I forget the precise word you used--but the Congress had to make some rules for the Internet. If we didn't, the commerce might go elsewhere.
  I need a little clarification on that. But I also have to relate that I spoke a couple of years ago at a seminar put on by the Progress In Freedom Foundation on the Internet, and I would have to tell you that everyone there was adamant about Congress keeping their hands off the Internet.
  In fact, when I made--and they insisted they could make the rules themselves--and when I made the statement that if they did not, Congress would, they were horrified at the prospect of Congress doing it.

 Page 92       PREV PAGE       TOP OF DOC
  So I just need a little clarification in view of that.
  Mr. GEER. Sure. Actually it is a subtle point, and you are wise to bring it up.
  What I am trying to get at is that the reason for slow--we know what to do about security in many, many respects. Much of what we can describe as the threats, and the risks, and so forth, are ones which we have the technology to close. It is just that there is little motivation on the public's part, whether we are talking about the commercial public or the private public or the government public, there is little motivation to adopt it.
  The reason there is little motivation to adopt it is it appears that the cost of investment in the security technology is greater than the benefit that would otherwise be derived because there is no history of what the liabilities are.
  If I publish your private data, I suppose you can go after me in a number of ways and it will depend on what court you are in and so forth.
  The issue for me is that liability is not well understood. Two weeks ago I was at a meeting of State Chief Information Officers, state CIOs, from various States. It was called in San Francisco coincident with the RSA conference.
  Several States which are already trying to do business on the Web were asking the technology suppliers--in this case the authentication suppliers, the certificate authorities, as they are called--was there not some way in which the business world could cooperate about inauditability standards, and about interoperability standards such that ordinary procurement processes would work for State governments.
  Because today if they adopt any particular technology, they are sort of locking themselves in to one variation on the theme and it probably does not play well for procurement. There is no way to write a clean RFP, et cetera, and none of the companies involved here have a long track record. There is nobody to sue, in other words.
  That kind of issue--and all of the technology providers in the room agreed that one of the principal difficulties is it is hard to know what guarantees to make for your products because it is hard to know what the liability backlash of that might be when they fail.

 Page 93       PREV PAGE       TOP OF DOC
  One place where I think a great deal of benefit could be had on a nationwide basis rather than on a State-by-State basis is to make some sense about what the liabilities are when things go wrong.
  Security technology is only interesting when something has gone wrong. You want to then trace back and say, well, how did this happen? What was the--it is very much like the black box in an airplane.
  An average airplane flight is completely uninteresting. That is its virtue. The black box is what helps you decide when it was not uninteresting.
  We need the same kind of sense of liability proof and standards for what proof is, and that is all. Otherwise, I agree. Keeping hands off is really important.
  Premature regulation of any technology kills it and is generally sought by those who are behind in some way to keep the leaders from getting too far in front.
  So that is where the people were coming from when they spoke to you. Where I am coming from on this is some sense of what the rules of the game are for recourse are the most important parts.
  Mr. EHLERS. May I just ask if you or any other panelists, and we do not need a lot of time on this now, but if you would be willing to send me a letter of some sort just outlining the key points that you think should be addressed by the Congress, that would be very helpful. Because this is obviously the Subcommittee to deal with it, and I am sure that Congresswoman Morella is very interested in this, as well.
  We need some direction as to where we should go with this.
  Finally, I think my time is up, but I do want to wish all of you an uninteresting flight back home.
  [Laughter.]
  Mr. EHLERS. To use your words.

 Page 94       PREV PAGE       TOP OF DOC
  Mrs. MORELLA. I thank Mr. Ehlers. And we would indeed appreciate from you any communication that would give us some of the direction you think we can work in.
  I would now like to recognize a woman who has been very active in the whole Internet project, as well as on this Subcommittee, the gentlewoman from California, Ms. Lofgren.
  Ms. LOFGREN. Thank you, Madam Chairwoman.
  I would like to thank all of you for being here today. It has been really interesting to listen to you. Also, thanks for so many good things that you have done, Mr. Lynch, what PGP has done to advance the cause of freedom which is really worthy of our thanks; and what Scott Neally has led us to do on Net Day, and others.
  You have made contributions in many ways, in addition to being here.
  As I have been listening to you, I have been wishing to some extent that members of the Judiciary Committee, which I also serve on, could have been here to listen to all of this, as well.
  Clearly the Science Committee will look at the issue that you have just raised, Mr. Geer, and I would like very much to know more about that as your thoughts develop.
  I also, as with Mr. Ehlers, would like to pick your brains on it. Because the way we divide jurisdiction in the Congress is not always very useful. The Judiciary Committee has jurisdiction on tort liability.
  The Science Committee has jurisdiction on technology, and it ends up that sometimes people who may not be the most up-to-date on a particular area end up making decisions and, I would say, sometimes erroneous decisions based on lack of information.
  In thinking about your testimony, Dr. Spafford, in looking at half of the Ph.D. students were not Americans, or not at that time Americans--luckily, some of them stayed--I was reminded of the debate we had last year in the Immigration Act when the first draft of the bill prohibited the immigration of scientists of distinguished ability.

 Page 95       PREV PAGE       TOP OF DOC
  Right now, clearly we need to do more to have American students be high achievers, especially in science and math, but we are very lucky that people all over the world want to come here and become Americans.
  If you look at, I would say, it is not just computer science that go into physics, or chemistry, or any place, any graduate school in the United States, and you'll find large numbers of people who came from elsewhere and hopefully, if we are lucky--they will stay, although we keep making it harder and harder for them to stay.
  I do not have a whole lot of questions. I think you have answered many of them. I guess one additional question I would have:
  As a co-sponsor of the SAFE bill on encryption, I would be interested in what, in addition to that, what further the Congress should do in the area of hardware issues, and whatever other issues you think should be attended.
  Mr. Goldlatte is the chief author of this bill. I think he has tried to craft something that could be passed, recognizing that it may not be everything we need, but as the technology changes so quickly--I mean, it is amazing to me whenever I am home, I sit down with people in the Valley, and I think the product cycles are down to about 6 months now. It changes so fast that by the time the slow pace of government moves forward, the whole world of technology has changed.
  So I would be very eager to get, all of you, your additional comments on that.
  The other question I would like to pose to you is whether you have, or whether you would be willing to sit down with the FBI and outline the issue on encryption really that you have had today.
  If the FBI were to all of a sudden understand this issue in a more useful way, would that really--and we were to eliminate all controls on encryption--in your judgment would that really provide the bulk of the answer we need on this?

 Page 96       PREV PAGE       TOP OF DOC
  Mr. Shimomura, you are nodding your had.
  Mr. SHIMOMURA. I agree I think education is much of this. I think much of the FBI's concern is because the world is changing, and the techniques that they have used in the past to gather evidence for prosecution in apprehending criminals will not work as well in this changing world.
  There is a lot of resistance because they would like to slow this down so that they feel, I think, that they are less out of control. And by educating them and by showing them how these new technologies can be used and how they can still continue to gather evidence, I think that would help a lot.
  One of our colleagues, Whitfield Diffy, has made the observation that every new technology that has come out has been opposed by law enforcement, but eventually that they have benefitted from it.
  Consider radios, for example. When two-way radios came out there was an argument saying, well, they could be used by criminals, they could be used by whatever to facilitate crime. But in reality, every cop on the street now has a radio. Where would he be without it--he or she? I expect that will probably be the case with crypto, as well.
  Ms. LOFGREN. Well the problem is that if we continue in our current posture as a Nation, by the time that realization dawns on the law enforcement world we will have lost our position in the world.
  Mr. SHIMOMURA. That is our concern.
  Ms. LOFGREN. Yes, Dr. Spafford.
  Mr. SPAFFORD. To respond to that, I have spoken with many people in the FBI and also within our national intelligence agencies and there are many people within those organizations who disagree with the current public posture of their agencies because they realize either the futility of controlling this, or because they do not believe it is needed.

 Page 97       PREV PAGE       TOP OF DOC
  I agree with the comments there that if we can work with them to help them understand that they can still pursue what they need to do, if we can come up with ways of removing some of the current things that hamper investigations. Right now we have great difficulty in analyzing data that results from a crime.
  We have jurisdictional problems because, in a matter of a quarter of a second we can have a Chinese student in Australia breaking into a computer in Switzerland and stealing money belonging to an American company.
  Who has jurisdiction?
  Who investigates?
  Ms. LOFGREN. But jurisdictional issues can be resolved, in a way, more speedily than some of these other issues.
  Mr. SPAFFORD. They can, but those are the kinds of things that are so frustrating to the law enforcement agents now. They do not have the resources. They do not have the supporting legislation. They do not have some of the resources they need to pursue this.
  In particular, one area that you might consider for legislation--and I am not completely, unabashedly for this, but I will mention it--we have a problem that most computer crimes and incidents are not reported.
  We do not have a good sense of the magnitude. We do not know where all the problems are coming from. We do not know the full nature of what the problems are.
  As Dr. Geer mentioned, many companies are reluctant to report because it looks bad. Although now if someone were to walk into a bank with a hand gun and steal $5,000, they think nothing of putting the picture on the television and the newspaper; but if someone steals $5 million electronically, they do not want to tell anyone about it because they are afraid of that.
  That might go a long way toward helping the situation.
  Ms. LOFGREN. So you are suggesting sort of mandatory reporting by victims?

 Page 98       PREV PAGE       TOP OF DOC
  Mr. SPAFFORD. I think something along those lines might be worth discussing. I am not suggesting that be the exact solution, but it is an area that should engender some conversation because we really do not know the scope of the problem.
  [The following information was received for the record:]

COAST--Computer Operations Audit and Security Technology,
Department of Computer Sciences, Purdue University
March 4, 1997
Committee on Science,
Subcommittee on Technology,
U.S. House of Representatives,
Washington, DC

Greetings:
This letter is to clarify one of my statements made during the question and answer period of the Briefing on Secure Communications held on February 11, 1997. These comments were made in response to Representative Lofgren; because of additional conversation, my total comments were not heard by the Committee.
Representative Lofgren asked if I was suggesting that mandatory reporting by victims of computer crime should be considered. My response was that yes, I believe this was something worth discussing, and that I was not necessarily suggesting that it be the exact solution but that the topic be open for discussion. I meant to say further in response to Representative Lofgren that I did not believe that the panel of experts was appropriate or prepared to give the most expert advice on the issue at the time.
The issue of mandatory reporting of computer crimes would have considerable impact--both positive and negative--in the law enforcement community, the insurance industry, and in many commercial firms, especially in the financial community. Therefore, if there is consideration given to mandatory reporting of computer crimes (and I believe that this should be considered seriously), then appropriate parties from these communities should be brought together to discuss the issues involved. These issues include questions of how much detail to report, to whom to report, within what time frame, how to identify items that should be reported, what to do in cases of losses in international transactions and to international firms doing business in the US, and how US firms should report losses suffered overseas. These questions illustrate the complexity of this topic and I would encourage further thought be given to this question than we were able to provide at the briefing.

 Page 99       PREV PAGE       TOP OF DOC

Sincerely,
Eugene H. Spafford,
Associate Professor
Director, COAST Project and Laboratory

  Ms. LOFGREN. We certainly are trying to engender some conversation.
  Mr. Lynch, you were going to say something, too. I know I am using up--I probably have used up all my time, but I did want to hear from you, the person who comes up with a way to have the smut fighters embrace limitless encryption.
  Mr. LYNCH. Yes. They are in business. They want to make money. They do not want to go to jail. There is a class of citizenry that is their legitimate market in some locales, and, you know, we should make it so they can do their business and----
  Ms. LOFGREN. I think it is a very creative argument that I plan to make to some of the more conservative Members here on the Hill.
  [Laughter.]
  Ms. LOFGREN. With that, I think I have more than used up my 5 minutes. Thank you very much. I am looking forward to additional dialogue with each of you as these issues develop in this Congress.
  Mrs. MORELLA. You have used the time well.
  You know, this reminds me. It was about a year ago that this Subcommittee had a hearing on the Year 2000 in terms of computer conversion. It was amazing that nobody seemed to be aware of the problem and the fact that, you know, now as we look at it, what 34 months, and you need 1 year to actually debug, so it is less than that. It was both the Federal Government, and the private sector, and internationally, and this is like deja vu.

 Page 100       PREV PAGE       TOP OF DOC
  Here we are with a crisis impending, smoldering, and we really are not doing much about it. In an article here, you all are the experts in this area.
  What we did do with regard to the computer conversion is that we did have language put in an appropriations bill, which then required the Federal Government, each of its agencies, to come out with a plan, a timetable, and a cost factor, and we got the Office of Management and Budget to be the one to set up the CIO Council and work with the various agencies.
  They are moving--some still moving much too slowly--but at least it is a start that we are going to have to push. The States are beginning to try to do it. Private sector is beginning, too, and I really think it is going to lead to a lot of cottage industries and cost a lot more the longer they wait. But I think this is so similar.
  I guess I see that one of the major responsibilities we have is, again, to do that kind of awareness educating. I would like to know, incidentally, how many centers there actually are where people can get this training in computer security.
  Then, maybe--and this is my question to you; unfortunately we are going to have to clear out of this room in about 10 minutes for another hearing to take place, and I promise not to keep you too long--but my question is: Do we then have a responsibility to establish standards, establish test beds, do something with regard to setting up an honest broker kind of concept? Do we need forums to do this?
  I know you are going to give us some specifics, but just in general do we need standards? How do we educate? How do we bring individuals together for a common ground?
  If each of you would like to just briefly make a comment on that, I know, Mr. Geer, you have talked a lot about the clarity of liability rules, and the rules of the game. But I also want to bring up a point in terms of computer crimes not being reported. My understanding is that when Citibank reported its loss, it lost some of its best customers. I think that is again something that is a backdrop from which we should proceed.

 Page 101       PREV PAGE       TOP OF DOC
  So if you would like to comment on that rule?
  Mr. GEER. I do not know that I have anything additional to add. I am reminded of Arthur C. Clarke's comment that any sufficiently advanced technology is indistinguishable from magic. I think to some extent that is why this is not well understood. It is sufficiently advanced that it appears magic, and those who hate magic want to get rid of it, and those who love magic just want to say ''poof!'' and have it happen.
  It is a long way in between.
  Anything we can do together, those of us who are professional buffalo hunters and are here to report that there are lots of hoofbeats over the hill, and those people who are out there such as yourselves who are trying to figure out are there actions that you can take absent a crisis, the best thing I can think of is just making sure the--and I have said it several times now--is making sure the rules of the game are well understood.
  I believe we are now sufficiently far along that we can make some progress in that, at least intellectually. I don't know about politically.
  Mr. LYNCH. Well, you know, I am the person that built a very large computer networking conference called Interop, and I think you have given me a great idea for a new business.
  [Laughter.]
  Mr. LYNCH. A data security awareness thing. Not at the technical level, not at the RSA Data Security Conference, but the using of it.
  John, let's do that. Okay? Very good.
  Mrs. MORELLA. Then you can expand your winery.
  Mr. LYNCH. Yes, right.
  [Laughter.]
  Mrs. MORELLA. He told me last evening that as an avocation he has a winery that his computer operation pays for.

 Page 102       PREV PAGE       TOP OF DOC
  Mr. SHIMOMURA. I think the biggest problem that I see in many cases is that people are afraid of this technology because they do not understand it. I think it is our nature to be afraid of things we do not understand.
  There are several things responsible for this. One is that we have not gone out of our way to make the technology easy to understand. In many cases, if it does not do what we expect we do something, or we think we are doing something and it doesn't, it is completely counter-intuitive.
  We need to make it understandable and make it do the kinds of things we expect. And, we need support to do that. Of course the most important one is education. Education underlies all of this so we do not misuse these things, so that we have people who can design systems.
  We need education and research so we can study the problems. There are many problems that face us now which we need to understand. Until we understand them, we are going to be afraid of them.
  I think education really is the key here.
  Mrs. MORELLA. Except the education also gives us those hackers who are so bright because they know so much that can, because of challenges that perhaps they set up themselves, know how to break into systems.
  Mr. SHIMOMURA. Along with this goes the necessity for ethics. In the real world, there is acceptable behavior. It is not okay for me to break into your house and to wander around your living room just as long as I don't take anything. That is considered to be a crime and it is considered not to be okay.
  However, for some people that same ethic does not exist in the virtual world. We need to have people understand that these worlds are really very much the same in many ways; that we need to carry the ethics we have in this world with the sense of right and wrong to that world; that it is not a different world where none of this applies.

 Page 103       PREV PAGE       TOP OF DOC
  I think, again, that is partly education, but I am not sure what else you call that.
  Mrs. MORELLA. I think it is very important that ethics and integrity become part of that education. Thank you.
  Mr. MULLIGAN. I agree with Tsutomu that educating students that walking into somebody's computer system is tantamount to walking into their house and getting them to understand that.
  I will go back to educating the parents so that they are not afraid of the technology, so that they are not afraid to walk over and push the button and turn on their computer and sit down with their children and explore the WorldWide Web with them.
  It is an amazing research tool and I do not want to take it away from my daughters. We do not want to take it away from anybody. We just want to make sure that it is safe for them to cruise.
  Mr. FARMER. Well, I think it is unfortunate that if we do not educate people, the Internet will not collapse. It will run less efficiently if we do not give social and technological education to people. Things will go on. They just will not go on as well.
  It used to be that the government and the military sites were by far the worst-secured systems on the Internet. Now everyone else has caught up to them on the way down, and that is because of the big mad rush to be on the Internet.
  But as everyone else has said, education is definitely the key.
  Mr. SPAFFORD. My first comment is that one of the things we can do in the educational system is to teach about responsible use and the effects of hacking into computer systems, something which people who are self-taught do not often see and do not often learn.
  I am proud to say Mr. Farmer is a former student of mine and, like many of my other former students, has certainly learned something about appropriate use of computing and has decided to apply those talents toward the ''good.''

 Page 104       PREV PAGE       TOP OF DOC
  If we keep in mind that the phone system when it was first introduced, people would listen in on Party Lines for entertainment. The phone companies would distribute literature indicating that people should not swear on the phone because it was not appropriate. Other problems that we had with the technology because it was so new are no longer a problem because we have adjusted to it as a society.
  We need to get to that point, and we will. It will just take some time, and we should not try to over-regulate it.
  Finally to answer the question you asked, which is what can Congress do, what can we do, there are groups, there are organizations who have been looking at these issues certainly within the educational arena, within industry, within professional organizations like the ACM and the IEEE.
  Speaking as an educator, however, it has been somewhat foreign to me to provide input to you. Our worlds where we deal with mathematics, the computing, the sciences, are one where we have not had traditionally good contact with our legislative representatives and, in return, you have been sometimes a little bit hesitant to contact us.
  We need to improve that dialogue.
  I think there is a great deal that we can do with each other to help lead, if we can improve that communication.
  Mrs. MORELLA. This is a period of partnerships now where we talk time and time again, and hopefully act on the combination of public, private, and academia involved together in what we can do.
  I know Ms. Lofgren and I, and I know the others here, have been involved when we had the Telecommunications bill with an amendment for affordable access to the Internet for all schools and libraries and rural medical facilities.
  On April 19th, there will be I think a national effort for wiring up schools for the Internet. Again, that is a pretty good beginning of all the things that you have said, and I will make sure that the schools all know that they need to be teaching integrity of the use of the Internet, too, at the same time.

 Page 105       PREV PAGE       TOP OF DOC
  Does anyone have any final comment?
  Ms. LOFGREN. Madam Chairwoman, just on that point, I am glad you mentioned that. Because of what we did, really that is going to make a huge difference, and I am proud of the efforts we made at that time. And we are now doing our third Net Day this April, which is great.
  But, you know, when I go into schools in San Jose, California, I find Apple II-Es sitting there. So to think that we have actually gotten to where we need to go, we have so far to go with our young people, and the stakes are so high--really, it is the future of the country that is at stake.
  So thank you for what you have done, and I look forward to working with you with all that is left to be done.
  Mrs. MORELLA. And Mr. Ehlers, for the last word.
  Mr. EHLERS. Just a quick comment on the ethical issues. It is much broader than just the Internet. As I mentioned, I was at Berkeley in the 1960's when this new ethic developed that anything is okay as long as you do not hurt someone.
  I think a lot of people indulged in hacking and things like that thinking it is perfectly fine as long as they do not hurt someone.
  The important thing is to recognize that there are moral standards and there need to be moral standards in a society for it to function properly.
  It has to be more strict than just if it does not hurt someone it is okay. We have to get far deeper into our moral issues and our ethical issues as a Nation than we have and get away from a good deal of the laxness of the last couple of decades.
  I am not talking about the people now who are stealing money, I am talking about the people who are walking around virtual living rooms and intruding on people's private correspondence and so forth; they just think it is harmless. It is similar to being a peeping tom. It is not harmless. It is immoral; it is improper; and the public has to be taught that.

 Page 106       PREV PAGE       TOP OF DOC
  Thank you, very much.
  Mrs. MORELLA. I want to thank the panel for giving us their expertise and their time; it has been so valuable, and we appreciate your doing this and hope that you will, through us, see some results that you will approve of and say, yes, you were a part of it.
  So, Mr. Geer, and Mr. Lynch, and Mr. Shimomura, Mr. Mulligan, Mr. Farmer, and Mr. Spafford, again thank you very, very much. It has been a wonderful briefing.
  [Whereupon, at 12:22 p.m., Tuesday, February 11, 1997, the briefing was adjourned.]

39—395CC

1997

SECURE COMMUNICATIONS

BRIEFING

BEFORE THE

COMMITTEE ON SCIENCE

SUBCOMMITTEE ON TECHNOLOGY
U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED FIFTH CONGRESS


 Page 107       PREV PAGE       TOP OF DOC
FIRST SESSION

FEBRUARY 11, 1997

[No. 1]

Printed for the use of the Committee on Science



C O N T E N T S

February 11, 1997:
Daniel Geer, Director of Engineering, Open Market, Inc., Cambridge, Massachusetts
Daniel Lynch, Chairman, CyberCash, Redwood City, California
Tsutomu Shimomura, Senior Fellow, San Diego Supercomputer Center, La Jolla, California
Geoff Mulligan, Senior Staff Engineer, Security Products Group, SunSoft, Colorado Springs, Colorado
Daniel Farmer, Independent Security Consultant, Berkeley, California
Eugene Spafford, Associate Professor of Computer Sciences, Purdue University, West Lafayette, Indiana
(ii)







(Footnote 1 return)
See, for instance, [Pow95, Pow96], and the on-going series of advisories from response teams such as the CERT Coordination Center, Department of Energy CIAC, NASA NASIRC, and DISA ASSIST.

(Footnote 2 return)
Characters per second

(Footnote 3 return)
C.f. [A+76], [Lin75] and [Neu95].

(Footnote 4 return)
Warped?

(Footnote 5 return)
This is not to imply in any way that development of new network-based etiquette and laws will obviate the need for information security professionals!

(Footnote 6 return)
During the Cold War era, standard military computer security doctrine could be interpreted as allowing classified computers to be blown up, the users shot, and the surrounding building burnt to the ground so long as the data contained therein was not disclosed to enemy agents: policies such as these are not currently acceptable in most banks, universities, or retail establishments.

(Footnote 7 return)
For instance, I am the only full-time professor in the world to be associated with a FIRST-accredited response team in a day-to-day, active role; there is no incentive within traditional academia to play such a role, as it is unlikely to lead to publications or grants. Ludicrously, this situation is akin to encouraging faculty at medical schools to teach without ever having seen a patient or performed an autopsy. (FIRST is the international Forum of Incident Response and Security Teams_the network of CERT teams.)

(Footnote 8 return)
It is important to note that all four groups provide educational material across the broad spectrum of computer and network security. The indications of particular expertise given here is to note an emphasis, and not describe limitations.

(Footnote 9 return)
See also the Appendix of this paper.

(Footnote 10 return)
In their study Research-Doctorate Programs in the United States: Continuity and Change.

(Footnote 11 return)
Estimated from the Taulbee Survey conducted by the Computing Research Association; see .

(Footnote 12 return)
Some of the non-nationals stayed in the U.S. to work, and have since become U.S. permanent residents or citizens.

(Footnote 13 return)
N.B., To my knowledge, all funding from government agencies has been stringently reviewed for scientific content and purpose, no matter what funding mechanism was involved.

(Footnote 14 return)
Based on the Taulbee Taulbee survey[Fle97] average of $55,653 for a nine-month salary for all assistant professors at 131 responding U.S. departments, and a 22% rate for summer support.

(Footnote 15 return)
C.f. [oacfecs94].

(Footnote 16 return)
The combined suggestions in the previous section could probably be funded for $15-$20 million per year.

(Footnote 17 return)
This commission was composed of personnel of the U.S. Department of Defense, Central Intelligence Agency, and Department of Energy. The charter of the Commission was to evaluate the current state of security in their agencies and the U.S. Government, and to suggest needs and directions.

(Footnote 18 return)
The report referred to, Information Security_Computer Attacks at Department of Defense Pose Increasing Risks,'' GAO/AIMD-96-84, dated May 1996, may be obtained from GAO.