Prepared Testimony of Scott Charney
Chief Trustworthy Computing Strategist
Before the Subcommittee on Commerce, Trade and Consumer Protection
House Committee on Energy and Commerce
U.S. House of Representatives
November 19, 2003
Hearing on “Cybersecurity & Consumer Data: What’s at Risk for the Consumer?”
Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee: My name is Scott Charney, and I am Microsoft’s Chief Trustworthy Computing Strategist. I want to thank you for the opportunity to appear today to provide our views on cybersecurity and on what we are doing to secure consumer data. I oversee the development of strategies to create more secure software and services and to enhance consumer security and privacy through our long-term Trustworthy Computing initiative. My goal is to reduce the number of successful computer attacks and increase the confidence of all computer users. This is something I have worked toward throughout much of my career, including during my service as chief of the Computer Crime and Intellectual Property Section (CCIPS) in the Criminal Division of the U.S. Department of Justice. While at CCIPS, I helped prosecute nearly every major hacker case in the United States from 1991 to 1999.
At Microsoft, security is our number one priority, and as an industry leader, we are committed to continually improving the capability of our software to protect the privacy of consumers and the security of their data. We are at the forefront of industry efforts to enhance the security of computer programs and networks and to educate consumers about good cybersecurity practices. We also work closely with our partners in industry and governments around the world to identify security threats to computer networks, share best practices, improve our coordinated responses to security breaches, and prevent computer attacks from happening in the first place.
This hearing is exceptionally timely because of the rapid developments in cybersecurity over the past two years. We wholeheartedly agree with this Subcommittee that it is critical for all of us to address consumer concerns about the privacy and security of their online data in order to stimulate the further growth of e-commerce and to help realize the Internet’s full potential.
Today, I want to describe the risks posed to consumers’ cybersecurity, and the ways in which industry and government are working together to protect consumers’ online data. First, I will discuss the general state of cybersecurity since November 2001, when we last appeared before this Subcommittee; I will touch both on what has stayed the same, and on what has changed. Second, I will discuss Microsoft’s ongoing efforts to help secure consumers’ computer data. Third, I will offer a few suggested steps that the government can take to enhance the security of consumer data.
The pursuit of cybersecurity involves a daily and never-ending contest between industry, governments, and computer users, on the one hand, and cyber criminals, on the other. Hackers remain elusive, aggressive, and innovative. When we last testified before this Subcommittee on this topic, the “ILOVEYOU,” Code Red, Ramen, Li0n, and Trinoo worms and viruses had already struck a variety of operating systems. Since that time, criminal hackers have unleashed Slapper, Scalper, Slammer, Blaster, SoBig, and many other viruses and worms to infect computers, deny service, and impair recovery.
There are no silver bullets in cybersecurity: there will always be vulnerabilities in complex software and systems, and there will always be human errors. As was true in 2001, cybersecurity involves many layers and many collaborative partnerships, including software design, software configuration, software patching, the sharing of threat and vulnerability information, user education, user practices, and the investigation and prosecution of cybercrime both within the United States and internationally. In other words, cybersecurity involves management of technology as much as the technology itself.
Meanwhile, much has changed since we last testified before you. Consumer dependence on the Internet has grown, and consumers are more frequently sharing their personal information, including their identities, contact information, financial data, and health information, over the Internet. Moreover, as the personal computer becomes more central to the daily lives of many citizens and to the daily functions of the public and private sectors, the government, consumers, and business enterprises are storing more personal information on their Internet-connected computers and networks, thus potentially exposing their data to hackers even if that personal information is never transmitted over the Internet. In addition, consumers with broadband, unlike those with a dial-up connection, are connected to the Internet at high speed and with unvarying IP addresses, which places their data at greater risk. As of March 2003, 30 million homes in America had a broadband connection to the Internet, double the number who had a high-speed connection at home at the end of 2001 and a 50% increase from March 2002.
Another key change over the past two years is that the time between the issuance of a patch and the time when we see a concrete exploit taking advantage of the underlying vulnerability has dramatically shortened. This time period is crucial because we have had very few attacks that actually precede the patch; more typically, once a patch is released, a race ensues between those installing the patch to eliminate the vulnerability and those developing code that exploits the vulnerability. When an exploit is developed faster, enterprises and individuals have that much less time to learn of, test, and install the patch before a hacker uses the exploit to inflict damage. That window for the NIMDA virus was 331 days between patch release and exploit; for Blaster, less than two years later, it was only 26 days.
The chronology leading up to the criminal launch of the Blaster worm illustrates the complex interplay between software companies, security researchers, persons who publish exploit code, and hackers. On July 16, we delivered a patch for the vulnerability and a security bulletin to our customers. This was followed by ongoing outreach to consumers, analysts, the press, our industry partners, and the government. On July 25, nine days after we released the patch, a security research group called XFOCUS published a tool to exploit the vulnerability that the security bulletin and patch had highlighted. In essence, XFOCUS analyzed our patch by reverse engineering it to identify the vulnerability, then developed a means to attack the vulnerability, and finally offered that attack to the world so that any unsophisticated hacker could then unleash an attack by downloading XFOCUS’s work and using launch tools freely available on the Internet.
At this point, we heightened our efforts to inform our customers about the steps they should take to secure their computers. On August 11, only 26 days after release of the patch, the Blaster worm was discovered as it spread through the Internet. This sequence of events underscores a dilemma: the same information that helps customers to secure their systems also enables self-identified security researchers and others to develop and publish exploit code, which hackers then use to launch damaging criminal attacks.
The sophistication and severity of cyberattacks are also increasing. The Slammer worm in January 2003 did not attack the data of infected systems, but resulted in a dramatic increase in network traffic worldwide and in temporary loss of Internet access for some users. This past summer, criminal hackers released the Blaster worm, which spread by exploiting a security vulnerability for which we had released a patch. Machines infected by Blaster used the network connection to locate new, vulnerable machines, whereupon the worm would copy itself, infect the new machine, and continue the process. Blaster affected Windows NT4, Windows XP, Windows 2000, and Windows Server 2003 systems, but could not reach those machines that were patched and defended by a properly configured firewall. The worm also tried to deny service to those users seeking to download the patch for Blaster.
In addition, cybercriminals have been able to make viruses more prevalent and harder for consumers to detect by “spoofing” legitimate email addresses, which makes it more difficult to determine who the real sender is. In 2002, there were twice as many email viruses as there were in 2001. In January 2003, the SoBig virus spoofed email addresses and contained infectious .pif attachments, which if opened would infect the user’s computer and search the infected user’s hard drive for email addresses of possible further victims. Multiple variants of the SoBig virus surfaced during the year. It is important to note that SoBig did not exploit any software vulnerability; it was a social engineering attack based on users’ willingness to trust email that appeared to be from individuals whom they knew.
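The two SoBig traits described above, a spoofed sender and an infectious .pif attachment, are both visible in a message's headers and MIME structure. The following is an added illustration of how a mail gateway could flag them; it is not Microsoft's code, and the two messages it checks are constructed samples.

```python
"""Flag mail that shows the SoBig pattern: a From address whose domain does not
match the envelope sender (Return-Path), and/or an executable attachment such
as .pif.  Added example, not from the testimony; sample messages are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List

# Attachment extensions Windows will execute when opened; .pif is the one SoBig used.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# Constructed sample: header From claims alice@example.com, but the envelope
# sender is a different domain, and the payload is a .pif attachment.
SAMPLE_SOBIG_LIKE = b"""Return-Path: <bounce@mailer.example.net>
From: "Alice" <alice@example.com>
To: bob@example.org
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign sample: envelope and header sender agree, no attachment.
SAMPLE_BENIGN = b"""Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain

Noon?
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain of an address header value, or '' if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def executable_attachments(msg: EmailMessage) -> List[str]:
    """Filenames of attachments whose extension Windows would execute."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def assess(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and report the two SoBig indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    # A mismatch alone is not proof of spoofing (mailing lists do this), but
    # combined with an executable attachment it is a strong quarantine signal.
    sender_mismatch = bool(from_domain and envelope_domain and from_domain != envelope_domain)
    attachments = executable_attachments(msg)
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "sender_mismatch": sender_mismatch,
        "executable_attachments": attachments,
        "quarantine": sender_mismatch or bool(attachments),
    }


if __name__ == "__main__":
    for label, sample in (("sobig-like", SAMPLE_SOBIG_LIKE), ("benign", SAMPLE_BENIGN)):
        print(label, assess(sample))
```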
In response to these threats, industry has increased tremendously the resources and priority it devotes to cybersecurity issues. Many of those efforts continue today, and I will describe them in more detail in the next section. Over the past two years, the government has also taken significant steps to address these heightened risks for online consumers. We commend these actions as important steps in our shared journey toward enhanced cybersecurity.
First and foremost, the Department of Homeland Security created the National Cyber Security Division (NCSD) under the Department’s Information Analysis and Infrastructure Protection Directorate. The NCSD was established to provide 24 x 7 functions, including cyberspace analysis, issuing alerts and warnings, improving information sharing, responding to major incidents, and aiding in national-level recovery efforts. The Department created the NCSD as part of its implementation of the Homeland Security Act of 2002 and the National Strategy to Secure Cyberspace, which the White House released in February 2003 after soliciting extensive comments from consumers, industry, and other government actors. We worked with government officials in all of these activities, and we are encouraged by the work DHS has done to date. Moreover, I personally look forward to co-chairing a task force at its December “National Cyber Security Summit.”
Second, the United States signed the Council of Europe Convention on Cybercrime in November 2001. The Convention requires parties to have minimum procedural tools to investigate such attacks, and to facilitate international cooperation in investigating those attacks. Because of the inherently international nature of cybercrime, the Council of Europe cybercrime treaty is an important step towards the transborder cooperation that is vital to combating cybercrime and protecting consumers. We look forward to the day when the treaty is sent to the Senate for its consideration.
Security is Microsoft’s top priority. We have devoted and will continue to devote enormous resources to enhancing security. As we confront new challenges and develop new approaches and new partnerships, we continue to learn that perfect security in cyberspace is unattainable, just as it is in the physical world. Operating system software is one of the most complex items that humans have created, and it is impossible to eliminate all software vulnerabilities. Thus, we know that security is a journey rather than a destination, and it can only be improved by partnerships involving government, industry, responsible security researchers, and customers around the world including government agencies, enterprises, and individual users. Two years ago before this committee, my friend and co-panelist Howard Schmidt properly stated, “We know that there is no finish line to these efforts, but by working as we have with industry peers – including some of these panelists – and with governments, we have a chance to keep one step ahead of cyber-criminals.”
In January 2002, Bill Gates launched our Trustworthy Computing initiative, which involves every aspect of Microsoft and focuses on four key pillars: security, privacy, reliability, and business integrity. Security involves designing programs and systems that are resilient to attack so that the confidentiality, integrity, and availability of data and systems are protected. The goal of our privacy efforts is to give individual consumers greater control over their personal data and to ensure, as with the efforts against spam, their right to be left alone. Reliability means creating software and systems that are dependable, available when needed, and perform at expected levels. Finally, business integrity means acting with honesty and integrity at all times, and engaging openly and transparently with customers.
Under the security pillar, we are working to create software and services for all of our customers that are Secure by Design, Secure by Default, and Secure in Deployment, and to communicate openly about our efforts.
“Secure by Design” means two things: writing more secure code and architecting more secure software and services.
“Secure by Default” means that computer software is more secure out of the box, with features turned off until needed and turned on by the users, whether it is in a home environment or an IT department.
“Secure in Deployment” means making it easier for consumers, commercial and government users, and IT professionals to maintain the security of their systems.
“Communications” means sharing what we learn both within and outside of Microsoft, providing clear channels for people to talk with us about security issues, and addressing those issues with governments, our industry counterparts, and the public.
The Trustworthy Computing goals are real and specific, and this effort is now ingrained in our culture and is part of the way we value our work.
We have enhanced the training of our developers to put security at the heart of software design and at the foundation of the development process. Security is and will continue to be our highest software development priority. All new software releases and service packs are now subject to an enhanced security release process, which has already resulted in a notable decline of vulnerabilities in some of our server software. This effort, which can cost hundreds of millions of dollars and delay the software’s release to the market, is a critical step in improving software security and reliability. We are seeing a quantifiable and dramatic decrease in vulnerabilities: for example, Windows Server 2003 followed this process, and in the first ninety days we reported and patched three critical or important security vulnerabilities, and six total in the first 180 days, whereas in Windows Server 2000 we found eight critical or important vulnerabilities in the first ninety days and twenty-one in the first 180 days.
When an attack does occur, our Microsoft Security Response Center (MSRC) coordinates the investigation of reported vulnerabilities, the development of patches, and our customer outreach efforts. We are very proud of this organization and believe it represents the industry’s state-of-the-art response center.
Although we have made major strides, much work on Trustworthy Computing remains ahead of us. One key piece of that work is the Next-Generation Secure Computing Base (NGSCB). This is an on-going research and development effort to help create a safer computing environment for users by giving them access to four core hardware-based features missing in today’s PCs: strong process isolation, sealed storage, a secure path to and from the user, and strong assurances of software identity. These changes, which require new PC hardware and software, can provide protection against malicious software and enhance user privacy, computer security, data protection and system integrity.
Part of Trustworthy Computing involves communicating with our customers. In the wake of Blaster, we launched the Protect Your PC campaign, urging customers to take three steps to improve their security: install and/or activate an Internet firewall, stay up to date on security patches, and install an anti-virus solution and keep it up to date. The www.microsoft.com/protect web site serves as the focal point for the campaign. We also provide a wide range of free security tools and prescriptive guidance to make it easier for consumers to make their computers and their data more secure.
Patch management is a significant issue. We recognize that the most important solution is to reduce the number of vulnerabilities in code, thus reducing the need for patching. This is why we are emphasizing secure by design. But no operating system – regardless of development model – will ever be free of all vulnerabilities. We must manage this risk by providing customers with simple and easy to use patches. To streamline those processes, we are taking the following steps:
Improving our testing of patches to ensure patch quality.
Reducing the number of patch installers to provide users with a consistent patch experience, and make patching simpler.
Working to ensure that each patch is reversible, so a rollback is possible if deployment raises an unanticipated issue, such as adversely affecting a legacy application.
Ensuring that patches register their presence on the system – and producing improved scanning tools – so a user can quickly determine if his or her machine is patched appropriately.
Making our security patch releases more predictable. We are now providing security updates once a month, but we will still provide patches outside this schedule when necessary, such as when exploit code is publicly available.
Avoiding a reboot of the computer where practicable, as our customers are more likely to apply a patch quickly if server availability will not be interrupted.
Producing specific technology, such as Software Update Services and Systems Management Server, so enterprises can download patches, test them in their unique environments, and then easily deploy them.
Informing customers about the AutoUpdate feature in recent Microsoft operating systems, which can automatically download updates and then either install them as scheduled or request permission from the user to do so.
As noted, protecting consumer security depends, in part, on protecting the security of enterprise servers, which often hold valuable consumer data. Steve Ballmer, Microsoft’s Chief Executive Officer, announced last month that we are working to secure these networks from the hazards that arise when users log into those networks from home or other remote locations. Those hazards include malicious e-mails, viruses and worms, malicious web content, and buffer overruns.
While patches remain part of the solution, we are developing what we call safety technology to secure these networks at the perimeter by:
Reducing the risk from computers such as notebooks and portable computers that are moved between an enterprise’s network and external networks.
Improving browsing technologies to minimize the risk of hostile web sites executing malicious code on visiting users’ computers.
Enhancing memory protection to help prevent successful buffer overrun attacks.
Improving the Internet Connection Firewall within Windows while also working closely with partners in the software security industry.
Through these measures, we hope to help protect machines even when not patched, thus giving enterprises more time to test and deploy patches and enabling enterprises to patch on their schedule, not on a schedule determined by hackers.
We are also providing new information and guidance on how enterprises can secure their computers to protect data, including the personal information of their customers.
We embrace our role in providing more secure computing for all our customers. Because security is an industry-wide issue, we participate actively in partnerships that span the industry, customers and both the public and private sectors to encourage customers to implement software in more secure ways.
For example, we are a founding member of the Organization for Internet Safety (OIS), an alliance of leading technology vendors, security researchers, and consultancies that is dedicated to the principle that security researchers and vendors should follow common processes and best practices to efficiently resolve security issues and to ensure that Internet users are protected.
We also work with the Virus Information Alliance (VIA), a centralized resource for Internet users seeking information about the latest virus threats. Through its member companies, Microsoft, Network Associates, Trend Micro, Computer Associates, Sybari, and Symantec, the VIA offers recommended best practices for preventing malicious attacks, information about specific viruses, how-to articles and links to other anti-virus resources on its web site.
I am personally participating with some of my co-panelists in the Global Council of Chief Security Officers, a newly formed think tank that will share information with member companies and governments on cybersecurity issues and enhance the involvement of private sector officials in cybersecurity issues.
We also helped found the Information Technology – Information Sharing and Analysis Center (IT-ISAC) and I serve on its board today. The IT-ISAC coordinates information-sharing on cyber-events among information technology companies and the government.
Two years ago we spoke about the need to increase deterrence of criminal hacking. Although the Cyber Security Enforcement Act passed this Congress last year, there is still much more that needs to be done. Despite the best and laudable efforts of dedicated law enforcement personnel, far too many hackers unleash their malicious code or commit crimes with no punishment, as evidenced by the fact that the authorities have yet to bring to justice the criminals who launched major attacks like Blaster, NIMDA and Slammer. This is an untenable situation, and it is one the nation allows to persist in no other area. We need a robust deterrent to criminal activity online.
When criminal attacks are launched, we work with law enforcement officials to support their investigations. And earlier this month, we took a significant step to support them by creating the Anti-Virus Reward Program to provide monetary rewards for information resulting in the arrest and conviction of hackers. For example, we have announced a reward of $250,000 each for information leading to the arrest and conviction of those responsible for the SoBig virus and the Blaster worm.
To use a medical analogy, we are strengthening the Internet’s immune system through initiatives such as the anti-virus reward program, our technical and legal anti-spam efforts, consumer education, and efforts to secure existing systems and to make security integral to new systems and applications. In the meantime, interim treatment will be necessary.
The government continues to play a key role in efforts to secure consumers’ software and data. We have recently collaborated with the Department of Homeland Security to raise awareness of cyberthreats through release of security bulletins. Such partnering between industry and the government is a vital step toward additional cybersecurity for consumers. I want to outline a few specific areas where government initiatives can be particularly helpful in promoting cybersecurity.
First, sustained public support of research and development continues to play a vital role in advancing the IT industry’s efforts to secure consumers’ software and data. A major portion of our $6.9 billion annual R & D investment goes to security, and accordingly, we support additional federal funding for basic cybersecurity research and development (R & D), including university-driven research. The public sector should increase its support for basic research in technology and should maintain its traditional support for transferring the results of federally-funded R & D under permissive licenses to the private sector so that all industry participants can further develop the technology and commercialize it to help make all software more secure.
Second, the government can lead by example by securing its own systems through the use of reasonable security practices, buying software that is engineered for security, and providing better training for government systems administrators. We also hope government will continue to promote security awareness among both home consumers and businesses – as the Federal Trade Commission did in its information campaign featuring Dewie the Turtle.
Third, government and industry should continue to examine and reduce barriers to appropriate exchanges of information, and to build mechanisms and interfaces for such exchanges. One encouraging step in this direction is the NCSD’s recent creation of the National Computer Emergency Response Team (US-CERT). This coordination center, for the first time, links public and private response capabilities to facilitate communication of critical security information throughout the Internet community.
Fourth, it will take increased government commitment to root out those who hack into computers and propagate destructive worms and viruses that harm millions of computer users. Therefore, law enforcement should receive additional resources, personnel, and equipment in order to investigate and prosecute cyber crimes. We also support tough penalties on criminal hackers, such as forfeiture of personal property used in committing these crimes.
Fifth, because cybersecurity is inherently an international problem with international solutions, greater cross-jurisdictional cooperation among law enforcement is needed for investigating cyber-attacks.
We will continue to pursue Trustworthy Computing and to work closely with our partners in the computer, software, and communications industries, the government, and our customers to enhance cybersecurity. In the end, a shared commitment to reducing cybersecurity risks and a coordinated response to cybersecurity threats of all kinds – one that is based on dialogue and cooperation between the public and private sectors – offer the greatest hope for protecting the privacy of consumer data, enhancing the confidence of consumers in the Internet, and fostering the growth of a vibrant, trustworthy online economy.