Testimony of Harris N. Miller
President, Information Technology Association
of America (ITAA)
Before the
House Subcommittee on Crime
Hearing on
"Fighting Cyber Crime"
June 14, 2001
Introduction
Chairman Smith and Members of the Subcommittee, thank you for
inviting me here to testify today on cyber crime. My name is Harris
N. Miller, and as President of the largest information technology
trade association, the Information Technology Association of America
<http://www.itaa.org/>, I am
proud that ITAA has emerged as the leading association on the
issue of information security. ITAA represents over 500 corporate
members. These are companies that have a vested economic interest
in assuring that the public feels safe in cyberspace; in the United
States, most of the Internet related infrastructure is owned and
operated by the private sector.
I am also President of the World Information Technology and Services
Alliance <http://www.witsa.org/>,
a consortium of 41 global IT associations from economies around
the world, so I offer a global perspective. ITAA also houses the
Global Internet Project <http://www.gip.org/>,
an international group of senior executives committed to fostering
continued growth of the Internet, which is spearheading an effort
to engage the private sector and governments globally on the Next
Generation Internet and related security and reliability issues.
I commend this Subcommittee for holding a series of hearings
on cyber crime and recognizing that to solve this enormous challenge,
industry leadership, in meaningful partnership with government,
is essential.
The stakes involved are enormous. Information technology represents
over 6 percent of global gross domestic product (GDP), a spending
volume of more than $1.8 trillion, and over 8 percent of US GDP,
according to Digital Planet 2000 <http://www.witsa.org/DP2000sum.pdf>,
a report released last year by WITSA. According to the US
Department of Commerce <http://www.ecommerce.gov/ecomnews/ecommerce2000annual.pdf>,
IT accounted for approximately one-third of the nation's real
economic growth from 1995 to 1999. Despite the current slowdown,
IT-driven productivity increases have enabled our country to have
what many economists thought we could not have: high growth, low
unemployment, low inflation, and growth in real wages.
The IT industry's importance to the economy goes beyond the numbers
I just recited, however, because the IT industry is not only a
vertical industry, such as financial services or health care; it
is also a horizontal industry whose technology and services undergird
all the other industry sectors. For instance, the failure
of a particular IT company to meet the information security challenge
not only hurts that company's bottom line, it also hurts the bottom
line of companies to which it provides software or IT services.
Economy at Risk
Cyber crime places the digital economy at risk. Just as the reality
or threat of real crime can drain the economic vitality of neighborhoods,
cities and even nations, so too can the reality or threat of crimes
committed online against people and property shutter businesses
and cause an otherwise motivated digital public to break their
Internet connection.
Cyber crime falls into several categories. Most incidents are
intended to disrupt or annoy computer users in some fashion. Distributed
denial of service (DoS) attacks crash servers and bring down websites
through the concerted targeting of thousands of email messages
to specific electronic mailboxes. Viruses and other malicious
code introduce phantom computer software programs to computers,
designed intentionally to corrupt files and data. Other online
intrusions are conducted to deface websites, post political messages
or taunt particular groups or institutions. Even though no one
stands to profit, damages caused by such attacks can run from
the trifling to the millions of dollars. What motivates these
attackers? Hackers may view the attack as a technology challenge,
may be seeking to strike a blow against the establishment, may
be looking for group acceptance from fellow hackers, or may be
just indulging themselves in a perverse thrill.
Other cyber criminals are more material guys and gals. They hope
to profit from their intrusions by stealing valuable or sensitive
information, including credit card numbers, social security numbers,
even entire identities. Targets of opportunity also include trade
secrets and proprietary information, medical records, and financial
transactions.
For some cyber criminals, the Internet is a channel for the dissemination
of child pornography and a tool used in the furtherance of other
crimes against children and adults. These crimes include fraud,
racketeering, gambling, drug trafficking, money laundering, child
molesting, kidnapping and more.
Cyber terrorists may seek to use the Internet as a means of attacking
elements of the physical infrastructure, like power stations or
airports. As we have seen in the Middle East, cyber terrorists
encouraging political strife and national conflict can quickly
turn the Internet into a tool to set one group against another
and to disrupt society generally.
Another class of cyber criminal, and unfortunately the most
common, is the insider who breaks into systems to eavesdrop, to
tamper, perhaps even to hijack corporate IT assets for personal
use. These could be employees seeking revenge for perceived workplace
slights, stalking fellow employees, looking for the esteem of
peers by unauthorized "testing" of corporate security, or other
misguided individuals.
Regardless of category, the threat is real. A recent study <http://www.cs.ucsd.edu/~savage/papers/UsenixSec01.pdf>
produced by Asta Networks and the University of California San
Diego monitored a tiny fraction of the addressable Internet space
and found almost 13,000 DoS attacks launched against over 5000
targets in just one week. While most targets were attacked only
a few times, some were victimized 60 or more times during the
test period. For many small companies, being knocked off the Internet
for a week means being knocked out of business for good.
The Computer Security Institute/FBI also documents the problem
in a widely reported study on computer breaches. This year's survey
of 538 respondents found 85 percent experiencing computer intrusions,
with 64 percent serious enough to cause financial losses. Estimated
losses from those willing to provide the information tallied $378
million, a 43 percent increase from the previous year.
A nationwide public opinion poll released last year by ITAA and
EDS showed that an overwhelming majority of Americans, 67 percent,
feel threatened by or are concerned about cyber crime. In addition,
62 percent believe that not enough is being done to protect Internet
consumers against cyber crime. Roughly the same number, 61 percent,
say they are less likely to do business on the Internet as a result
of cyber crime, while 33 percent say crime has no effect on their
e-commerce activities. The poll of 1,000 Americans also revealed
that 65 percent believe online criminals have less of a chance
of being caught than criminals in the real world, while only 17
percent believe cyber criminals have a greater chance of being
caught.
Battling Cyber Crime: Information Security
Information security is the multifaceted discipline that counteracts
cyber crime. Information security--or InfoSec--deals with cyber
crime prevention, detection and investigation. How do we achieve
information security?
Information Security is Built From Technology, Processes
and People
Too many times, the assumption is made that fighting cyber crime
can be done with technology alone. That is wrong. Just as the
best alarm system will not protect a building if the alarm code
falls into the wrong hands, a network will not be protected if
the passwords are given out freely. Failures in the "process and
people" part of the cyber crime solution may, in fact, be the
majority of the problems we see.
The marketplace is responding to the technology component of
this equation. Our customers demand it and, therefore, ITAA members
supply it. Beyond that simple yet effective commercial dynamic,
we also see market pressures beginning to coalesce. As cyber crime
becomes more common and more pervasive, we will hear a building
chorus of demand for information security solutions from insurance
firms, health care providers, financial services companies, utilities,
and the public at large.
The degree to which such products are necessary is in large part
determined by the level of risk incurred. In most cases, for instance,
security levels required to protect an email application would
not be as robust as those protecting electronic funds transfer.
Organizations must be able to select the technology solution that
is adequate to the job at hand. The marketplace must have the
commercial incentive to deploy a variety of technology solutions,
be they password protection, encryption, firewalls, biometrics
or other means.
Processes and people tend to be the more problematic elements
of the policy puzzle. The two are closely linked. From a strategic
point of view, the challenge is to make information security a
top priority issue. Moving from platitudes to practical action
requires the sustained commitment of senior management.
The goal is to embed information security in the corporate culture.
That is not always easy to do. CEOs want their IT systems to
be as fast as a Maserati, but as safe as a Brinks truck. Whenever
tradeoffs arise, the bias is towards speed, not safety. The challenge
for the IT sector and its customers working together is to provide
security at the speed of business.
Organizations must be willing to invest in the development of
comprehensive security procedures and to educate all employees--continuously.
The primary focus of improving processes and changing behaviors
is inside the enterprise. However, the scope of the effort must
also take into account the extended organization: supply chain
partners, subcontractors, customers, and others that must interact
on a routine basis.
Organizations Must Also be Prepared to Cooperate with
Law Enforcement
Unfortunately, companies often feel that the disruption to operations
and potential damage to reputation outweigh the benefits of such
cooperation. Until the private sector feels that it can do so
on a reasonable basis, hackers and cyber criminals will have a
significant advantage. ITAA and the Department of Justice conducted
a series of executive level meetings and conferences last year,
including participation by then Attorney General Janet Reno, to
work towards a new dialogue on this issue. More such events will
be held later this year. Companies can move this process along
by working through trade associations and groups like the Partnership
for Critical Infrastructure Security <http://www.pcis-forum.org>,
to achieve the necessary balance of public and private interests.
The challenge of processes and people is not a concern for the
private sector alone. The federal government must play a significant
role as well. The Administration, for instance, must bring substantial
leadership to the information security arena and help raise the
nation's level of awareness about cyber attacks and preventative
measures. A major part of this message must be that, given the
nation's extensive dependence on information systems, information
security means economic security.
The responsibility is both national and international. The U.S.
has critical defense and economic relationships around the globe.
A breakdown in any link of this chain can have cascading consequences.
It is, therefore, incumbent on the U.S. government to accept its
global information security role and educate foreign governments
as to the nature of the threat and how to respond to it. Industry
stands ready to work with multinational organizations and NGOs
to help in this process.
Industry Plan for Cyber Security
ITAA and its members have been working to execute a multi-faceted
plan designed to improve U.S. cooperation on issues of information
security. However, Mr. Chairman, we would all be remiss if we
believed it was just the IT industry that must cooperate within
its own industry--we must work cross industry, and industry with
government. Protecting our infrastructure is a collective responsibility,
not just the IT community's role.
We are working on multiple fronts to improve the current mechanisms
for combating threats and responding to attacks through our role
as a Sector Coordinator for the Information and Communications
sector, appointed by the U.S. Department of Commerce. Through
ITAA's InfoSec Committee, our member companies also are exploring
joint research and development activities, international issues,
and security workforce needs. Elements of the plan include Information
Sharing, Awareness, Education, Training, Best Practices, Research
and Development, and International Coordination.
Information Sharing: Sharing information about
corporate information security practices is inherently difficult.
Companies are understandably reluctant to share sensitive proprietary
information about prevention practices, intrusions, and actual
crimes with either government agencies or competitors. Information
sharing is a risky proposition with less than clear benefits.
No company wants information to surface that they have given in
confidence that may jeopardize their market position, strategies,
customer base, or capital investments. Nor would they risk voluntarily
opening themselves up to bogus but costly and time-consuming litigation.
Releasing information about security breaches or vulnerabilities
in their systems presents just such risks. Negative publicity
or exposure as a result of reports of information infrastructure
violations could lead to threats to investor - or worse - consumer
confidence in a company's products. Companies also fear revealing
trade secrets to competitors, and are understandably reluctant
to share such proprietary information. They also fear sharing
this information, particularly with government, may lead to increased
regulation of the industry or of electronic commerce in general.
Public policy factors also act as barriers to industry information
sharing. One of the obstacles is the Freedom of Information Act
(FOIA). Companies worry that if information sharing with government
really becomes a two-way street, FOIA requests for information
they have provided to an agency could prove embarrassing or costly.
FOIA requests place the private sector's requirement for confidentiality
at odds with the public sector's desire for sunshine in government
information. We are working with Congressman Tom Davis (R-VA),
Senator Robert Bennett (R-UT), and other key players on legislation
to meet this concern.
Anti-trust concerns are a second potential legal hurdle to information
sharing. Fortunately, such risks appear small. The antitrust laws
focus on sharing information concerning commercial activities.
Information Sharing and Analysis Centers (ISACs) should be in compliance
with the antitrust laws because they are not intended to restrain
trade by restricting output, increasing prices, or otherwise inhibiting
competition, on which the antitrust laws generally focus. Rather,
ISACs facilitate sharing of information relating to members' efforts
to enhance and to protect the security of the cyber infrastructure,
so the antitrust risk of such exchange is minimal. The Justice
Department has also indicated that there are minimal antitrust
concerns involving properly structured joint industry projects
for dealing with externalities. An entity created to share information
regarding common threats to critical infrastructure should fall
into this category.
Given the changing nature of the cyber crime threat and in spite
of the many business, operational and policy hurdles standing
in the way, many companies in the private sector recognize the
need to have formal and informal information sharing mechanisms.
Internet Service Providers are an example of the latter circumstance.
Because these firms provide networking capability commercially,
these businesses often have extensive network security expertise.
Such firms act as virtual Information Sharing and Analysis Centers,
gathering information about detected threats and incursions, sanitizing
it by removing customer specific data, and sharing it with customers.
The IT industry has adopted a formal approach to the information
sharing challenge. In January 2001, nineteen of the nation's leading
high tech companies announced the formation of a new Information
Technology Information Sharing and Analysis Center (IT-ISAC) to
cooperate on cyber security issues. The objective of the IT-ISAC
is to enhance the availability, confidentiality, and integrity
of networked information systems. The group has made excellent
progress in the six months since its founding and is in the process
of being formally "stood up," although information sharing is
already beginning to take place within this ISAC.
The IT-ISAC is a not-for-profit corporation that will allow the
information technology industry to report and exchange information
concerning electronic incidents, threats, attacks, vulnerabilities,
solutions and countermeasures, best security practices and other
protective measures. Its internal processes will permit information
to be shared anonymously. The organization is a voluntary, industry-led
initiative with the goal of responding to broad-based security
threats and reducing the impact of major incidents. Membership
in the IT-ISAC is open to all U.S.-based information technology
companies. It will offer a 24-by-7 network, notifying members
of threats and vulnerabilities. The group also is clear on what
it will not undertake. Excluded activities include standards setting,
product rating, audits, certifications or dispute settlement.
Similarly, the IT-ISAC is not a crime fighting organization. The
nineteen Founding Member companies of the IT-ISAC, all represented
at the announcement, are AT&T, Cisco Systems, Computer Associates,
CSC, EDS, Entrust Technologies, Hewlett-Packard Company, IBM,
Intel Corporation, KPMG Consulting, Microsoft Corporation, Nortel
Networks, Oracle Corp., RSA Security, Securify Inc., Symantec
Corporation, Titan Systems Corp., Veridian and VeriSign, Inc.
The group plans to evolve its information sharing activities
over time, starting with IT companies and then moving across sectors.
It is also expected that the ISAC will enable sensitive information
to be shared between industry and government. But that sharing
must be a two-way street, if it is going to be effective.
The Software Engineering Institute's CERT Coordination Center
plays an information sharing role for numerous industries. The
oldest and largest of information sharing programs, CERT is a
Federally funded research and development center at Carnegie Mellon
University in Pittsburgh. The organization gathers and disseminates
information on incidents, product vulnerabilities, fixes, protections,
improvements and system survivability. The organization strives
to maintain a leak-proof reputation while collecting thousands
of incident reports yearly. These could be anything from a single
site reporting a compromise attempt to a virus with worldwide
impact.
The IT-ISAC is specifically designed to support the IT industry
in this country. Other ISACs have been formed in the financial
services and telecommunications industries. And I would like to
mention two other groups that play an important information sharing
role. The Partnership for Critical Infrastructure Security <http://www.pcis-forum.org/>
provides a venue for organizations from numerous industries to
pool their knowledge and experience about information infrastructure
risks and protections. PCIS also examines critical interdependencies
among infrastructure providers and seeks common solutions to risk
mitigation. The Partnership for Global Information Security <http://www.pgis.org/>
provides a forum for executives from
both the public and private sector in economies around the world
to share information about InfoSec topics. PGIS members are focused
on five areas for collaboration: sound practices, workforce, research
and development, cyber crime and law enforcement and public policy.
ITAA is proud to have played a leadership role in the formation
of both organizations, and I sit on the Boards of Directors of
both.
Awareness: ITAA and its member companies are
raising awareness of the issue within the IT industry and through
partnership relationships with other vertical industries, including
finance, telecommunications, energy, transportation, and health
services. We are developing regional events, conferences, seminars
and surveys to educate all of these industries on the importance
of addressing information security. An awareness raising campaign
targeting the IT industry and vertical industries dependent on
information such as the financial sector, insurance, electricity,
transportation and telecommunications is being overlaid with a
targeted community effort directed at CEOs, end users and independent
auditors. The goal of the awareness campaign is to educate the
audiences on the importance of protecting a company's infrastructure,
and instructing on steps they can take to accomplish this. The
message is that information security must become a top tier priority
for businesses and individuals.
Education: In an effort to take a longer-range
approach to the development of appropriate conduct on the Internet,
the Department of Justice and the Information Technology Association
of America have formed the Cybercitizen Partnership <http://www.cybercitizenship.org/>.
Numerous ITAA member companies and recently the Department of
Defense have joined this effort. The Partnership is a public/private
sector venture formed to create awareness in children of appropriate
on-line conduct. This effort extends beyond the traditional concerns
for children's safety on the Internet, a protective strategy,
and focuses on developing an understanding of the ethical behavior
and responsibilities that accompany use of this new and exciting
medium. The Partnership is developing focused messages, curriculum
guides and parental information materials aimed at instilling
a knowledge and understanding of appropriate behavior on-line.
The Partnership hosted a very successful event last fall at Marymount
University in Northern Virginia that brought together key stakeholders
in this area. Ultimately, a long range, ongoing effort to ensure
proper behavior is the best defense against the growing number
of reported incidents of computer crime. The Cybercitizen website
has received over 600,000 hits in the past year.
Training: ITAA long has been an outspoken organization
on the impact of the shortage of IT workers - whether in computer
security or any of the other IT occupations. Our groundbreaking
studies on the IT workforce shortage, including the latest, "When
Can You Start" <http://www.itaa.org/workforce/studies/01execsumm.htm>,
have defined the debate and brought national attention to the
need for new solutions to meet the current and projected shortages
of IT workers. We believe it is important to assess the need for
and train information security specialists, and believe it is
equally important to train every worker about how to protect systems.
We have planned a security skills set study to determine what
the critical skills are, and will then set out to compare those
needs with courses taught at the university level in an effort
to determine which programs are strong producers. We encourage
the development of "university excellence centers" in this arena,
and also advocate funding for scholarships to study information
security. We commend the Administration and Congress for supporting
training more information security specialists.
The challenge to find InfoSec workers is enormous, because they
frequently require additional training and education beyond what
is normally achieved by IT workers. Many of the positions involving
InfoSec require US citizenship, particularly those within the
federal government, so using immigrants or outsourcing the projects
to other countries is not an option.
Best Practices: We are committed to promoting
best practices for information security, and look to partners
in many vertical sectors in order to leverage existing work in
this area. In addition, our industry is committed to working with
the government, whether at the federal, state or local levels.
For example, we are working with the Federal Government's CIO
Council on efforts to share industry's best information security
practices with CIOs across departments and agencies. At the same
time, industry is listening to best practices developed by the
government. This exchange of information will help industry and
government alike in creating solutions without reinventing the
wheel.
While we strongly endorse best practices, we strongly discourage
the setting of "standards." Why?
Broadly, the IT industry sees standards as a snapshot of technology
at a given moment, creating the risks that technology becomes
frozen in place, or that participants coalesce around the "wrong"
standards. Fighting cyber crime can be thought of as an escalating
arms race, in which each time the "good guys" develop a technology
solution to a particular threat, the "bad guys" develop a new
means of attack. So to mandate a particular "solution" may be
exactly the wrong way to go if a new threat will soon be appearing.
It is also critical that best practices are developed the way
much of the Internet and surrounding technologies have progressed
- through "de facto" standards being established without burdensome
technical rules or regulations. While ITAA acknowledges the desire
within the Federal government to achieve interoperability of products
and systems through standard-setting efforts, the reality is that
the IT industry can address this simply by responding to the marketplace
demand. The marketplace has allowed the best technologies to rise
to the top, and there is no reason to treat information security
practices differently.
Research and Development: While the information
technology industry is spending billions on research and development
efforts, maintaining our nation's role as the leader in information
technology products and services, there are gaps in R&D. Frankly,
for industry, more money is frequently spent on "D" (development) than
on "R" (long-term research). Government, mainly in the Department of
Defense, focuses its information security R&D spending on
defense and national security issues. We believe that between
industry's market-driven R&D and government's defense-oriented
R&D projects, gaps may be emerging that no market forces or
government mandates will address. Government funding in this gap, bringing
together government, academia and industry, is necessary.
International: In our work with members of the
information technology industry and other industries, including
financial services, banking, energy, transportation, and others,
one clear message constantly emerges: information security must
be addressed as an international issue. American companies increasingly
are global corporations, with partners, suppliers and customers
located around the world. This global business environment has
only been accented by the emergence of on-line commerce, business-to-business
and business-to-consumer alike.
Addressing information security on a global level clearly raises
questions. Many within the defense, national security and intelligence
communities rightly raise concerns about what international actually
means. Yet, we must address these questions with solutions and
not simply ignore the international arena. To enable the dialogue
that is needed in this area, ITAA and WITSA conducted the first
Global Information Security Summit in Fall 2000. This event brought
together industry, government and academia representatives from
around the world to begin the process of addressing these international
questions. A second Summit is planned for later this year to continue
the dialogue. The governmental international linkages must be
strengthened, and not just among the law enforcement and intelligence
communities. Government ministries around the world involved in
economic issues, such as our own Department of Commerce, need to
be key players.
How Government Can Help
In many ways, solutions to information security challenges are
no different than any other Internet-related policy issue. Industry
leadership has been the hallmark of the ubiquitous success of
our sector. Having said that, we also believe that government
has several roles to play in helping achieve information security
and combating cyber crime:
First and foremost, like a good physician practicing under the
Hippocratic oath, do no harm. Excessive or overly broad legislation
and subsequent regulation crafted in a rapidly changing technology
environment is apt to miss the mark and likely to trigger a host
of unintended consequences. In many instances, existing laws for
crimes in the physical world are adequate to address crimes conducted
in cyberspace. New legislation should always be vetted for circumstances
that single out the Internet for discriminatory treatment.
Practice what you preach. The rules of technology, process and
people apply equally to the public sector. The U.S. government
must lead by example in preventing intrusions into agency websites,
databanks and information systems. Leadership in this area means
substantial investments of new money in information security technology
and services. Responding to the issue by reallocating existing
dollars from current programs is robbing Peter to pay Paul and
likely to play out at the expense of the American public and their
confidence in e-government. It also means insisting that government
agencies implement rigorous information security processes and
practice them on a daily basis. Making InfoSec part of the corporate
culture will require extensive senior management commitment.
Reach out to international counterparts for crucial discussion
of cyber security, and in particular, how to most constructively
and effectively enforce criminal law in the increasingly international
law enforcement environment fostered by the Internet and other
information networks. The Council of Europe draft Convention on
Cyber Crime, as the first such attempt to create an international
convention in this area, has become a central subject of debate.
It is no secret that the private sector has expressed significant
concerns about several aspects of the treaty. When governments
engage in the development of cyber crime legislation or participate
in international organizations on this issue, government should
ensure that the process is inclusive of industry, civil society
and the appropriate ministries that represent these constituencies.
Governments should also match the private sector's efforts to
secure their information systems swiftly, robustly, and continuously.
Bring leadership to bear through existing structures and establish
an InfoSec Czar position similar to the role played by John Koskinen
during the Year 2000 date rollover. With minimal staff, but strong
backing from the President, Mr. Koskinen was able to have substantial
influence on both the governmental and private sector efforts
in Y2K. ITAA, its members and the IT industry continue to work
hard to develop collegial and constructive relationships with
the leadership and staff of the Critical Information Assurance
Office (CIAO), the Commerce Department (DOC), the National Institute
of Standards and Technology (NIST), and the Critical Information
Infrastructure Assurance Program Office (CIIAP) at NTIA, as well
as the National Security Council (NSC), Department of Justice
(DOJ), Department of Energy, the National Information Protection
Center (NIPC), and the National Security Agency (NSA).
Funding will also help in the areas of workforce development
and research. We have a critical shortage of information technology
professionals generally and information security specialists specifically.
In general, we support legislation to increase the number of appropriately
skilled workers in this critical area. We also support additional
R&D funding.
Conclusion
Society's reliance on information technology will only increase
over time. Ultimately, the level of information security we achieve
will go far in defining our level of economic security. Market
forces will push us to this inevitable conclusion. These forces
will include:
Insurance companies seeking to control and assess the risk of
cyber crime related losses;
Banks seeking to assure that Internet-dependent businesses have
mitigated InfoSec related risks;
Shareholders insisting that their equity be protected through
executive level attention to information security;
Medical establishments that must assure the absolute privacy
of individually identifiable patient records; and
Critical suppliers needing to assure unimpeded flow of goods
and services to plants and factories.
The challenge is large, so the achievement will be formidable.
While cyber crime may never be eliminated, it can be contained
through effective information security products, intelligent practices
and suitably trained people. Industry and government have important
roles to play in achieving this purpose.
The Information Technology Association of America is proud to
do its part.
Thank you and I welcome any questions from the Committee.
Synopsis of Harris Miller Testimony: June 14, 2001 - House Subcommittee on Crime
I commend this Subcommittee for holding a series of hearings
on cyber crime and recognizing that to solve this enormous challenge,
industry leadership, in meaningful partnership with government,
is essential.
The stakes involved are enormous. Information technology represents
over 6 percent of global gross domestic product (GDP), a spending
volume of more than $1.8 trillion, and over 8 percent of US GDP,
according to Digital Planet <http://www.witsa.org/DP2000sum.pdf>,
a report released last year by WITSA.
Cyber crime places the digital economy at risk. The private sector
must exert its leadership in preventing cyber crime because it
owns a majority of the information infrastructure and also because
it has the commercial incentive to do so.
Information security is the multifaceted discipline that counteracts
cyber crime. Information security, or InfoSec, deals with cyber
crime prevention, detection and investigation. How do we achieve
information security? Information security is built from technology,
processes and people.
ITAA and its members have been working to execute a multi-faceted
plan designed to improve U.S. cooperation on issues of information
security. Elements of the plan include:
Information sharing
Awareness
Education
Training
Best Practices
Research and Development
International
To focus briefly on just one of these topics, information sharing,
ITAA has found that sharing information about corporate information
security practices is inherently difficult. However, the IT industry and
other vertical industries have overcome significant barriers to
establish organizations for the confidential exchange of sensitive
information security information. The IT-ISAC specifically addresses
issues that are often unique to the IT industry. The group is
clear on what it will not undertake. Excluded activities include
standards setting, product rating, audits, certifications or dispute
settlement. Similarly, the IT-ISAC is not a crime fighting organization.
Additionally, ITAA has played a leadership role in the formation
of groups that facilitate cross-industry and international information
exchange.
Government has several roles to play in helping achieve information
security and combating cyber crime. These roles include exercising
legislative and regulatory restraint, taking a best practices
approach to the security of government information assets, and
reaching out to international counterparts to increase InfoSec
education and to harmonize cyber crime fighting regimes. ITAA
will continue working on solutions with government agencies, and
other constituencies in and outside of the IT industry.