
Counterpane's Bruce Schneier Testifies at Hearing of Homeland Security Subcommittee on Cybersecurity, Science, and Research and Development

Renowned Security Technologist Informs Subcommittee on Cyber Security Risks and Trends and Provides Recommendations on Better Securing Critical Infrastructure

CUPERTINO, Calif., June 25, 2003 - Bruce Schneier, founder and CTO of Counterpane Internet Security, Inc., today testified at the Hearing of the Homeland Security Subcommittee on Cybersecurity, Science, and Research and Development. The hearing, titled "Homeland Cybersecurity: A Nation Dependent and Dealing with Risk," was the first in a series on cyber security issues. It is intended to help promote public understanding of the importance of the Department of Homeland Security's role in protecting the nation's information infrastructure by providing an outside view on the challenges faced by the new Department, particularly in dealing with the private sector that owns and operates the vast majority of America's critical information infrastructure.

Key points and recommendations from Schneier's testimony:

  • Cybersecurity trends: The rise in crime in cyberspace is due to attack tools becoming more sophisticated and easy to use. Paradoxically, as security technologies improve, cyberspace is becoming less secure because of the increasing complexity of technology. Also contributing to this are the ineffectiveness of today's security products and the poor quality of software security.
  • A "Digital Pearl Harbor" is not a critical threat today: Fears about cyberterrorism are largely the result of companies and organizations wanting to stoke the fears of people and of the news media looking for sensationalist stories. Real terrorism, attacking the physical world via the Internet, is much harder, and the effects of cyber attacks are far less terrorizing than might seem at first. Cyber-crime is a much more critical threat today.
  • The fundamental problem of cybersecurity: Those that can improve it (the companies that build computer hardware and write computer software) aren't motivated to do so. Secondly, companies are only going to consider their own risks; the ancillary risks to critical infrastructure will not be taken into account. The risks to that infrastructure are greater than the sum of the risks to the individual companies.
  • Stop trying to find consensus. Over the years, several cyberspace security plans and strategies have come out of various government agencies. Each of these plans suffers significantly from an inability to properly force requirements and standards due to the risk of offending industry players, in many cases the same players they were created to protect. Cybersecurity requires hard choices that will necessarily come at the expense of some industries and some special interests.
  • Expose computer hardware, software, and networks to liabilities. The major reason companies don't worry about the externalities of their security decisions, the effects of their insecure products and networks on others, is that there is no real liability for their actions. Liability will immediately change the cost/benefit equation for companies, because they will have to bear financial responsibility for ancillary risks borne by others as a result of their actions. Liability is a common capitalistic mechanism to deal with externalities, and it will do more to secure our nation's critical infrastructure than any other action.
  • Secure government networks. Fund programs to secure government networks, both internal and publicly accessible networks. Only buy secure hardware and software products. The government does not need to create its own organization to identify and analyze cyber threats; it is better off using the same commercial organizations that corporations use. The threats against government are the same as the threats against everyone else, and the solutions are the same. The U.S. government, specifically the Department of Homeland Security, should use and improve the resources that are available to everyone, since everyone needs those same resources.
  • Use buying power to drive increased security. U.S. government procurement can be a potent tool to drive research and development. If it demands more secure products, companies will be forced to deliver. Once companies deliver products to the increasingly demanding specifications of the government, the same products will be made available to private organizations as well.
  • Invest in security research; invest in security education. As the market starts demanding real security, companies will need to figure out how to supply it. Research and education are critical to improving the security of computers and networks.
  • Rationally prosecute cybercriminals. Security problems are rarely solved by technical means alone. We need to increase law enforcement to deal with real computer crimes.

Full testimony is available at http://hsc.house.gov/.

About Bruce Schneier

Schneier, a Founder and Chief Technical Officer of Counterpane Internet Security, is responsible for maintaining Counterpane's technical lead in world-class information security technology and its practical and effective implementation. Schneier's security experience makes him uniquely qualified to shape the direction of the company's research endeavors, as well as to act as a spokesperson to the business community on security issues and solutions. Schneier is the author of six books, including Secrets & Lies: Digital Security in a Networked World, and Applied Cryptography. He also writes the free email newsletter Crypto-Gram, which has over 90,000 readers. He has presented papers at many international conferences, and he is a frequent writer, contributing editor, and lecturer on the topics of cryptography, computer security, and privacy. Schneier designed the popular Blowfish encryption algorithm. His Twofish was a finalist for the new Federal Advanced Encryption Standard (AES). Schneier served on the board of directors of the International Association for Cryptologic Research, and is an Advisory Board member for the Electronic Privacy Information Center.

About Counterpane

Counterpane Internet Security, Inc., is the innovator and acknowledged leader in providing Managed Security Monitoring (MSM) services. MSM combines people and technology to safeguard businesses. Working from a network of technically sophisticated Secure Operations Centers (SOCs) and using progressive analysis tools, Counterpane has built the most advanced analysis, correlation, detection, and diagnosis technology, comprising a Sentry monitoring probe on the customer's network and the Socrates knowledge base inside the SOCs. Using this technology, Counterpane's expert Security Analysts are able to detect security incidents, both external intrusions and insider attacks, in real time, and tailor immediate, effective responses for its customers. The company is funded by Accel Partners, Amerindo Investment Advisors, Inc., Comcast Interactive Capital, LP, Bessemer Venture Partners, Dell Ventures, LP, Meritech Capital Partners, LP, Morgan Stanley Venture Partners and Symphony Technology Group. Headquarters are located at 1090 La Avenida, Mountain View, California, USA. Phone: 650-404-2400, Fax: 650-903-0461, Web site: www.counterpane.com.

###

Counterpane is a trademark of Counterpane Internet Security, Inc. All other companies, brand names or products are trademarks or registered trademarks of their respective companies.

 
