on Telecommunications and the Internet
November 6, 2003
2123 Rayburn House Office Building
Mr. John W. Thompson
Chairman & Chief Executive Officer
20330 Stevens Creek Blvd.
Cupertino, CA, 95014
Chairman Upton, Ranking Member Markey, members of the Subcommittee,
thank you for the opportunity to provide testimony today on computer
Viruses. This is a timely and important topic and on behalf of
Symantec, I appreciate your willingness to examine the issue and
challenges surrounding it.
Symantec, the world leader in Internet security technology, provides
a broad range of content and network security software and appliance
solutions to individuals, enterprises and service providers. The
company is a leading provider of client, gateway and server security
solutions for virus protection, firewalls and virtual private networks,
vulnerability management, intrusion detection, Internet content
and e-mail filtering, remote management technologies and security
services to enterprises and service providers around the world.
Symantec's Norton brand of consumer security products is a leader
in worldwide retail sales and industry awards. Headquartered in
Cupertino, Calif., Symantec
has worldwide operations in 38 countries.
We are at an important juncture with regard to cyber security.
The threats we are seeing today are more sophisticated, more aggressive
and are able to spread more rapidly than ever before. Equally important,
the time from the discovery of a new vulnerability to the release
of an exploit targeting that vulnerability is rapidly shrinking.
I make the analogy of an exploit being an "unlocked
door" of a building and an exploit being a break-in by someone who knows
about the unlocked door. These two phenomena have made the Internet increasingly
vulnerable to attack.
We are already beginning to see the early stages of what are called
flash threats, threats that are near instant in their delivery.
These are threats in which human reaction time is probably not
fast enough. A good example would be the recent Slammer worm, which,
at it's a peak rate, infected 90 percent of the vulnerable systems
in just 15 minutes. This speed of propagation, combined with the
reduction of the time to exploitation, raises serious issues about
approach our nation is taking to protect our networks.
We have taken the initial steps to improve our cyber security,
from the largest corporations or infrastructures to the individual
end user, but security is an evolving process and we must continue
to be aggressive in our corporate IT security governance and in
educating the individual user about good cyber
Congress passed the Federal Information Security Management Act
(FISMA) to improve the protection of government systems. This risk-based
management approach provides a guideline for Agencies to improve
the protection of their
In the private sector, associations like the Business Software
Alliance and TechNet are working on information security governance
projects to assist the private sector on improving the protection
of their infrastructure. I am pleased that Symantec is a part of
both of those projects.
I would also point to the upcoming Department of Homeland Security
Summit scheduled for December. The summit's intent is to bring
together government and industry leaders to work on implementing
the National Strategy to Secure Cyberspace. This is a positive
sign of the commitment to work together on this
But more needs to be done. If anything, the recent attacks during
of August served as a "wake-up" to all of us. In fact, the threat of
major cyber attacks causing significant damage to our infrastructure is real
still exists today.
Let me give some additional insight into the nature of the threats
we are seeing with information from our recently released Internet
Security Threat Report, a comprehensive semi-annual view of cyber
security activity. The report covers information on vulnerability
discoveries, malicious code trends and network-based attacks. I
have included a copy of the report for submission with
The report represents the distillation of data from over 500 Symantec
managed security customers and over 20,000 registered sensors monitoring
worldwide network activity in more than 180 countries. We would
argue that it provides the most complete view of the health of
the Internet available anywhere today.
As I mentioned earlier, the time from vulnerability discovery
to exploit is rapidly shrinking. For example, the SQL Slammer worm
attack from January of this year, exploited a vulnerability discovered
about six months earlier. Just a few months later that benchmark
changed significantly with the release of the Blaster worm. This
blended threat exploited a vulnerability just 26 days after
We have also seen that 64 percent of all new attacks targeted
vulnerabilities less than one year old. Moreover, of all the new
attacks documented in the first half of this year, 66 percent targeted
what would be classified as highly severe vulnerabilities. Symantec
documented over 1400 new vulnerabilities, a 12 percent increase
from last year. In looking at the severity of these new vulnerabilities,
we saw a 6 percent increase in those carrying a 'high' severity
rating and a 21 percent increase in those of 'moderate' severity.
These trends should be a major concern to all of us. As they continue,
we will need new security paradigms to appropriately protect our
Early warning and alerting capabilities, strong patch management,
and solid internal processes to respond when a new vulnerability
is discovered, may be the difference between protecting critical
systems and having them compromised.
With regard to malicious code trends, we observed a much more
aggressive attack pattern. The Blaster worm, as an example, infected
systems at an average
rate of 2,500 computers per hour.
We are also starting to see the use of viruses and worms to attack
newer applications, such as instant messaging and peer to peer
In fact, of the top 50 malicious code submissions we received
in our laboratory during the first half of this year, 19 used peer-to-peer
and/or instant messaging applications --- an increase of almost
400 percent in just one
So, the trends suggest that the overall rate of attack activity
rose 19 percent. Companies experienced, on average, 38 attacks
per week compared to 32
for same period last year.
By highlighting some of these key findings, we see the importance
prioritizing cyber security at work and at home.
I would like to focus on two key areas I believe are important
to improving cyber security of our IT infrastructure: Corporate
IT security governance and
Corporate IT security cannot continue to be an afterthought or
add-on approach. It should be integrated into the overall management
plan for an organization. In today's connected world, we rely heavily
on our IT infrastructure to conduct business, and it should not
be compromised due to a lack of security measures. The resource
constraints that many organizations are facing, coupled with the
increasing rate of attacks, make this a daunting challenge. In
many instances, these attacks are dealt with in a reactive rather
than a proactive manner, making the task even more difficult.
In developing a cyber security plan, we believe it should focus
on the following areas: ensuring overall business continuity, adhering
compliance, enabling organizations for their "e" initiatives, and,
establishment of a security policy and implementation plan. All of this must
be done with a watchful eye on balancing risk and managing cost to ensure both
system availability and security.
In discussions with enterprise organizations, they cite three
main drivers of the need to look at security in a more holistic
manner. They include the disappearing perimeter, the increase in
threats and the lack of security
The question really is "how do we adequately address these
issues?" I believe IT security requires a new level of governance
at the senior level. It requires a top down approach that reaches
across the organization's departments and functions. It requires
the creation of a culture of security.
IT governance must be a part of the overall governance of an organization.
Doing so will ensure that IT is aligned with the organization to
deliver value to its constituents, that IT resources are responsibly
utilized and that IT risks are mitigated and managed appropriately.
Taking this a step further, information security should also fit
in this broader view. For example, information security reports
should go to senior executives in an organization and information
security audits should be part of the overall audit program.
Furthermore, implementing security with real-time risk management
is a key to preparation and protection. Organizations need to know
where they are vulnerable, establish benchmark security levels
and policies that will ensure
Let me now turn to education and awareness. We have often heard
the statement that we, as individual users of the Internet, have
an obligation to protect our
piece of cyber space." I firmly believe this is true.
A vulnerable system, regardless of whether it is a home user surfing
the web on a broadband connection, a wireless mobile computer at
Starbucks, or a telecommuter working from home, all can open the
door to threats.
As we continue to see increased computing power for the individual
user and continued adoption of high-speed connections, we must
focus on providing a safe and secure environment for that user,
which includes using a firewall and a regularly updated anti-virus
I would point out that we often think of the individual user as
only the home user, a view that is short sighted. As mobile computing
becomes more pervasive we need to be aware at the enterprise of
the potential holes to the network that could open up from customers,
business partners or employees.
The perimeter to the enterprise is disappearing and steps must
be taken to protect those critical assets not just at the gateway,
but at all the end-points or access points being used in today's
This means more than just implementing technology solutions. It
means educating the employees through a well-organized security-training
program. Employees need to be armed with the knowledge to responsibly
Symantec has taken an active role in promoting a broad-based awareness
campaign through our participation as a founding member of the
In partnership with the Department of Homeland Security and the
Ad Council, the Alliance recently announced a $1.8 million national
cybersecurity awareness campaign. Symantec is a major supporter
of this effort along with other leaders
from industry and government.
The Alliance program will be designed to educate the home and
small business users on the importance of using anti-virus and
firewall technology, as well as tips to defend against online fraud.
Further information from the Alliance can
be found at www.staysafeonline.info.
A recent study by the National Cyber Security Alliance confirms
the need for this broad-based campaign. That study showed that
about 67 percent of high speed Internet users do not use firewalls
and more than 60 percent do not regularly update their anti-virus
In addition to the National Cyber Security Alliance, Symantec
has also created a tool that home users and small businesses can
use. This tool, called Symantec Security Check, can be found at
http://www.symantec.com/securitycheck , It is free service that
scans an individual's system for vulnerabilities. To date we have
conducted over 50 million scans. Of the 3.9 million people who
were scanned and agreed to submit their data, 24 percent did not
have any anti-virus protection, and 9 percent of those that did
have some type of anti-virus solution did not regularly update
their definitions. In addition, of the 1.35 million users who agreed
to submit their data to our virus detection scan, 35 percent were
infected with viruses or worms.
We need to broadly get the message out about the dangers and threats
to our Internet infrastructure. The work by the National Cyber
Security Alliance is a great example of the type of public-private
partnership that is essential to promoting a safe and secure computing
environment, and ultimately better
protecting our critical infrastructure.
Let me close by saying that education and awareness of the individual
whether in the largest multi-national corporation, small business
or the home user is critical. Security is more than just installing
a piece of software, it is using best practices, updating your
anti-virus and practicing safe and secure computing to ensure that
systems are safe and the nation's infrastructure is