Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
2123 Rayburn House Office Building
Prepared Statement of The Honorable Cliff Stearns
Good morning and welcome to the Subcommittee on Commerce, Trade
and Consumer Protection's hearing on cyber security and consumer
data. I am pleased that we are joined this morning by a group of
distinguished witnesses and look forward
to having their testimony.
On November 15th, 2001, nearly two years ago to the date, the Subcommittee
held a hearing entitled: "Cybersecurity: Private-Sector Efforts Addressing
Cyber Threats." The focal point of that hearing, as it is with this hearing,
was cyber security as it related to consumer data used in the stream of commerce.
We are fortunate that three witnesses, Ms. Davidson and Messrs. Schmidt and Morrow,
all of whom testified at the hearing two years ago, have joined us today to reflect
on what has transpired with regard to cyber security in the last two years.
I am confident their insights, along with the testimony of the other witnesses,
will be particularly helpful to our better understanding of the issue, its evolution
and its increasing significance.
The subcommittee's hearing two years ago was held in the shadow
of the tragic events of September 11th, when we as a nation, it
seemed, had become obsessed with security. Of course that is understandable.
Yet, the problems that gave rise to cyber security concerns then
predated September 11th. In just the years 2000 and 2001, and as
a result of only three cyber attacks - the I Love You and Code
Red viruses and February 2000 denial of service attacks - the media
reported losses in excess of $10 billion. The number of cyber attacks,
as reported by the Computer Emergency Response Team (CERT) at the
Carnegie Mellon University, was expected to nearly double in 2001
from 2000 to some 40,000.
Fast-forward two years, in 2003 the "SQL Slammer" worm
disrupted computers around the globe and during the attack half
of all Internet traffic was being lost. The Sobig.F virus clogged
e-mail boxes and networks around the world and became the fastest-spreading
virus on record, infecting one in 17 e-mails at its peak. Showing
a bit of humor, the creator of the Blaster worm - which caused
some 500,000 computers running Windows to crash - targeted the
Microsoft website from which users could download a program to
patch a known vulnerability in Microsoft Windows' code, the very
weakness in Windows that the
worm itself was exploiting.
The virus and worm attacks of '03 did bring about disruptions,
such as the SQL Slammer worm knocking out Bank of America's ATM
machines for a while, but overall they did little reported damage.
Although the ultimate objective of the Sobig.F virus is not known,
the '03 vintage of viruses and worms like most of the ones that
preceded them did not have a malicious or destructive "payload".
If they did, their impact would have been very different.
These virus and worm attacks are external attacks to the networks
and as such, according to some estimates, only represent 30% of
computer attacks. The remaining 70% of the attacks are carried
out from within the corporate firewalls. Those attacks or security
breaches taking place within the corporate firewalls, many argue,
are the most costly and least reported.
I raise the issues of virus and worm "payloads" and
within corporate firewall security breaches, because one key question
I want answered today is: What are the real risks and costs to
consumers from cyber security breaches and what poses the most
risk to cyber security?
One response to breaches in cyber security by industry and government
alike has been increased spending on security technologies. UBS
Warburg estimates that such spending will increase from $6 billion
in 2001 to $13 billion in 2003. Meanwhile, other data suggests
that companies spend less than 3% of their technology budgets on
security - the technology budgets tend to be around 3% of revenues.
So why are these expenditures so low? Some argue that it is because there
is no real understanding of quantifiable costs associated with
cyber security breaches, even among senior managers. Is that true?
This is another question for
our panel to consider.
Finally, many argue that cyber security is not just a "technological" problem
and thus can't be solved by adding new and improved technologies
defending against cyber attacks. Rather, they argue that it is as
much a governance or management issue as it is a technological
problem. Strategic decisions, such as deciding the appropriate
balance between cost and risk are ones that only senior managers
can take. And without a clear mandate from top management, cyber
security measures will be disregarded as nuisances by rank and
file employees. Moreover, it appears that there is increased management
participation mostly when it is mandated either directly or indirectly
by government regulation (e.g., Gramm-Leach-Bliley Act; Sarbanes-Oxley
Act; and Health Insurance Portability and Accountability Act (HIPAA))
or enforcement actions (e.g., enforcement action taken against
Eli Lilly, Microsoft, and Guess! by the Federal Trade Commission).
Are these observations accurate? If so, is there an optimal role
for the federal government to play when it comes to protecting
consumers from cyber security threats?
With that question, I conclude and wish to thank the witnesses