COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
MARCH 9, 2000
__________
Serial No. 106-160
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
67-018 CC WASHINGTON : 2000
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
Majority:
BENJAMIN A. GILMAN, New York
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
STEPHEN HORN, California
JOHN L. MICA, Florida
THOMAS M. DAVIS, Virginia
DAVID M. McINTOSH, Indiana
MARK E. SOUDER, Indiana
JOE SCARBOROUGH, Florida
STEVEN C. LaTOURETTE, Ohio
MARSHALL ``MARK'' SANFORD, South Carolina
BOB BARR, Georgia
DAN MILLER, Florida
ASA HUTCHINSON, Arkansas
LEE TERRY, Nebraska
JUDY BIGGERT, Illinois
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
HELEN CHENOWETH-HAGE, Idaho
DAVID VITTER, Louisiana
Minority:
HENRY A. WAXMAN, California
TOM LANTOS, California
ROBERT E. WISE, Jr., West Virginia
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, Washington, DC
CHAKA FATTAH, Pennsylvania
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
ROD R. BLAGOJEVICH, Illinois
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
JIM TURNER, Texas
THOMAS H. ALLEN, Maine
HAROLD E. FORD, Jr., Tennessee
JANICE D. SCHAKOWSKY, Illinois
------
BERNARD SANDERS, Vermont (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
David A. Kass, Deputy Counsel and Parliamentarian
Lisa Smith Arafune, Chief Clerk
Phil Schiliro, Minority Staff Director
------
Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman
Majority:
JUDY BIGGERT, Illinois
THOMAS M. DAVIS, Virginia
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
Minority:
JIM TURNER, Texas
PAUL E. KANJORSKI, Pennsylvania
MAJOR R. OWENS, New York
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana
HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Bonnie Heald, Director of Communications
Bryan Sisk, Clerk
Trey Henderson, Minority Professional Staff Member
CONTENTS
----------
Hearing held on March 9, 2000
Statement of:
    Gerretson, Jim, director of operations, Information Assurance,
    ACS Defense, Inc.; Mark Rasch, senior vice president and legal
    counsel, Global Integrity Corp.; and James Adams, chief executive
    officer, iDEFENSE
    Tritak, John, Director, Critical Infrastructure Assurance Office,
    Department of Commerce; John Gilligan, Chief Information Officer,
    Department of Energy, and co-chair, Security, Privacy, and
    Critical Infrastructure Committee, CIO Council; Karen Brown,
    Deputy Director, National Institute of Standards and Technology,
    Department of Commerce; and Rich Pethia, director, Computer
    Emergency Response Team Coordination Centers, Software
    Engineering Institute, Carnegie Mellon University
Letters, statements, et cetera, submitted for the record by:
    Adams, James, chief executive officer, iDEFENSE, prepared
    statement of
    Biggert, Hon. Judy, a Representative in Congress from the State
    of Illinois, chart on computer security management key players
    Brown, Karen, Deputy Director, National Institute of Standards
    and Technology, Department of Commerce, prepared statement of
    Gerretson, Jim, director of operations, Information Assurance,
    ACS Defense, Inc., prepared statement of
    Gilligan, John, Chief Information Officer, Department of Energy,
    and co-chair, Security, Privacy, and Critical Infrastructure
    Committee, CIO Council:
        Information concerning initiatives and activities
        Prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the State
    of California:
        Followup questions and responses
        Prepared statement of
    Pethia, Rich, director, Computer Emergency Response Team
    Coordination Centers, Software Engineering Institute, Carnegie
    Mellon University, prepared statement of
    Rasch, Mark, senior vice president and legal counsel, Global
    Integrity Corp., prepared statement of
    Tritak, John, Director, Critical Infrastructure Assurance Office,
    Department of Commerce, prepared statement of
    Turner, Hon. Jim, a Representative in Congress from the State of
    Texas, prepared statement of
COMPUTER SECURITY: ARE WE PREPARED FOR CYBERWAR?
----------
THURSDAY, MARCH 9, 2000
House of Representatives,
Subcommittee on Government Management, Information,
and Technology,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2247, Rayburn House Office Building, Steve Horn (chairman
of the subcommittee) presiding.
Present: Representatives Biggert, Walden, and Turner.
Staff present: J. Russell George, staff director and chief
clerk; Matt Ryan, senior policy administrator; Bonnie Heald,
director of communications; Bryan Sisk, clerk; Ryan McKee,
staff assistant; Trey Henderson, minority professional staff
member; and Jean Gosa, minority staff assistant.
Mr. Horn. The hearing of the House Subcommittee on
Government Management, Information, and Technology will come to
order. Earlier this year, the Nation successfully met its first
technological challenge of the new millennium, Y2K. Despite
the time, labor, and $100 billion cost for this effort, private
and public, we learned much from this experience. Those lessons
will be especially important now as we turn to the second
technological challenge of the new year, computer security.
We are here today to learn. In April 1996, this
subcommittee held a similar information hearing on the year
2000 computer problem. Our questions will be many of the same
questions we asked in that hearing 4 years ago. We want to know
the dimension and scope of these cyber attacks. We want to know
what efforts are being undertaken toward solving the problem,
and we want to know what the Federal Government is doing to
address this problem.
Since the early 1990's, the worldwide use of computers and
computer networks has skyrocketed. The Internet has
revolutionized the way governments, nations, and individuals
communicate, and the way to conduct business. The Internet and
electronic mail are now available 24 hours a day to anyone with
a desktop computer, a modem, and a telephone line. Yet, without
rigorous efforts to protect the sensitive information contained
in these computer systems, many of the Nation's essential
services, telecommunications, power distribution, national
defense, and so on down the line are vulnerable to cyber
attacks.
Over the last few weeks, several of the Nation's most
viable Internet websites have fallen prey to ``denial-of-
service computer attacks.'' Although these attacks disrupt
essential business services, they only scratch the surface of
cyber attacks that may be taking place in other highly
integrated computer networks.
Our first panel of witnesses today will discuss the
vulnerability of the Nation's vital computer systems and the
Government's efforts to protect them. Our second panel, from
the private sector, will demonstrate how easy it is to invade
or hack a computer system, and what organizations can do to
protect these systems. We welcome each of you and we look
forward to your testimony.
If you will stand and raise your right hands, we will swear
you in.
[Witnesses sworn.]
Mr. Horn. The clerk will note that all four witnesses
affirmed the oath. We will start with Mr. Tritak, Director of
Critical Infrastructure Assurance Office, Department of
Commerce. Mr. Tritak. I might say, the way we work here, once I
announce you, your full statement is automatically put in the
record.
The staff has read it and when we have had a chance, we
read it. We then want you, if you could, to summarize it in 5
minutes. Do not read it, whatever you do, but give us from your
heart what this problem is. That is what we are interested in.
When you are all done, we will then have questions, 5 minutes
on each side when those Members come here. We will try to get a
rounding out of what the testimony is.
So, Mr. Tritak, you are first.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T7018.001
[GRAPHIC] [TIFF OMITTED] T7018.002
STATEMENT OF JOHN TRITAK, DIRECTOR, CRITICAL INFRASTRUCTURE
ASSURANCE OFFICE, DEPARTMENT OF COMMERCE; JOHN GILLIGAN, CHIEF
INFORMATION OFFICER, DEPARTMENT OF ENERGY, AND CO-CHAIR,
SECURITY, PRIVACY, AND CRITICAL INFRASTRUCTURE COMMITTEE, CIO
COUNCIL; KAREN BROWN, DEPUTY DIRECTOR, NATIONAL INSTITUTE OF
STANDARDS AND TECHNOLOGY, DEPARTMENT OF COMMERCE; AND RICH
PETHIA, DIRECTOR, COMPUTER EMERGENCY RESPONSE TEAM COORDINATION
CENTERS, SOFTWARE ENGINEERING INSTITUTE, CARNEGIE MELLON
UNIVERSITY
Mr. Tritak. Thank you very much, Mr. Chairman.
I am grateful for this opportunity to appear before you
today to begin a dialog with you and your committee on the
issues relating to critical infrastructure assurance and
computer security. In the way of talking about infrastructure,
one of them I want to mention is that my slides just showed up.
If you do not mind, I would like to just put them up before
you.
Mr. Horn. Sure. Keep talking. They can put them up.
Mr. Tritak. In any event, Mr. Chairman, Americans have long
depended on delivery of essential services over the Nation's
critical infrastructures. The need to assure the delivery of
these services against significant disruptions has been a
concern of infrastructures, owners, and operators for as long
as there have been electric power plants, telecommunications
systems, airlines, railroads, banking, and financial services.
In other words, critical infrastructure assurance itself is not
new.
What is new is the increasing reliance on information
technology and computer networks to operate those
infrastructures. This growing reliance introduces new
complexities, interdependencies, and potentially
vulnerabilities. The threat that individuals, groups, and
nation states are seeking to identify and exploit these
vulnerabilities is real and growing.
[Chart shown.]
Mr. Tritak. In recognition of this, President Clinton
issued PDD-63 establishing the protection of the Nation's
infrastructures as a national security priority. As you can see
from the chart, Mr. Chairman, PDD-63 sets forth an ambitious
goal. It calls for a national capability by 2003 to protect our
critical infrastructure from intentional attacks that could
significantly diminish the Federal Government's ability to
perform essential national security missions and to ensure
general public health and safety, State and local government's
ability to maintain order, and to deliver minimal essential
services to the public.
Three, the private sector's ability to ensure the orderly
functioning of the economy and the delivery of essential
telecommunications, energy, financial, and transportation
services. The important conclusion of PDD-63 is that critical
infrastructure assurance is a shared responsibility. With 90
percent of the Nation's infrastructures being privately owned
and operated, the Federal Government alone cannot guarantee its
protection.
In response to the issuance of PDD-63, the Federal
Government had to organize itself in order to meet the
challenges posed by this unique national security challenge. A
national coordinator for security, infrastructure protection,
and counter-terrorism was created to oversee national policy
development and implementation, as well as to advise the
President and national security advisor on the same.
My office, the Critical Infrastructure Assurance Office, was
created to coordinate policy development for the national plan,
to assist agencies in analyzing their critical infrastructure
dependencies, and to coordinate national education and
awareness efforts. The National Infrastructure Protection
Center was created at the FBI to serve as a threat assessment
center, focusing on threat warnings, vulnerabilities, and law
enforcement.
For each infrastructure sector that could be a target for
infrastructure cyber or physical attacks, a single government
department or agency was established as a lead agency for
working directly with representatives from private industry.
[Chart shown.]
Mr. Tritak. Earlier this year, President Clinton issued the
first version of the national plan. Displayed before you is the
cover. It says a lot about what the plan is and is not. First,
the plan focuses on the cyber dimensions for securing critical
infrastructures and underscores the new challenges posed by the
information age. That is not to say that physical
infrastructure protection is no longer important. It is.
Future versions of the plan will reflect that importance.
In fact, the plan is designated 1.0 and subtitled, An
Invitation to a Dialogue For a Good Reason. It is very much a
work in progress. It concentrates on the Federal Government's
efforts in infrastructure protection. The plan acknowledges
that this is not enough. We must work closely with industry and
include them in the national planning process.
We must also deal with the fact that there is an
international dimension to national information assurance, as
well as a domestic one. Of course, we must work closely with
you in the Congress to ensure that your concerns, ideas, and
interests are reflected in subsequent versions of the plan.
[Chart shown.]
Mr. Tritak. To meet the goal of PDD-63, the national plan
establishes 10 programs for achieving three broad objectives.
First, steps must be taken to identify the key elements and
systems that constitute our critical infrastructures. Their
vulnerability to attack must be assessed and plans must be
developed to address those vulnerabilities.
In so preparing, we hope to prevent attacks from reaching
their target in the first place. Next, should such attacks
occur, we must develop a means to identify, assess, and warn
about them in a timely manner. The attacks must then be
contained. Disrupted services must be restored and affected
systems must be reconstituted.
Finally, we must lay a strong foundation upon which to
create and support the Nation's commitment to achieving the
first two objectives. These include coordinated research and
development, training, and employing information security
experts, raising awareness, and, where appropriate, identifying
potential legal or legislative reforms.
[Chart shown.]
Mr. Tritak. The President requested $2 billion for critical
infrastructure protection in his fiscal year 2001 budget
request. This represents a 15 percent increase over fiscal year
2000 funding. Of this, 85 percent supports protection of agency
infrastructures; 72 percent goes to supporting critical
infrastructure efforts within the national security agencies.
Our President proposes a number of key initiatives in his
budget request. I will just highlight a few. The Federal Cyber
Service Initiative seeks to redress the shortage of information
security expertise in the Federal Government. This shortfall
reflects the scarcity of college-level programs in information
security. It also reflects the inability of the Government to
compete for highly skilled workers in this area.
Our goal is to recruit, train, and retain a cadre of IT
specialists for Federal service. The Federal Intrusion
Detection Network will serve as a centralized burglar alarm
system for critical computer systems within civilian government
agencies. Intrusion Detection Systems will be installed and
operated by the civilian agencies. Alarm data indicating
anomalous computer activity will be sent through the agency, by
the agency to the GSA for further analysis.
Only if there is evidence of criminal behavior will data be
sent to the NIPC and law enforcement. FIDNet will not monitor
any private network traffic. It will comply with all existing
privacy laws. The Partnership for Critical Infrastructure
Security attempts to build on the efforts already underway
between government and industry.
It seeks to bring the individual sectors together to
encourage a cross-sectoral dialog as a common concern, such as
the growing interdependencies among the infrastructure owners
and operators. The Partnership also provides a forum for
infrastructure owners and operators to engage other interested
stakeholders, including the audit community, insurance
community, Wall Street, and the investment community, and of
course mainstream businesses who are the ultimate consumers of
infrastructure services.
Now, the partnership is dedicated to the belief that once
industry recognizes a business case for action, economic self-
interest in the market can go a long way toward addressing the
challenges of infrastructure assurance. That is not to say that
self-interest in the market alone can solve these problems,
because they cannot. Where they cannot, and where the national
security interests of the country require, the Federal
Government must step in to address any gaps and vulnerabilities
that may exist.
Last month, over 200 representatives of more than 120
companies began to organize their participation in this
Partnership. I think the Partnership represents a good step in
not only addressing issues of common concern, but also for
industry to take a lead in addressing the problems that
confront us today. When you have good partnership between
industry and government, we are better able to identify and
define our respective roles so that where there
are gaps, where the market cannot address a problem of concern
to the Nation, we can fill that gap.
Given the limited time, Mr. Chairman, I am going to
conclude my remarks here and I look forward to your questions.
[The prepared statement of Mr. Tritak follows:]
[GRAPHIC] [TIFF OMITTED] T7018.003
[GRAPHIC] [TIFF OMITTED] T7018.004
[GRAPHIC] [TIFF OMITTED] T7018.005
[GRAPHIC] [TIFF OMITTED] T7018.006
[GRAPHIC] [TIFF OMITTED] T7018.007
[GRAPHIC] [TIFF OMITTED] T7018.008
[GRAPHIC] [TIFF OMITTED] T7018.009
[GRAPHIC] [TIFF OMITTED] T7018.010
[GRAPHIC] [TIFF OMITTED] T7018.011
[GRAPHIC] [TIFF OMITTED] T7018.012
[GRAPHIC] [TIFF OMITTED] T7018.013
Mr. Horn. Thank you very much. I would appreciate it at
this point in the record if you would submit the national plan
for the record. So, without objection, it will be put right
after this point.
We now go the next gentleman who is very familiar to this
committee. You are doing a fine job. Mr. John Gilligan, Chief
Information Officer, Department of Energy, and Co-Chair,
Security, Privacy, and Critical Infrastructure Committee of the
Chief Information Officer Council. Mr. Gilligan.
Mr. Gilligan. Thank you, Chairman Horn.
As you noted, I come before the committee speaking in both
my role as Chief Information Officer of the Department of
Energy and as well the Co-Chair of the Federal CIO Council
Security, Privacy, and Critical Infrastructure Committee. As I
prepared for this testimony, I gave a lot of thought to what I
viewed were the two critical issues that I face as a Federal
CIO. I would like to spend a moment addressing these issues for
you.
Up-front, let me tell you that my biggest issues are not
technology challenges. The primary challenge is educating and
convincing line management that computers and networks, as well
as the information they possess and process, should be treated
and managed as mission-essential and strategic organization
resources. Let me illustrate my point with an example.
Last summer, at one of the Department of Energy
laboratories we conducted a security audit. The laboratory was
evidenced as having the best firewall within the Department,
very good security policies, and adequate protection of our
classified systems. However, that same organization had a
number of instances of what I refer to as no-brainer security
weaknesses. For example, there were a number of computer
systems that had software configurations that were years out of
date.
In this case, they were not taking advantage of dozens of
patches that had been fielded to upgrade the security of those
systems over the years. In addition, there were a number of
systems where their passwords, including system administrator
passwords were easily guessed, or in some cases even used the
term ``password.'' These and other weaknesses provided relative
ease of a potential hacker to break into the laboratory's
unclassified computer system.
As I evaluated this apparent paradox, the same organization
having both the best and the worst security practices, the root
issue became clear to me. The organization was not focusing on
information technology as an overall laboratory resource,
rather only sub-sets of the systems and networks were being
pro-actively managed. Most of the unclassified computers were
procured and operated as work center or personal resources.
I have found a similar dichotomy at a number of other DOE
sites. The problem at this lab was not the absence of sound
security policies or lack of security technology knowledge, but
the fact that management of computers had become highly
decentralized and, in many cases, was a personal task. I found
that the number of system administrators approached the number
of laboratory employees.
The security audit findings highlighted to the laboratory
director and senior management that they had fundamental
problems with information technology management. The solution
required a fundamental change in how computers, networks were
purchased, installed, and operated. I firmly believe that this
is the most significant and pervasive problem facing Federal
agency CIOs.
A second challenge I face is working with Federal managers
in the Department of Energy in determining how much security is
enough. That is, how much is adequate? In the past, primary
security focus was on the protection of national security
information, classified systems, and more easily controlled
mainframe computers. Adequate security was defined by security
gurus, in most cases, with much input from line management, and
defined, in most cases, in absolute terms.
Today, we use computers for a wide variety of missions
where it is not cost effective or appropriate to apply the same
protection mechanism or security policies in all cases. We have
information relating to national security. Personnel data and
business operations must be protected to ensure
confidentiality. On the other hand, we have public websites
where we want to protect the integrity of the information. In
addition, there are mission impact and perception factors which
influence what is adequate, as well as rapidly changing
threats, missions, and technologies.
Federal security policies require an assessment of risk to
guide management decisions on what is adequate. Sounds easy. I
would submit that it is not. The Federal Government is also
held to a very high standard and one that continues to change
and become more stringent over time. In my testimony, I have
included some status updates within the Department of Energy on
our recent security activities. I will not detail them here.
I would like to, however, turn for a few minutes to the
work of the CIO Security, Privacy, and Critical Infrastructure
Protection Committee, which I co-chair with Roger Baker, CIO of
the Department of Commerce, and Fernando Robano, CIO of the
Department of State. Our committee is developing a set of
products that we believe will augment and accelerate
improvements in implementing adequate levels of protection in
assuring appropriate privacy of Federal information and
systems.
I would like to submit for the record a brief summary of
our committee activities.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7018.014
[GRAPHIC] [TIFF OMITTED] T7018.015
Mr. Gilligan. I would also like to highlight a few of the
committee's efforts. Our project to develop an Information
Technology Security Maturity Framework is intended to help
guide agencies and senior government officials in establishing
and maturing an effective cyber security program. Following the
example of the successful Software Capability Maturity
Framework developed by Carnegie Mellon University, the
Information Technology Security Maturity Framework recommends
the building block approach to security.
Emphasis is placed at lower levels on critical foundation
activities, such as documented policy, and clearly defined
assigned responsibilities, as well as robust training and
security assessment of progress. I have brought a display that
summarizes the six levels of security maturity described in the
draft framework. The Security Committee believes that all
agencies should be working toward achievement of level 2 in the
near term.
This level describes what is called a documented security
program. It is based on policy and guidance from the General
Accounting Office, the Office of Management and Budget, and the
National Institute for Standards and Technology. The committee
is working to develop specific evaluation criteria, a checklist
guide that could be used for level 2, as well as further
definition of level 3.
We have invited the Software Engineering Institute and the
General Accounting Office to participate in the refinement of
the framework. The committee also has initiatives in the
development of a tool that will allow us to identify and make
available the Federal agency's best security practices. We are
developing sample agency policies and guidelines dealing with
security and privacy.
We are working to accelerate the use of so-called public
key encryption. We are working with the Information Technology
Association of America in the development of security solution
benchmarks, linked to common electronic services such as
financial track statues with the public, benefit inquiries over
the web, and electronic submission of contractor pricing
proposals.
I would like to conclude my remarks with some
recommendations from my perspective as co-chair of the
Security, Privacy, Critical Infrastructure Committee. The first
two recommendations deal with funding for security. First, I
recommend that organizations specifically identify and analyze
their expenditures in cyber security. In this regard, I suggest
that we work with the government and industry to establish and
refine benchmarks against which line managers can assess
whether their investment is comparable to similar
organizations.
Work by the Gartner Group suggests that a reasonable range
for cyber security spending is somewhere between 1 and 5
percent of an organization's spending for information
technology. Second, I would recommend consideration of
increased funding for a set of governmentwide security
initiatives that are focused not on multi-year research or
product development, but on short-term immediate operational
benefits for Federal agencies.
I note that most of our CIO Council cyber security efforts
are focused toward ongoing operational support. Furthermore, I
recommend that we continue to tightly tie our cyber security
efforts with other initiatives to improve overall management of
information technology resources from an enterprise
perspective.
Finally, I suggest that we continue to focus our education
efforts toward government managers. I believe managers need to
know how to make risk tradeoffs. What they need is greater
awareness of their responsibility in managing information
technology as a strategic resource, as well as simple
benchmarks and metrics, such as funding levels and a maturity
framework, against which they can evaluate organization-
specific risks, as well as the progress of their cyber security
programs.
This concludes my testimony. I look forward to your
questions.
[The prepared statement of Mr. Gilligan follows:]
[GRAPHIC] [TIFF OMITTED] T7018.016
[GRAPHIC] [TIFF OMITTED] T7018.017
[GRAPHIC] [TIFF OMITTED] T7018.018
[GRAPHIC] [TIFF OMITTED] T7018.019
[GRAPHIC] [TIFF OMITTED] T7018.020
[GRAPHIC] [TIFF OMITTED] T7018.021
[GRAPHIC] [TIFF OMITTED] T7018.022
[GRAPHIC] [TIFF OMITTED] T7018.023
[GRAPHIC] [TIFF OMITTED] T7018.024
Mr. Horn. Thank you very much, Mr. Gilligan.
Our next witness is Ms. Karen Brown, the Deputy Director,
National Institute of Standards and Technology, otherwise known
as NIST. With the Weather Bureau there, I wonder why we cannot
be MIST? Anyhow, the Department of Commerce. Thank you for
coming.
Ms. Brown. Thank you.
Thank you Mr. Chairman and members of this subcommittee for
the invitation to speak to you today about computer security
issues. Computer security continues to be an ongoing and
challenging problem that demands the attention of the Congress,
the executive branch, industry, academia, and the public.
Computer security is not a narrow technical concern.
The explosive growth in electronic commerce highlights the
Nation's ever-increasing dependence upon the secure and
reliable operation of our computer systems. Computer security
has a vital influence on our economic health and our Nation's
security, and we commend the committee for your focus on this
security. Today, I would like to address NIST computer security
activities that contribute to improving computer security for
the Federal Government and the private sector.
I would also like to briefly describe for you our proposed
new program activities for next year. Under NIST statutory
responsibilities, we develop standards and guidelines for
agencies to help protect their sensitive, unclassified
information systems. In meeting the needs of our customers in
both the public and private sector, we work closely with
industry, Federal agencies, testing organizations, standards
groups, academia, and private sector users.
As awareness of the need for security grows, more secure
products will be demanded in the marketplace. Addressing
security will also help ensure that electronic commerce growth
is not limited because of security concerns. What does NIST do
specifically? To meet these responsibilities in customer needs,
we first work to improve the awareness of the need for computer
security, which is an ongoing effort.
Additionally, we research new technologies and their
security implications. We work to develop security standards
and specifications to help users specify security needs, and
establish minimum security requirements for Federal systems. We
develop and manage security testing programs in cooperation
with the private sector to enable users to have confidence that
a product meets a security specification.
We also produce security guidance to promote security
planning and secure system operations and administration. I
will briefly discuss the need and benefits of each. First,
there is a need for timely, relevant, and easily accessible
information to raise awareness about risk, vulnerabilities, and
requirements for protection of information systems. This is
particularly true for new and rapidly emerging technologies
which are being delivered with such speed in the Internet age.
We host and sponsor information sharing among security
educators, the Federal Security Program Managers' Forum, and
industry. We seek advice from our external advisory board of
computer experts. We meet regularly with members of the Federal
computer security community, including the Chief Information
Officer of the Security Committee, and the Critical
Infrastructure Assurance Office.
We actively support information sharing through our
conferences, workshops, webpages, publications, and bulletins.
A second need is for research on information technology
vulnerabilities and cost effective security. When we identify
new technologies that could potentially influence our customer
security practices, we research these technologies and their
potential vulnerabilities.
We also work to find ways to apply new technologies in a
secure manner. The solutions we develop are made available to
both public and private users. Research helps us to find more
cost effective ways to implement and address security
requirements. The third is the need for standards and for ways
to test that standards are properly implemented on products.
For example, cryptographic algorithms and techniques are
essential for protecting sensitive data and electronic
transition.
NIST has long been active in developing Federal
Cryptographic Standards and working in cooperation with private
sector voluntary standards organizations in this area. We are
currently leading a public program to develop the Advanced
Encryption Standard [AES], which will serve 21st Century
Security needs. Another aspect of our standards activity
concerns public key and key management infrastructures.
We have been actively involved in working with industry and
the Federal Government to promote the security and inter-
operability of such infrastructures. Standards help users to
know what security specifications may be appropriate for their
needs. Testing complements this by helping users have
confidence that security standards and specifications are
correctly implemented in the products they buy.
Testing also helps reduce the potential vulnerabilities
that products contain that could be used to attack systems. For
over 5 years, we have led the Cryptographic Module Validation
Program, which has now validated about 90 modules, with another
50 expected this year. This successful program utilizes private
sector accredited laboratories to conduct security conformance
testing of cryptographic modules against the Federal standard
we developed and maintain. Many of these activities are being
done in cooperation with the Defense Department's National
Security Agency in our National Information Assurance
Partnership.
The goal is to enable product developers to get their
products tested easily and voluntarily, and for users to have
access to information about test products. Under this program,
we have also led the development of an international mutual
recognition arrangement, whereby the results of testing in the
United States are recognized by our international partners,
thus reducing costs to the industry.
Advice and technical assistance for both government
organizations and private sector is the fourth need. While I
have given you a few examples of NIST work, I obviously have
not covered everything. I want to emphasize there is still much
more to be done.
Please keep in mind that approximately $6 million of direct
congressional funding supports both our Federal and industry
computer security responsibilities. This is plainly not enough.
Thank you.
[The prepared statement of Ms. Brown follows:]
[GRAPHIC] [TIFF OMITTED] T7018.025
Mr. Horn. Thank you very much. That was very helpful
testimony. We now go to our last witness on this panel. I must
say, Mr. Pethia, everywhere I talked and saw people in the last
3 weeks putting this panel together, the first magic word was
Carnegie Mellon. So, we are glad to have you come here. We hope
to visit your campus sometime. You can show us around.
Mr. Rich Pethia is the director, Computer Emergency
Response Team Coordination Centers, Software Engineering
Institute at Carnegie Mellon University in Pittsburgh.
Mr. Pethia. Mr. Chairman and members of the subcommittee, I
would like to thank you for the opportunity to come and talk to
you today about computer security. Today, I would like to
describe a number of the trends that impact security on the
Internet. I will illustrate the results of those trends and
then outline some steps that I think will help us all
effectively manage the increasing risk of damage from cyber
attacks.
My perspective comes from the work that we do with the CERT
Coordination Center. The Center is charted to respond to
security emergencies on the Internet, and to work with both
technology producers and technology users to facilitate
response to major security problems. Since 1988, we have
handled over 24,000 separate security incidents, and analyzed
more than 1,500 separate computer vulnerabilities.
The current state of Internet security is cause for
concern. The vulnerabilities associated with technology used on
the Internet put government, business, and individuals at risk.
Security is influenced by many factors. An organization that
wishes to improve its security has to deal with a lot of
issues. First of all, the Internet itself is growing at an
amazing rate.
As the technology is being distributed, so is the
management of that technology. System administration and
management often fall upon people who do not have the training,
skills, resources, or interest needed to operate their system
securely. This problem is about to get worse now that we have
direct Internet connections to homes, schools, libraries, and
other venues that do not have training and security staff.
These always-on rarely protected systems will allow
attackers to continue to add new systems to their arsenal of
captured weapons. Intruder tools are becoming increasingly
sophisticated and also becoming increasingly user-friendly and
widely available. This technology is evolving like any other.
Sophisticated developers of intruder programs package their
tools in user-friendly forms and make them widely available. As
a result, even unsophisticated intruders can use them.
On the technology side, when vendors release patches or
upgrades to solve security problems, organizations' systems
often are not upgraded. The job may be too time consuming, too
complex, or just too low a priority for the system
administration or staff to handle. There is little evidence of
improvement in the security features of most products. Today,
we continue to receive new vulnerability reports in second
generation and third generation products.
Developers are not devoting sufficient effort to apply
lessons learned about the sources of vulnerabilities and doing
the engineering work necessary to remove them. Finally,
engineering for ease of use is not being matched by engineering
for ease of secure administration. Today, we would all find it
ludicrous if, to safely operate and drive an automobile, a
person had to be a master mechanic.
Yet, today we expect our computer users and novice system
administrators to have detailed technical knowledge of all the
intricacies and nuances of the technology. We are simply
developing technology that is not fit for use in today's
environment. Because of these and other factors, organizations
and individuals who are using the Internet become vulnerable to
various kinds of cyber attack, including the denial-of-service
attacks that were widely publicized in February.
The key point about this attack, this attack type, is that
although an organization may be able to harden its own systems
to help prevent having its systems used as a part of a
distributed attack vehicle, there is essentially nothing a site
can do with currently available technology to prevent becoming
a victim of these coordinated denial-of-service attacks.
The best an organization can do today is get ready to
respond and have its response capabilities in place, should it
ever become the victim of one of these attacks. These attacks
work by having intruders compromise vulnerable systems. They
collect these vulnerable systems into aggregated attack
networks. These networks act in unison to attack a single
victim.
The network can be activated remotely at a later site by a
master computer. Communication between the master and the
networks is encrypted, often making it difficult to locate the
master. Once activated, these tools proceed on their own. They
are rapidly evolving. Individual nodes in the attack network
can be automatically reprogrammed to change the type of attack
so that it becomes increasingly difficult to build defenses
against this technology.
Clearly, we have entered a new era in the Internet, where
the power of the Internet itself is now being used to attack
people who are connected to it. At the CERT, we constantly
monitor trends and watch for new attacks and tools. We became
aware of this new form of denial-of-service attack in late
August, early September 1999. Denial-of-service attacks are not
new.
These kinds of attacks have been around since 1994, with
significant increases in 1996 and 1998. By the end of
September, it was evident that this was a new form of attack.
It was something we had never seen before. We called together a
workshop of 30 international experts who came together for 2
days in Pittsburgh and produced a paper that explains the
threat posed by these intruder tools, as well as guidance to
organizations about how to protect themselves and be prepared,
and how to be ready to respond.
This paper, along with other advisories, was issued to the
community in December. We have had a series of communications
out to the Internet community. The problem is serious. It is
complex. A combination of approaches must be used to reduce the
risks associated with this ever-increasing dependence on the
Internet. First of all, we need better ability to collect,
analyze, and disseminate information on assurance issues.
A lot of what we do today is reactive. We see a problem. We
analyze it. We understand what just happened. That is no longer
adequate. New forms of attack are now happening at Internet
speed, both automated attacks, like these distributed denial-
of-service attacks, as well as new forms of viruses, such as
Melissa that showed up in March of this year.
Today, we need to find analysis methods that build a
predictive early warning capability. We need to be able to
understand what is going to happen before it happens, which
means we need new ways of analysis. In addition, better
attention must be paid to collecting information. There has been a lot
of discussion and debate about instrumenting networks to
collect data to watch the traffic on the network to anticipate
what the problems might be.
Certainly, there is a need to be concerned about privacy,
but we have to find some way to balance our need to collect
information about the operation of networks with our need to
keep individual transactions and user's activities private.
Until we get a better view into what is happening on our
networks, we are going to have a very difficult time defending
against new forms of attack.
Third, we need to invest in better education and training
to raise the level of security and security awareness. In
particular, we need to focus on bringing the understanding of
security issues to senior and middle management in government,
as well as in industry. Until there is management commitment,
and management commitment of resource to solve this problem,
little is going to happen. Part of that includes encouraging
the development of comprehensive security programs with well-
defined responsibilities for managers, users, and system
administrators.
Finally, all of this is only going to help us mitigate the
problem, stem the flow of quality that we are having. It will
not solve the problem. In order to get ahead of this problem,
we need to support research and development activities that
will lead to a new generation of technology on the Internet and
other broad-scale networks. Systems that are easier to secure,
systems that do not require so much constant attention, systems
that do not repeat the vulnerabilities of the past, the long-
term solution is better technology.
That is going to take years. Until we get there, we need
better management approaches. Thank you.
[The prepared statement of Mr. Pethia follows:]
[GRAPHIC] [TIFF OMITTED] T7018.030
Mr. Horn. Thank you very much.
We will now go to questioning. It will be 5 minutes to a
side. We will get everybody in here in three rounds, if you
need them.
[Pause.]
Mr. Horn. This looks like a vote.
What I want to do is start on one issue. Then I will yield
to Mr. Turner. As I listened to the comment about maybe we need
a tzar in this area, usually my spinal column starts wiggling.
As a student of Russian history, I keep wondering what happened
to a lot of tzars and who is Rasputin in this operation? So, I
guess I would ask, is the Koskinen model a good one for this?
Now, with the Koskinen model, then when Mrs. Maloney and I
wrote the President, then talked to him and said, look, you
have got to get somebody to coordinate this effort. Some were
waving the flag for a tzar. I was not. The way it worked out,
one, the President picked a person that he had known before he
was President and had trust in.
No. 2, we made him assistant to the President, which is the
highest rank you can have in the White House hierarchy. No. 3,
he was not in OMB. He was housed near there. The President had
him and the President spread the word to the Cabinet that this
is serious business, when they finally got around to it.
No. 4, they called on each of the Deputy Secretaries that
really run departments and obviously involved the Chief
Information Officers, who are the people we ought to be
spending the time to be the managers they are supposed to be of
communications and information in their particular agencies.
So, I guess I would simply like to get the feeling of you as to
whether that was a successful model that we could also apply to
computer security and not have some tzar in OMB.
Of course, as you know, I am trying to split the management
part out of OMB. It might well roost there, but the fact is the
model I think worked the way it did. I do not know if any of
you want to take that and say, hey, there is another way to
look at this. Go ahead. Mr. Gilligan.
Mr. Gilligan. Sir, let me give you some perspectives. I
think the model with the particular individual, John Koskinen,
worked extremely well. I think there were a number of factors
that made it work well, one of which was the personal
characteristics and strength of John Koskinen. I think there
were also some other factors that made it effective. That was
the urgency and the immediacy of Y2K heightened the interest
across the board.
There was a need and a willing acceptance of someone to
help lead the effort across government and across really the
country. It is not clear to me that an exact parallel to that
would work as effectively in computer security. I know that
there has been some frustration, and there continues to be at
all levels, with our difficulty of pulling together across-
government activities in this area.
So, it is clear that we need to emphasize and we need to
work in that area. Obviously it is something the CIO Council is
trying to address, and yet we realize that we have limited
abilities as well. So, while I would not specifically endorse
the exact model, I think we need to continue to look for some
way to better leverage our across-government efforts in this
area as a part of our solution.
Mr. Horn. Any other thoughts on this? Mr. Tritak.
Mr. Tritak. I would agree with those comments.
Mr. Horn. So, you would like that model?
Mr. Tritak. I think what is intriguing about the Koskinen
and the Y2K effort generally is, in many respects, the Y2K was
your first critical infrastructure challenge to the United
States. It had a lot of things going for it. First of all,
there was a recognition. In fact, industry actually led the
way. The government took a little while to get onboard.
There was an acknowledgment of what the challenge was.
There was a known problem. The people rallied for it. I think
that when you look at the Koskinen model, it is important to
look at what the factors of success were. You have identified
quite a few of them. He was viewed as having the authority. He
worked very closely with the Cabinet. The Cabinet knew that
when he walked into the room, who he was, and what he stood
for.
We certainly cannot under-emphasize the importance of a
leadership and view it as someone who is speaking with
authority on behalf of the President; especially when you are
talking about across-agency issues, which critical
infrastructure really is all about. If you look at the way this
has evolved, there was a time probably when the Computer
Security Act was actually passed where you could talk about a
computer system within an agency. It was that agency's system.
Now, you are looking more at an interconnected set of
systems. You have to ensure, in terms of the government as a
whole providing a service to the Nation, that you have strong
links across government agencies, as well as within them, so
that you do not create weak links in the chain. Now, with that
said, I think that we have to look very closely about how the
challenges, as ongoing, differ from the Y2K experience before
you talk about institutionalizing a new position.
I think certainly some of the ingredients that you
indicated bear close scrutiny and attention on that. In fact,
you could make the case that, that kind of leadership becomes
even more essential in some regards when the known threats are
not as immediate, but you know they are out there and they
could happen at any time as opposed to a date-specific.
Mr. Horn. Any other comments on this?
I will yield 5 minutes to the gentleman from Texas. If you
would like, we could recess now to go vote, and then come back,
and then start with your 5 minutes. Is that OK with you?
Mr. Turner. That is fine.
Mr. Horn. OK. We are going to be in recess then for 20
minutes so we can get these two votes.
[Recess.]
Mr. Horn. This subcommittee will be in order. We will
proceed with the questioning. It is 5 minutes for Mr. Turner,
the ranking member from Texas.
Mr. Turner. Thank you, Mr. Chairman.
I appreciated your comments. I really get the impression
that what you were saying to us is that there is a lot of work
that has got to be done in the area of new technology before we
will ever have any hope of really having a secure Internet. I
guess I was kind of curious as to what types of things you are
talking about? We made the comparison a minute ago to the Y2K
problem.
To me, what we are talking about today dwarfs the Y2K
problem. In that arena, we had a date certain we were working
toward. We knew if we made it past that date, we had succeeded.
The government was able to provide a coordinating role for both
the public and the private sector. This challenge seems to be
so much greater. When you say we need better technologies, what
kinds of things are we talking about?
Mr. Pethia. First of all, the driving factor behind my
belief is that more and more devices attached to Internet are
going to become consumer items. I think we are already there
with personal computers. We are almost there, even with some
devices like routers and firewalls, when you think about
having these things installed in libraries, in doctors'
offices, and in places where you would not expect to find
someone with a degree in computer science.
That is going to continue. We are going to have all kinds
of devices at home. We are going to have hand-held portable
units. We are going to have cell phones connected, as we
already do, into the Internet. So, from one perspective what we
need to do is to make security much simpler than it is today.
You can configure a very secure personal computer, be it a Unix
box or a Microsoft Windows box.
All of the mechanics are there to do that, but it is not
easy. It takes a lot of understanding and a lot of knowledge.
Not only do you have to get it right the first time, you have
to keep it that way over time as you add new applications into
your personal computer. So, if you think back to the 1960's
when all computers were hard to use in all kinds of ways, the
industry responded very well with a lot of research and
development in easy-to-use, in fact ease of use was the buzz
word for the industry back then.
We need the same effort today, in terms of security
controls and security mechanisms. Bring those controls and
mechanisms to the point where the average user could use them.
I think that is sort of a near-term, by ``near-term'' I mean a
2- to 3-year effort that could show some results, significant
results, major results in that period of time.
Mr. Turner. I forget the name of the group or company that
is certifying whether something is secure or not. I read about
it somewhere. Is that the kind of thing that would motivate the
private sector to be sure they develop their products in a way
that they can be secure?
Mr. Pethia. I think that kind of thing will certainly help.
I think the tension is going to be between the length of time
it takes to do the evaluations and the market forces that keep
driving new products. Very often, the situation of doing an
exhaustive evaluation takes time. By the time you are through
with that evaluation, the marketplace has already moved on to
the next generation of products. I think we have to struggle
with that issue.
Mr. Turner. That seems to be one of my greater concerns
because this field moves so fast. It is always the private
sector that is moving forward. We had some government effort
over there, though it is not in one place right now. It seems
that the government effort, even if we consolidate it, is
always going to be a step behind what is really going on in the
private sector.
So, it is forcing you to try to think of private sector
incentives to try to make this all happen. I cannot get it in
my mind that the government is going to be able to keep up with
it.
Mr. Pethia. I think the private sector interest is rising.
I think as more and more damage happens on the Internet, people
are going to begin to understand that investing in security is
something they are going to need to do in order to keep their
businesses operational. So, I think that is happening. I see a
big increase in private sector interest today, over just a year
ago. That trend has been going on for several years.
I think the marketplace, in my opinion, has become
complacent. The marketplace is currently accepting whatever the
vendors produce. I think an awareness campaign and an
understanding that technology can be changed; technology does
not have to be the way it is today is something that would help
move, first of all, the consumer to a better understanding of
the kind of quality the consumer should expect from a product.
Then finally, the technology producers, as they begin to
see a marketplace for that new product, to begin to produce.
There is a place where I think government campaigns focused on
broad-scale awareness, understanding, helping the consumer,
both in government and outside government, understand that
technology possibilities exist beyond what we have available to
us today, I think, would go a long way to spur that kind of
effort.
Mr. Turner. Is it a reasonable suggestion to think in terms
of a second Internet? After all, we are even getting to the
point where much of what takes place can even be done in a
wireless mode. Is there a reason to consider that there could
be more than one Internet? That there are secure Internets so
that we can solve some of our national security type problems
and others in a way that we know that we are protected?
Mr. Pethia. Certainly, I think there are some needs for
high security in some applications where those networks and
systems will remain isolated and should remain isolated from
the broad Internet. I think the last 10 years of history has
told us that the Internet is going to continue to evolve. It is
going to continue to lure people because of the broad
connectivity that is available over th
because of the dramatic lower cost of operating on this huge
network where everybody shares the expense.
I think the economics are going to continue to push most
organizations toward the Internet. I think the challenge as to
rather than trying to isolate from the Internet, the question
is how do we go about fixing the Internet so that we can all
enjoy the level of security that we need?
Mr. Turner. Your effort at Carnegie Mellon, through the
Computer Emergency Response Team, seems to me to be an
excellent private sector initiative. Do you think government is
capable of duplicating that or will it be best left to efforts
like yours?
Mr. Pethia. I think it is going to take a combination of
efforts. There are within the government a number of computer
emergency response teams in the DOD, in the Department of
Energy, and in some of the other agencies. There is the FedCIRC
activity which we actually participate in. So, I think there is
a large government effort there. One of the advantages that I
think we have is that in addition to the reactive work that we
do, we are also housed in a research university.
So, in the private sector where you can have these kinds of
reactive capabilities to help us understand what the problem
is, but also marry with that a research and development
capability we can move toward solution. That, I think, is a
good combination. So, there perhaps is a way where government
can team with organizations in the private sector, with the
government doing some of the response reactive work, ensuring
that they have close working relationships with technology
researchers so that the researchers really understand what the
real problems are.
Mr. Turner. Thank you, Mr. Chairman.
[The prepared statement of Hon. Jim Turner follows:]
[GRAPHIC] [TIFF OMITTED] T7018.131
Mr. Horn. I thank the gentleman.
Now, I yield to the gentlewoman, the vice chairman from
Illinois, Mrs. Biggert to question the witnesses for 5 minutes.
Mrs. Biggert. Thank you, Mr. Chairman.
If I could ask unanimous consent to include my opening
statement.
Mr. Horn. Without objection, it will be so ordered as read
at the beginning, after Mr. Turner's opening remarks.
Mrs. Biggert. Thank you.
This is a question for all of you. What is the real threat
from cyber terrorists to the Federal agencies' mission critical
systems? I know that is a broad question, but how does the
administration's recently released National Plan for
Information Systems Protection address the plans to mitigate
these terrorist threats? I think when we were talking about
Y2K, we had our mission critical systems. I think that was what
was really addressed there. First of all, is there a threat
from the terrorists?
Mr. Tritak. Well, I think the national plan makes clear
that the threats posed by cyber terrorists as well as nation
states is growing. I would urge you, if you have not already,
to get a briefing by Mr. Michael Vatis at the National
Infrastructure Protection Center who could give you a lot more
detail, an appropriate level of detail than I can get into. One
of the reasons for PDD-63 stemmed from a Presidential
commission which asked the question, what are the new threats
to the Nation? The cold war is over. It is unlikely that anyone
would be foolish enough again to take on the United States with
armed forces. So, what are they?
That question was initially prompted, of course, by a
number of events that were happening in the mid-1990's, the
Towers' bombing, Oklahoma City. What is going on here? The
recommendation of that commission was to say that the critical
infrastructures of this country are increasingly becoming
vulnerable to types of attacks that could be delivered over the
information super highway.
Why? Because as was indicated earlier, traditional
infrastructures are increasingly relying on computer networks,
not only to receive e-mail, but actually perform operational
functions of their business. As you move further and further
into deregulation, the need to cut your costs to make the
margins up, you are going to be relying more and more on
information technologies to perform functions which
traditionally may have been performed by manual labor for
example.
Also, in the past, if a computer operational system went
down, say in the electric power industry, they have ways of
shifting over to manual type responses in order to keep the
flow of services going. Now, over the long-term, more and more
of those primary functions are performed by information
technology, and if those systems are then networked either
through the Internet or some wide area network systems, the
potential for someone being able to get in and cause damage
increases.
Now, I am glad you also mentioned the critical systems
because this is a very important thing about critical
infrastructure assurance. What we are concerned about are those
systems within our critical infrastructures which, if
disrupted, could cause immediate and significant harm to the
Nation's security, its economy, or the health and welfare of
its people. If someone means to do harm, they are going to want
to leverage their efforts to find weak links in the chain.
So, one of the purposes of the effort that is outlined in
the national plan is to begin to raise this issue with industry
to make clear that this is more than just a hacking problem.
Frankly, they deal with that now. They know that they are being
hacked. Their websites are being looked at. The idea that if
more and more of their business relies on information
technology, for example, banking and finance, e-commerce, where
the very nature of the revenue stream turns on information
technologies. This is a different problem.
The same thing within the Federal Government. There was a
time when you could talk about a computer system within the
Federal Government and it was the agency's system. It was
insular. It was self-contained. Now, like everywhere else, you
are getting inter-connectivity between agencies. They are
depending on different services, both within government as well
as outside of government.
This inter-dependency is one of the newer challenges. An
agency can get their security concerns right, but if they are
dependent upon systems which do not have their security right,
that is where the vulnerability lies. Your types of attacks
which, again, Mr. Vatis will be in a better position to talk
to you about this, they are looking for the weak links. They
are not simply going to willy-nilly take on any piece of the
information infrastructure. They are going to look for where
the highest value payoff is going to come from.
Mr. Gilligan. I think Mr. Tritak has done a good job of
summarizing the significance of the threat and many of the
characteristics that contribute to it. I would only add a
couple of thoughts. One, I think it is not just linkages
between agencies, but linkages within sites and within agencies
where you find I think unknowingly our interconnection.
We are just about intermeshed in our network connectivity
among systems that we have the same vulnerabilities. I think
second, we really, in my view, have kind of two tiers of
threat. Unfortunately, a lot of our emphasis and visibility is
on what I will call the lower tier, which is a very
unsophisticated, but today, because of the vulnerabilities, is
ineffective and gets a lot of visibility.
Now, I think there is one that is much more sophisticated.
We only get glimpses of it. In many cases, that is something we
do not share a lot of insight. It is almost masked. That is, we
are seeing some of these lower sophistication threats. That is
what we are focusing a lot of attention on. I think we need to
because you need to dampen those out of the system before you
can really start to focus and then get the protection that you
need to address the more sophisticated attack.
Ms. Brown. Well, I think both gentlemen have done a really
good job. I would only add that I think one of the key
challenges is not just today's problem, but the ongoing
problem. There is new software every month. There are new
systems every month. So, there is not a single fix, as in the
Y2K, as Mr. Turner and everyone has talked about. There was a
single crisis. There was a single thing that we had to fix.
This is going to be an ongoing problem, and ever more
difficult in many ways to stay on top of as we become more and
more global. So, we need to look at what can we do today, but
also on the more fundamental things to make our systems
fundamentally secure. How do we design the systems and how do
we design the software so it is not up to the user to fix and
put the patches, which will always be there? Somehow, how do we
fundamentally make the system more robust?
Mr. Pethia. I am building briefly on Mr. Gilligan's
remarks; this idea of two tiers of threat. At the lowest level,
and one of my big concerns, and the reason that I am advocating
for increased emphasis on analysis, capability, and data
collection is that the low-level threat, the amount of noise
generated by that threat is now so huge. We literally get 50
new incidents reported to us every day. We are only 1 of 90
emergency response teams, as well as a number of government
agencies who focus on this issue.
There is so much activity out on the network today. It is
very difficult to pull out from all of that noise the one or
two key things that you really need to pay attention to. In
order to stay ahead of this problem, I think we are going to
need to become much more sophisticated in the way we collect
and analyze incident data, so we can look for those key
indicators that there is something really significant going on.
Mrs. Biggert. Thank you. Thank you, Mr. Chairman.
Mr. Horn. Thank you. May I suggest that if we have some
additional questions, that we have a time problem here. A
number of us are involved in things that just go every 15
minutes, starting at around 12:05 p.m. So, if you do not mind,
we would like to submit some of these questions, I know that I
have, to you. Take your time, but we would love to have them in
the record at this point, your best thoughts, if that is OK
with you.
[The information referred to follows:]
Ms. Brown. Thank you very much for the opportunity.
Mr. Horn. Well, we thank you. The chart here I particularly
want your comments. That is our question 5, for the majority. I
think you have it. Now, this was prepared by counsel, Mr. Ryan.
He is 100 percent Irish. I am only 50 percent Irish. It is not
even St. Patrick's Day. I look at that. I looked for Jesse
Jackson on the floor. It looks like the Rainbow Coalition. He
is serious about this and we are.
So, we would like your best shot at it, in terms of all of
these organizations and how they can work on computer security
issues. The key question still remains on who is coordinating
this operation? Are there various ways, given the private
sector, the Federal sector, the State sector, the local sector,
the non-profit sector? So, if you would struggle a little with
that, we would appreciate it.
Well, thank you very much for coming. We will now swear in
the next panel.
Mr. Horn. We have Mr. Jim Gerretson, Director of
Operations, Information Assurance, ACS Defense, Inc.; Mr. Mark
Rasch, senior vice president and legal counsel, Global
Integrity Corp.; and Mr. James Adams, chief executive officer,
iDEFENSE.
Gentlemen, if you will just stand and raise your right
hands.
[Witnesses sworn.]
Mr. Horn. The clerk will note all three witnesses affirmed.
We will begin, Mr. Gerretson with you. It will be 5 minutes for
a summary. We are going to have to stick to that. We all have
your papers. If you were not in the room, they automatically go
in at this point in full. If you can give us a summary, and
then we would like to have some questions before noon. Then we
are going to have to break.
So, Mr. Gerretson, it is all yours.
STATEMENTS OF JIM GERRETSON, DIRECTOR OF OPERATIONS,
INFORMATION ASSURANCE, ACS DEFENSE, INC.; MARK RASCH, SENIOR
VICE PRESIDENT AND LEGAL COUNSEL, GLOBAL INTEGRITY CORP.; AND
JAMES ADAMS, CHIEF EXECUTIVE OFFICER, iDEFENSE
Mr. Gerretson. Mr. Chairman and members of the committee,
thank you for giving me the honor of testifying today. I am
here today to give you a brief presentation on hacking. We
believe that in order to start to fix your systems and
networks, that you have to understand the enemy, and hackers
really are the enemy. The following presentation will take you
briefly through what we call the hacker protocol and
demonstrate just some of the tools and techniques used by
hackers to gain access to your systems.
All of the tools that you are going to see today are freely
available on the Internet or you can go to a local computer
show on a weekend and, for $10 per CD, buy a full CD of
different types of hacks. The current data base that we have
contains over 3 gigabytes of data. What you see on the screen
before you is what we call the hacker protocol. Different
people may use different terms, but professional hackers in
nation states that implement hacking as warfare do follow the
same concepts.
The thing that is important to recognize here is this is
highly structured in its approach and in its planning. A good
hack, for better or for worse, is invariably a well-thought-
out, well-executed operation.
Mr. Horn. I might add on that very useful chart that, that
will be placed in the record at this point, without objection.
All other charts will be put in appropriately where they have
been used by the witness or the staff. So, all of those charts
will go in the final hearing report.
Mr. Gerretson. Thank you, sir.
[Slide shown.]
Mr. Gerretson. The first phase of the hacking protocol is
intelligence gathering. This is primarily an espionage
operation. There are many facets to it. Social engineering is a
large part. I may act as a user calling up a help desk and say
I have forgotten my password. Help desks are set up to be very
helpful. They will frequently say, the default password is, or
your network is. So, I get a lot of information that way.
Open source materials such as newspapers, prospectuses, and
library magazine articles are also a wonderful way of getting
information. You hear the term a lot, but ``dumpster diving''
is also a very popular way of getting information on your
system.
[Slide shown.]
Mr. Gerretson. Once we have done the intelligence
gathering, the next step is to do reconnaissance. Again, to
define the target. Your domain host is the name of your
computer system on the network. I want to know what I have got,
see if I can attack it, and how I can attack it. This is what
we are going to show you. It is a freely available program
called NMAP. We are going to take that information that we have
gathered and scan your network to determine what is there. The
program that we are using is called Ping Sweep.
[Slide shown.]
Mr. Gerretson. In simple terms, my computer is going out to
your network and saying, hello, are you there? Your computers
are coming back and saying, yes, I am. What you see here, with
these being listed, are computer targets that have come back
and said, I am here. What we have now done is identified a
target set. We are not wasting our time.
[Slide shown.]
Mr. Gerretson. The next slide, we are going to take one of
those targets that we have identified and go and look for
additional information. What we are trying to do is find out
what services are open, as you see, I am pointing out. These
are all considered services on a computer. This one, for
example, is finger, which we will talk about in a second.
What we are doing is finding a means to attack your system.
We are also going to go out to try to find out the operating
system that your computer is running which is again identified.
Once we have this information, we can now go and do specific
probes. What we are going to do is take that information and
look for a way to get into your system.
[Slide shown.]
Mr. Gerretson. This presentation that we are going to show
you now is one of the tools called Finger. It is an information
gathering tool, you are seeing it used in a way it was never
intended to be used. In order to attack and control the system,
you need three things. You need a valid user name. You need a
valid password, and you need a host address from the computer
system that is allowed to talk to you.
If you look across here, as I am highlighting ``student
one,'' I now have a valid ID and I now have a valid computer
system that I am talking from. I have two of the three items
that I need to attack this system.
[Slide shown.]
Mr. Gerretson. This next scan, web servers as we are all
aware, are a wonderful target for attack. It used to be that in
order to do the attack, I had to know all of the systems and
all of the vulnerabilities. Now, I have a tool that will run it
for me automatically. It requires very little work on my part.
It identifies the server type that is running and will simply
go out and scan all of the CGI weaknesses on this web system. I
do not even have to know what these systems are now.
I do not have to know what these vulnerabilities are. It
just tells me it finds one. I go out to my tool kit, pull in
this particular attack and away I go. Once we do that, we are
trying to get a toehold on the system. This is basically I just
get into your box any way I can. I cannot control the data. I
do not need it, but I am on it and it gives me the next step.
[Slide shown.]
Mr. Gerretson. The next step is to go from just being a
user into what we call the root or administrator level of the
system then we really do own this box. I am going to skip this
example.
[Slide shown.]
Mr. Gerretson. We are going to go and actually break into
this system and take it over. It acts as a user system. What
this program does is it shows us actually going in and doing an
attack on the system that in a matter of about 15 seconds turns
us into the root administrator of the box, simply from being a
user. Once we have gotten control of the system, there are a
lot of things we can do.
We could kill this box. We could take the information. But
what we do want to do is use it again later. So, we are going
to hide our track. We do not want people to know we are there.
We can do that by deleting files or modifying log files. We are
going to show you a quick example of how we just simply modify
a log file.
[Slide shown.]
Mr. Gerretson. This is a program called Wipe. We have a
user account. We are called ``Reacher.'' We get into the
system. If the system administrator were to check his logs, he
would say, why is this guy here? But we have gone and wiped it.
We are no longer there. We are now invisible to the person that
runs this machine.
[Slide shown.]
Mr. Gerretson. We can put Trojans on the system. A Trojan
is a program that will look like something that is a valid
program that is supposed to be there, but in effect it is a
program that does a lot of bad things. In this brief example,
listen. We can record every keystroke you type on the system.
We can turn on your sound system. So, if you have a microphone,
we can record everything that is said in the area, and you will
never know what happened.
[Slide shown.]
Mr. Gerretson. Now, that sounds bad and it gets worse. I will
make a bold statement that if you are connected to the network,
and if I have enough time and want to make the effort, I can
hack you. The only surefire way to protect your system is to
disconnect it from the network. Take out your floppy. Take out
your CD and then lock it up in a secure room. Anything short of
that, eventually it can be had.
It sounds pretty bad, but there is hope. It is not all bad;
just mostly bad. The first thing is you have to have a
vulnerability assessment. You have to know what your security
posture is. Second, we believe in the defense-in-depth
approach. It is vital. There is no single solution to make your
system secure. You have to have layered approaches that
complement each other.
The next thing, training is the key. As the earlier
witnesses said, there are good people out there, but they just
do not understand security. One of the key things to recognize
is the solution that works today may not work in 6 months. You
will never have a final solution. You are constantly
reassessing.
Thank you for your time.
[The prepared statement of Mr. Gerretson follows:]
Mr. Horn. Thank you very much.
We now have our second witness, Mr. Mark Rasch, who is the
senior vice president and Legal Counsel for the Global
Integrity Corp. Perhaps you would like to tell us a little bit
about the corporation.
Mr. Rasch. Yes, thank you, Mr. Chairman.
I work for Global Integrity Corp. It is a company that does
information security consulting work for the private sector.
So, our clients tend to be things like banks, insurance
companies, Fortune 100 companies that take the problem of
information protection. Notice I used the term ``information
protection'' and not computer security. They take that problem
seriously.
What we are trying to protect here is not the computers
themselves, but the information that is contained on those
computers. So, the perspective that I bring is what the private
sector sees as the problem and what the private sector is
trying to do itself to try to solve the problem. One of the
things we noticed is that the Commerce Department issued a
report in the last couple of days that indicates that U.S.
retail e-commerce sales for the fourth quarter of 1999, that is
October through December, was about $5.3 billion.
What has happened is this Internet that we created 20 years
ago is being asked to do something that it was never designed
to do. That is to support a national economy; to support a
national infrastructure that it was never designed to do. So,
what happens is we have this distributed computer network,
which was essentially unsecured. All of the security to that
network is essentially added afterwards.
That is being designed now and being asked to protect the
critical infrastructure. The attacks that we saw a few weeks
ago against Yahoo, eBay, and others also demonstrated another
problem. As a lawyer, this is one that concerns me much more
than what concerned me about the year 2000 bug problem, from a
litigation standpoint. That is that we are only as secure as
everybody else on the Internet.
As the previous panel discussed, these are targets of
opportunity. People attack systems because they can get in.
They attack the ones that they feel that they can get into.
Also, the fact that even if you have done stuff to harden your
system, people will break into other people's systems and use
those to attack you. So, what we have is a serious looming
litigation problem, or what we would call downstream liability.
If you are attacked by somebody and the attack is coming
from another corporation that did not secure the systems, and
you go to your lawyer and ask, can we sue, which is always the
dumbest question to ask a lawyer because the answer is always
yes. The question is who are you going to sue, the 17- or 18-
year-old hacker, if they are ever identified, or the
corporation from whom you are attacked?
So, the idea of a worldwide web that is dependent upon the
security of everybody else creates targets of opportunities,
not just for hackers, but for lawyers as well. One of the
problems also that we have seen is a massive increase, not only
in the use of the Internet and the use of the Internet for
electronic commerce, but of these types of criminal activity.
For example, from 1998 to 1999, theft of intellectual
property increased from 15 percent. Unauthorized access by
hackers from inside is up 28 percent. Insider abuse to the
Internet is up 17 percent. System penetration by external
parties increased 32 percent. Why is this happening? The first
reason is that attack technologies are becoming very easy to
use. So, as Mr. Gerretson just showed, you can go to any hacker
convention, pick up a copy of this disk, put it in your
machine, and knowing no more than a lawyer, which is a fairly
low standard I would say, put this in your machine and launch
an attack on any computer on the Internet.
You do not need to know a lot. It is point and click and
you are in. So, the tools are getting easier to use. They are
becoming more widely available. In addition, with the growth of
the Internet, you have tens of thousands and probably of
millions of insecure computers out there that are used as
targets of opportunity and methods of attack. The software is
becoming increasingly complex and much more difficult to
secure.
Software manufacturers who are building this software are
trying to design it to be functional. If you are coming out
with a new word processing program or you are trying to come
out with a new operating system, and you are under competitive
pressures to get it out to market, you want to make sure that
it is functional. Until companies demand security and the
government demands security as an integral part of
functionality, I do not think the manufacturers are going to
ship these things as being at least more secure.
So, these are some of the problems. What is the private
sector doing? Well, speaking just for Global Integrity, we are
doing two things working with the financial services industry,
which I think is a model for both the government and for other
private sector enterprises. One of them is something called the
BITS Laboratory that we are working with the Banking Industry
Technology Secretariat and a consortium of banks.
What they are doing is they are developing a series of
security standards. We at Global, are testing computer
products, hardware, software, and other types of products,
against the security criteria. The idea is that the marketplace
then will say, for example, banks will say unless your software
has been tested against these criteria, we will not buy it.
Unless it is pre-configured to be in a secured manner, we will
not buy it.
So, we are using the marketplace as a method of trying to
ensure security. The second thing is the Financial Services
Information Sharing and Analysis Center [FSISA]. This is
something that we are doing. Financial services industries,
banks, insurance companies, and the like have a secure method
of sharing information amongst themselves about attacks and
vulnerabilities.
Let us face it, they do not want to tell people that they
have been attacked, but they are happy to share information
among themselves, if that will lead to more security. These are
some of the models that are currently in place. We need to do
more in the private sector and in the government sector to help
secure the infrastructure.
Thank you.
[The prepared statement of Mr. Rasch follows:]
Mr. Horn. Thank you very much.
Our next witness and the last one on this panel is Mr.
James Adams, chief executive officer of iDEFENSE.
Mr. Adams. Chairman Horn and members of the committee, I
want to thank you very much for inviting me here today. Few
revolutions are accomplished without bloodshed. Already as we
plunge headlong into the knowledge age, we are beginning to
receive the initial casualty reports from the front lines of
the technology revolution.
From the headlines, you would think that the recent denial-
of-service attacks were the beginning of the end of cyber world
as we know it. Nothing could be further from the truth. These
were mere in-breaks on the audio-V commerce. Consider instead
that some 30 countries have aggressive, offensive information
warfare programs. All of them have America firmly in their
sights.
Consider too that if you buy a piece of hardware or
software from several countries, among them, some of our
allies, there is real concern that you will be buying doctored
equipment. It will syphon copies of all material that passes
across that hardware or software back to the country of
manufacture.
The hacker today is not just the stereotypical computer
geek with a grudge against the world. The serious hacker today
is much more likely to be in the employ of government, big
business, or organized crime. Consider the band of Russian
hackers who, over the past 2 years, have syphoned off an
enormous amount of research and development secrets from United
States corporate and government entities in an operation code
named Moonlight Maze.
I would like to focus on this nexus between the public and
private sectors, and on the government's efforts to respond to
the growing threat. A couple of illustrations to begin; 20
years ago, some 70 percent of all technology development was
funded by the public sector. Today, that figure is under 5
percent. In other words, in the course of one generation, every
government agency should have changed how it does business.
Has that happened? No. Looking ahead for that same 20-year
period, we will see the following. The ordinary computer that
you have on your desk will have the computing capacity of the
human brain. At the same time, research offers the possibility
of our ability to manufacture perfectly the human body. So, in
the course of a generation, our view of life, death, family,
society, and culture, the bedrocks of our way of life down
this century will have changed forever.
Is government or the private sector thinking and planning
for such fundamental change? No. One further point; the pace of
the revolution is accelerating rapidly. Yet, the pace of change
within government seems to be exactly the same today as it was
10 years ago. How has the government responded so far? Well,
there has been the usual President's Commission and then the
Principal's Working Group, then the bureaucratic compromise
that nobody really wanted, and then the national plan which
arrived 7 months late and was not a plan at all, but an
invitation to further discussion.
[Chart shown.]
Mr. Adams. These two charts that I brought today illustrate
the current chaos. What you see is a totally disorganized
organization chart. One that, if it were in the private sector,
would be a sign of imminent bankruptcy. You see no clear
leadership. You see duplication of efforts; the waste of
billions of dollars of taxpayers' money, and the struggle by
stovepipe agencies to retain power, influence, and money.
In other words, there is no coherent strategy and the
tactics are not about winning a war, but about preserving turf.
There are, of course, some notable exceptions to this. You have
heard from one of them today, John Tritak. What is needed today
is an outside entity with real power to implement drastic
change in the way government approaches technology and the
underlying security of its systems.
What is needed most is a personal entity that would draw on
skill sets in many areas that will overlap those of the CIO,
CFO, or CSO, and most of the other officers or entities in any
organization. Let us give this new person the title of chief of
business assurance. He or she would be in charge of the Office
of Business Assurance. Business assurance is more than
security, more than technology, and more than a combination of
the two.
It is an understanding of the whole environment and what
that means for a business or a public sector operation. The
CBA's task would be to continuously gather and synthesize
infrastructure-related trends and events to intelligently
evaluate the technological context within which the
organization operates, to identify and assess potential
threats, and then to suggest defense action.
Viewed from the positive side, to assess the technological
revolution's opportunities and propose effective offensive
strategies. The Office of Business Assurance must be a totally
independent organization with real teeth and real power within
government. There is much in common between government and
industry when it comes to the challenges and the opportunities
that the technology revolution poses.
Both sectors face a common threat. Both sectors share
common goals. Both employ technologies that are, in essence,
identical. Both must work together to protect each other. I
will leave you with this thought. You will employee total
transformations of the way business and government is conducted
internally and externally going forward. We have heard a great
deal in recent months about the potential of a digital divide
that is developing between the computer-haves and the computer-
have-nots.
I believe there is another digital divide that is growing
between the American Government and its citizens. If this
committee's efforts do not move forward in changing this
cultural inertia, there is real danger that the digital divide
that exists between the government and the private sector will
only widen. We cannot afford a situation where the governed
feel that their government is out of touch and increasingly
irrelevant to their lives.
Thank you.
[The prepared statement of Mr. Adams follows:]
Mr. Horn. Thank you. All three of you have made some really
excellent suggestions. Let me start some of this query. Let me
note that, Mr. Rasch, you were very active before you took your
current job. You were a trial attorney with the Fraud Section
of the Criminal Division of the U.S. Department of Justice. You
left the Department in 1991. You were the sole attorney in the
Computer Crime Unit. That was on a part-time basis.
The Computer Crime and Intellectual Property Section of the
Department of Justice today consists of 18 attorneys. The
Internet consisted of perhaps 60,000 computers. Then you have
made some very thoughtful things. Let me pursue this. I turned
to Mr. Ryan, the counsel to the subcommittee, when you were
testifying. I said, let us draft a bill that would make this
simply illegal.
Now, how does the Justice Department, what does it use to
be able to get after hackers now? What laws? Do you need new
legislation which would ban them and get those out of here?
Mr. Rasch. The principal statute that exists to prosecute
Federal computer crimes is 18 U.S.C. Section 1030, which is the
Federal computer crimes statute. That focuses on activities.
For example, intentionally accessing a computer without
authorization or disrupting authorized access to a computer.
So, for example, the recent attacks and the denial-of-service
attacks squarely come within the ambit of that statute and are
being aggressively investigated and could be prosecuted under
that.
Mr. Horn. Are there any First Amendment concerns on this?
Mr. Rasch. Probably not. This is action and not speech.
Although just as burning down a building may be an expression,
it certainly is not a protected expression. There are some
First Amendment concerns in the area of encryption and some
legislation. There is some case law on the question of whether
or not software itself acts as a form of expression. That
relates to these types of hacker tools.
The dissemination of hacker tools themselves; whether or
not that type of dissemination is criminal. There are really
two separate statutes that could be used there. One is the
Digital Millennium Copyright Act which passed last year, which
is right now being used in a civil lawsuit against the people
who attempted to reverse-engineer the DVD codes to allow them
to pirate software and things like that.
So far, it has withstood a challenge on Constitutional
grounds. The second one would be 18 U.S.C. Section 1029 which
makes it illegal to disseminate what are called access devices,
which could be such things as passwords and things like that.
Mr. Horn. Any comments on those?
Mr. Adams. I think you raise an interesting point, Chairman. I
would just make this in addition to what Mark was saying. There
has been a great deal of focus on law enforcement. Of course,
law enforcement has a prominent role to play in this. The speed
of the revolution is such that, that is very much after the
fact, obviously. An event has occurred. We failed and therefore
we have to do something about it.
By the time somebody is caught and prosecuted, the
revolution has moved several steps forward. So, we need to
think about what does the prevention look like in the globally
virtual environment in which we find ourselves. Then if that
fails, of course you need something to follow that up. The
first step has to be a much more comprehensive approach to
prevention, warning, intentions, good intelligence, and so on.
Mr. Horn. At this point, I am going to turn the Chair over
to the vice chairwoman, Mrs. Biggert, the gentlewoman from
Illinois. I, unfortunately, have other commitments that I have
got to do. I want Mr. Turner and Mrs. Biggert to get all of the
questions out that they can. So, thank you particularly for
functioning and coming here.
Mrs. Biggert [presiding]. Mr. Turner, you are recognized
for questions.
Mr. Turner. Mr. Adams, you were showing us your two charts
here, which I guess were designed to display the multitude of
efforts within various Federal agencies to deal with
information system security. Rather than look at that as a
failed effort, I guess it shows that every agency is struggling
to try to keep up with the problem.
There are obviously some things that we ought to do to
consolidate the effort. This battle is so dependent upon
technical expertise. One of the battlefields where we should be
fighting on is to figure out how to train people to work for
the good guys. There are probably people within these Federal
agencies that are noted to be outstanding technical experts
that do good work in trying to find solutions and trying to
make the systems secure.
Are we going to be constantly behind the curve in terms of
what government does? I think it is probably difficult to
attract the best and the brightest to the public sector. I am
sure that Global Integrity and others of the world are going to
be reaching out and trying to pay the salaries necessary to
attract the people who could really create the defensive
mechanisms you need.
Mr. Adams. I think those are very good points. We clearly
face a very difficult dilemma. The government is at the front
line here, as is the private sector. The private sector, my
largest number of recruits come from government agencies. The
private sector is hiring the best and the brightest and moving
forward very quickly. Clearly, there needs to be a relationship
between the public and private sector. Look, for example, at
what the CIA is doing to try and keep itself up to speed with
the pace of technology change.
It is doing that by establishing essentially a venture
capital arm that is the interface between the public and
private sector. So, you have that on the one hand; different
ways of doing it. On the other hand, something that the Federal
Government can do dramatically different is push education into
the system, so that what we are doing is seeding the next
generation and the generation after that to keep itself up to
speed.
The Federal Government is going to be an enabler. It is not
going to be able to mandate very much. This revolution is
occurring outside of its orbit. So, it can do a lot of things
to influence it. It needs to, I think, do that more creatively
so that it is seeding the population. We have tremendous
shortages of skills at the moment in the whole area of
computers, and computer security, information security, and so
on.
So, how to tackle that more creatively and aggressively is
going to be a very important issue which is partly where it all
comes back to leadership. You need to have a more creative and
push-through process than we have at the moment.
Mr. Turner. If you were to have a free hand at creating an
entity that would do that, what would it look like?
Mr. Adams. Well, I think what the lesson we have learned in
this revolution from the private sector is that if you take an
old economy company and you try and transition it to the new
economy, this will largely fail. What you have to do is do the
Apple Computer model. You set up a new building, different
people, and put a pirate flag on the roof. They developed a
culture and they forced something else into the system, which
is why this idea of a Business Assurance, some sort of entity
that sits outside of the Federal Government that is able to
communicate effectively with the private sector and with the
public sector and force through change.
What those charts illustrate is, as you rightly say, lots
of people try to fix it. These are people of good will, by and
large. They are unable to move collectively aggressively
enough. They are falling further and further behind in the
revolution, which is this disconnect. It is very dangerous in a
democracy. So, if you can have a way of driving through change,
something with real power, the Koskinen model, but with muscle,
not just please will you all sit around the table.
If you do not do this, you will be held accountable for
failure. That is something where there is an opportunity
perhaps because it is the private sector that has the expertise
and the energy. That is going to continue to be the case. That
is just going to be a fact of life. So, much better to try and
figure out a way to bridge that gulf, rather than say, well, we
can actually fix it all ourselves. It is all about a
partnership between the private and the public sector, making
that work and then driving it into the public sector.
That is the trick for you all to try and come up with a way
of creating something very muscular that will force change,
rather than saying, well, let us get around to it in another
couple of years. Too late.
Mr. Turner. Although we obviously have to let the CIA do
their own thing, would that kind of model work for the rest of
government?
Mr. Adams. I think it is too early to say at the agency.
Clearly, what we know is that they are bringing some
interesting technology back into the system. The problem comes
then is this is a voluntary exercise. We found this really cool
stuff. We think you should use it. Can the culture be forced to
change? The CIA is a very inert bureaucracy like a lot of
government agencies. Will that drive it through?
I think it is an interesting model in creating the place
for dialog, but it is a difficult challenge. For example, there
is a government agency that is currently revising its ways of
procuring things, trying to keep on the front of technology. It
feels that it is making a big step forward by doing changes in
2 years; design and implementation in a couple of years. My
company is not into design and implementation in 90 days. I
cannot afford to do it because I am losing market share.
So, how do you change that culture to a place which is much
more reflective of what is happening in the private sector? It
is a very difficult challenge. It has to, I think, have
somebody. You are talking about very big picture stuff here;
billions, and billions, and billions of dollars, where you have
a single entity that says you do this my way or it is not going
to happen; so forcing it.
This is very counter-culture to the way governments
traditionally work. One of the great strengths of democracy and
the great strength of government entities is that they slowly
evolve. They move forward to match a pace. Well, in a
revolution that is very hard because you cannot afford to
evolve in the same way. You have to either become a
revolutionary or you get swept away. We have seen examples of
that throughout history.
That is why this is both a dangerous and a very challenging
time; dangerous because it can threaten the institutions that
provide stability, but a tremendous opportunity for America as
the leading Nation in the world to move with the revolution,
embrace it, and drive it forward. The government and the
private sector have to come together somehow to make that so.
Mr. Turner. Thank you.
Mrs. Biggert. Thank you. Mr. Gerretson and probably Mr.
Rasch, how vulnerable are home computer users? You mentioned
that the whole Internet is only as secure as the most
vulnerable link. Then after that, if after they surf the web
and turn off their modems, are there still risks to the system?
Mr. Gerretson. I will take the first shot at that. The
first answer is if you are on a dial-up modem, you are
vulnerable while you are connected. Cable modems and DSL are
widely becoming available now. They are always on. I run a
private network at my house. I have a firewall. Every night I
have probably six to eight of what I call drive-by shootings
where somebody comes and just tries out my system to see if
they can get a hold of it.
The answer is they are very vulnerable. There is very
little protection on them because it sits on there. Without
that firewall, I probably would have been one of what they call
the zombie machines attacking Yahoo and would have never known
it. As the cable modems and the DSLs get more and more
ubiquitously available, it is a huge problem.
Mr. Rasch. I would mirror that. We did a study at Global
where we left a cable modem on at a home PC and simply tested
it to see how many times, without a firewall deliberately, to
test to see how many times it was attempted to be attacked. We
found that in 1 month, almost 6,000 attempted attacks on a home
PC.
What was interesting about that study, however, was the
fact that these attacks were coming from Eastern Europe, from
Africa, from Asia, as well as from the United States. So, these
are coordinated concerted attacks on any computer that they can
find on the Internet. That would include home PCs in the
always-on mode; particularly, those on DSL connections or cable
modems.
Mrs. Biggert. So, in theory, these really then could lead
you into, let us say, a Federal agency through those computers?
Mr. Rasch. Absolutely.
Mr. Gerretson. That is right.
Mrs. Biggert. OK. Then we talked in the first hearing about
this chart with the yellow bubbles at the top and sides
representing the executive branch, and then those organizations
that also have a stake-hold in the Federal computer security.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7018.159
Mrs. Biggert. So, to me, it looks very similar to your
chart, Mr. Adams. The problem is that we have kind of a blank
in the middle. So, would you all agree that we need an outside
coordinator to be in control of this to coordinate all of our
efforts?
Mr. Gerretson. Well, ma'am, I would say that my first
question when I saw this chart and I was talking to Mr. Ryan
about this is, who is coordinating the coordinators? It seems
to be somewhat disorganized. I would like to make one little
statement about that. The one advantage that the Federal
Government has is that they know they are screwed up. We do a
lot of commercial work.
If you get outside of the IA Groups, they do not even know
they are in trouble. So, yes, you are lagging behind, in some
cases, but, at least you know you are lagging behind. That is
kind of contrary in view, but there are advantages to what you
are doing. This is a problem.
Mr. Rasch. What I see as the problem is a definition of
function. What we really need somebody to do is to say, not so
much just coordinate the efforts, but say, all right, testing.
That is NIST. For developing new technologies, that is somebody
else. Basically, not so much coordinating, but defining who has
what roles. One of the things that happened with the
development of the Computer Emergency Response Team at Carnegie
Mellon, the CERT Team, it was a wonderful idea, and remains a
wonderful idea, and works very well.
Now, we have dozens, and dozens, and dozens of computer
emergency response teams. The problem with that is it is like
living in a town that has 20 different 911 numbers. So, you run
into a problem of who are you going to call. So, you need to
really define the functions first and then decide who is going
to coordinate between and among those functions.
Mrs. Biggert. This has been very interesting. Obviously,
you have heard the bells. We have another vote. So, I think
that we will have to adjourn at this time. We will be having
several more hearings. I know that we will be pursuing this
more in-depth. I agree with you that we are behind and we need
to look at this problem. I think that this has been a great
start for this committee. So, I really appreciate you all
participating and look forward to asking more questions of you,
I am sure, in the future when we get into this.
So, without more, this committee hearing is adjourned.
[Whereupon, at 12:05 p.m., the subcommittee was adjourned.]