COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
U.S. HOUSE OF REPRESENTATIVES
WASHINGTON, DC 20515

March 22, 1994

MEMORANDUM

TO: Members, Subcommittee on Science
FROM: Rick Boucher, Chairman
RE: Hearing on Internet Security

___________________________________________________________________________

SUMMARY

On March 22, 1994, beginning at 9:30 a.m. in room 2318 of the Rayburn House Office Building, the Subcommittee on Science will hold a hearing on the security of the Internet. A tentative witness list is attached.

PURPOSE OF THE HEARING

The hearing will explore the level of vulnerability of computers interconnected with the Internet to unauthorized access and possible destruction or alteration of files. The immediate impetus for the hearing comes from an advisory issued by the federally funded Computer Emergency Response Team (CERT) on February 3, 1994, warning Internet users to change their passwords. The notice followed a series of break-ins to Internet computers both within and outside of the United States.

The hearing will also evaluate the status of security on the Internet today and examine measures currently available to enhance security, assess the effectiveness and degree of implementation of such measures, and identify obstacles to enhancing Internet security.

BACKGROUND

The Internet

The Internet is an international network of computer networks that use uniform packet-switched communications protocols known as TCP/IP (Transmission Control Protocol/Internet Protocol). The Internet has evolved over the past quarter-century from the ARPANET, a network of federal government defense host computers that was conceived by the Advanced Research Projects Agency (ARPA) in the late 1960's. In the United States, both government and non-government sponsored networks are connected through the Internet. NSFNET, the computer network of the National Science Foundation (NSF), provides the academic world with broad connections to the Internet and serves as the Internet backbone for research and education communities interconnected with the Internet in the United States. There are an estimated 25 million Internet users worldwide, with the number growing by 15 to 20 percent each month.

The Internet is valued for its ad hoc evolution, open structure, and democratic decision making. No organization controls the Internet per se; however, there is an evolving structure for the standardization of Internet protocols and the examination of technical and social issues related to the Internet. A keystone of that structure is the Internet Society (ISOC), a non-profit professional society formed in 1992. Membership is open to anyone. The ISOC is governed by a board of trustees elected by ISOC members.

The ISOC sponsors protocol development for the Internet. This development takes place in three groups separate from the ISOC. The first group is the Internet Architecture Board (IAB), consisting of approximately a dozen international members whose membership is ratified by the ISOC trustees. The IAB looks at the overall architecture and growth of the Internet. It produces technical documents which provide guidance to the Internet Engineering Task Force (IETF), the second of the three groups. The IETF develops protocols and chooses standards for the Internet. Its membership consists of technical people who participate in one or more of IETF's 60 to 80 working groups. These groups are divided into a few general subject areas, such as security, network management, operations, applications, and standards. The IETF is governed by a steering group consisting of the IETF chair and the director of each of the subject areas. The third group is the Internet Research Task Force (IRTF), which is comprised of a few long-term research groups examining specific technical issues facing the Internet. Among these research groups is the Privacy and Security Research Group (PSRG).

In the United States, Federal participation in standards setting for the Internet is coordinated through the Federal Networking Council (FNC). The Council includes Federal agencies that support networking research and development. The Department of Energy (DOE), the National Aeronautics and Space Administration (NASA), NSF, and ARPA form the executive committee of the FNC. The National Institute of Standards and Technology (NIST) is among the 18 member agencies of the FNC. The FNC has a security working group that focuses on networking security issues for the research and education community.

The Internet is regarded as a precursor of, and model for, the National Information Infrastructure (NII). It will be a part of the NII. It does not necessarily follow, however, that security problems on the Internet portend similar problems on the NII. The inherently open nature of the Internet protocols does not promote security. The protocols used on the NII will probably be less vulnerable. Still, the Internet can serve as a laboratory for many of the security issues that will arise in connection with the development of the NII, particularly as government and industry endeavor to assure full network interoperability.

Gaining Access to the Internet

An Internet user gains access to the Internet by logging onto a host computer. A host computer is a computer that is connected to the Internet and has the protocols necessary to convert information into a form in which it can be sent anywhere on the Internet. Currently, there are 2,200,000 Internet host computers worldwide. Some hosts serve a user simply as an entry point to the Internet. Other hosts serve as the end point, where they may provide users with one or more services. These services might include data base information, file transfer capability, or computational services. To log onto a host computer, a user provides an ID and a password. A user often logs onto a host computer from a remote desktop computer; however, a user can log on directly to a host computer.

Security Breaches

The most notorious lapse in Internet security occurred in 1988 when Robert T. Morris, Jr., a Cornell University graduate student, sent over the Internet a computer virus that reproduced so rapidly it overloaded thousands of computers. In response to the Morris incident, the Defense Advanced Research Projects Agency (DARPA, as ARPA was named from 1975 until 1993) established the federally funded Computer Emergency Response Team (CERT). CERT's sole responsibility is Internet security. CERT is operated full time by employees of the ARPA supported Software Engineering Institute (SEI) at Carnegie Mellon University.

Since CERT was created, more than 30 other response teams have been established in the United States and abroad. Together, they form a coalition known as the Forum of Incident Response and Security Teams (FIRST). NIST serves as the secretariat. Each team has its own security goals and procedures for pursuing those goals. The participation of the teams in the FIRST coalition is voluntary.

CERT issued an advisory February 3, 1993, in response to a series of Internet break-ins that began with an incident in July 1993 and was followed by a similar incident in October 1993. Then, in January 1994, CERT became aware of seven more confirmed break-ins and approximately seven more suspected break-ins of the same type as the first two. The January break-ins convinced CERT to issue its advisory. Following the advisory, another 17 break-ins in the same mode were confirmed. To date, between 30 and 40 break-ins are suspected or confirmed. CERT believes that additional break-ins have gone unreported by organizations too embarrassed to admit to a security problem.

The break-ins were accomplished when one or more intruders from a remote location surreptitiously installed a "sniffer" software program onto an Internet host computer.
The software is called a sniffer program because it monitors the communications port that connects a host computer with the Internet and seeks and captures log-in information for users gaining remote access to that host, as well as other information on the network to which the host is connected. The sniffer then separates out the log-in information, which consists of the name of the host computer, as well as the user IDs and passwords. Armed with log-in information, an intruder is able to gain access to some or all the information on the host computer and can read, transmit, alter, or destroy that information. The intruder might use the sniffer to capture log-in information for several hosts. Moreover, once in a host computer, the intruder might obtain information sufficient to allow access to additional host computers. Thus the sniffer program carried the potential for significant damage. According to the CERT advisory, "[i]ntruders have already captured access information for tens of thousands of systems across the Internet."

The CERT advisory recommended as a long term remedy that users not transmit reusable, non-encrypted passwords on the Internet. If a password is changed after each use, or if it cannot be read, capturing it will not benefit an intruder.

Other than the fact that log-in information has been captured, it is not yet clear what damage, if any, has been or will be realized as a result of the break-ins. Nor is it clear how many intruders have been involved. While the initial break-ins probably were accomplished by no more than a handful of adept perpetrators, CERT suspects that the sniffer program quickly became widely available. By now, a large number of copycats may have obtained and installed the program. The FBI is conducting an investigation into the break-ins.
Relevant Federal Statutes

High Performance Computing Act of 1991 (HPCA) -- One purpose of the HPCA is to address networking security:

Section 101(a)(2)(I)(i) requires that the High-Performance Computing Program provide, among other things, "for the security requirements, policies, and standards necessary to protect Federal research computer networks and information resources accessible through Federal research computer networks, including research required to establish security standards for high-performance computing systems and networks."

Section 102(c)(5) states that the National Research and Education Network (NREN) will "be designed and operated so as to ensure the continued application of laws that provide network and information resources security measures. . . ."

Section 204(b) charges NIST with responsibility "for developing and proposing standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems."

Computer Security Act of 1987 (CSA) -- The CSA was enacted "[t]o provide for a computer standards program within the National Bureau of Standards [now NIST], to provide for Government-wide computer security, and to provide for the training in security matters" of government personnel involved with Federal computer systems:

Section 3 gives NIST, inter alia, the "responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems. . . ." This responsibility does not extend to defense computer systems. Section 3 also establishes a computer System Security and Privacy Advisory Board within the Department of Commerce to, among other things, identify computer system security and privacy issues and advise NIST on security and privacy issues pertaining to Federal computer systems.

Section 6 requires each Federal agency with one or more computer systems to develop a plan for the security and privacy of those systems. The agencies must give NIST copies of these plans for advice and comment.

FOCUS OF THE HEARING

The hearing will focus on the following questions:

1. The recent emergency: What caused the security breaches? What was the scope of the infiltration and resulting damage? What remedial steps have been taken and by whom? What is still unknown about the emergency?

2. Status of network security technology: What is the state of the art of network security? Which are the most effective technologies? Who employs cutting edge security measures, and who does not? What are the obstacles to more widespread deployment of state of the art security protections? What are the costs of utilizing security technologies? Who is responsible for security on the various Internet networks? How are Internet security concerns changing? What are the complications imposed by an international environment? How should Internet security evolve?

3. Organizational structure and government involvement: What is the role of the IAB in addressing security concerns? How effective is the current structure involving CERT, NIST, and FIRST? Are the security requirements of the High-Performance Computing Act being fulfilled?

4. Additional legislation: What additional legislative steps, if any, should be taken to address Internet security?

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
SUBCOMMITTEE ON SCIENCE

Hearing on Internet Security
March 22, 1994
9:30 a.m. - 2318 Rayburn House Office Building

Tentative Witness List

Mr. L. Dain Gary, Manager
Computer Emergency Response Team Operations
Carnegie Mellon University
Pittsburgh, Pennsylvania
(CERT is one of the response teams that form the Forum of Incident Response and Security Teams (FIRST))

Mr. Thomas T. Kubic, Chief
Financial Crimes Section
Federal Bureau of Investigation
Washington, DC

Dr. Vinton G. Cerf, President
Internet Society
Reston, Virginia
(Senior Vice President of Data Architecture, MCI)

Mr. Lynn McNulty
Associate Director for Computer Security
Computer Systems Laboratory
National Institute of Standards and Technology
Gaithersburg, Maryland
(NIST is the secretariat for FIRST)

Dr. Stephen D. Crocker, Vice President
Trusted Information Systems
Glenwood, Maryland
(Chair, Privacy and Security Research Group, Internet Research Task Force)

___________________________________________________________________________

From fins@access2.digex.net Fri Mar 18 14:48:05 1994
Received: from mercury.house.gov by nfs1.digex.net with SMTP id AA06797 (5.67a8/IDA-1.5 for ); Fri, 18 Mar 1994 13:14:58 -0500
Received: from hr.house.gov by mercury.house.gov with SMTP (1.37.109.4/16.2) id AA08860; Fri, 18 Mar 94 13:11:56 -0500
Received: by HR.HOUSE.GOV (Soft*Switch Central V4L380P5) id 720909130094077FSY00; 18 Mar 1994 13:09:13 EST
Message-Id:
Date: 18 Mar 1994 13:09:13 EST
From: "SSTPRESS"
Subject: SS&T Weekly Calendar
To: fins@access.digex.net
Comment: MAR21CAL.DOS

Committee on Science, Space, and Technology
U.S. House of Representatives
2320 Rayburn House Office Building
Washington, DC 20515

FOR THE WEEK BEGINNING: MARCH 21, 1994

MARCH 22, 1994 (TUESDAY)

SCIENCE SUBCOMMITTEE: 9:30 A.M. - 1:00 P.M. - 2318 RHOB
HEARING: Security of the Internet

INVESTIGATIONS AND OVERSIGHT SUBCOMMITTEE: 9:30 A.M. - 1:30 P.M. - 2325 RHOB
HEARING: Unfunded Federal Mandates: Who Should Pick Up the Tab?

MARCH 23, 1994 (WEDNESDAY)

FULL COMMITTEE: 10:00 A.M. - 5:00 P.M. - 2318 RHOB
MARKUP: H.R. 3254, the National Science Foundation Authorization Act of 1993; H.R. 3476, the National Science and Technology Policy, Organization and Priorities Act Amendments of 1993; H.R. 3870, the Environmental Technologies Act of 1994; and Committee Report on Oversight Visit-Baikonur Cosmodrome

SPACE SUBCOMMITTEE: 1:30 P.M. - 5:00 P.M. - 2325 RHOB
HEARING: NASA Authorization: Space Transportation

MARCH 24, 1994 (THURSDAY)

TECHNOLOGY, ENVIRONMENT AND AVIATION SUBCOMMITTEE: 9:30 A.M. - 12:00 NOON - 2318 RHOB
HEARING: Global Positioning System: What Can't It Do?

Background information and a tentative list of witnesses are available for each of these hearings by fax (202/225-8280) or by email (sstpress@hr.house.gov). Before coming to attend a hearing, please double-check that it is still scheduled by calling the Committee's 24-hour hearings hotline (202/225-3018).

For further information:
Rick Borchelt, press secretary, 202/225-3359
Joe Moss, press intern, 202/226-1461

24-HOUR HEARINGS HOTLINE: ***(202)225-3018***