Oversight hearing on "What Can be Done to Reduce the Threats Posed by Computer Viruses and Worms to the Workings of Government?"
August 29, 2001
Testimony of Stephen Trilling, Senior Director of Advanced Concepts, Symantec Corporation
before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations
Thank you Chairman Horn and members of the Subcommittee
for providing me with the opportunity to testify before you today. Mr.
Chairman, I would also like to commend you and your Subcommittee for your
leadership in examining the state of cyber-security among federal agencies
through previous hearings, and your release of the Report Card on Computer
Security in the Federal Government last year.
My name is Stephen Trilling and I am here representing
Symantec Corporation. Our company is a world leader in Internet security
technology, providing a broad range of solutions to government, individuals,
enterprises and service providers. We are a leading provider of virus
protection, firewalls, vulnerability management, intrusion detection,
and security services for enterprises and Internet providers around the
world. In addition, Symantec is providing security solutions to numerous
federal government agencies, including all four branches of the armed
forces and the U.S. Postal Service. Our enterprise-level solutions span
all tiers of the network, from desktop computers, to servers, to Internet
gateways. Symantec’s Norton brand of consumer security products leads
the market in worldwide retail sales and industry awards. Headquartered
in Cupertino, California, Symantec has approximately 4000 employees, worldwide
operations in 37 countries, and over 100 million users.
At Symantec, I oversee our Advanced Concepts team,
a research group dedicated to studying new security threats and creating
new technologies to protect computers at all levels of the Internet infrastructure.
Prior to this role, I oversaw our anti-virus research team, responsible
for analyzing and creating fixes for computer viruses and other malicious
threats. I am pleased to have the chance today to speak with you about
computer worms, a growing threat to our national and economic security.
Computer Viruses and Worms
A traditional computer virus is a program
designed to spread to many files on a single computer. However, a virus
cannot spread from one computer to another without the user performing
some manual action. For example, a user could inadvertently copy a virus
to a floppy disk, and then transfer the virus to another computer. Or
a user could unknowingly attach an infected file to an e-mail message.
Again, traditional computer viruses are dependent on user action, spreading
only as fast as humans exchange information, on the order of days or weeks.
Computer worms are malicious programs designed
to spread themselves over networks to as many computers as possible. Worms
spread largely without human interaction and can therefore infect new
computers at an exponential rate. In some cases, worms can infect hundreds
of thousands or even millions of computers in hours, without regard to
borders or boundaries.
Recent Computer Worms and their Impact
While there have been some notable computer worms
in the more distant past, the release of Melissa in March, 1999,
marked a significant turning point in fast-moving malicious computer threats.
Melissa spread itself automatically through e-mail from one computer
to the next, across the Internet. Even more damaging was the LoveLetter
worm from May, 2000, which infected millions of e-mail messages and is
estimated by Computer Economics to have cost our global economy 8.7 billion
dollars.
Most recently, certain versions of the Code
Red worm spread, by some estimates, to more than 350,000 computers
on the Internet in less than 15 hours, without any user interaction. According
to Computer Economics, Code Red has already had a worldwide economic
impact of 2.4 billion dollars [i]. Initial versions of Code
Red, released in July 2001, attempted to launch a denial of service
attack on the whitehouse.gov Website. Code Red is particularly
virulent because it combines two different forms of attacks, first spreading
to many computers and then launching a denial of service attack.
A subsequent version of this worm, Code Red
II, released in early August 2001, again spread to many computers
across the Internet and also left behind a "back door" on each
infected machine. This back door provides a new security hole in the machine,
making it easy for an attacker to compromise the computer still further
even after Code Red II has been removed and the system has been
appropriately updated.
In the future, we could see computer worms moving
across the Internet at even greater speeds with an even wider array of
hostile capabilities.
The Dangers Ahead
Our global economy is becoming more dependent on
the Internet. Computers connected to the Internet either control or will
likely soon control e-commerce sites, stock market trading, power generation,
transportation systems, electronic business supply chains, government
transactions and numerous other operations. A properly targeted computer
worm could hobble any or all of these systems, threatening our national
security. This is the price we pay for all of the efficiencies that the
Internet brings to our business and government systems.
The potential for such a devastating threat will
only grow more likely as home users move in greater numbers to broadband
Internet connections through cable modems or Digital Subscriber Lines
(DSL). A Code Red-type worm could quickly spread, without user
intervention, to 50 million or more home computers through broadband "always
on" connections. Furthermore, a denial of service attack then launched
from 50 million infected machines could decimate the online business-to-business
transactions of all Fortune 500 companies, as well as all business-to-government
and government-to-government electronic transactions. The Internet would
grind to a halt, just as would traffic on a freeway if 50 million stalled
cars were suddenly added to the road. In addition, the cleanup effort
required to disinfect tens of millions of privately owned computers would
be enormous, likely costing far more than for any previous incidents.
The demographics of online attackers are also changing.
To the extent that we know of their origin, amateurs—primarily young males,
ages 14-24—appear to have created most of the recent computer worms and
were not targeting any special victims. Even the most damaging of these
threats, such as LoveLetter, clearly had no particular target in
mind. However, with more and more business and government functions conducted
online, we expect to see an increase in professional attacks from organized
crime, corporate spies, social or political activists, terrorist groups,
rogue states, and other organizations targeting specific systems
on the Internet.
In March of this year, the National Infrastructure
Protection Center (NIPC) issued a release indicating that several organized
hacker groups from Eastern Europe had penetrated US e-commerce systems
and stolen proprietary customer information including over one million
credit cards (NIPC Advisory 01-003). Given the
increasing value of information stored on the Internet, we fully expect
other targeted attacks from professionals in the future.
Security in the Government and the Private Sector
There is no question that the need for improved
security is as much an issue for the private sector as for the United
States Government. Research from IDC on North American security trends
shows that both the federal government and private sector organizations
have been fairly successful in setting up a first line of cyber-defense,
through deployment of anti-virus software and firewalls. Furthermore,
according to IDC, government entities rank among the earliest adopters
of anti-virus technology and are also among the most effective at fighting
computer viruses in a timely fashion. While this initial line of defense
can thwart many of today’s threats, next steps should be taken if government
and industry are to provide a complete security solution to protect against
the targeted attacks we may face tomorrow. Should a professional attacker
attempt to exploit existing vulnerabilities through a more targeted worm,
the costs to American corporations could be astronomical.
Moving forward, it will be increasingly important
for the government and the private sector to share as much information
on cyber-attacks as possible, to protect our nation’s critical infrastructures.
Thanks to the support of the government through Presidential Decision
Directive 63 (PDD 63), private industry is in the process of setting
up a number of Information Sharing and Analysis Centers (ISACs) that provide
formal mechanisms for companies to share information on security attacks,
vulnerabilities, solutions, and best practices. This information is, in
turn, shared with the government in certain instances.
Symantec is a founding board member of the Information
Technology or IT-ISAC. The effort to build an ISAC for the IT community
has been spearheaded in large part by Harris Miller, President of the
ITAA who is also testifying before you today and I would like to commend
his efforts on this project. We hope that the creation of the IT-ISAC
will encourage further efforts by both the government and the private
sector to work together on cyber-security issues.
We provide further specific security recommendations
in the following section.
Recommendations
The key to effective security is a set of well
thought out and clearly communicated policies and plans that support the
organization’s objectives and provide guidance for employees. Successful
enforcement comes through a combination of informed people, sound policies,
workable procedures, management commitment and appropriate use of technology
and services.
One good lesson learned from the private sector
is the need to appropriately prioritize potential solutions according
to their cost/reward tradeoff. By applying a few simple rules, one can
prevent the vast majority of attacks. We sometimes refer to this as the
80/20 rule for security - by applying the most important 20 percent of
potential security solutions inside an organization, one can likely prevent
80 percent of possible attacks. Deploying effective security is not an
all or nothing procedure. Rather, it is an evolutionary process, where
each successive step further reduces risk.
Based on our experiences, the top security recommendations
for any organization, public or private, which will likely protect against
80 percent of attacks, are:
1. Organizations need properly configured and
regularly updated anti-virus software and firewalls, as a basis for
any effective security solution. To use an analogy from physical security,
this is similar to locking your door and having a guard in front of
the house. According to the CSI/FBI 2001 Computer Crime and Security
Survey, the penetration of both anti-virus and firewalls in the private
and public sector is very high.
2. Organizations need to deploy appropriate
updates for any announced security holes, on all systems, as soon
as they are available. Whenever a new security vulnerability in commercial
software is announced publicly, the information becomes accessible
not only to legitimate users of the software but also to attackers
who can then take advantage of the flaw for their own malicious purposes.
This was clearly demonstrated with the recent Code Red worm [ii].
3. Organizations should have a specific policy
to ensure that computer users’ passwords cannot easily be compromised.
This will help ensure that none of these computers can easily be co-opted
to launch a worm. This also greatly reduces the effectiveness of any
worm that attempts to spread in an organization from one computer
to the next by cracking user passwords. Such a policy includes making
sure that users do not have easily guessed passwords, such as common
words, user names or initials, the word "password" and others.
Users should be required to change passwords regularly and use passwords
that are sufficiently long. The policy should include a requirement
to regularly test that all passwords are adequately strong.
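As an added example (not from the testimony or Symantec), the following Python audit implements the password criteria listed in this recommendation; the minimum length, the common-word list and the sample accounts are constructed assumptions.

```python
"""Password-policy check modelled on recommendation 3 of the testimony.
Added example, not Symantec's code: the minimum length, the common-word
list and the sample accounts are constructed assumptions."""
import re

MIN_LENGTH = 10   # assumption: the testimony only says "sufficiently long"
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "qwerty"}  # constructed stand-in

def _account_tokens(username, full_name):
    """Login name, name parts and initials that must not appear in the password.
    Tokens under three characters (e.g. two-letter initials) are skipped because
    they would match almost any password."""
    parts = [p for p in re.split(r"[\s.\-]+", full_name.lower()) if p]
    tokens = {username.lower(), *parts}
    if len(parts) > 1:
        tokens.add("".join(p[0] for p in parts))
    return {t for t in tokens if len(t) >= 3}

def check_password(password, username, full_name):
    """Return the policy violations (empty list = passes). The checks mirror the
    testimony: too short, a common word, the word 'password', or built from
    the user's name or initials."""
    pw = password.lower()
    core = re.sub(r"[\d\W_]+$", "", pw)   # "password2001!" -> "password"
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if core in COMMON_WORDS or "password" in pw:
        violations.append("based on a common word or the word 'password'")
    for token in sorted(_account_tokens(username, full_name)):
        if token in pw:
            violations.append(f"contains account-derived token '{token}'")
            break
    return violations

def audit_accounts(accounts):
    """Periodic audit ('regularly test that all passwords are adequately
    strong'): map each failing username to its violations."""
    failing = {}
    for username, full_name, password in accounts:
        problems = check_password(password, username, full_name)
        if problems:
            failing[username] = problems
    return failing

# Constructed sample records (not real credentials).
SAMPLE_ACCOUNTS = [
    ("strilling", "Stephen Trilling", "trilling2001"),
    ("jdoe", "Jane Doe", "Password!1"),
    ("asmith", "Alice Smith", "V7#kq2!pLm9z"),
]
if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(problems))
```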
Further general security recommendations, again
based on our experiences, are as follows:
1. Organizations should take more proactive
steps to deploy vulnerability assessment and vulnerability management
software. This type of monitoring can determine, for example, whether
appropriate software updates for security holes have been deployed
(#2 above) and whether any easily compromised passwords are being
used (#3 above). As such, these software solutions can help ensure
that organizations are adhering to the key elements of the 80/20 rule.
This type of software can also help organizations ensure full compliance
with existing security policies in advance of monitoring from outside
agencies.
According to an IDC report, government
agencies as a whole tend to be slightly behind some other critical
organizations such as banking, communications, financial services,
healthcare, and utilities with respect to routine security auditing,
and slightly ahead of transportation. However, the federal government
is well ahead of most critical industry sectors in this area [iii].
While this survey does not directly address vulnerability assessment
software, these results are likely indicative of the level of deployment
of this type of solution across different sectors.
2. Organizations should consider blocking all
executable programs flowing into the corporation through e-mail attachments.
Such a policy will likely stop some legitimate attachments from entering
the organization, but will also vastly reduce the chance of a malicious
worm entering via e-mail. Many private corporations are quite willing
to make this tradeoff and have successfully blocked numerous worms
by instituting such procedures.
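As an added example (not from the testimony or Symantec), this Python gateway check flags executable e-mail attachments as the recommendation describes; the extension list, the content-type list and the sample message are constructed assumptions, and the content check on the leading "MZ" bytes is added so a renamed program is still caught.

```python
"""Mail-gateway check for executable attachments (recommendation 2 of the
testimony). Added example, not Symantec's code: the extension list, the
content-type list and the sample message are constructed assumptions."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption: attachment names the gateway treats as "executable programs".
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}

def is_executable_part(part):
    """Flag a MIME part by declared filename, by declared content type, or by
    content: a DOS/Windows executable begins with the bytes b"MZ", so a
    renamed program is still caught when its extension looks harmless."""
    filename = (part.get_filename() or "").lower()
    ext = filename[filename.rfind("."):] if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS or part.get_content_type() in EXECUTABLE_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"

def executable_attachments(raw_message):
    """Return the filenames of attachments the policy would block, in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return [part.get_filename() or "<unnamed>"
            for part in msg.iter_attachments() if is_executable_part(part)]

def build_sample_message():
    """Constructed message: a benign text file, a .exe, and an executable
    renamed to .txt that only the MZ-header check catches."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.gov"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"Just some notes.", maintype="text", subtype="plain",
                       filename="notes.txt")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60          # constructed PE-like header
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="update.exe")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print("blocked:", executable_attachments(build_sample_message()))
```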
3. Organizations should consider installing
intrusion detection software to monitor their networks for potential
attacks. This software is analogous to alarm systems and motion sensors
in a home, alerting on any suspected intrusion. On a computer network,
intrusion detection software can provide alerts on attacks and break-ins
from numerous threats including worms such as Code Red.
According to the CSI/FBI Computer Crime and
Security Survey, deployment of intrusion detection systems is rapidly
increasing for large corporations and government agencies, although
its overall penetration is still well below that of anti-virus software
or firewalls [iv]. According to IDC, the federal government
is well ahead of such critical organizations as financial services,
healthcare, transportation, and utilities and comparable to banking
and communications with regards to deployment of intrusion detection
software [iii].
4. Organizations should deploy several layers
of security software at all tiers within the enterprise. The following
is an example of various different technologies that could have helped
stop Code Red from infecting a given Web site:
- Certain firewall products could prevent
initial Code Red infection.
- Intrusion detection software could alert
on a Code Red attack.
- Vulnerability assessment software could
alert administrators to update their software to prevent attack.
- Anti-virus software could be used to detect
the "back door" left by Code Red II.
Computer worms can potentially attack large
servers, desktop computers, and even handheld devices. This emphasizes
the importance of having an integrated set of security solutions protecting
all tiers of the network. For example, one should consider deploying
firewalls not only at the network perimeter, but also on desktop machines
to stop threats that have been released inside the organization.
5. Industries and government agencies that
are essential to our national security (as described in Presidential
Decision Directive 63) should consider using private networks
for all critical communications. Such private networks could help
isolate important transmissions from computer worms or worm-based
denial of service attacks.
6. We need continued public/private sector
cooperation in sharing information on security issues as well as in
providing appropriate security education to both government and corporate
entities. The IT-ISAC is a good current example of a cooperative sharing
organization for the IT sector. Recent alerts from the public and
private sectors on the need to deploy appropriate security updates
to protect against Code Red were a good demonstration of educational
efforts in this space.
Conclusion
Over the coming decade, a computer worm could
easily devastate our economy. As the threats become more dangerous
and more sophisticated, we must be vigilant and take necessary steps
to better protect our nation’s critical infrastructure. The time to
address and invest in the problem is now. Both the government and
corporations are building the next generation of online systems today,
and all of these systems will be targets tomorrow.
By applying the 80/20 rule, organizations can
likely prevent 80 percent of potential worm attacks to their infrastructure,
by addressing just the top 20 percent of good security practices.
This is a very good first step. However, the growth of home broadband
connections raises further concerns that a worm could spread rapidly
to millions of Internet users and drastically impact the operation
of our economy.
We must therefore look for comprehensive solutions
to protect against future attacks on our electronic highways. Only
through proactive attention to this problem across both the public
and private sector, and through greater cooperation between both groups,
will we be able to effectively deal with this serious threat.
Thank you.