IWS - The Information Warfare Site

Computer Viruses: The Disease, the Detection, and the Prescription for Protection

Subcommittee on Telecommunications and the Internet
November 6, 2003
09:30 AM
2123 Rayburn House Office Building 

Mr. Robert W. Holleyman II
President & Chief Executive Officer
Business Software Alliance
1150 18th Street, NW
Suite 700
Washington, DC, 20036

Good morning. Chairman Upton, Congressman Markey, Members of the Subcommittee, thank you for the opportunity to provide testimony on this important and timely subject: computer viruses. My name is Robert Holleyman and I am President and CEO of the Business Software Alliance (BSA).

BSA represents the world's leading developers of software, hardware and Internet technologies. We are headquartered in Washington, D.C. We also have offices in Europe and Asia and are active in more than 65 countries.

* * *

Today I'd like to focus my remarks on laying out a prescription for prevention of cyber attacks and the three critical areas where technology companies and governments need to make progress in order to make our information networks safer:

  • First, elevating information security as a management priority for every company.
  • Second, enhancing law enforcement's capabilities to treat destructive virus attacks as serious crimes, and
  • Third, increasing international cooperation to better recognize that viruses are, more often than not, international in scope.

But before I talk about some of these crucial steps that the high-tech industry and governments around the world need to take to mitigate our risks, let me begin by giving you a prognosis for the disease.

  • According to preliminary data from a BSA survey of more than 12,000 information security professionals, 65 percent of security professionals believe it is likely that their organization will be hit with a major cyber attack in the next 12 months.
  • According to research by Symantec, an estimated 200-300 new viruses are discovered each month, bringing the total number of catalogued viruses and worms to over 65,000.
  • Gartner has predicted that cyber crime will double or triple between 2001 and the end of this year. It also believes that by 2005, 60 percent of the security breaches will be financially or politically motivated.
  • The cost of viruses to American business is staggering. Business Week and Gartner report that viruses have already cost US businesses $13 billion this year alone.

As the National Strategy to Secure Cyber Space has clearly articulated, the threats are real, and the solutions are not simple.

At the Business Software Alliance, we have focused much of the last several years on working with businesses and governments to assist them in preparing against potential cyber attacks, and to institute - through both industry-led best practices and legislative reforms - sound policies to help eliminate some of this confusion and maximize our collective cyber preparedness.

Our efforts have encompassed a wide array of topics - from encouraging industry leadership in best information security practices, to opposing technology-specific government standards that would stymie the dynamic evolution of security and anti-virus tools.

Indeed, the software industry has redoubled its own efforts to build better, more reliable, and more secure products. I can tell you with complete certainty that security is the top priority for each and every CEO in our industry. Clearly, our industry has a critical responsibility to make the most secure products possible, and we are stepping up to the plate.

At the same time, there are three areas where we, as a nation, must collectively turn our focus.

* * * * *

INFORMATION SECURITY MANAGEMENT

First, it is imperative that cyber security become a senior management priority for every company. We need to fundamentally recognize that information security is not solely a technical issue, but a corporate management challenge that must be treated as such to make progress. That's why the BSA has created a CEO Task Force on this issue, which is working to elevate cyber security to the level of senior management. We must remember, after all, that the private sector owns nearly 90 percent of the nation's information networks.

We are doing more than just preaching this message, however. The BSA task force recently released a preliminary Framework for Action that outlines specific roles for business unit heads, senior managers, CIOs, and the CEOs themselves. This whitepaper distilled the lessons contained in other policy reports, legislation, and guidelines and found broad consensus on what needs to be done.

The more we do together to promote awareness of information security among corporate executives and accelerate adoption of effective security strategies, the more secure our nation will be.

* * * * *

EFFECTIVE LAW ENFORCEMENT ACTIONS

The second area that needs immediate attention is law enforcement in cyber space. Determined, innovative hackers, virus writers and cyber criminals are constantly working to develop new ways to break into systems - just as criminals in the real world are continually inventing new types of fraud and finding new ways to break into cars or homes. But many cyber crimes are not yet perceived as real crimes. As a result, there is insufficient deterrence for these cyber criminals and potential cyber terrorists.

Let me highlight three areas for further progress:

  • First, we need to raise awareness globally that computer viruses, worms and denial of service attacks are not clever acts of mischief, but serious crimes that can cause major economic damage, or worse. Just as in the offline world, when criminals steal or attack online, authorities need to be able to find and punish them.
  • Second, we need to ensure that law enforcement has the resources it needs - personnel, training, and equipment - so that cyber space doesn't turn into a safe haven for hackers, virus writers and other criminals. Governments need access to the same cutting-edge technologies that cyber criminals use, and the ability to coordinate, investigate and enforce.
  • Third, we need to ensure greater cross-jurisdictional cooperation in investigating cyber attacks. Cyber security is inherently an international issue that requires international solutions. Many of the most recent cyber attacks were international in scope. Continued collaboration, information sharing, and tough laws in every country criminalizing cyber attacks are vital to ensuring that law enforcement can help prevent crime and investigate cyber criminals wherever they may hide.

* * * * *

That brings me to my third and final point:

INTERNATIONAL COOPERATION.

Our cooperative efforts need to extend far beyond law enforcement. Indeed, strong relationships are necessary with Europe and the still small number of countries around the globe that are taking a lead on these issues.

I was in Brussels in June for a major forum that BSA co-organized with leading members of the European Parliament to discuss cyber security, and, specifically, the European Commission's proposed Network and Information Security Agency. It is crucial that the technology industry - and the U.S. government - work closely with the EU to ensure that the structure of this new agency - and any others that are ultimately created around the world - is flexible enough to provide rapid responses to ever-changing security threats. It also needs to be technology-neutral - relying on performance guidelines and best practices rather than technology-limiting standards.

The U.S. has a unique opportunity to build new global partnerships and set baseline standards that reinforce the importance of technology neutrality and private sector leadership.

* * * * *

In closing, let me affirm BSA's belief that successful, constructive partnership by both government and industry is necessary to effectively meet the global information security challenge.

While today's hearing is about making progress in defending against computer viruses and worms, it is really about how we can build faith in our information networks to make them more valuable and effective. To do this, we need a shared commitment to reducing risks and increasing cooperation between businesses, network operators, law enforcement agencies and governments as a whole. The BSA stands committed to playing our part in helping ensure that the nation has a prescription, not just for immunizing ourselves against viruses and worms, but for enabling a safe and healthy digital world that fosters innovation, unleashes human potential, and spurs economic growth.

Thank you and I look forward to your questions.