ABCs of Cybersecurity

Remarks of Robert Holleyman, II
President and CEO
Business Software Alliance (BSA)

Before the American Bar Association
Section of Business Law
Spring Meeting
Panel Discussion on “The ABCs of Cyber Security”
April 5, 2003


Good morning. It is a pleasure to be here today. My name is Robert Holleyman and I am
President and CEO of the Business Software Alliance (BSA).1

BSA represents the world’s leading developers of software, hardware and Internet
technologies both in the United States and internationally. Our mission is to educate
computer users on software copyrights and cyber security, advance public policy that
fosters innovation and expands trade opportunities, and fight software piracy. We are
headquartered in Washington, D.C. and are active in over 65 countries internationally.

It is a pleasure to be with you today to discuss an issue of national importance, and one in
which I believe BSA has particular expertise: cyber security. And that is because our
member companies build many of the systems that power the world's information
infrastructures, including the Internet, and they develop the leading security tools used to
protect computer systems against cyber crimes and attacks.

                                           * * *

“Security” became a national clarion call in the aftermath of September 11th. But while
much of the nation and the world have focused on improving our physical security, there
is an alarming level of complacency about our vulnerability in cyberspace. Specifically,
our susceptibility to serious and sustained attacks on the networks that run everything
from our air traffic control systems to our financial enterprises to our sources of water
and energy.



1 The Business Software Alliance (www.bsa.org) is the foremost organization dedicated to promoting a safe
and legal online world. The BSA is the voice of the world's software and Internet industry before
governments and with consumers in the international marketplace. Its members represent the fastest
growing industry in the world. BSA members include Adobe, Apple, Autodesk, Avid, Bentley Systems,
Borland, Cisco Systems, CNC Software/Mastercam, Dell, Entrust, HP, IBM, Intel, Intuit, Internet Security
Systems, Macromedia, Microsoft, Network Associates, Novell, PeopleSoft, SeeBeyond Technology,
Sybase, and Symantec.

It is not difficult to conceptualize the extent of our potential cyber vulnerability, given the
interconnectedness of networks. But it is striking to contemplate the reality of our
vulnerability, as expressed by IT professionals. Let me give you some examples.

In a survey conducted last year for the Business Software Alliance and the magazine
Business 2.0, information technology professionals predicted that a “major cyber attack”
would be launched against American businesses over the course of the following
twelve-month period.2 While a majority of these professionals said that their organizations had
made important strides in improving cyber security since 9/11, only 18 percent of those
surveyed stated that they believed that businesses were adequately prepared to defend
themselves against a major attack.3

And despite the unprecedented emphasis on issues of security and preparedness, the
survey found that information technology professionals believe that the situation is
actually getting worse, not better. In fact, two out of three IT professionals surveyed said
that the gap between the likelihood of attacks against our business information networks
and the ability of businesses to respond to those attacks is growing, instead of narrowing.4

Indeed, recent empirical data on attack trends bears out these fears. According to the
February 2003 Symantec Internet Threat Security Report, an in-depth survey of cyber
attacks that examined 400 companies in over 30 countries, the average company
experienced 30 cyber attacks per week during the last six months of 2002.5 Disturbingly,
that volume represented a 20% increase over the rate of attack witnessed in 2001.6

The study found disparate rates of attack based on the characteristics of companies
surveyed, such as industry sector and company size. Frighteningly, power and energy
companies experienced the highest volumes of attack (a trend that we have seen before)
and, perhaps more importantly, the highest rates of “severe event incidence.” This is the
measure of whether an attack is sustained and sophisticated – in other words, more likely
to succeed.




2 Ipsos Public Affairs, “U.S. Business Cyber Security Study,” July 24, 2002. Research for the Business
Software Alliance and Media Partner Business 2.0 (Survey of 602 IT professionals, 1,000 U.S. adults,
and 1,094 U.S. Internet users conducted between July 8 and 15, 2002).
3 ibid.
4 ibid.
5 Symantec Corporation, “Symantec Internet Threat Security Report,” Volume III, February 2003, Mark
Higgins, Editor. p. 4.
6 ibid.

Power infrastructures were not the only business sectors targeted, however. Financial
institutions also saw an increase in the rate of severe event incidence, as did non-profit
organizations.7

“Severe” attacks, such as those measured in this study, can take many forms. They may
entail criminals breaking into computer systems in order to compromise data, such as
lifting, deleting, or altering financial records; or breaching the confidentiality of data,
such as seeking out individuals’ personal information; or carrying out major disruptions
in service, as recently seen in the case of the SQL Slammer (or “Sapphire”) worm.

Slammer was a disturbing example of the ever-increasing speed and virulence of
“malicious” computer code whose primary purpose is large-scale disruption. Slammer
was the fastest computer worm ever documented, doubling in size every 8.5 seconds.8
By comparison, the "Code Red" virus, which we saw in 2001, took 37 minutes to double
in size.9 At its peak, Slammer infected an estimated 200,000 to 300,000 servers
internationally, cutting the Internet speed of major U.S. sites in half, disabling an entire
emergency response system in Washington State, and knocking much of South Korea
offline.10

Of concern to businesses is the fact that malicious code like Slammer is growing not only
in virulence, but also in number. And increasingly, code writers from all over the world
are getting into the act. While roughly a third of all cyber attacks witnessed in the last six
months of 2002 appear to have been launched from the United States, other nations have
quickly emerged as major sources of cyber attacks. In the latter half of 2002, South
Korea doubled the number of attacks attributed to its citizens and accounted for 13% of
all cyber attacks seen in the study.11 China, Germany, and France round out the top 5.12

But while the variety, intensity and increasingly international nature of cyber attacks are
clear, our response – as private individuals, businesses, and as a nation – has been murky.
In fact, we have seen very little evidence in the marketplace that businesses, in the
aftermath of September 11th, are taking the threat of cyber attacks as seriously as they
should and implementing the policies and technologies needed in order to respond. Many
businesses remain in blissful ignorance of the threats that exist right inside their own
networks.

7 Symantec Corporation, “Symantec Internet Threat Security Report,” Volume III, February 2003, Mark
Higgins, Editor. p. 5.
8 “Service Sector Grows,” Washingtonpost.com, Thursday, February 6, 2003, p. E02.
9 ibid.
10 “Companies Continue To Wrestle With Slammer Computer Worm,” by Riva Richmond, Dow Jones
Newswires, January 27, 2003.
11 Symantec Corporation, “Symantec Internet Threat Security Report,” Volume III, February 2003, Mark
Higgins, Editor. p. 5.
12 ibid.

Let me give you an example.

An executive of a leading security technologies firm told us recently of a situation in
which a potential corporate client company was so confident of his company’s existing
cyber security measures, and so convinced that he did not need to direct additional
resources in this area, that he invited the technology firm to “look under the hood” of his
company’s IT infrastructure and see what they could find.

And find they did. Not the typical cyber vulnerabilities, mind you – the lack of firewalls
or authentication systems, or antiquated antivirus programs, or simple passwords that are
never changed. Instead, what they found was that employees were operating – from the
company’s own computers and servers – a major on-line gambling site.

Now, I don’t know how many of you have visited such sites, but if you have, you’ll know
that they are high-volume, high-traffic businesses that receive thousands, and often tens
of thousands, of hits per day and transact large credit card payments in the process. And,
like many sites that contain sensitive financial information, they are a popular target for
hackers. They are not, in other words, the kinds of things you’d want running on your
company’s networks unbeknownst to you.

The client’s response, when informed of this gaping security hole, was distressingly
understated: “Well, at least that explains our slow Internet connection,” he said.

                                          * * *

This gentleman failed to understand a fundamental truth of doing business in today’s
technology climate. And that is this: the security of an organization’s computer networks
is as integral to its success as the security of its physical operations. A business can no
more leave its networks unsecured than it can leave its front door perennially unlocked.

At BSA, we have focused much of the last two years on working with businesses and
governments to assist them in preparing against potential cyber attacks, and to institute –
through both industry-led best practices and legislative reforms – sound policies that will
maximize our collective cyber preparedness.

Our efforts have encompassed a wide array of topics – from encouraging industry
leadership in best cyber practices to opposing technology-specific government standards
that would stymie the dynamic evolution of security tools. This morning, I will focus my
comments on two areas of our work that have particular implications on law and legal
policy. Specifically, our efforts to:
       1. Enhance information sharing about cyber vulnerabilities through reform of the
          Freedom of Information Act (FOIA); and

       2. Deter cyber attacks by strengthening sanctions against cyber crimes.

Improving Information-Sharing

Few legal issues in the realm of cyber security are as important as that of the need to
improve the flow of information about cyber attacks and vulnerabilities. Reporting a
cyber attack is not as simple as reporting a crime. Most businesses do not want to engage
law enforcement to investigate and address cyber attacks, because they fear that
information that provided to law enforcement or government could eventually be
disclosed. And they fear – rightly – that public knowledge of a corporation’s cyber
vulnerabilities could provoke not only copycat attacks, but also a rash of fears among
customers, or even a diminution in the company’s public valuation.

So, in the vast majority of cases, companies who have been subjected to cyber attacks –
whether successful or not – keep that information to themselves. And without that
information, law enforcement and governmental agencies can do little to redress those
attacks or to prevent future ones.

The result is a vicious cycle: businesses do not share information because they fear
hacker or consumer reprisal, and law enforcement and government experts do not learn of
these attacks so they cannot form the policies or instruments needed to prevent them.

BSA and its industry partners focused considerable efforts during last year’s debate on
legislation to create a Department of Homeland Security (DHS) on creating mechanisms
to remedy this problem. The outcome of these efforts was the creation of a narrowly
tailored exemption to the Freedom of Information Act (FOIA), which covers cyber
security vulnerabilities voluntarily shared with DHS.

As you know, FOIA grants individuals or entities the right to obtain public release of
non-classified, governmentally held information. FOIA is arguably the keystone of a
number of Federal “sunshine laws,” and its existence has been, in my view, fundamental
to the promotion of good government.

Like many good laws, however, FOIA can have unintended consequences. And in the
case of cyber security, it has.

Large companies, particularly in the critical infrastructure sectors, have long argued that
FOIA presented a critical stumbling block, ironically, to increased information sharing
about cyber attacks and vulnerabilities. As long as individuals could use FOIA to
petition the government to release information voluntarily shared by companies about the
cyber attacks to which they had been subjected, these businesses would opt against
engaging law enforcement or government in the first place.

And this is no small failure. Since nearly 90% of critical infrastructure networks are
owned and operated by private businesses, failure to share important security information
with the Federal Government can have very serious consequences.

For this reason, BSA, our industry partners, and a coalition of the nation’s largest critical
infrastructures successfully convinced the Congress late last year to include in the
Department of Homeland Security bill a narrowly-tailored provision that exempts from
FOIA disclosure requirements information about certain critical infrastructure
vulnerabilities that is voluntarily shared with the Department of Homeland Security.

I emphasize “voluntarily” for an important reason. The FOIA exemption has no bearing
on a party’s ability to procure, whether through discovery or any other legal or
investigative mechanisms, information pertaining to these businesses. It merely states
that FOIA cannot be the tool used to obtain this information in the case of voluntarily
shared data pertaining to critical infrastructure protection. It prevents, in other words,
companies from being punished for being good actors.13

Arriving at this exemption was a process not without its controversy. There were
concerns, primarily raised by environmental groups and open government advocates, that
businesses would seek to use this exemption to protect from disclosure information that
went beyond the scope of critical infrastructure protection; for example, handing to non-
security related Federal agencies data that, if discovered, could open these companies to
liability for infractions of other Federal statutes.

In response to these concerns, the House and Senate worked to develop a compromise
provision that narrowed certain language. For example, whereas the original bill
permitted a range of Federal agencies to directly receive information protected under this
provision, the version enacted into law requires DHS to be the initial recipient and
arbiter of that data.

Specifically, the mechanisms for confidentially handling this information and the
protocols to ensure its proper usage will be developed by an Infrastructure Protection
Program Office to be created within the Department of Homeland Security, according to
the recently released National Strategy to Secure Cyberspace.14 The Office’s mission will
include the development of “methods for protecting the confidentiality of the submitting
entity while still allowing the information to be used in the issuance of notices and
warnings for the protection of the critical infrastructure.”




13 The provision also grants limited “use protection,” preventing the information from being used in
subsequent litigation against the party who voluntarily submitted it.
14 The White House, “The National Strategy to Secure Cyberspace,” February 14, 2003, p. 25.

This will be an important process, and no doubt a delicate one. But it is one that is
critical and necessary if the Federal Government is to fully understand the scope of cyber
threats facing our nation’s businesses and develop strategies to address them.

Deterring Cyber Attacks

As with other forms of crime or malfeasance, deterrence is fundamental to preventing
cyber attacks. But, unlike the case of traditional crimes, cyber attacks are often viewed
by society as little more than pranks, to be punished lightly if at all. While I believe that
that sentiment is changing, we have a long way to go.

Let me give you some examples.

The Dutch writer of the Anna Kournikova virus, which affected hundreds of thousands of
computers and is believed to have led to billions of dollars in damage, received a simple
community service sentence totaling roughly one hundred hours. Even worse, officials
in the Philippines could not, under then-existing laws, even prosecute the writer of its
homegrown I LOVE YOU virus, perhaps the world’s most famous and economically
damaging large-scale cyber attack.15 And the writers of Code Red, Nimda, Slammer and
other major attacks on Solaris, Linux and Windows operating systems remain free and
anonymous.

It is nearly impossible, as you all know, to deter future crimes in the absence of any high-
profile convictions. And in the U.S., such convictions are made rare by a particularity in
our sentencing practices.

Sentences for those who violate the Computer Fraud and Abuse Act (18 U.S.C. 1030)
“are determined primarily by calculating actual economic loss.”16 The problem is, actual
loss is often very difficult to determine in the field of computer crimes. We can
determine the cost of actual damage to systems and financial theft when it occurs, but
how do we calculate the cost of thousands of man-hours of lost productivity, weakened
customer confidence, or a reduced corporate image that results from successful computer
crimes? Essentially, we can’t.

And U.S. sentences reflect this problem. Defendants convicted of computer crimes often
serve little or no term of imprisonment, demoralizing prosecutors and eliminating
whatever deterrent effect a case may once have had.

For this reason, BSA worked with our member companies to promote tougher sentencing
guidelines against cyber crimes during Congress’ consideration of the Department of
Homeland Security bill last year. Specifically, we strongly supported the enactment of
H.R. 3482, the Cyber Security Enhancement Act, introduced by Representative Lamar
Smith of Texas, then-Chairman of the House Judiciary Committee’s Subcommittee on
Crime.

15 Filipino law has been amended to make future, similar attacks punishable by law.
16 Testimony of Susan Kelley Koeppen, Corporate Attorney, Microsoft Corporation, before the
Subcommittee on Crime, Committee on Judiciary, U.S. House of Representatives, February 12, 2002.

The bill directed the Sentencing Commission to “review and, if appropriate, amend its
guidelines” pertaining to computer fraud and abuse.17 Under the bill, the Commission is
to “ensure that the sentencing guidelines and policy statements reflect the serious nature
of [computer] offenses…, the growing incidence of such offenses, and the need for an
effective deterrent and appropriate punishment to prevent such offenses.”18

In evaluating its guidelines, the Commission is directed to consider a host of factors,
including

             “…the potential and actual loss resulting from [a computer] offense;

             …the level of sophistication and planning involved in the offense;

              …whether the offense was committed for purposes of commercial advantage or
              private financial benefit;

              …whether the defendant acted with malicious intent to cause harm in
              committing the offense;

              …whether the violation was intended to or had the effect of significantly
              interfering with or disrupting a critical infrastructure; and

              …whether the violation was intended to or had the effect of creating a threat to
              public health or safety, or injury…”19

In other words, the Sentencing Commission was urged to take cognizance of the fact that
many cyber attacks are not nuisances but, in fact, serious economic crimes. And that
many of the individuals who commit these crimes are not simply teenagers on a
technological joyride but, rather, sophisticated and persistent individuals with a clear
intention to cause economic or personal harm.

Congress agreed with our views in this area and included the Cyber Security
Enhancement Act in the Department of Homeland Security bill. An open comment
period is now underway, during which the Commission is soliciting input into whether
and how the guidelines should be revised.

17 H.R. 3482, “The Cyber Security Enhancement Act of 2002,” Section 101 (As Agreed to or Engrossed by
the House), 2002.
18 ibid.
19 ibid.

We are gratified by these developments, but much more needs to be done. For example,
given the global scope and sources of cyber attacks, greater cooperation among law
enforcement officials around the world is vital. In the Internet world, no man is an
island, and neither is any nation. For this reason, we must work to strengthen and
harmonize criminal penalties and civil damages internationally.20 As long as there are
nations where cyber crimes are not punishable (or punishable by a slap on the wrist), we
will have havens of illicit activity from which criminals will be able to launch their
attacks.

And finally, we must provide additional resources to enforcement officials, both in the
United States and overseas. Computer and Internet-related crimes are sophisticated
endeavors, and their investigation requires special training, tools, and resources. BSA
has a long track record of support for increased Federal funding for enforcement of
Internet-related crimes, working successfully with the Congress to earmark additional
resources in this area.

                                              * * *

Our successful efforts to enhance cyber security information-sharing and to encourage
tougher sentencing guidelines against computer crimes give me confidence that we as a
nation are making real progress in the battle for cyber security. That confidence is
buttressed by other recent and welcome developments, including the release of the
comprehensive National Strategy to Secure Cyber Space and the Administration’s strong
budget request for Federal security IT expenditures.

However, as BSA’s surveys and our members’ experience have shown us, there is still a
real chasm between our level of preparedness for cyber threats and the intensity and
likelihood of these threats. Too many individuals, businesses, and government agencies
still think of security in strictly physical terms, ignoring the real and growing threats that
lie behind the networks that power so many of the services upon which we have come to
depend.

And so we must continually remind ourselves that there is no physical security without
cyber security. We are at the beginning of a journey but, with apologies to Robert Frost,
have miles to go before we sleep.

Thank you.




20 Examples of recent multilateral initiatives in this area include the Council of Europe Treaty on
Cyber Crime.