Summary
Information security was on the
ascendancy long before the horrific events of September 11 became seared into
our national consciousness, and information security remains in our thoughts as
we now move to strengthen our defenses. As
ghastly as attacks on our physical infrastructure have been, how enticing would
it be to our nation's enemies to attack our critical infrastructure from
cyberspace, where there are no borders, and evildoers can attack us from
virtually anywhere, via a computer and a modem?
The good news in cybersecurity
is that, while there are still no security magic bullets, there are many steps
that companies - whether they are suppliers or consumers of information
technology - can take and are taking to protect themselves.
Consumers of information technology need to be discriminating; they must make security a purchasing criterion, and hold vendors accountable through independent proof of information assurance, such as formal security evaluations. They must create a "culture of security" within their own organizations, so that security is not diminished by the "weakest link" of a careless or unknowing employee. Vendors of information technology need to cooperate on security standards to facilitate the growth of secure systems, and commit to a secure product lifecycle. Paradoxically, vendors need to both join industry organizations that share information about hacker threats, and embrace the same hacking techniques that expose so many security vulnerabilities (i.e. to detect and mend vulnerabilities in their own products and networks). Lastly, there are specific security technologies, such as the ability to manage data of different sensitivities, that facilitate the information sharing required to address new threats to our national security.
Representative Stearns,
distinguished members of the House of Representatives:
Information security was on the
ascendancy long before the horrific events of September 11 became seared into
our national consciousness, and information security remains in our thoughts as
we now move to strengthen our defenses. As
ghastly as attacks on our physical infrastructure have been, how enticing would
it be to our nation's enemies to attack our critical infrastructure from
cyberspace, where there are no borders, and evildoers can attack us from
virtually anywhere, via a computer and a modem?
The information security
explosion began several years ago and has accelerated with the growth of the
Internet, which has been good news for providers of secure systems and those who
depend on them. As more companies have embraced the Internet, security has moved
from an afterthought to an essential part of business infrastructure. In that
sense, the commercial world is merely catching up to the US government in terms
of the importance it places on information security.
Prior to the Internet, the requirements for strong information security
were almost solely driven by a select set of
"professional paranoids," such as intelligence agencies, the
Department of Defense, and financial institutions. These organizations have
understood for years that information security is central to their operations;
they are literally out of business without it.
For organizations only recently joining the ranks of the security-aware, e.g. by becoming e-businesses, the threat that one's mission-critical systems - now exposed to customers and partners - could be compromised has clearly elevated security on their radar screens.
The good news in cybersecurity
is that, while there are still no security magic bullets, there are many steps
that companies - whether they are suppliers or consumers of information
technology - can take and are taking to protect themselves.
Consumers of information technology need to be discriminating; they must make security a purchasing criterion, and hold vendors accountable through independent proof of information assurance. They must create a "culture of security" within their own organizations, so that security is not diminished by the "weakest link" of a careless or unknowing employee. Vendors of information technology need to cooperate on security standards to facilitate the growth of secure systems, and commit to a secure product lifecycle. Paradoxically, vendors need to both join industry organizations that share information about hacker threats, and embrace the same hacking techniques that expose so many security vulnerabilities (i.e. to detect and mend vulnerabilities in their own products and networks).
In order for any organization to secure its infrastructure, it needs to make security a purchasing criterion. Organizations must assess their security requirements - and not deviate from them - as part of system design. If security is not built into a product or system from the get-go, it is often impossible to retrofit it after the fact. Organizations also need to look at the total cost of securing a system, including assessing the lifecycle cost of security, such as how often they will have to patch their systems due to significant security vulnerabilities.
While no product is bug-free, an ostensibly secure
product, for which a vendor is constantly issuing security patches, is a
sign that the vendor did not pay enough attention to security during design, and
at some level does not "get it," or care about security. More importantly,
often the single easiest way hackers break into systems is through public
vulnerabilities for which the patch has not been applied. A vendor issuing a
patch per day or every other day for their product suite is, in effect, building
insecure and unsecurable systems.
Industry has begun to recognize
the disparate cost of securing products (from competing vendors) through the
pricing mechanisms of hacker insurance; products with comparatively poor
security track records are priced at a premium relative to their more secure
cousins by the companies offering such insurance.
For example, one widely-deployed operating system carries a 25% risk
premium relative to other commercial operating systems because of the difficulty
in securing it. While the
government "self-insures" against cyberattacks, the higher risk premium
should serve as a signal to the government, as it does to the commercial sector, that a system is riskier and less secure to deploy.
Lest we forget the stakes: it is impossible to put a price on national security.
One easy measure of the
security-worthiness of products is that of formal, independent security
evaluations against objective criteria of "what it means to be secure."
There have been many such criteria emerging in the past 15 years, including the
US Trusted Computer Systems Evaluation Criteria (TCSEC or "Orange Book"),
the UK Information Technology Security Evaluation Criteria (ITSEC), the Russian
Criteria, and most recently, the international Common Criteria.
The Common Criteria is an International Standards Organization (ISO)
standard (15408), and as such, is the
de facto worldwide standard for independent security evaluations. An independent
security evaluation against the Common Criteria is mutually recognized by
multiple countries, including the US, the United Kingdom, Germany, and most
recently, Israel. This enables a
vendor to create a single product "acknowledged to be secure" in many major
markets.
The US Federal government has already realized the value of independent security evaluations, as witnessed by the many Federal procurement programs (for example, in the Department of Defense) requiring that a product has completed a formal security evaluation. The National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11 requires (as of July 2002) that procurement of commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled IT products to be used on systems entering, processing, storing, displaying, or transmitting national security information be limited to those which have independent security evaluations (i.e. against the criteria outlined above, or the Federal Information Processing Standard (FIPS)-140, which attests to the correctness of cryptographic modules).
Information assurance efforts are undermined by procurement efforts which bypass these directives. Each time a procurement waiver is granted that evades the requirement for evaluated product, it negates the value of information security, and the efforts of vendors who do comply with Federal directives. An independent security evaluation of a large complex product, such as a database server, represents about $500,000 of additional security quality control, by someone other than the vendor. Independent security evaluations are the "good housekeeping seal of security," and customers of information security products neglect or negate them at their peril. As the saying goes, "you get what you pay for;" the US Federal government, as perhaps the largest consumer of secure systems, must demand better security in their procurements and accept nothing less.
An important factor in a strong
cyberdefense is the level of awareness of the entire organization - not merely
the information technology (IT) department - of the importance of security.
The creation of a "culture of security"
is a factor in any organization's cyberdefense, for the reason that you
can never hire enough "cyberpolice" to secure your infrastructure without
the cooperation and awareness of the users of the infrastructure.
The best security policy in the world can be defeated by users who are
ignorant of their responsibilities under it, or who deliberately flout security
policies, much as an alarm system will not protect your home if you leave the
door unlocked, or the spare key under the mat. Not every organization requires a
culture of security on the order of the National Security Agency; yet every
organization has secrets. Creating
and enforcing security policies must go hand in hand with employee education and
awareness. Most employees want to
do the secure thing, but they need to know what it is.
Industry associations such as the IT industry ISAC (Information Sharing and Analysis Center) find multiple organizations unified against a common threat of cyberattack. Hackers have a nasty habit of repeating prior successes; as one discrete type of vulnerability is exposed, the hack is repeated through similar products from that vendor, or from other vendors. An organization that shares information about a threat to it, whether it is outright attacks on that organization's networks and systems, or a vulnerability in their product - even at the risk that the vulnerability will be used against it by a competitor - helps strengthen the entire nation's critical infrastructure. As the saying goes, "we must all hang together or we shall surely hang separately." Fierce business rivals can and do cooperate in industry ISACs, including the IT industry ISAC. IT ISAC alerts are part of the early warning system for cyberattacks; many of the companies whose products are the foundation of the nation's IT infrastructure are members of the IT industry ISAC.
The cooperation of many vendors upon common security standards facilitates a secure infrastructure in several key ways. One of them is that a protocol that is well-defined and subject to peer review is, all other things being equal, more likely to be secure than one that is proprietary and shrouded in secrecy. "Security by obscurity," the practice of hiding a product's security mechanisms and hoping someone cannot discover a weakness, does not work. Hackers are all too clever at reverse-engineering code and finding security weaknesses. If it's not secure under the light of day, it is not secure at all. Consumers of secure systems should seek standards-compliant security products, as this increases the chances that the security works, and will work with other related products.
Another way in which standards facilitate better security is that it is easier for vendors to integrate security into their products; security is easier to deploy and more widely deployed when there are common integration interfaces. Finally, the growth and adoption of standards go hand in hand with market expansion, and this provides consumers of security-related products with a greater choice of higher quality products. You just do not get good products in a monopoly market dominated by proprietary security mechanisms, or one in which security solutions are fragmented and do not work together.
An example of this is the growth of public key infrastructure (PKI), a security technology with important applications including network encryption (e.g. via the Secure Sockets Layer, an Internet standard) and digital signatures, which can enable non-repudiation of electronic transactions. The PKI market has been slow to grow, because "I" is the operative word: deployment of a PKI requires major infrastructure changes in all products that use it, which has historically been expensive and difficult. Until recently, many vendors of PKI products and services were more concerned with pushing their proprietary technology than cooperating on standards, and growing the market. It has only been with agreement upon and adoption of standards that PKI has been broadly deployable.
Private industry offers many specific cybersecurity technologies that can potentially enable us to better secure other aspects of our nation's critical infrastructure. For example, one of the lessons of September 11 is the necessity of sharing data among interested parties, in real time, while preserving "need to know." At the same time, the needs of national security and privacy must be carefully balanced, so that the privacy of all is not compromised to identify the few who are malefactors.
For example, "watch lists" could be compared against airline reservation databases, and only those matching records culled and labeled so that those with "need to know" could access them. Suspect names from intercepts from one entity could be centralized in a database, with selected access by other law enforcement agencies. The data, of course, needs to be labeled with appropriate security classifications and compartments, and may be relabeled in real time to facilitate information sharing among greater or lesser groups of law enforcement organizations, intelligence agencies and other parties with need-to-know.
Commercial technology exists today from Oracle Corporation that enables multiple companies' data to be stored in the same database, ensuring that Company A only sees Company A's data, and Company B sees Company B's data. Data may also be accessed by both companies (for example, if they are trading partners), and can be natively labeled with sensitivity classifications (e.g. "Company Confidential: A and B") much like government classifications of fine granularity (e.g. "Secret" or "Top Secret: Project X"). The ability of commercial off-the-shelf software to natively manage data "owned" by different entities, and label data with sensitivity classifications, allows both separation and sharing of data in real time. We believe this technology to be even more valuable in ensuring national cybersecurity than it is for supporting hosted information systems, exchanges, and "communities of interest" on the Internet, where it is currently used.
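The labeling model sketched in the two preceding paragraphs (a hierarchical classification plus need-to-know compartments, rows "owned" by one or more companies in a shared database, and relabeling to widen sharing) can be made concrete with a small row-level filter. This is an added example written for this page, not Oracle's product or the testimony's own code; the level names, the sample rows and the exact dominance rule are constructed assumptions.

```python
# Constructed example: row-level mandatory access control by sensitivity label.
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str                              # hierarchical classification
    compartments: frozenset = frozenset()   # need-to-know, e.g. {"Project X"}
    owners: frozenset = frozenset()         # owning companies; empty = not owner-restricted

@dataclass(frozen=True)
class Clearance:
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()         # companies this reader belongs to

def dominates(clearance: Clearance, label: Label) -> bool:
    """A reader sees a row only if its level is at least the row's level, it holds
    every compartment on the row, and, for owner-restricted rows, it belongs to
    at least one owning company ("Company Confidential: A and B")."""
    if LEVELS[clearance.level] < LEVELS[label.level]:
        return False
    if not label.compartments <= clearance.compartments:
        return False
    return not label.owners or bool(label.owners & clearance.groups)

def visible(rows, clearance):
    """Every query result passes through the dominance check, row by row."""
    return [r for r in rows if dominates(clearance, r["label"])]

def relabel(rows, row_id, new_label):
    """Widen (or narrow) sharing by changing a row's label, never the data."""
    return [dict(r, label=new_label) if r["id"] == row_id else r for r in rows]

# Constructed rows (not real data): two companies' records and two labelled
# government records, all held in the same table.
ROWS = [
    {"id": 1, "data": "A order book", "label": Label("Confidential", owners=frozenset({"A"}))},
    {"id": 2, "data": "B price list", "label": Label("Confidential", owners=frozenset({"B"}))},
    {"id": 3, "data": "A/B contract", "label": Label("Confidential", owners=frozenset({"A", "B"}))},
    {"id": 4, "data": "watch-list match", "label": Label("Secret", frozenset({"Project X"}))},
    {"id": 5, "data": "intercept summary", "label": Label("Top Secret", frozenset({"Project X"}))},
]
COMPANY_A = Clearance("Confidential", groups=frozenset({"A"}))
ANALYST = Clearance("Secret", frozenset({"Project X"}))

if __name__ == "__main__":
    print([r["id"] for r in visible(ROWS, COMPANY_A)])  # [1, 3]
    print([r["id"] for r in visible(ROWS, ANALYST)])    # [4]
    widened = relabel(ROWS, 5, Label("Secret", frozenset({"Project X"})))
    print([r["id"] for r in visible(widened, ANALYST)])  # [4, 5]
```

Company A never sees Company B's private rows, the analyst sees only rows within both clearance level and compartment, and downgrading row 5 to "Secret: Project X" is what makes it shareable with the wider group.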
The practice of "ethical hacking" is being employed by many companies as a cyberdefense, much as the armed forces conduct wargames. The notion is simple: break into your own systems - or, in the case of software and hardware providers, break into your products - before someone else does. Learning how to think and act like a hacker makes it easier to build hack-resistant or hack-proof products. "Lessons learned" from hacking attempts can be used to educate IT professionals and product developers, as well as continuously improve engineering processes. Ethical hacking is an important weapon in a company's security arsenal.
Ironically, the best cyberdefense for our infrastructure may be the hacking community itself. The vast majority of hackers merely want "bragging rights" among their peers for discovering a security vulnerability; they are not malicious with that knowledge. The more that hackers expose product vulnerabilities and contact the vendors whose products they so creatively break into, giving them time to address the vulnerabilities, the more secure the resulting product is. As much as no vendor likes hackers going after their product, we learn from them and we build better products because of them. It's not too far-fetched to think that a "cybercorps" of hackers can measurably help secure the nation's critical infrastructure against the hackers of a malicious foreign power.
There are no security magic bullets. Industry and government, consumers and purveyors of information technology: each must do his part. The price of cybersecurity, as with liberty, is eternal vigilance.