Subcommittee
on Commerce, Trade, and Consumer Protection
November 19, 2003
10:00 AM
2123 Rayburn House Office Building
Mr. David B. Morrow
Managing Principal, Global Security and Privacy Services
EDS
1400 Crescent Green
Cary, NC, 27511
Introduction
Mr. Chairman and Members of the Subcommittee, thank you for the opportunity to testify before you today on Cybersecurity and Consumer Data: What's at Risk for the Consumer. My name is David Morrow, and I am the deputy director for global security and privacy services at EDS. I have over 25 years of experience in the information technology ("IT") field as a computer programmer and analyst, operations chief, security officer, investigator, and consultant. Prior to joining EDS, I was a security consultant with Ernst and Young, LLP and Fiderus Strategic Security and Privacy Services, a small, start-up consulting firm. I also spent 13 years of a 22-year Air Force career as an investigator of computer crime for the Air Force Office of Special Investigations (AFOSI). When I retired in 1998, I was the Chief of the Computer Crime Investigations and Information Warfare Division for AFOSI. I am honored to join you today to present EDS' views on the state of information technology security, two years after my last appearance before the Subcommittee.
In my testimony two years ago, I focused on the changes in our way of life after the tragedy of September 11, and the need to make investments to protect our information networks. I called upon government and industry to increase their collaboration, to focus not only on physical security but also information security, and to view cyber security as an essential capital investment rather than as an expense. I also noted a few ways that government can help industry bear the burden to protect our information economy and, therefore, our economic security. At the risk of repeating myself, I do want to emphasize that all those comments still hold true. Today, I will focus my comments on what has changed in the last two years, what needs improvement, and once again where I think both industry and government can make greater efforts.
What has changed?
Thankfully, we have not seen another September 11. However, we are still in a heightened threat environment. More recent attacks on our information networks, such as the DNS root server attacks in October 2002 and several high profile virus and worm attacks, have not stopped us from relying on them to conduct business and live our lives. In fact, we continue to look to information technology to drive innovation, efficiency, and productivity in our business operations. In addition, consumer use of the Internet for recreation and to conduct business continues to expand. And, our networks and the data on them are still vulnerable.
At EDS, we are seeing an increase in the tempo and severity of new viruses and other attacks on our information infrastructure. As I believe many of us predicted here two years ago, the complexity and sophistication of such attacks have continued to increase, making the task of defending and repairing our networks and systems all the more difficult. Installing software "patches" to deflect intrusions has become the favored way of addressing impending attacks. But, our clients are concerned about the need to install patch after patch after patch in rapid succession, on thousands of servers and tens of thousands of desktops. As you can imagine, it is a daunting task to do three major patch updates in one week in a large company or government agency. As these attacks become more frequent, severe, and sophisticated in often incompatible environments, what we call patch management has become a larger issue.
Unfortunately, another change we have seen is the increased incidence of identity theft and criminal misuse of personal information that affects millions of Americans at any given moment. While there are a variety of both high and low technology ways to obtain personal identity and credit information, the biggest "bang" for the criminal "buck" is still to locate and steal such information from an insecure network. I am disturbed by the increasing number of identity theft victims, and I believe more effective practices in network security and protection of personal data would benefit us all, both individually and as a society. I am glad to see that the Administration and Congress took the opportunity of reauthorizing the Fair Credit Reporting Act to address this challenge in a positive way and look forward to the passage of that legislation very soon.
Another change is the regulatory environment for us and for our clients. The Federal Trade Commission's new "Do-Not-Call-List", the Sarbanes-Oxley Act, and the pending FCRA reauthorization are the latest iterations. They follow the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. None of these regulatory frameworks give specific requirements for information security - and shouldn't, in my opinion. But in one way or another, either through greater corporate accountability, stronger privacy requirements, or new reporting obligations, each has direct or indirect implications for improving the integrity of data. As such, I would argue that each raises the level of awareness of information security in enterprises across the country.
This increasing awareness is a key component in the changes that I have seen in the last two years. More and more companies are coming to us with questions about how to address their information and network security. The problem is, they are still often asking the wrong questions. There is no silver bullet that addresses everything needed to achieve a stronger security posture. You can't point and click and say "done." There are no magic technologies or software. Information security is a continual process that elevates security planning out of the traditional information technology silo and involves the whole enterprise: IT, legal, regulatory, sales, marketing, and security, as well as each individual employee and business partner. It's hard work, but it's essential.
Another concern is the lack of details or guidance on standards of acceptable security practices. There are many organizations that are putting forth standards that purport to drive best practices or interoperability, for example. But the proliferation of differing standards has caused some confusion among some of our clients that has prevented them from making important changes as they wait for further direction. We often use the ISO Standards because they are widely accepted, but there is room for improvement in developing standards for the future that are flexible enough to reflect changes in technology and business operations.
As modern global businesses become increasingly intertwined through partnerships, consortia, and merger and acquisition activity, traditional network and security boundaries are, in many cases, no longer intact. The security problems of one member of a partnership arrangement or newly acquired company now quickly become the problems of the entire group as the insecure network or system becomes the weak link in the entire chain. In addition, information security entails many things that may not appear to be security issues at first glance, such as enterprise training, for example. Addressing these issues requires strategic thinking about:
· the way a company or agency uses information, both on the network and off;
· what information is critical to the enterprise;
· what risk mitigation measures need to be put in place for what functions, how your information security fits into an overall business continuity plan; and
· how privacy and security policies and processes complement - or contradict - each other in the business.
Companies need to look at information security in a holistic way to create and integrate what has been dubbed a "culture of security" into their enterprise. This may be a daunting task for those enterprises that are behind, but it is crucial to ensuring our economic security.
Despite its demonstrated critical importance, we have not seen a universally overwhelming increase in the amount of investment that companies or the government are making in information security. Some of the early adopters are often driven by regulation or in response to an attack, but there are many more who have taken a wait-and-see approach and hope that the next incident does not affect them... at least not too much. Part of that is a response to the current economic situation, and part is still a lack of understanding of the loss implications from an attack or even a natural disaster.
There is cause for hope, however. In a survey of corporate Chief Information Officers released earlier this month by Forrester Research, increased funding for security and privacy efforts was at the top of the list of priorities for 2004. I am hopeful that as the economy continues to recover, these plans will materialize into concrete actions and investment in the security and privacy of our national data resources.
What companies have been doing since September 11 is committing some resources and expertise to the greater dialogue on information security. Trade associations and other industry groups are including information security in their work program, or beefing up existing programs. New information sharing mechanisms are developing, existing ones are working to improve their impact, and industry groups are putting forth best practices and other guidance for their industry. EDS was a founding member of the Information Technology Information Sharing and Analysis Center, or ISAC, one of 13 that were set up as part of Presidential Decision Directive 63 for the designated critical infrastructures. We have also taken on a role in the National Infrastructure Advisory Council (NIAC) that was established after September 11. Importantly, efforts are also extending beyond the so-called high technology sector. EDS led an effort in the Business Roundtable, an association of Fortune 200 Chief Executive Officers, to develop a roadmap for large corporations in any sector to seriously consider their cyber security. The publication is called Building Security in the Digital Economy: An Executive Resource and is submitted as part of my written testimony.
What still needs improvement?
While I appreciate the increased level of awareness, I still think we need to do more to increase the level of real investment and improvement in information security. I believe it requires a recognition that security is not merely good for its own sake. We need to incorporate the notion of security as a business enabler into our business models. Enterprises that are looking at security as an enabler to their business are investing in more strategic ways, and are, therefore, better able to serve their clients, consumers, citizens, and business partners. As I said earlier, it's not just a business expense... it's an essential element in today's strategic - and networked - business model.
I believe the jury is still out on the role of the Department of Homeland Security in information security. We do applaud the creation of the National Cyber Security Division (NCSD) as well as its initial efforts on establishing the U.S. Computer Emergency Response Team (US-CERT) and collaborating with industry. EDS will be participating in the Cyber Security Summit scheduled for early December and the ongoing work of the summit's designated task forces. However, we hope that its placement in the new agency does not illustrate a lack of concern, authority, or funding for information security efforts in the US government. We all need to be diligent to make sure the NCSD's efforts are maintained and relevant.
Virtually everyone on this panel two years ago called for a public-private partnership and increased collaboration on cyber security. Arguably, we have made important strides in that direction as more companies, people, and agencies are talking about these issues in our associations and in government groups. These efforts are encouraging, but I argue we can do more, particularly by coordinating and learning from them, rather than duplicating them. In addition, once again we cannot look at individual aspects of security in isolation. As we consider our infrastructure protection, we have to look at the convergence of physical and cyber security because they can no longer be looked at independently.
In sum, I would characterize our state of information security readiness as marginally better than it was two years ago, with hope for greater improvement. While more are concerned, many are doing as little as possible to remedy the problems they have. While more are aware of the threat, they are not mitigating the corresponding risks with appropriate measures. And, while there is more activity and public-private collaboration on information security, it is not well coordinated across the spectrum of industries and issues that are impacted by security measures.
What can be done?
First, we can continue our efforts for a more coordinated program of industry-government cooperation. The release of the Administration's National Strategy to Secure Cyberspace earlier this year provides a framework for continued work, and I urge both industry and government to take advantage of the upcoming Summit to solidify some of that work going forward. The Department of Homeland Security's National Cyber Security Division provides a focal point for monitoring industry efforts and participating as appropriate. As DHS solidifies its operations, we should ensure that the division has the appropriate mandate, funding, and industry coordination to support its activities.
Second, we can strive to improve information sharing mechanisms that are an important component of the public-private partnership on cyber security. For example, the Information Sharing and Analysis Centers (ISACs) are still active and are looking for ways to be more effective for their industries. I would argue the ISACs should also look for ways to communicate and even collaborate with each other when appropriate. Just as we cannot put information security into one silo, we cannot look at each industry sector in isolation. We are all interconnected now and rely on not only the security of our own network, but that of our suppliers, customers, partners, and competitors. Industry was collectively pleased when Congress provided for Freedom of Information Act exemptions for information shared on cyber security in the Homeland Security Act. We urge Congress to preserve the integrity of that provision in any future reviews of the Act in order to allow continued information sharing about vulnerabilities, breaches, attacks, and other actual or anticipated cyber incidents. Our experience has repeatedly shown that effective and timely information sharing is one of the most effective ways to prevent widespread incidents and to combat them when they do occur.
Third, we still believe there are areas where incentives are necessary for companies to allocate the necessary funds to upgrade their information security. This is particularly true for functions that the US Government deems to be of critical importance to our economic - and, therefore, our national - security.
Fourth, we must continue to emphasize research and development for innovations in information security and encourage Congress to keep these avenues open for resolution in the budget process.
Fifth, I remain a strong proponent of ways in which we can continue to develop and professionalize the cadre of information security professionals practicing today. In the past two years we have seen a notable increase in the number of educational institutions offering courses and even advanced degrees in information security topics. While this is an encouraging sign, I still believe that there is great room for improvement in expanding the discussions beyond the purely technical disciplines and into the more general business curriculum.
Finally, as stated earlier, our intertwined information networks are global in nature and transcend traditional borders. That directly impacts global companies such as ours as well as consumers. It is imperative that we engage in the global dialogue on information security as well. I commend the Organization for Economic Cooperation and Development and the Asia Pacific Economic Cooperation for their efforts to bring this issue to the international arena.
Conclusion
In conclusion, I would just like to emphasize the fact that the improvements we have made over the last two years in information security have much to do with an increasing awareness of cyber security concerns for all of us. Increased awareness here at home and abroad will continue to be crucial for our security going forward, and I support efforts such as this hearing toward that objective. We are better off and heading in the right direction, but we can and need to do more - now. I have outlined some suggestions for future focus that I hope are helpful to the Committee.
Mr. Chairman, thank you for the opportunity to share my views and EDS' experience once again. I will be happy to answer any questions you and the Members of the Subcommittee may have.