b"<html>\n<title> - CYBERSECURITY RECOMMENDATIONS FOR THE NEXT ADMINISTRATION</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n \n       CYBERSECURITY RECOMMENDATIONS FOR THE NEXT ADMINISTRATION\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                        SUBCOMMITTEE ON EMERGING\n                        THREATS, CYBERSECURITY,\n                       AND SCIENCE AND TECHNOLOGY\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                           SEPTEMBER 16, 2008\n\n                               __________\n\n                           Serial No. 110-138\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n\n                                     \n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n\n                               __________\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n48-089                    WASHINGTON : 2009\n-----------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\n\nLoretta Sanchez, California          Peter T. 
King, New York\nEdward J. Markey, Massachusetts      Lamar Smith, Texas\nNorman D. Dicks, Washington          Christopher Shays, Connecticut\nJane Harman, California              Mark E. Souder, Indiana\nPeter A. DeFazio, Oregon             Tom Davis, Virginia\nNita M. Lowey, New York              Daniel E. Lungren, California\nEleanor Holmes Norton, District of   Mike Rogers, Alabama\nColumbia                             David G. Reichert, Washington\nZoe Lofgren, California              Michael T. McCaul, Texas\nSheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania\nDonna M. Christensen, U.S. Virgin    Ginny Brown-Waite, Florida\nIslands                              Gus M. Bilirakis, Florida\nBob Etheridge, North Carolina        David Davis, Tennessee\nJames R. Langevin, Rhode Island      Paul C. Broun, Georgia\nHenry Cuellar, Texas                 Candice S. Miller, Michigan\nChristopher P. Carney, Pennsylvania\nYvette D. Clarke, New York\nAl Green, Texas\nEd Perlmutter, Colorado\nBill Pascrell, Jr., New Jersey\n\n                    I. Lanier Lavant, Staff Director\n\n                     Rosaline Cohen, Chief Counsel\n\n                     Michael Twinchek, Chief Clerk\n\n                Robert O'Connor, Minority Staff Director\n\n                                 ______\n\n   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND \n                               TECHNOLOGY\n\n               James R. Langevin, Rhode Island, Chairman\n\nZoe Lofgren, California              Michael T. McCaul, Texas\nDonna M. Christensen, U.S. Virgin    Daniel E. Lungren, California\nIslands                              Ginny Brown-Waite, Florida\nBob Etheridge, North Carolina        Paul C. Broun, Georgia\nAl Green, Texas                      Peter T. King, New York (Ex \nBill Pascrell, Jr., New Jersey       Officio)\nBennie G. Thompson, Mississippi (Ex \nOfficio)\n\n                   Jacob Olcott, Director and Counsel\n\n       Dr. 
Chris Beck, Senior Advisor for Science and Technology\n\n                       Carla Zamudio-Dolan, Clerk\n\n           Kevin Gronberg, Minority Professional Staff Member\n\n                                  (II)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable James R. Langevin, a Representative in Congress \n  From the State of Rhode Island, and Chairman, Subcommittee on \n  Emerging Threats, Cybersecurity, and Science and Technology....     1\nThe Honorable Michael T. McCaul, a Representative in Congress \n  From the State of Texas, and Ranking Member, Subcommittee on \n  Emerging Threats, Cybersecurity, and Science and Technology....     5\nThe Honorable Ginny Brown-Waite, a Representative in Congress \n  From the State of Florida:\n  Prepared Statement.............................................     6\n\n                               Witnesses\n\nMr. David Powner, Director, Information Management Issues, \n  Government Accountability Office:\n  Oral Statement.................................................     7\n  Prepared Statement.............................................     9\nMr. James A. Lewis, Project Director, Commission on Cybersecurity \n  for the 44th Presidency, Center for Strategic and International \n  Studies; Accompanied by Lieutenant General Harry D. Raduege, \n  Jr., Co-Chairman, Commission on Cybersecurity for the 44th \n  Presidency, Center for Strategic and International Studies; and \n  Paul Kurtz, Member, Commission on Cybersecurity for the 44th \n  Presidency, Center for Strategic and International Studies:\n  Oral Statement.................................................    18\n  Prepared Statement.............................................    20\n\n                             For the Record\n\nThe Honorable James R. 
Langevin, a Representative in Congress \n  From the State of Rhode Island, and Chairman, Subcommittee on \n  Emerging Threats, Cybersecurity, and Science and Technology:\n  Letter.........................................................     4\n\n\n       CYBERSECURITY RECOMMENDATIONS FOR THE NEXT ADMINISTRATION\n\n                              ----------                              \n\n\n                      Tuesday, September 16, 2008\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n      Subcommittee on Emerging Threats, Cybersecurity, and \n                                    Science and Technology,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 2:22 p.m., in \nRoom 311, Cannon House Office Building, Hon. James R. Langevin \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Langevin, Green, Pascrell, and \nMcCaul.\n    Mr. Langevin. The subcommittee will come to order. The \nsubcommittee is meeting today to receive testimony on \ncybersecurity recommendations for the next administration. I \nwill begin by recognizing myself for the purposes of an opening \nstatement.\n    Of course I want to thank our panel for being with us \ntoday. Good afternoon, and welcome to our final public hearing \nof the 110th Congress. The Subcommittee on Emerging Threats, \nCybersecurity, Science and Technology has tackled a number of \ncritical issues related to our national security, including \nbiological, chemical, agricultural, radiological, and nuclear \nthreats. We have had an extremely busy schedule, and I thank \nall of the Members for their commitment and their leadership \nover the course of this Congress.\n    Today we are holding our eighth hearing on cybersecurity. I \ndon't think anyone would disagree when I say that this \nsubcommittee has established itself as the policy leader in the \nU.S. Congress on the issue. 
We have held hearings on hacking \nincidents at the Department of State, Commerce, and Department \nof Homeland Security; cyber attacks on our internet \ninfrastructure; oversight on the Cyber Initiative; the need for \nadditional investment in cybersecurity research and \ndevelopment; mitigating cyber vulnerabilities in the electric \ngrid; DHS and critical infrastructure sector plans to mitigate \ncyber vulnerabilities; and incentives for private sector \ncritical infrastructure owners to mitigate cyber \nvulnerabilities.\n    This is a significant number of hearings, but it is one \nthing to hold hearings and quite another to improve the \nsecurity of America. That is our goal. That is what I want to \ntalk about today. I believe our oversight has enhanced Federal \nand critical infrastructure cybersecurity by improving security \nat DHS, highlighting and filling gaps in Federal cybersecurity \npolicy, and holding individuals in public and private sectors \naccountable.\n    First, we have improved situational awareness, increased \nsecurity on networks at the Department of Homeland Security \nacross the Federal Government. Our goal on this committee, one \nthat I have discussed on many occasions, is to make the \nDepartment of Homeland Security the gold standard in Federal \ninformation security. We have got a long way to go before we \nget there, however. But as a result of our investigations and \nhearings, the CIO's Office began receiving more threat \nbriefings. That raises situational awareness.\n    The CIO also began working in a more collaborative fashion \nwith US-CERT after we questioned why the EINSTEIN system wasn't \ndeployed on more networks at DHS. Shortly after our June 2007 \nhearing, EINSTEIN was deployed at more than 2 dozen DHS \ngateways, providing greater insight into the significant number \nof attacks on Government systems. 
This helps us to know where \nto commit resources to our defenses.\n    Now, we also saw results from those early subcommittee \nhearings. In April 2007 we called for a national-level \ninitiative that would standardize intrusion detection \ntechnologies across the Federal Government. Eight months later, \nthe administration announced a new Cyber Initiative to improve \nthe security posture of the Federal Government's networks.\n    Second, the subcommittee's oversight has filled and will \ncontinue to fill significant gaps that exist in Federal \ncybersecurity policy. We spent a significant amount of time on \nthe electric grid, one of our most vulnerable critical \ninfrastructure sectors. In 2007, this subcommittee initiated a \nreview of the Federal Government's effort and ability to ensure \nthe security of the bulk power system from cyber attack. We \nbegan surveying the electric sector to determine their \nmitigation efforts for the Aurora vulnerability. During my \nreview of these efforts, it became evident that mitigation of \nthis vulnerability was highly inconsistent. My colleagues and I \nwere surprised and disturbed to see how dismissive many of the \ncompanies were of this vulnerability, so we began doing all we \ncould to ensure that it would be fixed.\n    Today, because of our hearings, more companies are \nmitigating Aurora and other cyber vulnerabilities in their \nsystems. During that review, we also identified inconsistent \nFederal policies that would leave the grid vulnerable to cyber \nattack.\n    Last week, I testified before the Energy and Commerce \nSubcommittee on Energy and Air Quality about the need to \nprovide the Federal Energy Regulatory Commission with emergency \nauthority to ensure the security of the electric system from \ncyber attack. 
I am highly optimistic that the Congress will \nsoon consider legislation to grant this authority to FERC, and \nI thank Chairman Boucher for his initiative on this issue.\n    Finally, I believe the subcommittee's oversight has \nestablished much needed accountability in both the public and \nprivate sectors. For instance, as a result of our investigation \ninto cyber attacks of Chinese origin, the inspector general, \nthe Office of Security, and the FBI are busy conducting their \nown reviews of attacks on DHS systems. The contractors \nresponsible for securing these systems also remain under \ninvestigation. This would not have happened without the \noversight of this committee, and I hope that the public will \nsoon hear about the findings of these reviews.\n    After providing misleading or confusing statements to this \nsubcommittee in May, the North American Electric Reliability \nOrganization has demonstrated a new commitment to \ncybersecurity, and they should be commended for their efforts \nthus far. After our hearing, NERC announced a process to create \nnew standards for cybersecurity and created a new position of \nchief security officer for the electric grid. I was glad to see \nNERC endorsed the FERC emergency authority legislation last \nweek, and look forward to watching their continued progress on \nthis issue.\n    I also at this time want to take the opportunity to thank \nmy partner and Ranking Member, Congressman Mike McCaul of \nTexas, who has been a true ally in this effort.\n    We have done some good work so far, but there is obviously \nmuch more work ahead of us. That is why we are here today. In \nOctober 2007, Mike and I were named co-chairs of the Center for \nStrategic and International Studies Commission on Cybersecurity \nfor the 44th Presidency. The CSIS Commission is a nonpartisan \ncommission composed of approximately 30 renowned cybersecurity \nexperts, both in and out of Government from across the country. 
\nIt is an impressive, experienced, and diverse group of people, \nand we are glad to be joined today by three members of the \nCommission: Jim Lewis, the program director; retired General \nHarry Raduege, one of the four co-chairs; and Paul Kurtz, also \na member of the Commission. Unfortunately, Scott Charney, Vice \nPresident of Trustworthy Computing at Microsoft, and the other \nco-chair of the group, was unable to attend today, but he has \nbeen vital to the Commission's work. I want to acknowledge his \ncontributions and leadership as well.\n    We are here to talk about what the next administration \nneeds to do to improve cybersecurity. There are a number of \nsignificant issues that the incoming administration will face. \nNew organization and national strategies must be considered, \nlegal authorities altered and enhanced, investment and \nacquisition policies shaped, regulation and incentive regimes \nrevised; and Government relationships with the private sector \nrestored.\n    Congress plays a key role in the future of cybersecurity \npolicy. Just as this administration hasn't spoken with one \nvoice, however, committee jurisdictional squabbles threaten to \ndivide the attention and focus of Congress on these issues as \nwell. That is why I am announcing today that with my colleague, \nRanking Member and partner in this effort, Congressman Mike \nMcCaul and I created the first House Cybersecurity Caucus. The \npurpose of the Caucus is to raise awareness and provide a forum \nfor Members representing different committees of jurisdiction \nto discuss the challenges in securing cybersecurity. We have \nalready received great support from a number of Members, and we \nlook forward to having our kick-off event in January 2009.\n    With that being said on the Caucus, I would like to, with \nunanimous consent, enter a letter into the record basically \nannouncing and establishing the Caucus. 
Without objection, that \nwill be so ordered.\n    [The information follows:]\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    Mr. Langevin. With that, I just want to close by again \nthanking my partner in this effort, Congressman McCaul, and my \nfellow Members of the subcommittee for their participation, \ntheir support, and their efforts in this area. I want to thank \nof course the witnesses for their appearance here today. Your \nwork on the CSIS Commission has been invaluable, and it is \ndoing great service to our country, and particularly on the \nissue of cybersecurity. Again, I am grateful for your efforts.\n    With that, the Chair now recognizes the Ranking Member of \nthe subcommittee, the gentleman from Texas, Mr. McCaul, for \npurposes of an opening statement.\n    Mr. McCaul. Thank you, Mr. Chairman. We commend you for \nyour excellent leadership, your steadfastness, your focus on \nsuch an important issue with regards to our national security. \nYou have been a real leader in this Congress. I know this is \nour last hearing, but I know we will continue to work together \nas colleagues, as partners, and as friends on this important \nissue.\n    I think this Commission is a great legacy. When I look back \nat this Congress and all the things that we have accomplished, \nI can think of nothing that makes me more proud than the \npartnership I have had with you on cybersecurity and the \ncreation of this important Commission. So I want to thank you \nfor that.\n    Mr. Langevin. Thank you.\n    Mr. McCaul. You know, this issue doesn't always get the \nheadlines. Sometimes people glaze over when you talk about it. \nBut I think everybody sitting in this room understands the \nimportance of it and how it impacts every facet of our lives, \nand how we are vulnerable to an attack either by criminals, by \ncriminal enterprises, by espionage, or by cyber warfare. 
So \nthis is a very, very important issue.\n    The oath we took coming into office was to protect and \ndefend the Constitution from all enemies, foreign and domestic. \nThe most solemn obligation we have as Members of Congress is to \nprotect the American people. That is what this committee is all \nabout, the Homeland Security Committee, and that is also what \nthis Commission is about, is about protecting the American \npeople.\n    I just came back from my district in my home State of \nTexas, where I witnessed a natural disaster bringing power \ndown, destroying homes and lives amidst pain and suffering. \nThat is a natural disaster. What we are talking about here is a \nforce that would have the same potential, but it is man-made. \nSo this committee protects the American people from both man-\nmade and natural disasters.\n    So as we saw the power grids go down in the greater Houston \narea, the Texas Gulf Coast, a cyber attack could accomplish the \nsame destruction by the click of a mouse. You know, over the \nlast 2 decades America has become increasingly dependent on the \nsmooth operation of our computer networks, and many critical \nsectors of our Nation's economy are dependent on cyberspace. It \nis clear that the security of the American homeland is directly \ntied to our cybersecurity efforts.\n    As this subcommittee under the Chairman's leadership has \nheard over and over again, our Nation is being attacked by \ndetermined enemies every single day in cyberspace, resulting in \neconomic loss and the loss of critical information to hostile \nforeign powers. It is essential that the next administration \nplace a high priority on cybersecurity. It is the intention of \nChairman Langevin and myself to make sure it is high on the \nradar screen. The Center for Strategic and International \nStudies Commission on Cybersecurity for the 44th Presidency has \nbeen working on a cybersecurity strategy since November 2007. 
\nThat has been informed by many of this administration's current \nefforts to secure cyberspace. While the President's \nComprehensive National Cybersecurity Initiative will help \nsecure Government networks and help protect our Nation against \ncomputer network exploitation and attack, we also heard from a \nmultitude of essential industry partners that without \nsubstantial private sector coordination, our networks will \nremain highly vulnerable.\n    I believe this Commission's report can and will add \ntremendously to the discussion on how to secure cyberspace and \nhow to put the issue high on the next President--no matter \nwhich party--to put this issue high on the President's priority \nlist.\n    A key component of the Commission's work has been the \ncritical issue of how to involve the private sector in a truly \ncomprehensive cybersecurity plan. While the work of the \nCommission is ongoing, we hope to hear from our witnesses \ntoday, and I hope to hear them discuss some of the Commission's \nwork and roll out some of the preliminary findings and \nrecommendations.\n    On a personal note, again I want to thank you, Chairman \nLangevin, for your truly bipartisan spirit. It is too bad that \nwe in the Congress don't have more of that kind of partnering \nin a bipartisan way. I think that is what the American people \nwant. I think it is what the American people deserve. When we \ncan accomplish great things like this in a bipartisan way, I \nthink it does the country tremendous service.\n    I want to thank the members that are here today from the \nCommission: Dr. Lewis, General Raduege, Mr. Kurtz. Mr. Powner, \nthank you for being here today from the GAO. But I feel like \nover the course of the last year or so that we have become good \nfriends, and I believe that you all are doing some great work, \nand I look forward to hearing your testimony. Thank you.\n    Mr. Langevin. 
I thank the Ranking Member for his statement, \nand again for his input and partnership in this effort. Before \nI go into introducing our panel today, I just want to for the \nrecord extend my sympathies, condolences to the people of \nTexas, for the loss that they have endured as a result of \nHurricane Ike. We stand with you in solidarity and support in \noffering any help that we can give as you get through this \ndifficult time. I know particularly your district was hit \npretty hard. Again, our thoughts and prayers are with you and \nyour district at this difficult time.\n    Mr. McCaul. I appreciate it.\n    Mr. Langevin. With that, I just wanted to say that other \nMembers of the subcommittee are reminded that under the \ncommittee rules, opening statements may be submitted for the \nrecord.\n    [The statement of Hon. Brown-Waite follows:]\n\n           Prepared Statement of Honorable Ginny Brown-Waite\n\n    Thank you, Chairman Langevin.\n    Thank you for holding this hearing today. As the country moves \nfurther and further into the twenty-first century, it will become \nincreasingly important to improve and expand our ability to prevent and \nrespond to cyber attacks. In the coming years, this committee, the \nintelligence community, the Department of Defense and the next \nadministration will have to figure out the best way to move forward.\n    When a power plant in my State is attacked and shut down by a cyber \nattack from overseas, does the situation constitute an act of war or an \nact of terrorism? Will it be possible to discern the difference? \nMoreover, what is America's capacity to respond to such an attack?\n    Eighty percent of the information technology infrastructure in this \ncountry is owned and managed by the private sector. This fact alone \nmeans we will have to see greater cooperation between the private \nsector and the Federal Government when it comes to protecting our \ncountry from cyber attacks in the future. 
In addition, as the IT \nindustry's largest single customer, I hope that the U.S. Government can \nbring its size to bear in driving down costs and encouraging innovation \nin cybersecurity standards.\n    Finally, I would like to thank the witnesses for their efforts in \npreparing this study for the next administration. This will certainly \nbe a priority going forward, and it seems clear that you have laid down \nsome important groundwork.\n    I thank you for being here today, and I look forward to your \ntestimony.\n\n    Mr. Langevin. With that, I just want to now welcome our \ndistinguished panel of witnesses.\n    Our first witness is Dave Powner, Director of Information \nTechnology Management Issues at the Government Accountability \nOffice. Mr. Powner and his team have produced a number of \nreports for this subcommittee in the 110th Congress. I want to \ntake this opportunity to thank you and your team for your \nexcellent work.\n    Our second witness is Jim Lewis, the Director of the Center \nfor Strategic and International Studies Technology and Public \nPolicy Program. He is a senior fellow. He is also the program \nmanager for the CSIS Commission on Cybersecurity for the 44th \nPresidency. Jim, I want to welcome you here today and thank you \nfor your friendship and leadership, particularly over this last \nyear as the Commission has conducted its work. It has been \noutstanding.\n    Our third witness is General Harry Raduege. General Raduege \nis Chairman of the Joint Center for Network Innovation. \nPreviously, he spent 35 years serving the Nation in the U.S. \nmilitary. His latest assignments were Director of the Defense \nInformation Systems Agency and Commander of the Joint Task \nForce for Global Networks Operations. General Raduege is also \nco-chair of the CSIS's Commission on Cybersecurity. Welcome.\n    Our fourth witness is Paul Kurtz, a partner at Good Harbor \nConsulting. Mr. 
Kurtz is a recognized cybersecurity and \nhomeland security expert, having served in senior positions on \nthe White House's National Security and Homeland Security \nCouncils under Presidents Clinton and Bush. He is a \nmember also of the CSIS Commission on Cybersecurity.\n    Welcome to all of you. For the purposes of opening \nstatements, I have asked Mr. Lewis to deliver one opening \nstatement on behalf of the other members of the CSIS \nCommission. Without objection, the witnesses' full statements \nwill be inserted into the record. I will now ask each witness \nto summarize his statement for 5 minutes, beginning with Mr. \nPowner. Thank you for being here today.\n\n  STATEMENT OF DAVID POWNER, DIRECTOR, INFORMATION MANAGEMENT \n            ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Powner. Chairman Langevin, Ranking Member McCaul, \nMembers of the subcommittee, thank you for inviting us to \ntestify on cybersecurity recommendations for the next \nadministration. Also thank you for your oversight and \nleadership, as our work for you has resulted in numerous \nrecommendations to DHS to improve the security of our Nation's \ncyber critical infrastructure.\n    Today we are releasing two new reports with significant \nrecommendations, completed at your request, on cyber analysis \nand warning, and Cyber Storm exercises. My comments this \nafternoon will address key recommendations in these reports, as \nwell as recommendations associated with organizational \ninefficiencies in leadership, sector-specific plans, and \nrecovery planning.\n    Starting with organizational inefficiencies in leadership, \nseveral organizational issues need to be addressed to more \neffectively manage cyber operations at DHS. 
First, the National \nCommunications System and the National Cyber Security Division \nneed to integrate duplicative and overlapping operations to \nmore efficiently respond to communication disruptions.\n    Next, the authorities and responsibilities associated with \nthe new Cybersecurity Center, establishing a response to the \nPresident's January 2008 Cyber Initiative need to be reconciled \nwith those of both the Assistant Secretary for Cyber Security \nand the NCSD. On a broader scale, a more fundamental policy \nissue that the new administration will need to tackle is \nwhether these responsibilities should reside in DHS or whether \nthe Nation's focal point for cyber should be elevated to the \nWhite House.\n    Over the course of our work, many in the private sector \ntold us that it worked better when it resided there prior to \nthe creation of DHS.\n    Next, sector planning. Mr. Chairman, we testified before \nyou last October on the lack of cybersecurity focus in the 17 \nsector plans. The revised sector plans, which are expected by \nthe end of the month, need to ensure that our Nation's key \nsectors are keenly focused on prioritizing cyber assets, \nconducting comprehensive vulnerability assessments, and \naddressing security weaknesses. Otherwise, this will remain a \npaper exercise.\n    A broader policy issue that the new administration should \nconsider is whether all sectors are of equal importance, and \nwhether our Nation should designate or prioritize certain \nsectors that are more critical.\n    Turning to cyber analysis and warning. Despite some \nprogress, our report being released today shows that the US-\nCERT is far from the national cyber analysis and warning focal \npoint envisioned in policy. 
Our report lays out 10 detailed \nrecommendations and highlights 15 areas that need to be improved.\n    For example, US-CERT needs to expand its scope \nsignificantly, get more on the front end of attacks, be capable \nof handling multiple significant events, and issue warnings \nthat are targeted, actionable, and timely. Leveraging similar \ncapabilities at DOD and within the intelligence community \nshould also be explored.\n    Next, recovery planning. Despite Federal policy requiring \nDHS to develop an integrated public-private plan to address \ninternet disruptions, our representations to guide these \nefforts, and numerous congressional hearings on this, a joint \npublic-private internet recovery plan still does not exist. \nDespite efforts with the various sectors, ISACs and \ncoordinating councils to build better partnerships with the \nGovernment, this is a clear example of where the partnering has \nnot been sufficient. Further, it leaves our Nation not fully \nprepared to respond to major internet disruptions.\n    The final area that I would like to address is cyber \nexercises. Today we are releasing a report where DHS has \ncompleted about two-thirds of nearly 70 actions called for from \nthe 2006 Cyber Storm exercise. So, clearly, progress has been \nmade and these exercises have proven useful.\n    However, Mr. Chairman, more aggressive follow-up needs to \noccur, and DHS needs to document lessons learned from these \nexercises more timely.\n    The March Cyber Storm II results are not to be documented \nuntil December of this year. Meanwhile, planning for the next \nexercise is underway. The Nation's focal point for \ncybersecurity should not and cannot be viewed as a slow-moving \nbureaucracy.\n    In summary, Mr. 
Chairman, I would like to thank you for \nyour leadership and oversight of our Nation's cyber critical \ninfrastructure protection and for focusing the next \nadministration on these critical areas that need to be \naddressed.\n    Many large policy questions loom: organizational placement, \ncontinuing with the sector-based approach, regulation versus \nmarket incentives. However, no matter what decisions or \napproaches our Nation pursues, the Federal Government needs to \ndo a better job in the areas it controls, including cyber \nanalysis and warning, and coordinating exercises and recovery \nefforts so that it is viewed as a credible player and a partner \nin securing our Nation's critical infrastructure. Today it is \nnot. We look forward to working with you in the future on these \nissues and to your questions.\n    [The statement of Mr. Powner follows:]\n\n                   Prepared Statement of David Powner\n                           September 16, 2008\n\n                             GAO HIGHLIGHTS\n\n    Highlights of GAO-08-1157T, a report to Subcommittee on Emerging \nThreats, Cybersecurity, and Science and Technology, Committee on \nHomeland Security, House of Representatives.\n\n                         WHY GAO DID THIS STUDY\n\n    Recent cyber attacks demonstrate the potentially devastating impact \nthese pose to our Nation's computer systems and to the Federal \noperations and critical infrastructures that they support. They also \nhighlight that we need to be vigilant against individuals and groups \nwith malicious intent, such as criminals, terrorists, and nation-states \nperpetuating these attacks. Federal law and policy established the \nDepartment of Homeland Security (DHS) as the focal point for \ncoordinating cybersecurity, including making it responsible for \nprotecting systems that support critical infrastructures, a practice \ncommonly referred to as cyber critical infrastructure protection. 
Since \n2005, GAO has reported on the responsibilities and progress DHS has \nmade in its cybersecurity efforts. GAO was asked to summarize its key \nreports and their associated recommendations aimed at securing our \nNation's cyber critical infrastructure. To do so, GAO relied on \nprevious reports, as well as two reports being released today, and \nanalyzed information about the status of recommendations.\n\n                          WHAT GAO RECOMMENDS\n\n    GAO has previously made about 30 recommendations to help DHS \nfulfill its cybersecurity responsibilities and resolve underlying \nchallenges. DHS in large part concurred with GAO's recommendations and \nin many cases has actions planned and underway to implement them.\n\n  CRITICAL INFRASTRUCTURE PROTECTION: DHS NEEDS TO BETTER ADDRESS ITS \n                     CYBERSECURITY RESPONSIBILITIES\n\n                             WHAT GAO FOUND\n\n    GAO has reported over the last several years that DHS has yet to \nfully satisfy its cybersecurity responsibilities. To address these \nshortfalls, GAO has made about 30 recommendations in the following key \nareas.\n\n                 KEY CYBERSECURITY AREAS REVIEWED BY GAO\n------------------------------------------------------------------------\n                                                       Area\n------------------------------------------------------------------------\n1......................................  Bolstering cyber analysis and\n                                          warning capabilities.\n2......................................  Reducing organizational\n                                          inefficiencies.\n3......................................  Completing actions identified\n                                          during cyber exercises.\n4......................................  
Developing sector-specific\n                                          plans that fully address all\n                                          of the cyber-related criteria.\n5......................................  Improving cybersecurity of\n                                          infrastructure control systems\n                                          (which are computer-based\n                                          systems that monitor and\n                                          control sensitive processes\n                                          and physical functions).\n6......................................  Strengthening DHS's ability to\n                                          help recover from internet\n                                          disruptions.\n------------------------------------------------------------------------\nSource: GAO analysis.\n\n    Specifically, examples of what GAO reported and recommended are as \nfollows:\n  <bullet> Cyber analysis and warning.--In July 2008, GAO reported that \n        DHS's United States Computer Emergency Readiness Team (US-CERT) \n        did not fully address 15 key cyber analysis and warning \n        attributes. For example, US-CERT provided warnings by \n        developing and distributing a wide array of notifications; \n        however, these notifications were not consistently actionable \n        or timely. Consequently, GAO recommended that DHS address these \n        attribute shortfalls.\n  <bullet> Cyber exercises.--In September 2008, GAO reported that since \n        conducting a cyber attack exercise in 2006, DHS demonstrated \n        progress in addressing eight lessons it learned from this \n        effort. However, its actions to address the lessons had not \n        been fully implemented. 
GAO recommended that the Department \n        schedule and complete all identified corrective activities.\n  <bullet> Control systems.--In a September 2007 report and October \n        2007 testimony, GAO identified that DHS was sponsoring multiple \n        efforts to improve control system cybersecurity using \n        vulnerability evaluation and response tools. However, the \n        Department had not established a strategy to coordinate this \n        and other efforts across Federal agencies and the private \n        sector, and it did not effectively share control system \n        vulnerabilities with others. Accordingly, GAO recommended that \n        DHS develop a strategy to guide efforts for securing such \n        systems and establish a process for sharing vulnerability \n        information.\n    While DHS has developed and implemented capabilities to address \naspects of these areas, it still has not fully satisfied any of them. \nUntil these and other areas are effectively addressed, our Nation's \ncyber critical infrastructure is at risk of increasing threats posed by \nterrorists, nation-states, and others.\n    Mr. Chairman and Members of the subcommittee: Thank you for the \nopportunity to join in today's hearing to discuss efforts in protecting \nour Nation's critical infrastructures from cybersecurity threats. 
The \nrecent computer-based, or cyber, attacks against nation-states and \nothers demonstrate the potentially devastating impact these pose to \nsystems and the operations and critical infrastructures that they \nsupport.\\1\\ They also highlight the need to be vigilant against \nindividuals and groups with malicious intent, such as criminals, \nterrorists, and nation-states perpetuating these attacks.\n---------------------------------------------------------------------------\n    \\1\\ Critical infrastructure is systems and assets, whether physical \nor virtual, so vital to the United States that their incapacity or \ndestruction would have a debilitating impact on national security, \nnational economic security, national public health or safety, or any \ncombination of those matters. There are 18 critical infrastructure \nsectors: agriculture and food, banking and finance, chemical, \ncommercial facilities, communications, critical manufacturing, dams, \ndefense industrial base, emergency services, energy, Government \nfacilities, information technology, national monuments and icons, \nnuclear reactors, materials and waste, postal and shipping, public \nhealth and health care, transportation systems, and water.\n---------------------------------------------------------------------------\n    Today, I will discuss the Department of Homeland Security's (DHS) \nprogress in fulfilling its responsibilities to protect systems that \nsupport critical infrastructures--a practice referred to as cyber \ncritical infrastructure protection or cyber CIP--as well as its \nprogress in addressing our related recommendations. 
Due to concerns \nabout DHS's efforts to fully implement its CIP responsibilities as well \nas known security risks to critical infrastructure systems, we added \ncyber CIP as part of our Federal information technology systems \nsecurity high-risk area in 2003 and have continued to report on its \nstatus since that time.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ For our most recent high risk report, see GAO, High-Risk \nSeries: An Update, GAO-07-310 (Washington, DC: January 2007).\n---------------------------------------------------------------------------\n    As requested, my testimony will summarize our key reports--two of \nwhich are being released today at this hearing--and their associated \nrecommendations aimed at securing our Nation's cyber critical \ninfrastructure. Specifically, these reports and recommendations focus \non: (1) Providing cyber analysis and warning capabilities; (2) being \neffectively organized to plan for and respond to disruptions on \nconverged voice and data networks; (3) conducting and coordinating \ncyber attack exercises; (4) developing cyber-related sector-specific \ncritical infrastructure plans; (5) securing control systems--computer-\nbased systems that monitor and control sensitive processes and physical \nfunctions; and, (6) coordinating public/private planning for internet \nrecovery from a major disruption.\n    In preparing for this testimony, we relied on our previous reports \non Department efforts to fulfill its cyber CIP responsibilities. \nThese reports contain detailed overviews of the scope and methodology \nwe used. We also obtained and analyzed information about the \nimplementation status of our recommendations. We conducted our work, in \nsupport of this testimony, from August 2008 through September 2008, in \nthe Washington, DC area. 
The work on which this testimony is based was \nperformed in accordance with generally accepted government auditing \nstandards.\n\n                            RESULTS IN BRIEF\n\n    Since 2005, we have reported that DHS has yet to fully satisfy its \ncybersecurity responsibilities. These reports included nearly 30 \nrecommendations on key areas essential for DHS to address in order to \nfully implement its cybersecurity responsibilities. Examples of what \nGAO reported and recommended are as follows:\n  <bullet> Cyber analysis and warning.--In a report being released \n        today, we determined \\3\\ that DHS's United States Computer \n        Emergency Readiness Team (US-CERT) did not fully address 15 key \n        cyber analysis and warning attributes related to: (1) \n        Monitoring network activity to detect anomalies; (2) analyzing \n        information and investigating anomalies to determine whether \n        they are threats; (3) warning appropriate officials with timely \n        and actionable threat and mitigation information; and, (4) \n        responding to the threat. For example, US-CERT provided \n        warnings by developing and distributing a wide array of \n        notifications; however, these notifications were not \n        consistently actionable or timely. As a result, we recommended \n        that the Department address shortfalls associated with the 15 \n        attributes in order to fully establish a national cyber \n        analysis and warning capability. 
DHS agreed in large part with \n        our recommendations.\n---------------------------------------------------------------------------\n    \\3\\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in \nEstablishing a Comprehensive National Capability, GAO-08-588 \n(Washington, DC: July 31, 2008).\n---------------------------------------------------------------------------\n  <bullet> Cyber exercises.--In another report \\4\\ being issued today, \n        we concluded that since conducting a major cyber attack \n        exercise, called Cyber Storm, DHS demonstrated progress in \n        addressing eight lessons it learned from these efforts. \n        However, its actions to address the lessons had not been fully \n        implemented. Specifically, while it had completed 42 of the 66 \n        activities identified, the Department identified 16 activities \n        as ongoing and 7 as planned for the future. Consequently, we \n        recommended that it schedule and complete all of the corrective \n        activities identified so as to strengthen coordination between \n        both public and private sector participants in response to \n        significant cyber incidents. DHS concurred with our \n        recommendation.\n---------------------------------------------------------------------------\n    \\4\\ GAO, Critical Infrastructure Protection: DHS Needs To Fully \nAddress Lessons Learned From Its First Cyber Storm Exercise, GAO-08-825 \n(Washington, DC: Sept. 
9, 2008).\n---------------------------------------------------------------------------\n  <bullet> Control systems.--In a September 2007 report and October \n        2007 testimony,\\5\\ we identified that DHS was sponsoring \n        multiple control systems security initiatives, including \n        efforts to: (1) Improve control systems cybersecurity using \n        vulnerability evaluation and response tools; and, (2) build \n        relationships with control systems vendors and infrastructure \n        asset owners. However, DHS had not established a strategy to \n        coordinate the various control systems activities across \n        Federal agencies and the private sector, and it did not \n        effectively share information on control system vulnerabilities \n        with the public and private sectors. Accordingly, we \n        recommended that DHS develop a strategy to guide efforts for \n        securing control systems and establish a rapid and secure \n        process for sharing sensitive control system vulnerability \n        information to improve Federal Government efforts to secure \n        control systems governing critical infrastructure. DHS \n        officials took our recommendations under advisement and more \n        recently have begun developing a strategy, which is still a \n        work in process. In addition, while DHS has begun developing a \n        process to share sensitive information, it has not provided any \n        evidence that the process has been implemented or that it is an \n        effective information sharing mechanism.\n---------------------------------------------------------------------------\n    \\5\\ GAO, Critical Infrastructure Protection: Multiple Efforts to \nSecure Control Systems Are Under Way, but Challenges Remain, GAO-07-\n1036 (Washington, DC: Sept. 
10, 2007) and Critical Infrastructure \nProtection: Multiple Efforts to Secure Control Systems Are Under Way, \nbut Challenges Remain, GAO-08-119T (Washington, DC: Oct. 17, 2007).\n---------------------------------------------------------------------------\n                               BACKGROUND\n\n    The same speed and accessibility that create the enormous benefits \nof the computer age can, if not properly controlled, allow individuals \nand organizations to inexpensively eavesdrop on or interfere with \ncomputer operations from remote locations for mischievous or malicious \npurposes, including fraud or sabotage. In recent years, the \nsophistication and effectiveness of cyber attacks have steadily \nadvanced.\n    Government officials are increasingly concerned about attacks from \nindividuals and groups with malicious intent, such as criminals, \nterrorists, and nation-states. As we reported \\6\\ in June 2007, \ncybercrime has significant economic impacts and threatens U.S. national \nsecurity interests. Various studies and experts estimate the direct \neconomic impact from cybercrime to be in the billions of dollars \nannually. In addition, there is continued concern about the threat that \nour adversaries, including nation-states and terrorists, pose to our \nnational security. For example, intelligence officials have stated that \nnation-states and terrorists could conduct a coordinated cyber attack \nto seriously disrupt electric power distribution, air traffic control, \nand financial sectors. In May 2007, Estonia was the reported target of \na denial-of-service cyber attack with national consequences. 
The \ncoordinated attack created mass outages of its Government and \ncommercial Web sites.\\7\\\n---------------------------------------------------------------------------\n    \\6\\ GAO, Cybercrime: Public and Private Entities Face Challenges in \nAddressing Cyber Threats, GAO-07-705 (Washington, DC: June 22, 2007).\n    \\7\\ Computer Emergency Response Team of Estonia, ``Malicious Cyber \nAttacks Against Estonia Come from Abroad,'' April 29, 2007, and Remarks \nby Homeland Security Secretary Michael Chertoff to the 2008 RSA \nConference, April 8, 2008.\n---------------------------------------------------------------------------\n    To address threats posed against the Nation's computer-reliant \ninfrastructures, Federal law and policy establish DHS as the focal \npoint for cyber CIP. For example, within DHS, the Assistant Secretary \nof Cyber Security and Communications is responsible for being the focal \npoint for national cyber CIP efforts. Under the Assistant Secretary is \nthe National Cyber Security Division (NCSD), which interacts on a \nday-to-day basis with Federal and non-Federal agencies and organizations \n(e.g., State and local governments, private-sector companies) regarding, \namong other things, cyber-related analysis, warning, information \nsharing, major incident response, and national-level recovery efforts. \nConsequently, DHS has multiple cybersecurity-related roles and \nresponsibilities. 
In May 2005, we \nidentified, and reported on, 13 key cybersecurity responsibilities \ncalled for in law and policy.\\8\\ These responsibilities are described \nin Appendix I.\n---------------------------------------------------------------------------\n    \\8\\ GAO, Critical Infrastructure Protection: Department of Homeland \nSecurity Faces Challenges in Fulfilling Cybersecurity Responsibilities, \nGAO-05-434 (Washington, DC: May 26, 2005); Critical Infrastructure \nProtection: Challenges in Addressing Cybersecurity, GAO-05-827T \n(Washington, DC: July 19, 2005); and Critical Infrastructure \nProtection: DHS Leadership Needed to Enhance Cybersecurity, GAO-06-\n1087T (Washington, DC: Sept. 13, 2006).\n---------------------------------------------------------------------------\n    Since then, we have performed detailed work and made \nrecommendations on DHS's progress in fulfilling specific aspects of the \nresponsibilities, as discussed in more detail later in this statement.\n    In addition to DHS efforts to fulfill its cybersecurity \nresponsibilities, the President in January 2008 issued HSPD 23--also \nreferred to as National Security Presidential Directive 54 and the \nPresident's ``Cyber Initiative''--to improve DHS and the other Federal \nagencies' cybersecurity efforts, including protecting against intrusion \nattempts and better anticipating future threats.\\9\\ While the directive \nhas not been made public, DHS officials stated that the initiative \nincludes steps to enhance cyber analysis related efforts, such as \nrequiring Federal agencies to implement a centralized network \nmonitoring tool and reduce the number of connections to the internet.\n---------------------------------------------------------------------------\n    \\9\\ The White House, National Security Presidential Directive 54/\nHomeland Security Presidential Directive 23 (Washington, DC: Jan. 
8, \n2008).\n---------------------------------------------------------------------------\n      DHS NEEDS TO ADDRESS SEVERAL KEY AREAS ASSOCIATED WITH ITS \n                     CYBERSECURITY RESPONSIBILITIES\n\n    Over the last several years, we have reported that DHS has yet to \ncomprehensively satisfy its key cybersecurity responsibilities. These \nreports included about 30 recommendations that we summarized into the \nfollowing key areas that are essential for DHS to address in order to \nfully implement its cybersecurity responsibilities.\n\n                 KEY CYBERSECURITY AREAS REVIEWED BY GAO\n------------------------------------------------------------------------\n                                                       Area\n------------------------------------------------------------------------\n1......................................  Bolstering cyber analysis and\n                                          warning capabilities.\n2......................................  Reducing organizational\n                                          inefficiencies.\n3......................................  Completing actions identified\n                                          during cyber exercises.\n4......................................  Developing sector-specific\n                                          plans that fully address all\n                                          of the cyber-related criteria.\n5......................................  Improving cybersecurity of\n                                          infrastructure control\n                                          systems.\n6......................................  
Strengthening DHS's ability to\n                                          help recover from internet\n                                          disruptions.\n------------------------------------------------------------------------\nSource: GAO analysis.\n\nBolstering Cyber Analysis and Warning Capabilities\n    In July 2008, we identified \\10\\ that cyber analysis and warning \ncapabilities included: (1) monitoring network activity to detect \nanomalies; (2) analyzing information and investigating anomalies to \ndetermine whether they are threats; (3) warning appropriate officials \nwith timely and actionable threat and mitigation information; and, (4) \nresponding to the threat. These four capabilities comprise 15 key \nattributes, which are detailed in Appendix II.\n---------------------------------------------------------------------------\n    \\10\\ GAO-08-588.\n---------------------------------------------------------------------------\n    We concluded that while US-CERT demonstrated aspects of each of the \nkey attributes, it did not fully incorporate all of them. For example, \nas part of its monitoring, US-CERT obtained information from numerous \nexternal information sources; however, it had not established a \nbaseline of our Nation's critical network assets and operations. In \naddition, while it investigated whether identified anomalies constituted \nactual cyber threats or attacks as part of its analysis, it did not \nintegrate its work into predictive analyses of broader implications or \npotential future attacks, nor did it have the analytical or technical \nresources to analyze multiple, simultaneous cyber incidents. The \norganization also provided warnings by developing and distributing a \nwide array of attack and other notifications; however, these \nnotifications were not consistently actionable or timely--providing the \nright information to the right persons or groups as early as possible \nto give them time to take appropriate action. 
Further, while it \nresponded to a limited number of affected entities in their efforts to \ncontain and mitigate an attack, recover from damages, and remediate \nvulnerabilities, the organization did not possess the resources to \nhandle multiple events across the Nation.\n    We also concluded that without the key attributes, US-CERT did not \nhave the full complement of cyber analysis and warning capabilities \nessential to effectively perform its national mission. As a result, we \nmade 10 recommendations to the Department to address shortfalls \nassociated with the 15 attributes in order to fully establish a \nnational cyber analysis and warning capability. DHS concurred with 9 of \nour 10 recommendations.\n\nReducing Organizational Inefficiencies\n    In June 2008, we reported \\11\\ on the status of DHS's efforts to \nestablish an integrated operations center that it agreed to adopt per \nrecommendations from a DHS-commissioned expert task force. The two \noperations centers that were to be integrated were within the \nDepartment's National Communication System and National Cyber Security \nDivision. We determined that DHS had taken the first of three steps \ntowards integrating the operations centers--called the National \nCoordination Center Watch and US-CERT--it uses to plan for and monitor \nvoice and data network disruptions. While DHS completed the first \nintegration step by locating the two centers in adjacent space, it had \nyet to implement the remaining two steps. Specifically, although called \nfor in the task force's recommendations, the Department had not \norganizationally merged the two centers or involved key private sector \ncritical infrastructure officials in the planning, monitoring, and \nother activities of the proposed joint operations center. 
In addition, \nthe Department lacked a strategic plan and related guidance that \nprovided overall direction in this area and had not developed specific \ntasks and milestones for achieving the two remaining integration steps.\n---------------------------------------------------------------------------\n    \\11\\ GAO, Critical Infrastructure Protection: Further Efforts \nNeeded to Integrate Planning for and Response to Disruption on \nConverged Voice and Data Networks, GAO-08-607 (Washington, DC: June 26, \n2008).\n---------------------------------------------------------------------------\n    We concluded that until the integration of the two centers was \ncompleted, DHS was at risk of being unable to efficiently plan for and \nrespond to disruptions to communications infrastructure and the data \nand applications that travel on this infrastructure, increasing the \nprobability that communications will be unavailable or limited in times \nof need. As a result, we recommended that the Department complete its \nstrategic plan and define tasks and milestones for completing remaining \nintegration steps so that we are better prepared to provide an \nintegrated response to disruptions to the communications \ninfrastructure. DHS concurred with our first recommendation and stated \nthat it would address the second recommendation as part of finalizing \nits strategic plan.\n    DHS has recently made organizational changes to bolster its \ncybersecurity focus. For example, in response to the President's \nJanuary 2008 Cyber Initiative, the Department established a National \nCybersecurity Center to ensure coordination among cyber-related efforts \nacross the Federal Government. DHS placed the center at a higher \norganizational level than the Assistant Secretary of Cyber Security and \nCommunications. 
As we previously reported,\\12\\ this placement raises \nquestions about, and may, in fact, diminish the Assistant Secretary's \nauthority as the focal point for the Federal Government's cyber CIP \nefforts. It also raises similar questions about NCSD's role as the \nprimary Federal cyber analysis and warning organization.\n---------------------------------------------------------------------------\n    \\12\\ GAO-08-588.\n---------------------------------------------------------------------------\nCompleting Corrective Actions Identified During A Cyber Exercise\n    In September 2008, we reported \\13\\ on a 2006 major DHS-coordinated \ncyber attack exercise, called Cyber Storm, that included large-scale \nsimulations of multiple concurrent attacks involving the Federal \nGovernment, States, foreign governments, and private industry. We \ndetermined that DHS had identified eight lessons learned from this \nexercise, such as the need to improve interagency coordination groups \nand the exercise program. We also concluded that while DHS had \ndemonstrated progress in addressing the lessons learned, more needed to \nbe done. Specifically, while the Department completed 42 of the 66 \nactivities identified to address the lessons learned, it identified 16 \nactivities as on-going and 7 as planned for the future.\\14\\ In \naddition, DHS provided no timetable for the completion dates of the on-\ngoing activities. We noted that until DHS scheduled and completed its \nremaining activities, it was at risk of conducting subsequent exercises \nthat repeated the lessons learned during the first exercise. \nConsequently, we recommended that DHS schedule and complete the \nidentified corrective activities so that its cyber exercises can help \nboth public and private sector participants coordinate their responses \nto significant cyber incidents. 
DHS agreed with the recommendation.\n---------------------------------------------------------------------------\n    \\13\\ GAO-08-825.\n    \\14\\ DHS reported that one other activity had been completed, but \nthe Department was unable to provide evidence demonstrating its \ncompletion.\n---------------------------------------------------------------------------\nDeveloping Sector-Specific Plans That Fully Address All of the Cyber-\n        Related Criteria\n    In 2007, we reported and testified \\15\\ on the cybersecurity \naspects of CIP plans for 17 critical infrastructure sectors, referred \nto as sector-specific plans. Specifically, we found that none of the \nplans fully addressed the 30 key cybersecurity-related criteria \ndescribed in DHS guidance. We also determined that while several \nsectors' plans fully addressed many of the criteria, others were less \ncomprehensive. In addition to the variations in the extent to which the \nplans covered aspects of cybersecurity, there was also variance among \nthe plans in the extent to which certain criteria were addressed. For \nexample, fewer than half of the plans fully addressed describing: (1) A \nprocess to identify potential consequences of cyber attack; or, (2) any \nincentives used to encourage voluntary performance of risk assessments. \nWe noted that without complete and comprehensive plans, stakeholders \nwithin the infrastructure sectors may not adequately identify, \nprioritize, and protect their critical assets. Consequently, we \nrecommended \\16\\ that DHS request that the lead Federal agencies, \nreferred to as sector-specific agencies, that are responsible for the \ndevelopment of CIP plans for their sectors fully address all cyber-\nrelated criteria by September 2008 so that stakeholders within the \ninfrastructure sectors will effectively identify, prioritize, and \nprotect the cyber aspects of their CIP efforts. 
The updated plans are \ndue this month.\n---------------------------------------------------------------------------\n    \\15\\ GAO, Critical Infrastructure Protection: Sector-Specific \nPlans' Coverage of Key Cyber Security Elements Varies, GAO-08-64T \n(Washington DC; October 31, 2007); and Critical Infrastructure \nProtection: Sector-Specific Plans' Coverage of Key Cyber Security \nElements Varies, GAO-08-113 (Washington DC; Oct. 31, 2007).\n    \\16\\ GAO-08-113.\n---------------------------------------------------------------------------\nImproving Cybersecurity of Infrastructure Control Systems\n    In a September 2007 report and October 2007 testimony,\\17\\ we \nidentified that Federal agencies had initiated efforts to improve the \nsecurity of critical infrastructure control systems--computer-based \nsystems that monitor and control sensitive processes and physical \nfunctions. For example, DHS was sponsoring multiple control systems \nsecurity initiatives, including efforts to: (1) Improve control systems \ncybersecurity using vulnerability evaluation and response tools; and, \n(2) build relationships with control systems vendors and infrastructure \nasset owners. However, the Department had not established a strategy to \ncoordinate the various control systems activities across Federal \nagencies and the private sector. Further, it lacked processes needed to \naddress specific weaknesses in sharing information on control system \nvulnerabilities. 
We concluded that until public and private sector \nsecurity efforts were coordinated by an overarching strategy and \nspecific information sharing shortfalls were addressed, there was an \nincreased risk that multiple organizations would conduct duplicative \nwork and miss opportunities to fulfill their critical missions.\n---------------------------------------------------------------------------\n    \\17\\ GAO-07-1036 and GAO-08-119T.\n---------------------------------------------------------------------------\n    Consequently, we recommended \\18\\ that DHS develop a strategy to \nguide efforts for securing control systems and establish a rapid and \nsecure process for sharing sensitive control system vulnerability \ninformation to improve Federal Government efforts to secure control \nsystems governing critical infrastructure. In response, DHS officials \ntook our recommendations under advisement and more recently have begun \ndeveloping a Federal Coordinating Strategy to Secure Control Systems, \nwhich is still a work in process. In addition, while DHS began \ndeveloping a process to share sensitive information, it has not \nprovided any evidence that the process has been implemented or that it \nis an effective information-sharing mechanism.\n---------------------------------------------------------------------------\n    \\18\\ GAO-07-1036.\n---------------------------------------------------------------------------\nStrengthening DHS's Ability to Help Recover From Internet Disruptions\n    We reported and later testified \\19\\ in 2006 that the Department \nhad begun a variety of initiatives to fulfill its responsibility for \ndeveloping an integrated public/private plan for internet recovery. \nHowever, we determined that these efforts were not comprehensive or \ncomplete. 
As such, we recommended that DHS implement nine actions to \nimprove the Department's ability to facilitate public/private efforts \nto recover the internet in case of a major disruption.\n---------------------------------------------------------------------------\n    \\19\\ GAO, Internet Infrastructure: Challenges in Developing a \nPublic/Private Recovery Plan, GAO-06-863T (Washington, DC: July 28, \n2006); and Internet Infrastructure: DHS Faces Challenges in Developing \na Joint Public/Private Recovery Plan, GAO-06-672 (Washington, DC: June \n16, 2006).\n---------------------------------------------------------------------------\n    In October 2007, we testified \\20\\ that the Department had made \nprogress in implementing our recommendations; however, seven of the \nnine have not been completed. For example, it revised key plans in \ncoordination with private industry infrastructure stakeholders, \ncoordinated various internet recovery-related activities, and addressed \nkey challenges to internet recovery planning. However, it had not, \namong other things, finalized recovery plans and defined the \ninterdependencies among DHS's various working groups and initiatives. \nIn other words, it has not completed an integrated private/public plan \nfor internet recovery. As a result, we concluded that the Nation lacked \ndirection from the Department on how to respond in such a contingency. \nWe also noted that these incomplete efforts indicated DHS and the \nNation were not fully prepared to respond to a major internet \ndisruption.\n---------------------------------------------------------------------------\n    \\20\\ GAO, Internet Infrastructure: Challenges in Developing a \nPublic/Private Recovery Plan, GAO-08-212T (Washington, DC: Oct. 23, \n2007).\n---------------------------------------------------------------------------\n    In summary, DHS has developed and implemented capabilities to \nsatisfy aspects of key cybersecurity responsibilities. 
However, it \nstill needs to take further action to fulfill all of these \nresponsibilities. In particular, it needs to fully address the key \nareas identified in our recent reports. Specifically, it will have to \nbolster cyber analysis and warning capabilities, address organizational \ninefficiencies by integrating voice and data operations centers, \nenhance cyber exercises by completing the identified activities \nassociated with the lessons learned, ensure that cyber-related sector-\nspecific critical infrastructure plans are completed, improve efforts \nto address the cybersecurity of infrastructure control systems by \ncompleting a comprehensive strategy and ensuring adequate mechanisms \nfor sharing sensitive information, and strengthen its ability to help \nrecover from internet disruptions by finalizing recovery plans and \ndefining interdependencies. Until these steps are taken, our Nation's \ncomputer-reliant critical infrastructure remains at unnecessary risk of \nsignificant cyber incidents.\n    Mr. Chairman, this concludes my statement. I would be happy to \nanswer any questions that you or Members of the subcommittee may have \nat this time.\n                               Appendix I\n\n                DHS'S KEY CYBERSECURITY RESPONSIBILITIES\n------------------------------------------------------------------------\n                                                   Description of\n             Responsibilities                     Responsibilities\n------------------------------------------------------------------------\nDevelop a national plan for CIP that       Developing a comprehensive\n includes cybersecurity.                    
national plan for securing\n                                            the key resources and\n                                            critical infrastructure of\n                                            the United States, including\n                                            information technology and\n                                            telecommunications systems\n                                            (including satellites) and\n                                            the physical and\n                                            technological assets that\n                                            support such systems. This\n                                            plan is to outline national\n                                            strategies, activities, and\n                                            milestones for protecting\n                                            critical infrastructures.\nDevelop partnerships and coordinate with   Fostering and developing\n other Federal agencies, State and local    public/private partnerships\n governments, and the private sector.       with and among other Federal\n                                            agencies, State and local\n                                            governments, the private\n                                            sector, and others. DHS is\n                                            to serve as the ``focal\n                                            point for the security of\n                                            cyberspace.''\nImprove and enhance public/private         Improving and enhancing\n information sharing involving cyber        information sharing with and\n attacks, threats, and vulnerabilities.     
among other Federal\n                                            agencies, State and local\n                                            governments, the private\n                                            sector, and others through\n                                            improved partnerships and\n                                            collaboration, including\n                                            encouraging information\n                                            sharing and analysis\n                                            mechanisms. DHS is to\n                                            improve sharing of\n                                            information on cyber\n                                            attacks, threats, and\n                                            vulnerabilities.\nDevelop and enhance national cyber         Providing cyber analysis and\n analysis and warning capabilities.         warnings, enhancing\n                                            analytical capabilities, and\n                                            developing a national\n                                            indications and warnings\n                                            architecture to identify\n                                            precursors to attacks.\nProvide and coordinate incident response   Providing crisis management\n and recovery planning efforts.             in response to threats to or\n                                            attacks on critical\n                                            information systems. 
This\n                                            entails coordinating efforts\n                                            for incident response,\n                                            recovery planning,\n                                            exercising cybersecurity\n                                            continuity plans for Federal\n                                            systems, planning for\n                                            recovery of internet\n                                            functions, and assisting\n                                            infrastructure stakeholders\n                                            with cyber-related emergency\n                                            recovery plans.\nIdentify and assess cyber threats and      Leading efforts by the public\n vulnerabilities.                           and private sector to\n                                            conduct a national cyber\n                                            threat assessment, to\n                                            conduct or facilitate\n                                            vulnerability assessments of\n                                            sectors, and to identify\n                                            cross-sector\n                                            interdependencies.\nSupport efforts to reduce cyber threats    Leading and supporting\n and vulnerabilities.                       
efforts by the public and\n                                            private sector to reduce\n                                            threats and vulnerabilities.\n                                            Threat reduction involves\n                                            working with the law\n                                            enforcement community to\n                                            investigate and prosecute\n                                            cyberspace threats.\n                                            Vulnerability reduction\n                                            involves identifying and\n                                            remediating vulnerabilities\n                                            in existing software and\n                                            systems.\nPromote and support research and           Collaborating and\n development efforts to strengthen          coordinating with members of\n cyberspace security.                       academia, industry, and\n                                            Government to optimize\n                                            cybersecurity-related\n                                            research and development\n                                            efforts to reduce\n                                            vulnerabilities through the\n                                            adoption of more secure\n                                            technologies.\nPromote awareness and outreach...........  
Establishing a comprehensive\n                                            national awareness program\n                                            to promote efforts to\n                                            strengthen cybersecurity\n                                            throughout Government and\n                                            the private sector,\n                                            including the home user.\nFoster training and certification........  Improving cybersecurity-\n                                            related education, training,\n                                            and certification\n                                            opportunities.\nEnhance Federal, State, and local          Partnering with Federal,\n government cybersecurity.                  State, and local governments\n                                            in efforts to strengthen the\n                                            cybersecurity of the\n                                            Nation's critical\n                                            information infrastructure\n                                            to assist in the deterrence,\n                                            prevention, preemption of,\n                                            and response to terrorist\n                                            attacks against the United\n                                            States.\nStrengthen international cyberspace        Working in conjunction with\n security.                                  
other Federal agencies,\n                                            international organizations,\n                                            and industry in efforts to\n                                            promote strengthened\n                                            cybersecurity on a global\n                                            basis.\nIntegrate cybersecurity with national      Coordinating and integrating\n security.                                  applicable national\n                                            preparedness goals with its\n                                            National Infrastructure\n                                            Protection Plan.\n------------------------------------------------------------------------\nSource: GAO analysis of the Homeland Security Act of 2002, the Homeland\n  Security Presidential Directive--7, and the National Strategy to\n  Secure Cyberspace.\n\n                              Appendix II\n\n        KEY ATTRIBUTES OF CYBER ANALYSIS AND WARNING CAPABILITIES\n------------------------------------------------------------------------\n                Capability                           Attribute\n------------------------------------------------------------------------\nMonitoring...............................  
--Establish a baseline\n                                            understanding of network\n                                            assets and normal network\n                                            traffic volume and flow.\n                                           --Assess risks to network\n                                            assets.\n                                           --Obtain internal information\n                                            on network operations via\n                                            technical tools and user\n                                            reports.\n                                           --Obtain external information\n                                            on threats, vulnerabilities,\n                                            and incidents through\n                                            various relationships,\n                                            alerts, and other sources.\n                                           --Detect anomalous\n                                            activities.\nAnalysis.................................  
--Verify that an anomaly is\n                                            an incident (threat of\n                                            attack or actual attack).\n                                           --Investigate the incident to\n                                            identify the type of cyber\n                                            attack, estimate impact, and\n                                            collect evidence.\n                                           --Identify possible actions\n                                            to mitigate the impact of\n                                            the incident.\n                                           --Integrate results into\n                                            predictive analysis of\n                                            broader implications or\n                                            potential future attack.\nWarning..................................  --Develop attack and other\n                                            notifications that are\n                                            targeted and actionable.\n                                           --Provide notifications in a\n                                            timely manner.\n                                           --Distribute notifications\n                                            using appropriate\n                                            communications methods.\nResponse.................................  --Contain and mitigate the\n                                            incident.\n                                           --Recover from damages and\n                                            remediate vulnerabilities.\n                                           --Evaluate actions and\n                                            incorporate lessons learned.\n------------------------------------------------------------------------\nSource: GAO analysis.\n\n\n    Mr. 
Langevin. Thank you, Mr. Powner, for your testimony.\n    The Chair now recognizes Mr. Lewis to summarize the \nCommission's statement for 5 minutes. Welcome.\n\n STATEMENT OF JAMES A. LEWIS, PROJECT DIRECTOR, COMMISSION ON \nCYBERSECURITY FOR THE 44TH PRESIDENCY, CENTER FOR STRATEGIC AND \nINTERNATIONAL STUDIES; ACCOMPANIED BY LIEUTENANT GENERAL HARRY \n D. RADUEGE, JR., CO-CHAIRMAN, COMMISSION ON CYBERSECURITY FOR \n  THE 44TH PRESIDENCY, CENTER FOR STRATEGIC AND INTERNATIONAL \n STUDIES; AND PAUL KURTZ, MEMBER, COMMISSION ON CYBERSECURITY \nFOR THE 44TH PRESIDENCY, CENTER FOR STRATEGIC AND INTERNATIONAL \n                            STUDIES\n\n    Mr. Lewis. I thank the committee for this opportunity to \ntestify. Our goal is to identify actions that the next \nadministration can take in its first hundred days to improve \nU.S. national security and global competitiveness.\n    In doing this, we would begin by noting that the next \nadministration should build on the work of the comprehensive \nNational Cybersecurity Initiative. It is a good start. Let me \nnote that you, Mr. Chairman, and your colleague, Congressman \nMcCaul, have provided invaluable support and guidance during \nthe course of our work. I know a lot of times people say that, \nbut I really mean it. It has really been a lot easier having \nyou two. If I ever do another Commission, I want you to be on \nit. It has really helped. Your leadership has been crucial.\n    I would also like to note that we have received tremendous \nassistance from the Departments of Defense, Homeland Security, \nthe intelligence community, and the FBI. So with all this help, \nit has been very valuable.\n    We are still working, as you noted. We hope to be done by \nNovember. But we are in a position where we can discuss some of \nour preliminary findings. 
I will begin by stating our two most \nimportant findings.\n    The first is that cybersecurity is now one of the most \nimportant national security challenges facing the United \nStates. This is not a hypothetical challenge. We are under \nattack and we are taking damage.\n    Our second finding is that the United States is \ndisorganized and lacks a coherent national strategy. Our \nrecommendations call for the use of all instruments of U.S. \npower, diplomatic, military, economic, law enforcement, and \nintelligence, to secure cyberspace. This new strategy should be \none of the first documents that the next administration issues.\n    We have looked at military activities in cyberspace. Most \nof these are classified. However, we will be able to discuss \nseveral important topics. The most important conclusion that we \nhave reached regarding military activity is that credible \noffensive capabilities are necessary to deter potential \nattackers.\n    A comprehensive strategy for cyberspace creates an \nimportant challenge, however. We have found in our interviews \nand in our discussions that the ability to organize and \ncoordinate Government activities for cybersecurity is \ninadequate. The central problems are lack of a strategic focus, \noverlapping missions, poor coordination, and diffuse \nresponsibility. Our interviews have suggested that while DHS \nhas improved in recent years, oversight of cybersecurity must \nmove elsewhere.\n    We have considered many alternatives, such as whether it \nshould be the intelligence community or DOD or other agencies. \nThe conclusion that we have reached is that only the White House \nhas the authority needed for cybersecurity. This is not a call \nfor a czar. Czars in Washington tend to be marginalized. Longing \nfor a czar is a symptom of dissatisfaction with how our \nGovernment works now. 
One of the things we hope to do is \ndevelop recommendations for how to use technology to improve \nsecurity and increase efficiency in Government.\n    On the subject of public-private partnerships, we found \nalmost universal recognition that existing partnerships are not \nmeeting the needs of either the Government or the private \nsector. Our work concentrated on two problems. The first is the \nneed to rebuild trust. The second is to focus on \ninfrastructures that are truly critical for cyberspace. For us \nthose are the electrical power sector, telecommunications, and \nfinance. We heard in many interviews that trust is the \nfoundation of a successful partnership. We also heard that \ndespite good intentions on all sides, trust between Government \nand the private sector has declined. Our recommendations will \ncall for a restructuring to rebuild trust.\n    Our group had a long debate over the role of regulation and \nwhether there has been market failure. Our conclusion is that \ngreater regulation is necessary for critical cyber \ninfrastructure, but the prescriptive command and control \nregulation will not increase security. Based on this \ncommittee's hearings with NERC and FERC, we are exploring new \napproaches to regulation.\n    We also concluded that cybersecurity requires better \nauthentication. We know this is a sensitive subject, and we \nrealize that any recommendation will need to ensure that \nprivacy and confidentiality are protected. We heard many times \nin our interviews that key laws are outdated. 
The next \nadministration, we will recommend, should work with Congress to \nrevise investigative authorities, modernize Clinger-Cohen and \nFISMA, and remove the distinction between national security and \ncivil agency systems found in many laws.\n    Our interviews suggest that the Federal Government can use \nits powers to change market conditions: it can increase \nresources available for cybersecurity by supporting training \nand education, it can expand research, and it can encourage the \ndeployment of more secure products and protocols. We will \nrecommend that the new administration build on OMB's Federal \nDesktop Core Configuration and use Government and industry \npartnership to make better products for IT security.\n    Let me tell you what our next steps are. I hope you realize \nthis was a cursory survey of where we are coming out in the \nCommission. There are other details that will come out in \nquestioning. Our goal is to produce implementable \nrecommendations that could guide both the legislative agenda \nand Presidential policy. We are on track to have this done by \nNovember.\n    Several difficult issues remain, including how to move from \nIndustrial Age Government to one better suited to the \nInformation Age, how to scope and design a new approach to \nregulation, where to locate authorities for cyberspace, and how \nto make public and private partnerships more efficient. I am \nconfident that with your help and guidance we can resolve these \nissues and offer recommendations to the next administration, \nthe Congress, and the American people.\n    Thank you again for your support and for this opportunity. \nI look forward to your questions.\n    Mr. Langevin. Thank you, Mr. Lewis, for your testimony.\n    [The statement of Mr. Lewis follows:]\n\n                  Prepared Statement of James A. 
Lewis\n                           September 16, 2008\n\n    I thank the committee for the opportunity to testify on the work of \nthe CSIS Cybersecurity Commission on Cyber Security for the 44th \nPresidency. As you know, this Commission was established a year ago. It \nheld its first meeting in November 2007. Our goal is to identify \nconcrete actions that the next administration can take to improve \ncybersecurity. We are composed of forty individuals with extensive \nexperience in cyber security and in Government operations, and our work \nhas been supported by a number of eminent experts in this field. We \nhave also received invaluable assistance from the Department of \nDefense, the intelligence community, the FBI and from elements of the \nDepartment of Homeland Security. Let me also note that you, Mr. \nChairman, and your colleague Representative McCaul, have provided \nessential support and guidance during the course of our work. Your \nleadership has been crucial for shaping the report and in moving the \nCommission forward.\n    The starting point for the Commission's work was that the lack of \ncyber security and the loss of information were doing unacceptable \ndamage to the United States. It has been 10 years since the first \nreports called attention to America's vulnerability in cyberspace. \nUnfortunately, the situation has gotten worse, not better, during the \nintervening decade. That cyberspace now provides the foundation for \nmuch of our economic activity is not readily apparent. However, those \nwho wish to do harm to the United States have not failed to notice the \nopportunities created by the weaknesses of U.S. networks. There have \nbeen damaging losses of valuable information. These losses occurred in \nboth the Government and the private sector, creating major risks for \nnational security and doing major damage to U.S. global \ncompetitiveness. 
We are also deeply concerned by the idea that these \nintruders, since they were able to successfully enter U.S. networks to \nsteal information without being detected, could just as well be leaving \nsomething behind, malicious software that could be triggered in a \ncrisis to disrupt critical services or infrastructure.\n    I should note that when we began our work, the administration had \nnot announced its National Cyber Security Initiative. We appreciate the \nwillingness of some Departments to share the details of this highly \nclassified activity with those of us who hold the appropriate \nclearances. As a group, we believe this initiative has begun to make a \ntremendous contribution to improving U.S. national security and we \napplaud those who are struggling to implement it. We have adjusted our \nwork in light of the Initiative; it has brought progress, but there is \nstill much work to be done.\n    The CSIS Cyber Commission hopes to have finished its work by \nNovember of this year. So our discussion today must necessarily reflect \nthat in some instances, the group has not finished its work on key \nrecommendations. What I and my colleagues can do, however, is brief the \ncommittee on the issues we have identified and some of the options we \nare considering.\n    Let me begin by noting our two most important findings. The first \nis that cyber security is now one of the most important national \nsecurity challenges facing the United States. This is not some \nhypothetical catastrophe. We are under attack and taking damage. Our \nsecond finding is that the United States is not organized and lacks a \ncoherent national strategy for addressing this challenge.\n    These two findings inform our work and our recommendations, and the \nCommission has identified several broad areas where we recommend that \nthe next administration take immediate action. 
These are to develop a \ncomprehensive national security strategy for cyberspace; to reorganize \nthe governance of cyberspace to provide accountability and authority; \nto rebuild relationships with the private sector; to modernize \ncyberspace authorities; and to use regulation and Federal acquisitions \nto shape markets.\n\n                           NATIONAL STRATEGY\n\n    In light of our conclusion that cyberspace must now be part of that \nnational security strategy, our recommendations call for the use of all \ninstruments of U.S. power to secure cyberspace. We identify five \nprincipal instruments--diplomatic, military, economic, law enforcement \nand intelligence--to achieve this and will recommend that the next \nadministration make use of them in a coordinated and well-resourced \nnational approach.\n\n                         DIPLOMATIC INITIATIVES\n\n    The diplomatic aspects of cyber security have been among the least \ndeveloped elements of U.S. policy. Our vision of a diplomatic strategy \ninvolves advocacy, cooperation and norms. It is patterned after the \nU.S. experience in building international cooperation in \nnonproliferation. Increasingly, all nations and all peoples depend on \ncyberspace to conduct their daily affairs and this provides \nopportunities for cooperation. We will recommend that the United States \nadvocate measures to secure cyberspace in every multilateral initiative \nwhere it is appropriate, just as we have advocated measures to advance \nnonproliferation or to combat terrorism.\n\n                          MILITARY AND DEFENSE\n\n    Much of the discussion of the military aspects of cybersecurity is \nnecessarily classified. This limits what our Commission can say on \noffensive information warfare. However, we discussed several essential \ntopics. These included how to improve deterrence, how to link strategy \nto an appropriate doctrine for use, and how to train and equip forces. 
\nThe most important conclusion we reached is that credible offensive \ncapabilities are necessary to deter potential attackers.\n    The United States has a doctrine for military operations in \ncyberspace, but we believe this doctrine will need to be expanded if it \nis to be effective. Doctrine provides guidance on the exercise of the \nvarious and overlapping legal authorities that apply to cyberspace, \nidentifying when the use of law enforcement, military or intelligence \nauthorities is appropriate. An expanded doctrine should specify \nrelationships among agencies and lay out the decisionmaking process for \nvarious actions. Our initial conclusion is that the next administration \nshould refine existing doctrine and create processes to work through \nthe issues of deterrence and strategic operations in cyberspace.\n\n                             ECONOMIC TOOLS\n\n    Our review suggests that the United States would benefit from \nmaking greater use of the economic tools available to it. These tools \ninclude using international economic programs and organizations to \npromote cyber security, to develop norms and sanctions for \ninternational behavior, to work with international standards bodies and \nto invest in research and development in cybersecurity. A concrete \nexample of this would be our bilateral trade negotiations with Russia. \nWhile the Russians had to improve their performance on many legal and \ntrade requirements, they were not asked for better national performance \nin securing cyberspace. This must change.\n\n                    INTELLIGENCE AND LAW ENFORCEMENT\n\n    Our review of cybersecurity efforts found that the intelligence \ncommunity has led the efforts to improve U.S. national cybersecurity. 
\nTo foreshadow our discussion of organizational issues, we considered \nrecommending that the intelligence community be formally given the lead \nrole in securing cyberspace, but ultimately decided that this would be \npolitically infeasible. Our recommendations emphasize that its primary \nrole in securing cyberspace will be to support diplomatic, military, \nand domestic elements of a comprehensive strategy.\n    We were also impressed by the work of the Federal law enforcement \ncommunity. Our recommendations will emphasize that an important \nactivity for law enforcement is to work with other nations, as part of \na larger diplomatic strategy, to shrink the ``sanctuaries'' available \nfor cybercrime. Another essential law enforcement function is to ensure \nadequate protections for privacy and civil liberties in any cyber \ninitiative. A comprehensive response to cyber attack need not come at \nthe expense of civil liberties, and success will depend in some measure \non the ability of the Government to assure Americans that their rights \nare being safeguarded. We believe this assurance requires a commitment \nfrom the White House and vigorous congressional oversight.\n    We believe that the new administration has an opportunity to build \non the NCSI to create a coherent national strategy. This strategy \nshould be one of the first policy documents that it issues. Moving to a \nstrategy for cyberspace that focuses on using all the tools of national \npower creates an important challenge, however. We found that the \ncurrent ability to organize and coordinate the use of diplomatic, \nmilitary, economic, intelligence and law enforcement activities is \ninadequate. This will need to change to improve cybersecurity.\n\n                              ORGANIZATION\n\n    It did not take long for our group to conclude that our national \nefforts in cyberspace are disorganized. None of the existing \ncybersecurity structures are adequate. 
We found that the central \nproblems in the current Federal organization for cybersecurity are the \nlack of a strategic focus, overlapping missions, poor coordination and \ncollaboration, and diffuse responsibility. Much of the problem resides \nwith the performance and capabilities of the Department of Homeland \nSecurity. While the Department's performance has improved in recent \nyears, making this Department more effective will be an immediate task \nfor the next administration. However, our view is that any improvement \nto the Nation's cybersecurity must go outside of DHS to be effective, \nand this will require rethinking the roles of DHS and the Homeland \nSecurity Council.\n    Given DHS's weaknesses, we considered a number of alternatives. The \nintelligence community has the necessary capabilities but giving it a \nlead role poses serious constitutional problems. DOD is well suited to \nmanage a national mission, but giving it the lead suggests a \nmilitarization of cyberspace. We concluded that only the White House \nhas the necessary authority and oversight for cybersecurity.\n    Simply appointing a czar, however, will not work. Czars in \nWashington tend to be either temporary or marginalized. Longing for a \nczar is a symptom of our industrial-age governmental organization. We \nare developing recommendations on how to leverage information \ntechnology to increase security while improving the efficiency and \ntransparency of Government operations. Our thinking on this has been \nshaped in part by the implementation of the Intelligence Reform and \nTerrorist Prevention Act, which imposed a new, more collaborative \nstructure on the intelligence community. This is still a work in \nprogress, but the IC's experience shows that the combination of a \ncongressional mandate, adequate authorities, and a focus on \n``enterprise'' solutions (e.g. 
those that cut across traditional agency \nbarriers) can improve Federal performance.\n    We believe that the next administration's response to the \ncybersecurity challenge provides an opportunity to test new approaches \nto Federal organization that better leverage the use of cyberspace and \nsocial networking technologies to improve Government performance. It is \ntime to move to an information-age Government. The Commission is \nconsidering several options for how best to achieve this. Our view is \nthat this new model of governance must be based in the Executive Office \nof the President and make collaboration among agencies one of its \nmissions.\n\n                      PUBLIC-PRIVATE PARTNERSHIPS\n\n    The committee knows that the United States works with a variety of \ngroups created to improve information sharing or build public-private \npartnerships. Based on a series of interviews, we found almost \nuniversal recognition that the status quo is not meeting the needs of \nGovernment or the private sector with respect to collaboration.\n    Our work concentrated on two problems that must be addressed if \nthere is to be improvement. The first is to rebuild trust between the \nGovernment and the private sector. The second is to focus on \ninfrastructures that are truly critical for cybersecurity--the sectors \nthat provide the large national networks that create cyberspace--\ntelecommunications, electricity, and finance.\n    We heard in numerous interviews that trust is the foundation of a \nsuccessful Government/private sector relationship. We also heard that \nin the last few years, despite the profusion of advisory bodies and \ndespite good intentions on all sides, trust between Government and the \nprivate sector has declined. Our recommendations will call for \nsimplifying structure and building trust relationships. 
Information \nsharing, which drove much of the original thinking about how to work \nwith the private sector, should become a secondary goal in our view.\n\n                               REGULATION\n\n    Our group had a long debate over the role of regulation and whether \nthere has been market failure in cybersecurity. Our conclusion is that \ngreater regulation is necessary, but that prescriptive, command-and-\ncontrol regulation will not produce a higher standard for security in \ncritical cyber infrastructure. We are exploring a new approach to \nregulation that builds on and blends the strengths of the public and \nprivate sectors.\n    Based on this committee's hearings on NERC and FERC, we are \nexploring approaches that build on your vision of how NERC/FERC should \nwork. This approach would task existing regulatory agencies for \ntelecommunications, finance, and electrical power to devise regulations \nthat embed cybersecurity requirements in a regulatory and compliance \nframework. To achieve this while avoiding the drawbacks of regulation, \nthe Federal Government must find new ways to coordinate among agencies. \nWe plan to recommend a ``federated'' approach to regulation that \nreduces the fragmentation and inconsistency found in cybersecurity \nregulation.\n\n                        IDENTITY AND ATTRIBUTION\n\n    One of the new regulations we think is necessary for cybersecurity \ninvolves authentication of identity for critical infrastructures in \ncyberspace. The current internet is anonymous. Anonymity can preserve \nprivacy and civil liberties, but it can also enable malicious behavior. \nWe have concluded that the Government must require better \nauthentication for critical infrastructure, and that this can be done \nin a way that protects privacy and confidentiality.\n    We started with the principle that unknown individuals or \nindividuals using fraudulent identities should not be able to easily \naccess critical infrastructure. 
We are developing a technology-neutral, \n``opt-in'' approach to digital credentials for critical infrastructure, \nbased on precedents from the work of the FDIC and the experience of the \nDepartment of Defense.\n    Our view is that it will be feasible to create a system where those \nwho do not want to be authenticated could choose not to participate \nwithout penalty, but those who offer on-line services and wish to \nrestrict them to authenticated individuals would not have that right \ndenied to them. We recognize the sensitivity of any recommendation to \nrequire authentication and believe that no measure that does not \nadequately protect civil liberties will succeed, but we have concluded \nthat security cannot be improved without better authentication of \nidentity.\n\n                  MODERNIZE AUTHORITIES FOR CYBERSPACE\n\n    We heard many times in our interviews that a legal structure that \nis a decade or two old ill-serves the Nation when it comes to \ncybersecurity. Some of this is due to transaction speed--an event in \ncyberspace may happen in seconds, but determining which authority to \nuse in response can take hours or days (and we heard that the \n``default'' authority is Title 3--law enforcement--as this is the set \nof authorities that is least likely to pose risks for civil liberties).\n    We believe that the next administration should work with Congress \nto revise three authorities: Title 3 investigative authorities related \nto cyberspace; the Clinger-Cohen Act and the Federal Information \nSecurity Management Act; and the distinction in law between national \nsecurity and civilian agency systems currently embedded in many \nauthorities. 
Revising existing authorities to serve the Nation \neffectively in cyberspace will be a complex legal operation that will \nrequire Congress and the new administration to work closely together, \nbut it is an unavoidable challenge.\n\n                        RESOURCES AND INCENTIVES\n\n    Our discussions and interviews suggest that the Federal Government \nhas not made full use of its powers to change market conditions in ways \nthat will improve cybersecurity. It can increase the inputs and \nresources available for cybersecurity by supporting training and \neducation. It can expand and focus its investment in research. It can \nencourage the deployment of more secure products and protocols by using \nits purchasing power--the Federal Government does not have a dominant \nmarket share in IT, but it is the largest single customer for most IT \nproducts and it can use this to move the market in positive directions.\n    Our recommendations will call for changes in acquisitions \nrequirements, collaborative work with companies on standards and best \npractices, and investment in human capital and in research to \naccelerate the rate at which we secure cyberspace. In this, we will \nrecommend that a new administration build off OMB's Federal Desktop \nCore Configuration initiative.\n    Cooperation with private sector will be essential for success. \nLeveraging Government and industry partnerships can produce major \nimprovements in security. Moreover, the development of more secure \nconfigurations must involve those international standards bodies who \nhave been working in this area.\n    Our review suggests that the United States would benefit if it \ndeveloped a national cyber education and training program. 
Our \nrecommendation is that the United States develop an institutionalized \nprogram that establishes minimal standards for skills and knowledge \nsufficient to meet the cyber mission and enable attractive career \npaths.\n    The Federal Government is one of the largest purchasers of \ntelecommunications services in the world--perhaps the largest. A \nPresidential mandate that the United States would only contract with \ntelecommunications carriers that use DNSSEC would rapidly drive the \nmarket and provide benefits beyond the Federal Government. This \nrecommendation is attractive because it could also be adopted by State \nand local governments.\n\n                     INFORMATION ASSURANCE METRICS\n\n    A central part of any effort to judge whether a product or \ninitiative has improved security is to identify or develop the metrics \nthat can measure progress. There is no doubt that achieving compliance \nwith best security practice is a basic foundation that is valuable and \nshould be measured--what we lack is the ability to go beyond that with \nmeaningful measures of security that inform the system owner on their \nactual risk profile, and how best to make intelligent investments in \nmaking the IT system more secure and reducing the overall risk.\n\n            ASSURING INDUSTRIAL CONTROL SYSTEM CYBERSECURITY\n\n    Industrial Control Systems (also known as SCADA) are an integral \npart of electric power, oil, water, gasoline, chemicals, manufacturing, \nmining, transportation, food processing, etc. by providing control and \nsafe shutdown of the processes for these facilities. Computer cyber \nvulnerabilities can affect the safe, functional performance of these \nsystems and processes. We are working with experts in this field to \ndevelop recommendations on how to improve the security of ICS. 
These \nrecommendations will probably be linked to our recommendation to \ndevelop a new regulatory approach for cyber security.\n\n               RESEARCH AND DEVELOPMENT FOR CYBERSECURITY\n\n    Although technology is only a part of the cybersecurity challenge, \nthe next administration has an opportunity to use research and \ndevelopment to improve the security of computer and communications \nsystems and the information created and stored within them.\n    Our initial work suggests that the United States needs a \ncoordinated and strategic focus for Federal investments in \ncybersecurity R&D. Both basic research--often performed at universities \nand with benefits realized over the long term--and applied research--\nwhich uses existing technology to address near-term problems--must be \npart of this strategy. Just as the Department of Defense has \nsuccessfully marshaled R&D to provide military advantage to the United \nStates since the 1940's, the United States must harness R&D to \nAmerica's cybersecurity needs.\n    One area we are considering for R&D involves re-engineering the \ninternet, which operates with protocols written in the 1970's and \n1980's. A simple analogy would be to ask if it is safe to drive a 30-\nyear-old car that still uses its original equipment. We believe it is \ntime to upgrade. Many of the outside experts suggested that we remember \nthat cyberspace is a human construct and that the internet's \narchitecture, with research and international cooperation, can be \nsignificantly improved. This is a bold and complex recommendation that \nwill require a coordinated effort managed by the White House as part of \na larger strategy, but it is not out of reach.\n\n                               NEXT STEPS\n\n    The Commission's goal is a package of implementable recommendations \nthat could help to guide both a legislative agenda and presidential \npolicy documents. We are on track to have this done within the next 2 \nmonths. 
Several difficult issues remain, including how to move from an \nindustrial age model of governance to one better suited for the \ninformation age, how to scope and design a new approach to regulation, \nwhere to locate the authorities for cyberspace within the Federal \nGovernment, and how to make public-private partnership more efficient. \nI am confident that with your help and guidance we can resolve these \nissues and offer our recommendation to the next administration, the \nCongress and the American public. Thank you again for this opportunity \nand I would be happy to take any questions you may have.\n\n    Mr. Langevin. Before I go to questions, I just wanted to \nmention that there will be a continuation of today's hearing \nbasically on Thursday, the same subject of the CSIS \nCommission's preliminary findings, that takes place on Thursday \nbefore the House Permanent Select Committee on Intelligence. I \nsuspect that this hearing and the one on Thursday will be just \nthe first of many, both on the work of the CSIS Commission, but \non cybersecurity overall as we head into the next Congress.\n    With that, I want to thank the witnesses for their \ntestimony. I will remind each of the Members that they will \nhave 5 minutes to question the panel. I will now recognize \nmyself for questions.\n    Let me just start with a few general questions for the \npanel. Based on your professional judgment and knowledge of \nDHS's state of preparedness, are we adequately prepared for a \nmajor cyber attack? Is the U.S. Government effectively \norganized to meet that cybersecurity threat? Why has DHS \nstruggled to fill its mission? Finally, should DHS lead the \ncybersecurity mission in the U.S. Government?\n    It is a general question for the panel, so whoever would \nlike to----\n    Mr. Powner. Mr. 
Chairman, based on the work we have done \nfor you over the years, I think the short answer is that we are \nnot prepared for major significant events, especially when you \nstart looking at multiple events. I will point to a couple key \nbodies of work that we focused on. If you looked at a major \ninternet disruption, are we prepared to really deal with a \nmajor internet disruption from a public-private point of view? \nNo. If you look at the cyber exercises that have been conducted \nto date, there are a lot of lessons learned that have come out \nof those, a lot of basic things that still need to be in place: \ncommunications, how we involve law enforcement and those types \nof things. So we are not well prepared today.\n    Mr. Lewis. I would agree with that, Mr. Chairman. We are \nnot prepared. I think DHS has struggled, for a number of \nreasons. One of the most important is that it really doesn't \nhave the authority to direct other departments and agencies. If \nanything, its authority has probably declined as other \ndepartments have moved out on this issue. So it is hard for \nus--I began in this effort by thinking that we should \nstrengthen DHS. We did not receive much encouragement when we \nput that forward to either the experts we talked to, to people \nwithin Government, or to even members of my own Commission. So \nI was shot down by my own Commission.\n    Should it lead? There are things that only DHS can do, and \nit is appropriate to locate them there. We are in the process \nof trying to determine what those are. But our view, I think I \nspeak for the Commission, is that many of these functions need \nto move to the White House. This is now a serious national \nsecurity problem. It needs to be treated as such. It needs to \nbe taken under the leadership of the National Security Council. \nSo our view is while there are things DHS should do, \ncybersecurity now needs to receive White House attention.\n    General Raduege. 
I would just add, Mr. Chairman, that I \nbelieve in my travels I have heard numerous times other nations \nlooking to the United States for leadership in cybersecurity \nstrategy. I think that just underlines the fact that the \ninternet is certainly a global network, and it has \ninternational proportions. So with what Dr. Lewis has just \nmentioned, I would add that we need an international focus on \nthis. It is a national security issue, but it has international \nproportions.\n    Mr. Kurtz. Just to build on what others have said, as Jim \npointed out, this is really no longer just a homeland security \nissue, it is a national security issue. That is, if you will, a \nchange significantly since DHS was stood up. Now we have \nespionage on a massive scale by our adversaries. That I think \ntakes it really--much of the responsibility out of the hands of \nthe Department of Homeland Security. That is not their fault.\n    However, point No. 2 is there really is no one in charge \nright now at DHS. That is why they have struggled. When you \nlook across the spectrum at DHS, you have an Under Secretary, \nyou have an Assistant Secretary for Policy. We have others that \nare supposedly working side-by-side, but really are not working \nside-by-side. It is as though you have several people with \ntheir hands on the steering wheel, and there is really no \ncommon direction as to which way to go.\n    Also, as General Raduege said, we have several other \nagencies that have assumed significant responsibilities. So \nsomeone has got to be in charge.\n    The final point is--and that we can't lose sight of in this \nreorganization--is how do we have someone in charge but still \nrecognize that this is the information infrastructure we are \ntalking about? So traditional command-and-control that we are \nused to seeing inside DOD and other places may not be the most \nappropriate way to go; that we need to establish better means \nof collaboration. 
That is one of the issues that the Commission \nhas looked at.\n    Mr. Langevin. Let me--it is probably a good segue into my \nnext question--it is a known fact in Washington whoever \ncontrols the purse strings controls the mission. This might \nexplain why DHS as the coordinating body has been so very \nunsuccessful in achieving goals and securing cyberspace. Who \nshould have budget authority over the Federal Government's \ncybersecurity missions? Where should this authority lie? What \nrole should OMB have?\n    We can just go right down the line again if you would like \nto have your input.\n    Mr. Powner. Mr. Chairman, we look at and I look at the \nentire IT budget of the Federal Government, $70 billion that we \nspend. In terms of authority, DHS does not have the purse \nstrings, that is clear. The authority is dispersed. Then what \nhappens not only in cybersecurity but in the whole IT arena is \nwe don't have enough oversight on how that money is spent.\n    So I think going forward, consistent with some of the \nCommission's recommendations, we ought to look at creating \norganizations that control the purse strings as well as have \nthe appropriate authorities moving forward.\n    Mr. Lewis. Thank you, Mr. Chairman. That is a good \nquestion. It is one that we struggled with in the Commission. I \nam sure that people at OMB will be happy to know that we moved \nthe budget authorities all around the Federal Government for a \nwhile, and I don't think we have quite figured out where to put \nthem.\n    What I will say, though, is I think the sense of where we \nare coming out is that, you know, OMB has to be the place that \ncoordinates budgets. That is what they do for the President. \nBut we do need somebody that provides oversight, coordination, \ncollaboration among Federal agencies. This is also a White \nHouse function, but not an OMB function.\n    So what we are suggesting is that when it comes to budget \nfunctions, keep them at OMB. 
When it comes to policy functions, \nmove them somewhere into the White House. We are looking at a \nnumber of suggestions on where that should be. But currently \nOMB kind of acts in both a policy role and a budget role, and \nwe think it is time to focus them on their budget \nresponsibilities.\n    Mr. Langevin. Are you suggesting that OMB would ultimately \nhave veto power over policy since they control the budget, or \nhow would that work?\n    Mr. Lewis. I think we want it to work more like other \nagencies. So if I can use the example of the work that has been \ndone to reform the intelligence community; which is, you have a \nnew figure at the top of the different agencies in the \nintelligence community, the Director of National Intelligence. \nThat director coordinates the budget for all those agencies and \nthen works with OMB to come up with the President's submission \nto Congress.\n    So I think what we are looking for is something that will \nreach across all the agencies but continue the pattern we have \nnow. Some of the reasons we are suggesting that is only for \npractical reasons. OMB has the expertise. They have the \noversight of the whole budget. It can work in other agencies \nsuch as Defense or the intelligence community when they are \nstrong. So I think, create the strong entity and this will not \nbe an issue.\n    General Raduege. I would say that the example of Director \nof National Intelligence is new. I believe we have seen areas, \nas Dr. Lewis has mentioned, that have brought new insight and \nperspective to 16 formerly intelligence community activities \nthat were acting without an overseer. I think there has been \ngood progress made to establish common priorities and common \ndirection across the 16 independent intelligence activities \nwith the DNI oversight.\n    Mr. Kurtz. 
Just to add on once again to what has been said, \nthe question of OMB is a bit complicated when it comes to \ninformation systems because it is not only the budgetary \nauthority they have, but it is, if you will, the authority they \nhave under FISMA to set policy on information systems. So that \ngives them a little bit of a different edge than we find in \nmany other situations. I think that situation needs to be \nreconciled.\n    The Commission may well come out that the FISMA-related \nauthorities of OMB maybe need to be pulled out and placed into \nanother--placed into another entity perhaps associated with the \nWhite House.\n    When it comes to the budget-related issues, though, the \nODNI model is good, but I would offer two other similar models, \nand that is the drug czar, where the drug czar had, if you \nwill, oversight of the budget, could put together specific \nprograms, make sure agencies were adequately funding them.\n    Similarly, that was done in the case of counterterrorism, \ninformally. When I was in the White House and we got into \ncounterterrorism-related budgets, when we saw agencies that \nweren't necessarily doing enough, we would go directly to OMB \nand to the agencies and say we really needed to bolster these \nprograms. It worked fairly effectively when we had proper \nsupport from others in the West Wing.\n    Mr. Langevin. Thank the panel for their answers to those \nquestions. The Chair now yields to the Ranking Member for 5 \nminutes for questions.\n    Mr. McCaul. Thank you, Mr. Chairman, thank you again for \nyour great leadership, as I mentioned in my opening statement.\n    I agree, Mr. Kurtz, it is no longer just a homeland \nsecurity issue, this is a national security issue that doesn't \nreally know borders. There are no borders to cyberspace. It is \ninternational in its scope. 
We have seen the vulnerabilities in \nterms of shutting down power grids, the financial sectors, the \naviation sectors, the potential damage that could be done.\n    I see my good friend and colleague Al Green has joined us, \nrepresenting the Houston area. We have seen first-hand how the \nnatural disasters I mentioned in my opening statement have \ncaused tremendous damage, destruction, loss of human life. This \nis again a man-made threat.\n    In our hearings the one thing that seemed like a common \ntheme was that no one--who is in charge was the question. Even \nthough I think we tried to relegate a lot of that authority to \nDHS, the authority wasn't direct. The coordination has not been \nwhere we would like it to be. Certainly, with respect to the \nDOD and the NSA, you have such great expertise in this area in \nterms of the operations side. We didn't see the coordination \nthat I frankly would have liked to have seen better \ncoordination between those who know how to do this offensively \non the operations side and those who need to do this \ndefensively to protect the United States.\n    Let me just add to this as well just the massive intrusions \nthat we have seen in the Federal networks and the amount of \ninformation, data that has been stolen. I would like to know \nhow these recommendations will help prevent that type of \nintrusion that we have seen more in the form of espionage. The \ncyber warfare issues arise.\n    Let me say also that I am very pleased with these \nrecommendations in terms of putting somebody that has the \nPresident's ear in charge of this, so it elevates this to the \nPresidential level. I think that has been somewhat lacking. I \nthink that will provide the coordination necessary between all \nthese relevant agencies.\n    How we do that, whether it is in the NSC or putting an \noffice in the Executive Office of the President, I think all \nthose are very good ideas that I know you are entertaining and \nhave put forth. 
How do these make us safer?\n    Then, General Raduege, you talked, I thought very \nimportantly, about the international focus. What is the \nvehicle, what would be the vehicle for coordinating with other \ncountries that we believe to be friendly? There are a lot of \ncountries that aren't friendly to us that are trying to get \nthis technology offensively.\n    General Raduege. Thank you for that question, Mr. McCaul. \nAs I have traveled and talked to other leaders in other \nNations, they are looking for answers in preparing their own \ncybersecurity strategies. So a simple question that they would \nask me was who should we come to talk to in the United States \nthat we can talk with about your overarching strategy for \nprotecting cyberspace? That was a very difficult question, \nbecause I reflected on the number of activities and bodies and \norganizations that have a piece. But there was never one place \nthat I could recommend that they go to talk to to get the \noverarching view that you would work, initially at least, \nacross international borders. So there was no one individual \nwho had the perspective of the entire national perspective and \nstrategy over the United States.\n    So that is why the recommendation of our Commission was to \nhave someone that really could speak as the authority, and with \nthe President's ear, to know that what we were telling other \nNations as far as our priority of this very important activity \nis at the Presidential level, and this is where you can get \nyour answers, and this is the kind of strategy that we have, \nand let's work together across borders, national borders, in \nsecuring cyberspace as a global capability for all of us.\n    Mr. McCaul. Thank you, General Raduege.\n    Dr. Lewis, you said we are not prepared today. I tend to \nagree with that assessment to some extent. With respect to the \nprivate sector, that is a tremendous challenge. I think your \nwords were we need to restore the trust. 
I agree the sharing of \nthe information and the coordination with the private sector \nhas not been where it needs to be, I think, to adequately \nprotect this country.\n    The idea of sharing information is a difficult one. After \n9/11, we had sharing of information between the intelligence \nside, the law enforcement side, the breaking down the walls of \ncommunication, you know, enhancing communications. You run into \nsome problems with the private sector. I wanted to get your \ninput from the Commission's recommendations on how to most \neffectively enhance that coordination and sharing of \ninformation.\n    Two major hurdles. One is when you are dealing with the \nintelligence community you have clearances and you have \nclassified information. Second, a private entity, a business, \nis going to be reluctant to share with the Federal Government \ninformation, and particularly information regarding \nvulnerabilities within their company that they have witnessed, \nwithout adequate protection that that will not get somehow \nleaked or be accessible to some sort of requests from the \nFederal Government. How do you propose to overcome those or \nmeet those challenges and overcome those hurdles?\n    Mr. Lewis. Thank you. We had a long series of discussions \nwith many people involved in the current partnerships \norganizations. We also talked with several of the leaders of \nthe British Center for the Protection of National \nInfrastructure on how they do public-private relationships. We \ntalked with a number of companies that aren't involved. So we \ndid a lot of interviews on this, and we did hear some common \nmessages.\n    I think where we came out was, first, you need to \nrestructure. You know, there are groups, ISACs, SECs, these \nhave a function in supporting DHS. They don't do what we need \nto do in cybersecurity. So we are recommending thinking of \nchanging that a little bit. 
The first thing, drawing on the \nexperience of the NSTAC, which General Raduege was involved in, \ndrawing on the experience of the British with CPNI, drawing on \nsome earlier U.S. initiatives. We think you need to develop a \nPresidential-level advisory body, maybe something like the \nPresident's Export Council, like the NSTAC, senior-level \nfigures who come regularly, who meet with senior-level people \nin the administration who have the clearances, who exchange \ninformation, and, because this is a long-term relationship, \nbuild trust. You need that relationship for trust. We used to \nhave that before some functions moved to DHS. Through no fault \nof its own, that trust is no longer there. So we think this is \none of the things that needs to go back to the White House.\n    The other issue--and we are struggling with it a little \nbit--is, as you noted, companies don't like to share \ninformation if they think it is revealing something to their \ncompetitors or if they are giving the Government something and \nnever get anything back. We think you need a new kind of \norganization that fixes both those problems, something that we \nhave been calling an operational organization. When companies \nrun into problems they do collaborate, right? But they \ncollaborate informally now. They don't do it through the \nexisting structures.\n    So we are looking for a way to capture that informal \ncollaboration, to create affinity groups around a particular \nproblem, and then use that as the vehicle to drive an \noperational approach.\n    In both of these cases, though, the new senior-level \nadvisory body and the new operational body, information sharing \nwould be a tool. It wouldn't be the goal. Information sharing \nseemed really important after 9/11. Now I think we recognize it \nis just one way to achieve our mission, which is to secure the \nNation's networks more comprehensively.\n    Mr. McCaul. All right. 
I like the creativity in trying to \ndeal with this. If I could just indulge the Chair for one more \nquestion. With respect to regulations, that always certainly \nraises a lot of issues. But this new concept is not a mandate, \na prescriptive type of regulation. Can you expand on what this \nnew concept would be with respect to any sort of regulatory \nscheme coming out of these recommendations?\n    Mr. Lewis. Certainly. Let me walk you through where we are \nand note that we haven't reached the end of the path. So if I \nend abruptly, please excuse me. But we had a discussion: Can we \nrely on the market? After some back-and-forth, we decided no, \nthat you needed to have some additional regulation.\n    We then decided, though, this isn't national regulation or \nbroad regulation. You don't need to give DHS the authority to \nregulate cyberspace. That is unnecessary. There are in the \nthree critical infrastructures we identified--telecom, finance, \nelectricity--existing regulatory authorities. I should note we \nhave depended in many ways on the work GAO has done on this. \nThe study they are releasing today has been very helpful in \nguiding us. So our recommendations will change somewhat as we \nwork through the new material they have provided.\n    In those three structures, though, you have plenty of \nregulatory bodies. They have some authority. What they don't \nhave is a way to coordinate or a way to figure out if what they \nare doing is adequate. So what we would like is for some new \nentity, probably in the White House, to be able to provide an \napproach that finds, you know, common things that agencies can \ndo with their regulated sectors to find sort of minimal \nthresholds for security, and that finds a way to build \ncollaboration. So we are looking to do this in as light a \nmanner as possible.\n    Command-and-control regulation, I think we have all agreed \nprescriptive regulation will not work. 
But at the same time, as \nyou discovered in your NERC/FERC hearings, just giving the \ncompanies their head and saying, ``Good luck and write back \nwhen you have something to tell'' is also insufficient. So we \nare hoping we can come up with what we have been calling an \nideal NERC/FERC approach. I know after the hearing, both NERC \nand FERC have gone off and are trying to redo how they approach \nthis problem. We are learning from them. So that is what we are \nlooking at.\n    Mr. McCaul. Well, thank you very much. Just let me close by \nsaying thank you to the three members of the Commission and all \nthe members of the Commission who provided such a great public \nservice to this Nation. Thank you.\n    Mr. Langevin. I thank the gentleman. The Chair now \nrecognizes the gentleman from New Jersey for 5 minutes.\n    Mr. Pascrell. Thank you, Mr. Chairman. Mr. Chairman, it is \ninteresting that the GAO presentation and report by the \nCommission, although not finished yet, are pretty close. \nInteresting. There is no national strategy, which would mean to \nme we are waiting for the politick to take into effect. We are \nstill at risk in this area. We lack a specific focus. I think \nthose were your words, Dr. Lewis.\n    Mr. Lewis. Yes.\n    Mr. Pascrell. So I have some comments to make and then I \nhave some questions. I think that let's be real, Mr. Chairman. \nThis administration has been a disaster when it comes to \ncybersecurity since 2003 when they got rid of Richard Clarke. \nIt has been all downhill since. It wasn't until the DNI came \ninto effect last year and started shaking things up that they \nshowed any initiative whatsoever.\n    So let's name names and let's talk about accountability, \nbecause I think that we have been so concerned about being \npolitically correct, that is why we haven't corrected the \nvulnerability. We are good at it, both sides of the aisle. This \nis not partisan. 
The last time I checked, we have at least four \npeople over at DHS who claim to be in charge of cybersecurity.\n    Dr. Lewis, I want you to interrupt me if I say anything \nthat is not true. Just interrupt me.\n    Mr. Lewis. You are on track so far.\n    Mr. Pascrell. It is no wonder that we are in the shape we \nare in today. Robert Jamison, the Under Secretary who leads the \nship, apparently, gave himself a solid C in cybersecurity last \ntime he came before the full committee.\n    Mr. Chairman, when was getting a C a good mark? I know what \nthe nuns used to tell me. You are on the way to D. You \nremember, Mr. Chairman, that shortly after, the chief \ninformation officer told us, ``You don't know what you don't \nknow.'' That is rather startling. He was promoted to Deputy \nUnder Secretary. These are the individuals in charge of \ncybersecurity in DHS.\n    Now, the White House has been equally fill-in-the-blank. \nThey announced a new initiative and then overclassified \neverything. The Senate tried for months to get them to make the \ninformation public so we could have a public dialog about some \nof these things. The White House naturally refused to budge. \nThen yesterday I see that the Special Assistant to the \nPresident is giving a talk about the Nation's cybersecurity \nposture. I don't know if you heard it or read it. They had the \ngall to charge Government employees $50 to attend it to hear \nthis guy talk.\n    Now, a lot of things have been said about New Jersey, but \nthere has got to be some transparency here as to what in God's \nname is going on. To hear about an initiative that they refused \nto talk about for months.\n    I am hoping that Mr. 
Kurtz, who was Special Assistant to \nthe President when he worked for Richard Clarke, and the other \npanelists might have some insight for us about this sad state \nof affairs.\n    So let me ask all of you, from your dealings with these \npeople, these folks who I named--I gave you names--is \ncybersecurity an issue of national security that is being taken \nseriously or is it simply a political football that people are \ntrying to build a legacy out of? Who wants to take the first \ncrack?\n    Mr. Lewis. I will go first. You know, in some ways I am \ngoing to defend the administration a little bit, which would \nprobably be a surprise to them.\n    We had a lunch with Admiral McConnell shortly before he was \nconfirmed as the Director of National Intelligence. At that \nlunch somebody asked him: What is the one thing that keeps you \nup at night? You know, I thought he was going to say Iraq or \nNorth Korea. He said cybersecurity. I was shocked. So he at \nleast has been focused on this from the time he took office. I \ngive him credit for that.\n    The Comprehensive National Cybersecurity Initiative is \nactually a very useful series of steps. It is doing the TIC, \nEINSTEIN, the FDCC. Some of the other activities have made some \nuseful progress. One of the things I know people are worried \nabout, one of the things we want to help with in the Commission \nis not to have a fumble. You know, we have made a little \nprogress in the last year. When the administration changes the \nnorm, whether it is a Democratic or a Republican \nadministration, you know, is to sort of start over. We can't \nafford that.\n    So we want to say some of the things that have come out of \nthis initiative have been good. I agree with you completely, it \nwould be a lot easier to avoid that fumble if this wasn't \nclassified Top Secret.\n    I think yesterday's presentation by a series of \nadministration figures was useful. 
I understand in part that \nwas in reaction to the hearing today and a way to get some \ninformation out. So you can take credit for that. But I think \nthey have done some good things. We do have a lot of work to \ndo, I couldn't agree with you more. But there are folks who are \ntrying.\n    Mr. Pascrell. General.\n    General Raduege. Thank you, sir. To answer your questions, \nI believe there are people who are taking this issue very \nseriously. I believe, though, that they are frustrated, as I \ntalk with them individually in social settings and professional \nsettings, of how massive this issue really is. They are \nfrustrated with their organizations, they are frustrated with \nwhere this issue lies in their organization, at what level, and \nthe processes that are involved with trying to coordinate \nactions for a national-level serious issue with the patchwork \nand the centers of brilliance, but also the centers of \nincompetence that are throughout the daily workings and \ndealings that they are faced with.\n    Mr. Pascrell. Thank you. Mr. Kurtz.\n    Mr. Kurtz. Let me try to answer by a bit of a story first. \nBack at the end of June, DHS convened a meeting to discuss \nProject 12, which is, if you will, the one element of the \ninitiative that relates to the private sector. At the head of \nthe table we had several senior people from the Department of \nHomeland Security, including Under Secretary Jamison, Secretary \nBaker, Secretary Garcia, and Admiral Brown.\n    What was so discouraging about that day, and it was a day \nthat I will never forget--and I worked in Government for a long \nperiod of time, but it was really a travesty--we had in-\nfighting between the DHS senior leadership as to how to \nproceed. It demonstrated in spades the lack of leadership, the \nfact that no one was in charge at DHS. 
What was really \nsickening about it was that we had probably 70 or so people \nfrom the private sector there who have spent a lot of time over \nthe past several years trying to work with the Department, and \nyet again had been asked to put together some material for the \nDepartment to digest on how they could work together, but the \nDepartment basically threw it overboard, wasn't listening to \nthe private sector. That was incredibly discouraging to \nwitness.\n    I will say Admiral Brown sat at that meeting, saw what \nhappened, and I think has been trying to work a way forward. So \nI don't want to implicate Admiral Brown in this at all.\n    The second point is I do find it also very discouraging \nthat it took so long for the White House to come out and speak \nabout this publicly. Even when they did, it was in kind of a \nstrange manner, having an event at an association, whereas it \nwasn't, if you will, a public event.\n    What is really discouraging, taking all of that into \naccount, is the Comprehensive National Cyber Initiative is \nactually not bad. It was a good-news story for the White House. \nIt was a good-news story for the administration. But they \nsought to overclassify, to make it political, to see that CSIS \nwas only out to go after them, when in the end, CSIS, Jim \nLewis, John Hamre, opened the door to several agencies to come \nin and brief, and they took us up on that. DOD, the DNI, FBI, \nNCIS all came to brief us. Elements of DHS came to brief us. \nNot all. The White House in all cases discouraged people from \nparticipating.\n    Mr. Pascrell. Why?\n    Mr. Kurtz. You ask them. I don't know the answer.\n    Mr. Pascrell. That is a good answer. Okay.\n    Mr. Lewis. Can I add one thing too, sir? We all three \nof us still have our clearances. All three of us have worked on \nvery highly classified programs. All three of us have gotten \nbriefed on the Cybersecurity Initiative. There is no reason to \nclassify it. 
We know what classified programs look like. There \nare a couple parts in this that, yeah, they are classified. But \nmost of it, it could be open.\n    Mr. Pascrell. I think the Chairman is noting this. How \nabout Mr. Powner?\n    Mr. Powner. Clearly, our work over the years has showed \nthat DHS has been completely ineffective in fulfilling their \nresponsibilities as the cybersecurity focal point. I want to \njust--and you know, we see this a lot where everyone points \nfingers and we don't have authority and the whole bit. \nExecutives get paid to break down the bureaucracy and get \nthings done. That hasn't happened.\n    Mr. Pascrell. Thank you, Mr. Powner.\n    Thank you very much. Mr. Chairman. I want to hang a \nquestion out there, and I don't want an answer. I want us to \nthink about it very seriously, though. If we are attacked in \ncyberspace, therefore, what level of response is appropriate?\n    Thank you, Mr. Chairman.\n    Mr. Langevin. Thank the gentleman for his questions. The \ngentleman from Texas, Mr. Green, has 5 minutes for questions.\n    Mr. Green. Thank you, Mr. Chairman. I am not sure exactly \nwhere to go after all that I have heard. I thank all of you for \ntaking the time to be a part of trying to assist your \nGovernment, and for your candor. I will tell you we don't hear \nthis type of straightforward talk, straight talk, if you will, \nthat often. I appreciate the fact that you have been absolutely \ncandid about this.\n    I am going to go in a slightly different direction, \nalthough I have enjoyed hearing concerns about who should be in \ncharge. In your review of this, did you conclude that the \ntechnology does exist to actually have cybersecurity?\n    Mr. Lewis. The short answer would be yes. Now, people would \nbe surprised at that. You can never secure things 100 percent, \njust as your car can never be 100 percent safe. But there is a \nlot we could do. 
There are things where spending on research \nwould help, but we have not taken advantage of all of the \ntechnology that is available.\n    Mr. Green. Yes, sir.\n    Mr. Kurtz. Well, I would agree with what Jim is offering. \nThere are lots of interesting technologies out there that can \nbe deployed, and there are some questions as to where they are \nmost effectively deployed in order to better protect the \nnetworks, in other words, at the edge or in the core. That is \none of the issues we are, in fact, wrestling with in the area \nof regulation, as to what might carriers or ISPs--what should \nthey consider doing in order to better protect the networks?\n    So the technologies exist. But, however, rubbing up against \nthat is the open nature of the internet and anonymity on the \ninternet. In these two, the desire to be secure, the desire to \nhave private communications, and at the same time use the same \nvehicle for anonymous communications, they conflict. That is an \nissue that, at least over the past 48 hours in the e-mail going \nback and forth among commissioners, is a real issue to seek to \ntry to find a way forward on. It is not clear.\n    Mr. Green. Yes, sir.\n    General Raduege. I would just say, Congressman, that the \ntechnology definitely exists, but it always has to be \nrefreshed.\n    In this particular area of information technology and the \nspeed that the internet and all of our information networks \nwork at and the sophisticated attackers that we have out there \nand those who are always trying to gain some advantage, the \ntechnology has to keep up as they gain in their ability to do \nevil to us, whether it is in the areas of national security \nperspectives or in cybercrime or even the eventuality of \nperhaps terrorist activity.\n    Mr. Powner. 
What we see in our work is primarily an issue \nwith--not with the technology but with individuals; do we have \ncyber analysts, criminal investigators, and those types of \nexpertise in the Federal agencies such as DHS and other places.\n    Mr. Green. Hence, is it fair to conclude--and I suspect \nthat this has already been stated--but if the technology \nexists, and we are still at an unacceptable level of \nvulnerability, then it is clearly a question of leadership?\n    Yes, sir.\n    Mr. Kurtz. Yes, it is a question of leadership. It is also \na question of putting in place the mechanisms to promote \ncollaboration, if in the space of just the Federal Government, \nin securing its own networks, is putting in place the \ncollaboration mechanisms.\n    Actually, the Comprehensive National Cyber Initiative \nenvisions some of that. Unfortunately, as far as execution on \nthe initiative, one of the key centers associated with that, \nthe National Cyber Security Center has, if you will, not been \nable to proceed because it has not received adequate funding in \nsupport. So it is struggling. Similarly, the US-CERT, which has \nresponsibilities in this area, is struggling as well.\n    So it is, if you will, not just technology. It is putting \nthe organizations together with the right technology and \ncollaboration mechanisms in order to achieve better security.\n    Mr. Green. On the question of leadership--and I know that \nis a very broad statement, leadership, and I understand it--\nshould this leadership emanate with the Congress? Or should we \ncontinue to allow the executive to prescribe, mandate which \nDepartment, who is going to be in charge? Or do you think that \nwe need to, here in Congress, give some additional sense of \ndirection, if you will?\n    Mr. Kurtz. Well, I think, first, the effort by Chairman \nLangevin and a call to establish a caucus, a cyber caucus, here \nin the House at least, is a very good idea. 
Because I think, in \nworking on this issue in the past, there are several committees \nof jurisdiction up here on Capitol Hill, and trying to get \neverybody on the same page and come up with a common waveform \nis difficult.\n    At the same time, if Congress could do that, then I think \nthere could be, if you will, more focused direction from \nCapitol Hill as to where the executive branch might ultimately \nfocus. But I think the executive branch, for its part, should \nand can reorganize itself to have more authority and oversight \nwithin the EOP, the Executive Office of the President.\n    Mr. Lewis. It is strange, in following on Paul's remarks, \nCongress has to be involved in this. One of the things we have \nconcluded is that it won't work unless you have both Congress \nand the executive branch. What we need is vigorous oversight, \nwhich this committee has provided. We have seen how useful it \ncan be, but we need more of it. We need the right authorities. \nPeople mentioned FISMA, Clinger-Cohen, some other authorities, \nTitle 3, Title 18. We have authorities that were very often \nwritten in the 1970's. Only Congress can update them to fit the \nage we live in now.\n    You know, and finally we need the right level of funding. \nCongress has been so far in cybersecurity. In fact, you have \nbeen generous ahead of knowing what the plans were to spend the \nmoney, so I congratulate you on that. It is a first. But we do \nneed Congress to continue to support building the \ninfrastructure that will let us be more secure.\n    So these are things that neither branch can do by \nthemselves, and we have to find a way to build the partnership \nbetween you two for this to work.\n    Mr. Green. Thank you, Mr. Chairman.\n    Just a closing comment. Given the comments that have been \nmade, we have some duty to respond. 
Hopefully we will find a \nway to get that done, because the vulnerability being offset by \nthe technology, and if that doesn't occur, and then we do have \nan attack, obviously people are going to want to know why we \ndidn't do more.\n    Thank you.\n    Mr. Langevin. I thank the gentleman for his questions, as \nwell as his final statement. I agree, there is no issue that is \nas important right now as cybersecurity. As we go forward, it \nposes a significant national security challenge to the United \nStates, not just now but well into the future, particularly \nbecause it is such a moving target. We are going to have to try \nto continue to stay one step ahead of those who may wish us \nharm. This is not a partisan issue, and we need to stay united \nand well-coordinated on the effort to have a comprehensive \ncybersecurity strategy as we go forward.\n    With that, I will have just one final question, and then I \nam going to yield to the Ranking Member for a closing comment \nas well.\n    Since this administration is coming to an end and there \nwill be a new administration coming in, we are just now \nstarting to really have a comprehensive, coordinated response \nand strategy on cybersecurity for the 21st century and for the \n44th presidency.\n    Can I ask the panel, have you studied the Presidential \ncandidates' platforms? What they are proposing in terms of \ncybersecurity? What efforts will the Commission make to place \nits report on the desk of the new administration?\n    I will leave that for the panel, whoever would like to \nbegin first.\n    Mr. Lewis. I will start, Mr. Chairman.\n    We have been working with the campaigns. We have kept them \ninformed from the start of the Commission. There are several \npeople on the Commission involved in both campaigns.\n    When we began this, we picked three campaigns as the ones \nlikely to make it to the finish line. Of the two that are \nthere, they were among the three we picked. 
So we do have \ncontacts.\n    We hope and have reached out to both of the campaigns now \nto have more detailed briefings, briefings with more senior \nmembers of each campaign. We waited, on your recommendation, I \nmight add, for the conventions. Now that the conventions are \nover, we have asked, can the Chairman go and brief on our \nrecommendations? So I think in the next month or so, we will \nhave that opportunity.\n    Mr. Langevin. Very good.\n    General Raduege. I would say, Mr. Chairman, that I have \nbeen encouraged by both candidates in the fact that they have \nboth recognized cybersecurity in their statements and needing \ngreater investment and greater attention, and the fact that it \nappears like they both recommend that this be a top priority in \ntheir administration.\n    Mr. Langevin. Very good.\n    Mr. Kurtz, anything to add in closing?\n    Mr. Kurtz. No, that is fine.\n    Mr. Langevin. Okay. Very good.\n    With that, I will yield to the Ranking Member for a \ncomment.\n    Mr. McCaul. I thank the Chairman.\n    You know, as I look at the pictures of the World Trade \nCenter behind the witnesses, and the Pentagon, you know, \nassociating myself with Congressman Green's remarks, we don't \nwant to be sitting here some day with a cyber 9/11 and say, \nwhat could we have done differently to stop that from \nhappening? I think that is the whole vision of this commission \nand the value of this commission.\n    There are some very good men and women serving at the \nFederal level and serving in our military and serving at NSA \nand serving at DHS, who sincerely want to protect this Nation. \nI believe there are many that are doing a fine job. This \ncommission is not in the business, in my view at least, it was \nnot my vision that this commission would be in the business of \nfinger-pointing and partisanship. 
In fact, what we attempted to \ndo--this is one of the rare times that I have seen, frankly, \nthat we have been able to come together, I think. The beauty of \nit is coming together in a bipartisan way, with a nonpartisan \ncommission that is simply just trying to protect America. I \nthink that is the value that the next administration and the \nnext President will see in this and, I think, the American \npeople.\n    Thank you.\n    Mr. Langevin. Very good. I thank the Ranking Member for his \ncomments.\n    I just want to thank the panel again for their testimony \ntoday, particularly for the great work that the GAO has been \ndoing over the years. Thank you for your contributions and \nservice to this subcommittee in particular.\n    I want to thank the members of the CSIS Commission who are \nhere today for your great leadership, dedication. You, as well, \nperform a great service to our Nation. We are all grateful for \nyour dedication, your patriotism and for the countless hours \nthat you put into this effort to better secure the Nation \nagainst cybersecurity attack and just cybersecurity in general.\n    So, with that, I want to again thank the witnesses for \ntheir valuable testimony and the Members for their questions.\n    The Members of the subcommittee may have additional \nquestions for the witnesses, and we will ask that you respond \nexpeditiously in writing to those questions.\n    Again, we remind everyone that this will be one of many \nhearings that will take place going forward. The next hearing \nwill be before the House Permanent Select Committee on \nIntelligence that will occur on Thursday.\n    Hearing no further business, the subcommittee now stands \nadjourned.\n    [Whereupon, at 3:40 p.m., the subcommittee was adjourned.]\n\n                                 <all>\n</pre></body></html>\n"