Text of Printed Hearing
The Committee on Energy and Commerce
W.J. "Billy" Tauzin, Chairman

Cybersecurity & Consumer Data: What's at Risk for the Consumer?
Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
10:00 AM
2123 Rayburn House Office Building


[108th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:90728.wais]
   CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?
=======================================================================
                                HEARING
                               before the
                            SUBCOMMITTEE ON
                COMMERCE, TRADE, AND CONSUMER PROTECTION
                                 of the
                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES
                      ONE HUNDRED EIGHTH CONGRESS
                             FIRST SESSION
                               __________
                           NOVEMBER 19, 2003
                               __________
                           Serial No. 108-52
                               __________
      Printed for the use of the Committee on Energy and Commerce
 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house
                               __________
                      U.S. GOVERNMENT PRINTING OFFICE
90-728                        WASHINGTON : 2003
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800, DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: stop SSOP, Washington, DC 20402-0001
                    COMMITTEE ON ENERGY AND COMMERCE
               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan
JOE BARTON, Texas                      Ranking Member
FRED UPTON, Michigan                 HENRY A. WAXMAN, California
CLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts
PAUL E. GILLMOR, Ohio                RALPH M. HALL, Texas
JAMES C. GREENWOOD, Pennsylvania     RICK BOUCHER, Virginia
CHRISTOPHER COX, California          EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia                 FRANK PALLONE, Jr., New Jersey
RICHARD BURR, North Carolina         SHERROD BROWN, Ohio
  Vice Chairman                      BART GORDON, Tennessee
ED WHITFIELD, Kentucky               PETER DEUTSCH, Florida
CHARLIE NORWOOD, Georgia             BOBBY L. RUSH, Illinois
BARBARA CUBIN, Wyoming               ANNA G. ESHOO, California
JOHN SHIMKUS, Illinois               BART STUPAK, Michigan
HEATHER WILSON, New Mexico           ELIOT L. ENGEL, New York
JOHN B. SHADEGG, Arizona             ALBERT R. WYNN, Maryland
CHARLES W. ``CHIP'' PICKERING,       GENE GREEN, Texas
Mississippi                          KAREN McCARTHY, Missouri
VITO FOSSELLA, New York              TED STRICKLAND, Ohio
ROY BLUNT, Missouri                  DIANA DeGETTE, Colorado
STEVE BUYER, Indiana                 LOIS CAPPS, California
GEORGE RADANOVICH, California        MICHAEL F. DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire       CHRISTOPHER JOHN, Louisiana
JOSEPH R. PITTS, Pennsylvania        TOM ALLEN, Maine
MARY BONO, California                JIM DAVIS, Florida
GREG WALDEN, Oregon                  JAN SCHAKOWSKY, Illinois
LEE TERRY, Nebraska                  HILDA L. SOLIS, California
ERNIE FLETCHER, Kentucky
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
DARRELL E. ISSA, California
C.L. ``BUTCH'' OTTER, Idaho
                   Dan R. Brouillette, Staff Director
                   James D. Barnette, General Counsel
      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
                                 ______
        Subcommittee on Commerce, Trade, and Consumer Protection
                    CLIFF STEARNS, Florida, Chairman
FRED UPTON, Michigan                 JAN SCHAKOWSKY, Illinois
BARBARA CUBIN, Wyoming                 Ranking Member
JOHN SHIMKUS, Illinois               HILDA L. SOLIS, California
JOHN B. SHADEGG, Arizona             EDWARD J. MARKEY, Massachusetts
  Vice Chairman                      EDOLPHUS TOWNS, New York
GEORGE RADANOVICH, California        SHERROD BROWN, Ohio
CHARLES F. BASS, New Hampshire       JIM DAVIS, Florida
JOSEPH R. PITTS, Pennsylvania        PETER DEUTSCH, Florida
MARY BONO, California                BART STUPAK, Michigan
LEE TERRY, Nebraska                  GENE GREEN, Texas
ERNIE FLETCHER, Kentucky             KAREN McCARTHY, Missouri
MIKE FERGUSON, New Jersey            TED STRICKLAND, Ohio
DARRELL E. ISSA, California          DIANA DeGETTE, Colorado
C.L. ``BUTCH'' OTTER, Idaho          JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana       (Ex Officio)
  (Ex Officio)
                                  (ii)
                            C O N T E N T S
                               __________
                                                                   Page
Testimony of:
    Ansanelli, Joseph G., Chairman and CEO, Vontu, Inc...........    48
    Burton, Daniel, Vice President, Governmental Affairs, 
      Entrust Technologies.......................................    52
    Charney, Scott, Chief Trustworthy Computing Strategist, 
      Microsoft Corporation......................................    30
    Davidson, Mary Ann, Chief Security Officer, Oracle 
      Corporation................................................    43
    Morrow, David B., Managing Principal, Global Security and 
      Privacy Services, EDS......................................    37
    Schmidt, Howard A., Vice President, Chief Information 
      Security Officer, eBay Inc.................................    23
    Swindle, Hon. Orson, Commissioner, Federal Trade Commission..    16
    Thompson, Roger, Vice President of Product Development, 
      PestPatrol, Inc............................................    58
                                 (iii)
   CYBERSECURITY AND CONSUMER DATA: WHAT'S AT RISK FOR THE CONSUMER?
                              ----------                              
                      WEDNESDAY, NOVEMBER 19, 2003
              House of Representatives,    
              Committee on Energy and Commerce,    
                       Subcommittee on Commerce, Trade,    
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:10 a.m., in 
room 2123, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman) presiding.
    Members present: Representatives Stearns, Shimkus, Shadegg, 
Pitts, Bono, Issa, Schakowsky, Towns, Davis, Green, and 
McCarthy.
    Staff present: Ramsen Betfarhad, policy coordinator and 
majority counsel; Jill Latham, legislative clerk; Jon Tripp, 
deputy communications director; David Cavicke, majority 
counsel; and David Nelson, minority counsel.
    Mr. Stearns. Good morning. Welcome to the Subcommittee on 
Commerce, Trade, and Consumer Protection's hearing on 
cybersecurity and consumer data. I am pleased that we are 
joined this morning by a group of distinguished witnesses. And 
all of us look forward to your testimony.
    On November 15, 2001, nearly 2 years ago to the day, the 
subcommittee held a hearing entitled, ``Cybersecurity: Private 
Sector Efforts Addressing Cyber Threats.'' The focal point of 
that hearing, as it is with this hearing, was cybersecurity as 
it related to consumer data used in the stream of commerce.
    We are fortunate that three of our witnesses, Ms. Davidson, 
Mr. Schmidt, and Mr. Morrow, all of whom testified at the 
hearing 2 years ago, have joined us today to reflect on what 
has transpired with regard to cybersecurity in the last 2 
years. Normally you don't have people back to give you a little 
post-analysis. So we are very fortunate to have that. I am 
confident their insights, along with the testimony of the other 
witnesses, will be particularly helpful to our better 
understanding the issue, its evolution, and what we believe is 
its increasing significance.
    The subcommittee's hearing 2 years ago was held in the 
shadow of the tragic events of September 11, when we as a 
Nation, it seemed, had become obsessed with security. Of 
course, that was and is understandable. Yet the problems that 
gave rise to cybersecurity concerns predated September 11: in 
just the years 2000 and 2001, as a result of only three 
cyberattacks--the ``I Love You'' and ``Code Red'' viruses and 
the February 2000 denial-of-service attacks--the media reported 
losses in excess of $10 billion.
    The number of cyberattacks, as reported by the Computer 
Emergency Response Team, CERT, at the Carnegie Mellon 
University, was expected to nearly double in 2001 from 2,000 to 
40,000.
    Now, fast forward 2 years. In 2003, the ``SQL Slammer'' 
worm disrupted computers around the globe. And during the 
attack, half of all Internet traffic was being lost. The 
SoBig.F virus clogged e-mail boxes and networks around the 
world, and became the fastest spreading virus on record, 
infecting 1 in 17 e-mails at its peak.
    Showing a bit of humor, the creator of the Blaster worm, 
which caused some 500,000 computers running Windows to crash, 
targeted the Microsoft Web site from which users could download 
the program and the patch to protect their vulnerability with 
Microsoft Windows code, the very weakness in Windows that the 
worm itself was exploiting.
    The virus and worm attacks of 2003 did bring about 
disruptions, such as the SQL Slammer worm, knocking out Bank of 
America's ATM machines for a while, but overall they did little 
reported damage. Although the ultimate objective of the SoBig.F 
virus is not known, the 2003 vintage of viruses and worms, like 
most of the ones that preceded them, did not have a malicious 
or destructive payload. If they did, their impact would have 
been very, very different. These viruses and worm attacks are 
external attacks to the networks, and, as such, according to 
some estimates, only represent 30 percent of computer attacks. 
The remaining 70 percent of the attacks are carried out from 
within the corporate firewalls.
    Those attacks or security breaches taking place within the 
corporate firewalls, many argue, are the most costly and, of 
course, the least reported. I raise the issue of virus and worm 
payload within corporate firewall breaches, because one key 
question I want answered today is ``What are the real risks and 
costs to consumers from cybersecurity breaches, and what poses 
the most risk to cybersecurity?''
    One response to breaches in cybersecurity by industry and 
government alike has been increased spending on security 
technologies. UBS Warburg estimates that such spending will 
increase from $6 billion in 2001 to over $13 billion in the 
year 2003.
    Meanwhile, other data suggests that companies spend less 
than just 3 percent of their technology budget on security. The 
technology budgets tend to be around 3 percent of revenues. So 
why are these expenditures so low? Some argue because there is 
no real understanding of quantifiable cost associated with 
cybersecurity breaches, even among senior managers. Is this 
true? This is another question for the panel to consider.
    Finally, many argue that cybersecurity is not just a 
technological problem and thus can't be solved by adding new 
and improved technologies defending against cyberattacks, but, 
rather, they argue that it is as much a governance or 
management issue as it is a technological problem. Strategic 
decisions, such as deciding the appropriate balance between 
cost and risk, are ones that only senior managers can take. And 
without a clear mandate from the top management, cybersecurity 
measures will be disregarded as just simply nuisances by rank-
and-file employees.
    Moreover, it appears that there is increased management 
participation mostly when it is mandated either directly or 
indirectly by government regulations. For example, the Gramm-
Leach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance 
Portability and Accountability Act, or enforcement actions by 
the Federal Trade Commission.
    I want to know, are these observations accurate? If so, is 
there an optimum role for the Federal Government to play when 
it comes to protecting consumers from cybersecurity threats?
    With that, I conclude my opening statement and welcome the 
ranking member for her opening statement.
    Ms. Schakowsky. Thank you, Mr. Chairman, for convening this 
important hearing today. Cybersecurity is one of those words 
that have recently entered our lexicon. Most people are 
probably confused, as I was, the first time they hear or see it 
in print. There are no doubt several interpretations of the 
word. It is one of those things like electricity or television 
signals that we all hope someone else understands enough to 
assure its availability.
    Before widespread viruses and ID theft became somewhat of a 
norm, we were able to take cybersecurity for granted. Of 
course, it should be safe to operate a home computer or a Palm 
Pilot. Unfortunately more and more Americans, a 
disproportionate share in and around Chicago, by the way, have 
come to a very personal understanding of how vulnerable our 
information technology, storage, and transmittal systems are.
    No longer is cybersecurity something over which just 
government and corporate technicians fret. Life savings now 
disappear before victims are even aware that there is a threat 
to the security of their personal and financial information. 
Highly sensitive personal information is available for sale 
without the knowledge, much less the consent, of targeted 
individuals.
    Americans expect that their government and the private 
sector institutions they rely upon for financial and other 
services will protect their privacy, and that those they rely 
on for cybersecurity will do their job. It is becoming 
increasingly apparent that consumers are not being adequately 
protected.
    Estimates of the economic impact of cybercrimes on society 
vary widely. One of our witnesses will tell us that identity 
theft alone totaled $24 billion last year, and is expected to 
escalate to $73 billion by the end of this year. If he is 
correct, this means that identity theft will cost Americans 
more, perhaps much more, than the authorized cost of the war in 
Iraq.
    Another witness tells us that 1 in 10 Americans has been 
victimized by identity theft. Each of these heists is estimated 
to cost nearly $10,000; clearly this problem is reaching 
epidemic proportions.
    Added to the economic cost is the loss of our invaluable 
privacy. We are all aware of the Orwellian dangers that may 
flow from personal information that the government can tap, 
using sophisticated technology. What many of us do not 
adequately understand is the danger of intrusive prying by 
private interests. The expropriation of commercially useful 
data from each and every one of us that accesses the Internet 
from a computer where personal information is stored is a 
continuous process. And, of course, there is no reason to 
believe that firms interested in selling us something are the 
only ones looking.
    I look forward to the testimony of the Federal Trade 
Commission regarding what the Federal Government is doing to 
control this electronic crime spree. I hope in the future we 
can also hear from the Justice Department or the agencies that 
regulate financial institutions, because it is my understanding 
that much, if not most, of identity theft is perpetrated by 
employees of banks, insurance companies, and the like.
    I would have liked to hear directly from those private 
institutions as well. Nonetheless, Mr. Chairman, I am looking 
forward to hearing from the witnesses you have assembled. I am 
sure they will be able to give us a sufficiently comprehensive 
picture of the problems with our cybersecurity systems from 
which we can fashion whatever policy changes may be necessary 
to protect the privacy, pocketbook, and safety of our 
constituents.
    And, Mr. Chairman, I look forward to working with you, as 
always, to end this epidemic. I look forward to hearing from each 
of our witnesses, and I thank them for taking time to share 
their expertise with us today.
    Mr. Stearns. I thank the gentlelady.
    The gentlelady from California, Ms. Bono.
    Mrs. Bono. Good morning, and thank you, Mr. Chairman. I 
look forward to hearing from your colleagues and the witnesses 
on the issue of cybersecurity as it relates to consumers.
    Cybersecurity and the protection of consumer data is a very 
real issue that the government, businesses, and consumers alike 
must acknowledge and respond to. Of course, there are many 
things that consumers can do to protect themselves.
    Antivirus software and patches are regularly available for 
downloading and updating. Moreover, one should always be 
cautious while downloading software. Consumers should avoid 
opening e-mails from strangers and should be hesitant to 
disclose personally identifiable information over nonsecure 
sites.
    However, the methods of hacking into computers and 
databases are just as evolving as the technologies on which they 
reside and function. Recently I introduced H.R. 2929, also 
known as the Safeguards Against Privacy Invasions Act, or the 
Spy Act. This bill aims to put consumers in the loop. 
Unfortunately, consumers regularly and unknowingly download 
software programs that have the ability to track their every 
move.
    Consumers are sometimes informed when they download such 
software. However, the notice is buried deep inside multi-
thousand-word documents that are filled with technical terms 
and legalese that would confuse even a high-tech expert.
    Many spyware programs are purposefully designed to shut off 
any antivirus or firewall software program it detects. The Spy 
Act would help prevent Internet spying by requiring spyware 
entities to inform computer users of the presence of such 
software, the nature of spyware, and its intended function.
    Moreover, before downloading such software, spyware 
companies would first have to obtain permission from the 
computer user. This is a very basic concept. The PC has become our 
new town square and global market as well as our private 
database. If a consumer downloads software that can monitor the 
information shared during transactions for the sake of the 
consumer as well as e-commerce, it is imperative that the 
consumer be informed of whom he or she is inviting into their 
computer and what he or she is capable of. After being 
informed, the consumer should have the chance to decide whether 
to continue with that download.
    Since the introduction of H.R. 2929, I have had the 
opportunity to speak with many different sectors of the 
technology industry and retail businesses that operate on the 
Internet. Through these discussions I have received meaningful 
feedback, and I am currently working on refining H.R. 2929. 
Once installed on computers, some spyware programs--like 
viruses embedded among code for other programs--affect how 
these programs function on the user's computer.
    Additionally, spyware is becoming more and more difficult 
to detect and remove. Usually such programs are bundled with 
another unrelated application that cannot be easily removed, 
even after the unrelated application has been removed.
    According to a recent study, many problems with computer 
performance can be linked in some way to spyware and its 
applications. Additionally, some computers have several hundred 
spyware advertising applications running, which inevitably slow 
down computers and can cause lockups. If you have spyware on 
your computer, you most likely are getting more pop-up 
advertisements than you would if you had no such 
software on your computer.
    Moreover, the advertisers may not always be forthcoming. 
Many times spyware entities contract with companies to post 
advertisements and, in turn, post such advertisements on the 
Web sites of competitors. The result is confusion. In other 
words, while visiting the Web site for Company A, you may be 
browsing to purchase a product. However, while browsing, a pop-
up link may appear, informing you of a great sale. Under the 
impression that you are looking at a link for Company A, you 
may purchase the product, all the while uninformed that the 
product was purchased via a pop-up link from Company B. I have 
often thought that this would be a very effective campaign 
tool, too, to put out a link and have someone go to my 
opponent's Web site and my Web site pops up.
    All of these consumer disadvantages can be decreased or 
eliminated if disclosures surrounding spyware are required and 
enforced. If consumers are informed about spyware, chances are 
they will not choose to download the software. Upon choosing 
not to download software, consumers' computers will run more 
efficiently, their antivirus programs and firewalls will 
function better, they can decide which information to share and 
not share, and consumers will not be deceived into buying a 
product or service from unknown entities or voting for our 
opponents.
    Thank you, and I look forward to hearing from the witnesses 
on the issue.
    Mr. Stearns. I thank the gentlelady.
    Mr. Green.
    Mr. Green. Thank you, Mr. Chairman. I thank you and our 
ranking member for holding this important hearing on 
cybersecurity and its impact on consumers.
    The proliferation of Internet-based services and commerce 
has dramatically changed the world we live in, and many of 
these changes have been for the better, with consumers able to 
make almost any purchase imaginable online. Unfortunately, 
these computing advances also create a fertile ground for 
fraudulent activities and thus increase the pressing need for 
computer security.
    The problems are coming from all directions. We have 
viruses, computer worms that are attempting to swarm our 
networks and are causing terrible harm to computer users and 
billions in damages to U.S. businesses. We have unsolicited e-
mails taking over our in-boxes, spam that at the very least is 
an annoyance and at worst is helping to transmit these computer 
viruses and deliver pornographic e-mails to our children.
    Mr. Chairman, if I could ask unanimous consent to put in an 
article from Business Week that was published on August 12 
about the unholy matrimony, spam versus virus.
    Mr. Stearns. By unanimous consent, so ordered.
    [The article referred to follows:]
                    [Business Week--August 12, 2003]
                    Unholy Matrimony: Spam and Virus
                             By Jane Black
    Their common goal is subterfuge, and by combining their strategies, 
they could make today's junk e-mail look like a mere nuisance
    In June, half of all e-mail was spam--those annoying unsolicited 
messages that hawk everything from porn and Viagra to mortgage-
refinancing deals and weight-loss patches. But if you think spam is out 
of control, prepare yourself. It could get a lot worse.
    Over the past few months, e-mail security companies have seen 
mounting evidence that spammers are using virus-writing techniques to 
assure that their sales pitches get through. At the same time, intrepid 
virus writers have latched onto spammers' trusty mass-mailing 
techniques in an effort to wreak widespread digital mayhem. ``What 
we're seeing is the convergence of the spammer and the malicious code 
writer,'' says David Perry, global director of education at antivirus 
company Trend Micro (TMIC).
    RELAY STATIONS. Witness the recent spread of a virus known as 
Webber, which was discovered on July 16. It carried the subject line 
``Re: Your credit application.'' Users who opened the attachment 
downloaded a malicious program that turned a home PC into a so-called 
open relay server, which allows a third party to send or receive e-
mail--including spam--remotely from that PC. Spammers are notorious for 
using open relays to hide their identities. According to British e-mail 
security company MessageLabs, 70% of spam comes through open relays.
    Then there's Sobig.E, a virus that grabs e-mail addresses from 
several different locations on a PC, including the Windows address book 
and Internet cache files. Sobig.E then tries to send a copy of itself 
to each address. It also uses one of the stolen addresses to forge the 
source of the message, so that it appears to come from someone else. 
MessageLabs believes Sobig.E is a spammers' virus designed to harvest 
legitimate e-mail addresses from users' computers.
    So far, no concrete evidence shows any home PCs that have been 
infected by either Webber or Sobig.E have been used to send spam. But 
experts fear that the two viruses could be ``spam zombies,'' programs 
that will lie in wait on a PC until called on by the spammer to send 
out millions of untraceable e-mails.
    ``I LOVE YOU'' MORE. The convergence of spam and malicious code 
makes sense, says Chris Miller, Symantec's (SYMC) group product 
manager for enterprise e-mail security. ``They have a common goal--to 
do what they're doing without being seen,'' Miller says.
    Virus writers and spammers send out their messages from 
illegitimate e-mail accounts, never from the ISPs where they are 
registered. It isn't hard to see where the union of these two insidious 
groups' techniques might lead. Using such weapons as Sobig.E and 
Webber, spammers can hijack a user's address book, then use the PC to 
send out hundreds, even thousands, of junk messages.
    And virus writers can use mass-mailing techniques to spread 
malicious code even faster than before. The destructive ``I Love You'' 
virus of 2000 was originally sent to a small number of people. Within 
days it had affected tens of millions of computers and caused damage 
worth hundreds of millions of dollars. Imagine if, like spam, it had 
originally been mailed to a half-million computers.
    Security experts cite other recent examples of spam-virus 
convergence:
 Key-logger Trojans. In May, 2003, a major food-manufacturing company 
        received a spam e-mail that, when viewed in a preview pane in 
        Microsoft Outlook, showed a message that appeared to be an 
        opportunity to sign up for a newsletter. First, though, the 
        message asked the recipient to verify their e-mail log-on ID 
        and password. That information was collected by the key-logger 
        code and then sent to the spammer, who could then log into the 
        user's e-mail at any time and search for valuable information.
 Drive-by downloads. Recent spam sent to a major airline manufacturer 
        led unsuspecting users to Web pages where spying software was 
        secretly downloaded without the user's knowledge. So-called 
        spyware monitors a user's activity on the Internet and 
        transmits that information to someone else, usually an 
        advertiser or online marketer. Spyware can also gather 
        information about e-mail addresses, passwords, and credit-card 
        numbers. Drive-by downloads can be done without either 
        notifying the user or asking permission because many users 
        accept such a download without question, thinking it's a normal 
        function of the Web site.
    CALL IT ``MALWARE.'' According to the strictest definitions, key 
loggers and drive-by downloads aren't viruses, which are programs that 
replicate themselves. (If you've seen The Matrix Reloaded, think of the 
way Agent Smith makes infinite copies of himself to try to destroy 
Keanu Reeves' Neo.) A Trojan is a program that rolls into your computer 
unannounced, then persuades the computer to launch it through fraud.
    As spam and malicious code converge, however, such definitions are 
becoming less useful. That's why experts like Trend Micro's Perry are 
now looking at a broader term--``malware''--to describe any program 
with malicious intent. ``With traditional hackers, the motivation has 
always been to prove that you're a rad dude,'' Perry said in a phone 
interview from the Las Vegas hacker convention DefCon. ``But when we 
start seeing these techniques used for commercial gain like spam, it's 
going to get a whole lot more serious.'' Cybersurfers, beware.
    Mr. Green. Thank you, Mr. Chairman. We can all agree that 
spam is a serious problem that both Congress and the private 
sector should address quickly, and I hope that Congress will 
act before the end of the session to enact the Wilson-Green 
Antispam Act of 2003, which is the strongest antispam bill in 
Congress.
    And, Mr. Chairman, again, I would like to ask unanimous 
consent to place into the record a letter by the Internet 
Committee of the National Association of Attorneys General that 
talks about the Senate bill that passed and the need for strong 
legislation.
    Mr. Stearns. By the unanimous consent, so ordered.
    [The letter follows:]
    [GRAPHIC] [TIFF OMITTED] 90728.001 through 90728.005
    Mr. Green. Thank you, again, Mr. Chairman.
    When we investigate cybersecurity, however, we must also 
consider the increasing troubles and problem of identity theft. 
According to the Federal Trade Commission, identity theft is 
the most common complaint from consumers in all 50 States. With 
simple personal information such as name, Social Security 
number, or credit card number, identity thieves can commit 
fraud or other crimes in our name.
    The implications for victims of identity theft can't be 
overexaggerated. They can easily include damaged credit 
records, unauthorized credit card charges, and bank 
withdrawals, not to mention the months or even years that it 
takes for victims to restore their good names and credit 
records.
    The magic question remains, how can we prevent these 
computer-related security problems that seem to be spiraling 
out of control? With the increased organization, efficiency, 
and productivity that computer systems offer, it is safe to say 
that our dependence on computers will continue to rise; 
therefore, we must ensure that we take the appropriate 
precautions to ensure that any information stored in or 
transmitted through computers, be it personal, medical, or 
financial, is secure.
    We also need to examine the extent to which the Federal 
Government and other law enforcement mechanisms can help solve 
this problem. By some estimates, less than 30 percent of 
computer attacks come from outside of a company or computer 
system. That being said, I think we have to work with the 
private sector to take a hard look at the practices companies 
are putting in place to combat attacks within their own 
firewall.
    I am also interested to hear our witnesses' experience with 
cybersecurity and learn their opinions on how best we can go 
about solving these problems. And, again, I would like to thank 
our panel today, and look forward to their testimony.
    Thank you, Mr. Chairman and Ranking Member Schakowsky.
    Mr. Stearns. Thank you.
    Mr. Pitts.
    Mr. Pitts. Thank you, Mr. Chairman. And thank you for 
convening this important hearing on cybersecurity.
    Rapid advances in technology are greatly impacting the 
lives of every American. Computer software, information 
systems, and cybernetworks are revolutionizing the way that we 
communicate, and the way we conduct business and provide 
services. And while there is a lot of good in the advances, 
there is also great potential for harm.
    Technology is a cat-and-mouse game. Each advancement of 
technology leads to an exploitation that we must vigilantly 
guard against, and the hearing this morning takes a look at the 
myriad threats to cybersecurity. One area that I am greatly 
concerned about is the development of peer-to-peer software.
    Peer-to-peer software allows individuals to download and 
trade files, many of which are illegal, with one another. It 
has also become the latest vehicle that pedophiles use to 
exploit and abuse innocent children by distributing child 
pornography. And peer-to-peer software can cause any personal 
information stored in a computer, such as financial or medical 
records, to be inadvertently shared with anyone else with the 
same software.
    And that is why my colleague Chris John and I introduced 
H.R. 2885, ``The Protecting Children from Peer to Peer 
Pornography Act.''
    Mr. Chairman, I appreciate your interest in this issue. It 
is my hope that we can have a hearing in the near future 
dedicated to taking a closer look at this dangerous new 
software that threatens our children or a person's privacy and 
our cybersecurity in general.
    Thank you, Mr. Chairman.
    Mr. Stearns. Thank you.
    The gentleman from New York, Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman.
    The Internet will never reach its fullest potential unless 
consumers feel comfortable and confident while surfing the Web 
and partaking in e-commerce. How can we ask citizens to put 
personal information, such as credit cards, PIN numbers, onto 
the computer if they are worried about issues such as identity 
theft, spam, or other privacy protections?
    It seems that every time we turn around there is a new 
virus harming commerce on the Internet, and the most pressing 
of these data and privacy abuses is what has come to be known 
as spyware. Spyware is a particularly dangerous threat to the 
future of e-commerce and Internet consumer confidence.
    Many times consumers do not even know what this software--
which can track all movements on a computer, copy keystrokes, 
and open security holes in networks--is open on their system, 
much less have the knowledge it takes to get them removed.
    It should also be noted that many of the peer-to-peer 
programs such as Kazaa and Morpheus are funded largely by 
allowing these spyware companies to piggyback on their network, 
allowing for corporate entities to gain information about our 
children and their on-line habits.
    I am proud to be the lead Democratic sponsor of H.R. 2929, 
the Safeguard Against Privacy Invasion Act, with my friend from 
California, Mrs. Bono. This bill will ban these programs from 
being downloaded from the Internet to unknowing consumers. It 
is a commonsense approach to privacy protection, and I would 
like to thank the many members on both sides of the aisle from 
this committee who have chosen to cosponsor the bill with us, 
and look forward to working closely with the leadership to 
ensure its passage through the committee.
    On that note, Mr. Chairman, I yield back the balance of my 
time.
    Mr. Stearns. I thank the gentleman.
    Mr. Shimkus.
    Mr. Shimkus. Thank you, Mr. Chairman, and I will be brief.
    I always want to take the opportunity to, especially in 
consumer protection that deals with the Internet and 
cybersecurity, to continue to mention .kids.us as a place safe 
for kids, that was passed into law, signed by the President, 
and now we have groups that are using it: Smithsonian.kids.us, 
it is safe, no hyperlinks, no chatrooms for kids under the age 
of 13.
    And so I use the bully pulpit here to continue to help 
build interest and movement for people to take use of .kids.us.
    Other than that, Mr. Chairman, I know we have got a great 
panel of people testifying. I want to get to that. Thank you 
for the time. And I yield back.
    Mr. Stearns. I thank the gentleman.
    The gentlelady from Missouri.
    Ms. McCarthy. Mr. Chairman, I want to thank you for pulling 
together such a distinguished panel of experts for our work 
today. I am going to put my remarks in the record so that we 
can get on learning about the wisdom that is here to be shared.
    Mr. Stearns. I thank the gentlelady.
    And the vice chairman of the committee, Mr. Shadegg.
    Mr. Shadegg. Thank you, too, Mr. Chairman. I too want to 
thank you for holding this important hearing today and for 
putting together a tremendous panel for us to learn from.
    And I do want to mention that both as a member of this 
subcommittee, and as a member of the Select Homeland Security 
Committee, I worry deeply about these issues. I have devoted a 
great deal of time to them, having written in 1998 the Identity 
Theft and Assumption Deterrence Act, which made identity theft 
a Federal crime for the first time.
    We have already heard here this morning the degree to which 
millions of Americans are victimized by that crime, and that we 
are losing billions of dollars to it.
    The Fair Credit Reporting Act, which is now in conference, 
includes some important provisions to deal with that issue. But 
there is much more we can do. And I appreciate, Mr. Chairman, 
your holding this hearing, and I look forward to the testimony 
of the witnesses.
    Mr. Stearns. I thank my colleague.
    [Additional statement submitted for the record follows:]
 Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee 
                         on Energy and Commerce
    Mr. Chairman, Thank you for calling this important hearing today.
    Cyber security is a very serious concern in today's digital world, 
and as our global economy and all of our lives rely more and more on 
computers, it will become essential that we ensure that our nation's 
computers--corporate, government, and personal computers--are safe from 
the hackers and other malefactors in the digital environment. We've 
learned in the last few years how much damage viruses and worms, such 
as ``Sobig.F'' and ``Blaster,'' can do to our computer infrastructure. 
In fact, the New York Times estimated that the cost of the ``I Love 
you'' virus alone--which seriously affected this House and this 
Committee--may have reached as much as $15 Billion.
    Computers affect almost every aspect of our daily lives. From our 
computers at home and our personal e-mail accounts, to the daily work 
of the public and private sectors, the role of computers in our society 
is so ubiquitous as to go almost unnoticed at times. The security of 
these systems however cannot go unnoticed. Not only can the e-mail 
system of the House of Representatives be hindered or disabled, but one 
shudders to think of the damage that could be done to countless 
consumers if someone was able to infiltrate one of the many enormous 
databases in this country and steal the personal information--from 
credit card numbers to music preferences--of millions of Americans.
    This kind of theft and misuse of personal data is not yet a 
widespread problem, but unless we all facilitate and encourage open 
discussion about how we best combat the bad actors, we will only see 
these problems grow. Most computer scientists don't say ``if'' when 
discussing this possibility, they say ``when.'' They believe that a 
truly debilitating virus will inevitably make its way around the 
Internet sometime in the relatively near future. Companies must take a 
preventive approach when looking at solutions to security problems. 
They must realize that, as the old adage says, ``An ounce of prevention 
is worth a pound of cure.'' We must combat technology with technology. 
Investment must be made in the security of vital and sensitive systems, 
in order to ensure the confidence of the American people in the retail, 
banking, and health care computer systems they depend upon.
    But simply investing in technology to combat viruses is not enough. 
In the end, the private sector and the American people must work in 
concert to best protect the computers and networks we all use. The 
private sector needs to reevaluate its vulnerabilities as well as its 
current security priorities. The public needs to be better educated 
about anti-virus software and personal firewalls for their home 
computers, as well as the insidious ``SpyWare'' technology that can 
monitor individuals' computers and their actions on the Internet. I 
know the gentlelady from California, Ms. Bono, has introduced a bill--
H.R. 2929, ``The Safeguard Against Privacy Invasions Act''--that 
attempts to deal with this concern, and I look forward to working with 
her on the bill to try to prevent these intrusions.
    In the end, Mr. Chairman, it seems that the genie is out of the 
proverbial bottle, and this problem is not going to go away on its own. 
It is up to all of us to work together to safeguard our computer 
infrastructure to prevent the next serious virus from becoming a 
nationwide, indeed even a worldwide problem.
    Thank you, and I yield back the balance of my time.
    Mr. Stearns. And with that, we will start with the panel 
and welcome the Honorable Orson Swindle, the Commissioner of 
the Federal Trade Commission; Mr. Howard Schmidt, Vice 
President, Chief Information Security Officer of eBay; Mr. 
Scott Charney, Chief Trustworthy Computing Strategist from 
Microsoft Corporation; Mr. David Morrow, Managing Principal, 
Global Security and Privacy Services; Ms. Mary Ann Davidson, 
Chief Security Officer, Oracle Corporation; Mr. Joseph G. 
Ansanelli, Chairman and CEO of Vontu, Incorporated; Mr. Daniel 
Burton, Vice President of Government Affairs, Entrust 
Technologies; and Mr. Roger Thompson, Vice President of Product 
Development, PestPatrol, Incorporated.
    And we will let Commissioner Swindle start. We will go from 
my right to my left. I welcome you.
 STATEMENTS OF HON. ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE 
     COMMISSION; HOWARD A. SCHMIDT, VICE PRESIDENT, CHIEF 
 INFORMATION SECURITY OFFICER, eBAY INC.; SCOTT CHARNEY, CHIEF 
TRUSTWORTHY COMPUTING STRATEGIST, MICROSOFT CORPORATION; DAVID 
  B. MORROW, MANAGING PRINCIPAL, GLOBAL SECURITY AND PRIVACY 
   SERVICES, EDS; MARY ANN DAVIDSON, CHIEF SECURITY OFFICER, 
  ORACLE CORPORATION; JOSEPH G. ANSANELLI, CHAIRMAN AND CEO, 
   VONTU, INC.; DANIEL BURTON, VICE PRESIDENT, GOVERNMENTAL 
    AFFAIRS, ENTRUST TECHNOLOGIES; AND ROGER THOMPSON, VICE 
       PRESIDENT OF PRODUCT DEVELOPMENT, PESTPATROL, INC.
    Mr. Swindle. Thank you, Mr. Chairman. Mr. Chairman, members 
of the subcommittee, I appreciate the opportunity to present 
the Commission's views on Cybersecurity and Consumer Data: What 
is at risk for the consumer?
    At the outset, I believe that it is important that we not 
lose sight of the forest for the trees. Cybersecurity is a vast 
issue that faces many threats, and the challenges that the 
Commission faces in protecting consumers in cyberspace are 
numerous. The Commission takes action to protect consumers from 
fraud, whether they are individuals or companies who engage in 
identity theft, use a pretext to obtain personal information, 
employ deceptive spam to trick consumers into providing 
personal and financial information (phishing), misrepresent the 
sender of spam to misdirect the ``remove me'' request to an 
innocent third party (spoofing), or exploit computer system 
vulnerabilities in order to extort money from consumers (D-
Square Solutions).
    Consumers are also placed at risk by their own conduct, 
such as through peer-to-peer file-sharing or failing to use 
firewalls and antivirus software. While there are many 
challenges to cybersecurity, I will focus my remarks on 
companies who obtain and control consumer information.
    The Commission addresses information security concerns 
through aggressive law enforcement actions, consumer and 
business education, and international cooperation. Through 
these efforts we strive to enhance the security of information 
systems and networks and bring attention to the fact that all 
users of information technology, that is, government, industry, 
and the general public, must play a role in this effort.
    If companies fail to keep their express and implied 
promises to protect sensitive information obtained from 
consumers, then those promises are deceptive. The Commission 
has brought enforcement actions against such companies for 
violating Section 5 of the Federal Trade Commission Act, which 
prohibits unfair and deceptive practices.
    Three of these Commission cases illustrate some important 
principles. The case against Eli Lilly demonstrates that a 
company's security procedures must be appropriate for the kind 
of information it collects and maintains. Despite promises to 
maintain security of sensitive information, Eli Lilly 
inadvertently disclosed the names of consumers who used a 
prescription drug.
    Our case against Microsoft illustrates that there can be 
law violations without a known or actual breach of security. 
Microsoft promised consumers that it would maintain a high 
level of security for its Passport and Passport Wallet system 
of accounts. Even though there was no actual security breach, 
after reviewing Microsoft's systems, the Commission alleged 
that Microsoft failed to take reasonably appropriate measures 
to maintain the security of consumers' personal information.
    The case against Guess, Inc. illustrates that good security 
depends upon an ongoing process of risk assessment, identifying 
vulnerabilities, and taking reasonable steps to minimize or 
eliminate those risks. We alleged that Guess stored consumers' 
information, including credit card numbers, in clear 
unencrypted text, despite claims to the contrary.
    Unencrypted information is vulnerable to attackers, 
something that is well known in the industry and can be 
corrected.
    The Commission's settlements in these three cases require 
the companies to implement comprehensive information security 
programs. In addition, Microsoft and Guess must obtain an 
independent security audit every 2 years.
    The Commission has engaged in a broad and continuing 
awareness and outreach campaign to educate businesses, 
consumers, and political leaders about the importance of 
cybersecurity. We work closely with industry, government 
agencies, and consumer groups to expand awareness. This is the 
single most essential element in creating a culture of security 
that is increasingly necessary for the protection of our 
critical infrastructure.
    We have a first-class Web site focusing on safe computing 
practices. Our site provides a wealth of information on 
cybersecurity and how each of us can and must contribute to the 
effort. Our Web site registered more than 400,000 visits in the 
first year of deployment, making it one of the most popular FTC 
Web pages. And, a Google search recently indicates that 445 
other Web sites link to our security site.
    Every House and Senate office has a copy of our safe 
computing disk. And I might add, I will hold this up, and I 
think there is a package on your desk with a lot of our 
information security material in the package.
    This CD disk was designed to assist each Member of Congress 
and staff in educating constituents on safe computing 
practices. Several Members of Congress have constructed 
excellent information security pages on their Web sites using 
information from the FTC. Each Member is an outstanding leader 
within his or her community and district. As the FTC's 
authorizing body and as the leaders in consumer protection, 
this committee in particular can partner with us effectively in 
our consumer awareness efforts on information security.
    Our staff and I personally are standing by to help you and 
join with you in leading.
    In addition to law enforcement and our awareness campaign, 
the Commission has taken an active leadership role in 
international efforts promoting cybersecurity. In 2002, the FTC 
led the U.S. Delegation, working with the OECD, to revise its 
security guidelines. The revised guidelines serve as an 
excellent, common sense starting point for government, 
business, and organizations to implement information security. 
They address accountability, awareness, and action by all 
participants and form the basis for international cooperation 
toward establishing a culture of security. The guidelines have 
been embraced by the United Nations, APEC, nongovernment 
organizations, and many international businesses and 
associations.
    In conclusion, attaining adequate information security will 
be a continuing journey; a long project, where complacency is 
not an option. I look forward to responding to your questions. 
Thank you.
    [The prepared statement of Hon. Orson Swindle follows:]
 Prepared Statement of Hon. Orson Swindle, Commissioner, Federal Trade 
                               Commission
                            i. introduction
    Mr. Chairman, and members of the subcommittee, I am Commissioner 
Orson Swindle.[1] I appreciate the opportunity to appear 
before you today to discuss the Federal Trade Commission's role in 
protecting information security and its importance to both consumers 
and businesses.
    Today, maintaining the security of our computer-driven information 
systems is essential to every aspect of our lives. A secure information 
infrastructure is required for the operation of everything from our 
traffic lights to our credit and financial systems, including our 
nuclear and electrical power supplies, and our emergency medical 
service. We are all, therefore, directly or indirectly linked together 
by this infrastructure. Consumers rely on and use computers at work and 
at home; increasingly, more consumers are making purchases over the 
Internet and paying bills and banking online.
    These interconnected information systems provide enormous benefits 
to consumers, businesses, and government alike. At the same time, 
however, these systems can create serious vulnerabilities that threaten 
the security of the information stored and maintained in these systems 
as well as the continued viability of the systems themselves. Every 
day, security breaches cause real and tangible harms to businesses, 
other institutions, and consumers.[2] These breaches and the 
harm they do shake consumer confidence in the companies and systems to 
which they have entrusted their personal information.
                ii. the federal trade commission's role
    The Federal Trade Commission has a broad mandate to protect 
consumers and the Commission's approach to information security is 
similar to the approaches taken in our other consumer protection 
efforts. As such, the Commission has sought to address concerns about 
the security of our nation's computer systems through a combined 
approach that stresses the education of businesses, consumers, and 
government agencies about the fundamental importance of good security 
practices; law enforcement actions; and international cooperation. Our 
program encompasses efforts to ensure the security of computer 
networks, an understanding that we all have a role to play, as well as 
efforts to ensure that companies keep the promises they make to 
consumers about information security and privacy. In the information 
security matters, our enforcement tools derive from Section 5 of the 
FTC Act,[3] which prohibits unfair or deceptive acts or 
practices, and the Commission's Gramm-Leach-Bliley Safeguards Rule 
(``Safeguards Rule'' or ``Rule'').[4] Our educational efforts 
include business education to promote compliance with the law, consumer 
and business education to help promote a ``Culture of Security,'' 
international collaboration, public workshops to highlight emerging 
issues, and outreach to political leaders.
A. Section 5
    The basic consumer protection statute enforced by the Commission is 
Section 5 of the FTC Act, which provides that ``unfair or deceptive 
acts or practices in or affecting commerce are declared unlawful.'' 
[5] The statute defines ``unfair'' practices as those that 
``cause[] or [are] likely to cause substantial injury to consumers 
which is not reasonably avoidable by consumers themselves and not 
outweighed by countervailing benefits to consumers or to competition.'' 
[6] To date, the Commission's security cases have been based 
on deception,[7] which the Commission and the courts have 
defined as a material representation or omission that is likely to 
mislead consumers acting reasonably under the circumstances.[8]
    The companies that have been subject to enforcement actions have 
made explicit or implicit promises that they would take appropriate 
steps to protect sensitive information obtained from consumers. Their 
security measures, however, proved to be inadequate; their promises, 
therefore, deceptive.
    Through the information security enforcement actions, the 
Commission has come to recognize several principles that govern any 
information security program.
1. Security procedures should be appropriate under the circumstances
    First, a company's security procedures must be appropriate for the 
kind of information it collects and maintains. Different levels of 
sensitivity may dictate different types of security measures. It is 
highly problematic when a company inadvertently releases sensitive 
personal information due to inadequate security procedures.
    The Commission's first information security case, Eli 
Lilly,[9] involved an alleged inadvertent disclosure of 
sensitive information despite the company's promises to maintain the 
security of that information. Specifically, Lilly put consumers' e-mail 
addresses in the ``To'' line of the e-mail that was sent to Prozac 
users who subscribed to a service on Lilly's website, essentially 
disclosing the identities of all of the Prozac user-subscribers.
    Given the sensitivity of the information involved, this disclosure 
was a serious breach. Nevertheless, the Commission recognized that 
there is no such thing as ``perfect'' security and that breaches can 
occur even when a company has taken all reasonable precautions. 
Therefore, the Commission construed statements in Lilly's privacy 
policy as a promise to take steps ``appropriate under the 
circumstances'' to protect personal information. Similarly, the 
complaint alleged that the breach resulted from Lilly's ``failure to 
maintain or implement internal measures appropriate under the 
circumstances to protect sensitive consumer information.'' 
[10] The focus was on the reasonableness of the company's 
efforts.
    According to the complaint in the Lilly matter, the company failed, 
among other things, to provide appropriate training and oversight for 
the employee who sent the e-mail and to implement appropriate checks on 
the process of using sensitive customer data. The order contains strong 
relief that should provide significant protections for consumers, as 
well as ``instructions'' to companies. First, it prohibits the 
misrepresentations about the use of, and protection for, personal 
information. Second, it requires Lilly to implement a comprehensive 
information security program similar to the program required under the 
FTC's Gramm-Leach-Bliley Safeguards Rule, which is discussed below. 
Finally, to provide additional assurances that the information security 
program complies with the consent order, every year the company must 
have its program reviewed by a qualified person to ensure compliance.
2. Not All Security Breaches Are Violations of FTC Law
    The second principle that arises from the Commission's enforcement 
in the information security area is that not all breaches of 
information security are violations of FTC law--the Commission is not 
simply saying ``gotcha'' for security breaches. Although a breach may 
indicate a problem with a company's security, breaches can happen, as 
noted above, even when a company has taken every reasonable precaution. 
In such instances, the breach will not violate the laws that the FTC 
enforces. Instead, the Commission recognizes that security is an 
ongoing process of using reasonable and appropriate measures in light 
of the circumstances.
    When breaches occur, our staff reviews available information to 
determine whether the incident warrants further examination. If it 
does, the staff gathers information to enable us to assess the 
reasonableness of the company's procedures in light of the 
circumstances surrounding the breach. This allows the Commission to 
determine whether the breach resulted from the failure to have 
procedures in place that are reasonable in light of the sensitivity of 
the information. In many instances, we have concluded that FTC action 
is not warranted. When we find a failure to implement reasonable 
procedures, however, we act.
3. Law Violations Without a Known Breach of Security
    The Commission's case against Microsoft[11] illustrates a 
third principle--that there can be law violations without a known 
breach of security. Because appropriate information security practices 
are necessary to protect consumers' privacy, companies cannot simply 
wait for a breach to occur before they take action. Particularly when 
explicit promises are made, companies have a legal obligation to take 
reasonable steps to guard against reasonably anticipated 
vulnerabilities.
    Like Eli Lilly, Microsoft promised consumers that it would keep 
their information secure. Unlike Lilly, there was no specific security 
breach that triggered action by the Commission. The Commission's 
complaint alleged that there were significant security problems that, 
left uncorrected, could jeopardize the privacy of millions of 
consumers. In particular, the complaint alleged that Microsoft did not 
employ ``sufficient measures reasonable and appropriate under the 
circumstances to maintain and protect the privacy and confidentiality 
of personal information obtained through Passport and Passport 
Wallet.''[12] The complaint further alleged that Microsoft 
failed to have systems in place to prevent unauthorized access; detect 
unauthorized access; monitor for potential vulnerabilities; and record 
and retain systems information sufficient to perform security audits 
and investigations. Again, sensitive information was at issue--
financial information including credit card numbers.
    Like the Commission's order against Eli Lilly, the Microsoft order 
prohibits any misrepresentations about the use of, and protection for, 
personal information and requires Microsoft to implement a 
comprehensive information security program. In addition, Microsoft must 
have an independent professional certify, every two years, that the 
company's information security program meets or exceeds the standards 
in the order and is operating effectively.
4. Good Security is an Ongoing Process of Assessing Risks and Vulnerabilities
    The Commission's third case, against Guess, Inc.,[13] 
highlighted a fourth principle--that good security is an ongoing 
process of assessing and addressing risks and vulnerabilities. The 
risks companies and consumers confront change over time. Hackers and 
thieves will adapt to whatever measures are in place, and new 
technologies likely will have new vulnerabilities waiting to be 
discovered. As a result, companies need to assess the risks they face 
on an ongoing basis and make adjustments to reduce these risks.
    The Guess case highlighted this crucial aspect of information 
security in the context of web-based applications and the databases 
associated with them. Databases frequently house sensitive data such as 
credit card numbers, and Web-based applications are often the ``front 
door'' to these databases. It is critical that online companies take 
reasonable steps to secure these aspects of their systems, especially 
when they have made promises about the security they provide for 
consumer information.
    In Guess, the Commission alleged that the company broke such a 
promise concerning sensitive information collected through its website, 
www.guess.com. According to the Commission's complaint, by conducting a 
``web-based application'' attack on the Guess website, an attacker 
gained access to a database containing 191,000 credit card numbers. 
This particular type of attack was well known in the industry and 
appeared on a variety of lists of known vulnerabilities. The complaint 
alleged that, despite specific claims that it provided security for the 
information collected from consumers through its website, Guess did 
not: employ commonly known, relatively low-cost methods to block web-
application attacks; adopt policies and procedures to identify these 
and other vulnerabilities; or test its website and databases for known 
application vulnerabilities, which would have disclosed that the 
website and associated databases were at risk of attack. Essentially, 
the Commission alleged that the company had no system in place to test 
for known application vulnerabilities or to detect or to block attacks 
once they occurred.
    In addition, the complaint alleged that Guess misrepresented that 
the personal information it obtained from consumers through 
www.guess.com was stored in an unreadable, encrypted format at all 
times; but, in fact, after launching the attack, the attacker could 
read the personal information, including credit card numbers, stored on 
www.guess.com in clear, unencrypted text.
    As in its prior security cases, the Commission's emphasis in Guess 
was on reasonableness. When the information is sensitive, the 
vulnerabilities well known, and the fixes inexpensive and relatively 
easy to implement, it is unreasonable simply to ignore the problem. As 
in the prior orders, the Commission's order against Guess prohibits the 
misrepresentations, requires Guess to implement a comprehensive 
information security program, and, like Microsoft, requires an 
independent audit every two years.
B. GLB Safeguards Rule
    In addition to our enforcement authority under Section 5 of the FTC 
Act, the Commission also has responsibility for enforcing its Gramm-
Leach-Bliley Safeguards Rule, which requires financial institutions 
under the FTC's jurisdiction to develop and implement appropriate 
physical, technical, and procedural safeguards to protect customer 
information.[14] The Rule became effective on May 23 of this 
year, and the Commission expects that it will quickly become an 
important enforcement and guidance tool to ensure greater security for 
consumers' sensitive financial information. The Safeguards Rule 
requires a wide variety of financial institutions to implement 
comprehensive protections for customer information--many of them for 
the first time. If fully implemented by companies, as required, the 
Rule could go a long way to reduce risks to this information, including 
identity theft.
    The Safeguards Rule requires financial institutions to develop a 
written information security plan that describes their program to 
protect customer information. Due to the wide variety of entities 
covered, the Rule requires a plan that accounts for each entity's 
particular circumstances--its size and complexity, the nature and scope 
of its activities, and the sensitivity of the customer information it 
handles.
    As part of its plan, each financial institution must: (1) designate 
one or more employees to coordinate the safeguards; (2) identify and 
assess the risks to customer information in each relevant area of the 
company's operation, and evaluate the effectiveness of the current 
safeguards for controlling these risks; (3) design and implement a 
safeguards program, and regularly monitor and test it; (4) hire 
appropriate service providers and contract with them to implement 
safeguards; and (5) evaluate and adjust the program in light of 
relevant circumstances, including changes in the firm's business 
arrangements or operations, or the results of testing and monitoring of 
safeguards. The Safeguards Rule requires businesses to consider all 
areas of their operation, but identifies three areas that are 
particularly important to information security: employee management and 
training; information systems; and management of system failures.
    Prior to the Rule's effective date, the Commission issued guidance 
to businesses covered by the Safeguards Rule to help them understand 
the Rule's requirements.[15] Commission staff also met, and 
continues to meet, with a variety of trade associations and companies 
to alert them to the Rule's requirements and to gain a better 
understanding of how the Rule is affecting particular industry 
segments. Now that the Rule is effective, the Commission is 
investigating compliance by covered entities.
C. Education and workshops
    In addition to our law enforcement efforts and conducting outreach 
under the Commission's Safeguards Rule, the Commission has engaged in 
a broad educational campaign to educate businesses and consumers about 
the importance of information security and the precautions they can 
take to protect or minimize risks to personal information. These 
efforts have included creation of an information security ``mascot,'' 
Dewie the e-Turtle, who hosts a portion of the FTC website devoted to 
educating businesses and consumers about security,[16] 
publication of business guidance regarding common vulnerabilities in 
computer systems,[17] speeches by Commissioners and staff 
about the importance of this issue, and outreach to the international 
community. Many offices in the Commission, including the Commission's 
Bureau of Consumer Protection, the Office of Public Affairs, and the 
Office of Congressional Relations, have participated in this effort to 
educate consumers and businesses.
    The Commission's outreach effort is centered on the Commission's 
information security website.[18] The website registered more 
than 400,000 visits in its first year of deployment, making it one of 
the most popular FTC web pages. The site is now available in CD-ROM and 
PDF format and frequently updated with new information for consumers on 
cybersecurity issues. In addition, the Commission's Office of Consumer 
and Business Education has produced a video news release, which has 
been seen by an estimated 1.5 million consumers; distributed 160,000 
postcards featuring Dewie and his information security message to 
approximately 400 college campuses nationwide; and coordinated the 2003 
National Consumer Protection Week with a consortium of public- and 
private-sector organizations around the theme of information security.
    Finally, the Commission's Office of Congressional Relations has 
conducted outreach through constituent service representatives in each 
of the 535 House and Senate member offices by mailing ``Safe 
Computing'' CDs. We would like to thank Chairman Stearns for his 
leadership on the issue of cybersecurity, and for encouraging his 
colleagues, in his July 18, 2003 ``Dear Colleague'' letter announcing 
the delivery of the FTC's safe Internet practices outreach kit, to 
educate their constituents on safe computing practices.
    In addition, the Commission uses opportunities that arise in non-
security cases to educate the public about security issues. For 
example, in early November, the Commission announced that a district 
court issued a temporary restraining order in an action against D 
Squared Solutions and its principals.[19] The complaint 
alleged that the defendants operated a scam that barraged consumers' 
computers with repeated Windows Messenger Service pop-up ads--most of 
which advertised software that consumers could purchase for about $25 
to block future pop-ups. Part of what made the defendants' conduct so 
egregious is that consumers continued to be bombarded by pop-ups even 
when they were off the Internet and working in other applications 
such as word-processing or spreadsheet programs, and that the defendants 
allegedly either sold or licensed their pop-up-sending software to 
other people, allowing them to engage in the conduct. The defendants' 
website allegedly offered software that would allow buyers to send pop-
ups to 135,000 Internet addresses per hour, along with a database of 
more than two billion unique addresses. Contrary to the defendants' 
representations, consumers, when educated about how the Windows 
operating system works, can actually stop pop-up spam at no cost by 
changing the Windows default system.
    In addition to bringing a law enforcement action to halt the 
defendants' conduct, the Commission issued an alert to consumers about 
the security issues raised in the case. The ``Consumer Alert'' provides 
instructions for consumers on how to disable the Windows Messenger 
Service in order to avoid other pop-up spam. The alert[20] 
also discusses the use of firewalls to block hackers from accessing 
consumers' computers.
    Finally, the Commission continues, and will continue, to host 
workshops on information security issues when appropriate. Last summer, 
the Commission hosted two workshops focusing on the role technology 
plays in protecting personal information.[21] The first 
workshop focused on the technologies available to consumers to protect 
themselves. Panelists generally agreed that, to succeed in the 
marketplace, these technologies must be easy to use and built into the 
basic hardware and software consumers purchase.
    The second workshop focused on the technologies available to 
businesses. We learned that businesses, like consumers, need technology 
that is easy to use and compatible with their other systems. 
Unfortunately, we also heard that too many technologies are sold before 
undergoing adequate testing and quality control, frustrating progress 
in this area.
    The Commission also held a workshop on unsolicited commercial e-
mail (``spam'') which was instructive about the security risks that 
spam poses. We learned that, in addition to other problems, spam can 
also serve as a vehicle for malicious and damaging code.
D. International Efforts
    In addition to our cases and domestic efforts, the Commission has 
taken an active international role in promoting cybersecurity. We 
recognize that American society and societies around the world need to 
think about security in a new way. The Internet and associated 
technology have literally made us a global community. We are joining 
with our neighbors in the global community in this enormous effort to 
educate and establish a culture of security.
    During the summer of 2002, the Organization for Economic 
Cooperation and Development (``OECD'') issued a set of principles for 
establishing a culture of security--principles that can assist us all 
in minimizing our vulnerabilities. Commissioner Swindle has had the 
opportunity to work with this organization and to head the U.S. 
Delegation to the Experts Group on the post-September 11 review of 
existing OECD Security Guidelines and to the Working Party on 
Information Security and Privacy.
    The OECD principles are contained in a document entitled 
``Guidelines for the Security of Information Systems and Networks: 
Towards a Culture of Security.''[22] The nine principles are 
an excellent, common-sense starting point for formulating a workable 
approach to security. They address awareness, accountability, and 
action. They also reflect the principles that guide the FTC in its 
analysis of security-related cases, including that security 
architecture and procedures should be appropriate for the kind of 
information collected and maintained and that good security is an 
ongoing process of assessing and addressing risks and vulnerabilities. 
These principles can be incorporated at all levels of use among 
consumers, government policy makers, and industry. They already have 
been the model for more sector-specific guidance by industry groups and 
associations.
    Besides the OECD, the Commission also is involved in information 
privacy and cybersecurity work undertaken by the Asia-Pacific Economic 
Cooperation (``APEC'') forum. APEC's Council of Ministers endorsed the 
OECD Security Guidelines in 2002. Promoting information system and 
network security is one of its chief priorities. The APEC Electronic 
Commerce Steering Group (``ECSG'') promotes awareness and 
responsibility for cybersecurity among small and medium-sized 
businesses that interact with consumers. Commission staff participated 
in APEC workshop and business education efforts this past year and is 
actively engaged in this work for the foreseeable future.
    Along with the OECD and APEC, in December 2002, the United Nations 
General Assembly unanimously adopted a resolution calling for the 
creation of a global culture of cybersecurity. Other UN groups, 
international organizations, and bilateral groups with whom the 
Commission has dialogues, including the TransAtlantic Business and 
Consumer Dialogues, the Global Business Dialogue on Electronic 
Commerce, and bilateral governmental partners in Asia and in the EU, 
also are working on cybersecurity initiatives.
    Notwithstanding these global efforts, developing a ``Culture of 
Security'' is a daunting challenge. The FTC and other government 
agencies have a role to play, but the government cannot do this alone, 
nor should it try. The Commission is working with consumer groups, 
business, trade associations, and educators to instill this new way of 
thinking. We are encouraging our global partners to do the same and to 
share what is learned.
                            iii. conclusion
    The Commission, through law enforcement and consumer and business 
education, is committed to reducing the harm that occurs through 
information security breaches. Maintaining good security practices is a 
critical step in preventing these breaches and the resulting harms, 
which can range from major nuisance to major destruction. The critical 
lesson in this information-based economy is that we are all in this 
together: government, private industry, and consumers, and we must all 
take appropriate steps to create a culture of security.
                                ENDNOTES
    [1] The views expressed in this statement represent the 
views of the Commission. My oral presentation and responses to 
questions are my own and do not necessarily represent the views of the 
Commission or any other Commissioner.
    [2] For example, our recently released Identity Theft 
Report, available at http://www.ftc.gov/os/2003/09/synovatereport.pdf, 
showed that over 27 million individuals have been victims of identity 
theft, which may have occurred either offline or online, in the last 
five years, including almost 10 million individuals in the last year 
alone. The survey also showed that the average loss to businesses was 
$4800 per victim. Although various laws limit consumers' liability for 
identity theft, their average loss was still $500--and much higher in 
certain circumstances.
    [3] 15 U.S.C. § 45.
    [4] 16 C.F.R. Part 314, available online at 
http://www.ftc.gov/os/2002/05/67fr36585.pdf.
    [5] 15 U.S.C. § 45(a)(1).
    [6] 15 U.S.C. § 45(n).
    [7] Where appropriate, the Commission has also brought 
Internet cases using the unfairness doctrine. See FTC v. C.J., Civ. No. 
03-CV-5275-GHK (RZX) (Filed C.D. Cal. July 24, 2003), 
http://www.ftc.gov/os/2003/07/phishingcomp.pdf.
    [8] Letter from FTC to Hon. John D. Dingell, Chairman, 
Subcommittee on Oversight and Investigations (Oct. 14, 1983), reprinted 
in appendix to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984) 
(setting forth the Commission's Deception Policy Statement).
    [9] The Commission's final decision and order against Eli 
Lilly is available at www.ftc.gov/os/2002/05/elilillydo.htm. The 
complaint is available at www.ftc.gov/os/2002/05/elilillycmp.htm.
    [10] Eli Lilly Complaint, paragraph 7.
    [11] The Commission's final decision and order against 
Microsoft is available at 
http://www.ftc.gov/os/2002/12/microsoftdecision.pdf. The complaint is 
available at http://www.ftc.gov/os/2002/12/microsoftcomplaint.pdf.
    [12] Microsoft Complaint, paragraph 7.
    [13] The Commission's final decision and order against 
Guess, Inc. is available at http://www.ftc.gov/os/2003/06/guessagree.htm. 
The complaint is available at http://www.ftc.gov/os/2003/06/guesscmp.htm.
    [14] 16 C.F.R. Part 314, available online at 
http://www.ftc.gov/os/2002/05/67fr36585.pdf.
    [15] Financial Institutions and Customer Data: Complying 
with the Safeguards Rule, available at 
http://www.ftc.gove/bcp/conline/pubs/buspubs/safeguards.htm.
    [16] See http://www.ftc.gov/bcp/conline/edcams/infosecurity/index.html.
    [17] See http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm.
    [18] See http://www.ftc.gov/infosecurity.
    [19] The Commission's press release announcing the case 
can be found at http://www.ftc.gov/opa/2003/11/dsquared.htm.
    [20] The alert can be found at 
http://www.ftc.gov/bcp/conline/pubs/alerts/popalrt.html.
    [21] Additional information about the workshops is 
available at http://www.ftc.gov/bcp/workshops/technology/indes.html.
    [22] http://www.oecd.org/dataoecd/16/22/15582260.pdf
    Mr. Stearns. I thank the Commissioner.
    Mr. Schmidt, welcome.
                 STATEMENT OF HOWARD A. SCHMIDT
    Mr. Schmidt. Thank you, Mr. Chairman.
    Chairman Stearns, distinguished members of the committee, 
my name is Howard Schmidt. I am the Vice President and Chief of 
Information Security for eBay, where I lead a team responsible 
for ensuring the trustworthiness and security of the services 
that bring so many global citizens together each day in this 
tremendous global marketplace.
    I would like to thank you again for the opportunity to come 
before the committee for the second time and your continued 
leadership in this very important issue. Prior to arriving at 
eBay a few months ago, I had the privilege of being appointed 
by President Bush to lead, with Richard Clarke, the President's 
Critical Infrastructure Protection Board, which represented one 
part of the overall government response to the threat of 
cybersecurity attacks in the wake of September 11; and after 31 
years retired, and we successfully published the National 
Strategy Defense for Cyberspace, working with a team of 
dedicated public servants, this body, and the American public.
    In addition to my day job, I continue to proudly serve in 
the U.S. Army Reserves, assigned to the 701st MP Group as a 
Special Agent with the computer crimes section, and also serve 
on the board of directors for ISC Squared, the body that 
oversees certification for security professionals through the 
CISSP certification.
    My remarks today will focus primarily on the changes that 
have taken place with both business and government to create 
the level of information-sharing and collaboration necessary to 
improve cybersecurity and to further improve security for 
consumers, as well as how the sharing and collaboration has 
indeed improved the level of information and protection of 
consumer data.
    I would like to provide my update in specific examples of 
improvement in four major areas. Those areas are awareness and 
education, product enhancement, government activities and 
private sector initiatives. While these examples will not be 
comprehensive, they will indeed be some representative efforts 
we have undergone.
    I would also state, even though my comments are very 
optimistic as where we have come from, I think we will also 
have a long way to go. I think under the block of awareness and 
education, one of the biggest visible changes that has taken 
place is the increase in dialog and training to better inform 
the end user and consumer on how to secure their computer 
systems and their information.
    One of the first consumer-targeted awareness programs was 
truly a joint public/private partnership between many of the 
companies, the FTC, NSA, as well as some other government 
agencies, and it took place in the formation of the 
Cybersecurity Alliance, and the creation of our Web site, 
staysafeonline.info, which we drove out of the efforts of the 
White House. This Web site has a wealth of information to help 
even the most inexperienced users understand cybersecurity, 
potential threats from on-line criminals, and steps they can 
take to protect themselves.
    In addition, we at the White House held a series of town 
hall meetings over the past 18 months to meet with private 
sector partners, individuals, parent-teacher organizations, 
with speakers ranging from CEOs of major financial 
institutions, to my distinguished colleague to my left, 
Commissioner Orson Swindle. Many of these town meetings were 
also Webcast to get the broadest audience to be able to see 
them and participate over the Internet.
    Private sector companies have also held free seminars 
around the country, providing awareness to citizens. Many of 
these sessions focused on informing the elderly, one of the 
segments of our society who has received great benefits in the 
on-line world and the resources that it can provide. Also, as 
we enter the holiday season, there will be mass media campaigns 
to educate consumers further on how to safely and securely 
enjoy the richness and robustness of the on-line e-commerce 
world.
    Under product enhancements, another major improvement we 
have seen over the past 2 years has been the way security is 
now offered as a standard within software and hardware. One 
very visible example is with the hardware provided to use 
wireless technology and broadband, we now see firewalls being 
built directly into these components as well as antivirus 
software being built into wireless modem operations.
    Major operating systems have now auto update features as 
antivirus functions. Many antivirus vendors have done an 
amazing job in speeding up the detection and analysis of many 
of the threats that you have mentioned in your opening comments 
of the viruses and trojans that are found in the wire. Many of 
them even provide free on-line services for consumers to be 
able to download and inspect their systems as a public service, 
and I noticed in the paper this morning, one of them is now 
offering free antivirus software for the next year.
    Under the heading of government activities, there have been 
a number of great activities beyond the creation of the 
National Strategy to Defend Cyberspace. Recently the Department 
of Homeland Security created the U.S. Computer Emergency 
Response Team at Carnegie Mellon as a focal point for building 
partnerships based on cybersecurity response networks and 
providing a notification network of threats and vulnerabilities 
as they are discovered.
    The Department of Justice, the U.S. Secret Service, and the 
FBI have significantly improved the response times and 
increased priorities around the investigation of cybercrimes. 
As a matter of fact, Director Mueller has placed cybercrime as 
one of the top five priorities within the FBI, and the Secret 
Service is growing a cadre of expert agents working with 
private sector called the Electronic Crime Task Force. 
Additionally, the Department of Defense continues to work in 
that area as well.
    On the government effort, since these things have no 
borders, the State Department has done a wonderful job in 
creating multilateral and bilateral discussions with 
international partners, many of which the industry colleagues, 
some of us sitting here today, have been a part of since the 
very beginning.
    Two quick examples in the private sector initiatives:
    We know that there will be no silver bullets in enhancing 
cybersecurity, but recently we created a coalition to address 
specifically the area of on-line identity theft. We have fully 
recognized that the vast majority of identity theft occurs in 
the off-line world through dumpster diving and other 
mechanisms, but we have seen, as many of you have, an increase 
in criminals attempting to do the same thing on line.
    The two recent methods are what we call phishing, with a p-
h, or spoofed e-mails, where criminals send out thousands of e-
mails telling people to update their information. We are 
working to address this in four areas: building new 
technologies to prevent this; second, to provide awareness and 
training to consumers so they are better informed to not fall 
victim to these scams; third, to share information amongst very 
competitive companies on protection of these things; and 
fourth, to work with the law enforcement community to prevent 
these people through deterrence of investigation.
    In closing, I want to cite three specific areas I think 
that we can look at because, despite the great security 
enhancements we have seen and will continue to see, there are 
clear challenges you must address.
    We must review our commitment to enhance consumer awareness 
of basic cybersecurity practices, and the recent attacks have 
once again demonstrated how home users are now becoming the 
target.
    Second, while we build an effective response network, we 
must not lose sight of the innovation frontier. Technologists 
on the horizon hold the potential to dramatically and 
potentially decisively transform our cybersecurity challenges. 
Self-healing computers, embedded technologies, can enable 
devices that recognize and defend against these attacks. We 
must not inhibit their ability to move forward in collaboration 
with our best universities.
    And, finally, we must recognize that cybersecurity is no 
longer merely about product services and strategies. What is at 
stake in the effective implementation of advanced cybersecurity 
technology is nothing less than the ability to unleash the next 
wave of IT-led growth in jobs and productivity. Cybersecurity 
is an essential enabler.
    In closing, I want to say that the next step of this will 
be on December 2 and 3. Homeland Security has invited a lot of 
the public service or private sector organizations to create a 
summit, creating a task force to move forward in a lot of those 
areas that we mentioned and we care very deeply about.
    This concludes my prepared remarks and I thank you for the 
opportunity to be here.
    [The prepared statement of Howard A. Schmidt follows:]
   Prepared Statement of Howard A. Schmidt, Vice President and Chief 
             Information Security Officer, eBay Corporation
                              introduction
    Chairman Stearns, distinguished members of the Committee, my name 
is Howard A. Schmidt. I am the Vice President and Chief Information 
Security Officer for eBay, where I lead a team responsible for ensuring 
the trustworthiness and security of the services that bring so many 
global citizens together in this tremendous global marketplace each 
day. I would like to thank you for the opportunity to come before this 
Committee again as well as your continued leadership on this very 
important issue. Prior to my current position at eBay and subsequent to 
my last appearance, I had the privilege of being appointed by President 
Bush to lead, with Richard Clarke, the President's Critical 
Infrastructure Protection Board, which represented one part of the 
overall governmental response to the threat of cyber security attacks 
in the wake of September 11. I retired from 31 years of public service 
after completing and publishing the ``National Strategy to Defend 
Cyberspace,'' working with a team of dedicated public servants, this 
body, and the American public.
    I have had the privilege of working with committed individuals in 
the private sector, law enforcement, and government to forge the 
collaboration and cooperation that is so essential to safeguard cyber 
space for everyone, from inexperienced home users to large well-run 
corporate enterprises. I assisted in the formation of some of the first 
collaborative efforts in the law enforcement community to address cyber 
crime in local law enforcement and the FBI. I also helped lead the 
creation of the Information Technology Information Sharing and Analysis 
Center (IT-ISAC) and had the honor of serving as its first president.
    I continue to proudly serve in the U.S. Army reserves, assigned to 
the 701st MP Group (CID) as a Special Agent with the computer crime 
unit at CID headquarters. I also serve on the Board of Directors for 
ISC2, the body that oversees certification of security professionals 
through the CISSP certification. My remarks today will focus primarily 
on the changes that have taken place within both business and 
government to create the level of information sharing and collaboration 
necessary to improve Cybersecurity and further improve security for 
consumers, as well as how this sharing and collaboration has improved 
the level of information and protection of consumer computer data.
    Today, the Internet connects over 170 million computers and an 
estimated 680 million users, with an estimated growth to 904 million by 
the end of 2004. From major data operations conducting large-scale 
financial transactions, to wireless devices keeping families connected, 
the Internet touches virtually all aspects of our economy and quality 
of life. eBay is a prime example of how deeply ingrained the Internet 
is in American life. Every day on eBay, millions of Americans, along 
with millions of people in countries around the world, come together to 
buy and sell all types of goods and services. Business relationships 
and, often, deep friendships are formed on the basis of commerce and 
shared interests. The eBay marketplace reflects the enormous power of 
the Internet to unite humanity at a crucial moment in history.
    More pointedly, the Internet has become a fundamental component of 
business processes--enhancing productivity by speeding connectivity 
between remote locations or across functional operations. The Internet 
is deeply ingrained in managing power, producing chemicals, designing 
and manufacturing cars, managing money and delivering government 
services ranging from human services to environmental permitting. The 
flip side of these productivity-enhancing applications is an increase 
in attacks against the online community.
    Today the Internet is utilized by hundreds of millions of users all 
across the globe sending information ranging from homework assignments 
and simple greetings to the most sensitive financial and operational 
data of government and industry, all at the speed of light. The 
Internet landscape also includes a private sector security industry 
that has grown to an estimated $17 billion per year in goods and 
services. And, as we are all painfully aware, attack speeds today are 
measured in seconds, not days.
    I would like to provide my update in the format of specific examples 
of improvement in four major areas. Those areas are: Awareness and 
education; product enhancements; government activities; and private 
sector initiatives. While we have made significant progress, I also 
want to stress that we still have much work to do and will continue to 
improve overall Cybersecurity by continued improvement in some of the 
examples I will mention today.
Awareness & Education:
    One of the biggest visible changes that has taken place is 
increased dialogue and training to better inform the end user on how to 
secure their computers and information. One of the first consumer-
targeted awareness programs was truly a joint private-public 
partnership. This partnership took place in the form of the Cyber 
Security Alliance. The alliance combined the expertise of a number of 
private sector entities with the efforts of government partners to 
create a comprehensive website for consumers. The website, 
www.staysafeonline.info, has a wealth of information to help even the 
most inexperienced users understand cyber security, potential threats 
from online criminals, and steps they can take to protect themselves.
    In addition, the White House held a series of town hall meetings 
around the country with private sector partners. These town hall 
meetings were open to the public and well-attended, with speakers 
ranging from CEOs of major financial institutions and exchanges, to 
subject-matter experts in cyber security. Many of these town hall 
meetings were webcast so those that could not attend in person could 
participate over the Internet.
    Private sector companies have also held free seminars around the 
country to provide awareness to citizens. Many of the sessions focused 
on informing the elderly, one of the segments of our society that has 
received great benefit from the online world and the resources that it 
provides. As we enter the holiday shopping season, there will be mass 
media campaigns to educate consumers on how to safely and securely 
enjoy the richness and robustness of the online e-commerce world.
    In the category of formal education, the National Security Agency 
(NSA) has a program identifying universities that meet the criteria to 
be designated a center of academic excellence in information security. 
This NSA program not only ensures the education of the next generation 
of information security professionals, but also guarantees that the 
university has sound cyber security practices in place as well as 
awareness education for the students, who make up a large number of the 
online users and consumers. The NSA also administers the Cyber Corp 
program with NSF and OPM, providing scholarships for students in cyber 
security.
Product Enhancements:
    Another major improvement that we have seen in the past two years 
is the way security enhancements are now offered standard in software 
and hardware. One very visible example is the hardware provided to use 
wireless technology. Broadband technology (Cable modem, DSL, satellites 
etc.) has given us capabilities and speeds that were only available to 
corporations before. We now see firewalls and the ability to download 
anti-virus software being built into wireless modems.
    The major operating systems now have auto-update features included, 
and are now being turned on by default in more future versions. 
Products are now being shipped with many services turned off by 
default, thus making them more secure. Many of the online email 
services block potentially malicious code and do a much better job of 
blocking the Spam that often contains malicious functions.
    Anti-virus vendors have done an amazing job in speeding up the 
detection, analysis and updates for many of the viruses that are found 
in the wild. Many of them even provide free online virus scans as a 
public service to assist consumers.
Government Activities:
    There have been a number of government actions that have taken 
place since I last appeared before this committee--most notably the 
creation of the President's Critical Infrastructure Protection Board 
and the release of the National Strategy to Defend Cyberspace. This 
critical document set the framework for much of the private public 
partnerships, focusing a section on home users and small/medium 
enterprises.
    I would also argue that the consolidation of cyber security related 
organizations into the Department of Homeland Security in the 
Infrastructure Protection Director was a valuable reorganization. The 
bringing together of the NIPC (FBI), Fed-CIRC (GSA), CIAO (Commerce), 
Energy Information Assurance Division (DoE) and the National 
Communications System (DoD) created a center of excellence that, with 
the help of focused leadership, will move to implement the national 
strategy. This new organization is called the National Cyber Security 
Division.
    Recent action taken by the Department of Homeland Security (DHS) to 
create the US CERT at Carnegie Mellon University has the potential to 
significantly enhance security for all users. The US CERT is designed 
to serve as a focal point for building a partnership-based cyber 
security response network and providing a notification network as 
threats and vulnerabilities are discovered.
    The goal for US CERT is to ensure that there is an average response 
time of no less than 30 minutes in the case of any attack. The very 
specific nature of this goal is designed to deliberately focus the US 
CERT on building broad participation by the private sector.
    The US CERT will undertake the following major initiatives:
    - Develop common incident and vulnerability reporting protocols to 
        accelerate information sharing across the public and private 
        response communities;
    - Develop initiatives to enhance and promote the development of 
        response and warning technologies; and
    - Forge partnerships to improve incident prevention methods and 
        technologies.
    The Dept. of Justice, the U.S. Secret Service and the FBI have 
significantly decreased their response times and increased priorities 
around investigations of cyber crimes. Director Mueller has placed 
cyber crime in the top 5 priorities at the FBI, and the Secret Service 
has added a number of electronic crime task forces in order to 
successfully investigate and prosecute cyber criminals. All of the 
Defense Department's investigative organizations have led the way 
investigating cyber crimes and have some of the best investigators in 
the world. The Department of Justice, through its Computer Crime and 
Intellectual Property Section, has chaired the G-8 Subcommittee on 
cyber crime and has been a significant driving force in combating 
worldwide cyber crime.
    Since there are no borders when it comes to cyber space, and 
criminal attacks on consumers can come from all corners of the world, 
the State Department has conducted bilateral and multilateral 
discussions to ensure that there is international cooperation in the 
effort to protect cyber security.
    I have had the extreme pleasure of working with Commissioner 
Swindle of the Federal Trade Commission, who has been a beacon of light 
for the protection of consumers' privacy and security. With his help in 
the creation of the FTC's ``Dewey'' program and his tireless support 
for town hall meetings, he truly has created a ``culture of security'' 
globally.
Private Sector Initiatives:
    While there will be no silver bullets in enhancing cyber security, 
the private sector continues to grow its capabilities and make solid 
improvement in securing their part of cyberspace. Two of the earliest 
examples of private-public cooperation for ``Cyber Crime/Cyber 
Security'' were the High Tech Crime Investigators Association 
(HTCIA) and the Information Systems Security Association (ISSA). Both 
organizations date back to the mid/late 80's and are dedicated to 
sharing information on cyber crime and information security. They still 
exist today and their membership and value have increased significantly 
over the years.
    Most recently, the private sector has created a coalition that I 
see as an excellent example of efforts to enhance consumer cyber 
security. As you are probably aware, identity theft is a major problem. 
While the vast majority of ID theft occurs in the physical world, we 
have seen an increase in the activities of criminals to commit the same 
types of crime online. The most recent method is by using what we call 
``phishing'' or ``spoofed'' emails. The criminals will send out 
thousands of emails telling people that there is an error with their 
online account and ask them to fill in an ``update form'' or their 
account will be closed. This form has the look and feel of major e-
commerce sites--there was even a fake email from someone pretending to 
be the FBI and asking unsuspecting users to enter personal information 
into a fake web site.
    To combat this, many of the major players in the e-commerce space 
banded together to create an Anti-Online ID Theft Coalition. The 
Coalition boasts many private sector members, with the Information 
Technology Association of America providing support as the executive 
director. The Coalition has four major goals: 1) to build technology to 
reduce the likelihood of these mails even reaching their intended 
victim; 2) to provide awareness training to consumers so they can more 
readily identify these criminal acts; 3) to share information on new 
scams amongst the various security teams; and 4) to ensure 
accountability by working with law enforcement to identify and 
prosecute these bad actors.
    In a larger perspective, Sector Coordinators representing each of 
the major sectors of our economy have been appointed to fight potential 
cyber attack. A sector coordinator is an individual in the private 
sector identified by the sector lead agency to coordinate their sector, 
acting as an honest broker to organize and bring the sector together to 
work cooperatively on sector cyber security protection issues. The 
sector coordinator can be an individual or an institution from a 
private entity.
    These private sector leaders provide the central conduit to the 
federal government for the information needed to develop an accurate 
understanding of what is going on throughout the nation's 
infrastructures on a strategic level with regards to critical 
infrastructure protection activities. The sector coordinators and the 
various sector members were key to the creation of the National 
Strategy to Defend Cyber Space.
    In addition, there have been a number of new private sector 
Information Sharing and Analysis Centers (ISACs). An ISAC is an 
operational mechanism to enable members to share information about 
vulnerabilities, threats, and incidents (cyber and physical). The 
sector coordinator develops these Centers with support from the sector 
liaison. In some cases, an ISAC Manager may be designated, who is 
responsible for the day-to-day operations of the ISAC, to work with the 
sector coordinator or the sector coordinating body with support from 
DHS and the lead federal agencies.
    Despite these security enhancements, we can be certain that as 
increased collaboration continues to enhance our protection and 
responsiveness, the nature and sophistication of attacks will certainly 
evolve. There are clear challenges we must continue to address.
    First, we must renew our commitment to enhance consumer awareness 
of basic cyber security practices. The recent attacks demonstrate that 
home users can be used as an effective pathway to launch attacks, or as 
a gateway into large enterprises. We need to build on the 
public/private initiatives to promote cyber security with a focused and 
aggressive outreach effort to benefit all consumers.
    Second, while we build an effective response network we must not 
lose sight of the innovation frontier. Technologies on the horizon hold 
the potential to dramatically and potentially decisively transform our 
cyber security challenges. Self-healing computers, embedded 
technologies that enable devices to recognize and defend against 
attacks, and devices which enhance both security and privacy are within 
reach with an aggressive technology development agenda. This effort 
must be industry-led in collaboration with our best Universities. Most 
importantly, it must be synergistically linked with our response 
initiatives.
    Finally, we must recognize that cyber security is no longer merely 
about products, services and strategies to protect key operations. What 
is at stake in the effective implementation of advanced cyber security 
technologies and strategies is nothing less than the ability to unleash 
the next wave of information technology-led growth in jobs and 
productivity. Cyber security is an essential enabler to the advent of 
the next generation Internet and all it holds for how we work, live, 
and learn.
    I don't want to close without mentioning my expectation that many 
of these challenges will be addressed, and indeed met head-on, with 
tangible commitments and deliverables through the upcoming National 
Cyber Security Summit, to be held on December 2-3, 2003. This Summit 
will be co-hosted by the Information Technology Association of America, 
the U.S. Chamber of Commerce, TechNet and the Business Software 
Alliance, with the support of the Department of Homeland Security. I 
have the honor to serve at that summit, as will many of the brightest 
minds and most innovative companies across all sectors of the economy.
    The work of this summit will continue past December 2-3 through 
task force work programs that will drive toward solutions in intense 
work before, during, and beyond the Summit. We expect that many of 
these proposals will be forwarded to DHS early next year, after which 
we can measure progress on an ongoing basis. We expect this to be an 
all-hands-on-deck effort where we bring together, distill, and 
integrate many of the outstanding work products from many groups 
regarding cyber security metrics, software development and maintenance, 
public outreach initiatives, and, of course, public-private 
partnerships in information sharing and early warning systems.
    Chairman Stearns, this concludes my prepared remarks. I thank you 
for the opportunity to come before this Committee and welcome any 
questions that you and the Committee members may have.
    Mr. Stearns. Thank you.
    Mr. Charney.
                   STATEMENT OF SCOTT CHARNEY
    Mr. Charney. Thank you. Chairman Stearns, Ranking Member 
Schakowsky, and members of the subcommittee, my name is Scott 
Charney, and I am Microsoft's Chief Trustworthy Computing 
Strategist.
    I want to thank you for the opportunity to appear here 
today to provide our views on cybersecurity and what we are 
doing to secure consumer data. At Microsoft, security is our 
No. 1 priority. We are committed to continually improving the 
security of our software.
    As Howard Schmidt just said, there are no silver bullets in 
cybersecurity; there will always be vulnerabilities in complex 
software and systems. As was true when we testified before you 
in 2001, cybersecurity involves many layers and many 
collaborative partnerships. In other words, cybersecurity 
involves management of technologies, as much as the technology 
itself.
    Meanwhile, much has changed since we last testified before 
you. Consumer dependence on the Internet has grown. And as of 
March 2003, 30 million homes in America had a broadband 
connection to the Internet, double the number who had high-
speed connections at the end of 2001.
    Another key change over the past 2 years is that the time 
between the issuance of a patch and the time when we see a 
concrete exploit taking advantage of the underlying 
vulnerability has dramatically shortened. Therefore, once a 
patch is released, a race ensues between those installing the 
patch to eliminate the vulnerability and those developing code 
that exploits the vulnerability.
    Moreover, the sophistication and severity of cyberattacks 
are also increasing. In response to these threats, industry has 
increased tremendously the resources and priority it devotes to 
cybersecurity issues, and the government has also taken 
significant steps during this time period to address these 
heightened risks for on-line consumers, including creating the 
National Cybersecurity Division at the Department of Homeland 
Security and signing the Council of Europe's Cybercrime Treaty. 
We commend these actions as important steps and hope the Senate 
ratifies the treaty when it is received.
    Security is Microsoft's top priority, and we know that 
security is a journey rather than a destination. 2 years ago 
before this committee, my friend and co-panelist Howard 
Schmidt properly stated: We know there is no finish line for 
these efforts, but by working as we have with industry peers 
and with governments, we have a chance to keep one step ahead 
of cyber criminals.
    Shortly thereafter, Bill Gates had launched our trustworthy 
computing initiative, which involves every aspect of Microsoft 
and focuses on four key pillars: security, privacy, 
reliability, and business integrity. As part of this, we have 
enhanced the training of our developers to put security at the 
heart of software design and at the foundation of the 
development process.
    Through this effort we are seeing a quantifiable decrease 
in vulnerabilities. For example, if you compare Windows Server 
2000 and Windows Server 2003, for the last 6 months Windows 
Server 2003 has required fewer patches.
    Another part of trustworthy computing involves 
communicating with our customers. In the wake of Blaster, we 
launched the Protect Your PC campaign, urging commerce to take 
three steps to improve their security, all available through 
Microsoft.com/protect.
    Two years ago, we also spoke about the need of increased 
deterrence of criminal hacking. Although the Cybersecurity 
Enforcement Act passed last year, there is still much more that 
needs to be done. Despite the best and laudable efforts of 
dedicated law enforcement personnel, far too many hackers 
unleash their malicious code, commit crimes with no punishment. 
This is an untenable situation.
    Earlier this month, we took a significant step to support 
law enforcement by creating the Antivirus Reward Program to 
provide monetary rewards for information resulting in the 
arrest and conviction of hackers. The government continues to 
play a key role in efforts to secure consumers' software and 
data.
    I want to outline a few specific areas where government 
initiatives can be particularly helpful in promoting 
cybersecurity.
    First, the public sector should increase its support for 
basic research and security technology.
    Second, the government can lead by example by securing its 
own systems, buying software that is engineered for security, 
providing better training for government systems administrators 
and leading public awareness campaigns, such as the FTC's 
campaign featuring Dewey the Turtle.
    Third, government and industry should reduce barriers to 
exchanges of information.
    Fourth, law enforcement should receive additional 
resources. We also support the forfeiture of personal property 
used in committing these crimes.
    Fifth, greater cross-jurisdictional cooperation among law 
enforcement is needed for investigating cyberattacks.
    In conclusion, we will continue to pursue trustworthy 
computing and to work closely with our partners in the computer 
software and communications industries, the government and our 
commerce to enhance cybersecurity.
    Thank you, and I look forward to your questions.
    [The prepared statement of Scott Charney follows:]
   Prepared Statement of Scott Charney, Chief Trustworthy Computing 
                   Strategist, Microsoft Corporation
    Chairman Stearns, Ranking Member Schakowsky, and Members of the 
Subcommittee: My name is Scott Charney, and I am Microsoft's Chief 
Trustworthy Computing Strategist. I want to thank you for the 
opportunity to appear today to provide our views on cybersecurity and 
on what we are doing to secure consumer data. I oversee the development 
of strategies to create more secure software and services and to 
enhance consumer security and privacy through our long-term Trustworthy 
Computing initiative. My goal is to reduce the number of successful 
computer attacks and increase the confidence of all computer users. 
This is something I have worked toward throughout much of my career, 
including during my service as chief of the Computer Crime and 
Intellectual Property Section (CCIPS) in the Criminal Division of the 
U.S. Department of Justice. While at CCIPS, I helped prosecute nearly 
every major hacker case in the United States from 1991 to 1999.
    At Microsoft, security is our number one priority, and as an 
industry leader, we are committed to continually improving the 
capability of our software to protect the privacy of consumers and the 
security of their data. We are at the forefront of industry efforts to 
enhance the security of computer programs and networks and to educate 
consumers about good cybersecurity practices. We also work closely with 
our partners in industry and governments around the world to identify 
security threats to computer networks, share best practices, improve 
our coordinated responses to security breaches, and prevent computer 
attacks from happening in the first place.
    This hearing is exceptionally timely because of the rapid 
developments in cybersecurity over the past two years. We 
wholeheartedly agree with this Subcommittee that it is critical for all 
of us to address consumer concerns about the privacy and security of 
their online data in order to stimulate the further growth of e-
commerce and to help realize the Internet's full potential.
    Today, I want to describe the risks posed to consumers' 
cybersecurity, and the ways in which industry and government are 
working together to protect consumers' online data. First, I will 
discuss the general state of cybersecurity since November 2001, when we 
last appeared before this Subcommittee; I will touch both on what has 
stayed the same, and on what has changed. Second, I will discuss 
Microsoft's ongoing efforts to help secure consumers' computer data. 
Third, I will offer a few suggested steps that the government can take 
to enhance the security of consumer data.
                   I. Cybersecurity Since November 2001
    The pursuit of cybersecurity involves a daily and never-ending 
contest between industry, governments, and computer users, on the one 
hand, and cyber criminals, on the other. Hackers remain elusive, 
aggressive, and innovative. When we last testified before this 
Subcommittee on this topic, the ``ILOVEYOU,'' Code Red, Ramen, Li0n, 
and Trinoo worms and viruses had already struck a variety of operating 
systems. Since that time, criminal hackers have unleashed Slapper, 
Scalper, Slammer, Blaster, SoBig, and many other viruses and worms to 
infect computers, deny service, and impair recovery.
    There are no silver bullets in cybersecurity, and there will always 
be vulnerabilities in complex software and systems, as well as human 
errors made. As was true in 2001, cybersecurity involves many layers 
and many collaborative partnerships, including software design, 
software configuration, software patching, the sharing of threat and 
vulnerability information, user education, user practices, and the 
investigation and prosecution of cybercrime both within the United 
States and internationally. In other words, cybersecurity involves 
management of technology as much as the technology itself.
    Meanwhile, much has changed since we last testified before you. 
Consumer dependence on the Internet has grown, and consumers are more 
frequently sharing their personal information, including their 
identities, contact information, financial data, and health 
information, over the Internet. Moreover, as the personal computer 
becomes more central to the daily lives of many citizens and to the 
daily functions of the public and private sectors, the government, 
consumers, and business enterprises are storing more personal 
information on their Internet-connected computers and networks, thus 
potentially exposing their data to hackers even if that personal 
information is never transmitted over the Internet. In addition, 
consumers with broadband are, unlike those with a dial-up connection, 
connected to the Internet with unvarying IP addresses and at a high 
connection speed, and therefore place consumer data at greater risk. As 
of March 2003, 30 million homes in America had a broadband connection 
to the Internet, double the number who had a high-speed connection at 
home at the end of 2001 and a 50% increase from March 2002.
    Another key change over the past two years is that the time between 
the issuance of a patch and the time when we see a concrete exploit 
taking advantage of the underlying vulnerability has dramatically 
shortened. This time period is crucial because we have had very few 
attacks that actually precede the patch; more typically, once a patch 
is released, a race ensues between those installing the patch to 
eliminate the vulnerability and those developing code that exploits the 
vulnerability. When an exploit is developed faster, enterprises and 
individuals have that much less time to learn of, test, and install the 
patch before a hacker uses the exploit to inflict damage. That window 
for the NIMDA virus was 331 days between patch release and exploit; for 
Blaster, less than two years later, it was only 26 days.
    The chronology leading up to the criminal launch of the Blaster 
worm illustrates the complex interplay between software companies, 
security researchers, persons who publish exploit code, and hackers. On 
July 16, we delivered a patch for the vulnerability and a security 
bulletin to our customers. This was followed by ongoing outreach to 
consumers, analysts, the press, our industry partners, and the 
government. On July 25, nine days after we released the patch, a 
security research group called XFOCUS published a tool to exploit the 
vulnerability that the security bulletin and patch had highlighted. In 
essence, XFOCUS analyzed our patch by reverse engineering it to 
identify the vulnerability, then developed a means to attack the 
vulnerability, and finally offered that attack to the world so that any 
unsophisticated hacker could then unleash an attack by downloading 
XFOCUS's work and using launch tools freely available on the Internet.
    At this point, we heightened our efforts to inform our customers 
about the steps they should take to secure their computers. On August 
11, only 26 days after release of the patch, the Blaster worm was 
discovered as it spread through the Internet. This sequence of events 
underscores a dilemma: the same information that helps customers to 
secure their systems also enables self-identified security researchers 
and others to develop and publish exploit code, which hackers then use 
to launch damaging criminal attacks.
    The sophistication and severity of cyberattacks are also 
increasing. The Slammer worm in January 2003 did not attack the data of 
infected systems, but resulted in a dramatic increase in network 
traffic worldwide and in temporary loss of Internet access for some 
users. This past summer, criminal hackers released the Blaster worm, 
which spread by exploiting a security vulnerability for which we had 
released a patch. Machines infected by Blaster used the network 
connection to locate new, vulnerable machines, whereupon the worm would 
copy itself, infect the new machine, and continue the process. Blaster 
affected Windows NT4, Windows XP, Windows 2000, and Windows Server 2003 
systems, but could not reach those machines that were patched and 
defended by a properly configured firewall. The worm also tried to deny 
service to those users seeking to download the patch for Blaster.
    In addition, cybercriminals have been able to make viruses more 
prevalent and harder for consumers to detect by ``spoofing'' legitimate 
email addresses, which makes it more difficult to determine who the 
real sender is. In 2002, there were twice as many email viruses as 
there were in 2001. In January 2003, the SoBig virus spoofed email 
addresses and contained infectious .pif attachments, which if opened 
would infect the user's computer and search the infected user's hard 
drive for email addresses of possible further victims. Multiple 
variants of the SoBig virus surfaced during the year. It is important 
to note that SoBig did not exploit any software vulnerability; it was a 
social engineering attack based on users' willingness to trust email