IWS - The Information Warfare Site

Cybersecurity & Consumer Data: What's at Risk for the Consumer?

Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
10:00 AM
2123 Rayburn House Office Building 

Mr. Howard Schmidt
Vice President, Chief Information Security Officer
eBay Inc.
2145 Hamilton Avenue
San Jose, CA, 95125


Chairman Stearns, distinguished members of the Committee, my name is Howard A. Schmidt. I am the Vice President and Chief Information Security Officer for eBay, where I lead a team responsible for ensuring the trustworthiness and security of the services that bring so many global citizens together in this tremendous global marketplace each day. I would like to thank you for the opportunity to come before this Committee again as well as your continued leadership on this very important issue. Prior to my current position at eBay and subsequent to my last appearance, I had the privilege of being appointed by President Bush to lead, with Richard Clarke, the President's Critical Infrastructure Protection Board, which represented one part of the overall governmental response to the threat of cyber security attacks in the wake of September 11. I retired from 31 years of public service after completing and publishing the "National Strategy to Defend Cyberspace," working with a team of dedicated public servants, this body, and the American public.

I have had the privilege of working with committed individuals in the private sector, law enforcement, and government to forge the collaboration and cooperation that is so essential to safeguard cyber space for everyone, from inexperienced home users to large well-run corporate enterprises. I assisted in the formation of some of the first collaborative efforts in the law enforcement community to address cyber crime in local law enforcement and the FBI. I also helped lead the creation of the Information Technology Information Sharing and Analysis Center (IT-ISAC) and had the honor of serving as its first president.

I continue to proudly serve in the U.S. Army reserves, assigned to the 701st MP Group, (CID) as a Special Agent with the computer crime unit at CID headquarters. I also serve on the Board of Directors for ISC2, the body that oversees certification of security professionals through the CISSP certification. My remarks today will focus primarily on the changes that have taken place within both business and government to create the level of information sharing and collaboration necessary to improve Cybersecurity and further improve security for consumers, as well as how this sharing and collaboration has improved the level of information and protection of consumer computer data.

Today, the Internet connects over 170 million computers and an estimated 680 million users, with an estimated growth to 904 million by the end of 2004. From major data operations conducting large-scale financial transactions, to wireless devices keeping families connected, the Internet touches virtually all aspects of our economy and quality of life. eBay is a prime example of how deeply ingrained the Internet is in American life. Every day on eBay, millions of Americans, along with millions of people in countries around the world, come together to buy and sell all types of goods and services. Business relationships and, often, deep friendships are formed on the basis of commerce and shared interests. The eBay marketplace reflects the enormous power of the Internet to unite humanity at a crucial moment in history.

More pointedly, the Internet has become a fundamental component of business processes---enhancing productivity by speeding connectivity between remote locations or across functional operations. The Internet is deeply ingrained in managing power, producing chemicals, designing and manufacturing cars, managing money and delivering government services ranging from human services to environmental permitting. The flip side of these productivity-enhancing applications is an increase in attacks against the online community.

Today the Internet is utilized by hundreds of millions of users all across the globe sending information ranging from homework assignments and simple greetings to the most sensitive financial and operational data of government and industry, all at the speed of light. The Internet landscape also includes a private sector security industry that has grown to an estimated $17 billion per year in goods and services. And, as we are all painfully aware, attack speeds today are measured in seconds, not days.

I would like to provide my update in the format of specific examples of improvement in four major areas. Those areas are: Awareness and education; product enhancements; government activities; and private sector initiatives. While we have made significant progress, I also want to stress that we still have much work to do and will continue to improve overall Cybersecurity by continued improvement in some of the examples I will mention today.

Awareness & Education:

One of the biggest visible changes that has taken place is increased dialogue and training to better inform the end user on how to secure their computers and information. One of the first consumer-targeted awareness programs was truly a joint private-public partnership. This partnership took place in the form of the Cyber Security Alliance. The alliance combined the expertise of a number of private sector entities with the efforts of government partners to create a comprehensive website for consumers. The website, www.staysafeonline.info has a wealth of information to help even the most inexperienced users understand cyber security, potential threats from online criminals, and steps they can take to protect themselves.

In addition, the White House held a series of town hall meetings around the country with private sector partners. These town hall meetings were open to the public and well-attended, with speakers ranging from CEOs of major financial institutions and exchanges, to subject-matter experts in cyber security. Many of these town hall meetings were webcast so those that could not attend in person could participate over the Internet.

Private sector companies have also held free seminars around the country to provide awareness to citizens. Many of the sessions focused on informing the elderly, one of the segments of our society that has received great benefit from the online world and the resources that it provides. As we enter the holiday shopping season, there will be mass media campaigns to educate consumers on how to safely and securely enjoy the richness and robustness of the online e-commerce world.

In the category of formal education, the National Security Agency (NSA) has a program identifying universities that meet the criteria to be designated a center of academic excellence in information security. This NSA program not only ensures the education of the next generation of information security professionals, but also guarantees that the university has sound cyber security practices in place as well as awareness education for the students, who make up a large number of the online users and consumers. The NSA also administers the Cyber Corp program with NSF and OPM, providing scholarships for students in cyber security.

Product Enhancements:

Another major improvement that we have seen in the past two years is the way security enhancements are now offered standard in software and hardware. One very visible example is the hardware provided to use wireless technology. Broadband technology (Cable modem, DSL, satellites etc.) has given us capabilities and speeds that were only available to corporations before. We now see firewalls and the ability to download anti-virus software being built into wireless modems.

The major operating systems now have auto-update features included, and are now being turned on by default in more future versions. Products are now being shipped with many services turned off by default, thus making them more secure. Many of the online email services block potentially malicious code and do a much better job of blocking the Spam that often contains malicious functions.

Anti-virus vendors have done an amazing job in speeding up the detection, analysis and updates for many of the viruses that are found in the wild. Many of them even provide free online virus scans as a public service to assist consumers.

Government Activities:

There have been a number of government actions that have taken place since I last appeared before this committee - most notably the creation of the President's Critical Infrastructure Protection Board and the release of the National Strategy to Defend Cyberspace. This critical document set the framework for much of the private public partnerships, focusing a section on home users and small/medium enterprises.

I would also argue that the consolidation of cyber security related organizations into the Department of Homeland Security in the Infrastructure Protection Director was a valuable reorganization. The bringing together of the NIPC (FBI), Fed-CIRC (GSA), CIAO (Commerce), Energy Information Assurance Division (DoE) and the National Communications System (DoD) created a center of excellence that, with the help of focused leadership, will move to implement the national strategy. This new organization is called the National Cyber Security Division.

Recent action taken by the Department of Homeland Security (DHS) to create the US CERT at Carnegie Mellon University has the potential to significantly enhance security for all users. The US CERT is designed to serve as a focal point for building partnerships based cyber security response network and provide a notification network as threats and vulnerabilities are discovered.

The goal for US CERT is to ensure that there is an average response time of no less than 30 minutes in the case of any attack. The very specific nature of this goal is designed to deliberately focus the US CERT on building broad participation by the private sector.

The US CERT will undertake the following major initiatives:

Develop common incident and vulnerability reporting protocols to accelerate information sharing across the public and private response communities;

Develop initiatives to enhance and promote the development of response and warning technologies; and

Forge partnerships to improve incident prevention methods and technologies;

The Dept. of Justice, the U.S. Secret Service and the FBI have significantly decreased their response times and increased priorities around investigations of cyber crimes. Director Mueller has placed cyber crime in the top 5 priorities at the FBI, and the Secret Service has added a number of electronic crime task forces in order to successfully investigate and prosecute cyber criminals. All of the Defense Department's investigative organizations have led the way investigating cyber crimes and have some of the best investigators in the world. The Department of Justice, through its Computer Crime and Intellectual Property Section, has chaired the G-8 Subcommittee on cyber crime and has been a significant driving force in combating worldwide cyber crime.

Since there are no borders when it comes to cyber space, and criminal attacks on consumers can come from all corners of the world, the State Department has conducted bilateral and multilateral discussions to ensure that there is international cooperation in the effort to protect cyber security.

I have had the extreme pleasure of working with Commissioner Swindle of the Federal Trade Commission, who has been a beacon of light for the protection of consumers' privacy and security. With his help in the creation of the FTC's "Dewey" program and his tireless support for town hall meetings, he truly has created a "culture of security" globally.

Private Sector Initiatives:

While there will be no silver bullets in enhancing cyber security, the private sector continues to grow its capabilities and make solid improvement in securing their part of cyberspace. Two of the earliest examples of private-public cooperation for "Cyber Crime/Cyber Security" were the High Tech Crime Investigators Association (HTCIA) and the Information Systems Security Association (ISSA). Both organizations date back to the mid/late 80's and are dedicated to sharing information on cyber crime and information security. They still exist today and their membership and value have increased significantly over the years.

Most recently, the private sector has created a coalition that I see as an excellent example of efforts to enhance consumer cyber security. As you are probably aware, identity theft is a major problem. While the vast majority of ID theft occurs in the physical world, we have seen an increase in the activities of criminals to commit the same types of crime online. The most recent method is by using what we call "phishing" or "spoofed" emails. The criminals will send out thousands of emails telling people that there is an error with their online account and ask them to fill in an "update form" or their account will be closed. This form has the look and feel of major e-commerce sites - there was even a fake email from someone pretending to be the FBI and asking unsuspecting users to enter personal information into a fake web site.

To combat this, many of the major players in the e-commerce space banded together to create an Anti-Online ID Theft Coalition. The Coalition boasts many private sector members, with the Information Technology Association of America providing support as the executive director. The Coalition has four major goals: 1) to build technology to reduce the likelihood of these mails even reaching their intended victim; 2) to provide awareness training to consumers so they can more readily identify these criminal acts; 3) to share information on new scams amongst the various security teams; and 4) to insure accountability by working with law enforcement to identify and prosecute these bad actors.

In a larger perspective, Sector Coordinators representing each of the major sectors of our economy have been appointed to fight potential cyber attack. A sector coordinator is an individual in the private sector identified by the sector lead agency to coordinate their sector, acting as an honest broker to organize and bring the sector together to work cooperatively on sector cyber security protection issues. The sector coordinator can be an individual or an institution from a private entity.

These private sector leaders provide the central conduit to the federal government for the information needed to develop an accurate understanding of what is going on throughout the nation's infrastructures on a strategic level with regards to critical infrastructure protection activities. The sector coordinators and the various sector members were key to the creation of the National Strategy to Defend Cyber Space.

In addition, there have been a number of new private sector Information Sharing and Analysis Centers (ISACs). An ISAC is an operational mechanism to enable members to share information about vulnerabilities, threats, and incidents (cyber and physical). The sector coordinator develops these Centers with support from the sector liaison. In some cases, an ISAC Manager may be designated, who is responsible for the day-to-day operations of the ISAC, to work with the sector coordinator or the sector coordinating body with support from DHS and the lead federal agencies.

Despite these security enhancements, we can be certain that as increased collaboration continues to enhance our protection and responsiveness, the nature and sophistication of attacks will certainly evolve. There are clear challenges we must continue to address.

First, we must renew our commitment to enhance consumer awareness of basic cyber security practices. The recent attacks demonstrate that home users can be used as an effective pathway to launch attacks, or as a gateway into large enterprises. We need to build on the public/private initiatives to promote cyber security with a focused and aggressive outreach effort to benefit all consumers.

Second, while we build an effective response network we must not lose sight of the innovation frontier. Technologies on the horizon hold the potential to dramatically and potentially decisively transform our cyber security challenges. Self-healing computers, embedded technologies that enable devices to recognize and defend against attacks, and devices which enhance both security and privacy are within reach with an aggressive technology development agenda. This effort must be industry-led in collaboration with our best Universities. Most importantly, it must be synergistically linked with our response initiatives.

Finally, we must recognize that cyber security is no longer merely about products, services and strategies to protect key operations. What is at stake in the effective implementation of advanced cyber security technologies and strategies is nothing less than the ability to unleash the next wave of information technology-led growth in jobs and productivity. Cyber security is an essential enabler to the advent of the next generation Internet and all it holds for how we work, live, and learn.

I don't want to close without mentioning my expectation that many of these challenges will be addressed, and indeed met head-on, with tangible commitments and deliverables through the upcoming National Cyber Security Summit, to be held on December 2-3, 2003. This Summit will be co-hosted by the Information Technology Association of America, the U.S. Chamber of Commerce, TechNet and the Business Software Alliance, with the support of the Department of Homeland Security. I have the honor to serve at that summit, as will many of the brightest minds and most innovative companies across all sectors of the economy.

The work of this summit will continue past December 2-3 through task force work programs that will drive toward solutions in intense work before, during, and beyond the Summit. We expect that many of these proposals will be forwarded to DHS early next year, after which we can measure progress on an ongoing basis. We expect this to be an all-hands-on-deck effort where we bring together, distill, and integrate many of the outstanding work products from many groups regarding cyber security metrics, software development and maintenance, public outreach initiatives, and, of course, public-private partnerships in information sharing and early warning systems.

Chairman Stearns, this concludes my prepared remarks. I thank you for the opportunity to come before this Committee and welcome any questions that you and the Committee members may have.