Introduction
Mr. Chairman and members of the Subcommittee, my name is Howard Schmidt. I am the Chief Security Officer at the
Microsoft Corporation. As such, I am
one of many who are responsible for the development of a trusted computing
environment at Microsoft and, to the extent possible, throughout the
information technology industry. I
serve as president of the Information Technology Information Sharing and
Analysis Center (IT-ISAC), which coordinates information sharing on cyber vulnerabilities
among information technology companies and the U.S. government. I serve on the board of the Partnership for
Critical Infrastructure Security, a cross-sector, cross-industry effort
supported by the National Security Council and the Department of Commerce. I am also an industry executive subcommittee
member of the National Security Telecommunications Advisory Committee. I served for several years in the United
States Air Force, the FBI, and local law enforcement, and on September 11th
I arrived in Washington, D.C. for one stop among many that would take me across
the globe. I was meeting that morning
with several Senators when I learned of the attacks, and I immediately reported
for duty at the Pentagon. There I
stayed for the next several weeks after being called to active duty with the
United States Army. During that time I
was deployed simultaneously to the Joint Task Force for Computer Network
Operations, the Department of Justice, and the FBI’s National Infrastructure
Protection Center.
That experience built upon my many years of computer security work in the public and private
sectors, in which I have observed extremely talented and committed individuals
in both communities wage daily battles in a war without silver bullets, where
there will always be some vulnerabilities, and where the criminal hacker has
proven itself elusive, diverse, and endlessly resourceful.
With this background, I would like to review some problems we face and address two
elements of cyber-security. First, the steps Microsoft takes as an industry leader,
and second, some steps I believe the government should take to stop
cyber-crime.
The Problem
Mr. Chairman, the
information technology revolution has transformed the way business is
transacted, government operates, and national defense is conducted. Those functions depend on an interdependent
network of physical and technological critical information infrastructures that
industry and government work together constantly to secure. Protection of these
systems is essential to government and to the telecommunications, energy,
financial services, manufacturing, water, transportation, health care,
information technology and emergency services sectors – the so-called critical
infrastructures of our economy.
These sectors are national assets. Their loss
or degradation would severely impact our national defense and the very
stability of our economy. Yet, unlike
other national defense assets, they were largely built, and are owned and
operated, by the private sector. That
is why this Administration and its predecessor have insisted that securing
critical infrastructures requires a partnership between government and
industry. Voluntary cooperation and
industry-led initiatives will work best to address computer security
issues.
The issues posed by criminal hackers are real, cross-platform, and costly. The “ILOVEYOU”
virus of 2000 caused an estimated $8 billion in damages. The Ramen
and Lion worms attacked Linux
software to deface websites and extract sensitive information such as
passwords. The Code Red worm
exploited Windows server software to deface websites, infect computers, attack
other websites, and make computers susceptible to attack by third parties. Damage has been estimated at $2.4 billion. The Trinoo
attacks exploited vulnerabilities in the Solaris operating system to
stage distributed denial of service attacks against several prominent
websites. The damage was $1.2 billion.
Truly, these are genuine “weapons of mass disruption.” Yet, perhaps the most depressing fact in all of these attacks is
that no perpetrator has been caught with one exception – the “ILOVEYOU” virus writer remains free since
the law of his country did not criminalize his actions.
These attacks did not occur because the extremely innovative engineers creating the
underlying codes disregarded security. They occurred because equally innovative
criminal hackers worked day after day to find, create and exploit
vulnerabilities in the software or in human nature that gave them new ways to
trespass on your computers, steal your data and shut down your networks.
Elements of a Solution: Microsoft and Cybersecurity
Leadership. We at Microsoft
are deeply involved at the national level and within the information technology
sector in advancing policies to improve critical infrastructure
protection. This takes form through
senior executive leadership, continuous improvement in software development,
security response, and coordination with law enforcement.
First of all, we lead from the top. Bill Gates, our Chairman and Chief Software Architect, is a presidentially-appointed member of the
National Infrastructure Assurance Council (NIAC). The NIAC is intended to advise the President and encourage
cooperation between the public and private sectors to address physical threats
and cyber threats to the Nation's critical infrastructure.
Craig Mundie, Microsoft’s Senior
Vice President and Chief Technical Officer for Advanced Strategies and Policy, was appointed by the President to the National
Security Telecommunications Advisory Council (NSTAC). The NSTAC advises the President on policy and technical issues
associated with telecommunications.
Steve Lipner, Microsoft’s Lead Program
Manager for Security, serves on the Congressionally-mandated Computer Systems
Security and Privacy Advisory Board.
Finally, I am deeply involved in U.S.
government, G8, United Nations and state & local cyber-security
initiatives. In addition to my duties
at the IT-ISAC and NSTAC, I recently participated in a U.S.-Australia bilateral meeting on critical
infrastructure protection led by the U.S. Departments of State and
Commerce.
From the top down, our senior
executives believe in excellent security.
They drive our thinking on what we need to do to create a more secure
Internet infrastructure, and they simultaneously play a leading role in shaping
the general U.S. technological and policy environment.
Service & Development. Allow me to mention several examples of what we have done
at their direction. About four weeks
ago, we rolled out the Strategic Technology Protection Program (STPP) which
addresses the patch application problems while also enhancing our software
development practices.
As part of this initiative, we are doing several things, including
deploying many of our personnel to our customers’ sites to assist them in
utilizing our patches. We also are providing advanced training to our own
developers so they better understand current threats and vulnerabilities; we
are developing superior code analysis tools to root out subtle flaws that can
create vulnerabilities; we are expanding testing of our software by using
independent penetration teams; and we are working closely with third party
experts in and outside government.
In addition to the STPP, we have created a fully staffed, highly
effective security response organization.
We believe that it is the industry’s best such organization. It investigates thoroughly all reported
vulnerabilities, then builds and disseminates any needed security updates. In 2000, for instance, we received and
investigated over 10,000 reports from our customers. Where we found vulnerabilities – as we did in 100 cases – we
delivered updated software through well publicized web sites and our free
mailing list to 200,000 subscribers.
Another major element of our protection efforts focuses on
incorporating new security features in our products. As examples, we have integrated previous stand-alone patches in
products like Outlook 2001, installed a personal firewall in Windows XP, and
added software restriction policies to Windows XP to allow administrators to
limit what software can run on the system.
The feedback we have received thus far from our customers, outside
analysts and the press has been overwhelmingly positive. We consider that an
essential vote of confidence in the direction we have taken, and these programs
are not one-time initiatives. We take
them very seriously, for security and privacy go to the heart of our culture.
Education. Leading by example is one way to improve computer security. Making sure that it becomes a national ethic
for business and government, however, requires serious, sustained efforts to
educate our colleagues in both the public and private sector.
Like any real solution to reducing
computer security vulnerabilities, this requires that both sectors play a
part. On the industry side, we strongly
support industry-generated efforts to spread the gospel of cyber security. At Microsoft, we have done this through the
good works of our top executives and through other broad-based efforts to
encourage appropriate security practices.
For instance, at an industry-wide level, Microsoft this month sponsored
its second annual Trusted Computing conference at our Silicon Valley Campus. This
conference brought together leaders from industry, government, the academic
community and other interested parties to discuss and reach consensus on issues
of security and privacy. One of the highlights of this year's event has been a
debate about the handling of product vulnerability information. With several other companies, we have taken
a leadership position that the public release of "exploit code" by
"security researchers" – that subsequently can be used by hackers to
break into customers' systems – is harmful to customers and inconsistent with
professional responsibility. We believe
that similar efforts to reach consensus within the industry can improve both
security awareness and lead to real security improvements.
On the government side, I admire and
support the job Dick Clarke is doing as the President’s cyber security advisor
and coordinator. He has worked
tirelessly for years to bring the message of computer vulnerability and the
need for increased computer security to the nation’s boardrooms and cabinet
offices. He needs support throughout
the government in making clear that this is a national priority. Certainly this message has reached the
Department of Defense, which so heavily relies on information technology to
gain battlefield superiority. It must
become part of the lexicon of many other government agencies and officials.
Criminal Enforcement. Like traditional crime, cyber-crime
needs to be opposed with strict criminal laws, strong enforcement capabilities,
and well-equipped and highly trained law enforcers. Yet despite the billions in damage and significant network
disruption, many criminal code writers remain at large. In this troubled time, we can expect that
some may fall under the control of terrorist organizations and hostile nations,
and thus we need to address the inadequate enforcement of criminal laws and
insufficient law enforcement resources.
To slow this growing threat, penalties for cyber-crime should be
increased and law enforcement capabilities should be enhanced. The Computer Fraud and Abuse Act and
other statutes make hacking, unauthorized access to computers, and the theft,
alteration, or destruction of data federal crimes. However, penalties are weakly enforced, and tougher sentences
need to be imposed to deter and punish cyber criminals.
Law enforcement should receive additional
resources, personnel, and equipment in order to investigate and prosecute
cyber-crimes. These hard working
officials are often short-staffed and under-funded. Many also lack the state-of-the-art technology used by hackers,
and increased funding is needed to place them on par with those they
investigate.
Finally, cyber-criminals and
cyber-terrorists operate across international borders, as in the “ILOVEYOU”
virus, the “Solar Sunrise” attack, and the “Anna Kournikova” virus. Enhanced international law enforcement
cooperation is a vital tool our law enforcers need to fight and find the cyber
criminals and cyber-terrorists.
That’s why Microsoft
strongly supports adding new cyber-crime provisions to the anti-terrorism laws
and the criminal code. We see a need for increased funding for law enforcement
personnel, training, and equipment. We
support tougher penalties on criminal hackers, such as civil forfeiture of
personal property used in committing these crimes, and we seek clear guidance
from the Sentencing Commission on how courts should punish these convicted
felons. We strongly support greater
international cooperation among law enforcers in these time-sensitive
investigations. And we want ISPs to
have the authority to share information voluntarily with the entire government
once they see that life or limb are endangered.
We have also worked
closely with the authors of the pending legislation to provide an exemption
from the Freedom of Information Act (FOIA) for cyber security information
voluntarily shared with the federal government. In a letter to the NSTAC, President Bush signaled his support for
this reform and as President of the IT-ISAC, I can assure you that this simple
change will lead many companies to answer the government’s urging that they
provide much more computer security data to the government. When that happens, the government network
administrators will learn much more about network vulnerabilities from the
private sector and be in a far better position to secure their own
networks. They will also be able to
model future attacks and position themselves to anticipate them in advance,
whereas today most analysis occurs after the attack.
Finally, the Council of
Europe has completed negotiations on a comprehensive cyber-crime treaty. We know that from an ISP perspective it
contains a number of controversial or vague requirements affecting both privacy
and regular business practices. We
share many of these concerns and worked in several industry coalitions to
ameliorate them. Yet we see the clear
need for an international law enforcement framework that establishes minimum
liability and penalty rules for cyber-crime, and common procedures for
intergovernmental cooperation. Without
this, all the computer crime laws on the books are useless when cyber-criminals
cross international borders. Whether or not the Council of Europe treaty is an
ideal vehicle I leave to the lawyers to decide, but I assure you that we do
need harmonization and cooperation in this area, and we need it now.
Investment. Microsoft believes that there is a demonstrated need
to protect and defend the nation’s critical information infrastructures from
computer hackers and cyber-terrorists.
Law enforcement must be adequately trained and properly equipped to
fight cyber-crime, whether it is hacking, or other forms of cyber-security
offenses, committed by terrorists and other criminal entities. That is why we propose giving the Attorney
General additional discretionary funds to expand staffing, training and
technological capabilities of the Computer Crime and Intellectual Property
Section and the National Infrastructure Protection Center; to accelerate
funding for law enforcement computer modernization; to hire experts in
cyber-security; and to fund state and local law enforcement efforts to deter,
investigate and prosecute cyber-security offenses.
Government Response. Software
security is a rapidly evolving market of suppliers and consumers. We have seen over the past few years tremendous
growth and a massive increase in awareness of these issues. There is no single nor comprehensive
solution and there will always be more to do.
For this reason, I believe we need to let the Internet economy and the
information technology industry operate as a market. That means that it must operate without government
interference.
Federal security
mandates or requirements, such as rules and regulations for patch application,
dictates on the type of technology a company must use, or legal requirements
that a company declare that it follows some form of security best practices,
would have the perverse effect of slowing innovation in the security
market. A rule requiring notice of
security practices would also have the unintended consequence of causing
companies to gravitate toward accepted practices rather than toward innovative
practices. In sum, there is a critical
difference in quality, innovation and thoroughness between security solutions
driven by market and private sector pressures and those driven by regulation,
bureaucratic timetables and one-size-fits-all approaches. A serious government-industry partnership
can encourage security innovation and implementations, but will falter if
regulation is imposed upon information technology businesses.
Summary
Let me close by thanking the Subcommittee for
inviting me to testify. Although the
recent horrific terrorist attacks in New York and Washington were physical in
nature, Congress quite rightly must look beyond the current tragedy and loss of
those catastrophic attacks. We were
fortunate that the terrorists or a random hacker did not unleash a
corresponding cyber attack. Yet that is
a risk we face, and we must take steps now to deter these actions through
improved technology, fully funded cyber crime law enforcement, tough criminal
penalties, and continued industry & government cooperation. We know that there is no finish line to
these efforts, but by working as we have with industry peers – including some
of these panelists – and with governments, we have a chance to keep one step
ahead of cyber-criminals and cyber-terrorists.
Thank you.