|Testimony of Chris Klaus
I'm here today representing my company, Internet Security Systems,
and also ITAA (the Information Technology Association of America)
to provide you with some background information and recommendations
regarding the computer security threat. Every day, Internet Security
Systems stops criminal hackers and cyber-thieves by addressing vulnerabilities
in computers. These individuals use the Internet for business-to-business
warfare, for international cyber-terrorism, or to cause havoc and
mayhem in our technology infrastructure. Internet Security Systems
is involved in every aspect of computer security, whether in making
the security products or in managing them. We also monitor networks
and systems around the clock (24 x 7 x 365) from the US, Japan,
South America, and Europe in our Security Operations Centers. We
search for attacks and misuse, identify and prioritize security
risks, and generate reports explaining the security risks and what
can be done to fix them. At the heart of our solution is our team
of world-class security experts focused on uncovering and protecting
against the latest threats. This team of 200 global specialists,
dubbed the X-Force, understands exactly how to transform the complex
technical challenges into an effective, practical, and affordable
strategy. Because of all of these capabilities, companies and governments
turn to us as their trusted computer security advisor.
ITAA represents over 500 corporate member companies in the U.S.,
companies that build IT solutions for customers in industry and
government. ITAA is a national leadership organization in the InfoSec
Over the years, I have watched computer vulnerabilities increase
dramatically. The Internet is so useful for the very reasons that
it is so vulnerable. To give you an idea of what we are dealing
with, I'd like to share an analogy. I'll compare a computer to a
house. Every computer connected to the Internet has the equivalent
of 65,536 doors and windows which need to be locked and monitored
to make sure no one breaks in. Multiply 65,536 by every computer
in every company or household and you begin to see the extent of
the problem. Just as physical security companies like ADT monitor
your physical doors and windows, computer security companies must
lock and monitor the doors and windows of computers.
II. Example of denial-of-service attack.
A denial-of-service attack, or "DoS", is a specific type
of attack on a network that is designed to bring the network to
its knees. A DoS causes a network to have zero accessibility by
flooding it with useless Internet traffic and requests. Many DoS
attacks exploit limitations in the network. During a distributed
DoS attack, a hacker actually takes over multiple computers with
a "zombie" program and then, from a remote location, sets
them to launch an attack all at once. This attack makes it nearly
impossible to trace the hacker since the attacks appear to have
come from the infected computers - which could be anywhere, such
as universities, the Federal Government, businesses, or your home.
For all known DoS attacks, there are software fixes that system
administrators can install to limit the damage caused by the attacks.
But, like viruses, new DoS attacks are constantly being created
by hackers. Last week's well-publicized Code Red email worm is an
example of how a new DoS attack can be launched.
Code Red was designed to launch a DoS attack that would effectively
shut down the White House's Web site last Thursday evening. Code
Red took advantage of systems running commonly used software. Due
to Code Red, more than 200,000 servers were infected to act as "zombies"
that would wake up and flood the White House Web site with DoS traffic
in order to force the site to shut down.
The White House was fortunate and acted in time -- in cooperation
with industry -- to side-step this attack, but Code Red has forced
network and system administrators to spend hours installing and
testing a patch for the infected servers. And some servers may remain
infected, setting the stage for possible future attacks.
III. NIPC Discussion.
I'm here to represent industry's viewpoint on the General Accounting
Office (GAO) report entitled "Critical Infrastructure Protection:
Significant Challenges in Developing National Capabilities".
As you know, this report examines NIPC (National Infrastructure
Protection Center) and recommends how NIPC can improve its ability
to combat cybercrime and cyberterrorism. Before getting to the details
of my findings and recommendations, I would like to point out that
NIPC has made great strides. Ron Dick has been an effective leader
and should be commended for his efforts in a very complicated job.
The GAO report had three main themes: 1) NIPC's limited analysis
and warning capabilities; 2) lack of interagency cooperation at
NIPC; and 3) reluctance of private companies to share information
about cyberattacks with NIPC.
The GAO found that NIPC's analysis and warning capabilities were
limited. It is our experience that the NIPC has excellent sources
of information from law enforcement and intelligence sources. While
we understand that some information cannot be shared due to its
sensitive or classified nature, the NIPC makes every effort to craft
its information into meaningful warning messages suitable for distribution
to the widest possible audience.
Industry needs information as quickly as possible. However, we understand
that NIPC puts a premium on accuracy in its warning products because
it speaks for the federal government. Having worked with NIPC on
warning products, we have seen this first hand. While obviously
not all information can be provided to the private sector, in our
experience NIPC shares a broad array of information with the private
sector so it can be pondered and analyzed.
Because both speed and accuracy are important, NIPC should explore
ways to improve the warning process so that it can put out the most
accurate warning products it can in the fastest possible time.
GAO also pointed out that the reluctance of private companies to
share information about cyberattacks was an issue in the effectiveness
of NIPC. We agree that NIPC would be more effective if the private
sector shared more information with it, but we have seen great strides
in information sharing over the past couple of years. The private
sector not only runs private communications facilities, but also
runs most of the Government communications facilities. We think
that the ISACs (Information Sharing and Analysis Centers) and other
information sharing mechanisms are a good mechanism for this information
sharing to take place. However, the ISACs and other information
sharing mechanisms need time to further develop. We at ISS are very
supportive of ISACs and are doing our part to make this initiative
as effective as possible.
We also support GAO's praise of Infraguard. Infraguard is an effective
initiative. Infraguard is able to effectively get information out
to the business and academic communities horizontally.
V. Information sharing is the key.
All of the above themes involve more information sharing. We have
discussed how the Federal Government could be better at sharing
information. Companies also could be better at sharing information.
However, sharing information about corporate information security
practices is inherently difficult. Companies are understandably
reluctant to share sensitive proprietary information about prevention
practices, intrusions, and actual crimes with either competitors
or Government agencies. No company wants information to surface
that they have given in confidence that may jeopardize their market
position, strategies, customer base, or capital investments.
Allowing the ISACs time to develop and grow is one way the Government
can help private companies become more amenable to sharing information.
The voluntary nature of ISACs or information sharing bodies is extremely
important. Attempting to force this to happen would be a disaster.
As I mentioned earlier in my testimony, speed is extremely important
for security information to be most useful. Placing burdensome requirements
on companies would cause information sharing to be a legal and time-consuming
To help encourage growth of the ISACs, it is important to support
legislation that will strengthen information sharing legal protections
that shield U.S. critical infrastructures from cyber and physical
attacks and threats. Legislation that will clarify and strengthen
existing Freedom of Information Act and anti-trust exemptions, or
otherwise create new means to promote critical infrastructure protection
and assurance, would be very helpful. This legislation would likely
have a catalytic effect on the initiatives that are currently under
way. It is absolutely vital that we work collectively to remove
barriers to information sharing. A broad industry coalition has
been working with Senator Bennett and Senator Kyl on legislation
in the Senate, and with Congressman Davis and Congressman Moran
in the House. On behalf of ITAA, I want to express industry support
for these bills.
We are pleased that the Government is interested in taking computer
security seriously. The United States Government spends billions
of dollars buying weapons and gaining intelligence to protect our
country from more conventional types of attack. Our computer systems
must also be adequately protected, or our entire infrastructure
could be compromised by one person with one computer. Even though
the task is complicated, computer systems can be protected.
The Government has taken great strides in the past few years. However,
much, much more is needed. As industry has considerable resources
and expertise, a continued partnership with industry is crucial.
In addition, computer security must be a priority, and leadership
and coordination are necessary in the Government. International
leadership is also required. Perhaps most importantly, funding for
secure Government systems must be increased by a substantial amount,
and outsourcing should be considered as a viable, cost-effective
option. The Government often does well with the resources it has
been given. However, computer security specialists are required
to implement and coordinate many different security products and
services to adequately secure a system. As computer security expertise
is extremely rare, the cost of computer security specialists is
astronomical. To help address the cost of computer security, educational
efforts must be undertaken to train the personnel required.
Thank you for inviting me here today. I look forward to a continuing
dialog on the computer security issue, and hope that, working together,
we can adequately secure our country's assets and information.