1996 Congressional Hearings
Intelligence and Security

STAFF STATEMENT
U.S. SENATE PERMANENT SUBCOMMITTEE ON INVESTIGATIONS
(Minority Staff)
HEARINGS ON
SECURITY IN CYBERSPACE
JUNE 5, 1996

The computer age arrived with great promise and expectation. Just four years ago, the Internet hosted one million users. Today that number exceeds 58 million, and is growing at an estimated rate of 183% per year. Advances in computing and networking have affected virtually every aspect of our society, including civilian government, the military, communications, transportation and commerce. Government is more efficient and connected, business is more robust and able to provide more services, and individuals now have access to large caches of information and each other.

The computer age has also brought with it vulnerabilities and weaknesses. As we rush to connect to the information superhighway, are we sufficiently questioning the vulnerabilities created by our growing dependency on computers and networks? As the most critical pieces of our national infrastructure become dependent upon these information networks, have we ensured they are secure and reliable?

The purpose of this report is to examine the vulnerabilities of our national information infrastructure and efforts by our government to promote its security. To prepare this Statement, the Permanent Subcommittee on Investigations (Minority) Staff, at the direction of the Subcommittee's Ranking Minority Member, Senator Sam Nunn, spent approximately 8 months interviewing representatives from industry and government, as well as private individuals expert in the field of information security. The

Staff also examined the international aspects of this issue with numerous briefings from foreign officials.

The Staff's conclusions, which are set forth throughout this report, can be summarized as follows:

• Our government and our private sector have become increasingly dependent on computers and networks such that our nation has created a critical information infrastructure that supports the most essential functions of our society.

• Today, our information infrastructure is increasingly vulnerable to computer attack from a variety of bad actors including foreign states, subnational groups, criminals and vandals. Anecdotal evidence documents that these adversaries are organized and already regularly exploiting these vulnerabilities.

• The technology that allows this array of bad actors to exploit networks is becoming more available and user-friendly. Vulnerabilities in hardware and software are giving hackers - no matter their motive - greater opportunities and abilities to successfully attack our information infrastructure. Recent Defense Department studies suggest that computer attackers successfully intrude on DoD unclassified but sensitive networks more than 65% of the time.

• Computer hackers use different routes of attack, often crossing national boundaries and using private and public computer network systems. This presents complex and novel legal and jurisdictional issues that hinder the detection of and response to computer intrusions.

• Our government and private industry's inability to foster a culture that promotes computer security is greatly exacerbating the vulnerabilities of our information infrastructure.

• Our government has been unable to adequately define the scope of the threat posed by computer attacks because the intelligence community has failed to dedicate sufficient resources to data collection and analysis.

• The private sector - including the commercial and financial world - has been unwilling to report their own vulnerabilities for fear of inspiring customer insecurity. As a result, enormous losses occur that escape the attention of the law enforcement and intelligence communities. One informal estimate by a group of computer security firms documents losses among just their clients at over $800,000,000 in one year alone.

• The U.S. government has recently recognized the potential severity of this problem and is only now beginning to address its very serious ramifications to our national security.

• Our nation is in need of a comprehensive strategy that addresses the vulnerability of our information infrastructure.

• Our failure to recognize this threat and respond with sufficient resources, will have severe consequences for our nation's security as we become more connected and more dependent upon our information infrastructure.