Statement of Mr. Mark Graff
For the Joint Economic Committee
February 23, 2000
The Internet today is a sound platform for commerce, fueling
an economic expansion unparalleled in our history. It reliably
delivers billions of e-mail messages every day. It makes the
miracle of the World Wide Web possible. To many, the Net is
fast becoming essential to modern life. But substantial hard
work remains before the Internet is as safe and stable as its
older cousins, the telephone network and the electrical distribution
In this paper I will lay out what I see as the next steps towards
Internet security[1]. There is work here for everyone. I have
handed out assignments liberally. For government: provide a
legislative and regulatory environment that encourages responsible
behavior from all parties--but don't "kill the golden goose"
with heavy-handed coercion. For the builders of the Internet
("my" industry): use the best techniques you know to make products
of the highest possible security quality. For the media: learn
and teach that Net vandalism is no cuter than drunk driving.
For my fellow citizens: demand the best from those of us who,
for now, are in the driver's seat. Oh, and a suggestion for
Net vandals: grow up.
Security engineers usually begin a job with what we call a
"threat analysis". We ask ourselves, what bad thing can happen?
Nature of the Threat to the U.S. Economy
What are the greatest cyber-threats to American commerce today?
They are four; and all were illustrated by the distributed denial
of service episodes of early February.
The most obvious threat is the current susceptibility of major
World Wide Web sites to simple data flooding, and the weak security
at thousands of other sites that enabled them to be used as
attack amplifiers. These weaknesses result from out-of-date
assumptions and trust models, created by the people who conceived
the Net; from old and new engineering mistakes, shortcuts, and
trade-offs, instituted as the Internet of today was built; and
from the blithe inattention of many Net dwellers today to basic
The second threat is the widespread publishing of "vulnerabilities"--security
flaws in the operating systems and servers that bring the Net
to life. This activity is most dangerous when the disclosure
is accompanied, as is often the case, by the release of free,
ready-made software that exploits the bug. The practice is least
defensible when the disclosure is launched with no prior notice
to the vendor involved, ensuring that the weaknesses will be
exploited by Net predators until a patch can be devised, built,
tested, and released.
The third threat is the common practice of dramatizing security
incidents. The press and others routinely overstate potential
losses, exaggerate the technical expertise required to disrupt
the Net, and--perhaps most importantly--perpetuate and encourage
the narcissistic element of the vandal mentality by accepting
and repeating colorful "hacker handles" and "attack names".
The fourth and final key threat is the uncertainty and ignorance
that obscure the world created by the other three. Uncertainty:
How many networks are attacked each year, by what means, and
with what degree of success? What do the losses to commerce
total? How much is paid to extortionists, in response to what
kinds of threats, enabled by which technical or procedural flaws?
Which vulnerabilities have been fixed, but not patched; which
discovered, but not fixed; which dormant, and not discovered?
Now, ignorance: What do we mean when we say a system or network
is "secure"? How can we meaningfully compare the relative security
of two similar systems, or the same system after we have installed
a patch? To the first set of questions, few who know will answer.
On the second set, no one today can say. Yet, to keep the Net
safe as it grows, we must measure in order to know.
I spent almost all of the last decade working for Sun. In working
to secure networks, in my involvement with FIRST, in teaming
with many other computer vendors and helping to beat the security
bugs out of our products, I observed firsthand in the Nineties
many of the challenges involved in building and securing the
worldwide Internet. Let me tell you about some of the trends
that have presented themselves along the way.
On the scary side of the equation:
* Attacks have increased in technical complexity
* Attack tools are increasingly simple to operate, and now
are widely available
* Vulnerabilities are now usually routinely announced to the
public before a fix is ready
But there's good news, too:
* Vendor collaboration is increasing
* The public has become aware that security is an important
"feature" of a system
* Government institutions are seeking to determine their appropriate
roles in securing the Net
To close the discussion about trends, I must, on a personal
note, point out another fact of Internet life: a trend, if you
will, that never appeared. The security quality of networking
software has not improved.
Functionality, what the software can do, has made tremendous
advances, of course. So far as I am aware, however, the engineering
techniques used by developers have changed little in the past
twenty years. Looking under the hood of all the major operating
systems in use today, we find the same kinds of security flaws,
coding errors, and faulty assumptions programmers like myself
were turning out in the Seventies and Eighties. (To be clear:
I made these mistakes in the Nineties, too.) I don't think the
relative quantity of bugs has changed much, either. While groups
such as the Software Engineering Institute were advancing the
state of the programming art, industry, in day-to-day practice,
did not advance with them.
The reasons for this stasis are, it seems to me, both economic
and practical. Indeed, it may well be that the only way to achieve
the rapid, world-transforming progress we have made in global
networking was the path taken. Risk, I like to say, is a resource.
It is like money: you invest it to get things done. And now
that we have reached the point that the Net and the Web are
significant (soon to be dominant) elements of our economy, now
that we have become so quickly an essential part of the modern
infrastructure, the network-building industry needs to step
up to our new responsibilities and provide the best security
quality in our products we know how. The widespread adoption
of a higher standard of security quality must become one of
the important trends of this new decade.
Likely Sources of Attack
Let me begin a discussion of "likely sources of attack" by
discussing the kinds of attacks I find most threatening.
Most network users, and security experts, would probably list
the following "attack types" as the ones to be feared most.
1. Denial-of-service attacks, particularly "distributed" attacks
2. Email "viruses", such as 1999's so-called "Melissa"
3. DNS spoofing, re-direction, and outages.
The first two threats on this list have received so much press
lately that I am not going to explain them here.[2] The third,
while it has received little public attention, may represent
the most acute security weakness of the Internet today. Domain
Name Service servers and such other software agents translate
computer system names and World Wide Web URL's to the explicit
Internet addresses ("IP numbers") needed for packet routing.
Over the past three years we have experienced a few small-scale,
accidental disruptions in these services. The result in each
case was that a segment of the Internet was effectively unreachable
for a few hours. An intentional, dedicated, coordinated attack
could, I believe, isolate large sections of the Net, perhaps
A question suggests itself here. If such an attack is possible,
why hasn't it happened yet? In general, why have we seen so
few substantial attacks against the Net, and the Web it supports?
Well, what would be the likely source of such an attack?
To answer that, ask another question. Cui bono? Who would benefit?
The answer I accept is that to date, no sufficient economic
or martial incentive has sufficed to motivate a large-scale
action. The Net grows larger and more important to us every
day, of course. We should waste none of the time left to us
in addressing such fundamental weaknesses as the IP-stack assumptions,
mail protocol flaws, and DNS dependencies which make possible
the three attacks I have singled out above.
Turning now to the experiences of Sun Microsystems with regard
to attacks and losses, I am able to draw a much more positive
picture. Both with regard to incidents referred to us by our
customers, and those sustained in the operation of our own network,
our experience tells us that:
1. Most threats, attacks, and losses come from inside the enterprise
2. Most attacks to date seem to be the work of individuals
or very small groups, working alone.
For this reason, Sun has focused the majority of its internal
security investment in recent years on the assessment and mitigation
of internal risks. We have yet to experience a major loss or
outage due to the malevolence of outsiders. (Of course, we have
one of the oldest and strongest firewalls on the Net.)
Recommendations for Action
In light of the threats and opportunities I have explored above,
I offer the following recommendations for action by the federal
government and others. I must emphasize that I make these recommendations
as an individual.[3]
To help reduce the susceptibility of the Net and the Web to
1. Encourage site operators and ISP's to install security patches,
and to practice the basic prophylactic measures suggested by
CERT and many other such groups.
2. Encourage or require the adoption of "ingress filtering"
by ISP's and other network routing agents. Encourage the adoption
Net-wide of "IP v6" (a new, more secure version of the Internet
Protocol) and IPsec on IP v4. If funds are necessary to promote
these efforts, consider the imposition of an "excise tax" on
network routers to fund the effort
3. Establish and enforce uniform high standards of security
quality in all government networks
4. Promote the use of sound, modern engineering practices in
networks developed or managed by the government.
5. Encourage industry to practice the highest practicable standards
for software development. Use the government's position as one
of the largest computer customers in the world to advantage
by setting procurement standards high in the area of security
6. Work with the computer and network industries to develop
7. Work with the computer and network industries to develop
standards for security quality. As one of my (non-Sun) colleagues
remarked to me, "We already have to comply with UL electrical
rules, RF emission rules, OSHA rules, and encryption export
rules; why is software security any different?"
8. Facilitate collaboration between members of the industry
by ensuring that meeting and working together for the purpose
of improving network security is shielded from anti-trust and
To discourage the publishing and distribution of vulnerabilities
and exploit scripts before patches or other preventive measures
are in place:
1. Work with industry and academia to find sound alternative
methods of spurring the development of security patches and
improvement in security quality. Consider a "vulnerability escrow"
arrangement[4] wherein the vulnerability would be held in confidence
by a neutral third party while the vendor undertook to develop
and release a fix within a short reasonable period of time.
2. Note: Punishment for releasing such information is in my
opinion both undesirable and infeasible, both out of First Amendment
concerns and because of the international and often anonymous
nature of these releases. I suggest it not be considered.
To avoid encouraging Net vandalism:
1. Fund and/or encourage "security responsibility" educational
campaigns in our primary and secondary schools, making sure
especially that whenever we hook up another school to the Internet
we also educate students, teachers, and administrators about
responsible network use
2. Direct government agents and officials, and encourage other
responsible figures, to avoid sensationalism in discussing security
flaws and incidents. Specifically, do not adopt or repeat without
qualification narcissistic "hacker handles" and dramatic "attack
To increase our understanding of the nature and scale of security
incidents and vulnerabilities:
1. Require all networks managed by the federal government to
report "sanitized" and canonical computer security incident
statistics to a central collection point such as the FBI Computer
Crimes Division. Report the aggregated statistics quarterly
2. Require publication of the same kind of reports from key
industries, including the financial community and public utilities
3. Fund academic and industry research in basic security metrics
4. Fund or facilitate the collection, sharing and analysis
of security vulnerabilities among industry and government groups
responsible for fixing them. If fear of liability is a barrier
to the disclosure, sharing, and repair of security flaws, provide
legislation to shield and spur the companies for a fixed period
5. Support cooperation between industry, academia, and the
federal government by creating and funding industry and academic
fellowships at the National Infrastructure Protection Center
and similar institutions. Support similar "exchange programs"
between groups, which we need to more effectively share information.
6. Strongly support the operation of Computer Incident Response
teams such as CERT and CIAC
7. Encourage all sectors of American industry, particularly
key elements of the infrastructure, to develop and support Computer
Incident Response teams
8. Support independent associations such as FIRST, the Forum
of Incident Response and Security Teams, to foster communication
and coordination amongst security experts world-wide
Because security is the mother of liberty, those of us who
love liberty must work to secure the Internet. The Net is the
marketplace, the workshop, the printing press, and the town
hall of the 21st century. If we fail to protect either its commerce
or its communications, we are choosing to deprive future Americans
of the societal sense of safety, surety, and stability that
is one of the necessary conditions for freedom.
[1] My views are based on my experiences at Sun Microsystems,
but, unless otherwise stated, do not necessarily reflect the policies
or positions of the company.
[2] I can't resist pointing out that since we at Sun run our
enterprise largely on the hardware and software we make, our
network was one of the largest in the country completely unaffected
by the "Melissa" virus--unaffected, that is, except for one unfortunate
woman in Marketing who had a terrible time for a few days getting
her colleagues to respond to her e-mail. Her name, as it happens,
[3] Sun Microsystems has not taken a position, so far as I know,
with regard to any of these suggestions, and may in fact not
support them--except the admonition to install security patches.
[4] First suggested to me by Dr. Eugene Spafford of Purdue.