
Cyber Security: Private-Sector Efforts Addressing Cyber Threats.

Subcommittee on Commerce, Trade, and Consumer Protection
November 15, 2001
1:00 PM
2322 Rayburn House Office Building

Cyber Security Panel

Mr. C. Warren Axelrod
Director, Global Information Security
Pershing
One Pershing Plaza
Jersey City, NJ, 07399

I wish to thank you, Chairman Stearns, and the members of your Subcommittee on Commerce, Trade and Consumer Protection, for the opportunity to address you today on the very timely questions of what the private sector is doing to protect itself against cyber attacks, what it should be doing, and how government might help the private sector in accomplishing its goals.

Mr. Chairman, you and your subcommittee members show both foresight and insight in focusing your attention on protecting our critical infrastructure from cyber attacks against the computer systems and networks upon which the economy of the United States of America increasingly depends. You are to be commended for tackling this important category of risk to commerce at a time when the Nation is distracted by the tragic events of September 11th, an unresolved bioterrorism attack, and a war in Afghanistan.

Just one week after the September 11th terrorist attacks, our computer systems and networks were hit with one of the most devious and sophisticated cyber infections to date - the Nimda worm. Nimda is an example of a new generation of malicious software, or malware, that spreads in many ways and is difficult to eliminate from infected machines.  

Perhaps the Nation's initial focus on the aftermath of the physical attacks, followed a short time later with a frightening anthrax scare, made Nimda appear less of a threat than it actually was. The impact of Nimda was also considerably mitigated by organizations having patched their systems as a result of the Code Red worm, thereby providing greater protection. However, many security professionals see this evolution in cyber-attack capability as a very disturbing and ominous trend. The timing of the Nimda attack is also noteworthy, since it was launched at a time when a number of major financial organizations were operating in less-than-ideal disaster recovery modes. This suggests the recognition by cyber attackers that their activities can be even more effective against targets that are already weakened.

MY PERSPECTIVE

I am a director, responsible for Global Information Security, of the Pershing Division of Donaldson, Lufkin and Jenrette Securities Corporation, a Credit Suisse First Boston company.

Today, I intend to share with you my thoughts and suggestions on cyber security as someone who is an information security professional and a practitioner with more than a quarter of a century's experience as an information technology manager in the financial services industry.

It is a great honor for me to represent the securities industry and I hope that my testimony will lead to measures that will help in some ways to protect our Homeland from the costly effects of cyber attacks. I wish to thank the SIA (Securities Industry Association) for their support in preparing for this hearing. 

As one of the founders of the FS/ISAC (Financial Services Information Sharing and Analysis Center) and a current member of its Board of Managers, I am firmly committed to the important role of information sharing in assisting the financial services industry in protecting itself from malicious cyber attacks. 

In the late 1990s, I co-chaired two SIA committees on Year 2000 contingency planning and event management, which provided extensive guidance for the financial services industry. I recently recounted those efforts to the industry to help deal with today's heightened fears, which are not much different from those preceding Year 2000. 

Over the millennium weekend, I served in the Cyber-Assurance National Information Center, representing the banking and finance sector. The Cyber NIC was located adjacent to, and continuously in contact with, the Information Coordination Center, a center established by the Federal government to coordinate across state and local governments as well as with industry sectors. I was with a group of private sector volunteers who were monitoring the condition of cyberspace during a time of great concern over potential cyber attacks. That apprehension was not unfounded.

THE NATURE OF CYBER THREATS 

It is well known that, with their relatively recent and rapid adoption of the commercial Internet, government and business organizations have become increasingly dependent on a component of the critical infrastructure over which they have little or no control. Largely due to this lack of control, we have seen a proliferation of a whole variety of damaging creations and activities, such as viruses, worms, denial-of-service attacks and network and system breaches. With such accelerating use of the Internet, the impact on commerce of unintentional network and system breakdowns and deliberate acts of destruction and compromise is greater each day. 

Another way in which cyber malfeasance differs from physical acts of terrorism is that location, cost, and fear of arrest and punishment do not seem to hinder or deter cyber terrorists. While thousands of new viruses and worms are created each month, relatively few make it from "the zoo" into "the wild" and cause significant damage. While there are millions of scans of the Internet run each day by those seeking out weaknesses, only a very small percentage result in actual system compromises. However, since the number of attempted attacks and the population of potential victims are both so enormous, even a very small rate of success has produced estimated damage in the billions of dollars per year over the past several years.

Some forms of malware, such as viruses, are released onto the Internet by their creators and spread from system to system through the unknowing complicity of others, not unlike their physical counterparts. Modern viruses and worms frequently incorporate "social engineering" to get their unwitting accomplices to take actions, such as opening an e-mail attachment, that will propagate their payloads. The "I LOVE YOU" virus was a crowning example. 

Terrorist groups or hostile countries would not generally use viruses and worms to compromise an enemy's computer systems and clog its networks, since such attacks are not directed and could just as easily impact friends as enemies. Rather they would target specific Web sites or computer systems. 

We have seen that virus developers and activators (who are not necessarily the same individuals) tend to be out to undermine society in general or make a name for themselves among their peers. However, the damage from viruses to commerce and government can be very large, and measures are needed to reduce their impact, if not eliminate them entirely. 

Cyber attacks that are more directed can take several forms. Most commonly, the attacker will search for exposures in the software products and equipment that typically make up organizations' defenses and seek access into such systems by exploiting their vulnerabilities. When access has been gained, the attacker will try to gain control of the system as a so-called privileged user. Once in control, the attacker may destroy, alter or steal data (including nonpublic, personal consumer information), programs and other information assets, such as credit card numbers, or may change various features of the system, such as by defacing public Web pages. Alternatively, attackers may leave some program code in place to facilitate their own future access and potentially perpetrate a distributed denial-of-service attack on a particular Web site.[1] The targets of such attacks are determined in advance, and the attackers have to take specific actions (versus their passive role in the spreading of computer viruses) to carry out such an attack. 

It is because cyber attacks can be hugely disruptive and costly that we are compelled to take protective measures. 

MEASURES THAT HAVE BEEN TAKEN 

In this section, I will discuss what measures have been taken generally, and, where appropriate, by the banking and finance sector in particular, according to the categories of deterrence, avoidance, prevention, recovery and restoration. 

Deterrence 

From an economic perspective, it does not really matter what the source or type of attack may be. After all, the damage can be much the same from a virus, worm, denial of service, or information destruction or theft, whether the perpetrator is a recreational hacker, terrorist, or hostile government or government-sponsored group. Indeed, internal staffs have initiated some of these same compromises, whether intentionally or not. 

However, from a deterrence point of view, there is a big difference. If the source is domestic, then there is a greater possibility of arrest and due process, whereas if the attacker is in a foreign country, particularly one hostile to the U.S., the chances of capture are much diminished, even when the perpetrator is identified. Law enforcement has tracked down quite a number of violators, but in general the risk of apprehension has been low and the punishment moderate. I think that we can safely say that deterrence generally has minimal effect and that the attacker population continues to increase rapidly, as can be seen from the continuing upward trend in the number of incidents and the increasing effectiveness of their weapons (i.e., viruses, worms, and other malicious programs). 

Avoidance 

The ease of use, global reach and low cost of the Internet have been major motivators for government and business, as well as for individuals, to move commercial activities to the Internet. With this growth, however, comes the increasing risk of cyber attacks. Even if it were desirable, which it generally is not, restricting the use of the Internet is difficult to accomplish, although many have stated that electronic commerce (e-commerce) has been significantly held back due to the lack of security, and hence privacy, for commercial transactions. 

In such situations implementing security measures is seen as enabling commerce in situations where consumers' information would not be protected adequately without the measures. Thus, it is possible to have a Web site certified by a third party. However, many customers are not aware of these certifications nor is there overwhelming evidence that customers choose one site over another because of certification. 

Many organizations use specialized software products to block employees' access to certain Web sites that they deem inappropriate. This tends to reduce the risk of accessing less well-protected Web sites that might be harboring a worm, such as Nimda. Similarly, organizations strip off specific attachments on incoming e-mail, such as those with file names with "exe" extensions, which are more likely to harbor viruses and worms. 

There are signs that private Internets may be considered an answer to cyber security in some situations, as with the recent call for a private GovNet by Richard Clarke, recently-appointed chairman of the President's Critical Infrastructure Protection Board. 

Avoidance served to reduce risk considerably during the Y2K date transition period. Over that weekend, in particular, many companies shut down their Internet connections, and took their computer systems off line. There were also fewer aircraft in the air and many, who would normally be out celebrating such an occasion, were at work monitoring their organizations' computer systems and networks. While difficult to quantify, such tactics may well have resulted in far fewer incidents than might have been expected.

Prevention

Since, at this time, deterrence is not sufficiently effective, and the pressure has been to expand services over the Internet rather than restrict them, we are left with preventative measures as our best hope for reducing potential damage from cyber attacks. The principle behind prevention is to identify and block cyber attacks as they happen using technologies such as routers, firewalls and intrusion detection software. E-mail is scanned for pre-specified words and phrases and those items that appear suspicious are quarantined. Commercial software is "patched" with the latest "fixes" to eliminate known vulnerabilities, which might otherwise be exploited directly by a hacker or through a virus or worm or similar piece of self-generating malicious software.

If the world of cyber threats were static, then the above measures would eventually eliminate risks due to those threats. However, that is not the case. As mentioned above, there is a constant torrent of new dangers, and the government and business worlds must struggle to keep up with them. The greatest counter-force in this battle is, in my opinion, information sharing. Knowledge of new threats, newly-discovered weaknesses, and actual incidents that have happened to others in their industries and elsewhere, gives organizations the opportunity to prepare for impending attacks or prevent exploitation by closing off known vulnerabilities. This is where the FS/ISAC comes in.

The FS/ISAC 

The FS/ISAC was a product of Presidential Decision Directive Number 63 (PDD 63) on Critical Infrastructure Protection, dated May 1998. PDD 63, which incorporated President Clinton's critical infrastructure strategy, required government agencies to partner with the sectors that make up the critical infrastructure. The PDD additionally suggested that various industry sectors form Information Sharing and Analysis Centers, or ISACs, which would collect and analyze threat, vulnerability, and incident data. The U.S. Department of the Treasury is the designated partner of the banking and finance sector. Treasury has been, and remains, extremely supportive of the FS/ISAC. Treasury Secretary Robert Rubin was very encouraging during the initial stages of the critical infrastructure effort for the banking and finance sector and Treasury Secretary Lawrence Summers officially launched the FS/ISAC on October 1, 1999. 

With almost 50 full-time members and another 50 firms in a trial program, the FS/ISAC's member companies account for the processing and protection of perhaps 80 percent of the financial assets handled by U.S. financial institutions. The FS/ISAC provides warnings of threats and vulnerabilities, up-to-the-minute notification of incidents as they unfold, and helpful advice as to how to avoid or prevent threats from turning into disasters. It does so according to a unique model, which I will now describe.

The FS/ISAC derives its information from many sources, including government agencies. Members are expected to report security information or experiences to which they are privy. This information can be submitted anonymously or can be attributed, at the member's discretion. While, for anonymous submissions, the FS/ISAC does not know the originator of the information, authentication technologies ensure that the submitter is actually with a member company.

The FS/ISAC analyzes incoming information with respect to validity, importance, timeliness, and severity. If the submission passes muster, it is then "scrubbed" to remove all indications of the source (unless it is expressly permitted to reveal the source), and notifications, with warnings as to their urgency, are disseminated to members via e-mail, pager, telephone or fax. Unfortunately, over the past two months, members have received distressingly many alerts marked crisis or urgent.

Redundancy, Recovery and Repair

Despite best efforts, it is not always possible to prevent cyber threats from succeeding, so that a number of incidents of varying severity do occur.

In most cases, security compromises or breaches can be quickly resolved through the use of alternative on-site networks and systems, while the compromised systems are being repaired. For this to be possible, suitable redundant facilities need to be planned and installed in advance.

If a cyber attack renders a site unusable, an organization must turn to its business continuity and/or disaster recovery plans as well as its crisis management capabilities in order to operate in recovery mode at a different location. It should be noted that a location can be rendered unusable if, for example, a cyber attack were to take down other parts of the critical infrastructure, such as the electrical power grid or telecommunications network.

In financial services, many companies had developed contingency plans for Y2K. It was reported that a number of firms located in and around the World Trade Center invoked their Y2K plans in response to the events of September 11th and that the devastating impact of the catastrophe on firms was considerably less because they were better prepared. Since then, the banking and finance sector has ramped up several initiatives, including a crisis management committee initiated by BITS (Banking Industry Technology Secretariat) and the Business Continuity Committee established by the SIA. As mentioned previously, the SIA had played an important leadership role in Y2K contingency planning and established a command center in New York, with which I was able to communicate from Washington over the Y2K weekend.

The financial services industry, in particular, has developed extensive contingency plans, due to the criticality of their operations to the economy and from having to meet strong legislative and regulatory requirements.

WHAT STILL NEEDS TO BE DONE

While I believe that the banking and finance sector has reason to be proud of the initiatives that it has already put in place, there remains a considerable amount still to be done before we can feel comfortable with our state of preparedness.

Information Sharing

The FS/ISAC model for the sharing of cyber security information has been adopted by a number of other critical sectors at home and by several countries internationally. In addition, the FS/ISAC has had discussions with these and other ISACs regarding the sharing of cyber security information, while still maintaining anonymity of the source when desired. The goal is to have a global network of "friendly" ISACs to leverage the advantages of a broader reach and a larger population of incidents from which to derive patterns of activities that might lead to an attack. 

The FS/ISAC receives information from many government agencies, including intelligence and law enforcement, and disseminates it among its members. Unfortunately, it is not yet feasible to return the favor and provide government with information that the FS/ISAC has obtained from its membership, since there are antitrust and freedom-of-information issues that need to be resolved.

I feel strongly that the broadcasting over the Internet of information about vulnerabilities by those who think that they are benefiting mankind by forcing software vendors to strengthen their products is misguided and damaging to the information infrastructure. For example, the Code Red virus appeared just a couple of weeks after a security expert had posted a notice on the Internet about a specific vulnerability in a particular piece of Web server software for all to see. His rationale was that the particular software vendor had not responded to his exhortations to fix the problem. Code Red resulted in possibly billions of dollars in lost business. How much better would it have been if the network of ISACs had been informed and had distributed the information on a need-to-know basis to its members? In fact, members of the FS/ISAC had received prior notice of an update to the software in question that, if applied to their systems, avoids the effects of this particular virus.

Outreach, Education and Training

There is a clear need for reaching out to the general public, educating them about cyber security and making them aware of reasonable precautions that they might take to limit the impact of a cyber attack. This should be done without arousing undue concern or revealing information that would not be in the national interest.

There is a severe shortage of qualified information security professionals to handle the broad spectrum of knowledge and capabilities required in order to protect our government agencies and private businesses from the increasing threats to the computers and networks that make up the critical infrastructure. We need programs to educate and train the requisite numbers of individuals in the basics of information security and to provide on-the-job training for practitioners in related areas. Some private companies are already doing this, but security certifications of various types need to be encouraged so that more of those on the Internet have taken necessary actions to secure their system and network environments.

A National Strategy 

It is key to educate the general public and those in leadership positions about the issues surrounding cyber security and its importance in sustaining the critical infrastructure. Several National Plans for ensuring the protection of the U.S. critical infrastructure systems have been written. One for government agencies was published in January 2000. Sector plans have been developed but not disseminated as yet. I worked on the draft of the Banking and Finance Sector National Plan for Information System Protection. These planning documents, or ones very like them, should be shared with industry leaders and the public and should become the basis for a National Strategy for Homeland Security, as it relates to cyberspace.

At the moment the destiny of the National Plan documents is not clear. Prior to the establishment of the Office of Homeland Security, the Critical Infrastructure Assurance Office (CIAO) was coordinating the collection and aggregation of the plans from the various critical sectors. 

Research and Development 

One way to keep up with, and even get ahead of, cyber attackers is to develop tools with the ability to rapidly identify and block attacks, to determine vulnerabilities in deployed systems and networks, and to discern suspicious activities before they develop into full-blown attacks. An active, well-supported research and development program for cyber security should be initiated. The topics being researched need to have a strong practical bent and meet the needs of the private sector. 

Separate Networks 

The building of separate, restricted and highly secured networks, using the technology of the Internet but not being as accessible to everyone, is something to consider in the light of the risks in using a public, uncontrolled network environment. GovNet might be the first, but others should follow as the concept proves itself.

Simulation Modeling

As the complexities of modern economies become even greater, it is not possible for an individual, or group of individuals, to understand all the complicated interactions and dependencies of the various components on one another. This can only reasonably be achieved through the use of simulation models to express the interdependencies and provide the capability to examine what might happen if certain parts of the infrastructure were to fail or be brought down by a cyber attack. 

Contingency Planning, Incident Response and Crisis Management 

As mentioned above, the initial steps have been taken in the banking and finance sector to reconstitute the information coordination centers of the Y2K era, with their attendant contact lists, chains of command, and information gathering, analysis and reporting systems. Once communication, coordination, command and control capabilities have been established, it is important that they are maintained at some level on a round-the-clock basis into the foreseeable future and can be ramped up rapidly to full-scale operations when an incident occurs. 

RECOMMENDATIONS FOR CONGRESSIONAL ACTION 

There are many ways in which Congress can help promote programs and processes to improve our defenses against cyber attacks and our ability to handle them. 

Information Sharing 

The willingness of industry members to share information, particularly about incidents, with other members of an ISAC would be much greater were there not the fear of infringing antitrust laws. The ability of private industry to share security information with government agencies depends very much on obtaining an exemption, for this type of information, from the Freedom of Information Act, since that would eliminate the concern that damaging information would become available to the public, including competitors and potential attackers.

Both of these items were central to the "Critical Infrastructure Information Security Act of 2001" proposed by Senators Bennett and Kyl, but which has not yet been included in the legislative agenda. The proposals in the Act are key if we are to encourage a much broader sharing of important security-related information. This would lead to broader availability of much more valuable information and strengthen our ability to protect ourselves from cyber attacks.

I would like to suggest to Congress that it revisit this issue and, if possible, accelerate legislation such as the Bennett-Kyl Bill. Similar legislation worked for Year 2000, and it can work against cyber terrorism as well.

Deterrence 

We need the ability to pursue cyber attackers and prosecute them fully, if we are to discourage others from attacking our networks and computers. I would propose that Congress consider legislation that will further empower law enforcement agencies to track down perpetrators of cyber crime. In addition, we need reciprocal arrangements with friendly foreign countries so that they will support and participate in these endeavors.

On a global level, it may be reasonable to expect a commitment of funds for law enforcement to counter cyber terrorism among the more prosperous and advanced countries of the industrial world. However, this may not be true of so-called Third World countries, especially those from which attacks emanate. Cyber terrorism coming from hostile countries requires special consideration and response. 

Avoidance 

I believe that the government should support, and subsidize where appropriate, the establishment of separate secured private Internets, such as the proposed GovNet network. I suggest that Congress encourage the development of these networks by providing appropriate support and, if necessary, authorizing funds to seed these initiatives.

Outreach, Education and Awareness

I would propose that Congress consider supporting programs to educate our population about the importance of maintaining the security of the networks and computers that constitute much of our critical infrastructure. Also, I suggest that the government should consider special programs, such as subsidizing college-level studies, to develop information security professionals. 

Research and Development 

While I am very much in favor of promoting research and development programs to come up with ideas and capabilities to improve our cyber security, I am concerned that such research might not result in a sufficient number of practical solutions. I suggest, therefore, that R&D programs be conducted with some industry representation so that the results meet the needs of real-world entities. 

This is an area for which the best use of funds is not obvious. Therefore I suggest to Congress that a study be conducted, in conjunction with the private sector, to ascertain the best way to generate new ideas in cyber protection. 

Simulation Modeling

The development of simulation models that appropriately represent the critical sectors, their mutual interactions, and the impact of component failures is a daunting task. I am aware that Los Alamos National Laboratories and Sandia National Laboratories have done work in this area. I would recommend that Congress support and encourage these efforts but that, before major commitments are made, the requirements of the models be determined by a working group that includes subject-matter experts from various critical sectors. Industry and government representatives should participate in the design process to ensure that the models are realistic and useful.

Contingency Planning and Event Management

I would suggest to Congress that it should consider approving funding of a permanent Information Coordination Center (ICC) along the lines of the one which was established for the Year 2000 period, and which was subsequently dismantled. A mix of individuals representing both government and the private sector should staff the ICC. Under normal conditions, the ICC would have a minimal level of staffing, but have the capacity to rapidly grow to full capability if an emergency is declared. 

I believe that there should be a dedicated permanent section of the ICC that focuses on cyber security, rather than the ancillary arrangement that existed during Year 2000. The cyber security group requires extensive and immediate access to top experts in the field as well as an advanced capability to continuously monitor activity on the Internet. 

National Strategy 

Finally, I would suggest to Congress that it should support the development of a National Strategy for protecting the Nation's critical infrastructure and that participants from the various sectors be included in the development of the plans in conjunction with representatives from assigned government agencies.

CONCLUSION

I recognize that I am proposing an extensive and costly series of programs to protect the Nation's critical infrastructure from increasingly dangerous and damaging cyber attacks, especially during a time of diminishing budgets. The cyber threats are very real, as we have seen in recent years, and we must protect ourselves against them. It will surely be a long and bitter battle, but we must engage in it if we are to prevail, which we must. Unfortunately, the impact of a very successful cyber attack can far exceed that of many of the physical attacks, which we have seen in recent weeks and about which we speculate. 

Mr. Chairman, I want to thank you again for the opportunity to present my thoughts and experiences to you and your Subcommittee. This concludes my prepared statement. I am happy to answer any questions that you and other members of the Subcommittee wish to ask. 



[1] In a distributed denial-of-service attack, the attacker will compromise a number, perhaps in the hundreds or thousands, of weakly-defended computer systems and turn them into "zombies" by depositing some program code on those systems. At a particular point in time, the attacker will instruct all the zombies to direct a flood of messages at a specific site, which is overwhelmed and taken out of service.
