
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY, FINANCIAL MANAGEMENT AND INTERGOVERNMENTAL RELATIONS

Congressman Stephen Horn, R-CA Chairman


Oversight hearing on

"What Can be Done to Reduce the Threats Posed by Computer Viruses and Worms to the Workings of Government?"

August 29, 2001

Testimony of 

Harris N. Miller
President
Information Technology Association of America

before the 


Subcommittee on Government Efficiency, 
Financial Management 
and Intergovernmental Relations 


Chairman Horn, thank you for inviting me to the heart of Silicon Valley to testify about what practices, policies, and tools are being deployed to reduce the impact of computer security threats to government at all levels. I commend you for your continued leadership on information technology issues. My name is Harris N. Miller, and I am President of the Information Technology Association of America (ITAA), now celebrating its 40th Anniversary. I am proud that ITAA has emerged as the leading association on cyber security issues. ITAA represents over 500 corporate members. These are companies that have a vested economic interest in assuring that the public feels safe in cyberspace to conduct e-commerce and that in the developing era of e-government, their information will be secure and transactions reliable. As surveys ITAA has conducted demonstrate, concerns about security by citizens and consumers are major inhibitors to e-commerce and e-government.

I commend this Subcommittee for holding today’s hearing. Though the official title of today’s hearing focuses on government, I submit to you that security is ultimately a government AND business challenge that must be addressed at the highest levels of all organizations, whether public or private. We all must do more than recognize that cyber security is a challenge, which is an important first step. Government and industry need to work together to find ways to enable solutions to threats that will likely become greater and more significant as the Internet becomes more pervasive, and eventually ubiquitous, in our society.

As we witnessed during the recent "Code Red" situation, if cyber security receives the kind of prioritization needed at senior levels, government and industry can mobilize quickly and effectively to combat common and significant threats to the Internet. Representatives from the private and public sector -- some are here today -- stood together on one stage on July 30th in Washington, DC and warned the world about the need to take precautionary steps to stop the spread of the Code Red computer worm. Those efforts helped to reach users of vulnerable systems on a massive, unprecedented scale that arguably helped prevent the further spread of the worm:

Over a million copies of Microsoft's security patch have been downloaded, and since the patch can be downloaded once and installed to any number of machines, the number of systems that were actually patched is no doubt higher;

Microsoft observed a dramatic increase in the number of downloads during the week of July 30th, which suggests the industry-government effort to heighten user awareness and fend off the worm before it could significantly impact the Internet, worked;

Few of the major Web sites were affected by the "Code Red" worm, because many took action after the industry-government announcement on July 30th; and

The public's awareness of Information Security issues -- and about the specific kinds of cyber threats out there -- increased significantly during the "Code Red" situation.

This cooperative, proactive response by industry and government could be used as one model for more meaningful and effective cooperation on cyber security issues in the future. If industry and government do not collaborate to minimize impact of threats such as the "Code Red" worm -- which we were able to do in a timely and effective way in this situation -- the impact of such threats on the Internet and users could be much greater in the future. Trust is a key factor here and building relationships on trust will not happen overnight; however, industry and government collaboration on "Code Red" certainly provided a helpful boost in the right direction while our joint actions limited the number of "Code Red" infected machines.

Chairman Horn, I know from working together during the late 1990’s on Y2K and cyber security issues that you are fond of report cards and grading, which you issued in your previous career as a leading academic political scientist. Today I would like to offer a report card in six separate categories and an overall grade on industry and government handling of computer security threats. This is my own grading system, and I look forward to suggestions from you and others about additional areas requiring grading and whether I am grading based on the correct factors.

I think we can all agree that progress is being made. However, our foes in the Internet underworld are moving in Internet time, and unless we take a hard look at the effectiveness of our efforts, they may beat us at every stroke of the keyboard in the future.

A Cyber Security Report Card

Government Organization

In recognizing the challenges and developing structures that can adequately address cyber security challenges, the Federal Government has moved from a failing grade in the mid-1990s to a passing grade or "C" today. I base my grade on four factors: 1) priority for the Federal government, 2) internal cooperation, 3) mechanisms for liaising with other stakeholders, and 4) response time.

The National Plan for Cyber Security and Presidential Decision Directive (PDD) 63 helped provide a framework for government organization and thinking about information security that helped to raise the government’s grade. However, the alphabet soup of government agencies charged with some aspect of cyber crime prevention makes it easy to see why progress has been slow in government. To his credit, Ron Dick, Director of the National Infrastructure Protection Center (NIPC), has forged ahead and has been successful with programs such as InfraGard. Because of his efforts and others that ITAA has initiated with the U.S. Department of Justice and other law enforcement agencies -- including two major national events with the previous Attorney General -- industry is becoming more comfortable with government and law enforcement efforts in cyber security. The Department of Commerce also plays a critical role for government organization, since industry often feels most comfortable working with the Department of Commerce and the Critical Infrastructure Assurance Office (CIAO) there. For example, both John Tritak, CIAO's Director, and Dan Hurley, Director of the Communication and Information Infrastructure Assurance Program at NTIA, have done an outstanding job reaching out to industry during the ongoing development of the President's National Plan Version 2.0.

According to numerous press reports, President Bush will soon sign an Executive Order that will establish the "Critical Infrastructure Protection and Continuity Board." As that draft Executive Order has been explained to us, it should be a step forward, creating substantially more coordination and less duplication among the plethora of government departments and agencies involved in InfoSec. But I continue to believe that an InfoSec Czar position similar to the role played by John Koskinen during the Year 2000 date rollover would be more effective, on the "one throat to choke" principle. With minimal overhead and resources, but strong backing from the President, Mr. Koskinen was able to have substantial influence on both the governmental and private sector efforts to address the Y2K challenge. Should the new Board result in a centralized, coordinated cyber security effort based in the White House, this grade has a chance of moving from a "C" to a "B."

Government Funding for Information Security

The grade for government funding for information security has gone from a "D-" to a "D." Mr. Chairman, while you and some of your colleagues such as Representative Greenwood have done a valuable service in scrutinizing computer security policies and practices in U.S. government agencies and departments, that is not enough. As that well-known philosopher Yogi Berra would say, "This is déjà vu all over again." As you pointed out through your invaluable oversight hearings during the early days of Y2K, government agencies had neither plans nor funding for Y2K remediation. Due to your prodding, plans were developed, but funding was not. Finally, thanks to your efforts and those of so many of your Congressional colleagues, additional appropriations were provided that enabled departments and agencies to become Y2K compliant.

That pattern is being repeated with InfoSec. Agencies now know much more about what they need to do. But the funding is still not there. A General Accounting Office (GAO) report issued earlier this month strongly criticizing the Department of Commerce for InfoSec failures internally carries the clear implication that additional financial resources are needed. Every Federal CIO with whom I speak tells me privately they are in desperate need of additional funding for their InfoSec activities.

The Federal Government needs to make information security a part of every manager's responsibilities, authorize and appropriate new money for agency information security enhancements, fund advanced information security research, and invest in the training and development of more skilled information security workers. There is a long way to go before government receives a passing grade here. For example, when Congress did have a chance to act and make a small investment in deploying and securing e-government by providing funding for the President's E-government Fund, it only provided $5 million of the $20 million requested this year. Government needs to move beyond the rhetoric and invest real funds in this important issue in order to boost its grade.

Corporate Focus and Spending for Information Security

When corporate America addressed the Y2K challenge, information technology was elevated from a back-office, MIS sideshow to a Boardroom-level, center stage mission critical component of most businesses. A corollary of this intensive focus was an understanding by more CEO’s that the security of their IT systems is critical. I submit that this action was effective in moving information security to the front lines of corporate focus and spending early in the game. Yet, at best, I give corporate attention a "B-."

One reason for the lower grade is the huge variations between industries and between companies of different sizes. As usual, the financial services industry, so dependent on IT, is leading the charge, with a clear focus—and related dollar commitments—on InfoSec. Telecommunications is also doing reasonably well. But many others, including manufacturing, retail, and health care are much more problematic and uneven. And as we found with Y2K, larger companies are much more understanding of the importance of InfoSec, than medium and small companies.

One of the reasons the major alert on Code Red was necessary was the evidence that many mid-sized and smaller firms were not paying attention to the need to implement the patch, though information about the patch had been widely available for some time. The July 30 press conference was designed to reach what I call the second and third tier IT users, not the first tier users and the IT specialists who had already remediated the problem because they are so focused on it.

But even in corporations that are paying attention to the issue, too many times, the incorrect assumption is made that improving cyber security and fighting cyber crime can be done with technology alone. That is wrong. Just as the best alarm system will not protect a building if the alarm code falls into the wrong hands, a network will not be protected if the passwords are given out freely. Failures in the "process and people" part of the cyber crime solution may, in fact, be the majority of the problems we see. From a strategic point of view, the challenge is to make cyber security a top priority issue. Moving from platitudes to practical action requires the sustained commitment of senior management. The position of "Chief Information Security Officer" should be added to every corporate roster, in my opinion, in order to get this grade to an "A".

Organizations must be willing to invest in the development of comprehensive security procedures and to educate all employees--continuously. We call this practicing sensible cyber hygiene and Internet users have to be vigilant about it.

The primary focus of improving processes and changing behaviors is inside the enterprise. However, the scope of the effort must also take into account the extended organization—supply chain partners, subcontractors, customers, and others that must interact on a routine basis.

Industry-Government Cooperation on Cyber Security Issues

The ad hoc coalition of industry and government representatives that was formed to provide a public service message to counter the Code Red worm this summer is an operational example of successful industry and government cooperation on cyber security. It illustrates just how far the players have come.

A few years ago, industry-government cooperation would have received a "D" in my grade book. Through some hard work on both sides, progress has been made and the dialogue has increased. ITAA worked with the United States Justice Department in 1999 and 2000 to host high-level national industry and law enforcement meetings to share information and begin to open the lines of communications. We also established the Cybercitizen Partnership, a public-private partnership with DOJ to help parents and educators teach children about ethical online behavior and provide "rules of the road" to help protect the Internet from kids who have the skills to threaten the Internet, but not necessarily the guidance to know it is wrong to hack. I think these and the efforts to stand up Information Sharing and Analysis Centers (ISACs) by the Telecommunications, Financial Services, Electric, Transportation, and IT industries have helped to bring us to a "C" grade, and the Code Red coalition raised our grade to a "B-".

In order to get to an "A", the remaining industry sectors will need to stand up and operationalize the ISACs, and all ISACs will need to share confidential information with the government. Equally important and as much of a challenge, government and law enforcement agencies will need to share threat information with the ISACs. In short, we must develop trust in each other, and develop relationships between law enforcement and the private sector that are built on meaningful cooperation. That will not happen overnight. Improved information sharing between government and industry will be a step forward.

In order to solidify that trust, a bill introduced by U.S. Representatives Tom Davis and Jim Moran in the House -- and a bill soon to be introduced by U.S. Senators Robert Bennett and John Kyl in the Senate -- to remove legal obstacles to information sharing should be passed and signed into law this year. Regarding the latter, we hope that U.S. Senator Dianne Feinstein will join her colleague John Kyl on the Judiciary Committee in support of this bi-partisan bill. Senator Feinstein's leadership in the Congress on high tech issues is critical to our industry, and we hope that, in her role as Chairman of the Judiciary Committee's Subcommittee on Technology, Terrorism, and Government Information, she will take the lead in moving this important bill through the Senate.

Industry-to-Industry Cooperation on Cyber Security Issues

Let me emphasize that while the government has a critical role to play, not just in the U.S. but the government of every nation, vertical industries also have an obligation to communicate on cyber security issues. I think progress has been made in this arena. I believe the grade has moved again from a "D-" a few short years ago to a "C+ / B-" today. How so? The Partnership for Critical Infrastructure Security, begun in December 1999, has created a cross-sectoral dialogue with collaboration from government to address risks to the Nation’s critical infrastructures and assure the delivery of essential services over the nation’s critical infrastructures in the face of cyber threats. The Partnership is run by companies and private sector associations and is effectively meeting the industry dialogue challenge. The Critical Infrastructure Assurance Office (CIAO) provides support for the Partnership, and Government officials are invited to participate in Partnership meetings on a collaborative basis; the group is becoming more effective with each meeting.

The Partnership for Global Information Security <http://www.pgis.org> provides a forum for executives from both the public and private sector in economies around the world to share information about InfoSec topics. PGIS members are focused on five areas for collaboration: sound practices, workforce, research and development, cyber crime and law enforcement and public policy. This Partnership arose from the first Global Information Security Summit organized by ITAA in October, 2000 in conjunction with our sister IT associations around the world, collectively known as the World Information Technology and Services Alliance (WITSA).

But much more needs to be done globally. I have advocated creation of an International InfoSec Cooperation Center, analogous to the highly successful International Y2K Cooperation Center, that I know you supported very strongly, Chairman Horn, that would help address the global InfoSec challenge, particularly in developing countries.

International Government Cooperation on Cyber Security Issues

In the area of international governmental cooperation, I give an average grade of "C-", with the explanation that some portions of international government cooperation are working quite well, while others at the same time are forgetting that the main owners and operators of the information infrastructure around the world are the private sector.

The Council of Europe Cybercrime Convention is one such example of good and bad news mixed. The countries involved in drafting this treaty were able to coordinate their law enforcement efforts and interests reasonably well, so they get high marks. Unfortunately, their grade gets docked substantially for neglecting the commercial sectors in their countries when establishing treaty objectives.

The Council of Europe Cybercrime Convention has improved in many respects through the efforts of the U.S. delegation. Though the US is not a member of the Council of Europe, it does have observer status. However, we were disappointed to learn that several changes of critical importance to industry, privacy groups and noncommercial interests were not adopted in the final version of the convention. For example, the Convention does not adequately address several important issues, including data retention and surveillance technology mandates, lack of reimbursement for compliance with surveillance mandates, lack of standard privacy protections for law enforcement requests, and potential liability for complying with requests. Therefore, we are concerned that implementation of the Convention will produce a patchwork of costly and inconsistent requirements worldwide that create significant market access barriers for communications companies and undermine user privacy.

One important area of particular concern in implementation of the treaty is proposals by foreign governments to mandate that Internet and telecommunications companies maintain, for between one and seven years, massive logs reflecting every innocent user’s communications over their networks, or to mandate that companies install new surveillance technologies. The Council of Europe Cybercrime Convention that the U.S. Government helped to negotiate neither requires nor prevents such mandates.

The data retention mandates would require communications companies to retain enormous amounts of data that they do not retain in the ordinary course of business. Data would have to be retained about every user, without any showing that these users were suspected of engaging in illegal activity. The mandates would compromise user privacy, create costly barriers to entry for U.S. companies seeking to enter foreign markets, and threaten the security of user data by creating a ripe target for hackers. In some countries, such as Holland, service providers are subject to unique surveillance technology standards requirements, which create barriers to deploying international networks in those countries.

Overall Grade

To sum up, there is much work to be done. In addition to improving our letter grades on information security, both industry and government need to strive to have the teacher commend us for playing well with others. Cooperation, communication, and sharing sensitive information are the keys to moving from today’s grade, a "C-", to an "A+". Summer vacation is ending, and we are about to begin a new school year in America next week. By working together to build meaningful and effective relationships that recognize the bottom line impact of InfoSec on our businesses, government operations -- and the global economy -- we can all move to the head of the class on cyber security issues.

Thank you and I welcome any questions from the Committee.


Background: Economy at Risk

Cyber crime places the digital economy at risk. Just as the reality or threat of real crime can drain the economic vitality of neighborhoods, cities and even nations, so too can the reality or threat of crimes committed online against people and property shutter businesses and cause an otherwise motivated digital public to break their Internet connection.

The risk is significant and continues to grow. The Computer Security Institute's most recent survey reported nearly $400 million in losses by U.S. corporations to cyber-crime last year. That number is a conservative estimate and does not account for break-ins and losses that were never reported. As the Internet becomes more pervasive and as more and more businesses put their operations on-line, the impact of cyber-crime on our economy -- and the global economy -- will continue to increase. Also, cyber threats such as the ILOVEYOU virus and the Code Red Worm cost businesses billions of dollars in damage, productivity and revenue loss.

Cyber crime falls into several categories. Most incidents are intended to disrupt or annoy computer users in some fashion. Distributed denial of service (DoS) attacks crash servers and bring down websites through the concerted targeting of thousands of email messages to specific electronic mailboxes. Viruses and other malicious code introduce phantom computer software programs to computers, designed intentionally to corrupt files and data. Other online intrusions are conducted to deface websites, post political messages or taunt particular groups or institutions. Even though no one stands to profit, damages caused by such attacks can run from the trifling to the millions of dollars. What motivates these attackers? Hackers may view the attack as a technology challenge, may be seeking to strike a blow against the establishment, may be looking for group acceptance from fellow hackers, or may be just indulging themselves in a perverse thrill.

Other cyber criminals are more material guys and gals. They hope to profit from their intrusions by stealing valuable or sensitive information, including credit card numbers, social security numbers, even entire identities. Targets of opportunity also include trade secrets and proprietary information, medical records, and financial transactions.

For some cyber criminals, the Internet is a channel for the dissemination of child pornography and a tool used in the furtherance of other crimes against children and adults. These crimes include fraud, racketeering, gambling, drug trafficking, money laundering, child molesting, kidnapping and more.

Cyber terrorists may seek to use the Internet as a means of attacking elements of the physical infrastructure, like power stations or airports. As we have seen in the Middle East and other regions of the world, cyber terrorists encouraging political strife and national conflict can quickly turn the Internet into a tool to set one group against another and to disrupt society generally.

Another class of cyber criminal and, unfortunately, the most common is the insider who breaks into systems to eavesdrop, to tamper, perhaps even to hijack corporate IT assets for personal use. These could be employees seeking revenge for perceived workplace slights, stalking fellow employees, looking for the esteem of peers by unauthorized "testing" of corporate security, or other misguided individuals.

Regardless of category, the threat is real. A recent study produced by Asta Networks and the University of California San Diego monitored a tiny fraction of the addressable Internet space and found almost 13,000 DoS attacks launched against over 5,000 targets in just one week. While most targets were attacked only a few times, some were victimized 60 or more times during the test period. For many small companies, being knocked off the Internet for a week means being knocked out of business for good.

A nationwide public opinion poll released last year by ITAA and EDS showed that an overwhelming majority of Americans, 67 percent, feel threatened by or are concerned about cyber crime. In addition, 62 percent believe that not enough is being done to protect Internet consumers against cyber crime. Roughly the same number, 61 percent, say they are less likely to do business on the Internet as a result of cyber crime, while 33 percent say crime has no effect on their e-commerce activities. The poll of 1,000 Americans also revealed that 65 percent believe online criminals have less of a chance of being caught than criminals in the real world, while only 17 percent believe cyber criminals have a greater chance of being caught.

These threats collectively represent a chipping away at the trust that is so critical to the Internet. There continues to be significant concern in the public about cyber-crime, and rightly so. High profile cyber threats such as the ILOVEYOU virus and the Code Red Worm certainly increase the amount of attention by users on the cyber crime issue and hopefully, also increase the number of steps that users take to enhance their information security practices. The technology is available to protect users' systems, but the vulnerabilities usually come from the "people and process" part of the equation. Our hope is that as users become more aware of information security, they will practice sound cyber hygiene.

While it is very difficult to track cyber attacks to their source, advancements in technology -- and improved cooperation with law enforcement through the FBI's InfraGard program and other mechanisms -- are bearing fruit.

Industry Plan for Cyber Security: Developing Effective Policies, Tools, and Practices

ITAA and its members have been working to execute a multi-faceted plan designed to improve cooperation on issues of information security at all levels. However, Mr. Chairman, we would all be remiss if we believed it was just the IT industry that must cooperate within its own industry--we must work cross industry, and industry with government. Protecting our infrastructure is a collective responsibility, not just the IT community’s role.

We are working on multiple fronts to improve the current mechanisms for combating threats and responding to attacks through our role as a Sector Coordinator for the Information and Communications sector, appointed by the U.S. Department of Commerce. Through ITAA’s InfoSec Committee, our member companies also are exploring joint research and development activities, international issues, and security workforce needs. Elements of the plan include Information Sharing, Awareness, Education, Training, Best Practices, Research and Development, and International Coordination.

Information Sharing: Sharing information about corporate information security practices is inherently difficult. Companies are understandably reluctant to share sensitive proprietary information about prevention practices, intrusions, and actual crimes with either government agencies or competitors. Information sharing is a risky proposition with less than clear benefits.

Companies are concerned that information voluntarily shared with the government that reports on or concerns corporate security may be mistakenly subjected to the Freedom of Information Act (FOIA). They are also concerned that lead government agencies may not be able to effectively control the use or dissemination of sensitive information because of similar legal requirements. Unfiltered, unmediated information may be misinterpreted by the public and undermine public confidence in the country's critical infrastructures. Also, business competitors and others may use shared information to the detriment of a reporting company, or as the basis for litigation. Any and all of these possibilities are reasons why the current flow of voluntary data is minimal. ITAA supports the clarification, not the abrogation of the Freedom of Information Act. The legislative proposals we support give our companies the unambiguous confirmation that their communications intended to aid in a joint defense from a common critical infrastructure protection threat are protected. Businesses also need protection from unnecessary restrictions placed by federal and state antitrust laws on critical information sharing that would inhibit identification of R&D needs or the identification and mitigation of vulnerabilities.

There is uncertainty about whether existing law may expose companies and industries that voluntarily share sensitive information with the federal government to unintended and potentially harmful consequences. This uncertainty has a chilling effect on the growth of all information sharing organizations and the quality and quantity of information that they are able to gather and share with the federal government. ITAA is strongly in favor of removing disincentives to information sharing and that is why we support current legislation to address these issues.

Given the changing nature of the cyber crime threat and in spite of the many business, operational and policy hurdles standing in the way, many companies in the private sector recognize the need to have formal and informal information sharing mechanisms. Internet Service Providers are an example of the latter circumstance. Because these firms provide networking capability commercially, these businesses often have extensive network security expertise. Such firms act as virtual Information Sharing and Analysis Centers, gathering information about detected threats and incursions, sanitizing it by removing customer specific data, and sharing it with customers.

The IT industry has adopted a formal approach to the information sharing challenge. In January 2001, nineteen of the nation’s leading high tech companies announced the formation of a new Information Technology Information Sharing and Analysis Center (IT-ISAC) to cooperate on cyber security issues. The objective of the IT-ISAC is to enhance the availability, confidentiality, and integrity of networked information systems.

The IT-ISAC is a not-for-profit corporation that enables the information technology industry to report and exchange information concerning electronic incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures. Its internal processes will permit information to be shared anonymously. The organization is a voluntary, industry-led initiative with the goal of responding to broad-based security threats and reducing the impact of major incidents. Membership in the IT-ISAC is open to all U.S.-based information technology companies. It offers a 24-by-7 network, notifying members of threats and vulnerabilities. The group also is clear on what it will not undertake. Excluded activities include standards setting, product rating, audits, certifications or dispute settlement. Similarly, the IT-ISAC is not a crime fighting organization.

The Software Engineering Institute’s CERT Coordination Center plays an information sharing role for numerous industries. The oldest and largest of the information sharing programs, CERT is a Federally funded research and development center at Carnegie Mellon University in Pittsburgh. The organization gathers and disseminates information on incidents, product vulnerabilities, fixes, protections, improvements and system survivability. The organization strives to maintain a leak-proof reputation while collecting thousands of incident reports yearly. These could be anything from a single site reporting a compromise attempt to a computer worm or virus with worldwide impact.

Awareness: ITAA and its member companies are raising awareness of the issue within the IT industry and through partnership relationships with other vertical industries, including finance, telecommunications, energy, transportation, and health services. We are developing regional events, conferences, seminars and surveys to educate all of these industries on the importance of addressing information security. An awareness raising campaign targeting the IT industry and vertical industries dependent on information, such as the financial sector, insurance, electricity, transportation and telecommunications, is being overlaid with a targeted community effort directed at CEOs, end users and independent auditors. The goal of the awareness campaign is to educate the audiences on the importance of protecting a company’s infrastructure, and to instruct them on steps they can take to accomplish this. The message is that information security must become a top tier priority for businesses and individuals.

Education: In an effort to take a longer-range approach to the development of appropriate conduct on the Internet, the Department of Justice and the Information Technology Association of America have formed the Cybercitizen Partnership. Numerous ITAA member companies and recently the Department of Defense have joined this effort. The Partnership is a public/private sector venture formed to create awareness in children of appropriate on-line conduct. This effort extends beyond the traditional concerns for children's safety on the Internet, a protective strategy, and focuses on developing an understanding of the ethical behavior and responsibilities that accompany use of this new and exciting medium. The Partnership is developing focused messages, curriculum guides and parental information materials aimed at instilling a knowledge and understanding of appropriate behavior on-line. The Partnership hosted a very successful event last fall at Marymount University in Northern Virginia that brought together key stakeholders in this area. Ultimately, a long range, ongoing effort to ensure proper behavior is the best defense against the growing number of reported incidents of computer crime. The Cybercitizen website has received over 600,000 hits in the past year.

Training: ITAA long has been an outspoken organization on the impact of the shortage of IT workers – whether in computer security or any of the other IT occupations. Our groundbreaking studies on the IT workforce shortage, including the latest, "When Can You Start," have defined the debate and brought national attention to the need for new solutions to meet the current and projected shortages of IT workers. We believe it is important to assess the need for and train information security specialists, and believe it is equally important to train every worker about how to protect systems.

We have planned a security skills set study to determine what the critical skills are, and will then set out to compare those needs with courses taught at the university level in an effort to determine which programs are strong producers. We encourage the development of "university excellence centers" in this arena, and also advocate funding for scholarships to study information security. We commend the Administration and Congress for supporting training more information security specialists.

The challenge to find InfoSec workers is enormous, because they frequently require additional training and education beyond what is normally achieved by IT workers. Many of the positions involving InfoSec require US citizenship, particularly those within the federal government, so using immigrants or outsourcing the projects to other countries is not an option.

Best Practices: We are committed to promoting best practices for information security, and look to partners in many vertical sectors in order to leverage existing work in this area. In addition, our industry is committed to working with the government—whether at the federal, state or local levels. For example, we are working with the Federal Government’s CIO Council on efforts to share industry’s best information security practices with CIOs across departments and agencies. At the same time, industry is listening to best practices developed by the government. This exchange of information will help industry and government alike in creating solutions without reinventing the wheel.

While we strongly endorse best practices, we strongly discourage the setting of "standards." Why?

Broadly, the IT industry sees standards as a snapshot of technology at a given moment, creating the risks that technology becomes frozen in place, or that participants coalesce around the "wrong" standards. Fighting cyber crime can be thought of as an escalating arms race, in which each time the "good guys" develop a technology solution to a particular threat, the "bad guys" develop a new means of attack. So to mandate a particular "solution" may be exactly the wrong way to go if a new threat will soon be appearing.

It is also critical that best practices are developed the way much of the Internet and surrounding technologies have progressed – through "de facto" standards being established without burdensome technical rules or regulations. While ITAA acknowledges the desire within the Federal government to achieve interoperability of products and systems through standard-setting efforts, the reality is that the IT industry can address this simply by responding to the marketplace demand. The marketplace has allowed the best technologies to rise to the top, and there is no reason to treat information security practices differently.

Research and Development: While the information technology industry is spending billions on research and development efforts—maintaining our nation’s role as the leader in information technology products and services—there are gaps in R&D. Frankly, for industry, more money is frequently spent on "D"—development—than on "R"—long-term research. Government, mainly in the Department of Defense, focuses its information security R&D spending on defense and national security issues. We believe that between industry’s market-driven R&D and government’s defense-oriented R&D projects, gaps may be emerging that no market forces or government mandates will address. Government funding in this gap—bringing together government, academia and industry—is necessary.

International: In our work with members of the information technology industry and other industries, including financial services, banking, energy, transportation, and others, one clear message constantly emerges: information security must be addressed as an international issue. American companies increasingly are global corporations, with partners, suppliers and customers located around the world. This global business environment has only been accented by the emergence of on-line commerce—business-to-business and business-to-consumer alike.

Addressing information security on a global level clearly raises questions. Many within the defense, national security and intelligence communities rightly raise concerns about what international actually means. Yet, we must address these questions with solutions and not simply ignore the international arena. To enable the dialogue that is needed in this area, ITAA and the World Information Technology and Services Alliance (WITSA), a consortium of 41 global IT associations from economies around the world, conducted the first Global Information Security Summit in Fall 2000. This event brought together industry, government and academia representatives from around the world to begin the process of addressing these international questions. The governmental international linkages must be strengthened—and not just among the law enforcement and intelligence communities. Government ministries around the world involved in economic issues—such as our own Department of Commerce—need to be key players.

ITAA also houses the Global Internet Project (GIP), an international group of senior executives that are committed to fostering continued growth of the Internet, and which is spearheading an effort to engage the private sector and governments globally on the Next Generation Internet and related security and reliability issues. The GIP recently sponsored two high-level forums on security, reliability, and privacy in the next generation of the Internet in Germany and the U.S. that drew industry leaders from around the world to participate in a cross-industry dialogue about possible solutions.

How Government Can Help

In many ways, solutions to cyber security challenges are no different than any other Internet-related policy issue. Industry leadership has been the hallmark of the ubiquitous success of our sector. Having said that, we also believe that government has several roles to play in helping achieve better cyber security and combating cyber crime:

First and foremost, like a good physician practicing under the Hippocratic oath, do no harm. Excessive or overly broad legislation and subsequent regulation crafted in a rapidly changing technology environment is apt to miss the mark and likely to trigger a host of unintended consequences. In many instances, existing laws for crimes in the physical world are adequate to address crimes conducted in cyberspace. New legislation should always be vetted for circumstances that single out the Internet for discriminatory treatment.

Practice what you preach. The rules of technology, process and people apply equally to the public sector. The U.S. government must lead by example in preventing intrusions into agency websites, databanks and information systems. Leadership in this area means substantial investments of new money in information security technology and services. Responding to the issue by reallocating existing dollars from current programs is robbing Peter to pay Paul and likely to play out at the expense of the American public and their confidence in e-government. It also means insisting that government agencies implement rigorous information security processes and practice them on a daily basis. Making InfoSec part of the government culture will require extensive senior management commitment.

Reach out to international counterparts for crucial discussions of cyber security, and in particular, how to most constructively and effectively enforce existing criminal laws in the increasingly international law enforcement environment fostered by the Internet and other information networks.

Bring leadership to bear through existing local, state, and national structures including the new cyber security board that will likely be established by a Presidential Executive Order later this year. ITAA, its members and the IT industry continue to work hard to develop collegial and constructive relationships with the leadership and staff of the Critical Information Assurance Office (CIAO), the Commerce Department (DOC), the National Institute of Standards and Technology (NIST), and the Critical Information Infrastructure Assurance Program Office (CIIAP) at NTIA, as well as the National Security Council (NSC), Department of Justice (DOJ), Department of Energy, the National Information Protection Center (NIPC), and the National Security Agency (NSA).

Funding will also help in the areas of workforce development and research. We have a critical shortage of information technology professionals generally and information security specialists specifically. In general, we support legislation to increase the number of appropriately skilled workers in this critical area. We also support additional R&D funding.

Thank you and I welcome any questions from the Committee.