Good Morning, Mr. Chairman
and Members of the Committee. I am pleased to appear before
you today to discuss an issue of great importance to our
In 1991, our
the founder and Chief Technology Officer of Internet Security
Systems, Chris KClaus, became interested in government security
while interning at the Department of Energy. Chris then
began working on a groundbreaking technology that actively
identified and fixed computer security weaknesses. The next
year, while attending Georgia Institute of Technology ("Georgia
Tech"), Chris released his product for free on the
Internet. He received 10,000thousands of requests for his
invention, and decided that he should sell it. In 1994,
I met Chris over the Internet and teamed with him to form
Internet Security Systems. I was then working for a computer
company, having attended GA Tech and Harvard Business School.
Chris and I then launched the company's first product, Internet
Scanner,. We and went public in March 1998. And yes, we're
a profitable company, even in today's market. Today, ISS
Internet Security Systems is the worldwide leader in security
management software. For more than nearly 10 years, which
is several lifetimes in Internet time, we have been involved
in computer security, watching the area grow from the outset.
Chris Klaus (who is now 26) is one of a handful of premiere
experts in the world on computer security, and Internet
Security Systems is a widely recognized pioneer in computer
security. Computer security is all we do. We now have more
than 1,500nearly 2,000 employees in 18 countries focused
exclusively on computer security. 7Altogether, we now have
more than 68,000 customers, including 68 percent of the
Fortune 500, and 21 of the 25 largest U.S. commercial banks.
We also serve the ten largest telecommunication companies,
numerous U.S. government agencies, and other non-U.S. governmentsies,
including (add the most important government agencies).
I'm here today
to provide you with some background information on threat
assessment. Every day, ISS Internet Security Systems stops
hackers, crackers (criminal hackers)criminal hackers and
cyber-thieves cold by addressing vulnerabilities in computers.
The individuals who use the Internet for business to business
warfare, for international cyber-terrorism, or to cause
havoc and mayhem in our technology infrastructure. Internet
Security Systems is (Hackers are . . . Crackers are . .
. Cyber-thieves are . . .) involved in every aspect of computer
security, whether in making the security products or in
managing them. Backdoor programs are . . . We also
monitor their networks and systems around the clock (24
x 7 x 365) from the US, Japan, South America, and Europe
in our Security Operations Centers ("SOCs"). We
search for attacks and misuse, identify and . We are able
to prioritize security risks, and generate reports explaining
the security risks and what can be done to fix them. ISS'
At the heart of our solution is our team of world-class
security experts focused on uncovering and protecting against
the latest threats. This team of 200 global specialists,
dubbed the X-Force, understands exactly how to transform
the complex technical challenges into an effective, practical,
and affordable strategy. Because of all of these capabilities,
companies and governments turn to us as their trusted computer
Over the years,
I have watched computer vulnerabilities increase dramatically.
The Internet is so useful for the very reasons that it is
so vulnerable. To give you an idea of what we are dealing
with, I'd like to share two analogies. First, I'll compare
a computer to a house. Every computer connected to the Internet
has the equivalent of explain the 6 45,005360 doors and
windows which need to be locked and monitored to make sure
no one breaks in. Multiply 645,000536 by every computer
in every company and you begin to see the extent of the
problem. Just as physical security companies like ADT monitor
your physical doors and windows, computer security computer
security companies must lock and monitor the doors and windows
of your computers.
My second analogy
compares this complicated area of computer security to a
Chess game. In a Chess game, the goal is to protect the
king - or mission critical information. The other Chess
pieces protect the king. But a knowledgeable Chess player
is required to maneuver the Chess pieces. With computer
security, the goal is to protect the information. A variety
of computer security products, including Intrusion Detection
Systems (IDS) and firewallsvulnerability assessment, function
as Chess pieces, and protect and watch the information.
These products are absolutely essential. However, you also
need to have a computer security expert to manage these
products, just as you have to have a knowledgeable Chess
player maneuver the Chess pieces. Just as a Chess game environment
is constantly changing, the computer security environment
is also constantly changing. Computer security companies,
such as Internet Security Systems, produce the products
and perform the services that protect the information and
manage the products so that they function in the proper
Over the years,
as the Internet has become more used in businessopen, and
more accessible to the masses, it has been attacked at an
increasing rate. Incidents occur when hackers maneuver through
a system, take advantage of the vulnerabilities, and cause
a system breach. Vulnerabilities are holes, weaknesses,
and problems that exist in computer systems. Incidents include
credit card theft or other informationdata theft. The first
slide documents the top security breaches. 4% of these breaches
are actual physical security breaches, such as breaking
a window or getting in through a locked door. 20% are system
unavailability breaches or denial-of-service breaches, such
as the "ILUVYOU" email virus. Electronic exploits
represent 20% of the breaches. An example of an electronic
exploit is finding a hole where you can install a backdoor
to get into a computer system. 25% of the breaches are loss
of privacy or confidentiality breaches, such as when a cracker
breaks through a firewallinto a database server and gains
access to credit card information. 26% are malicious code
breaches, such as when a hacker sends an email with an attachment
that when opened, deletes files on the computer system.
5% of the breaches are other breaches.
To give you
an idea of how fast incidents are occurring, the second
slide examines the increase in just one type of breach,
the virus. Viruses, such as the "ILUVYOU" virusV
are mini computer programs thatthat install back doors,
flood a computer system with email so that the system slows
down or crashes. These are often called denial-of-service
viruses. Viruses can also destroy information on a computer
system. . (A virus is . . .) In October 1999 alone,
there were 2,007more than 2000 new known viruses. In November
1999, there were 2,427 new viruses. In December 1999, 2,586
were added. Look at how these numbers have dramatically
increased in 2000. In October 2000, there were 30,678 new
viruses. In November 2000, there were 23,962 new viruses.
In December 2000, there were 16,762 new viruses. Keep in
mind that the vast impact caused by the "ILUVYOU"
virus was caused by only one of these viruses.
To give you
a better idea of how incidents generally occur, and how
computer security companies protect against these incidents,
the third slide is an example of a Web site where crackers
can get information that will help them break into a system.
Because we are in the protection business, we have modified
this site and removed the identifying information. This
site lists new vulnerabilities that have been discovered,
and includes programs that allow unsophisticated crackersanyone
to use these to exploit these vulnerabilities to damage
a system. There are thousands of similar Web sites. Our
X-Force monitors the most important Web sites to discover
the latest trends. In addition, thousands of private chat
rooms exist where more sophisticated crackers trade hacking
tools over the Internet. Our X-Force gains access to important
chat rooms and monitors them as well.
pleased that the Government is interested in taking computer
security seriously. The United States spends billions of
dollars buying weapons and gaining intelligence to protect
our country from more conventional types of attack.. Our
computer systems must also be adequately protected, or our
entire infrastructure could be compromised by one person
with one computer. Even though the task is complicated,
computer systems can be made secureprotected.
has taken great strides in the past few years. However,
much, much more is needed. As industry has considerable
resources and expertise, a continued partnership with industry
is crucial. In addition, computer security must be a priority,
and leadership and coordination are necessary in the Government.
International leadership is also required. Perhaps most
importantly, funding for secure Government systems must
be increased by a substantial amount, and outsourcing should
be considered as an option. The Government often does well
with the resources it has been given. However, computer
security specialists are required to implement and coordinate
many different security products and services to adequately
secure a system. As computer security expertise is extremely
rare, the cost of computer security specialists is astronomical.
In my company alone, the average salary of my 2000 employees
is around $80,000. To help address the cost of computer
security, educational efforts must be undertaken to train
the personnel required. Computer programmers in universities
should be trained in computer security. Currently, they
are not. In addition, specialized programs in computer security
should be encouraged.
Thank you for inviting me here
today. I look forward to a continuing dialog on the computer
security issue, and hope that, working together, we can
adequately secure our country's assets and information.