on Telecommunications and the Internet
November 6, 2003
2123 Rayburn House Office Building
Mr. Robert W. Holleyman II
President & Chief Executive Officer
Business Software Alliance
1150 18th Street, NW
Washington, DC, 20036
Good morning. Chairman Upton, Congressman Markey, Members of the
Subcommittee, thank you for the opportunity to provide testimony
on this important and timely subject: computer viruses. My name
is Robert Holleyman and I am President and CEO of the Business
Software Alliance (BSA).
BSA represents the world's leading developers of software, hardware
and Internet technologies. We are headquartered in Washington,
D.C. We also have offices in Europe and Asia and are active in
more than 65 countries.
* * *
Today I'd like to focus my remarks on laying out a prescription
for prevention of cyber attacks and the three critical areas where
technology companies and governments need to make progress in order
to make our information
- First, elevating information security as a management priority
- Second, enhancing law enforcement's capabilities to treat destructive
attacks as serious crimes, and
- Third, increasing international cooperation to better recognize
are, more often than not, international in scope.
But before I talk about some of these crucial steps that the high-tech
industry and governments around the world need to take to mitigate
let me begin by giving you a prognosis for the disease.
- According to preliminary data from a BSA survey of more than
12,000 information security professionals, 65 percent of security
professionals believe it is likely that their organization will
be hit with a major cyber attack in
the next 12 months.
- According to research by Symantec, an estimated 200-300 new
viruses are discovered each month, bringing the total number
of catalogued viruses and worms
to over 65,000.
- Gartner has predicted that cyber crime will double or triple
between 2001 and the end of this year. It also believes that
by 2005, 60 percent of the security breaches will be financially
or politically motivated.
- The cost of viruses to American business is staggering. Business
Week and Gartner report that viruses have already cost US businesses
$13 billion this
As the National Strategy to Secure Cyber Space has clearly articulated,
threats are real, and the solutions are not simple.
At the Business Software Alliance, we have focused much of the
last several years on working with businesses and governments to
assist them in preparing against potential cyber attacks, and to
institute - through both industry-led best practices and legislative
reforms - sound policies to help eliminate some of this confusion
and maximize our collective cyber preparedness.
Our efforts have encompassed a wide array of topics - from encouraging
industry leadership in best information security practices, to
opposing technology-specific government standards that would stymie
the dynamic evolution
of security and anti-virus tools.
Indeed, the software industry has redoubled its own efforts to
build better, more reliable, and more secure products. I can tell
you with complete certainty that security is the top priority for
each and every CEO in our industry. Clearly, our industry has a
critical responsibility to make the most secure products possible,
and we are stepping up to the plate.
At the same time, there are three areas where we, as a nation,
collectively turn our focus.
INFORMATION SECURITY MANAGEMENT
First, it is imperative that cyber security become a senior management
priority for every company. We need to fundamentally recognize
that information security is not solely a technical issue, but
a corporate management challenge that must be treated as such to
make progress. That's why the BSA has created a CEO Task Force
on this issue, which is working to elevate cyber security to the
level of senior management. We must remember, after all, that the
private sector owns nearly 90 percent of the nation's information
We are doing more than just preaching this message, however. The
BSA task force recently released a preliminary Framework for Action
that outlines specific roles for business unit heads, senior managers,
CIOs, and the CEOs themselves. This whitepaper distilled the lessons
contained in other policy reports, legislation, and guidelines
and found broad consensus on what needs to
The more we do together to promote awareness of information security
among corporate executives and accelerate adoption of effective
the more secure our nation will be.
EFFECTIVE LAW ENFORCEMENT ACTIONS
The second area that needs immediate attention is law enforcement
in cyber space. Determined, innovative hackers, virus writers and
cyber criminals are constantly working to develop new ways to break
into systems - just as criminals in the real world are continually
inventing new types of fraud and finding new ways to break into
cars or homes. But many cyber crimes are not yet perceived as real
crimes. As a result, there is insufficient deterrence for these
criminals and potential cyber terrorists.
Let me highlight three areas for further progress:
- First, we need to raise awareness globally that computer viruses,
worms and denial of service attacks are not clever acts of mischief,
but serious crimes that can cause major economic damage, or worse.
Just as in the offline world, when criminals steal or attack
online, authorities need to be able to
find and punish them.
- Second, we need to ensure that law enforcement has the resources
it needs - personnel, training, and equipment - so that cyber
space doesn't turn into a safe haven for hackers, virus writers
and other criminals. Governments need access to the same cutting-edge
technologies that cyber criminals use, and the ability to coordinate,
investigate and enforce.
- Third, we need to ensure greater cross-jurisdictional cooperation
in investigating cyber attacks. Cyber security is inherently
an international issue that requires international solutions.
Many of the most recent cyber attacks were international in scope.
Continued collaboration, information sharing, and tough laws
in every country criminalizing cyber attacks are vital to ensuring
that law enforcement can help prevent crime and investigate cyber
wherever they may hide.
* * * * *
That brings me to my third and final point:
Our cooperative efforts need to extend far beyond law enforcement.
Indeed, strong relationships are necessary with Europe and the
still small number of countries around the globe that are taking
a lead on these issues.
I was in Brussels in June for a major forum that BSA co-organized
with leading members of the European Parliament to discuss cyber
security, and, specifically, the European Commission's proposed
Network and Information Security Agency. It is crucial that the
technology industry - and the U.S. government - work closely with
the EU to ensure that the structure of this new agency - and any
others that are ultimately created around the world - is flexible
enough to provide rapid responses to ever-changing security threats.
It also needs to be technology-neutral - relying on performance
guidelines and best
practices rather than technology-limiting standards.
The U.S. has a unique opportunity to build new global partnerships
and set baseline standards that reinforce the importance of technology
private sector leadership.
* * * * *
In closing, let me affirm BSA's belief that successful, constructive
partnership by both government and industry is necessary to effectively
meet the global
information security challenge.
While today's hearing is about making progress in defending against
computer viruses and worms, it is really about how we can build
faith in our information networks to make them more valuable and
effective. To do this, we need a shared commitment to reducing
risks and increasing cooperation between businesses, network operators,
law enforcement agencies and governments as a whole. The BSA stands
committed to playing our part in helping ensure that the nation
has a prescription, not just for immunizing ourselves against viruses
and worms, but for enabling a safe and healthy digital world that
fosters innovation, unleashes human potential, and spurs economic
Thank you and I look forward to your questions.