| |
Mr. Chairman, Ranking Member Schakowsky, and members of the Subcommittee, my
name is Mary Ann Davidson, Chief Security Officer of Oracle Corporation. Thank
you for inviting me here again to talk about cybersecurity, and specifically,
the efforts all of us can take - as information technology consumers, producers,
caretakers and policymakers - to advance information assurance.
As you know, I appeared before this subcommittee just a few months after the
ghastly events of September 11th. In the shadow of one of the most tragic
terrorist attacks in history, all of us contemplated the potential catastrophe
caused by cyberterror on a massive scale, and the need for all of us to take far
greater responsibility toward better information assurance.
While we have yet to witness a point-and-click terrorist attack, we have
experienced, through CodeRed, Blaster and Sobig.F, its forebears, with billions
of dollars in damage and lost productivity. These attacks are a grim reminder of
what I warned this subcommittee two years ago: Far too much commercial software
is built without attention to information assurance principles, leaving many of
our national cyberassets - most in private hands - vulnerable to attack.
This vulnerability increases every day. Bounty money may result in the arrest
of one or two of those responsible for cyberplagues, but it won't slow the
development of advanced hacking tools, or change our increasing dependence on
Internet-based platforms to administer public and private enterprises - two
trends that are at the heart of our growing vulnerability. We are in our own
version of an arms race, and the bad guys are winning.
For the information technology industry, our contribution to cybersecurity is
straightforward: to achieve a marketplace and an industry culture where all
commercial software is designed, delivered and deployed securely. There are no
'silver bullets' to get there. A culture of security will require years to
achieve and decades to maintain. Good intentions are not good enough and
frankly, can do more harm than good. We already have seen one instance, in
California, where a cyber-related event triggered a rush by the legislature to
impose reporting requirements on security breaches. This law was passed without
a fundamental understanding of the limits of current technology, and arguably
could make consumer data more vulnerable to unauthorized access. It's not good
intentions, but sound ideas that we need from government, and fortunately, there
are a number of constructive steps the federal government can take, as both a
software buyer and policy-maker to move us toward a culture of secure software.
Let the buyers be wary. Try as you might, Congress can't legislate good
software. Those in a position to make a difference for the better are software
consumers, from small business enterprises to big government agencies. All they
have to do is make security a purchasing criterion. We at Oracle made the
investments to integrate security throughout our development process because our
customers asked for it. Our first customers, the intelligence community, who I
affectionately call the 'professional paranoids,' are some of the most
security-conscious people on the planet.
After ten years of an on-again, off-again merry-go-round by the federal
government to become a more responsible software buyer, we are seeing
constructive action being taken by the Defense Department to enforce a
pro-security approach to software procurement known as NSTISSP #11. Simply put,
for national security systems, an agency can only purchase commercial software
that has been independently evaluated under the international Common Criteria
(ISO 15408) or the Federal Information Processing Standards (FIPS) Cryptomodule
Validation Program (CMVP).
Since NSTISSP #11 went into effect 14 months ago, we've seen several positive
developments. First, a number of firms, including several of our competitors,
are getting their products evaluated under FIPS or the Common Criteria for the
first time. Second, we're seeing firms, including Oracle, financing evaluations
of open source products. The security of open source versus proprietary software
must not be a religious argument, as it so often is, but a business one. Open
source, like proprietary software, is here to stay. We must all work to make it
as secure as possible. Third, several industry organizations, such as the
financial services industry, are coming together to make security a purchasing
criterion industry-wide and are using NSTISSP #11 as a model.
We're seeing all of this because the initial impression from an industry
perspective is that the federal government - the largest single buyer of
commercial software -- means business this time. As a result, security is now
more in the software development consciousness than it was two years ago, and
all of us as information technology consumers stand to benefit. That, in and of
itself, is a major victory, and credit goes to the people within the Defense
Department and intelligence agencies, as well as Congress, who are making a
concerted effort to make this process work.
Secure 'out of the box.' NSTISSP #11 is a strong lesson that the federal
government, acting as a security conscious software buyer, can change the entire
commercial software landscape for the better. That said, are there ways, other
than NSTISSP #11, that can accomplish the same purpose? We believe one measure
worth considering is for the federal government to insist that the commercial
software it buys is either defaulted to a secure setting right out of the box,
or made easy for the customer to change security settings, for example, through
automated tools that enable customers to become, and remain, secure. For
example, the Office of Management and Budget, working in conjunction with the
federal agencies, the National Institute of Standards and Technology (NIST) and
private industry, could specify what is the appropriate default security setting
for the software it buys, or require appropriate and easy-to-use tools needed to
change these settings.
Software Underwriters Lab. Government can be a useful vehicle to promote
voluntary cooperation in the name of better security. For example, the Federal
Trade Commission could work with the software industry to establish the software
equivalent of the Underwriters Laboratories (UL). Security evaluations under the
Common Criteria, which can cost half a million dollars per evaluation, are not
for everyone, especially for many forms of consumer software. A software version
of the UL is a cost-effective vehicle to capture less complex, more
consumer-oriented forms of software. Again, the fundamental goal is to make all
commercial software secure by design, delivery and deployment. To get there, the
federal government should work with private industry to establish a consumer
software equivalent of the UL. Thanks to the UL, most consumer products are
generally difficult to operate in an insecure fashion. For example, Cuisinarts
are designed so that you can't lose a finger while the blades are whirling. We
don't expect the consumer to do anything special to operate Cuisinarts securely;
they just are secure. Similarly, consumers should not be expected to be rocket
scientists or security experts. Industry needs to make it easy to be secure.
Better Information for Buyers. There are already several good web sites to
help private and public customers understand Common Criteria, FIPS and NSTISSP
#11. However, particularly as more and more private customers see Common
Criteria as a potential security benchmark, we are finding that what many of our
customers need is a one stop, 'go to' site in order to validate vendor security
claims and compare them to the evaluation results themselves. It would be useful
for a government procurement officer, or a private sector buyer, to be able to
see all evaluations of any type, for a single vendor, at a single glance, from a
single location, whether FIPS-140 or Common Criteria, whether evaluated here or
abroad. This empowers them to make apples to apples comparisons. For example,
two database vendors can both receive an EAL4 certification, even though one
database vendor made two functionality claims in a security target, while the
other database vendor made forty security claims. A clearinghouse would enable
buyers to perform security target 'scorecarding' and facilitate this and other
types of comparisons.
Academic Research and Professional Development. As in many disciplines, the
market alone cannot produce every security solution. A culture of security, like
any professional culture, has to have an academic component for professional
development, and to advance the field in areas not addressed in the commercial
marketplace. For example, even with a good development process, "to err is
human." A developer can check 20 of 21 conditions, and if failure to check
the 21st causes a buffer overflow, the system is still potentially vulnerable.
Keep in mind, hackers only need to find one error, while developers have to
anticipate and close every one. It's an uneven battle. Federal government
resources directed toward academic talent can work with industry and level the
playing field.
One area that deserves attention, especially as more and more US firms
partner with foreign countries on software development, is research on effective
tools that can scan software and pinpoint irregularities or backdoors in the
code. Unfortunately, this type of product research and development is not seen
as an attractive option among venture capitalists, who generally channel their
funds toward products that are nothing more than techno-band-aids for security
faults. In other words, the market mentality toward information assurance is
focused on developing a better Band-Aid, rather than an effective vaccine.
Congress last year took an important step in filling this void when it passed
the Cyber Security Research and Development Act, which authorizes nearly a
billion dollars over five years to invest in projects like code-scanning tools.
We are about to enter the second year of this five-year program, and Congress is
providing very limited assistance to pursue the goals of this legislation. We
hope Congress will increase its investment.
If the medical community could eradicate smallpox with a strong investment in
research, we should be able to eradicate buffer overflows. It's just code, after
all.
A portion of the proposed investments under the Cyber Security R&D Act is
authorized to create or improve academic programs and research centers on
computer security in order to increase the number of graduates with this
specialty. These kinds of investments are needed. The National Science
Foundation reported earlier this year that only seven PhD's in cybersecurity are
awarded each year. Research conducted more than two years ago found that while
there were twenty-three schools identified as 'centers of excellence' in
information assurance, not one four-year university offered a bachelor's program
in cybersecurity. Only one associate degree program was offered at two-year
institutions. We've seen some progress on this front, but much more can be done
if the federal government invested more resources in this effort. The private
sector can be a critical support component as well, especially given the current
and growing demand for information security professionals among publicly held
corporations.
In the IT industry, no one should be able to work on software that becomes
part of critical infrastructure without proving that they understand and can
demonstrate sound software design, coding and engineering principles. We do not
allow engineers to design buildings merely because they use "the coolest
materials." They must be licensed professional engineers. Why do we hire
programmers to design critical IT infrastructure merely because they know the
coolest programming languages? Ignorance and hubris are the enemies of reliable
cyber infrastructure. Industry lacks for neither of these, unfortunately, so
long as we hire based on what programming languages someone knows, and not
whether they speak the language of cybersecurity. We are at war, and all our
footsoldiers must be armed with the knowledge of what the enemy can and will do
to the unprepared or careless.
A strong academic component in our culture of security also fosters a
competitive and diverse culture. Strong competition and diversity will prevent
the IT equivalent of the Irish potato famine, where reliance on one strain of
potatoes brought on mass starvation and emigration. Similarly, lack of
'biological' diversity in many IT infrastructures renders them immensely
susceptible to cyberplagues. I dare say that far more than one quarter of our
population would be affected should the next cyberplague be more destructive
than its predecessors. Biological diversity breeds resistance. Lack of it is
deadly.
As today's hackers and virus spreaders demonstrate every day, cybersecurity
is an evolving discipline, one that combines art and science, and determination
and passion. One cannot simply take a snapshot of a company's IT systems today
and compare it to some preconceived list and say 'yes, you are secure,' or 'yes,
you are doing the right things toward better security.' The state of the art is
in a perpetual state of revolution.
Ultimately, any culture is as good as the institutions that serve as the
foundation of that culture. So, if there is an overarching recommendation for
you and your congressional colleagues, it is to work with us in industry and in
academia to facilitate the development of the institutions, practices and mores
necessary to build a strong, vibrant and diverse culture of security. I believe
we have turned a corner, and are making progress toward getting more and more of
our customers to think about security. Further steps are needed, such as the
ones outlined here. Again, these recommendations are no silver bullets, but what
we at Oracle believe are the next appropriate steps up this ladder of better
security. We are very pleased to be a part of next month's Cybersecurity Summit
being planned by the Department of Homeland Security, and some of our leading
trade associations. Establishing that kind of regular, continuing dialogue is
yet another link toward making sure we have truly turned a corner for the
better, rather than yet another trip on the merry-go-round of information
assurance.
Thank you again, Mr. Chairman, for the opportunity to appear before you
today.
|
|
