PF | Comments Off |
Terrorism,
Security,
Opinion,
Technology,
ICT
Tuesday, May 20, 2008 at 16:32 From: MASHABLE
According to the YouTube blog today, Senator Joe Lieberman sent a letter explaining his misgivings with the platform for free speech that YouTube has given the public. His primary concerns weren’t the usual suspects when you think of the things that American politicians find objectionable (rap music, graphic portrayals of violence, Grand Theft Auto and Janet Jackson’s nipple).
Instead he brought up a topic on which YouTube is actually fairly guilty as charged: allowing itself to be a willing participant in the dissemination of Islamic terrorist organizations' propaganda videos:
YouTube is being used to share videos produced by al-Qaeda and other Islamist terrorist groups. The purpose of this letter is to request that Google implement its own policy against this offensive material, remove these videos from YouTube, and prevent them from reappearing [...] Central to this media campaign is the branding of content with an icon or logo to guarantee authenticity that the content was produced by al-Qaeda or allied organizations like al-Qaeda in Iraq, Ansar al-Islam (a.k.a. Ansar al-Sunnah) or al-Qaeda in the Land of the Islamic Maghreb. All of these groups have been designated Foreign Terrorist Organizations (FTO) by the Department of State.
YouTube tries to go with the standard excuses:
First, some background: hundreds of thousands of videos are uploaded to YouTube every day. Because it is not possible to pre-screen this much content, we have developed an innovative and reliable community policing system that involves our users in helping us enforce YouTube’s standards. Millions of users report potential violations of our Community Guidelines by selecting the “Flag” link while watching videos.
In Lieberman’s letter, we learn that he and his staff identified numerous videos that should, in theory, be in violation of YouTube’s Community Guidelines (promoting hate speech and violence against others, or even depicting ‘gratuitous violence’). YouTube did not in fact act on the videos; it claims that they were not in violation of its terms of service and did not contain any violent or hate-speech content.
The fact remains that the videos are there to promote the organization, and those organizations regularly organize the killings of innocent humans, in Iraq and elsewhere.
Meanwhile, YouTube is capricious and arbitrary about which content it deems hate speech, objectionable, or promoting violence and takes down, and which it leaves up. Let’s go down the list, shall we?
Michelle Malkin: Censored for promoting hate speech, when she created a music montage showing victims of Muslim terrorist attacks in response to the Muhammed riots.
BumFights: Uncensored. Videos of actual homeless folks paid in sandwiches for beating the crap out of one another.
Handsome Hong Kong Guy: Censored for showing videos of clothed local women with music derogatory towards women in the background.
Tuesday, May 13, 2008 at 09:01
CRS BILL DIGEST
HR2616: Encryption for the National Interest Act
Sponsor: Goss (R-Fla.)
Official Title: A bill to clarify the policy of the United States with respect to the use and export of encryption products, and for other purposes.
TABLE OF CONTENTS:
Title I: Domestic Uses of Encryption
Title II: Government Procurement
Title III: Exports of Encryption
Title IV: Liability Limitations
Title V: International Agreements
Title VI: Miscellaneous Provisions
Encryption for the National Interest Act - Declares that it is U.S. policy to protect public computer networks through the use of strong encryption technology, promote the export of encryption products developed and manufactured in the United States, and preserve public safety and national security.
Title I: Domestic Uses of Encryption - Makes it lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption bit length chosen, or implementation technique or medium used, except as otherwise provided by this Act or by law. Defines "United States person" to mean any U.S. citizen, any other person organized under the laws of any State, and any person organized under the laws of any foreign country who is owned or controlled by such individuals.
(Sec. 103) Amends the Federal criminal code to prohibit, and set penalties for, knowingly using encryption in furtherance of the commission of a criminal offense for which the person may be prosecuted in a U.S. district court. Prohibits the court from placing on probation any person convicted of such a violation and prohibits the term of imprisonment imposed from running concurrently with any other term imposed for the underlying criminal offense. Specifies that the use of encryption by itself shall not establish probable cause to believe that a crime is being or has been committed.
Makes it unlawful for any person to intentionally: (1) obtain or use decryption information without lawful authority for the purpose of decrypting data, including communications; (2) exceed lawful authority in decrypting data; (3) break the encryption code of another person without lawful authority for the purpose of violating the privacy or security of that person or depriving that person of any property rights; (4) impersonate another person for the purpose of obtaining decryption information of that person without lawful authority; (5) facilitate or assist in the encryption of data, knowing that such data are to be used in furtherance of a crime; or (6) disclose decryption information in violation of code provisions. Sets penalties for violations.
Requires a court of competent jurisdiction to issue an order ex parte granting an investigative or law enforcement officer (officer) timely access to the plaintext of encrypted data, or requiring any person in possession of decryption information to provide such information to a duly authorized officer: (1) upon the application by a Government attorney that is made under oath and that provides a factual basis establishing the relevance of the information sought to a law enforcement, foreign counterintelligence, or international terrorism investigation; and (2) if the court finds that the information being sought is relevant to an ongoing investigation and the officer is entitled to such information.
Directs that the order issued by the court: (1) be placed under seal, except that a copy may be made available to the officer authorized to obtain access to the information sought in the application; and (2) subject to notification procedures, be made available to the person responsible for providing the information to the officer.
Bars disclosure of an application made or order issued under this section, except as specifically permitted by this section or another court order.
Directs that there be created an electronic or similar type of record of each instance in which an officer, pursuant to an order under this section, gains access to the plaintext of otherwise encrypted information, or is provided decryption information, without the knowledge or consent of the owner of the data who is the user of the encryption product involved. Authorizes the court issuing the order to require that the record be maintained in a place and manner that is not within the officer's custody or control. Requires: (1) the record to be tendered to the court, upon notice from the court; and (2) the court to make the original and a certified copy of the record available to the Government attorney and to the attorney for, or directly to, the owner of the data who is the user of the encryption product, pursuant to specified notification procedures.
Specifies that nothing herein shall be construed to enlarge or modify the circumstances or procedures under which a Government entity is entitled to intercept or obtain oral, wire, or electronic communications or information.
Directs the court, within a reasonable time but not later than 90 days after the filing of an application for such an order which is granted, to cause to be served to specified parties an inventory which shall include notice of: (1) the entry of the order or application; (2) the date of the entry of the application and issuance of the order; and (3) the fact that the person's decryption information or plaintext data has been provided or accessed by an officer. Allows the court, upon the filing of a motion, to make available for inspection to that person or that person's counsel such portions of the plaintext, applications, and orders as the court determines to be in the interest of justice.
Sets forth provisions regarding: (1) postponement of inventory for good cause; (2) admission of encrypted information into evidence; (3) contempt; (4) motions to suppress; (5) appeal by the United States; (6) a civil action for violations; (7) a statute of limitations; (8) exclusive remedies; (9) technical assistance by a provider of encryption technology or network service; and (10) reporting requirements.
Authorizes an officer to whom plaintext or decryption information is provided to use such information only for purposes of conducting a lawful criminal investigation, foreign counterintelligence, or international terrorism investigation and for purposes of preparing for and prosecuting any criminal violation of law. Bars any such information provided to an officer from being disclosed, except by court order, to any other person for use in a civil proceeding that is unrelated to a criminal investigation and prosecution for which the information is so authorized. Allows such order to issue only upon a showing by the party seeking disclosure that there is no alternative means of obtaining the information being sought where the court also finds that the interests of justice would not be served by nondisclosure.
Prohibits an officer from using decryption information to determine the plaintext of any data unless it has obtained lawful authority to obtain such data under other lawful authorities.
Sets forth provisions regarding: (1) the return of decryption information; (2) other disclosure of such information; (3) identification of material that discloses such information; and (4) responsibility of the officer to reasonably assure that inadvertent disclosure does not occur.
Title II: Government Procurement - Authorizes the President to require an encryption product or service procured to provide the security service of data confidentiality for a computer system owned and operated by the Government to include recoverability features or functions that enable the timely decryption of encrypted data or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such products or services.
Requires the President to ensure that all encryption products purchased or used by the Government are supportive of and consistent with: (1) all statutory obligations to protect sources and methods of intelligence collection and activities; and (2) those needs required for military operations and the conduct of foreign policy.
(Sec. 202) Authorizes the President to direct that any communications network established for the purpose of conducting the business of the Government use encryption products that: (1) include features or functions that enable the timely decryption of encrypted data or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such products or services; and (2) are supportive of and consistent with all statutory obligations to protect sources and methods of intelligence collection and activities and those needs required for military operations and the conduct of foreign policy.
(Sec. 203) Authorizes the President to require as a condition of any Government contract that any encryption product used by a private vendor in carrying out the contract include features or functions that enable the timely decryption of encrypted data or timely access to plaintext by an authorized party without the knowledge or cooperation of the person using such products or services.
(Sec. 204) Permits an encryption product to be labeled to inform Government users that the product is authorized for sale to or for use by Government agencies or Government contractors in transactions and communications with the Government under this title.
(Sec. 205) Bars the Government from requiring the use of encryption standards for the private sector, except as otherwise authorized by section 204.
(Sec. 206) Makes this title inapplicable to encryption products and services used solely for access control, authentication, integrity, nonrepudiation, digital signatures, or other similar purposes.
Title III: Exports of Encryption - Directs the President to control the export of all dual-use encryption products. Authorizes the President to deny the export of any encryption product on the basis that its export is contrary to national security. Provides that any decision made by the President or his designee regarding the export of encryption products under this title shall not be subject to judicial review.
(Sec. 302) Makes encryption products with encryption strength of 64 bits or less eligible for export under a license exception if: (1) such encryption product is submitted for a one-time technical review, does not require licensing under otherwise applicable regulations, and is not intended for a country, end user, or end use that is by regulation ineligible to receive such product and is otherwise qualified for export; (2) the exporter, within 180 days after the export of the product, submits a certification identifying the intended end use and intended recipient of the product and provides the names and addresses of its distribution chain partners; and (3) the exporter, at the time of submission of the product for technical review, provides proof that its distribution chain partners have contractually agreed to abide by all U.S. laws and regulations concerning the export and reexport of encryption products designed or manufactured within the United States.
Requires the technical review to be completed within 45 days after submission of all required information. Directs the President to specify the information that must be submitted for the one-time technical review. Prohibits the exportation of an encryption product during the technical review of that product.
Provides for: (1) periodic review of the license exception eligibility level; and (2) an export license exception for an encryption product whether or not it contains a method of decrypting encrypted data.
(Sec. 303) Authorizes the President to permit the export of encryption products with an encryption strength exceeding the maximum level eligible for a license exception if the export is consistent with national security.
(Sec. 304) Directs the President to establish procedures for the expedited review of commodity classification requests, or export license applications, involving encryption products that are specifically approved by regulation for export.
(Sec. 305) Authorizes the President to grant an export license for encryption products with an encryption strength exceeding the maximum level eligible for a license exception which are designed or manufactured within the United States (with an exception) under the following conditions: (1) there shall not be any requirement, as a basis for an export license, that a product contains a method of gaining timely access to plaintext or decryption information; and (2) the export license applicant shall submit the product for technical review, a certification under oath identifying the intended use of the product and the expected end user or class of end users of the product, proof that its distribution chain partners have contractually agreed to abide by all U.S. laws and regulations concerning the export and reexport of encryption products designed or manufactured within the United States, and the names and addresses of its distribution chain partners.
Requires the technical review to be completed within 45 days after submission of all required information. Bars exportation of an encryption product during the technical review.
Requires all exporters of encryption products designed or manufactured within the United States to: (1) submit a report to the Secretary of Commerce (the Secretary) at any time the exporter has reason to believe any such exported product is being diverted to a use or a user not approved at the time of export; (2) report any pirating of their technology or intellectual property to the Secretary as soon as practicable after discovery; and (3) submit to the Secretary a report specifying the particular product sold, the name and address of the ultimate end user of the product (if known), or the name and address of the next purchaser in the distribution chain, and the intended use of the product sold.
Authorizes the Secretary, the Secretary of Defense, and the Secretary of State to exercise the authorities they have under other provisions of law to carry out this title.
Grants the President specified waiver authority.
(Sec. 306) Establishes an Encryption Industry and Information Security Board, which shall undertake an advisory role for the President. Sets forth provisions regarding the Board's purposes, membership, meetings, findings and recommendations, and termination. Specifies that the Board shall have no authority to review any export determination made under this title and that the consideration of foreign availability by the Board include computer software that is distributed over the Internet or advertised for sale, license, or transfer.
Title IV: Liability Limitations - Provides that, except for a person who provides plaintext or decryption information to another in violation of this Act, no civil or criminal liability shall attach to anyone for disclosing or providing: (1) the plaintext of encrypted data; (2) the decryption information of such data; or (3) technical assistance for access to the plaintext of, or decryption information for, such data.
(Sec. 402) Makes compliance with this Act a complete defense for any civil action for damages based upon activities covered by this Act, other than an action founded on contract.
(Sec. 403) Specifies that an objectively reasonable reliance on the legal authority provided by this Act authorizing access to the plaintext of otherwise encrypted data or to decryption information that will allow the timely decryption of data that is otherwise encrypted shall be an affirmative defense to any criminal or civil action that may be brought under the laws of the United States or any State.
Title V: International Agreements - Expresses the sense of Congress that: (1) the President shall conduct negotiations with foreign governments for purposes of establishing binding export control requirements on strong non-recoverable encryption products; and (2) such agreements should safeguard the privacy of U.S. citizens, prevent economic espionage, and enhance U.S. information security needs.
(Sec. 502) Authorizes the President to consider a government's refusal to negotiate such agreements when considering U.S. participation in any cooperation or assistance program with that country.
(Sec. 503) Sets forth reporting requirements.
Title VI: Miscellaneous Provisions - Directs the Attorney General to compile, and maintain in classified form, data on: (1) the instances in which encryption has interfered with, impeded, or obstructed the ability of the Department of Justice (DOJ) to enforce U.S. law; and (2) the instances where DOJ has been successful in overcoming any encryption encountered in an investigation. Requires that such information, including an unclassified summary, be submitted to Congress annually beginning October 1, 2000.
(Sec. 603) Authorizes appropriations for the Technical Support Center of the Federal Bureau of Investigation for FY 2000-2003.
Security,
Technology,
ICT
Thursday, May 1, 2008 at 22:29 TORONTO, April 7, 2005 -- The Child Exploitation Tracking System (CETS) saw early success while still in beta in November 2004. The tracking system identified a link between information arising from an FBI investigation in the United States and a separate investigation conducted by the U.S. Department of Homeland Security, known as Operation Falcon. As a result of this link, the Child Exploitation Section of the Toronto Police Service’s Sex Crimes Unit charged a man previously arrested on child-pornography charges with sexually assaulting a 4-year-old girl, taking pornographic pictures of her and distributing them.
[Photo: Microsoft Deputy General Counsel Nancy Anderson (L) and Royal Canadian Mounted Police (RCMP) Commissioner Guiliano Zaccardelli (R) at a news conference to announce the Child Exploitation Tracking System jointly developed by Microsoft, RCMP and the Toronto Police Service. Toronto, April 7, 2005.]
CETS, a software solution built using open industry standards, assists law-enforcement officials in their work to stop the exploitation of children on the Internet by enabling effective collaboration and providing a set of advanced software tools and technologies for use by investigators. Officially launched today, CETS was developed jointly by Microsoft Canada, the Royal Canadian Mounted Police (RCMP) and the Toronto Police Service.
“Our vision is to support more effective child-exploitation policing by enabling collaboration and information sharing across police services,” says David Hemler, president of Microsoft Canada. “The tracking system will serve as a repository of information and will also be used as an investigative tool.”
Teaming of Industry and Law Enforcement
Inspector Jennifer Strachan, officer-in-charge with the RCMP’s National Child Exploitation Coordination Center, praises CETS for making linkages that have helped in the execution of warrants. She also applauds the tool’s use of SharePoint Portal Server to help track trends and post best practices. But most of all, she is optimistic about the partnering of law enforcement with industry.
“The old ways of policing won't meet the needs of today's cyber criminals,” Strachan says. “Industry created this environment, and Microsoft is setting a good example by realizing that with this innovation also comes accountability. Law enforcement will never be industry, and industry will never be law enforcement, but we need to keep the best interests of the people we serve in mind.”
As Strachan notes, it is difficult to look at the images of these children being exploited and not want to do something to save them. So she, like many others in law enforcement, is excited to see where CETS will take them.
“We see the excitement amongst police agencies when they realize the potential of this tool and the difference it will make in the fight against online predators,” Hemler says. “The responsibility lies with all of us to limit evil on the Internet and to protect our young people from being exploited. It is part of our duty as responsible leaders.”
CETS’s reach continues to grow as police agencies around the world show interest in using this tool.
“The international law-enforcement community is always looking for ways to stop child pornography and exploitation,” said Rich LaMagna, director of worldwide investigative and law-enforcement programs with Law and Corporate Affairs. “The international law-enforcement community has expressed strong interest in exploring this tool. CETS has got their attention as a way to have a great impact in this field.”
‘We Were Always Playing Catch-up’
The seeds for CETS were planted when Sergeant Paul Gillespie, a detective with the Toronto Police Service’s Child Exploitation Section, felt he was fighting a losing battle in his attempts to stop child exploitation online. While officers in his unit learned their way around the Internet, cyber-criminals were advancing in their ability to victimize children online, trade images and create pedophile communities, all in relative anonymity.
Policing,
Technology,
Pedophilia,
ICT
Saturday, April 26, 2008 at 10:22
Friday, April 4, 2008 at 09:00 Statement of James Lewis Director and Senior Fellow Technology and Public Policy Program Center for Strategic and International Studies (CSIS)
Committee on House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities
April 01, 2008
I thank the committee for the opportunity to testify. As you know, we have seen new domains for conflict emerge in the last decade. These new domains are in space and in cyberspace. Cyberspace is in some ways the more interesting of the new domains, because the ‘price of entry’ is low and also because it has been an area of significant U.S. vulnerability for many years, a vulnerability that has been eagerly exploited by our opponents.
We know that networks and information technology improve performance for both businesses and militaries when they are used to provide better information and better coordination. One study examined exercises that pitted networked F-15s against F-15s relying only on traditional voice communications, and found that networking resulted in dramatic improvements in combat effectiveness.[1] This study is indicative of the direction that future conflict is likely to take: the side with the informational advantage is more likely to win. We are only at the beginning of finding the organizational structures and tactics that will make full use of the new technologies that can provide informational advantage.
But at the same time, the use of these technologies has created serious new vulnerabilities.
These vulnerabilities are the result, in part, of the newness of the technologies themselves. Our opponents have seized the opportunity created by these vulnerabilities to engage in an extensive espionage campaign against the U.S. by mapping the vulnerabilities of our networks, accessing U.S. computers through these networks, and transferring sensitive information from the U.S. to their own computers.
There is also the possibility that when an unknown intruder has accessed a U.S. computer to steal information, he or she has also left something behind. We cannot say with assurance that a network that has been penetrated has also not been infected with hidden malware that could be triggered in a crisis, disrupting data and communications. This is not the “electronic Pearl Harbor” scenario that unfortunately dominated much of the early thinking about cyber security, but the potential for disruption and at least a temporary military advantage for an opponent as a result of attacking U.S. computer networks cannot be discounted.
None of our opponents will deliberately seek conventional military conflict with the U.S. Instead, they are attracted to asymmetric attacks, which look for and exploit areas where they are strong and the U.S. is weak and unaware. To achieve asymmetric advantage, some opponents will rely on terrorism or insurgent tactics, where combatants blend with the civilian population to attack the U.S. Other opponents plan to disrupt, destroy or deceive U.S. sensors and communications, to degrade our informational advantage. Their goal is to exploit vulnerabilities, places where U.S. assets are poorly defended.
Computer networks are just such a place. The nature of information technology and the internet means that in these asymmetric attacks in cyberspace, the advantage lies with the attacker. The internet was not designed to be a global network with millions of different devices all interconnected over a telecommunications backbone. The result is that there are many avenues for attack. Many different entities are exploring how to take advantage of vulnerabilities in cyberspace. These include nations, criminals, terrorist groups, political activists and perhaps even some corporations.
China and Russia are perhaps the most dangerous of our potential opponents. China has resources and is willing to spend them, and Russia has experience and skill. However, China and Russia are not the only nations interested in and capable of waging cyber warfare, nor are nation-states the only potential opponents in this new domain. The emergence of a powerful and skilled cybercrime community has serious implications for U.S. interests.
Over the last few years, cyber criminals have become technologically sophisticated and well-organized. These are not the amateurs of a few years ago. Cyber criminals have developed black markets where you can buy malware, guides to vulnerabilities, credit card numbers. There are contests among cyber criminals, to see who can be the first to hack a new system or to discover a new vulnerability. Some of these sites offer guarantees while others provide a rating system for potential buyers. It is possible to rent bot-nets, huge assemblies of hijacked computers to use in an attack, or even to hire hackers. As in any black market, an unwary buyer can end up being exploited, but a knowledgeable purchaser or one with resources and experience - and this customer base includes nations, companies, and terrorist groups - can find most of what they need for cyber attacks.
If we have underestimated the risks of cyber espionage and cyber crime, the risk of cyber terrorism is overstated. Terrorists do make extensive use of the global internet for recruitment, propaganda, fundraising, training, and for command and control. The ability of terrorist groups to use commercial communications networks has provided them with robust, flat organizations that are more difficult to defeat. It has provided them with a global presence they would not have been able to achieve twenty years ago. But this is not the equivalent of attacks with bombs or firearms, which terrorists prefer. Cyber weapons are not yet sufficiently lethal for terrorist use.
To date, cyber disruption and attacks on critical infrastructure remain largely hypothetical. Cybercrime and cyber espionage are the most serious problems. Cyber-espionage is a far greater problem for national security than many recognize. Last year, the U.S. government suffered a series of breaches of its computer networks.
These have been attributed to China, and while attribution is always difficult when it comes to cyber attacks, we should note that senior officials in the German, French and British governments also complained about Chinese hacking during the same period as the attacks on the U.S. occurred.
Using computer break-ins for espionage has a long history. The earliest breach I know of occurred in the 1980s, when the KGB hired West German hackers to penetrate U.S. military and research networks. There were also incidents in the 1990s involving the Departments of Energy and Defense. These incidents show that the cybersecurity problem is twenty years old, but last year we crossed a threshold in cyberattacks, with the noisy demonstrations launched against Estonia's government networks and with the massive sustained attacks - some successful - on U.S. government networks and on the networks of allied countries.
In 2007, computer networks in the Departments of Defense, State and Commerce were penetrated and had to be taken off line for repair. It is likely that other agencies suffered breaches as well. The primary intent of these attacks was to collect information. What they revealed was a remarkable unevenness in the defense of U.S. networks. Some of our government networks, usually those providing the most sensitive services, are very secure. Other networks, including some that contain information about sensitive technologies, are not as secure as we would like, whether these are at the Department of Energy or State, or even the Secretary of Defense's unclassified email system, all of which have been hacked.
This series of attacks has prompted the U.S. to begin a major new initiative to improve the security of government computer systems. The Administration has reportedly issued a new, joint policy directive - National Security Policy Directive-54 and Homeland Security Policy Directive-23 - which directs agencies to carry out a comprehensive federal cybersecurity initiative. Many of the initiative's elements are highly classified - some would say over-classified - but there has been public discussion of some of its elements and the Administration has said it will make more information publicly available sometime in the next few months.
We know that the initiative allocates more money and personnel to cyber security. Federal spending on cybersecurity will increase ten to twelve percent, according to press reports. The Department of Homeland Security will expand the use of its "Einstein" system to monitor traffic in and out of Federal government networks.
Einstein will be reinforced by undisclosed NSA monitoring systems as well. Building on programs initiated in the Department of Defense, the Office of Management and Budget has mandated the use of the Federal Desktop Core Configuration, a secure standardized configuration for use on all Federal computers. OMB has also begun a "Trusted Internet Connections" initiative (TIC), which will reduce the points of connection between Federal networks and the rest of the internet from hundreds to only fifty. The U.S. is considering whether to establish new organizations to oversee cyber security efforts, and existing organizations will be strengthened. Both DOD and the Intelligence community have increased their efforts in cyberspace. The initiative has twelve separate projects to improve cyber security, including one that will look at how to improve coordination with the private sector.
These are all very positive steps, but difficult issues remain to be solved. One such issue is improving coordination with the private sector. This will be a major test for the Initiative. The U.S. has mechanisms for coordinating public and private cyber security efforts, but in some ways these are a continuation of the initial programs from the 1990s, such as the FBI's National Infrastructure Protection Center (NIPC) or the Department of Commerce's Critical Infrastructure Assurance Office (CIAO).
We need to rethink and improve how the government interacts, cooperates and coordinates with the private sector to assure better cyber security.
Another issue is that there is an international element to cyber security that must be addressed. These attacks on federal networks and critical infrastructure come over global networks. A national effort can provide only part of the solution. The U.S. will need to work with its allies and perhaps even with our opponents to change this. A sustained international effort could involve better cybercrime enforcement, new international norms for cyberspace, new collaborative mechanisms and, with our allies, agreed doctrine on securing networks and responding to attacks.
One advantage of better international cooperation is that it could increase the level of deterrence, at least for cyber criminals. Currently, some nations act as sanctuaries for cybercriminals. Cybercriminals who operate overseas can, with a little skill, almost eliminate the chances of being caught and prosecuted. Only international cooperation will change this.
Other forms of deterrence are less practical. It is difficult to deter by threatening counterattack if you do not know who is attacking. It is even more difficult to deter by threatening counterattack if you cannot estimate the degree of collateral damage. Attacks come over a global network to which we are all connected, and the attackers can use unsuspecting civilian computer networks, assembled into bot-nets, to launch their attacks.
Last year's attacks on Estonia are a good example of these problems. They are widely attributed to Russia, and in my view Russian intelligence services are almost certainly behind the attacks, yet there is no evidence to substantiate this. The attackers, a collection of cybercriminals and amateur hackers mobilized and encouraged by unknown entities, used captive computers around the world, in Europe, China and in the U.S. A counterstrike against the attacking computers would have damaged innocent networks around the world. It would be a bold President who authorized counterstrikes when he or she does not know the target or the possible extent of collateral damage to friendly networks.
The attacks on Estonia highlight the problems of anonymity and attribution. The Internet is too anonymous, and too easily deceived. Identity management must be improved if cybersecurity is to be improved. This is a thorny subject, given the implications for privacy and civil liberties, but the anonymity of the internet makes it difficult to determine who is responsible for an attack or a crime, and this difficulty with attribution makes it more difficult to deter attacks. Progress on measures such as HSPD-12, which will improve Federal credentials and authentication, is crucial. The RealID program, although widely vilified, is also crucial for improving the quality of identity documents and procedures in the U.S. DOD has been a leader in better identity management with its Common Access Card Program.
Federal organization remains a challenge. The slow pace of the rollout of the Initiative was due in part to disagreements over which agency would have the lead. The Intelligence Community has the best capabilities for cyber defense in many ways, but there are civil liberties concerns and clear links to the renewal of the Foreign Intelligence Surveillance Act (FISA) over assigning the Director of National Intelligence the lead role. There are also concerns over giving the lead in cybersecurity to a military organization, such as the U.S. Strategic Command. The Department of Homeland Security, the civilian agency with the responsibilities for cyber security, would be the logical lead, but there have been questions about its competence and authority. The previous administration had a cyber "czar," who successfully began the immense effort required to reorient Federal policy and to develop strategies, but a "czar" may no longer make sense now that the Department of Homeland Security has been created.
Government organization for cybersecurity reflects a larger challenge for the U.S. In effect, we have a vertical organization trying to respond to a horizontal threat.
This means we have four or five different and independent agencies, each of which is responsible for a part of the problem. There is no single agency responsible for the entire problem. Even at the White House we have two organizations - the Homeland Security Council and the National Security Council - that share responsibility for cyber security.
This sort of organizational problem is very difficult for governments to overcome. The creation of the Department of Defense in 1948 was an effort to develop collaborative and "joint" action to meet the problems of National Security. That effort was reinforced and given new impetus by the Goldwater-Nichols Act. DOD has worked for decades to achieve "jointness." Other agencies are far behind in achieving a collaborative, "horizontal" approach. The creation of the Department of Homeland Security can be seen as an effort to duplicate the 1948 solution for homeland security. The Intelligence Reform and Terrorist Prevention Act can also be seen as an effort to create an "intelligence enterprise" with a powerful CEO whose remit would stretch across multiple agencies.
I would wish reorganization on no administration, but the structure of our government is still largely based on a template created in the 1900s. This template is inefficient in many ways. Reorganization is unavoidable, but it will take years of effort. We do not have years, however, to respond to the new security threats in cyberspace.
To be fair, this problem extends beyond government. Our conceptual framework for thinking about security has moved beyond the cold war, but not by much. My concern is that conflict in cyberspace is seen the way that airplanes were seen in 1912 - interesting toys, but not a serious security or military issue. Some, pointing to Pearl Harbor and to 9/11, say that we will only reshape our thinking and our organization to deal with cybersecurity after some disaster has occurred. I hope this is not the case.
Federal organization, strategy and doctrine, coordination with the private sector and allies - these and other issues remain challenges despite the progress made by the President's cybersecurity initiative. That the initiative comes in the last year of the Presidency also creates challenges. Any administration would face difficulties in making rapid progress on a new initiative after July. The political realities are that the Administration has between fourteen and sixteen weeks to implement its cyber initiative. Much can be done, but much will necessarily remain unfinished.
This means that the burden of improving cybersecurity will fall on the next administration when it takes office in January of 2009. That administration, whether Democratic or Republican, will inherit a cyber security situation that is much improved. It will also inherit a cyber security initiative that is a work in progress, with a number of unfinished elements. Like any new administration, it will have to ask what should it keep or continue from this initiative, what should it change or drop, and what new steps it should take to address this increasingly serious problem for national security.
Transitions are also, as the members of the Committee well know, a moment of opportunity. The new Administration will have a degree of good will and authority. Perhaps more importantly, it will have something of a clean slate when it comes to initiatives and organization. 2009, the first year of the next administration, provides an opportunity to take the Bush Administration's cybersecurity initiative and advance it.
To help the new administration think about this opportunity, the Center for Strategic and International Studies (CSIS) established a nonpartisan commission on Cyber Security for the 44th Presidency - the administration that will take office in January 2009. CSIS is a nonpartisan, nonprofit research organization headquartered in Washington, D.C. with more than 200 staff and a large network of affiliated experts. Its focus is on security in a changing global environment.
CSIS has been conducting research, holding public events, and advising government agencies on cyber security since before 2000, and this body of work will provide the foundation for the Commission on Cyber Security for the 44th Presidency. CSIS routinely uses commissions, task forces and work groups to help it conduct analysis and develop recommendations. This approach lets us draw upon the broader communities of interest in Washington and benefit from their expertise and experience.
The goal of this effort is to look at cybersecurity as a problem for national security and develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure. The Commission will consider federal organization and strategy, cybersecurity norms and authorities, international issues, federal investment and acquisition policies, and it will explore ways in which the government can engage with the private sector.
The members of the commission are experts in cybersecurity with extensive government experience. In addition, CSIS intends to make the work of the Commission an inclusive process and has asked other experts and groups to participate in the development of recommendations and to make plenary presentations on substantive issues. Our first public briefing took place on March 12, in a well-attended event where five widely recognized leaders in cybersecurity gave their views and recommendations on how to move forward in cybersecurity. We plan to hold several more briefings in the next three months.
As part of this effort, we have created a number of working groups that will examine these issues in detail and develop specific recommendations. These groups have just begun their work. They include members of the commission and other experts, all of whom have volunteered their time for this effort. If the committee wishes, I can report back at a later stage on how their work has progressed. Our plan is for the Commission to complete its work by November 2008. The final product from the Commission will be a well-supported package of recommendations for improving cyber security that could help to guide U.S. policy in the future.
The advantage we gain from being network centric is eroded by uneven security. We will never have perfect security, but our goal, as a nation, should be to increase our ability to use network technologies to improve our military and economic performance while at the same time reducing the ability of our opponents to take advantage. Our hope is that the efforts of CSIS and the other participants in the commission can contribute in some way to this improvement.
One element of the CSIS project is to reassess the larger strategic context for cybersecurity. This context is shaped by considerations involving national defense, law enforcement, intelligence and global economic competition. This may require a broader definition of national security. It is no surprise that one result of the immense economic and technological change we are undergoing is that old assumptions about security, and the policies based on those assumptions, do not work as well as they did in the past. The process of adjusting those policies to the new global environment is a major challenge for all governments. Each country in some way must respond to a world where the lines between government and commercial, and between domestic and foreign, are blurred.
This blurring makes finding solutions to cybersecurity more difficult, but achieving better cyber security and greater benefit from network centric operations requires this reassessment of the strategic context.
In the 1990s, there was considerable discussion of what the international security environment would look like after the cold war and what the new threats to US security would be in that environment. Much of this speculation was wrong, not in that it misidentified the new threats, but that it gave some threats more importance than they deserved. We underestimated the threat of global terrorism. We did not prepare adequately for cyber espionage. There were a few visionaries who pointed to these problems, but in the main, they were ignored.
In the last decade, the shape and nature of the new security environment has become clearer. We face new kinds of competition and new kinds of threats. In this new environment, the ability to operate in cyberspace and to defend against the operations of others in cyberspace is a crucial task for security. The United States has begun to take the steps needed to defend and to compete effectively in cyberspace, but we have only begun and there is much to do.
I thank the Committee again and I would be happy to take any questions.
Wednesday, April 2, 2008 at 22:34
OTTAWA, April 2, 2008 /PRNewswire/ -- VoIPshield Laboratories, the research division of VoIPshield Systems Inc., today announced it has discovered over 100 security vulnerabilities in Voice over IP systems marketed by Avaya, Cisco and Nortel. A vulnerability is a design or implementation flaw in a VoIP system that can be exploited by a hacker with malicious intentions, including extortion through service outage threats, industrial espionage through call recording, or identity theft through the stealing of sensitive customer information.
VoIPshield notified the vendors of its findings earlier this year. Under the terms of its Responsible Disclosure Policy, VoIPshield works with the vendors to help them recreate the vulnerabilities in their own test labs, and offers its services to assist the vendors in determining the best remediation approach.
"It is important that companies understand the security risks associated with their VoIP systems," said Rick Dalmazzi, president and CEO of VoIPshield. "Now is the time to start planning a protection strategy, while the hacking community is still learning about VoIP, not after the attacks begin."
The vulnerabilities are cataloged and presented on the company's website at http://www.voipshield.com/research. Each vulnerability is categorized based on an exploit's most likely malicious intent: unauthorized access, code execution, denial of service or information harvesting. Each is also given a severity rating based on a modified industry standard index. Vendor responses are also included, indicating what action, if any, the vendor has indicated it will take to remediate the vulnerability, and when.
"The limited number of high-profile attacks against IP telephony has lulled most chief information security officers and voice/data managers into a false sense of security, with the result that most do not have adequate protection for their converged networks," said Lawrence Orans, research director for networking and communications equipment at Gartner Research. "As IP telephony continues to gain momentum, targeted attacks -- and possibly broad-based attacks -- will surface and gain greater visibility, highlighting vulnerabilities and the overall lack of focus on IP telephony security."
The database marks the first of ongoing announcements that VoIPshield Labs will make as it continues its research into these and other vendors' products. Avaya, Cisco and Nortel were chosen for the initial round of research because of their popularity in the North American market. Microsoft has recently announced its entry into the enterprise VoIP market.
Just this month, communications research firm In-Stat revealed that while 80% of companies said they'd deployed some type of VoIP solution, more than 40% do not have specific plans for securing them. This finding, based on a survey of U.S. companies conducted in September 2007, was published in a report titled U.S. Businesses Lag in Securing VoIP. "Regardless of the VoIP solution that is in place or planned, security should be an integral part of an implementation from the beginning," the report summarized.
The vulnerabilities discovered are used by VoIPshield to create signatures for its enterprise VoIP security solutions: VoIPaudit(TM), a VoIP Vulnerability Assessment system, and VoIPguard(TM), a VoIP Intrusion Prevention System (VIPS). Users are protected against attacks attempting to exploit the known vulnerabilities. VoIPshield products are regularly updated with new signatures through the VoIPshield Update(TM) subscription service.
"Digital video and voice enabled by Voice over IP technologies are vital to commerce and are substantially at risk," said Jonathan Zar, chairman of the threat taxonomy committee of the Voice over IP Security Alliance (VoIPSA). "It is important that products be developed that are specifically designed to protect VoIP systems. VoIPSA encourages all research leading to such products."
For more information about the vulnerabilities database and VoIPshield's products visit http://www.voipshield.com/research.
About VoIPshield Systems
VoIPshield Systems Inc. develops products to secure voice communications on IP networks. Each application uses VoIPshield's proprietary database of VoIP-specific vulnerabilities and corresponding threat signatures, developed by VoIPshield Laboratories. VoIPaudit(TM) is an award-winning VoIP vulnerability assessment product. VoIPguard(TM) is the industry's first VoIP Intrusion Prevention System (VIPS) based on signature-based and behavior-based detection technology. More information is available at http://www.voipshield.com.
SOURCE VoIPshield Laboratories
Tony Keller of SS|PR, +1-719-634-8279, tkeller@sspr.com
Tuesday, February 26, 2008 at 20:36
Monday, February 18, 2008 at 20:06
Statement of Alan Paller, Director, Research, The SANS Institute
Committee on House Oversight and Government Reform, Subcommittee on Information Policy, Census, and National Archives, and Subcommittee on Government Management, Organization, and Procurement
February 14, 2008
--Federal agencies are under massive attack from China and other nation states, and agencies have demonstrated that they are not able to protect their systems or the sensitive information stored on those systems.
--In 2000, President Clinton vowed to make sure the federal government leads by example in cyber security.
--Government has failed to lead in large measure because of a provision that was originally made in the Government Information Security Reform Act (GISRA), but carried over to the Federal Information Security Management Act (FISMA). Federal cyber security has been set back, and more than $300 million in scarce cyber security funding has been wasted because of this error.
--A small legislative change and a shift in oversight technique could turn this situation around.
--Time is of the essence. The Director of National Intelligence reported last week to the Senate Select Committee on Intelligence that cyber exploitation is growing "more sophisticated, more targeted and more serious."
My name is Alan Paller; I am director of research at the SANS Institute. Thank you for the opportunity to testify today. While there are doubtless many things that could be done to improve the security of the Federal government's cyber infrastructure, my testimony today will focus on one item that, in my professional opinion, would materially improve the security of that infrastructure without requiring the expenditure of more money.
The Cyber Threat Is Expanding and Growing In Sophistication
Federal agencies and government contractors are facing a wave of cyber attacks from sophisticated nation states. The attacks began in earnest at least five years ago (our first firm evidence is from May 2003) and are so successful that agencies that know they were penetrated do not know how much information was taken, how widespread the compromises were on their systems, nor which systems are still under control of the attackers.
Those attacks resulted in sensitive data about national security technologies, strategies and practices being copied and moved to hostile nations. The stolen data, although not classified, is highly sensitive - such as details on the technologies that the US considers too sensitive to export and the specifications for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force. The Commander of the US Air Force Cyber Command, Major General William Lord, said in August of 2006 that "There is a nation-state threat by the Chinese... China has downloaded 10 to 20 terabytes of data from the NIPRNet."
Moreover, the fact that federal computers are under the control of potentially hostile foreign governments means that the US government agencies cannot be sure the data they provide is accurate or whether it may have been altered to be misleading.
The attacks are continuing, accelerating, and spreading to the commercially owned US critical infrastructure. A week ago today, the Director of National Intelligence, J. Michael McConnell, told the Senate Select Committee on Intelligence,
"Our information infrastructure - including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries - increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year."
A Presidential Cyber Security Promise That Could Not Be Kept Because of FISMA
In February of 2000, in the aftermath of the Mafia Boy attacks on Amazon, CNN, Yahoo, and Dell, the President of the United States promised twenty Internet leaders that the US government would "lead by example" in building defenses that would block the growing scourge of cyber crime. But neither the Clinton Administration nor the Bush Administration has led by example, in large part because they were hamstrung by an error in a law called GISRA, the Government Information Security Reform Act. GISRA later morphed into FISMA, but the FISMA drafters did not know of the error, and did not fix it. Because of that error in GISRA, not only are government systems far less secure than they could be, but more than $300 million of scarce federal security money was spent on writing reports that were never read, and that did not improve security.
How do we know this? Because SANS trains more than 14,000 cyber security professionals each year - with more than 15% employed in federal information security. Our alumni working for the federal government and for contractors, like other alumni around the world, keep us up to date on what works and what doesn't in cyber security.
SANS also operates the Internet Storm Center, an early warning system, so we have a pretty clear picture of the threat landscape as well as the effectiveness of the defenses.
Major Federal Successes in Cyber Security Illuminate How FISMA Can Be Improved
On December 10, 2007, SANS published a compendium of federal successes in information security, entitled "What Works in Implementing the US National Strategy to Secure Cyberspace: Case Studies of Success in the War on Cybercrime and Cyber Espionage." I have attached that document for your reference.
A quick review of the federal successes listed in the "What Works" document shows that most were accomplished without any FISMA support or relevance, but that the most important one (the Federal Desktop Core Configuration or FDCC) was enabled by a clause in FISMA [3544(b)(2)(D)(iii)].
That one powerful clause worked because it showed agencies how to prioritize their cyber security actions. It did that by providing direct, unequivocal guidance.
What Went Wrong Because of FISMA
The error in GISRA and later in FISMA was the lack of priority setting. It is best illuminated by showing exactly what went wrong when agencies tried to implement FISMA.
First, the National Institute of Standards and Technology (NIST), following its FISMA mandate, wrote a series of guidance documents, later made mandatory by OMB, telling agencies how to comply with FISMA. NIST failed to prioritize the actions it required agencies to take. Instead, NIST wrote guidance at a very high level - leaving interpretation to the agencies and their Inspectors General (IGs). The lack of priorities, along with language open to broad interpretation, made it nearly impossible for agencies to do all the things their IGs might consider as required. None of the agencies had sufficient budgets to do everything, so they did what they could and received Ds and Fs on their report cards because the IGs found that they hadn't done everything.
Far worse than bad grades, however, was the three hundred million dollars wasted in the name of GISRA and then FISMA compliance. That money could have gone a long way toward improving the security of federal systems.
The money was wasted because both Congress and OMB forced agencies (through the annual Congressional Report Card and the President's Management Agenda) to write Certification and Accreditation (C&A) reports on 100% of their systems, using C&A requirements documented by NIST. Every agency had to prepare reports on every system every three years, with annual reviews of those systems every year. That would be a wonderful way to monitor improvements in security if the security actions being reported were the essential ones that actually block attacks and improve response to attacks. But guidance from NIST was far too high level. Most of the NIST-specified security measures are disconnected from the key protections. And because the report writers felt obliged to cover all the NIST controls, the reports became essentially useless. Most were never read by the operational staff who would have to implement key security controls. We know that the reports were never read from complaints received from dozens of people frustrated by the process, but the most telling data comes from a meeting of the Northern Virginia Information System Security Association, the membership group of cyber security managers and consultants. While addressing an audience of 72 security professionals there, I asked them to raise their hands if their job involved drafting C&A reports. Fifty-five raised their hands. Then I asked them to keep their hands up if anyone had ever read their reports besides the people who wrote them. Only four kept their hands up.
In other words,
1. FISMA became a report writing exercise caused by
2. NIST language that focused on "everything" and
3. "a single scorecard/report card" that indicated "compliance" to everything (and nothing) and
4. gave a "false sense" that systems were actually secure -- as demonstrated by the continued infiltrations and exfiltrations.
5. In this case, compliance often had little to do with actual security, but Agencies spent all the money on compliance. Why? Because...
6. Leaders are small. They want to keep their jobs. Congress and OMB (and the press) focused so exclusively on the report cards that CIOs simply spent the money to get Congress and OMB off their backs.
Proof That Tighter FISMA Language Improves Security
One exception demonstrates how to correct the problem. Subsection 3544(b)(2)(D)(iii) of Title 44 tells agencies to establish and implement minimum security configurations for every system. The Air Force demonstrated that following this Congressional rule to the letter enabled it to reduce vulnerabilities significantly, to cut patching time from seven weeks to 3 days and to save tens of millions of dollars. It improved security while reducing costs.
The single most important correction needed in FISMA is to include language that directs NIST to prioritize the actions it tells agencies to take and the frequency for ensuring each action is taken: NIST guidance would provide specific actions and specific time frames for executing those actions. The most critical actions are to be performed quite frequently. For example:
--Actions performed continuously would include such things as stopping malicious packets from entering the network and alerting security teams when any unauthorized system or service is added to the network.
--Actions performed weekly would include things such as ensuring every system is configured in accordance with the agency's standard secure configuration, and
--Actions that could be performed annually would include such things as security awareness testing.
FISMA can be an important part of the successful defense of the computers and networks that run our government. But to do that it needs to direct agencies to spend their security money on the defenses that make a difference in their ability to protect the information they keep. You can make FISMA do that. At the request of your staffers, we have provided draft changes and report language that we think would help make FISMA more effective.
I would be happy to answer your questions.
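The two "continuous" and "weekly" actions named in the statement above (alerting when an unauthorized system or service appears on the network, and verifying that every system matches the agency's standard secure configuration) are the kind of check that can be automated and re-run on a schedule. The following is an added example, not code from the statement, from any agency, or from NIST: it compares a constructed network scan against a constructed authorized inventory, and checks a constructed sshd_config against a hypothetical baseline. The inventory, scan results, baseline values and the host addresses are all assumptions made up for the example.

```python
"""Continuous-monitoring checks of the kind prioritised in the testimony:
(1) flag hosts and listening services that are not in the authorised
inventory, and (2) flag configuration drift from an agency baseline.
All data below is constructed for the example; nothing here comes from
any real agency, inventory or scan."""

from dataclasses import dataclass

# Constructed authorised inventory: host -> approved listening TCP ports.
AUTHORIZED = {
    "10.0.1.10": {22, 443},    # web front end
    "10.0.1.11": {22, 5432},   # database
    "10.0.1.12": {22},         # bastion
}

# Constructed scan result, as an nmap-style sweep would report it.
OBSERVED = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {22, 5432, 3389},   # RDP appeared on the database host
    "10.0.1.20": {22, 8080},         # host not in the inventory at all
}

# Constructed sshd_config taken "from" the database host.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 4
MaxAuthTries 10
Match User backup
    PasswordAuthentication yes
"""

# Hypothetical agency baseline: lower-cased keyword -> required value.
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "maxauthtries": "4",
}


@dataclass
class Finding:
    host: str
    kind: str      # "unauthorized_host" | "unauthorized_service" | "config_drift"
    detail: str


def find_unauthorized(observed, authorized):
    """Compare a scan against the inventory. A host missing from the
    inventory is reported once; a known host is reported once per open
    port that is not on its approved list."""
    findings = []
    for host, ports in sorted(observed.items()):
        if host not in authorized:
            findings.append(Finding(host, "unauthorized_host",
                                    f"open ports {sorted(ports)}"))
            continue
        for port in sorted(ports - authorized[host]):
            findings.append(Finding(host, "unauthorized_service", f"tcp/{port}"))
    return findings


def parse_sshd_config(text):
    """Minimal sshd_config parser for the 'Keyword value' form only (the
    'Keyword=value' form is not handled here). Mirrors sshd's own rules:
    the first value given for a keyword wins, lines starting with '#' and
    blank lines are ignored, keywords are case-insensitive, and settings
    after a 'Match' line are conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_baseline(host, config_text, baseline):
    """Report every baseline keyword that is absent or set differently.
    An absent keyword falls back to sshd's compiled-in default, which is
    not what the baseline specifies, so absence is treated as drift."""
    settings = parse_sshd_config(config_text)
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(Finding(host, "config_drift",
                                    f"{key} not set, baseline requires '{required}'"))
        elif actual.lower() != required:
            findings.append(Finding(host, "config_drift",
                                    f"{key} is '{actual}', baseline requires '{required}'"))
    return findings


def run_checks():
    """One monitoring pass over the constructed data."""
    return (find_unauthorized(OBSERVED, AUTHORIZED)
            + check_baseline("10.0.1.11", SAMPLE_SSHD_CONFIG, SSHD_BASELINE))


if __name__ == "__main__":
    for f in run_checks():
        print(f"{f.host:<10} {f.kind:<21} {f.detail}")
```

Run as a script, it reports the unapproved RDP listener on the database host, the unknown host 10.0.1.20, and the PermitRootLogin drift; the duplicate MaxAuthTries line is correctly ignored because sshd honours the first value, and the PasswordAuthentication override inside the Match block is not mistaken for the global setting. In practice the inventory and baseline would be pulled from the agency's asset and configuration management systems and the scan from a scheduled sweep, with the findings routed to the security team rather than printed.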
Friday, February 15, 2008 at 18:02 Statement of Mr. Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office
Committee on House Oversight and Government Reform Subcommittee on Information Policy, Census, and National Archives Subcommittee on Government Management and Information Policy
February 14, 2008
Mr. Chairmen and Members of the Subcommittees:
Thank you for the opportunity to participate in today's hearing to discuss information security over federal systems. Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. It is especially important for government agencies, where the public's trust is essential. The need for a vigilant approach to information security is demonstrated by the dramatic increase in reports of security incidents, the wide availability of hacking tools, and steady advances in the sophistication and effectiveness of attack technology. Over the past few years, federal agencies have reported numerous security incidents in which sensitive information has been lost or stolen, including personally identifiable information, which has exposed millions of Americans to a loss of privacy, identity theft, and other financial crimes. Concerned by reports of significant weaknesses in federal computer systems, Congress passed the Federal Information Security Management Act (FISMA) of 2002, which permanently authorized and strengthened information security program, evaluation, and annual reporting requirements for federal agencies. However, five years after FISMA was enacted, we continue to report that poor information security is a widespread problem with potentially devastating consequences. Since 1997, we have identified information security as a governmentwide high-risk issue in each of our biennial reports to the Congress.
In my testimony today, I will summarize (1) agencies' reported progress in performing key control activities, (2) the effectiveness of information security at federal agencies, including security incidents reported at federal agencies, and (3) opportunities to improve federal information security. In preparing for this testimony, we reviewed prior GAO and agency Inspector General (IG) reports on information security at federal agencies. We also examined fiscal year 2007 governmentwide information security performance information presented in the President's proposed fiscal year 2009 budget for information technology, and information about federal security initiatives; analyzed performance and accountability reports for 24 major federal agencies; and reviewed the Office of Management and Budget's (OMB) FISMA and information technology (IT) security guidance, and information on reported security incidents. We conducted our work, in support of this testimony, during February 2008 in the Washington, D.C. area. The work on which this testimony is based was performed in accordance with generally accepted government auditing standards.
Results in Brief
Over the past several years, agencies have consistently reported progress in performing certain information security control activities. According to the President's proposed fiscal year 2009 budget for information technology, the federal government continued to improve information security performance in fiscal year 2007 relative to key performance metrics established by OMB. The percentage of certified and accredited systems governmentwide reportedly increased from 88 percent to 92 percent. Gains were also reported in testing of security controls - from 88 percent of systems to 95 percent of systems - and for contingency plan testing - from 77 percent to 86 percent. These gains continue a historical trend that we reported on last year. At that time, agency IGs identified weaknesses in the processes several agencies use to implement these and other security program activities.
Despite the reported progress, federal agencies continue to confront long-standing information security control deficiencies. Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. In addition, agencies did not always effectively manage the configuration of network devices to prevent unauthorized access and ensure system integrity, install patches on key servers and workstations in a timely manner, assign duties to different individuals or groups so that one individual did not control all aspects of a process or transaction, and maintain complete continuity of operations plans for key information systems. An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs. As a result, federal systems and information are at increased risk of unauthorized access to and disclosure, modification, or destruction of sensitive information, as well as inadvertent or deliberate disruption of system operations and services. Such risks are illustrated, in part, by the increasing number of security incidents experienced by federal agencies.
Nevertheless, there are opportunities for federal agencies to bolster information security. Federal agencies could implement the hundreds of recommendations made by GAO and IGs to resolve prior significant control deficiencies and information security program shortfalls. In addition, OMB and other federal agencies have initiated several governmentwide initiatives that are intended to improve security over federal systems and information. For example, OMB has established an information system security line of business to share common processes and functions for managing information systems security and directed agencies to adopt the security configurations developed by the National Institute of Standards and Technology and Departments of Defense and Homeland Security for certain Windows operating systems. Opportunities also exist to enhance policies and practices related to security control testing and evaluation, FISMA reporting, and the independent annual evaluations of agency information security programs required by FISMA.
Background
Virtually all federal operations are supported by automated systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets. Therefore, it is important for agencies to safeguard their systems against risks such as loss or theft of resources (such as federal payments and collections), modification or destruction of data, and unauthorized uses of computer resources or to launch attacks on other computer systems. Sensitive information, such as taxpayer data, Social Security records, medical records, and proprietary business information could be inappropriately disclosed, browsed, or copied for improper or criminal purposes. Critical operations could be disrupted, such as those supporting national defense and emergency services, or agencies' missions could be undermined by embarrassing incidents, resulting in diminished confidence in their ability to conduct operations and fulfill their responsibilities.
Critical Systems Face Multiple Cyber Threats
Cyber threats to federal systems and critical infrastructures can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources. Unintentional threats can be caused by software upgrades or maintenance procedures that inadvertently disrupt systems. Intentional threats include both targeted and nontargeted attacks. A targeted attack is when a group or individual specifically attacks a critical infrastructure system. A nontargeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target. The Federal Bureau of Investigation has identified multiple sources of threats to our nation's critical information systems, including foreign nation states engaged in information warfare, domestic criminals, hackers, virus writers, and disgruntled employees working within an organization. Table 1 summarizes those groups or individuals that are considered to be key sources of cyber threats to our nation's information systems and infrastructures.
There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack. According to the Director of National Intelligence, "Our information infrastructure, including the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries, increasingly is being targeted for exploitation and potentially for disruption or destruction, by a growing array of state and non-state adversaries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year."
Increased Vulnerabilities Could Expose Federal Systems to Attack
As federal information systems increase their connectivity with other networks and the Internet and as the system capabilities continue to increase, federal systems will become increasingly more vulnerable. Data from the National Vulnerability Database, the U.S. government repository of standards-based vulnerability management data, showed that, as of February 6, 2008, there were about 29,000 security vulnerabilities or software defects that can be directly used by a hacker to gain access to a system or network. On average, close to 17 new vulnerabilities are added each day. Furthermore, the database revealed that more than 13,000 products contained security vulnerabilities. These vulnerabilities become particularly significant when considering the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks. Thus, protecting federal computer systems and the systems that support critical infrastructures has never been more important.
Federal Law and Policy Established Federal Information Security Requirements
Over five years have passed since Congress enacted FISMA, which sets forth a comprehensive framework for ensuring the effectiveness of security controls over information resources that support federal operations and assets. FISMA's framework creates a cycle of risk management activities necessary for an effective security program, and these activities are similar to the principles noted in our study of the risk management activities of leading private sector organizations: assessing risk, establishing a central management focal point, implementing appropriate policies and procedures, promoting awareness, and monitoring and evaluating policy and control effectiveness. More specifically, FISMA requires the head of each agency to provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems used or operated by the agency or on behalf of the agency. In this regard, FISMA requires that agencies implement information security programs that, among other things, include
--periodic assessments of the risk;
--risk-based policies and procedures;
--subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate;
--security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency;
--periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with a frequency depending on risk