IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Google Ads

W.J. "Billy" Tauzin, Chairman

The House Committee On 
Energy and Commerce
W.J. "Billy" Tauzin, Chairman


Subcommittee on Oversight and Investigations Hearing
Protecting America's Critical Infrastructures: How Secure Are Government Computer Systems?
April 05, 2001
09:30 AM
2322 Rayburn House Office Building

Mr. Tom Noonan
Internet Security Systems
6303 Barfield Road
Atlanta, GA, 30328

Good Morning, Mr. Chairman and Members of the Committee. I am pleased to appear before you today to discuss an issue of great importance to our country.


In 1991, our the founder and Chief Technology Officer of Internet Security Systems, Chris KClaus, became interested in government security while interning at the Department of Energy. Chris then began working on a groundbreaking technology that actively identified and fixed computer security weaknesses. The next year, while attending Georgia Institute of Technology ("Georgia Tech"), Chris released his product for free on the Internet. He received 10,000thousands of requests for his invention, and decided that he should sell it. In 1994, I met Chris over the Internet and teamed with him to form Internet Security Systems. I was then working for a computer company, having attended GA Tech and Harvard Business School. Chris and I then launched the company's first product, Internet Scanner,. We and went public in March 1998. And yes, we're a profitable company, even in today's market. Today, ISS Internet Security Systems is the worldwide leader in security management software. For more than nearly 10 years, which is several lifetimes in Internet time, we have been involved in computer security, watching the area grow from the outset. Chris Klaus (who is now 26) is one of a handful of premiere experts in the world on computer security, and Internet Security Systems is a widely recognized pioneer in computer security. Computer security is all we do. We now have more than 1,500nearly 2,000 employees in 18 countries focused exclusively on computer security. 7Altogether, we now have more than 68,000 customers, including 68 percent of the Fortune 500, and 21 of the 25 largest U.S. commercial banks. We also serve the ten largest telecommunication companies, numerous U.S. government agencies, and other non-U.S. governmentsies, including (add the most important government agencies).


I'm here today to provide you with some background information on threat assessment. Every day, ISS Internet Security Systems stops hackers, crackers (criminal hackers)criminal hackers and cyber-thieves cold by addressing vulnerabilities in computers. The individuals who use the Internet for business to business warfare, for international cyber-terrorism, or to cause havoc and mayhem in our technology infrastructure. Internet Security Systems is (Hackers are . . . Crackers are . . . Cyber-thieves are . . .) involved in every aspect of computer security, whether in making the security products or in managing them. Backdoor programs are . . . We also monitor their networks and systems around the clock (24 x 7 x 365) from the US, Japan, South America, and Europe in our Security Operations Centers ("SOCs"). We search for attacks and misuse, identify and . We are able to prioritize security risks, and generate reports explaining the security risks and what can be done to fix them. ISS' At the heart of our solution is our team of world-class security experts focused on uncovering and protecting against the latest threats. This team of 200 global specialists, dubbed the X-Force, understands exactly how to transform the complex technical challenges into an effective, practical, and affordable strategy. Because of all of these capabilities, companies and governments turn to us as their trusted computer security advisor.

Over the years, I have watched computer vulnerabilities increase dramatically. The Internet is so useful for the very reasons that it is so vulnerable. To give you an idea of what we are dealing with, I'd like to share two analogies. First, I'll compare a computer to a house. Every computer connected to the Internet has the equivalent of explain the 6 45,005360 doors and windows which need to be locked and monitored to make sure no one breaks in. Multiply 645,000536 by every computer in every company and you begin to see the extent of the problem. Just as physical security companies like ADT monitor your physical doors and windows, computer security computer security companies must lock and monitor the doors and windows of your computers.

My second analogy compares this complicated area of computer security to a Chess game. In a Chess game, the goal is to protect the king - or mission critical information. The other Chess pieces protect the king. But a knowledgeable Chess player is required to maneuver the Chess pieces. With computer security, the goal is to protect the information. A variety of computer security products, including Intrusion Detection Systems (IDS) and firewallsvulnerability assessment, function as Chess pieces, and protect and watch the information. These products are absolutely essential. However, you also need to have a computer security expert to manage these products, just as you have to have a knowledgeable Chess player maneuver the Chess pieces. Just as a Chess game environment is constantly changing, the computer security environment is also constantly changing. Computer security companies, such as Internet Security Systems, produce the products and perform the services that protect the information and manage the products so that they function in the proper way.

Over the years, as the Internet has become more used in businessopen, and more accessible to the masses, it has been attacked at an increasing rate. Incidents occur when hackers maneuver through a system, take advantage of the vulnerabilities, and cause a system breach. Vulnerabilities are holes, weaknesses, and problems that exist in computer systems. Incidents include credit card theft or other informationdata theft. The first slide documents the top security breaches. 4% of these breaches are actual physical security breaches, such as breaking a window or getting in through a locked door. 20% are system unavailability breaches or denial-of-service breaches, such as the "ILUVYOU" email virus. Electronic exploits represent 20% of the breaches. An example of an electronic exploit is finding a hole where you can install a backdoor to get into a computer system. 25% of the breaches are loss of privacy or confidentiality breaches, such as when a cracker breaks through a firewallinto a database server and gains access to credit card information. 26% are malicious code breaches, such as when a hacker sends an email with an attachment that when opened, deletes files on the computer system. 5% of the breaches are other breaches.

To give you an idea of how fast incidents are occurring, the second slide examines the increase in just one type of breach, the virus. Viruses, such as the "ILUVYOU" virusV are mini computer programs thatthat install back doors, flood a computer system with email so that the system slows down or crashes. These are often called denial-of-service viruses. Viruses can also destroy information on a computer system. . (A virus is . . .) In October 1999 alone, there were 2,007more than 2000 new known viruses. In November 1999, there were 2,427 new viruses. In December 1999, 2,586 were added. Look at how these numbers have dramatically increased in 2000. In October 2000, there were 30,678 new viruses. In November 2000, there were 23,962 new viruses. In December 2000, there were 16,762 new viruses. Keep in mind that the vast impact caused by the "ILUVYOU" virus was caused by only one of these viruses.

To give you a better idea of how incidents generally occur, and how computer security companies protect against these incidents, the third slide is an example of a Web site where crackers can get information that will help them break into a system. Because we are in the protection business, we have modified this site and removed the identifying information. This site lists new vulnerabilities that have been discovered, and includes programs that allow unsophisticated crackersanyone to use these to exploit these vulnerabilities to damage a system. There are thousands of similar Web sites. Our X-Force monitors the most important Web sites to discover the latest trends. In addition, thousands of private chat rooms exist where more sophisticated crackers trade hacking tools over the Internet. Our X-Force gains access to important chat rooms and monitors them as well.


We are pleased that the Government is interested in taking computer security seriously. The United States spends billions of dollars buying weapons and gaining intelligence to protect our country from more conventional types of attack.. Our computer systems must also be adequately protected, or our entire infrastructure could be compromised by one person with one computer. Even though the task is complicated, computer systems can be made secureprotected.

The Government has taken great strides in the past few years. However, much, much more is needed. As industry has considerable resources and expertise, a continued partnership with industry is crucial. In addition, computer security must be a priority, and leadership and coordination are necessary in the Government. International leadership is also required. Perhaps most importantly, funding for secure Government systems must be increased by a substantial amount, and outsourcing should be considered as an option. The Government often does well with the resources it has been given. However, computer security specialists are required to implement and coordinate many different security products and services to adequately secure a system. As computer security expertise is extremely rare, the cost of computer security specialists is astronomical. In my company alone, the average salary of my 2000 employees is around $80,000. To help address the cost of computer security, educational efforts must be undertaken to train the personnel required. Computer programmers in universities should be trained in computer security. Currently, they are not. In addition, specialized programs in computer security should be encouraged.

Thank you for inviting me here today. I look forward to a continuing dialog on the computer security issue, and hope that, working together, we can adequately secure our country's assets and information.

dot.jpg (1363 bytes)
U.S. House Seal

The Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, DC 20515
(202) 225-2927

dot.jpg (1363 bytes)

IWS Mailing Lists

Mailing Lists Overview