© 2005-2006
Last Updated: April 10, 2006

CRITICAL CONVERSATION TRANSCRIPT

Getting Serious About Cybersecurity

The National Press Club.
May 18, 2005.

JOHN McCARTHY, DIRECTOR OF CRITICAL INFRASTRUCTURE PROTECTION PROJECT, GEORGE MASON UNIVERSITY:  I’m John McCarthy.  I’m the Director of the Critical Infrastructure Protection project at George Mason University and we are the sponsor of the Critical Conversations Series.

This is the fourth in a series of discussions of bringing together congressional leadership, executive branch leadership and industry leadership to talk about relevant issues to our nation’s security and particularly focused on our critical infrastructures, and obviously today’s discussion is built around cyber security.

Before I begin, I’d like to recognize a few folks: President Alan Merten of George Mason University; Dean Kingsley Haynes of the School of Public Policy; and Joan Hash from NIST, who is our Executive Sponsor of the CIP program, who gives us great support.

I would be remiss if I didn’t recognize in absence, Congressman Frank Wolf, who was one of the visionary members of the Congress who conceptualized the program, based at George Mason, around the issues of law, policy, technology, economics and a confluence relative to our security.  He has been an outstanding sponsor for us and a great supporter of the university, and we appreciate all that support.

I want to tell you a quick story about my cab ride over here.  Washington is defined by the cab rides, and I had a very unique one. I got in the cab at the front of the law school in Arlington and the guy said, “How are you, John?”  and I’m like, “I’m OK.” He said, “My name is Rick and I’m here to take you to the Press Club,” just like that.  Apparently, that all came through the computer and before I went down, I got a call in my office.

My telephone rang and a computer voice came on and it said, “Your cab is waiting downstairs.  If you’re ready to go, press one and if you’re not, press two.”  I pressed one and the computer voice said, “Please proceed down to the cabby.”

So I got in the cab and he said, “We’re going to the Press Club and what’s the topic?”  I said, “Computer security,” and he says, “Perfect.”  For 25 minutes, he talked about nothing but computer security.  In fact, he was better than some of the professors we have on staff.  He told me computers are the downfall of society and computer security is a myth.

He said that from his computer at home he can personally control large portions of the government, and that the emerging threat to computer security is the development of HAL, from 2001: A Space Odyssey.  He was very happy to hear Congressman Davis was involved in our discussion.  Congressman, he told me to pass his regards because he voted for you. He knows that you’re one of the most tech-savvy members of Congress, and appreciates that.  He’d like to have a conversation with you.  He said that he’s available for testimony at any hearings you may hold.  As I got out of the cab, Rick, the cab driver, gave me one piece of advice: “Get out of the computer security game.  It’s a dead end.”

So with that, we launch our computer security discussion.  We’re honored today to have a very distinguished panel of guests representing  the congressional view and the private sector view.

I think this is a very important engagement and we’re at a critical time in the dialogue between the public and private sector.  Having been involved with the National Critical Infrastructure agenda for quite some time, I know that we’re poised and we have to begin to move past some obstacles and get to the next step of the dialogue.

Many people in this room are working very hard on that and we’re very happy to have our panel. I’m very pleased to have so many knowledgeable people in the audience as well.

At this point, I’d like to turn it over to Frank Sesno and thank him for his service here as Professor of Public Policy, as a Senior CIT Fellow, and the outstanding job that he’s done helping us put on these programs.  Thank you very much.

FRANK SESNO, PROFESSOR OF PUBLIC POLICY AND SENIOR CIT FELLOW:  Thank you, John.  I appreciate being here with this great panel.  I especially appreciate your story about the computer-savvy cab driver.  Now if they only knew how to get around Washington, we’d do really well.

President Merten, Dean Haynes, guests, and members of the press, I think we’re going to have a very timely conversation today, not least because the debate over the bill that contains some far-reaching implications for cyber security is commencing today.

With that in mind, the plan here is to talk amongst the panel for about 45 or 50 minutes or so and then open it up to your comments. As John indicated, I may turn to some folks in the audience from time to time for some thoughts as well.

Representative Tom Davis, we very much appreciate your time today.  He is Chairman of the House Government Reform Committee, which has broad oversight regarding many aspects of Homeland Security. He has served Fairfax County over the last many years and he knows technology very well, having been Vice President and General Counsel of PRC, which is a high tech and professional services company based in Northern Virginia.

Representative Lofgren serves on the House Homeland Security Committee, on Economic Security, Infrastructure Protection, and Cyber Security. She is the ranking Democrat on the Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment and co-author of the Department of Homeland Security Enhancement Act, which is very much part of what’s being discussed here and on the Hill.

Paul Kurtz is the Executive Director of the Cyber Security Industry Alliance.  He was Special Assistant to the President, Senior Director for Critical Infrastructure Protection on the Homeland Security Council at the White House before assuming his current position. He’s helped really define the agenda.  His newsletter is tracking the very many pieces of legislation moving through the system.

Marian Hopkins?

MARIAN HOPKINS, DIRECTOR OF PUBLIC POLICY, THE BUSINESS ROUNDTABLE, AN ASSOCIATION OF CHIEF EXECUTIVE OFFICERS OF MAJOR U.S. CORPORATIONS:  Right here.

SESNO: Marian Hopkins is the Director of Public Policy at the Business Roundtable, an association of chief executive officers of major U.S. corporations.  She’s in charge of legislative and lobbying activities on Homeland Security and on technology issues and is working very hard on some key issues, including reconstitution.

Finally we have Jody Westby.  She is the President of Work IT Group and Managing Director of PricewaterhouseCoopers and experienced in technology, legal policy and business areas.  She’s testified before Congress and brings a very important perspective, which is the role and responsibilities that corporate boards and senior management in the private sector have.

This is not all about government.  So let’s begin.  Standards, best practices, vulnerability, authority, leadership, are some of these issues that are tied up, and the stakes are immense.

The cost to business of computer hacking and e-business crime, by one estimate I’ve seen, was over $660 million in 2003.  A LexisNexis search brought up 310,000 names, and their identities, associated with this problem.  There’ve been problems at George Mason University, University of California, Berkeley, and over a million names, often with Social Security numbers, VISA cards, and the like.

So you can see that identity theft, cyber security and terrorism are all very much intertwined.  I would like to start by asking you, as you look at this landscape, to tee up this debate: what are the most urgent priorities if we’re to get serious about cyber security?

Congresswoman, why don’t you begin?

REPRESENTATIVE ZOE LOFGREN, HOUSE HOMELAND SECURITY COMMITTEE, SUBCOMMITTEE ON ECONOMIC SECURITY:  Thank you.  There’s a lot that needs doing and not all of it needs doing by the government, but just a word of background.

Last Congress, when the Committee on Homeland Security was not a permanent committee, there was a Subcommittee on Cyber Security, per se.  Congressman Mac Thornberry of Texas was the Chairman, I was the ranking member, and it was a remarkable experience for me and I think also for Mac, because unlike most of the Congress, which has a huge partisan divide, we actually approached this in a completely bipartisan way.

We mapped out the hearings together.  Our staffs worked together.  We wrote bills together, and at the end of the Congress, we issued not a majority and a minority report, but one report that we both agreed on.

Within that report, it really points out that we have a number of vulnerabilities that have simply not been addressed, either by government or the private sector, and if I can just quote from the President’s national strategy to secure cyberspace.

“A network of networks directly supports the operation of all sectors of our economy, energy, transportation, finance, banking, information, telecommunications, public health, emergency services, water, chemical, defense industrial base, food, agriculture, postal and shipping.”

They also control physical objects, such as electrical transformers, trains, pipeline pumps, chemical vats, radars, which are all vulnerable if we’re not secure in cyberspace.  Although my friend from counterpoint said, “who cares if we lose a few e-mails,” the issue really is much larger.

We’ve touched on identity theft and phishing, all of which are serious crime issues, but from a point of view of terrorism, we are concerned about our vulnerabilities to key infrastructures within the country.

I asked the cyber security staff of the committee to come up with some unclassified examples of recent things that have happened.  One of the things they were able to pull out as unclassified was a computer hacker taking control of the telephone system and disabling an FAA control tower in Massachusetts.

In other countries, people have taken control of sewage systems and released raw sewage.  Those who have taken control of energy grids did not utilize the full control that they gained to empty dams into urban areas.

Those are the things that keep me up at night.  One of the things that Mac Thornberry and I did, which is on the floor today, is to come up with an issue that really addresses the need for more leadership on the part of the government about cyber security.

We had Richard Clarke in the White House, who actually put together the strategy for cyber security, and as the years have gone by, the position for cyber security has grown ever less important within the bureaucracy.

We cannot hire and keep talented people in the Department.  Amit Yoran, who is a guy from Silicon Valley, is capable from all accounts, but actually quit a year to the day after he was recruited for the office.

So we have a bill that’s on the floor today that would elevate the position within the Department to an assistant secretary, and we found out that unlike past years, the Administration has not come out in opposition to this. 

This is something we need to pay more attention to and simply implement the adopted strategy for cyberspace.  We’re not even proposing to change the adopted strategy. So that is step one and it’s on the floor today and I have every hope that it will pass.

SESNO:  What are your priorities, Congressman Davis?

TOM DAVIS, CHAIRMAN OF THE HOUSE GOVERNMENT REFORM COMMITTEE:  Well, thank you.  I jotted a few notes down trying to get within my three minutes on what government should do and what they shouldn’t do regarding cyber security.  Number one, we should secure our own people, our own facilities and our own networks in government.  They’re very interconnected.

Any vulnerable spot exposes everything.  This includes using state-of-the-art security technology and using best practices.  The government’s FISMA grade is a D+ right now.  I believe we are transitioning from a “need to know” mentality to a “need to share,” however there is a long way to go.

We need to enforce criminal law and deter cyber crime, including developing international relationships and ratifying, where appropriate, international conventions.  This requires providing U.S. law enforcement with the personnel, training, and forensic tools necessary to conduct effective investigations.

Both the law and law enforcement are falling behind rapidly in the technological arms race with hackers.  We need to provide funding, especially for basic research on cyber security.  I think the number of Ph.D. diplomas in computer security this year is under 20.

Over half of them are foreign nationals.  George Mason has been at the forefront of this, I might add, but very few universities are really paying much attention to this.  And government funding, I think, is going to be critical to get them on the right path.  We need to continue to work with the private sector and the public to raise awareness about cyber security and how to stay safe when you’re online.

We need to share threat and warning information with the private sector so that it can better protect itself and work with other governments to create international watch and warning capabilities.  That actually entails some legal changes because of anti-trust laws and some other laws out there like the Freedom of Information Act (FOIA), which makes sharing with the government sometimes difficult and disadvantageous for the private sector.

We need to work with the industry and academia to enhance the education that future software developers receive so that the U.S. Academic Institutions are producing software developers and IT professionals who understand security and know how to implement it in their work. 

Now, what the government should not do regarding cyber security.  They should not impair or skew innovation through mandatory standards or regulations which would limit the ability of the private sector to come up with new and innovative ways to improve security.

The government should not impose unnecessary requirements or redundant certification regimes that would slow the deployment of new and more secure technology in the marketplace.  Also the government should not respond to the increasingly international IT marketplace by becoming isolationists, by raising trade or unnecessary national security barriers that will limit the ability of U.S. industries to compete and innovate and provide solutions to the international marketplace demands.

SESNO:  Let me just follow up on that, if I may, before we open the conversation.  What you’re calling for the government to do and not to do inevitably leads back to the issue of leadership that the Congresswoman spoke about.  Where are you on this question of a secretary for cyber security and would that make a difference?

DAVIS:  Well, I think it makes a difference with the Department of Homeland Security, but if you’re talking about government wide leadership, it ought to come from the White House and it ought to come from OMB.  It shouldn’t be in Department of Homeland Security.  After all, you’re dealing with an agency that got an F on its own FISMA last year, so …

SESNO:  So you wouldn’t put this in DHS?

DAVIS:  Well, no.  You can have the Assistant Secretary which will oversee DHS.  They have a lot of coordination in very critical areas within that.  When you’re talking government wide role, it ought to be with OMB because they have the juice when it comes to procurements to make sure that everything interconnects and safety is broad.

You’re not going to have the same kind of clout from the Department of Homeland Security to tell other agencies what to do.  Only the White House and OMB have it.  They haven’t utilized that clout correctly, but that’s where, in my judgment, it ought to be.

SESNO:  But isn’t the whole purpose behind creating DHS to be doing just this?

DAVIS:  Well, they’re doing a lot of things like border patrol.  But when it comes to computers and the interconnectivity within government, they do a lot of things besides just cyber security and you can’t have one department overseeing one aspect of that and other parts overseeing others.

So much of this is tied up with our procurement budget.  Over $65 billion was spent this year on IT procurements from the federal government.  Somebody has got to oversee it all, not different agencies overseeing different parts of that.  And cyber security ought to be paramount in what we oversee, but that’s got to be done centrally.

Sticking it in one agency as opposed to other agencies is not the way to accomplish it.  Bureaucracies are governed by turf.  They are governed by turf fights.  OMB and the White House are the ones that have the juice throughout all of the different cabinet departments, not the Department of Homeland Security.

LOFGREN: Well, Tom and I disagree on this.  I think the entire Homeland Security Committee, with the exception of Tom, really reached a contrary conclusion.

I actually voted against the creation of the Department of Homeland Security because I was fearful that instead of fighting terrorism for the next three years, we would be trying to set up a department for the next three years, and in fact, that’s what occurred.  That’s part of the problem.

But we have the Department now and I think it’s important that they be given the authority to get the job done.  It’s difficult especially in the area of cyberspace where, you can’t see it, touch it, feel it, taste it, it tends to be ignored.  It has been ignored.

We need to elevate the discussion within the Department and some leadership needs to be exhibited in my judgment.  The jury is still out of course, but I’m very hopeful about the new Secretary of Homeland Security.

He strikes me as a guy who is very tough-minded, very smart and I think that he will value having this new tool and will be able to recruit somebody who is as smart and tough-minded as he is to put the kind of emphasis on cyber security that we need.  So I just respectfully disagreed with my friend.

DAVIS:  I just might add that of course the committee voted for it.  Every committee wants to enhance their jurisdiction, and if they can basically move oversight of a government-wide information policy out of OMB, out of the White House, to their agency, then what committee wouldn’t do it?  The Agriculture committee would do the same thing.

What you have to understand, we have tried this before.

It’s failed before, when you try to move government-wide information policy into another agency of government that is outside the White House.  Frankly, the Department of Homeland Security has its own problems right now getting its own systems straight.

I supported elevating this, but we’ve put limitations on what this assistant secretary can do.  And the reason for that is they have a full-time job right now just getting their own systems up and operating and interconnected at this point.  That’s going to take a couple of years at minimum.

SESNO: Let me draw in the private sector, folks, here if I may and ask you first, you know, your take on this discussion.  If we’re going to get serious about this, if we’re going to move forward, if the issue is leadership, (A) is it?  And (B) where does that leadership need to be coming from?

Because as is pointed out, cyber is everywhere, right?  It’s in my home, it’s in my business, it’s in the, you know, in the electric grid, it’s in the NSA, it’s everywhere.

PAUL KURTZ, EXECUTIVE DIRECTOR, CYBER SECURITY INDUSTRY ALLIANCE:  Yes.  Let me try to cut down through the middle, if you will.  I think there are two issues we’re trying to reconcile.  We’re trying to reconcile the government’s own internal security and reliability of their information systems, which is clearly within the mandate of the Office of Management and Budget at the White House, and FISMA plays a key role there.

SESNO:  For those who may not be aware, FISMA is?

KURTZ:  I’m sorry.  Federal Information Security Management Act, which Congressman Davis was the leader in pulling together.  It is obviously critical.  Then there’s the external view.  What is the U.S. Government doing to enhance its security and reliability for critical information infrastructures outside the government space if you will?

What is the leadership role in that space?  That’s an external point of view and I think it largely rests with the Department of Homeland Security.

Now, my statement goes to (A) the Homeland Security Act and what’s there; (B) the national strategy to secure cyberspace, which talks about roles and responsibilities for DHS in the area of reconstitution, contingency planning, emergency communications; and (C) Homeland Security Presidential Directive Number 7, which was signed by the President in December and talks about the need for the Department of Homeland Security to work externally on information security issues.

I think what we’re hearing up here is not necessarily inconsistent, it’s how do we do a better job managing internal government systems using the power of procurement?  Great, we need to be doing more, but from a private sector point of view, we’re missing that chief, we’re missing that quarterback out there to chart the course.

As Representative Walker has pointed out, a chief strategist in the White House, we’ve lost that.  And it would be nice to have that chief back or someone at the Department of Homeland Security who can offer that chief strategic thinking, that beacon that the private sector can work with.

This is not to say that the Department of Homeland Security should regulate everybody in cyber security, not by any stretch of the imagination.  But there is a need for leadership in some critical areas.

SESNO:  How have we done so far in securing cyberspace? 

KURTZ:  I think since the national strategy has been released, the record on the part of the government has been mixed.  I think the national strategy to secure cyberspace is a timely and salient document.  Of course, I had something to do with putting it together, so there’s a little bias.

There are a lot of different things that the Department of Homeland Security is trying to do and I know Secretary Chertoff is looking closely at these issues and I do think it’s important that the Secretary have the time to reevaluate the situation there, but it is critical.

We’ve slipped for the past couple of years and we need to do more.  Adding an assistant secretary will certainly help.  It’s not a panacea.

SESNO:  Marian, the representative of the Business Roundtable and the chief executive officers of some of the largest U.S. corporations, priorities?

HOPKINS:  Yes.  Absolutely.  We represent 160 companies, four trillion in annual revenues and 10 million employees.  Cyber security has got to be one of the most important security issues.  It impacts the economy.  It impacts security.

In terms of an assistant secretary, we don’t have a formalized position on it.  What the Roundtable would like to see is the issue of cyber security elevated in the federal government.

SESNO:  So you’re not satisfied with where it’s been resting from?

HOPKINS:  We’re not satisfied with the progress that’s been made.  Frankly, in terms of an assistant secretary, my take on it is do whatever it takes in order to elevate cyber security within the federal government.  The consequences are too dire if we don’t.

If that means having an assistant secretary of the department, let’s go do it.  If it means elevating OMB and the White House, let’s do it.  Let’s just do what it takes to get it done.

SESNO:  What are these corporations, your membership, looking for in terms of more security?

HOPKINS:  It’s really very simple.  We want hardware and software that’s less flawed, more secure.  We want the IP providers to provide products that improve security with minimal burden on the end users.  We also recognize that there’s no silver bullet.

We’re not going to get it done overnight, and because we’re not going to get it done overnight, the Business Roundtable has been working very hard on, initially, cyber reconstitution.  We want to make sure that if the worst happens, if we have catastrophic cyber failure, that the federal government, the private sector, have thought it through.  We know how to bring the Internet back up.

We know how to collaborate.  We’ll know how to get it done.  We have something called the National Response Plan.  It has a cyber annex to it, but it’s not thought through.  It doesn’t have the strategic management goals and objectives in it.  We’re working with an array of fabulous companies.

We’re working with Paul Kurtz and his group, so really, better and more secure software, federal government leadership, and reconstitution.  Those are the priorities of the Business Roundtable.

SESNO:  OK.  You just saw me grimace because we’re going to lose a congresswoman here in five minutes because she’s got to go back and weigh in on this debate, this very debate.

So let me ask you if I can then, in the five minutes we’ve got left, in addition to this assistant secretary, what are the other high points of your perspective and agenda right now?

LOFGREN:  Well, I think there’s a lot that Tom and I agree on.  In the bill on the floor today, there is authorization for funding for more research.  Recently, NSF has funded a major research effort on cyber security.

It’s enormously important, and my friend Dr. Sastry at the University of California, Berkeley, actually, was quoted as saying, “we need to do this before we have the cyber equivalent of Pearl Harbor.”  I’d say that was a dramatic statement, but he worked with us very closely on crafting this legislation.

SESNO:  Are we properly framing this issue when we talk about a cyber Pearl Harbor?

LOFGREN:  I think it’s important to use language that will wake people up because our exposure is enormous.  I think we need to do more research.  Tom is right.  In all of our efforts, we must avoid being prescriptive because the technology moves faster than the legislation.

We need to look at what incentives and business incentives, if any, need to be put in place for the uptake of what actually is already available.

Sometimes this is not really an issue of technology, but of leadership, and the biggest deficiencies are not so much in the technology sector, but in the rest of the world that really doesn’t understand fully sometimes their vulnerabilities.  And why is that?

In addition to the research that we need to do, there is a training effort that Tom has already mentioned.

There is funding in a program that we passed in the last Congress that we need to enhance so that we have more people who are capable of providing this service in the private sector, and are trained to do it.  That’s primarily not your Ph.D. candidates.  It’s Bachelor’s or even two year degrees, people who can do the work that needs to be done.  We have a huge deficit there.

One of the amendments we’re going to accept today when we go back is that there needs to be greater coordination in the department between some of the other very highly skilled components of the government, including the NSA.  I think that has been deficient and there’s going to be an amendment to include that, which we will accept on a voice vote.

SESNO:  OK.  Maybe I can ask the both of you to chime in on this.  A couple of the specifics that Paul Kurtz’s group has called for: ratify the Council of Europe’s Convention on Cyber Crime to get the kind of international juices flowing, and, to lead by example, put it in procurements by requiring contracts and suppliers to meet federal requirements in their own systems.  I wonder how you respond to those very specific suggestions?

LOFGREN:  Those are best practices that we should have.  Obviously, the House doesn’t ratify treaties, the Senate does, but we ought to ratify that treaty.  And I would just note that the bill that Congressman Thornberry and I put together last year had broad support.

I think practically every technology business association in the country supported it, from the Business Software Alliance, AEA, the academic world, and the reason for the support was because we got their help in putting the bill together.

DAVIS:  I think we’ve got to work internationally on this.  This stuff travels all over the place, and we need to be more proactive in doing that.  Zoe and I agree on a lot.  In fact, we support the provision, the bill that came out of the committee.  I think we ironed out the differences and we’ll see where it goes. How the White House reacts.  How Secretary Chertoff reacts.

The bottom line is the government has not paid enough attention to this.  They haven’t put enough money into it.  They haven’t given it the priority that it deserves.  A cyber Pearl Harbor could very well happen and we’re all kind of frustrated at the pace at which the government has been reacting to this.

I think that we’ll get some of this worked out in the bill as it moves forward, but we’re years, not months, but years away from where we need to be on this.

SESNO:  Before you go, I’m wondering if I can turn to Jody at the end of the table to throw some thoughts on the table in terms of creating incentives within the private sector to do this and get your response?  We’ve talked really exclusively about the government’s role so far.

JODY WESTBY, MANAGING DIRECTOR, PRICEWATERHOUSECOOPERS:  Let me say first I’m speaking in my own personal capacity, not on behalf of PricewaterhouseCoopers.  One incentive that I think would be useful would be a requirement in SEC filings that companies simply state what they’re doing to protect their digital assets.

Let me read you a sentence from the Caremark case that came out in 1996.  “It would in my opinion be a mistake to conclude that corporate boards may satisfy their obligation to be reasonably informed concerning the corporation without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide senior management and the board timely, accurate information sufficient to allow management and the board to reach informed judgments.”

Now, that’s 1996.  For nine years, I’ve been reading this quote, and for nine years, I’ve been trying to get CEOs and boards to wake up to the fact that IT security is something important to them and they haven’t gotten there yet.  Now, Marian and the work she is doing in Business Roundtable is absolutely critical to making this go forward.

But they clearly have an obligation to protect the assets of their corporation and to protect its financial stability.  And today, assets of corporations, 80 percent of them are digital.  We have clear correlations now between cyber incidents and loss of market share, financial loss, drop in market capitalization, damage to a brand, and legal liability.  Now that is a pretty strong indication that that board should take responsibility.

SESNO:  And they’re not?

WESTBY:  No, they’re not.  And so if you would have a requirement that simply in an SEC annual filing, they have to state what are they doing to protect their corporate assets, I think it would go a long way.  It could be something as simple as Y2K.  You saw what happened.  Everyone started to say, here’s what we’re doing and it wouldn’t be onerous.

They could make it be what they want to be, but there would be market forces and pressure from shareholders to say, “what are you doing.”

SESNO:  All right.  Let me get Congresswoman Lofgren before we lose her.

LOFGREN:  That’s one of the things where we had like 25 different hearings and meetings on these issues in the last Congress.  The analogy to Y2K I think is erroneous because in Y2K, we knew exactly what the issue was.

We knew what the timeframe was, and there was no enhanced danger from disclosing the steps taken to deal with Y2K.  The problem and the concern I have, and maybe there’s a way to do this, but we never did come up with it, is that if you disclose what you’re doing to protect yourself, you’ve actually given a roadmap to those who want to attack you on where you’re not protected.

So we do need some incentives for business to take the prudent actions that they need to take, but I was concerned and I think Congressman Thornberry as well, on the SEC disclosure idea.  Maybe there is some way around it.  I do think that there is, even without the Congress, some growing liability issues, if not under federal law certainly under state law, that are going to come into play.

It is possible today that technology is available to encrypt your data at risk.  There is no excuse for anybody to have their data ripped off and put the individuals whose data has been stolen at risk.

And under California law, there is some liability, there are losses that are going to be filed, and anybody who doesn’t take the cheap and easy step to encrypt their data and thereby puts their clients at risk is going to face a large dollar amount of liability.

SESNO:  But requiring S&P, you don’t want to …

LOFGREN:  I’m very concerned that it would actually enhance the risk.

SESNO:  OK.  Everybody wants to jump in.  Congressman,

DAVIS:  Well, that’s not what the SEC was designed to do and I think basically that you’re giving a roadmap not just to people who might intend some invasive procedure onto your computer models and your cyberspace, but also trial lawyers and other groups.  I think it’s borne out of frustration with the current system, but I agree with Zoe.

WESTBY:  I may respectfully disagree with both Mr. Chairman and the Congresswoman.  I come from a company that specializes in the controls and metrics of Sarbanes-Oxley, and there would be no more revealed in talking about the compliance of IT security than, in fact, the compliance of financial controls.

We knew less about Y2K than we know about the kinds of security breaches that can happen on IT systems.  If you simply had a statement that said, “We are regularly assessing our IT risks to corporate operations and we’re managing our threats and vulnerabilities.  We have established corporate policies governing IT usage, cybersecurity and employee conduct.

We have incorporated best practices and standards in our operations.  We are ensuring adequate funding for our enterprise security program.  We have implemented training and we have controls and metrics and we are watching those to see that there is compliance and that we’re enforcing those and we are conducting regular reviews and audits.”

That tells the shareholder a lot and they can’t sign that statement unless they are doing those things and that doesn’t reveal anything.

But they would say – they would have to do it if they …

SESNO:  I don’t want to get too bogged down in this.  It’s a very interesting point and it starts to bring together the issues of regulation in the private sector.  And I know you need to go, but I’d like to just button this up with one response to this if you’ve got it.

LOFGREN:  Well, let me go back to the first issue, which is leadership in DHS.  We were chilled in looking at this last year for a variety of reasons.  If there is a way to accommodate this approach without enhancing risk, I think that’s something that the Congress would look at, but I think we need leadership within the Department to help us analyze the pros and cons of the various incentives and disincentives to take action.

And we lack that right now and I’m going to go right now to the floor of the House and see if we can help get that.

SESNO:  What are you going to say?  What are you going to say on the floor now?  Let’s do it?

LOFGREN:  Let’s do it.  Thank you very much.

SESNO:  Thank you very much.  Let me just say, we’ve got six hours of debate.  I’m going to get over there a little later.  I’m not shirking my responsibility.  Let the record show.  Paul, you want to jump in?

KURTZ:  Yes.  I just wanted to respond to this whole question.  I’d have to respectfully disagree with where Jody is coming from.  She’s already said the two magic words and they are Sarbanes-Oxley.  Sarbanes-Oxley has had a dramatic impact in corporate board rooms across the United States as far as focusing more on the role of IT and how their operations operate, or how their operations work.

It’s been very costly.  It does in fact get into IT security issues.  Internal controls more or less translate into cyber security.  So I think laying another requirement over publicly traded corporations through the SEC is not the right way to go.  I’m where Congressman Davis is, which is that’s really not the SEC’s direct responsibility, but let’s go to another angle.

One, I think we have to look at the debate that’s been out there regarding Sarbanes-Oxley and the impact it’s had on the global markets and folks even talking about delisting themselves from U.S. exchanges.

If we look at the idea that Jody’s talking about, you really have to look at risk benefit in that space.  The other point I would note is that not every corporation out there is publicly traded.  So you’re only reaching those corporations that are publicly traded.  You’re leaving a lot of other institutions off the table.

So I think we need to let Sarbanes-Oxley work before we start laying any more requirements on top of corporate America or publicly traded corporations in this space.

SESNO:  I mean, if I may for just a moment, folks, depart from this table and turn to President Merten briefly.  The story was that George Mason University systems were breached apparently with some 30,000 …

PRESIDENT ALAN MERTEN, GEORGE MASON UNIVERSITY:  Thirty thousand names, and 30,000 social security numbers.

SESNO:  And since that time, what’s been done?  I ask you this question because what I’d like to ask the panel to discuss after you answer this is, how can we, government, private sector, incentivize cyber security if the threat is as wide and broad and deep as you’ve said, both in terms of hacking for various reasons and terrorism?  You’ve got to get out in front of it.

MERTEN:  I mean, the biggest thing we did in relation to the comments is we’ve now had to move the responsibility to every office within the university.  I think in the past, there was a feeling that somebody else was going to worry about these things, that information technology people were going to worry about it, that it wasn’t mainline to people’s jobs.

And we’ve changed that.  I’m going to just comment, about 25 years ago I was a co-author of a report by the Financial Executive Institute after the Foreign Practices Act came out on internal control, and the two things we found out that are still with us, and Jody got to one, and that is that people in the corporate world normally don’t want to think about bad things.

The general way is a CEO, a senior vice president, wants to think about good things.  They want to be in the business – they want to be in the business of selling their products.  The second thing, remind people that computer scientists, the best computer scientists today, do not go into the business of security.

They’re in the business of creating value for their company.  They’re in the business of exciting systems.  So we’re talking about something here that runs against human nature.

DAVIS:  Can I cut in?

MERTEN:  Please.

DAVIS:  Alan, it’s worse in government.  At least in the private sector, you have some incentive because the downside is huge if your systems are breached, if information gets out or, you know, if you’re a banker or insurance company or whatever, and that’s why they are ahead of government.  In government, it’s even worse.

If you’re a manager in government, even under FISMA, we find out so many times the manager will check off what they need to check off and move on and just hope it doesn’t happen on their watch.  But they have a limited number of resources and they’re going to accomplish their mission and go on from there and take the chance nothing happens.  Private sector is a little different because there is a huge downside.

A cyber penetration into a business at the wrong time can cost you your business, so you’re seeing them being a little more defensive and being a little more proactive.  In government, it’s even more dangerous in many cases because of the types of things that hackers, or somebody with malice aforethought of penetrating, can get in and control.

SESNO:  So how do we incentivize this?  How do we incentivize the private sector which is where the bulk of this technology, this information and these resources lie?

DAVIS:  Well, you have one bad cyber breach or mini Pearl Harbor, the lawyers get into it and everybody is going to be incentivized real quick.  I mean, that’s the reality on that.  I hope it doesn’t take that and some companies are in fact ahead of the curve on that.

HOPKINS:  Yes.  Frank, the bottom line, to put it very simply, is if you mandate IT disclosures, you’re going to have a leveling effect on IT security.  Well, it depends on what your goal is here.  If your goal is to do what the Congressmen are suggesting happened, which is to incentivize lawyers, go ahead and mandate disclosures to the SEC.

But if you really want to get companies to step up and take charge of IT security, then as we have recommended, it’s about a shared responsibility.  It’s about the CEOs bringing IT management to the board, to the CEO level, which we have strongly recommended.

SESNO:  But they haven’t done it.

HOPKINS:  Well, you don’t know that they haven’t done it.  Companies are spending more on IT security now than they ever have before and IT security is better, but we’ve got a problem here.  We’ve got a software problem and we’ve got a hardware problem.  We need to get at the heart of those problems too.  It’s about a shared responsibility.  It’s about the end users.

It’s about the IT suppliers and about the federal government doing what they need to do.  So there is no one simple easy fix.  It’s a shared fix.

WESTBY:  Let me make clear, I’m not advocating mandating disclosures, so, Marian, I don’t think that’s what you thought I was saying, but I am saying there should be reporting of protections, and to say this isn’t an SEC responsibility, I don’t understand that, because we have clearly shown that these breaches have a financial impact on a company and on share value.

And that they impact the shareholder and we have clearly seen from what’s happened in these cases after Enron, you can’t throw the CIO and the CSO over the wall any more than you could throw the CFO over the wall.  You have to be responsible today for your corporate operations and just because it’s a public company and it’s not going to reach everybody, is no reason not to do it.

It sets an example for everybody else.  But Chairman Davis has done a lot of good things just through his work with FISMA and then also with NIST, because they have set world class examples for an enterprise security program and world class guidance.  So to you, Mr. Chairman, I would say those kinds of activities have been very helpful in moving the private sector towards knowing what to do.

SESNO:  Paul, let me let you get in here.  Go ahead.

KURTZ:  I thought she was doing just great there.

SESNO:  Oh, OK.  Compliments are easily accepted, is that right?

KURTZ:  On the issue of incentives, I guess I’d make a few points.  I think one of the things that is very interesting to note in the market is that some firms are starting to see security as a competitive edge, where they can distinguish themselves from their competitors.

When we look at advertising on TV, we see some very creative examples of that.  We’ve seen it with America Online and with other ISPs that are out there.  We’ve seen relationships develop between authentication firms, about how we might do more to secure our systems.

So people are seeing that as a competitive edge.  I think that’s a positive thing.  Behind that, how do we incentivize in this space?  The Congressional Research Service put out a report in February or March of this year, which admittedly says, this is a very tricky issue.  How do we actually go down this road?

Representative Lofgren made reference to one of them, and that is insurance.  How can we possibly stimulate more insurance writing in this space in order to deal with the problem that you spoke about?  We don’t necessarily like to deal with bad news.  You can’t really talk about cyber security in terms of a return on investment.  It’s very difficult to do that.

It’s more in terms of talking about making sure you have fire alarms in the building, making sure that if you have a problem, that you don’t suffer those big losses or suffer the loss of reputation or suffer in shareholders.  So we need to kind of think about how we couch this issue.

Insurance in fact may well help in that space.  Looking at the issues of certification or self-certification in conjunction with some sort of Safe Harbor activity, which would require changes in law, would be an interesting space to look at.

SESNO:  Comments?  Those are interesting spaces to look at.  Is that the way to go?  Let me read you something here and then I want to turn to your questions if I may, and so please be ready.  This is an article that appeared a few months back entitled, “Industry Frustrated as U.S. Cyber Security Plan Stalls.”

The reporter wrote that under the government’s National Strategy to Secure Cyberspace plan, “The government by now is supposed to do more to ensure that software companies make better programs with fewer bugs and holes that can allow hackers to exploit computers and the Internet, but finding and fixing software problems has been left almost exclusively up to private industry.”

The article goes on to say, “Most information about Internet attacks and their remedies still comes from private security companies, academics and others as opposed to the Department of Homeland Security as promised.”  Is that a fair assessment and would any of these legislative changes being discussed, alter that?

DAVIS:  I think it’s got to be cooperative between government and business, so you don’t want government coming in here and starting to pass a lot of laws directing this or that.  I always go back to the analogy, we have to remember that the software industry and the whole IT industry is really driving the American economy, and it’s going to drive the economy of the 21st Century.

I don’t know how much over-regulation you get into if the government comes in and starts writing a lot of this up front and starts taking away some of the innovation that the marketplace, I think, is going to sulk.

SESNO:  That’s interesting, because you mentioned a moment ago in your analogy of fire alarms in buildings.  Fire alarms in buildings are required by building code.

DAVIS:  They are.

SESNO:  If people don’t do it …

KURTZ:  Bad example.

SESNO:  … well, it was your example.

KURTZ:  Well, I would go back to what is actually happening in the private sector.  I think using the example of a fire alarm was that people have tried to describe cyber security in terms of what’s the return on investment.  And it’s in fact difficult to make that argument of a return on investment.

It’s more insuring your intellectual property, insuring your human resources, the security and privacy of your human resources, insuring your market share and your investor value.  Those are the kind of issues we need to kind of think about and how information security plays in that.

Since we’ve been looking at this issue over the past 10 years or so, we’ve had a lot of discussion of partnership, but we really haven’t drilled down to roles and responsibilities as to who is responsible for doing what.

I think the debate up on the Hill now involving data broker security issues and breach notification is starting to open up new avenues of people to discuss these issues and what really is the government’s role and responsibility in this space.  It’s not necessarily straightforward.

You know, the need to develop more secure software code is happening within a lot of firms.  People are recognizing their existing hostile environment, but in fact, more needs to be done.

Congressman Davis has spoken about this too, of encouraging more education, more R&D, so we can actually have systems in the future that can operate in a very hostile environment.

DAVIS:  Well, I think a lot of it is going to be market driven.  Now you’ve got to remember, that about 90 percent of the critical infrastructure is owned by the private sector.

And one of the roles of the position here at Homeland Security that we’re creating is going to be, is trying to coordinate some level of security there.  But when you talk about your regular banks and companies and what they have to do for cyber security, I think the marketplace is going to set those standards pretty quickly.  I think you don’t want the government there.

SESNO:  I see your question.  I’m wondering if I could turn to our visitor, our guest from NIST here for just a minute and draw you in here and put you on the spot, and ask you, broadly speaking, where is this discussion about standards going, where do you see these trends, and to what degree does that address some of these issues?

JOAN HASH, EXECUTIVE SPONSOR OF CIP PROGRAM, NIST:  Hello.  My name is Joan Hash, I’m from NIST and I would say, in terms of standards, I’ve heard a lot of things here today about preparation, which we embrace at NIST.  We also embrace the concept of voluntary standards.  We understand and do work with the private sector.

To bring reality to the marketplace, something that is deemed to be feasible and has been bought into, certainly by industry.  Obviously, government cannot do its job without the partnership of that and so we do respect the things that industry can bring to the table, and in terms of those discussions of standards and product, hardware and software products.

SESNO:  Do you see it changing?  Do you see it changing at all?

HASH:  We see ourselves in a partnership.  I think Paul was correct.  I mean, we do see movement in terms of the attention that industry is giving to security features and products, but I’ve heard a lot of other things I want to say today in terms of – and a lot of people have mentioned it, but the holistic view of security, “no one component to us is more important than the other.”

We certainly heard training. Research, we need to partner with industry.  To us, it is a holistic story, the failure of any one piece of that is a failure because the security story looks different depending on where you sit.  My home user and my student, university president, and my person that plays in the private sector, and so to us, have to come together.

I hope, we’ve tried to obviously do our role, our job, in terms of trying to set a context with discussion.  In other words, we’ve done a lot of work to even bring the language.  You need to have an understanding when you speak to people about security so that we try to lay standards and guidance that presents for people a baseline of discussion that you can come to. If you say a word, I understand what it means.

If you mention a concept, we could have some common understanding of it.  To us, we’ve always been engaged and involved and supportive of the voluntary standards approach with industry.  And that has seemed to work very well, and I think one of the great success stories was the Advanced Encryption Standard, where that exercise was very well done.

SESNO:  OK.  Thank you.  Thank you.  There’s a question up here.  Let’s go to the floor now for a couple of questions.  If I can ask you, if you would like to direct your question to a particular individual, please do that.  If you could identify yourself, thank you very much, and if I could ask you to keep your question fairly tight, we’ll get a lot more in, in the remaining two minutes.

UNIDENTIFIED PARTICIPANT:  Your comment may be longer than my question.  I’d like to direct the question primarily to Marian Hopkins and that is:  you spoke of innovation.  Who would you like to see have the major responsibility for promoting breakthrough innovation?

HOPKINS:  The private sector because we do it best.

UNIDENTIFIED PARTICIPANT:  Well, who in the private sector is doing it?

HOPKINS:  Well, the IT industry I think has done actually a fabulous job in developing new products and technologies that we put to use every day.  So you know, I think the private sector and the millions and millions of companies that are out there.  Most of the investment and technology in R&D right now does come from private sector.

I think the federal government does have a role in it.  Again, I get back to my shared responsibility state, the IT providers, the manufacturers and producers, you can drive it through the market and through need by the end users, and the federal government in terms of setting strategic policy goals and objectives to move us all in the right direction.

So again, it gets down to sharing responsibility.  There is no one segment that I think has sort of complete control of that.  We all have a role in that.

DAVIS:  Let me just say this.  The federal government is the largest purchaser of IT products in the world, $65 billion annually, going up again this year.  With this buying power, I think we have to make sure that information security is a priority.  If the government makes it a priority with what we purchase, you’re going to see the private sector responding with more and more innovations.

That makes it also lower cost then to the private sector for what they’re doing as well.  But we have an important role as the government continues to buy these products and look after the competitive sector to provide these products to kind of set a standard that the other companies can utilize what we’re doing.

If we don’t make information security a priority at the federal level with the amount of money we’re spending, I don’t think you’re going to have the same availability to …

SESNO:  What does it take to make it a priority?  I mean, that’s the question.  That’s what we’ve been discussing here.  It seems to me, this afternoon, making it a priority and establishing leadership, building these partnerships to accomplish these ends.  What’s it going to take?

DAVIS:  Well, I mean, I think they’re making it, getting there slowly.  We give them our FISMA report cards and I think the next step on FISMA is you start to take money away and you’re – rewarding away from people that are compliant and non-compliant with these issues.  And you’re going to have to use some kind of hammer.

Issuing a report card is an embarrassment to agencies as they go through, but these managers have so many priorities and so many check-offs they have to do every year.  We don’t want to make this another check-off and I think we’ll probably move to another phase, you know, in the very near future.  But it’s got to be driven from the top.  It’s got to be driven from the White House.

They set the priorities and OMB is the one that’s got to and across different agencies.  Right now what we’re seeing are different agencies give different priorities to this and it’s very, very uneven, even within DHS.

SESNO:  Another question from the floor in the back, please? 

UNIDENTIFIED PARTICIPANT:  For Representative Davis and Mr. Kurtz, what should the government’s role be in spearheading a transition to Internet Protocol version 6?

KURTZ:  I understand that there are a number of reports that are going to be coming on that.  I think the GAO is doing something in that space and maybe the Department of Defense, and I think there may be one other report out there.  I think the government, once again, as noted in the strategy, could lead by example in this space and look out and drive more rapid adoption of IPv6.

I think the issue that I would highlight now would be that there are a lot of IPv6-capable systems out there today that are operating in an IPv4-like environment.  What am I saying?  It means that there are vulnerabilities out there today that we may not necessarily understand.

As we evolve IPv6, we have to think of security and all that goes along with that along the way.  I know the Department – I think it’s the Department of Commerce – has this study coming out.  I know Dan Caprio just walked in as well.  And so I know there are three reports out there that are going to be coming out in this space, and we have to see what those reports look like.  But it’s a very interesting issue that we need to track more closely.

DAVIS:  Government can play a key role, but I don’t know that I’m familiar enough to say where we ought to go until I see some of the data.

SESNO:  OK.  Yes, sir?

JUSTIN TAFT:  This is to Paul or Representative Davis.  Two things, when I was …

SESNO:  Could I ask you?  I’m sorry, just to identify yourself for us?

TAFT:  Oh, Justin Taft.  Two things.  Growing up, Nancy Reagan set up on TV and said, “Say No To Drugs.”  There hasn’t been one public awareness campaign out of the government regarding cyber security, whether it’s awareness to the general public, corporate leaders, government users, whatever.  That’s the first question.

The second one is, to secure the government, why don’t you go after the contractors and beltway bandits who do all these services and say, “you can’t work for us unless you do X, Y and Z”?

DAVIS:  Let me start with the second part.  We do that.  That’s the whole role of OMB in this, in trying to take a look at all of the government contracting, across government.  To get that uniformity, it has got to be handled from OMB.  It can’t be handled within each department.

When we’ve gone that route, we’ve ended up with legacy systems that just don’t talk to each other and that’s been our whole problem.  I think we’re making satisfactory progress in moving now, government wide in that.

In terms of the government being out there with public service announcements or whatever, the private sectors that are providing these goods are doing a pretty good job of getting the word out in terms of what their products are.  Users are acutely aware of the problem.

Even your average home user is having to cope with all these pop-ups and phishing and having a lot of problems with their security.  So I think that the private sector is doing a pretty good job of marketing that.

SESNO:  So you think the market handles that?

DAVIS:  I don’t think the government needs to run a public service announcement.

KURTZ:  Yes, and just to build on what Congressman Davis has said, there is a group called the National Cyber Security Alliance, NCSA, which has been in existence now for a couple of years, which is really I guess one of the better examples of partnership out there, because there is money actually flowing in from the Department of Homeland Security in that space.

There’s money that’s being contributed on the part of the private sector.  You know, October is National Cyber Security Awareness month.  I know the folks who are working on that are looking to expand that agenda and do more in that space.

My organization, the Cyber Security Industry Alliance, has contributed financially to that and I think there are numerous other associations in Washington and individual corporations that are giving time and money in this space.  So there is work in that space and, Justin, I think we could do better.

I think we could do better in our ultimate strategy and how we reach people and communicating in a way that is easier for people to understand and in order to make the decisions as to what they need to do at the consumer level, at small enterprise level, which is really what you’re talking about at the end of the day.

SESNO:  John McCarthy, could I ask you just to put this discussion into a larger context?  I mean, we’re talking cyber here.  You know, when we talk about weapons of mass destruction versus weapons of mass disruption, what should we see this in?  What context should the public see it in?  Is it?

MCCARTHY:  Well, I think the discussion has been very interesting, and you know, from Justin’s, the public service view, Paul and I first met working on the first cyber strategy with Dick Clarke way, way back, and there was the whole issue of public communication.  We see all the communication.  Business Roundtable did an outstanding CEO guide.  You should hold that up, give it a plug here.

HOPKINS:  Thanks for the plug; it’s on our Web site. 

MCCARTHY:  You know, you have a tremendous amount of effort going into communication and I go into all parts of DHS and into DOD and you get that “deer-in-the-headlight” look of cyber as a weapon of mass disruption versus we’re really worried about important things.  It goes back to the cyber Pearl Harbor question.

Is there really a threat and where are we?  And I think we as a nation really haven’t put the context of the cyber there.  Yes, the weapons of mass disruption are real.  We have to deal with them immediately.  There are real and immediate things we have to deal with in cyber, but one of the things that I think may be lacking in the long-term agenda is who’s part of the strategic view of this?  Who’s looking at this cyber thing as the emerging threat?

I put it quickly on the table.  I entered the Coast Guard in 1977 as a reserve port security man.  At that point, the only people in the Coast Guard could be a port security, you know, as a reservist.

It was a backwater issue and it was less than one percent of the Coast Guard budget and when you talked about a container blowing up or commandeering a tanker and blowing it up, you were laughed at.  Fast forward 25 years, and port security is the hottest ticket in the Coast Guard and these are real threats.  Are we setting ourselves up for cyber the same way?

HOPKINS:  Well, the point that you made in terms of the strategic view is precisely correct.  What needs to happen is we need to pull all the best and the brightest minds together, which the Roundtable has been involved in a series of discussions, John’s worked with us, Paul has worked with us, thinking through how we need to manage ourselves as a nation in the event we do have this cyber Pearl Harbor.

I think I mentioned earlier in my discussion that we have something called the National Response Plan.  We do have the bones of it, but you have to think global on this.  It’s interesting, the federal government really has the responsibility to reconstitute in the event we do have massive cyber disruption, but it’s the private sector that has the resources to get it done.

So somehow we have to connect the people who have the responsibility and the people who have the know-how.  And I don’t think we’ve done that effectively yet.

SESNO:  Congressman?

DAVIS:  Well, the reality is, I’m not defending, I’m just saying it’s the way it’s been long before I came to Congress, government is best when they respond to a crisis.  When you talk about something out there that’s potential, everybody gives it lip service and you realize that we’re spending seven percent more this year on IT security at a time when generally funds are being cut across government.

So I think a lot of us are giving this a lot of attention.  Our FISMA report cards are getting attention now with the secretaries of cabinet meetings, and I just hope it doesn’t take an incident to respond to this in the crisis role.  So we’re gradually moving in the right direction, but there’s just a long way to go at this point and no, it hasn’t been given the priority I think that those of us, at least up here in the panel, would like.

SESNO:  Quickly if I can, I want to go back to the floor.  Go ahead.

DAVIS:  As far as strategic leadership in thinking, I take the point that we do need to think more strategically about this and pull people together.

But what we look at in the Congress right now, it’s interesting, we’re following at CSIA, over 20 bills that relate directly or indirectly to cyber security and we have a number of committees that obviously would have jurisdiction in this area.  And Congress is getting active, states are getting more active.

I think our latest count was 250 or so bills that indirectly or directly relate to cyber security within the states.  So in the future, what we’re looking at is perhaps a rather cumbersome compliance environment for people to …

SESNO:  Perhaps.

DAVIS:  Well, OK.  Well, all right.

SESNO:  250 bills in the states and I want to do business across the country, and what am I going to be faced with?

DAVIS:  OK.  Well, better spokesman than I.  So it creates a problem for the future, which means we do need to think more strategically.

SESNO:  All right.  Who does that?  Who leads that?

DAVIS:  We need to think more holistically.

SESNO:  Are we back to the assistant secretary or are you going to take the lead on this?

DAVIS:  Well, we’re going to help.  But we need to join with other organizations, and I wanted to go back to where Jody was a little bit ago.  We talk about getting CEOs involved and Sarbanes-Oxley’s having an impact in that and this space, and this is something CSI is working on right now.  Let’s bring CEOs themselves into this dialogue.

HOPKINS:  I think we’re there.

DAVIS:  Well, I mean a panel of CEOs talking about risks, talking about how decisions are made, where cyber security falls in their regime of how they make decisions about business.  I think that would be incredibly interesting.

We’re working on that right now and hope to have something done later this year.

SESNO:  Very quickly.

WESTBY:  Well, this is such an important issue and right now, I’m involved with a project with HSARPA, and DHS is HSARPA – that’s – their Advanced Research Project Agency is – has a very tiny budget for cyber security R&D, and it is one of the only entities doing unclassified R&D.  And what’s the project that I’m working on?

It’s to create test data sets of Internet traffic data, and the only data set that’s really out there that’s being used is one that ARPA created in 1998.  Now this is 2005.

So we need more funding from Congress for cyber security R&D and we need with that – this is an incentive kicker, Congressman – is intellectual property incentives for transferring into private sector, joint public/private sector R&D, I launched IncuTel for the CIA to find unclassified solutions to our intelligence community as well as pressing technology problems and I can tell you that the public and private sectors share problem sets, but they don’t know it.

Marian’s companies know their own problems, but they don’t know all the government’s problems and vice versa, and so public/private R&D incentivized by intellectual property transfer and increased government funding would be a fabulous thing to do.

SESNO:  OK.

DAVIS:  We try in the Homeland Security Bill when it was created to talk about some of those issues and some of the legal barriers right now that make it disadvantageous from amending the Freedom of Information Act where we got rolled on the floor of the House when we tried to do that, to do some modest tort reforms and alliance, but I agree with you.

SESNO:  A question from the floor right here.

SHARI LAWRENCE PFLEEGER, SENIOR INFORMATION SCIENTIST, RAND:  I’d like to address …

SESNO:  Could I ask you to identify yourself for us please?

PFLEEGER:  Yes.  I’m Shari Lawrence Pfleeger with RAND.  I’d like to address and build on the notion of incentives and taking a broader look at the research, some of which is already there.  For example, some of the things that you’ve mentioned like impacts on business related to cyber security incidents are different depending on whether you look short term or long term.

So for instance, yes, stock prices have gone down when there’s been an incident in the short term, but in the long term, research at Dartmouth shows that the stock price has recovered.  So one of the issues in incentives is looking at how short and long term behavior plays a role in the kinds of incentives that you offer.  If a company knows that eventually it will recover without doing anything extra, it may not pay attention to incentives.

HOPKINS:  They’re still going to lose money in that period of time though.

PFLEEGER:  Well, it depends …

HOPKINS:  They’ll still lose money.

PFLEEGER:  It depends on how much.  How many students are not applying to George Mason because of the stolen names and Social Security numbers?  Probably the answer is not very many at all.  So I think looking at some of the softer sciences and not relying only on the hard sciences may give you a different perspective.

SESNO:  Let me turn that around a little.  The George Mason example is probably not a great example.  If there were a similar example in the financial services industry, if a financial institution had had a similar breach and I was trying to figure out where I was going to open an account, as a business or a consumer, I wouldn’t go there.

Now you get into some very tricky issues about disclosure and competitiveness and all of that kind of business.  It’s a very difficult area to navigate.

PFLEEGER:  Well, I can give you a real example.  In 1994, $12,000 disappeared from my Citibank account.  Citibank never told me what the reason was, but putting pieces together after the fact, it was pretty clear that a hacker had gotten in and taken money out of Citibank accounts.  It was restored to my account.  Do I still have a Citibank account?

Yes, because I travel internationally and Citibank makes it easy for me to get money around the world.  Because I know about this computer security, I could put the pieces together.  Most people probably had no idea what was going on and were perfectly happy just to have their money restored to their Citibank accounts.

In the same way, how many people have changed their credit cards because credit card companies have lost information, Bank of America being a recent example?  Probably not very many, because convenience trumps the short-term security incursion.

SESNO:  Right.  This gentleman right there in front of you?

JOHN CARLSON, SENIOR DIRECTOR, BITS:  My name is John Carlson.  I’m with an organization called BITS.  We represent the 100 largest financial services companies and I thought that was a great segue to my comment, and that is, in our world, we’re heavily regulated and Congress adds on new requirements each year to do everything from know your customer and, you know, U.S. …

DAVIS:  But that’s for better or worse, right?

CARLSON:  For better or for worse.  So we understand that world in terms of we’re heavily regulated on everything including cyber security and information security issues.  And the challenge that we found, being in this world for a long time, is that we need to have these partnerships, as Marian mentioned, a shared responsibility.

And we’re really finding that that’s a very difficult effort to keep moving forward unless we have strong government partnership in this area.  The irony is we’ve had some of our best partnerships with our regulators.

SESNO:  So what needs to happen?

CARLSON:  So what needs to happen is, what can the government do in order to help make these partnerships work?

SESNO:  What do you think the government can do to make it work?

CARLSON:  Well, I think they need to do a number of things.  One, they need to equip DHS with the resources to make these partnerships work, to invest in those things.  As Jody mentioned, they need to invest R&D and get input from the private sector as to what to do.

They maybe need to deal with some anti-trust issues in terms of how do you get around the sharing of information that may be anti-competitive?

You also have issues with respect to tools that the government can provide in terms of how do you know whether or not a piece of software meets certain requirements, making the common criteria or product certification programs meaningful, robust, less costly to the manufacturers of software, maybe even putting a little bit more responsibility on the software manufacturers to just stand behind their products, because the liability is all falling upon the user.

DAVIS:  And you have huge FOIA problems too?  The Freedom of Information Act ?

CARLSON:  Absolutely.  We have information sharing centers, which we do share a tremendous amount of information.  Most of that is generated anonymously from within the private sector, not shared with the government, and that’s by design, but we need a more robust partnership, not just a few meetings here, a few meetings there, a lot of statements about how we need to work together, but a real meaningful partnership and we don’t have it today.

DAVIS:  Let me just say, I agree with that, and I think that we could institutionalize that through legislation that addresses the anti-trust and some of the tort provisions, some of the FOIA provisions that need to be addressed that would foster this partnership.

I just think there are legal barriers right now that no matter what the leadership is, make the private sector reluctant to engage in this because basically instead of limiting your risk, you’re exposing more risk by doing it.

SESNO:  We’ve got about five minutes left.  Let me do this.  This is the last question from the floor.

WYATT KASH, EDITORIAL DIRECTOR, GOVERNMENT COMPUTER NEWS:  Yes.  Wyatt Kash with “Government Computer News.”  I think one of the biggest motivators and incentives we’ve seen ironically is the law in California that’s forced companies to expose when their systems have been hacked.  You don’t need the SEC.  You don’t need laws.  You don’t need regulations other than saying you need to disclose it.

Is there any effort, Congressman Davis, to maybe do something more national that’s there, we’d put greater emphasis on companies to report this and as a by-product, perhaps put more energy behind this effort?

DAVIS:  You know, quite frankly, we just don’t look to the California legislature for our role model on a lot of this stuff.

SESNO:  Oh, they don’t look to you either, so it’s probably new to them.

DAVIS:  No, they don’t wait for us.

SESNO:  But what about the substance of the question, which is some kind of consideration of a national requirement for breaches to be revealed and made public?

DAVIS:  I think that’s been part of Putnam’s dialogue.  There are pluses and minuses to doing this internationally.

SESNO:  Where are you on that?

DAVIS:  I’m reluctant to do that.

SESNO:  Why?

DAVIS:  I just think there’s a major exposure to businesses and lawsuits and the like in doing that.  We see constantly people lining up looking for some excuse to sue you, expose a breach, something happened, nobody knew it happened.  But all of a sudden, you have these injured shareholders out there that didn’t know they had been injured.

You go to some rural county where the largest employer is jury duty, you file a class action and that’s the end of it.  And I’m just really reluctant to get into that, though the California legislature looks at it differently.

SESNO:  Paul, you want to get in on this?

KURTZ:  Well, just what I understand to be the case there on the Senate side, there are a couple of bills that have been floating around on national breach disclosure as well as on the House side.  And I think most of those bills have been proffered by the minority and I know that there is discussion on the part of the majority of some sort of national breach disclosure.

I think the issues that Congressman Davis has raised are thoroughly in the mix.  I was at a Senate Congress Committee last week talking about these issues and this gets to the issue of all the bills that are being proffered within the states.  Do we want one national breach disclosure provision?  Those are the kind of issues that people are starting to wrestle with.

DAVIS:  Let me pick up on that.  Now, if you couple it with appropriate limitations on tort liability and the like, that would be fine, but whenever you offer that, they back off.  And the California legislature didn’t back off.  So I think there are different motives for when you say disclosure.

WESTBY:  Well, and if I could add, I want the Congressman to know I agree with him on this.  Because mandatory disclosure laws only get a tiny percent of security breaches.

It’s not going to cover intellectual property.  It’s not going to cover economic proprietary information.  It’s not going to cover the other long list of categories that are protected under federal and state law and it’s not going to get people to do an enterprise security program.  So that just touches one problem.

DAVIS:  One data point here, when we went through the process and I was part of the University computer security review piece, but one piece of the process of looking at the California law and should we disclose, President Merten erred on the side of caution.  He said, let’s get out, let’s get ahead of this thing, et cetera.

Well, after we put the disclosure out, we were immediately deluged with numbers of businesses and other universities calling us saying, why the hell did you do that?  You know, you don’t meet the threshold and so there’s a whole discussion of what’s the threshold of, you know, we had Social Security numbers and a name and they said that wasn’t enough unless it was linked to a computer card or some other kind of identifier.

So there needs to be some clarification in this area.  If a CEO of a university or a CEO of a business has to make this decision, I think we need to have some better guidance here.

SESNO:  Let me bring us in for a landing here if I may, by asking each of you, in 30 seconds to solve all the problems of the world in the context of this conversation is.

The stakes are very, very high, and in your book there, you have the famous incident and you’re committed to protecting America’s CEO guide to security challenges.  Remember that sobering incident from 1992 where the teenager from Portland, Oregon, hacks into the VLM system and can open a hydro dam in Northern California?

Let’s think about what that can involve.  The Cisco System breach that took place last year, coming from a teenager in Sweden apparently, that then reached into some of our labs and NASA and places beyond.  The damage that could be done and the danger I think we pretty well established.

So if we’re interested in seeing these issues that we’ve discussed here today move forward over, let’s say the next 12 to 18 months:  What are, in each of your views, some of the key things that should happen that would suggest clearly progress?

Jody, you want to start?  Let’s just move right down.

WESTBY:  I think …

SESNO:  I challenge you to think in bullet points here, folks, because – time to move on.

WESTBY:  Thank you.  I guess that it’s just to get the message out to corporate America and into the board room, that they really do need to wake up and there are solutions and identify those.

SESNO:  OK.

KURTZ:  (A) understand the relationships between all the problems we have out there in cyber security now, taking a holistic approach.  In other words, spyware, phishing, data warehouse security, identity theft, they all have a relationship.  We need to see these things holistically and we need to take action at the federal level versus the state level.

Second point is to have more leadership out of the executive branch, ideally at the Department of Homeland Security, so we have that beacon if you will within the federal government to provide that overall strategy and leadership to the private sector and working its issues and I’ll stop there.

SESNO:  Marian, I’m going to let you go so the Congressman can have the final word.

HOPKINS:  Sure.  It’s about shared responsibility.  It’s about IT vendors doing better.  It’s about CEOs stepping up which we have advocated and it’s about the federal government showing leadership.  Until we get it all right, let’s make sure that if the worst happens, we know how to reconstitute.

DAVIS:  First of all, because of a lot of the penetration we’re getting, I think we have to continue to enforce the criminal law and we’re going to have to update it in some cases for things that we didn’t consider to be crimes.

People have to understand that.  Secondly, the government needs to take a greater leadership than we have, to keep our own systems secure.  We need to leverage the tens of billions of dollars we’re using every year, and we also, with the private sector, need to continue to facilitate information sharing.

SESNO:  And while we’ve got you here, what’s going to happen on the Hill this week?

DAVIS:  The bill will come out of the House fine.  Who knows what will happen in the Senate?  I make no predictions on the Senate.

SESNO:  So on that sobering note, folks, I want to thank our panel on behalf of the Critical Infrastructure Project at George Mason University, John McCarthy, thank all of you for having lunch with us today, and I hope this conversation was beneficial.  We appreciate your participation very much.

END
