Testimony of Dr. Fred Cohen
Sandia National Laboratories
before the
Joint Economic Committee
of the U.S. Congress
February 23, 2000
"Cyber Threats and the U.S. Economy"

Sandia National Laboratories is a National Security Laboratory
owned and operated for the U.S. Department of Energy by the Lockheed Martin Corporation


My name is Fred Cohen and I am a Principal Member of Technical Staff at Sandia National Laboratories.

Before I begin to address the subject at hand, I want to briefly introduce myself and my background so that you will have the context required to evaluate what I have to say.

My Background:

I am 43 years old and I began working with computers before I was 10. I received a B.S. in Electrical Engineering from Carnegie-Mellon University in 1977, an M.S. in Information Science from the University of Pittsburgh in 1981, and a Ph.D. in Electrical and Computer Engineering from the University of Southern California in 1986, with a thesis titled "Computer Viruses".

In 1983, I coined the term "Computer Virus". I was the first to define the term and do serious research on the subject, and I first devised and demonstrated the initial versions of most of the defenses now in use against computer viruses. All told, more than half of all the computers in the world use the techniques that I first demonstrated.

Since that time, I have published more than 150 journal articles and other papers in the information protection area, I have written several popular books on the subject, and I have continued to do research, education, and consulting in all aspects of information protection. Some of my work is particularly relevant to today's subject, and I will discuss it briefly, but this is by no means an exhaustive recounting of my activities.

Over the years, in a consulting and instructor role, I have worked with many of the largest companies and Federal Agencies on issues related to information protection. In 1993, I was the principal investigator for a study for the Defense Information Systems Agency (DISA) titled "Planning Considerations for Defensive Information Warfare - Information Assurance" which first defined the term "Information Assurance" as it is currently used in the United States Government. From this study followed my book "Protection and Security on the Information Superhighway". Many paragraphs and portions of these have been used in Defense Science Board studies, the President's Commission on Critical Infrastructure Protection final report, and numerous other studies and reports.

In 1996, I ran the all.net Internet site against which the first two documented Internet-based Distributed Coordinated Attacks (DCAs) took place. At that time I wrote a paper on the subject and defined that term. I tracked down the attackers in both of these cases within six hours with essentially no resources other than my wits and computer skills. I did it with the kind assistance of systems administrators from other nations that I have never met. The all.net site, which I still own, has been attacked many times over the years, generally without substantial effect. As in the first attacks, law enforcement, the Federal Bureau of Investigation (FBI), and the courts have been unable or unwilling to do anything to the perpetrators, and I believe that this is a substantial part of the reason we continue to see these attacks today.

Later in 1996, I joined Sandia National Laboratories where I do research, education, and studies in the area of information protection. I am also allowed to continue doing select consulting where no conflict of interest arises and it does not interfere with my normal duties. I have also trained Cybercops for the Federal Law Enforcement Training Center, the SEARCH group, and other organizations, and teach classes over the Internet on information protection and digital forensics through the University of New Haven. Today, I work with about 15 students at Sandia National Laboratories in the College Cyber Defenders program and 10 graduate students at the University of New Haven in digital forensic investigation.

Just to complete the picture, I have done a wide variety of things in my career, including working with multinational firms on threat and vulnerability assessment, working on protection assessments for military and civilian systems, and doing assessments for major telecommunications providers, elements of the US power grid, a national laboratory, microelectronics manufacturers, financial institutions, and many other organizations. Specifics are not available for reasons of contractual confidentiality. I have trained specialists in how to attack and defend information systems, including so-called "Red Teams", and corporate, government, and military groups. I have been a professor, the president of a 250 person company, and a consultant.

Threats in Cyber Space:

Now, on to the subject at hand. I have been asked to testify about threats to information systems. In order to do so, I must first explain what threats are in the language of my profession. As in most of the things I will say here today, other experts may hold slightly different views, and this does not make either their views or mine invalid. It just reflects the lack of standards and common usage in the information protection profession.

Risk results from the combination of threats, vulnerabilities, and consequences. Without consequences, threats are of no import, and without vulnerabilities, threats can do no harm. Risk is managed by a combination of mitigation strategies and risk-taking.

To me, risks ultimately have to do with harming people. If no human being is harmed, I am not interested. I don't care if a computer gets blown up unless there is a negative impact on a person. In some cases I would blow up a computer to prevent harm to a person. That's why my field is called information protection.

In information protection, we deal with keeping people from being harmed (protection) from symbolic representations in the most general sense (information). We most commonly deal with issues of integrity, availability, and confidentiality - also called privacy. The goal of our efforts is generally to achieve an appropriate level of assurance associated with these three things.

In financial systems, integrity is generally the most important factor, followed by availability. This is because it is better to be out of service than to start transferring billions of dollars around incorrectly. On the other hand, there are also times when availability is extremely important. For example, in the daily clearance of funds with the Federal Reserve Bank, a failure to clear funds can result in hundreds of millions of dollars of loss.

In the recent high-profile denial of service attacks over the Internet, availability was impacted, not integrity, and not confidentiality. People who are not familiar with this subject area commonly misunderstand this difference and confuse privacy for almost everything else. These attacks did not cause the release of any private information. These attacks also did not cause any personal records to become corrupted. These attacks did not have an effect on clearing transfers with the Federal Reserve Bank, in part because these operations are not done over the Internet, or at least they weren't the last time I looked at this issue. All they did was cause a disruption in service for people accessing sites over the Internet. The same consequences commonly occur when Internet routers fail, during storms that cause power failures, and in similar events.

Threats - the subject at hand - are actors, including individuals, groups, organizations, and for convenience we also include nature. Threats are not magical and thus they have their limits. For example, threats are limited by expertise, time, funding, capabilities, and knowledge of situational specifics. In the case of nature, the threat is commonly analyzed by statistical means, but human threats are normally far harder to analyze in this way because people act with malice and intelligence and adapt to defenses.

I have heard and read about some people who have made assertions about theoretical capabilities such as the ability of a few "hackers" - and I use the term specifically - to take down and hold down the U.S. power grid in 15 minutes. This is simply not true, for two specific reasons. The first reason is that the people that we call "hackers" do not harm people through their use of computer systems. If people do harm to others, then they are not "hackers". They are a different sort of threat - most commonly criminals of one sort or another. The second reason is that no small number of individuals with only 15 minutes to prepare and act has any realistic chance of having this sort of effect.

Today, through the process of deregulation and its associated requirement that all elements of the US power grid be connected in real-time to the World Wide Web to allow efficient buying and selling of power through brokers, elements of the power grid are far more susceptible to over-the-Internet attack by relatively low quality threats than they were before deregulation or need remain today. This is similar to the effect of deregulation on the telephone business wherein the major telecommunications companies were forced to make the backbone of their networks controllable by anybody who wanted to start up a telephone services business. As in the case of the power grid and the Internet, these infrastructures were not designed for high assurance in the presence of untrusted insiders. Any national wounds that result from this particular aspect of the deregulation process are self-inflicted, because the same results could have been attained without the need to expose these critical infrastructures to these vulnerabilities.

At the other end of the threat spectrum from threats like "hackers" and "crackers" are threats like military organizations and nation states. If we used the Russian military as an example of a threat, and somebody asserted that this threat had the capability to bring down and hold down large elements of the U.S. power grid with a planning time on the order of a few months, this would be a far more credible assertion than the "hacker" scenario presented above. The reason this is more credible is that the Russian army has sufficient intelligence, weaponry, personnel, finance, and other capabilities required to do such a job. Other groups and nation states have similar capabilities, and I do not mean to single out the Russians, but hackers and most other threats do not have these capabilities. If one of the threats capable of launching such an attack did so, it might be relatively obvious that some of their particular capabilities were used. Since such groups would face the potential of serious repercussions and retribution, it is highly unlikely that they would launch such an attack except under the most exceptional circumstances.

This brings us to the heart of the matter when evaluating threats relative to their impact on risk and when evaluating what to do about mitigating risks from a perspective of dealing with threats. If there is one thing to understand about threats it is that actual threats are all specific while mitigation of risk based on assessments of threats is all generic. Let me clarify this a bit with an example.

Generic Threat Profiles:

If we have adequate intelligence in place to determine specifically that a particular group of individuals are planning a specific cyber-attack on an information capability at a specific time using a specific method, there is a pretty good chance that if the consequences are high enough and we have enough time and capability to counter the attack, we will be able to mitigate the harm by protective actions. While each specific attack involves all of these specific items, defenders rarely have even a small portion of this information. Lacking all of that information, the defender is left with the need to provide adequate protection to mitigate the perceived threat in light of considerable uncertainty. Thus, the defender must plan to act based on generic threats, and to the extent that specific information is available, use that information to inform the model of these generic threats.

Over a period of many years, I have worked to a significant extent on characterizing generic classes of threats. These assessments are based largely on information from the media, information gleaned from numerous interactions with clients, substantial experience in training of Red Teams and others, personal experience as the target of numerous attack attempts, information provided from colleagues, and other sources. As a result, I have built up a characterization of generic classes of threats that can be used for some preliminary analysis. These are summarized in a database I make available over the Internet. The names of these threat profiles are:
  • activists
  • club initiates
  • competitors
  • consultants
  • crackers for hire
  • crackers
  • customers
  • cyber-gangs
  • deranged people
  • drug cartels
  • economic rivals
  • extortionists
  • foreign agents and spies
  • criminals engaging in frauds
  • global coalition
  • government agencies
  • hackers
  • hoodlums
  • industrial espionage experts
  • information warriors
  • infrastructure warriors
  • insiders
  • maintenance people
  • military organizations
  • nation states
  • nature
  • organized crime
  • paramilitary groups
  • police
  • private investigators
  • professional thieves
  • reporters
  • terrorists
  • tiger teams
  • vandals
  • vendors
  • whistle blowers

This list is not static, and neither are the capabilities associated with the different threat profiles. The capabilities that these threats have and tend to exercise are often understandable in terms of their motives and resources. For example, it is far more likely that a foreign agent will use stealthy techniques and will rapidly back off when detected than an infrastructure warrior, who will most commonly have relatively obvious effects at the time of attack. For more detail on this, I would suggest that you read the detailed threat profiles from the online database (http://all.net/). For more detailed discussions of some threat profiles, examine the student papers generated by the students in the CJ625 class at the University of New Haven (http://www.newhaven.edu/california/).

Threats Capable of Catastrophic Economic Impact:

When it comes to economic harm at the scale of a major nation state, large-scale sustained power, telecommunications, or other supply-chain outages are the sorts of events that can trigger serious consequences. There are, of course, many examples of outages of these sorts of systems, including intentional, accidental, and nature-induced outages. Based on relatively limited assessments done for providers of different elements of infrastructure, there are also threats capable of creating far greater outages than those experienced on a regular basis.

Other than these sorts of supply chain outages, the only national-scale economic attacks with components of information systems involved that I am aware of today are (1) perception management attacks in which public confidence is eroded and (2) direct attacks against information infrastructure in support of financial systems. These are, of course, interrelated because the financial industries are based on public and institutional confidence. Loss of confidence causes market crashes or major 'adjustments', while reports of corruption of information resulting in illicit financial transfers (read theft) or disruption of service resulting in serious financial loss may reduce confidence as well as producing direct or consequential losses.

These sorts of events - supply chain outages, perception management activities, and large-scale distributed coordinated attacks - are examples wherein vulnerabilities can be exploited to cause severe consequences. If we are to understand serious economic threats on a national scale, we must somehow match threats with vulnerabilities and severe consequences before the impact becomes sufficient to be worthy of serious protective action at the governmental level. This is not to say that the government should ignore thefts, outages, and manipulations of the market that are not of enormous scale. Rather, my point is that threats producing smaller consequences are economically manageable without government intervention beyond normal law enforcement practices.

In examining threats that could have catastrophic effects on major nation states, we see only a few generic threat profiles with adequate combinations of capabilities and motives to have realistic effect. Without going into a detailed analysis, let us say the threat list for this level of effect is reduced to the following:

I might expect others to assert that situations like the widely publicized theft from Citibank in which a few million dollars of fungibles were illicitly moved and less than one million dollars of value was lost, demonstrate vulnerabilities that could be catastrophic. I find such conclusions to be gross exaggerations. Some years ago, Citibank failed to make the deadline for clearing a day's worth of transactions with the Federal Reserve Bank. The financial loss was in the hundreds of millions of dollars, as I recall, but the overall effect on finance in general and Citibank in particular was almost unnoticeable. The ability to steal a few million or even a few hundred million dollars every once in a while does not have serious large-scale economic impacts on the United States.

A similar level of alarm might be raised with respect to the recent Internet denial of service attacks. From a technical standpoint, and from a macro fiscal standpoint, the total economic effect of these attacks was essentially undetectable. Some might even espouse that the economic gain resulting from increased interest in these sites after these attacks more than compensated for the few million dollars in lost revenues they suffered for a few hours of down time. The question of public confidence seems to be answered for the time being as well. There was no major market crash after the recent Internet-based attacks despite plenty of media attention and fear mongering by those who might gain from rapid changes in the markets. It does appear that the value of companies focusing on information protection went up.

I have found no substantial evidence that any sort of attack on financial systems or the infrastructure that supports them would have a large-scale economic effect with the exceptions of: (1) an attack causing catastrophic disruption of services over an extended period of time, or (2) massive corruption of systems and their redundant backups resulting in the inability to properly associate people and organizations with their financial assets. People are resilient, and if the financial interests are high enough, it is very difficult to create situations in which the self-interest of hundreds of millions of people can be defeated.

I won't go into any great details on how such large-scale effects might be generated. Indeed, to do so in specific detail would require a substantial intelligence effort, planning and analysis process, and weapons development and deployment process on my part. I think that this is a very important point to make. A substantial effort of this sort is almost certainly detectable by a well-prepared, properly funded, and properly managed intelligence infrastructure that is doing its job well.

That bears repeating. If the United States does a good job in intelligence and counter-intelligence activities, it should be able to detect technical efforts that could have large-scale consequences on U.S. financial systems. If the organizations involved are willing and able to properly engage in this process and access and use this information, there is a very good chance that any such attack will be effectively countered.

Poor Management:

There is another challenge that we face here, and this was well demonstrated by the recent Internet denial of service attacks. The people running the organizations that were seriously affected by the attacks should have been well aware of the potential for such attacks and well prepared for them, but apparently they were not. Despite their claims to the contrary, they could have weathered these attacks and a lot worse if they had taken the time and effort to do a good job of information assurance in the first place. Indeed this lesson should extend to most parts of the United States government as well as many of the world's critical infrastructure providers.

I have just asserted that the recent attacks could have been far more successfully defended against, that the people in charge of these companies failed to take proper precautions, and that the loss was negligible. A valid argument could almost be made that the proper risk management decisions were made. I say almost because, based on the public statements made by the management of the affected companies, they did not make risk management decisions. Instead they depended on luck and were relatively lucky. Or perhaps they were let off the hook. In either case, they failed to do what management must be held responsible to do, and that is to make prudent risk management decisions based on reliable knowledge of the situation they face.

Arguments like "How could I have known?" simply don't wash in this situation. If you are managing an organization in the information age, you must understand information-related risks or, in my opinion, you cannot meet the standards of due diligence required to manage other peoples' money. In the case of the recent Internet-based denial of service attacks, the Carnegie-Mellon University (C-MU) Computer Emergency Response Team (CERT) and the FBI had been warning organizations about these same said attacks for a period of months. Other organizations like the Computer Security Institute and the SANS Institute were also warning of these sorts of attacks. Before these high profile attacks, other attacks were made against other sites that were lower profile, and for a period of at least four years before this time, such attacks were made against other sites with details published. I am not a lawyer, but failing to know about and prepare for such attacks in this situation appears to me to fall under the category of gross negligence.

Lack of Attribution:

In all fairness, I don't want to place all of the blame at the feet of the people managing the high profile firms who were the targets of these attacks. There are many causes of these losses of availability, and many organizations that have failed to address these issues are partially responsible for the outages. I will address many, but not all of these causes in this testimony, but for now, I want to concentrate on one of the causes that I consider to be key. That is the nature of anonymity in the Internet.

While I am generally not a proponent of any government action, particularly in the stifling of information-related freedoms, I find that the ability to act with relative anonymity in the Internet is primarily being used for criminals to avoid attribution and to hide their crimes. While some might try to assert that anonymity is needed in order to protect personal privacy in the Internet, this is really not true, and I think it is a disingenuous position. Another valid use of anonymity is its use to allow honest people to report on important issues without fear of retribution. Again, this is not very common in the Internet today and does not require anonymity.

The method most often used to assure personal privacy in the Internet, and the method that is most effective at doing so, is pseudonymity. Pseudonymity is what most 'proxy' servers and 'anonymizer' services provide. They generate a pseudonym for the user and disassociates the user from their use. In order to get results back to the original requester, these systems retain the information required to re-associate results to users. Along the way, responsible providers retain audit trails so that, for example, if the user commits a crime, law enforcement can trace the criminal down. This is also done to assure continued service and is a normal business record in most such systems. I have operated an anonymizer service on the Internet, and in my experience, the vast majority of the traffic connects to pornographic sites. As a result, I removed the anonymizer service from general use and only provide it to authorized users for specific purposes. My service also permanently retains audit trails.

Before going forward I want to pause to relate these two points. I have asserted that the recent denial of service attacks could have been defeated if it weren't for the ease of anonymity in the Internet. On face value, somebody that is not knowledgeable in this area of technology might assume that this is because we could have traced the attacks to their sources. While that may also be true, that is not the reason I have related the two subjects. In fact, the recent denial of service attacks could have been easily defeated in a matter of seconds to minutes without any advanced technology or intense activities by any parties. All that is required is that the messages with obviously forged source addressed not be passed to the rest of the Internet by the Internet Service Providers (ISPs) that connect the intermediary computers used in these attacks to the rest of the Internet. While that may sound complicated, it is in fact very easy to do.

In 1996, in response to the large number of address forgeries being exploited over the Internet at that time, I published a paper that showed how ISPs could eliminate address forgery of this sort with almost no cost and with very little time or effort consumed. This method was subsequently adopted in a recommendation by the C-MU CERT and adopted as part of an Internet RFC (a Request For Comments - the Internet's version of a consensual protocol or procedure). If this or a similar method were adopted by ISPs, either on their own, as a result of legislation, or based on customer demand, the problem of Internet Protocol (IP) address forgery would be almost completely eliminated without any encumberance to the proper functioning of the Internet.

While I have heard a wide range of claims by ISPs that assert that this would make their systems unmanageable or too slow, such networks as the @home network now operated by AT&T, which is far higher speed than the vast majority of ISP connections today, have adopted this practice with great success and without apparent management or cost effects.

Similar challenges related to anonymity exist throughout the Internet today in other areas. In particular, electronic mail (email) addresses are forged on a regular basis in the Internet. Vulnerable intermediary computers are used to 'bounce' these emails from the original source to the final destination, thus anonymizing the original source. This is used to: (1) send massive unsolicited email advertisement - called SPAM, (2) malign and slander individuals and organizations, (3) convince unwitting users to do things that ultimately harm them, (4) conceal the sources of malicious attacks, (5) harass individuals and organizations, and (6) induce email loops in which list servers send email back and forth to each other and all of their users, consuming vast resources to no end. While I am a believer in personal privacy, when anonymity is used as an excuse to do these things, then the theoretical "right" to privacy must yield. I, for one, am tired of being slandered with anonymous postings on the Internet by those who I have associated with their criminal activities.

I am personally in favor of the concept of anonymity with responsibility and have written on this subject in the past at some length. In my view, pseudonymity should be provided through brokers who can be held legally responsible for the actions of those they broker for, unless they provide the means to attribute information to its source under legally mandated conditions. Like the newspaper reporter who refuses to reveal a source, jail and contempt can be used to compel compliance. Unfortunately, this is only true in cases where compliance is possible in the sense that the person providing pseudonymity knows the actual source of the information. Today, some participants in the Internet are intentionally building systems that destroy all traces of the sources of the messages they anonymize. While they claim this is to assure personal privacy, my experience tells me that it is used primarily to conceal criminal activities and illicit (i.e., unauthorized and prohibited) access to pornographic sites.

Inadequate Education:

As it turns out, the issues of management and technical ignorance of information protection, poor attribution and unlimited anonymity, low assurance system bearing high valued burdens, legal and politically forced changes without proper consideration of risks, misestimates of threats, and misunderstanding of the implication of consequences on risk management are all quite closely related. They all relate to a lack of education in information protection throughout a society that is rapidly entering the information age. This should not be unexpected, but it is a serious problem that must be addressed before most of these other challenges can be met.

This very subject was discussed only a few weeks ago at the Workshop for Educators in Computer Security (WECS). One of the things we generally agreed upon was that there aren't enough educators to educate the number of people in need of education. And even worse, most of the people being educated are not going into education, so the educators of today are not educating the educators of tomorrow. To make the problem still worse, many of the best current professors in this area are approaching retirement, and much of the historical work in this field is being ignored by recent graduates. This means that, as a profession, we continue to repeat the mistakes of 30 years ago out of ignorance. There are many other limitations in our educational institutions that will not be solved for some time, but fortunately, the Internet offers a unique opportunity for education in information protection. Institutions like the University of New Haven are starting to take up this task, and I am proud to be associated with this effort.

If I were to select two things that will have the greatest effect on the future of the United States in the information protection area, they would be the education of our young people and the simultaneous movement toward a scientific basis for information assurance. These things go hand in hand largely because, as the old saying goes, you never really know a subject until you have to teach it to somebody else. Most people believe that university education has contributed substantially to scientific progress, but one of the most important reasons that scientific progress is tied to university research is that the university researchers get a constant stream of fundamental questions and interesting new research ideas and assistance from their very intelligent students.

Perception Management:

As I mentioned earlier, the most likely cause of substantial large-scale economic harm to the United States, and the historical cause of most such consequences, comes from loss of confidence rather than loss of technological capability. While the technical issues may sometimes seem compelling, the information technology with the most potential for economic impact is the technology that allows people to manage the perceptions of other people.

In the mid 1990s, I created and operated the first Internet-based information warfare war games and ran the second such game with a set of students from the National Defense University. One of the activities required for setting up such a game was the creation of a set of realistic future scenarios, and one of the things necessary for the creation of these scenarios was the prediction of some aspects of the future. Based on some research I had recently done to predict the future course of global information technology deployment by region, I surmised that in the near future (circa 2005) we would be capable of real-time simulation of real people moving and speaking as well as a set of other information-related technologies to support such activities as Internet-based voting and large-scale video-telephony.

One of the resulting scenarios examined the notion that an adversary group made up of select insiders could use real-time human simulation over the electronic media to mimic presidential and other official speeches, defeat the ability of real communications to be effective on a national scale, and through further coordination, temporarily inhibit key communications, transportation, and power hubs. The overall effect was the ability to have dramatic national impacts by managing the perceptions of the average citizen as well as the decision-makers in key institutions. The resulting economic impacts and crises of confidence could be quite severe.

According to press accounts, a hacker (the use of this term is appropriate here) impersonated President Clinton during his first "Chat" over the Internet on CNN. They managed to insert the message "Personally, I'd like to see more porn on the Internet." and followed it up by asking Wolf Blitzer "Wolf, how about you? Are you all for more porn on the Internet?". Many of us in the information protection field recall an email message forgery some years back purporting to be from the Kremlin in the, at that time, Soviet Union. This was taken seriously for some time. No doubt a serious attacker with proper backing, motivation, and capabilities could achieve a far higher degree of efficacy in a distributed coordinated attack, with perception management as a basis, if it was designed to achieve a specific goal.

In fact, perception management is being used today to stage a sort of 'friendly' economic takeover of the United States. Perhaps more precisely, the perception of value associated with Internet stocks is being used to change the set of people in control of the financial assets of the nation. Now I am most surely not an expert in economics, but it seems to me that the movement of financial value from companies with real assets to companies with almost no assets is a case of perception management having a serious financial effect. And this is not, in my view, a case of information assets being assessed too high a value. For example, IBM has tremendous intellectual property, expertise, physical plant, good will, and other assets of real value. Yet its market value is on par with many companies that have never turned a profit and have almost no assets whatsoever. This is a case where financial value is associated with perception.

If such a company does this well in their initial public offering (IPO), they can invest in other companies or diversified portfolios, turning the perceived value into ownership with real value. The real effect is more of a changing of the guard. We came to trust a different set of people than we used to trust to manage key business sectors because they managed to convince us that their vision of the future and ability to manage our assets is better than what was there before.

I can easily imagine a case in which an enemy of the United States uses this method to take control of substantial financial assets and uses those assets against the United States. The perception management mechanism is the same, even if the actors are different.

There is also a lot of history to support the power of propaganda and other perception management techniques in having large-scale political and economic effects. Control of the media has long been a widely held concern, and the lack of control of the media in the Internet has been both a godsend for free speech and a bane to the assurance of integrity. Anybody has publishing power in today's Internet, and rumors spread as quickly as computer viruses.

Internet-based perception management has been used by individuals and groups taking on multiple identities to multiply their influence and vouch for themselves as independent experts. Hate groups use the Internet to build their ranks, while nearly identical web site names were used in the last presidential campaign to redirect traffic to competing candidate sites. Insider information and rumors have been published on Internet sites like Yahoo and this has apparently had direct effects on share value of the companies involved.

Free flow of information is a two-edged sword. Some of the bad guys I have helped to chase down have launched computer viruses that have associated my name and web site as the source of their virus. If it weren't for my hard-learned ability to defend myself against rumors with counter perception management, my reputation would have been trashed and my Internet connections shut down long ago.

While these factors don't individually have a high economic impact, in the aggregate, these sorts of actions may cause substantial effects. Nobody has yet determined whether such attacks can have severe economic consequences, but it seems clear that ongoing perception management can be used to build small terrorist armies, to cause serious harm to the economic lives of individuals, and to create stock price run-ups and run-downs. As more and more of these events take place, overall public confidence in Internet-based financial systems as well as other aspects of our information-based economy may be impacted. Still, people have a way of adapting. Attacks that might have caused economic shudders only a few years ago have almost no impact today. Whether we are riding an economic boom or a giant bubble, all but the most ferocious and well-planned perception management attacks seem unlikely to have high economic consequences on today's market.

Public Awareness:

I do not believe that the solution to the challenges underlying perception management and economic effects of infrastructure vulnerabilities lie in more government control. I think that the solution lies in broad public awareness of the risks associated with our critical infrastructures. Of course the difference between rational understanding of risks and blind fear is a fairly thin line. Exaggerated fear of high consequence events is a common phenomenon and it can be and has been exploited to political and economic advantage. The difference between perceived risk and actual risk is often exploited in perception management. The best current counter to perception management is widely publicized accurate information from trusted and historically trustworthy sources.

In the Internet arena, I think that the recent widely publicized incidents have done a great deal to improve public awareness, and to the extent that the information provided by the media has been accurate, I think this has been a good thing. On the other hand, while most of the media information in this area has been reasonably good lately, some of the major media outlets have spread a great deal of poor information and misinformation. Indeed, in recent coverage of the recent denial of service attacks, CNN largely shunned information security experts in favor of putting a known - convicted - computer criminal on the air as if he were an expert in information protection. This represents a fundamental misunderstanding of the issues underlying the information protection field that has been promulgated through the image of the 'high school hacker' as some sort of hero.

This is one of the reasons for the College Cyber Defenders program at Sandia National Laboratories. I, for one, believe that the vast majority of young people in our society and throughout the world are good people who can contribute in a positive way to the world. By giving more of the best students the opportunity to do good things in a good environment, I believe we will be building the future of our nation. At Sandia, we engage these students in building and running their own Intranet and figuring out how to defend against the same attacks that others are using to take networks down.

In my view, this is the best thing the nation can do to provide for a secure future in the information age. We should combine teaching our young people with building the scientific base we need to defend ourselves against information attack, and do so in an environment where they can become good corporate and national citizens. I was very pleased lately to see some of the students in this program get some attention from the media. They richly deserve such attention for their fine work, and I am very proud of the work they have done. Even more importantly, media attention to them is helping to frame the national debate. Some day, instead of seeing convicted computer criminals treated as if they were security experts, we may see these students telling it like it really is.

Engineering Surety:

The future of attack and defense in the information age seems destined to move toward the notion of total war, just as the industrial age led toward this notion during the 20th century. Over time, as the defenders learn how to defend themselves and the attackers learn how to launch more sophisticated attacks, we will begin to see full-spectrum attacks that combine perception management with technical approaches and exploit interdependencies of systems for targeted effects. We are already beginning to see a movement in this direction. An example is a recent Web hijacking attack based on the combination of denying service to legitimate Domain Name Servers (DNSs translate names into the IP addresses that are used to route traffic in the Internet) and then forging the address of the DNS to give false responses and redirect traffic.

I am indeed fortunate to be working at Sandia National Laboratories when it comes to this particular aspect of information protection, because Sandia has done systems engineering in the arena of cyber attack and defense for the better part of the last 50 years. In the nuclear command and control environment as well as related environments where Sandia has responsibility, high assurance is demanded by the combination of severe threats and severe consequences. In order to move away from ad-hoc notions of assurance, many Sandia researchers have spent many years looking at systematic approaches to the information assurance issue, which Sandia calls surety.

The systems engineering approach to surety is based on building a good model of the system under scrutiny, including all of the interdependent systems that relate to that system. Based on this model, detailed analysis of large sets of independent and coordinated actions can be done for both attack and defense purposes. Over time, it is highly likely that these techniques will become more widely applied in the cyber attack and defense community with the result being a dramatically increased capability for large-scale distributed coordinated attack and defense across the full information and physical spectrum. It turns out that I am going to be giving a talk on this very subject at the Naval Postgraduate School in Monterey, California tomorrow. This means that military planners both on the offensive and defensive side are already considering these issues in a serious way. If our planners are looking into this issue, you can be certain that other nations and actors are actively engaged in this area as well.

The range of issues facing us in the information arena today is truly astonishing. From the specter of full-spectrum warfare to the lowest criminal trying to use the Internet to steal from retirees or post obscene pictures of our young people, we face a wide array of challenges. Just as the beginnings of the industrial age left us with inadequate engineering capabilities, the beginnings of the information age finds us with inadequate information engineering. Just as cars have been getting safer for the last hundred years, information systems will take some time to reach a level of surety that is appropriate to the need.

Summary and Conclusions:

In closing, I want to summarize the highlights of this testimony.

1) Risk comes from the combination of threats, vulnerabilities, and consequences. Information protection focuses on mitigating risks by assuring an appropriate level of integrity, availability, and confidentiality. Risk management is the process by which we make knowledgeable decisions about risk taking and risk mitigation.

2) People who make risk management decisions often don't have the knowledge required to make those decisions well, and in many cases don't even know that they are making decisions with large potential consequences. This applies to industry, government, and perhaps most importantly, government regulation that affects industry.

3) While there are large-scale economic risks related to the information age, they are not likely to come from attacks like those denial of service attacks recently experienced in the Internet, although in some cases they may appear to be quite similar.

4) Supply chain risks, sophisticated distributed coordinated attacks, and perception management attacks appear to be the most significant things to be concerned with when it comes to catastrophic economic harm to the United States, and only specific threats currently have the capability of exploiting these methods for catastrophic effect.

5) Defending against catastrophic information age economic events today is largely dependent on our ability to do threat assessment and tracking in the intelligence community and the ability to share certain aspects of this threat information with the people who make risk management decisions and handle attacks in real time.

6) The lack of attribution in the Internet is a serious concern and addressing this issue would have a dramatic positive impact on that environment. If properly done, removing unconditional anonymity and preventing the ability to forge addresses on a large scale would not cause any significant negative impact on freedom of speech or technical impediments to operations. It would, however, largely eliminate the most serious attacks we have encountered in this environment over the last five years and substantially mitigate consequences associated with emerging threats that might eventually gain the ability to cause far more serious economic harm.

7) We lack the necessary strong long-term scientific research commitment, knowledgeable base of university professors, and strong interaction between universities and industry in information protection to meet our future information protection needs. The creation of a system wherein the knowledge in the brains of people that are rapidly moving toward retirement could be imparted to a new generation of tenured university professors would be of great value in mitigating this situation. Historically, this is addressed by endowed chairs, long-term commitments to university research, and strong industry ties.

8) The lack of high quality information and the use of questionable advice and council in this area by decision-makers and some of those in the media verges on being a national disgrace. Computer criminals and people who do business under pseudonyms are not generally very knowledgeable about information protection. Competent professionals who put their names on the line every day and seek ongoing education and scholarship in this area are the experts we should depend on.

I would like to thank the committee for taking the time to review my testimony and welcome any questions that you might have.