Security Risks in the Computer-Communication Infrastructure

Thank you for the invitation to appear before you today. It is a very special privilege for me. (For the record, I have included some of my personal background at the end of this testimony.) My written statement addresses some of the fundamental risks facing us in our present uses of computer-communications technology, and assess how those risks might change as we depend increasingly on that technology. These written comments address issues that I understand to be at the heart of the intended scope of these hearings: an assessment of security vulnerabilities and risks in computer-communication systems within the Department of Defense, non-DoD U.S. Government, and private sector (including the NII and its future evolution). I include a few recommendations that might contribute to improved security. In the present context, security implies techniques for the prevention of intentional and { to some extent { accidental misuse in computer-communication systems. Brief Summary To give an idea of the scope of this testimony, here are a few talking points. We are becoming massively interconnected. Whether we like it or not, we must coexist with people and systems of unknown and unidentiiable trustworthiness (including unidentiiable hostile parties), within the U.S. and elsewhere. Our problems have become international as well as national. There are fundamental vulnerabilities in the existing computer-communication infrastructure, and serious risks that those vulnerabilities will be exploited { with possibly very severe eeects. Our national infrastructure depends not only on our interconnected information systems and networks, but also the public switched network, the air-traac control systems, the power grids, and many associated control systems { which themselves depend heavily on computers and communications. There are many past cases of security misuse worthy of your attention, such as the 1988 Internet Worm, the Citibank penetration, and the Rome Lab case (Reference 8). (See the attached Reference 3 for a summary of other cases as well.) However, there are many serious security vulnerabilities that have been discovered by friendly parties and xed before they could exploited. In addition, there have been various cases of misuse of government databases,