
Cyber Security: Private-Sector Efforts Addressing Cyber Threats.

Subcommittee on Commerce, Trade, and Consumer Protection
November 15, 2001
1:00 PM
2322 Rayburn House Office Building

Cyber Security Panel

Mr. John P. Casciano
Group Senior Vice President, Secure Business Solutions Group
SAIC
8301 Greensboro Drive
McLean, VA, 22101

Chairman Stearns, Congressman Towns, and members of the Subcommittee.  I am pleased to be able to support your examination of cyber security in US industry and of how industry can effectively protect itself against cyber threats.  This is a complex and multifaceted challenge.  Today, I would first like to highlight briefly a few of the major threats and vulnerabilities related to cyber security for American businesses, and then discuss approaches the private sector can take at reasonable cost to increase its own levels of cyber protection and assurance. Finally, I'd like to address some steps the Congress could consider in promoting and encouraging an improved cyber security posture for US industry.

For perspective, I have been involved with cyber security matters for some time both in government and in industry.  During my 32 years of service in the US Air Force, I had the privilege of commanding both the Air Intelligence Agency and what is now known as the Joint Information Operations Center.  In those assignments, I had responsibility for both the Air Force Computer Emergency Response Team and the Air Force Information Warfare Center, and had the opportunity to observe and direct the development of information technology capabilities for both defensive and offensive purposes in support of Joint operations.  More recently, while on the US Air Force Headquarters Staff, I participated in developing and managing the response to the real world cyber attacks against the Department of Defense information infrastructure that came to be known as Solar Sunrise and Moonlight Maze.  I continue to be involved in Department of Defense cyber security issues through pro bono work.  For example, I served on the 1999 USCINCSPACE Summer Study on Computer Network Defense and on the 2000 Defense Science Board Task Force on Defensive Information Operations.  I was also one of a handful of "outside" reviewers for last year's National Intelligence Estimate on Information Warfare threats. 

I retired from the Air Force in 1999, and for the last two and a half years have become involved in cyber security in the private sector, serving both government and commercial clients. Currently, I manage the Secure Business Solutions Group, the information security practice at Science Applications International Corporation (SAIC). SAIC provides diversified professional and technical services that involve the application of scientific expertise, and computer and systems technologies, to solve complex technical problems. SAIC is a Fortune 500 company with annual revenues of $5.9 Billion and over 41,000 employees, and is the largest employee-owned, high-tech company in the U.S.

Within SAIC, the Secure Business Solutions Group provides clients with the full spectrum of information security offerings - consulting, implementation, education and training, and managed services. For many years, SAIC has provided support to the Department of Defense and several civil agencies - including support to the FEDCIRC Incident Reporting and Handling Services -- as well as commercial clients. We developed and still have an interest in a commercial security firm - Global Integrity - that created and operates the first Information Sharing Analysis Center, or ISAC, for the financial services industry - as well as ISACs for global firms and for Korea. Today, nearly 40 per cent of my Group's business is for commercial customers concerned with protecting the security, integrity, privacy, and survivability of their business information and that of their clients.  

While the terrible events of September 11, 2001 have heightened all our concerns for security and are seen by many as defining the beginning of a new era in U. S. national security, the vulnerabilities -- both physical and cyber -- have been with us for quite some time.  The whole trend toward globalization and the reach brought about by modern transportation and communications have eroded the sanctuary we Americans have enjoyed for over two centuries.   These terrorist events have taken both a shocking human toll that we must never let the world forget and an economic toll that has been extremely disruptive to the American people and others around the world.  One notable observation from these events is that the cost of entry for such attacks is extremely low.  The cost to the perpetrators to plan and mount the attacks was probably less than a million dollars -- certainly no more than a few million -- while the human and economic consequences have been staggering.  The impact of the losses to our economy alone is in the billions of dollars.  

For the last several years, we have observed the same low cost of entry for those who would disrupt or attack in cyber space, and the same disproportionate consequences for those who have been attacked.  While the impacts of cyber attacks are difficult to quantify, largely due to the reluctance of businesses to report fully, or at all, for competitive reasons, we saw the stock prices of several large companies such as AOL and Yahoo fall significantly as a result of the Distributed Denial of Service attacks in 2000, and some estimates place the recovery and lost business costs at nearly $10 Billion. We have also seen the progress of E-commerce be impeded in recent years over concerns for the security and integrity of transactions, with probable significant impacts on our economic expansion and competitiveness.

More recently, the NIMDA virus was detected and spread within a week of the terrorist attacks.  I'm not suggesting a relationship, because we just don't know, but NIMDA represents a new, more dangerous class of virus that operates at a peer-to-peer level, infecting not just servers, but clients and even web pages. The losses from NIMDA, measured directly in disrupted business and in opportunity costs of repair and reconstitution, may well have exceeded several billion dollars despite some early warning by the National Infrastructure Protection Center and the ISACs. The difficulty in attributing the sources of these attacks and in prosecuting them makes them a special concern.

The general sources of these cyber attacks are by now familiar, ranging from the "recreational hacker" on the low end to the more sinister perpetrators from international criminal and terrorist elements and nation-states.  Following is a brief synopsis of these: 

  • Hackers, Crackers, and Other Outsiders.  These have been the most active source of background "noise" in the cyber environment.  They include casual hackers who are often juveniles or "hobbyists" using scripted attacks and commonly available tools from the Internet and its many "clubs."  There are also professional level attackers who can design and mount novel attacks against protected targets using both a combination of commonly available tools and "homegrown" capabilities sometimes based on cracking encryption.  Their purposes range from joyriding and ego gratification to criminal intent, where fraud or financial theft is the goal.  Of interest, the 2001 CSI/FBI Computer Crime and Security Survey indicates among a sample of 186 business respondents that internet connections and outsider activities are now generating the largest source of attacks against the business information infrastructure, more numerous than those due to insiders. 

  • Insiders.  One of the most costly and dangerous human threats to business has historically been the insider, and this continues to be the case in the information age as well.  Insiders have legitimate access to at least some of the business information resources and IT infrastructure of the enterprise, and often know enough of the company's technology, processes, and human elements to be in a good position to subvert them.  They may act maliciously if they are disgruntled employees -- sometimes destroying, corrupting, or locking out access to information. On other occasions they may use the system to embarrass the business to the public or use it for financial advantage for themselves and others if they are industrial spies.  In every case, they are clear and present threats to the intellectual property, information resources, IT infrastructure, and the reputation of the business. 

  • Terrorists and Criminal Elements.  These may be foreign or domestic persons or organizations, and they may launch their attacks through cutouts and indirect network paths from overseas or from within the US.  Terrorists resorting to cyber attacks may be advancing a political cause: using direct cyber action to advocate environmental issues, opposing globalization, or attacking modernism on fundamentalist religious grounds.  In each case, for them, their end justifies their means.  Dramatic, headline-grabbing disruption of the US economy is their goal, and US businesses, especially those that are large and have a global footprint or multinational operations, are attractive targets.  Much of the current cyber terrorist activity is low level, to include web site defacement and temporary disruption of business operations.  However, terrorism is an activity planned and executed by the alienated, and terrorists and their causes have increasing appeal to students here and abroad who have the skills to become serious cyber threats to business.  Of particular concern is the possibility of a combination of terrorist attacks against targeted businesses, wherein cyber, physical, and anti-personnel actions may be taken.

  • State Enabled Threats.  The most complex and difficult threat to combat for both businesses and governments is one that is sponsored and executed with the technology and resources that only a nation-state can bring to bear.  Such attacks could be conducted with outsiders, insiders, proxies, or combinations of all three, using leading edge technologies to defeat commercial grade cyber security for even the best-protected enterprises.  Businesses that would be logical targets for such attacks would be proprietors/operators of our national infrastructures (e.g., telecommunications, transportation, energy/power, banking/finance, etc) or those large companies that provide key products and manufacturing (defense contractors, chip makers, etc).  Unfortunately, the numbers of nations that could conduct such attacks against the US and its businesses are likely to grow, given the low barriers to entry in such warfare.  This is warfare based on brainpower -- readily available worldwide -- and the weapons of choice are computers, fast becoming commodities.  State-enabled attacks against U. S. businesses are both a national and economic security threat, and they require vigilance and response by the Federal government, and close cooperation by the business community.  

Malicious threats to the information and IT infrastructures of commercial enterprises seek to exploit vulnerabilities in business computer information systems.  These vulnerabilities stem in part from worldwide business trends, paths in technology development, and operating standards which affect business processes and decision making: 

  • Globalization.  Business is going international as never before and is in a fierce worldwide competition for talent, resources, and markets.  Time is money and to the swift belongs victory.   Commercial attention is riveted on the business plan, the pursuit of core business, and above all on bottom line performance.  Broad connectivity and numerous interfaces both within and without the enterprise are needed to thrive in the "brave new world" of globalization.  However, cyber security imposes delays and additional costs of doing business, both of which are unattractive to business leaders responsible for customer satisfaction and the bottom line.  

  • Open Processes.  To cut business costs and improve responsiveness, businesses are connecting directly with suppliers and customers, sharing information, and even providing the opportunity for people and organizations outside the enterprise to access and input critical information on production and delivery, purchasing, and marketing.  This integration via supplier and customer chains depends heavily on trust and constitutes an inherent process vulnerability, if not addressed by cyber security and other technical and operational checks.  Of note, "Information Week Research" issued a study that was conducted this spring among 375 respondents, 67% of whom reported that supply-chain collaboration has increased in the last year.  However, only 21% of 4500 security professionals surveyed worldwide by IWR indicate that security policies include procedures for partners and suppliers. 

  • Wide Access.  As global businesses concentrate on core competencies, they increasingly rely on outsiders in maintaining and supporting their administrative processes and IT infrastructures.  Outsourcing is increasing steadily as a means to cut costs and gain additional business efficiency.  Maintainer and outsourcer personnel, a constantly changing parade of names and faces, vetted in uncertain ways in many cases, have insider access to systems and information, and therefore the opportunity to do serious mischief to businesses. 

  • Standard Architectures.  Because of the continuing increase in desktop, workstation, and server computing power, the client-server architecture reigns supreme, increasingly supplanting mainframes.  Client-server uses standard software in normalized configuration for operating systems and applications; industry-wide protocols for information sharing, display, and storage; and common approaches to design and implementation of system and subsystem interfaces for interoperability in communications and information exchange.  Variations in information system design are shunned due to cost and support considerations, even though such variations increase the immunity of the business information systems to cyber attack techniques that target standardized architectures and designs.             

 Over recent years, the losses to industry from cyber attacks have been real and steadily growing, drawing considerable media attention.  The 2001 CSI/FBI Computer Crime and Security Survey reports a 41% increase in electronic financial losses among 186 business respondents compared to a similar sample for 2000.  It is a fair question to ask why industry -- with or without government support  -- has not done more to safeguard its information systems and the intellectual property contained within its information infrastructure, and to protect its bottom line.   There are several apparent answers: 

  • Many managers aren't attuned to the problem.  Cyber security is a consideration for them, but the losses attributed to security lapses are tolerable for many; that is, they view them as part of the cost of doing business.  To the extent that managers are attuned to it at all, they generally put the issue into the hands of their Chief Information Officer, who may not have the resources or operational clout to implement and enforce security solutions. The lack of senior management attention is further exacerbated by a failure in current accounting methods to attribute current real costs of losses due to cyber insecurity in business, and to assess the potential magnitude of future losses that could accrue as the cyber threat to business grows.                                    

  • Poor cyber security performance by government.  Starting with the federal government and extending to state and local levels, government "talk" about cyber security has generally far exceeded the resource commitment and management attention it has been willing to devote to the problem of protecting the privacy, integrity, and access to government information and information infrastructure.  This judgment has been validated on an annual basis by the House Government Reform Subcommittee on Government Efficiency, which for FY 2001 has awarded government a grade of "F" for its overall cyber security posture.  Two thirds of the agencies and departments failed based on the information they are required to provide the Office of Management and Budget. Here, the parallel with the business world is striking, as resources for security solutions are scarce and often considered a problem for the technical staff and not the operational leadership.    Federal jawboning of industry on cyber security has led to a proliferation of advisory and coordinating organizations, but precious little in the way of practical technical support, tailored alerting/warning systems, security incentives, or subsidies to industry to improve cyber protections.   In sum, government sets an uncertain example and has provided little help to industry in coping with cyber security issues.                        

  • The "commons" problem.   Enterprise IT environments are growing, changing, and being used in new ways that resist system identification and configuration control.  They contain an expanding number of real or potential vulnerabilities in their software, hardware, communications, internal/external interfaces, people, and processes.  Moreover, they are frequently subject to decentralized control and resourcing.  Everyone depends on them, but nobody owns them.   Line organizations do not want to pay for IT, far less cyber security, because of the "free rider" problem in funding the IT "commons" and ensuring its security.  Within a business sector, losses due to cyber insecurity may be tolerable if they are judged to be comparable to other costs of doing business, and especially if competitors appear equally affected by the same cyber attacks.  The business case for cyber security so far is not well made in businesses outside the financial sector, which necessarily must lead integration of cyber security capabilities into its IT infrastructure based on historic experience with fraud, embezzlement, and theft.  Government is waiting for industry to solve the cyber security problem technically, and is waiting too for its shrink-wrapped product solutions.  Industry looks upon it as too big, too complex, and too diverse to tackle without government funding and legal relief from public information (FOIA) and anti-trust.  The "commons" problem of cyber security will be dealt with over time, either by an insurance approach, by regulation, or by some combination of the two.  For now, however, industry does not have the means, authority, or motivation to work a global solution.

Given the threats and vulnerabilities that businesses face, and the tough, highly competitive business environment that keeps management attention on bottom line issues as opposed to security, what can enterprises do to improve their security postures?   In developing a suitable cyber security posture for a business, there are certain top-level actions that management must take, and they are independent of the size or resources of the company.  In the final analysis, sound security depends on three interdependent elements:  people, process, and technology. The elements outlined below are intended to size the requirement for cyber security using the same logical approaches employed for any other business decision:  

  • Develop and deploy a sound security policy.  This is a no cost/low cost first step that many businesses fail to take.  What is the general approach to security and how will it be addressed and inculcated organizationally?  What behaviors and what competencies are expected of users of enterprise IT and information?  What will be the standards for access and the levels of information sensitivity?  How will management oversight of security be conducted and performance measured over time? How will security lapses be dealt with? 

  • Identify critical information, processes, and systems.  What constitutes the major components of the critical IT infrastructure and critical business information, and what levels of protection are required for each?  The objective is not to eliminate the threat altogether, but rather to manage it. 

  • Analyze threats and vulnerabilities.  What are the real sources of threats and vulnerabilities to the business's IT and information? These are based on business sector experience, state of the world, competition, enterprise footprint, and future business plans.  What are the technical, process, and operational vulnerabilities in the IT infrastructure and information resources? 

  • Perform risk management.  In examining the combination of threats and vulnerabilities affecting the enterprise IT infrastructure and its information, it is important to make informed and deliberate management decisions about how to deal with risks, consistent with sound business principles.  The choices are several, but depend on an assessment of how much risk a business can tolerate versus how many resources it has to commit:  

  • Avoid risks.  Take actions that eliminate or do not incur the threat/vulnerability duality of concern in the first place.

  • Shift risks.  Use insurance when available or move liability to others if a threat/vulnerability must be faced.  Cyber insurance is a nascent but developing specialty in the insurance industry as work proceeds on identifying risks and developing tools to set premiums. 

  • Mitigate risks.  Take technical and/or procedural steps to reduce the threats/vulnerabilities if necessary, economic, and efficient to do.  With improvements in security technologies and products, the choices for mitigation are on the rise.

  • Accept risks/develop contingency plans and backups.  Risks that must be run and which are expensive but improbable in occurrence may be accepted if downside plans and alternative approaches can be developed in advance.

  •  Revisit and review.  With changes in the threats and vulnerabilities, the whole range of technologies, business processes, people, and IT infrastructure, assumptions and decisions about the level and extent of cyber security must be subject to periodic management reconsideration. 

In facing up to the requirements for improved cyber security, there are certain bedrock principles that any business, regardless of size, should consider in developing procedural solutions.  They are not technology driven and do not require capital investment as much as management attention. 

  • Ownership: Identify primary and alternate system and data owners to be responsible for identifying the sensitivity and criticality of the information on their systems and validate protection controls and access requirements. 

  • Accountability: Hold individuals with access to information responsible and accountable for protecting information while in their possession. 

  • Awareness: Users are the first line of defense.  They should be educated about policies, standards and procedures and adhere to them. 

  • Detection & Monitoring: Implement tools and methods to detect misuse and anomalous activities on both a real-time and periodic basis. 

  • Incident Response: Develop and publish a response plan that details actions required when a violation to the security policy is detected.  

  • Defense in depth: Implement security measures in multiple layers versus single layers, and place security devices as close to the item of value as possible. 

  • System Configuration: System vulnerabilities that can be eliminated without reducing functionality should be corrected.  System support devices and data storage should contain only applications or services for which a business reason exists. 

  • Assessment/Audit: Conduct periodic reviews of systems, networks, and applications against policies, standards and procedures to test and measure compliance and determine vulnerability to emerging exploits. 

  • Reliable Records: Maintain secure chronological records and logs on significant activities on the network and critical systems.  

  • Recovery:  Implement tools and mechanisms to ensure recoverability and business continuity. 

  • Access: Personnel, systems, or applications should only be granted access rights and privileges based on justified business-related requirements.  These rights and privileges must be exercised within the scope and limits of identified responsibilities. 

  • Exception:  Exceptions to policies, standards and procedures should be granted or denied based on individual review and management acceptance of risk.  All exceptions should be documented.

  •  Research:  Investigate, study, and understand emerging security technologies and techniques to develop appropriate methods and controls that protect against ascending threats and vulnerabilities. 

The cyber security problem has spawned significant creativity in the development of improved cyber security products by many vendors.  Properly selected, integrated, configured, deployed, operated, and supported, these can upgrade the security posture of any business.  With increasing attention to and demand for cyber security, and the growth in the commercial cyber security industry, the general classes of security technologies and capabilities below are emerging as shrink-wrapped products which are easy to integrate into IT infrastructures.  In parallel, IT product vendors are increasing the direct integration of cyber security functions into their own software lines, making each generation more secure and robust. However, a word of caution!  There is a real danger in looking for a single, "black box" solution to an enterprise's security problems.  It is my belief that there is not one today; nor will there be in any future I can envision.  The combination of people, process, and technology offers the best hope of managing cyber security risks.  Some of the more common technologies enterprises should consider are listed below: 

  • Perimeter defenses.  Firewall software and devices at the enterprise, network, server, and even host level are becoming standard.  These permit a variety of steps to limit access by sender, receiver, domain, function, and data type.  Although not the total security solution, these are a necessary portion of the security configuration for business systems, and the first layer in the defense in depth implementation for cyber security.  

  • Intrusion Detection.  Unauthorized penetration of business information systems must be assumed.  Rapid detection is a requirement.  Intrusion Detection Systems (IDS) work with sensors which either detect (1) specific activities or processes which have been previously templated as threatening, or (2) departures from previous information system activity and behaviors which have been assessed to fall in the "normal" range.  New approaches to IDS are beginning to emerge that include combinations of such sensors and detection criteria supported by enhanced data fusion, display, and decision support capabilities.  IDS capabilities are improving relative to threat and vulnerabilities, and becoming more widespread.  
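The two detection modes described above, templated (signature) matching and departure from a learned "normal" baseline, can be shown side by side on a small event log. The following is an added example written for this page, not code from the testimony or from SAIC; the log format, the host names, the baseline counts and the "repeated login failures" template are all constructed for illustration.

```python
"""Minimal illustration of the two IDS sensor types described in the testimony:
(1) signature detection against a previously templated pattern, and
(2) anomaly detection against a baseline of normal per-host activity,
with a small fusion step that merges both sensors' alerts.
Added example; all log lines, hosts and baseline figures are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline: events per host observed in six earlier "quiet" windows.
# A host absent from the baseline has no "normal" to compare against.
BASELINE_COUNTS = {
    "host-a": [12, 10, 11, 13, 12, 11],
    "host-b": [8, 9, 7, 8, 9, 8],
}

# Constructed log window, one line per event: "<time> <host> <action> <result>".
LOG_LINES = (
    [f"13:00:{i:02d} host-a FILE_READ OK" for i in range(20)]   # far busier than its baseline
    + [f"13:01:{i:02d} host-b FILE_READ OK" for i in range(5)]  # within its baseline
    + ["13:02:00 host-c LOGIN FAIL", "13:02:01 host-c LOGIN FAIL",
       "13:02:02 host-c LOGIN FAIL", "13:02:03 host-c LOGIN OK"]  # matches the template
)

FAIL_THRESHOLD = 3  # consecutive login failures that the template treats as threatening


def parse(line):
    """Split one constructed log line into its four fields."""
    time, host, action, result = line.split()
    return {"time": time, "host": host, "action": action, "result": result}


def signature_alerts(events, fail_threshold=FAIL_THRESHOLD):
    """Sensor type (1): match a previously templated pattern.

    The template here is 'fail_threshold consecutive LOGIN FAIL results from
    one host'; a successful login resets that host's streak."""
    alerts = []
    streak = defaultdict(int)
    for ev in events:
        if ev["action"] != "LOGIN":
            continue
        if ev["result"] == "FAIL":
            streak[ev["host"]] += 1
            if streak[ev["host"]] == fail_threshold:  # fire once per streak
                alerts.append((ev["host"], "repeated login failures"))
        else:
            streak[ev["host"]] = 0
    return alerts


def anomaly_alerts(events, baseline=BASELINE_COUNTS, k=3.0):
    """Sensor type (2): flag hosts whose event count departs from the baseline.

    'Normal' is taken as mean + k * population std dev of the baseline counts.
    A host with no baseline cannot be vouched for, so it is reported as well;
    an operator would typically tune k and add new hosts to the baseline."""
    counts = Counter(ev["host"] for ev in events)
    alerts = []
    for host, n in counts.items():
        if host not in baseline:
            alerts.append((host, f"no baseline for host ({n} events)"))
            continue
        mu, sigma = mean(baseline[host]), pstdev(baseline[host])
        if n > mu + k * sigma:
            alerts.append((host, f"{n} events vs baseline {mu:.1f} +/- {sigma:.1f}"))
    return alerts


def run_ids(lines):
    """Fusion step: run both sensors over the same events and tag each alert
    with the sensor that produced it, so an analyst sees one combined view."""
    events = [parse(line) for line in lines]
    fused = [("signature", host, why) for host, why in signature_alerts(events)]
    fused += [("anomaly", host, why) for host, why in anomaly_alerts(events)]
    return fused


if __name__ == "__main__":
    for sensor, host, why in run_ids(LOG_LINES):
        print(f"[{sensor:9}] {host}: {why}")
```

Running the block prints one signature alert for host-c and two anomaly alerts (host-a for volume, host-c for having no baseline); host-b, whose five events sit inside its learned range, is silent. The point the testimony makes about combining sensor types shows up directly: host-c is caught by both sensors for different reasons, while host-a is visible only to the anomaly sensor.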

  • Autonomic Response.  Most IT system response to intrusion and anomaly detection is ad hoc.  The next area for improvement will be in automated response to penetration, wherein pre-planned reactions are automatically executed to contain, reduce, and eliminate damage and sources of threat.  Over time, development work for DoD may provide for commercialized capabilities for adaptive response to penetration.  This area of cyber security products is currently very immature but appears promising for the future.   

  • Virtual Private Networks (VPN).  Virtual Private Networks provide secure tunnels between trusted sources connected over paths through less trusted domains by using encryption.  This approach is mature now and proving necessary for ensuring privacy for businesses using the internet as part of their extended IT infrastructure.  In view of globalization and the rise of collaborative working with international partners, VPN technology is a necessary security component for many businesses.

  • Encryption.  Cheap, reliable digital encryption using software has now become available and practical for industry.  Software based encryption is susceptible to attack by a state level threat, but is sufficient for all others.  Encryption is now required to protect sensitive data in motion (i.e., as it moves through networks and across telecommunications paths) and at rest (i.e., in storage) to ensure integrity and privacy.  Encryption is also useful in providing authentication between sender and receiver, and non-repudiation services (for accountability). 

  • Public Key Infrastructure (PKI).  Public Key Infrastructure using asymmetric keys has emerged as the only practical technology to support encryption requirements, such as those above, for numerous, diverse users who are geographically dispersed but functionally connected.  In a word, this is globalized, 24/7 business today.  PKI has been criticized as not being user friendly and scalable, but outsourced providers can reduce its application to something like a subscriber service for most businesses.

  • Digital Rights Management (DRM).  Digital Rights Management technology provides persistent controls of information and intellectual property over time.  It can set and enforce rules for sharing, display, editing/modification, usage, and even expiration of storage.  Other DRM capabilities will support secure billing and micro-payments, provide auditing and transaction tracking, and permit alteration in the rules as requirements may change.  PKI solutions can provide necessary encryption support.  DRM is not yet mature but is an emergent technology that can improve the cyber security of business processes in the future. 

I am generally optimistic about the improvements that we see developing in cyber security technology and believe these can be integrated at reasonable cost in ways that will markedly improve protection for individual business IT infrastructures operating in many different business risk environments.  These technical safeguards, combined with proper operating procedures and people with suitable training and policy direction, can make business cyber security postures quite robust.  Unfortunately, it is also clear that cyber attack tools are improving steadily in their capability and ease of use.  We can expect new waves of attack based on widespread internet dissemination of vulnerability information, the advent of adaptive or "polymorphic" viruses, improved counter-encryption capabilities, and clever attack tactics that evade IDS.  These attacks will come from an increased number of people globally who are prepared to use cyberspace and sophisticated software tools in malicious ways.  This is particularly of concern as we realize that in the next year the majority of internet content will no longer be in English, and the number of aggrieved foreign players with access and attitude rises.

For the present, the experience SAIC has had as a cyber security integrator with numerous industry customers is a bit mixed.      

  • Financial sector clients are far ahead of all others in awareness and concerns about cyber security, and in the sophistication of their solutions.  They in fact can provide technical and procedural lessons in best practices to the US national security community as well as other parts of the private sector. 

  • Many of our other commercial clients approach us when they have had a penetration or other IT infrastructure failure.  They want quick fixes, some testing to assure the problem has been resolved, and hesitate on cost grounds to support a longer-term relationship in which their security posture is systematically tested and upgraded. 

  • In assessing the sources of penetration, we normally find the attacks are not novel, but in fact are familiar.  In the majority of cases, patches have been available, but were not implemented.  In other cases cyber security systems were not correctly configured.  Those persons responsible for cyber security were overworked, under trained, or poorly supported and resourced by their management.

  • Many commercial clients are still doubtful about the business case for cyber security and typically do not make high demands on software developers of their operating systems and applications to incorporate strong security features.   

  • Outside of the financial sector, encryption and PKI are coming more slowly to industry customers than to the Federal government.  Government pressures for vendors to use PKI based encryption services in B2G transactions will gradually increase usage patterns.  There is some interest in outsourcing cyber security support services and in using managed cyber security service models on a subscriber basis.  This is economic, especially for small- and mid-sized firms that are mindful of the cyber security threat, but want to concentrate on their core business competency.  Unfortunately, it may take a catastrophic event in cyber space to galvanize business attention fully to cyber security issues and change perceptions about the business case.

Against this background discussion of growing cyber risks, actionable best practices, technology trends, and current business realities, there is an important role for the Congress to play to encourage improvements in commercial cyber security.  For good or ill -- and I believe for good -- we live in the information age, and there is no turning back.  While the "dot com" euphoria in the stock market may have come to an abrupt end, the underlying march of information and information technology has not.  We are wedded to the cyber realm for our future prosperity in virtually every area.  Our challenge is to learn how to live and operate in this new domain.  It will take time to evolve public policies and craft information age laws, but progress is being made.  In my view, here are some of the things the Congress may wish to pursue.

  • Encourage industry to define standards for due diligence in the development and validation of secure software by developers, and its secure implementation and operation by users.  In the event these standards were not met they would provide a basis for judicial allocation of liability and compensation.  Part of this approach would be to promote security testing of developers' software products according to accepted standards, and to increase emphasis on the integration of proper software configurations with prompt patch updates for operators.

  • Advocate an insurance-based solution to appropriate aspects of the cyber security problem that do not lend themselves to "ownership" -- the "commons" problem -- and an immediate technology solution.  As has been proposed in the aftermath of 9/11 for insurers of physical properties, it might be possible to consider Federal backing if insured losses exceeded a certain total due to cyber attack.

  • Consider tax subsidies or other incentives for improved cyber protections for certain industries or for the mitigation of particular classes of risks.  Low margin industries vital to public welfare in food and transportation, for instance, might be beneficiaries of such support for improved cyber security. 

  • Support education and training programs for cyber security skills.  It does not matter whether graduates of such programs enter government or commercial jobs since their capabilities will benefit business and the nation as a whole.  Ideally this would reduce dependence on foreign providers of those skills and services over time. 

  • Fund certain highly promising cyber security technologies and approaches that are under development.  Those that permit information systems to operate in degraded mode despite intrusion, to self-diagnose, and to heal themselves seem especially valuable and promising.  However, these technologies are far from ready for a shrink-wrapped solution and will require considerable development over time that industry alone will not pursue.

  • Resist the inclination to legislate specific technical solutions.  As in many similar problems, Congress will serve industry and the nation best by promoting an environment and development of the infrastructure of people and technologies required to define, implement, and upgrade efficient cyber security solutions over time.  For reasons I discussed earlier, to fix on any single technical approach now in a field so volatile is certain to fail. 

There are bills in various stages of progress in Congress that include provisions promoting improvements in business cyber security practices and capabilities.  HR 2435, "The Cyber Security Information Act," and S 1456, "The Critical Infrastructure Information Security Act of 2001," each have provisions to protect from FOIA requirements and antitrust concerns B2B and B2G sharing of sensitive information for alerting and warning of threats to business information infrastructures.  I commend these provisions for your favorable consideration in any legislation that is forthcoming this session.  

To summarize, industry faces a future of increasing and evolving threats to its IT infrastructure, Intellectual Property, and other critical information.  There is every expectation that better technology is emerging to improve protections.  But, more than technology, people at every level of the business enterprise are crucial to achieving upgrades to cyber security.  To be effective, managers must provide -- first and foremost -- competent, executable security policy.  That policy must be implemented in specific processes and technologies.  Cyber security must become an integral part of business operations.  People at the management level need to believe there is a business case for IT security and manage accordingly, and employees must receive training that maintains both security awareness and competence as a sustaining activity in their careers.

I thank you for requesting SAIC's views on this important matter, and I would be pleased to answer any of your questions.
