Subcommittee on Commerce, Trade, and Consumer Protection
November 15, 2001
1:00 PM
2322 Rayburn House Office Building

Cyber Security Panel
Executive Summary
Recent events have exposed security risks and vulnerabilities throughout our nation's
critical Information Technology (IT) infrastructure. Our nation needs to work
quickly and thoroughly - in public-private partnership - to assess these
risks and vulnerabilities and implement effective security policies, not only to
address today's problems, but also to prepare for tomorrow's unforeseen
challenges.
The U.S. economy has flourished in an open society supported by a highly available
critical IT infrastructure (i.e. information systems and computer networks).
In just the past ten years, we have witnessed a quantum leap in the
number of computer networks and access points to the Internet.
This evolution has resulted in unprecedented gains in productivity,
connectivity, and wealth.
Unfortunately, security has not kept pace with IT system complexity, interdependency, and
growth. Much of our nation's IT infrastructure is privately owned
and was built with less concern for robust security than may now be required.
Internet technologies and new business processes have created new
markets, relationships, and unprecedented access to information systems, but they
have also created new risks to the security of those networks.
Today, an individual or concerted attack could affect not only our
computer-controlled systems for banking, telecommunications, and most, if not
all, utilities, but also the vital systems that maintain our personal identities,
medical records and criminal records, and proprietary information.
But we must not let the size of the problem paralyze us. Instead, we must move
resolutely to encourage companies and individuals alike to fix current system
vulnerabilities and tackle head-on the hard issues -- such as authentication,
authorization, interoperability, recovery, and validation -- required for
critical infrastructure security.
The recent terrorist events should galvanize our resolve.
Indeed, the Administration has issued a call to action to the private
sector and government alike, through the President's October 16th
Executive Order creating the Critical Infrastructure Protection Board.
We must work together to identify and prioritize vulnerabilities, single
out best practices, and act swiftly to ensure the long-term safety and viability
of the critical infrastructure on which our economy, citizens, and government
rely.
INTRODUCTION
Good morning Mr. Chairman, and thank you for the opportunity to appear before your
subcommittee on the topic of security and private sector efforts to address
cyber threats. I am Mark Doll, partner and National
Director of the Security & Technology Solutions Practice
for Ernst & Young LLP.
Ernst & Young is a leader in providing accounting, assurance, and
information technology services around the globe, with 84,000 employees based in
130 countries.
While the Internet revolution has been occurring, Ernst & Young has been adapting
to offer our clients a variety of assurance services aimed at securing their
vital information and computer networks. I
bring fifteen years' experience working on IT systems implementations and
corporate IT management. Today, my
clients include many of the Fortune 500 and new and emerging
companies. Of our 84,000 employees, over 1200 work specifically on security and
IT risk matters, many of whom come to Ernst & Young from the United States
military and intelligence communities. As a result of providing our services to
numerous companies, Ernst & Young has a unique perspective on efforts to
secure our country's critical IT infrastructure.
Today I will suggest to you that recent events have brought to the forefront
long-standing security risks and vulnerabilities throughout our nation's
critical Information Technology (IT) infrastructure.
In light of this, our nation now needs to work quickly and thoroughly -
in public-private partnership - to assess these risks and vulnerabilities and
implement effective security policies, not only to address today's problems,
but also to prepare for tomorrow's unforeseen challenges.
Security Has Not Kept Pace With Infrastructure Growth and Interdependency
Corporate success has historically depended on the ability of management to control
strategic business functions -- product quality, management of physical plants,
sales, and customer support -- to stay ahead of competition. Today, technology has changed the traditional business
environment, and is being used to increase productivity and enable the creation
of non-traditional business relationships. Competitors
are becoming partners, customers can now fulfill their own orders directly from
suppliers' inventories, and all organizations rely on telecommunications and
information systems to manage the day-to-day operations of their businesses.
Yet, as corporate America spent the last decade scrambling to react to
and grow at the same pace as its competitors, it gave little regard to the
ramifications of that growth. Internet
technologies and new business processes created new markets, relationships, and
unprecedented access to information systems, but they also created new risks to
the security of those networks. Productivity
and IT systems grew rapidly, but the security and controls around those systems
did not develop at the same pace.
This failure on the part of individual organizations to properly maintain the
security of their IT systems could have a potentially disastrous ripple effect
on our nation's collective security. Today,
every business in America, every citizen who accesses the Internet, creates a
portal into our vast interconnected system, creating not only a window through
which information is gleaned, but also a potential door through which an attack
on the whole system can be launched. Public
and private sector organizations rely on many of the same IT systems to maintain
productivity. Consumers and businesses
today rely not only on their own ability to conduct transactions, but also on
the reliability and availability of applications and infrastructure that are
managed by others, including their customers, business partners, government, and
other companies with whom they have no "traditional" business relationship.
This has created a highly interdependent "IT reliance chain" of systems and
businesses.
What Is At Risk?
Without being too alarmist, this failure to build security into our systems makes our
critical infrastructure vulnerable to cyber attacks not only from terrorists,
but also from criminals, hackers, and disgruntled employees.
Such individuals often search for the weakest link within a
system, sneaking in through a loophole in or between software or hardware
systems. Once inside the
cyber-perimeter of an IT system, a hacker is then free to disguise himself or
herself as a valid user, stealing confidential information or creating new
vulnerabilities for others to exploit. Whether
it is via a cyber attack, a worm, or a deliberately launched virus, a concerted
effort could wreak havoc throughout the "IT reliance chain,"
putting at risk our nation's security, the way corporate America conducts
business, and the way citizens live their lives.
Our nation depends on interlinked information systems to run our telecommunications,
power, transportation, financial, and national security functions. Business
transactions can only take place if the applications and IT systems on which
they rely (i.e. software solutions that control manufacturing) are functioning
appropriately. But no business is
an island unto itself. If our
nation's critical infrastructure is unavailable, individual businesses will be
unable to operate. Similar to a house of cards, if just one component of this
chain were to come under attack, the whole network could be affected or, in the
worst case scenario, fail.
For individuals, even the most mundane tasks in life are dependent on the proper
functioning of the reliance chain. We
have become reliant on computer-controlled
systems for banking, telecommunications, power, and also the vital systems that
maintain our personal identities and medical records. An attack on these
systems would dramatically affect the American way of life we take for granted,
putting at risk our ability to communicate with family and friends, access
money, visit a hospital, or even light our homes.
We are all highly dependent upon the near 100% availability of our
country's critical infrastructure components.
What Needs To Be Done?
The security systems surrounding our critical infrastructure, specifically the
information and communications networks, electrical power systems, gas and oil
transportation and storage, banking and finance systems, transportation systems,
water supply systems, emergency services and government services, must be
properly managed.
As you can imagine, effectively securing these systems will be a task of
unprecedented proportions. But we must not let the size of the problem paralyze
us. Already, hardware and software companies are institutionalizing efforts to
proactively post known vulnerabilities and provide patches to their customers.
Leading companies are moving quickly to assess vulnerabilities in their
operational infrastructures. But we
must do more to encourage companies and individuals alike to fix current system
vulnerabilities and tackle head-on the hard issues -- such as authentication,
authorization, interoperability, recovery, and validation -- required for
critical infrastructure security.
These are technical terms used by those of us in the IT security industry to describe what
are actually easy-to-understand concepts. Just
as "notice," "choice," "access," and "security" needed to be
understood before policy makers could tackle data collection issues,
"authentication," "interoperability," "recovery," and
"validation" need to be understood and debated if we are to move forward on
a national cyber security program.
1. Authentication & Authorization
First, "authentication." The term refers to the ability to determine who is using
computer systems, and how to make sure that individuals are actually who they say
they are. "Authorization" is
simply what an individual is allowed to use or see on a system. Without an
appropriate system for authentication and authorization, we will be unable to
track and limit unauthorized individuals who might gain access to systems for
personal gain or cyber terrorism.
2. Interoperability
The second issue we will need to tackle if we are to ensure security is
"interoperability." Interoperability
refers to the ability of systems to function seamlessly regardless of operating
systems, applications, or hardware. We have today countless numbers of different
protocols for operating systems, applications, and hardware. Each vendor has a
proprietary interest in their protocols, including the organizations at the
witness table with me today. This has created a dysfunctional environment of
complicated interoperability between competing systems, applications, and
hardware. This limited
interoperability makes it costly and difficult for organizations to implement
truly effective security solutions.
3. Recovery
Third, "recovery." This term refers to
the ability to correct system failures and catastrophes in a timely manner,
wherever they occur. Today, we rely
on companies to unilaterally act to implement fail-safe systems and contingency
plans. Although most have systems
to restore a site, network or system failure, it is our experience that many
companies lack the necessary rigor and scale of recovery systems to respond to a
national attack or cohesive cyber terrorism threat. Any national consideration
of IT security must take into account the necessity for a national program
requiring and architecting a national recovery system. Admittedly, this will be
a costly undertaking on the part of both corporate America and the government.
4. Validation
Finally, "validation." Securing our
critical infrastructure should not be perceived as a problem that can be fixed
simply by purchasing the latest and greatest software or installing a firewall.
Once a security application or process is put in place it must be
regularly monitored and its effectiveness validated.
This applies to all levels of security, including authentication,
interoperability, and recovery.
Unfortunately, there is no common set of standards for validating the security of computer and
information systems. Instead, different countries, individual industries,
application vendors, and hardware providers employ different standards for
assessing vulnerabilities and the effectiveness of security solutions. This
hampers efforts to conduct comprehensive risk assessments of network safeguards
and controls across industries and applications. Services companies like Ernst & Young must then determine
how to make all of these competing standards work within a complex corporate
environment while allowing for innovation and growth. Any long-term discussion of IT security should, therefore,
consider the need for harmonizing standards for validating effectiveness.
Validation is, in my mind, the most crucial issue we need to tackle, for without it, we
will not accomplish systemic change. Only
by regularly assessing the effectiveness of controls around complex issues like
authentication, interoperability, and recovery will we ensure that any quick
fixes are working as intended.
Public-Private Partnership Is Necessary
Clearly, critical IT infrastructure security raises difficult issues. Today's hearing
is a step in the right direction. We need to work together, in a public-private
partnership, to answer these difficult questions and deliberate on effective
solutions.
The Administration has issued a call to action to the private sector and government,
through the President's October 16th Executive Order creating the
Critical Infrastructure Protection Board (the "Board"), to work together to
develop standards and best practices necessary to secure information systems for
critical infrastructure. Importantly,
the Executive Order requires the Board to work with members of the private
sector, including the audit community, to, among other things, "propose and
develop ways to encourage private industry to perform periodic risk assessments
of critical information and telecommunications systems." We look forward to
working with the Administration and Congress on this important initiative.
CONCLUSION
In conclusion, the events of September 11, 2001, focused our country's
attention on national security issues. It would be a mistake to focus solely on
our country's outer security perimeter and overlook the security of our
domestic IT infrastructure. We must
work together to identify, prioritize and fix known vulnerabilities, as well as
identify best practices to ensure the long-term safety and viability of the
critical infrastructure on which our economy, citizens, and government rely.
I appreciate the opportunity to be here this afternoon, and am happy to answer any
questions.