Subcommittee on Commerce, Trade, and Consumer Protection
November 15, 2001
1:00 PM
2322 Rayburn House Office Building

Cyber Security Panel
Although media attention to cyber attacks has increased in recent months, the fact is that commercial and government computers have been under daily attack for many years. However, over the past several years, the frequency and severity of cyber attacks against both government and commercial infrastructures have increased dramatically.

Overall, the state of IT security in industry is poor and is struggling to improve. New technical vulnerabilities and threats, such as viruses and worms, are released on a regular basis. Many organizations, both in and out of government, still leave the bulk of the work of securing their systems to individuals who perform these critical tasks as an addition to their normal jobs. Because of this, critical security duties, such as making sure software is properly updated with the latest security patches, are a low priority if they are done at all.

While we have seen a laudable increase in spending on aspects of physical security, there appears to be little increase in funds allocated to strengthening the security of the commercial information infrastructure which fuels our economy. While many companies are attempting to increase security on their own, the approach is piecemeal, as there is no incentive from the government to coordinate their efforts with their industry partners, suppliers, and customers. Such incentives are vital, especially in the current economy.
Mr. Chairman and members of the Subcommittee, thank you for the
opportunity to testify before you today. My name is David Morrow and I am the Managing Principal for
the Global Security and Privacy consulting practice of EDS.
I have over 25 years of experience in the information technology
("IT") field as a computer programmer and analyst, operations chief,
security officer, investigator, and consultant.
Prior to joining EDS I was a security consultant with Ernst & Young
LLP and Fiderus Strategic Security and Privacy Services, a small start-up
consulting firm. I also spent 13 years of a 22-year Air Force career as an
investigator of computer crime for the Air Force Office of Special
Investigations (AFOSI). When I retired in 1998, I was the chief of the computer
crime investigations and information warfare division for AFOSI.
I am honored by this invitation to present to the Subcommittee EDS' views on the state of IT security in U.S. industry.
The tragic events of September
11 have brought many changes to our way of life.
Along with changes to the physical security of public places such as
airports and sports venues / arenas, we have witnessed a dramatic increase in
attention being paid to the security of what EDS chairman and CEO Dick Brown has
referred to as today's economic currency:
knowledge and information.
Although media attention to
cyber attacks has increased in recent months, the fact is that commercial and
government computers have been under daily attack for many years.
However, over the past several years, the frequency and severity of cyber
attacks against both government and commercial infrastructures have increased
dramatically.
While many, if not most,
attacks are relatively minor, such as web site defacement and simple harassment,
others are designed to cripple, damage, or destroy the computer networks they
encounter. For example, our own EDS
network infrastructure detects and destroys over 20,000 viruses, worms (programs
that spread through a network by reproducing and transmitting themselves to
other network systems), and network attacks per month.
Over the past several years, cyber attack software such as worms, viruses, and hacking tools has become both more sophisticated and easier to use. A computer novice can now download and launch computer attack software as easily as launching a commonly used commercial product such as a word processing program.
Although massive attacks
against the national information infrastructure, the so called "electronic
Pearl Harbor", have long been predicted and expected, such attacks have, for
the most part, failed to materialize. In
the current war against terrorism, however, the stakes have risen considerably.
A massive, coordinated denial of service attack or a fast spreading
program like the recent Nimda worm could have devastating effects on our
economy, especially if the attack were designed to introduce random changes to
various pieces of data on every system it corrupted, as opposed to simply
slowing or halting the system itself.
Our economic system is based upon trust: trust between trading and investing partners, trust between consumer and merchant, trust between supplier and purchaser. If this sense of trust were damaged or destroyed, our economy would be crippled. Maintaining these trust relationships is one of the most important things we can do to ensure the continued development and growth of the information economy.
For many years, practitioners
of IT security have worried about the lack of both a sense of urgency and
priority for corporate IT security. Prior
to September 11, companies often viewed IT security as a variable, discretionary
expense that lacked a clear benefit to offset the costs involved.
This was especially true in companies in nonregulated industries where no
clear mandatory standards forced a minimum degree of security planning and
structure. Since September 11,
however, we have seen a doubling in requests for information about IT security,
especially in the areas of business continuity planning and overall security
best practices. Tragic as they
were, the events of September 11 helped to drive home the fact that security
should be considered an essential capital investment rather than simply an
expense.
Overall, I would characterize the state of IT security in industry as poor and struggling to improve. New technical vulnerabilities and threats, such as viruses and worms, are released on a regular basis. Many organizations, both in and out of government, still leave the bulk of the work of securing their systems to individuals who perform these critical tasks as an addition to their normal jobs. Because of this, critical security duties, such as making sure software is properly updated with the latest security patches, are a low priority, if they are done at all.
The bulk of the problem remains rooted in a lack of continuing, process-oriented attention to basic security principles such as good password practices, tracking and installing critical software patches, as well as user training and education on security basics. According to the Federal Computer Incident Response Center, about 90% of successful attacks are caused by the lack of updated software patches.
A striking example of this is found in the fact that the Code Red worm, which wreaked havoc on numerous corporate systems a few months ago, took advantage of computer vulnerabilities that had been identified and corrected by a software patch months before. The patch had simply not been installed on many of the machines. Another example can be found in the ease with which many web sites have been vandalized by exploiting well-known and documented flaws in web server software.
Finally, while we have seen a laudable increase in spending on many aspects of physical security, there appears to be little increase in funds allocated to strengthening the security of the commercial information infrastructure which fuels our economy. While many companies are attempting to increase security on their own, the approach is piecemeal, as there is no incentive from the government for companies to coordinate their efforts with their industry partners, suppliers, and customers. Such incentives are vital, especially in the current economy.
What can be done?
First, we can concentrate on
developing a more coordinated program of industry/government cooperation that
stretches beyond the critical infrastructures designated by Presidential
Decision Directive 63 to encompass a wider variety of companies and
institutions. Programs such as the FBI's InfraGard are a good start, but more needs to be done to bolster the commercial sector's level of trust in the government. As an investigator of
numerous network attacks, I can attest to the fact that coordinated information
sharing among victims of an attack is essential to halting the attack and
identifying the attacker. Companies
should not be penalized for acting together for the common good.
Legislation introduced by Representatives Davis and Moran is a good
start.
Second, we should increase
incentives for companies to allocate the necessary funds to upgrade their IT
security. In today's
interdependent electronic economy, a failure of security in one area can spread
to encompass numerous other institutions within a very short time.
Security of all networks should be viewed as something we do for the good
of society as a whole rather than as a discretionary cost to be reduced or
eliminated when times are difficult. We
believe that the 30 percent bonus depreciation provision included in the
House-passed economic stimulus bill would be a big help in this regard.
We also think measures that specifically target investments in security
and technology, such as those introduced by Representatives Weller and Upton,
would be very helpful.
Third, we should renew our
emphasis on security research and development, especially in developing secure
and stable software for our critical tasks.
A permanent extension of the research and development tax credit could be
part of the solution here.
Finally, we should work
together to continue to develop and professionalize the cadre of IT security
professionals practicing today. Currently,
there are few widely accepted standards defining what an IT security
professional knows and does. Given the critical role these professionals currently play in our society, we need to ensure that we have only the best and most trustworthy individuals guarding our systems.
As a last point, I would like
to reemphasize what is perhaps the most important point of my testimony today.
Security is not a static goal that we can ever fully achieve.
Rather, security is a continual journey.
There is no technical or procedural silver bullet that will magically
solve all security issues. Rather,
good security is a constantly evolving spectrum of processes, technical tools,
policies, and human values that is continually changing and being updated to
meet new threats and risks. Only by
fully utilizing all aspects of this spectrum can we maximize the security and
integrity of our national information infrastructure.
Thank you again for the
opportunity to share my thoughts with you today.
I will be glad to answer any of
the Subcommittee's questions.
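The testimony's central operational point is that Code Red succeeded on machines whose fix had been available for months, and that tracking critical patches is routinely nobody's job. The script below is an added example, not part of Mr. Morrow's testimony or of any EDS tooling: it takes a constructed host inventory and a constructed advisory list (the advisory IDs, product names and version numbers are hypothetical, not real bulletins) and reports every host still running a version older than the fixed one, ordered so that internet-facing hosts with the longest-ignored fixes come first. The hearing date is used as the "as of" date so the lag figures can be checked by hand.

```python
"""Patch-lag report: which hosts still lack a fix that shipped long ago?

Added example, not part of the testimony. Advisory IDs, product names,
versions and the host inventory below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical advisories: product affected, first fixed version, release date.
ADVISORIES = {
    "ADV-2001-001": {"product": "webserver", "fixed_in": "5.0.3",
                     "released": date(2001, 6, 18), "severity": "critical"},
    "ADV-2001-002": {"product": "mailserver", "fixed_in": "2.1.1",
                     "released": date(2001, 10, 2), "severity": "high"},
}

# Constructed inventory export: host, product, installed version, exposure.
INVENTORY_CSV = """\
# host,product,version,exposure
www1,webserver,5.0.1,internet
www2,webserver,5.0.3,internet
intranet,webserver,5.0.0,internal
mx1,mailserver,2.1.0,internet
"""

# Reference date for the report (the hearing date, used as "today").
AS_OF = date(2001, 11, 15)


@dataclass
class Finding:
    host: str
    advisory: str
    severity: str
    exposure: str
    installed: str
    fixed_in: str
    lag_days: int  # days the fix has been available and is still not applied


def parse_version(text: str) -> tuple:
    """Turn '5.0.3' into (5, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_inventory(csv_text: str) -> list:
    """Parse the simple CSV export, skipping blank lines and '#' comments."""
    hosts = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version, exposure = (f.strip() for f in line.split(","))
        hosts.append((host, product, version, exposure))
    return hosts


def missing_patches(hosts, advisories, today, max_lag_days=30):
    """One Finding per (host, advisory) where the installed version is older
    than the fixed version and the fix has been out longer than max_lag_days.
    Internet-facing hosts sort first, then by how long the fix has been ignored."""
    findings = []
    for host, product, version, exposure in hosts:
        for adv_id, adv in advisories.items():
            if adv["product"] != product:
                continue
            if parse_version(version) >= parse_version(adv["fixed_in"]):
                continue  # already at or past the fixed version
            lag = (today - adv["released"]).days
            if lag <= max_lag_days:
                continue  # still inside the patch window; not yet overdue
            findings.append(Finding(host, adv_id, adv["severity"], exposure,
                                    version, adv["fixed_in"], lag))
    findings.sort(key=lambda f: (f.exposure != "internet", -f.lag_days))
    return findings


def run_report(today=AS_OF, max_lag_days=30):
    """Entry point over the constructed data; returns the ordered findings."""
    return missing_patches(parse_inventory(INVENTORY_CSV), ADVISORIES,
                           today, max_lag_days)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.host:10} {f.advisory} {f.severity:8} {f.exposure:8} "
              f"{f.installed} -> {f.fixed_in}  overdue {f.lag_days} days")
```

On the constructed data the report lists www1 (internet-facing, fix available 150 days), then mx1 (44 days), then the internal host; www2 is absent because it already runs the fixed version. Comparing versions as integer tuples rather than strings matters in practice: "5.0.10" sorts before "5.0.3" as text and would be wrongly reported as patched. The 30-day window is an assumption for the example; an organization would set it per advisory severity.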