[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]

INDUSTRY SPEAKS ON CYBERSECURITY
=======================================================================

HEARING of the SUBCOMMITTEE ON CYBERSECURITY, SCIENCE AND RESEARCH, AND DEVELOPMENT before the SELECT COMMITTEE ON HOMELAND SECURITY, HOUSE OF REPRESENTATIVES, ONE HUNDRED EIGHTH CONGRESS, FIRST SESSION

JULY 15, 2003

Serial No. 108-16

Printed for the use of the Select Committee on Homeland Security
Available via the World Wide Web: http://www.access.gpo.gov/congress/house

U.S. GOVERNMENT PRINTING OFFICE, WASHINGTON : 2004

SELECT COMMITTEE ON HOMELAND SECURITY

CHRISTOPHER COX, California, Chairman

JENNIFER DUNN, Washington
C.W. BILL YOUNG, Florida
DON YOUNG, Alaska
F. JAMES SENSENBRENNER, JR., Wisconsin
W.J. (BILLY) TAUZIN, Louisiana
DAVID DREIER, California
DUNCAN HUNTER, California
HAROLD ROGERS, Kentucky
SHERWOOD BOEHLERT, New York
LAMAR S. SMITH, Texas
CURT WELDON, Pennsylvania
CHRISTOPHER SHAYS, Connecticut
PORTER J. GOSS, Florida
DAVE CAMP, Michigan
LINCOLN DIAZ-BALART, Florida
BOB GOODLATTE, Virginia
ERNEST J. ISTOOK, JR., Oklahoma
PETER T. KING, New York
JOHN LINDER, Georgia
JOHN B. SHADEGG, Arizona
MARK E. SOUDER, Indiana
MAC THORNBERRY, Texas
JIM GIBBONS, Nevada
KAY GRANGER, Texas
PETE SESSIONS, Texas
JOHN E. SWEENEY, New York

JIM TURNER, Texas, Ranking Member
BENNIE G. THOMPSON, Mississippi
LORETTA SANCHEZ, California
EDWARD J. MARKEY, Massachusetts
NORMAN D. DICKS, Washington
BARNEY FRANK, Massachusetts
JANE HARMAN, California
BENJAMIN L. CARDIN, Maryland
LOUISE McINTOSH SLAUGHTER, New York
PETER A. DeFAZIO, Oregon
NITA M. LOWEY, New York
ROBERT E. ANDREWS, New Jersey
ELEANOR HOLMES NORTON, District of Columbia
ZOE LOFGREN, California
KAREN McCARTHY, Missouri
SHEILA JACKSON-LEE, Texas
BILL PASCRELL, JR., New Jersey
DONNA M. CHRISTENSEN, U.S. Virgin Islands
BOB ETHERIDGE, North Carolina
CHARLES GONZALEZ, Texas
KEN LUCAS, Kentucky
JAMES R. LANGEVIN, Rhode Island
KENDRICK B. MEEK, Florida

JOHN GANNON, Chief of Staff
UTTAM DHILLON, Chief Counsel and Deputy Staff Director
DAVID H. SCHANZER, Democrat Staff Director
MICHAEL S. TWINCHEK, Chief Clerk

SUBCOMMITTEE ON CYBERSECURITY, SCIENCE, AND RESEARCH & DEVELOPMENT

MAC THORNBERRY, Texas, Chairman

PETE SESSIONS, Texas, Vice Chairman
SHERWOOD BOEHLERT, New York
LAMAR SMITH, Texas
CURT WELDON, Pennsylvania
DAVE CAMP, Michigan
ROBERT W. GOODLATTE, Virginia
PETER KING, New York
JOHN LINDER, Georgia
MARK SOUDER, Indiana
JIM GIBBONS, Nevada
KAY GRANGER, Texas
CHRISTOPHER COX, California, ex officio

ZOE LOFGREN, California
LORETTA SANCHEZ, California
ROBERT E. ANDREWS, New Jersey
SHEILA JACKSON-LEE, Texas
DONNA M. CHRISTENSEN, U.S. Virgin Islands
BOB ETHERIDGE, North Carolina
CHARLES GONZALEZ, Texas
KEN LUCAS, Kentucky
JAMES R. LANGEVIN, Rhode Island
KENDRICK B. MEEK, Florida
JIM TURNER, Texas, ex officio

C O N T E N T S

STATEMENTS

The Honorable Mac Thornberry, Chairman, Subcommittee on Cybersecurity, Science, and Research & Development, and a Representative in Congress From the State of Texas
The Honorable Christopher Cox, Chairman, Select Committee on Homeland Security, and a Representative in Congress From the State of California
The Honorable Jim Turner, Ranking Member, Select Committee on Homeland Security, and a Representative in Congress From the State of Texas
The Honorable Robert E. Andrews, a Representative in Congress From the State of New Jersey
The Honorable Donna M. Christensen, a Delegate in Congress From the U.S. Virgin Islands
The Honorable Bob Etheridge, a Representative in Congress From the State of North Carolina
The Honorable Sheila Jackson-Lee, a Representative in Congress From the State of Texas
The Honorable Zoe Lofgren, a Representative in Congress From the State of California
The Honorable Loretta Sanchez, a Representative in Congress From the State of California
The Honorable Pete Sessions, a Representative in Congress From the State of Texas
The Honorable Lamar S. Smith, a Representative in Congress From the State of Texas

WITNESSES

Mr. Jay Adelson, CTO & Founder, Equinix, Inc. (oral statement; prepared statement)
Mr. Whitfield Diffie, Chief Security Officer, Sun Microsystems, Inc. (oral statement; prepared statement)
Ms. Tatiana Gau, Chief Trust Officer and Senior Vice President, America On-Line (AOL) Core Services, AOL Time Warner (oral statement; prepared statement)
Mr. Frank Ianna, President--AT&T Network Services, AT&T Corporation (oral statement; prepared statement)
Dr. James Craig Lowery, Chief Security Architect/Software Architect and Strategist, Dell Computer Corporation (oral statement; prepared statement)
Mr. Phil Reitinger, Senior Security Strategist, Microsoft Corporation (oral statement; prepared statement)

APPENDIX

Materials Submitted for the Record
Responses to Questions for the Record from Dr. James Craig Lowery
Responses to Questions for the Record from Mr. Jay Adelson
Responses to Questions for the Record from Mr. Frank Ianna
Responses to Questions for the Record from Ms. Tatiana Gau
Responses to Questions for the Record from Mr. Phil Reitinger

INDUSTRY SPEAKS ON CYBERSECURITY
----------

TUESDAY, JULY 15, 2003

U.S. House of Representatives, Subcommittee on Cybersecurity, Science and Research and Development, Select Committee on Homeland Security, Washington, D.C.

The subcommittee met, pursuant to call, at 10:02 a.m., in Room 2118, Rayburn House Office Building, Hon. William Thornberry [chairman of the subcommittee] presiding.

Present: Representatives Thornberry, Sessions, Boehlert, Smith, Camp, Linder, Lofgren, Sanchez, Andrews, Jackson Lee, Christensen, Etheridge, Lucas, Langevin, Meek, Cox (ex officio), Turner (ex officio); also present, Dunn.

Mr. Thornberry. [Presiding.] The hearing will come to order. This hearing of the Subcommittee on Cybersecurity, Science, Research & Development will take testimony today on industry perspectives on cybersecurity. And let me first thank each of the witnesses for making the effort to be here today. As you look down the line, it is truly not only a group that has a lot to offer to this subcommittee, but the world leaders in so many fields.
So I appreciate each of you being here, and I appreciate the staff being able to assemble this panel and all we have, and enable us to learn from it.

Ms. Lofgren and I again ask unanimous consent that members other than the chairman and ranking member waive oral written statements--oral opening statements, written opening statements will be made part of the record and each of the witnesses' written statements will also be made a part of our record.

And at this time the Chair will yield to the distinguished gentlelady from California, Ranking Member Ms. Lofgren.

Ms. Lofgren. Thank you, Mr. Chairman. This is a terrific panel and I know that we at the end of the day will know more about what we face as a nation in the area of cybersecurity and will have, I think, a better idea of the prudent steps that we should take.

I am especially pleased--I mean, every one of the witnesses is spectacular--but I would like to issue a special welcome to Whit Diffie, who was part of the encryption wars that Mr. Goodlatte and I engaged in with so many of the members of the committee a few years ago, and the inventor of public key encryption.

I hope that as we hear from the witnesses, we can particularly hear about your company's investment into research and development on cyber vulnerabilities, and without going into specifics, learn about the various types of cyber attacks your company has faced in the past year, your company's policies on information-sharing relative to cyber attacks as well as any experience you have had in dealing with the Department of Homeland Security.

As the chairman and I have discussed on past occasions, I think we all know the issue really is what benchmarks do we put in place, how do we audit or ensure benchmarks are being met, and which carrot and stick do we put in place. And those are broad categories, but the details are troublesome.
And so that is what we are, I think, dealing with and we know that most of the infrastructure that needs to be protected is in the private sector, so it is absolutely so important that you are here today. And I would ask--well, we already have consent to put my full statement into the record. And I thank the chairman for yielding.

Mr. Thornberry. Thank you, gentlelady. And I think we see things exactly the same. We are not going to be successful as a country without a partnership with each of you and other industry folks.

So at this time I want to turn to our witnesses. As I mentioned, your full written statement will be made part of the record, and I will invite each of you to either summarize it or make such comments as you wish. We are going to go down the row. And I am going to start with Philip Reitinger, who is senior security strategist with Microsoft. Thank you for being here with us today. And you are recognized for five minutes.

STATEMENT OF MR. PHIL REITINGER, SENIOR SECURITY STRATEGIST, MICROSOFT CORPORATION

Mr. Reitinger. Thank you very much. Good morning. Good morning, Chairman Thornberry, Ranking Member Lofgren, and members of the subcommittee. As the chairman indicated, my name is Philip Reitinger, and I am a senior security strategist with Microsoft Corporation. I want to thank you for the opportunity to appear before you here today to provide our views on an issue that affects government, businesses and consumers--cybersecurity.

Microsoft is deeply committed to confronting the challenges of cybersecurity and we recognize our responsibility to make our products ever more secure. Our efforts accelerated after September 11 and crystallized when Bill Gates launched our trustworthy computing initiative in January 2002. Trustworthy computing is Microsoft's top priority and involves every aspect of the company. Last year, we had all 8,500 developers on the Windows team stop developing new code to focus on security.
We spent over two months training our developers, reviewing the security of existing code, reducing potential vulnerabilities, modeling threats, and conducting penetration testing of the code. This critical investment cost us an estimated $200 million dollars and delayed by months the release of our recent Windows Server 2003 product.

Trustworthy computing, broadly, means that we are working to ensure that computers better protect the security of personal and corporate information, enable people in organizations to control how their information is used, and are more reliable. Security, privacy, reliability and business integrity are the core pillars of our trustworthy computing initiative.

In this effort, we are working to create products and services that are secure by design, secure by default, secure in deployment, and to communicate openly about security. Secure by design means two things: writing more secure code and architecting more secure products and services. Secure by default means writing computer software that is secure out of the box, whether in a home environment or an IT department. Secure in deployment means making it easier for consumers and IT professionals to maintain the security of their systems. And communications means sharing what we have learned, both within and outside of Microsoft, particularly through our industry-leading response center.

The trustworthy computing goals are ingrained in our culture and are part of the way we value our work. Yet, we recognize that trustworthy computing and improved cybersecurity will not result from the efforts of one company alone. As demonstrated by my colleagues on this panel, we are not alone in these efforts. Microsoft is dedicated to working together with these industry partners and with government leaders to make the goals of trustworthy computing an industry-wide reality.
We do so in a number of forums, including the IT ISACs, the Partnership for Critical Infrastructure Security, the National Cybersecurity Alliance and the Trusted Computing Group.

We also recognize that technology, alone, cannot provide a complete answer. I want to outline a few specific areas where government policy can help promote cybersecurity.

First, the government can help by recognizing IT products engineered for security and by securing its own systems. This can include purchasing common-criteria certified products, and even awarding a Malcolm Baldrige type of award for security solutions.

Secondly, we support additional federal funding for cybersecurity research development, including university-driven research that can be transferred to the private sector so that industry can further develop this technology and deploy it widely.

Third, we support an international law enforcement framework that establishes minimum criminal liability and penalty rules for cyber crime, so that cyber attackers cannot escape punishment for attacks against the United States by seeking refuge outside our borders.

Fourth, the government must be both a provider as well as a consumer of valuable threat information.

Finally, even with the creation of the Department of Homeland Security and the National Cybersecurity Division, both of which Microsoft supported, cybersecurity remains an interagency problem. Without a multi-disciplinary effort by both government and industry, we will not succeed.

In conclusion, Microsoft is committed to strengthening the security of our products and services and is equally committed to working with governments and our industry peers on security issues. In the end a coordinated response to cybersecurity risks offers the greatest hope for promoting security and fostering the growth of a vibrant online economy. Thank you very much.

[The statement of Mr. Reitinger follows:]

PREPARED STATEMENT OF MR. PHILIP REITINGER

Chairman Thornberry, Ranking Member Lofgren, and Members of the Subcommittee:

My name is Philip Reitinger, and I am a Senior Security Strategist at Microsoft reporting directly to Microsoft's Chief Security Strategist. I want to thank you for the opportunity to appear today to provide our views on an issue that affects governments, businesses, and consumers around the world--cybersecurity.

It is the responsibility of all of us to ensure that the tremendous benefits of technology for governments, business and consumers are not thwarted by attacks on our computer systems. Because most cyber attacks are not discovered or, if discovered, are not reported, and because we have no national or international statistically rigorous measurement of damages from cyber crime, the exact cost of cyber attacks to companies and consumers is unknown. But four things are clear:

First, there are people in cyberspace who seek to corrupt our systems. These criminals act with the knowledge that they are highly unlikely to be caught, let alone prosecuted and imprisoned.

Second, the known damages are significant--perhaps in the billions of dollars annually. Software applications and operating systems, and the networks on which they reside, are ubiquitous and integral to society, and attacks upon them can cause significant disruption.

Third, as September 11th taught us, our preconceived notions of the risk from terrorism and other threats may underestimate the actual risk by orders of magnitude. A cyber attack on the backbone of one of our nation's critical information infrastructures could disrupt America's physical and economic well-being and have a massive worldwide impact.

Fourth, and most important, these attacks have an impact greater than immediate financial loss. Perhaps their greatest cost is the loss of consumer trust in information technology. Without such trust, society cannot realize the full potential of information technology.
Thus, the effort to achieve cybersecurity--to achieve the trust necessary to reap the benefits of the digital age--is a critical priority for us all.

At Microsoft, we are deeply committed to cybersecurity and we recognize our responsibility to make our products ever more secure. We are at the forefront of industry efforts to enhance the security of computer programs, products and networks, and better protect our critical information infrastructures. We also work closely with our partners in industry, government agencies and law enforcement around the world to identify security threats to computer networks, share best practices, improve our coordinated response to security breaches, and prevent computer attacks from happening in the first place. These efforts accelerated after September 11 and crystallized when Bill Gates launched our Trustworthy Computing initiative in January 2002.

Today, I want to describe the ways in which we believe industry and government can work in partnership to promote cybersecurity. First, I will discuss our commitment to Trustworthy Computing and how it is reflected in our products and our research and development efforts. Next, I will discuss our efforts to join forces with industry and government to help guard against cyber-threats and enhance security for businesses and consumers. Finally, I will address government's critical and tailored role in enhancing cybersecurity.

Microsoft's Commitment to Trustworthy Computing

Trustworthy Computing is Microsoft's top priority and involves every aspect of the company. Last year, we had all 8,500 developers on the Windows team stop developing new code to focus on security. We spent over two months training our developers, reviewing the security of existing code, reducing potential vulnerabilities, modeling threats and conducting penetration testing of the code. This effort cost us an estimated $200 million dollars, and delayed by months the release of our recent Windows Server 2003 product.
But we know that it was worth these costs, and it was a critical step to enhance the security of Microsoft's key software platform.

``Trustworthy Computing'' broadly means that we are working to ensure that computers better protect the security of personal and corporate information, enable people and organizations to control how their information is used, and are more reliable. We also are working to ensure that when problems do arise, they can be resolved immediately and predictably. Security, privacy, reliability and business integrity are the core pillars of our Trustworthy Computing initiative.

The security pillar of Trustworthy Computing is most relevant for today's hearing. Under this pillar, Microsoft is working to create products and services that are Secure by Design, Secure by Default, and Secure in Deployment, and to communicate openly about security.

``Secure by Design'' means two things: writing more secure code and architecting more secure products and services. Writing more secure code means using a redesigned software development process that includes training for developers, code reviews, automated testing of code, threat modeling, and penetration testing. Architecting more secure products and services means designing products with built-in and aware security, so that security imposes less of a burden on users and security features are actually used.

``Secure by Default'' means that computer software is secure out of the box, whether it is in a home environment or an IT department. It means shipping products to customers in a locked-down configuration with many features turned off, allowing customers to configure their systems appropriately, in a more secure way, for their unique environment.

``Secure in Deployment'' means making it easier for consumers and IT professionals to maintain the security of their systems. We have a role in helping consumers help themselves by creating easy-to-use security technology.
Due to the complexity of software and the multiple environments in which it may be placed, software will never be perfectly secure while also being functional. Accordingly, ``secure in deployment'' means providing training on threats and security; offering guidance on how to deploy, configure and maintain products securely; and providing better security tools for users, so that when a vulnerability is discovered, the process of patching that vulnerability is simple and effective.

``Communications'' means sharing what we learn both within and outside of Microsoft, providing clear channels for people to talk to us about security issues, and addressing those issues with governments, our industry counterparts, and the public.

The Trustworthy Computing goals are real and specific, and this effort is now ingrained in our culture and is part of the way we value our work. It is demonstrated by our enhanced software development process. It is demonstrated by our continued development of more sophisticated security tools, including threat models and risk assessments, to better identify potential security flaws in our products. It is demonstrated by our formation of what we believe to be the industry's best security response center to investigate immediately any reported product vulnerability and build and disseminate the needed security fix. And perhaps more clearly than anything else, it is demonstrated by our delay in releasing a product for months to continue to improve its security. In short, security is--as it should be--a fundamental corporate value. We make every effort to address security in the initial product design, during product development, and before a product's release, and we remain committed to security in the product once it has gone to market.

At times, of course, people worry that increased security may lead to an erosion of privacy. It is important to note that we do not view security and privacy as being in inevitable conflict.
In fact, we think technology can help protect both simultaneously. We hear repeatedly from customers that they need new ways to control how their digital information is used and distributed. In response, we are working on a number of emerging rights management technologies that will help protect many kinds of digital content and open new avenues for its secure and controlled use. For example, we are on the verge of releasing Microsoft Windows Rights Management Services (RMS), a premium service for Windows Server 2003 that works with applications to help customers protect sensitive web content, documents and e-mail. The rights protection persists in the data regardless of where the information goes, whether online or offline. In this way it allows ordinary users and enterprises to take full advantage of the functionality and flexibility offered by the digital network environment--from sharing information and entertainment to transacting business--while providing greater privacy and persistent protections.

Much work on Trustworthy Computing, however, remains ahead of us. One key piece of that work is the Next-Generation Secure Computing Base (NGSCB). This is an on-going research and development effort to help create a safer computing environment for users by giving them access to four core hardware-based features missing in today's PCs: strong process isolation, sealed storage, a secure path to and from the user, and strong assurances of software identity. These changes, which require new PC hardware and software, can provide protection against malicious software and enhance user privacy, computer security, data protection and system integrity. We believe these evolutionary changes ultimately will help provide individuals and enterprises with greater system integrity, information security and personal privacy, and will help transform the PC into a platform that can perform trusted operations, to the benefit of consumers.
Microsoft's Collaboration with Third Parties on Security Initiatives

Notwithstanding the robust nature of our own efforts, we recognize that Trustworthy Computing and improved cybersecurity will not result from the efforts of one company alone. And, as will be demonstrated by my colleagues from this and the next panel, we are not alone in these efforts--responsible information technology companies increasingly focus on security as a key corporate goal. Microsoft is dedicated to working together with these industry partners and with government leaders to make the goals of Trustworthy Computing an industry-wide reality.

For example, as part of our work on NGSCB, we work with a variety of hardware and software partners to ensure that the PC platform has built-in protection against future viruses, threats from hackers, and unauthorized access to private information and digital property. In April of this year, we joined four other industry partners (AMD, Intel, IBM and Hewlett-Packard) in establishing the Trusted Computing Group (TCG), a not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies. The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from external software attack and physical theft and to provide these protections across multiple platforms, such as servers, PDAs, and digital phones.

In addition to these efforts, Microsoft remains committed to a multi-disciplinary approach to security that extends beyond technical solutions and specifications. Early detection and warning of cybersecurity threats, public education on cybersecurity, incident response, and prosecution of cyber-crimes, among other things, are all key aspects of creating a more secure computing environment. In order to have effective prevention and response, there must be an emphasis on cooperation and information sharing.
For this reason, we have been supporters of the National Cyber Security Alliance and the Partnership for Critical Infrastructure Security, and we work closely with government agencies and other industry participants on both an informational and operational level to prevent and investigate computer intrusions and attacks. We also helped found the Information Technology - Information Sharing and Analysis Center (IT-ISAC) and provided its first president. The IT-ISAC coordinates information-sharing on cyber-events among information technology companies and the government. We continue to support and are working with other members to improve the IT-ISAC's efforts to coordinate among members, with the government, and with other ISACs.

Such efforts are critical because this nation's infrastructures were and are designed, deployed, and maintained by the private sector. The interdependencies among infrastructure sectors mean that damage caused by an attack on one sector may have disruptive and perhaps devastating effects on other sectors. Voluntary information sharing and industry-led initiatives, supported by government cybersecurity initiatives, comprise an essential first line of defense against such threats.

We believe that the information sharing engendered to date by the IT-ISAC and other ISACs is an important step in enhancing public-private cooperation in combating cybersecurity threats. Yet, there remains room for progress, and government and industry should continue to examine and reduce barriers to appropriate exchanges of information, and build mechanisms and interfaces for such exchanges. This effort must involve moving away from ad hoc exchanges and toward exchanges that are built into business processes. This will require working toward a common understanding of the information that is valuable to share, when and how such information should be shared, and the means by which shared information will be protected.
The keystones are trust and value--if an information sharing ``network'' provides value and the participants trust it, then information will be shared. While the appropriate structure and form of this network are still evolving for both industry and government, we are eager to see a robust exchange of information on cybersecurity threats and will work with government, our industry partners, and with the ISAC community toward that goal.

Where Government Policy Can Make a Difference

While the sorts of technology-related steps outlined above can address many of the security challenges we face, technology alone cannot provide a complete answer. A comprehensive response to the challenges of cybersecurity depends on both technology and public policy--and critically, on how technology and policy interact with and complement one another. I want to outline a few specific areas where government policy can be particularly helpful in promoting cybersecurity.

First, the government, through public attestations and its own security practices and procurement efforts, can help by recognizing IT products engineered for security. For example, the late Commerce Secretary, Malcolm Baldrige, was honored by having a quality award named after him and bestowed upon businesses that demonstrate outstanding quality in certain areas. We understand that the Department of Homeland Security is considering a similar award for high quality security solutions. We think this is a good idea and we are ready to support the government as it develops and implements this visible incentive. Likewise, the government can lead by example by securing its own systems through the use of reasonable security practices and buying products that are engineered for security.
Where appropriate--such as for national security agencies and other agencies, issues, and services for which security is of the utmost importance--this should include purchasing products whose security has been evaluated and certified under the internationally-recognized (and U.S. supported) Common Criteria for Information Technology Security. Such efforts to procure only security-engineered products, and specifically such clear support for the Common Criteria, will help strengthen the government infrastructure. In doing so, the government also will help set a high standard for security--one that ultimately is necessary to enhance the protection of critical infrastructures.

Second, public research and development can play a vital role in advancing the IT industry's security efforts. Accordingly, we support additional federal funding for cybersecurity research and development (R&D), including university-driven research. The public sector should increase its support for basic research in technology and should maintain its traditional support for transferring the results of federally-funded R&D under permissive licenses to the private sector so that industry can further develop the technology and deploy it widely.

Third, Microsoft believes that greater cross-jurisdictional cooperation and capability among law enforcement is needed for investigating cyber-attacks. Cyber-attackers can easily transit any border, as demonstrated by the I LOVE YOU and Anna Kournikova viruses and the Solar Sunrise attacks, all of which were international in scope. Enhanced law enforcement cooperation across local, state and international borders, along with increased law enforcement capability internationally, is vital for law enforcement to prevent and investigate cyber attacks.
We therefore support an international law enforcement framework that establishes minimum criminal liability and penalty rules for cyber crime so that cyber-attackers cannot escape punishment for cyber attacks against the U.S. by seeking refuge outside of our borders.

Fourth, government has a critical role to play in facilitating information sharing. Government sharing its own information with industry is essential both to protect critical infrastructures and to build value in an information sharing network. In short, the government must be a provider as well as a consumer of valuable threat information.

Finally, government must recognize that even with the creation of the Department of Homeland Security and the new National Cyber Security Division (NCSD)--both of which Microsoft supported--cybersecurity remains an interagency problem. Accordingly, one of the key roles for the new Department, and specifically for NCSD, will be building incentives for effective government action, helping other government agencies develop new business processes that support homeland security, and reducing government stovepipes. Without a multidisciplinary effort by both government and industry, we will not succeed.

Conclusion

Microsoft is committed to strengthening the security of our products and services and is equally committed to working with governments and our industry peers on security issues, whether by offering our views on proposed regulatory and policy measures or participating in joint public/private security initiatives. In the end, a coordinated response to cybersecurity risks--one that is based on dialogue and cooperation between the public and private sectors--offers the greatest hope for promoting security and fostering the growth of a vibrant online economy.

Mr. Thornberry. Thank you. We will now turn to our next witness, which is--who has already been partially introduced, Whitfield Diffie is vice president and fellow at Sun Microsystems, and has been one of, if not the key leader in public key cryptography. And thank you for being here. You are recognized for five minutes.

STATEMENT OF MR. WHITFIELD DIFFIE, CHIEF SECURITY OFFICER, SUN MICROSYSTEMS, INC.

Mr. Diffie. Well, thank you very much. When people look back on this era we are in, the end of the twentieth century, the beginning of the twenty-first, I think what is going to be remembered is the era of a transition from a physical society to a virtual society, an information society, an electronic society. And things that we now regard as fairly arcane security mechanisms will come to be seen as fundamental social mechanisms in the same way that interpersonal recognition, which is a security mechanism, is perhaps the most fundamental mechanism of society.

Now, information security at this point is in my view 100 years old. There is a lot of prehistory, a lot of cryptography in the Renaissance and things like that. But the critical thing was the introduction of radio, because radio was the communications medium so valuable that nobody could afford to ignore it. And yet it was a medium in which all of the traditional security measures typified by the diplomatic pouch had no applicability at all. And consequently, cryptography was the only mechanism available to protect radio. Now there are some other more technical ones, but cryptography is the most general one.

And that swamped the code clerks. First World War, they were working with techniques intended to encrypt a small volume of messages that were going to go into other protective channels. Suddenly they had to encrypt a vast fraction of what was communicated by radio. And this started a race to automation and a race to develop good cryptography that dominated information security for most of the twentieth century.
I am pleased to say that I think that as a practical matter, we have largely solved that kind of problem. And I will just list one example of something that happened within the past few months. Within the past 4 years or so, the U.S. adopted a new national cryptographic standard. It is called the Advanced Encryption Standard. And it was actually formally adopted the 26th of November, 2001. Unlike its predecessor, the Data Encryption Standard, it was designed to be as secure as anybody could want. And that fact has been recognized this spring in the issuance of CNSS-15, a policy memorandum from the Committee for National Security Systems, recognizing that AES is adequate to be used for the protection of classified national security data. Now, there is still a long way to go. Even in that direction we are a long way from having the first piece of comsec equipment that uses AES. But this is a crucial milestone.

Later in the 20th century, communications security, cryptography-centered security, was joined by computer security. And in the first generation of this in the 1970s and 1980s, the vision was what was then called timesharing, lots of processes running on the same computer. That program was not entirely successful, although I am pleased to say that one of its best products is one of ours: Sun's Trusted Solaris system is used widely throughout the federal government for high security applications. But what happened in secure computing, more than the problem being solved, was that the problem changed. And it became a problem of network security, and we went into--curiously, one of the greatest developments in security is something Sun did not originate but certainly pioneered, which is client-server computing: dividing functionality out among the computers of a network so that one appeals to another for services. We introduced the Java programming language--a different style of writing programs with security very high among its qualifications.
Cryptography has become much more widely available and much better developed than it was back in the first period of computer security. And the cost of hardware has fallen so that we can support computer security better with dedicated hardware. In short, we have a whole new ball game.

It also happens we have a whole new challenge. Today when we say, as we say a lot at Sun, The network is the computer, we are not saying a shadow of what we will be saying when we say that five to 10 years from now. We are entering an era--the current buzzword is ``Web services.'' I don't know if the buzzword will persist, but the concept will endure. Computers communicating with computers and subcontracting work to them. You need data mining done? You need a movie rendered? You go out and you look at the yellow pages, you find a computer, a resource that has the equipment to do this, and you get it done, they return their bill. Suddenly we face a new set of security requirements and these are characterized by negotiation--one computer has to agree with the other what is going to be done; and by configuration control--a computer has to demonstrate to the other that it is capable of doing these things.

So we are in the infancy of a computer-mediated society and economy. And one of the critical things we know: We have to be careful. The decisions we make in security today are going to influence the structure of society all through the 21st century. So we need both not to rush into regulation, particularly not to respond to disasters by sudden patch-up regulations, but to exercise foresight in this area, to devote efforts to studying this area and to plan well for the security measures we need. Very often the short sight of individual users drives security policy. They prefer what appears to be convenience in applications over a sound structure that gives them secure operation because they don't anticipate the inconvenience of being broken into and having lots of down time.
I think that government will have a big but what must be a very carefully considered role to play in this. Security is going to be far more than just technology. It is going to influence law, it is going to influence business. The example I gave in my written testimony is: You capture the current contracting and subcontracting mechanism in things that happen in fractions of a second between computers. What are you going to do about adjudication? Nothing we have at the moment speaks to the time scale and complexity of operation--of business operations--that is approaching.

I would like to close with one concrete suggestion, prefaced with some very important thanks. There was a proposal within the past year to move the computer security division of NIST into the new homeland security department. And we at Sun and many in industry thought that this was ill-considered because that division had learned over its 15 years of operation after the Computer Security Act of 1986 to work with industry, to field standards that industry actually accepted and used. And we feared that the move into a department with a more military and more classified and more closed style would lead to standards that were not so enthusiastically received by industry. So I would like particularly to thank Representatives Boehlert, Goodlatte and Lofgren for their support in this matter. But I think the computer security division at NIST needs much more support and has now a vital role to play.

My colleague spoke about the importance of Common Criteria certification for security processes. And that is a very valuable mechanism; it is very much in need of improvement. The set of classifications within that system is complicated, hard for users to understand, hard for them to know the difference between something certified at EAL-2 and EAL-4.
It needs to be simplified; evaluation needs to be improved and speeded up, but probably most important--something that the government is best placed to do--is that a validation mechanism for these ratings needs to be put in place, something that follows the history of evaluated products, determines whether they are really functioning securely, and is able to feed back the record of break-ins or attempted break-ins to these products in order to improve the evaluation process and guarantee that when we have security certification it really means the things are secure. Thank you very much.

[The statement of Mr. Diffie follows:]

PREPARED STATEMENT OF MR. WHITFIELD DIFFIE, CHIEF SECURITY OFFICER, SUN MICROSYSTEMS, INC.

When historians write the history of the late 20th century and the early 21st, they are likely to see it as the period when the world moved from the physical to the virtual, when face to face meetings, written letters, and visits to showrooms were progressively replaced by phone calls, e-mail, and web browsing. As information, and with it human culture, come to travel more and more in a digitized, computer-mediated world, the computer and communications infrastructure must be expanded to provide the fundamental mechanisms needed to support the totality of human culture. One of these, widely recognized but little understood, is security.

Information security, essentially the protection of information in electronic media, is about a century old. The field has a long prehistory. Information has been protected on paper and in crude telecommunication channels, like signal fires, for millennia, but information security as we know it today dates from the development of radio and from the use of radio in WWI.

The first major problem in information security was cryptography. Despite cryptography's romantic aura and long history, prior to radio, cryptography was always a secondary security measure.
A dispatch on paper might be enciphered but its primary protection lay not in the encryption but in the careful handling of the diplomatic bag. Although telegraph messages were frequently sent in code, the customers were relying more on the integrity of the telegraph companies than on the codes for security.

The use of radio, particularly military radio in wartime, was different. Radio was so valuable that no one dared forgo its use. Prior to radio, Britain's First Sea Lord, who commanded the largest navy in the world, had only a vague idea of where his ships were. He might dispatch a flotilla on a mission and not hear anything about their progress for weeks or months. Within a few years of the introduction of radio, the First Sea Lord could expect to reach any ship in the fleet within hours. Today, of course, with the exception of submarines, this process is virtually instant, like making any other phone call.

The problem with radio from a security viewpoint is that everyone can listen to the radio and often the people you don't want listening get better reception than the ones you do. This promoted cryptography from a secondary security measure to a primary one. It was the only security measure of any use in protecting radio transmissions and it is still the primary one. The result was to swamp the code clerks, whose hand techniques were designed to add extra protection to a small fraction of military traffic, not provide the primary protection to most of it. The result was the race to automate cryptography, and the resultant race to automate cryptanalysis, that dominated cryptography throughout the 20th century.

For half a century, military cryptography was dominated by rotor machines: electromechanical devices that embodied cipher alphabets in rotating wheels and automated the polyalphabetic ciphers that had been known since Renaissance Italy but had been too prone to errors to see extensive use.
Mechanization reduced the errors, increased the speed, and allowed much more thorough protection than could be achieved by hand. In the 1930s, a new kind of rotor machine was developed in the US, one in which the wheels of one rotor machine were moved by the actions of another rotor machine. This machine, called Sigaba, was the most secure cryptosystem of its era and it appears that no Sigaba traffic was read in the WWII period.

By the time of WWII, the US had secure cryptographic systems for protecting ten-character-per-second telegraph traffic but little ability to protect voice or other broader-band signals. The first secure telephone was developed during the war. The system, called Sigsaly, provided very secure, surprisingly comprehensible voice communications with one severe drawback: the system occupied thirty racks of equipment, weighed as many tons, and cost millions. At first, the only customers who could ``afford'' Sigsaly were Roosevelt and Churchill. Even though Sigsalys were later provided to major military commands, there were never more than a dozen of them. However limited in deployment, Sigsaly was proof of concept for secure voice and the need to develop higher speed cryptosystems dominated cryptographic development for decades.

Although, like all important subjects, cryptography is still beset with profound unsolved problems, it is no longer the limiting resource in secure communication that it was for most of the 20th century. Good cryptographic systems are now available and the mathematical foundations on which they rest are widely understood. The new status of cryptography is exemplified by the US Advanced Encryption Standard (Federal Information Processing Standard 197). AES is the successor to the US Data Encryption Standard (FIPS-46), which was adopted in 1977. At that time, the National Security Agency recognized the need for a cryptographic system to protect government information outside the national-security sphere.
Because such a system could not achieve its objectives without being made public, NSA worried that it would also be used by the enemies of the United States. The result was a compromise, a system that NSA considered strong enough for its intended application but weak enough that it would not present an insurmountable obstacle if NSA encountered a DES cryptogram that it felt sufficiently motivated to read. The development process, although formally open, was in fact closely held and the compromise became the subject of a long-running controversy.

When the DES came to the end of its useful lifetime in the late 1990s, the National Institute of Standards and Technology set out to replace it. This time the process was entirely different. After a public process of developing the requirements for the new algorithm, a solicitation drew fifteen candidates from around the world. The candidates were studied over a period of two years in a process that involved three public conferences. Five finalists were selected from the fifteen and then one winner was selected from the finalists. On the 26th of November 2001, an algorithm designed in Belgium was selected as the national standard of the United States.

To those who had watched the evolution of US cryptographic policy over the previous three decades, the AES seemed miraculous, but an even more surprising turn occurred this spring, which was publicly announced in June. The Committee on National Security Systems of the Department of Defense issued Policy Directive 15, which authorized the use of AES (in approved implementations) for all levels of classified national security information. It will be years before we are applying COTS infosec technology to the majority of our national security systems but we have just passed an essential waypoint on that road.
Although unification of other aspects of cryptography has not reached the same level of standardization, key-management techniques based on the first generation of public-key cryptographic systems are in use for both government and private sector security. Second generation key-management techniques based on elliptic curve cryptosystems promise a greater degree of unification within the decade.

In the latter half of the 20th century, cryptography was joined by another information security problem: secure computing. With the development of computers capable of running more than one program at a time came the problem of running two different programs with different security levels or different owners and preventing them from interfering with each other. In the 1970s and 1980s there was great optimism about the prospects of developing a multi-level secure operating system. This program called for extensive system specifications and formal verification that the systems met their specifications. This proved expensive and fewer systems emerged than had been expected. Among the successes is Sun's Trusted Solaris, a high-security operating system that is widely used in DoD and the Intelligence Community. In a reflection of the rising importance of security, the enhanced-security features of Trusted Solaris are being steadily integrated into the mainstream Solaris product and the two systems will be merged in the next major release.

Despite such isolated successes as Trusted Solaris, the problem of secure computing has been transformed more than solved. In the 1970s an organization of moderate size, such as Rand or the MIT Lincoln Laboratory, would have a small number of big computers, perhaps only one. Every program that was run would have to be run on the one machine. If it was so sensitive that it could not be run in the presence of other programs, for fear that they might be spying on it, it would have to pay the high price of having the machine to itself.
As the seventies flowed into the eighties, two factors came together to change this. Computers got cheaper and became available at a variety of prices and a variety of levels of performance. Equally important, the ARPAnet, ancestor of the Internet, became available. This meant that a sensitive project no longer had to make arrangements for using a shared computer. It could purchase its own computer, appropriate to its needs and budget, put the computer in a room, and lock the door. Its communications with the outside world, if it needed any, could be handled through network channels more easily controlled than the communication paths internal to an operating system.

Client-server computing, the concept on which Sun was built, although rarely thought of as a security mechanism, has made a major contribution to security. In the network environment, a sensitive database can be isolated on a machine by itself, communicating with the rest of the world through a network connection. Enforcing the database's access policies against users of other machines on a network is far easier than enforcing them against other users on the same machine.

Another key success in computer security came with the Java language. In the 1970s, DoD aspired to purchase ``untrusted'' applications, such as compilers, and run them on classified data, in this case secret programs. Untrusted in this case means ``uncleared.'' The programs in question came from reputable software manufacturers but from manufacturers who did not have DoD facility clearances or cleared workforces. In the 1990s, this objective was magnified several fold. With the rise of the Internet, it became valuable for client computers to import applet programs in real time from servers. As the cost of putting up a server is small, the applets no longer could be counted on to come from reputable computer manufacturers.
``Untrusted'' had reached a new level; a workstation needed the ability to run programs about which it knew nothing and get useful work out of them, without exposing itself to excessive risk. The Java solution is to write the programs in a portable language which is structured to allow the client machine to verify the structure of the incoming program before executing it.

Given the substantial effort that has been devoted to computer security over the past thirty years, the mixed results of that effort, and the fact that the need for security is steadily increasing, it is reasonable to ask what the prospects are today for major improvement. If one answers, as I would, that the prospects are quite bright, one must also answer the question ``Why?'' As described above, the answer is that in large part, we are facing a new problem. The computer security problem seen in the 1970s has changed into a network security problem of the 21st century. Some problems have been solved, some problems remain, and many new problems have appeared.

Equally important is the fact that new tools have become available. In the 1970s, cryptography was primitive by comparison with its development today. Two aspects of cryptography especially crucial to computer security, public key cryptography and hashing functions, were in their infancy. Equally important, the National Security Agency, whose monopoly of cryptographic erudition was far greater then than now, was the major backer of secure computing research but discouraged the application of many cryptographic techniques to the problem in unclassified research. The final piece of the puzzle is the ever-decreasing cost of computing. It is now feasible to dedicate computing capacity to security in a way that was not feasible even a decade ago. An early example of a hardware-based approach to security problems is the domaining system of Sun's E12K and E15K servers.
These servers can assign processors to processes and confine the resources available to those processes within a hardware-enforced domain. The effect is to combine much of the security advantage of running the process on an isolated computer with the advantage in cost and flexibility of running it on a shared computer.

It is a fair summation of our present position in information security that we have an excellent toolkit in the cryptographic area and a moderately good one in the computer security area. Having good toolkits is not the same as having good security, however; if it were, the security of the cyberinfrastructure would be far better than it is. Much of what needs to be done can be characterized as routine. New code needs to be written with greater care than has often been customary, old code needs to be repaired, and the security mechanisms that we know how to build--keying infrastructures, for example--need to be built, shaken down, and brought to a level of operational quality that allows us to depend on them.

Other challenges loom on the horizon, however. For as long as I have known the company, Sun has had the slogan ``The Network is the Computer,'' and every year the slogan becomes truer. For years, it has been difficult for me to detect whether files I was using were on my own desktop or stored on a server some distance away. More recently, it has become possible to call on specialized computing and storage processes outside my own machine. These more recent techniques go under the name ``Web Services.'' At present most uses of web services involve interaction of a program currently being used by a human being--most often a browser--with a remote website supplying a service. In the near future--five or ten years at the most--this will evolve into a primarily computer to computer activity.

Today, the activities of both the public and the private sectors consist largely of business to business contracting and subcontracting processes.
Some of these require great imagination and will for the indefinite future be performed by humans; others are routine and will be automated at a steady rate. Computers needing services will consult ``yellow pages'' directories of available services; choose providers according to price and capability; send out work orders; receive their results; and pay their bills.

Two sorts of web-based businesses are easy to foresee. The first are specialized businesses: businesses that offer a specific sort of service. They may have proprietary algorithms for such computationally intensive activities as graphic rendering or datamining; they may have access to specialized data such as the results of physical, biological, or social studies; they may have vast amounts of computing power. At present, Google provides an example of all three. It possesses vast amounts of computing power that it uses to build specialized databases, available to no one else, and it delivers information to its customers using specialized algorithms for both building and searching the databases.

A second kind of business that is in its infancy is more general in character: utility computing. As a business, utility computing is rather like property rental. Many companies, rather than owning property, rent their offices and often subcontract to their landlords the provision of furniture, food, environmental controls, etc. As utility computing matures, a startup--based perhaps on development of a new datamining algorithm--will no longer need to raise sufficient capital to have the powerful computer required to do production runs for its customers. It can wait for work to come in, then turn around and lease computing capacity from a ``computer cycle provider.''

What sort of security measures will be required in this environment? They will parallel those of the current contractual mechanisms, particularly those employed for government contracts.
When a system integrator contractor subcontracts the fabrication of a part for a military aircraft to a machining business, it is trusting not only that the work will be done correctly but that the plans for the part will be returned and that the subcontractor will not make extra copies for competitors. In choosing its subcontractor, the system integrator will seek a provider with a suitable facility clearance. Contracting on this scale is generally for work lasting from days to years and often reflects long-standing business relationships. The computers will do it all faster. It is hard to predict exactly how far in the future this vision is but at some point, contracts for specialized data processing are likely to be negotiated and fulfilled in seconds.

The two problems that will be at the forefront of security research and development over the next decade are negotiation and configuration control. They will parallel existing business functions but they will take place at much higher speed and without moment-to-moment human oversight. The circumstances will incorporate many mechanisms now in use such as reputation assessment (clearance, Better Business Bureau membership) but in a far less forgiving environment. When contracting goes badly at present, problems are generally referred to the courts. When contracting goes badly on the scale of seconds, what mechanism will step into the breach?

As we move our economy and society further and further into computer mediated telecommunication channels, the role of cybersecurity in homeland security will grow steadily. There will not be general agreement on the proper course of action. Our decisions will advantage some legitimate parties and disadvantage others. The solutions to the problems that arise will thus be as much legal and political as technical and will tax both our resources and our imaginations.

Mr. Thornberry. Thank you, sir. We will now turn to Dr. Craig Lowery, who is chief security architect and a software architect and strategist at Dell Computers. Welcome, sir, you are recognized.

STATEMENT OF DR. JAMES CRAIG LOWERY, CHIEF SECURITY ARCHITECT/SOFTWARE ARCHITECT AND STRATEGIST, DELL COMPUTER CORPORATION

Dr. Lowery. Thank you, Chairman Thornberry, Ranking Member Lofgren, members of the subcommittee. My name is Craig Lowery, software architect and strategist for Dell. We are very pleased to be here this morning, and we would like to wholeheartedly concur with your opening themes of partnership and consensus, because Dell believes that that is the best way to go about achieving more secure systems for everyone. Since everyone is using these systems, we all play a role.

We see a universe of technology which has vendors and customers that are working in partnership together. It is not reasonable to think that one party or the other has a complete key to solving the security puzzle. Vendors bring products to market, and they must make reasonable allowances for security as part of the design of those products. And customers have a responsibility, too, in the way that they deploy those products. It is possible to create a product that is ``secure'' when it is shipped as a single component, but when it is placed into an aggregate configuration it could very well be part of an insecure infrastructure that is created. So it is not a one-sided approach that should be considered to solving the security puzzle. It has to be partnership- and consensus-driven.

One of the things that is defining about Dell as a company is its direct business model, which you may have heard about. If you haven't, I will give you just a little bit of a glimpse into it, because it very much influences how we are approaching this problem, among others.
The direct business model means that Dell believes that having direct relationships with our customers is the best way to go about delivering solutions to them, because we can hear directly from them the problems that they are having, they are trying to solve, the solutions that they need. One way to arrive at consensus of customer input, customer feedback, is through standards. We are a very standards-oriented company. We prefer to deliver standards-based solutions, because we believe that that is, first of all, something that has gone through a consensus process, either formal or sometimes more informal, through user groups. We also see that that consensus process develops a standard which everyone understands, there are no surprises, and can be delivered to, we can deliver products to that. That is very much in line with our direct business model.

One of the concrete examples that I have for you this morning of this strategy at work is a new offering from Dell which is based on work that has been done by a group called the Center for Internet Security, or the CIS. The Center for Internet Security is a group of users across sectors of industry, government, education, finance and health care, who have gotten together their security experts and have pooled their knowledge of experience and best practices, the best way to go about securing things. And the product of this group is a set of things called benchmarks. These benchmarks are settings for pieces of software, such as operating systems, which the users that are members of the CIS agree are the best settings, according to their research and their work. At the request of our government customers, we have taken those settings for Microsoft Windows 2000 and we are now making those settings available direct from our factory, pre-installed, on certain products, specifically our OptiPlex, our Latitude notebooks and our Precision Workstations.
This is the direct result of our philosophy and the work of the consensus mechanism in the industry to bring about immediate changes into the security landscape at this time. We certainly see that security is a moving target, and that as things progress these improvements will appear not as a change to settings that we have to make, but as something that is going to be built directly into software products, and we see that already happening at the source. We are also working in other areas to deliver more secure solutions to our customers at their request, things like smart cards, which are a form of authentication that has been requested by customers. We now have smart card readers built into our D series Latitude notebook computers, and also we have keyboards for our systems which read smart cards. We have biometric technology, which we have been evaluating, and we have decided that some of those solutions meet our requirements and those of our customers, and we are now making those things available through our Software and Peripherals Department. Standard physical locks for chassis and racks and things like that are always something that we are attending to and making sure are securing the physical hardware, and new types of products, for example, such as firewalls, which we are making available through Dell to our customers so that they are able to get their security solutions, or most of their computer solutions, directly from us. So in summary, we do believe that security is best achieved in partnership and consensus, things we are very happy to hear being expressed here today. Our direct model, we believe, puts us in a position to really make use of standards and to help disseminate that kind of information. The CIS offering is a concrete example of that in action. We continue to evaluate best-of-breed solutions in the security space and bring them to market as our customers request them. Thank you for your time.

[The statement of Dr.
Lowery follows:]

PREPARED STATEMENT OF DR. JAMES CRAIG LOWERY, PH.D.

Chairman Thornberry, Ranking Member Lofgren, and Members of the Subcommittee, thank you for the opportunity to discuss Dell's perspective on cybersecurity and the role of technology, specifically hardware and software security products. My name is Craig Lowery and I am the chief security architect in the Dell Product Group. Headquartered in Round Rock, Texas, a suburb of Austin, Dell was founded in 1984 on a simple concept: that by selling computer systems directly to customers, Dell could best understand their needs and efficiently provide the most effective computing solutions to meet those needs. Today, Dell is the world's leading computer systems company. The company employs approximately 40,000 team members around the globe. We design, build and customize products and services to satisfy a range of customer requirements, from the desktop, notebook, server, storage and professional services needs of the federal government agencies, to those of the largest global corporations, and to those of consumers at home. To fully appreciate Dell's security strategy, one must understand Dell's direct business model. We believe that the best customer solutions are most efficiently derived through direct relationships with our customers and suppliers. Our build-to-order system allows customers to order computers tailored to their needs, manufactured specifically for and delivered directly to them. We believe that customers receive the best value from products built with standard technologies; to that end, we seek to foster standards throughout the industry to reduce cost and increase customer flexibility and choice. As I will explain, each of these facets of the direct model plays a key role in how Dell is approaching computer system security.
Cybersecurity has become increasingly important for our industry due to the need to provide products to our customers to better protect their IT systems from cyber attacks and viruses. Until recently, most company security solutions have been proprietary and customized to fit their specific needs. As the need for IT security has grown from supporting specific applications to that of protecting critical IT infrastructure, our industry, including Dell, has pushed for standardization to make security more affordable and widely available. As a technology vendor, Dell is committed to delivering value through reducing the costs of acquisition, deployment, interoperation and maintenance of our products, including our security products. Dell believes that these benefits are best achieved through the benefits of industry standard technologies. Specifically, Dell believes that standards in the security arena are driving and will continue to drive these technologies to levels of maturity that make them more transparent to the end-user and thus suitable for widespread adoption in the industry. As these technologies mature, Dell leverages the benefits of its direct model to bring these technologies to market quickly and affordably. Securing information systems is only possible through partnership between vendors and customers. Security is a moving target, and the products and services addressing security needs necessarily evolve as the landscape changes. Vendors are responsible for bringing to market products that incorporate widely accepted security design goals. Customers are responsible for deploying the products in a manner consistent with effective security best practices. Vendors must be open to customer feedback to understand their security concerns, and customers must be diligent to provide that input. Dell is placing more and more emphasis on security as a chief design consideration in all of our products. 
Certainly as a hardware vendor, we are acutely aware of the need for physical security through mechanisms such as locks and detection devices. Our efforts to deliver more secure products extend beyond hardware. Since we custom-build the systems we ship, including factory installing operating systems and applications, we have the opportunity to continually improve upon the software configurations we offer to customers. We work closely with software providers during their design and implementation phases. We are able to identify and integrate tested security components into our factory-installed software so that customers can enjoy the benefit of best solutions ``out-of-the-box.'' Pre-installed virus protection is one example. An important security benefit of our build-to-order system is that it reduces the time between when we make changes to our products in the factory, and the time a customer receives the product. Therefore, if we improve the security of a product, our system helps to minimize the lag time in getting it to the customer since there is no inventory that must first be moved in the distribution channel. Another example of creating an even more secure software configuration is a new Dell offering available through our custom factory integration unit. Dell is beginning to offer desktop systems installed with Microsoft Windows 2000 pre-set to the Center for Internet Security's Level I benchmark. This is a separate offering from our ``normal'' Windows 2000 installation, which continues to be available. The CIS Level I benchmark is a consensus standard which the CIS considers the best and least restrictive security settings for Windows 2000. These settings were developed with input from government agencies, business, universities, and individual security experts. In providing the factory installed benchmark systems, Dell is responding to customer demand for a hardened operating system direct from the factory. 
Although it is designed for our public segment customers such as federal, state and local governments, this product can benefit any organization wishing to receive a certain level of security with a system directly from Dell. System BIOS passwords and hard-drive passwords continue to play an important role in security. For even more robust forms of authentication and access control, Dell now offers integrated smart card readers in our Latitude D-family notebooks as a standard feature, and in our smart card reader keyboard for desktops. In addition, Dell offers biometric authentication solutions in the form of add-on peripheral devices. Dell is actively involved in new developments in wireless security standards such as Wi-Fi Protected Access, and the emerging 802.11i standard. Through our software and peripherals department, Dell is able to provide customers with third-party solutions that meet their demanding standards, such as wireless products, firewalls, and security software. Again, security requires cooperation between vendor and customer. At Dell, we know our customers face many challenges when it comes to successfully deploying an IT infrastructure that is secure, usable, and manageable. We provide deployment and management assistance to our customers in several forms to help them in these efforts. In addition to telephone support, Dell provides access to our technical support web site. Premium technical support is available to customers requiring even faster response. Our engineers develop white papers and journal articles targeting many content areas, including computer system security. These articles are also freely downloadable from our web site at dell.com/powersolutions. We are actively engaged with security organizations such as the SANS Institute, the CERT Coordination Center, the Center for Internet Security, and the Free Standards Group.
Dell also makes available pre-packaged and customized services, helping to ensure consistent, repeatable processes for our customers. Dell's service offerings include everything from one-time services to deploy and configure, to fully managed solutions where we take on the day-to-day tasks of running your IT infrastructure. Security is one of many aspects we consider in providing these services to our customers. Dell is a security-aware and privacy-aware company. We know that security is of increasing importance to our customers, and we are striving to deliver more secure products and services, as well as those that are security-specific, as they become available. We deliver security solutions in a way that is consistent with Dell's model: quality, low cost, easily integrated standards-based solutions that meet our customer requirements, delivered directly to them. We look forward to working with this Subcommittee as it considers ways to improve cybersecurity. Thank you again for inviting me to participate in today's hearing and for seeking Dell's perspective on cybersecurity. I would be happy to answer any questions.

Mr. Thornberry. Thank you, sir. As my colleagues can tell, we have roughly divided up the witnesses into two groups. We have heard from three witnesses that are roughly in the field of products, and now we are about to turn to three that are roughly in the field of services, although with these companies, clear lines are difficult to draw. We will now turn to Jay Adelson, who is a founder and chief technology officer of Equinix, which is the largest independent, or neutral, provider of interconnection and data center services in the world. Welcome, sir. You are recognized for five minutes.

STATEMENT OF MR. JAY ADELSON, CTO & FOUNDER, EQUINIX, INC.

Mr. Adelson. Thank you.
Chairman Thornberry, Congresswoman Lofgren, distinguished members of the committee, I sincerely appreciate having the opportunity to be here today as a representative from the Internet industry, and more specifically, the perspective of critical Internet infrastructure, the Internet itself, network access points, or commonly known as Internet exchange points. As you said, my name is Jay Adelson. I am the founder and chief technology officer of Equinix. And the reason Equinix has a unique perspective on the issue of Internet security is, as you said, we are the largest neutral provider of interconnection. Equinix's facilities, therefore, serve as the meeting places for all the various elements of the Internet, ranging from enterprise users, large Internet Web sites, network providers, telephone carriers, cable companies and subscriber services. Much of the Internet industry knows us as an exchange point or NAP where most of the Internet traffic in the United States, or significant portions, converge as they pass from one network, such as AT&T, to another, such as AOL, as well as the place where important sites, such as Google, Yahoo, Paypal, IBM customers and others place their critical infrastructure. A good analogy for an exchange point is that we function as an international airport for Internet networks and services. And our airlines are networks and our travelers are data bits and bytes. There are 100 exchange points in the world, varying in services and levels of security, though, in common, they all facilitate this exchange of traffic. While my distinguished panel members are part of well known, large vendors and network service providers, the chances are, while you may not have been exposed to Equinix in the past, you stand to receive e-mails that traverse our exchange points and surf Web sites housed in our facilities.
The very fact that Equinix is a physical part of the Internet infrastructure, where such a large percentage of the Internet itself happens, is not as well known. It illustrates the fact that the Internet itself is a massive structure interconnecting independent entities, very difficult to accurately measure or monitor, and international in scope. Equinix, like international airports, focuses heavily on the physical security of our data centers. And we have instituted check points, audit trails, people traps, steel cages, layers of biometric security, et cetera, and very strong security operations procedures. Our customers demanded these in the late 1990s when we built them. And we based the security design and requirements on those from our financial service customers and recognized that there was no physical security standard on which to build and base our new design. We were not able to find any of these reference standards for the level of security operation procedure we felt, and our customers felt, was appropriate for such an important hub of Internet traffic. It didn't exist. So, therefore, we made a conscious decision, as part of our business plan, to be the most physically secure exchange point in the United States. But this model is fairly unique in that market forces allowed us to develop this new approach to providing heightened physical security. A balance must be achieved between network service providers, hardware vendors and their users. Ultimately, users must bear, as my colleagues suggested, the largest responsibility for protecting their assets. Network service providers and software and hardware vendors supporting the Internet industry can only empower the Internet users with systems and services that enable secured use of the Internet. There are strong economic limitations to the scope of physical and logical protection network service providers can reasonably implement. But at a minimum, a baseline standard of configuration and administration can be met.
The cyber and physical security best practices, developed by the Network Reliability and Interoperability Committee, are a good example of how infrastructure operators are able to provide baselines for all network operators to follow. These range from information about network configuration to background checks for employees in critical facilities. And as a nation, we must continue to advance research and development to increase the embedded security level as well as support these standards at the network level and with edge users. There are a surprisingly high number of autonomous networks and systems that affect the health of the Internet. A common misunderstanding is that only a few very large networks, known as backbones, create the largest impact. As incidents of the past have taught us, there are many more players, enterprises, domain name service providers, foreign networks and small regional networks that can impact network stability and security. These entities are scattered all over the world, and their security policies and procedures are as diverse as the networks and services that they operate. While information sharing with the federal government is a newer concept in the Internet arena, information sharing is fairly robust within the Internet technical community, and it has to be. We are all customers and providers to one another, and a major failure on the Internet impacts all infrastructure operators at the bottom line. We communicate with our account reps, our technical help desk, our emergency contacts, to restore services as quickly as possible. It is not clear, however, how to integrate the federal government into the commercial information-sharing exchange. The government has an opportunity to act as a means to spread the word during a crisis, and tools such as the Cyber Warning Information Network are a good start, although the original intent of these systems must not be diluted.
Opening the communication channels is critical when every second counts, but choosing what data is appropriate through ISAC-to-ISAC communications, versus leaving it open, limits their effectiveness. The federal government must do more to expand information-sharing with infrastructure owners, and establishing the National Cyber-Security Directorate at the Department of Homeland Security is a good first step. In the event of a cyber-crisis, it is important for the Department of Homeland Security to understand that the infrastructure owners, the network operators in particular, are the first responders. Speed is of the essence in responding effectively to these types of crises, and therefore adding communications steps and information management runs the risk of slowing down the response. For infrastructure operators, the Internet is first and foremost a commercial enterprise, and thus restoration of service is critical in order to meet the service level agreements with customers, as well as to support Internet commerce generally. This must be recognized as processes are developed, and, as well, centralization of all this information will improve accuracy in communication. The methods of information distribution must be relatively instantaneous and flat in hierarchy. In conclusion, Equinix strongly supports the work of the Department of Homeland Security in working to promote both physical and cyber-security for our nation's networks. And I very much appreciate the opportunity to testify here today, and would be happy to answer questions that the committee may have.

[The statement of Mr. Adelson follows:]

PREPARED STATEMENT OF MR.
JAY ADELSON

Chairman Thornberry, Congresswoman Lofgren, distinguished members of the Committee; I sincerely appreciate having the opportunity to be here today as a representative from the Internet industry, and more specifically, the perspective of critical infrastructure of the Internet itself, the Internet Exchanges, or Network Access Points (NAP). My name is Jay Adelson, and I am the Founder and Chief Technology Officer of Equinix. The reason Equinix has a unique perspective on the issue of Internet security is that we are the largest independent, or ``neutral,'' provider of interconnection and data center services in the world. Equinix's facilities serve as the meeting places for all the various elements of the Internet, ranging from enterprise users, large Internet web sites, and network providers such as telephone carriers, cable companies and subscriber services. Much of the Internet industry knows us as a NAP operator, or Network Access Point, where most of the Internet traffic in the United States converges as it passes from one network, such as AT&T, to other large networks, such as UUNet or AOL, as well as the place where important web sites, such as Google, Yahoo!, PayPal, or IBM customers, place their critical infrastructure. A very good analogy for a NAP operator is that we function as an international airport for Internet networks and services, though our airlines are networks, and our travelers are the data bits and bytes. There are over a hundred NAPs throughout the world, varying in services and levels of security, though in common they all facilitate the exchange of Internet traffic. While my distinguished panel members are part of well known, large network service providers, chances are that while you may not have been exposed to Equinix, you have sent or received e-mails that have traversed our exchange points, and surfed websites housed in our facilities.
The very fact that Equinix, as a physical part of the Internet infrastructure, where such a large percentage of the Internet passes, is not as well known, illustrates the fact that the Internet itself is a massive structure of interconnecting, independent entities, very difficult to accurately measure or monitor, and international in scope.

Role of Industry and Equinix In Securing Cyberspace

The Internet exists on multiple layers, both the physical and the logical. At the physical level, the industry has a long way to go to secure itself. While some infrastructure operators provide advanced cyber and physical security, some operators have not yet incorporated security into their basic business plan. This provides the Internet industry as a whole with much room for improvement. Equinix, like international airports, focuses heavily on the physical security of our datacenters, and has instituted checkpoints, audit trails, man traps, steel cages, five layers of biometric security, high-availability video, concrete embankments and strong security operations procedures. Our customers have demanded this physical security from our facilities. When we built them in the late nineties, we based the security design on the requirements from our financial services customers, and recognized that there was no physical security standard upon which to base our new design. We were not able to find any reference standard for the level of security operations procedure we felt, and our customers felt, was appropriate for such an important hub of Internet traffic. It simply didn't exist. Equinix, therefore, made a conscious decision as a part of our business plan to be the most physically secure NAP operator in the United States. However, our model is fairly unique in that market forces allowed us to develop a new approach to providing heightened physical security for critical Internet assets.
At this point, Equinix's customer base represents over 90% of the Internet routing table, as over 120 of the largest and most prolific Internet networks use our locations as their critical hubs. Equinix, as a central exchange point between networks, will continue to do our part to physically secure the Internet assets. At the logical level, the implementation issues are international in scope, with literally thousands of independent players requiring education and motivation to adopt modern security practice.

Industry Responsibilities

A balance must be achieved between network service providers, hardware vendors, and their users. As secure as a network may be from compromise, or as many features as a hardware or software vendor places in their products, ultimately users must bear the largest responsibility for protecting their assets. Network service providers, and software and hardware vendors supporting the Internet industry can only empower the Internet's users with services and systems that enable secured use of the Internet. There are strong economic limitations to the scope of physical and logical protections network service providers can reasonably implement, but at a minimum, a base-line standard of configuration and administration can be met. The cyber and physical security best practices developed by the Network Reliability and Interoperability Committee (NRIC) are a good example of how infrastructure operators are able to provide baselines for all network operators to follow. These range from information about network configuration to background checks for employees in critical facilities. However, best practices are often difficult and costly for smaller networks, enterprises, universities, governments, or individuals to implement. As a nation we must continue to advance research and development to increase our embedded security level, at the network level and with edge users.
Information Sharing

There are a surprisingly high number of autonomous networks and systems that affect the health of the Internet. A common misunderstanding is that only a few, very large networks, commonly known as backbones, create the largest impact. As incidents of the past have taught us, there are many more players, including enterprises, content providers, domain name server operators, foreign networks and small regional networks, that can have significant impact on network stability and security. Recent research Equinix conducted shows evidence of there being over 13,000 entities, not including network service providers, in the global Internet that manage their own multi-network connectivity, injecting their network information into the global Internet. These entities are scattered all over the world, and their security policies and procedures are as diverse as the networks and services they operate. While abuse from one of these entities can be mitigated through good security practice, a large number of them are as relevant in information sharing as the network operators themselves. While information sharing with the federal government is a newer concept in the Internet arena, information sharing is fairly robust within the Internet technical community. It has to be--we are all customers and providers to one another, and a major failure on the Internet impacts all infrastructure operators at the bottom line. We communicate with our account representatives, with our technical help desks, with our emergency security contacts, to restore service as quickly as possible. What is not yet clear, however, is how to integrate the Federal government into the commercial information sharing exchange.

How the Federal Government Can Help with Information Sharing

The Federal Government has the opportunity to act as a means to spread the word during a crisis as a central moderator.
Tools such as the Cyber Warning Information Network are a very good start, although the original intent of these systems, to be a tool during a crisis for the Internet community, must not be diluted. Opening the communication channels is critical when every second counts. Choosing what data is appropriate for ISAC-to-ISAC communications, versus leaving it open, limits their effectiveness. The Federal government must do more to expand information sharing with Internet infrastructure owners. Establishing the National Cyber Security Directorate at the Department of Homeland Security is a good first step. However, for the Federal government to become a trusted partner for information sharing purposes, it will have to develop business plans and models to highlight how and where the government is best suited to assist the Internet infrastructure in protecting and restoring itself.

The Role of the Department of Homeland Security

The DHS has two unique and immediate functions that it should provide to infrastructure operators. First, DHS should provide a platform for information to be shared, amongst infrastructure sectors, and to the states. Second, DHS should be working in partnership with industry to promote the development of cyber security standards and baselines, to ensure a national approach to cyber-security. Clarifying the Federal government's role as the ``Public'' partner in our Public-Private Partnership, cited in the National Strategy to Secure Cyberspace, will be a critical task for the new Cyber Security Directorate. A network operator, content provider, or NAP operator all have different roles to play in a crisis, and the value of the response will be contingent upon the DHS having a clear understanding of what data is appropriate for which group, and what action, if any, the government is capable of taking.
In the event of a cyber-crisis, it is important for the DHS to understand that the infrastructure owners, the network operators in particular, are the ``first responders.'' Speed is of the essence in responding effectively in these types of crises, and therefore adding communication steps and information management runs the risk of slowing down the response. For infrastructure operators, the Internet is first and foremost a commercial enterprise, and thus restoration of service is critical, in order to meet service level agreements with customers, as well as to support Internet commerce generally. As a result, crisis communications at the technical level between the largest infrastructure operators are generally very good. Trust and experience have played a large role in increasing the response capabilities of the largest infrastructure operators, and the government will have to develop trust and experience as it becomes a part of cyber-security. This must be recognized as processes are developed, as while centralization of the information will improve accuracy, the methods of information distribution must be relatively instantaneous and flat in hierarchy. Working with industry as the ``first responder'' will be an immediate challenge, and a new paradigm for DHS that requires dedicated effort. In conclusion, Equinix strongly supports the work of the Department of Homeland Security in working to promote both physical and cyber-security for our nation's networks. I very much appreciate the opportunity to testify today, and would be happy to answer any questions that the Committee may have.

Mr. Thornberry. Thank you, sir, appreciate it. Frank Ianna has been with AT&T for more than 30 years, including most recently as president of AT&T network services. Earlier this year he announced his intention to retire, but they can't let him go. And so we are glad you are here with us today, sir, and now you are recognized for five minutes.

STATEMENT OF MR.
FRANK IANNA, PRESIDENT, AT&T NETWORK SERVICES, AT&T CORPORATION

Mr. Ianna. Chairman Thornberry, thank you very much, Congresswoman Lofgren and members of the subcommittee. Let me summarize my testimony with several points, and then recommendations under some of those points. First, along the idea of cyber and physical security. Cyber-threats are particularly challenging to the service industry for four reasons. First, attackers do not need a physical presence or a large investment in a physical presence to cause harm. They could do it remotely. Point number two is that all vendors of products and services, hardware and software, whether they are switching elements or computing elements, have critical roles to play in enhancing the overall cyber-resiliency of mission-critical services. And several recommendations can spring from this, such as software and equipment vendors and network operators and standards bodies should have products that have built-in baseline security features. With system administration, any interaction of these should be made simple. Service providers and vendors should collaborate also to develop an overall security management system so that we could see very instantaneously the traffic anomalies happening on networks, and then we could respond very quickly too. And the government can stimulate development of more secure products by funding research and development of interoperable software and hardware standards to provide the network management described above. The third point is that there is extensive interconnection, as some of my colleagues have mentioned; this is the very nature of communications among telecom and IP providers and data network providers. And each of these carriers is interconnected to form a service for a consumer or a business. We must help each other. And we have to communicate with each other, our operations centers, on a continuous basis. A significant failure in one network can cause a significant failure in another network.
And in many cases, the symptoms of a failure in one network actually show up first in the other network. Carriers today do share network disruption information directly between their operation centers, ours, the global network operation center in Bedminster and all the other carriers that we interface with, and with the Telecom Information Sharing and Analysis Center, the Telecom ISAC, today. For example, the Slammer worm that we detected on January 25, 2003 was the fastest-spreading worm in history, but industry worked together with the Telecom ISAC and with government to share our mitigation plans, our strategies and our notification procedures.

Point number four, insider threats to our network should not be discounted. A malicious insider may easily circumvent cyber-security protections employed to discourage outside threats. So a recommendation here would be to have infrastructure providers and governments work together to develop a process to ensure that all employees and contractors with access to critical facilities undergo background checks, screening and National Crime Information Center reviews.

Now, the next point is talking about public and private partnerships. What we are saying here is that there is a good opportunity to have a public/private partnership with the government. The Telecom ISAC, for example, is a good example of this; it is the number one long-standing public/private partnership in telecom.

Point number six is that companies will only engage in sustained and meaningful information sharing when there is a compelling business case to do so and only in a trusted environment. And this is for two related reasons. The government should consider adopting the NCC funding model to enhance effectiveness of other ISACs where the government is actually funding some of the infrastructure for us to communicate amongst each other. For example, the round-the-clock staffing is not borne exclusively by the private sector; it is borne by the government.
And the government partners provide value back to the industry. Two examples here: the government should provide value to other ISACs in the form of useful and timely threat information, and supporting industry's response recovery efforts during the crisis.

The NRIC, as my colleague here mentioned, the National Reliability and Interoperability Council, which is really the sixth incarnation of that council created every 2 years, is a long-standing partnership that the FCC and the Telecom industry started in 1992. The FCC--and point number seven--has wisely recognized that to be successful, the effort must be: number one, voluntary; number two, developed by industry experts; and number three, adaptable to different network providers to reflect differing architectures and approaches. What constitutes a network failure in a wire line voice network is very, very different than what constitutes a failure in an IP-provided network, for example.

Two final points here. Number one, information about physical locations and capabilities of network infrastructures must be carefully safeguarded. We have seen instances where much public information has been put out and there are a lot of requests for information. We recommend here that particularly we work with the Department of Homeland Security and particularly the states. We may not be only getting one request from the federal government, and we actually could be getting 50 requests from different states to provide very macro and very specific threat and vulnerability information. And we believe that the Department of Homeland Security should be the focal point for coordinating process amongst all federal agencies and states so that we ensure that the information is properly managed.

And then finally we should expand our public and private partnership.
Private sector critical infrastructures providers must have the opportunity to provide input to portions of the new national emergency response plan that address how the private sector would respond in a national crisis.

I would like to thank you for allowing me to make these comments, summarizing the positions that AT&T has from our experience in these industries. Thank you very much.

[The statement of Mr. Ianna follows:]

PREPARED STATEMENT OF MR. FRANK IANNA

Thank you for this opportunity to testify on behalf of AT&T regarding industry views on cyber security. My name is Frank Ianna, and I am the outgoing President of AT&T Network Services. My testimony will describe AT&T's views on several aspects of this very important issue.

AT&T is among the premier voice and data communications companies in the world, serving businesses, consumers, and government. The company runs one of the most sophisticated communications networks in the U.S., backed by the research and development capabilities of AT&T Labs. A leading supplier of data, Internet and managed services for the public and private sectors, AT&T offers outsourcing and consulting to large businesses and government. With approximately $37 billion of revenue, AT&T has about 40 million residential customers and 4 million business customers who depend on AT&T for high-quality communications. As such, we have an overarching interest in preserving and promoting a safe, secure and robust infrastructure that will be a key enabler of economic growth and prosperity of the United States. We therefore very much appreciate the opportunity to offer these comments today.

Cyber vs. Physical security:

Sound security practices obviously must address both physical risks and cyber risks. Cyber security risk management is more focused on the ``logical'' or user's view of the way data or systems are organized as compared to physical security risk management of our network which is topology/technology-focused.
But cyber threats are particularly challenging for at least four key reasons. First, attackers do not need physical presence to do significant harm, and a cyber ``saboteur'' could launch attacks from anywhere. Nor does it take a large investment to launch a cyber attack, only a PC and access to the Internet.

Second, the availability and deployment of cyber security capabilities is not only a service provider issue, but requires the involvement of product developers, vendors, and end-users. Software code is becoming increasingly complex and the number of lines of code is multiplying at an incredible rate. Thus no single entity has complete control over the security of its product or service. The very structure of today's hearing reflects that reality--that all vendors of products and services have critical roles to play in enhancing the overall cyber-resiliency of mission-critical services. Industry, standards bodies, software and equipment vendors, network operators, and end-users of all products and services that make up the Internet should ensure that these products have built-in baseline security features and that these features are appropriately configured and kept up-to-date. System administration of current cyber products is much too difficult. Vendors need to be encouraged to simplify their products and employers need to increase the level of expertise required to perform this vital task.

One specific area in which service providers and vendors could cooperate that would make a vast improvement in cyber-security is in the development of an overall security management system that would provide detailed traffic statistics to the Network Operations Centers of major IP backbone providers about the transmission of packets on our networks and detect and respond to anomalies, as we do today in our public switched telecommunications network.
Government can also play a key role in stimulating development and deployment of more secure products and services, not by trying to impose compliance at some arbitrary level, but by funding research and development of interoperable software and hardware standards to provide the network management that would enable network operators to detect and stop malicious attacks in the core network. Government can also create strong incentives for the deployment of these capabilities through its purchasing power as a user of more secure cyber capabilities.

Third, because there is extensive interconnection among telecommunications and IP networks, carriers must assist one another because a significant failure in one network can affect another network. In fact, telecommunications carriers today share network disruption information directly between Network Operations Centers, and with the sector Information Sharing and Analysis Center (ISAC). The Slammer worm, which was detected on January 25, 2003, was the fastest spreading worm in history. This worm affected more than 90 percent of vulnerable hosts within 10 minutes, far more quickly than Code Red of 2001. Industry participants worked together through the Telecom ISAC and with the government to share mitigation plans. The good news is that the Slammer worm had no payload; the bad news is that a similar worm could be launched with a malicious payload. We need to be better prepared by building more secure technology and employing better processes to support security controls for the entire network.

Lastly, though cyber threats can originate anywhere, the insider threat should not be discounted, because a malicious insider may easily circumvent cyber security protections that are deployed to discourage outside threats.
To address this issue, providers of critical facilities must work with others in industry, and with government at all levels to develop and employ a standard process to ensure that all employees and contractors with access to critical facilities undergo appropriate background checks, screening, and National Crime Information Center reviews. Government can play a key role by helping to develop the most efficient process, and by acting as a centralized resource to coordinate requests from industry for reviews. This is good and will help. Now, having said that, I want to add that those service providers of critical infrastructure have had to solve the problem of access long before it became prominent following the events of September 11. Many people enter and leave critical infrastructure facilities every day. The location may be any location where multiple providers have placed facilities and equipment. These individuals may be communications technicians from different service providers who are maintaining equipment housed in the building. There are others who also may need to gain access to a building, such as power contractors, janitors, vending machine operators, copying machine technicians, etc. During the day, any number of non-communications-related individuals go in and out of telecom buildings. One solution that AT&T has implemented is to escort all non-badged individuals who need access to critical locations. AT&T has made strong security a top priority for many years, but because we are so extensively interconnected with other infrastructure operators, we must also closely cooperate with our peers, arguably to a greater extent than in any other infrastructure. Our industry has of necessity been a leader in the information sharing process long before the President's Commission on Critical Infrastructure Protection and PDD-63 recommended the formation of sector-specific, information sharing forums in May, 1998. 
Developing an effective ``public-private partnership'':

As you know, most of the country's critical infrastructures are owned and operated by the private sector, thus the private sector must play a key role in safeguarding those infrastructures. With cyber security, the private sector has an even more important role, because the responsibility for implementing adequate security measures falls not only on core infrastructure providers like AT&T, but also on government and business enterprises that deploy and rely on cyber information systems to perform business-critical functions. For these reasons, much has been said about the need for an effective ``public-private partnership'' to share security-related information and to address security-related threats and vulnerabilities. These are laudable goals, and in fact, AT&T and other telecommunications companies have been working together to identify and address security risks, and to develop security-related best practices in partnership with government, for many years. Two of the most significant partnerships are noteworthy.

The Telecom-ISAC

Much of the benefit attributed to a partnership between government and industry involves the need to encourage robust, timely, two-way information sharing about threats, vulnerabilities, intrusions and anomalies. New protections provided in the recently enacted Homeland Security Act significantly reduce the possibility that sensitive information shared voluntarily for these purposes might be disclosed publicly. Nevertheless, companies will only engage in sustained and meaningful information sharing when there is a compelling business case for doing so, and only in a trusted environment.

We at AT&T have a lot of experience in this area. Telecommunications carriers have shared information informally with the National Communications System (NCS) since 1984.
In 1991, the National Security Information Exchange (NSIE) was established as a forum in which government and industry could share information in a confidential, trusted environment. Since March of 2000, the NCS's National Coordinating Center (NCC) has served as the Information Sharing and Analysis Center, or ``ISAC'' for Telecommunications. Telecom-ISAC participants, including industry and government representatives, gather and share information on threats, vulnerabilities and intrusion attempts. Information is analyzed to help avert or minimize disruptions to the telecommunications infrastructure. The results are aggregated and disseminated as provided by agreement among the ISAC members.

In addition, the NCS hosts the NCC and is the lead agency for the telecommunications support functions under the Federal Emergency Response Plan. In that capacity, the NCC is specifically charged with assisting in the coordination of telecommunications restoration and provisioning during national disasters through government and industry cooperation on a 24-hour basis. NCS and the telecommunications carriers also collaborated on the development of the ``Government Emergency Telecommunications Service'' or ``GETS'', which provides government and industry personnel with key national security or emergency preparedness responsibilities with the ability to gain priority access to the public switched telecom network in times of significant network congestion.

There are two related reasons why we believe that the Telecom-ISAC has been particularly successful. First, the Telecom-ISAC is funded largely by government appropriations, so the core infrastructure and round-the-clock staffing is not borne exclusively by the private sector, as is the case with other ISACs. Second, government ``partners'' provide value back to the industry participants. First, the information-sharing goes two ways.
The government routinely provides specific threat and alert information to industry representatives. Second, in real crises, the government NCC representatives quickly engage as ombudsmen on behalf of industry, helping industry gain access to impaired locations for purposes of restoration and recovery, and they represent the needs and concerns of the industry in terms of coordinating response. On September 11, 2001, the NCC helped network providers gain access to Ground Zero to restore communications, including arranging for military air transport for some of our key disaster recovery personnel who were stranded in California when commercial aircraft were grounded.

The ability of government to deliver this kind of assistance, proven repeatedly in crises of differing degrees over the years, has led to an atmosphere of trust and cooperation in which we in industry have felt comfortable sharing sensitive information with the government and with our competitors in times of crisis. This level of trust is essential because in order for information about security concerns and incident response activities to be useful to companies and to the government, it must be shared quickly. This need for expediency results in reports that are initially incomplete and potentially inaccurate, and there can be unintended consequences if the information is not treated with care. This trusted environment has also allowed industry and government partners to engage in periodic ``exercises'' to test the potential impact of different threat scenarios based on accurate network data from multiple carriers.

The National Reliability and Interoperability Council (NRIC)

Another example of the partnership that has worked and should be the model for any government and industry problem solving is the Network Reliability and Interoperability Committee (NRIC).
First organized by the FCC in 1992, the NRIC was established following several telecom outages to study the causes of the outages and to make recommendations to reduce their number and effects on consumers. Since then, some 50 telecom carriers, equipment manufacturers, state regulators and consumers have participated. This has been a standing committee for over 10 years, and is a forum where industry and government come together for the good of the industry to work specific issues. Y2K was one such issue. NRIC VI is focused on Homeland Security with teams addressing both Physical and Cyber security. The product is a set of best practices (proven processes used in the industry) for service providers and equipment/software vendors to use to mitigate risk of attacks.

Another feature of NRIC is the monitoring and analysis of the performance of the public switched network based on reliability data collected during the last 10 years. The Network Reliability Steering Committee (NRSC), a voluntary industry committee, reviews each outage report submitted to the FCC, looks for trends, publishes the results quarterly and annually, and looks for ways to improve the collective performance of the network. A new phase of this work, currently underway in the NRIC, is collecting similar outage data on wireless, cable and ISP networks in order to conduct data analysis, enable performance improvement, and develop new best practices. In leading this effort, the FCC has wisely recognized that to be successful, it must be: 1) voluntary; 2) developed by industry experts; and 3) adaptable by different network providers to reflect differing architectures and approaches.

Safeguarding sensitive proprietary information:

As a private sector operator of a major part of one of America's most important critical infrastructures, we carefully safeguard all information about the physical locations, capabilities and components of our world-wide infrastructure.
While some security experts discount the ``security through obscurity'' approach to risk management, I disagree. A July 9 Washington Post article describing the ability of a GMU graduate student to amass copious quantities of sensitive information about a vast array of critical infrastructure facilities highlights the danger of making sensitive information too easily available. In fact, we would suggest that if possible, this student's report be provided by the Department of Homeland Security to the appropriate industry body, presumably the Telecom-ISAC, for analysis of its accuracy. It is in keeping with national security interests to assess the extent to which a motivated individual can develop a map of the infrastructure through compilation of publicly available information. The findings would be very useful in developing safeguards to prevent the continued proliferation of such information. While this kind of threat clearly is of major importance for physical security, it also presents a very significant, indirect threat from a cyber-security perspective because the information could be used to launch simultaneous cyber and physical attacks, which could result in exponential reductions in network capacity and potentially dramatic customer impact.

Despite these concerns, we are increasingly solicited by various governmental entities for very specific, extremely sensitive, proprietary information about our capabilities and maps of our network facilities and routes. States are attempting to compile lists of the critical assets of AT&T and other carriers for purposes of critical infrastructure protection. We are concerned about the breadth, open-endedness, lack of specificity, potential cost, and ability to safeguard and keep confidential any information that is provided. Neither states nor the federal Government should expect this information from network operators.
First, security-related information that is provided to government entities outside the federal Department of Homeland Security may not be adequately protected from federal and state Freedom of Information laws. Even more importantly, it is not clear that information collected on a wholesale or generalized basis advances homeland security in any way, and may create greater risks to homeland security. In fact, proper analysis of any potential vulnerability requires a detailed assessment of the specific facilities of concern, the services they support, and the impact mitigation strategies applicable to those services. Instead of making arbitrary requests for massive downloads of extremely sensitive information, states should work with the Department of Homeland Security (DHS) and directly with critical infrastructure providers to determine what specific information is really needed and to establish coordinated processes and procedures. The DHS should be the focal point for the coordination across the regions, states, and municipalities, as well as across key industry sectors, to ensure that the information is useful, responsive, and properly managed.

Expanding and refining the ``public private partnership''

We understand that the Department of Homeland Security, in coordination with the nation's governors, is updating and expanding the Federal Disaster Response Plan into a National Response Plan, and that private sector critical infrastructure providers will have the opportunity to provide input to portions of the plan that address how the private sector would respond in a national crisis. We applaud this approach, and look forward to continuing to work with the country's leaders, both public and private sector, to ensure that the private sector's views are considered and our capabilities are reflected in the evolving plan.
I would also like to emphasize that a significant challenge during the recovery from the attacks of September 11 was physical perimeter control procedures that were changed as the responsible government authority shifted from local to state to federal control. As NSTAC recommended to the President, I also recommend that Congress task the Department of Homeland Security to partner with industry in developing a physical perimeter control plan to be part of the National Response Plan for use by all government authorities.

AT&T would like to particularly thank Chairman Thornberry, Congresswoman Lofgren and the Members of this Subcommittee for holding a hearing on this important issue. I offer AT&T's assistance to the Committee as well as my own, and I would be glad to answer any questions you may have.

Mr. Thornberry. Thank you, sir. Finally, batting cleanup as they say, Tatiana Gau is chief trust officer and senior vice president at America Online. Thank you for being here and you are recognized for five minutes.

STATEMENT OF MS. TATIANA GAU, CHIEF TRUST OFFICER AND SENIOR VICE PRESIDENT, AOL CORE SERVICES, AOL TIME WARNER

Ms. Gau. Thank you, Chairman Thornberry, Representative Sessions, Representative Lofgren and members of the subcommittee. Thank you for the opportunity to testify before the subcommittee on the important issue of cybersecurity. My name is Tatiana Gau, and I am the chief trust officer and senior vice president, America Online, where much of my focus is on cybersecurity, consumer protection, privacy and online safety.

At AOL we are committed to playing the leadership role on the issue of security. Employing our technology, tools and educational resources we strive to provide secure products and services, to ensure a safe and secure environment online, and to educate our members to help them protect themselves.
As part of these efforts, we have developed extensive plans to address security issues in our products and services, our network and on the Internet. AOL is working hard to implement recommendations in the President's national strategy to secure cyberspace that apply to our service. This strategy lays out some very important steps that the private sector should take and that AOL is undertaking to protect consumers. We have designed elements of the next version of our software, AOL 9.0 Optimized, to fit the recommendations in the strategy. AOL embraces the partnership between government and private sector envisioned by the strategy, and we are committed to working with our vendors and competitors to strengthen security at the network and the end-user level. Online security is an ongoing process. At AOL, network security is an important part of the cyber safety equation. In order to prevent denial-of-service attacks and other intrusions, AOL, like many other ISPs, has integrated dynamic denial-of-service mitigation protection at all levels of our system which help us protect against attempted attacks. We monitor our network for viruses and take both proactive and reactive measures to prevent, detect and eliminate them. AOL also employs significant protections to safeguard access to member data. And we have incorporated many new safety and security features in our next client software, which is expected to be available later this summer. These cutting-edge safety and security features include: a free firewall for broadband users provided in partnership with Network Associates; free and premium antivirus services which are automatically updated every time a user logs on to AOL; advanced spam filters; and computer checkups that enable our members to diagnose and fix security problems within their systems. 
Through easy-to-use, behind-the-scenes protective measures and checkups, we are helping our consumers help themselves, especially in instances where the user may not know how to install or update security settings on their own. Clearly no tools or technologies are useful unless consumers know about them and know how to use them. That is why AOL also undertakes significant effort to provide a wide range of educational resources. For example, AOL's safety and security area online includes specific information about the security features that AOL provides and tips on how members can protect themselves against scams and viruses as well as how to protect their credit card numbers and passwords. It also hyperlinks members to industry collaborative Web sites, like Stay Safe Online, GetNetWise, the FTC's information security Web page, for other specific suggestions and reinforcement of our messages. In addition to informing our members about security risks and solutions, we recognize that online leadership means taking on responsibilities beyond the AOL community. To that end we have undertaken numerous initiatives such as joining with other leading private-sector companies to form the National Cybersecurity Alliance, in partnership with the federal government. The Alliance Web site, www.staysafeonline.info, provides clear and concise consumer tips on information security as well as security background papers and research studies. Just last month, in response to an Alliance study, and as part of our ongoing educational outreach, we launched a media campaign to inform high-speed users about the dangers of an unprotected broadband connection. The primary goal of this unprotected broadband media campaign has been to reinforce the message that Internet users need to be cyber secure citizens and ensure that their computers cannot be hijacked by hackers to engage in cyber crime. 
Many of the initiatives I have outlined here involve close cooperation with our partners in industry and government and could not succeed without the existence of reliable processes for sharing information. Internet attacks can come from any part of the network of networks that constitutes the Internet and come in many different changing forms. For this reason, AOL strongly supports the development of information-sharing and analysis centers--ISACs--and through these and other fora actively engages in sharing information about cyber-threats and attacks. And, because cyber-attacks can happen quickly and at any time, all ISPs should have a 24/7 point of contact within their company to work with other ISPs, other providers and governments to respond to potential cyber-threats.

We believe that government can play a valuable role working with the private sector in encouraging dialogue among all industry players to promote information sharing and helping to educate consumers and businesses. We look forward to working with the Department of Homeland Security to achieve this goal, and we applaud the creation of the National Cybersecurity Division last month to continue and expand on many of these public-private partnership objectives.

Thank you for the opportunity to be here today.

[The statement of Ms. Gau follows:]

PREPARED STATEMENT OF MS. TATIANA GAU

Chairman Thornberry, Representative Sessions, Representative Lofgren, and Members of the Subcommittee, on behalf of America Online, Inc., I would like to thank you for the opportunity to testify before the Subcommittee on the important issue of cybersecurity. My name is Tatiana Gau, and I am the Chief Trust Officer and Senior Vice President at America Online, Inc., where much of my focus is on cybersecurity. I oversee the integrity of the user experience, consumer protection, privacy, online safety, accessibility, community standards and policy, as well as crisis management and coordination for all of the company's brands.
At AOL, we are committed to playing a leadership role on the issue of security. Employing our technology, tools, and educational resources, we strive to build secure products, provide a safe and secure environment within which to surf the Internet, and educate our members to help them protect themselves. As part of these efforts, we have developed extensive plans to address security issues in products, our network, and on the Internet. To succeed in the area of security, we work with our members to give them the tools and knowledge that they need to protect themselves. We cooperate with other ISPs, mailers, and members of the computer industry on our plans and initiatives. We also work closely with the FTC, FCC, and other federal and state entities. Because of the nature of the Internet, we believe that only through cooperation among all the parties can we properly address cybersecurity as a whole, both for our members and the public in general.

AOL is working hard to implement recommendations in the President's ``National Strategy to Secure Cyberspace'' that apply to our service. This Strategy lays out some very important steps that the private sector should take and that AOL is undertaking to protect consumers. As I will describe, we have designed several features of the next version of our software, AOL 9.0 Optimized, to fit the recommendations in the National Strategy. AOL embraces the partnership between government and the private sector envisioned by the National Strategy, and is committed to working with our vendors and competitors to strengthen security at the network and end-user levels.

AOL'S COMMITMENT TO SECURITY

At AOL, safety and security are our top priorities. We have worked hard to develop a culture within the company where the starting point for all of our products and services is safety and security. However, online security is an ongoing process.
It means providing consumers with easy-to-use security technologies, educating consumers about what to do to help keep their machines and the rest of the online community secure, controlling the use of our networks and keeping them safe, keeping personal information private, avoiding scams, and educating consumers about safe computing practices. Because we recognize that safety is one of the keys to instilling consumer confidence in the online medium and is critical to the continued growth and expansion of the Internet, we are working continuously to safeguard our members' accounts and computers and our infrastructure. The AOL approach to consumer security is therefore threefold, with a focus on: 1) building more secure products and technology, 2) providing state-of-the-art security tools to our members, and 3) educating consumers-both at AOL and beyond-to keep security in mind while surfing the Internet. In each of these areas, we work with others in industry and our friends in the government in a partnership aimed at providing a secure network for all users. 1. BUILDING SECURE PRODUCTS AND TECHNOLOGY Our company strives to develop and deploy the best security technology available. The AOL brand includes many products and services that many people do not realize are part of AOL, including AIM, WinAmp, and Netscape. We have invested in all of these products and services with the aim to provide the best security technology available for our subscribers. We believe that network operators must make security a top consideration in every decision about their networks. We believe that they should monitor their networks for intrusions, apply all security patches for their software in an expeditious fashion, and employ a variety of other applicable best practices. At AOL, network security is an important part of the cybersafety equation. We monitor our network for viruses and take both proactive and reactive measures to prevent, detect, and eliminate them. 
We have a dedicated team of network security specialists who are on call 24 hours a day, seven days a week to protect the security of our infrastructure. Moreover, AOL member-to-member communications take place within a controlled environment, and are facilitated over our highly secure data transit network. In order to prevent denial-of-service attacks and other intrusions, AOL has integrated denial-of-service mitigation protections at all levels of our system, which help us protect against attempted attacks. AOL is no stranger to the cybersecurity fight. We are under almost constant attack from hackers and spammers who target our networks. To combat these attacks, AOL and other ISPs have designed Intrusion Detection Systems (IDS), which unobtrusively monitor corporate networks in real time for activity such as known attacks, abnormal behavior, unauthorized access attempts, and policy infringements. These systems can be used proactively to block certain types of infections and attacks. For example, ISPs can be configured to recognize and block inbound traffic that could otherwise infect AOL's corporate data systems. IDS also can be used to detect computer compromises through signatures that identify known hostile traffic patterns. When these compromises are detected in AOL's network, the IDS system generates an alert to the AOL security staff, which responds immediately. When file attachments containing new viruses are reported to AOL by our members, a signature is built and passed on to anti-virus software vendors and our own IDS machines so that the viruses can be detected in subsequent attacks. We alert our customers as to how they can prevent further propagation of a virus and reach out to other providers where we detect abnormal Internet traffic that may be generated by a virus. AOL also employs significant protections to safeguard access to member data. 
AOL keeps passwords strictly confidential; verification of screen names and passwords is performed on AOL's secure servers. We recognize that a sound security system involves not only use of tools such as firewalls, intrusion detection systems, and anti-virus software, but that our employees play an integral role in protecting security. To this end, access to member data is granted on a need-to-know basis, and employees are extensively trained and screened prior to being granted access privileges. We also conduct periodic internal auditing of network records of data access to detect and promptly address suspicious activity.

2. PROVIDING OUR MEMBERS WITH SECURITY TOOLS

We are particularly proud of the safety and security features of our new client software, AOL 9.0, which is expected to be available later this summer. These cutting-edge safety and security features include a free firewall for broadband users, free and premium anti-virus services, advanced spam filters, and a computer ``check-up'' that enables our members to diagnose and fix security problems within their systems. Some of these features have already been launched but will come together as a complete package in AOL 9.0. To assist both our narrowband and broadband members, AOL runs a virus scan on all e-mail attachments that it receives from the Internet or that are uploaded from our members. If a problem is detected and we can fix the file, we do so and deliver it to the addressees. If it is a Trojan horse, something that by its very nature cannot be fixed, we return the e-mail (but not the attachment) to the sender with a warning. However, e-mail attachments are only one way that a computer can get infected with a virus. AOL, therefore, has a premium anti-virus offering that, after downloading a small program, will guard a subscriber's computer from viruses on floppy disks or CDs.
In addition, every time a subscriber signs on to AOL, the virus definition file is updated with the latest virus definitions--the most important step in protecting your computer because more than 250 new viruses are released on the Internet every month. In addition, AOL is providing broadband members with a customized firewall to guard against hackers and other unauthorized intruders by helping build a wall around the member's computer. The wall, when properly configured, blocks access to sensitive files, financial records, and personal data stored on the member's computer. AOL has teamed with Network Associates to provide free firewall protection. We strongly believe that all users, whether an AOL member or a user of another service, should install, regularly update, and run anti-virus software at least once a week. If the user has broadband, he should also install and run a firewall. These two steps alone would dramatically increase the security of consumers' computers. In addition, AOL has built in an array of security features to address the growing problem of spam. AOL already blocks as many as 2.4 billion spam messages in a single day. To empower our members and to track down and block spammers more quickly, we provide users with a ``Report Spam'' button on the AOL 8.0 software, which gives us rapid reports of spam that evades our filters. Building on the ``Report Spam'' feature and based on extensive member feedback, AOL 9.0 will contain unparalleled spam fighting tools that will make it easier for members to manage spam and to protect themselves from unwanted mail. These tools include very advanced filters, as well as a feature that will block images and URLs from unknown senders unless a member chooses to see them. This feature will help ensure that spammers cannot force e-mail that could compromise the security of members' computers. We also are working closely with Congress on legislative solutions to spam.
AOL 9.0 also empowers users to be proactive toward security by providing for computer check-ups. Through these easy-to-use check-ups and behind-the-scenes protective measures, AOL can diagnose and fix security as well as connectivity problems on a member's computer. We help members help themselves, especially in instances where the member may not know how to install or update security settings on their own.

3. EDUCATING CONSUMERS AT AOL AND BEYOND

AOL devotes significant time and energy to providing a wide range of well-placed education tools and resources that our members would find difficult to avoid. Because our members spend an average of 70 minutes per day online with AOL, we have ample time to remind them about security, and we do. This time online also has implications for the safety of the infrastructure. With more people staying online longer, those computers can be used to launch a distributed denial-of-service attack. For this reason, AOL spends considerable resources to highlight safety and security information available on the AOL service. First, members can easily reach safety, security, and privacy information on the service with a toolbar button--which is always right in front of the member. Second, we have promoted and will be promoting even more educational material on spam and Internet scams with our Welcome Screen space. A recent Welcome Screen promotion on scam e-mails had the highest click-through of any Welcome Screen promotion (including those on Britney Spears) until we started our current promotion on spam. Spam is currently the number one area of interest to our members. One important feature of our service is its Safety, Security, and Privacy area. Member security begins with educational tools that are clear, easy to find, easy to use, and easy to customize.
Collectively taking care of our community, this site urges members to ``protect your home computer and the nation's Internet infrastructure.'' The site includes specific information about how members can protect themselves against scams and viruses, as well as how to protect their credit card numbers and passwords. It also hyperlinks members to industry collaborative sites like ``StaySafeOnline,'' ``GetNetWise,'' and ``Site-Seeing Tips: Travel Insurance for Cyberspace'' for other specific suggestions and reinforcement of our messages. Another key feature of our service is AOL Keyword: Help. This feature provides a resource for members who need assistance on any topic, including security. This process is easy to navigate, clear and simple to understand. At Help, one of six listed topics is ``Online Safety.'' Clicking this link gives the member online safety subtopics to choose, including information on protecting your password, avoiding computer viruses and spotting scams and schemes. Clicking any of these choices gives the member a menu of related short, simple, useful articles such as ``Password Requests in E-mail,'' and ``Password Stealing Schemes.'' In addition to providing many avenues for our own members to be fully informed about security risks and solutions, we recognize that online leadership means taking on responsibilities beyond the AOL community. AOL feels keenly an obligation to use our resources wisely for the benefit of all consumers in the online world. To that end, we have undertaken numerous initiatives. For example, we have joined with other leading private sector companies to form the National Cyber Security Alliance, a unique partnership with the federal government that fosters awareness of cybersecurity through educational outreach. The Alliance website, http://www.staysafeonline.info, provides clear and concise consumer tips on information security. 
AOL is proud to have participated in the design of that site, to be hosting it on our web servers, and to be dedicating substantial resources toward driving traffic there. To gauge consumer attitudes toward and readiness regarding cybersecurity, AOL has commissioned studies independently and with others in industry to help identify areas where efforts and initiatives can further enhance security. We use the results of these studies to tailor solutions to members' attitudes and practices. A recent study conducted by the Alliance demonstrated that the overwhelming majority of broadband consumers lack basic protections against the dangers of an always-on connection to the Internet. The study revealed that most consumers do not realize that they lack those protections or that their computers and personal information are at risk. In response to this study, and as part of our ongoing educational outreach, we launched a major campaign in June to inform high-speed access users about the dangers of an unprotected broadband connection. The primary goal of this Unprotected Broadband media campaign has been to reinforce the message that Internet users need to be cybersecure citizens and ensure that their computers cannot be hijacked by hackers to engage in cybercrimes.

4. THE IMPORTANCE OF INFORMATION SHARING

Many of the initiatives we have outlined above involve close cooperation with our partners in industry and government and could not be successful without the existence of reliable processes for sharing information. Because Internet attacks can come from any part of the network of networks that constitutes the Internet and come in many different, changing forms, information sharing regarding security threats is essential to good cybersecurity. For this reason, AOL strongly supports the development of Information Sharing and Analysis Centers (``ISACs''), and through these and other fora actively engages in sharing information regarding cyber threats and attacks.
This cooperation has proven very important to the continued stable operation of the Internet. For example, in February of 2000, the ISP industry worked together to combat the largest attack on the Internet to date by a single individual in Canada who was able to organize a large scale denial-of-service attack on several large websites, temporarily knocking them out of service. As the attack occurred, the large players in the ISP industry quickly communicated with each other, through informal technical contacts, to isolate and locate the source of the attacks. As a result of the industry's quick response, service to the websites was restored in a matter of hours, and the functionality of the Internet as a whole was never interrupted. This type of response is typical in the ISP industry, and these well-established informal procedures and responses proved to be effective in remedying subsequent attacks on the infrastructure, such as the NIMDA and Code Red viruses. When our IDS system detects or we receive reports of new viruses, we build a signature and pass it along to anti-virus software vendors as well as our own IDS machines. We also reach out to other ISPs when we detect abnormal traffic patterns that may reflect a virus or hacker attack, and have a Cybersecurity team on call 24 hours a day, seven days a week available to address indications or reports of security threats. Indeed, because cyber attacks can happen quickly and at any time, we believe strongly that all ISPs should have a similar 24/7 point of contact within their companies to work with other ISPs to respond to potential network abuses. Information-sharing can also help on the law enforcement side of the cybersecurity equation. AOL works closely with law enforcement and other government agencies to deal with threats to the critical infrastructure, even when those threats may not directly affect AOL or our members.
AOL has a dedicated team of professionals, including former prosecutors, who work with law enforcement in investigations of cybercrimes, including hacking and other security threats. We cooperate with authorities not only in responding in a timely fashion to their requests for information during an investigation, but also proactively in alerting law enforcement to potential network threats. AOL has worked closely with government and law enforcement to identify and locate major hackers whose actions have threatened the Internet, including the creator of the infamous Melissa virus. We look forward to working with our colleagues in industry and government to build upon these existing mechanisms for cooperation and information-sharing, and to ensure that the lines of communication are open and clear.

THE ROLE OF GOVERNMENT AND PUBLIC-PRIVATE PARTNERSHIPS

We believe that government can work with the private sector in the following key areas of cybersecurity: 1) encouraging dialogue among all industry players to promote information-sharing; 2) educating the public about staying alert to potential network abuses; and 3) promoting active cooperation between industry and government in finding and apprehending hackers. Many of the initiatives we outlined above have involved close cooperation between government and industry players in these areas. With responsibilities for cybersecurity now coming under the primary purview of the Department of Homeland Security's Directorate for Information Analysis and Infrastructure Protection, we applaud its creation of the National Cyber Security Division (NCSD) last month and believe it can continue and expand on many of these public-private partnership objectives. We look forward to working with the NCSD, particularly as it seeks to: identify risks and help reduce vulnerabilities to government's cyber assets and coordinate with the private sector to identify and help protect America's critical cyber assets.
As previously stated, government can play a very valuable role in the following: keeping the lines of communication open and clear about cyber threats and cybersafety; overseeing a consolidated Cyber Security Tracking, Analysis & Response Center (CSTARC), which hopefully will serve as an effective, single point of contact for the federal government's interaction with industry and other partners on a 24x7 basis (the CSTARC should work closely with existing ISACs and should seek to develop tools to increase communications among all players); and creating cybersecurity awareness and education programs and partnerships with consumers, businesses, governments, academia, and international communities. In coordination with the National Cyber Security Alliance and its StaySafeOnline campaign, and other organizations, the NCSD should seek to advance the development and expansion of education programs without delay. We look forward to seeing DHS's execution of the actions and recommendations outlined in the National Strategy to Secure Cyberspace, and will support those efforts as we continue to work closely with government and law enforcement in minimizing threats to our cybersecurity.

CONCLUSION

We applaud the Subcommittee for its examination of these issues as companies such as ours undertake significant efforts on behalf of our members and the Internet as a whole. We will continue to work hard to implement recommendations laid out in the National Strategy in our products and our outreach initiatives, and encourage other companies to do so as well. We are deeply committed to addressing cybersecurity in partnership with government and with our suppliers and others in our industry. We look forward to continuing to work with Congress, the Administration, and others in industry toward ensuring cybersecurity.

Mr. Thornberry. Thank you. It is a little bit frustrating from this side of the dais because I think the subcommittee could spend an entire hearing with each of you.
And yet what we are trying to do is also get our arms and brains around the larger problem, the overview. And so we appreciate each of you being here today. I want to mention before we turn to questions that toward that end this subcommittee is sponsoring, with CRS, a workshop on cyber-security, and I would encourage all members to have their staff members attend. It is Monday, July 21, in the Cannon Caucus Room. Ms. Lofgren and I have sent information on this to each of your offices. We have some fine folks who are there and I would recommend that you send your people. I would like to start with a kind of a broad overview question addressed to each of you. And a number of you have talked about this in your statement. But, again, in the interest of trying to see if there is consensus and in broad form where we go, I would like for each of you to briefly address this question. We are not going to have time to get all into it, but we will go back. And here is, I guess, my question. The market is driving each of you towards some measure of greater security. First question is, are you comfortable that that market-induced level of security is sufficient for our nation's security or is something more required than where the market is going to take you? Secondly, if you think something more is required--and I don't assume that--but if you think something more is required, then just in rough outline what is the federal government's role in achieving that extra measure beyond which the market allows you to go. Again, I would ask each of you to be relatively brief in your answer, because I want to turn to other folks, but that is kind of the big question that this subcommittee is grappling with. And so I would like to just go down the line. Mr. Reitinger, if you would start? Mr. Reitinger. Thank you, Mr. Chairman. I will try to be very brief. I think the market is going to go a long way. This is a very innovative industry. 
And as you heard from the panel today, across the industry we are seeing security innovation. It is possible that in selected areas the market will not go as far as the nation needs for national or homeland security purposes. I have two points on that. One, you can't look at that broadly, though. In other words, the market may not go far enough in a particular place, or in another particular place or sector. So I think it is less a broad question and more a particularized question. Second, it is dynamic. In other words, the question is not where is the market now, but where is the market going and where do we need to be? Do we need to look at the direction we are going in. Second point, even if the market is not going to go as far as we want to go, I would urge policy makers to move in as, I believe my estimable colleague Whit Diffie said, as tailored a fashion as possible. Just because the market may not go as far as you need for national security doesn't mean to leap to regulation or some other mandatory step. I think one of the critical functions for the new Department of Homeland Security is to take a very close look at where the market is going, figure out what it is going to do, where there may be gaps, and then figure out the best and least intrusive way to close that gap. And I think some of the suggestions we would have I stated in my written statement and I outlined for the committee and won't repeat. Thank you. Mr. Thornberry. Thank you. Mr. Diffie? Mr. Diffie. I think I will take it for granted that there is some role for government in this and just spend a moment or two just looking at what that might be. I think it is important for the government to do those things that it is uniquely qualified to do. So, for example, the government has access to information that is not available or not as readily available in the private sector. 
And so, as I said in my testimony, I believe that a follow-up mechanism for measuring the actual security of systems in operation should be used to validate the certification mechanisms. This turns on the fact that the intelligence information needed to do that is very hard for industry to get because individual pieces don't want to share it and they share it more readily with the government. I also believe the government has played a very important role in standardization. I cited the advanced encryption standard. If it is anything like as successful as its, I believe, more controversial predecessor, the data encryption standard, that will be something that the fact the U.S. government took this on as a standard will have a transforming effect. Finally, there is government's incomparable role as a customer, both in the sense that the government could perhaps show more foresight in putting security forth as a requirement for the systems that it uses but also in a unique ability to engage in certain large purchases, so to speak. So, one of the problems--we have had a long discussion of why public key infrastructure has not developed as well as many of us hoped. And I believe at root that is a capital development problem. That is to say, like a telephone infrastructure, a keying infrastructure becomes more valuable, the more of it there is. And so it is hard to get it started. So, if you contrast general government and civil sector keying activities with those of the Department of Defense, which has a focused mechanism for putting out up-front development costs, you see that they got much better results in a shorter period of time. So I think the government needs to consider what major steps like that it might take. Mr. Thornberry. Thank you. Dr. Lowery. Dr. Lowery. I am wondering if there will be much left to say by the time you get to the end of the row because many of the themes that you have heard expressed so far to my right we also concur with. 
In particular, government's role as a customer is one that we see as extremely important. You have a lot of opportunity to give us input through our direct relationship with you as a customer of Dell, for example, to tell us what it is that you want. And the CIS benchmark offering is a prime example of this in action. This is a result of government customers asking for that. So, as a customer, I think you have immediate impact to how industry works through market forces. The coordinating role of government also should be reemphasized because since we do believe in standards or where this is going to happen, the consensus that needs to be driven here, a coordinating role is important to make that happen. And I think that government helping to arrive at standards is an important function that you can provide. And we would like to see more involvement in helping to coordinate the standards that are already being developed through the market. Mr. Thornberry. Thank you. Mr. Adelson, is market enough? And if not, where does government fit? Mr. Adelson. I believe market drives much of the end-user requirement, end-user type of applications and tools. While government can certainly advise and inform the service providers to provide those tools, market will only go so far as to, say, create my end-user environment, something from Microsoft, something from AOL. At the network infrastructure level, for example, if two networks have authentication when they speak with each other, users never see that. They don't know if it is on or off. And so, in order to get network infrastructure going, you have to have certifications and standards, create some kinds of best practices, check against them, and then be able to advise the user community that a network has met or not met those standards. Mr. Thornberry. Thank you. Mr. Ianna. Mr. Ianna. Answer to the first question. I think that the market will take it a long way but not all the way. And I think the government can help here.
And I would liken this back to when the FCC and the Telecom industry created the network reliability council. I think there were some failures in the industry, local carriers, long distance carriers. And I think they were dragged in front of a hearing, and were asked two basic questions. Number one, how reliable is the public switched telecommunications network? And there was not a lot of good information to give that answer. And if you couldn't answer the first question, you certainly couldn't answer the second one, is it getting better or is it getting worse? Forming the network reliability council brought all of the participants in the industry together, NRIC as it is now called. And we now have some 44 quarters worth of data broken down amongst the components, the physical components, of wire line networks as to what causes failures. And we know how reliable it is and is it getting better or worse and what is causing a particular problem. So I would suggest that the way that we approach this is to have a voluntary public forum that we could share information, best practices and the like and that we set a standard to answer the question: How cyber secure are we? And there is going to be a metric around that. And is it getting better? Is it getting worse? Because it will continuously change. As we interconnect one network to another network, if somebody introduces a new application, the holes or the opportunities for hackers to get in and do something will change continuously. By the way, I think you could also answer the question amongst different industry segments, the financial industry, the water industry, the power industry. And each one of those can focus on their own mission-critical services and how cyber-secure they are and how they need to be. And we could share information amongst those ISACs too. Mr. Thornberry.
That changing nature is part of the challenge for government because we don't change very fast, particularly when we are talking about laws and regulations. So I think that is a good point that several of you made. Ms. Gau? Ms. Gau. I have been with AOL since the mid-1990s and never has there been a time where I haven't had to argue until I was blue in the face about the need and the good business sense to include security in our products. Our consumers are demanding it now. Extensive research that we have done shows that it is first and foremost on their minds when they are surfing the Internet, especially if they have family involved. And they may not be thinking about the nation's critical infrastructure in that context, but they are thinking about how to be safe themselves and how to protect their point of vulnerability. And obviously, they have the buying power. Well, consumers are not the only buyers out there. As some of my colleagues have mentioned, government can play a role here in really driving the market for more secure products. One--a similar situation might be with Section 508 of the Americans with Disabilities Act which requires that companies include accessibility in their products if they are going to sell to the government. Similar types of approaches could be taken in the area of security. With respect to what more could the government do, I would go back to the mission of the National Cybersecurity Division and to homeland security in general in this area with respect to information-sharing, providing those of us in the industry, those of us that are working to keep the critical infrastructure up in place with information that we might not be able to easily obtain elsewhere; to provide for research and development in areas that we are not able to. And to also work to educate all users, consumers, businesses and other government agencies alike about the need for cyber-security. Mr. Thornberry. Thank you. Ms. Lofgren? Ms. Lofgren. Thank you, Mr. 
Chairman. This is a very helpful panel. And actually, if I am listening to you, I am hearing broad agreement on many themes: that we do need standards. We need accountability towards those standards. We need a role for government in coordination and maybe assisting in the development of those standards, additional research. I am glad, Mr. Ianni, that you mentioned the physical infrastructure issue because that is also--I don't want to belabor that. But that is something that we--you know, we are thinking hackers, but actually the tradition of terrorists has been guys with bombs. So we should not overlook that element. I have a question because Mr. Diffie mentioned that what we do now will have a downstream effect. And I think about that all the time, that if we make a misstep now that it will have an impact, you know in 10 or 50--my children will live with the mistakes that I make. And so I especially want to avoid them. And while we are focusing on security, which we must do, I am eager to hear from you, what is the worst thing we could do as the federal government that would either impair our security, but also impair our liberty in the future? I am concerned about what we might do now that would impact the architecture of the Internet to the detriment of our free society. And I am wondering if you have thought about those issues and what your thoughts might be. Each of you, starting with Mr. Reitinger. Mr. Reitinger. Thank you, Congresswoman. Although it is a little unfair for me to go first on each of these. I will be very brief so I don't cut folks off. I would say I think the worst thing that you could do is something that would impair security and privacy innovation. Doing something in such a way that the ability of industry to respond to the increasing market demand for security and the increasing need for homeland and national security, that ability would be impaired in some way. Mr. Diffie.
I guess my greatest concern is that these technologies will get bottled up and become the properties of-- to give the jargon, certain elites, in the way that say, drug development is now regulated. I think it is very important that people continue to own their own computers, genuinely to own their own computers, to have the root authority and the actual power to control what their computers do. So that we get security sort of by an aggregation from the ground up of all of the individual citizens, rather than something imposed by some government-industry security mechanism that restricts either security practices, security uses, or in general, the use of computers by the citizenry. Dr. Lowery. I think anything that you do which does not allow for the fact that security is a moving target is going to be ill-conceived. It is a changing landscape from day to day. So anything that is done above and beyond what customers are asking us to do, I think has to be very carefully considered, because ultimately, as time moves forward and we are looking back on what we are deliberating today 15 years from now, we very well may say, How could we have foreseen this happening? So we have to be very open minded about what could happen in the future, and not kid ourselves that we have all the answers today. Mr. Adelson. I think anything that government does that would slow down first response, and from, you know, that if, your good intentions aside, monitoring or controlling the ``Internet,'' with quotes around it, you know, is something that is far beyond the scope, and if you tried to implement such a thing, I fear that the Internet itself would actually be at increased risk toward our, you know, how fast you get back up after a national crisis. Mr. Ianna. I think the worst thing that the government could do is not listen to the industry participants as to what they are capable of doing, and what can be done in a timely and cost-efficient manner. 
I go back to some of the NRC days, where we were trying to define a failure. And if you ask a consumer group, they may come up with something that says, Well, this is a failure, and every time you have this failure you need to file a report. We would have cut down acres of trees and buried Washington in paper and not improved the state of reliability had we adopted some of those that the industry said, This can constitute a failure, and this is what we want to improve. We work together in a true partnership. I really believe that all of the industry participants in that case, in telecom, although we were fierce competitors, came together in the best interests of the country. So listening to the participants about what is doable and what can be done quickly and cost-effectively, I think, is very important. Not listening to them, I think, would be a very big mistake. Ms. Gau. Well, I have to echo all my colleagues' comments, particularly in the area of developing standards that might be obsolete by the time they would be published, because security is a moving target, and it is an ongoing process. Additionally, I think, one of the worst things government could do would be to not engage and further strengthen relations with the private sector. There have been ongoing dialogues, AOL has very close working relationships with government and also with law enforcement at the state and local levels, and we are engaged in a continual dialogue. But anything that would hamper our ability to respond, whether it is some type of system where we have to go through a central control without being able to first focus on what we need to do as a company to get our business back up and to be able to provide the service to our customers would be a mistake. Mr. Thornberry. The gentleman from Texas, Mr. Smith. Mr. Smith. Thank you, Mr. Chairman. Mr. 
Reitinger, let me address my first question to you and ask you to call upon your experience with the Department of Justice, where you served prior to joining Microsoft. There, according to your bio, you were a prosecutor of computer crimes. One of the frustrations we have on this committee, and I have to say we have on the Judiciary Committee, as well, is not being able to quantify the number of computer crimes, not knowing how many are committed, not knowing what the trends are, and therefore, not being able to necessarily address the problems as much as we should. As you know, when computer crimes are prosecuted, they are kept track of by statute not by type. What can we do to get a better handle on the types of computer crimes that are committed, how many are committed and what the trends are? Mr. Reitinger. Thank you very much, Congressman. I think your frustration is widely felt. One of the concerns--and you will see in the opening of my written statement, as I think in prior testimony the committee has seen, there is a general sense that we don't really know what the scope of computer crime and computer damages are. We actually don't have a statistically rigorous measurement of the amount of harm from computer crime and computer attacks. There are government agencies that do that sort of thing, the Census, the Bureau of Justice Statistics. I would think that having a statistically rigorous analysis of the amount of harm that our economy faces as a result of computer crime would be a very valuable thing and help close what I think of as the knowledge gap that we face in addressing questions in that area. Mr. Smith. I agree and I think that is exactly what we need to do. And I will try to engage in some discussions with the various agencies to try to collect that information for the reasons that you stated. Thank you. Dr. Lowery, in regard to your testimony, you mentioned some of the initiatives that Dell has taken as far as systems security goes. 
Would you go into a little bit more detail specifically about what Dell has done that you find effective. Dr. Lowery. Yes, I would be glad to. Dell has responded to customer input, specifically from our federal customers, to deliver from our factory directly to them Microsoft Windows 2000 installed on Dell computers, specifically the Optiplex, Latitude and Precision Workstations, that are already set with the configuration settings from the Center for Internet Security, which I mentioned before. The reason that we have done this is purely because customers have requested it. Also, we see it as something that can be made available to all of our customers. It is not something that is restricted to our federal customers. We think that everyone can benefit from it. So this is an example of industry best practices as they exist currently, today, that we can bring to market with very minimal lag time because of our direct model. We build--most every system that we ship is custom built to that particular customer's order. And so as soon as we have new information that impacts product safety or security and we are able to get that into the product and into the factory, it is in our customers' hands typically in five to 10 days after that as we start shipping it. So that is why we have taken that role. We can deliver that technology fairly quickly to our customers that have requested it. Mr. Smith. Thank you, Dr. Lowery. Mr. Reitinger, let me go back to you and Ms. Gau. Both of you have had extensive experience dealing with the federal government. We have heard in response to some earlier questions that we need to establish a better relationship with the federal government. We need to do more listening, and so forth. Specifically, though, how do you think the federal government can better, or more enhance cybersecurity? Ms. Gau, let me begin with you. Ms. Gau. 
At the risk of sounding repetitive, I am going to go back to the information-sharing, the research and development, coordination with private sector and education components that actually form the mission of the National Cybersecurity Division. One of the areas that we are looking at right now in terms of the industry is information-sharing with each other and how we can continue to improve on those processes that already exist, such as 24-7 contacts that exist amongst the players in the industry. And taking that a step further, really having that kind of cooperative relationship with government at the DHS level in the National Cybersecurity Division is something that I would very much look forward to. At this point, we are still developing our relationship with DHS and I look forward to seeing the Cybersecurity Division get going, so to speak, and engage us more actively. Mr. Smith. Okay. Thank you. Mr. Reitinger? Mr. Reitinger. Thank you very much, Congressman. I will also--I think the main points we have hit on and Ms. Gau also retracked there--let me touch on one point on information-sharing. There is an anecdote I have heard about something that occurred long ago, before the IT ISAC in particular was formed, where my boss' predecessor, Howard Schmidt, got a call in the middle of the night from the network operation people who said we are seeing a spike in network activity. He came in and he saw that there in fact was an issue and started calling his colleagues, including a colleague from Sun. They were able to sort of quickly see that this spike was occurring across the networks and take some action. In particular, Howard was able to reach out and talk to people at the Department of Defense, and as a result, a lot of DOD computers got protected as a result of that. This goes to show that we already have a lot of ad hoc and very valuable information-sharing that is taking place. 
What we need to do now is put that on rails, make it a part of business processes for both government and industry so it becomes a part of how we do business. And the government, I think, can help a lot in that regard, in particular in some of the ways Mr. Ianna was referring to. Mr. Smith. Thank you, Mr. Reitinger. Thank you, Mr. Chairman. Mr. Thornberry. Thank you. The Chair's intention is to call on members in the order of appearance at the hearing. And I will now call on the gentleman from North Carolina. Mr. Etheridge. Thank you, Mr. Chairman. Let me thank you and the ranking member for holding this hearing, and more specifically, for our witnesses being here today, because I sit here and think of so many questions, so much information and so little time on such a critically important question. Mr. Reitinger, let me ask you the first one, because I am going to go from your written testimony, if I may, and then I will come back and ask the others. The next time I will go in reverse order from the other end. But yours first. You stated that cybersecurity remains an interagency problem, as you said earlier, and that a key role for DHS and the National Cybersecurity Division is building industries for effective government action in helping other agencies develop procedures that support homeland security. What has the department done thus far to fulfill this role? And have its efforts produced results that industry is feeling? Mr. Reitinger. Thank you, Congressman. I might be the wrong person to ask that question to. The people who could best answer it would be in the department. I am very encouraged by a lot of the activity that the department is undertaking. I think they are very new. They were only officially stood up less than six months ago. But listening to the things that they are saying, particularly Assistant Secretary Liscouski, on the issue of cyber-security, I am looking forward with hopeful expectation to the things that they are going to accomplish. 
In particular, one of the things that I think they are doing is focusing on deliverables, getting things done in both the short term and the medium term as they look towards the long term. I think there is a tremendous problem there. There are a lot of government stovepipes that need to be tackled. And I think the entire department needs a lot of help from across the bureaucracy and from this committee. But I feel very hopeful about it. Mr. Etheridge. Thank you. Want you to understand, I asked you that question because you have been inside and now moved outside, and I think it is critically important to hear your views on it. Let me start on the other end and ask this question of each one of you very quickly, because each one of you touched on about the security issues that you are employing that you have ramped up. And my question is, what event or events prompted the additional focus on security from your strategic standpoint as an industry? Because different ones have talked about the customer demands--that does it. Was it customer demand or was it an attempt to differentiate between products or some other events? Because you have shared with us the need for industry to be given a goal, but at the same time industry's going to take certain actions. It would be of interest to me and I think to others on this committee to know some of the things that have driven that. Ms. Gau. As a consumer-facing business, the AOL perspective is going to be geared, obviously, towards what we see with our consumers. 
Whereas there have been the early technology adopters, as well as other people out there in the marketplace that have always been concerned about security, I would say that it was probably right around the time of the Melissa virus in the year 2000 when the mass market of consumers all of a sudden realized that, My gosh, a virus, and the whole story of how it propagated and how the guy then got caught and the cooperation that was entailed in catching the guy--it really all of a sudden woke people up. And it was about the same time that also there were the attacks against eBay and a number of other major providers that were taken down for a brief period of time, as well as some privacy breaches, some high profile privacy breaches that took place that year. So I would say it was really in 2000 that we started seeing our consumers identifying safety and security as a top priority for them in the security research or general research that we do on a routine basis to understand our customers. Mr. Ianna. Actually, it starts from customer demand, but that only starts from the base of what you know and what you are trying to protect against. For example, in a data network you are saying, I am trying to make it as reliable as I possibly can. People know about cable cuts, they know about software failures--trying to make sure that this network is four nines of reliability. All of a sudden some other new thing comes up, somebody does a distributed denial-of-service attack, and you are hosting that Web site in your network. You now have to be aware of the fact that this goes on and how do you mitigate it. So it is not only customer demand but it is an event that occurs that is a new form of failure that you very quickly have to adapt to. And unfortunately, as networks get more and more sophisticated--for example, let us say for example in data networks now, Wi-Fi becomes a very popular form of access. 
I guarantee you we will see different types of failures and different types of potential intrusions in gathering information in that network than we have seen in other networks, maybe because of the unsecure nature of transmitting some of that information. So it is the baseline of what you know always augmented by something new happening and customers saying, ``I don't want that to happen to my application. What are you, AT&T, what are you, service provider, ISP, doing to prevent that from happening again?'' And that is what drives our continuous development. Mr. Adelson. I will speak to the physical components, since that is our area of speciality. There was no specific event which changed the focus on physical security for us. I know back in 1996, I worked at Digital Equipment, in their research, and what we found was that the participants--and infrastructure radically changed from 1996 to 1997, and started to include companies like Alta Vista and Yahoo and Google, as well as the network service providers. Their requirements for physical security had commerce behind it, and it changed all of the focus. And so, for example, exchange points moved from a central office to a robust physical infrastructure. That is really the closest thing to an event--it is really a market shift that focused our change. Dr. Lowery. Congressman, I would say that I perceive no specific event, but instead a succession of events that are also progressive, kind of ramp-up. And also, as Mr. Diffie mentioned earlier, we are making a transition to more virtual world. And so it is becoming more important, and becoming something that we rely on increasingly. And this has been happening over the past three or four years. The time lines you have already heard. So that does drive customer demand. As customers become more aware of how much they have invested in these technologies, and how much those technologies impact them personally, they start making more specific requests. 
And as I said, we are always open to our customer input. That is what we are looking for. We look to them to help us make a determination as to where we go next as far as what we should be doing with our products. Mr. Diffie. Well, he stole my line. I thought I was going to be first to say that I couldn't remember any explicit event. As I go back over the half dozen things I can list, which seems to be significant Sun contributions to security--client-server computing, Java, hardware domaining, Trusted Solaris--my sense is that they are the responses to our perception of our customers' needs in security, as opposed to their desires in security. So, for example, with the rise of the World Wide Web, the development of a computer language intended to have security with mobility--in this case, mobility of code--was intended to enable the sort of business development that we saw. And I think that is the kind of reflection that is always going to be required in this area, that you are never able to determine security requirements merely by market survey. Mr. Reitinger. Thank you, Congressman. Rather than listing a specific event, I will briefly mention three factors that I think play outside of customer demand, one of which relates to what Mr. Diffie was just talking about. First, I think there is a business imperative to build trust. Security is in a sense less a size of the slice of the pie issue as it is a size of the pie issue. For all of us to do better and be more successful, we need people--and for society to be more successful--we need people to utilize information technology broadly. That is not going to happen unless people trust information technology. And so we need to accomplish that. Second, September 11. September 11 taught us we need to worry not just about the foreseeable, but also the unforeseeable. And third, and this is a point related to what was just talking about: social responsibility. With market share comes responsibility. 
And we as large and important corporations have a responsibility to look towards protecting the security and privacy of our customers. Mr. Thornberry. Thank you very much. Thank you. Chairman Cox. Mr. Cox. Thank you, Mr. Chairman. I want to thank this panel for being exceptionally educational and for your willingness to devote some careful thought into providing your fair testimony even before you got here and, of course, for your years of experience that enabled you to do that. And I want to thank the chairman and the ranking member for organizing this particular focus on cybersecurity. As members of the panel know, in organizing this Committee on Homeland Security, and indeed, in organizing the Department of Homeland Security last year, the Congress had it in mind to pay particular attention to our information infrastructure. And this subcommittee is the only subcommittee in either the House or the Senate devoted to cybersecurity. I make the point because so much of our focus on what we now call homeland security, on fighting terror, is really coming to grips with technology, whereas in the 20th century, only nation states could pose WMD threats to us; in the late 20th century, we found that such dirt-poor nations as North Korea could pose similar threats. And now we are finding that terrorist bands, and ultimately I am sure we will come to the conclusion in the 21st century, that individuals will find their own capacity to harm civilization levered by psychology in the same way that this technology is improving our productivity in all other peaceful aspects of our existence. 
And so I want to make sure that as we organize the Department of Homeland Security, we are focused not just on, for example, the Internet the way we know it today but on where this technology is headed, because 10 years ago if we would have had this hearing and asked these questions with all that time to prepare, we still couldn't have prepared ourselves because so much of what we have today was unknowable at the time. And we want to make sure that in the future we are nimble. So in matching the strengths and weaknesses of the federal government, which we have all agreed today need to be a partner in this venture with those of the private sector, I find that one of the federal government's characteristics is extremely troubling. And that is that it tends to be ponderous and sluggish in its movements in developing regulations or in implementing its policies. Whereas what typifies not only the private sector but, in specific, the technology industry is lightning quick ability to change. And this change is going on all around us, not just our nation, but around the world. And so, my question is as we have gone from, for example, Code Red two years ago to Slammer this year and we have got our reaction time to a matter of minutes, and we may be looking at even seconds, when what you are asking the federal government to do is help post best practices, how do we deal with the fact that it might take too long for the federal government to be the clearinghouse for this information? And anyone who wants to jump at that is welcome to do so because you are all expert in this. Mr. Diffie. Well, I will take a brief crack at it and say I think that the federal government should not be apologetic for being ponderous and slow. It is running the largest enterprise in the world. And I don't think if we look at the record that we would see, in cases where it is active in haste, it has necessarily acted very wisely. I think the important thing in here is that there are long-term principles. 
Federal legislation must recognize the principles, speak to the principles, speak to provision of resources, and certainly weave the rapid reaction much further down the chain from Congress, perhaps to parts of federal agencies and to industry and individuals. Mr. Cox. Well, that certainly reflects my views, particularly when it comes to writing legislation. I want to be sure as a norm here in Congress that we try not to write technology into the law, because ultimately the lawyers will then make sure that in order to comply with the law, you maintain the technology that is written in the statute. And that will be a very, very bad world indeed. And so, I think your recommendation is getting us on the right track. I would be happy to hear further. Mr. Ianna. Yes, I think the answer to that question or an answer to that question is there are many solutions to a problem of sharing information. For example, the Telecom ISAC, we have to be very comfortable with that one. It has been a good government/industry partnership. I think the thing that we could be ponderous on is that there are many good solutions, and deciding which is the right one, we spend too much time on. I think they are all about 80 percent right. And I think we need to spend more time on taking a good example of what works and then applying that to other industries, and not worry about making the right solution, but about making the solution right, and leave the quick, rapid response to an ISAC or to an information sharing way lower down in the chain, but get the people and the participants participating in that very quickly and define what you want to protect and how you want to define your measure of success very quickly. And just say, for example, if you are protecting water, what are our critical systems that we want to have? What is the level of cybersecurity we need around those? Let the industry participate in that. And then, further down the chain, let them go implement those solutions. 
And then you will have to continuously look at it, because threats will change, lots of things will change, networks will change, but you will have a history, then, of are we getting better or are we getting worse? And that is the key. Mr. Thornberry. Mr. Reitinger? Mr. Reitinger. Just briefly, chairman, thank you. I think that this is a--cybersecurity is a network problem much like the Internet, and requires a network response. The government has some very important nodes on that network, with some strengths and weaknesses, and probably needs to concentrate on the things it does well and must do, as Whit was saying before. Within DHS, I think it needs to concentrate on three things: people, process and technology. And I think of those three, they are all important, just to expand a little on process. There are a lot of government business processes that are no longer well suited to protecting homeland security in a new environment. And DHS needs to lead that transition and incentivize--I know it is a private sector word--but incentivize that transition within government for processes that effectively protect homeland and national security. Mr. Cox. I thank you, Mr. Chairman. My time has expired. Mr. Thornberry. I thank the Chairman. Ms. Christensen? Mrs. Christensen. Thank you, Mr. Chairman. I want to welcome the panelists. We have had some briefings on cybersecurity that left us a lot less hopeful than informed than the information you have provided for us today. I want to begin by asking Mr. Adelson a question. Putting what you do in the perspective of first responders is very helpful. And communications, steps in information management, is an issue for all of the first responders, the fire, police, everyone. Is this a part of the ongoing dialogue that the private sector is having with the federal government? And do you have any recommendations as to what this committee can do to better make that more efficient so that you can respond in a timely manner? Mr. 
Adelson. Sure, I believe that there is a lot of learning going on right now, and I should stress that we are in the initial stages of determining where the threshold should be in information sharing. Information sharing being the critical component, as you have said, as an exchange point operator we have seen the communication problems that go on between network and service providers and vendors in government today, we know that it is a monumental task and should be approached very carefully. Classic example of this is the Freedom of Information Act provisions that really must be preserved to protect network service providers so that they can freely share that information with government without concerns. And I feel that that is one example of a number of areas where really we have to understand the full scope of what is at stake for network service providers before engaging in any kind of formal process. But I am encouraged by the process that has happened so far on the standards and suggestions that I have seen. Mrs. Christensen. You raise the trusted environment again. And that is really critical between the private--between private industry and between private industry and government. Are there recommendations from any of the panelists as what this committee can do to foster that trusted environment so that the communications can flow as it needs to flow? Mr. Ianna. The trusted environment can exist in a government-private partnership. We have seen it work in the telecommunications environment. We are concerned about sending lots of information to not only one place, but multiple places to then have it become public, which may not be in our best interests. The other thing, I think, that is really important is to get to the level of protection that I think we all want. A macroanalysis of vulnerabilities will not get you there, in my opinion. You have to get to the microanalysis of each and every industry and network. 
An example that I give is I could create a network for a large bank out of AT&T services, SBC services, Microsoft services, Equinix services, et cetera. And that could be very, very physically secure and very logically secure. I could take the same bank and the same four vendors and create a network that is not physically secure and not logically secure, just by putting the parts together differently or having absence of pieces. So a macroanalysis does not get you there. It is a microanalysis, and it has to be done at the industry and at the entity level. A lot of the components to create very secure, cyber secure, and very physically secure networks are there already. And a macroanalysis of this may not get you there. It has to get down to the, I believe, the individual network level. Mrs. Christensen. Well, maybe I can--I don't see anyone else jumping to answer, so I will ask my last question. The government and the private sector have been collaborating and discussing security before the creation of the Department of Homeland Security. Has there been good continuity in that collaboration? Has it improved? Has the creation of the department, bringing all of the different parts under one umbrella, has it become more cumbersome? Has this dialogue between the private sector and the government improved since the Department of Homeland Security over these issues? Or is it more complicated because of all of the different pieces coming under this one umbrella? Mr. Adelson. Well, I will say that my experiences before the Department of Homeland Security, while encouraging that there were efforts underway, we are, you know, minimally exposed to. Part of it is because, you know, we were focused on our customers and we didn't have the resources to have someone here in this environment at all times to interact with government. One of the components of DHS which was encouraging for us was they were reaching out. 
And for the first time we were hearing from government with a request to learn. Like this hearing today is a great example of that. So I think we are headed in the right direction. Mr. Ianna. I would just like to say that as part of this, many state governments have done something similar. And certainly, from a response request and the amount of effort that you have to put into it, and the vulnerability of information and create a few lists in 51 places, as opposed to one place, also. I would like to see more coordination and templating amongst the states to the federal level also. I think that would be very helpful. Mrs. Christensen. Thank you. Thank you, Mr. Chairman. Mr. Thornberry. Thank you. Vice chairman of the subcommittee, Mr. Sessions? Mr. Sessions. Thank you, Mr. Chairman. I am sorry to have skipped back and forth, but I heard the testimony from Mr. Diffie, and I heard you talk about standards by the government. I heard, certainly, Mr. Ianna talk about government standards that would be good for us to develop. And part of the dialogue and discussions then that Dr. Lowery was the CIS. The question I have got for anyone on the panel is, is there any consensus on a best practice? Mr. Ianna, I just heard you say you could develop a secure network that would be great. And depending on how you put the pieces of the puzzle together, it may or may not be secure using even the same vendors. Is there a best practices model out there that should be looked at, sanctioned, if not by some government entity, by I think they are called CIS? Is there something out there today that says this is the most secure way that we know of today to develop the architecture? Or would everything just be so robust you would have to literally pay somebody thousands of dollars to come and piece, part it for you? How difficult is that? And does the government follow a model, from what you can tell, as related to whatever this business model may be? Anybody? Mr. Ianna. 
I will try a shot. There are best practices that industry participants have shared. The NRIC previously the NRC is a good example of that. As we came across failures and we analyzed failures, we figured out what do people do? And what do people do well and what do people do not so well, or companies within that? And we created best practices and we shared them. And we are doing that right now in NRIC 6 at the physical level and at the cyber level. But to paint the entire problem, I believe, with one set of best practices, I would just urge that we don't fall into the trap. For example, a best practice for a financial application at a very high level transmitting, you know, hundreds of millions or billions of dollars in transactions may be one set of best practices. And somebody surfing the Web for information may be a totally different set of best practices with different levels of security, fire walls, et cetera. So I believe that best practices do exist in industries. I think we have some proof of it in the telcom industry. I can't speak for others. I think there are--power industry, for example, et cetera. But I don't know if there is one best practice that fits all sizes of all types of networks and applications that the government should sanction. I don't know if we should go that far. Mr. Sessions. Then, what would you say? Dr. Lowery, you might want to speak to this, but what would you then say, and your observations about the United States government, following these known best practices, how well do you think they do? Mr. Ianna. Well, that is a good point. The government is a very big customer. And it can drive some very big changes in the industry or practices in the industry just from its own purchasing power. 
So if the government decided, for certain networks, that it wanted these levels of cybersecurity, firewalling, anti-virus software, automatic updates, et cetera, it could drive that particular standard for that level of security because you have the purchase power of a large customer. Mr. Sessions. And how well do you think the government does? Mr. Ianna. I really can't paint that with one brush. I don't have an answer. Mr. Sessions. Good. There are examples of very, very good? Or do you enough about this to speak on this? Mr. Ianna. I probably don't know enough about it. Mr. Sessions. Okay. Thank you. Ms. Gau. If I may, I just wanted to pick up on one element that Mr. Ianna mentioned. And that was the auto updating. When you look at some of the organizations in the industry today that put out security standards, there are a number of them other than CIS. And they try to market it as a service. There are even security seal programs just like there are privacy seal programs where the industry is trying to take a self-regulatory approach to establishing a baseline level of security for certain applications. The problem is that as we have already said, security is an ongoing process and a moving target. And as part of any of these standards, as part of any potential piece of legislation, it needs to be auto updating. And there lies the dilemma. Mr. Sessions. I would love to see it stay away from legislation, but to be able to say there is some standards body that we believe enunciates the best practices and becomes a model. And somebody talked about this. I think that that could be a way to highlight someone. And I think that is the best way that we ought to pat somebody on the back but not with rules and regulations. Dr. Lowery, did you have a comment or someone else? Dr. Lowery. Just wanted to expand on the Center for Internet Security and also what has already been said, just to expand on that somewhat, that security is not one-size-fits- all. 
There are best practices, though, which are broadly applicable. And the Center for Internet Security benchmark level one is intended to be that kind of best practice. They also have level two benchmarks, which are much more rigorous. And then you could also turn to individual companies and the products that they provide, and they can give you also their recommendations on how to best secure their products. So you look at the situation in which the technology is going to be deployed. You adopt best practices, which everyone has already agreed these are good ideas, and then you specifically tailor the security for your environment. Mr. Diffie. So let me speak to two aspects of what you have said. One is that the question you are asking about how well the government has done is really one in my mind that if in need of objective measurement, that is to say, I think, that it would behoove the government to just go through, make provision for assessing the security in operations of the computer systems its using. And then, asking about each individual sort of product and installation configuration, should we have been doing this. Should we continue to buy more things of this kind from the spender, whatever? A reactive--an energetic, a due diligence customer approach. The other point is it is the most critical thing in security in many ways, is a realistic vision of the threats. And we have before in Washington seen the impact of unrealistic visions in both directions, one of which is not to worry about it, and the other of which, particularly during the Cold War, is to let us security enthusiasts, and I have--though were many in the federal government, get in a position to try to push, in this case, civilian agencies to meet various kinds of military standards that merely cost a lot of money. 
And because there was a general--not an inevitable, but a general antagonism between security and flexibility, you must be very careful about how you impose practices and security standards on agencies so as not to interfere with their getting of their work done, which is the primary thing. Mr. Reitinger. Briefly, Congressman, to re-emphasize what Dr. Lowery said, there is no one-size-fits-all solution. Anyone taking a particular configuration of the system, for example, needs to take a look and see whether that meets their particular environment. But one additional point, one thing that can be done, and something that Congress did last year was pass a management framework for information security in the federal government as a part of FISMA. So that is not a one-size-fits-all, that is actually a management framework that addresses security in federal government systems. Mr. Adelson. You asked a specific question about whether best practice could secure, and I just wanted to point out best practices are important, but there are still a lot of research that needs to be done at the industry level to fully secure vulnerabilities that we have exposed over the course of the next few years in the infrastructure, and we can't just leave that. Federal government could help with funding of research, for example, to help us get us there. Mr. Sessions. I thank the panel. Thank you, Chairman. Mr. Thornberry. I thank the gentleman. And I might mention next week this subcommittee is having a hearing trying to focus on the research and development ahead and what those needs are and how those resources ought to be directed. And so, I think the gentleman makes a good point. The gentlelady from California, Ms. Sanchez? Ms. Sanchez. Thank you, Mr. Chairman. I have some specific questions for--and so, I will call out the names when I come to the question for you all. I just want to say thanks for having me, Mr. Chairman, and I know I have learned quite a bit. 
I am a member from California, and I represent Orange County, which has a pretty good information and high-tech community. So I have been working with some of my colleagues, like Anna Eshoo and Zoe Lofgren and others on some of these issues like encryption and everything over the years. But I mean, this is just such a large area for us to try to focus on. I really appreciate all of you being here today for it. Mr. Reitinger, even if an underlying operating system is considered secure, can programs running on that platform still cause problems like spreading viruses or attacking other systems? And if that is the case, would we need to security check every piece of software that we run? And if we do that, do you foresee proprietary problems if its necessary to check source codes of all programs, for example, for security holes, embedded viruses and other issues? Mr. Reitinger. Certainly, applications as well as operating systems can have vulnerabilities and can pose difficulties. I think what is essential is to use software that is developed by companies that use a robust quality assurance or software assurance process where they, in the course of development do-- use trained developers, track their source code, do code reviews, do external third-party reviews, do penetration testing and seek external certification, such as the common criteria, for their products. And I think that provides a fair amount of assurance that the products are as secure as they can be under the circumstances. Ms. Sanchez. Thank you. Mr. Diffie, you say that the latest encryption standard is as secure as you need to be. And I was just discussing with Ms. Lofgren where we were with encryption, because we have been working on this for awhile. I know it is a regulatory process now, and we seem to have an ability to move encryption standard, if you will. Can you explain what you meant by as secure as we need to be at this point? Mr. Diffie. 
I apologize--I don't think that was probably exactly the term I used. I think I said a secure as one could want. And what I meant precisely is that when the data encryption standard was fielded 25 years ago, it had to give, getting into technicalities, a 56-bit key, about a billion billion possible keys. And that number was chosen, at the time, to be a compromise between the desires of the intelligence community and the perceived security needs of civilian government. The advanced encryption standard offers three different key lengths: 128, 192 and 256. And as far as my community, the open cryptographic community can tell, and as far as we understand from NSA, what they believe, we do not know how to break into AES encryption at any of those key lengths faster than just looking through the keys. That is infeasible at all three of those lengths. And so to take the words of the preface to an old Soviet encryption standard, this algorithm places no limitation on the security of the data to be protected. So that is exactly what I meant, that the intent here and what we observe in the public community and what NSA tells us all accord in saying that this is as secure as any cryptographic algorithm we know of. Ms. Sanchez. Thank you. I hadn't quite heard it put that way so thank you for your information on that. Dr. Lowery, you talked about a partnership between the vendors and the customers. Vendors provide security-minded products, and customers make sure that they have proper security settings. I am concerned about the customer who might not know how to keep things secure or inadvertently creates problems within the system. Can you elaborate on the responsibilities that you think we would like to see customers take on with respect to security? And how do we, as a government, encourage that? Because, you know, we are as secure as our weakest link and it could be one of these users. Dr. Lowery. 
I think one of the most important things you can do is to educate end users, not about technical aspects of security, but simply about the role that they play as individuals, as gatekeepers, into a larger community of data sharing and information sharing. If we could get the end users to understand that as a participant in e-mail, for example, simply opening an attachment has ramifications that not only affects them, but could affect others. Just an awareness of their ability to impact others through how they use these technologies could go a long way to improving security for everyone who participates in these systems. Ms. Sanchez. Thank you. I see that my time is up. I have some other questions, but I will submit them for the record, Mr. Chairman. Thank you, gentlemen and-- Mr. Thornberry. The Chair thanks the gentlelady. The gentlelady from Texas, Ms. Jackson Lee. Ms. Jackson Lee. Thank you very much, Mr. Chairman. And thank you and the ranking member for holding this important hearing. To the panelists, thank you for your presentation and your indulgence on members who have several hearings going on at once. Let me take personal privilege and express my appreciation that Dell is still in Texas, in Austin, Texas. We are gratified for that. And to thank AOL Time Warner for being one of the first groups to host members of Congress out into the Virginia location. I think that is prior to the merger, but we thank you very much. This is an important issue. The bell is ringing, I believe, so let me quickly comment. Mr. Thornberry. If the gentlelady would yield briefly? The Chair's intention is to go until we have about 7 or 8 minutes left in this vote. My understanding is we have two votes. And then I would like to come back. Hopefully, we would be gone no more than 15 minutes, and then we could resume. And so that is my intention. Thank the gentlelady. Ms. Jackson Lee. 
In an article, and the date is a little fuzzy, so I will just refer to the article, talks about the administration abolishing the high-level Critical Infrastructure Protection Board and the fuzziness of the administration's position on cybersecurity. And I would be interesting in your assessment on what the sense of the industry is with respect to where government is on cybersecurity particularly in the loss of Richard Clarke, who was a very visible government person on these issues and the fact that this board now has been recomprised in DHS with a lot lower profile and staffing, if you are familiar with that particular board. But that was the board that had the face of the administration, and that is the Critical Infrastructure Protection Board that generated after the turn of the century and of course, after 9/11. My question is what can we do in government as relates to cybersecurity? And I ask these questions. Do we need more information sharing? Do we need more firewalling? And do we need a best practices? And in your opinion, what are the three things that the government may need to do immediately to improve cybersecurity? If you want to point it at the department or point it at this select committee because we are supposed to be the fixer-up-it in terms of trying to find solutions. I would appreciate your response to that, whoever wants to jump in. Or we could start--we will start in that direction, yes. Ms. Gau. Thank you. I appreciate you reference to the former Critical Infrastructure Protection Board and Richard Clarke, whom I worked with quite closely, with him and his staff on the national strategy that came out. One of the things I have noticed is that there has been little reference, other than my own, to the national strategy to secure cyberspace. And although there are critics of the document that say it is too watered down and that it does not really lay out responsibilities, it simply makes recommendations. It nonetheless serves as a blueprint. 
And there are detailed actions and recommendations outlined in that document that address all of the issues we have been discussing today. One of my recommendations would be to indeed look at that document, engage more actively in pursuing the actions and recommendations in the document, and to look towards perhaps elevating the level of attention that the national cybersecurity division has right now. My personal experience and AOL's experience has been that when that board existed and Richard Clarke was in place, we had a much more active relationship with the White House on cybersecurity than we do now. And whether or not the placement of the national cybersecurity division within DHS is the appropriate location is not something that I believe I am qualified to speak to. But we would like to see a similar level of attention and priority given to the issue of cybersecurity. Ms. Jackson Lee. One of the points you mentioned was firewalling versus information sharing. And let me just say that security is an almost unlimited excuse for keeping things secret. And very often in the short run that is the right thing to do. But I think it should be recognized that secrecy in regard to security matters should always be thought of as a vulnerability. Because no matter how hard you are trying to keep a secret, your opponents might discover it. And the ideal security systems are ones that operate in a very open environment, and do not depend on secrecy about themselves. So I want to say that although we in industry very often have a parochial interest in the government helping us keep secrets about how our products work, about what our vulnerabilities have been, that the long-run interest of government is probably in promoting and requiring greater openness. Ms. Jackson Lee. Can I get one person to answer the question, what the government needs to do right now in cybersecurity--just one person, and then? Mr. Adelson. I will say-- Ms. Jackson Lee. I appreciate it. Mr. 
Adelson. --promote the Department of Homeland Security as the epicenter of information sharing for industry and federal, state and local government--number one. Number two, preserve the federal information act protections and the Critical Infrastructure Information Act. Number three, consider funding for outreach to promote the sharing, research and development of security and testing. I just want to say that that is an introduction. Right? But that is the immediate thing that could see support for, those three things would be critical right now. Ms. Jackson Lee. Anyone else? Mr. Ianna. Just to echo that, there are some examples of ISACs that I believe are working well. I could speak for mine in telecommunications industry ISAC as well as the Network Reliability Council sponsored by the FCC. We see effective partnerships between the government and the private sector, particularly where the government is funding part of the infrastructure, which I believe is important, which the other ISACs may not be experiencing. That might be a good model to move to those other ISACs. Ms. Jackson Lee. You think it needs to be elevated in the Department of Homeland Security from where it is now? Mr. Ianna. I can't say that. I just say that there is an effective--it seems to be, from my perspective in this industry, an effective model in Homeland Security right now, in telecom ISAC. If the other ISACs are struggling--and I don't know if they are--with information sharing, maybe a funding, a government funding of some of those ISACs would be helpful. Ms. Jackson Lee. Does anyone believe it should be elevated from where it is in the Department of Homeland Security to a higher presence, this whole idea of cybersecurity? Mr. Diffie. I am willing to say yes, but I think that is something to give a considered answer would require a bit of study of what is actually being done, organization of the department. Ms. Jackson Lee. Did you have a response, sir? Mr. Reitinger. 
I would say that I think cybersecurity is a critical issue. I think one reaches a point where reorganizations become harmful rather than helpful. What we are interested now is seeing action and working with the department to make it as productive and effective as possible. Ms. Jackson Lee. Thank you. Mr. Thornberry. The Chair thanks the gentlelady. As I mentioned, we have two votes, and my intention is to be back in about 15 minutes to continue this hearing. Again, I thank all of our witnesses for their patience. And we will resume shortly. The subcommittee stands in recess. [Recess.] Mr. Thornberry. The subcommittee will resume its setting. Obviously, other members are going to be coming back after the vote. And again, I thank the witnesses for their patience. Let me ask about a couple of areas as members are coming back. One of the things that I am struck by in each of your testimony today is a somewhat different tone from some of the testimony we received before. In some of our previous meetings and hearings, there is a feeling that the advantage lies with the cyber attacker, that the advances in technology are really working to the advantage of the people who are trying to break into systems and find out things, and that our response is lagging further and further behind, and for a variety of reasons, which they have enumerated. And it is a somewhat pessimistic view of our country's ability to protect against particularly sophisticated sorts of attacks. I would be interested in that larger sense from what you all see in your business dealings every day, whether you share that view of and concern that attacks are growing exponentially both in number and in sophistication. And that it is going to be very difficult for us to stay ahead of the bad guys, if you will. Mr. Diffie? Mr. Diffie. Well, let me suggest to start with that we are ahead. Our economy, I know, is not as its best at this instant, but fundamentally, it is a great, thriving, robust institution. 
Our society, likewise. So a lot of the way you view this issue of how many attacks there are how sophisticated they are, how much damage they did you is really just a matter of setting thresholds, which are going to come out very emotional, because loosely speaking, any level of attack is irritating to us. And I would be very skeptical that on balance development and cyber attacks so far could actually be said to have slowed our society down very much. Moving to a slightly more technical level, I would say that we have unquestionably made major achievements in some areas of security, which, if adequately widely deployed, would put an end to many of these things. And so, this again comes down almost to a matter of definition. When you are trying to protect, you are trying to protect the whole curtain wall of your fortress. And somebody who punches any hole through it gets credit. So we will probably always be chafing at the number of cases in which we failed. But I think that if you look at the overall development, and not just of security techniques, but of computer software. You will find it is far more robust, far more reliable, far more resistant to attack today fundamentally than it used to be. The difficulty comes out of the degree to which this is a dual-use technology. And the technology is in the hands of a wide diversity of people, some of whom don't have our best interests at heart. What worries me maybe most in planning about this is that we think of it a lot as cyber crime and as a cyber nuisance. And that as so far, we have not seen any 9/11-like, let alone a nuclear bombing-like attack on the United States by cyber methods. I believe it is still a matter of speculation whether that could by itself be comparable in damage. When you look at our own military doctrine, we use cyber warfare conjoined with physical warfare. 
But the thing that worries me is that we are not making sufficient preparation for protecting ourself against cyber attack by what I think of as real enemies, enemies who have assets outside the United States, outside the control and to some degree outside the retribution of the United States, who can develop and cook their attacks long enough that they will be really dangerous when they happen. Mr. Reitinger. I would just reiterate, Mr. Chairman, that I am equally positive about what industry can and will accomplish. I think the priority has changed. One area that we do have to attack is the issue that has come up a number of times of information sharing. Sadly, hackers are still better at sharing information than perhaps we in government and industry are. They are great at describing vulnerabilities in systems and building wonderful GUI-based attack tools to use. We need to share information to that same level. But I remain very positive that government and industry working together and industry innovating will achieve new and better security solutions. And we are actually better off and we are getting better off over time. Dr. Lowery. Mr. Chairman, I would add to that that a pessimistic or defeatist attitude is not warranted. We have a very positive outlook on this as well. There are really no technical reasons that we should be less secure than we are perceived to be. Again, I point back to education as a prime component of this. That many of the problems that continue to arise, this lag that you may be perceiving is really a gap in education, which we could rectify if we put resources behind educating those who are using the technology so they use it in a more responsible manner. Mr. Thornberry. And Ms. Gau? Ms. Gau. With respect to AOL suffering a debilitating cyber-attack, I would be optimistic in saying that I don't believe it could happen. However, let me just say that AOL is attacked by hackers on a daily basis. 
We see all forms, all varieties and all numbers of hacker attacks. And they have increased and varied in techniques over the years. And as a result, not only have we had to invest money into the systems that we have in place to monitor the network, but also the staff that we have in place to be there. We have also had to make sure that we are eternally vigilant about these issues. And to the extent that we remain vigilant and that we use the security technology that is available today, I believe we are in a good position. However, there is still the human element. The human element being the weakest link. And there, again to reiterate education, it is not only on a public awareness level, but it is also making sure employees are trained, that they understand what are the steps that they need to take. Mr. Thornberry. And I want pursue the education issue in just a second. Just real briefly, are you finding it more difficult to stay ahead of the hackers? I mean, you said you are putting more resources into it, is it becoming increasingly difficult to stay a step or two ahead? Ms. Gau. I would not characterize it as being more difficult, no. Mr. Thornberry. Okay, that is helpful. Gentleman from New Jersey, Mr. Andrews? Mr. Andrews. Thank you. I would like to thank the witnesses for their outstanding work and testimony today. Thank the chairman and the ranking member for another in a series of truly edifying and challenging hearings. Thank you for your work. I want to go back to the question the chairman raised at the beginning of the questions here because I think it is the central focus that we have. He asked whether the panel thought that the market alone would bring us to a sufficient point of security or whether there was a point beyond that. And I think I heard the consensus was that although the market would take us a very long way indeed that there was an increment of security above and beyond what the market would do. 
The second point of consensus that I am hearing is that one of the ways, one of the most effective ways the government can help us stretch the market, stretch the market solutions is through the creative use of our purchasing power as a customer that demands these products. The third thing that I am hearing a point of consensus is that that purchasing power must be carefully calibrated and distinguished among various sectors. What the Agriculture Department would buy would be something very different than what the Defense Department would buy. That it needs to be continuously upgraded. A theme that I am hearing from the panel, and really from the members, is that if we have a static standard of what is sufficient that you are all going to leave us behind in the dust, at least I hope you will if that is the case. And the final point of consensus that I am hearing is that--I think I am hearing is that we need to do a surgical and thoughtful job of articulating what those standards ought to be. We shouldn't haphazardly define the standards. What I would like to ask the panel is if I have misstated any point of consensus here, please tell me. And I say that without pride of authorship, I am simply reporting what I think I hear, number one. And number two, if it was your job to design the standard-setting function within the Department of Homeland Security and within the U.S. government generally, what would that institution look like? What kind of institution would it be that would tell our purchasing people what it is they should demand when they buy a system that protects the Social Security Administration's record? Or when they buy a system that protects the troop deployment databases of the Marines Corps? Or whatever else. And we will start with our friend from AOL at the right side. I, just parenthetically, my last name begins with 'A' and in law school a lot of professors call on students in alphabetical order. It is a very harrowing experience. 
So when I taught law school, I start at the other end of the alphabet so I wanted the people at the other end to get their just deserts. So because you have had to wait so often today, we will start at your end. Ms. Gau. Picking the latter part of your question with respect to what would an institution look like that might set security standards for the government, I think that the model of everything we are talking about where it would be an institution that would work closely with the private sector together, as we all hope to do, with Department of Homeland Security. That there would have to be dialogue to establish what the baseline security standards would be. And such an institution, presumably, would have tentacles into procurement processes such that they could mandate the different standards, just as there are other standards such as those that I have referenced earlier today such as accessibility standards and products. Where it might best fit, I don't think I am really in a position to say either. But I think that such an attempt by the government to indeed mandate that as a customer and a consumer of these goods that government would move in the direction to push manufacturers and service providers to include the baseline security standards is a step in the right direction. Mr. Andrews. I want to be clear also, as I know you said, I am not talking about mandating standards on the private sector. I am talking about mandating our own internal standards for demanding product when we go into the private sector. Yes, sir. Mr. Ianna. I think the question has to be answered this way, what level of security do you want to be able to espouse? Do you have a metric to be able to easily convey to the public that we have raised the cyber-security level to this level? And we have to create that metric, just like we had to create the metric in network reliability. What are we talking about? 
We are talking about, you know, how many DPMs, defects per millions of failures you have and what constitutes a failure, et cetera. And then I think it has to be done on a--you can't eat this elephant all in one bite. You have to do it in small bites. And every sector needs to define, I believe, their critical systems that they need to have cyber-defense around. And once you have done that, do we have, for example, the critical systems cyber- protected to this gold level in the Department of Agriculture or how long will it take us to get there. Then I think--if I were in the government, I would be trying to convey to people that we have a methodical way of convincing people that we know what we are doing. We know what direction we are going in. And we know how we are on our journey to get there. And secondly, lastly actually, it is not static. The minute somebody says I am protected to the gold level, a new threat comes in and the gold standard has to be redefined. Mr. Andrews. Sir? Mr. Adelson. I believe that that is the key is the dynamic nature. And perhaps one way to achieve a dynamic standard, if you--that is kind of a contradiction in terms, but--is to actually involve in real time, industry. And by real time, I mean having individuals who represent industry be part of a panel wherever this group sits in government, where they can provide that data and how it has changed in real time. And I suggest that just because industry, because of the market forces, is going to be thinking about that with a great degree of diligence. And I would expect that their message should be heeded, even across different sectors, as it applies to, you know, buying power within government. Mr. Andrews. I hear you. Boy, that would raise significant issues about protection of intellectual property. I mean, we want to do that, but we want to do it in a way that doesn't punish the private sector concern for participating in that, right? Mr. Adelson. 
I think there are certainly protections that can be put in place so that communication can happen. I can tell you that it is relatively rare, although it does occur, where, you know, data about an incident is something that I might fear being propagated. However, data about the security technology itself is really mostly, in terms of consumer products, you know, certainly the case, public data. And there is a lot out there which would go a long way. And certainly within the standards set, I would hope that these would be technologies that everyone can purchase. So there isn't a lot there to hide.

Mr. Andrews. Thank you.

Dr. Lowery. Congressman, I think you have accurately summarized at least what we believe at Dell. And as far as how I would structure this entity that you have referenced, I don't know that I would be an expert in helping you to architect such an organization. But things that you should consider when you are developing the standards for the government, consider what I said earlier and that is that there is a baseline of security which is just prudent for everyone to adhere to. And then each particular application of technology must be scrutinized in the context in which it will be used and security for that purpose needs to be customized for it accordingly.

Mr. Andrews. Thank you. Sir?

Mr. Diffie. I think that what we have to keep in mind is the breadth of the activity you are talking about. Government has a major movement in the last, say 20 years, to move to commercial off-the-shelf technology to support all its activities wherever it can, to narrow back the, you know, technical nuclear, the technical comsat with things. It all stems from going away with the national arsenal system 80 years ago. Second, all of this is in some sense dual-use technology in terms of the role it plays in cyber-crime and cyber-warfare and cyber-security.
So you are building things out of standard components, components that people use for a very wide range of things in society. And finally, this is an international problem. We cannot afford, as we did during the Cold War, to think of our own security needs in isolation from those of our trading partners and indeed the rest of the world. So let me suggest that this organization, which is going to need to walk down the Potomac on its tiptoes, I am afraid, has to be a meeting ground with a prudent ability to manage information relations between quite a number of constituents. Its government customer--and I construe that broadly; the intelligence and law enforcement communities on which it will depend for a lot of the kinds of feedback information I have been talking about; the industry on which it will depend almost entirely for products and processes and support; and the international community, the international standards organizations and many different kinds of governmental and non-governmental and industrial organizations throughout the world. So the best I can say is I am very in favor of openness in the standard-setting function. And that that should be specialized so the cases where closed things are needed, that we should give careful thought to the way the information-restricted activities take place and be sure that that is subordinate to the general openness that will allow us to accommodate ourselves to everybody's needs.

Mr. Andrews. Follows your principle that secrecy creates vulnerability as I think you said at the beginning.

Mr. Diffie. Yes, actually, I think that actually this principle's a little broader than this. My view is this is infeasible without a lot of information-sharing that has been stifled in the past.

Mr. Andrews. Yes, sir, thank you.

Mr. Reitinger. I will be very brief, Congressman.
First off, on standards, one suggestion I would have is that as, again, I am repeating a lot of what Whit is saying, that we avoid having specific government standards to the extent possible. I think if you rely on industry-based market-driven standards, you will find the government keeps more up to date than if it sets government-specific standards which will maybe become hoary in a shorter period of time. The second thing is that I think it would be useful to turn and see what is happening at NIST under some of the processes started under the Federal Information Security Management Act. NIST--I would have to go back and reread the act, but I know NIST recently published FIPS 199, which has a categorization of information and information systems into risk categories. My understanding is that under that last act, they are going to go on and produce guidelines for how to protect that information. And that might be a very valuable process for this committee to look at and watch.

Mr. Andrews. Thank you very much. Thank you, Mr. Chairman.

Mr. Thornberry. Thank the gentleman for, again, asking excellent questions. The ranking member of the full committee, the gentleman from Texas.

Mr. Turner. Thank you, Mr. Chairman. First, I want to compliment you, Mr. Chairman and Ms. Lofgren, our ranking member, on your leadership in the area of cybersecurity. Those who have been a part of your hearings and your also compliment you on the leadership you are both providing in this important area. Dr. Lowery, I want to compliment Dell for your leadership in providing or offering your Center of Internet Security Level I benchmark to your customers. There is no question that your business model selling directly to customers provides an excellent opportunity to promote the purchase of a secure computer system. I guess your interest in providing security arose out of the Department of Defense requirements.
By then turning that into an offering to others with the stamp of approval of the Center for Internet Security, it seems to me that it should become something very quickly that most people would want to pay for.

Dr. Lowery. We agree with that assessment too, Congressman. We were directed to CIS by federal customers, who pointed to the CIS as a source of best practices that they agreed with. We evaluated the CIS and their benchmark settings, and we heard that a product offering where we could make those settings in the factory was feasible, that we could do as our customer requested. We did that, and we got it in such a way that others can benefit from our work and the work of CIS. We are very excited about the offering. We hope that it will contribute to improving the security landscape as it exists.

Mr. Turner. Well, I commend you for it. The issue before us and the same one raised by Congressman Andrews: How do we replicate this? As I understand it, there is a host of entities out there that say they certify or they recommend certain security measures. Every company, you know, is looking for somebody. Not everybody looks to the Center for Internet Security. Some look to other groups out there. If we want to accomplish what I think is the goal that most of us share--self regulation--we want to be sure the industry provides the leadership on security initiatives. As has been pointed out, if government is the role of creating standards they will be outdated the moment that they are drafted. It is clear we need a viable ongoing effort among industry partners to set some standards. How would you suggest, Dr. Lowery, or any of the witnesses, that we decide on a consensus organization made up of that we would look to as the good housekeeping seal of approval, if you will, for security. We should have something so we would know that if it had that stamp of approval on it, then that was the best you could buy.
As you all have said, if you don't want to buy such a certified approved product then that is your choice. At the very least we would have provided an industry-wide approved certification that is recognized by the buying public. Then we would encourage the buying public to make a choice. The reason I believe strongly that is the right way to go is I think security is on everybody's mind. I think this problem can be solved in this fashion voluntarily, if industry will work in cooperation with government we will have a standard-setting entity that everybody knows about and respects, and therefore, will follow. I know how it was in our house when we made our last computer purchase. We were thinking about security now. And I think most people are. I don't think any business in America wants to be caught short in not providing security to its business systems. The liability and the risk are too great. So how can we get there with a standard that people will follow?

Dr. Lowery. I think everything you said is true. And I also perceive that there are a lot of little organizations, for lack of larger ones. Each of them are trying to make sense out of the security problem and have delivered into the spaces they perceive where there is a gap, what they call their standard or a consensus that they have arrived at. I think all of them are valuable. None of them should be belittled because their stuff often comes from small sector doing something. But I do also see the need for convergence, a consensus process. Dell would also welcome seeing a more consolidated approach to achieving the standards. The fewer standards that there are, the easier it is for us to bring them to market. The only caution that I would give you in trying to approach a singular standard or a single organization, which does that, is that organization must understand that security is not one size fits all. We had to be very careful in its deliberations and in standards that it might recommend.
To keep that in mind, that we must be sure that security fits the situation, that it is going to be the deployable technology. As far as the way to actually achieve the convergence, I think we are seeing some of that already. I am not exactly sure what to recommend what we do to hasten the convergence.

Mr. Turner. Anyone else?

Mr. Diffie. Let me extend that not one but sole point as saying it is important to remember that security is always a secondary objective. You always want to do something and you want to do it securely. So having an underwriters lab like stamps that would go on everything happens to be particularly tricky in security, because security is more contextual probably more than the other safety technologies. And so although your car, of course, depends on how it is driven and how it is maintained, as well as how it was built, that kind of environmental characteristics are even more important in the security area. So I think that a labeling scheme, we already have several, is not going to be trivial to achieve.

Mr. Reitinger. Two brief points, Congressman. First off, as you suggested, there are lots of good standards or other organizations out there developing things and certifying things such as the common criteria. Second, I have got some very good news, which is although one size does not fit all--I agree very much with that--it is important to have as much consistency as possible among different people providing advice to consumers. And so Microsoft, for example, is working closely with the Center for Internet Security to converge our guidance on how to secure our products going forward. That kind of activity is taking place in industry. We are talking amongst ourselves and we are trying to solve the problem. And I think we are solving the problem.

Mr. Turner. Thank you. Thank you, Mr. Chairman.

Mr. Thornberry.
Let me delve--I thank the ranking member--let me ask briefly about the information sharing, because a number--we have talked about it a lot and it has come up in different contexts. Mr. Ianna, you talked, I know, specifically about the telecom ISAC and it being successful. What I hear from others is that their ISACs are not nearly as successful as you have become. And you mentioned government funding being one of the things that is not the case with the others. And then I am also struck, Mr. Adelson, one of the comments you made is that we share information real well on a technical level, but what that leads me to think, Okay, where do we not share information real well? That is going to be for the areas that are competitive, the things that are not so technical. And so the view has been expressed that there is a limit to how far information sharing is ever going to reach. That when you are dealing with competitors and industry grouping, they are only going to go so far. And they will talk about FOIA, and then they will talk about anti-trust and then they will do something else that they talk about. Whatever it is, it is going to be an obstacle to--and I am not criticizing that, but it is a natural thing. I guess I am interested in observations--Mr. Ianna, I will start with you--about this subject of information sharing. Are there legitimate barriers that the federal government needs to break down? Or is it more a question of a trusting sort of relationship that has to develop over time, at least for industry to share information with the federal government? So you see ISACs as--I will say salvageable--some people say they are not, need to start from scratch. And if so, how do we make them? And I realize there are too many things to get into. But I would appreciate each of your suggestions on this information sharing idea.

Mr. Ianna.
Well, first of all, I think one of the other keys on the telecom ISAC and other structures surrounding that--I mention ENRIC--is beware their time. They have been in existence for quite some time. ENRIC goes back almost 11 years. I don't know when. Probably more than that. So there has been time when they worked together. Believe me, the first few years when we started ENRIC at NRC, we had the exact same thing. I can imagine that Microsoft and MCI and AT&T and Sprint saying we are all going to share our failures. All right, it was not easy, okay, number one. Number two, it came down to a situation that we realized that by very nature we were all interconnected. And we were all just interconnected. And the failures that we would see in one network might show up in another network because we all used similar types of equipment. And I think some of those--some of those--you know, we all use equipment from a set of vendors that might experience a failure. So want to be able to know what happened. And then I think that the next thing that we experienced was nobody likes to advertise a failure. And there was a lot of debate about, Well, when I have a failure, it is AT&T and can I ask AT&T? And we had this debate. And we started out as they were masking it. And finally, after a while, we just said, Okay, here they are, here are the failures. And last year AT&T had 20-something FCC reports on this--had three. I know how many MCI had. I know how many Sprint had. But the good news of that, the good news of that is that we do have quarters, 40 quarters worth of statistically valid data on failures on wire line networks. Now the debate going on at the NRC is others saying, Look, wireless for data networks, et cetera, will be voluntary. We will map the data, et cetera. So I think there are ways of sharing the information. And I think what it all comes down to in the end is that we can improve the situation of the whole lot. There are competitive issues.
We worried about anti-trust. We worried about information sharing and competitive things. And we had lawyers praying over that for a while. And we got past that. And I think the end result has been that we have listed--now the FCC has sat in front of you, and you ask is the network reliable? Can it give you a number? Can you say it is getting better or worse? And they can break it down by quarter. And they can break it down by technology. So I think the answer is it does work. It takes time. It takes trust. And the other issue of information sharing that I know a lot of people--and I am worried about also is when we do share information, is the problem about sharing information from one competitive entity to another, which you don't want to have happen as a competitive concern, but then making that information then public. I think some of the protections that went into the Homeland Security Act around information protection are good and need to be enforced so that we don't have information getting pulled out under Freedom of Information Act, something that we have shared that we don't want to become public and also that doesn't become public.

Mr. Adelson. There are a few points that we made that I would like to comment on. First, regarding the telecom ISAC, I absolutely agree that the telcom ISAC has worked for telecommunication-specific issues. But just using 9/11 as an example, during that crisis, there were between 25 and 50 extremely large critical networks and service providers in the United States who did not get any contact and were not part of any telecom ISAC. That is one issue. Secondly, on recent research you could do on the Internet would point to over 13,000 independent entities that are relevant to Internet stability, even for the biggest carriers. To put an ISAC together for Internet infrastructure would require representation not only from network service providers anymore, but from content providers, enterprise and vendors. Why so diverse?
It is a function of the hierarchy used to be a carrier sold to a content provider who provided services for a user and so on. Now it is much more of a level playing field. And those players need to be represented at a security level in discussing these issues. So I don't know how to do that with an ISAC with the Internet. That is one issue. Secondly, you mentioned the technical communication that is going on. The real difference between the Internet and other industry areas where that communication happens is that the Internet is extremely interdependent. My ability to stay up is dependent on my peer--is the term used--and their ability to stay up. And so, because of that interdependency, there has been a tendency to communicate. Furthermore, because security issues on the Internet are technical in nature, we have been fortunate in that most of the communication that has been required at least for disaster recovery is handled by technical people. I mean, there are exceptions, the provisioning side, for example, who are somewhat separate from the technical. But there has been some industry success there. And I think as we expand beyond network to network communications and go into network and enterprise communications, this is where I see a central point of contact, a central group becoming really critical, 13,000, 50,000, however many entities require some critical information. I am not comfortable relying on the industry itself to provide that intercommunication well.

Ms. Gau. Actually, you took one of the points I wanted to touch upon relating to information sharing and is there a competitive barrier to doing so. I think, once again here, we see the marketplace forces in action. As we are networks connected to networks connected to each other, and we are in the interdependent, even though we have points of redundancy.
If AOL sees a hacker attack coming on, that we might be able to sustain, but we might know that somebody else might not be able to or in more, should we say, self-centered interests, we don't want anything bad to happen to anybody else because if they go down, we are going to get a ton of mail thrown back at us from their servers as an example of a denial of service attack back on us. So we are actually motivated not only to maintain the stability of the Internet and the ability of people, for example, to send e-mail to AOL, but also for us to be able to maintain our own service and not have to then deal with a situation where somebody else has gone down. Additionally, in that same regard, not only are we reaching out to individual providers and companies and partners that we have that we know are going to potentially be impacted by a particular attack or a particular vulnerability, we do share that information with government and we do so in an effort to ensure that that information is made available to the mom and pop ISP that may not be able to have access to that information because, as you have pointed out, they don't have the resources to have somebody sitting here at the table. That is where we would really strongly like to continue to work with the government, in particular, the Department of Homeland Security and the new cybersecurity division.

Mr. Thornberry. Mr. Ianna, let me ask you one brief question. You mentioned, which is not something I had thought of much before, the demands placed upon you from 50 different states for information, which is information sharing in a little different way. Do you think that there needs to be some--you mentioned a template which implies that the federal government would require certain information and the same sort of thing could be sent to the states. Do you think that there is a need for some sort of legislation that preempts states from asking for the same or additional information?
You know, we did that with ERISA on insurance where the federal standard is the thing that, you know, trumps everything else. If you are--if all of you could get demands from lots of different jurisdictions which would be impossible to keep up with, it seems to me.

Mr. Ianna. I don't--I can't speak to whether legislation at the federal level would be the best way to do it. I would say certainly, cooperation, or saying look, if we are going to have a standard, let us make the federal government the standard. And if I just need to parse out the data for this state, here is the data for that state. I don't know. I could go back and research, but after the FCC at the federal level in NRIC, or NRC, started asking for outage reports, several states followed with that. I don't know how many. I think it is probably more than a dozen or so about outages in their states and whether or not they followed the same rules, et cetera. But I think it would benefit the industry, only because of this--particularly in cyber defense, it is very hard to determine the geography of where the issue is and where it started. It might be impacting something in a particular state, but the cause might have been in a totally different state. So trying to define geographic boundaries in a cyber environment is not the same as trying to define physical boundaries against physical attacks. So from a cyber perspective, it certainly would be helpful to have a template or a focusing organization, like Department of Homeland Security, say let us do it this way. Let us do it once. And then we could give you your data, okay, that is, you know, for your state.

Mr. Thornberry. I suspect in all areas of information sharing that differences between industries are a key thing.
I mean, I can see a number of the things you all are talking about that require information sharing for the IT sector may not apply to electricity or agriculture, some of the other critical infrastructures which have been identified and may be the same case here. Depends on how much the states regulate, for example, electricity or telecommunications as to the leverage they have to put demands upon you for any information.

Mr. Ianna. Just one other point that was made by the gentleman to my right about the telcom ISAC and the IT-ISAC. One of the things that we found out is because, particularly on data communications and computer-based Internet communications et cetera, the telcom ISAC and the information technology computer ISAC are twisted together very tightly. For example, with the slammer virus, our security people were not only working with the telcom ISAC, but also obviously with the IT-ISAC. It was the computers on the network that were causing the problem with the virus and that was impacting the networks. So they are very tightly twisted together. And you can't just look at one, they are very tightly twisted together.

Mr. Thornberry. Good point. Does the gentlelady from California have additional questions?

Ms. Lofgren. Just one. And I am mindful that you have been here a long time, and we certainly do appreciate it. I think really the information you have provided us, each of you today, has been enormously helpful. And we may want to follow up with you as we proceed with additional questions and ideas. But listening today, obviously, this is a complicated area. But it may be further complicated by constraints that are being--that we may face as we go down the road. I heard the comment relative to the lawyers praying over the anti-trust implications. That was a cute way to put it. Recently, we expanded the exemptions for anti-trust risk for entities that are setting open technical standards. And I think it is important that the openness be part of it.
And I am wondering--this will be two questions--whether we have sufficiently addressed anti-trust concerns in the development of open standard setting in this arena? And then secondarily, I can't remember who, mentioned the issue of the need to be able to deploy solutions in ways that are not burdened by intellectual property protection and whether anyone has advice for us in that area as well, those two implications of IP as well as anti-trust. Do we need to change the law in any way?

Mr. Diffie. Well, I am not sure. I think there are ramifications from the question I don't understand. But the intellectual property issue has come in here in two different ways. One is a fairly ordinary issue of things that are particularly--are patentable and therefore royalties are owing to the patent holders in turn for using that technology. The other is in this argument in the computer industry between open source and closed source coding practices. And that is one of the ones that I think presents a thorny problem because in security there is, as I said earlier, a very explicit respect in which closeness is a vulnerability. At the same time, proprietary techniques, trade secrets are an essential basis of our business practices in this country. So we need to find a business model that permits the users of products with security requirements and security implications to be able to verify that the products have the security characteristics they need. And to do this, to see if we can do this and still allow ourselves the benefits of allowing some manufacturers with proprietary techniques. I don't have a clearer statement of it than that. But I believe it actually is one of the research frontiers in this area and it is a business frontier.

Ms. Lofgren.
One of the--I mentioned to Chris Henkin a comment that--I won't mention the fellow's name, and I don't think there is a chance in the world that the federal government will do this, that it was recommended by the--someone in law enforcement that we establish a kind of a software clearinghouse and that the federal government would clear, you know, all the software. I think that is a very bad idea. But the issue is how do we achieve assurance? Obviously, not with a government agency. But how do we do this, for lack of a better word, the audit function for the security? Whether it is software or networks or hardware, how is that best achieved? How do we set up a structure so that occurs?

Mr. Reitinger. Congresswoman, I think my answer to that would be the one I gave when you asked a similar question earlier, which is making sure that the vendor that is providing the software has a robust software assurance and quality assurance process that the government can review and make a judgment upon. I think vendors are moving in that direction. A lot of them are there already. And I think it is important and valued for customers to know about that process.

Mr. Diffie. So I would say in this respect we should look at the successes and failures of an existing model, which is that for decades the National Security has been the executive agent for information security for the Defense Department and some other areas of the U.S. government. And they have done, in many ways, a good job. On the other hand, the mechanisms they have, whose strength is in the, unfortunately, their unification of intelligence and security and their ability to trade off between the two and make use of their intelligence function in monitoring the security of their products. They show no sign of being able to cope with the problem that we face, for the following reason. The Defense Department is a very large organization, but it is very unified.
Everyone in the Defense Department knows the chain of command, starting with the President down through the secretary of defense. And the important point about the Internet as a place is that so many people stand there by rights. You don't get to vet your personnel in the whole world. So we have an extraordinary diversity. And I think your suggestion is one of the major critical points. You can ask what the track record and what the development methodologies of your suppliers are. It is also true that there is an ever developing methodology in two directions. One is vetting individual applications, knowing that you are going to be able to minimize the damage they can do you. This, just incidentally, is one of the targets to which Java is devoted. The other is in building operating systems that have sufficient capacity to confine applications so that the applications can't do damage to other things. And this is one: The declining cost of hardware has allowed us to devote more and more hardware to that explicit objective. Sun's largest servers now have what is called hardware domaining, which is a very robust way of containing processes. So I think that the proposal that the federal government should vet all the software is on the face of it is infeasible whether or not?

Ms. Lofgren. Well, it is a non-starter anyhow.

Mr. Diffie. Whether it is desirable or not, it is perfectly infeasible. But that both the original 1970s, 1980s DOD objective of building an operating system that could maintain what the Soviets called praksa; prison laboratories, where they didn't have to trust the staff because they weren't going to let them go anywhere. Or at standpoint in Java we call sandbox or at the other end improving software development methodology, which will have a profound impact not only in security but through all of our economy. I think both of these things will play a role.

Mr. Ianna.
I think there are--as a service provider who uses a lot of these different types of hardware and software technology, either in the provision of service directly or the support systems that help us provision and maintain these services, we have a practice where we try to test the software in our laboratory and attempt--and I do use the word ``attempt''--to simulate many of the conditions that we may find in the network before the software and the hardware is introduced into the network. It is called an integrated test network. Some vendors find that process very, very cumbersome. It does add time to our development process and our deployment of technology. But the alternative is to have software out there which may have an interaction with some other software out there which creates something that is very bad for your customers on your network. I would like to be able to say that we find every bug in every software issue that we have and we know of every interaction that is bad that can happen out there, that is not the case. But we do have--and we have shared practices in the telcom ISAC and, the NRIC, on ways of testing those things.

By the way, it was interesting, at least what I was thinking about this issue, one of the interesting things here is we had a time in our recent history where we had to do this very quickly, because we didn't have all the time in the world, and that was for Y2K. We had a date certain that we had to do something. And we picked a way of doing it because we couldn't make all the permutations, so we shared a lot of information. And if I knew this software interacting with this switch with this operating system was okay by some other vendor's test, I accepted that and I shared my tests with somebody else too. Otherwise, you would have, you know, even if you took one second for every test in the 3 years, you wouldn't have been able to test all the permutations. And that worked extremely well.
The difficulty we have in this situation is we don't have a date certain when something is going to happen. And we don't know--the thing that might happen is not defined and will change. And creating that sense of urgency around that I think is important for us at the government level and at the industry level to do, that we must be cyber secure and we must take this very seriously. We do only because we have had failures where software was the cause.

Ms. Gau. Fortunately, at this point, we have not suffered a large-scale cyber attack by a foreign government or foreign agents, so to speak. But AOL, as I mentioned, experiences hacker attacks on a daily basis. And over the years, we have found that that kind of pounding of our systems has helped us identify security problems that we are then able to fix. Because as it turns out, the hacker in question was just a teenager working, you know, on the computer, or not working, but playing on the computer in the home, and wasn't really seeking to do anything but to gain bragging rights for having accomplished something. And obviously, not everyone can do that to every product that they are going to put out into the market. There is only so much beta testing you can do. But one of the things that we have done with vendors of ours, particularly, for example, companies that participate in the shopping area on AOL, what we consider certified merchants, is we require them to undergo a security audit with one of two firms that we identify to them. Now, on a large-scale basis, that is not realistic, because there are costs involved. And so only the big players can really come to the table if they want to be in the shopping area on AOL, because they are going to have to pay for this security audit.
But there is no question that stress-testing of systems and perhaps further R&D, as well as further incubation periods for products, might lead in a direction where we have fewer products in the marketplace that have security holes discovered in them once they hit consumers.

Ms. Lofgren. Mr. Chairman, we should let them have lunch.

Mr. Thornberry. I think the gentlelady's point is well taken. Let me thank each of you again for your time and your contribution. Let me also invite each of you to continue to discuss these issues with the members and the staff of this subcommittee. As we move ahead, we are going to continue to need your input and your suggestions. For example, next week we are having a hearing on research and development. What areas do you think the federal government should concentrate its research and development in the area of cybersecurity? If you have thoughts on that, we would like to hear it. Again, thank you for being here. And this hearing stands adjourned.

[Whereupon, at 1:16 p.m., the subcommittee was adjourned.]

APPENDIX

Material Submitted for the Record

Responses to Questions for the Record from DELL, Dr. James Craig Lowery

1. There has been widespread concern among computer industry insiders that DHS is not taking information security vulnerabilities seriously enough. There is still no Undersecretary for Information Analysis and Infrastructure Protection, and even when one is in place, there is concern that information security will be relegated to second-class status. Industry has expressed the interest in expanding partnerships with government agencies to improve security, but DHS does not appear to be moving quickly to embrace this idea.

a. What do you see as the government's role in increasing security and standards setting? Could it be fostered through partnerships (such as those done through the National Institute of Standards and Technology) and purchasing criteria? Would government mandated standards, such as the Common Criteria, be a helpful baseline or a hindrance to future innovation?

Response: Dell is interested in sharing its insights and views on cybersecurity with the Department of Homeland Security. Overall, the government's role in increasing security and standards setting is as a customer and through its participation in organizations such as the Center for Internet Security in an open, voluntary and consensus-based process that includes input from all stakeholders. Security is a moving target, and the products and services addressing security needs necessarily evolve as the landscape changes. Government mandated standards would likely result in a one-size-fits-all approach that fails to address the security problem and would also be an obstacle to innovation in our industry. Additionally, there is some concern that the process associated with the setting of government standards would be so slow and cumbersome that technology and knowledge would always be ahead of government standards.

b. From what you can tell, is there sufficient information-sharing taking place between researchers who discover most vulnerabilities, companies who created the products and DHS? If CERT were formally connected to DHS, would that help FedCIRC with information dissemination and the remediation of security problems and breaches?

Response: We support the information-sharing that is taking place with organizations such as the CERT Coordination Center, the SANS Institute, the Center for Internet Security, and the Free Standards Group. These organizations are working to develop security solutions based on consensus and standards with the input from government agencies, businesses, universities, and individual security experts and to disseminate information. In order for these organizations to remain effective, it is important for Federal departments such as the Department of Homeland Security to participate in these organizations.

c.
How can the government help companies be more responsive to known security issues? Would a law providing safe-harbor, with a sunset, help encourage companies to quickly fix security issues after they are discovered?

Response: The Federal Government should provide information on its cybersecurity needs to its vendors as well as provide its input and views to organizations that are engaged in an open, voluntary and consensus-based process for the development of security standards.

Responses to Questions for the Record from EQUINIX, Mr. Jay Adelson

1. There has been widespread concern among computer industry insiders that DHS is not taking information security vulnerabilities seriously enough. There is still no UnderSecretary for Information Analysis and Infrastructure Protection, and even when one is in place, there is concern that information security will be relegated to second-class status. Industry has expressed the interest in expanding partnerships with government agencies to improve security, but DHS does not appear to be moving quickly to embrace this idea.

a. What do you see as the government's role in increasing security and standards setting? Could it be fostered through partnerships (such as those done through the National Institute of Standards and Technology) and purchasing criteria? Would government mandated standards, such as the Common Criteria, be a helpful baseline or a hindrance to future innovation?

Response: The government has an opportunity to assume a leadership position in the coordination of efforts to create common security standards. While, like many voluntary standards, they do not require regulatory enforcement, such standards can be useful as competitive differentiators and therefore industry-driven. Partnerships would be required to fulfill this need, as currently the federal government does not have the background and relationships required on an international level to begin this dialogue.
It would be of tremendous benefit to the industry if this could change, and via the UnderSecretary for Information Analysis and Infrastructure Protection, such expertise could be established within the DHS over time. The government has had a role in developing cyber and physical security best practices through the FCC's Network Reliability and Interoperability Council (NRIC), which can provide a model and a starting point. However, in our opinion, NRIC is not an effective place to create these best practices going forward, as it only represents regulated entities, a small subset of Internet infrastructure. Migrating the homeland security best practices work from NRIC to DHS will allow the scope of that work to be expanded to include previously untapped communities and a better representation of Internet infrastructure in general. Purchasing criteria to meet certain standards, as well as process and technology criteria, would be inclusive in these standards. While it would be appropriate for the federal government to act as an early adopter of these Common Criteria, the purchasing power of government does not alone constitute a significant enough motivator to catalyze adoption of these standards.

b. From what you can tell, is there sufficient information-sharing taking place between researchers who discover most vulnerabilities, companies who created the products and DHS? If CERT were formally connected to DHS, would that help FedCIRC with information dissemination and the remediation of security problems and breaches?

Response: Our visibility into the information-sharing between DHS and other entities is limited. Certainly, at an operational level, we have seen no indication that DHS has had any significant communication with elements of the industry that represent the Internet infrastructure, outside of the major router manufacturers and the top five telecommunication carriers.
While five years ago this may have been sufficient, the Internet infrastructure has evolved into tens of thousands of individual influential entities that all require significant communication from DHS in the event of a crisis or in crisis preparation. CERT need not be formally connected to DHS for CERT's information to be better propagated. The communications path between DHS and industry can potentially be better funded and maintained than the communication path between CERT and industry, and this neutral organized approach could incorporate other information outside of CERT in the decision-making process of who to tell what information. In sharp contrast to DHS' current communication practice with industry, informal industry-based communication practice is strong between similar service providers, such as ISPs and telecom carriers, outside of any ISACs. Unfortunately, enterprises and large content providers have been excluded from this self-developed communication due to their relative infancy in the Internet infrastructure, and therefore this provides an excellent opportunity for DHS to develop these practices, particularly amongst the largest population of Internet infrastructure businesses represented by enterprise and content.

c. How can the government help companies be more responsive to known security issues? Would a law providing safe-harbor, with a sunset, help encourage companies to quickly fix security issues after they are discovered?

Response: Current communication plans from government to industry are event-driven. A major restructuring of this concept for the Internet industry would be necessary, shifting the approach to scheduled communication in addition to event-driven communication. The nature of business revenue priority would typically defocus enterprises from maintaining up-to-date information; however, government-approved standards that require regular participation by enterprise would ensure proper communication practice.
Laws providing safe-harbor would appropriately address privacy concerns. In essence, laws that protect service providers from brand damage after an event, such as exemptions from the Freedom of Information Act, would be necessary to ensure two-way communication.

Responses to Questions for the Record from AT&T, Mr. Frank Ianna

1. There has been widespread concern among computer industry insiders that DHS is not taking information security vulnerabilities seriously enough. There is still no Undersecretary for Information Analysis and Infrastructure Protection, and even when one is in place, there is concern that information security will be relegated to second-class status. Industry has expressed the interest in expanding partnerships with government agencies to improve security, but DHS does not appear to be moving quickly to embrace this idea.

a. What do you see as the government's role in increasing security and standards setting? Could it be fostered through partnerships (such as those done through the National Institute of Standards and Technology) and purchasing criteria? Would government mandated standards, such as the Common Criteria, be a helpful baseline or a hindrance to future innovation?

Response: Government should first ensure that its procurement activities across Federal, State, and Local settings are properly coordinated through a common set of security standards. This is a logical first step for our nation--and frankly, unless such coordination can occur between these separate government entities, it will be unlikely to occur in a more diverse commercial setting. Selection of which standard to use is not the critical issue; security best practices are well understood and agreed upon by current security professionals. The more important issue is that the selected standard be uniformly applied--and government procurement is the obvious place to start.

b.
From what you can tell, is there sufficient information-sharing taking place between researchers who discover most vulnerabilities, companies who created the products and DHS? If CERT were formally connected to DHS, would that help FedCIRC with information dissemination and the remediation of security problems and breaches?

Response: Information sharing about vulnerabilities has certainly gotten much better and companies like AT&T are taking advantage of that information to better protect against and respond to vulnerabilities as they are identified. For example, information shared quickly during the recent Slammer and Blaster events helped AT&T take the necessary assessment and remediation actions that much more efficiently and effectively. Regarding CERT specifically, what is most important is that CERT be among the resources available to DHS as part of the overall public-private partnership for information-sharing purposes. It seems unnecessary for CERT to be ``formally connected'' to DHS in order for it to continue to be a valuable tool for DHS and the private sector alike. The much more urgent issue is the prevention and removal of vulnerabilities from commonly used products such as commercial operating systems and applications.

c. How can the government help companies be more responsive to known security issues? Would a law providing safe-harbor, with a sunset, help encourage companies to quickly fix security issues after they are discovered?

Response: Government should foster a competitive commercial environment in which marketplace forces reward products and services that are free of security vulnerabilities. One area in which this can occur relates to government procurement (see above); another relates to a renewed assessment of the proper assignment of liabilities should such vulnerabilities result in business losses for users.
That said, it is also important to ensure that companies that act responsibly by identifying vulnerabilities through timely and prudent evaluation, by notifying their customers and by otherwise handling identified flaws in a responsible manner are protected from liability and thus not discouraged from acting responsibly.

2. Several experts have cited the threat of cyber attacks by well-organized and technically savvy terrorist groups--specifically Al Qaeda. An article in the Washington Post last year laid out chilling scenarios in which terrorists might carry out cyber attacks that could do the same amount of damage to our critical infrastructure as tons of explosives. Another fear is the coordination of a cyber and physical attack, so that our response capabilities would be compromised or even shut down just when we need them most.

a. Do you agree that these threats are real? If so, how much of a priority should they be? Are there other variations of the cyber threat that should be getting more attention than they have?

Response: It is difficult for an individual private-sector entity such as AT&T to assess the degree of actual cyber-threats, especially those outside of the telecommunications industry, and Congress should look to government intelligence agencies, and not the private sector, to gauge the likelihood and severity of cyber-threats. Nonetheless, the increase of attempted intrusions and disruptions that we have identified over time does suggest that there are real threats, and addressing these threats continues to be a high priority for AT&T, and should be for companies within each critical industry sector. Like the FCC/NRIC model, each industry sector should work together to identify the critical systems that could be exploited to cause disruptions, and develop and observe voluntary best practices to improve each company's intrusion detection, deterrence and disaster recovery capabilities.
This assessment must be done separately for each sector, and specifically for each mission-critical system at the ``micro'' and not ``macro'' level to be sure that characteristics unique to each system are identified and evaluated. Furthermore, each sector should develop measures around these best practices so that each industry's progress can be measured over time. In addition, it is important for companies that own and operate critical infrastructures, such as AT&T, to have ongoing communications with government intelligence entities to stay informed as new threats are identified.

b. Are we, and specifically is DHS, doing enough now to address the possibility of large-scale cyber attacks? If not, what more needs to be done--is it a question of changing priorities? Hiring additional personnel? Placing a higher-ranking official in charge of the cybersecurity issue?

Response: The Department of Homeland Security was only created in March of this year, making it nearly impossible for a private-sector corporation such as AT&T to fairly assess its effectiveness in addressing cyber-security. Certainly more can be done, and naming a senior official responsible for cybersecurity will help.

c. What is being done to research or combat the possibility of viruses, worms or other cyber threats morphing, so that they are impossible to protect against?

Response: The global cyber community is currently investing countless hours and resources in the establishment of incident response teams that identify and respond to viruses, worms, and other cyber attacks. While this is appropriate given our current global cyber security posture, such security investment could be redirected toward alternate innovations that could help enable new services and hence drive the economy. As such, the primary research issue should involve the prevention and removal of security vulnerabilities from occurring in the first place.
This must start with the vendors of software products that are used almost ubiquitously across the globe on servers, workstations, and other devices. Virtually every major security incident experienced in recent months relies on the presence of such software vulnerabilities.

d. From what you can tell, is there sufficient information-sharing taking place between the intelligence community (and specifically the DHS Intelligence Analysis Directorate), which analyzes threats, and the science and technology arena (and specifically the Science and Technology Directorate), where new solutions and tools can be developed to counteract the most likely or most worrisome threats?

Response: The private sector is not in a position to assess the quality of information sharing between these two nascent directorates within DHS.

e. Do you feel the Information Sharing and Analysis Center (ISAC) established under Presidential Order is the right structure for information sharing between sectors and the federal government? What would you recommend as an optimal model for ISAC-like activities? How is DHS working with your industry ISAC?

Response: We agree with the ISAC concept but would suggest that there is no single model that would meet the needs of every critical infrastructure. Infrastructure operators in some sectors, such as telecommunications, have a compelling need to communicate frequently through multiple points of interface. This is because the components, or segments, of the telecommunications infrastructure are interconnected and the functioning of each segment has significant implications for other operators. These communications channels are frequently exercised because incident management in the telecommunications industry is a daily necessity, due to the widely dispersed assets, which are exposed to a multitude of threats. Other infrastructures, such as electric power, probably have a similar requirement.
However, an infrastructure such as water likely does not have the same need for many operators to communicate with one another on a regular basis. For infrastructures such as telecommunications, we believe the National Coordinating Center (NCC), operated by the National Communications System (NCS), which is a component of DHS, is the best model. It was established in 1984 and has functioned as an ``ISAC'' for over twenty years. The federal government operates the center while the private sector provides representatives for ``resident'' and ``non-resident'' memberships. The NCC is the focal point for coordination of disaster response for telecommunications under the Federal Response Plan (FRP). Government funding and participation in this ISAC makes a compelling business case for participation by the private sector.

f. How has the insurance industry reacted to the development of cyber attacks and cyber terrorism as a risk factor for your industry? Are losses caused as a result of such incidents generally covered under existing policies, or have new products been created to specifically address this risk factor? Do you have any sense of the impacts on insurance costs?

Response: The insurance industry has begun to develop new insurance products, albeit this market is in the formative stages. Losses caused by cyber-related terrorist acts are generally not covered under existing policies. Though some new insurance products have become available, few insurance companies are willing to take on such risk, and even where available, coverage is limited and costly. There has been no impact to our insurance costs because this risk is excluded from our policies. If we chose to purchase insurance that protected against loss from this risk, our insurance costs would increase.

3. Providing patches to vulnerabilities is time and resource intensive. How does your company address the problem of legacy equipment and software with respect to cybersecurity?
Are older and discontinued products supported with respect to fixing newly discovered security flaws? If so, how is the end user notified? Is there a role for the federal government in this process?

Response: This is a significant and costly issue from a cybersecurity perspective. In many cases, security patches are not provided to address flaws in legacy systems and software, and we are left with no choice but to replace potentially vulnerable but otherwise operational capabilities. For example, commercial operating systems are often periodically ``retired'', at which point vendors will no longer provide remediation, patches or support. Entities running those operating systems have no option but to replace them or risk the possibility that vulnerabilities could be exploited.

4. Up to this point, cybersecurity has depended on voluntary consensus across industry. The Federal Communications Commission (FCC) has a process via the National Reliability and Interoperability Council (NRIC) that seems to have worked for the telecommunications sector, but much of this was based on the FCC regulatory role for that industry.

a. Could DHS fill this void for establishing best practices, common criteria, and standards for Information Technology products and services, particularly for the Internet? If so, how might that be structured?

Response: With regard to telecommunications, the Network Reliability and Interoperability Council, established in the early 1990's, has developed best practices for the wireline communications industry for reliability, physical and cyber security, etc., and the NRIC has expanded its work in the last few years on best practices to address IP-based, wireless and cable services. The Council has also established processes for standards and for templates (criteria) for interconnection and interoperability. Therefore, we do not see a void with regard to telecommunications.
DHS should be encouraged to interact with the FCC/NRIC with regard to telecommunications best practices. This model could be used by other sectors as well, but each sector should be responsible for working with the appropriate government agencies (e.g., perhaps DOE and FERC for the electric power industry, Treasury and the Federal Reserve for the financial services industry), in conjunction with DHS, to develop and implement best practices tailored to each specific sector.

b. Are there aspects of standards for which a mandatory approach might be more appropriate, as is the case, for example, in health care or telecommunications?

Response: The standards process is a necessary part of the service industry. In telecommunications, standards are essential because suppliers and competitors are all interconnected using ubiquitous standards agreed to by the industry. Service industry participants work the standards process in various standards committees such as ATIS and IETF for the telecommunications industry. The benefit of the standards process to the industry is the ability to gain consensus by all participants. This ensures that all ``voices'' are heard from and one group does not dominate the process. ANSI provides for accreditation to ensure that standards committees do follow this procedure (if they are certified). However, a mandatory approach to security standards would be extremely difficult, and participation may be in jeopardy since industry participants will have concerns and the open exchange of information will not be as forthcoming. Rather than attempting to mandate security standards, a better approach is to use an NRIC-like approach (described further in 2(a) and 4(a) above) and allow peer performance pressure to be the stimulus for improvement in the market throughout each sector.

c. Some major auditing firms want to help companies assess their security vulnerabilities and develop plans to address them.
How is the business case being formed to justify the additional costs?

Response: Business Continuity is an essential process for each enterprise. Each enterprise does some degree of Business Continuity and risk assessment/remediation. This risk assessment must examine closely the ``expected value'' of each security investment, because even though the probability of loss is low, the impact could potentially be quite high. This analysis is key in order to establish accurate priorities in where to invest limited security resources. The use of external auditing firms helps the enterprise with their business continuity process. Use of auditing can be for: validation of internal risk assessment, identification of gaps, new opportunities or thought processes, certification of center operations, etc. The business case for auditors would be part of the business continuity business case.

5. Emergency preparedness and disaster recovery are common themes for the physical infrastructure, but there does not appear to be adequate attention to these areas for cyberspace.

a. From the perspective of your industry, how should the Department of Homeland Security prioritize its cybersecurity activities, from threat detection through disaster recovery?

Response: Priority one should involve remediating vulnerabilities in software that powers our critical infrastructure. Investments in software engineering process improvements, research into better tools for ensuring correctness of software, and increased attention to correctness in government procurement activities should be paramount in the DHS plans. In addition, DHS alone cannot achieve the charter of the department. It will take partnership with the industry to develop the priorities and programs to meet the demands of the ``new'' cyber world we all live in now. Any major initiative that could have a significant impact on private sector infrastructures should include, from the outset, industry participation, guidance and expertise.
For example, much has been said about the possibility that the government might establish a center for cyberspace security. However, before undertaking such an important project, government and industry need to work together to explore whether we should have a national center for cyberspace security or not, and if so, who would participate, and how it would operate.

b. What should be the threshold for federal involvement in the event of a cyber attack? When should it be left entirely to the private sector to respond?

Response: While the majority of critical infrastructure is owned and operated commercially, a non-trivial percentage (15% by most estimates) is controlled by government. Accordingly, government must ensure that it is properly responding to cyber attacks for these resources. Leading by example may be the most powerful means for improving the overall security posture of the nation. In addition, thresholds for determining when the federal government should get involved should be established on a sector-specific basis. In telecommunications, thresholds have been defined through the NS/EP process and the work of the NCC/NCS. Each event is different and it is difficult to define what the threshold should be to capture a process that would be applicable to all events. In the cyber world, each event has unique characteristics and it is difficult to define what is the critical nature of the event. The NCC/NCS has a long history in knowing when to pull the service providers together for a common restoration. Many of the principles applied over the years to the telecommunications structure can be transferred to the cyber arena. The NS/EP process should be adopted for these purposes. These principles can and should be applied to other sectors, and adjusted for each sector to reflect the needs and particular characteristics of that sector. In fact, the threshold could be different in each industry sector.

c.
What role could the federal government play in reconstituting Internet service if a major debilitating attack were to occur?

Response: To the degree that government-controlled infrastructure is included in the overall Internet community (e.g., NIPRnet, DISN, FTS-2001, etc.), government should obviously take the lead in coordinating proper reconstitution of such resources with its vendors, suppliers, and partners. More importantly, government should try to take the lead in preventing such attacks from occurring through the software vulnerability reduction measures outlined above. In addition, the government should look to the NCC/NCS, established in 1984 with the break up of the Bell System, to coordinate communications restoration when appropriate. Over the years the NCC has expanded its membership from traditional circuit switched providers to internet-related providers and vendors. In fact, during the September 11th event, the NCC, with its links to the White House, worked with industry to restore Wall Street first as part of the recovery. Continued use of the NCC/NCS in the ``trusted'' environment is the best way for the recovery process to work when required.

d. In the event of a major cyber attack, what are your concerns with respect to disaster recovery for your company and more broadly? Do you think that existing continuity and recovery planning are sufficient? If not, what more needs to be done?

Response: AT&T has the premier physical Disaster Recovery capability in the industry, which addresses the physical replacement of destroyed assets. AT&T has invested over $300M in infrastructure and processes that can be deployed to recover from such a disaster scenario. In addition, AT&T has detailed business continuity and recovery plans for all of our key data centers and systems. These processes are exercised regularly and overseen by resiliency experts at AT&T Labs to ensure that plans are tested and refreshed as warranted.
We also monitor the health of our networks constantly and can identify and address abnormalities very quickly. Even in these tight economic times, AT&T has continued to invest, including expanding our disaster recovery capabilities to our key facilities outside the United States. It is important for all entities, but especially operators of critical infrastructures, to perform periodic and rigorous assessments of their mission-critical functions to minimize the impact that disruptions might otherwise cause. With regard to recovery from a major cyber attack, disaster response could take many forms. There are basic principles to guide the recovery: first, the detection and analysis of traffic data anomalies and other indicia in real time; and second, remediation actions, which could range from applying software patches and upgrades, to quarantining and inoculating infected LANs, to shutting off routers to prevent further damage and rebooting machines using ``clean'' saved software.

e. Is there a need for a coordinated international response as part of the efforts to protect national information infrastructures? What form might this response take?

Response: Obviously, global coordination is required. Multinational corporations do this across their business unit structure, often in a seamless manner. In addition, the international environment is critical to controlling the health of the Internet. From a disaster recovery viewpoint, AT&T is investing in recovery for service nodes in Europe. Our Business Continuity and Risk Assessment processes are currently being refreshed in light of changed conditions. Establishing a working group across national boundaries could have benefit, just as the NRIC Council has provided benefits in the communications industry. Cyber attacks can come from anywhere; therefore, international cooperation at both the government and industry levels is a necessary component.
However, currently, it is very difficult for the private sector to engage in effective information-sharing and security coordination efforts in a global context because there are so many different approaches to information protection and disclosure world-wide at this time. There is a critical role for the U.S. government to play in structuring this partnership to ensure that U.S. corporations and citizens are protected by U.S. laws. Active private sector participation requires significant harmonization to ensure that adequate legal protections, such as protection of sensitive information, are continually maintained.

Response to Questions for the Record from AOL, Ms. Tatiana Gau

1. There has been widespread concern among computer industry insiders that DHS is not taking information security vulnerabilities seriously enough. There is still no UnderSecretary for Information Analysis and Infrastructure Protection, and even when one is in place, there is concern that information security will be relegated to second-class status. Industry has expressed the interest in expanding partnerships with government agencies to improve security, but DHS does not appear to be moving quickly to embrace this idea.

a. What do you see as the government's role in increasing security and standards setting? Could it be fostered through partnerships (such as those done through the National Institute for Standards and Technology) and purchasing criteria? Would government mandated standards, such as the Common Criteria, be a helpful baseline or a hindrance to future innovation?

Response: We believe that government's role is to lead by example on cybersecurity; to encourage information sharing and the development of industry best practices; to support R&D; and to enter into partnerships with industry to improve cybersecurity in areas where it is lacking.
Because cybersecurity is such a rapidly evolving area, we do not believe that government mandated standards are a particularly effective approach, as such standards could quickly become obsolete. However, we do think that government procurement standards may be helpful in encouraging best practices throughout the private sector.

b. From what you can tell, is there sufficient information-sharing taking place between researchers who discover most vulnerabilities, companies who created the products, and DHS? If CERT were formally connected to DHS, would that help FedCIRC with information dissemination and the remediation of security problems and breaches?

Response: To our knowledge, while there is a good deal of information-sharing taking place among researchers and IT companies, there is not yet significant information-sharing between DHS and the ISP sector. We applaud the recent decision by DHS to create a government CERT that will coordinate with the private sector. We believe such a collaborative approach will create an environment that is conducive to information-sharing and cooperation.

c. How can the government help companies be more responsive to known security issues? Would a law providing safe-harbor, with a sunset, help encourage companies to quickly fix security issues after they are discovered?

Response: AOL and other industry leaders already spend very significant sums of money on cybersecurity. However, government can foster greater responsiveness to known security issues through information-sharing, and by educating the public about security issues, as AOL does through its service. Government can play a particularly important role by providing easy-to-access security warnings for small business and home users.

Responses to Questions for the Record from MICROSOFT, Mr. Phil Reitinger

1. There has been widespread concern among computer industry insiders that DHS is not taking information security vulnerabilities seriously enough.
There is still no UnderSecretary for Information Analysis and Infrastructure Protection, and even when one is in place, there is concern that information security will be relegated to second-class status. Industry has expressed the interest in expanding partnerships with government agencies to improve security, but DHS does not appear to be moving quickly to embrace this idea.

a. What do you see as the government's role in increasing security and standards setting? Could it be fostered through partnerships (such as those done through the National Institute for Standards and Technology) and purchasing criteria? Would government mandated standards, such as the Common Criteria, be a helpful baseline or a hindrance to future innovation?

Response: The government has a vital and tailored role to play in cyber security. First and foremost, the United States Government is the owner and operator of some of the largest and most sensitive computer networks in the world--its actions regarding its own cyber security can serve to demonstrate both the importance of the problem and best-in-breed solutions. Accordingly, the U.S. Government must act as a model, buying technology engineered for security, and implementing state-of-the-art security practices.

Second, the U.S. Government must attack the ``knowledge gap'' regarding cyber security--even today we do not know the quantitative risks posed by a lack of cyber security, and in which areas public and private actions fall short of addressing these risks. Business leaders are very good at risk management, but some of the risks posed by cyber crime and cyber attack are best known to the Government and need to be shared, to the greatest extent possible, with the private sector. This will enhance the business case for cyber security to the benefit of all. In particular, we all need to know more about interdependency between sectors and how that may affect our economy and our nation.
Moreover, even with the increasing business focus on cyber security and enhanced private sector action, in some areas there may be a national or homeland security need for computer and network security above what the market will provide. Therefore, the government, with knowledge of the risk in hand and recognizing the dynamic nature of the problem, needs to conduct an analysis of where private action may fall short and then determine the best way to address this shortfall through tailored action.

Third, the U.S. Government needs to otherwise catalyze and enhance private action. There is and has been considerable activity in the cyber security realm, which can lead to two contrary but related mistakes. The first is to think that all this activity is progress, and that the cyber security problem is close to being solved. The second is to view this activity as mere churn without progress. In fact, considerable progress has been made, with the private sector increasingly focusing on and devoting resources to cyber security, and the public sector taking actions such as creating the Department of Homeland Security and adopting an improved information security governance structure through the enactment of the Federal Information Security Management Act. The federal government is uniquely able to continue and enhance this progress. It can help reduce the ``churn'' by examining the activity that is taking place and identifying and supporting the private and public initiatives that offer the best opportunity to solve problems. It can help to develop and support metrics by which the private sector can judge its status and capabilities. As identified in my testimony, the federal government should provide more support for cyber security R&D (among the topics could be improved development tools, security for Internet-scale computing, human-computer interaction and security, priority routing, basic protocol research, and wireless security).
And with respect to information sharing, besides sharing its own information (see above), the federal government can catalyze information sharing by the private sector by working with it to develop interfaces and protocols for sharing information among the various players and for the subsequent protection and use of that information--this would help to ease the burden of sharing information and increase the trust that shared information would be handled appropriately.

Fourth, the U.S. Government must fulfill its particular responsibilities as a national government, including for national and homeland security. These include continuing to enhance the capability of law enforcement to catch and punish cyber criminals, because without an effective deterrent the amount of cyber crime will continue to grow. The Government can also raise public awareness about computer security, and build international relationships and agreements that enhance computer security worldwide.

The government role in standards setting is also vital if properly tailored--in our view, the market should drive the emergence of open standards. If market competition is permitted to determine which standards succeed, users are most likely to get the best mix of security and value, while the process itself will ensure that more secure standards constantly replace those that are less secure. That said, the government can and should set the requirements for its IT purchases, relying to the greatest extent possible on the standards developed through market-driven means. This gives the government the benefit of widely interoperable and more up-to-date technology and processes. Moreover, as your question also suggests, where appropriate the government's acquisition policies should include purchasing software whose security has been evaluated and certified under the internationally-recognized (and U.S. supported) Common Criteria for Information Technology Security.
Policies requiring the acquisition of software that has received appropriate Common Criteria certifications should be developed and applied consistently and evenhandedly, and we applaud DoD's recent efforts to make clear that its security policies apply to software that has been developed under all business, development, and licensing models. Such efforts to procure only security-engineered technology, and specifically such clear support for the Common Criteria, will help strengthen the government infrastructure and motivate markets.

The government should, however, avoid mandating standards for use by the private sector. Legislated standards are likely to become quickly outmoded--indeed, they may be outmoded at enactment. Standards are already ``following'' rather than ``leading,'' that is, standards tend to enshrine best current practice rather than encapsulate expected innovation. Adopting a particular standard in legislation or regulation may enshrine outdated and antiquated technology and practice on our most critical infrastructures. Mandatory standards can also restrict innovation, by reducing the benefit from developing new technology or practices that are non-compliant, and also skew innovation, by favoring one technology or practice over another. Finally, mandating standards can actually drive security to a floor. Here, as elsewhere, the government must tailor its activity to meet specific needs, and act in the least intrusive manner possible, to avoid damaging the market's continuing innovation.

b. From what you can tell, is there sufficient information-sharing taking place between researchers who discover most vulnerabilities, companies who created the products, and DHS? If CERT were formally connected to DHS, would that help FedCIRC with information dissemination and the remediation of security problems and breaches?

Response: Information sharing regarding vulnerabilities is certainly taking place, and of course I would like to see it improve.
Responsible disclosure of vulnerabilities minimizes risk to users, the Internet, and the critical infrastructures that depend upon it by giving vendors an opportunity to develop a fix for a vulnerability before giving attackers the knowledge necessary to launch attacks. Microsoft applauds and thanks those researchers who follow responsible disclosure policies. Therefore, Microsoft is working with other industry leaders to propose and institutionalize industry best practices for handling security vulnerabilities in ways that more effectively protect Internet users. We are a founding member of the Organization for Internet Safety (OIS), an alliance of leading technology vendors, security researchers, and consultants that is dedicated to the principle that security researchers and vendors should follow common processes and best practices to efficiently resolve security issues and to ensure that Internet users are protected. See www.oisafety.org. Last month, OIS published a set of best practices for reporting and responding to security vulnerabilities. These guidelines, which were built with input from across the security community, provide specific, prescriptive guidance that establishes a framework in which researchers and vendors can work together to improve the speed and quality of investigations into security vulnerabilities, then jointly provide guidance to help users protect themselves and their infrastructures. We view these best practices as an important step in elevating standards for accountability on all fronts and among all audiences in managing security vulnerabilities.

With regard to the formal connection of CERT to DHS, I would need further information on how such a proposal would work before commenting in detail.

c. How can the government help companies be more responsive to known security issues? Would a law providing safe-harbor, with a sunset, help encourage companies to quickly fix security issues after they are discovered?

Response: The U.S. Government can help companies be more responsive to known security issues by taking the actions described above--being a leader and securing its own systems, addressing the knowledge gap, catalyzing and enhancing private sector activity, and fulfilling its governmental responsibilities. In particular, addressing the knowledge gap will help business both to make rational decisions about cyber security and risk management and to implement the best defense. As for your question about Safe Harbor, I would need more information about the proposal to comment.