
Hearing of the Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee of the House Government Reform... (Continued)

Location: Washington, DC


BREAK IN TRANSCRIPT

REP. PUTNAM: Thank you, Mr. Clay. Before we wrap up this panel I'd give all of you the opportunity to have a final word or answer a question you wish you had been asked, whatever the case may be. We'll begin with Mr. O'Carroll and go down the line and just give you a moment if you have anything that you'd like to say. And then we'll seat the second panel.

Mr. O'Carroll.

MR. O'CARROLL: The only thing I have to add, Mr. Chairman, continuing on with what Mr. Martinez said, is that I think nowadays, since we all have so much more work than we have people to handle it, the wave of the future is going to be cooperation between all federal law enforcement agencies, and also working with local agencies. And by doing that, using the task force concept which is being used right now very effectively in the terrorism arena, in the identity theft arena, I think that's the solution. We can share information.

It's easier to do it. There's less structure or strictures in relation to disclosures of information on a task force. And I think that's something that we're going to be seeing a lot more of. We participate in about six identity theft task forces around the country that have been very successful.

REP. PUTNAM: Mr. Johnson.

MR. JOHNSON: In closing, Mr. Chairman, I would agree with Mr. O'Carroll that our electronic crimes task forces, the 15 that we've established, we are looking to double that number in the next three years. To further Mr. Clay's earlier question to Mr. Martinez about the big fish, are we-I would just like to say to the chairman that the Secret Service is, through prevention, or training at the local levels all the way up to the disruption of the major players in financial crimes and identity theft, that we are making inroads every day with these investigations. That, along with the electronic crimes task forces in the United States, the Secret Service is not only dedicated to the problem but it is a priority of our agency.

REP. PUTNAM: Thank you.

Mr. Martinez.

MR. MARTINEZ: Well first I want to tell you how much I appreciate and the FBI appreciates the opportunity to come and speak to you today and talk about this important crime problem. And I want to tell you how much we appreciate Congress' support in enacting the CAN-SPAM Act, the Identity Theft Penalty Enhancement. These are the types of real tools that we can go out and take and try to make an impact on this crime problem. I just appreciate the opportunity to speak to you today.

Thank you.

REP. PUTNAM: Thank you, sir.

Mr. Swindle.

MR. SWINDLE: Mr. Chairman, someone-I've forgotten whether it was you or Mr. Clay-asked the question to another participant about whether or not the penalty matched the crime. I've been on the Federal Trade Commission for roughly six and a half years now and one of my great frustrations-not being a lawyer-but one of my great frustrations is to see one scam artist after another come through our process. Our staff does remarkable work in finding them, building the case, but we're a civil penalty organization, not criminal, and often times we find we catch these people-and that's one of the big problems with cyber crime in itself is we catch the spammers, we catch the scam artists and so much of it is being done electronically now-and when we expend great resources to get them they have nothing.

It's just a difficult task. I don't think the penalty anywhere comes close to matching the crime.

One of my greatest frustrations is that it appears as though some of this conduct is almost just the price of doing business when you get caught because the penalty is so insignificant relative to the size of the profits made, if you will.

Another one is oftentimes we find people after we track them down, they've ripped off the consumers for multi-millions of dollars, we catch them, guess what? They have no assets except perhaps a million dollar house in Florida which we can't touch because of homestead exemption. We ought to find ways to adjust the laws so that you don't get homestead exemption if you're engaged in criminal activity or alleged criminal activity and you settle.

It's a big problem. I think it's demoralizing to those who try to apprehend people, not to mention the poor victims of some of these crimes, which is of staggering proportions. And I think that's something we should seriously look at.

REP. PUTNAM: Thank you very much. I want to thank all of you and at this time we will dismiss panel one and the committee will recess for such time as it takes to set up the second panel.

(Recess.)

REP. PUTNAM: The subcommittee will reconvene. Would you rise and raise your right hand for the administration of the oath? Do you solemnly swear the testimony you will give to this subcommittee to be the truth, the whole truth and nothing but the truth, so help you God?

(Witnesses sworn.)

Note for the record that all the witnesses responded in the affirmative. We will move directly to testimony, beginning with Howard Schmidt. Mr. Schmidt joined eBay as vice president and chief information security officer in May of 2003 after retiring from the federal government with 31 years of public service. He was appointed by President Bush as the vice chairman of the president's Critical Infrastructure Protection Board and as the special advisor for cyberspace security for the White House in December of 2001. He assumed the role of chair at the board in January 2003 until his retirement in May of 2003.

Welcome to the subcommittee. You're recognized, sir, for five minutes.

MR. HOWARD SCHMIDT: Thank you, Mr. Chairman and Ranking Member Clay. Thank you very much for the opportunity to be here today. I'd like to keep my verbal comments relatively brief in lieu of all the questions that you had last time and I'm sure you'll have again.

But I want to basically focus my remarks in two major areas. One, what eBay, as a company itself, is doing relative to leadership, relative to the area of online identity theft and phishing, as you've stated so accurately, the growing threat to consumers, business, federal employees, and basically anybody that uses the Internet. Also some of the industry-wide efforts that are taking place to collectively combat this area. And then some thoughts I think that I want to share, relative to the public-private partnership that's so crucial to our success in moving forward on the cyberspace security area, but more specifically on the online identity management.

You know, you've heard the numbers from the FTC reported earlier this year, that identity theft tops the list of consumer complaints for the fourth year in a row, about a 33 percent increase in what we've seen over the previous years. But even that didn't tell the full story. In June of this year the Forrester report showed approximately 9 percent of U.S. online consumers, about six million houses that use the Internet, had experienced identity fraud. Now, when you look at the overall international user base on the Internet, it's estimated to be about 840 million users currently, so we're talking about just the U.S. portion of that.

What I probably worry about most, more than anything else, is the fact that the numbers that we have mentioned are potentially capable of growing if we don't take action quickly, if we don't use cohesive measures between the private sector and public sector. One of the reasons, of course, as some of the previous folks testified about, is this issue around phishing. What we've seen is an evolution as we've been very, very concerted about better cybersecurity enterprises. You mentioned the California 1386 law relative to reporting things. Sarbanes-Oxley, Gramm-Leach-Bliley, you named a list of things that have given us incentives to do things better when it comes to cybersecurity.

And corporations, both publicly traded as well as privately owned, are doing more. We're starting to see the shift, the attack vector shift to the less sophisticated, the end users, the cable modem users. You know, we've seen instances even recently where phishing e-mails have come purported to be from the FBI, the FDIC, telling people that if you don't fill out this form and give us all your information, Social Security number, mother's maiden name, dog's name, address, high school, we're going to shut down your bank account. And that's tremendously scary to the uneducated and non-IT professional.

But it's interesting that this is not a new phenomenon. We've been dealing with this for over 20 years. In the 1980s we were actually teaching classes at the Federal Law Enforcement Training Center in Georgia on what we called at that time carding. We were actually doing shoulder surfing and going to airports, New York, LaGuardia, and looking at people as they used calling card numbers and credit card numbers to make calls and using that for identity theft.

Now, what we've seen as of about two or three years ago, when this new spate of phishing was started they actually started from a perspective of trying to grab online time for free. It wasn't about identity theft, it wasn't about credit card fraud, it was getting online for free. And then what happened is that evolved and they said, well listen, we can make money off that. And I think all the previous witnesses testified as well that this has now moved from clever hobbyists and people thinking they're being funny and hacking to where it's true criminal enterprises.

And another report came out this year that estimated 57 million users online had received phishing e-mails. I'm averaging one a day now from major institutions all around the world.

REP. PUTNAM: Excuse me, can I just interrupt? Does that include the Saudi plea?

MR. SCHMIDT: Yes.

REP. PUTNAM: Because that's got to be at least two-thirds of it.

MR. SCHMIDT: That's a big chunk of it, absolutely correct.

REP. PUTNAM: Okay, thank you.

MR. SCHMIDT: And then, of course, we add in the political fundraising portion of it as well. And what happens now, we're seeing a more focused, what's being referred to by Markus Jakobsson, who did some analysis while at RSA Security Laboratories, what they call context attacks, where the phishing attacks are saying well you just recently bought a new car. Here is information relative to that and really convincing people that this is a legitimate e-mail. So, consequently, you know, this is indeed a new challenge we've not seen before.

Now, what are some of the things that we are doing? First and foremost, many of us, particularly those of us that have multi, multi-million user bases like we do, are doing a continuous education process. We've changed our business processes. We no longer send active links in e-mails we send to customers anymore. As a matter of fact, we tell them, if you want to do a transaction, type in the URL or use a bookmark. But basically we've also spent a tremendous amount of resources hiring people to do this full-time, where we have the ability to identify these phishing sites on a near real-time basis and take them down.

Now, in closing, I just want to make one quick comment relative to the overall homeland security piece. Because as we were doing the national strategy to secure cyberspace out of the White House, some government agencies didn't feel that identity theft and identity management were homeland security issues. And I truly believe they are. One, first and foremost, no better tool-as we get better about physical identity, no better tool than for a terrorist or organized crime to use, criminal person to use, than your good name, to be able to assume your identity and be able to pass through airports.

Secondly, it becomes a nexus, as you see in my written testimony, that we're seeing 30,000 users that are being compromised on a regular basis, that then can be used to launch denial of service attacks. And, lastly, to become a gateway into corporate enterprises, such as critical infrastructure. It's very important that we make sure we do everything we can to stop that from taking place.

So with that, I thank you for the opportunity again and I stand by for any of your questions.

REP. PUTNAM: Thank you very much.

I thank the witnesses. Dr. Bill Hancock. Dr. Hancock is the vice president of Security Practice and Strategy and the chief security officer of SAVVIS Communications, a large global telecommunications, hosting and IT services company. He has designed thousands of networks and been involved in hundreds of hacker investigations in his career of over 30 years in the high-tech industry.

Dr. Hancock has written extensively on security and networking. He is well-known in the industry as a technical visionary, due to his various original investigations, such as stealth firewall technology and intrusion detection and prevention technologies. Dr. Hancock is also a founding member and immediate past chairman of the Internet Security Alliance. Welcome to the subcommittee, sir. You're recognized for five minutes.

BREAK IN TRANSCRIPT

REP. PUTNAM: Thank you, Dr. Hancock.

Our next witness is Bill Conner. Mr. Conner is among the most experienced security and infrastructure executives worldwide, with a career that spans more than 20 years across numerous high-tech industries. Mr. Conner joined Entrust as its president and CEO in April of 2001. In 2003, Mr. Conner received the corporate CEO award as part of the annual Tech Titans Award program. Most recently, he has been a leader in the effort to elevate information security to a corporate governance issue and to fashion a public-private partnership to protect America's critical infrastructure.

Welcome to the subcommittee, Mr. Conner. You're recognized for five minutes.

BREAK IN TRANSCRIPT

REP. PUTNAM: Thank you very much, Mr. Conner.

Our next witness is Jody Westby. Ms. Westby recently joined PricewaterhouseCoopers as a managing director. Prior to joining PricewaterhouseCoopers, Ms. Westby held several positions in the IT field, including serving as president of her own company, launching an IT solutions company for the CIA, and managing the Domestic Policy Department for the U.S. Chamber of Commerce. She is the chair of the American Bar Association's Privacy and Computer Crime Committee and was chair, co-author and editor of its international guides to cybersecurity, to privacy, and preventing cyber crime. Welcome to the subcommittee. You're recognized for five minutes.

BREAK IN TRANSCRIPT

REP. PUTNAM: Thank you very much.

Mr. Schmidt and Mr. Conner, from your extensive work on information security issues, what conclusions have you drawn about why corporate America does not take the problem of information security seriously?

MR. SCHMIDT: Well, I'm not sure that I totally agree that it's not being taken seriously. I think, as has been pointed out more than once, there's a greater recognition now, more so than ever before, of the tremendous importance of cybersecurity. But it's very complex. It's not as if we designed a system to eventually become secure. Many corporations that I see literally around the world have built systems where they put a system in place and they had another piece on top of it, so it's been very difficult.

What happened in the past couple of years now, we recognize obviously the critical infrastructure protection piece and the governance piece, as Mr. Conner has related to, where we've seen a lot more intended dollars and efforts put into the cybersecurity. But it's a complex issue and is not something you just, you know, flip a switch and turn it over. It will take a couple of years by the time we get operating systems and engineering design and quality processes in place to make it be able to respond and say yes, we have much better security now than we've had in the past.

MR. CONNER: Simply they're not taking the time. And if you take the time, the question is where you start. That's why we spent considerable amount of time on a framework because I personally believe, as many companies do, you need a framework to systematically assess your business, where the high risk is and how do you get a baseline to measure it. Once you have that, then you can apply it. It's a very simple process to get started. But if you don't know where to start, all your journeys will take you somewhere but maybe not where you want to go. And you won't get a return on investment and you won't be more secure.

I think that starts with the senior management executives and board saying we're going to take a framework that exists now. It is public. It's been there for six months and get started.

And that means you can't delegate it to a CIO. You've got to assess your own business needs and risks and that's something in today's environment, many corporations do it and many more don't. And I can assure you in the ones I talk to, all of them are concerned about the liability of that assessment. It's a litigious society and in this environment, where class actions and others-that evidently comes to every discussion.

REP. PUTNAM: Dr. Hancock, you wish to add anything to that?

MR. HANCOCK: I've got two perspectives on it, sir. One is I deal with the same folks that Mr. Schmidt and Mr. Conner deal with in many respects because a lot of us all have the same kind of customers. It's been in my experience that most board-of-directors-level folks have a very limited knowledge of security and a lot of that is because security is not personal to them. They don't understand even the basics and I'll give an example, sir.

My son is 15 years old. When he was seven years old, someone tried to kidnap him. Because I'm a security person, by definition paranoid, when he started-at four years old, I started him at Tae Kwon Do. When the person grabbed my son, my son dislocated his kneecap and four of his knuckles. As a result of that, I believe that assets should be self-defensible and that includes my family. It includes my children. It includes my home, whatever the case may be.

Most people don't look at security that way. To them, security is managed, dealt with by someone else and, just like Mr. Conner said, a lot of times delegated to the CIO. Many times, the CIO has no capabilities or understanding of what the security issues are. It's chopped out of the budget. It's considered to be something that is more of an irritant than something that needs to be done. So it's not part of the corporate agenda overall.

The second problem runs in-is that, just from a pure technology perspective, very few people in the business really understand how to secure things correctly. One of the problems that we have is that we continue to deploy technologies that are not secure in nature. And then we go back and we try to provide technology to help secure that. As a case in point and I'll tell you a story in my own company, I operate well over 50,000 routers. Of those 50,000 routers, I have 11,000 firewalls.

I know categorically that those firewalls cannot protect my network or my customers from everything that will come by because the opposition is far more creative and has a lot more time than my security people do. As a result of that, we have a constant challenge out of a pure security perspective. How do you stop things from happening when the technology does not exist for us to identify who's launching an attack or to identify a way for us to go back and trace it back and figure out where it's coming from? Just the very basics.

So you have a secondary problem in that, if the board of directors did come down tomorrow and they embraced security and said, yes, we really want to do this, the sad reality is much of the technology that is really required to stop a lot of this nonsense from happening just flat does not exist. And it will take time for that technology to be put into place since it's going to take research to make that happen.

REP. PUTNAM: Thank you. My time has expired. I'll call on Mr. Clay.

BREAK IN TRANSCRIPT

REP. PUTNAM: Mr. Clay, thank you.

Ms. Westby, your testimony and you've heard the answers that the other panelists have given about this issue, this issue of ignoring information security risks and the liability that it avoids or causes. In your experience in the field of information technology law do you see the attitude of being proactive about information security taking hold?

MS. WESTBY: Yes. The market has matured. The awareness has increased and I believe that especially in the environment we have today with heightened emphasis on corporate governance that senior management and boards are taking a look at what exactly is within their realm of responsibility. At least many of the major companies who are assisting with Sarbanes-Oxley are saying we have to look at how you are handling the data in the computer systems.

I think overall though we-our efforts haven't been in vain. Over the last six years, there have enormous efforts made by the federal government, by different organizations to engage businesses to-as an enterprise horizontally and vertically across an organization, I do think that has matured and we are seeing progress.

REP. PUTNAM: Mr. Schmidt and Dr. Hancock, in your lines of business, clearly spam and denial of service attacks are of great concern. A recent Symantec report suggests that the first half of this year saw a huge increase in zombie PCs. The company said it was monitoring 30,000 per day. You made reference to that, Dr. Hancock, with a peak of 75,000. Some estimates state that it's possible that as many as half of the machines on the Internet are in an infected state. How big of a threat is this bot issue or zombie issue to national and economic security?

MR. SCHMIDT: I couldn't agree more. We've seen instances in working with the law enforcement folks of those exact numbers. We've actually been able to identify them from cable modem and DSL users. So it's significant because if you look through the cascade of litanies of ills that can happen as a result of this, one, clearly the hacking portion into the critical infrastructure, the identity theft, the denial of service attack capability. If you remember back in February of 2000, when we had the big denial of service attack that people talk about all the time, that was done at a rate of about 800 megabits per second which is a relatively insignificant amount of data now. Now with 20,000 systems that have been compromised, you can do 3 gigabytes, you know, do almost three times as much worth of damage.

And so, when you look at the overall aspect of it, you look at the identity theft, you look at the lack of trust that we have in the environment, if 87 percent of that 840 million users I referenced to earlier, are doing e-mail, less than 17 percent are doing e-commerce. Economically, that's just as bad. We should be able to go ahead and improve that. And the way we can do that is by making sure that we have the defense in depth, where, number one, the spams and the scams aren't getting in the inbox to begin with for the most part.

If they do get there, some sort of a firewall or browser protection or some validation keeps you from doing something ill from there and then lastly, of course, is to make sure that we're getting the law enforcement prosecution of these things. The challenge I have with the law enforcement side which is directly related to this is this is a crime in progress. This is no different than somebody walking in your liquor store and sticking up somebody with a gun, except you're not there physically. It's got to be dealt with on a real-time basis.

REP. PUTNAM: Dr. Hancock.

MR. HANCOCK: I have to agree with Mr. Schmidt on all that and also add that one of the problems that we've got with zombie networks is that many times that we've found over the years is that those zombie networks are now being operated by organized crime in some cases. As a matter of fact, there was one that I was recently involved with a direct investigation on, that was where a gaming site was held up for extortion because of denial of service attack launched against it by a series of Russian organized crime. We know that.

We tracked it back. We worked with the Russian law enforcement agencies and the fact of the matter was we pinned it down and nailed the guy. But the situation is it took months for that to happen and this sort of thing is happening more and more.

We are seeing a lot of that happening where e-commerce is the whole reason for the site to exist and we are seeing this more and more happen where corporations are depending more on their network infrastructure and they are being held up for extortion or being held up for some sort of ransom, if you will, because of their technology being disabled through things like denial of service attacks and things like zombie nets that are being used.

I would also agree with Mr. Schmidt what he just said about the severity of these types of attacks. We recently saw a denial of service attack executed at 2.3 gigabits. I had not seen one like that before and we operate a very, very large network infrastructure and we have a lot of customers out there that are some of the places you would normally frequent on the Web. When that one hit, we disabled that within about six minutes. But what was more important about it was, within five minutes after that, the attackers completely redirected and attacked a completely separate addressing block. I have never seen something like that happen.

That means that you can take 10,000 to 20,000 zombies, literally have them turn on a dime and then reconnect and re-attack a completely different site. That basically shows technical sophistication on the part of the attackers. It also shows that the zombie sophistication is increasing which means that these particular products can be redirected, redirected very, very quickly and be pointed with a very debilitating attack against very large network pipe. As a result of that over time, we're going to see more of that happen where these zombie networks where we have 5,000, 6,000 zombies now all of a sudden become 100,000 and now the types of attacks that can kill things like power networks, kill things like water networks. Those start to become very serious reality where a whole power grid is disabled simultaneously.

So I would agree that the zombie threat is a very severe one. I think it's going to get a lot worse. Just like with any other software there are new versions of it coming out all the time and the zombies are being upgraded with additional capabilities. And all things put together are going to cause some very serious problems for our e-commerce capabilities.

REP. PUTNAM: Who has the sophistication and technical capacity to do what you just described?

MR. HANCOCK: If you asked me that question 10 years ago, I'd say it had to be a hard-core stoned geek to do it. The fact of the matter is anymore that it takes very little sophistication. The attack Mr. Schmidt talked about in February 2000 was my first day of employment at the company that acquired (Nigel ?) format now. And I had been with the company exactly two minutes when Amazon.com and CNN.com and a few other sites went splat and the reality of that was that we found out later in the day that those attacks were executed by a 16-year-old out of Canada who went by the handle called Mafiaboy.

And we were involved with the FBI and the Secret Service and quite a few other agencies to track this individual down. We are capable of tracking these people down fairly quickly. Trying to get them apprehended and dealt with is a different story. That took weeks. So the end result was you had a child here who downloaded an exploit from a website. This individual had no sophistication whatsoever in understanding that exploit or in writing that tool.

However, sophisticated people are all over the Web. Those sophisticated people will find a vulnerability, they will write the exploit. They will post that on a website. They themselves do not execute that particular attack. Instead other people, which we call script-kiddies, a lot of 13- to 18-year-old types, will download it and execute the debilitating attacks. This is very, very common and comprises approximately 80 percent of these attacks we see.

My infrastructure gets attacked anywhere from 200 to 400 times a day. As a result of that, we see a lot of this stuff. We deal with a lot of this stuff. Most of the time, it's pretty straightforward to deal with it. What I'm concerned about are the people who are very serious who are doing it for profit motive.

Those people will employ programmers. They will employ people with specific skill sets and those people with specific skill sets will create these tools for specific reasons. That can be a nation state that wishes to cause harm to the United States by debilitating our commerce capabilities. Or it could be somebody just as simple as the Russian mob trying to go back and extort money from a company that executes over the web.

REP. PUTNAM: What responsibility does the software and hardware community have in all of this? How much does the constant influx of new patches, vulnerabilities in their products contribute to the problems of cybercrime?

MR. HANCOCK: Well, sir, I will give you an example.

A very popular desktop operating system that's floating around, used to have a version called Version 3 that comprised 3 million lines of code. The code version which was very popular on most PCs and comes out as 45 million lines of code. The next version coming out next year is going to be almost 105 million lines of code. When you have something that large, trying to secure that, no matter how conscientious you are, is virtually impossible. So the result is that's how systems get more and more sophisticated as they get more complex. And we lay a complexity of applications on top of that operating system.

For instance, a very popular database that is out there right now has almost a billion lines of code in it. When you take an operating system that has 45 million lines of code, a database which has one billion lines of code, you then add on top of that object-oriented programming which is done by the programmers so that you can communicate to the database and do something useful with it, you're getting very quickly with a couple of billion lines of code on a server sitting in a data center some place.

Trying to secure that is not trivial. Trying to go back and install programming discipline to make that secure is not trivial. And all these things require a great deal of education on the part of the programmers. They require standards. They require other types of methodologies that say this is a good way to write code or a bad way to write code. The problem that we have is that we have gone and put all these types of technologies in for many years without any discipline in the areas of security all the way from the way a program is written to the way that we install the technology to the way we manage it on a day-to-day basis.

And a lot of it is just like when Mr. Conner has said, Ms. Westby has said and Mr. Schmidt has said, it is a lot to do with corporate governance. There has not been an insistence by the corporate echelon to require vendors to install security in their technology, to put security in code, to put security in even simple things like routers. My most basic concern is that I work very closely with all the chief security officers of other different telcos through the FCC who operate something there that has got Focus 2B (ph) which puts forth cybersecurity best practices.

There are 54 people that are involved with that. We own about 90 percent of the actual infrastructure that everybody uses. We got together last December and told the FCC categorically and through public documentation that one of the biggest problems we've got is we keep deploying technology which is woefully security inadequate, that we keep putting in more and more. So to give an example about the zombie problem.

One of my base concerns that keeps me awake at night right now is third generation cell phones. And that's because most cell phones that are coming up from the cell phone manufacturers operate on an operating system which is a derivative of Umanix (ph). That operating system can have viruses. That operating system can be used as a zombie and the third generation cell phones will all have a TCP/IP address. This means that every single handset can become a zombie and part of an attack factor, which means that the current population of approximately 850 million Internet nodes will grow very quickly to three billion Internet nodes, all of which can be attacked and put through worm automation technology, a zombie parked on every handset that's out there.

In addition to that, those handsets will be used for everything from e-commerce to charge services to go back over and even get a soda out of a soda machine, because they're being done that way in Europe right now. All those areas basically mean that the software development, the hardware development has got to install security discipline which is not there. In addition to that, we will continue to deploy these technologies and these technologies have serious flaws in them that are not being corrected.

REP. PUTNAM: That's uplifting.

(Laughter.)

Mr. Schmidt, you made reference to the fact that simply using passwords is just not adequate anymore and the nation should move to two-factor authentication by the end of next year. Yesterday, a major ISP announced that it would make two-factor authentication available to its customers. Do you see this as being a positive development and do you see that being the beginning of even more offerings and a greater commitment to secure communications?

MR. SCHMIDT: Yes, as a matter of fact, it's a tremendous step forward. We've been working for about seven months. We being a group of security experts have been working with that company, other companies, Mr. Conner's company and others, looking for solutions that we can do on a real-time basis to provide that extra two-factor authentication for the consumer and end users base. The DOD side of my life is computer crime investigator. I now have a smart card that I can use on any government computer system that I can log into my DOD account with full encryption, full authentication and to really know it's me, we need that way in the security space for the consumers.

It's probably going to be a slow process. There's going to be some shaking up of who is going to be the correlation and who's going to do this. But I think clearly we've reached a point in society with the phishing e-mails, the identity theft, the hacking that society is ready to move to sort of the ATM card of the online world, if you would.

REP. PUTNAM: Mr. Conner, do you see the companies following AOL's lead?

MR. CONNER: Yes. The only comment that I made, that Howard and I talked about, it's a necessary step. But it's a baby step. Most of these are cost prohibitive for the masses and this is not an issue that can be dealt with on the haves and have-nots. That is going to require innovation and deployment around identity and how do you deal with identity for every citizen or customer of eBay or someone else. And the current technology then becomes quite cumbersome to do in terms of easy use and economics.

I'd also offer it's only half the issue. Authentication or identity is one-half. It's the information they're reaching for, that's the other half. And second factor of any authentication scheme only deals with who is allowed in or not. That leaves the information itself still unprotected. And I'd just offer, you know earlier in the earlier panel the question on SB 1386 came up. I share with you that's probably been one of the more successful legislations in terms of focus because it drove focus on information and how do you protect information?

So it is a given people are going to get in. The question is what access to what information do they have when they get in. If all you do is play defense on the perimeter of trying to keep people out, you are never going to win. You have to offensively protect and equip the information on the inside and the threat in California of class action suit, every corporate executive understands that, especially in California. So I'd just offer that identity theft, you can't be stuck on just the identity authentication. It is the information that must ultimately be protected. And anything that I've seen that's been announced up to this point, even yesterday with the ISP, only deals with half the equation.

REP. PUTNAM: I'm about to give this panel the same opportunity the first panel had. And we'll begin with you, Ms. Westby, of giving any closing remarks that you think is important for the subcommittee to have on the record, answering any questions you wish you had been asked or giving us any other thoughts.

MS. WESTBY: I will just leave you with the thought that there are some black holes that need to be addressed beyond technology gaps. One is in the legal framework. There is absolutely no legal framework or rules of law for how nation states will respond to cyberattacks. There is no capability for allied countries to work together to have some sort of allied response.

In defense circles, cyberdefense is not a category, a defense category. It's still land, sea and air and we see cyber as footnotes in presentations. It is also not an integrated response capability and we have to think beyond when we're looking at terrorist attacks and information warfare and the attacks-potential attacks from other countries, we have to look beyond our legal framework and think about how we can respond in a situation that would involve nation state activity or require coordinated action by other nation states.

REP. PUTNAM: Thank you.

Mr. Conner?

MR. CONNER: Mr. Congress thank you for your diligent support of these issues and your forceful viewing on hearing of the issues.

I would just ask that the task force report on framework, I think this specific subcommittee that did such good work on GISRA and FISMA and putting the report cards out, needs to go to a framework of assessment that we're asking private industry to. I think part of the problem with the report card piece is it's a different model than what private industries are doing, so there's a gap between the two.

And I think you would find you would make much more progress on a benchmark in measurements by using the 17799 standard that we coupled with FISMA to hold the departments and agencies accountable and give them a reference for it, for the private industries they deal with, whether it's DOE with utilities or whether it's Commerce with banks or Treasury with banks. So I'd just offer that as a final comment.

REP. PUTNAM: Thank you.

Dr. Hancock?

MR. HANCOCK: Mr. Chairman, thank you very much for today and also for your continued leadership in the area of cybersecurity. One of the things that I think is important to realize with all of this is that we have a problem with corporate governance. I think that that's pretty much a given. I think the secondary problem that we have also at the same time is that we have to realize that, as we continue to deploy technology, we continue to make the networks larger and more complex. And with complexity comes the difficulty of trying to secure it.

And we're going to find in a very short amount of time that the size of the Internet will double or triple. And the reason it will do that is because of handsets and because of PDAs and other portable devices that will become Internet enabled or Internet capable. We will also simultaneously find that technology that is invisible to us now, such as your refrigerator, will become an important machine on the network. We know that some vendors are working right now with appliance manufacturers to go back and provide an Internet connectivity to different types of appliances, so someone can turn your refrigerator off from a remote location if they so desired or hacked it.

The result is that I think that what we see as extortive attempts by people now will change. I think that what we think of as identity theft will change, where you'll steal an entire city block's worth of IP addresses and sell those off to someone else. I think that we're going to see the whole framework of what is an identity theft and what kind of crime can be committed with that change quite radically over the next couple of years. So I think that there's a very serious sense of urgency in terms of how do you deal with the identity of both individual applications and technology devices so that we can properly go back over and not just trace these back but actually secure them and put in the proper technologies to make that happen.

REP. PUTNAM: And Mr. Schmidt.

MR. SCHMIDT: Mr. Chairman, I would also like to thank you once again, not only for your leadership and continued leadership in this area but also for Bob Dicks (ph), who as I jokingly told a friend of mine one time as I was driving out of DC after I retired, looking back in the rearview window thinking, at least Bob's there to keep this fight going. And I thank you for that.

Just a couple of quick comments. One relative to the private sector and the government now. We've seen over the past few years the change of guard when it comes to cybersecurity within corporations. Executives such as Mr. Hancock and myself are now outside of the IT organization. We have a special focus on cybersecurity, no longer just an IT function, which I think is very important, because it's more than just the technology. Looking at the government side, I think there probably should be some good reviews on how the governments function in that regard, how closely-are we still putting security folks in the IT organization, working for CEOs and somewhat handicap them in some former fashion.

The other portion of it, in both the Secret Service and the FBI we've talked about information sharing. I constantly get calls from people because of my law enforcement background, ask me, well, who do I call in the city? Do I call the Secret Service? Do I call the FBI? Is the Electronic Crimes Task Force the cyber crime squad? And the answer is not whoever gives you the best service. There should be a much more formal consolidation. If we have a cyber crimes squad with the FBI and electronic crimes in the same city, they should be part of a joint task force. That would help solve a lot of this sharing information issue, plus a lot of the confusion in the private sector, who to call.

And lastly, as I mentioned, I thank you for asking me that question about the two factor authentication. We were poised within the government to be able to do something about stronger authentication of the e-authentication piece, OMB's office. I think we can look at that from a two factor perspective, provide some extra value not only for government employees but also for the private sector as well, be able to do your healthcare and a litany of things that can be done that could make two factor authentication the normal way of doing business as opposed to just a one-off like as we've seen up to now. But thank you once again.

REP. PUTNAM: Thank you.

I want to thank all of our witnesses for their participation today. Your testimony is further evidence that it is so important for us to take immediate steps to improve our cyber security throughout the nation. In the event that there may be additional questions we did not have time for today, the record will remain open for two weeks for submitted questions and answers. We thank you all for your hard work and look forward to continued progress for the remainder of this year and in the next Congress.

The subcommittee stands adjourned.
