[Senate Hearing 106-486]
[From the U.S. Government Publishing Office]
S. Hrg. 106-486
CYBER ATTACK: IS THE GOVERNMENT SAFE?
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
MARCH 2, 2000
__________
Printed for the use of the Committee on Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
63-639 cc WASHINGTON : 2000
_______________________________________________________________________
For sale by the Superintendent of Documents, Congressional Sales Office
U.S. Government Printing Office, Washington, DC 20402
COMMITTEE ON GOVERNMENTAL AFFAIRS
FRED THOMPSON, Tennessee, Chairman
WILLIAM V. ROTH, Jr., Delaware JOSEPH I. LIEBERMAN, Connecticut
TED STEVENS, Alaska CARL LEVIN, Michigan
SUSAN M. COLLINS, Maine DANIEL K. AKAKA, Hawaii
GEORGE V. VOINOVICH, Ohio RICHARD J. DURBIN, Illinois
PETE V. DOMENICI, New Mexico ROBERT G. TORRICELLI, New Jersey
THAD COCHRAN, Mississippi MAX CLELAND, Georgia
ARLEN SPECTER, Pennsylvania JOHN EDWARDS, North Carolina
JUDD GREGG, New Hampshire
Hannah S. Sistare, Staff Director and Counsel
Ellen B. Brown, Senior Counsel
Susan G. Marshall, Professional Staff Member
Joyce A. Rechtschaffen, Minority Staff Director and Counsel
Deborah Cohen Lehrich, Minority Counsel
Darla D. Cassell, Administrative Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Thompson............................................. 1
Senator Lieberman............................................ 3
Senator Akaka................................................ 5
Senator Collins.............................................. 16
Senator Edwards.............................................. 18
Witness
Thursday, March 2, 2000
Kevin Mitnick.................................................... 6
Jack L. Brock, Jr., Director, Governmentwide and Defense
Information Systems, Accounting and Information Management
Division, U.S. General Accounting Office....................... 21
Roberta L. Gross, Inspector General, National Aeronautics and
Space Administration........................................... 23
Kenneth Watson, Manager, Critical Infrastructure Protection,
Cisco Systems, Inc............................................. 33
James Adams, Chief Executive Officer, Infrastructure Defense,
Inc............................................................ 35
Alphabetical List of Witnesses
Adams, James:
Testimony.................................................... 35
Prepared statement........................................... 88
Brock, Jack L., Jr.:
Testimony.................................................... 21
Prepared statement........................................... 55
Gross, Roberta L.:
Testimony.................................................... 23
Prepared statement........................................... 71
Mitnick, Kevin:
Testimony.................................................... 6
Prepared statement........................................... 47
Watson, Kenneth:
Testimony.................................................... 33
Prepared statement........................................... 83
Appendix
Copy of S. 1993.................................................. 92
Questions for the record submitted by Senator Akaka and responses
from:
Jack L. Brock, Jr............................................ 113
Roberta L. Gross............................................. 116
Kenneth Watson............................................... 119
CYBER ATTACK: IS THE GOVERNMENT SAFE?
----------
THURSDAY, MARCH 2, 2000
U.S. Senate,
Committee on Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:05 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Fred
Thompson, Chairman of the Committee, presiding.
Present: Senators Thompson, Collins, Lieberman, Akaka, and
Edwards.
OPENING STATEMENT OF CHAIRMAN THOMPSON
Chairman Thompson. The Committee will be in order, please.
I am afraid we are going to have a vote. I guess it is on right
now, so we will have to leave momentarily, but let us see if we
can get a little something accomplished before we have to
leave.
Today, the Committee on Governmental Affairs is holding a
hearing on the ability of the Federal Government to protect
against and respond to potential cyber attacks. This Committee
spent considerable time during the last Congress examining the
state of Federal Government information systems. Numerous
Governmental Affairs Committee hearings and General Accounting
Office reports uncovered and identified systemic failures of
government information systems, which highlighted our Nation's
vulnerability to computer attacks from international and
domestic terrorists, to crime rings, to everyday hackers.
We directed GAO to study computer security vulnerabilities
at several Federal agencies, including the Internal Revenue
Service, the State Department, the Federal Aviation
Administration, the Social Security Administration, and the
Department of Veterans' Affairs. From these and other numerous
reports, we learned that our Nation's underlying information
infrastructure is riddled with vulnerabilities which represent
severe security flaws and risks to our national security,
public safety, and personal privacy.
Every year, the government gathers information on every one
of us because we give the government this information in order
to obtain government services, like getting Social Security
benefits, veterans' benefits, Medicare, or paying taxes, and
yet, year after year, this Committee continues to receive
reports detailing security breaches at these same agencies.
Sometimes these things improve. Agencies usually will respond
to specific GAO recommendations or to a particular Inspector
General report. But this is a band-aid approach to protecting
information systems, that is, fixing the system little by
little, problem by problem after it is revealed that it is no
longer secure.
What is most alarming to me is that after all this time and
all these reports, there is still no organization-wide approach
to preventing cyber attacks and the security program management
is totally inadequate. I am afraid it is another example of how
difficult it is to get the Federal bureaucracy to move even in
an area as important as this.
Those reports highlight that an underlying cause of Federal
information security vulnerabilities is inadequate security
program planning and management. When GAO studied the
management practices of eight organizations known for their
superior security programs, GAO found that these organizations
manage information security through continuous management
activities, which included specific practices to support their
information security principles. We think this is lacking in
the Federal Government.
And we think agencies must do more than establish programs
and set management goals. Agencies and the people responsible
for information systems in those agencies must be held
accountable for their actions, and I believe that Congress
should examine how we can provide assistance to the agencies to
ensure that they have the resources necessary to maintain
information technology security preparedness at all times.
It is clear to me, based on GAO report after GAO report,
that what needs to emerge in government is a coordinated and
comprehensive management approach to protecting information
which incorporates the efforts already underway and takes
advantage of the extended amount of evidence that we have
gathered over the years. The objective of such an approach
should be to encourage agency improvement efforts and measure
their effectiveness through an appropriate level of oversight.
In order to develop such an approach and begin to find
solutions to the problems which have been identified, we
concluded that a more complete statutory foundation for
improvement is needed. That is why Senator Lieberman and I
introduced S. 1993, the Government Information Security Act, at
the end of last year. The primary objective of our bill is to
address the management challenges associated with operating in
the current interdependent computing environment.
Our bill begins where the Paperwork Reduction Act of 1995
and the Clinger-Cohen Act of 1996 left off. These laws and the
Computer Security Act of 1987 provide the basic framework for
managing information security. We recognize that these are not
the only things that need to be done. Some have suggested we
provide specific standards in the legislation. Others have
recommended we establish a new position of a national chief
information officer or even a national security czar. These
things should be considered and these issues and more will be
brought up during our hearing today.
The witnesses before us represent a broad array of
experience and expertise in the area of information security.
First, we have Kevin Mitnick, who has described himself as a
reformed hacker.
Next, we will hear from Jack Brock, who is the Director of
Governmentwide and Defense Information Systems at GAO, and
Roberta Gross, Inspector General for NASA. Both of them have
done significant work in the area of Government information
security.
We will also hear from Ken Watson, who is the Manager of
Critical Infrastructure Protection at Cisco Systems, Inc., and
James Adams, the CEO and co-founder of iDEFENSE.
I welcome all of you and look forward to your testimony
about the cyber threats that we face today and how we can work
together to fashion solutions to the many problems associated
with computer security.
Senator Lieberman.
OPENING STATEMENT OF SENATOR LIEBERMAN
Senator Lieberman. Thank you very much, Mr. Chairman.
Thanks for calling this hearing on a topic of enormous concern
to all of us. The security of our digital information is
something that affects every one of us on a daily basis and
should be taken as seriously as the security of our property,
of our neighborhoods, of our communities, of our Nation, and in
the worst case, as seriously as the security of our lives.
The reach of the Internet and the alacrity with which it
has achieved that reach is the story of the closing years of
the 20th Century and the beginning of the 21st Century. Enabled
by the remarkable innovation in information technology, we are
fast approaching a time when the world will always be on,
always connected, always open for business. It will be a fast
environment marked by increasing efficiency and decreased cost.
But it also will be intensely competitive and without
boundaries. Almost every institution we rely on in our daily
lives is feeling the effect of this latest technological
revolution.
Just last month, the General Services Administration's
Chief Information Officer, Bill Piatt, wrote something that I
think all of us in government should keep in mind, ``From the
perspective of our bosses, the citizens, electronic government
is neither an option to be chosen nor a mandate to be decreed.
It is simply expected.''
So the basic goals of e-Government, which are the
electronic delivery of information and services, are the same
as government's goals have always been, as enumerated in our
Constitution and the laws that we have adopted pursuant to it.
But if government is going to be plugged into the networked
world as an active permanent presence, we will have to protect
the confidentiality, the integrity, and, of course, the
availability of the information contained on government
computers.
We must be acutely aware of the range and content of the
information at stake here. It covers everything from the
movements of our armed forces and the deployment of our most
powerful weapons to accumulated data about the economy and the
financial markets, to support for our transportation networks,
to the most private information about the American people, such
as tax, wage, and medical records.
The information in far too many cases today is wide open to
exploitation, from pranksters to terrorists and every
disaffected person in between. The fact that the GAO has
labeled as ``high risk'' virtually the entire computer security
system of our government is just unacceptable. We must take
action, and quickly, to get the government's computer security
systems off of the high-risk watch list.
Last year, Senator Thompson and I, and this Committee,
looked into what went wrong in the Federal investigation of Dr.
Wen Ho Lee, the former Los Alamos nuclear laboratory scientist
who is charged with downloading classified information to an
unclassified computer. Mr. Lee has been indicted now. The
Justice Department is still investigating other areas and, of
course, his guilt or innocence is yet to be determined. But the
case should focus everyone's attention on the vulnerability
that comes with reliance on computers. So, too, should the more
recent revelations of former CIA Director John Deutch, who
maintained sensitive information on his home computer.
The hacking of government sites, including those at the
Senate, the FBI, the White House, Interior, and the Department
of Defense is actually becoming a near daily occurrence, and I
would not be surprised if scores of other government sites have
also been invaded. But the truth is, we will never know because
monitoring intrusions, much less reporting them, is not
required.
There are many reasons Federal computer-based information
is inadequately protected, but the underlying problem,
according to GAO, who we will hear from this morning, is poor
management. In some cases, this is a cultural problem. Our
concentration on security simply has not grown at the same pace
as our reliance on computers. That is why the Government
Information Security Act of 1999, which Chairman Thompson and I
have introduced, is a beginning step toward correcting this
fundamental shortcoming. The bill would put every government
agency on notice that it must implement a computer security
plan which will be subject to annual independent audits, report
unauthorized intrusions, and provide security awareness
training for all its workers.
There are a number of areas we have not addressed in our
bill yet and we will be asking for input on how best to handle
them. For example, the government needs to increase
dramatically the number of trained information security
professionals. In that regard, I am intrigued by President
Clinton's proposal for a Federal Cyberservice at universities
based on the ROTC model, and we need incentives for
universities to train more people in this area.
We also need to consider what to do to keep the government
informed of technological changes in computer security so we do
not fall behind. The President's proposal to establish a
National Institute for Infrastructure Protection sounds like a
good idea if it provides assistance with R&D and technical
support.
Mr. Chairman, I am hopeful that the proposal that you and I
have made will stimulate significant debate and early action.
Our bill is a work in progress. I know that we anticipate
hearing from a broad range of interested parties. We have got
to particularly listen to those in private industry who have
made, I think, much more headway than we in the public sector
have in protecting the security of computer-based information,
because we do not need to reinvent the wheel here, a very high-
tech wheel. We need to share experiences and exchange ideas to
learn what works best.
I think we have put together a very interesting group of
witnesses today. I look forward to their testimony, which I
know will help us craft the best possible legislation to secure
the government's vast and important treasury of information.
Thank you very much.
Chairman Thompson. Thank you very much.
We are down to a minute or 2 on the vote, so we will recess
for a few minutes to vote.
[Recess.]
Chairman Thompson. Let us go back into session.
Senator Akaka, did you have a statement.
OPENING STATEMENT OF SENATOR AKAKA
Senator Akaka. Thank you very much, Mr. Chairman. Thank you
for scheduling this hearing. I have a longer statement, Mr.
Chairman. I will ask that my longer statement be made part of
the record.
Chairman Thompson. It will be a part of the record.
Senator Akaka. I just have a few points to make, three of
them, to be exact. First, computer hacking has gone beyond the
stage of being mischief making. Too much money is being lost.
Hacking is a crime, but it has also become an act of
international aggression. Last year, there were more than
20,000 cyber attacks on Defense Department networks alone.
Second, current technology has so far failed to provide
adequate safeguards for critical infrastructure networks. We
have little ability to detect or to recognize a cyber attack
and even less capability to react.
Third, the President has unveiled his national plan for
information systems protection. This, I feel, is a good
proposal and deserves the immediate support of Congress.
Again, Mr. Chairman, my thanks to you. The legislation you
have introduced on this subject, S. 1993, is something that we
need to address immediately, and the Government Information
Security Act is an important contribution. I look forward to
today's discussion. Thank you, Mr. Chairman.
Chairman Thompson. Thank you very much.
[The prepared statement of Senator Akaka follows:]
PREPARED STATEMENT OF SENATOR AKAKA
Thank you, Mr. Chairman and Senator Lieberman, for providing the
opportunity to discuss cybersecurity. In this new age of information
warfare, no issue is of more vital importance to our security.
A cyber attack against our national information infrastructure
would affect the integrity of our telecommunications, energy, banking
and finances, transportation, water systems, and emergency services. As
the Ranking Member of the Subcommittee on International Security,
Proliferation, and Federal Services, I applaud all efforts to call
attention to this issue. It is one in which the Subcommittee has also
been involved. The Chairman and Ranking Member deserve great credit for
the effort that they have made to heighten awareness of the threat
while proposing methods to counter the threat.
Computer hacking can no longer be labeled benign mischief. Once,
those who gained unauthorized access to government and private sector
computer networks were heralded as technical icons, whose exploits were
lionized by the popular media. That is not the reality any more. Now
hacking is a Federal crime at the very least--at the worst, an
international act of aggression. As Deputy Secretary of Defense John
Hambre has stated, ``We are at war--right now. We are in a cyber war.''
Total losses from cyber fraud, including loss of service, recovery,
and restoration costs, are estimated to be in the hundreds of millions
of dollars. We now know that hostile countries have, or are developing,
the capability to engage in overt and covert information warfare.
Last year alone there were more than 20,000 cyber attacks on
Department of Defense networks alone. Astonishingly, we do not know who
was behind the majority of those attacks.
In 1998, during a period of increased tensions with Iraq over
United Nations weapons inspections, over 500 U.S. military, civilian
government, and private sector computer systems were attacked. What was
first thought to be a sophisticated Iraqi cyber attack proved to be a
rather unsophisticated, yet highly effective attack by two juveniles
from California with the cooperation of several individuals in Israel.
Last month, cyber-based denial of service attacks had a dramatic
and immediate impact on many Americans and resulted in the loss of
millions of dollars when several large e-commerce sites were shut down
for several hours.
Just recently a student at a major university was arrested and
charged with hacking into Federal Government computers at the National
Aeronautics and Space Administration (NASA) and the Department of
Defense where he was able to read, delete, and alter protected files
and intercept and save log-in names.
Clearly, cybercrime has become a pervasive problem. And it is
getting worse. According to FBI Director Louis Freeh, cybercrime is one
of the fastest evolving areas of criminal behavior and a significant
threat to our national and economic security. The escalation of
cybercrime is rapidly overwhelming our current capability to respond.
Current technology has thus far failed to provide adequate
safeguards for critical infrastructure networks. The Internet is
international, knowing no boundaries and no ownership. Any attempt to
stifle its growth and development would be counter productive to the
economic interests of America. A variety of easy to use sophisticated
hacker tools are freely available on the Internet, available for use by
anyone in the world with an inclination to mount a cyber attack.
Today, the United States has little ability to detect or recognize
a cyber attack against either government or private sector
infrastructures and even less capability to react. Nevertheless, we
must, through cooperative public and private sector efforts, develop
adequate defensive technologies to neutralize threats. Without new
defenses, it is likely that attacks will occur with greater frequency,
do more damage, and be more difficult to detect and counter.
In January 2000, President Clinton unveiled his ``National Plan for
Information Systems Protection,'' which proposes critically needed
infrastructure improvements with milestones for implementation. This
multifaceted plan promotes an unprecedented level of public/private
cooperation, and proposes 10 programs to assess vulnerabilities, and
significantly enhance capabilities to deter, detect, and effectively
respond to hacking incidents. It also calls for vital research and
educational enhancements to train adequate numbers of desperately
needed information security specialists and sustain their perishable
skills.
Our continued leadership and prosperity in the global economy may
well hinge on our national commitment to act as leaders in bringing
information assurance to the global information environment we have
helped to create. I commend the Chairman and Ranking Member for their
leadership in calling attention to this particularly insidious problem
by their introduction of S. 1993, the Government Information Security
Act. I welcome our witnesses, and look forward to hearing their
testimony today.
Chairman Thompson. Our first witness will be Kevin Mitnick.
Mr. Mitnick, thank you for being with us here today. Please
introduce yourself. Your full statement will be made a part of
the record. If you could summarize that for us, we would
appreciate it very much.
TESTIMONY OF KEVIN MITNICK \1\
Mr. Mitnick. Great. Good morning. It is an honor to be
here. I am glad that you value my opinion. It is interesting to
note that the United States was my adversary in years of
litigation, and despite that fact, I am with you here today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Mitnick appears in the Appendix
on page 47.
---------------------------------------------------------------------------
Chairman Thompson. I have seen those documents several
times, United States of America versus some individual. It is
kind of intimidating, is it not?
Mr. Mitnick. It sure is. Despite that, I am ready, willing,
and able to assist, and that is why I am here today. I have
written a prepared statement. That way, I can just read it and
hopefully will answer some questions.
Hon. Chairperson Thompson, distinguished Senators, and
Members of the Committee, my name is Kevin Mitnick. I appear
before you today to discuss your efforts to create legislation
that will ensure the future security and reliability of
information systems used by the Federal Government. As you
know, I have submitted my written remarks to the Committee. I
would like to use this time to emphasize some of those remarks
and to introduce a few ideas that I did not include in my
written testimony.
I have 20 years' experience circumventing information
security measures and can report that I have successfully
compromised all systems that I targeted for unauthorized access
except one. I have 2 years' experience as a private
investigator and my responsibilities included finding people
and their money, primarily using social engineering techniques.
Breaching information security measures is a difficult
undertaking. As I stated in my prepared remarks, my success
depended on exploiting weaknesses in computer systems and
network security and the use of social engineering techniques.
However, even the sophisticated techniques I have exploited for
2 decades depended on the lack of commitment by software
manufacturers to deliver software free of security weaknesses.
The manufacturers of operating systems and software
applications are under enormous pressure to deliver their
products to the market with new features and are unwilling to
thoroughly test their software under current market conditions.
As a result, operating systems and applications contain
security flaws that allow people with the required time, money,
resources, motivation, and persistence to exploit those
weaknesses. The Federal Government has no control over the
security weaknesses that software manufacturers permit to reach
the marketplace. Thus, it is imperative to enhance other
security measures to overcome these shortcomings.
The average American's confidence in the public telephone
system is misplaced. Here is why. If I decided to target a
computer system with a dial-in modem, my first step would be to
use social engineering techniques to find the number of the
modem. Next, I would gain access to the telephone switch that
controls the number assigned to the modem line. Using that
control, I would redirect the modem number to a log-in
simulator that would enable me to capture the passwords
necessary to access the target machine. This technique can be
performed in real time to capture dynamic passwords that are
changed once per minute.
All of the actions I just described would be invisible to
anyone monitoring or auditing the target computer security.
What is important here is to consider the big picture. People
use insecure methods to verify security measures. The public's
confidence in the telephone system as secure is misplaced, and
the example I just described demonstrates the reason why.
The human side of computer security is easily exploited and
constantly overlooked. Companies spend millions of dollars on
firewalls, encryption, and secure access devices and it is
money wasted because none of these measures address the weakest
link in the security chain, the people who use, administer,
operate, and account for computer systems that contain
protected information.
It is my understanding that this Committee oversees
information security for the Internal Revenue Service and the
Social Security Administration. In the United States v.
Czubinski, an IRS employee was convicted of wire and computer
fraud, the same crimes for which I spent 5 years in Federal
prison. It is not lost on me that Mr. Czubinski's conviction
was overturned by the First Circuit Court of Appeals as the
court found that he never deprived the IRS of their property
interest in the confidential information he accessed just to
satisfy his personal curiosity, the same circumstances which
precisely match the crimes to which I plead guilty in March
1999.
Ironically, in their publicly filed briefs, the government
revealed the name of the computer system used by IRS employees
and the commands reportedly used by Mr. Czubinski and IRS
employees in general to obtain confidential taxpayer
information. I would like to bring to this Committee's
attention how I successfully breached information security at
the IRS and the Social Security Administration using social
engineering techniques before 1992, which just so happens to be
beyond the applicable statute of limitations. [Laughter.]
I called employees within these agencies and used social
engineering to obtain the name of the target computer system
and the commands used by agency employees to obtain protected
taxpayer information. Once I was familiar with the agency's
lingo, I was able to successfully social engineer other
employees into issuing the commands required to obtain
information for me using as a pretext the idea that I was a
fellow employee having computer problems. I successfully
exploited the security measures for which this Committee has
oversight authority. I obtained confidential information in the
same way government employees did and I did it all without even
touching a computer.
Let me emphasize for the Committee the fact that these
breaches of information security are ongoing and even as I
stand before you today and that agency employees are being
manipulated using social engineering exploits despite the
current policies, procedures, guidelines, and standards already
in place at these agencies.
S. 1993 is an important step toward protecting the
confidentiality, integrity, and availability of critical data
residing in government computer systems. However, after
successfully exploiting similar security measures at the IRS
and the Social Security Administration, as well as some of the
planet's largest technology companies, including Motorola,
Nokia, Sun Microsystems, and Novell, I am concerned that
enacting this law without vigorous monitoring and auditing
accompanied by extensive user education and training will fall
short of the Committee's admirable goals.
In closing, I would be happy to offer my knowledge and
expertise to the Committee regarding methods that may be used
to counteract the weakest link in the security chain, the human
element of information security. That is it. Thank you.
Chairman Thompson. Thank you very much. That was very short
but very powerful, Mr. Mitnick. Thank you very much.
It seems, in essence, what you are telling us is that all
of our systems are vulnerable, both government and private.
Mr. Mitnick. Absolutely.
Chairman Thompson. We had the members of The L0pft here a
couple of years ago, some of the computer hackers, who
basically told us the same thing. They said they could shut
down the Internet and it was not a real problem. As I sit here
and listen to you, you are one individual. Obviously, you are
very bright, but there are a lot of very bright individuals out
there. It makes you wonder, if one individual can do what you
have done, what in the world could a foreign nation, with all
the assets that they would have at their disposal do.
Mr. Mitnick. It is pretty scary.
Chairman Thompson. The point, and I think it is one that
you make, is that we really do not know to what extent we
already have been compromised, and the fact that we do not know
or that other people or entities have not taken advantage of
that or done something bad to us yet does not mean that we have
not already been compromised in some way, is that not true?
Mr. Mitnick. It is a possibility.
Chairman Thompson. You also point out that the key to all
of this, we sit here and think of systems and programs and all,
but you point out the key is personnel, that that is the
weakest link. No matter what kind of system you have, unless
you have personnel that are adequately trained, adequately
motivated--can you explain the importance of the personnel
aspect to this and what you think we might be able to do about
it?
Mr. Mitnick. In my experience, when I would try to get into
these systems, the first line of attack would be what I call a
social engineering attack, which really means trying to
manipulate somebody over the phone through deception. I was so
successful in that line of attack that I rarely had to go
towards a technical attack. I believe that the government
employees and people in the private sector, that their level of
awareness has to be--you have to do something to raise their
level of awareness that they could be the victim of some sort
of scam over the telephone.
What I might suggest is maybe a videotape be made that
would demonstrate somebody being manipulated over the phone and
the types of pretexts and ruses that are used and maybe that
will make somebody think the next time they get a phone call.
The problem is, people do what they call information mining, is
where you call several people within an organization and you
basically ask questions that appear to be innocuous, but it is
really intended to gain intelligence.
For instance, a vendor might call a company and ask them
what software, what are you currently using, what computer
systems do you have, to sell them a particular product, because
they need to know that information, but the intent of the
caller might be to gain intelligence to try to target their
computer systems.
So I really have a firm belief that there has to be
extensive training and education to educate the users and the
people who administer and use these computer systems that they
can be victims of manipulation over the telephone, because like
I said in my prepared statement, companies could spend millions
of dollars towards technological protections and that is money
wasted if somebody could basically call somebody on the
telephone and either convince them to do something on the
computer which lowers the computer's defenses or reveals the
information that they are seeking.
Chairman Thompson. So you can compromise a target without
ever even using the computer?
Mr. Mitnick. Yes. For example, personally, with Motorola, I
was working at a law firm in Denver and I left work that day
and just on an impulse, I used my cellular telephone and called
Motorola, their 800 number, and without getting into details of
how this, because of the time constraints, is by the time I
left work and by the time I walked home, which was about a 20-
minute period, 15- to 20-minute period, without any planning or
anything, I was able to, by the time I walked to the front
door, I had the source code to the firmware which controlled
the Motorola Ultralight telephone sitting on a server in
Colorado. Just by simply making pretext telephone calls within
that 15- to 20-minute period, I had the software. I convinced
somebody at Motorola to send the software to a particular
server.
Chairman Thompson. So this has to do with personnel, it has
to do with training within a larger umbrella of management.
Mr. Mitnick. Absolutely, and I think the management has to
be from top down, and the whole idea here is to protect the
information regardless of whether it resides on a computer
system or not, because whether or not this information is
printed on a printout or is sitting on a floppy disk, it is
still information which you want to protect against any type of
confidentiality breach and the integrity of the information
from being modified or destroyed.
Chairman Thompson. These are the things we are trying to
address in our bill.
Mr. Mitnick. Yes, I read the bill.
Chairman Thompson. We appreciate your comments on that. One
of the questions we are going to have to deal with is whether
or not we ought to be more specific in terms of training, for
example.
Mr. Mitnick. I think you should be, because----
Chairman Thompson. We vest the responsibility, but we kind
of end it there and leave it up to the agencies to take it from
there, but some have suggested that we might be more specific
and more precise in exactly what kind of training we ought to
have.
Mr. Mitnick. Yes, I think that is important because I am
not privy to this information, but I assume that there are
policies, procedures, guidelines, and standards in effect for
protecting information at these agencies, just by protecting
the information without regard to the computer systems. I think
by explaining my background and experience with the Committee
today that you can see that those policies and procedures were
easily circumvented.
So what the Committee has to--I guess what has to be done
is there has to be a way to figure out what the Federal
Government could do to protect its information, and just
enacting a law or policies and procedures may not be effective.
I do not know. I think it really depends on really training the
systems administration staff, management, and the people who
use, administer, and have access to the information about all
the different methodologies that could be used to breach
computer security, which is not only just the human element.
You have physical security, you have network security, and you
have security of computer systems. So it is a very complex
issue, so you have to be able to get people on board that would
know how to protect each different area.
Chairman Thompson. We are not interested in another overlay
of statutory requirements, and you are right, there are plenty
of laws on the books that have to do with information systems
in general. Technology has changed and the government has not
changed with it, and what we have discovered is that although
we have a lot of laws on the books, there is no comprehensive
management scheme out there. There is no way to measure and
evaluate the effectiveness of what anybody is doing. We will
have a GAO witness here in a little while and we will go over
the fact that for a few years now, we keep being told that
government is ineffective. It is not working. It is not doing
the job. So we go back and Congress does more. So that is what
we are trying to do here and your testimony is very helpful.
We have other Senators here, so I will pass. Senator
Lieberman.
Senator Lieberman. Thanks, Mr. Chairman.
Mr. Mitnick. Can I make a comment?
Chairman Thompson. Yes.
Mr. Mitnick. And, by the way, private investigators and
information brokers today obtain confidential taxpayer
information from Social Security and the IRS and they are doing
it as we speak. You can go to any private investigator and hire
them to do this.
Chairman Thompson. We have had testimony to that effect.
Mr. Mitnick. So obviously it is somebody who has access to
the computer either illegitimately or somebody that is taking
payola to reveal this information that is within the agency.
Chairman Thompson. Thank you.
Senator Lieberman. Thanks. Mr. Mitnick, thanks for your
testimony. You have been very illuminating and helpful. My
staff lifted up some clips in preparation and one of them
described you as ``arguably the most notorious computer hacker
in the world.'' I thought I would ask you if you would be
comfortable, as we confront this problem, helping us to answer
the question of ``why?''
I mean, in one sense, the ``why'' of a certain number of
people, national certainly in security areas is clear. If a
foreign government, such as the Serbs during the Kosovo
conflict, or some subnational group of terrorists tries to
break into our computer systems, that is a pretty clear
``why.''
But this is not like most crime waves. To a certain extent,
as I read about your story and hear about others in the kind of
daily breaking of government computer systems, it seems to me
that there is a different sort of motivation. In some sense, it
almost seems to be the challenge of it. If you would, just talk
about why you, or if you want to third personalize it, why
people generally become hackers.
Mr. Mitnick. Well, the definition of the word hacker, it
has been widely distorted by the media, but why I engage in
hacking activity, my hacking activity actually was--my
motivation was the quest for knowledge, the intellectual
challenge, the thrill, and also the escape from reality, kind
of like somebody who chooses to gamble to block out things that
they would rather not think about.
My hacking involved pretty much exploring computer systems
and obtaining access to the source code of telecommunications
systems and computer operating systems because what my goal was
was to learn all I can about security vulnerabilities within
these systems. My goal was not to cause any harm. It was not to
profit in any way. I never made a red cent from doing this
activity, and I acknowledge that breaking into computers is
wrong and we all know that. I consider myself a trespasser and
my motivation was more of--I felt like an explorer on these
computer systems and I was trying--it was not really towards
any end.
What I would do is I would try to obtain information on
security vulnerabilities that would give me greater ability at
accessing computers and accessing telecommunications systems,
because ever since I was a young boy, I was fascinated with
communications. I started with CB radio, ham radio, and
eventually went into computers and I was just fascinated with
it. And back then, when I was in school, computer hacking was
encouraged. It was an encouraged activity.
Senator Lieberman. Who encouraged it?
Mr. Mitnick. In school. In fact, I remember one of the
projects my teacher gave me was writing a log-in simulator. A
log-in simulator is a program to trick some unknowing user into
providing their user name and password, and of course, I got an
A---- [Laughter.]
But it was encouraged back then. We are talking about the
1970s. And now, it is taboo. A lot of people in the industry
today, like Steven Jobs and Steven Wozniak, they started out by
manipulating the phone system and I think even went to the
point of selling blue boxes on Berkeley's campus, and they are
well recognized as computer entrepreneurs. They were the
founders of Apple Computer.
Senator Lieberman. Yes. The fork in the road went in
different directions in their case.
Mr. Mitnick. Just slightly. [Laughter.]
Senator Lieberman. Well, maybe there is still time. You are
young, so there is still time.
Your answer is very illuminating again. Part of what you
are saying struck me, which is unlike other forms of trespass
or crime, you did not profit at all.
Mr. Mitnick. I did not make a single dime, but that is not
to say--one of the methods how I would try to avoid detection
and being traced was to use illegitimate cellular phone numbers
and electronic serial numbers to mask my location.
Senator Lieberman. Right.
Mr. Mitnick. I did not use this to avoid the cost of making
a phone call, because most of the phone calls were local. I
could have picked up a phone at home and it would have been a
flat rate call. I did it to avoid detection, but at the same
time, it was cellular phone fraud because I was using airtime
without paying for it.
Senator Lieberman. Were you aware as you went through this
pattern of behavior that you were violating the law?
Mr. Mitnick. Oh, of course, yes.
Senator Lieberman. You were? Were you encouraged or at
least not deterred by the fact that you had some confidence
that there were few or no consequences attached to it? There
are cases where people know that they are doing something
illegal, but they think that the prospects of being apprehended
and charged are so slight that they go forward nonetheless.
Mr. Mitnick. Well, that is true, because as you are doing
some illegal activity, you are not doing a cost-benefit
analysis--well, at least I was not doing a cost-benefit
analysis. I did not think of the consequences when I was
engaging in this behavior. I just did it, but I was not
thinking about, well, if I were to get caught, I would have
these consequences. It was just focusing on the activity at
hand and just doing it.
Senator Lieberman. Because of what you described before as
the thrill of it or the challenge of it, the adventure.
Mr. Mitnick. It was quest for knowledge, it was the thrill,
and it was the intellectual challenge, and a lot of the
companies I targeted to get the software was simply a trophy. I
would copy the code, store it on a computer, and go right on to
the next without even reading the code.
Senator Lieberman. Interesting.
Mr. Mitnick. I mean, that is a complete different
motivation of somebody who is really out for financial gain or
a foreign country or a competitor trying to obtain information,
like economic espionage, for instance.
Senator Lieberman. Right, very different. Clearly, as a
lawmaker, part of why I ask these questions is because I wonder
whether if we raise the stakes, that is to say we set up
security systems that make detection more likely and increase
penalties for this kind of trespass, Internet trespass, whether
there is a prospect of deterring the next Kevin Mitnick.
Mr. Mitnick. You are talking about enacting further
criminal----
Senator Lieberman. Yes, raising the prospects that a so-
called hacker is going to be detected, for one, and then
second, raising the criminal penalties for the hacking.
Mr. Mitnick. I would encourage you to come up with a method
of prevention and detection, and I encourage the computer
industry today to look to methods to better detect intrusions
and, again, extensive user training and education on how to
prevent the human exploitation.
For instance, in my case, I was basically doing this out of
the curiosity rather than for financial gain, and what is
interesting to note is in that case I described in that U.S. v.
Czubinski case, where this was an IRS agent who obtained
confidential taxpayer information and was eventually
prosecuted, his convictions were reversed by the First Circuit
Court of Appeals because what the court held is that Mr.
Czubinski did not deprive the IRS of their property interest in
this information because he had no intent to use or disclose
the information he obtained.
That is the same circumstances as in my case. I was not
doing it to use the information or disclose it to anybody. It
was the trophy. So it is a very interesting issue of whether I
really engaged in computer trespass or fraud, because fraud is
where you deprive somebody of their money or property, and in
my case, while it was a gross invasion of privacy, I never, in
my opinion, deprived any of these companies of their software
or used it to their detriment. So that is the difference in my
hacking.
Then you have people out there who are working for private
investigators, trying to obtain confidential information like
from the IRS or Social Security and through State and local
government agencies to sell. Information brokers sell it to
private investigators who have clientele that are trying to
find information on people.
Senator Lieberman. You know, I hate to suggest a waste of
your talent, but as I listen to you, I think you would make a
great lawyer. [Laughter.]
Mr. Mitnick. Well, I do not know if you are convicted of a
felony, if they would allow you to be admitted to the bar.
Senator Lieberman. That is harder to do. [Laughter.]
Let me ask you just a few more questions.
Mr. Mitnick. Maybe I could get a Presidential pardon.
Senator Lieberman. Yes. Maybe we will come back.
Chairman Thompson. We have a lot of criminal lawyers around
here.
Senator Lieberman. Yes, we do. [Laughter.]
Chairman Thompson. Nothing personal.
Senator Lieberman. The response of the people attending was
much more enthusiastic than we might like. [Laughter.]
Mr. Mitnick, building on what you have just said,
obviously, you have been away, involuntarily, from the world of
computers for a number of years now. I wonder if you feel that
the techniques that you used are still useful today and whether
they have retained their relevance in light of all the change
that has occurred, and whether you have any sense that today's
computer security systems are more sophisticated than they were
when you were involved in your hacking.
Mr. Mitnick. Well, I can say that the social engineering or
the exploiting the human element of computer security, I think
is in the same state as it was 5 years ago before I went to
prison.
Senator Lieberman. Yes.
Mr. Mitnick. However, by reading materials and magazines
and reading advertisements, I know that the industry is
building security products to try to protect information that
resides on computer systems. I have not had a chance to
evaluate it, but it is simply if somebody has the resources,
the time, money, and motivation, they can get into any
computer. The only thing that the Federal Government and
private sector can do is to reduce the threat. You cannot
reduce it to zero----
Senator Lieberman. Make it harder.
Mr. Mitnick [continuing]. You can only make it harder, and
hopefully, the attacker will find it difficult that they will
go to the next guy, just like people do at home. They put a
lock on the door. If somebody really wants to get in, they are
going to go through a window, and you can only make it more
difficult so they try to go to the next guy. Then if somebody
is really targeted, government information or trying to target
information in the private sector, I think it would be
extremely difficult to prevent, and that is why management is
so important to really encourage systems administrators and the
users of these computer systems, maybe to do some sort of
rewards program, or if information is breached under their
control, there should be some punishment.
I have not really given it that much thought, but for the
human element, I think it is still in the same state, and I
believe there have been some technological improvements, but
the Internet, do not forget, the Internet started out as the
ARPANET, which was pretty much academia, government agencies,
and universities sharing information and the protocols were not
developed with security in mind. They were developed to allow
these individuals or these companies to share information and
to co-work on projects, and now everybody is scrambling because
of the e-commerce to build security on top of a weak
foundation. Maybe what should be considered is building a
strong foundation.
Senator Lieberman. Well said. I am struck by your emphasis
on the human element as the weak link in this computer security
chain and it conforms to other information we have heard that
the so-called cultural factors, in some cases just plain
negligence or inattention by people in charge of computers,
leads to most of the problems in security that we have.
Let me ask one last question and then yield to my
colleagues. In the question of security, as we think about
computer security as it affects our national security, we
naturally think of defense. But I have read some material that
makes, I think, the good point that a hostile group or Nation
wanting to do harm to the United States might not only go after
traditional defense targets but might try to incapacitate power
grids, for instance, public utility grids or transportation
information systems or even stock or commodities markets.
To the best of your knowledge and experience, would you say
that those essential but non-defense systems are probably as
vulnerable as you have described systems to be generally?
Mr. Mitnick. Perhaps. If you have the resources of a
foreign government, what would stop a foreign government from
putting operatives to work in the companies to develop the
hardware and software that is utilized by these groups, or the
power grid, transportation, and these things of national
importance, and put some type of back doors or some type of
flaw in the operating system or the software applications that
allows them to have access. I mean, they can go to those
extremes and they have the resources to do it.
Senator Lieberman. Your answer leads me to just ask one
last question: You have talked about the prominent role of what
you have described as social engineering, which is to
manipulate unwitting employees. I know it is hard to state a
percentage on this, but would you guess that most hacking is
being done in that way-by the manipulation of the cultural
weaknesses, the human weaknesses? And to that extent, how much
does hacking depend on successful human penetration of a system
as opposed to technological penetration of a system without any
assistance from anybody inside, with the assistance from inside
coming either knowledgeably, that is, by somebody who has been
placed in there, or just unwittingly by a negligent employee?
Mr. Mitnick. In my experience, most of my hacking involved
the social engineering exploitations, but I think that most of
the hacking out there is really the weaknesses that are
exploited in the operating systems and the software
applications, because if you go on the Internet, you can simply
connect to computer sites that basically have scripts of the
exploit scripts, so anybody that has access to a computer and
modem could download these exploits and exploit these
vulnerabilities that are in the operating systems developed by
the software manufacturers.
That is why I brought out the point that I think it is
important for the software manufacturers to be committed to
thoroughly testing their software to avoid these security flaws
from being released to the marketplace.
Senator Lieberman. It is a very important point.
Mr. Mitnick. And maybe government and private industry, if
these companies are not committed to it, is maybe going with
another company.
Senator Lieberman. Thanks, Mr. Mitnick. You have been very
helpful. I think you have turned your unfortunate experience in
the past into some very constructive support this morning.
Thank you.
Mr. Mitnick. Thank you for having me.
Chairman Thompson. How much time did you actually serve?
Mr. Mitnick. Fifty-nine months and 7 days.
Senator Lieberman. Five years.
Chairman Thompson. Fifty-nine months?
Mr. Mitnick. I do not know how many minutes or hours.
Chairman Thompson. Well, you know if instead you had raised
millions of dollars for political campaigns, you would have
gotten probation. [Laughter.]
Senator Collins.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. How can I follow that, Mr. Chairman?
Chairman Thompson. You had better choose your excitement
more carefully in the future.
Mr. Mitnick. I think that is a good idea.
Senator Collins. Mr. Chairman, I want to first commend you
and Senator Lieberman for holding this hearing to highlight the
pervasive vulnerability of our private sector and government
computer systems.
Mr. Mitnick, I was struck by your emphasis, as was Senator
Lieberman, on the human element involved, because I think we
often think of computer security in terms of technological
safeguards or the physical security of the computers in
restricting access. Yet your experience as well as the recent
revelations about the former CIA Director's carelessness with
his home computer suggest that we may be overlooking what is
the most important factor, which is the human element.
In general, do you think there is a lack of awareness of
the risks of the human element, both in the private sector and
in the public sector? I am particularly thinking of at the
higher levels of corporations and government agencies. I think
training tends to occur at the lower levels, and yet the risk
may be just as high at the higher levels. Could you comment on
that?
Mr. Mitnick. I think the greater risk is at the lower
levels. I do want to make a point. When you order a pizza, how
they verify that you are the one that ordered it is by calling
you on the telephone to verify that that is you. Well, you have
got to really look at the big picture, and because there is a
false reliance placed on telecommunications systems, such as
the public telephone network, which is easily exploitable.
So, for instance, if I were to call you at your--what I did
is offer to do a demonstration today if the government would
give me immunity, but there was not any time. But anyway, what
somebody could actually do is if they have access to the
telephone switch, they could actually manipulate it so you can
call back a legitimate number that you think you are calling to
verify the authenticity of the request, but that number has
been rerouted to the attacker. So because of the reliance on
faxes, on voice mail, on telephones in general to verify the
legitimacy, and that is easily exploitable, that is what makes
it so easy to exploit the human element.
Senator Collins. How easy is it for a computer hacker to
use work done by others--I am told it is called an attack
script--in order to hack into a computer? Would such a person
even have to really understand how the computer code was
written in an attack script in order to use it to hack into a
system?
Mr. Mitnick. Not really. If there is a shell script or a
script is written where they just run it and it gives them the
super-user privileges or system administrator privileges, they
really do not have to know how it is working, and what is
unfortunate, you have a lot of people out there that have
access to those scripts that really do not know what they are
doing, so if they get into a computer and obtain system
administrator-level privileges, they could easily destroy
information or damage the computer by trial and error and
without realizing what they are doing because they do not have
the knowledge or the experience on that particular type of
computer system. So it is concerning.
Senator Collins. Another issue that you raised earlier was
that when the Internet was in the early stages of development,
the emphasis was on sharing information, accessibility,
openness, free exchange of ideas. The emphasis was not on
security and that has made us vulnerable in some ways.
Do you think that is also a problem with the growth of e-
commerce, that there has been insufficient attention given to
security, that the emphasis has been on accessibility, ease of
use, making it easy for people to make purchases? Do you think
the private sector has been a little bit slow in turning its
attention and investing in the security of its systems?
Mr. Mitnick. Well, unfortunately, because I was unavailable
for the last 5 years and e-commerce just started after I was
sent away, I was not really able to keep up with it. But today,
everybody is reluctant to use their credit card over the
Internet because they think somebody is going to get their
credit card number and defraud them. I think that there is a
loss of confidence in using the Internet, especially with doing
financial transactions, because mostly you hear about these
media reports of these people being able to circumvent security
so easily.
What is interesting is people will go into a restaurant and
will hand their credit card number to a waiter or waitress and
they have no problem with that, but they are afraid to type
their number onto the Internet because they figure it could be
captured, which is a possibility, but I think what is
interesting is I think there is limited liability if someone
were to obtain your card and use it without permission. There
is maybe a $50 to $100 liability.
Maybe security systems have to be created that would raise
the level of confidence that the public has in using the
Internet for e-commerce.
Senator Collins. Thank you, Mr. Mitnick. I just want to
wish you well as you go on with your life. You clearly have a
great deal of talent and intelligence, and it seems to me, as
we have been discussing, that you paid a pretty heavy price for
your crime and I wish you well.
Mr. Mitnick. Thank you very much.
[The prepared statement of Senator Collins follows:]
PREPARED STATEMENT OF SENATOR COLLINS
Mr. Chairman, I appreciate the work you and Senator Lieberman have
done on the important topic of the security of the computer system of
the Federal Government.
The Internet offers unprecedented openness and accessibility. Those
same attributes make it vulnerable to attacks by unauthorized users.
The pervasive vulnerability of our computer systems raises the specter
of malicious attacks by terrorists rather than simply the relatively
benign intrusions of teenagers.
As one expert in computer security recently stated, ``The Net
changes the nature of crime. You don't need skills to be an attacker.
If you are going to make counterfeit bills or burglarize a building,
you need certain abilities. On the Net, you download an attack script
and click here.''
The sophistication of computers has been matched by the opportunity
for malicious activity based on information obtained through the
Internet. In my view, this creates an increased ability for a greater
number of people to threaten government computers.
We have an excellent group of individuals on the panels today who
can share their view of what the government can do to better protect
its computer system. I look forward to their testimony.
Chairman Thompson. Thank you very much. Senator Edwards.
OPENING STATEMENT OF SENATOR EDWARDS
Senator Edwards. Thank you, Mr. Chairman.
Good morning, Mr. Mitnick.
Mr. Mitnick. Good morning.
Senator Edwards. I am from North Carolina and actually live
in Raleigh and I remember vividly----
Mr. Mitnick. I have been there. [Laughter.]
Senator Edwards. You were big news for a long time in
Raleigh. I remember it very well. Let me ask you about a couple
of things. In answering one of Senator Lieberman's questions
about why you got involved in hacking to begin with, I was
listening to the words you were using and they sounded very
much to me like a description of addictive behavior. Do you
believe that addictive behavior is involved with folks who are
habitually involved in hacking like you were?
Mr. Mitnick. I am not sure I would consider it addictive
behavior. It was just an activity I was intensely interested
and focused on, because ever since I was a young boy, I was
interested in telecommunications and computers and that was
just my calling, just like somebody is very interested in
sports and every day they go out and practice. I am not sure
that you can really equate it to like a physical addiction. But
then again, I am not a health services professional, so I would
not know.
Senator Edwards. No, I understand. But did you feel like
you yourself were addicted to this hacking behavior?
Mr. Mitnick. I enjoyed it. I would say it was a distinct
preoccupation, but I do not think I could label it as an
addiction, per se.
Senator Edwards. Did you ever try to stop?
Mr. Mitnick. I did stop for a while, and then at that time
that I was not engaging in that behavior, the Department of
Justice, specifically the FBI, sent this informant to target
me, and basically, I got hooked back into computer hacking
because of the enticements that this fellow that they sent to
target me, enticed me back into that arena.
Senator Edwards. What advice would you give to other
hackers, or probably more importantly, potential hackers?
Mr. Mitnick. That is hard to say. I would have to really
think about that. I do not encourage any activity which
maliciously destroys, alters, or damages computer information.
Breaking into computer systems is wrong. Nowadays, which was
not possible for me when I was younger, computer systems are
now more affordable and if somebody wants to hack, they can buy
their own computer system and hack the operating system and
learn the vulnerabilities on their own system without affecting
anybody else with the potential for causing any type of harm.
So what I would suggest is if people are interested in the
hacking aspect of computers, they can do it with their own
systems and not intrude upon and violate other personal or
corporations' privacy, or government.
Senator Edwards. Do you think it is possible to use things
like click stream data to identify people who are least
potentially going to----
Mr. Mitnick. Excuse me, to use what?
Senator Edwards. Click stream data. Do you know what that
is?
Mr. Mitnick. No.
Senator Edwards. OK. Do you think there is some way to
identify people who are likely to become engaged in hacking
just based upon their patterns of behavior in using their
computer systems?
Mr. Mitnick. I do not know.
Senator Edwards. You said in your testimony, and maybe
someone has asked you this and I did not hear it, that in 20
years of experience in circumventing information security
measures, you have been able to successfully compromise all
systems save one.
Mr. Mitnick. That is true.
Senator Edwards. Which one?
Mr. Mitnick. It was a computer system run by an individual
and this computer was at his home and it was in the U.K., in
England, and I was unable to circumvent the security on that
system because I did not have control of BT, which was British
Telecom.
Senator Edwards. So there is nothing about the security
system itself that gives us a lesson on how we can make systems
more secure?
Mr. Mitnick. See, a real important point is the more people
that have access to a computer system, the easier it is to
penetrate because--well, of course, for the social engineering
exploit, like in government or in large corporations, it is
very easy. But the less people that have access to the computer
system, the less vulnerable it is, and in this particular
instance, it was one person and it was his home machine, so it
was extremely difficult and this person was very, very sharp on
computer security issues. In fact, this individual is the one
that found security vulnerabilities in the VMS operating system
which was manufactured by Digital Equipment Corporation, and
why I targeted this individual was to basically find and obtain
all the security flaws that he discovered in the operating
system because my goal was obtaining information on all
security vulnerabilities so I would be effective at being able
to compromise any system that I chose to compromise.
Senator Edwards. One last thing. In North Carolina, we have
a company called Red Hat.
Mr. Mitnick. Linux?
Senator Edwards. Yes. They have been, as you know, very
successful. I had a meeting a few weeks ago with Bob Young, who
is the founder of that company, and I was just curious whether
you--and based on my discussions with him, I had some feeling
that there was at least the potential for these open source
software systems to be more secure. Do you have any views about
that?
Mr. Mitnick. Yes. I think that is true, the reason being is
they are open for inspection by the public at large and in so
doing, just like with systems that utilize encryption, I think
those security flaws could be readily identified and published
and fixed rather than in a proprietary system where it is not
open to the public and then you maybe have the individuals that
find these holes do not report them and they use them to
exploit vulnerabilities and access computer systems without
anyone knowing the better, or without detection.
Senator Edwards. Thank you very much. Good luck to you.
Chairman Thompson. Thank you very much, Mr. Mitnick. You
have been very, very helpful to us. Good luck to you.
Mr. Mitnick. Thank you.
Chairman Thompson. Thanks for being with us today.
Mr. Mitnick. It is an honor to be here today.
Chairman Thompson. I would like to introduce our second
panel, Jack Brock, Director of Governmentwide and Defense
Information Systems at GAO, who is responsible for most of the
work done by the GAO for this Committee over the last few
years. Also on the panel is Roberta Gross, the Inspector
General for NASA, who has done much work in the area of
computer security and even has a special investigative unit on
computer crimes, so thank you for being with us.
We always take more time with our first panel, whether it
is one witness or 10. We are going to have to be out of here in
about an hour, so as far as we are concerned and the panels are
concerned, let us keep that in mind and do what we can.
Mr. Brock, do you have any opening comments to make?
TESTIMONY OF JACK L. BROCK, JR.,\1\ DIRECTOR, GOVERNMENTWIDE
AND DEFENSE INFORMATION SYSTEMS, ACCOUNTING AND INFORMATION
MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE
Mr. Brock. Yes, sir. I could actually spend my entire time
reading you a list of the reports that we have done on computer
security, many of these for your Committee.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Brock appears in the Appendix on
page 55.
---------------------------------------------------------------------------
Chairman Thompson. Could you summarize all that?
Mr. Brock. Absolutely.
Chairman Thompson. Would you say there is a bunch?
Mr. Brock. There are a lot.
Chairman Thompson. All right.
Mr. Brock. Unlike Mr. Mitnick, when we go into agencies, we
are doing so with the full knowledge and authorization of the
agencies we go in. A long time ago, when we did computer
security work, we examined agencies' controls and we would
comment on those controls and we would say the controls are
inadequate and the agency would say, well, no, they are
adequate, so we disagree with you.
A few years ago, we started doing our own testing of the
controls. We do not call it hacking, we call it penetration
testing. We have been uniformly successful in getting into
agencies. The reports that we have done for your Committee over
the past few years at NASA, State, DOD, and the IRS, indicate
that, typically, agencies have very poor controls.
EPA, which we have just released a report on a couple of
weeks ago, we went in through their firewall, which offered
virtually no protection. We had access to their mainframe
computer center, which had almost no controls set up, and we
were able to wander around the agency almost at will. It was
not really difficult.
At another agency where the firewall offered better
protection, we did what Mr. Mitnick was referring to as social
engineering. We simply call people and say, I am Joe Blow. I am
the system administrator. Here is my telephone number. Call me
back. We are having a problem with your account. Give me your
password, and you can call this number and check it. It is
amazing how many people just call you right back and give you
the password.
If that does not work, you just gain access to the building
and walk around and you find computers that are open. You find
the computer monitors with the password in a sticky on it. It
is not very difficult to get access.
So as we have gone to agency after agency after agency, the
specific weaknesses are usually technical. There is a technical
reason that we are getting in. The software has a hole in it.
The firewall is not very good. It is not very rigorous.
Password protection is weak, or whatever.
We, frankly, after doing many of these and we are doing the
same report over and over, we said, there has got to be a
better way of doing this, and at your request, we looked at
agencies or at organizations that have good computer security,
and there we found that good management attention to the
problem is the secret. It is much like if you have a house and
you have wood rot and people come in and they say, well, you
have got a problem, and you patch it over with a little putty,
you still have that underlying weakness.
We found when we were going into agencies and pointing out
specific computer weaknesses, that these weaknesses would be
corrected. They would patch it. But the underlying causes, the
poor management, the lack of management attention, the lack of
budget, all of these things really did not fix the underlying
problem. So it was like sticking your finger in the dike. You
would plug up one hole and another hole would spring out
somewhere else and things would leak through. That is the
condition we find at agencies, and we find it consistently.
One of the things that your bill does is it changes the
direction of the computer security legislative framework. The
Computer Security Act is inherently flawed in that it is built
on a system-by-system basis. It starts with the premise that
computer security can be fixed at the system level when really
it needs to start at the management level. I would like to
briefly go over a few features in your bill that we think are
very commendable and we would encourage that if legislation is
being considered, that these items be kept.
First of all, it incorporates the best practices that we
found at leading organizations, in other words, those
management practices that agencies or organizations undertook
to, in fact, provide a secure framework throughout their
organization.
Second, your bill requires a risk-based approach to be
implemented by agency program managers and technical
specialists. Let me just talk about this a little bit. If you
do not know what your risk is, and risk is a function of the
vulnerability of the system, a function of the threat to the
system and a function of the value of the information of the
process that that system controls. If you do not understand
your risk, you are not going to put in the right kind of
controls, you are not going to have the right kind of training,
you are not going to have the right kind of testing. Rarely do
we find agencies that do a good job at determining the risk
they face, and again, without determining the risk, you are not
going to know what sort of controls need to be put into place.
Third, your bill provides for an independent audit and we
think that is an absolute must. An independent audit gives OMB,
oversight committees, such as yourself, and agencies themselves
an opportunity to see how well do controls work, how well do
training policies work, how well are they doing as a management
entity in terms of providing good computer security over our
information resources.
Finally, it also eliminates the distinction between
national security and non-national security systems. Right now,
there is a dividing line. We have actually gone to some
agencies and talked to them about computer security and they
say, we do not have any classified information. Therefore,
computer security is not an issue with us. And by having that
distinction between national security and non-national
security, we think that in many agencies, it creates a barrier
to having an effective agency-wide security program.
If I could just indulge you for a moment more, we would
like to talk about a couple of features that we think you
should consider. The first of those, and you alluded to this in
your opening remarks, is that we believe there should be
mandatory standards put into place and that these standards
should be in two parts. The first part would be a standard set
of data classifications which would be used by all agencies,
for example, risk levels ranging from one to whatever, and that
data would be classified in one of these risk elements, ranging
from things that you did not care that much about, information
that was not particularly sensitive, was not particularly
vulnerable, all the way to national security information.
In turn, this would lead to a set of mandatory control
requirements that would set minimum requirements for each of
these data classifications. We believe if this were instituted
across the government, it would improve the ability of the
government to enforce computer security, it would improve the
ability of managers to provide a minimal level of support for
their agency, it would permit better targeting of resources,
and it would improve the ability of the independent auditors to
do a good job.
Finally, we think there is also a need for stronger central
guidance. I think the lessons learned from Y2K is that a strong
central hand, in this case, John Koskinen, really can provide
much needed oversight and impetus to agencies in terms of
making sure that they are following good practices, making sure
that budget submissions are responsive, and in general,
providing the leadership that seems to be lacking in computer
security.
That is my brief statement, and I would ask you, Mr.
Chairman, that my full statement be included in the record.
Chairman Thompson. All statements will be made a part of
the record. Thank you very much.
Chairman Thompson. Ms. Gross, thank you.
TESTIMONY OF ROBERTA L. GROSS,\1\ INSPECTOR GENERAL, NATIONAL
AERONAUTICS AND SPACE ADMINISTRATION
Ms. Gross. Good morning. Thank you very much for inviting
me here to testify on the act. I am here in a double capacity.
I am here as the NASA Inspector General. I also head a task
force that is looking at this bill on behalf of the Inspector
Generals, and so I will weave in some remarks that will reflect
some of the community remarks.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Gross appears in the Appendix on
page 71.
---------------------------------------------------------------------------
This is a world of limited budgets. We all know that. And
in making decisions, agencies have to decide--Mr. Brock pointed
that out--they have to figure out what is the risk to their
systems. Obviously, in an agency like NASA, you are going to
give a different kind of security to the public website than
you would, for example, to protecting the astronauts on the
space shuttle. So you have to make these risk/benefits and that
requirement is a key element of this act.
But there is a complication to agencies making investments
in IT security. I think if you look at the Y2K issue, the
problem of the change of the year for the computers, once it
was a success, headlines were, this was maybe a hype and we
spent too much money. Well, if it was not a success, there
would have been a different set of headlines. So investment in
IT security is very difficult for agencies to make, because if
its security is working, you do not get headlines. But boy,
when it does not work, you get headlines. I think recent events
about the hackers attacking different systems, it makes
headlines. But agencies do not see the visibility of IT
security until it fails.
I would draw your attention to the success of the Y2K
coordinated efforts. I think it provides a model that is
reflected in your bill about how to approach IT security. It
was at the highest level supported and everybody plugged in.
You had the President, OMB, agency heads, the CIOs, GAO, and
the IGs, as well as the Congress in its exercise of oversight,
and the focus worked. We entered the new millennium with
minimal Y2K problems.
This act asks many of the same players to have the same
sustained focus, and that is key, a sustained focus. It was
easy for Y2K, because it started rolling around and everybody
started really focusing on it. But computer security is an
ongoing effort, and I think it will be very helpful for this
Committee and other committees with oversight to keep that
sustained focus.
We (NASA OIG) support the placement of the focus of OMB,
the Deputy Director, having oversight. I think it gives a high
level attention. Also the Deputy Director has a unique vantage
point. The Deputy Director serves as the chair for the IG
councils, the CFO, the chief financial officer councils, the
CIO councils, and also the president management councils (That
is the very senior level executives that head up the agencies).
And so you have a person at a high level that is able to
coordinate all these different councils for a government-wide
focus and I think that was a good selection.
You also make the heads of agencies to be accountable.
Heads of agencies occupy bully pulpits. They are able to set
the priorities of their agencies. Use the Y2K example. I can
remember Dan Goldin saying, ``I am being held accountable and
we are not going to fail.'' He had the bully pulpit and
everybody heard. So this is enlisting again the heads of
agencies, and you need to hold the agency heads accountable
because they can change a culture of ``I do not care,'' or ``we
are just scientists,'' or ``we just want information, how does
it impact me?'' So that is a very important feature.
In terms of the CIOs, we had a discussion with the IG
working groups. Many in the working groups view these CIOs as
not having resources, not having staff, not having budget. Some
even characterize their CIOs as paper tigers. So this act gives
a lot of responsibility to the CIOs and it is going to be
important for OMB and for this Committee and other committees
to make sure that those CIOs have the authority and the
resources to do what this act is expecting.
I would use the example of NASA. We have repeatedly made
criticisms of the way that NASA establishes the CIO. He is
doing the best he can, but he has no budget, or little budget,
he has almost no staff, and NASA has decentralized the CIOs at
each of the centers, and there are ten NASA centers. They (the
center CIOs) do not report to him. He does not control their
budget. He does not do their evaluation. The centers can give
the CIOs collateral duties or they can decide what grade level
the CIO should be: an SES, a 15, or a 14. If they do not agree,
who do they report to? They report to the centers, not to the
CIO, the head CIO. That decentralization and fragmentation
impedes IT security.
To further compound that problem at NASA they have
bifurcated, not bifurcated, they have given each of the centers
various tasks. In Glenn in Ohio, the Glenn Center does
training. In Ames in California, that is the center of
excellence for IT security. You go to Marshall and that is the
center for the firewalls, and on and on. Each center is a
little center of excellence and none of those people report to
the CIO. He does speak with them. They do collaborate. They do
have telecons. But is it any wonder that it takes a long time
for NASA to get any policies and procedures?
We have had reports pointing out instances where this
decentralization and fragmentation, that whole kind of
structure in and of itself weakens IT security, and we have
more to say on that in my testimony, the written testimony.
I want to get to the part of the act that has to do with
the Inspector Generals. In terms of the OIG working group, we
did have a problem with the act narrowly defining the
independent external auditor. Under the act, if the IGs do not
do the work, an external auditor can be hired, but we thought
that that implies a financial orientation and it should be any
qualified external entity, and that is just a wording change.
But one of the things that the OIG working group commented
on was they welcomed the act's tasking. They think you cannot
be doing the high-risk work that agencies are facing without
doing the review work, but the IGs will have to recruit, train,
and retain a good cadre of professionals. That is going to
require the support of the agencies and OMB and the Congress in
supporting their budgets.
In my written testimony, I went through how for the past 4
years I have been recruiting a cadre of people in the audit
arena and in the criminal investigative arena, as well as my
inspectors, and that has taken time and these are a high-paid,
qualified group. They are worth it. They are definitely worth
it. But it does take time and it does take money and this group
(Congress) has got to be supporting the budget that goes with
that.
The last detail that I want to address is the section that
talks about law enforcement authorities. The act requires that
security incidents be reported to law enforcement officials,
but it does not define that term. Where an OIG has a computer
crimes division, then the agency system administrators need to
report security incidents to and work closely with the IG
special agents so that the agency ends up preserving evidence,
maintaining chain of custody, and that you have the documents
that you need and the materials that you need so that you can
have a court case.
The Department of Justice has made clear in writings and in
its actions that it is not just the FBI that does the criminal
investigations on computer intrusions, and in my written
testimony, I have a letter, referred to a letter by Scott
Charney, who was then the former head of the Department of
Justice Computer Crimes and Intellectual Property Division,
where he talks about other agencies that do and have the
authority for computer crimes--Secret Service, Air Force audit
and their investigative service, as well as NASA's Inspector
General. But I think that is very important for this oversight
Committee to understand that.
Obviously, the Presidential Directive, PDD-63, established
the NIPC, the National Infrastructure Protection Center, so
that you can have the critical infrastructure reviews and
investigations done by the FBI. But there are thousands of
intrusions each year and every intrusion is not against the
critical infrastructure. Indeed, at NASA, space does not even
make the critical infrastructure. It is very important, then,
that NASA have a good Inspector General's computer crimes unit,
to have a group that has a focus on NASA as the victim.
It is important that this Congress support the efforts of
Inspector Generals to have a computer crimes unit. It takes
training. It takes training people. You have to have a very
qualified cadre of people. But if you recall, the Inspector
General Act was to have the synergism of audits and
investigations so that if you are doing an investigation and
you see internal control problems, you also tell your auditor
so that they can do a system-wide look-see. That synergism is
very important and it is very important that the Inspector
General communities have computer crimes units so that the IGs
can make sure that they protect the victim agencies.
In sum, I think you have the framework for a very good act.
It has an oversight capacity, which I think is very important,
and it also enlists the players that need to be there--OMB,
heads of agencies, and CIOs. Thank you very much.
Chairman Thompson. Thank you very much. You were invited to
come because of the innovative approaches that you have at
NASA, and you remind us how important the IGs are in this whole
process, so thank you very much for what you are doing and your
helpful testimony.
Mr. Brock, let me address a few questions to you. The thing
that jumps out at me first when I start to look at this, in
February 1997, the GAO had a series of reports to Congress and
things were so bad that this security problem was put on the
high-risk list at that time. Late in that same year, 1997, the
CIO Council, which is, of course, under the OMB, delineated it
as a top priority. On March 31, 1998, the GAO filed another
report on the consolidated financial statements and that report
pointed out widespread deficiencies in terms of information
security. Then again in September 1998, of course, we have this
report entitled, ``Serious Weaknesses Place Critical Federal
Operations and Assets at Risk.'' I do not know how much more
pointed you could be than that.
It is really outrageous that the Federal Government in an
area of this sensitivity cannot do more faster. Since at least
1997, it has been 3 years since we have known--at least--since
we have known about the seriousness of this problem. We get
report after report after report. If I were you guys, I would
wonder why you are even in business and whether or not we pay
any attention to you or not. This last report still points out
serious deficiencies, still do not have any management in the
system, and we are still extremely vulnerable, and it makes you
wonder what in the world it takes to get anybody's attention.
I look back at the current law and wonder, what are we
doing to help the process? Are we overlaying an already complex
process? I see we have given OMB responsibilities before. We
have given agencies responsibilities before. Are we just
telling them again to do it and we really mean it this time, or
what are we really doing? I am playing devil's advocate with
our own bill here, I guess, but are we really doing something
here that is different from all of these other acts, the
Computer Security Act, the Clinger-Cohen Act, Paperwork
Reduction Act, on and on and on, the Privacy Act. I mean, you
have a dozen pieces of legislation that in some way deal with
this overall problem, so our solution is another piece of
legislation. I am very skeptical, generally, of that problem.
Now, I do not want to waste my time or yours on this unless
we are really doing something that, for the first time, can
have some accountability. Until people are held accountable,
until somebody is fired or somebody loses some money or
somebody is embarrassed more than we have been able to so far,
nothing is going to change. It looks to me like we have a
chance here maybe of having some accountability. With the
Results Act and everything, everybody is talking about
measurements and measuring results and accountability from
those results. I do not know whether we mean it or not yet, but
we are all talking about it now, and now we are bringing it to
this problem, measurable outputs and things like that.
First of all, is my assessment off base? If not, why has it
taken so long to do anything and are we, in our bill, really
doing anything that has a decent chance of making a difference?
Mr. Brock. First, Mr. Chairman, as chairman of our
oversight committee, I hope you were not really serious about
wondering why we are in business. [Laughter.]
Chairman Thompson. Well, I would have to ask the same thing
about ourselves, would I not?
Mr. Brock. I agree with your basic premise. It is a shame
that you have to have a bill to mandate good management. I
mean, clearly, it is not a crime now to have good management in
agencies that said, we are going to do things the right way.
But clearly, the reports that we have done for your Committee
over the past few years have indicated agencies are not doing
the things the right way, that something is broken, and that
attention needs to be paid to this.
I think the features you have in the bill, that many of
these features are the kinds of things that are designed to
pick things up by the nape of the neck and shake and grab
attention. The independent assessments every year are a
mechanism where you can identify weaknesses, where you can
identify where accountability should lie and where it has not
been exercised and where it gives the administration, as well
as the Congress, an opportunity to take corrective action, and
that is the next step. Pointing out the weaknesses, pointing
out the management deficiencies is one thing, and then taking
the next step to exercise that accountability is something that
would still remain to be done.
Chairman Thompson. I take it that you feel that we need to
be more specific in establishing standards.
Mr. Brock. Yes, sir.
Chairman Thompson. Than the bill as currently drafted?
Mr. Brock. Yes.
Chairman Thompson. And we need to delineate what with
regard to risk levels, a requirement that they be considered or
we tell them how to consider it, or how specific should we get
on the mandatory requirements in determining risk level and
also how specific in the mandatory minimum requirements, I
guess you might say, in addressing those levels? Obviously, we
cannot deal with all that here today, but----
Mr. Brock. Your bill starts off in the right direction on
that by requiring agencies to do a risk-based assessment. But
once they do the assessment, they need to be able to categorize
that. We have this level of risk, or we have this risk level.
What category should that be in? How risky is it?
Chairman Thompson. That is really kind of management 101,
is it not?
Mr. Brock. Basically.
Chairman Thompson. I guess they do need to be told to do
that.
Mr. Brock. Basically, but if you had it consistent across
the agencies, it would be much easier to have guidance that
could be more easily developed and more easily taught and
trained. But then the next step, if you are at a certain risk
level, what are the minimum things you should do in terms of
authentication, in terms of encryption, or in terms of
independent testing to make sure that you are meeting those
levels of control?
Chairman Thompson. So it would be a mistake to let each
individual agency determine what it needed to do to address
these because they have not shown any indication that they have
the capability or the motivation to do that, is that correct?
Mr. Brock. Yes. I think it is----
Chairman Thompson. You said it would be much easier to have
minimum good standards that would apply to any agency.
Mr. Brock. Right. I think it is appropriate for each agency
to determine its risk that it faces, but then if you had the
common standards. I think just the very process of developing
those common standards would really create a rich dialogue and
go a long ways towards improving a shared understanding among
agencies about what some of the good features of computer
security should be.
Chairman Thompson. And third, you mentioned some stronger
central guidance. Obviously, OMB has not been doing its job.
They have responsibility here. Now their major objection to
your report, I understand, was that you are focusing too much
on our responsibility at OMB and they either do not think they
have that or want it. They are pointing to the agencies, and
the agencies, I am sure, are pointing to somebody else. So here
we go with OMB again, which causes some people to say we need a
new information security czar, because maybe OMB inherently, if
the allocation of their resources and what is going on over
there, maybe they are not the right ones to be bird-dogging
this. They sure have not done a good job of it so far.
What are we doing that is going to improve that situation?
I understand that we cannot even tell where the money that we
appropriate is supposed to go for, maybe it is not line item,
but it is supposed to go for security enhancement. You cannot
even find it. We do not know how it is being spent, in terms of
information security, is that true?
Mr. Brock. That is correct. We have trouble determining how
much money is spent within each agency on computer security. I
think Ms. Gross in her statement, when she talked about the
similarities between the Y2K problem and how top managers
within each agency felt accountable, and I think one of the
reasons they felt accountable was really the strong role that
the central manager, in this case, Mr. Koskinen, made in making
sure they understood they were being held accountable.
We do not have that situation on computer security. I think
it should be closely examined as to whether there should be a
computer security czar, though, and separate that from a CIO
that would have responsibilities for other aspects for
information management. We have rarely gone to a good
organization that had good computer security, and we found out
when we go there that they also have other good information
management practices. It is part and parcel. We have never gone
to a place that had poor information management, where they had
poor lifecycle management, poor systems development efforts,
poor software acquisition processes and had good computer
security. It all runs together.
Therefore, I would be reluctant to suggest that you
separate computer security from the other aspects of
information management. Next year, the OIRA reauthorization
will be coming up and you will have an opportunity at that
time, as well, to examine the Paperwork Reduction Act, the
Clinger-Cohen Act, as well, and I think these are good
questions to also bring up at that time.
Chairman Thompson. We are looking forward to that, but we
are not vesting responsibility there in this bill. We are
bringing it to a little higher level than that, but thank you
very much.
Senator Lieberman.
Senator Lieberman. Thanks, Mr. Chairman. Thanks to both of
you. I think your testimony, both written and here today, has
been really very direct and very helpful and you are both
obviously quite knowledgeable. The Chairman has covered some of
the areas I had an interest in, so I will be fairly brief.
I take it that you agree not only with what Mr. Mitnick
said, but what I have learned generally in my reading here,
that a lot of the problems of computer security are cultural,
which is to say human, correct?
Mr. Brock. Yes.
Senator Lieberman. Beyond management, which obviously is
critical and at the heart of this, let me just ask you to speak
a little bit more about the question of whether there should be
consequences if a Federal employee fails to follow proper
procedures relating to computer security. Or, on the other end,
whether there ought to be consequences for exemplary behavior
with regard to computer security.
Mr. Brock. Yes, I would agree with that. The problem we
have, though, and some Federal agencies are going to, that
accountability is always at the technical level. Well, we have
had a break-in, we have had a failure, it must be the guys in
the computer room's fault or we would not have had this. And
for specific weaknesses, that might well be true, but the
accountability typically does not extend upwards into
management, where an atmosphere has been created or budget
resources have not been appropriated or whatever and those
individuals also need to assume their share of the
accountability.
In the private sector, we found very definite links and
control mechanisms for measuring accountability, for measuring
performance against that accountability and holding individuals
responsible, whether they be system administrators or the
system process owners.
Senator Lieberman. How are they held responsible in the
private sector?
Mr. Brock. In one good example we have, managers have to
define the risk. Along with the technical people, they agree
upon the vulnerabilities and the threats. They then have to
allocate money and resources to providing an appropriate level
of protection and they sign off on that. At the end of the
year, the independent audit comes in and, first of all,
determines did you, in fact, appropriately determine the risk
and are you appropriately protecting these to the level you
agreed upon.
In some cases, we found good examples where they made a
business decision not to provide a level of protection, but it
was a business decision and it was examined and agreed upon by
the board. And in some cases, I believe that people were fired
when they failed to meet the terms of their contract.
Senator Lieberman. Ms. Gross, do you want to add anything
about individual accountability here?
Ms. Gross. Yes. I think what you have to do is first
implement a training program----
Senator Lieberman. Right.
Ms. Gross [continuing]. Because this is very much a
cultural thing. I mean, NASA, you go to, for example, the
Goddard Space Center and its scientists, its engineers, they
are collegial. They are talking with universities and they are
interested in their earth science programs and they do not
think about security. It is not until, for example, you will
tell a scientist who is collecting data and working on a
journal article, if somebody takes your information through the
computer and publishes that information a year ahead of you or
6 months ahead of you, do you care? Oh, they all of a sudden--
it comes home that it actually does impact them.
Senator Lieberman. Sure.
Ms. Gross. And I think the GAO audit on NASA pointed out
they did not have a training program. They still do not. They
are still getting it together and trying to work out what
should be the appropriate training program, partially because
they did not have IT security standards, so how can you develop
your training program. But meanwhile, you have to have systems
administrators trained. They expect to have it in 2001. You
cannot wait until 2001. You have got to have systems
administrators held accountable in some ways.
So the issue on accountability is a lot more complex than
just saying, you have got to be accountable and we are going to
take action. On the other hand, on very simple, no-cost, low-
cost things that the agency can do, they should be held
accountable. They are supposed to banner their systems, both
for law enforcement and for downstream liability, it is
supposed to say, this is a government computer, you are
accessing a government computer, so the hacker knows he is
trespassing. He cannot say, oh, I was just surfing. I was
looking for America On-Line and look what I got, I got NASA.
So bannering is simple, but it does not happen. In that
case, if a system administrator is not going to banner the
computer, we just take away the computer. They cannot do their
science. That you can hold for simple, no-cost, low-cost, which
we have identified and we can continue to identify. You can
hold them accountable because it makes the agency safer right
away.
On the other hand for some of the major accountabilities,
you have to have risk assessments and you also have to then
make sure that your systems administrators, and that is not
insignificant numbers, are trained, and let me explain why I am
saying it is not an insignificant number.
For example, the Goddard Space Center, they said, how many
of you think that you are system administrators, in other
words, you have basically root access and have super controls
of the computer. Nine hundred people need a basic training and
an advanced training so that they can be systems
administrators, and in many of those cases it is a collateral
duty. They are not security specialists, they are scientists,
but they have a very powerful computer system that networks
with other systems, so they need training.
So I am trying to put it in a context, because you can say,
OK, we are going to hold people accountable and we should have
very powerful consequences. I think that, definitely, agencies
can start immediately, no cost, low cost. There is no reason
why agencies cannot be bannering their computers. That is
nothing new.
Senator Lieberman. Right.
Ms. Gross. There is no reason why people cannot be using
passwords that are a little more difficult than the dictionary.
I mean, the security office gives instructions on how to have
better passwords. All those things, you can start holding
people accountable for, and I think what you end up having to
have is your CIO making a range of things that we expect
tomorrow or next week, and these are the other things we are
going to phase in, but it takes attention, and again, you start
with the bully pulpit of the head of the agency. You (Congress)
all have the bully pulpit also, and that is important, but the
agency does, too.
Senator Lieberman. Right. I think the intention of the
bill--though it does more than this--is to raise up computer
security as a priority consideration of Federal agencies and of
individual Federal employees who have responsibility.
Let me ask a last question of you, Mr. Brock. I am sure you
know that the President proposed a Federal Intrusion Detection
Network, FIDNet, to monitor patterns of intrusions in the
Federal systems, which is supposed to be housed at GSA's
Federal Computer Incident Response Capability office.
Mr. Brock. Yes.
Senator Lieberman. In your testimony, you mentioned the
need to improve the government's ability to respond to attacks
on computer systems. So my question is, just to build a bit on
whether we need a stronger Central Incident Response Center,
whether the President's idea and location is the right one.
Mr. Brock. Well, those all go together.
Senator Lieberman. Right.
Mr. Brock. We do believe that incident response is
important and that intrusion detection is important. A specific
criticism we had of the President's plan was the fact that it
focused so much on intrusion detection, you began to get the
impression that that was the primary means they had of
improving the government's or the Federal Government's computer
security program.
Senator Lieberman. You mean as opposed to all the other
management----
Mr. Brock. As opposed to prevention, for example.
Senator Lieberman. Prevention, right.
Mr. Brock. One agency that we have gone to at EPA, they did
a pretty good job of reporting and recording their intrusions.
They did a very bad job of doing anything to prevent those
intrusions or in analyzing those intrusions in order to take
corrective action.
So intrusion detection is important. It is important to
share that information with other agencies so that you can
learn from it. So to that point, we strongly support sharing
the information. We would strongly support some sort of
incident response capability so that you could take action, but
it needs to be part and parcel of an entire program and should
not be the primary or the only focus of such a program.
Senator Lieberman. Thanks very much. Thank you both. That
was very helpful.
Chairman Thompson. Thank you very much. We could spend a
lot of time with the both of you. You have been very helpful
today and we will continue to work together on this. We
appreciate your contribution to this and your fine work.
Mr. Brock. Thank you.
Ms. Gross. Before I go, I would like to just incorporate
into the record my full written testimony.
Chairman Thompson. Absolutely. All statements will be made
a part of the record.
Ms. Gross. And both Senators, I would like to leave for you
all, we have done a ``Clearing Information From Your Computer's
Hard Drive'' pamphlet. Mr. Mitnick was saying how easy it is at
the lowest levels to end up having intrusions. This is when you
excess your computer and you get a nice new super computer and
you think you have deleted all your files and what happens is a
lot of your information that you think is very sensitive is
going out to schools, to prisons, etc. We have some on the desk
and I certainly draw this to your attention. Thank you.
Chairman Thompson. Thank you very much.
On our third panel, we are fortunate to have Ken Watson,
Manager of Critical Infrastructure Protection at Cisco Systems,
Inc., and James Adams, who is the CEO and co-founder of
iDEFENSE. Both of these gentlemen are known in the industry as
experts on the issues related to information protection and
security.
Gentlemen, thank you very much for being with us here
today. Mr. Watson, do you have an opening statement to make?
TESTIMONY OF KENNETH WATSON,\1\ MANAGER, CRITICAL
INFRASTRUCTURE PROTECTION, CISCO SYSTEMS, INC.
Mr. Watson. Thank you, Chairman Thompson, Ranking Member
Lieberman, and distinguished Members who are here. I appreciate
the opportunity to speak to you about network security best
practices.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Watson appears in the Appendix on
page 83.
---------------------------------------------------------------------------
The last 8 years of my 23 years in the Marine Corps I spent
helping to draft policy and doctrine for information warfare
and taking joint teams and conducting information operations to
integrate those into other military operations. When I retired,
I went to work for WheelGroup Corporation, where I managed our
security consulting team. We would do legal contracted security
posture assessments in corporate networks and provide them
reports of their vulnerabilities. When Cisco acquired
WheelGroup, I transitioned to critical infrastructure
protection and that is my role now at Cisco.
That team just recently conducted a 6-month study of
vulnerabilities in corporate networks and I have put together
the top three to five vulnerabilities that were discovered in
every area as the last two pages of my written testimony and it
is just a table of what are the vulnerabilities and how do you
fix them. It is important to note that the way this team works,
it does not use anything like social engineering or other
things that might cross the bounds into becoming illegal
activities. They concentrate on working at the keyboard only
and finding technical vulnerabilities and that is it.
It is kind of interesting that they are continually
successful in penetrating external defenses about 75 percent of
the time, but once inside, they are about 100 percent
successful in gaining unauthorized access between machines
inside a network, and that would be true for government or
private sector networks.
Cisco systems is serious about network security and about
its implications for critical infrastructures on which this and
other developed nations depend. Few can argue that the Internet
is changing every aspect of our lives. Internet economy is
creating a level playing field for companies, countries, and
individuals around the world. In the 21st Century, the big will
no longer outperform the small. Rather, the fast will beat the
slow.
So how do you decide on a best practices solution? I would
like to offer a simple way to organize network security
technologies and practices and talk a little bit about what
Cisco has seen in customer networks. Our model is not
reinventing the wheel, but it is what we call the security
wheel and it talks to five general areas where you can group
technologies and practices and it is a management model.
Good security must be based on policy. Employees must know
what they can and cannot do with company systems or government
systems and that they will be held accountable by whoever is
the boss, the CIO or whoever is accountable, and those people
should be accountable, also.
The policy must also be risk-based, so I am in concurrence
with a lot of what you have already heard today.
After setting appropriate policies, a company or
organization must methodically consider security as a part, an
integrated part of normal network operations. This could be as
simple as configuring routers to not accept unauthorized
addresses or services, or as complex as installing firewalls,
intrusion detection systems, authentication, and encrypted
virtual private networks.
A basic tenet of military combat engineers is that an
unobserved obstacle will eventually be breached, and that is
also true for networks. Hackers will eventually figure a way
around or through static defenses. The number and frequency of
computer attacks is constantly on the rise. There are no
vacation periods. As such a critical part of the security wheel
is to monitor the network, intrusion detection and other
monitoring devices, so that you have 24 by 7 visibility into
what is going on inside and outside the network.
The next stop is testing the network. Organizations that
scan their networks regularly, updating electronic network
maps, determining what hosts and services are running, and
cataloging vulnerabilities, and they should also bring in
experts for independent network security posture audits once or
twice a year to provide a more thorough assessment of
vulnerability.
It is just like cleaning your teeth. We brush our teeth
every day. Those are like your internal own network scans. And
you go to the dentist once or twice a year and get an
independent outside observation. It may be painful, but you get
a lot of good out of it in the long run.
Finally, there needs to be a feedback loop in every best
practice. System administrators must be empowered to make
improvements. Senior management has to be held accountable for
network security. Those involved in day-to-day operations must
have their attention.
If you were to ask me, what is the most important step to
do right now, I would give you two answers, one for the short-
term and one for the long-term. In the short-term, the best
thing I think any company or organization can do is to conduct
a security posture assessment along with a risk assessment to
establish a baseline. Without measuring where you are, you
cannot possibly figure out where you need to go.
For the long term, the best thing we can do together is to
close the alarming skills gap. The requirement for highly
skilled security specialists is increasing faster than all the
training programs combined can produce qualified candidates.
Universities are having difficulty attracting both professors
and students. The government is also having a hard time
retaining skilled security professionals. We in the private
sector are building and maintaining state-of-the-art security
training programs and we are collaborating with education
institutions and training partners to provide a wide base for
delivery.
We are also helping the Office of Personnel Management to
identify knowledge skills, abilities, and ongoing training
requirements and career management and mentoring ideas for a
Federal IT security workforce. This human resources issue is by
far the most critical information security problem we face in
the long term and the solution must be based on government,
industry, and academic collaboration.
Corporate network perimeters are blurring. That is also
true for the lines between government and industry. The
Internet knows no boundaries and we are all in this together.
We are very enthusiastic about the new Partnership for Critical
Infrastructure Security, a voluntary organization of some 120
companies from across the country dedicated to improving the
network security of our critical infrastructures.
As we further build the relationship between the public and
private sectors, we hope the great spirit of cooperation
currently led by the Department of Commerce and the Critical
Infrastructure Assurance Office will continue.
We believe that confidence in e-commerce is increasing.
Thirty-eight new web pages are being added to the World Wide
Web every second. Our job, all of us, all of our job, is to
raise the bar of security overall, worldwide, so that we can
empower our citizens and customers to take full advantage of
the Internet economy in the Internet century.
Thank you very much. I will be glad to answer any
questions.
Chairman Thompson. Thank you very much. Mr. Adams.
TESTIMONY OF JAMES ADAMS,\1\ CHIEF EXECUTIVE OFFICER,
INFRASTRUCTURE DEFENSE, INC.
Mr. Adams. Chairman Thompson, Ranking Member Lieberman,
thank you very much for including me on this distinguished
panel.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Adams appears in the Appendix on
page 88.
---------------------------------------------------------------------------
By way of brief background, my company, iDEFENSE, provides
intelligence-driven products--daily reports, consulting, and
certification--that allow clients to mitigate or avoid computer
network information and Internet asset attacks before they
occur. As an example, iDEFENSE began warning its clients about
the possibility of distributed denial of service attacks, the
kind of hacker activity that is capturing headlines currently
around the world, back in October and November of last year.
At the outset, I would like to commend you and your staff
for crafting such thoughtful and badly needed legislation in
the area of computer security for the Federal Government. We
are currently in the midst of a revolution, the information
revolution, which calls for dramatic and bold steps in the area
of securing cyberspace. It is in this context that your bill
takes a crucial step forward by shaking out the current culture
of lethargy and inertia gripping the Federal Government. With a
proposal to put teeth into the OMB's oversight of computer
security issues, this bill is a solid step in the right
direction.
Why does this matter? Few revolutions are accomplished
without bloodshed. Already, as we plunge headlong and terribly
ill-prepared into the knowledge age, we are beginning to
receive the initial casualty reports from the front line of the
technology revolution and to witness firsthand the cyber
threats that, if allowed to fully mature, could cause
horrendous damage.
The recent denial of service attacks were mere pinpricks on
the body of e-commerce. Consider instead that some 30 countries
have aggressive offensive information warfare programs and all
of them have America firmly in their sights. Consider, too,
that if you buy a piece of hardware or software from several
countries, among them some of our allies, there is real concern
that you will be buying doctored equipment that will siphon
copies of all material that passes across that hardware or
software back to the country of manufacture.
The hacker today is not just the stereotypical computer
geek with a grudge against the world. The hacker today is much
more likely to be in the employ of a government or big business
or organized crime, and the hackers of tomorrow will be all of
that and the disenfranchised of the 21st Century who will
resort to the virtual space to commit acts of terrorism far
more effective than anything we have seen in the 20th Century.
The government, in all its stateliness, continues to move
forward as if the revolution is not happening. Seven months
ago, my company won a major contract with a government agency
to deliver urgently needed intelligence. The money was
allocated, the paperwork done. Yet, it remains mired in the
bureaucratic hell from which apparently it cannot be
extricated. [Laughter.]
Another government agency is trying to revolutionize its
procurement processes to keep up with the pace of the
revolution. They are proudly talking about reducing procurement
times down to under 2 years. In other words, by the time new
equipment is in place, the revolution has already moved on 8
Internet years. In my company, if I cannot have a revolutionary
new system in place within 90 days, I do not want it.
The Thompson-Lieberman legislation is a good first step to
try and control and drive the process that will bring the
government up to speed with this revolution. I believe,
however, that to effectively cope with the technology
revolution, this proposal must be strengthened. What is needed
is an outside entity with real power to implement drastic
change in the way government approaches technology and the
underlying security of its systems. Currently, jurisdictional
wrangling, procurement problems, and a slew of other issues are
seriously hampering the government's ability to stay current.
The Thompson-Lieberman bill provides a framework to begin
sorting through this mess. However, what is needed most is a
person or an entity that will draw on skill sets in many areas
that will overlap that of the CIOs, CFOs, CSO, and most of the
other officers or entities that currently exist. Let us give
this person the title of Chief of Business Assurance, or
perhaps the Office of Business Assurance, to relate it directly
to the Federal Government.
The OBA's task would be to continuously gather and
synthesize infrastructure-related trends and events, to
intelligently evaluate the technological context within which
the organization operates, to identify and assess potential
threats, and then to suggest defensive action, or viewed from
the positive side, to assess the technological revolution's
opportunities and propose effective offensive strategies. The
OBA must be a totally independent organization with real teeth
and real power.
There is much in common between government and industry
when it comes to the challenges and the opportunities that the
technology revolution poses. Both sectors face a common threat.
Both factors share common goals for the well-being of America
and her people. Both employ technologies that are, in essence,
identical, and both must work together to protect each other.
I leave you with this thought. In the near term, you will
see total transformations of the way business and government is
conducted, internally and externally. A failure to change to
meet these new challenges is to risk the destruction that all
revolutions bring in their wake. Proactive action is the route
to survival.
We have heard a great deal in recent months about the
potential of a digital divide developing between the computer
haves and the computer have-nots. I believe there is another
digital divide that is growing between the American Government
and its citizens. If this Committee's efforts do not move
forward in changing this culture of inertia, there is real
danger that the digital divide that exists between government
and the private sector will only widen. We cannot afford a
situation where the governed feel that their government is out
of touch and increasingly irrelevant to their lives. By
stepping up to the plate and tackling computer security with an
innovative, bold approach, the Thompson-Lieberman bill
significantly boosts the chances of reversing the current
bureaucratic approach to a very dynamic problem.
Thank you again for the honor of appearing before you.
Chairman Thompson. Thank you, Mr. Adams. Very well said.
You heard me mention, I am sure, a while ago about all of
the reports and assessments and so forth over the last 2 or 3
years pointing this out. Now, in addition to all of that, we
have the President's first version of the National Plan for
Information Systems Protection. The plan discusses the need to
make the government a model for cyber protection.
As I look at it, I see few concrete proposals as to how to
do that. As you know, I am mindful of these overlays and these
impressions that we try to leave sometimes that we are doing
something when we are really not. Where does this plan fit into
the solution to what we are talking about here today?
Mr. Adams. Well, I would just say a couple things about
that. First, the plan was 7 months late. It is not a plan, it
is an invitation to dialogue, a very different thing. If you
asked those who were involved in the formulation of the plan,
they will tell you that it was a ``business as usual,
government at work'' nightmare. Every meeting, 100 people would
turn up. They would talk about not what was good for the Nation
but what was good for their existing equities.
The result was a bureaucratic compromise, which is the
document that you see, that raises some interesting points. But
a plan will actually emerge, I would guess, a year from now,
longer. Meanwhile, we all march on. It requires, I think, more
than that, and where the action will have to come from and the
leadership will come from is exactly right here. It is not
going to come from the Federal Government as we know it,
because it is a revolution and governments do not become
revolutionaries. They naturally evolve, which is a great
strength in a democracy. But in the middle of a revolution, it
is actually a threat and a challenge to us that we need to step
up to try and meet.
Chairman Thompson. So we are trying to do something very
tough but very necessary, is what you are saying.
Mr. Adams. Absolutely, and the great thing, I think, that
you are doing is saying, yes, this needs to be done. The very
difficult thing for you, as you were rightly articulating
earlier, is how to force what needs to be done to actually
occur, because you say to the OMB, an inert bureaucracy in its
own right, you have to force other organizations to change.
True, but how exactly, and typically, it does not work like
that.
If you look at what the CIA is doing to try and embrace the
revolution, they formed an outside organization, INCUTEL, that
is driving technology revolution into the organization and
pushing change from without to within, and to expect or ask
organizations that are comfortable with business as usual to
say, no, no, no, revolutionize, they will not do it. Imposition
of change is the only way it will occur, and it will be
resisted, but the consequence of not doing it can be very, very
serious, and you can already see how relevant does anybody in
Silicon Valley think the government is--not at all.
Mr. Watson. If I might add a comment----
Chairman Thompson. Yes, go ahead.
Mr. Watson. Mr. Chairman, the plan is not a complete plan
yet, but at least----
Chairman Thompson. We are relevant in terms of the harm we
can do them and how we can mess things up. From a positive
standpoint, it is a very good question. Excuse me. Go ahead.
Mr. Watson. But at least there was enough foresight in the
Critical Infrastructure Assurance Office to at least get a plan
started, and it is an invitation to a dialogue. They have asked
industry to help complete this plan, add our perspective, bring
in a physical dimension, look at the international aspects that
are not in the current plan. I look forward to working with the
Partnership, the big ``P'' Partnership that we just launched,
to help make that come to pass.
Chairman Thompson. It has taken 3 years since this all has
been on the high-risk list, and now, when we cannot even take a
baby step, we are talking about flying an airplane, and
international and all these other high-sounding things which
may eventually come about when China becomes a full democracy.
Let me explore, you obviously feel like we have to have
some kind of an outside entity. You refer to the OBA. Where
does this individual fit into the process? What kind of entity
are you talking about? Who is this person? How is this person
selected? Who are they accountable to? I take it it is not
within OMB, is what you have got in mind. Have you thought that
through to that extent?
Mr. Adams. I think OMB has got a long and traditional role
in oversight and it does that job and has done so for a long
time. It would be possible to have something sitting outside of
OMB but working within the Federal Government structure but
with a rather different mandate.
If you look at the way industry sets up revolutionary
change, it does so by--Steve Jobs and Apple is a good example.
Put them in a different building, you set them outside the
culture, you put a pirate flag on the roof, they develop their
own language and culture and they come up with new and creative
ideas.
What we see at the moment is the traditional organization
says we will go to the traditional places, the traditional
consulting companies. They are use to forming committees,
punching button A, producing a report in 6 months. Everybody
thinks about it and does not do anything. Meanwhile, the people
who really are making this revolution occur are the very
different organizations that are the dot-com companies, and
there needs to be some mechanism for allowing them to have
input into change.
So I would envisage something where you, Congress, would
mandate and budget a group that would have the ability and the
authority to impose change. Now, there is a thought, to impose,
and if you do not do it, you will be held accountable in a
culture, remember, where many of the things that government has
traditionally thought of as its own self.
To take Cisco, for example, they have 26,000 employees.
They have three people in the whole organization doing expense
accounting. Now, in the government, you have hundreds and
thousands or however many people doing the process that can be
outsourced. So we need to think about this and how can we make
government efficient, relevant, fast moving, changing, dynamic,
and I do not believe that it can be done imposing internal
solutions.
Processes and all of those things need to come from
outside--technology, people, and processes. They will not be
able to meet the technology because they cannot procure it fast
enough. They cannot hire the people because they cannot afford
them. We cannot, and we are paying much more money. And you
will not have the processes because you need to impose them in
a constantly dynamic way. So those three things will have to
come from outside, and the only place that can mandate it, I
think, is Congress, which will enforce it, enforce a different
structure, a different way of thinking.
Chairman Thompson. Thank you. Senator Lieberman.
Senator Lieberman. Thanks. Again, thanks to both of you. I
think, Mr. Chairman, we have had really excellent witnesses
today.
Mr. Mitnick earlier made the allegation that part of the
problem here, though, as you know, he focused on the human
management problem, is that there is such competition,
particularly among software manufacturers, to get the product
out to the market quickly that they are not spending sufficient
time to deal with potential security flaws in that software. In
fact, you have actually gone one step to the other side, really
stunningly, or to me, fascinatingly, in saying that some
foreign manufacturers may, in fact, be putting, I do not know
whether you would call it a virus or something in the system
that allows it to divert information back to them to be more
easily hacked.
Let me ask you to go at both parts of that. First, whether
Mitnick has a point that manufacturers are not spending
sufficient time dealing with systems to stop security problems
before they put their products on the market.
Mr. Adams. Well, we clearly know that that is correct. The
rush to market, speed is of the essence. You clearly do not
waste time. They are able to get away with that partly because
we are all rushing forward with the revolution and absorbing it
as fast as we can, and partly because there is not any
training, there is not any process, and people are not security
aware.
If there was, as Jack Brock was talking about earlier, a
minimum benchmark above which you have to be, then there would
become a market-driven demand. I am not going to buy this
software because it just simply does not meet my minimum
standard, but I will buy this because it does. So there will be
a market-driven enforcer that would say, if you do not raise
your standards to become more security aware, you are out of
business.
Senator Lieberman. Yes. In other words, people who are
doing it may advertise that as an attribute, for instance----
Mr. Adams. Absolutely.
Senator Lieberman [continuing]. Market it, and then,
hopefully, you drive the market.
Mr. Adams. My security is better than his security, so----
Senator Lieberman. So you should buy mine.
Mr. Adams. Exactly right.
Senator Lieberman. Do you want to respond, Mr. Watson?
Mr. Watson. Yes, sir. We do see market pressure to provide
more secure products and that is why we do provide a whole
range of them and everyone else is getting into that game, too.
Senator Lieberman. Right. So that is happening now?
Mr. Watson. It is happening. No. 1, demand from the market
is speeding quality of service. No. 2 is security, and that may
switch. We do not know. There is a great enabler that security
brings to freedom of use of the Internet economy.
Senator Lieberman. Say a little more about this other part
of it, the other side, that some foreign manufacturers are
putting in gaps, vulnerabilities in the system that they can
then penetrate. Is that being done by them for private gain or
is it being done by their governments or what is happening?
Mr. Adams. If you look at the way, to take just 2, China
and France, see the opportunity of the virtual space, they see
this as no different from the terrestrial environment and there
is a blurring, unlike in the United States, between the public
and private sector. So what the Nation does, it does on behalf
of the private sector.
It was striking when I was in Moscow a couple of years ago
talking to their intelligence people and their sort of security
folks in the prime minister's office. They were obsessed by
what they felt were American attacks in the virtual space. So
any equipment they bought from overseas, computer software,
hardware, they felt had bugs of one kind or another planted in
it.
Senator Lieberman. That U.S. manufacturers had put in it?
Mr. Adams. Yes. Now, I have no idea whether that is true or
not. What we do know is that other countries are very
aggressively, indeed, contacting the United States, both with
their impregnated devices of one kind or another and attacking
through the virtual space. The challenge that we have is that
we still see the front line as a Nation as soldier/sailor/
airman/marine, our border. The front line actually is the
private sector, because as you were rightly saying earlier, who
is going to attack a soldier? You are actually going to attack
the power grid or the telecom or you are going to steal the
national intellectual property, and how easy it is because we
do not actually understand the threat.
The awareness among CEOs or CIOs in the private sector and,
indeed, in the public sector, is lamentable, and yet the threat
and the way the America's technological advantage, and the fact
that we are the most wired Nation in the world, is being
exploited on a daily basis is a national outrage, and yet here
we are.
Senator Lieberman. Is there any way for a purchaser of a
software system with a bug in it to determine that there is a
bug in it as they use it?
Mr. Adams. You can, but it is very difficult. It is
rather--I would say that there needs to be some way of a
dialogue taking place between the traditional defenders of the
nation-state, the intelligence community, the early warning
system----
Senator Lieberman. Right.
Mr. Adams [continuing]. And those that are in the front
line and need to be defended. There is intelligence. There is
information. There are things that you can do, but the degree
of sharing of that knowledge is very, very limited indeed
currently.
Senator Lieberman. One of the things that strikes me, and
you referred to it in a way, is that not only would a hostile
power or group think about striking at purely private systems,
but governmental systems and military systems even use private
communication lines to convey information so that there is
vulnerability in different ways. So what you just said is very
important: There is more electronic interdependence of public
sector and private sector than we generally acknowledge, and,
therefore, a true solution to this security problem really has
to be joint.
Mr. Adams. That is right, and if you think about how we
traditionally see the nation-state, we see it as the government
and the private sector goes on and does its thing and helps the
nation-state when war breaks out. In the virtual space, war is
going to be a constant. It is no different, if you like, to the
way we were with terrorism in the early 1970s, when Congress
would have hearings about bombings and assassinations and the
bombers and assassins could choose the time and place and the
target. We were very undefended. We did not understand the
problem.
This is very similar to that, except the targeting has
changed. The methods have changed. We are moving everything to
the virtual space and the same actors are out there. It is just
that we do not yet understand how to manage it, and it will be
a comprehensive thing. There is no single fix. It is a series
of things, some of them being done by Cisco with some of the
excellent things that they make, some of them being done with
the public-private partnership, some of them being driven by
leadership that is going to come from people like yourselves.
Senator Lieberman. Very interesting. As you both know but I
think a lot of people out there do not know, it was the Federal
Government, certainly through DARPA and the Defense Department,
that did some of the initial work that led to the Internet and
to the whole information revolution. Now, of course, we have
fallen behind, certainly in this computer security part of it,
behind the private sector that we in government gave birth to
or spawned.
Do you have any ideas for what we might do to help
government both be a stimulator, an incentivizer of more
sophisticated computer security technology? Or in a broader
sense, thinking perhaps idealistically, what government can do
to be a model itself, which it is not now, for computer
security?
Mr. Adams. If I can give you one statistic first, 20 years
ago, 70 percent of all technology development was funded one
way or another in America by the American Government. Today,
that is under 5 percent. So in a single generation, you had an
absolute transfer of energy, drive, and power from public to
private. So what that says is that there needs to be--the
public sector is never going to be a model. It cannot move fast
enough. It is never going to be a zero-sum game. You are never
going to get rid of the problem. You are only going to be able
to effectively manage it.
So it is how to incorporate the private, how to see that
the solution is outside and bring it in, rather than thinking
about it being inside and imposing it out, and it is a very
different way of thinking and a very radical way of thinking
for government in its whole, because government in its whole
tends to think that I am the answer, and in this case, that is
not it.
Senator Lieberman. I also serve on the Armed Services
Committee. While this is not the perfect model and it is the
minority of what happens, there is a lot more willingness to
buy off-the-shelf today. In fact, some of our major defense
systems are being built in a way that allows parts to be pulled
out and the newest parts from the private sector to be put in
over time, and maybe that is a model for computer security, as
well.
Mr. Watson, do you want to respond?
Mr. Watson. Yes, sir. First of all, it is true that the
Internet knows no boundaries. There are no more perimeters, no
more borders. It is all cyberspace.
Two things, though. Industry tends to develop things at
Internet speed and move a lot faster than most governments can
move. Since industry owns and operates most of the
infrastructures on which the government, both private
government and the infrastructures that we run, depend, it is
our responsibility to do our part to develop solutions and we
are doing that.
Also, in our studies, we have discovered that you can spend
a lot of time studying the threat, but it is a lot more
profitable to look at vulnerabilities and solve those to raise
the bar of security. So that is the direction that we are
taking. We are looking at vulnerabilities and addressing those.
That is why it is important to do security posture assessments,
risk assessments, to look at where you are and to know what you
can fix at zero or little cost, as the NASA IG said.
Two provisions of the S. 1993 bill, I think, are really
important. One is that it does include security as an
integrated part, component, of each agency's business model and
it emphasizes training as essential. That is a multi-faceted
problem. Training security specialists is something we need to
do and training everybody in the awareness problem and how
users can better exercise security is important.
Senator Lieberman. Should we be building on the DARPA
model? Although again, maybe the private sector is zooming so
far ahead that we do not have to do that. But there are certain
areas in which, over time, we have found that because of market
pressures, the private sector may not invest enough in research
and development and so the government gets involved to do that.
Is this an area where we ought to be targeting more Federal
money in R&D and computer security breakthroughs?
Mr. Watson. Before we will know the answer to that, it is
important to have some kind of a clearinghouse and finding out
what industry is doing, what academia is doing, what the
government could target its money so it is not duplicating
efforts. And I think the vehicle that we have in place right
now, it is just a beginning, is the Partnership for Critical
Infrastructure Security, and maybe the PCIS recommendation for
the Institute for Information Infrastructure Protection might
be able to be that clearinghouse.
Senator Lieberman. Right.
Mr. Adams. I also think, though, that the way of--you take
the DARPA model----
Senator Lieberman. Right.
Mr. Adams [continuing]. You speak to folks at DARPA now, as
you, I am sure, know, they focus not so much on inventing the
new but integrating what is there, a different thing. Private
industry is moving very, very rapidly. Cisco invests more money
in thinking about new stuff on securing the Web than the
government could ever really get together.
Senator Lieberman. So maybe there is not a need for us to
do it if the market is driving it.
Mr. Adams. But maybe there is a different way of doing it.
I mean, what is there that the Federal Government can do to
influence the outcome for the Nation? Education is
fundamentally important. We go home at night, we unlock the
door. We leave in the morning, we turn on the burglar alarm, we
look the door, we make sure the windows are shut, and so on.
Nobody is being trained in these elementary things.
There is an enormous amount that could be done in education
in schools, in universities, in funding programs, seed money
that would ensure the security of the Nation going forward into
this century rather than looking at, well, we have put in a
spot of money here, but instead thinking about this in a
national context. What is the best for the Nation as a whole
that we, the Federal Government, can facilitate, because the
private sector is continuing again to drive this revolution. So
education is extremely important. Awareness is extremely
important. And this is a major national security issue, so
there are things that can be done from the Federal down to the
local level.
Senator Lieberman. Thank you both. You have been excellent
witnesses. I appreciate your time.
Mr. Watson. Thank you.
Chairman Thompson. Could I ask, just very briefly, how
would you sell that from a national security standpoint? We
talk about educating the young people and bridging the gap
between the rich and the poor and all that, but how would you
articulate the necessity to do that from a national security
standpoint? These are kids. They are obviously going to use it
in the short-term for things other than that. But from a long-
term national benefit, are there not going to be just
specialists that do that sort of thing? For the masses, it is
certainly beneficial and maybe necessary, but does it really
have to do with national security?
Mr. Adams. I would not posture it quite like that. Let me
give you a brief anecdote. I was in a meeting about national
security, American national security, a little while ago
talking about future threats, 5 to 10 years. There was general
agreement that China is a very significant threat to the United
States.
At that same meeting, one of America's leading high-
technology companies, they had one of their senior officers
there and he was describing how they have had to make an
investment decision about a new technology product that they
are making, a new next step in the revolution. This is an
American company. Where do we go? We go to the place where
there is a customer base, where we have cheap labor and we have
a high number of engineers. Where do they build their new
factory? China. National security is irrelevant.
So the argument is not national security. The argument is
what is going to be the resource for America in this century.
Answer, trained and qualified people who can manage and master
the revolution. As part of that, as part of that education
process, just as you get trained in sanitation or good health
practices, so you get trained in good security practices. It is
part of being trained as an information specialist.
Chairman Thompson. In order to remain in a leadership
position in the global economy, you have to maintain the
productivity and, therefore, maintain your technological
advantages, and, therefore, you have to have the educational
background.
Mr. Adams. Exactly, and that is something that the
government can absolutely influence the outcome of.
Chairman Thompson. What kind of group was this that you
said you just attended?
Mr. Adams. I would have to talk to you about that outside.
Chairman Thompson. All right.
Mr. Watson. I would suggest incentives to collaborate with
the private sector. Cisco networking academies are in all 50
States and 25 foreign countries. We are adding security modules
into that training. We build security training syllabuses and
training partners deliver that training. We would view Federal
requirements for security training as a market pressure and we
would develop products and services to meet that demand.
Chairman Thompson. Mr. Watson, in your background with
regard to information warfare, do you subscribe to the notion I
have heard some say that it is almost for sure that in any
future military attack, one industrialized country against
another, that it would probably be preceded by a cyber attack?
Mr. Watson. I would say that was possible and maybe even
likely.
Chairman Thompson. What would you think, Mr. Adams?
Mr. Adams. I would say that most countries that have an
information warfare capability see that as a precursor to full-
scale war, and indeed, the full-scale war itself may occur in
the virtual space. The interesting thing is that while America
has a capability in this area, the lawyers have not yet decided
what is war in the virtual space. So we may be attacked and in
serious trouble before we can do anything about it.
Chairman Thompson. One final thing. Senator Lieberman and
you mentioned the shift of capability from the government to
the private sector and now we are here in our legislation
trying to decide what government should be doing, first of all,
about itself and managing itself. You heard the GAO testimony
about the government needing to decide minimum standards.
I am wondering what is going on in the private sector out
here. How is that going to interface with what we are trying to
do? Should the government be setting standards for itself,
minimum standards and as it is purchasing the hardware,
software, servicing, and all from the outside, or should these
be private standards determined by the private sector that we
incorporate? Do you see what I am trying to get at? How does
that interrelate?
Mr. Adams. I think there are two different things that you
are addressing. What we have at the moment as this revolution
has unfolded is a multitude of standards--hardware, software,
different in America, different in Britain, different in
France, all over the world.
Yes, it is a common arena, as Ken was saying earlier, and
for the government or governments, more likely, the World Trade
Organization to agree on a common standard is completely
unrealistic, I think. It would take years and just will not
happen.
More likely will be if you go back to the housing problems
at the beginning of this century in the United States, a
tremendous amount of poor housing that were in very bad shape.
Nobody could agree what to do about it, but when the insurance
industry said, OK, here is a minimum standard or else you do
not get insurance. If you do not have insurance, you cannot
have a mortgage. Lo and behold, the standards raised up and the
standards of housing went up with it. The market drove the
solution, in other words, and I think exactly the same thing
will happen here.
There has been lots of talk about minimum risk standards
and that needs to be applied. Two things will drive it. One
will be down value chains. You are going to do business with
me, you need to be affirmed at this risk level of some kind or
another, certified at this risk level, and if you do not, then
I am not going to do business with you.
And the second will be the insurance industry, which will
say, if you are going to be insured with me, just like if I
issue you with a house insurance policy, you get 10 percent off
for this burglar alarm, 15 percent off if you are connected to
the police station, so it will be a similar thing in the
virtual space. So those two market factors will drive it.
Chairman Thompson. So instead of the government requiring
certain standards of private industry, private industry would
be requiring certain standards from the government?
Mr. Adams. Exactly.
Mr. Watson. And we are already working in that direction.
We are beginning to dialogue with the insurance and audit
industries to develop standards. There are no standards across
the board for security posture assessments or penetration tests
or white-hat hacking or whatever you want to call it. If you
ask two companies to give you an assessment of your security,
you will get two completely different answers because they are
based on different standards.
There is no standard training program for network security
engineers to certify that someone has the skill required to do
that kind of an assessment. There are no standard ratings for
security in a network. How would you do that anyway? It would
be an instantaneous security state, but how would you say, if
you have a firewall, you have one level of standard. If you
have a firewall, intrusion detection, and remote monitoring,
you meet another security standard that could be insurable.
Those are the kinds of questions that we need to address.
Chairman Thompson. Well, you know the GAO has these best
practices and so forth. Do we not have any minimal standards,
without being so minimal that they are meaningless?
Mr. Watson. They are just not defined yet.
Mr. Adams. And there is no common language, we all speak--
it sounds similar, but we all interpret it differently and you
can give yourself a tick in the box which actually you are
nowhere near where you should be.
Chairman Thompson. Thank you very, very much. We appreciate
it.
Senator Lieberman. Thank you.
Chairman Thompson. The record will remain open for 1 week
after the close of the hearing. We are adjourned.
[Whereupon, at 12:50 p.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHIC] [TIFF OMITTED] T3639.001
[GRAPHIC] [TIFF OMITTED] T3639.002
[GRAPHIC] [TIFF OMITTED] T3639.003
[GRAPHIC] [TIFF OMITTED] T3639.004
[GRAPHIC] [TIFF OMITTED] T3639.005
[GRAPHIC] [TIFF OMITTED] T3639.006
[GRAPHIC] [TIFF OMITTED] T3639.007
[GRAPHIC] [TIFF OMITTED] T3639.008
[GRAPHIC] [TIFF OMITTED] T3639.009
[GRAPHIC] [TIFF OMITTED] T3639.010
[GRAPHIC] [TIFF OMITTED] T3639.011
[GRAPHIC] [TIFF OMITTED] T3639.012
[GRAPHIC] [TIFF OMITTED] T3639.013
[GRAPHIC] [TIFF OMITTED] T3639.014
[GRAPHIC] [TIFF OMITTED] T3639.015
[GRAPHIC] [TIFF OMITTED] T3639.016
[GRAPHIC] [TIFF OMITTED] T3639.017
[GRAPHIC] [TIFF OMITTED] T3639.018
[GRAPHIC] [TIFF OMITTED] T3639.019
[GRAPHIC] [TIFF OMITTED] T3639.020
[GRAPHIC] [TIFF OMITTED] T3639.021
[GRAPHIC] [TIFF OMITTED] T3639.022
[GRAPHIC] [TIFF OMITTED] T3639.023
[GRAPHIC] [TIFF OMITTED] T3639.024
[GRAPHIC] [TIFF OMITTED] T3639.025
[GRAPHIC] [TIFF OMITTED] T3639.026
[GRAPHIC] [TIFF OMITTED] T3639.027
[GRAPHIC] [TIFF OMITTED] T3639.028
[GRAPHIC] [TIFF OMITTED] T3639.029
[GRAPHIC] [TIFF OMITTED] T3639.030
[GRAPHIC] [TIFF OMITTED] T3639.031
[GRAPHIC] [TIFF OMITTED] T3639.032
[GRAPHIC] [TIFF OMITTED] T3639.033
[GRAPHIC] [TIFF OMITTED] T3639.034
[GRAPHIC] [TIFF OMITTED] T3639.035
[GRAPHIC] [TIFF OMITTED] T3639.036
[GRAPHIC] [TIFF OMITTED] T3639.037
[GRAPHIC] [TIFF OMITTED] T3639.038
[GRAPHIC] [TIFF OMITTED] T3639.039
[GRAPHIC] [TIFF OMITTED] T3639.040
[GRAPHIC] [TIFF OMITTED] T3639.041
[GRAPHIC] [TIFF OMITTED] T3639.042
[GRAPHIC] [TIFF OMITTED] T3639.043
[GRAPHIC] [TIFF OMITTED] T3639.044
[GRAPHIC] [TIFF OMITTED] T3639.045
[GRAPHIC] [TIFF OMITTED] T3639.046
[GRAPHIC] [TIFF OMITTED] T3639.047
[GRAPHIC] [TIFF OMITTED] T3639.048
[GRAPHIC] [TIFF OMITTED] T3639.049
[GRAPHIC] [TIFF OMITTED] T3639.050
[GRAPHIC] [TIFF OMITTED] T3639.051
[GRAPHIC] [TIFF OMITTED] T3639.052
[GRAPHIC] [TIFF OMITTED] T3639.053
[GRAPHIC] [TIFF OMITTED] T3639.054
[GRAPHIC] [TIFF OMITTED] T3639.055
[GRAPHIC] [TIFF OMITTED] T3639.056
[GRAPHIC] [TIFF OMITTED] T3639.057
[GRAPHIC] [TIFF OMITTED] T3639.058
[GRAPHIC] [TIFF OMITTED] T3639.059
[GRAPHIC] [TIFF OMITTED] T3639.060
[GRAPHIC] [TIFF OMITTED] T3639.061
[GRAPHIC] [TIFF OMITTED] T3639.062
[GRAPHIC] [TIFF OMITTED] T3639.063
[GRAPHIC] [TIFF OMITTED] T3639.064
[GRAPHIC] [TIFF OMITTED] T3639.065
[GRAPHIC] [TIFF OMITTED] T3639.066
[GRAPHIC] [TIFF OMITTED] T3639.067
[GRAPHIC] [TIFF OMITTED] T3639.068
[GRAPHIC] [TIFF OMITTED] T3639.069
[GRAPHIC] [TIFF OMITTED] T3639.070
[GRAPHIC] [TIFF OMITTED] T3639.071
[GRAPHIC] [TIFF OMITTED] T3639.072
[GRAPHIC] [TIFF OMITTED] T3639.073
[GRAPHIC] [TIFF OMITTED] T3639.074
[GRAPHIC] [TIFF OMITTED] T3639.075
-
�