Introduction
I am Dr. Vinton Cerf, Senior Vice President of MCI WorldCom. I am also pleased to represent today the Information Technology Association of America (ITAA), representing over 26,000 direct and affiliate member companies in the information technology (IT) industry - the enablers of the information economy. ITAA members are located in every state in the United States, and range from the smallest IT start-ups to industry leaders in the custom software, services, systems integration, telecommunications, Internet, and computer consulting fields. I am also representing the Internet Society as a member of its Board of Directors and as the former, founding President and Chairman of the Board. The Internet Society (ISOC) comprises approximately 150 organizational members and 6500 individual members. ISOC's focus is on the continued technical evolution of the Internet and on its social and economic impact. The Internet Architecture Board and Internet Engineering Task Force, which develops the technical standards of the Internet, operate under the auspices of the Internet Society. MCI WorldCom, through its UUNET subsidiary, is the operator of one of the first Internet backbone services and is also responsible for operation of a number of network access points called Metropolitan Area Exchanges where Internet Service Providers exchange traffic. MCI WorldCom is also among the largest domestic and international telecommunications service providers.
Sen. Bennett, it is an honor to appear before the Committee today. I want to commend you and your colleagues for holding this hearing on computer security, particularly given the serious "Denial of Service" attacks launched in recent weeks. Clearly, the misdeeds of a few have brought the issue of Information Security (InfoSec) to the top of the national agenda. Those of us who have been around the industry for a while know that network intrusions are nothing new and that effective preventive technologies exist to counteract them. Many people, however, may be shocked and alarmed that access to websites, quickly becoming hallmarks of everyday life, has been seriously impaired by these attacks.
So this is a dialogue well worth pursuing. And the stakes in dealing with the problems properly are significant.
IT: The Engine of National Development
Information technology represents over 6 percent of global gross domestic product (GDP), a spending volume of more than $1.8 trillion, and over 8% of US GDP, according to Digital Planet, a report recently released by the World Information Technology and Services Alliance (WITSA). WITSA is a group of 39 IT trade associations around the world. Enormous in their own right, the Digital Planet figures mask the contribution made by this technology to the growth, competitiveness and vitality of other industries. From China to Mexico, from Argentina to Germany, countries have come to recognize that information technology is an engine of national development, accelerating the expansion of business opportunity and investment while acting as a buffer against economic downturns. The recent US Department of Commerce report indicates that an incredible 35% of the nation's real economic growth from 1995 to 1998 came from IT producers. Chairman Alan Greenspan of the US Federal Reserve Board recently credited large investments being made in computers and other high-tech products for the dramatic boost in the nation's productivity. Even previously skeptical economists now concede that IT driven productivity increases have enabled our country to have what they said we could not have: high growth, low unemployment, low inflation, growth in real wages.
If IT is the engine behind this growth, the Internet and E-commerce are the rocket fuel. Forrester, a respected market research firm, forecasts that the U.S. business-to-business marketplace is worth $290 billion this year and will grow to $2.7 trillion by 2004. The Internet is rewriting economic history. But along with the blessings of this new prosperity comes a challenge: new vulnerabilities exhibited by this evolving infrastructure.
A Foundation Built on Trust
If we are to continue building our New Economy on this digital foundation, we must meet the challenges that it poses:
* Stakeholders must be able to trust that the Internet is a safe and secure environment;
* Industry owns and operates most of this infrastructure and, therefore, is its natural steward for safety and security issues;
* Government and industry share an interest in the health and growth of the Internet and E-commerce and must find common ground on which to coordinate on critical information infrastructure protection issues;
* Ethical on-line behavior begins at home with the education of children; safe and efficient on-line business operations demand the investment by companies and organizations in a reasonable set of information security practices and procedures;
* Because the Internet is a global medium, information security issues must be pursued on a global basis; because the nature of the cybercrime threat is dynamic, information security requires on-going commitment and attention.
The Varied Faces of Cybercrime
The InfoSec threat comes in numerous guises: mischief-minded hackers, disgruntled employees, corporate spies, cyber criminals, terrorists, and unfriendly nations.
Aggressors attack at the point of maximum leverage. For modern society, this means critical infrastructure: transportation, telecommunications, oil and gas distribution, emergency services, water, electric power, finance and government operations. A critical information infrastructure supports all of these vital delivery systems and becomes itself a target of opportunity for terrorists, adversary nations, criminal organizations, and non-state sponsored actors. Disrupting the underlying information infrastructure of a transportation or finance system often can be as effective as, or even more effective than, disrupting the physical infrastructure. Why blow up a power grid, when destroying the computers that control the power grid will have the same impact?
The International Institute for Strategic Studies (IISS) recently published a study on this topic citing one expert claiming he could bring down the U.S. information infrastructure with 10 computer specialists and in 90 days' time. This potential vulnerability, even if overstated, raises numerous difficult questions for industry and government about how best to provide critical information infrastructure protection.
A recent Computer Security Institute (CSI) survey reports that 62 percent of companies have experienced computer breaches; 51 percent of respondents reported financial losses due to computer security problems; criminal hacking losses of the 163 responding organizations were placed at $123 million in 1998 and are climbing at an extraordinary pace. The Institute found that system penetration by outsiders has risen in each of the past three years, as has unauthorized access by insiders. Twenty-six percent of respondents in the CSI study reported theft of proprietary information and 27 percent reported financial fraud. Twenty percent reported unauthorized use or misuse of websites.
Virus episodes like Melissa and Chernobyl are becoming more frequent. The Symantec Anti-Virus Research Center estimates that new viruses are being launched at a rate of 10 to 15 per day and that over 2400 currently exist. Thirty-five percent are considered to be intentionally destructive.
We have difficult challenges ahead. In the cyber realm, ambiguity reigns supreme. What makes our new environment so different? Some of the factors include:
* Increasing technological and environmental complexity - new technologies are replacing "old" ones at a breathtaking pace as hundreds of thousands of new players enter cyberspace on an almost daily basis;
* Boundless environment and ambiguous laws - geographic boundaries are irrelevant in cyberspace, raising jurisdictional conflicts;
* Anonymous adversaries - the potentially anonymous nature of the Internet combined with a lack of geographic boundaries makes it extremely difficult to distinguish between nuisance hackers, vandals, criminals, terrorists and nation-states. And the effects may be the same, regardless of motive;
* Conflicting responsibilities and jurisdictions - while cyberspace is boundless, turf battles abound;
* Low levels of executive awareness;
* Limited human resources - the public and private sectors continue to struggle to find the skilled workers to manage the resources they currently have. Assuring our information infrastructures calls for more highly specialized individuals who are in extremely limited supply.
It is my judgment that the Internet itself is for the most part secure, though there are steps we know can be taken to improve security and resilience. Most of the vulnerabilities arise from those who use the Internet (companies, governments, academic institutions, and individuals alike) but who do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.
Government and Industry: Seeking Common Ground
Assessing the ultimate InfoSec roles for government agencies and the private sector is really very simple: our new information-based assets must be protected and preserved. The proliferation of low cost computers and networks has spread information technology to every quarter of society. Participants and users must understand that along with the obvious benefits of information technology are corresponding commitments to protect it. The societal stakes involved in critical information protection compel government and industry to seek common ground on the issue.
The road to this common ground may not be a straight line. On the contrary, while the ends may be commonly shared, the policies that government and industry will develop in order to provide this protection are likely to be quite different.
For instance, government policy may seek to establish both internal and externally directed standards to protect infrastructure elements from physical or cyber attack, to require systems to detect when attacks are imminent or underway, to develop processes to react to the attack, and to reestablish the critical service. By definition, if the service has been deemed critical to the nation, then the federal, state and local governments will have increased interest in the operation, management and protection of the private businesses and services which comprise the infrastructure elements. The manner in which this government concern is manifested can have a significant effect on private sector interests.
Similarly, industry can be expected to react to infrastructure threats in appropriate ways, guided by sound business considerations. Individual companies will make infrastructure protection investments commensurate with the risk management principles in their industries. Government policies that impose protection standards more stringent than those inherent in the private sector risk mitigation process may not be practical. Additionally, requirements for reporting incidents to government operations centers and responding to government directed reconstitution plans might impose uneconomic and therefore unrealistic burdens. Such requirements need to be developed in consultation with the private sector.
Private sector firms face other real world pressures in formulating an InfoSec response. First, companies run the significant risk of negative publicity and exposure. Companies are concerned that revealing and admitting past mistakes, shortcomings, negative experiences or incidents can open them up to criticism from the press, their competitors, their customers and their shareholders, to say nothing of potential lawsuits. Along the same lines, and for good reason, companies are loath to share proprietary or privileged corporate information. Additionally, firms run the risk of eroding consumer, customer, partner and investor confidence. The private sector is often reluctant to share information or experiences out of fear that such information will be misused, abused or released to the public by the government or competitors. Lastly, with the focus in today's corporate world on the immediate bottom line, most firms see no clear short-term return on their information sharing investment.
Minimizing the likelihood of, minimizing the possible impact from, or preparing a response to a coordinated, comprehensive attack on critical US infrastructure will require coordinated, comprehensive teamwork by government and industry. No matter what the business or political pressures, we all have a stake in protecting our information infrastructure. The nature of that teamwork is being decided through national debate, substantive analysis and constructive dialogue. As we look ahead, our nation is in need of new modes of cooperation, collaboration and experience sharing within the private sector and between the public and private sectors. With the Denial of Service attacks, we received another wake-up call. A well prepared and informed private sector can work with government to find the proper balance between the government's need to protect the critical infrastructure and business' need to manage risks appropriately.
Significant reservations on the part of both private industry and government about fully collaborating on these important issues exist, however, which ITAA is attempting to address from both a theoretical and a practical viewpoint.
InfoSec: Establishing First Principles
In developing industry positions on national InfoSec issues, ITAA has established an initial list of general principles that will guide the development of future policy.
* The protection of the national information infrastructure must be based on the least amount of government (federal, state, and local) regulation as is practicable.
* The cost of protecting the national information infrastructure must be kept to a level commensurate with the threat and the consequences of attack. Parties must be able to differentiate between potential but unlikely vulnerabilities and specific threats.
* Industry owns and operates the Global Information Infrastructure and, as such, has primary responsibility for InfoSec requirements, design and implementation.
* Industry and government share an interest in the proliferation of a free and open Internet, electronic commerce, other value-added networks, and an efficient, effective information infrastructure generally.
* In protecting these resources, the specific and immediate priorities of government and industry may potentially diverge.
* Industry will be guided by business considerations to protect itself against physical and cyber-attack as the threat to the information infrastructure evolves.
* Where corrective InfoSec action is required to protect the public good, government must identify such instances and create appropriate funding mechanisms. Government, in its capacity as the nation's largest IT consumer, should also act as a role model in adopting InfoSec best practices and avoiding security breaches.
* The Internet and electronic commerce are inherently global in nature; therefore, information security will require collaboration among international bodies.
* InfoSec measures must be commensurate with the threat involved; risks must be appropriately identified and managed but not magnified or embellished.
* Positive interaction between government and industry is essential. Among the issues that will require on-going communication and assessment is the need to balance the Constitutional right to privacy with national security concerns.
* Industry must monitor the private sector portion of the national information infrastructure and cooperate both internally, across vertical industries and with local, state and federal government in reporting and exchanging information concerning threats, attacks, and protective measures. Coordination among principals must facilitate creation of early warning systems. Barriers to this process must be identified and solutions determined.
* In creating the information infrastructure, as well as attendant tools and technologies, industry must be provided safe harbor protections and its works viewed as incidental to losses caused by criminal or malicious misbehavior or natural disasters.
* Distinctions must be made among cyber-mischief, cyber-crime and cyber-war to clarify jurisdictional issues and determine appropriate responses. The adequacy of current laws to prevent these threats must be reviewed.
* Existing laws must be adapted as necessary to allow appropriate levels of information sharing among companies, and between the private sector and government.
* Continued support of short- and long-term information security R&D projects by private and public sectors alike is needed to support continued growth of the digital economy and to protect our critical infrastructures. The vast majority of R&D in information security is done by the private sector. Going forward, market demands continue to be the most efficient means for directing corporate R&D efforts. The Clinton Administration is moving forward to create an Institute for Information Infrastructure Protection to fill gaps in areas not now addressed by the private sector.
* Industry and government must take steps to address the InfoSec workforce needs. Research should be done to gauge the skill sets of information security professionals, identify the security workforce needs of industry, assess the current programs offered by academia, and identify gaps. Programs, such as the Administration's Scholarship for Service for the federal government workforce, should be identified and funded to fill the short- and long-term gaps in the workforce.
* Law enforcement agencies must gain sufficient cyber-crime expertise to combat specific threats and to investigate specific criminal acts. The adequacy of current laws must be reviewed and the administration of justice for cyber-crimes made uniform.
* Emergency response organizations must gain sufficient disaster recovery expertise to minimize the effect of catastrophic events on the information infrastructure.
Implementing this diverse set of principles will require substantial work, resources, and cooperation.
Difficult Issues Remain
At this nascent stage, many questions remain unanswered:
* What are the criteria for determining the individual elements of the critical information infrastructure, and who is involved in the determination?
* What should be the process/mechanism by which the government will provide threat, indications and warning information to critical information infrastructure companies?
* What legislative remedies are necessary to overcome the current legal barriers to information sharing?
* Will shared information be protected from FOIA requests?
* What threshold should be established for reporting anomalous activity? What type of reporting will be required, given that industry will be motivated to monitor and protect itself against cyber-attack for business reasons, and how will reported information be protected?
* What government restrictions or legislation must be modified or lifted so that private sector companies may implement active cyber-defense and/or counter-measures (e.g., anti-trust provisions that stand in the way of NSTAC-like organizations)?
* What type of organization(s) should plan and execute the strategy for critical information infrastructure defense?
* What policy determinations are required to distinguish between law enforcement and national security (warfare) jurisdictions as a result of attacks on critical information infrastructure elements?
* How should industry organize itself to represent private sector views, to exchange relevant "lessons learned," and to participate in policy development? Given that IT is both a vertical industry sector itself and the foundation underlying all the other vertical sectors, what should be the relationship between the IT sector and the others?
* What considerations must be allowed for those elements of the critical infrastructure that are foreign controlled or are part of multi-national businesses, considering that most infrastructures are international in nature?
* How should the information technology private sector assess the implications of liability and insurance for critical services?
* Is there a sufficient research and development effort underway to improve the ability of the private sector to monitor and protect its designated critical elements? Who should fund this effort? How should R&D information be distributed?
* If information system security becomes a competitive market differentiator, how will the private sector accommodate the needs of the government for infrastructure protection while maintaining market competitiveness?
* How does our country develop a corps of IT workers with particular skills to focus on security and infrastructure protection, particularly in light of the overall IT workforce shortage?
In addition to substantive legal and policy issues, less tangible concerns must also be addressed, particularly the development of trust, both within the private sector and between the private sector and government. ITAA and companies like MCI WorldCom are working with government to help build the necessary bridges.
Last week, some of this bridge building got underway. Over 25 leading IT and communications companies and organizations, including both MCI WorldCom and ITAA, met with President Clinton, Attorney General Janet Reno, Secretary of Commerce William Daley, Science Advisor Neal Lane and other top Administration officials to launch an industry-led, government supported mechanism to begin the information sharing process. We presented the President with a statement of principles on how such an information sharing mechanism within industry could be achieved. The principles, available on the ITAA website at http://www.itaa.org/InfoSec/InfoSecstmt.htm, call for the creation of an early warning system, recognize the need for an incident response mechanism, and express a willingness to work together on resolving information sharing issues. I believe that the statement is a significant step in the right direction. Next week, ITAA will host the first of a series of meetings of industry leaders to develop quickly the most efficient mechanisms to share information.
Just yesterday, dozens of companies from multiple sectors met to further the development of the Partnership for Critical Infrastructure Protection, an effort launched in December, 1999, to insure that InfoSec issues will be addressed collaboratively across all important sectors of the economy, including financial services, energy, and transportation, in addition to the Internet industry itself. No one sector alone can solve the InfoSec challenge.
ITAA and InfoSec
ITAA is taking a number of actions, has initiated programs, and motivated its membership to address the InfoSec challenges that the nation and our industry face. MCI WorldCom has been an ITAA member for many years and is pleased to play its part in shaping the Association's InfoSec program.
ITAA realized the importance of this issue and took it on over two years ago with the establishment of a dedicated Critical Information Protection Task Group to examine and analyze policy developments in this area and to offer input into the policy process. In the past year ITAA's Critical Information Protection Task Group, now called the Information Infrastructure Assurance Committee (IIAC), has continued its mission of providing ITAA outreach and education to Administration officials, federal civilian, military, national security, and law enforcement agencies, Congress, the media, international organizations, and the public on the issues of information security and assurance. The IIAC has been very active particularly in the wake of Presidential Decision Directive 63 (PDD63), which was issued last spring. IIAC activity is increasing as federal agencies and industry grapple with the implementation of PDD63, which has provided the initial outline and direction for the development of a more comprehensive national infrastructure protection strategy and plan.
In the past 12 months, much has happened. Through the IIAC, our members have been active in what has been the rapid development of information infrastructure security issues and policy. Our organization has produced one of the first concerted industry efforts to address InfoSec issues. We have issued white papers focused on critical information infrastructure protection. We prepared an industry response to the President's Commission on Critical Infrastructure Protection (PCCIP) report and recommendations when they were released in the fall of 1997.
Since then, we have held frequent meetings with representatives across the government to educate, discuss and provide input into the evolving national policy developments.
In February of this year, the Department of Commerce selected ITAA as a Sector Coordinator for the Information and Communications Infrastructure sector, in conjunction with two other associations focused primarily on the telecommunications industry, the US Telephone Association and the Telecommunications Industry Association. As a Sector Coordinator, we are continuing to work with the federal government and, in particular, with NTIA on the implementation of PDD 63.
Education and outreach will be critical to the success of our efforts. Last March, ITAA created the framework for a new Cybercitizen Partnership in conjunction with Attorney General Janet Reno. The Partnership will focus on promoting individual responsibility in cyberspace and creating a public-private sector forum for exchange and cooperation. Through the Partnership, private sector representatives hope to work with federal partners, including the Attorney General, the Department of Justice and National Security Agency representatives, on development of a critical infrastructure protection education and awareness campaign and other initiatives. In addition to an awareness campaign we will be coordinating with the FBI's National Infrastructure Protection Center to identify and coordinate industry representation and participation in Center activities to build the communication and trust that will be so essential in moving forward.
Conclusion
The U.S. and much of the world are building their economic houses on an information technology foundation. This is an extremely positive approach to take, delivering tangible benefits to a fast growing percentage of the world's population. As we build this house that reaches toward a better, more prosperous and democratic future, we must be ever vigilant for cracks in this structure. If Year 2000 was the first challenge to place our digital foundation at risk, failure to adopt a rigorous approach to InfoSec will be the second and even more dangerous. I have offered a conceptual framework on which government and industry can work towards common ground. ITAA and MCI WorldCom are committed to a private sector leadership role in ensuring that the necessary, timely and cost effective solutions are implemented.
Thank you and I would be happy to answer any questions you may have.