IWS - The Information Warfare Site

Cybersecurity & Consumer Data: What's at Risk for the Consumer?

Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
10:00 AM
2123 Rayburn House Office Building 

Prepared Statement of The Honorable Cliff Stearns

Good morning and welcome to the Subcommittee on Commerce, Trade and Consumer Protection's hearing on cyber security and consumer data. I am pleased that we are joined this morning by a group of distinguished witnesses and look forward to having their testimony.

On November 15th, 2001, nearly two years ago to the date, the subcommittee held a hearing entitled: "Cybersecurity: Private-Sector Efforts Addressing Cyber Threats." The focal point of that hearing, as it is with this hearing, was cyber security as it related to consumer data used in the stream of commerce. We are fortunate that three witnesses, Ms. Davidson and Messrs. Schmidt and Morrow, all of whom testified at the hearing two years ago, have joined us today to reflect on what has transpired with regard to cyber security in the last two years. I am confident their insights, along with the testimony of the other witnesses, will be particularly helpful to our better understanding of the issue, its evolution and its increasing significance.

The subcommittee's hearing two years ago was held in the shadow of the tragic events of September 11th, when we as a nation, it seemed, had become obsessed with security. Of course that is understandable. Yet the problems that gave rise to cyber security concerns then predated September 11th. In just the years 2000 and 2001, and as a result of only three cyber attacks - the I Love You and Code Red viruses and the February 2000 denial of service attacks - the media reported losses in excess of $10 billion. The number of cyber attacks, as reported by the Computer Emergency Response Team (CERT) at Carnegie Mellon University, was expected to nearly double in 2001 from 2000 to some 40,000.

Fast-forward two years: in 2003 the "SQL Slammer" worm disrupted computers around the globe, and during the attack half of all Internet traffic was being lost. The Sobig.F virus clogged e-mail boxes and networks around the world and became the fastest-spreading virus on record, infecting one in 17 e-mails at its peak. Showing a bit of humor, the creator of the Blaster worm - which caused some 500,000 computers running Windows to crash - targeted the Microsoft website from which users could download a program to patch a known vulnerability in Microsoft Windows code, the very weakness in Windows that the worm itself was exploiting.

The virus and worm attacks of '03 did bring about disruptions, such as the SQL Slammer worm knocking out Bank of America's ATM machines for a while, but overall they did little reported damage. Although the ultimate objective of the Sobig.F virus is not known, the '03 vintage of viruses and worms, like most of the ones that preceded them, did not have a malicious or destructive "payload". If they did, their impact would have been very different.

These virus and worm attacks are external attacks on the networks and as such, according to some estimates, represent only 30% of computer attacks. The remaining 70% of the attacks are carried out from within the corporate firewalls. Those attacks or security breaches taking place within the corporate firewalls, many argue, are the most costly and least reported.

I raise the issues of virus and worm "payloads" and security breaches within corporate firewalls because one key question I want answered today is: What are the real risks and costs to consumers from cyber security breaches, and what poses the most risk to cyber security?

One response to breaches in cyber security by industry and government alike has been increased spending on security technologies. UBS Warburg estimates that such spending will increase from $6 billion in 2001 to $13 billion in 2003. Meanwhile, other data suggest that companies spend less than 3% of their technology budgets on security - and technology budgets tend to be around 3% of revenues. So why are these expenditures so low? Some argue it is because there is no real understanding of the quantifiable costs associated with cyber security breaches, even among senior managers. Is that true? This is another question for our panel to consider.

Finally, many argue that cyber security is not just a "technological" problem and thus can't be solved by adding new and improved technologies defending against cyber attacks. Rather, they argue that it is as much a governance or management issue as it is a technological problem. Strategic decisions, such as deciding the appropriate balance between cost and risk, are ones that only senior managers can take. And without a clear mandate from top management, cyber security measures will be disregarded as nuisances by rank-and-file employees. Moreover, it appears that there is increased management participation mostly when it is mandated either directly or indirectly by government regulation (e.g., the Gramm-Leach-Bliley Act; the Sarbanes-Oxley Act; and the Health Insurance Portability and Accountability Act (HIPAA)) or by enforcement actions (e.g., the enforcement actions taken against Eli Lilly, Microsoft, and Guess? by the Federal Trade Commission). Are these observations accurate? If so, is there an optimal role for the federal government to play when it comes to protecting consumers from cyber security threats?

With that question I conclude, and I wish to thank the witnesses again for participating.