Prepared Testimony of Scott Charney
Chief Security Strategist
Before the Subcommittee on Government Efficiency, Financial Management, and
Committee on Government Reform
U.S. House of Representatives
July 24, 2002
Mr. Chairman and Committee Members, thank you for the opportunity to appear today at this important hearing on cyber-terrorism and critical infrastructure protection.
My name is Scott Charney, and I am Microsoft's Chief Security Strategist. Microsoft works with industry leaders and governments around the world to identify security threats to computer networks, share best practices and prevent dangerous computer attacks. Like many other information-technology (IT) companies, we have seen security threats grow, and we are responding to prevent harm caused by anyone from those who simply launch scripts to potential cyber-terrorists. While we have worked diligently on cyber-security for several years, this effort accelerated after September 11th and was crystallized for Microsoft when Bill Gates launched our Trustworthy Computing initiative in January. More recently, he reported on our progress to date in an executive e-mail distributed on July 18, 2002.
Today I would like to address IT security issues broadly, then use the Trustworthy Computing initiative as an example of how one company can take steps on its own and with partners to address cyber-security. And finally, I will propose several things the Congress can do to help prevent and manage cyber attacks and catch those who perpetrate them.
As Chief Security Strategist, I oversee the development of strategies to implement our long-term Trustworthy Computing initiative and create more secure products, services, and infrastructures. My goal is to reduce the number of successful computer attacks and to increase the confidence of all IT users. Not only do I work on Microsoft products and services, but I also collaborate with others in the computer industry and the Government to make computing more secure for all users.
Prior to joining Microsoft, I was a principal for the professional services organization PricewaterhouseCoopers (PwC), where I led the firms Cybercrime Prevention and Response Practice. In that capacity, I provided proactive and reactive cybersecurity services to Fortune 500 companies and smaller enterprises. Before joining PwC, I served as chief of the Computer Crime and Intellectual Property Section (CCIPS) in the Criminal Division of the U.S. Department of Justice where I helped prosecute nearly every major hacker case in the United States from 1991 to 1999. In that capacity, I also worked with Congress to enact the National Information Infrastructure Protection Act of 1996, and served on U.S. delegations to various international organizations working to harmonize government responses to cyber-crime.
Cyber Attacks And Critical Infrastructure Protection Are A National Challenge.
Mr. Chairman, the information technology revolution has transformed all aspects of our society. And this transformation will continue as computing technology is embedded in a wide range of devices and as those devices become increasingly networked. But our society's increasing dependence on computers means that the disruption of our networks, whether due to nation-states, terrorists, criminals, or simply pranksters, could seriously impair public safety, national security, economic prosperity and, more generally, our way of life. An attack against the information technology backbone of one of our nation's so-called critical infrastructures, such as communications services, energy, financial services, manufacturing, water, transportation, health care, and emergency services, could disrupt Americans' physical and economic well-being and have a worldwide impact. An attack against the U.S. that combines both cyber and physical elements could be particularly devastating, such as a physical attack against a building combined with disruption of the telecommunications infrastructure needed to provide emergency services to the physically affected area.
More specifically, cybercriminals could attack our computer systems in a variety of ways, causing serious consequences including: (1) compromising the integrity of data, such as deleting records of financial institutions; (2) breaching the confidentiality of data, such as obtaining information from nuclear power plants which can then be used to plan a physical attack; and (3) acting as weapons of mass disruption to take down key Internet nodes whose failure would then lead to a cascading effect, meaning wide-ranging disruption of other parts of our critical infrastructures.
The President's recently released states how a cyberattack against one critical infrastructure could have cascading effects against other critical infrastructure networks; for example, disrupting a water supply authority's digital controls over water distribution could lead to a shutdown in electrical generation facilities, which in turn could cause widespread blackouts or brownouts. But we need not speculate, as we have already had a cyber attack that caused cascading effects. Several years ago, a juvenile in Massachusetts disabled a telephone switch and consequently disrupted air traffic control at a regional airport served by that switch.
The challenge of cybersecurity has been with us ever since the Internet grew beyond its original purpose as a military communications network. The disabled portions of the Internet as long ago as 1988. And several publicized examples of viruses and worms over the last few years are the latest tangible reminders both of the widespread damage that worms and viruses can cause and that no vendor's platform is immune. The virus of 2000 caused an estimated $8 billion in damages. The and worms attacked Linux software to deface websites and extract sensitive information such as passwords. The worm caused an estimated $2.4 billion in damages by exploiting Windows server software to deface websites, infect computers, and make computers susceptible to attack by third parties. The attacks exploited vulnerabilities in the Solaris operating system to stage distributed denial of service attacks against several prominent websites, causing an estimated $1.2 billion in damage. Most importantly, perpetrators are seldom identified and prosecuted. For example, the virus writer was found but remains free since the laws of his country did not criminalize his actions.
Unfortunately, we know two things: First, operating system software is one of society's most complex creations, and thus it will always have vulnerabilities. And second, because smart, malicious individuals will always seek and exploit these vulnerabilities, it is impossible to completely prevent cyber attacks. This places the IT industry in a perpetual race against cyber-criminals to maintain the Internet's security.
Finally, U.S. critical infrastructures were and are designed, deployed and maintained primarily by the private sector. That is why this Administration and its predecessor have emphasized that securing critical infrastructures requires a partnership between Government and industry. Voluntary cooperation and industry-led initiatives, supported by appropriate Government cybersecurity initiatives, will work best to address computer security issues. As I will describe below, Microsoft is at the forefront of industry's efforts to work closely with the Government to secure our nation's information technology infrastructure.
Microsoft's Response To The Threat Of Cyber-Attacks Against Our Nation.
Microsoft is working with industry leaders and governments around the world to identify security threats to computer networks and share best practices, and this starts from the very top. Our senior leadership contributes its expertise to national policymaking on cyber-security and critical infrastructure protection, and from Bill Gates to each developer, we are devoting our resources and energies to our ongoing Trustworthy Computing initiative. We also engage on an operational level in assisting Government agencies to prevent and investigate cyber-attacks.
Microsoft Supports Current Government Cyber-Crime Initiatives.
The Government has made great strides in fostering greater awareness of cyber-security issues and building an effective public/private partnership. We of course support the job Richard Clarke is doing as the President's cyber-security advisor and coordinator. He has worked for years to raise the level of concern about cyber-security both in the nation's boardrooms and within government departments.
We applaud the House of Representatives for passing H.R. 3482, the Cyber Security Enhancement Act of 2002. We are pleased in particular that this bill strengthens law enforcement's ability to deter cyber-crime by permitting the United States Sentencing Commission to grant federal judges more flexibility in imposing sentences for cyber-crime. Today, sentences for violations of the Computer Fraud and Abuse Act are in large part determined by calculating actual economic loss, which is often difficult to determine in the cyber-crime context. Although other factors may be considered under existing law, H.R. 3482 more clearly delineates a broader range of relevant issues that should be considered when imposing sentences. For example, the Commission may consider whether judges should impose a sentence based upon factors such as the offender's purpose and the effect of the crime on national security or law enforcement interests.
There are other steps that Microsoft respectfully suggests the Government take to help protect our critical infrastructures against cyber-terrorism: First, we support heightened penalties for cyber-crime. Today, only the proceeds of cyber-crime, not the means to commit the crime, can be forfeited to the Government. We urge that forfeiture also apply to any personal property, such as computer equipment, used or intended to be used in the commission of cyber-crime. We believe the deterrent effect of expanded forfeiture for cyber-crime will be significant, particularly in the cases of felons who wage cyber-attacks for malicious rather than remunerative reasons. Moreover, it makes no sense to permit convicted hackers to keep the device that they used to harm others. Second, we strongly support increased funding for law enforcement personnel, training, and equipment to prevent and investigate cyber-attacks. These hard-working officials, many of whom are former colleagues of mine, are often short-staffed, under-funded, and lacking the state-of-the-art technology used by cyber-criminals. Increased funding is needed to modernize and place them on par with those they investigate. Additional funding may also help the Government coordinate with state and local law enforcement in preventing and investigating cyber-attacks.
Third, as I mentioned above, we are in a perpetual and accelerating race against hackers, and both the Government and industry need continuously to improve their cyber-security capabilities. For this reason, Microsoft supports increased funding for cyber-security research and development (R & D). The Government should increase its support for basic research in technology and should maintain its traditional support for transferring the results of federally-funded R & D to the private sector so that Government R & D will ultimately increase the cyber-security of the private sector. And the Government must also lead by example, securing its own systems through the use of reasonable security practices.
Fourth, we also believe that greater cross-jurisdictional cooperation among law enforcement is needed for investigating cyber-attacks. Cyber-attackers can easily transit any border, as demonstrated by the and viruses and the attacks, all of which were international in scope. Enhanced law enforcement cooperation across local, state and international borders is vital for law enforcement to prevent and investigate cyber-attacks. We also support an international law enforcement framework that establishes minimum criminal liability and penalty rules for cyber-crime so that cyber-attackers cannot escape punishment for cyber-attacks against the U.S. by seeking refuge outside of our borders.
Finally, our Government is composed of different organizations to deal with crime, espionage, and war. These organizations have different missions and authorities, including the Foreign Intelligence Surveillance Act (FISA) for intelligence agencies and the Electronic Communications Privacy Act (ECPA) for law enforcement. However, in the case of cyber-attacks, the motive and identity of a particular cyber-attacker are difficult to ascertain at the onset of an investigation. As a result, the investigation poses issues such as which Government agency should take the lead in responding to the attack and what legal authorities will guide the investigation. The resolution of these issues requires continuing communication and a culture of sharing information as authorized by law. We need to think through how to structure the Government's efforts most appropriately to prevent and investigate cyber-attacks so that we can address these issues effectively and in real time.
Microsoft pledges to remain a leader in industry efforts to secure products and services. Americans, their government and the critical infrastructures they depend on every day face significant and growing cyber-security challenges. Working with our Government partners and industry peers, we are committed to preempting, catching and prosecuting cyber-criminals to protect the computing experiences of our customers and the cyber-security of our nation.