Can be Done to Reduce the Threats Posed by Computer Viruses and Worms
to the Workings of Government?"
Information Technology Association of America
Subcommittee on Government Efficiency,
and Intergovernmental Relations
Chairman Horn, thank you for inviting me to the heart of Silicon Valley to testify
about what practices, policies, and tools are being deployed to reduce
the impact of computer security threats to government at all levels. I
commend you for your continued leadership on information technology issues.
My name is Harris N. Miller, and I am President of the Information Technology
Association of America (ITAA), now celebrating its 40th Anniversary.
I am proud that ITAA has emerged as the leading association on cyber security
issues. ITAA represents over 500 corporate members. These are companies
that have a vested economic interest in assuring that the public feels
safe in cyberspace to conduct e-commerce and that in the developing era
of e-government, their information will be secure and transactions reliable.
As surveys ITAA has conducted demonstrate, concerns about security by
citizens and consumers are major inhibitors to e-commerce and e-government.
I commend this Subcommittee for holding today's hearing. Though the official
title of today's hearing focuses on government, I submit to you that security
is ultimately a government AND business challenge that must be addressed
at the highest levels of all organizations, whether public or private.
We all must do more to go beyond recognizing that cyber security
is a challenge -- which is an important first step. Government and industry
need to work together to find ways to enable solutions, solutions to threats
that will likely become greater and more significant as the Internet becomes
more pervasive, and eventually ubiquitous in our society.
As we witnessed during the recent "Code Red" situation, if cyber
security receives the kind of prioritization needed at senior levels,
government and industry can mobilize quickly and effectively to combat
common and significant threats to the Internet. Representatives from the
private and public sector -- some are here today -- stood together on
one stage on July 30th in Washington, DC and warned the world about the
need to take precautionary steps to stop the spread of the Code Red computer
worm. Those efforts helped to reach users of vulnerable systems on a massive,
unprecedented scale that arguably helped prevent the further spread
of the worm:
a million copies of Microsoft's security patch have been downloaded,
and since the patch can be downloaded once and installed to any number
of machines, the number of systems that were actually patched is no
observed a dramatic increase in the number of downloads during the
week of July 30th, which suggests that the industry-government effort to
heighten user awareness and fend off the worm before it could significantly
impact the Internet worked;
of the major Web sites were affected by the "Code Red" worm,
because many took action after the industry-government announcement
on July 30th; and
The public's awareness of Information Security issues -- and about the
specific kinds of cyber threats out there -- increased significantly
during the "Code Red" situation.
This cooperative, proactive response by industry and government could be used
as one model for more meaningful and effective cooperation on cyber security
issues in the future. If industry and government do not collaborate to
minimize the impact of threats such as the "Code Red" worm -- which
we were able to do in a timely and effective way in this situation --
the impact of such threats on the Internet and users could be much greater
in the future. Trust is a key factor here and building relationships on
trust will not happen overnight; however, industry and government collaboration
on "Code Red" certainly provided a helpful boost in the right
direction while our joint actions limited the number of "Code Red"
Chairman Horn, I know from working together during the late 1990's on Y2K and cyber
security issues that you are fond of report cards and grading, which you
issued in your previous career as a leading academic political scientist.
Today I would like to offer a report card in six separate categories and
an overall grade on industry and government handling of computer security
threats. This is my own grading system, and I look forward to suggestions
from you and others about additional areas requiring grading and whether
I am grading based on the correct factors.
I think we can all agree that progress is being made. However, our foes
in the Internet underworld are moving in Internet time, and unless we
take a hard look at the effectiveness of our efforts, they may beat us
at every stroke of the keyboard in the future.
Cyber Security Report Card
In recognizing the challenges and developing structures that can adequately
address cyber security challenges, the Federal Government has moved from
a failing grade in the mid-1990s to a passing grade, or "C", today.
I base my grade on four factors: 1) priority for the Federal government,
2) internal cooperation, 3) mechanisms for liaising with other stakeholders,
and 4) response time.
The National Plan for Cyber Security and Presidential Decision Directive (PDD)
63 provided a framework for government organization and thinking
about information security that helped to raise the government's grade.
However, the alphabet soup of government agencies charged with some aspect
of cyber crime prevention makes it easy to see why progress has been slow
in government. To his credit, Ron Dick, Director of the National Infrastructure
Protection Center (NIPC), has forged ahead and has been successful with
programs such as InfraGard. Because of his efforts and others
that ITAA has initiated with the U.S. Department of Justice and other
law enforcement agencies, including two major national events with the
previous Attorney General, industry is becoming more comfortable with
government and law enforcement efforts in cyber security. The Department
of Commerce also plays a critical role for government organization, since
industry often feels most comfortable working with the Department of Commerce
and the Critical Infrastructure Assurance Office (CIAO) there. For example,
both John Tritak, CIAO's Director, and Dan Hurley, Director of the Communication
and Information Infrastructure Assurance Program at NTIA, have done an
outstanding job reaching out to industry during the ongoing development
of the President's National Plan Version 2.0.
According to numerous press reports, President Bush will soon sign an Executive
Order that will establish the "Critical Infrastructure and Protection
and Continuity Board." As that draft Executive Order has been explained
to us, it should be a step forward, creating substantially more
coordination and less duplication
among the plethora of government departments and agencies involved in
InfoSec. But I continue to believe that an InfoSec Czar position similar
to the role played by John Koskinen during the Year 2000 date rollover
would be more effective, on the "one throat to choke" principle.
With minimal overhead and resources, but strong backing from the President,
Mr. Koskinen was able to have substantial influence on both the governmental
and private sector efforts to address the Y2K challenge. Should the new
Board result in a centralized, coordinated cyber security effort based
in the White House, this grade has a chance of moving from a "C"
to a "B."
Government Funding for Information Security
My grade for government funding for information security has gone from a
"D-" to a "D." Mr. Chairman, while you and some of
your colleagues such as Representative Greenwood have done a valuable
service in scrutinizing computer security policies and practices in U.S.
government agencies and departments, that is not enough. As that well-known
philosopher Yogi Berra would say, "This is déjà vu all over again."
As you pointed out through your invaluable oversight hearings during the
early days of Y2K, government agencies had neither plans nor funding for
Y2K remediation. Due to your prodding, plans were developed, but funding
was not, until finally, thanks to your efforts and those of so many of
your Congressional colleagues, additional appropriations were provided
that enabled departments and agencies to become Y2K compliant.
This pattern is being repeated with InfoSec. Agencies now know much more about
what they need to do. But the funding is still not there. A General Accounting
Office (GAO) report issued earlier this month strongly criticizing the
Department of Commerce for InfoSec failures internally carries the clear
implication that additional financial resources are needed. Every Federal
CIO with whom I speak tells me privately they are in desperate need of
additional funding for their InfoSec activities.
The Federal Government needs to make information security a part of every
manager's responsibilities, authorize and appropriate new money for agency
information security enhancements, fund advanced information security
research, and invest in the training and development of more skilled information
security workers. There is a long way to go before government receives
a passing grade here. For example, when Congress did have a chance to
act and make a small investment in deploying and securing e-government
by providing funding for the President's E-government Fund, it only provided
$5 million of the $20 million requested this year. Government needs to
move beyond the rhetoric and invest real funds in this important issue
in order to boost its grade.
Corporate Focus and Spending for Information Security
As corporate America addressed the Y2K challenge, information technology
was elevated from a back-office, MIS sideshow to a Boardroom-level, center
stage mission critical component of most businesses. A corollary of this
intensive focus was an understanding by more CEO’s that the security of
their IT systems is critical. I submit that this action was effective
in moving information security to the front lines of corporate focus and
spending early in the game. Yet, at best, I give corporate attention
a "B-."
The reason for the lower grade is the huge variations between industries and
between companies of different sizes. As usual, the financial services
industry, so dependent on IT, is leading the charge, with a clear focus—and
related dollar commitments—on InfoSec. Telecommunications is also doing
reasonably well. But many others, including manufacturing, retail, and
health care are much more problematic and uneven. And as we found with
Y2K, larger companies are much more understanding of the importance of
InfoSec than medium and small companies.
One of the reasons the major alert on Code Red was necessary was the evidence
that many mid-sized and smaller firms were not paying attention to the
need to implement the patch, though information about the patch had been
widely available for some time. The July 30 press conference was designed
to reach what I call the second and third tier IT users, not the first
tier users and the IT specialists who had already remediated the problem
because they are so focused on it.
Even in corporations that are paying attention to the issue, too many
times the incorrect assumption is made that improving cyber security
and fighting cyber crime can be done with technology alone. That is wrong.
Just as the best alarm system will not protect a building if the alarm
code falls into the wrong hands, a network will not be protected if the
passwords are given out freely. Failures in the "process and people"
part of the cyber crime solution may, in fact, be the majority of the
problems we see. From a strategic point of view, the challenge is to make
cyber security a top priority issue. Moving from platitudes to practical
action requires the sustained commitment of senior management. The position
of "Chief Information Security Officer" should be added to every
corporate roster, in my opinion, in order to get this grade to an "A".
Companies must be willing to invest in the development of comprehensive security
procedures and to educate all employees--continuously. We call this practicing
sensible cyber hygiene, and Internet users have to be vigilant about it.
The primary focus of improving processes and changing behaviors is inside
the enterprise. However, the scope of the effort must also take into account
the extended organization—supply chain partners, subcontractors, customers,
and others that must interact on a routine basis.
Industry-Government Cooperation on Cyber Security Issues
The ad hoc coalition of industry and government representatives that was formed
to provide a public service message to counter the Code Red worm this
summer is an operational example of successful industry and government
cooperation on cyber security. It illustrates just how far the players
A few years ago, industry-government cooperation would have received a "D"
in my grade book. Through some hard work on both sides, progress has been
made and the dialogue has increased. ITAA worked with the United States
Justice Department in 1999 and 2000 to host high-level national industry
and law enforcement meetings to share information and begin to open the
lines of communications. We also established the Cybercitizen Partnership,
a public-private partnership with DOJ to help parents and educators teach
children about ethical online behavior and provide "rules of the
road" to help protect the Internet from kids who have the skills
to threaten the Internet, but not necessarily the guidance to know it
is wrong to hack. I think these and the efforts to stand up Information
Sharing and Analysis Centers (ISACs) by the Telecommunications, Financial
Services, Electric, Transportation, and IT industries have helped to bring
us to a "C" grade, and the Code Red coalition raised our grade
to a "B-".
In order to get to an "A", the remaining industry sectors will
need to stand up and operationalize the ISACs, and all ISACs will need
to share confidential information with the government. Equally important
and as much of a challenge, government and law enforcement agencies will
need to share threat information with the ISACs. In short, we must develop
trust in each other; to develop relationships between law enforcement
and the private sector that are built on meaningful cooperation. That
will not happen overnight. Improved information sharing between
government and industry will be a step forward.
In order to solidify that trust, a bill introduced by U.S. Representatives
Tom Davis and Jim Moran in the House -- and a bill soon to be introduced
by U.S. Senators Robert Bennett and John Kyl in the Senate -- to remove
legal obstacles to information sharing should be passed and signed into
law this year. Regarding the latter, we hope that U.S. Senator Dianne
Feinstein will join her colleague John Kyl on the Judiciary Committee
in support of this bi-partisan bill. Senator Feinstein's leadership in
the Congress on high tech issues is critical to our industry, and we hope
that, in her role as Chairman of the Judiciary Committee's Subcommittee
on Technology, Terrorism, and Government Information, she will take the
lead in moving this important bill through
Industry Cooperation on Cyber Security Issues
Let me emphasize that while the government has a critical role to play, not
just in the U.S. but the government of every nation, vertical industries
also have an obligation to communicate on cyber security issues. I think
progress has been made in this arena. I believe the grade has moved again
from a "D-" a few short years ago to a "C+ / B-" today.
How so? The Partnership for Critical Infrastructure Security, begun in
December, 1999, has created a cross-sectoral dialogue with collaboration
from government to address risks to the Nation’s critical infrastructures
and assure the delivery of essential services over the nation’s critical
infrastructures in the face of cyber threats. The Partnership is run by
companies and private sector associations and is effectively meeting the
industry dialogue challenge. The Critical Infrastructure Assurance Office
(CIAO) provides support for the Partnership, and Government officials
are invited to participate in Partnership meetings on a collaborative
basis. The group is becoming more effective with each meeting.
The Partnership for Global Information Security <http://www.pgis.org>
provides a forum for executives from both the public and private sector
in economies around the world to share information about InfoSec topics.
PGIS members are focused on five areas for collaboration: sound practices,
workforce, research and development, cyber crime and law enforcement and
public policy. This Partnership arose from the first Global Information
Security Summit organized by ITAA in October, 2000 in conjunction with
our sister IT associations around the world, collectively known as the
World Information Technology and Services Alliance (WITSA).
But much more needs to be done globally. I have advocated creation of an International
InfoSec Cooperation Center, analogous to the highly successful International
Y2K Cooperation Center, which I know you supported very strongly, Chairman
Horn, that would help address the global InfoSec challenge, particularly
in developing countries.
International Government Cooperation on Cyber Security Issues
On this subject, the area of international governmental cooperation, I give
an average grade of a "C-", with the explanation that some portions
of international government cooperation are working quite well, while
others at the same time are forgetting that the main owners and operators
of the information infrastructure around the world are the private sector.
The Council of Europe Cybercrime Convention is one such example of good and
bad news mixed. The countries involved in drafting this treaty were able
to coordinate their law enforcement efforts and interests reasonably well,
so they get high marks. Unfortunately, their grade gets docked substantially
for neglecting the commercial sectors in their countries when establishing
The Council of Europe Cybercrime Convention has improved in many respects
through the efforts of the U.S. delegation. Though the US is not a member
of the Council of Europe, it does have observer status. However, we were
disappointed to learn that several changes of critical importance to
industry, privacy groups and noncommercial interests were not adopted
in the final version of the convention. For example, the Convention does
not address adequately several important issues, including data retention
and surveillance technology mandates, lack of reimbursement for compliance
with surveillance mandates, lack of standard privacy protections for law
enforcement requests, and potential liability for complying with requests.
Therefore, we are concerned that implementation of the Convention will
produce a patchwork of costly and inconsistent requirements worldwide
that create significant market access barriers for communications companies,
and undermine user privacy.
An important area of particular concern in implementation of the treaty is
proposals by foreign governments to mandate that Internet and telecommunications
companies maintain, for between one and seven years, massive logs reflecting
every innocent user’s communications over their networks, or to mandate
that companies install new surveillance technologies. The Council of Europe
Cybercrime Convention that the U.S. Government helped to negotiate neither
requires nor prevents such mandates.
Such data retention mandates would require communications companies to retain
enormous amounts of data that they do not retain in the ordinary course
of business. Data would have to be retained about every user, without
any showing that these users were suspected of engaging in illegal activity.
The mandates would compromise user privacy, create costly barriers to
entry for U.S. companies seeking to enter foreign markets, and threaten
the security of user data by creating a ripe target for hackers. In some
countries, such as Holland, service providers are subject to unique surveillance
technology standards requirements, which create barriers to deploying
international networks in those countries.
To sum up, there is much work to be done. In addition to improving our letter
grades on information security, both industry and government need to strive
to have the teacher commend us for playing well with others. Cooperation,
communication, and sharing sensitive information are the keys to moving
from today’s grade, a "C-", to an "A+". Summer vacation
is ending, and we are about to begin a new school year in America
next week. By working together to build meaningful and effective relationships
that recognize the bottom line impact of InfoSec on our businesses, government
operations -- and the global economy -- we can all move to the head of
the class on cyber security issues.
Thank you, and I welcome any questions from the Committee.
Background: Economy at Risk
Cyber crime places the digital economy at risk. Just as the
reality or threat of real crime can drain the economic vitality of neighborhoods,
cities and even nations, so too can the reality or threat of crimes committed
online against people and property shutter businesses and cause an otherwise
motivated digital public to break their Internet connection.
The risk is significant and continues to grow. The Computer Security Institute's
most recent survey reported nearly $400 million in losses by U.S. corporations
to cyber-crime last year. That number is a conservative estimate and doesn't
account for break-ins and losses that were never reported. As the Internet
becomes more pervasive and as more and more businesses put their operations
on-line, the impact of cyber-crime on our economy -- and the global economy
-- will continue to increase. Cyber threats such as the ILOVEYOU
virus and the Code Red worm cost businesses billions of dollars in damage,
productivity and revenue loss.
Cyber crime falls into several categories. Most incidents are intended to disrupt
or annoy computer users in some fashion. Distributed denial of service
(DDoS) attacks crash servers and bring down websites by flooding them
with traffic from many compromised machines at once.
Viruses and other malicious code introduce phantom computer software programs
to computers, designed intentionally to corrupt files and data. Other
online intrusions are conducted to deface websites, post political messages
or taunt particular groups or institutions. Even though no one stands
to profit, damages caused by such attacks can run from the trifling to
the millions of dollars. What motivates these attackers? Hackers may view
the attack as a technology challenge, may be seeking to strike a blow
against the establishment, may be looking for group acceptance from fellow
hackers, or may be just indulging themselves in a perverse thrill.
Other cyber criminals are more material guys and gals. They hope to profit from
their intrusions by stealing valuable or sensitive information, including
credit card numbers, social security numbers, even entire identities.
Targets of opportunity also include trade secrets and proprietary information,
medical records, and financial transactions.
For some cyber criminals, the Internet is a channel for the dissemination
of child pornography and a tool used in the furtherance of other crimes
against children and adults. These crimes include fraud, racketeering,
gambling, drug trafficking, money laundering, child molesting, kidnapping
Cyber terrorists may seek to use the Internet as a means of attacking elements
of the physical infrastructure, like power stations or airports. As we
have seen in the Middle East and other regions of the world, cyber terrorists
encouraging political strife and national conflict can quickly turn the
Internet into a tool to set one group against another and to disrupt society
Another class of cyber criminal, and unfortunately the most common, is the insider
who breaks into systems to eavesdrop, to tamper, perhaps even to hijack
corporate IT assets for personal use. These could be employees seeking
revenge for perceived workplace slights, stalking fellow employees, looking
for the esteem of peers by unauthorized "testing" of corporate
security, or other misguided individuals.
Regardless of category, the threat is real. A recent study produced by Asta Networks
and the University of California San Diego monitored a tiny fraction of
the addressable Internet space and found almost 13,000 DoS attacks launched
against over 5,000 targets in just one week. While most targets were attacked
only a few times, some were victimized 60 or more times during the test
period. For many small companies, being knocked off the Internet for a
week means being knocked out of business for good.
A nationwide public opinion poll released last year by ITAA and EDS showed
that an overwhelming majority of Americans, 67 percent, feel threatened
by or are concerned about cyber crime. In addition, 62 percent believe
that not enough is being done to protect Internet consumers against cyber
crime. Roughly the same number, 61 percent, say they are less likely to
do business on the Internet as a result of cyber crime, while 33 percent
say crime has no effect on their e-commerce activities. The poll of 1,000
Americans also revealed that 65 percent believe online criminals have
less of a chance of being caught than criminals in the real world, while
only 17 percent believe cyber criminals have a greater chance of being
These threats collectively represent a chipping away at the trust that is so
critical to the Internet. There continues to be significant concern in
the public about cyber-crime, and rightly so. High profile cyber threats
such as the ILOVEYOU virus and the Code Red Worm certainly increase the
amount of attention by users on the cyber crime issue and hopefully, also
increase the number of steps that users take to enhance their information
security practices. The technology is available to protect users' systems,
but the vulnerabilities usually come from the "people and process"
part of the equation. Our hope is that as users become more aware of information
security, they will practice sound cyber hygiene.
While it is very difficult to track cyber attacks to their source, advancements
in technology -- and improved cooperation with law enforcement through
the FBI's InfraGard program and other mechanisms -- are bearing fruit.
Plan for Cyber Security: Developing Effective Policies, Tools, and Practices
ITAA and its members have been working to execute a multi-faceted plan designed
to improve cooperation on issues of information security at all levels.
However, Mr. Chairman, we would all be remiss if we believed it was just
the IT industry that must cooperate within its own industry--we must work
cross industry, and industry with government. Protecting our infrastructure
is a collective responsibility, not just the IT community’s role.
We are working on multiple fronts to improve the current mechanisms for combating
threats and responding to attacks through our role as a Sector Coordinator
for the Information and Communications sector, appointed by the U.S. Department
of Commerce. Through ITAA’s InfoSec Committee, our member companies also
are exploring joint research and development activities, international
issues, and security workforce needs. Elements of the plan include Information
Sharing, Awareness, Education, Training, Best Practices, Research and
Development, and International Coordination.
Information Sharing: Sharing information about corporate information security practices
is inherently difficult. Companies are understandably reluctant to share
sensitive proprietary information about prevention practices, intrusions,
and actual crimes with either government agencies or competitors. Information
sharing is a risky proposition with less than clear benefits.
Companies are concerned that information voluntarily shared with the government
that reports on or concerns corporate security may be mistakenly subjected
to the Freedom of Information Act (FOIA). They are also concerned that
lead government agencies may not be able to effectively control the use
or dissemination of sensitive information because of similar legal requirements.
Unfiltered, unmediated information may be misinterpreted by the public
and undermine public confidence in the country's critical infrastructures.
Also, business competitors and others may use shared information to the
detriment of a reporting company, or as the basis for litigation. Any
and all of these possibilities are reasons why the current flow of voluntary
data is minimal. ITAA supports the clarification, not the abrogation of
the Freedom of Information Act. The legislative proposals we support give
our companies the unambiguous confirmation that their communications intended
to aid in a joint defense from a common critical infrastructure protection
threat are protected. Businesses also need protection from unnecessary
restrictions placed by federal and state antitrust laws on critical information
sharing that would inhibit identification of R&D needs or the identification
and mitigation of vulnerabilities.
There is uncertainty about whether existing law may expose companies and industries
that voluntarily share sensitive information with the federal government
to unintended and potentially harmful consequences. This uncertainty has
a chilling effect on the growth of all information sharing organizations
and the quality and quantity of information that they are able to gather
and share with the federal government. ITAA is strongly in favor of removing
disincentives to information sharing and that is why we support current
legislation to address these issues.
Given the changing nature of the cyber crime threat and in spite of the many
business, operational and policy hurdles standing in the way, many companies
in the private sector recognize the need to have formal and informal information
sharing mechanisms. Internet Service Providers are an example of the latter
circumstance. Because these firms provide networking capability commercially,
these businesses often have extensive network security expertise. Such
firms act as virtual Information Sharing and Analysis Centers, gathering
information about detected threats and incursions, sanitizing it by removing
customer specific data, and sharing it with customers.
The IT industry has adopted a formal approach to the information sharing challenge.
In January 2001, nineteen of the nation’s leading high tech companies
announced the formation of a new Information Technology Information Sharing
and Analysis Center (IT-ISAC) to cooperate on cyber security issues. The
objective of the IT-ISAC is to enhance the availability, confidentiality,
and integrity of networked information systems.
The IT-ISAC is a not-for-profit corporation that enables the information technology
industry to report and exchange information concerning electronic incidents,
threats, attacks, vulnerabilities, solutions and countermeasures, best
security practices and other protective measures. Its internal processes
will permit information to be shared anonymously. The organization is
a voluntary, industry-led initiative with the goal of responding to broad-based
security threats and reducing the impact of major incidents. Membership
in the IT-ISAC is open to all U.S.-based information technology companies.
It offers a 24-by-7 network, notifying members of threats and vulnerabilities.
The group also is clear on what it will not undertake. Excluded activities
include standards setting, product rating, audits, certifications or dispute
settlement. Similarly, the IT-ISAC is not a crime fighting organization.
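The sanitization step described above for Internet Service Providers acting as virtual ISACs, and the anonymous sharing the IT-ISAC's internal processes are meant to permit, come down to the same mechanical task: strip or generalize everything that identifies the reporting customer while keeping the indicators (attacking address, port, signature) that make the report useful to peers. The Python script below is an added example written for this page; it is not ITAA's, the IT-ISAC's, or any provider's code. The alert lines, field names, customer names and the "IIS-IDQ-OVERFLOW" signature label are constructed for illustration, and the keyed-hash pseudonyms and the /24 generalization of victim addresses are design choices assumed here, not practices the testimony describes.

```python
"""Sanitize IDS alerts before sharing them outside the organization.

Added example: constructed sample data and assumed field names, not any
real provider's format or the IT-ISAC's actual process.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, List

# Constructed sample alerts in a hypothetical "ts key=value ..." format.
# Addresses are from the RFC 5737 documentation ranges; customers are fictional.
SAMPLE_ALERTS = [
    "2001-07-19T13:02:11Z sensor=edge-1 src=203.0.113.45 dst=198.51.100.17 "
    "dport=80 sig=IIS-IDQ-OVERFLOW cust=acme-corp contact=jsmith@acme.example",
    "2001-07-19T13:02:14Z sensor=edge-1 src=203.0.113.46 dst=198.51.100.17 "
    "dport=80 sig=IIS-IDQ-OVERFLOW cust=acme-corp contact=jsmith@acme.example",
    "2001-07-19T13:05:40Z sensor=edge-2 src=192.0.2.200 dst=198.51.100.88 "
    "dport=80 sig=IIS-IDQ-OVERFLOW cust=globex-inc contact=ops@globex.example",
]

INDICATOR_FIELDS = {"ts", "src", "dport", "sig"}  # shared unchanged
VICTIM_IP_FIELDS = {"dst"}                        # generalized to a prefix
PSEUDONYM_FIELDS = {"cust"}                       # replaced by a keyed hash
# Anything else (contact, sensor, unexpected fields) is dropped: fail closed.

KV_RE = re.compile(r"(\w+)=(\S+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def parse_alert(line: str) -> Dict[str, str]:
    """Split one alert line into a field dictionary (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    fields.update(KV_RE.findall(rest))
    return fields


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same customer maps to the same token within one
    sharing period, but recipients without the key cannot reverse it or
    brute-force the (small) set of customer names."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "org-" + digest[:12]


def generalize_ip(addr: str) -> str:
    """Replace a victim address with its enclosing /24 (IPv4) or /48 (IPv6)
    so peers learn which block was hit without learning the exact host."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def sanitize_alert(alert: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Keep indicators, generalize victim IPs, pseudonymize the customer,
    and silently drop every field not on an allow-list."""
    out: Dict[str, str] = {}
    for name, value in alert.items():
        if name in INDICATOR_FIELDS:
            out[name] = value
        elif name in VICTIM_IP_FIELDS:
            out[name] = generalize_ip(value)
        elif name in PSEUDONYM_FIELDS:
            out[name] = pseudonym(value, key)
    return out


def leaks(record: Dict[str, str]) -> List[str]:
    """Last check before release: values that still look like direct
    identifiers (e-mail addresses, un-generalized victim addresses)."""
    found = []
    for name, value in record.items():
        if EMAIL_RE.search(value):
            found.append(value)
        if name in VICTIM_IP_FIELDS and "/" not in value:
            found.append(value)
    return found


def sanitize_report(lines: List[str], key: bytes) -> List[Dict[str, str]]:
    """Sanitize a batch of alert lines, refusing to release anything that
    still carries an identifier."""
    records = []
    for line in lines:
        rec = sanitize_alert(parse_alert(line), key)
        if leaks(rec):
            raise ValueError(f"refusing to release record: {leaks(rec)}")
        records.append(rec)
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count sanitized alerts per signature, the aggregate a peer wants."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["sig"]] = counts.get(rec["sig"], 0) + 1
    return counts


if __name__ == "__main__":
    period_key = b"rotate-me-each-sharing-period"  # assumed secret, kept in-house
    shared = sanitize_report(SAMPLE_ALERTS, period_key)
    for rec in shared:
        print(rec)
    print(summarize(shared))
```

Two design points carry the weight here. Fields are shared only when explicitly allow-listed, so a new field added to the sensor format later is withheld by default rather than leaked. The pseudonym key is meant to be rotated each sharing period: within a period, recipients can still see that two reports concern the same (unnamed) customer, but tokens from different periods cannot be joined, which limits what a recipient, or an attacker who obtains the shared feed, can reconstruct.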
The Software Engineering Institute’s CERT Coordination Center plays an information
sharing role for numerous industries. The oldest and largest of information
sharing programs, CERT is part of a Federally funded research and development
center at Carnegie Mellon University in Pittsburgh. The organization gathers
and disseminates information on incidents, product vulnerabilities, fixes,
protections, improvements and system survivability. The organization strives
to maintain a leak-proof reputation while collecting thousands of incident
reports yearly. These could be anything from a single site reporting a
compromise attempt to a computer worm or virus with worldwide impact.
ITAA and its member companies are raising awareness of the issue within
the IT industry and through partnership relationships with other vertical
industries, including finance, telecommunications, energy, transportation,
and health services. We are developing regional events, conferences, seminars
and surveys to educate all of these industries on the importance of addressing
information security. An awareness raising campaign targeting the IT industry
and vertical industries dependent on information such as the financial
sector, insurance, electricity, transportation and telecommunications
is being overlaid with a targeted community effort directed at CEOs, end
users and independent auditors. The goal of the awareness campaign is
to educate the audiences on the importance of protecting a company’s infrastructure,
and instructing on steps they can take to accomplish this. The message
is that information security must become a top tier priority for businesses.
In an effort to take a longer-range approach to the development of appropriate
conduct on the Internet, the Department of Justice and the Information
Technology Association of America have formed the Cybercitizen Partnership.
Numerous ITAA member companies and recently the Department of Defense
have joined this effort. The Partnership is a public/private sector venture
formed to create awareness in children of appropriate on-line conduct.
This effort extends beyond the traditional concerns for children's safety
on the Internet, a protective strategy, and focuses on developing an understanding
of the ethical behavior and responsibilities that accompany use of this
new and exciting medium. The Partnership is developing focused messages,
curriculum guides and parental information materials aimed at instilling
a knowledge and understanding of appropriate behavior on-line. The Partnership
hosted a very successful event last fall at Marymount University in Northern
Virginia that brought together key stakeholders in this area. Ultimately,
a long range, ongoing effort to ensure proper behavior is the best defense
against the growing number of reported incidents of computer crime. The
Cybercitizen website has received over 600,000 hits in the past year.
ITAA has long been an outspoken organization on the impact of the shortage
of IT workers – whether in computer security or any of the other IT occupations.
Our groundbreaking studies on the IT workforce shortage, including the
latest, "When Can You Start," have defined the debate and brought
national attention to the need for new solutions to meet the current and
projected shortages of IT workers. We believe it is important to assess
the need for and train information security specialists, and believe it
is equally important to train every worker about how to protect systems.
We have planned a security skills set study to determine what the critical
skills are, and will then set out to compare those needs with courses
taught at the university level in an effort to determine which programs
are strong producers. We encourage the development of "university
excellence centers" in this arena, and also advocate funding for
scholarships to study information security. We commend the Administration
and Congress for supporting training more information security specialists.
The challenge to find InfoSec workers is enormous, because they frequently
require additional training and education beyond what is normally achieved
by IT workers. Many of the positions involving InfoSec require US citizenship,
particularly those within the federal government, so using immigrants
or outsourcing the projects to other countries is not an option.
Best Practices: We are committed to promoting best practices for information
security, and look to partners in many vertical sectors in order to leverage
existing work in this area. In addition, our industry is committed to
working with the government—whether at the federal, state or local levels.
For example, we are working with the Federal Government’s CIO Council
on efforts to share industry’s best information security practices with
CIOs across departments and agencies. At the same time, industry is listening
to best practices developed by the government. This exchange of information
will help industry and government alike in creating solutions without
reinventing the wheel.
While we strongly endorse best practices, we strongly discourage the setting
of "standards." Why?
The IT industry sees standards as a snapshot of technology at a given
moment, creating the risks that technology becomes frozen in place, or
that participants coalesce around the "wrong" standards. Fighting
cyber crime can be thought of as an escalating arms race, in which each
time the "good guys" develop a technology solution to a particular
threat, the "bad guys" develop a new means of attack. So to
mandate a particular "solution" may be exactly the wrong way
to go if a new threat will soon be appearing.
It is also critical that best practices are developed the way much of the
Internet and surrounding technologies have progressed – through "de
facto" standards being established without burdensome technical rules
or regulations. While ITAA acknowledges the desire within the Federal
government to achieve interoperability of products and systems through
standard-setting efforts, the reality is that the IT industry can address
this simply by responding to the marketplace demand. The marketplace has
allowed the best technologies to rise to the top, and there is no reason
to treat information security practices differently.
Research and Development: While the information technology industry is spending
billions on research and development efforts—maintaining our nation’s
role as the leader in information technology products and services—there
are gaps in R&D. Frankly, for industry, more money is frequently spent
on "D"—development—than "R"—long-term research. Government,
mainly in the Department of Defense, focuses its information security
R&D spending on defense and national security issues. We believe that
between industry’s market-driven R&D and government’s defense-oriented
R&D projects, gaps may be emerging that no market forces or government
mandates will address. Government funding in this gap—bringing together
government, academia and industry—is necessary.
In our work with members of the information technology industry and other
industries, including financial services, banking, energy, transportation,
and others, one clear message constantly emerges: information security
must be addressed as an international issue. American companies increasingly
are global corporations, with partners, suppliers and customers located
around the world. This global business environment has only been accented
by the emergence of on-line commerce—business-to-business and business-to-consumer.
Information security on a global level clearly raises questions. Many
within the defense, national security and intelligence communities rightly
raise concerns about what international actually means. Yet, we must address
these questions with solutions and not simply ignore the international
arena. To enable the dialogue that is needed in this area, ITAA and the
World Information Technology and Services Alliance (WITSA), a consortium
of 41 global IT associations from economies around the world, conducted
the first Global Information Security Summit in Fall 2000. This event
brought together industry, government and academia representatives from
around the world to begin the process of addressing these international
questions. The governmental international linkages must be strengthened—and
not just among the law enforcement and intelligence communities. Government
ministries around the world involved in economic issues—such as our own
Department of Commerce—need to be key players.
ITAA also houses the Global Internet Project (GIP), an international group
of senior executives that are committed to fostering continued growth
of the Internet, and which is spearheading an effort to engage the private
sector and governments globally on the Next Generation Internet and related
security and reliability issues. The GIP recently sponsored two high-level
forums on security, reliability, and privacy in the next generation of
the Internet in Germany and the U.S. that drew industry leaders from around
the world to participate in a cross-industry dialogue about possible solutions.
Government Can Help
In many ways, solutions to cyber security challenges are no different than
any other Internet-related policy issue. Industry leadership has been
the hallmark of the ubiquitous success of our sector. Having said that,
we also believe that government has several roles to play in helping achieve
better cyber security and combating cyber crime:
First and foremost, like a good physician practicing under the Hippocratic oath,
do no harm. Excessive or overly broad legislation and subsequent regulation
crafted in a rapidly changing technology environment is apt to miss the
mark and likely to trigger a host of unintended consequences. In many
instances, existing laws for crimes in the physical world are adequate
to address crimes conducted in cyberspace. New legislation should always
be vetted for circumstances that single out the Internet for discriminatory treatment.
Practice what you preach. The rules of technology, process and people apply equally
to the public sector. The U.S. government must lead by example in preventing
intrusions into agency websites, databanks and information systems. Leadership
in this area means substantial investments of new money in information
security technology and services. Responding to the issue by reallocating
existing dollars from current programs is robbing Peter to pay Paul and
likely to play out at the expense of the American public and their confidence
in e-government. It also means insisting that government agencies implement
rigorous information security processes and practice them on a daily basis.
Making InfoSec part of the government culture will require extensive senior
Reach out to international counterparts for crucial discussions of cyber security,
and in particular, how to most constructively and effectively enforce
existing criminal laws in the increasingly international law enforcement
environment fostered by the Internet and other information networks.
Bring leadership to bear through existing local, state, and national structures
including the new cyber security board that will likely be established
by a Presidential Executive Order later this year. ITAA, its members and
the IT industry continue to work hard to develop collegial and constructive
relationships with the leadership and staff of the Critical Information
Assurance Office (CIAO), the Commerce Department (DOC), the National Institute
of Standards and Technology (NIST), and the Critical Information Infrastructure
Assurance Program Office (CIIAP) at NTIA, as well as the National Security
Council (NSC), Department of Justice (DOJ), Department of Energy, the
National Information Protection Center (NIPC), and the National Security Agency.
Government will also help in the areas of workforce development and research. We
have a critical shortage of information technology professionals generally
and information security specialists specifically. In general, we support
legislation to increase the number of appropriately skilled workers in
this critical area. We also support additional R&D funding.
Thank you, and I welcome any questions from the Committee.