Thank you, Mr. Chairman, for the opportunity to address you and the committee today. My name is Fred Cohen and I am a Principal Member of Technical Staff at Sandia National Laboratories.
There are serious cyber threats to the economic well-being of the United States, but these threats don't come from hackers or crackers or most of the other actors that the media associates with cyber attacks today.
The likely effects of a serious attack would be:
The only groups likely to cause these effects at a national scale are economic rivals, global coalitions, government agencies, information warriors, military organizations, and nation states.
The methods used to deny services to a few Internet companies in recent weeks could be used as part of a larger attack, but on their own, they produce little real loss and are no real surprise. Similar attacks have been underway for years. The Internet of today is an anarchy. Nobody is in charge, there are few rules, and almost no enforcement. If you choose to use it for financial purposes, you must manage the risks properly.
These high-profile attacks resulted from Internet Service Providers not preventing forgery of computer locations. That's why it took hours instead of seconds to track down the computers involved. It's also one of the reasons people commit crimes over the Internet with impunity. This problem is easy to fix. The solution was published in 1996 and government should require it for public access networks. It works today for some of the largest providers, like AT&T in their @home network, and there is no excuse for other providers not to use it.
I believe that privacy is very important and that computer networks are a serious threat to privacy. But we need to balance privacy with the need to attribute acts to individuals. The Internet lacks attribution.
Some people want absolute anonymity in the Internet. In my experience this supports criminal enterprises and serves no legitimate need. Some in federal law enforcement want to do mass monitoring of communications. But historically, some people working for the United States government have abused such capabilities. We need a compromise solution.
Many 'proxy' and 'anonymizer' services exist in the Internet today. They provide unique pseudonyms for communication and they retain records of pseudonyms to return responses and resolve problems. These records can be subpoenaed by law enforcement to track down criminals and they are admissible in court under the business records hearsay exception. The legitimate user gets anonymity, and illegal or abusive behavior can be tracked to its source.
To make this work for all of us, we only need three reasonable controls:
If anybody tries to tell you that this solution is not technically feasible, don't believe them. It already works for many providers.
These examples underscore the need for more and better education in information protection. The history of this field goes back to biblical times and includes many breakthroughs, most of which are ignored today. As a result, we often repeat the mistakes of the past and ignore available solutions. This means that scientific progress is slowed, valuable resources are wasted, and we all suffer from poor protection.
We need a strong scientific base for information protection to work. We need to build on that base with people who have a track record and with a program that mentors new people with well-established experts.
Researchers and developers should try all sorts of interesting and innovative things, but they should do this with a knowledge of what others have done. Our educational institutions should better educate our students, our research community should do their homework before proposing research, and people who fund R&D should enforce this.
Today, we teach everybody how to use computers but not how to use them safely. It's like teaching people to drive without mentioning brakes and seat belts. Our media and our decision-makers seek out advice from computer criminals on how to provide protection. Would you trust a child molester to take care of your children? After all, they know how children are molested.
One group sought for advice by government and media alike:
Don't legitimize criminals. Seek advice from the most knowledgeable and high-integrity people you can find.
The solutions discussed here are valuable steps toward more effective national information assurance, but they are not adequate on their own to mitigate the risks from the most severe threats. This can only be done with a world-class intelligence system.
In the recent high-profile attacks, the banking community had strong indicators that attacks were coming. They could not warn others because of legal impediments to information sharing. I heard of the situation late on the Friday afternoon before the attacks began. I was at home, so I wrote an article on technical defenses and published it to the Internet that evening along with situation specifics. I notified law enforcement and security groups via the Internet. By midnight, hundreds of key people in law enforcement and corporate security had access to specific defenses. I was acting on my own, not on behalf of the government, and not as part of a central intelligence mechanism.
Centralized organizations cannot do this job in today's Internet. A highly distributed and resilient intelligence network is needed for the emerging threats to national security. Such a system must be broadly supported, with benefits to all participants. Today's loose-knit networks must be supported, and more resilient networks must be created. Legal methods for broad information sharing and controlled attribution must be created and supported as well.
I thank you for your time and welcome any questions you might have.
Other topics covered in the question and answer period included:
Questions relating to the role of government in this arena.
Questions about legal issues that needed to be addressed:
Why government has such problems retaining expertise (salary, lack of respect, no line of advancement)