Archive for March, 2009

Letter to Yvette Clarke

Friday, March 13th, 2009

March 10, 2009

The Honorable Yvette D. Clarke
Chair
Subcommittee on Emerging Threats, Cybersecurity, Science and Technology,
    Committee on Homeland Security
United States House of Representatives
1029 Longworth House Office Building
Washington, DC 20515-3211

Dear Chairwoman Clarke,

On behalf of the Cyber Secure Institute, I write to offer you the Institute’s unqualified support for your position that new standards and incentives are vital to making our nation cyber secure. To this end, we respectfully ask you to introduce legislation that would provide baseline, performance- and evidence-based, objective standards for cybersecurity for both government and private sector critical infrastructure information technology (IT) systems.

The Cyber Secure Institute

The Cyber Secure Institute is an analysis and advocacy group dedicated to serving as the voice for effective cyber security. We were founded because our nation’s critical networks are inherently vulnerable. Our singular purpose is to help drive the development and deployment of next generation, inherently secure IT systems. Our name says a lot about our goal. We view “cyber secure” as an end-state goal, the state of being secure in the digital world; in contrast we see cybersecurity as the current reactive process of seeking to patch known flaws in inherently insecure IT systems.

Background

As you are well aware, our nation’s critical IT systems remain unacceptably at risk. Recent examples show that virtually no systems are adequately secure:

A 2008 Center for Strategic and International Studies (CSIS) report revealed that the Departments of State, Defense, Homeland Security, and Commerce have all been compromised by attacks from foreign entities.
The networks at the Pentagon alone are probed thousands of times each day.
Last November, Chinese hackers penetrated the White House network multiple times, and were able to acquire emails between government officials.
Our critical infrastructure is also at risk:

In December 2006, TJX Co., which operates Marshalls, TJ Maxx and other retail companies, discovered a serious, long-running intrusion into its computer networks. Hackers had breached the company’s networks, putting at risk over 45 million credit and debit card numbers.
On January 20th, Inauguration Day, Heartland Payment Systems Inc., a credit card processing company, announced that it had experienced a large data breach. While Heartland did not reveal how many records have been breached, industry experts have estimated that up to 100 million credit card numbers could have been compromised, making it potentially the largest known data breach in history.
In 2007 the Department of Homeland Security released previously classified video of the “Aurora” generator test, showing that a cyber attack could physically destroy an industrial electrical power generator.
Each year cyber attacks cost the U.S. economy $2.6 billion.
In our view this is a direct and predictable result of the last administration’s laissez-faire approach to cybersecurity.

The most revealing evidence for this can be found in a recent communication to the newly appointed Secretary of Homeland Security, the Honorable Janet Napolitano, from the leadership of the National Cybersecurity Center (NCSC). Denied resources and devoid of real authorities, the NCSC’s leadership described its major accomplishments as including: the completion of a CONOP and implementation plan; development of a working group; development of an economic model for cybersecurity; introducing concepts of game theory; creating a vision for a new National Cyber Center; contributing to the national thinking on this issue; and presenting to 10,000 people at 40 events.

What is startling is that there is not a single mention of a significant improvement in the actual cybersecurity of the nation. That is because the gains in cybersecurity to date have been marginal at best. At a time when we require bold action, we instead find ourselves caught up in a Sisyphean struggle – the endless cycle of hack and patch trying to fix legacy systems that are, at best, inherently insecure.

This must change, and, as you rightly noted, change will not come on its own, unprompted. To be blunt, we have tried the laissez-faire approach to cyber security and it has gotten us only so far; it is now time to drive technological progress.

In order for our nation to become “Cyber Secure,” the Congress and the Executive will need to drive change. We share your view that a combination of regulation and incentives is needed to overcome the inertia of the status quo.

It is the Institute’s view that to be effective such legislation needs to be based upon objective, performance- and evidence-based standards. The beginnings of and necessary technological capacities for such a framework are already in place within the certification program carried out by the National Information Assurance Partnership (NIAP), a joint program of the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST).

THE NSA-NIAP CERTIFICATION SYSTEM

The federal government, through NSA-NIAP, issues security certifications for the IT technologies used across our economy and digital lives. NSA-NIAP operates the Common Criteria Evaluation and Validation Scheme (CCEVS), the U.S. implementation of the international Common Criteria standard (ISO/IEC 15408). Technologies are measured against protection profiles, standardized statements of the security requirements for a class of product, and certificates issued under the scheme are recognized by the other signatory nations under the Common Criteria Recognition Arrangement (mutual recognition extends only through EAL4; higher-assurance certificates are national). Evaluations are performed by independent, accredited testing laboratories and then validated by NIAP. At the higher assurance levels the evaluation includes extensive penetration testing, with source code and design documentation used as guides to find the most potentially vulnerable areas of the system.

The NSA-NIAP/CCEVS system is the only government-recognized, objective certification system in existence that evaluates the security of IT products as a whole (the companion NIST FIPS 140-2 program validates cryptographic modules only).

However, the system is not mandatory and is under-utilized—its potential benefits are squandered. There are no baseline cybersecurity standards—neither NIAP/CCEVS nor any other standards—for federal civilian agencies (e.g., the Department of State, the Department of Energy, the Department of Health and Human Services), nonfederal government agencies (e.g., State level counter-terrorism offices, State-level Departments of Health, Emergency Management, Public Safety, Homeland Security), or the private sector. The Department of Defense (DoD) mandates the use of NIAP/CCEVS evaluated technologies on all DoD networks. However, even within DoD, there are no baseline or minimum NIAP/CCEVS standards.

As a result, many of the IT systems widely in use today have never been independently evaluated against their marketing claims, let alone against objective, evidence- and performance-based measures. Companies are free to make all sorts of security claims—ranging from mere puffery to clearly deceptive advertising. Even the most sophisticated buyers have little way to actually evaluate every such claim in the marketplace in advance of a purchasing decision.

Further, virtually all widely deployed, currently certified technologies are certified against “basic robustness” protection profiles, which assume an environment in which the threat consists of inadvertent or casual, non-hostile attempts to breach security. In other words, even the certified systems are, in effect, certified in the negative: the profiles they meet make no claim of defeating the sorts of sophisticated hostile attacks that our nation faces every day.

Moreover, these certified systems are certified only at low assurance levels against the most minimal protection profiles. The Common Criteria separate what a product claims to do (its protection profile or security target) from how rigorously that claim has been evaluated; the latter is graded by Evaluation Assurance Levels, which range from EAL1 (functionally tested) to EAL7 (formally verified design and tested). An EAL therefore expresses confidence that a product meets its stated security claims, not the strength of those claims. Most systems we rely on today have been certified only up to EAL4+. This includes virtually all the systems across both the federal government (e.g., the White House, the Congress, the Department of Defense) and our most critical infrastructure (e.g., nuclear plants, power grids, water systems, healthcare systems, banking and finance systems).

The reliance on low-assurance certifications is also particularly troubling because at such levels the penetration testing the evaluator must perform is limited. At EAL4 the vulnerability analysis component (AVA_VAN.3) requires the evaluator to search only for vulnerabilities exploitable by an attacker of “enhanced-basic” attack potential; resistance to an adversary of “high” attack potential is required only at EAL6 and EAL7 (AVA_VAN.5).

Putting all this in context, virtually all our vital systems today are certified to only a modest level of confidence (4 out of 7) that they can withstand only non-hostile, inadvertent attacks.

Unfortunately, the cyber-adversaries we face today are anything but inadvertent or non-hostile. Our nation is under constant cyber-attack by domestic and foreign adversaries, ranging from elite hacking units of the Chinese Army to the Russian Mafia to al Qaeda to cybercriminals. Our nation’s critical networks will continue to remain at risk if steps are not taken to secure them.

New technologies are available that meet the most secure protection profiles (“high robustness”) at EAL6 and EAL7 certification confidence levels. These inherently secure technologies offer the nation the ability to significantly reduce our cyber vulnerabilities.

Request for Legislation

To this end, we would respectfully ask that in your leadership role as the Chair of the Emerging Threats, Cybersecurity, Science and Technology Subcommittee, you consider advancing legislation that would put in place baseline cybersecurity performance standards to drive the adoption of inherently secure technologies.

Such legislation could and should be:

Based on the NSA-NIAP certification program, which offers an objective technology and performance-based evaluation process.
Mandatory for both government and private sector critical infrastructure IT systems.
Phased-in but within an expedited timeframe that recognizes the serious present-day threats to our nation.
Action forcing, driving the adoption of next generation technologies.
Comprehensive and strong, including, for example, oversight provisions to ensure such standards, once promulgated, are actually implemented.
Accompanied by both transition and technical assistance.
The Institute recommends that rather than re-inventing the proverbial wheel, any such cyber baseline legislation should task NSA-NIAP to work, in conjunction with the Department of Homeland Security and other relevant federal agencies, to develop such standards.

We further recommend that the legislation also take steps to address ways to improve the current NSA-NIAP certification program, including:

Provide grant monies for small businesses with promising technologies to offset the costs of certification.
Put in place a mentor-protégé program to assist small businesses going through the certification program for the first time.
Reduce the certification (or more accurately re-certification) requirements for simple updates to an already certified technology—an improvement the NSA is already working towards.
Increase the program’s funding and capacities to enable it to meet the new demand such standards will create for certifications, reduce the overall time required for certification decisions to be made, and enhance consistency of the testing processes.
Provide incentives to the providers of highest-level certified IT technologies and, in turn, to the companies that rely on such technologies for their IT systems; these might range from caps on liability (akin to those under the SAFETY Act) to preferential tax treatment.
Create an outreach program to assist the private sector in understanding the importance of the certification regime and how it can help their individual enterprises.
We also share your view that such a regulatory program should be accompanied by targeted incentives to help the private sector offset the costs of deploying new, inherently secure technologies. We would stress that any such incentives must be tailored to meet the goal of driving technological change and a new cyber secure end state. They should not be available to offset just any new IT security spending—helping companies deploy more patches will not change our nation’s level of security. Rather, such incentives should be available solely for the deployment of high-level certified, inherently secure technologies.

The benefits of this approach are substantial. Most importantly, baseline evidence- and performance-based requirements will ensure a high degree of security for all the nation’s critical IT systems.

Such an approach will also increase next generation R&D and innovation. To the extent that standards and incentives are put in place to drive government and industry to adopt certified, inherently secure technologies, more IT providers will endeavor to develop new, better technologies that can meet these standards—rather than working on the next patch or modestly better firewall. Over the mid-term this approach will provide the government and private sector more and better options for real cybersecurity.

Additionally, this framework will encourage IT providers to submit their technologies for testing and certification. Outside expert testing will help improve the quality of products introduced to the marketplace. Such testing will help weed inferior and insecure products out before they can be marketed, widely adopted and their flaws seized upon by criminals, terrorists, and our nation’s adversaries. Certified products will carry independently verified evidence of their security in place of unverified claims.

Increased testing and certification will also greatly reduce the “cyber snake-oil factor” that undermines the effective functioning of the cybersecurity market. Objective measures of security performance will provide the government and the private sector the ability to cut through the current morass of deliberately confusing, and often over-hyped marketing claims. A robust certification system that replaces claims with performance standards will allow the individuals charged with protecting vital systems the ability to identify and buy certified, best-in-class systems.

The overall effect of such an approach will be to empower America for a new era of innovation. The Institute recently opined that the greatest impediment to American innovation—our nation’s core comparative advantage—and economic progress is IT insecurity. The promise of next generation technologies to improve our lives and increase efficiency and productivity is immense. We stand on the verge of genetic cures for diseases, the ability to predict and prevent illnesses, smart power grids, and machines that can react to our thoughts and needs through brain interfaces—the list is long. However, the adoption of such technologies is seriously undermined by inherent technological insecurities. People will not trust their personal data—let alone their very lives—to IT systems that they cannot fully trust. Nor can we trust a smart grid to power our nation if that grid can be hacked and shut down by our enemies. Driving security will empower innovation and foster progress.

#            #            #

Chairwoman Clarke, we welcome your leadership of this vital Subcommittee, and we are excited at the prospect of working with you to make our nation truly cyber secure.

We would welcome the opportunity to meet with you to discuss these issues. Please feel free to have your staff contact me at (202) 289-3666 or via email at rhousman@cybersecureinstitute.org.

Sincerely,

Rob Housman
Executive Director

Insecurity is Destroying Innovation

Thursday, March 5th, 2009

Imagine a day when you no longer need to carry money with you—everything you need to buy groceries, make investments, pay your gas bill, apply for a mortgage, move money around the world, put cash into your child’s college account, all of it is contained on a microchip embedded in your next generation communications device.

Imagine a day when all your vital information is on the same device and instantly at the finger tips of the emergency room doctor in whose hands your life hangs in the balance after a bad car accident—your blood type, your prior bad experiences with anesthesia, your allergies, your cardiac history, and even your living will.

Imagine a day when that same device can suggest a new restaurant based on your prior history (determined by your past searches and purchases, or even by the shows you watch, the movies you rent and the books you read) and that of your friends (as determined by your most frequent contacts from the same device’s memory), which is located just a block from your current location (as pinpointed by an embedded GPS chip).

Imagine a day when you come up with a new proprietary supply chain innovation for your company while walking down a street in Beijing, you go online, research the innovation, ping your company’s logistics team about how it might be implemented, receive IM responses immediately, exchange data and diagrams to begin the innovation process, and make arrangements for an in process design review via a web conference (which you will participate in via your device) for later that day.

Imagine a day when you drive your car with your thoughts down a smart road that prevents your car from crashing into the car in front of you, or driving off the road, and which sets the optimal speed based on road conditions, energy efficiencies, and whether you are late for a doctor’s appointment or just taking a leisurely drive on a Sunday afternoon.

All of these things are here now or will soon be technologically within the realm of the possible. However, the two greatest obstacles to these and other advances are security and privacy (which is really another manifestation of security concerns).

In January the public learned of a data breach at Heartland Payment Systems that experts say has compromised tens of millions of credit and debit transactions.  Heartland processes roughly 100 million transactions a month for more than 250,000 companies.  Some are saying this is the largest breach ever.  The breach was caused by malicious software inserted into the payment processing network.  To make this breach truly troubling, the company has no clue how the software got onto its system or who put it there.  Also, Heartland not only has no idea which transactions were compromised, it can’t even tell whose accounts were breached and whose information was stolen.  As a result, basically any American could find that their accounts have been defrauded in the future.  And, just to increase the distrust factor, even though the breach occurred last year, Heartland elected to inform the public on Inauguration Day, a strategy guaranteed to draw as little attention to the information as possible.

A recent study by the world’s largest market research firm, Research and Markets, determined that, “Security concerns are the single biggest factor inhibiting consumer acceptance of mobile banking.”  Seventy-three percent of respondents feared that a hacker would be able to remotely access their accounts through a mobile-device system.  Similarly, 47 percent said that they did not sign up for available mobile banking services specifically because of security concerns.  The study surveyed a representative and random sample of 2,350 U.S. households.

The New York Times online closed out 2008 by reporting that an international team of researchers was able to use “a cluster of several hundred Sony PlayStation 3 video-game machines to exploit a basic weakness in the software system used to protect commercial transactions made via the Internet . . . The flaw would make it possible for a criminal to redirect a Web surfer to a fake bank or online merchant without being detected by the security mechanism embedded in today’s Web browsers.”  This security flaw exists only because a few of the certificate authorities that issue the digital certificates securing Internet transactions continued to sign those certificates with the MD5 hash function, despite repeated warnings about its weaknesses (practical MD5 collisions have been public since 2004).  The researchers exploited exactly that: they computed a chosen-prefix MD5 collision so that a legitimate certificate purchased from an MD5-signing authority shared its hash, and therefore its valid signature, with a rogue intermediate certificate-authority certificate they had crafted, which could then issue certificates for any web site that browsers trusting the real authority would accept.  This vulnerability—or more precisely the inability of the entities that are supposed to make online transactions secure to secure their own operations—calls into question the integrity of ecommerce, especially for anything beyond consumer goods.
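The practical check that follows from the MD5 rogue-CA result is to look at the signatureAlgorithm field of every certificate in a chain and flag the ones signed with a collision-prone hash. The code below is an added example, not code from the original post or from the researchers; it reads that field directly out of DER-encoded X.509 with the standard library only, and the “certificates” it audits are constructed stand-ins with the outer shape of a real certificate (hypothetical names, dummy signature bytes), built by the synthetic_cert helper so the example runs offline. The chain is assumed to be a list of (name, DER bytes, is-trust-anchor) tuples; that shape is this example’s own convention.

```python
"""Flag X.509 certificates signed with a collision-prone hash by reading the
signatureAlgorithm OID straight out of their DER encoding (standard library only).

Added example for this page. The certificates audited below are constructed
stand-ins produced by synthetic_cert(), not real certificate-authority output.
"""

# Signature algorithm identifiers from RFC 3279 / RFC 4055.
MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

# Hashes with public collision attacks (MD5 since 2004, SHA-1 since 2017).
COLLISION_PRONE = {MD5_RSA: "md5WithRSAEncryption", SHA1_RSA: "sha1WithRSAEncryption"}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits, continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))  # most significant group first
    return der_tlv(0x06, bytes(body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: next (length & 0x7F) bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Inverse of der_oid for the content octets of an OBJECT IDENTIFIER."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # continuation bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """OID of the algorithm the issuer used to sign this certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    so the field wanted is the second element of the outer SEQUENCE.
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)              # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)


def audit_chain(chain):
    """Return [(name, algorithm)] for every non-anchor cert signed with a collision-prone hash.

    Relying parties never verify a trust anchor's self-signature, so roots are skipped:
    only signatures an issuer placed on intermediates and leaves can be forged this way.
    """
    findings = []
    for name, der, is_trust_anchor in chain:
        if is_trust_anchor:
            continue
        oid = signature_algorithm(der)
        if oid in COLLISION_PRONE:
            findings.append((name, COLLISION_PRONE[oid]))
    return findings


def synthetic_cert(sig_oid: str) -> bytes:
    """Constructed stand-in with the outer shape of a certificate (not a real cert)."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))            # placeholder tbsCertificate
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")    # AlgorithmIdentifier with NULL params
    sig = der_tlv(0x03, b"\x00" + bytes(16))               # BIT STRING, 0 unused bits, dummy bytes
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Hypothetical chain: a modern leaf under an intermediate still signed with MD5.
    chain = [("www.example.com", synthetic_cert(SHA256_RSA), False),
             ("Example Intermediate CA", synthetic_cert(MD5_RSA), False),
             ("Example Root CA", synthetic_cert(MD5_RSA), True)]
    for name, alg in audit_chain(chain):
        print(f"WEAK: {name} is signed with {alg}")
```

Two caveats for real use. RFC 5280 also carries a copy of the algorithm inside tbsCertificate (the signature field) and requires it to match the outer signatureAlgorithm; a full audit compares both, since a mismatch is itself a red flag. And the attack above forges the issuer’s signature, so what matters is the hash each issuer used on the certificates below it, which is why the root’s own self-signature is ignored here.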

A November 2008 study of mobile device (e.g., laptop and PDA) use by over 1,000 healthcare professionals found that 93 percent of the devices were at risk.  The study found that 49 percent of the healthcare professionals surveyed downloaded sensitive patient data onto their devices.  It further found that over 71 percent of respondents protected their devices and the sensitive data on them with just a single password.  Additionally, at least 13 percent of these healthcare professionals had lost one or more devices containing such sensitive information.  No wonder that numerous studies find upwards of 70-80 percent of Americans are concerned about the security of their electronic medical records and their personal privacy.  A 2008 Institute of Medicine study found that almost 60 percent of Americans believe that personal medical information is not adequately protected by federal and state laws or organizational practices, despite new safeguards under the Health Insurance Portability and Accountability Act.

If people don’t trust the security of digital information the enormous gains that the digital revolution can bring will never be realized.  Smart devices have little value if smart people won’t use them.  Markets won’t move beyond online videos and books if ecommerce increasingly becomes “eswindled.”

Insecurity is the greatest impediment to innovation.

And this hurts America most of all. The United States simply cannot win an economic race based almost exclusively on lower costs of production.  We cannot compete on that footing against other nations where wages and benefits are vastly lower, standards of living for the majority of the people are abysmal, and health care is the ultimate luxury good of the elites. Other nations are uniquely able to re-engineer and make at a lower cost the things that Americans and others around the world need.  If we run that race to the bottom we lose, whether we win, lose or draw.

America’s competitive advantage has always been, and should always remain, our ability to innovate.  It was Henry Ford, an American, who pioneered mass production on the moving assembly line and brought the automobile to the masses.  The Wright brothers, of Dayton, Ohio, flew the first airplane at Kitty Hawk, North Carolina.  American innovation gave rise to skyscrapers and with them the modern city.  America has brought the world four successive generations of the information age, first with the telephone, then the television, then the computer, and then the Internet (whether you agree Al Gore invented it or not).

To be successful America needs to constantly push the limits of innovation and efficiencies.  We need to be out in front of the learning curve.  We need to be highly entrepreneurial and technologically driven just to remain competitive, let alone regain some of our lead.

But American innovation can’t take consumers and companies to the next level if they don’t want to go there because they fear the security of their data, money, and personal privacy.  The innovation highway is littered with the wreckage of countless companies with amazing product ideas that have gone too far beyond the limits of consumer confidence.

However, the corporate sector is slow to see this dynamic.  Most companies are loath to invest more on cybersecurity, especially during these tough times.  Instead corporate “leaders” are quick to take shelter behind a series of rationalizations: we are secure enough (but not secure), we are as secure as our competition (which isn’t very secure either), we haven’t suffered a major cyber-attack loss (yet).

To those who preach innovation this inability to respond to looming trends looks a lot like Detroit in the late 1960s and 1970s, and again in the last few years.  Only this time the problem doesn’t threaten a single industry and its dependents; this time the threat is to the prospects for renewed American economic strength.

So, if our future is dependent upon capturing the promise of the digital revolution, and if that future is being compromised by the insecurity of our information systems, it would seem logical that we should do all we can to fix that problem so that we can succeed.

There are innumerable ways that we can seek to address this situation.

We can work to educate and cajole the private sector to understand the problem and hope that these leaders will come around and do the right thing.  This is a worthwhile effort, albeit one that may take some time.  We can also use carrots and sticks to speed this process.

Another thing we can do is to invest in the integrity of our digital infrastructure as a nation.  For years we have ignored our crumbling physical infrastructure.  Now, faced with the current financial crisis, experts and the Obama administration are calling for a massive stimulus package, with much of the money to be spent on infrastructure.  The idea is infrastructure spending will not only stimulate the economy, but also improve America’s ability to compete.  This is inherently smart thinking.

However, America’s infrastructure today is as much digital as it is physical—as much bit and byte as it is brick and mortar.  And the future of America’s economy requires that both our physical and our digital infrastructures be world class.  Thankfully this is not lost on the new President, who has pledged to use the stimulus package to boost America’s digital economy.  The President has called for major investments in broadband deployment and increasing the use of technology in education and healthcare.

However, while increasing access and reach are important, access alone won’t fix our problem.  Far too many Americans who already have access to these technologies are not using them because these systems are insecure.  Innovations that could create new efficiencies and economic growth are being passed over because of security concerns.

To fix the problem we need to not just expand our information superhighways, but also make them safer, more secure and more reliable.  To achieve this a portion of those digital stimulus dollars should be spent on making our digital infrastructure inherently secure.

Even a small percentage of the stimulus package could have a significant impact if invested wisely on private sector digital critical infrastructure security.  If the total economic stimulus package reaches $1 trillion, as some suggest it will, a mere one percent devoted to cybersecurity would amount to $10 billion.  If that money was used in the form of grants requiring a 50 percent match, then the overall impact would be $20 billion in new cybersecurity spending.

There is a clear parallel with what is planned for and needed with respect to physical infrastructure.  Overwhelmingly, the problem with our physical infrastructure isn’t that we lack bridges and roads—the problem is that too much of this infrastructure is unsafe and/or unreliable.

You can’t trust an unsafe bridge with your life, nor can you trust your life to an unsafe digital superhighway.  Let’s fix both.