Fighting Cybercrime: Efforts by Private
Testimony of Dave McCurdy
Electronic Industries Alliance
Subcommittee on Crime of the House Judiciary
June 14, 2001
Chairman Smith, Ranking Member Scott, and members of the Judiciary
Subcommittee on Crime: I appreciate the opportunity to testify
today on behalf of the Electronic Industries Alliance. I am deeply
thankful to the Chairman for holding this series of timely and
informative hearings on cybercrime. There are few issues that
are of more importance to the 2,300 member companies of EIA than
cybercrime and a secure Internet.
This is not news, but it still amazes me how quickly the Internet
became such an important part of our lives - both personally and
professionally. From the simplest personal task like checking
your bank account to the most complicated business transaction,
the Internet and information technologies have changed the way
Unfortunately, the Internet was not designed with security, privacy
or civil liberties in mind. It was designed to be an open platform
for communication, with distributed control and mutual trust among
users. I'm sure the architects of the Internet had no concept
of what it would become, just as we have no concept of what it
will become twenty years from now.
Our dependence on this new technology in all areas of our lives
has created a true challenge for policymakers: how to protect
users of the Internet from the abusers.
As policymakers contemplate how to best protect the Internet
from cybercriminals and try to ascertain the proper role of government
on the Internet, the reality remains: as a rule, technology has
exponentially outpaced the establishment of sound policy.
Dependence on information technologies has opened the door to
a host of vulnerabilities. Cybercriminals take advantage of these
vulnerabilities every day, including threats to staff, physical
assets, networks, transmission and stored data. Any of these critical
parts of our information infrastructure are susceptible to sophisticated
attacks from anonymous cyber-operators such as 'benevolent hackers',
delinquents, industrial competitors, organized crime, foreign
adversaries and terrorists.
The question is not whether or not an attack will come, because
it will come. The question is what will government and business
do to prepare for the next imminent attack and preserve critical
systems and assets to maintain operability in the information
Sophistication of cyberattacks
"Nothing more than a whim of a 13-year old hacker is required
to knock any user, site or server right off the internet" - Steve
Gibson, Gibson Research Corporation, June 2, 2001
Between January 1, 2001, and June 12, 2001, new vulnerabilities
in software products were reported from at least 39 different
countries. Furthermore, traditional models of security often
focus on perimeter defenses -- securing your own network from
unauthorized access. This model is insufficient for today's networks
for a variety of reasons, including that the level of technical sophistication
and the tools criminals use to launch attacks have evolved very
rapidly. This is further complicated by the ability of intruders
to evade law enforcement by launching their attacks from intermediate
machines they have previously compromised. Here are some examples
of the common tools associated with cybercrime activities:
· Automated scanners - programs that scan a range of Internet
addresses looking for computers of a particular type.
· Probes - programs that examine a computer, once it is located,
searching for one or more vulnerabilities. These vulnerabilities
are often present in operating system, network, or applications
software. They are problems because even when corrected by vendors,
system owners often do not upgrade their software with those corrections.
· Root kit - a program that takes control of a penetrated computer
and disguises its presence so the legitimate system owners don't
know that the system has been compromised. Once a computer is
compromised in this way, the attackers have full access to all
data on that computer and often to all data on the local network
the computer is connected to.
· Sniffers - programs that are installed on compromised machines
to scan network traffic as it passes by and look for data the
attackers can use to their advantage (computer account names and
passwords, credit card numbers, and other unencrypted sensitive
· Attack networks - compromised computers that attackers aggregate
into networks controlled by one or more master computers. These
networks can be programmed to attack other machines on the Internet,
often with crippling denial-of-service attacks.
· IP spoofing - a technique attackers use to hide the identity
of their attack computers and fool (spoof) the attacked machine
into believing the attacks have come from a different source.
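As an added illustration (not part of the testimony), the first two tool types above can be told apart in ordinary firewall logs: a scanner touches many hosts on one port, while a probe touches many ports on one host. The log format, addresses and thresholds below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not from any real system):
# 203.0.113.5 sweeps one port across many hosts (scanner behaviour),
# 198.51.100.7 walks many ports on one host (probe behaviour),
# 192.0.2.50 is ordinary traffic.
SAMPLE_LOG = """\
Jun 12 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
Jun 12 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=21
Jun 12 10:00:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP DPT=21
Jun 12 10:00:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP DPT=21
Jun 12 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=21
Jun 12 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=23
Jun 12 10:00:06 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=80
Jun 12 10:00:06 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=111
Jun 12 10:00:09 gw kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=80
Jun 12 10:00:10 gw kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)")

def parse_log(text):
    """Return (src, dst, dport) tuples for every line that matches LINE_RE."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(LINE_RE.search, text.splitlines()) if m]

def classify_sources(events, host_threshold=4, port_threshold=4):
    """Label each source 'scanner' (one port, many hosts), 'probe'
    (one host, many ports) or 'normal'. Thresholds are illustrative."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, port in events:
        hosts_per_port[src][port].add(dst)
        ports_per_host[src][dst].add(port)
    verdicts = {}
    for src in hosts_per_port:
        labels = []
        if any(len(h) >= host_threshold for h in hosts_per_port[src].values()):
            labels.append("scanner")
        if any(len(p) >= port_threshold for p in ports_per_host[src].values()):
            labels.append("probe")
        verdicts[src] = labels or ["normal"]
    return verdicts

if __name__ == "__main__":
    for src, labels in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, ", ".join(labels))
```

Real deployments would add a time window and suppress known management hosts, otherwise a vulnerability scanner you run yourself is flagged the same way.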
As the Internet grows, so does the risk. For the first time,
intruders are developing techniques to harness the power of hundreds
of thousands of vulnerable systems on the Internet. Using what
are called distributed-system attack tools, intruders can involve
a large number of sites simultaneously, focusing all of them to
attack one or more victim hosts or networks. The sophisticated
developers of intruder programs package their tools into user-friendly
forms and make them widely available. As a result, even unsophisticated
users can use them. Subsequently, serious attackers have a pool
of technology they can use and mature to launch damaging attacks
and to effectively disguise the source of their activities.
[See attachments A, B]
Attack technology is developing in an open source environment
and is evolving rapidly. Technology experts and users are improving
their ability to react to emerging problems, but we are behind.
Significant damage to our systems and infrastructure can occur
before effective defenses can be implemented. As long as our strategies
are reactionary, this trend will worsen.
Current Cybercrime Policy
The control of U.S. cybercrime policy has traditionally been
viewed as an issue for the law enforcement and national defense
communities -- not an economic policy issue. Solutions for cybercrime
have been expressed in terms of criminal sanctions, counter-terrorism
efforts and law enforcement training rather than the prevention
managed by the users of the information assets, like businesses
However, law enforcement and national security communities do
not have all the answers. In addition to leadership from private
industry, the following goals need to be met in any national policy
· A National strategy from the President after consultation with
leadership of constituencies for coordinated responses to threats
and attacks, such as was developed for Y2K including:
§ Establishment of empowered organizations for sharing information
about cyber-threats, attacks and remedies such as the Internet
Security Alliance, the sectoral ISACs, and similar government
and international groups
· Incentives for industrial and government institutions to adopt
top-down policies of institutional security - including information
technology/network security - that include:
§ Clear designation of responsibility/delegation from CEO
§ Creation of risk management plan
§ Investments in employee enculturation and user education
§ Establishment of best practices regarding high value / high
risk environments in information technology, for example:
· Establishment of organizational CIO
· Employee education on IT security practices
· Deployment of best practices technologies
o Antiviral software
o PKI authentication/encryption for e-mail/Internet
· In government, necessary training and funding for these types
What we need to avoid in establishing a national policy:
New technology-specific criminal statutes that will result in
the hobbling of vendor industries and slowing of deployment of
leading edge technologies to the mass of internet users.
Where can the private sector help?
In order to protect all Internet consumers, organizations must
search for an industry-led, global, cross-sector network focused
on providing solutions to the challenges of the Internet Economy.
We are at risk, and the business community must make it a leadership
priority. The following are examples of what the private sector
should be doing:
Maintaining an adequate level of security in this dynamic environment
is a challenge, especially with new vulnerabilities being discovered
daily and attack technology evolving rapidly in an open-source
environment. To help organizations stay current with vulnerabilities
and emerging threats the private sector must concentrate on providing
· Vulnerability catalog: a complete record of
past vulnerability reports. New entries would be added to the
catalog as they were reported.
· Technical threat alerts: in the form of "special
communications" provide early warning of newly discovered security
threats and are updated as analysis activities uncover additional
information. Ranging from alerts on newly discovered packages
of malicious code, such as viruses and trojan horses, to in-depth
analysis reports of attack methods and tools, these reports would
help organizations defend against new threats and associated attack
· Member information exchange: augmenting the
basic services listed above, an organization would have to develop
an automated information sharing mechanism that allows businesses
and individuals to anonymously report vulnerability, threat, and
other security information that they are willing to share with
other secure channels.
· Threat analysis reports: today the great majority
of Internet security incidents are conducted by unknown perpetrators
who act with unknown motivations to achieve unknown goals. Managing
security risks in the long-term will require a better understanding
of the perpetrators and the economic, political and social issues
that drive them.
Effective management of information security risks requires that
organizations adopt a wide range of security practices. From basic
physical security controls that prevent unauthorized access to
computing hardware, to user-focused practices on password selection,
to highly-detailed system administration practices focused on
configuration and vulnerability management, these practices help
organizations reduce their vulnerability to attacks from both
outsiders and insiders.
· Practices catalog: beginning with existing
practice collections and standards, and in collaboration with
any participating companies an organization must develop a catalog
of practices that span the full range of activities that must
be addressed when developing an effective risk management program.
The catalog will contain high-level descriptions of the required
practices and should be made publicly available
While a sizeable commercial marketplace has developed for hardware
and software tools that can be used to enhance an organization's
security and a variety of tools can now be purchased, comprehensive
tool sets are lacking. To fill the gaps, organizations build their
own or find and evaluate public domain tools - a time consuming
and expensive activity. An organization would have to establish
a tools exchange: a restricted access repository where only network
administrators can exchange special purpose tools they have
created as well as information about, and evaluation of, public
domain tools available over the Internet.
While there are many things an organization can do to enhance
its security, some issues require broad action. For example, overall
security could be improved through increased information sharing
between industry and government, but FOIA (Freedom Of Information
Act) regulations deter companies from sharing sensitive information
with the government. Other issues like privacy and the proposed
HIPAA legislation could also affect network security. An organization
needs to identify these overarching issues and work with the appropriate
industry and government organizations to advocate policy that
effectively addresses the issues.
Other Critical Areas
The current state of Internet security is the result of many
additional factors, such as the ones listed below. A change in
any one of these can change the level of Internet security and
· Enhanced incident response capabilities - The incident response
community has handled most incidents well, but is now being strained
beyond its capacity. In the future, we can expect to see multiple
broad-based attacks launched at the Internet at the same time.
With its limited resources, the response community will fragment,
dividing its attention across the problems, thereby slowing progress
on each incident.
· The number of directly connected homes, schools, libraries
and other venues without trained system administration and security
staff is rapidly increasing. These "always-on, rarely-protected"
systems allow attackers to continue to add new systems to their
arsenal of captured weapons.
· The demand for skilled system administrators far exceeds the
supply.
· Internet sites have become so interconnected and intruder tools
so effective that the security of any site depends, in part, on
the security of all other sites on the Internet.
· The difficulty of criminal investigation of cybercrime coupled
with the complexity of international law means that successful
apprehension and prosecution of computer criminals is unlikely,
and thus little deterrent value is realized.
· As we face the complex and rapidly changing world of the Internet,
comprehensive solutions are lacking. There is increased reliance
on "silver bullet" solutions, such as firewalls and encryption.
The organizations that have applied a "silver bullet" are lulled
into a false sense of security and become less vigilant. Solutions
must be combined, and the security situation must be constantly
monitored as technology changes and new exploitation techniques
· There is little evidence of improvement in the security features
of most products; developers are not devoting sufficient effort
to apply lessons learned about the sources of vulnerabilities.
Until their customers demand products that are more secure, the
situation is unlikely to change.
· Engineering for ease of use is not being matched by engineering
for ease of secure administration. Today's software products,
workstations, and personal computers bring the power of the computer
to increasing numbers of people who use that power to perform
their work more efficiently and effectively. Products are so easy
to use that people with little technical knowledge or skill can
install and operate them on their desktop computers. Unfortunately,
it is difficult to configure and operate many of these products
securely. This gap leads to increasing numbers of vulnerable systems.
While it is important to react to crisis situations when they
occur, it is just as important to recognize that information assurance
is a long-term problem. The Internet and other forms of communication
systems will continue to grow and interconnect.
· More and more people and organizations will conduct business
and become otherwise dependent on these networks.
· More and more of these organizations and individuals will lack
the detailed technical knowledge and skill that is required to
effectively protect systems today.
· More and more attackers will look for ways to take advantage
of the assets of others or to cause disruption and damage for
personal or political gain.
· The network and computer technology will evolve and the attack
technology will evolve along with it.
· Many information assurance solutions that work today will not
Managing the risks that come from this expanded use and dependence
on information technology requires an evolving strategy that stays
abreast of changes in technology, changes in the ways we use the
technology, and changes in the way people attack us through our
systems and networks. To move forward, we will need to make improvements
to existing capabilities as well as fundamental changes to the
way technology is developed, packaged, and used.
Cybercrime needs to be attacked at the security level. Attacks
will happen - they will become more sophisticated as our technology
becomes more sophisticated. The best defense we can take as a
nation is to ensure our networks and systems are properly fortified