 Page 7       PREV PAGE       TOP OF DOC    Segment 2 Of 2  
THE LOVE BUG VIRUS: PROTECTING LOVESICK COMPUTERS FROM MALICIOUS ATTACK
WEDNESDAY, MAY 10, 2000
House of Representatives,
Committee on Science,
Subcommittee on Technology,
Washington, DC.

    The Subcommittee met, pursuant to call, at 10:00 a.m. in room 2318, Rayburn House Office Building, Hon. Constance A. Morella (Chairwoman of the Subcommittee) presiding.

    Chairwoman MORELLA. Ladies and gentlemen, I am going to procedurally begin the hearing this morning with my opening statement. This is the Technology Subcommittee of the Science Committee, on ''The Love Bug Virus: Protecting Lovesick Computers from Malicious Attack.''
    A week ago, a number of people around the world began their day by reviewing their e-mails, including one with an attachment attractively entitled ''I LOVE YOU.'' Upon opening the attachment, however, these unsuspecting victims soon learned that saying ''I love you'' also meant having to say ''I'm sorry'' as they became victims of the Love Bug computer virus. In one day's time, roughly 47 million people received the e-mail worldwide and the virus looked for love in all the wrong places in over 10 million computers.
    Since its insidious inception in the Philippines, the Love Bug has already proved to be the fastest spreading and the most expensive computer virus in history, dwarfing the cost of the Melissa virus. Insurance giant Lloyds of London has estimated the virus will cost over $15 billion in damages and lost productivity. The advent of the Love Bug virus spotlights the continued vulnerability of our increasingly computer-dependent society.
    Nearly a year ago, we convened a hearing in the aftermath of the Melissa computer virus, which was widely considered a denial of service attack that was more akin to juvenile vandalism in its intent. The Love Bug virus, however, was much more sinister in its intent. Like Melissa, it targeted Microsoft Outlook users. But unlike Melissa, it spread to a victim's entire address book instead of just the first 50 names. It deleted picture and sound files from the hard drive and apparently attempted to steal the computer's password.
    Perhaps of greatest concern is the fact that experts are united in saying that the virus is such a simple program that even a sixth grader with Visual Basic scripting knowledge could have created it in a few hours. Indeed, the alleged perpetrators are students at a computer school without much training who simply copied source code from previous viruses, purportedly with the intention of stealing computer passwords.
    Last year it was the Melissa virus; today it is the Love Bug. What will tomorrow's threat be? I don't know the answer, but I do know that as I speak someone around the world is probably conjuring up that threat right now.
    The Love Bug underscores the need to recognize and effectively combat the risks involved that can potentially create severe business disruption, economic calamity, and national security breaches. For about $8 an individual or organization can purchase the best information security tool in the world: a pair of wire cutters. Of course, in this age of e-commerce, interconnectivity is not—it is not practical to disconnect. To date, our information security efforts are proving ineffective because too often we are simply focusing on and reacting to the threats of the past. It is time that we took a proactive approach to safeguard our computer systems from evolving information technology threats of the future. We must now begin the process of laying the foundation for a coordinated national effort to guard our information technology systems from hackers or those with nefarious intent.

    In other computer security hearings held by this Technology Subcommittee, we have heard a constant theme: most systems are simply too vulnerable and not enough is being done to protect critical information systems from attack and corruption. While computer security experts and the industry may remain divided on certain issues—such as how to deal with the collateral issue of privacy—there is general consensus on the need to increase computer security education, training, and scholarships.
    There is also consensus on the need to create collaboration, both internally and with Government, in reporting, responding, and exchanging non-proprietary information concerning threats and attacks. Additionally, there is also consensus that computer security initiatives should be industry-led. But the Federal Government can play an important role in coordinating efforts, working with industry to develop new security techniques and standards through its scientific laboratories such as the National Institute of Standards and Technology.
    This is the proactive and bipartisan approach the Science Committee has undertaken in the crafting of H.R. 2413, the Computer Security Enhancement Act. That legislation remains a legislative priority. I expect it to be favorably reported when the full Science Committee meets to consider legislation. In my view, strong policies and widely available safeguards, along with a concerted effort to coordinate efforts, are critical to protect our Nation's information systems.
    And to assist us in our efforts this morning, we have assembled a panel of very distinguished information security experts. I look forward to their testimony.
    I think at this point I can indicate who the panelists are. As I mentioned, we are fortunate to have a distinguished panel of experts, who took the time out of their busy schedules, with very little notice, to discuss these issues with us this morning.
    First we have Mr. Keith Rhodes, someone who has been with us with some frequency and given us the benefit of his hard work and technology assessment. He is with the General Accounting Office's Information Management Division. And as always, we very much appreciate the important work that Mr. Rhodes and his colleagues at GAO do in support of this subcommittee's efforts.
    Next we have someone who is also a very familiar face before this subcommittee, Mr. Harris Miller, who is President of the Information Technology Association of America. Mr. Miller did a terrific job leading the IT industry in its efforts to deal with the Year 2000 computer problem. He is now undertaking the very same effort with regard to computer security.
    And third we are going to hear from Ms. Sandra England—I think she pronounces it Angland—Senior Vice President, Development, with McAfee, the Anti-Virus Division of Network Associates. Ms. England has significant software industry experience, including working at Network Associates' Security Division, which I understand is in my district in Rockville, Maryland. Not only did Ms. England alter her schedule, but also travelled through the midwest storms and tornadoes to assist us today. Thank you very much for being with us.
    And fourth we will hear from Dr. Peter S. Tippett, Vice Chairman and Chief Technology Officer for ICSA.net. Dr. Tippett is nationally renowned as an expert on corporate computer security and he chairs the newly formed Alliance for Internet Security. I thank you for being here again.

    "The Official Committee record contains additional material here."

    Chairwoman MORELLA. Again, I thank all of you—the witnesses—for being with us today. I look forward to your testimony.
    And finally I want to point out that the subcommittee will receive testimony for the record—we have already received it for the record—from Dr. Peter G. Neumann of SRI International's Computer Science Laboratory. And we will include his testimony in the record and post it on the web site.
    I would now like to follow the policy of the Science Committee in asking our panelists to stand and raise their right hand to swear—to be sworn in.
    Do you solemnly swear that the testimony you are about to give is the truth, the whole truth, and nothing but the truth?
    [All witnesses respond in the affirmative.]
    Chairwoman MORELLA. Thank you.
    The record will demonstrate an affirmative response by all.
    Again, traditionally what we try to do is keep testimony to about 5 minutes, recognizing that everything that has been submitted will be included in the record in its entirety, and then I will proceed with the questioning.
    So we will start off with you, then, Mr. Rhodes.
TESTIMONY OF KEITH RHODES, TECHNICAL DIRECTOR, OFFICE OF THE CHIEF SCIENTIST, U.S. GENERAL ACCOUNTING OFFICE, WASHINGTON, D.C.

    Mr. RHODES. Thank you, Ms. Morella.
    Thank you for inviting me to participate in today's hearing on the I LOVE YOU computer virus. Unfortunately, once again, I come before you to announce that the world is not practicing safe computing. At last year's hearing on the Melissa virus, I stressed that the next virus would likely propagate faster, do more damage, and be more difficult to detect and counter. This is just what we have experienced with I LOVE YOU. While it looked a lot like Melissa in its operation, it moved much more swiftly, and it appears to have caused more disruption.
    Although many will argue the semantics of I LOVE YOU—is it a virus or a worm or a Trojan horse—all will agree that it qualifies as malicious code, that is, code that does something other than what the user wants it to do. The modus operandi is very similar to Melissa in that the malicious code arrives via e-mail, probably from someone you know, with an attachment called LOVE-LETTER-FOR-YOU.TXT.VBS.
    The suffix VBS means that the attachment is executable code, not just text. Once the reader clicks on this file, I LOVE YOU attacks Microsoft Outlook—as you pointed out—mails a copy of itself to everyone on your mailing list—Melissa just used the first 50 names. It infects the software that supports chat rooms so that anytime a chat room is set up I LOVE YOU is sent out to all the chatters. It looks for picture, video, and music files to overwrite them with itself, since picture, video, and music files tend to get executed more often. And finally, it infects Internet Explorer with its password stealing program that activates when the system restarts.
    The I LOVE YOU virus spread more effectively than Melissa for two main reasons: one, it sends itself out to everyone on the mailing list and two, it came during the week, not on a weekend. And spread it did. By 6:00 p.m. on May 4th, the CERT at Carnegie Mellon estimated that approximately 420,000 hosts were infected. The next day, variants entitled ''Mother's Day,'' ''Very Funny,'' and the like were being sent out. The Department of Defense's Joint Task Force Computer Network Defense Group has identified at least 14 variants of I LOVE YOU, one version of which, entitled ''Virus Alert'' was more dangerous than the others since it corrupted and overwrote critical system files.
    Thus, the Love Bug hit large corporations like AT&T, TWA, and Ford, the Washington Post, ABC News, the British Parliament, the IMF, at least 14 U.S. Government agencies, as well as myriad schools, credit unions, and individual citizens. It shows again, for example, that computer attack tools and techniques are becoming increasingly sophisticated in direct proportion to how the infrastructure is becoming less sophisticated.
    Viruses are spreading faster as a result of the increasing connectivity of today's networks, commercial off-the-shelf products can be more easily exploited for attack by all their users, and there is no silver bullet solution to protecting systems, such as firewalls and encryption. No one thing is going to solve the problem.
    I make it akin—the responses that we're making now are sort of like we're lining up little Dutch boys and saying, ''Put your fingers in the dike.'' Unfortunately, what we need to do is start stacking the little Dutch boys like cord wood because there is no dike.
    So what can agencies do? Agencies, both inside and outside the Government, can act immediately to address the weaknesses I just described and thereby reduce their vulnerability to computer attacks, including the I LOVE YOU worm/virus. Specifically, they have to do, as you said, Ms. Morella, increase awareness, ensure that existing controls are operating effectively, ensure that software packages are up to date, use automated scanning and testing tools to quickly identify problems, expand their best practices, and ensure that their most common vulnerabilities are addressed. This, however, requires central management.
    There are some specific things that people can do to combat viruses and worms. They can take steps such as ensuring that security personnel are adequately trained to respond to early warnings of attacks and keeping anti-virus programs up to date. Strengthening intrusion detection capabilities may also help. Clearly, it is difficult to sniff out a single virus attached to an e-mail coming in, but if 100 e-mails with the same configuration suddenly arrive, an alert should probably be sounded.
    User education, as you pointed out, is also key. In particular, agencies can teach computer users that e-mail attachments are not always what they seem and that they should be careful when opening them. By no means should users open attachments whose file names end in .EXE unless they are sure they know what they are doing. Users should also know that they should never start a personal computer with an unscanned floppy disk or CD-ROM in the computer drive.
    But these are individual things that can be done. The broader issue is that agencies need to assess risks and determine protection needs. They need to select and implement cost-effective policies and controls to meet these needs. They need to promote awareness of the policies and controls and of the risks that prompted their adoption. And they need to implement a program of routine tests and examinations for evaluating the effectiveness of these policies.

    That gets to the broader issues. Now, if I can include some points from Dr. Neumann's testimony regarding what this Science Committee can do. Specifically, the Science Committee should be interested in encouraging further technological improvements that are desperately needed. For example, security and robustness in operating systems, applications, networking, cryptography, authentication, accountability, source available software that can through collaborative efforts be more readily improved than can closed-source software, and systems that are easier to administer sensibly. You should also be considering pervasive educational efforts, certification of programmers and companies that develop critical systems, and incentives for better progress together with financial disincentives for poor performance.

    Even though there is going to be a discussion—a continuing discussion about how much damage the virus did, what I need to make clear about these virus attacks is something more insidious than just the fact that the attacks are taking place. We have not routinized the process and procedures to eliminate the surprise and the heroic measures taken to counter these attacks.

    Even after Melissa, private and Federal organizations are expending a considerable amount of time, cost, and other difficult-to-measure resources to defeat these attacks. These resources would otherwise be expended on generating value, knowledge, and wealth. This is the more disconcerting and pernicious element of mass virus attacks.

    I thank you for your time and would answer any questions that the committee has.

    [The prepared statement of Mr. Rhodes follows.]

    "The Official Committee record contains additional material here."

    Chairwoman MORELLA. Thank you very much, Mr. Rhodes. And you did compact your testimony very nicely. I appreciate that and we will have questions for you.

    We have been joined by Mr. Gutknecht, and I am now pleased to recognize Mr. Harris Miller.

TESTIMONY OF HARRIS MILLER, PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA, ARLINGTON, VIRGINIA

    Mr. MILLER. Chairwoman Morella and members of the subcommittee, thank you for inviting me to testify on the most recent international computer crime incident, last week's Love Bug virus. As president of the Information Technology Association, representing over 26,000 IT companies across the United States, we have focused intensely for several years on the need for good cyber hygiene, for the need to deal with the issue of cyber security. And of course, because 90 percent of the world's information infrastructure, including most of the Internet, is run by industry, this must be a topic in which solutions are led by industry.

    I also serve as president of the World Information Technology and Services Alliance, representing 41 associations around the world, so I also bring a global perspective to this challenge.

    We understand the potential growth of the Internet, e-commerce, and e-business. We know the Internet is rewriting economic history. But along with the blessings of this new prosperity comes a challenge: the new vulnerability exhibited by this evolving infrastructure. The openness of the Internet is both its blessing and its curse when it comes to security.

    Last week's I LOVE YOU virus caught many unwary computer users and network administrators completely off guard—again. This after the widely reported Melissa and Chernobyl viruses, the recent denial of service attacks at popular web sites, and less known works of digital mayhem. Why do computer users continue to fall prey to hack attacks? And what can be done about it?

    Some of the answer is in fact found in the society's collective coming of age. Elected officials and the public generally give cyber crime lower priority than other types of crimes because it rarely involves physical violence. No doubt this attitude is changing, as your holding of this hearing today suggests.

    What thrills a tech troublemaker? While there is no surefire way to single out a would-be hacker, corporations and Government are taking a more serious look at how to avoid hiring these individuals. Approaches short of psychological profiling can be very effective and are becoming more widely employed, such as background checks, polygraphs, online monitoring, online name searches, employee counselling, and of course, awareness training.

    But the fact is whether the motivation is curiosity, ego, competition with fellow hackers, the desire to control, hacktivism—which is political activism through hacking—revenge, or greed, there is a subculture out there that is actively plotting its next move, as you said. The Love Bug can be seen as an evolutionary link in the hacking chain.

    What can we do? Solutions require responsible engagement across the Internet community. Love Bug was just one more wake-up call to corporations, Government, educational institutions, and individuals that they must collaborate to get out in front of the next intrusion, virus, or threat. This is not a time to bury our heads in the sand or to throw our computers out the window.

    So what are these specific steps? Number one, organizations and individuals must stop being easy targets for cyber criminals. Both business and Government agencies need to make information security a much higher priority with active executive level support for cyber crime prevention. Similar to Y2K, until the top executives of an individual organization or Government agency make this a priority, it will not become a priority for the entire organization.

    When you get this executive level buy-in, you will find the creation, implementation, and enforcement of a robust information security plan where employees are fully educated on best practices and vendors and suppliers are active, too. Everyone must practice good cyber hygiene, the idea that we all engage in best practices. These include people in business and home users.

    Number two, information sharing is another key challenge. Companies are reluctant to share information, particularly sensitive or proprietary information about threats to their information security systems because of the impact in the marketplace, because of potential negative media, perhaps because of concerns about intrusive investigations. So we are working at ITAA, following the meeting that was held with President Clinton after the denial of service attacks, to create an information sharing mechanism.

    We are making very good progress with over 100 IT companies actively engaged in developing this mechanism. We are looking at a formal announcement of our mechanism in mid-summer. This mechanism will collaborate with mechanisms in other industries such as the one that already exists in the financial services industry. The bottom line is developing trust within industries, across industries, and between industries and Government.

    Number three, global awareness is also a key to success. As you pointed out, this bug originated outside the United States. It appeared in the Philippines. So we must have a global approach to meeting these challenges. Governments, multi-national companies, multi-national organizations must work together to create common ground. ITAA and our global association will host the first-ever global security summit here in Washington, D.C. on October 16th and 17th to bring together leaders across the nations to discuss the ways they can collaborate internationally. We hope to establish the same type of international collaboration plan that existed to deal with the Y2K bug.

    Fourthly, we must start young. Teaching responsible computer use to young users will help ensure a better understanding of right and wrong in cyber space. Did ''Mafiaboy'' have his ''Mafiaparents'' telling him not to do harm through destructive, malicious computer use? It is doubtful. Most kids—including very young kids 10, 11 and 12 years old—have a great deal of cyber knowledge. What they do not have is cyber ethics. Today's kids are the first generation of true cyber citizens.

    That is why ITAA is collaborating with Attorney General Janet Reno and the U.S. Department of Justice in what is called the Cyber Citizen Partnership—and I have a brochure I can share with the committee—which is directed to 10- to 12-year-olds to make sure that they are taught, along with the technology, the need to practice good cyber ethics.

    In conclusion, business and governments manage risk every day. Global computer viruses like I LOVE YOU are a growing component of that risk. If not addressed in a concerted way, this problem will grow to undermine the global information infrastructure, and ultimately the Internet economy. Consumers will lose confidence, companies will lose competitive advantage, and investors will seek opportunities elsewhere. Cyber crime must not become the accepted price of doing business on the Internet.

    Thank you, Madam Chairwoman.

    [The prepared statement of Mr. Miller follows.]

    "The Official Committee record contains additional material here."

    Chairwoman MORELLA. Thank you very much, Mr. Miller. It is also good to know that you have been pursuing this globally as well as nationally.

    Ms. England, we are delighted to recognize you and, again, thank you for coming.

TESTIMONY OF SANDRA ENGLAND, SENIOR VICE PRESIDENT, McAFEE—A NETWORK ASSOCIATES COMPANY, SANTA CLARA, CALIFORNIA

    Ms. ENGLAND. Thank you, Madam Chairwoman and members of the subcommittee, for the opportunity to appear before you today.

    I am Sandra England, senior vice president of development for McAfee Associates, which is a Network Associates Company. I manage an organization of over 200 software engineers and anti-virus researchers who are focused on providing solutions to companies for this type of problem.

    I brought with me today a copy of the source code of the original Love Letter virus, and I would like to submit that as part of my written testimony.

    Chairwoman MORELLA. Without objection, that will be part of the record.

    Ms. ENGLAND. Thank you.

    I would like to give you a quick overview of the company and the anti-virus products that we are providing and measures that we are taking to try to prevent this type of attack in the future. And I would like to share with you some thoughts on what we should do collectively to prepare ourselves better in the future.

    McAfee is the world's leading anti-virus software company with over 50 percent market share. Network Associates, our parent company, provides software designed to keep networks secure and to ensure and maximize network and web site up time. We have 3,000 employees worldwide, including over 200 in Rockville, Maryland, in Madam Chairwoman's district. We focus all our resources on security and availability of networks.

    It is quite remarkable that such business disruption as we have seen in the past 6 days can be wrought with such simplistic programs as the Love Letter virus. McAfee's anti-virus emergency response team—better known as AVERT—has teams spanning the globe from Oregon to the United Kingdom and to Sydney for round-the-world, round-the-clock protection against viruses.

    This is the first time in the research history of our company that our U.S.-based research team has not developed the solution to a virus crisis. This validates our company's decision to have multiple research command and control centers based around the world. It is imperative that anti-virus companies be able to operate rapidly in any time zone to develop the cure at the first point of infection.

    The AVERT team enabled us to respond immediately to the I LOVE YOU threat and have a cure available for customers within hours of the first detection. Our company is now working with the Justice Department, as we did during the Melissa outbreak, to help gather evidence on the creators of the original virus and the creators of its many variants.

    Although this virus is very high profile, new viruses are discovered on a daily basis. Last year, there was $12 billion in damage resulting from viruses. This is an ongoing problem and we shouldn't have to wait for a crisis situation to recognize that more effective solutions are required.
    The latest projection from Computer Economics estimates that the damage already from the I LOVE YOU virus and its variants is $6.7 billion. So this one virus in 6 days has caused more than one-half of the dollar damage that we saw in all of 1999. Our belief is that the year 2000 will see tens of billions of dollars in damage from viruses.
    During the past 6 days, we have seen 27 variants of the original virus. This indicates two things to us. First, this virus was very simple and effective and it has served as a catalyst, of sorts, for the virus-writing community. Secondly, it indicates the fervor of the virus writers and their eagerness to share, either privately or publicly, in the publicity afforded by this situation.
    The most important point to make about virus outbreaks is that there are tools to protect systems from these attacks. With the outbreak of Melissa last year, one would think that organizations would have taken virus threats seriously. However, many organizations still have not changed their practices and their internal policies to respond to new virus threats. Companies have had 14 months to prepare since the Melissa virus, yet many are still caught unprepared, and we think there are several reasons for this case.
    The damage wrought by this type of virus is somewhat intangible. It is not physical and it is quite often difficult to put a cost on the actual damage. It is mainly a result of lost productivity and time as well as potential dollar damages from the fact that customers and companies and suppliers cannot communicate electronically.
    Secondly, security is a complex problem. Many companies don't understand how to solve the problem. And many companies are not adequately staffed in the information technology and security area. These resources are very difficult to come by because there is a shortage of talent as well as a shortage of people. And policies are not in place within these corporations. Well thought out policies are a good response to crisis issues, but knee-jerk reactions are not enough to solve a crisis situation.
    McAfee is committed to the eradication of viruses. We dedicate our resources and our research to trying to stay one step ahead of the threat. We have created new technology, which is included in our Groupware and Gateway products. This new technology is aptly called Outbreak Manager and is designed to protect against potential and real virus threats. This technology looks for patterns of e-mails and attachments, and this virus could have been stopped before we even had new virus signature files to detect it. It is this type of leading-edge technology, combined with well-defined and enforced security policies within companies, that will help protect us in the future.
    Anti-virus companies alone cannot completely contain these situations. It requires cooperation from individuals, organizations, and from Government. Individuals should engage in responsible computer security practices. They should be cognizant of opening e-mails from unknown senders and should not open attachments that have not been scanned for viruses. Anti-virus software must be kept up to date, and signature files must be updated religiously.
    Companies and organizations should protect themselves with multiple layers of defense within their organization. They should impose security policies on their systems and their employees, and keep their policies and software updated to respond to new threats. Companies must protect themselves at the Internet gateway, at the e-mail server, at the file server, and at the desktop level.
    Government, like other organizations, should make sure that their systems are protected at multiple layers and that they are updating their software and virus signature files religiously. In addition, I think Government must impose the threat of real punishment against virus writers who cause this type of damage. Protection and prosecution must go hand-in-hand.
    Thank you very much, and I look forward to your questions.
    [The prepared statement of Ms. England follows.]
    "The Official Committee record contains additional material here."

    Chairwoman MORELLA. Thank you very much, Ms. England. You have posed a lot of issues that we should look at and discuss.
    I am very pleased to now recognize Mr. Peter Tippett for his comments. Thank you.

TESTIMONY OF PETER TIPPETT, CHIEF TECHNOLOGY OFFICER, ICSA.NET, RESTON, VIRGINIA

    Mr. TIPPETT. Thank you, Madam Chairwoman, and thank you, members of the committee.
    I would like to start out by agreeing with all three of my contemporaries here on the panel. I especially like Ms. England's remarks regarding things that should be done and the fact that we have plenty of technology to do these things right now.
    My written testimony is both in your archives and on our web site at ICSA.net, so I am going to depart from that and mainly comment on what we have heard here. Also, I have brought some new information that more accurately measures the impact of this virus.
    So let me start out by suggesting that I am Peter Tippett, chief scientist at ICSA.net. ICSA.net sells neither software, nor hardware, nor consulting. Instead, we are a new breed of Internet company that provides what we call security assurance services—Internet security assurance services—more like Air Traffic Control is to the aviation industry than like consulting or building a better airplane. We believe that these external services that provide best practices that are tuned and effective, that provide alerts and updates and provide continuous measurement of those practices are an effective way to reduce risk in organizations.
    ICSA.net has numerous tendrils into the computer security community. We provide a set of consortia that represent, effectively, all computer security product vendors in the world, including the McAfee Company, Norton, and Trend, and other anti-virus companies as well as many, many hundreds of large and medium corporations through this security assurance service called TruSecure. We also publish a magazine called Information Security Magazine and have a very active computer security-related destination web site called ICSA.net.
    The information, as I said, that is available in my testimony is also posted on ICSA.net.
    One of the things that we do more than anything else at ICSA is measure the cost and the risk of associated security problems. We measure risk in six areas, in an area we call electronic risk, which is hacking and related issues, an area we call malicious code risk, which is viruses, Trojans, and back-doors, and worms and so on. We measure privacy risk, downtime risk, physical risk, and human-related risk. And our job, as we see it, is to actually come up with the right answers for what are the most important things that are really happening in the real world today next week, next month, and next year and focus on the things that are actually problems instead of the things that are perceived to be problems.
    One of the interesting problems of network security that Ms. England mentioned is that products that deal with computer security actually work. Every anti-virus product that is certified by ICSA can detect and prevent and recover from every virus that has ever been promulgated on any company anywhere in the world from 3 days ago to the beginning of time. That is a pretty profound statement: every product is capable of working.
    If you take those same products and put them in companies, they cease to work. It is an interesting dilemma, but it is true. Most companies spend ten-fold more—between ten- and twelve-fold more—on the ramifications of things like computer viruses than they need to, given the products they already own and the technology they already have. The same is true for firewalls, it is maybe crisper there.
    All firewalls are capable of preventing every attack that has been perpetrated that is in the range of firewall protectable—all the certified firewalls that we work with, which is over 80 products worldwide and effectively all the products you might buy. But those products, when installed in companies—the company is only 30 percent effective. That is, 70 percent of companies, in many studies we have done, are vulnerable to the very same attacks that their own firewall is capable of preventing if managed more properly.
    So I would suggest that among the things we need to do is get the word out on how to use these things. It is like the difference between these lights and switches and wires and things that occupy every room, every one of which is Underwriters Lab tested and therefore not likely to burn down the room or electrocute people. But if you dump them all in the middle of a pile and ask your nephew to install them, the room might well be dangerous or likely to electrocute someone.
    In my testimony, I put a little table that shows the growth of the computer virus problem, and I will just summarize that.
    Ten years ago—between 10 and 5 years ago—the most common viruses were the Jerusalem, Cascade Form, and other viruses. They took a total of about $50 million of damage over the total 5-year period. It took an average of 3 years for those viruses to be born and reach number one as the most common virus in the community.
    In 1995, the Concept virus was the most common virus. It took about 4 months to go from birth to the number one spot.
    Last year, the Melissa virus, obviously, was the number one. It took about 3 days from birth to the number one spot.
    And last Thursday, the Love Bug was the number one virus and it took about 4 hours to go from birth to the number one spot. So we went from 3 years to 4 months, to 3 days, to 3 or 4 hours in the rate of spread of computer viruses in the last four phases of computer viruses.
    Likewise, the cost of these viruses went from $50 million for all viruses in the beginning half of the decade to $50 million for Word Macro Concept alone to $93 million for the Melissa virus, and we are currently projecting about $950 million of damage in North American businesses due to the Love Bug virus. I realize these estimations are all over the map. I have some data I will tell you about in a minute that helps us get closer to the actual impact of the Love Bug virus.
    One other thing that I think is useful to talk about is that these viruses that do cause damage are being perpetrated by people who can be caught. I think that as of a year and a half ago the laws that related to computer crime had very, very, very little impact on computer virus writing. But since we caught and prosecuted and led to a guilty verdict the Melissa virus writer, David Smith, last year, the actual number of sites that disseminate viruses and the high-profile people doing that sort of work has decreased somewhat, although obviously the costs and ramifications are still increasing.
    ICSA has worked very extensively with both Justice and the FBI on both the Melissa case and on this case and will continue to do so.
    We have very preliminary data. Let me just conclude by suggesting that we are doing a study right now that will include about 3 million desk-top computers worth of information and the ramifications of the Love Bug virus—about 1,000 corporations worldwide. The beginning of that study has been done and I went into the study group last night and ripped off 10 percent completion and have got very, very crude numbers.
    So we see—62 companies of 63 that were surveyed yesterday—these are randomized companies in North America that have more than 200 computers, so this is medium and large organizations—62 out of the 63, or 98 percent, experienced the Love Bug virus. That is, one did not. That is amazing. In the Melissa case, it was 20 percent of North American companies that had an experience with the virus.
    Of those, 41 companies were infected—infected means someone double-clicked on the extension and bad things happened—that is 65 percent of North American companies if these numbers pan out. And we currently believe this data is plus or minus 15 percent, although we won't really know until we get better data. I thought it would be better to have some rough data now, and apologize later and clean it up a little bit. So 65 percent of North American companies, we believe, were infected by the Love Bug virus on Thursday.

    Those 65 percent of companies that were infected included 133,000 desk tops that were infected in just this sample group of companies. This is not extended out to the larger group. And we expect that that will translate into—as had been reported in our first estimations—in the vicinity of 10 million desk-top computers that will totally be found to have been infected by this virus.
    We are still postulating that the cost in North America to these medium and larger businesses will be in the vicinity of $325 million on the low end to $950 million, the most likely dollars of damages.
    I think that is about all I would like to say and would just take any questions that anybody else has.
    [The prepared statement of Mr. Tippett follows.]

    "The Official Committee record contains additional material here."

    Chairwoman MORELLA. Thank you very much, Mr. Tippett.
    I just want to mention that we have been joined by Mr. Weiner from New York, Ms. Rivers from Michigan, and Mr. Wu from Oregon.
    Your chart is incredible, too, when you mention the fact that we have gone from—the time to reach number one, most prevalent, from 3 years to 5 hours, and the cost, and then this new 10 percent of the response to your survey is really pretty frightening, as this whole concept is.
    I want to start off with my question. I guess I will start off with GAO. And if I ask a question of Mr. Rhodes and any of you would like to respond also, I hope you will feel free to do that.
    I am curious about, first of all, the Federal response, like the FBI that morning. What was the Federal response to the virus and what Federal agency posted the first advisory and when? And whose job is it to coordinate the Federal response to cyber attacks?
    Mr. RHODES. Well, that is a very good question, particularly on the responsibility side. The first notice that—according to the information I have—came out from the NIPC, from the FBI. Federal Government response was from the NIPC and it was—depending on who you talk to—between 10:00 and 11:00 in the morning on May 4th, I believe it was.
    The question is not really, When did that occur? The more important question you asked is, Who is responsible? And who is responsible is myriad reporting structures. I mean, there is the Department of Defense Joint Task Force, there is the Department of Defense's CERT, there is the Air Force Information Warfare Center, there is the NIPC. There are also reporting structures outside of the defense and law enforcement. There is GSA through FedCert. And that is one of the points we have stressed over and over again, that when everybody has to respond, then who do we listen to first?
    In a lot of ways, getting a snippet from CNN is more valuable than waiting for a full-blown response from a Government agency that has to be vetted and cleared. And just getting a notice from CNN that says, ''There is a Love Bug virus, don't open the attachment,'' sometimes is extremely valuable compared to what you get from ''official channels'', especially when there are myriad official channels.
    I don't know if any of the other——
    Chairwoman MORELLA. I think Mr. Miller wants to respond to that, too, because it gets to the question, Should they be coordinating? Should there be something set up so that we don't have so many of the different groups who feel they are responsible for alerting us?
    Mr. Miller.
    Mr. MILLER. Well, Mr. Rhodes and I didn't practice this, but he did sort of tee up my suggestion which I made before this subcommittee before, which is the need for cyber czar within the Government, analogous to Mr. Koskinen's position on Y2K. As you know, ITAA was also the first organization to call for a Y2K czar. Initially, it was rejected as being unnecessary, but eventually the Administration did recognize the value of it and I think Mr. Koskinen played an absolutely critical role in the long-term ability of the Government to address—both within the Government and working with private sector—the Y2K challenge.
    I think Mr. Rhodes' comments suggest exactly why we need someone reporting directly to the President who does have ability to coordinate. Again, not a big office, not a lot of staff that is being done in many other places in the Government, but someone who does have the authority and the ear of the President and can coordinate responses across the Government agencies and has some ability to pull all these resources together in times of crisis.
    Ms. ENGLAND. Madam Chairwoman, I would like to add to that.
    If you look at how large companies handle these types of situations, large enterprises typically have a centralized IT or security awareness force that is the command and control center for this type of situation. And I think you need something analogous in the Government to be able to give you that same protection.
    Mr. TIPPETT. I might as well finish.
    Chairwoman MORELLA. Splendid.
    Mr. TIPPETT. It seems to me that the rate of alert has dramatically increased. Learning something 6 hours later, in this case, was past the peak. The peak of this virus in North America was 9:30 in the morning. It was half over with by 9:30 in the morning on Thursday morning. That means that if you learned about it at 10:30, it was too late for more than half of you.
    So I would agree with the first comment that getting accurate information is a problem, if waiting for accurate is worth the wait. In this case, it isn't. And if it has to go through a committee, it isn't going to work.
    The vendor community, including the McAfee, Norton, and others, all have alert services to their customers. ICSA.net also has an alert service to our organizations. All of these are much faster than any centralized alert system that has happened.
    The one thing ICSA does is rate things as some rating between hypo or hot and publish on our web page in order to give people some value around whether somebody is just trying to claim there is a problem because they can fix it, or whether there is a real problem that is worth addressing. One of the problems with hearing about something on CNN is that you might run into work and fix something that is not worth fixing.
    Chairwoman MORELLA. This is very, very important information we are gaining from you who have the experience about the coordination and the central point.
    We have a vote right now. I am going to recess the subcommittee for 15 minutes and we will be back.
    Incidentally, we are going to be voting on a moratorium on Internet taxation, something I think may interest you also. [Laughter.]

    [Recess.]
    Chairwoman MORELLA. I want to reconvene the Technology Subcommittee of the Science Committee as we continue with our testing—with our questioning—talk about testing. It is important, after having heard the excellent testimony, very provocative and important testimony of our panelists.
    I am going to ask one more question and then I will recognize my colleagues for their line of questioning for the first round.
    I would ask Ms. England, and perhaps Mr. Tippett would like to also respond—most companies and organizations use anti-virus products. Why didn't existing anti-virus products protect users from the Love Bug virus?
    Ms. ENGLAND. That is an excellent question, and many times when there is a new destructive virus of this nature, we have to develop what we call a virus signature file, which tells the anti-virus software specifically what to look for. And obviously that has to occur after the virus is known.

    Some of the technology I talked about earlier—particularly what we call Outbreak Manager—is set up to look for patterns within e-mails or patterns within attachments so that this particular type of virus, which happened to use e-mail as the propagation method, could have been stopped with this new technology.
    So the virus signature file is a reactive measure once you know the virus exists. But I think that more technology needs to be created, creative such as what we have with Outbreak Manager that looks for patterns to help stop this kind of destructive virus.
    Mr. TIPPETT. And I will take a slightly different take on that, if you like.
    The fundamental problem here is that computers are made to run programs and computer viruses are merely programs. Therefore, computers are made to run computer viruses. There isn't anything distinctive about a computer virus versus any other computer program. As much as we would like there to be something distinctive, computer viruses don't have a label on the front of them that says, ''I am about to destroy things. I am a regular computer program, but I am one designed to destroy things.''
    So it is very subtle to determine the difference between a malicious program and non-malicious program. And as a rule, we err as a community on the side of running new programs. And to the extent that our computers are designed and set up to allow ourselves to run any new program that comes along, then when a new program happens to be a virus, it is going to run it.
    There is a community in the anti-virus—a piece of anti-virus technology called heuristics, which is a generic term of looking for the badness within a program and stopping it on the basis of things that look to be maybe bad. Heuristics tends to be infringing, and if you turn it on it will stop lots of things that aren't bad, in general, and therefore people tend to turn it off.
    And let me make one more comment, and that is ICSA has a document that is free and available to everyone. It is called the TruSecure Anti-Virus Policy Guide. It is a list of suggestions, no one of which is perfect, but collectively, if you take something that is 50 percent effective and something else that 60 percent effective and something else that is 55 percent effective you wind up putting enough of them together to be 90 or 95 percent effective. For that reason, the people who used that TruSecure policy guide in the Melissa case were five-fold less likely to have damages from the Melissa virus than the rest of the community, even though it was too soon and the anti-virus signatures weren't ready yet. Similar things can be said in the Love Bug case.
    This is system administration stuff that extends beyond the anti-virus. We look at the anti-virus products as primary control, absolutely needed, need to be updated, need to be updated faster, more and more automated things. But there is never going to be the case where a program can discern good from bad in advance. It might get better and better at it, but it is not going to get perfect.
    Chairwoman MORELLA. I just want to know, how do they also know about those new disguises? For instance, someone in my office opened up JOKE and got that spread.
    Mr. TIPPETT. They should have known better. [Laughter.]
    Chairwoman MORELLA. Okay.
    On that, I am going to recognize Mr. Weiner for his questioning.
    Mr. WEINER. Thank you, Madam Chair, and I want to thank the witnesses.
    You know, this must be a pretty humiliating experience for the McAfee Company. We have a virus that looks a lot like the Melissa virus that caused an enormous amount of damage theoretically and was recognized throughout the world that was created by a not particularly well-educated or well-trained person who wanted to pay homage to a stripper in Florida. And now another one that runs on the most popular e-mail program—Outlook—on the dominant platform—Windows—on everyone's computer tied to a phone line that looks the same. And now it might be, depending on which of the new stories you believe, might have been a young college student in the Philippines, or his sister, or his teenage cousin.
    This outbreak occurs and we now say oops. We feel bad about it. Our stock price is going up and we are all over the T.V. talking about Internet security and get this new piece of software. And now we need things like cyber czars or new laws or something.
    I mean, the bottom line here is that there is an industry here that has come up to deal with viruses and this looks to me like a ground ball virus. It doesn't look that complex. You know, it's a program that came into my computer and told me—and set up an automatic method of going into my address book. That doesn't seem that complicated. It doesn't seem that extraordinary. It seems to me like the Melissa virus. It seems to me that we have had a little bit of time to figure out how to do this. It seems to be that some people are at risk.
    Then I find out that there was an alert that went out that said, ''Careful. This virus is there.'' It came through my e-mail. Might as well just call the e-mail I LOVE YOU because I wasn't going to open that either. It seems a little silly.
    Then we have computer help lines, 800 numbers, which you might as well not even bother because you couldn't get through to anybody.
    Frankly, this is an utter and abject failure of an industry that has sprung up to deal with these types of things. This isn't even that bad of a virus. This doesn't even do anything terribly pernicious once it gets in there and we couldn't stop it.
    So it seems to me for the McAfee Company and for other companies—Norton—who make a living stopping these things, that this has got to be a pretty bad day to come before Congress and hear—the numbers are a little bit absurd—the hundreds of millions—we don't know how much it costs. It might not have cost anybody anything. But this must be a pretty bad day for the company.
    And the company I would think is trying to figure out how it is that a teenager in the Philippines whips the McAfee Company so badly that you come before Congress and say, ''Madam Chair and members of the committee, hundreds of millions of dollars of damage was created by this thing because—oh, we were so surprised—it came across Outlook. We were so surprised it was based on a Windows platform. We are shocked it looked like Melissa. We don't know how they did it. They made e-mail send it to the address book.''
    This is stunning to me. I mean, we very often here in Congress have done a laudable and smart thing by stepping back from this industry in terms of taxation—and I just voted to allow taxation—a measure to move to the Floor that would continue the ban on Internet taxation in terms of regulation, in terms of all the things the industry has come and said and do—and then you come before this committee once every 3 or 4 months and say, ''We were beaten again. We were whipped again. This time, they are getting younger and less educated each time.''
    So I guess my question is, Are we going to have testimony a couple of months from now saying we have another virus that looks a lot like Melissa but it doesn't go to the 50 mail addresses, it doesn't go to the whole book, it only goes to the first 75 that begin with consonants that immediately follow vowels and we're stumped and don't know what to do?
    I don't understand exactly why it is that with all of the technology that is available, with all of the consistent patterns that we're seeing—and this is the easy stuff. I mean, Ms. England, God bless you, but it ain't going to get any easier than this. They aren't going to knock on your door with a disk and say, ''This virus is going out on Monday morning.'' This is about as simple as it is going to get.

    And my constituents and computer users all over the world are wondering, If you can't stop this, what happens when they do something bad?
    I guess the question would be, Why did your stock price go up after this?
    Ms. ENGLAND. Well, thank you for that. I appreciate your passionate comments. A couple of things I would like to say.
    First of all, as Mr. Tippett said, programs—computers are meant to run programs and you don't always know if a program is a good program or a bad program. And we cannot predict who is going to write the next virus and where it is going to come from and what behavior it is going to take and have manifested.
    Mr. WEINER. Can I interrupt? And I apologize because I know I have already said a lot.
    But what exactly do you think an anti-virus company does? You are not supposed to be able to predict. The idea is you are supposed to deal with viruses that come along. What form do they usually come in? An announcement? A memo? They come in the form of something that you have to anticipate based on past experience at the very least.
    Ms. ENGLAND. And we do, thank you very much.
    Mr. WEINER. But Ms. England, let me just follow up on this.
    If you had the Melissa virus that executed in a very similar way, Is it technologically impossible to create a virus program that goes in, looks at the thing and says, ''You know what, this sucker is going to go and send 50 e-mails,'' give me a little Outlook box that says, ''Are you aware that you are about to send e-mails to 75 of your closest friends?'' Press yes to cancel or whatever.
    You are telling me that that is technologically impossible?
    Ms. ENGLAND. No, I didn't tell you that. In fact, I didn't say much at all.
    What I would like to say is that companies are responsible for protecting themselves. We provide the solutions, we provide the software to help them do that, but that is still the responsibility of companies to roll the software out and make sure that it is updated and make sure that they have the latest virus signature files.
    We do tremendous advanced research. We try to anticipate viruses and we do that very effectively with heuristic technology that Mr. Tippett described and with our Outbreak Manager technology. It is impossible to predict everything. That simply cannot be done. No company in the world can do that. And I think we have done a very effective job.
    You are right. This is very similar to Melissa, but you don't know about the virus until it has been unleashed. You cannot know about it until it hits. And that is the unfortunate position we are in as an industry and in the whole Internet community and with people—8-year-olds who can write programs that are destructive.
    Mr. TIPPETT. I am not an anti-virus company, so maybe I can take a third-party view here.
    Everybody who did get this virus did get a warning. A message popped up and said, ''This is a program that might be malicious and might have a virus. Do you want to run it anyway?'' And they said yes. It happened on every single computer that got this thing and replicated it.
    So——
    Mr. WEINER. That's not right.
    Mr. TIPPETT. Well, okay. It happened on 97 percent of the computers. When you double-click on the VBS with the default installation of the operating system, that message comes up. Unless you undid that, that is what happened.
    So what we have learned, interestingly, is that people like McAfee and other companies have these heuristic technologies which can be pretty good at getting 80 or 90 percent of the new things that come along and the users don't turn them on because they don't want to see those messages.
    Chairwoman MORELLA. Very provocative line of questioning.
    I am going to recognize Mr. Gutknecht of Minnesota for his questions.
    Mr. GUTKNECHT. Thank you, Madam Chair.
    I am from Minnesota, Mr. Weiner is from New York. We practice Minnesota Nice. But I must tell you, I attach myself to everything he just said.
    I came into this room really prepared to listen, that perhaps you had some suggestions. What I have heard today is really very frustrating. I mean—and it is whether you are in business, whether you are a private individual, in Government—whatever—the idea that we can practice better cyber hygiene, to me that is an unbelievable statement. Somehow, we are responsible? If I am a senior student at a university and I have a semester's worth of notes and two term papers and somebody sends me an e-mail that says I LOVE YOU, I'm not supposed to open it?
    This really is a remarkable hearing, that you are here today saying the answer is—and I will answer your question. Why did the stock go up? Because the answer is, you have to buy more software. The last software doesn't work. You have to buy something new. And that seems to be the answer to every question.
    And somehow we in Government are responsible or consumers are responsible? If you have a problem with your telephone system, it is not the telephone company's fault, it is our fault?
    I am sorry. I don't know what cyber hygiene really is. Mr. Miller, maybe you can tell us. We have to wash our hands before we——
    Mr. MILLER. I can say, Mr. Gutknecht. I would be glad to respond.
    If you want a closed system—a closed Internet where every e-mail message first goes to a central place that someone scrubs it and makes sure there is nothing there that is not intended for you or makes sure that it goes through some kind of central processing system and slows the Internet down so that your messages come to you after they have been thoroughly cleaned by some third party, you can do that. You can have that kind of Internet system. And it is possible that the Internet could be designed that way.
    And that is a possibility, in which case you would have no responsibility. You would contract with this third party and say, ''I don't want to get any e-mail messages until you have opened them all and looked at them. I realize that means I am going to get my e-mail messages a couple of hours later or a couple of days later, but that is the kind of e-mail system I want,'' you can have that kind of system if you want to pay that price.
    What the consumers appear to want—whether business or individual consumers—is instant e-mail. In fact, they like this instant messaging. They want to be able to communicate the same way over the Internet they can by picking up a telephone or having a face-to-face communication. So they want things instantly.
    Which means, unfortunately, in terms of the Internet—as I said, the openness of it is also its vulnerability because in that Internet there are people who are bad guys. There are people who do cyber stalking, there are people who want to send you messages—even if it is not a virus—who want to prey on you or prey on young children. We know there are bad people on the Internet.
    That is what I mean by cyber hygiene, that you as an individual have to take some responsibility. What does that mean? That means that you make sure you have anti-virus software on your computer and you try to update it as regularly as possible, that you do look out for messages that indicate to you you should not be opening these things. And again, a message that says I LOVE YOU, at least in a business context, is probably something you should be very suspicious of, even if the sender is someone that you are familiar with.
    You should be constantly making sure that you don't give away your password to other people, that you follow the basic rules that are prescribed in your corporation or individual.
    That is cyber hygiene. No, it doesn't mean wash your hands. But it does mean that if you want to be a part of this open system, which is what the Internet is, you have to take some responsibility. You can't say it is the fault of the sender all the time, you can't say it is the fault of the company that developed the software. You are taking responsibility as long as you want to be part of this network.

    Again, you could opt out of the network. You don't have to use the Internet. That is your choice. Or you could do it through a third party vendor who would scrub all your e-mail messages for you. But you would have to be willing to accept the price of that, which is a delay and additional cost.
    Mr. GUTKNECHT. Would somebody else like to respond to the question Mr. Weiner had? If we can't stop what appears to be a relatively amateur hacker from the Philippines, what are we going to do when somebody is really serious?
    Mr. TIPPETT. Could I put a slightly different analogy on this?
    Mr. GUTKNECHT. Well, you can put a different analogy on it, but I would like an answer to that question.
    Mr. MILLER. Well, people are very serious. There are thousands of viruses directed at all of us all the time. That is why we have anti-virus software. People attack the Pentagon web site, according to the Pentagon officials, 20,000 times a year and most of them don't get through because the industry, working with its customers, has developed technology to stop it. This committee today is focusing on the time that it did get through. What you are not focusing on is the tens of thousands of times the technology has been developed and successfully stopped attacks.
    The Pentagon problem is, as you suggested in your question, Mr. Gutknecht, the one time it does get through could be very serious to our national security, for example. So they have a special responsibility. Obviously, financial institutions have special responsibility. Obviously, the telecommunications has additional responsibility. Clearly, the Internet industry does because we are now part of this Internet economy.
    So that is what we are working to be able to share this information.
    But Mr. Gutknecht, there is no silver bullet. There is no one single program that anybody is going to write that is going to guarantee that every piece of e-mail you get is going to be absolutely clean. There is going to be no web designer that is ever going to develop a technology that is going to say that no hacker is going to break into your web site. It is going to take constant vigilance because it is an arms race. There are bad people out there who are constantly sitting around saying, How can I foil the good guys?
    Mr. TIPPETT. One slightly different approach to this—I think the Internet is about in the same state of affairs as aviation was 60 years ago. Sixty years ago, the chance of dying in a scheduled airline accident was 1,000 times higher than today. In today's terms, that means that we would lose 500 people a day in scheduled airline accidents if we had the same death rate we did 60 years ago. A lot happened in those 60 years.
    The airplanes themselves only got about ten-fold better, more safe and so on. There are lots of surrounding things like policies, like practices, like alerts. We know that there is a thunderstorm coming in advance now because we have better radars and so on. We are going to be a lot faster than 60 years ago in getting to a much more remarkably safe Internet. But we have that growth to go through.
    For example, better authentication on the Internet, which is embodied in IPsec or a protocol called HIP, are both on track to get somewhere. Your group can do whatever you can do to speed those things up. If people knew where the message was coming from, these technologies are there, they are just not getting there fast enough. That would work.
    The technologies of public key infrastructure, the PKI digital signature technologies can make it so that machines can be built—they can't know, but they could be built—so that they would reject messages that weren't trusted or came from a source that was unauthenticated.
    This is technology that will work. It will all happen, it is just not working now.
    So there are plenty of things that will work, but we have to convince 100 million people to change their machines and make these technologies so they interoperate fluidly. And we are going to have to have other arguments about, for example, whether anonymity is an appropriate thing to have on the Internet? If you are going to have authentication and know where the thing came from, then you can't also have exactly the same sort of anonymity that we have now.
    Mr. RHODES. Mr. Gutknecht.
    Mr. GUTKNECHT [assuming chair]. If Ms. Rivers doesn't mind, we will let you respond.
    Mr. RHODES. Oh, I am sorry.
    One final point I would want to make is that the office environment today, both inside and outside the Government, is not based on an analysis of risk. There isn't a valuing of the assets inside the organization.
    Mr. Weiner is absolutely correct, based on the structure of the organization we have now. This is child's play. You are right. We are not talking about Albert Einstein having to sit down with Hans Bethe and figure quantum mechanics to solve this problem.
    So what we have to do is, as we move toward electronic government, as we move to electronic commerce, we have to understand that there is risk involved with it and we have to design our organization based on the risk to our assets. If something is extremely valuable to us—and what I have heard from a lot of news people and from a lot of Government responses is that no permanent damage was done.
    It is sort of the same point that Mr. Weiner made the last time we testified on Melissa. He said, So what? What was the so what? And here we hear dollar values that range up to tens of billions of dollars are lost or less than a few hundred million dollars lost, and if you distribute that over a large corporation or many corporations then nobody is really hurt.
    We have to understand what the risk is. Is this truly digital graffiti, as we have discussed before? Or is this something more serious? If it is something more serious, then we are going to have to start designing how we handle information in our organization according to the level of risk and exposure that we want to take. If something is the crown jewel, then perhaps we have to take Mr. Miller's position and say, ''I am going to have to build a very hard sandbox around us and I can't exchange information except through an air gap.''
    But then you are taking your office and turning it into a counterpart to the National Security Agency or the CIA or something like that where they have lines of demarcation over which no one can cross. But this is the kind of risk analysis that has to be done and it is one of the things that we push for from the General Accounting Office standpoint throughout all of Government, but it is also throughout industry as well.
    Yes, this is very pernicious. This is an annoyance. It will be worse next time and it will probably cost more money. But until it reaches a threshold that hits the knee in the curve and we say that the risk is too great, we are going to continue to go through this if we don't start designing the information flow inside our organizations based on risk.
    Mr. GUTKNECHT. Thank you, Mr. Rhodes.
    The gentlelady from Michigan, Ms. Rivers.
    Ms. RIVERS. Thank you, Mr. Chair.
    I want to ask a different set of questions because I sit here and listen to the conversation that is going on and I feel like people are dressing down the bank guards without ever looking at the fact that all the windows were unlocked in the bank building. I think we should be looking at the fact that this virus attacked a software system that 85 percent of all e-mail handles—that 85 percent of all e-mail is handled on that is essentially vulnerable to this kind of attack. It has been vulnerable to this kind of attack for some time. It is Microsoft.
    My understanding is that in 1991 the Internet community set attachment standards. And at the time, they recommended that there should not be any program that automatically executes attachments. Microsoft, in a desire to have some exclusivity in a proprietary way decided to create Outlook with that ability.

    In fact, we are dealing with a single software that is vulnerable to this attack—both to Melissa and to the I LOVE YOU virus.
    I guess I would like to talk about that. Do we have a widespread problem of vulnerability across all programs and all companies? Or do we in fact have a problem with a single software, the Outlook system? And should we not be addressing our concerns to why Outlook persists in the marketplace with this kind of problem?
    I would like to hear from all of you.
    Mr. RHODES. You do have a problem and it is pervasive across the infrastructure. Yes, Microsoft is an easy target because they own the market, but you have an environment where the software industry is delivering for a market.
    Ms. RIVERS. My understanding, though, is that the job of the programs were not—that most of the other programs were not affected by this virus. It was in fact a Microsoft-specific one.
    Mr. RHODES. I think that's true, but it can attack through Java as well. It is a matter of distribution based on the application as opposed to Java itself being weak. But they have a thing called the Java Development Tool Kit and you can establish a thing called Sandbox and you can set up these boundaries on it. But if you open Eudora, for example, and there is a web address inside there and you move your pointer over it, you can automatically launch to that web address.
    That is a very pernicious event as well, but that is not due to executable code. It is due to an automatic distribution of your pointer out over the Web. Across the industry, it just becomes more apparent in the Silicon Forest up in Redmond, Washington because they own the market.
    Mr. MILLER. I think it goes back to the point Mr. Rhodes was making previously, which is that it is a trade-off between safety and speed. The customers say, ''I want that now. I want to be able to get my e-mails now. I want to be able to open these attachments now. I want to be able to respond now. I want to be able to send that document now.''
    Again, if you wanted to live in a totally safe environment, instead of driving a Porsche, you would drive a Hummer, because the Hummer, if you run into something it is going to get hurt. If you drive a Porsche and you are driving real fast, you have a chance to get hurt.
    Most people in the Internet world want to drive a Porsche. They want to go as fast as possible. And until they accept the trade-off here—and maybe they never will—to say we are going to have to have some different types of behavior in terms of the technology itself, which is important, as well as the behavior of the personnel.
    As Dr. Tippett was suggesting before, many individuals never turn on the anti-virus software. In fact, it was reported at the meeting with the President back in February, one of the large vendors there said that 30 percent of their customers never turn on the safety features that are installed. When they go back and recommend the customers do, they say no because that slows something down. That is the first reaction.
    Ms. RIVERS. I understand the psychology. But the point I am raising is that after listening—with all due respect—to my colleagues attack the industry that wants to defend for problems, why are we not starting with the basic programs? It makes no sense to me to attack the secondary software for a problem that absolutely exists with the primary software.
    I am hearing a lot of people as they discuss this talk about the basic vulnerability of Windows—whether it is others in addition to Windows, but certainly to Microsoft when they have 85 percent of the market share—and we had exactly the same problem with Melissa. And the problem wasn't changed in new versions.
    To me, that strikes me as a basic problem.
    Dr. Tippett.
    Mr. TIPPETT. Not being either a Microsoft bigot or an advocate, let me see if I can answer two of your questions at least.
    One, the autoexecute function in Outlook is by default turned off. So users would have to turn that on for that to happen. And the vast majority, by our testing of the replication of both Melissa and this virus, was because users double-clicked on it, not because it was automatically executed.
    Secondly, I would concur but in slightly different words. This virus and Melissa, if executed on a system using Notes or some other e-mail client, still did cause some damage. It may not have been the same. And if it were aimed at that platform, it would have been tuned to exploit that. So if somebody else was the market leader, that somebody else would have been exploited instead of Microsoft.
    Two other quickies. Microsoft has done some things with the anti-virus community—we coordinate a lot of that—and is participating in helping the anti-virus vendors tie in better to the Microsoft product. So there is some activity there.
    The fundamental solutions, which are code signing and digital signature related things, are moving along, though not nearly as fast as any of us had hoped. And they certainly are the things that need the wood behind the bat.
    Ms. RIVERS. Thank you.
    Thank you, Mr. Chairman.
    Ms. ENGLAND. May I make one comment, Ms. Rivers.
    Ms. RIVERS. Yes.
    Ms. ENGLAND. The features that are being exploited in the Microsoft Outlook product are features that are there for positive reasons, and many companies use those features very effectively. So it is a situation where the capabilities are there and someone figures out how to use them in a damaging and destructive way. So what you face is the trade-off between having the features available to accomplish all the good things that you want consumers to be able to accomplish with this software versus restricting them so that you try to prevent the bad things that could possibly happen. I don't think we have a real good solution or a real strong balance there in terms of saying you should or should not do one or the other.
    Ms. RIVERS. Thank you.
    Thank you, Mr. Chairman.
    Mr. GUTKNECHT. The gentleman from Washington, Mr. Baird.
    Mr. BAIRD. Thank you, Mr. Chairman.
    Thank you to the witnesses.
    I have three questions.
    First of all, with regard to Microsoft, the proposed Justice Department's proposal to split Microsoft into an OS system and an AP system I think is profoundly stupid. One of the elements of that proposal, as I understand it, is that it would prevent Microsoft from improving the OS system.
    If Microsoft were to design an improvement to the OS system to make it more hardened to viruses, the proposed Justice Department's separation could conceivably prevent them from doing that.
    Mr. Tippett or others, if you want to comment on that aspect of the technological aspects of this, I would certainly appreciate that.
    Mr. TIPPETT. The particular technology that was exploited by this virus is both in the application and in the operating system. There are components of it that are completely independent of the operating system and operate in the Office Suite and components that operate in the operating system. If they were separate, presumably someone would make that work in either or both of those places anyway, either through a standard or otherwise.
    So I don't think separating the two components in companies would—I mean, it's totally hypothetical, but it's likely that someone would make a standard that operates much like VBS anyway, and make it work across platforms. If it was popular and interesting for people, then it would be widely deployed.
    So my guess is that there wouldn't be a lot of difference with two Microsofts or one in the vulnerability.

    As to whether they could fix the operating system, it would be totally ludicrous to constrain somebody from updating their software.
    Mr. BAIRD. That's essentially what the Justice Department is calling for, as I read it, and I think—here's a case where we're seeing that kind of both structural and procedural so-called ''fix'' might actually significantly impair the public. And I really hope that the Justice Department pays attention to this issue because to constrain Microsoft from improving its OS system, when the OS system could be made more hardened against the virus, just seems absolutely ludicrous and contrary to the consumer protection goals of any antitrust settlement to begin with.
    So I appreciate your comment on that.
    Secondly, let me ask you a question. The critical damage, to me, is time. The single most precious commodity that we have as human beings is our time, and if you have to spend a lot of your time trying to rebuild your files, etc., that's not time you can spend with your family, time you can spend on constructive and gainful economic production.
    This is a hugely costly thing, and if someone came in and just scattered my files around my floor—maybe they didn't destroy my files, but it's going to take me hours to put them together.
    My question is, do we have adequate criminal procedures to penalize and track down these people and make them pay for making everybody else pay with the most precious commodity we've got?
    Mr. MILLER. I think that the penalties are fairly severe, potentially, Mr. Baird, but I think there is concern on industry's part as to whether the law enforcement community and judges take these cases as seriously as they take physical crimes that they give a lot higher priority to.
    I will say that there is a very constructive dialogue going on right now between industry and law enforcement. We had the privilege of hosting a meeting for Attorney General Janet Reno and 40 other law enforcement officials in Silicon Valley in early April that involved Federal, State, and local law enforcement officials, to increase the dialogue in this area. We will be having a follow-up meeting here in the Washington, D.C. area in June.
    But at the end of the day, what we had heard from a lot of the prosecutors was, unless the judges take these cases seriously, then it's hard for the prosecutors to spend a lot of time and resources prosecuting them. They don't want to spend all their time doing that versus something that involves a rape or a murder or a burglary, that they know the judges like to hand down tough sentences and be tough on. In fact, there has even been a sense in the community up until now that sometimes Johnny or Susie is admired because Johnny or Susie is so clever that he or she brought down the Pentagon website or brought down some bank's website.
    So it is a whole attitude change that has to take place, and I think that the resource issue is a challenge.
    The other question, of course, we're seeing in the Philippines example is, in that case apparently the Philippines government doesn't have the expertise internally in their investigative authorities. We obviously have to respect the sovereignty of the Philippines government, but it is very positive to see that the FBI has been brought in to assist in the investigation.
    I was also very pleased to note that there was a tremendous collaboration between the U.S. law enforcement officials and the Canadian law enforcement officials to help track down Mafiaboy.
    So there are some positive signs there, but I think we have a long way to go.
    Mr. RHODES. There's also an additional side, that if corporate America and the Government says ''no permanent damage was done,'' then it's very hard to go to the Philippines, where they view this currently, according to the reports I have—they view it as vandalism.
    Mr. BAIRD. I can tell you, I will never get that time back, and my staff will never get that time back, and the constituents who lost service will never get that back, and the people who lost files of their children will never get that back. There was real damage, and it was huge in economic terms.
    Mr. RHODES. Until and unless General Electric or AT&T or someone like that stands up and says, ''By God, this cost me something,'' and time is money, but they aren't translating it into ''time is money.''
    Mr. BAIRD. Well, they need to do that.
    Mr. TIPPETT. So I actually think this is working better than we're suggesting. The Melissa virus author, during that study, David Smith of the Justice Department asked us what the cost of the Melissa virus was. We did a significant study, as we do often at ICSA.net, and told them it was between $93,000,000 and $380,000,000. So, evidence of that cost, 97 percent of which was time—the evidence of that cost was presented to the defense for the Melissa virus author, and they accepted that it was in excess of $80,000,000; that is, they didn't even plead their way down below the highest level sentencing guideline. And he will get between 5 and 10 years of jail time when he is sentenced in August.
    So we do have experience. In America, the laws are capable of prosecuting these people, and I can tell you that the FBI and law enforcement and Justice are plenty motivated, by my observations; they call our office hourly.
    Mr. BAIRD. Can I make just one final observation, and that is—some of the comments that were made earlier—the virus analogy is an apt one, and I think it is reasonable to assume that the way the human body defends itself against a virus is, we get exposed to the virus and then we develop antibodies. But we get a cold. These are serious colds we are getting in the computer world, but we are developing the antibodies. In addition to the antivirus software selling, I think what we really need to say to the public is, you've got to sell the backup software, and you've got to do it, just like you take your vitamin C, just like you lock your door if you've got something valuable.
    But the analogy is apt; we're just pretending it's not. You do get exposed to viruses, you do get a cold, and you overcome them. We want you to do better at protecting us from those viruses, but we cannot expect—essentially the reason I say that, to reiterate my point at the start, we've got to allow Microsoft to continue to improve its OS system through whatever means it needs to so that it is more immune to these viruses, and we must not prevent it today from moving forward in that direction.
    Thank you, Madam Chairwoman.
    Chairwoman MORELLA. Thank you. Thank you for that great round of questioning, Mr. Baird and the others.
    Maybe, Mr. Tippett, this is a first-response kind of question. Do you think that the author of the Love Bug virus realized what he was doing—or she—the intent? Was the intent there? And then, the effect of it? Was the creator successful in gaining passwords?
    Mr. TIPPETT. Let's do two at a time there.
    Chairwoman MORELLA. Okay.
    Mr. TIPPETT. I think that the Melissa virus author will tell you that he didn't intend for it to be as pervasive or as damaging as it was. He has said that many times. I think that if you read his writings—and we had given the Justice Department 300 different documents within days of that—you can tell that he had every intent to damage things. He wrote treatises on how to damage more computers with better viruses, and had all kinds of malice in the writing that he did over the last 5 years.
    We don't have similar data on the Love Bug author yet. I suspect we will get a lot of that as we actually, physically identify the exact person, and we will figure out some of those intents beforehand.
    I think that both David Smith in the Melissa case, and whoever this Filipino 20-something-year-old is in the Love Bug case, I think both of them are probably surprised by how well it worked. I think that they were pleasantly surprised, but nevertheless surprised. And as to stealing passwords, this virus could well have stolen millions of passwords, and provided a way to provide for theft of anything else on a computer, including access to the computer and the network in future versions. It was designed to be able to get anything running on any computer that got infected in the future, and to be able to decide those things as time went on.

    Because it went so fast, it didn't get many passwords. It probably got 1,000 in some way, shape, or form before the whole thing melted down.
    Chairwoman MORELLA. I think both Ms. England and Mr. Miller would like to comment.
    Ms. England and Mr. Miller.
    Ms. ENGLAND. Thank you, Mrs. Morella.
    I think the intent was absolutely clear. I believe that e-mailing this to everyone in the Outlook Address book, you have to look at that and say yes, that was absolute intent. And I think that stolen passwords—you have to look at that and say, that's absolutely malicious intent. So I believe the intent was there.
    I believe also that perhaps the virus writer could not have predicted that this would have been as pervasive as it actually was; however, I don't think there's any question about the intent.
    Chairwoman MORELLA. Mr. Miller.
    Mr. MILLER. I don't think the intent makes any difference. It was done, and the perpetrator should be severely punished.
    Chairwoman MORELLA. We should do more with punishing—yes, Mr. Rhodes?
    Mr. RHODES. One additional point, though, is that there is a question of ''probable'' and ''plausible'' in this. Because the infrastructure is very weak, it becomes very hard to prove that this didn't get away from someone. I'm going back now more than a decade to the Morris Worm. The argument was, from Robert Morris up in Cornell, that his experiment got away from him, and because of the infrastructure being sort of analogous to Swiss cheese, it's absolutely possible that it got away from him.
    Now we have to go into the psychological profile, go in and see what the writings were, and figure out whether or not somebody really had the intention, because the infrastructure won't tell you that, because it is possible to go ''crashing and burning'' through many, many systems because of the way it's set up.
    Mr. MILLER. The ''Twinkie defense,'' Madam Chairwoman—I just think we can't do that. We can't have people saying, ''Well, I was just playing around. I thought it might be a bother to my friends''——
    Mr. RHODES. My point was not that we're giving the Twinkie defense. My point is that it's very hard right now to prove that by hitting ENTER and mailing it off to someone, that you didn't expect it to go around the world, or you did expect it to go around the world, because the infrastructure is very weak.
    Mr. TIPPETT. Viruses are unique in all programs, and no one to date—and I've been involved in this from the very first virus—no one of any sort to date has ever shown anything useful about a computer virus, or anything predicted to be useful. That is, these things are always malicious, always. No one can even project that one might ever be created that might be useful, and therefore I would suggest that we make this one of those few First Amendment exceptions and make it illegal to create them.
    Chairwoman MORELLA. Very interesting.
    Let me go into NIST—the Department of Commerce, actually. NIST is actively working with industry, as you know, to design and develop and test new standardized products and protocols to make authentication, confidentiality, and integrity service inherent parts of all networks based on Internet protocols.
    Have any of you worked with NIST? And if so, what role do you envision for NIST in working with industry to improve Internet security? We think it might be the best agency to so do.
    Mr. Rhodes?
    Mr. RHODES. I guess in working with NIST and dealing with them in the standards area, the role that I would see for NIST would be sort of equivalent—if a plane crashes, there are two groups that show up. There's the FBI and the National Transportation Safety Board. If a network crashes right now, the NIPC shows up, so it is law enforcement by itself.
    One of the points that Mr. Miller made was information exchange. If the NIST could start to take on more of the role of being the National Transportation Safety Board of the Government networks, at least on the civil side, to give us a single point of contact—or assisting in a single point of contact—for us to do these diagnoses of what actually went on, that would be extremely helpful, so that we don't have to go to myriad locations and get varying understandings of what happened, and we can take the after-the-fact lessons learned from the test, or the lessons learned from the action, and actually roll it into better security for the civil side of Government.
    Mr. MILLER. We've been talking with NIST about a different role which is related to information security, and that is long-term research and development. As you know, Madam Chair, the Administration has proposed in the fiscal year 2001 budget approximately $50,000,000 to set up a long-term research and development function to look at cybersecurity in the long term. Frankly, even the biggest and most successful companies can't undertake within their R&D budget. And as Ms. England said, her company and all the others do spend a prodigious amount of money on R&D.
    We believe that NIST does have a role in this R&D function. Primarily, we see that as working with private industry and the academic research community to pinpoint projects that would not overlap with research already being done by the private sector, and then finding either academic institutions or research facilities in the corporate or nonprofit world where the research could actually be conducted. And this could play some role in helping to define that research agenda.
    Chairwoman MORELLA. Picking up on what Mr. Rhodes has said, do you agree——
    Mr. MILLER. I guess not totally. I guess I'm a little uncomfortable with the idea that, number one, they haven't demonstrated in the past that capability in terms of being the repository of that kind of expertise.
    I think what you have found in terms of the forensic work that needs to be done, and particularly with the workforce challenge that you and I talked about on other occasions, and the inability of Government to attract and retain high-level people with specialization in information security, that in fact the private sector has worked very collaboratively with the Justice Department and other law enforcement officials to provide the forensic backbone. Companies like Ms. England's company, ICSA.net, and others have provided that expertise, as has the academic community. I think that seems to be working reasonably well. Whether we need to have a centralized governmental function, if that's what Mr. Rhodes is suggesting, I'm not quite sure that case has been made yet.
    Chairwoman MORELLA. Okay.
    I will move on to other questioning by my colleagues, unless either Ms. England——
    Mr. TIPPETT. I can summarize the software companies' viewpoint and other technical people. When I posted questions on what we should tell this committee, the sort of universal answer came back, as you might expect, for Government to stay as far away as possible. I think that's kind of a wrong answer, to start with, but I think the underpinnings come from this all moving so fast and changing so quickly that it would be easy to screw it up. We need to do things that are constructive, and I think research is constructive. I think some ability to facilitate the standards that are already in place to get there faster is a very good idea, and I just don't know how Government can do that. I would look to you guys to figure out how Government can make the right standards get in the right places quicker.
    Chairwoman MORELLA. We'll take on that challenge. We'll try.

    Mr. Weiner?
    Mr. WEINER. Thank you. I just have a brief follow-up.
    If the code for the Melissa virus and the Love Bug virus were available on the Internet, if I were to take it, write it, launch it with a different name—let's start with the Melissa virus—would it cause as much damage as it did the first time? Anyone can answer.
    Mr. TIPPETT. The answer to that is no, in part because people have cranked down some non-directly-Melissa-related controls. The thing in Microsoft Word that made Melissa possible is ''off'' by default now, instead of ''on'' by default now. And so any new version of Word would not perpetuate that, would not replicate that automatically.
    There are other controls——
    Mr. WEINER. A new version of Outlook, or of Word?
    Mr. TIPPETT. Word. Word was the main application that made—although it used address books, it was the macro language in Word, that the macro language caused the mail to be sent.
    Mr. WEINER. Gotcha.
    Mr. TIPPETT. And that piece is turned off by default in current and future versions, I presume, of Word.
    Also, there are things at ICSA.net called ''synergistic controls.'' Many, many, many more people use .RTF instead of .DOC in the file format because it can't possibly be infected. Many people have default protections at their gateways that are generic for things that look like Melissa. And the antivirus companies have—although if something that looks very close to Melissa comes along, we will call it a variant automatically.
    Mr. WEINER. Gotcha. And I would ask the same question about the Love Bug virus. If I were to download the source code, whatever the code is called, write the thing, and launch it with a different name——
    Mr. TIPPETT. That has happened 20-some-odd times.
    Ms. ENGLAND. We have 27 variants of the original virus that have already been unleashed in the community, and I believe that they have not been as destructive as the first for several reasons. One is that companies' awareness is definitely up right now, so companies are aware that this could be a potential new threat. The virus signature files that we've produced do detect and clean all of the 27 variants.
    Mr. WEINER. Do the virus signature programs identify the architecture of this thing in terms of its ability to go into Outlook, read my address book, send things from my address book without my knowledge? Has that basic architecture problem been fixed?
    Ms. ENGLAND. We are unable to fix a basic architecture problem that exists in Outlook. That's not the nature of an antivirus program. What the antivirus program can do is identify, based on a specific signature, that this is a virus, and we can clean it or delete it, whatever the administrator chooses.
    Mr. WEINER. If I were to write a program tomorrow from scratch that, with an e-mail executable file, had the program go into the Outlook address book of the recipient, look at the first 50 names—like Melissa did—and forward to them a program that allows it to go into each recipient's Outlook, would that piece of code trigger any particular defense by a product that you or anyone else in the industry has come up with?
    Mr. TIPPETT. Maybe I can help. The heuristic products that are in McAfee and the Dr. Solomon that McAfee bought, and the Norton products and others, the heuristic features which are most often not turned on by users can do that, the sort of thing you are talking about, in generic ways. The things that have the very least infringement, 1 error per 100,000,000 messages, that is calling something falsely a virus that isn't, are the things that users do turn on pervasively, and therefore they have to wait until after something changes——
    Mr. WEINER. I'm not sure I understood the answer. So that program that I just described, there is already antivirus software out there that would do what? It would give you, notify you——
    Mr. TIPPETT. It would detect 80 or 90 percent of those instances that you described and would stop them, either at the gateway or at the file server.
    Mr. WEINER. Gotcha. And what was it that this very smart guy in the Philippines is alleged to have done to get around that?
    Mr. TIPPETT. Well, if people had that feature turned on, it would have——
    Mr. WEINER. Does the feature notify you that they are going into your Outlook address book?
    Mr. TIPPETT. The heuristic features in the antivirus products work differently dependent on the product. Each product has some different twist on it. But they look for a code that is going down a path of bad behavior in general, and they have preprogrammed——
    Mr. WEINER. I want to focus on that specific bit of behavior.

    Mr. TIPPETT. Right.
    Mr. WEINER. I don't think I've ever got a legitimate program that, when executed, goes into my address book, opens it up, and starts sending messages to my address book.
    Mr. TIPPETT. Au contraire. There are many, many companies that automate address book reforwarding of things as part of their business automation process.
    Mr. WEINER. Okay. But that line of code, that was the crux of the Melissa virus and the crux of this virus——

    Mr. MILLER. It's not the code, Mr. Weiner. I think it's the pattern of behavior. That's what heuristic means. The fact that something told you, some program said to your Outlook book, ''Grab all these names, write them a message.''
    Mr. WEINER. Right.
    Mr. MILLER. What Dr. Tippett is saying is, that kind of behavior may not be unusual for some companies; and therefore, unless they had a feature turned on—leaving aside what the code said; they're not testing the code per se, the antivirus is testing the behavior and saying, ''It's awfully unusual for you, as a user, to ever have that happen.''
    Mr. WEINER. But let me see if I understand this.
    There is a line of code that says, ''Go into Outlook and get the names and link them to this .EXE file and send it out.''
    Mr. MILLER. Right.
    Mr. WEINER. Okay. So that exists, and that was a troublesome piece of code for a large number of the people who got that program, okay, that item. And what I'm questioning is, if that line of language is in a program—and it was in Melissa, and it's in this one—it seems to me that a fix, not being an expert, would be to figure out a program that could go in, read that program, and say, ''Wait a minute, you should be aware that this activity is about to happen.'' If I get a virus alert that says, ''We're about to go into your Outlook address book and send something to your address book,'' like the Melissa virus, like the Love Bug virus, ''do you want to continue this activity?'' We would have stopped this thing in its tracks.
    And my question is, why have we not, today, post-Melissa, post-Love Bug, figured out a way to do that?
    Ms. ENGLAND. There are solutions that handle the problem. They may not be the exact solution that you described, but for example, on e-mail and gateway servers, there is technology there that looks for patterns of e-mails and patterns of attachments, and will alert the administrator and take a series of actions, if necessary, to say, ''This could be a very bad situation.''
    Mr. WEINER. I understand. And I don't want to bog down the committee, and I apologize for taking so much time on this.
    But what about what I proposed? Is that technologically possible?
    Mr. TIPPETT. What you're suggesting is part of what I call heuristics already in almost all antivirus products. Mostly, the problem is that it causes more false alarms than users are willing to tolerate; therefore, they don't turn it on.
    Mr. WEINER. Well, okay. Because you're saying there are so many people sending out programs that say, ''automatic''——

    Mr. TIPPETT. There are hundreds of things like the one you described.
    Mr. WEINER. No, I'm not talking about that. I'm talking about Melissa and the Love Bug.
    Mr. TIPPETT. There are 50,000 viruses in the ICSA.net virus library. Only three of them have been moved by this mechanism, okay? And yes, this mechanism ought to; it probably is blocked explicitly by these things, and if it isn't, it would be ridiculous not to, and you're right about all that.
    Mr. WEINER. Okay, but——
    Mr. TIPPETT. But there are also Internet-related chat mechanisms, there are FTP mechanisms, there are others that we don't want to talk about, that will be exploited an hour from now——
    Mr. WEINER. Dr. Tippett, I don't dispute that we have other things. I don't dispute that there have been a lot that you caught. I don't dispute that there are some great catches that have been done. I am trying to focus on this hearing now, which is a lot like the last hearing that had a similar theme. I'm not an expert. I only know about viruses when they visit my office. And we're now two for two with this particular little mechanism which has people go into the most popular mail distribution on earth, on the platform that is the most popular, and it just seems to me intuitively—not being an expert—that if you have this exact same little line of code that is vexing us so, I don't believe that a lot of people would be concerned if that line of code appears again, or something that looks similar to it, whenever you go into the Outlook address book.
    I've got a simple one for you. You give me a message that says, ''We are about to go into your Outlook address book and send a mass mailing to our Outlook address book, similar to the Melissa and Love Bug viruses,'' I don't think too many people are going to ignore it. I think they're going to say ''no, thanks,'' and move on. And I just don't know why—this is now Melissa and Love Bug—are we going to have a third one emerge, using the same method, before we—and maybe it's a technical issue.
    Ms. ENGLAND. That's an excellent point.
    The answer still is that even if the technology exists, the users must be running the antivirus software and they must be taking certain steps to make sure that they're protected. So antivirus companies can only provide the solution; it's still up to the corporations to have a security policy in place, to make sure that the antivirus software is up to date, to make sure that the signature files are up to date, to make sure that certain behavior is——
    Mr. WEINER. Ms. England, I'm fairly certain that we in the House of Representatives have a very, very excellent staff that does this. They send us notices all the time. We here were affected by Melissa; we were affected by Love Bug. Many of the offices just simply allow HIS here to come in and do whatever it is they want to do, periodically if they want to do it. Whenever they send us one of these broadcast phone calls, we all go and do our thing. And we got whacked with this thing. I don't believe that that was a function of us being careless; I don't believe it was a function of us ignoring warnings. I believe it was a function of you not having a message that—not being able to read the Melissa virus when it happened again, and I just hope that when we're here with some other virus that uses the exact same basic mechanism for communicating, that if it is so incredibly difficult to write an antivirus Melissa program that simply says, ''You are about to execute a file that looks a heck of a lot like Melissa,'' I don't believe we're going to ignore it. I think we're going to pay attention to it, and I think—not at the system administrator level, at the individual user level—I've learned not to say this in this committee room, but I don't think it's rocket science.
    Thank you, Madam Chairwoman.
    Chairwoman MORELLA. Thank you, Mr. Weiner.
    And now, Mr. Gutknecht, your questioning.
    Mr. GUTKNECHT. Thank you, Madam Chair.
    Once again, I attach myself to the comments made by my colleague from New York. Fool me once, shame on you; fool me twice, shame on me. It seems to me we have been fooled. And if there's a level of frustration that you're hearing from us today, it's because we've sort of been there before, and we count on smart people like you to help solve these problems.
    Dr. Tippett, I want to congratulate you for offering at least one suggestion that this committee can seriously look at, and that is some kind of legislation which makes it very clear that trying to write these kinds of viruses is a Federal offense and we ought to be very serious about it, because this is a serious offense. This is not tipping over outhouses out on the back parts of our country. That was clearly—what happened, and it still happens, I suppose, in some parts of the country.
    But this is a serious matter, and I want to get to something else that I think we should consider, and I want you to consider it—not necessarily right now, but give us some feedback on this, because my sense is—and we have this on fairly good authority; it's not official—there is at least one Federal agency that apparently is out actually recruiting computer hackers, and they're going to build their own little team to try to build a system of supposedly ''reformed hackers'' who are going to help us become more insulated.
    We have an expression here at the Federal level that ''no good deed goes unpunished.'' That happens all the time: tax policy, marriage penalty tax, whatever you call it; no good deed goes unpunished. But unfortunately, I think there is sort of a growing theory—and maybe I should ask Ms. England, do you have any former hackers on your staff?
    Ms. ENGLAND. No, we don't. We basically don't hire those people.
    Mr. GUTKNECHT. Well, you basically don't, but do they get hired? I think there is a theory among some of these guys—I say that generically—but I think there is a theory among some of them, ''If I'm smart enough to beat this particular system, or if I can penetrate this particular system,'' or whatever, ''the worst that's going to happen to me is I'm going to go to jail for a few months, and I'll probably get a six-figure consulting contract from somebody.''
    Mr. TIPPETT. I think, and have stated publicly many, many, many times, ICSA.net believes that, as a generic thing, hiring hackers is a bad idea, for lots of reasons. The reason that they're hackers in the first place, criminal hackers, or malicious hackers, or crackers, just to be clear about this. The reason that they do this in the first place is because they're not thinking straight, and you're basically hiring people who aren't thinking straight, who don't understand the larger ramifications of what they do.
    Furthermore, people who can break things are not the same people who can fix things. The fact that I can shoot holes through your car doesn't mean that I can make a car that you can't shoot holes through. It just doesn't compute.
    So it makes no sense at all to me to hire Billy the Kid to make a better bank vault; I mean, that's crazy. But for whatever reason, there is an allure of these people, and many of them are good at programming—although, again, many of them have underpinnings of thought processes that you wouldn't want running your IT department. You certainly wouldn't want to give them the keys to the passwords to your inner workings.
    Mr. GUTKNECHT. Well, the real question for all of you—and maybe you want to answer it now, and maybe you don't; maybe you can write us a letter or maybe we can talk about this the next time we're together, after the next outbreak—but the question is, should we make it illegal for software companies to hire someone who has been convicted of computer hacking? Think about that. Maybe you want to answer it now, maybe not, but I think we need to think about that.
    Mr. MILLER. Mr. Gutknecht, I think the question is being asked in too black-and-white a fashion. I think we would all agree that hiring people who perpetrated criminal activities and were investigated and convicted, that's a clear no-no. Companies and Government should not be hiring them. But there are a lot of these people in a grey area who clearly do think they are—I will agree with Dr. Tippett—who believe they have a mission in life, which is to help take on the big corporations and find their vulnerabilities, and then turn that information over to those big corporations, or to the antivirus companies. The people do that, for a good reason. Ms. England doesn't want to hire. Yet they do, because they like to beat the authorities, they like to beat the big companies, they're going to go find that vulnerability somehow or other, and then turn that information over. And those are people that fall into this kind of grey area.

    Now, maybe you wouldn't be comfortable having that person working at the CIA or National Security Agency or DOD. But maybe that person in fact is the person who goes that extra mile to find that extra vulnerability that the DOD officials themselves didn't find, or that the companies themselves didn't find.
    So I appreciate the fact that we like to think that the world is black and white, that there are black hats and white hats, and that there is a clear difference. But the reality is that there are some people somewhere in the middle. I don't think they are malicious in the sense that they want to do bad things. They may unintentionally do bad things, would fall into my category as somebody who should be prosecuted, but they do have something to contribute to fighting crime.
    Mr. GUTKNECHT. If I could just paraphrase what you said.
    There are people who love to do crossword puzzles, and this is the biggest and best crossword puzzle. And they just want to prove that they can actually beat that crossword puzzle.
    Mr. MILLER. That's right.
    Mr. GUTKNECHT. But they are not necessarily malicious. So okay. Thank you.
    Mr. MILLER. In my testimony I refer to a study done by two professors at George Washington University, two psychologists, who had done some work for the CIA—and in fact, people who do these kinds of things fall into a lot of different categories. Yes, there are malicious people. As I said before, punish them. Don't let them go with some Twinky defense. But there are people who are just anti-establishment, yet they are not necessarily trying to wreak havoc in Congressional offices or bring down a bank; they just want to show that they're smarter than the programmers at Microsoft, the programmers at Symantec, the programmers at Oracle, they're smarter than the DOD experts. And they may have something to contribute.
    Mr. GUTKNECHT. Yes.
    Ms. ENGLAND. Thank you, Mr. Gutknecht. I would like to make a couple of comments.
    First of all, there are virus writers who write viruses and just submit them to the research community for us to see if we can come up with a solution, and in many cases we do that. That's why there are more than 50,000 known viruses, yet there are very few of those that are actually seen in the wild. So those are people who do not have malicious intent; they simply want to have some fun, and see if the antivirus companies can come up with a solution, and most often we do.
    Secondly, we are a trusted organization. When our Avert Research Team sends out a communication to our customers and to the Government, that's a trusted communication. People know that they're getting good information. They know that we are communicating responsibly. And if I had hackers in my organization, I think that trust level would be dramatically decreased, and I would certainly not want to take the risk of having a hacker that we have hired communicating out to the Government or to enterprise companies in supposedly what is a trusted fashion that may not necessarily communicate what we want them to.
    So we have chosen this path for a reason in terms of not hiring hackers and virus writers, and we feel fairly strongly that's the right decision.
    Mr. RHODES. Let me also echo the points that have been made. We have a computer security test lab, and we go out and test on behalf of Congress, agency security. Everyone there has at least 10 years of experience inside or outside of the Government. We have to have people who can pass polygraphs and all the rest of that, because we're going into an agency to test. There is no reason why we would want a ''hacker''—not because some hackers don't have talent, but they don't necessarily have discipline. And the discipline is, will they go inside and leave something? When we walk in, we have to test, and we have to assure the agency in question on behalf of this committee or whoever has requested us to do the work, that when we leave, we leave the place clean. And we won't post the vulnerabilities to some chatroom or whatever. That's one of the biggest concerns for us, is to make certain—it's not just a skill set; it's skill set, it's discipline, rigor, and the diligence of doing the work properly, and documenting what you find, so that we can give back to the agency, you know, ''Here's how we got in, and here's the proposed fix, line-by-line and problem-by-problem.''
    Chairwoman MORELLA. It seems to me that one of our difficulties, or another challenge, was brought out in the Washington Post this past week on the ''Federal brain drain,'' that series, because you talk about the need for adequate training, a record of trustworthiness, continuity. This has to be a tremendous problem for the Federal Government in this particular area, particularly as we mentioned, Mr. Miller, the workforce difficulty that we have even to begin with.
    I am trying to put together the things that we have discussed. If I were to ask you a final question about ''where do we go from here, and what is Congress' responsibility?'' Now, what we have all heard in many different ways is that there is a need to screen our employees. I recall reading about the fact that we also should make sure that employees know what their area is so that they don't have free access to other, maybe, highly secure areas. We know that—a question was raised about penalties, Federal offenses. Awareness is important for the private sector, as well as the public sector. We need to update our knowledge of antivirus mechanisms. Coordination is important; maybe some sharing, as well as long-term R&D. All of these things.
    Then, of course, implementation and oversight. I would like to give you each an opportunity to give us what you see as kind of the key elements that we in Congress have a responsibility to fulfill. I know you mentioned a number of them in your report.
    Mr. RHODES. The main thing that I would say that you bring is the two areas that you described as awareness and the workforce. There are lots of other issues that you brought up, but if we can stabilize the workforce inside the Government—it is very hard for me to hold onto qualified engineers. It's very hard for me to find them; then we train them, then they leave. The Government has put on the average, out of my office, approximately half a million dollars worth of training into an individual, and then they can go out the door and in some cases double and triple their salaries.
    The only thing that I can hold onto them with is the ability to let them know they don't have to work 24 hours a day, the ability for them to work on very interesting work. They get to work on a wide variety of jobs that are very interesting. I'm going to get them the best possible pay that I can get them inside the Government which, of course, is not too competitive with private industry, but a lot of times it becomes quality of life in my office. I don't micromanage. I let people have freedom. I allow them to continue to publish, things like that. But those are the only things that I have to draw them in.
    But I also have to treat them as if I know they are walking around with two job offers at any given moment. So that workforce issue is the one that, frankly, I spend all the time on. The other one is making certain, through your oversight hearings, that the Government becomes aware, and that the Government becomes aware that it needs a partnership with private industry, that it cannot do it alone, that we aren't in the Government structure of us initiating, building, designing, and producing the products that we have, that we've got the work. But for us to be successful at that, we have to have a strong workforce. So I cannot stress the workforce issue enough.

    Chairwoman MORELLA. Are you able to train the people yourselves?
    Mr. RHODES. Yes. But we do that through industry, as well. I mean, there is industry training that we bring in to do that. There is university training. People come in with a basic skill set. And then there is also on-the-job training with them actually doing the testing.
    Chairwoman MORELLA. Mr. Miller.
    Mr. MILLER. First, I would like to say—I know that Mr. Weiner and Mr. Gutknecht had to leave, but I will guarantee you one thing: we will be back here having another hearing on another virus attack. I take your subcommittee's admonition very seriously, but I think the subcommittee and Congress would be foolhardy to assume that somehow there is a silver bullet out there or some magical solution. Bad people are out there and they're going to continue to try to exploit the architecture for all the reasons that were discussed, and so we will be back.
    In terms of the specific answer to your question, there are several areas that we will be looking to Congress for some help with. As you know, in terms of the information-sharing challenge within industry, there are some concerns about the Freedom of Information Act and the antitrust provisions. Congressman Davis and Congressman Moran have introduced a bill that we think may need some tweaking, but basically could be very helpful; we've been working with them on that piece of legislation.
    In the area of the workforce issue, I agree very much with Mr. Rhodes. The Government is just facing a crisis in terms of information technology specialists. A recommendation which the Clinton Administration has put forward—and I understand Senator Warner will be endorsing today—is the idea of a ''Cybercorps,'' which would be a program under which college students would be able to get special grant or loan dispensation if they agree to spend a certain amount of time, I believe it's 3 years, working for the Federal Government, if they are information security specialists.
    So I think this is an attempt to address directly the challenge of bringing more information security specialists into the Government by creating this kind of incentive system. That's something that the subcommittee might want to take a look at.
    Chairwoman MORELLA. On that, do we have the colleges or the facilities to train these people?
    Mr. MILLER. They're being ramped up, Madam Chair, but I think we're a long way from there. Through some funding through the National Security Agency, I believe seven universities have been identified as special places for training, including some local schools, George Mason and James Madison. Purdue University is another one. Those schools are being given additional facilities and additional monies to particularly train people with information security specialization.
    Related is the R&D funding which I mentioned, which I think is directly related to the workforce issue in the following way. As you know, having been a teacher in the higher education system, a lot of the ability of schools to both attract faculty and graduate students has to do with research money. If you can get research money into these academic institutions, that allows them to provide fellowships and scholarships to recruit certain faculty, and also fellowships and scholarships to recruit graduate students. So the R&D funding that I mentioned before, the $50,000,000, if wisely spent, could not only help the R&D function, but could also help the workforce issue by bringing more funds to attract people to specialize in information security.
    In terms of the Federal Government itself, I think Mr. Rhodes has covered it very well in his testimony. Clearly, the Federal Government needs to be a model. It doesn't have a unique challenge, but it does need to be a model. The more it institutes best practices and carries out the absolute best cyber hygiene, the more likely it is that the private sector will do the same.
    Chairwoman MORELLA. Ms. England.
    Ms. ENGLAND. Thank you, Madam Chair. I would like to echo the comments of Mr. Miller and Mr. Rhodes as well. You may know of an organization within our company called NAI Labs. This is a long-term research and development organization. They work very closely with the Government, and they are focused on security issues that are 2 to 5 years out. We feel very strongly that that's an issue that requires funding and that requires close communication with the Government. We have done very well working together in the past.
    An additional issue, I think that education and awareness is a requirement. We touched on that earlier. We are just seeing some of the problems that are going to be much more prolific in the Internet world, and I think that education and awareness at the individual level, as well as the Government and corporate levels, is a requirement as well.
    I also think there is an opportunity for the antivirus companies and Government to work together in terms of making solutions available. You have websites where solutions could be posted to this kind of problem. There are other alternatives that we could explore in working together to make sure that we are solving these crisis situations as soon as they occur.
    Chairwoman MORELLA. Mr. Tippett, you get the last word.
    Mr. TIPPETT. I have seven quick thoughts.
    One, if you make policies and laws and programs and so on that, number one, discourage criminal hacking and virus writing, whatever you can do in those places—I mentioned the First Amendment conflict, but I think it ought to be taken head-on.
    Two, accelerate technologies that facilitate authentication across the Internet. This is the underpinning of all computer security-related issues. We don't know where that message or that packet came from, and if we did, we could make judgments based on who sent it. We just don't have that ability now, and there are lots of technologies in place—one called, generically, PKI, Public Key Infrastructure. But all the digital signature stuff. IPSEC is the technology most likely to succeed in that across the Internet, but there is one called HIP—Host Identity Protocol—that is floated. Other things like that.
    Chairwoman MORELLA. So you see our role in that, in terms of research and development?
    Mr. TIPPETT. Well, whatever you can do to facilitate it and push it along.
    Three, find ways to get essential practices in the hands of more security administrators, or administrators of organizations. People don't know what the checklists ought to be. So it isn't that the great gurus of the world can't figure out how to make a network secure; it's that the masses can't, and we need to move what we know about the basic, simple, easy stuff to everyone. We call those ''essential security practices.'' We are nowhere even essential. People talk about best practices; the world doesn't even do the easy stuff right yet.
    Fourth, figure a way to enhance the dissemination of risk alerts—not the ''730,000 new bugs this week,'' that everybody needs to go around and fix, but bugs or vulnerabilities that have associated threats, or are likely to.
    Fifth, find a way to encourage effective testing and auditing of organizations. If you use good essential practices and hook that up with recurring alerts, and test to know where you are and where you are the next day and where you are the next day, that looks a lot like air traffic control and preflight briefings and standardized alerts and things that actually were the majority of the responsibility for making aviation safe.

    Finally, encourage the adoption of certifications. ICSA.net has a program called the Trustcare Program which allows companies to at least ensure that they are doing the essential practices, allows people to assure one another that they are, and that they are keeping up to date in a continuous way. Dynamic certifications work. They work in the technology sector, and they can certainly work in the public sector and the Government.
    And finally, people do need to have training. I think every system administrator needs to learn about security. You could call that security training, or you could call that certification. ISSP has a program that has been around forever; CISSP and other organizations like ours are bringing out certification programs. Any of these are acceptable; we need to make sure that they happen.
    Chairwoman MORELLA. I think these have been great suggestions.
    Let me just also ask you to reiterate, Mr. Miller, you mentioned two items. You mentioned in terms of working together, the information sharing, that you were going to be having a report that was going to be coming out, mid-summer. I thought you might just want to make a comment about what we can expect to see in that report, to whom it will be issued.
    And then you also pointed out—wasn't there an international summit, again, coming up in like October, just those two dates, what we can expect?
    Mr. MILLER. The Information Sharing and Assurance Center that we are developing comes out of the recommendations of the Presidential Commission that General Marsh headed. The banking industry has already set one up, which is allowing information sharing among the banking industry on these sensitive matters. The telecommunications industry is setting one up, using the existing National Communications Center, and now we're working to set one up in the IT industry. That's what we will be announcing later this summer. Also, the energy industry is working on one; the transportation industry is working on one. So what you're going to have, Madam Chair, is within these industries the ability to share, in a very confidential manner, proprietary information which can help these industries deal with the information security challenges, try to deal with preventing them when possible, or responding to them. And then the hope is also to be able to share information across these industries so that the banking industry, for example, can share information with the IT industry, with the energy industry, etc.
    And the third part of it is, how do you share information with the Government? Because again, a lot of this has to do with trust, confidentiality, proprietary information. So we are working on the one for the IT industry and we will be able to give you a lot more report on that by mid-summer.
    The global conference you mentioned is one where we hope to spur a global partnership similar to the one that was developed in Y2K. As you know, we had the honor to host an international Y2K conference in 1998 at your urging and that of other Members of Congress. That was held in London. That in turn led to activities such as the International Y2K Cooperation Center, which Mr. Bruce McConnell headed up, which everyone agrees was very influential in helping to address the Y2K challenge on a global basis by establishing communications within industries across the globe, and between industries across the globe. We want to use our event here, October 16th and 17th, to kick off the same kind of partnerships, Madam Chair, so that we would be able to come back to this Congress a year from now and say that the telecommunications industry worldwide, the IT industry worldwide, the financial services industry worldwide, etc., communicate about these information security risks both within the vertical industries as well as across industries, and also, again, share that information with Government where appropriate. And we see the event in October as kicking off that kind of activity.
    Chairwoman MORELLA. It was just the other day that we passed a resolution that I had submitted, with others, to congratulate the Federal employees, especially, and to look to the private sector also, to commend them for the working together that was done on the Y2K computer problem. Many people in both sectors worked around the clock, worked long hours, made the difference. And I see it—and you picked up on this idea—I see it as kind of a little bit of a template of what could be followed in computer security. Obviously, we know that Y2K had a terminal date; this one doesn't, and I hope we don't see you back again with another virus. But I think that is probable.
    But I am hoping that these partnerships can be forged in that very same manner, and maybe even more sophisticated and streamlined.
    I think this has been an excellent hearing and I hope that it has inspired us to do all of those things that we should with education, awareness, equipment, trust. You know, we have a Character Counts Program nationally, some cities and municipalities have adopted it, where everybody works together. It seems to me that in terms of information technology, we need a Character Counts Program specific to that, with regard to the trust.
    But I want to thank you for being here, Mr. Rhodes and Mr. Miller and Ms. England and Mr. Tippett. You've given a great deal of information and advice to us, and we appreciate it. I hope that you will continue to let us know if something comes up and you think, ''This is something Congress should be doing,'' I hope that you will inform us.
    Other members of the committee may have questions to submit to you for your response.
    Thank you, and our subcommittee is now adjourned.
    [Whereupon, at 12:42 p.m., the Subcommittee was adjourned.]

    "The Official Committee record contains additional material here."

APPENDIX