"Reviewing the Federal Cybersecurity Mission"

Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology

Tuesday, March 10, 2009

Testimony

Mary Ann Davidson, Chief Security Officer, Oracle

http://homeland.house.gov/SiteDocuments/20090310143850-78976.pdf

Chairwoman Clark, members of the Subcommittee, my name is Mary Ann Davidson, and I am Chief Security Officer for Oracle. For more than 30 years, information security has been a central part of Oracle's software DNA, and is a big reason why the federal government is Oracle's largest customer. Thank you for the opportunity to testify regarding the important issue of cybersecurity.

It's one thing to claim security is a central part of Oracle software in marketing or sales, but this is Mary Ann Davidson lying to Congress.

The truth of this statement should be self-evident but it isn't, and therein lies a risk to our freedoms. The ubiquity, flexibility, and configurability of information systems have led to circumstances in which software designed for a particular purpose and environment is too often deployed in an environment it was never designed for, without any thought or explicit acceptance of the risks in so doing. Without properly scoping our requirements we are faced with an all or nothing approach to cyberspace, simultaneously putting at risk our civil liberties, our homeland security and the women and men of our armed forces.

Information systems can pose a risk to our freedom, but also the 'risk' to the women and men of our armed forces. This is peculiar because the armed forces aren't the only ones who rely on these systems. Why not mention that every citizen relies on these systems for power, water, protection and more? Sending our troops the equipment they need (e.g., bulletproof vests that are in short supply) would be more effective than securing information systems. I don't recall seeing articles talking about any of the over 5,000 US soldiers lost in Iraq / Afghanistan dying due to insecure computer systems.

[..]

This brings me to my third point:

3. We are in a conflict - some would say a war. Let's call it what it is.

Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems for weaknesses, infiltrating U.S. government networks and making similar attempts against American businesses and critical industries - including our defense systems - is there any other conclusion to be reached? Whatever term we use, there are three obvious outgrowths from the above statement. One is that you can't win a "conflict" - or war - if you don't admit you are in one. The second is that nobody wins on defense. And the third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to things we value in the real world. In short, Congress should consider developing a 21st century application of the Monroe Doctrine. The need for a framework to guide the government's role in response to foreign aggression is a point that Melissa Hathaway has already noted during her 60-day interagency review of the Federal cybersecurity mission, and an area where this subcommittee can productively collaborate with the National Security Council.

For those a tad rusty on their US history, the Monroe Doctrine (introduced December 2, 1823) said that further efforts by European governments to interfere with states in the Americas - the Western hemisphere - would be viewed by the US as acts of aggression and the US would intervene. The Monroe Doctrine is one of our longest standing foreign policy tenets: invoked on multiple occasions by multiple presidents, including Teddy Roosevelt, Calvin Coolidge, Herbert Hoover and John Kennedy. We have, as the expression goes, sent in the Marines - and the rest of our armed forces - to support the Monroe Doctrine.

Note that the Monroe Doctrine did not detail the same intervention or even specific intervention for each perceived act of aggression, merely laid out "here is our turf; stay out or face the consequences" language that allowed great flexibility in terms of potential responses. Some may argue that cyberspace is 'virtual' and unsuited to declared spheres of influence. But even Internet protocol (IP) addresses map to physical devices in physical locations we care about - critical infrastructures such as a server for a utility company in New York, for example, or a bank in California.

This level of naivety in front of Congress should be criminal. Drafting an imaginary line isn't even a token gesture and only serves as political banter without backbone. With an imaginary red line around "our" Internet property, a cyber Monroe Doctrine doesn't hold up as a virtual equivalent. With a classic line, you see who steps across the line, you see what they are wearing (e.g., military uniforms from $country) and you know their intentions (e.g., the guns they are holding are a clue). For the cyber version, if someone crosses the line, do you even know who it was? Did the attacker just use a compromised host in one country to launch an attack on yours? Does attacking a random personally owned web site within our boundary count as an act of aggression toward our country? What if the attacker that just broke into pentagon.mil is a 13-year-old girl from Mexico, does that mean Mexico is waging war on the US?

If Davidson can't answer even one of these questions, she needs to re-think this Doctrine and start focusing on Oracle's dismal security record instead.

The advantages of invoking a Monroe-like Doctrine in cyberspace would be to put the world on notice that the US has cyber "turf" (properly scoped - we should not claim all cyberspace as our turf - there is plenty to go around). And the second is that we will defend our turf. We need to do both. Now.

As I mentioned earlier, having a military response capability does not mean militarizing all elements of U.S. cyberspace any more than invoking the Monroe Doctrine meant necessarily creating permanent encampments throughout the Western hemisphere. Nor should a cyber-Monroe Doctrine lead to permanent government encampments in private networks. With proper guidance, various government agencies and the private sector can find their natural role in guarding our cyber infrastructures in a manner similar to how we currently protect our real-world interests.
