Oversight hearing on "What Can be Done to Reduce the Threats Posed by Computer Viruses and Worms to the Workings of Government?"
August 29, 2001
Testimony of Lawrence Castro
Chief, Defensive Information Operations Group
Information Assurance Directorate
National Security Agency
before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations
Good morning, Mr. Chairman and distinguished
Members of the Committee. On behalf of Lt Gen Michael Hayden, Director
of the National Security Agency (NSA), I am pleased to accept the Subcommittee’s
invitation to discuss NSA’s view of the threats posed by malicious computer
code, particularly viruses and worms. My name is Larry Castro, and I lead
the Defensive Information Operations Group within NSA’s Information Assurance
Directorate. I am accompanied today by Mr. Steve Ryan, a senior technical
director in our group. NSA is most well known for its Signals Intelligence
or SIGINT mission which provides critical information about a wide range
of foreign intelligence topics. Our Information Assurance mission to protect
national security related information is another vital part of our fifty-year
history. It is in this capacity of representing NSA’s Information Assurance
capability that I appear before you today. NSA’s responsibilities and
authorities in the area of Information Assurance are specified in or derived
from a variety of Public Laws, Executive Orders, Presidential Directives,
and Department of Defense Instructions and Directives. Chief among them
is the July 1990 "National Policy for Security of National Security
Telecommunications and Information Systems" (NSD-42). This National
Security Directive designates the Secretary of Defense as the Executive
Agent for National Security Telecommunications and Information Systems
Security (NSTISS), and further designates the Director of NSA as the "National
Manager" for NSTISS. The Directive assigns the Director, NSA, broad
responsibilities for national security systems including:
- Evaluating system vulnerabilities
- Acting as the focal point for
U.S. Government cryptography and Information Assurance
- Conducting research and development
in this area
- Reviewing and approving Information
Assurance standards
- Conducting foreign liaison
- Operating printing and fabrication
facilities for cryptographic keying material
- Assessing overall security posture
- Prescribing minimum standards
for cryptographic materials
I think it is very important that the
Committee Members have a clear understanding of the responsibilities and
scope of NSA in the area of Information Assurance. At this point, I would
like to briefly outline some of the forces and recent history that have
shaped the situation we find ourselves in today and which point to some
of the fundamental issues that need resolution in the near future.
BACKGROUND
When I began working at NSA some 36 years
ago, the "security" business we were in was called Communications
Security, or COMSEC. It dealt almost exclusively with providing protection
for classified information against disclosure to unauthorized parties
when that information was being transmitted or broadcast from point to
point. We accomplished this by building the most secure "black boxes"
that could be made, employing high-grade encryption to protect the information.
In the late 1970s, and especially in the early 1980s with the advent of
the personal computer, a new discipline we called Computer Security, or
COMPUSEC, developed. It was still focused on protecting information from
unauthorized disclosure, but brought with it some additional challenges
and threats, e.g., the injection of malicious code, or the theft of large
amounts of data on magnetic media. With the rapid convergence of communications
and computing technologies, we soon realized that dealing separately with
COMSEC on the one hand, and COMPUSEC on the other, was no longer feasible;
and so the business we were in became a blend of the two, which we called
Information Systems Security, or INFOSEC. The fundamental thrust of INFOSEC
continued to be providing protection against unauthorized disclosure,
or confidentiality, but confidentiality was no longer the exclusive
point of interest. The biggest change came about when these computer systems
started to be interconnected into local and wide area networks, and eventually
to Internet Protocol Networks, both classified and unclassified. We realized
that in addition to confidentiality, we needed to provide protection against
unauthorized modification of information, or data integrity. We
also needed to protect against denial-of-service attacks and to ensure
data availability. Positive identification, or authentication,
of parties to an electronic transaction had been an important security
feature since the earliest days of COMSEC, but with the emergence of large
computer networks, data and transaction authenticity became an
even more important and challenging requirement. Finally, in many types
of network transactions it became very important that parties to a transaction
could not deny their participation, so that data or transaction non-repudiation
joined the growing list of security services often needed on networks.
Because the term "security" had been so closely associated,
for so long, with providing confidentiality to information, within the
Department of Defense we adopted the term Information Assurance,
or IA, to encompass the five security services of confidentiality, integrity,
availability, authenticity and non-repudiation. I should emphasize here
that not every IA application requires all five security services, although
most IA applications for national security systems – and all applications
involving classified information – continue to require high levels of
confidentiality.
Much of the work of Information Assurance
in providing an appropriate mix of security services is not operational
or time-sensitive, i.e., education and training, threat and vulnerability
analysis, research and development, assessments and evaluations, and tool
development and deployment. However, in an age of constant probes and
attacks on on-line networks, an increasingly important element of protection
deals with operational responsiveness in terms of detecting and
reacting to these time-sensitive events. This defensive operational
capability is closely allied with and synergistic with traditional Information
Assurance activities, but in recognition of its operational nature is
generally described as Defensive Information Operations, or DIO.
The organization I lead, the Defensive Information Operations (DIO) Group,
provides the following services to assist our customers.
- Operational Readiness and Assessments - This service establishes a customer's IA readiness level. Operational
Security (OPSEC) Assessments and Information Security (INFOSEC) Assessments
are services available to customers needing expert and experienced vulnerability
and risk analysis support for their operational systems. OPSEC examines
in totality the operation being evaluated to identify any associated
information that could be exploited by known or potential adversaries.
The Inter-agency OPSEC Support Staff (IOSS) provides this support to
a wide range of customers. The INFOSEC Assessments Office provides customers
with an IA analysis focused on the identification of their missions,
identification of information critical to the performance of those missions,
identification of potential vulnerabilities of the systems which process,
store and transmit critical information, and recommendations for elimination
or mitigation of identified vulnerabilities. We also have a "Red
Team" which provides authorized readiness support to customers
through active cyber intrusion activities to their computer networks
based on very specific customer requirements. In this role, NSA operates
much as an adversarial cyber intruder without causing any damage to
the systems "attacked." The results of these Red Team operations
are then shared with the customer to assist in improving their network
security.
- IA Monitoring - Information Assurance monitoring is conducted by the Joint COMSEC
Monitoring Activity (JCMA) under a Joint Chiefs of Staff charter. It
is performed by a mix of civilian and military personnel deployed worldwide
who monitor customer communications systems, including encrypted and
unencrypted communications, for force protection and for exercises.
This activity is strictly controlled in conformity with procedures approved
by the Attorney General pursuant to the Electronic Communications Privacy
Act with authorization from the customer receiving the monitoring support.
Detected disclosures of sensitive or classified information over monitored
systems are reported directly to the customer for appropriate action.
- National Security Incident Response
Center - The defense of both the National Information Infrastructure
(NII) and the Defense Information Infrastructure (DII) requires a robust
and time-sensitive approach. To help meet this challenge, NSA's National
Security Incident Response Center (NSIRC) provides near real-time reporting
of cyber attack incidents, cyber attack analysis, and threat reporting
relevant to information systems. Through round-the-clock, seven-days-a-week
operations, the NSIRC provides the Departments of Defense, the Intelligence
Community, Federal Law Enforcement and other Government organizations
with information valuable in assessing current threats or defining recent
cyber intrusions.
THE THREAT
Clearly the threat to computer networks
is real and growing worldwide, from nation states, non-state groups, and
individuals. These sources have a wide variety of motives ranging from
revenge or ego to profit, influence, or intelligence collection. Factors
such as expanding network connectivity and the subsequent ease of access
to systems, coupled with growing worldwide computer literacy, facilitate
attacks against computer systems. The explosion in the number of computer
bulletin boards and newsgroups has led to the wide and instantaneous dissemination
of attack tools and techniques. Not only are intruders becoming more sophisticated,
but the development of automated tools makes it easier for less skilled
intruders to inflict more damage. A single hacker could potentially cause
damage in cyberspace normally only considered within the means of a nation
state.
I believe it would be useful to review
the results of a recent examination of cyber incidents that have been
encountered on DoD networks during the second quarter of this year. This
summary provides a macro picture of the larger cyber environment against
which the most recent worm activity may be viewed.
Not surprisingly, among the findings of
this examination is that China is the largest apparent origin
of cyber incident activity targeting DoD systems, comprising 20% of the
examined activity. The limitations of the term "apparent origin"
must be noted. This term is used because source Internet Protocol (IP)
addresses identified in cyber incident reports can also be compromised
systems. Therefore, the apparent origin countries may or may not be the
host nation from which the intrusion or probe attempts actually originated.
Nevertheless, the apparent source listing is informative because it portrays
a listed country’s involvement (either wittingly or unwittingly) in malicious
cyber activity or in precursor probing in preparation for such activity.
As the DoD examination describes, the rest of the "top ten"
list (in descending order) is: South Korea, Germany, United States, Canada,
France, Taiwan, United Kingdom, Italy, and Japan.
The bulk of source IP addresses, U.S.
as well as foreign, resolve to university or Internet service provider
(ISP) systems. These systems often assign dynamic IP addresses to users,
which may account for the fact that very few IP addresses were seen more
than once as the apparent source of incident activity in this quarter.
Additionally, university and ISP systems usually encompass a large number
of computers available for exploitation. This, combined with the fact
that the security practices of universities in general are commonly more
relaxed, make them attractive targets for use as hop-points.
Automated probing of Internet addresses
and scanning for vulnerable ports makes up the majority of reported incident
activity. This type of activity, while legal, is often a precursor to
intrusion attempts or malicious activity and should therefore be treated
by network administrators as suspicious. In almost all cases, following
probing and scanning, intruders gain their unauthorized access by exploiting
known vulnerabilities in operating systems. Having gained such access,
the intruder then inserts and activates a malicious code payload intended
to extend the intruder's reach to additional systems. One of the most serious
examples of malicious code we have seen, SubSeven 2.2, surfaced during
the last quarter.
SubSeven 2.2 is a Trojan horse that
exploits vulnerabilities associated with computers operating with Windows
9X, Windows 2000, Windows ME, and Windows NT 4.0. The code provides the
capabilities that give the intruder access to cached passwords, the system
registry, and other information on the infected computer. These capabilities
provide the means for connection to a secure network using a compromised
computer via cable or DSL modem, which causes serious concern. The code also
enables the intruder to break into additional systems disguised as trusted
personnel by redirecting the port and port scanner. At this point, the
intruder has an army of computers at his disposal. Thus, a zombie network
controlled by a Distributed Denial of Service (DDoS) tool can block or
degrade network resources on an extremely large scale.
Such DDoS tools have become easier to
use, offering more types of attacking techniques, better control of the
zombie network, and better anonymity for the attacker. For these reasons,
DDoS attacks are becoming more common, more complex, and more powerful.
There are many barriers to a comprehensive solution to the problem posed
by DDoS activity, including systems without basic security, the frequent
international nature of the activity, and the lack of preparedness of
victims.
COUNTERING THE THREAT
The threat is wide ranging, and the potential
for damage to global e-commerce has already been demonstrated by cyber
events of the past year. Additionally, while not yet demonstrated, the
possibility of a well-coordinated cyber attack that could inflict significant
damage to one or more of our Nation’s critical infrastructures must be
anticipated. Within NSA, our Defensive Information Operations mission
to counter this threat is primarily directed toward assisting in the protection
of national security and national security-related systems. In this regard,
the National Security Incident Response Center (NSIRC) works in support
of the U.S. Space Command and its subordinate Joint Task Force for Computer
Network Operations (which has responsibility for the protection of Department
of Defense networks) and the FBI’s National Infrastructure Protection
Center. This cooperation and interaction includes the posting of NSIRC
analysts to both organizations for the purpose of coordinating our joint
effort. We are not defenseless, and there are many significant efforts
underway to respond to the cyber threat. Key factors in mitigating the
damage from cyber attacks include:
- Education and Awareness
- Anticipatory Defensive Measures
- Responsible Exchange of Actionable
Cyber Incident Information
EDUCATION AND AWARENESS
A continuing cooperative effort to inform
the Nation about the nature of the cyber threat and the potential for
damage from this threat is required. Such an effort involves U.S. Industry,
Academia, and the U.S. Government, and this hearing is certainly an example
of such a joint endeavor. One of the goals of this thrust is to significantly
increase the number of students in U.S. colleges and universities pursuing
degrees in Information Assurance-related fields. In this regard, we at
NSA have designated 23 universities as Centers of Academic Excellence
in Information Assurance under the Centers of Academic Excellence Program.
NSA granted the designations following a rigorous review of university
applications against published criteria based on training standards established
by the national computer network defense community.
ANTICIPATORY DEFENSIVE MEASURES
The majority of cyber attacks exploit
well-known vulnerabilities for which preventive measures are available.
System administrators are encouraged to stay informed about such measures,
heed compliance messages, install patches for known vulnerabilities, and
configure systems to allow only necessary services. This guidance cannot
be overemphasized. For example, last year, of the more than 24,000 cyber
incidents reported by DoD elements, it is projected that nearly 80% would
have been prevented if the proper vulnerability-closing patches had been
installed.
RESPONSIBLE EXCHANGE OF ACTIONABLE CYBER
INCIDENT INFORMATION
Today there are many excellent cyber incident
reporting and analysis activities in operation within government and industry.
During the most recent CODE RED activity, there was unprecedented coordination
and cooperation among these many centers. This interaction is absolutely
essential if we as a Nation are to achieve the real-time, cyber situational
awareness that will be necessary to protect our vital e-commerce interests
and our sustained National Security-related use of cyberspace.
Mr. Chairman, this concludes my testimony
and Statement for the Record. Once again I thank you and the Members of
the Committee for the opportunity to share with you some of the insights
that we at the National Security Agency have with regard to the cyber
threats and initiatives to counter these threats.
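The statement above notes that automated probing and port scanning make up the majority of reported incident activity and, though legal, should be treated by network administrators as suspicious because they usually precede exploitation of known vulnerabilities. The following is an added example, not part of the testimony or of any NSA tool, of the simplest form of that triage: reading firewall-style connection records and flagging any source that touches many distinct destination ports (a vertical scan) or many distinct hosts (a horizontal scan) within a short window. The log format, the sample lines, the 60-second window and the two thresholds are all assumptions chosen for illustration.

```python
"""
Scan-precursor triage over constructed firewall-style connection logs.

Added example; not code from the testimony. The log format below is an
assumption: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Four sources:
#  203.0.113.7  - sweeps ten ports on one host in five seconds (vertical scan)
#  192.0.2.44   - probes port 80 on six hosts in five seconds (horizontal scan)
#  198.51.100.5 - two ordinary allowed connections (benign)
#  203.0.113.9  - nine ports, one every ten minutes (slow scan; hides from a short window)
SAMPLE_LOG = """\
2001-06-12T03:15:01 203.0.113.7 198.51.100.20 21 DENY
2001-06-12T03:15:01 203.0.113.7 198.51.100.20 22 DENY
2001-06-12T03:15:02 203.0.113.7 198.51.100.20 23 DENY
2001-06-12T03:15:02 203.0.113.7 198.51.100.20 25 DENY
2001-06-12T03:15:03 203.0.113.7 198.51.100.20 53 DENY
2001-06-12T03:15:03 203.0.113.7 198.51.100.20 80 ALLOW
2001-06-12T03:15:04 203.0.113.7 198.51.100.20 110 DENY
2001-06-12T03:15:04 203.0.113.7 198.51.100.20 135 DENY
2001-06-12T03:15:05 203.0.113.7 198.51.100.20 139 DENY
2001-06-12T03:15:05 203.0.113.7 198.51.100.20 445 DENY
2001-06-12T03:20:00 192.0.2.44 198.51.100.10 80 ALLOW
2001-06-12T03:20:01 192.0.2.44 198.51.100.11 80 ALLOW
2001-06-12T03:20:02 192.0.2.44 198.51.100.12 80 DENY
2001-06-12T03:20:03 192.0.2.44 198.51.100.13 80 ALLOW
2001-06-12T03:20:04 192.0.2.44 198.51.100.14 80 DENY
2001-06-12T03:20:05 192.0.2.44 198.51.100.15 80 ALLOW
2001-06-12T03:21:10 198.51.100.5 198.51.100.20 443 ALLOW
2001-06-12T03:22:40 198.51.100.5 198.51.100.21 25 ALLOW
2001-06-12T04:00:00 203.0.113.9 198.51.100.20 21 DENY
2001-06-12T04:10:00 203.0.113.9 198.51.100.20 22 DENY
2001-06-12T04:20:00 203.0.113.9 198.51.100.20 23 DENY
2001-06-12T04:30:00 203.0.113.9 198.51.100.20 25 DENY
2001-06-12T04:40:00 203.0.113.9 198.51.100.20 53 DENY
2001-06-12T04:50:00 203.0.113.9 198.51.100.20 80 DENY
2001-06-12T05:00:00 203.0.113.9 198.51.100.20 110 DENY
2001-06-12T05:10:00 203.0.113.9 198.51.100.20 135 DENY
2001-06-12T05:20:00 203.0.113.9 198.51.100.20 139 DENY
"""

# Assumed tuning values; real deployments derive these from their own baseline.
WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 8   # distinct destination ports from one source within WINDOW
HOST_THRESHOLD = 5   # distinct destination hosts from one source within WINDOW


def parse_line(line):
    """Split one record into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scanners(lines, window=WINDOW,
                    port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return {src_ip: finding} for sources whose peak fan-out inside any
    sliding window reaches a threshold. Both ALLOW and DENY records count:
    a scan is the pattern of touches, not whether each one succeeded."""
    events = defaultdict(list)                     # src -> [(ts, dst, port)]
    for line in lines:
        if line.strip():
            ts, src, dst, port, _ = parse_line(line.strip())
            events[src].append((ts, dst, port))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        head, peak_ports, peak_hosts = 0, 0, 0
        for tail, (ts, _, _) in enumerate(evs):
            while evs[head][0] < ts - window:      # drop events older than the window
                head += 1
            span = evs[head:tail + 1]
            peak_ports = max(peak_ports, len({p for _, _, p in span}))
            peak_hosts = max(peak_hosts, len({d for _, d, _ in span}))
        kinds = []
        if peak_ports >= port_threshold:
            kinds.append("vertical")
        if peak_hosts >= host_threshold:
            kinds.append("horizontal")
        if kinds:
            findings[src] = {"kinds": kinds,
                             "distinct_ports": peak_ports,
                             "distinct_hosts": peak_hosts,
                             "events": len(evs)}
    return findings


if __name__ == "__main__":
    for src, f in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {', '.join(f['kinds'])} scan, "
              f"{f['distinct_ports']} ports, {f['distinct_hosts']} hosts, {f['events']} events")
```

Two caveats carry over from the testimony. First, a flagged source address is only the apparent origin: it may be a compromised university or ISP machine used as a hop-point, or a dynamically assigned address that belongs to someone else an hour later, so the finding names a host to investigate, not an attacker. Second, the window defines what the detector can see: 203.0.113.9 above is a nine-port sweep spread over eighty minutes and is invisible at a 60-second window but appears once the window is widened to two hours, which is why slow scans are normally hunted with longer windows, lower thresholds and correlation across sensors rather than a single fixed setting.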