Statement of Dr. Vinton G. Cerf
Senior Vice President of Internet Architecture & Technology
MCI WorldCom
For the
Joint Economic Committee
February 23, 2000
Introduction
I am Dr. Vinton Cerf, Senior Vice President of MCI WorldCom.
I am also pleased to represent today the Information Technology
Association of America (ITAA), representing over 26,000 direct
and affiliate member companies in the information technology (IT)
industry - the enablers of the information economy. ITAA members
are located in every state in the United States, and range from
the smallest IT start-ups to industry leaders in the custom software,
services, systems integration, telecommunications, Internet, and
computer consulting fields. I am also representing the Internet
Society as a member of its Board of Directors and as the former,
founding President and Chairman of the Board. The Internet Society
(ISOC) comprises approximately 150 organizational members and
6500 individual members. ISOC's focus is on the continued technical
evolution of the Internet and on its social and economic impact.
The Internet Architecture Board and Internet Engineering Task
Force, which develops the technical standards of the Internet,
operate under the auspices of the Internet Society. MCI WorldCom,
through its UUNET subsidiary, is the operator of one of the first
Internet backbone services and is also responsible for operation
of a number of network access points called Metropolitan Area
Exchanges where Internet Service Providers exchange traffic. MCI
WorldCom is also among the largest domestic and international
telecommunications service providers.
Sen. Bennett, it is an honor to appear before the Committee today.
I want to commend you and your colleagues for holding this hearing
on computer security, particularly given the serious "Denial of
Service" attacks launched in recent weeks. Clearly, the misdeeds
of a few have brought the issue of Information Security (InfoSec)
to the top of the national agenda. Those of us who have been around
the industry for a while know that network intrusions are nothing
new and that effective preventive technologies exist to counteract
them. Many people, however, may be shocked and alarmed that access
to websites, quickly becoming hallmarks of everyday life, has
been seriously impaired by these attacks.
So this is a dialogue well worth pursuing. And the stakes in
dealing with the problems properly are significant.
IT: The Engine of National Development
Information technology represents over 6 percent of global gross
domestic product (GDP), a spending volume of more than $1.8 trillion,
and over 8% of US GDP, according to Digital Planet, a report recently
released by the World Information Technology and Services Alliance
(WITSA). WITSA is a group of 39 IT trade associations around the
world. Enormous in their own right, the Digital Planet figures
mask the contribution made by this technology to the growth, competitiveness
and vitality of other industries. From China to Mexico, from Argentina
to Germany, countries have come to recognize that information
technology is an engine of national development, accelerating
the expansion of business opportunity and investment while acting
as a buffer against economic downturns. The recent US Department
of Commerce report indicates that an incredible 35% of the nation's
real economic growth from 1995 to 1998 came from IT producers.
Chairman Alan Greenspan of the US Federal Reserve Board recently
credited large investments being made in computers and other high-tech
products for the dramatic boost in the nation's productivity.
Even previously skeptical economists now concede that IT driven
productivity increases have enabled our country to have what they
said we could not have: high growth, low unemployment, low inflation,
growth in real wages.
If IT is the engine behind this growth, the Internet and E-commerce
are the rocket fuel. Forrester, a respected market research firm,
forecasts that the U.S. business-to-business marketplace is worth
$290 billion this year and will grow to $2.7 trillion by 2004.
The Internet is rewriting economic history. But along with the
blessings of this new prosperity comes a challenge: new vulnerabilities
exhibited by this evolving infrastructure.
A Foundation Built on Trust
If we are to continue building our New Economy on this digital
foundation, we must meet the challenges that it poses:
* Stakeholders must be able to trust that the Internet is a safe
and secure environment;
* Industry owns and operates most of this infrastructure and,
therefore, is its natural steward for safety and security issues;
* Government and industry share an interest in the health and
growth of the Internet and E-commerce and must find common ground
on which to coordinate on critical information infrastructure
protection issues;
* Ethical on-line behavior begins at home with the education
of children; safe and efficient on-line business operations demand
the investment by companies and organizations in a reasonable
set of information security practices and procedures;
* Because the Internet is a global medium, information security
issues must be pursued on a global basis; because the nature of
the cybercrime threat is dynamic, information security requires
on-going commitment and attention.
The Varied Faces of Cybercrime
The InfoSec threat comes in numerous guises. Mischief minded
hackers. Disgruntled employees. Corporate spies. Cyber criminals.
Terrorists. Unfriendly nations.
Aggressors attack at the point of maximum leverage. For modern
society, this means critical infrastructure: transportation, telecommunications,
oil and gas distribution, emergency services, water, electric
power, finance and government operations. A critical information
infrastructure supports all of these vital delivery systems and
becomes itself a target of opportunity for terrorists, adversary
nations, criminal organizations, and non-state sponsored actors.
Disrupting the underlying information infrastructure of a transportation
or finance system often can be as effective or even more effective
than disrupting the physical infrastructure. Why blow up a power
grid, when destroying the computers that control the power grid
will have the same impact?
The International Institute for Strategic Studies (IISS) recently
published a study on this topic citing one expert claiming he
could bring down the U.S. information infrastructure with 10 computer
specialists and in 90 days time. This potential vulnerability, even
if overstated, raises numerous difficult questions for industry
and government about how best to provide critical information
infrastructure protection.
A recent Computer Security Institute (CSI) survey reports 62
percent of companies have experienced computer breaches; 51 percent
of respondents reported financial losses due to computer security
problems; criminal hacking losses of the 163 responding organizations
was placed at $123 million in 1998 and is climbing at an extraordinary
pace. The Institute found that system penetration by outsiders
has risen in each of the past three years as has unauthorized
access by insiders. Twenty-six percent of respondents in the CSI
study reported theft of proprietary information and 27 percent
reported financial fraud. Twenty percent reported unauthorized
use or misuse of websites.
Virus episodes like Melissa and Chernobyl are becoming more frequent.
The Symantec Anti-Virus Research Center estimates that new viruses
are being launched at a rate of 10 to 15 per day and that over
2400 currently exist. Thirty-five percent are considered to be
intentionally destructive.
We have difficult challenges ahead. In the cyber realm, ambiguity
reigns supreme. What makes our new environment so different? Some
of the factors include:
* Increasing technological and environmental complexity - new
technologies are replacing "old" ones at a breathtaking pace as
hundreds of thousands of new players enter cyberspace on an almost
daily basis;
* Boundless environment and ambiguous laws - geographic boundaries
are irrelevant in cyberspace, raising jurisdictional conflicts;
* Anonymous adversaries - The potentially anonymous nature of the
Internet combined with a lack of geographic boundaries makes it
extremely difficult to distinguish between nuisance hackers, vandals,
criminals, terrorists and nation-states. And the effects may be
the same, regardless of motive;
* Conflicting responsibilities and jurisdictions - while cyberspace
is boundless, turf battles abound;
* Low levels of executive awareness;
* Limited human resources - The public and private sectors continue
to struggle to find the skilled workers to manage the resources
they currently have. Assuring our information infrastructures
calls for more highly specialized individuals who are in extremely
limited supply.
It is my judgment that the Internet itself is for the most part
secure, though there are steps we know can be taken to improve
security and resilience. Most of the vulnerabilities arise from
those who use the Internet (companies, governments, academic institutions,
and individuals alike) but who do not practice what I refer to
as good cyber hygiene. They are not sufficiently sensitive to
the need to protect the security of the Internet community of
which they are a part. The openness of the Internet is both its
blessing and its curse when it comes to security.
Government and Industry: Seeking Common Ground
Assessing the ultimate InfoSec roles for government agencies
and the private sector is really very simple: our new information-based
assets must be protected and preserved. The proliferation of low
cost computers and networks has spread information technology
to every quarter of society. Participants and users must understand
that along with the obvious benefits of information technology
are corresponding commitments to protect it. The societal stakes
involved in critical information protection compel government
and industry to seek common ground on the issue.
The road to this common ground may not be a straight line. On
the contrary, while the ends may be commonly shared, the policies
that government and industry will develop in order to provide
this protection are likely to be quite different.
For instance, government policy may seek to establish both internal
and externally directed standards to protect infrastructure elements
from physical or cyber attack, to require systems to detect when
attacks are imminent or underway, to develop processes to react
to the attack, and to reestablish the critical service. By definition,
if the service has been deemed critical to the nation, then the
federal, state and local governments will have increased interest
in the operation, management and protection of the private businesses
and services which comprise the infrastructure elements. The manner
in which this government concern is manifested can have a significant
effect on private sector interests.
Similarly, industry can be expected to react to infrastructure
threats in appropriate ways, guided by sound business considerations.
Individual companies will make infrastructure protection investments
commensurate with the risk management principles in their industries.
Government policies that impose protection standards more stringent
than those inherent in the private sector risk mitigation process
may not be practical. Additionally, requirements for reporting
incidents to government operations centers and responding to government
directed reconstitution plans might impose uneconomic and therefore
unrealistic burdens. Such requirements need to be developed in
consultation with the private sector.
Private sector firms face other real world pressures in formulating
an InfoSec response. First, companies run the significant risk
of negative publicity and exposure. Companies are concerned that
revealing and admitting past mistakes, shortcomings, negative
experiences or incidents can open them up for criticism from the
press, their competitors, their customers and their shareholders,
to say nothing of potential lawsuits. Along the same lines, and
for good reason, companies are loath to share proprietary or privileged
corporate information. Additionally, firms run the risk of eroding
consumer, customer, partner and investor confidence. The private
sector is often reluctant to share information and/or experiences
out of fear that such information will be misused, abused or released
to the public by the government or competitors. Lastly, with the
focus in today's corporate world on the immediate bottom line,
most firms see no clear short-term return on their information
sharing investment.
Minimizing the likelihood of, minimizing the possible impact from,
or preparing a response to a coordinated, comprehensive attack on
critical US infrastructure will require coordinated, comprehensive
teamwork by government and industry. No matter what the business
or political pressures, we all have a stake in protecting our
information infrastructure. The nature of that teamwork is being
decided through national debate, substantive analysis and constructive
dialogue. As we look ahead, our nation is in need of new modes
of cooperation, collaboration and experience sharing among the
private sector and between the public and private sectors. With
the Denial of Service attacks, we received another wake-up call.
A well prepared and informed private sector can work with government
to find the proper balance that optimizes the government's need
to protect the critical infrastructure with business' need to
manage risks appropriately.
Significant reservations on the part of both private industry
and government to fully collaborate on these important issues
exist, however, which ITAA is attempting to address from both
a theoretical and practical viewpoint.
InfoSec: Establishing First Principles
In developing industry positions on national InfoSec issues,
ITAA has established an initial list of general principles that
will guide the development of future policy.
* The protection of the national information infrastructure must
be based on the least amount of government (federal, state, and
local) regulation as is practicable.
* The cost of protecting the national information infrastructure
must be kept to a level commensurate with the threat and the consequences
of attack. Parties must be able to differentiate between potential
but unlikely vulnerabilities and specific threats.
* Industry owns and operates the Global Information Infrastructure
and, as such, has primary responsibility for InfoSec requirements,
design and implementation.
* Industry and government share an interest in the proliferation
of a free and open Internet, electronic commerce, other value-added
networks, and an efficient, effective information infrastructure
generally.
* In protecting these resources, the specific and immediate priorities
of government and industry may potentially diverge.
* Industry will be guided by business considerations to protect
itself against physical and cyber-attack as the threat to the
information infrastructure evolves.
* Where corrective InfoSec action is required to protect the
public good, government must identify such instances and create
appropriate funding mechanisms. Government, in its capacity as
the nation's largest IT consumer, should also act as a role model
in adopting InfoSec best practices and avoiding security breaches.
* The Internet and electronic commerce are inherently global
in nature; therefore, information security will require collaboration
among international bodies.
* InfoSec measures must be commensurate with the threat involved;
risks must be appropriately identified and managed but not magnified
or embellished.
* Positive interaction between government and industry is essential.
Among the issues that will require on-going communication and assessment
is the need to balance the Constitutional right to privacy with
national security concerns.
* Industry must monitor the private sector portion of the national
information infrastructure and cooperate both internally, across
vertical industries and with local, state and federal government
in reporting and exchanging information concerning threats, attacks,
and protective measures. Coordination among principals must facilitate
creation of early warning systems. Barriers to this process must
be identified and solutions determined.
* In creating the information infrastructure, as well as attendant
tools and technologies, industry must be provided safe harbor
protections and its works viewed as incidental to losses caused
by criminal or malicious misbehavior or natural disasters.
* Distinctions must be made among cyber-mischief; cyber-crime
and cyber-war to clarify jurisdictional issues and determine appropriate
responses. The adequacy of current laws to prevent these threats
must be reviewed.
* Existing laws must be adapted as necessary to allow appropriate
levels of information sharing among companies, and between the
private sector and government.
* Continued support of short- and long-term information security
R&D projects by private and public sectors alike is needed
to support continued growth of the digital economy and to protect
our critical infrastructures. The vast majority of R&D in
information security is done by the private sector. Going forward,
market demands continue to be the most efficient means for directing
corporate R&D efforts. The Clinton Administration is moving
forward to create an Institute for Information Infrastructure
Protection to fill gaps in areas not now addressed by the private
sector.
* Industry and government must take steps to address the InfoSec
workforce needs. Research should be done to gauge the skill sets
of information security professionals, identify the security workforce
needs of industry, assess the current programs offered by academia,
and identify gaps. Programs, such as the Administration's Scholarship
for Service for the federal government workforce, should be identified
and funded to fill the short- and long-term gaps in the workforce.
* Law enforcement agencies must gain sufficient cyber-crime expertise
to combat specific threats and to investigate specific criminal
acts. The adequacy of current laws must be reviewed and the administration
of justice for cyber-crimes made uniform.
* Emergency response organizations must gain sufficient disaster
recovery expertise to minimize the effect of catastrophic events
on the information infrastructure.
Implementing this diverse set of principles will require substantial
work, resources, and cooperation.
Difficult Issues Remain
At this nascent stage, many questions remain unanswered:
* What are the criteria for determining the individual elements
of the critical information infrastructure, and who is involved
in the determination?
* What should be the process/mechanism by which the government
will provide threat, indications and warning information to critical
information infrastructure companies?
* What legislative remedies are necessary to overcome the current
legal barriers to information sharing?
* Will shared information be protected from FOIA requests?
* What threshold should be established for reporting anomalous
activity? What type of reporting will be required, given that
industry will be motivated to monitor and protect itself against
cyber-attack for business reasons, and how will reported information
be protected?
* What government restrictions/legislation must be modified or
lifted so that private sector companies may implement active cyber-defense
and/or counter-measures (i.e., anti-trust provisions leading to
NSTAC-like organizations)?
* What type of organization(s) should plan and execute the strategy
for critical information infrastructure defense?
* What policy determinations are required to distinguish between
law enforcement and national security (warfare) jurisdictions
as a result of attacks on critical information infrastructure
elements?
* How should industry organize itself to represent private sector
views, to exchange relevant "lessons learned," and to participate
in policy development? Given that IT is both a vertical industry
sector itself, but also underlies all the other vertical sectors,
what should be the relationship between the IT sector and the
others?
* What considerations must be allowed for those elements of the
critical infrastructure that are foreign controlled or are part
of multi-national businesses, considering that most infrastructures
are international in nature?
* How should the information technology private sector assess
the implications of liability and insurance for critical services?
* Is there a sufficient research and development effort underway
to improve the ability of the private sector to monitor and protect
its designated critical elements? Who should fund this effort?
How should R&D information be distributed?
* If information system security becomes a competitive market
differentiator, how will the private sector accommodate the needs
of the government for infrastructure protection while maintaining
market competitiveness?
* How does our country develop a corps of IT workers with particular
skills to focus on security and infrastructure protection, particularly
in light of the overall IT workforce shortage?
In addition to substantive legal and policy issues, less tangible
concerns must also be addressed, particularly the development
of trust, both within the private sector and between the private sector
and government. ITAA and companies like MCI WorldCom are working
with government to help build the necessary bridges.
Last week, some of this bridge building got underway. Over 25
leading IT and communications companies and organizations, including
both MCI WorldCom and ITAA, met with President Clinton, Attorney
General Janet Reno, Secretary of Commerce William Daley, Science
Advisor Neal Lane and other top Administration officials to launch
an industry-led, government supported mechanism to begin the information
sharing process. We presented the President with a statement of
principles on how such an information sharing mechanism within
industry could be achieved. The principles, available on the ITAA
website at http://www.itaa.org/InfoSec/InfoSecstmt.htm, call for
the creation of an early warning system, recognize the need for
an incident response mechanism, and express a willingness to work
together on resolving information sharing issues. I believe that
the statement is a significant step in the right direction. Next
week, ITAA will host the first of a series of meetings of industry
leaders to develop quickly the most efficient mechanisms to share
information.
Just yesterday, dozens of companies from multiple sectors met
to further the development of the Partnership for Critical Infrastructure
Protection, an effort launched in December 1999, to ensure that
InfoSec issues will be addressed collaboratively across all important
sectors of the economy, including financial services, energy,
and transportation, in addition to the Internet industry itself.
No one sector alone can solve the InfoSec challenge.
ITAA and InfoSec
ITAA is taking a number of actions, has initiated programs, and
motivated its membership to address the InfoSec challenges that
the nation and our industry face. MCI WorldCom has been an ITAA
member for many years and is pleased to play its part in shaping
the Association's InfoSec program.
ITAA realized the importance of this issue and took it on over
two years ago with the establishment of a dedicated Critical Information
Protection Task Group to examine and analyze policy developments
in this area and to offer input into the policy process. In the
past year ITAA's Critical Information Protection Task Group, now
called the Information Infrastructure Assurance Committee (IIAC),
has continued its mission of providing ITAA outreach and education
to Administration officials, federal civilian, military, national
security, and law enforcement agencies, Congress, the media, international
organizations, and the public on the issues of information security
and assurance. The IIAC has been very active particularly in the
wake of Presidential Decision Directive 63 (PDD63), which was
issued last spring. IIAC activity is increasing as federal agencies
and industry grapple with the implementation of PDD63, which has
provided the initial outline and direction for the development
of a more comprehensive national infrastructure protection strategy
and plan.
In the past 12 months, much has happened. Through the IIAC, our
members have been active in what has been the rapid development
of information infrastructure security issues and policy. Our
organization has produced one of the first concerted industry
efforts to address InfoSec issues. We have issued white papers
focused on critical information infrastructure protection. We
prepared an industry response to the President's Commission on Critical
Infrastructure Protection (PCCIP) report and recommendations when
they were released in the fall of 1997.
Since then, we have held frequent meetings with representatives
across the government to educate, discuss and provide input into
the evolving national policy developments.
In February of this year, the Department of Commerce selected
ITAA as a Sector Coordinator for the Information and Communications
Infrastructure sector, in conjunction with two other associations
focused primarily on the telecommunications industry: the US Telephone
Association and the Telecommunications Industry Association. As
a Sector Coordinator, we are continuing to work with the federal
government and, in particular, with NTIA on the implementation
of PDD 63.
Education and outreach will be critical to the success of our
efforts. Last March, ITAA created the framework for a new Cybercitizen
Partnership in conjunction with Attorney General Janet Reno. The
Partnership will focus on promoting individual responsibility
in cyberspace and creating a public-private sector forum for exchange
and cooperation. Through the Partnership, private sector representatives
hope to work with federal partners, including the Attorney General,
the Department of Justice and National Security Agency representatives,
on development of a critical infrastructure protection education
and awareness campaign and other initiatives. In addition to an
awareness campaign we will be coordinating with the FBI's National
Infrastructure Protection Center to identify and coordinate industry
representation and participation in Center activities to build
the communication and trust that will be so essential in moving
forward.
Conclusion
The U.S. and much of the world are building their economic houses
on an information technology foundation. This is an extremely positive
approach to take, delivering tangible benefits to a fast growing
percentage of the world's population. As we build this house that
reaches to a better, more prosperous and democratic future, we
must be ever vigilant of cracks in this structure. If Year 2000
was the first challenge to place our digital foundation at risk,
failure to adopt a rigorous approach to InfoSec will be the second
and even more dangerous. I have offered a conceptual framework
on which government and industry can work towards common ground.
ITAA and MCI WorldCom are committed to a private sector leadership
role in ensuring that the necessary, timely and cost effective
solutions are implemented.
Thank you and I would be happy to answer any questions you may
have.