b"<html>\n<title>ASSESSING CYBERSECURITY ACTIVITIES AT NIST AND DHS</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n \n                        ASSESSING CYBERSECURITY\n                       ACTIVITIES AT NIST AND DHS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 25, 2009\n\n                               __________\n\n                           Serial No. 111-39\n\n                               __________\n\n     Printed for the use of the Committee on Science and Technology\n\n\n     Available via the World Wide Web: http://www.science.house.gov\n\n                                 ______\n                  U.S. GOVERNMENT PRINTING OFFICE\n50-325                    WASHINGTON : 2009\n-----------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n\n                   HON. BART GORDON, Tennessee, Chair\nJERRY F. COSTELLO, Illinois          RALPH M. HALL, Texas\nEDDIE BERNICE JOHNSON, Texas         F. JAMES SENSENBRENNER JR., \nLYNN C. WOOLSEY, California              Wisconsin\nDAVID WU, Oregon                     LAMAR S. 
SMITH, Texas\nBRIAN BAIRD, Washington              DANA ROHRABACHER, California\nBRAD MILLER, North Carolina          ROSCOE G. BARTLETT, Maryland\nDANIEL LIPINSKI, Illinois            VERNON J. EHLERS, Michigan\nGABRIELLE GIFFORDS, Arizona          FRANK D. LUCAS, Oklahoma\nDONNA F. EDWARDS, Maryland           JUDY BIGGERT, Illinois\nMARCIA L. FUDGE, Ohio                W. TODD AKIN, Missouri\nBEN R. LUJAN, New Mexico             RANDY NEUGEBAUER, Texas\nPAUL D. TONKO, New York              BOB INGLIS, South Carolina\nPARKER GRIFFITH, Alabama             MICHAEL T. MCCAUL, Texas\nSTEVEN R. ROTHMAN, New Jersey        MARIO DIAZ-BALART, Florida\nJIM MATHESON, Utah                   BRIAN P. BILBRAY, California\nLINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska\nBEN CHANDLER, Kentucky               PAUL C. BROUN, Georgia\nRUSS CARNAHAN, Missouri              PETE OLSON, Texas\nBARON P. HILL, Indiana\nHARRY E. MITCHELL, Arizona\nCHARLES A. WILSON, Ohio\nKATHLEEN DAHLKEMPER, Pennsylvania\nALAN GRAYSON, Florida\nSUZANNE M. KOSMAS, Florida\nGARY C. PETERS, Michigan\nVACANCY\n                                 ------                                \n\n               Subcommittee on Technology and Innovation\n\n                      HON. DAVID WU, Oregon, Chair\nDONNA F. EDWARDS, Maryland           ADRIAN SMITH, Nebraska\nBEN R. LUJAN, New Mexico             JUDY BIGGERT, Illinois\nPAUL D. TONKO, New York              W. TODD AKIN, Missouri\nDANIEL LIPINSKI, Illinois            PAUL C. BROUN, Georgia\nHARRY E. MITCHELL, Arizona               \nGARY C. PETERS, Michigan                 \nBART GORDON, Tennessee               RALPH M. 
HALL, Texas\n                 MIKE QUEAR Subcommittee Staff Director\n        MEGHAN HOUSEWRIGHT Democratic Professional Staff Member\n            TRAVIS HITE Democratic Professional Staff Member\n         HOLLY LOGUE PRUTZ Democratic Professional Staff Member\n             DAN BYERS Republican Professional Staff Member\n                  VICTORIA JOHNSTON Research Assistant\n\n\n                            C O N T E N T S\n\n                             June 25, 2009\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative David Wu, Chair, Subcommittee on \n  Technology and Innovation, Committee on Science and Technology, \n  U.S. House of Representatives..................................     8\n    Written Statement............................................     9\n\nStatement by Representative Adrian Smith, Ranking Minority \n  Member, Subcommittee on Technology and Innovation, Committee on \n  Science and Technology, U.S. House of Representatives..........     9\n    Written Statement............................................    10\n\nPrepared Statement by Representative Harry E. Mitchell, Member, \n  Subcommittee on Technology and Innovation, Committee on Science \n  and Technology, U.S. House of Representatives..................    11\n\n                               Witnesses:\n\nMr. Gregory C. Wilshusen, Director, Information Security Issues, \n  U.S. Government Accountability Office\n    Oral Statement...............................................    11\n    Written Statement............................................    13\n    Biography....................................................    24\n\nMr. 
Mark Bregman, Executive Vice President and Chief Technology \n  Officer, Symantec Corporation\n    Oral Statement...............................................    24\n    Written Statement............................................    28\n    Biography....................................................    32\n\nMr. Scott Charney, Corporate Vice President, Trustworthy \n  Computing, Microsoft Corporation\n    Oral Statement...............................................    32\n    Written Statement............................................    34\n    Biography....................................................    40\n\nMr. Jim Harper, Director of Information Policy Studies, The Cato \n  Institute\n    Oral Statement...............................................    41\n    Written Statement............................................    43\n    Biography....................................................    65\n\nDiscussion.......................................................    65\n\n\n           ASSESSING CYBERSECURITY ACTIVITIES AT NIST AND DHS\n\n                              ----------                              \n\n\n                        THURSDAY, JUNE 25, 2009\n\n                  House of Representatives,\n         Subcommittee on Technology and Innovation,\n                       Committee on Science and Technology,\n                                                    Washington, DC.\n\n    The Subcommittee met, pursuant to call, at 2:07 p.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. David Wu \n[Chair of the Subcommittee] presiding.\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                            hearing charter\n\n               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n\n                     U.S. 
HOUSE OF REPRESENTATIVES\n\n                        Assessing CyberSecurity\n\n                       Activities at NIST and DHS\n\n                        thursday, june 25, 2009\n                          2:00 p.m.-4:00 p.m.\n                   2318 rayburn house office building\n\nI. Purpose\n\n    On Thursday, June 25, 2009, the Subcommittee on Technology and \nInnovation will convene a hearing to assess the cybersecurity efforts \nof the Department of Homeland Security (DHS) and the National Institute \nof Standards and Technology (NIST). In reviewing the activities of the \nagencies' cybersecurity programs, the hearing will solicit the input of \nprivate-sector experts on how federal cybersecurity activities can \nenhance privately-owned critical infrastructure, better monitor federal \nnetworks, and more clearly define cybersecurity performance with \nmetrics and success criteria.\n\nII. Witnesses\n\nMr. Greg Wilshusen is the Director of Information Security Issues at \nthe Government Accountability Office.\n\nMr. Mark Bregman is the Executive Vice President and Chief Technology \nOfficer of Symantec Corporation.\n\nMr. Scott Charney is the Corporate Vice President of Microsoft's \nTrustworthy Computing Group.\n\nMr. Jim Harper is the Director of Information Policy Studies at the \nCato Institute.\n\nIII. Overview\n\n    In January 2008, the Bush Administration established, through a \nseries of classified executive directives, the Comprehensive National \nCybersecurity Initiative (CNCI). While the goal of the initiative was \nto secure federal systems, a number of security experts have expressed \nconcern that the classified nature of the CNCI has inhibited active \nengagement with the private sector despite the fact that 85 percent of \nthe Nation's critical infrastructure is owned and operated by private \nentities. 
While experts are concerned by the lack of transparency and \npublic-private cooperation under the CNCI, they have also urged \nPresident Obama to build upon the existing structure of CNCI. In \nFebruary 2009, the Obama Administration called for a 60-day review of \nthe national cybersecurity strategy. The President's review required \nthe development of a framework that would ensure that the CNCI was \nadequately funded, integrated, and coordinated among federal agencies, \nthe private sector, and State and local authorities.\n    On May 29, 2009, the Administration released its Cyberspace Policy \nReview. The review recommended an increased level of interagency \ncooperation amongst all departments and agencies. The active exchange \nof information concerning attacks, vulnerabilities, research, and \nsecurity strategies is essential to the efficient and effective defense \nof federal computer systems. The review team also emphasized the need \nfor the Federal Government to partner with the private sector to \nguarantee a secure and reliable infrastructure. Furthermore, it \nhighlighted the need for increased public awareness, the education and \nexpansion of the Information Technology (IT) workforce, and the \nimportance of advancing cybersecurity research and development.\n    The hearing will address recommendations made in the Cyberspace \nPolicy Review and a recent report from the GAO.\\1\\ DHS currently \nmonitors the federal civilian networks for cyber attacks and \ncoordinates the gathering and dissemination of information on cyber \nattacks to federal agencies and private industry. The policy review and \nGAO report highlight deficiencies in both the operations and \ncoordination roles. The policy review also calls on a more proactive \nplan for collaboration with international standards bodies and an end \nto the cybersecurity distinctions between national security and other \nfederal networks. 
NIST currently develops and promulgates standards to \nhelp secure the federal civilian network systems. Finally, both reports \ncall for an increase in effective public/private partnerships, despite \na current high number of coordination councils and advisory boards. The \npolicy review states that the high number of coordinating groups has \nleft some participants frustrated with unclear roles and \nresponsibilities and an excess of plans and recommendations.\n---------------------------------------------------------------------------\n    \\1\\ National Cybersecurity Strategy: Key Improvements Are Needed to \nStrengthen the Nation's Posture, Government Accountability Office, \nhttp://www.gao.gov/new.items/d09432t.pdf\n\n---------------------------------------------------------------------------\nIV. Issues and Concerns\n\nOperations\n    The Cyberspace Policy Review called for the review of some of the \nDHS cybersecurity programs. It recommends a review of the ``operational \nconcept and the implementation of the National Cyber Security Center \n(NCSC) to determine whether its proposed responsibilities, resource \nstrategy, and governance are adequate to enable it to provide the \nshared situational awareness necessary to support cyber incident \nresponse efforts.'' This center was also specifically discussed in the \nreport from GAO in its recommendation that DHS needed to ensure that \nthere are distinct and transparent lines of authority and \nresponsibility assigned to DHS organizations with cybersecurity roles \nand responsibilities. 
The same report also mentioned DHS difficulties \nin hiring and retaining adequately trained staff that have been \nhindering the function of the NCSC.\n    The Cyberspace Policy Review also recommended that DHS continue to \npursue the goal of the Trusted Internet Connection program to reduce \nthe number of government network connections to the Internet but to \nreconsider goals and timelines based on a realistic assessment of the \nchallenges. DHS uses the trusted connections and monitoring devices to \nprotect the federal civilian networks. The review calls for the \nevaluation and continuation of these pilot deployments of intrusion \ndetection and prevention systems in consultation with the civil \nliberties and privacy community. The lessons learned from these \ndeployments could be used with other networks, such as those operated \nby the State governments.\n\nStandards\n    A major recommendation from industry experts indicates the need to \nend the bifurcation of minimum cybersecurity standards amongst \nmilitary, national security, and federal civilian networks. 
A recent \ndraft report from NIST proposes a unified set of standards that meet \nthis recommendation.\\2\\ The use of a single set of basic standards and \nminimum security requirements will simplify acquisition of network \ncomponents and ease the assessment of cybersecurity performance.\n---------------------------------------------------------------------------\n    \\2\\ Recommended Security Controls for Federal Information Systems \nand Organizations, National Institute of Standards and Technology \nSpecial Publication 800-53 DRAFT, http://csrc.nist.gov/publications/\ndrafts/800-53/800-53-rev3-FPD-clean.pdf\n---------------------------------------------------------------------------\n    The review team also recommends that the Federal Government \ndetermine a strategy to work with international partners to develop \ncybersecurity standards and a legal framework for dealing with \ncybercrime. Internationally-consistent policies will provide a simpler \nset of cybersecurity guidelines for international companies and for \nprosecution of cybercriminals. Additionally, the review recommends that \nthe Federal Government coordinate with international partners and \nstandards bodies to support next-generation global communications \ncapabilities.\n\nCritical Infrastructure\n    Critical infrastructure represents a challenge because much of it \nis privately-owned, yet could represent a major vulnerability to the \nsecurity of the Nation. The Cyberspace Policy Review called for \nincreased coordination and integration of current efforts among all \nfederal departments and agencies, and with private industry to assist \nin securing critical infrastructure. 
Currently, an assortment of \npublic-private partnerships, advisory boards, and information sharing \nmechanisms exists across the Federal Government, such as the Critical \nInfrastructure Partnership Advisory Council (CIPAC), IT-Sector \nCoordinating Council (IT-SCC), National Infrastructure Advisory \nCouncil, and Information Security and Privacy Advisory Board (ISPAB).\n\nMetrics\n    Throughout its recommendations, the review team highlights the need \nfor the increased use of performance metrics to guide strategies and to \nmake key planning decisions. Cybersecurity efforts are traditionally \nassessed by detailing the number of initiatives and funding spent on \nthese initiatives. A set of metrics based on actual outcomes of \nefforts, instead of output of initiatives and funds would better assess \nthe current activities and identify areas for improvement. They \nrecommend the development of a formal program assessment framework that \nwould guide departments and agencies in defining the purpose, goal, and \nsuccess criteria for each program. This framework could then be used as \na basis for implementing a performance-based budgeting process, setting \npriorities for research and development initiatives, and assisting in \ndevelopment of the next-generation networks.\n\nV. Background\n\n    In the current system, responsibilities for the security of federal \nnetwork systems fall to many different agencies. The National Security \nAgency (NSA) is responsible for all classified network systems. The \nDepartment of Defense (DOD) is responsible for military network systems \nand DHS is responsible for all federal civilian network systems. \nAdditionally, DHS is responsible for communicating information on cyber \nattacks to other federal agencies. NIST develops and promulgates \nstandards to help secure the federal civilian network systems, along \nwith their other roles that will be discussed below. 
The Office of \nManagement and Budget (OMB) implements and enforces the standards set \nby NIST. Three key agencies, National Science Foundation (NSF), DHS and \nDOD (specifically the Defense Advanced Research Projects Agency (DARPA) \n) fund the majority of cybersecurity research and development (R&D).\n\nDepartment of Homeland Security\n\n    As tasked in Homeland Security Presidential Directive (HSPD) 7, \nDHS, ``. . . shall be responsible for coordinating the overall national \neffort to enhance the protection of the critical infrastructure and key \nresources of the United States. The Secretary shall serve as the \nprincipal federal official to lead, integrate, and coordinate \nimplementation of efforts among federal departments and agencies, State \nand local governments, and the private sector to protect critical \ninfrastructure and key resources.'' As a response to HSPD-7, DHS \ncreated the National Cyber Security Division (NCSD), detailed below. In \n2008, HSPD-23, which was mostly classified, called for a central \nlocation to gather all of the cybersecurity information on attacks and \nvulnerabilities. DHS created the NCSC to meet this need.\n\nNational Cybersecurity Division\n    The NCSD is the operational arm of DHS's cybersecurity group and \nhandles a host of tasks: they detect and analyze cyber attacks, \ndisseminate cyber attack warnings to other Federal Government agencies, \nconduct cybersecurity exercises, and help reduce software \nvulnerabilities. The budget request for the NCSD is $400 million, an \nincrease of $87 million above FY 2009.\n\n        <bullet>  United States Computer Emergency Readiness Team\n\n           Within NCSD, the U.S. 
Computer Emergency Readiness Team (US-\n        CERT) monitors the federal civilian network systems on a 24/7 \n        basis and issues warnings to both federal agencies and the \n        public through the National Cyber Alert System when cyber \n        attacks occur.\n\n           EINSTEIN--The EINSTEIN program is an intrusion detection \n        system which US-CERT uses to monitor the federal civilian \n        network connections for unauthorized traffic.\n\n        <bullet>  National Cyber Response Coordination Group\n\n           The National Cyber Response Coordination Group (NCRCG), \n        composed of US-CERT and the cybersecurity groups of DOD, \n        Federal Bureau of Investigation (FBI), NSA, and the \n        intelligence community, coordinates the federal response to a \n        cyber attack. Once an attack is detected, a warning is issued \n        through the NCRCG to all federal agencies and the public.\n\n        <bullet>  Cyber Storm\n\n           Cyber Storm is a biennial cybersecurity exercise that allows \n        participants to assess their ability to prepare for, protect \n        from, and respond to cyber attacks that are occurring on a \n        large-scale and in real-time. Cyber Storm exercises have taken \n        place in 2006 and 2008, with five countries, 18 federal \n        agencies, nine U.S. states, and over 40 private sector \n        companies.\n\n        <bullet>  Software Assurance Program\n\n           The Software Assurance Program maintains a clearinghouse of \n        information gathered from federal and private industry \n        cybersecurity efforts, as well as university research, for \n        public use. 
The Program has established Working Groups focused \n        on specific software areas and holds regular forums to help \n        encourage collaboration.\n\nNational Cyber Security Center\n    The NCSC was created in 2008 to act as a coordinating group for \nconsolidating, assessing, and disseminating information on cyber \nattacks and vulnerabilities gathered from the cybersecurity efforts of \nDOD, DHS, NSA, FBI, and the intelligence community. By collecting \ninformation from all of these departments, the NCSC was established to \nprovide a single source of critical cybersecurity information for all \npublic and private stakeholders. Funding for NCSC in FY 2010 is $4 \nmillion.\n\nCyber Security Research and Development Center\n    Cyber security research within DHS is planned, managed, and \ncoordinated through the Science and Technology Directorate's Cyber \nSecurity Research and Development Center. This center supports the \nresearch efforts of the Homeland Security Advanced Research Projects \nAgency (HSARPA), coordinates the testing and evaluation of \ntechnologies, and manages technology transfer efforts. The FY 2010 \nbudget includes $37.2 million for cyber security R&D at DHS; this is an \nincrease of $6.6 million over FY 2009.\n\nNational Institute of Standards and Technology\n\n    NIST is tasked with protecting the federal information technology \nnetwork by developing and promulgating cybersecurity standards for \nfederal civilian network systems (Federal Information Processing \nStandard [FIPS]), identifying methods for assessing effectiveness of \nsecurity requirements, conducting tests to validate security in \ninformation systems, and conducting outreach exercises. These tasks \nwere appointed to NIST in the Computer Security Act of 1987. In the \nFederal Information Security Management Act of 2002, OMB was tasked to \ndevelop implementation plans and enforce the use of the FIPS developed \nby NIST. 
Cybersecurity activities are conducted through NIST's \nInformation Technology Laboratory which has a budget request of $72 \nmillion for FY 2010, including $15 million in support of the CNCI and \n$29 million for Computer Security Information Assurance (CSIA) R&D.\n\nComputer Security Division\n    The Computer Security Division (CSD) within the Information \nTechnology Laboratory houses the cybersecurity activities of NIST and \nis divided into four groups.\n\n        <bullet>  Security Technology\n\n           The Security Technology group focuses on cryptography and \n        online identity authentication. These foci ensure that access \n        to information is only granted to the appropriate users and \n        done so in a secure manner using technologies such as: \n        cryptographic protocols and interfaces, public key certificate \n        management, biometrics, and smart tokens.\n\n        <bullet>  Systems and Network Security\n\n           The Systems and Network Security group maintains a number of \n        databases and checklists that are designed to assist public and \n        private network users in configuration of more secure systems. 
\n        The group also conducts research in all areas of network \n        security technology to develop new standards and transfer \n        technologies to the public.\n\n                 National Checklist Program--This program helps develop \n                and maintain checklists to guide network users to \n                configure network systems with basic security settings.\n\n                 National Vulnerability Database--This database \n                contains information on known vulnerabilities in \n                software and fixes for these vulnerabilities.\n\n                 Federal Desktop Core Configuration--This program \n                supplies security configurations for all federal \n                civilian network systems using either Microsoft Windows \n                XP or Vista. By supplying a standard configuration, \n                this program enables security professionals to default \n                to a known secure configuration for all new desktop \n                computers and when experiencing a cyber attack.\n\n        <bullet>  Security Management and Assistance\n\n           This group extends information security training, awareness \n        and education programs to both public and private parties.\n\n                 Information Security and Privacy Advisory Board--This \n                board advises NIST, the Secretary of Commerce, and OMB \n                on information security and privacy issues pertaining \n                to federal civilian network systems. 
They also review \n                proposed standards and guidelines developed by NIST.\n\n                 Small Business Corner--This program provides workshops \n                for small business owners to learn how to secure \n                business information on small networks in a practical \n                and cost-effective manner.\n\n        <bullet>  Security Testing and Metrics\n\n           The Security Testing and Metrics group develops methods and \n        baselines to test security products and validate products for \n        government use.\n\n    Chair Wu. Good afternoon. I would like to welcome everyone \nto today's hearing on the cybersecurity activities of the \nNational Institute of Standards and Technology (NIST) and the \nDepartment of Homeland Security (DHS). This is the third \nhearing the Science and Technology Committee has held on this \nvery, very important issue.\n    The prior hearings discussed the research and development \nneeds for improved cybersecurity and federal agencies' \nresponses to recommendations made in the Cyberspace Policy \nReview.\n    All of us, in both public and private sectors, rely on IT \n(Information Technology) networks to manage a great many things \nranging from online bank accounts to the power grid. With this \nincreased reliance on networks, we have become more sensitive \nto the security of these networks. To support cybersecurity \nefforts, the prior Administration implemented an estimated $40 \nbillion Comprehensive National Cybersecurity Initiative in \nJanuary of 2008.\n    This year alone, DHS and NIST have requested over $500 \nmillion for their cybersecurity efforts, with an additional \n$340 million requested for research through the Networking and \nInformation Technology Research and Development (NITRD) \nProgram. 
Even by government standards, almost $850 million is a \nfair amount of money.\n    Despite the substantial funding levels and many hours spent \nby federal employees on this issue, the assessment remains the \nsame: overall, our cybersecurity remains poor.\n    The Administration's Cyberspace Policy Review emphasized \nthe recommendations made in previous reports: first, bolster \ncybersecurity operations protecting the federal network \nsystems; second, improve interagency and private sector \ncoordination; third, modernize and coordinate the research \nagenda; and fourth, enhance public education on cybersecurity. \nThis committee wants to understand the impediments that have \nprevented similar recommendations from being successfully \nimplemented in the past.\n    I believe one key recommendation made in the Cyberspace \nPolicy Review is the need for objectives and metrics to \naccurately measure cybersecurity performance. The development \nof these metrics would provide a base from which we could \nimprove program assessment, budgeting, research and development \nprioritization, and strategic planning.\n    This recommendation mirrors the Subcommittee's belief that \nagencies should be accountable for real-world outcomes, rather \nthan outputs measured in terms of money spent, projects \nsupported, and interagency meetings, which is how the agencies \ncategorized their success at a Subcommittee hearing last week.\n    As is generally the case, we have many recommendations, but \nthe devil is in the details. I hope that in addition to making \nsuggestions on this hearing's issues, our witnesses can tell us \nwhat is required to implement their recommendations.\n    I want to thank our witnesses for appearing before us \ntoday, and now I would like to recognize my friend and \ncolleague, Mr. 
Smith from Nebraska, for his opening statement.\n    [The prepared statement of Chair Wu follows:]\n\n                  Prepared Statement of Chair David Wu\n\n    Good afternoon. I want to welcome everyone to today's hearing on \nthe cybersecurity activities of the National Institute of Standards and \nTechnology and the Department of Homeland Security. This is the third \nhearing the Science and Technology Committee has held on this critical \nissue.\n    The previous hearings discussed the research and development needs \nfor improved cybersecurity and federal agencies' responses to \nrecommendations made in the Cyberspace Policy Review.\n    All of us, in both public and private sectors, rely on IT networks \nto manage everything from online bank accounts to the power grid. With \nthis increased reliance on networks, we have become more sensitive to \nthe security of these networks. To support cybersecurity efforts, the \nprevious administration implemented an estimated $40 billion \nComprehensive National Cybersecurity Initiative in January 2008.\n    This year alone, DHS and NIST have requested over $500 million for \ntheir cybersecurity efforts, with an additional $340 million requested \nfor research through the Networking and Information Technology Research \nand Development Program. Even by government standards, almost $850 \nmillion is a lot of money.\n    Despite the substantial funding levels and many hours spent by \nfederal employees on this issue, the assessment remains the same: our \ncybersecurity is poor.\n    The Administration's Cyberspace Policy Review re-emphasized the \nrecommendations made in previous reports: first, bolster cybersecurity \noperations protecting the federal network systems; second, improve \ninteragency and private sector coordination; third, modernize the \nresearch agenda; and fourth, enhance public education on cybersecurity. 
\nThis committee wants to understand the impediments that have \nprevented similar recommendations from being successfully implemented \nin the past.\n    I believe one key recommendation made in the Cyberspace Policy \nReview is the need for objectives and metrics to accurately measure \ncybersecurity performance. The development of these metrics would \nprovide a base from which we could improve program assessment, \nbudgeting, research and development prioritization, and strategic \nplanning.\n    This recommendation mirrors the Subcommittee's belief that agencies \nshould be accountable for real-world outcomes, rather than outputs \nmeasured in terms of money spent, projects supported, and interagency \nmeetings, which is how the agencies categorized their success at a \nSubcommittee hearing last week.\n    As is generally the case, we have many recommendations, but the \ndevil is in the details. I hope that in addition to making suggestions \non this hearing's issues, our witnesses can tell us what is required to \nimplement their recommendations.\n\n    Mr. Smith. Thank you, Mr. Chair, for calling the hearing \ntoday on cybersecurity, the third in a series of hearings held \nby the Committee this month.\n    While the Committee's jurisdiction on cybersecurity issues \nis generally limited to two agencies, DHS and NIST, because of \ntheir broad roles and responsibilities, the activities of both \nagencies directly impact not only the entire Federal Government \nbut also many private sector computer security stakeholders. 
\nAccordingly, we have the benefit of being able to examine \ncybersecurity through a very broad lens and the opportunity to \ninfluence the debate on the Government's actions in the most \nimportant and pressing policy areas.\n    To this end, I would like to briefly outline what I see as \nthe key, high-level, outstanding questions which drive the \ndirection of cybersecurity policy for this committee and \nCongress as we do go forward.\n    First, as we explored last week with respect to protection \nof government networks, are we confident the reported $30 \nbillion effort comprising the Administration's Comprehensive \nNational Cybersecurity Initiative, CNCI, is appropriately \nfocused, and will DHS's centerpiece EINSTEIN program provide \neffective and lasting security? If not, what are the best \nalternatives to this investment and focus area, and perhaps \nmore importantly, how do we do a better job at measuring \ncybersecurity so we can more systematically evaluate technology \nand policy options and perhaps even fit in a hearing between \nvotes?\n    The largest outstanding questions, however, revolve around \nthe nature of the relationship between the government and the \nprivate sector and efforts to secure non-government systems. \nStakeholders on all sides place a great deal of emphasis on \nstrengthening public-private partnerships to secure critical \ninfrastructure, but beyond the well-established goals of \nimproving information sharing and policy dialogue, the precise \nfeatures of the desired partnerships as well as the scope of \nwhat constitutes critical infrastructure have remained largely \nundefined. Does this entail a new regulatory regime at DHS or \nNIST, new liability protections, or incentives for private \nsector actors or some combination thereof? 
Are there other \ninnovative partnership models which could be explored?\n    These are all weighty questions which will not be answered \nat this hearing or in the immediate future, but I believe they \nrequire the careful attention of Congress going forward as we \nconsider legislative options to improve network security.\n    I thank the Chair for assembling an excellent panel today. \nThank you for being here, and I look forward to the productive \ndiscussion.\n    [The prepared statement of Mr. Smith follows:]\n\n           Prepared Statement of Representative Adrian Smith\n\n    Mr. Chairman, thank you for calling this hearing today on \ncybersecurity--the third in a series of hearings held by the Committee \nthis month.\n    While the Subcommittee's jurisdiction on cybersecurity issues is \ngenerally limited to two agencies--DHS and NIST--because of their broad \nroles and responsibilities, the activities of both of these agencies \ndirectly impact not only the entire Federal Government but also many \nprivate sector computer security stakeholders.\n    Accordingly, we have the benefit of being able to examine \ncybersecurity through a very broad lens, and the opportunity to \ninfluence the debate on--and the government's actions in--the most \nimportant and pressing policy areas.\n    To this end, I would like to briefly outline what I see as the key, \nhigh-level outstanding questions that should drive the direction of \ncybersecurity policy for this committee and for Congress as we go \nforward.\n    First, as we explored last week with respect to protection of \ngovernment networks, are we confident that the reported $30 billion \neffort that comprises the Administration's Comprehensive National \nCybersecurity Initiative (CNCI) is appropriately focused, and will \nDHS's centerpiece ``EINSTEIN'' program provide effective and lasting \nsecurity? If not, what are the best alternatives to this investment and \nfocus area? 
And perhaps more importantly, how do we do a better job at \nmeasuring cybersecurity so we can more systematically evaluate \ntechnology and policy options?\n    The largest outstanding questions, however, revolve around the \nnature of the relationship between the government and the private \nsector in efforts to secure non-government systems. Stakeholders on all \nsides place a great deal of emphasis on strengthening ``public-\nprivate partnerships'' to secure ``critical infrastructure,'' but \nbeyond the well-established goals of improving information sharing and \npolicy dialogue, the precise features of the desired ``partnerships''--\nas well as the scope of what constitutes ``critical infrastructure''--\nhave remained largely undefined. Does this entail a new regulatory \nregime at DHS or NIST, new liability protections or incentives for \nprivate sector actors, or some combination thereof? Are there other \ninnovative ``partnership'' models that should be explored?\n    These are all weighty questions that will not be answered at this \nhearing or in the immediate future, but I believe they require the \ncareful attention of Congress going forward as we consider legislative \noptions to improve network security.\n    I thank the Chairman for assembling an excellent panel today, and I \nlook forward to a productive discussion.\n\n    Chair Wu. Thank you, Mr. Smith. And as you all probably \nnoticed from the bells, votes have been called. This will be a \nsubstantial series of votes. I want to apologize to the \nwitnesses and all the participants here for the inconvenience, \nbut I just want to note that these votes are called without \nconsideration for any of the individual Members and rarely of \nany individual Committee. But what I intend to do is proceed to \nintroduce the witnesses, and we may be able to get through the \ntestimony of one or two witnesses before Mr. 
Smith and I and \nthe other Members who come here will have to leave to vote, and \nthen we will recess this hearing until after the last vote at \nwhich time we will reconvene and finish the testimony and \nproceed to questions.\n    [The prepared statement of Mr. Mitchell follows:]\n\n         Prepared Statement of Representative Harry E. Mitchell\n\n    Thank you, Mr. Chairman.\n    As the world becomes increasingly connected through the Internet, \nit is critical to ensure that we have a secure and reliable cyberspace \npolicy.\n    Today we will be discussing the cybersecurity efforts of the \nDepartment of Homeland Security (DHS) and the National Institute of \nStandards and Technology (NIST).\n    Specifically, we will be learning more from the private sector on \nhow federal cybersecurity activities can enhance privately-owned \ncritical infrastructure, better monitor federal networks, and more \nclearly define cybersecurity performance with metrics and success \ncriteria.\n    I look forward to hearing more from our witnesses on how the \nFederal Government can partner with the private sector to guarantee an \neffective and secure cyberspace policy.\n    I yield back.\n\n    Chair Wu. And with that, it is my pleasure to introduce our \nwitnesses. Mr. Greg Wilshusen is the Director of Information \nSecurity Issues at the Government Accountability Office (GAO). \nMr. Mark Bregman is the Executive Vice President and Chief \nTechnology Officer of Symantec Corporation. Mr. Scott Charney \nis the Corporate Vice President of Microsoft's Trustworthy \nComputer Group, and Mr. Harper is the Director of Information \nPolicy Studies at the Cato Institute.\n    You each will have five minutes for your spoken testimony. \nYour written testimony will be included in the record in its \nentirety. And when you complete all of your testimony, we will \nstart with questions. At that point, each Member will have five \nminutes to ask questions.\n    Mr. 
Wilshusen, please proceed.\n\n STATEMENT OF MR. GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION \n     SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Wilshusen. Chair Wu, Ranking Member Smith, thank you \nfor the opportunity to testify at today's hearing on the \ncybersecurity activities performed by the Department of \nHomeland Security and the National Institute of Standards and \nTechnology.\n    Federal laws and policy have assigned important roles and \nresponsibilities to DHS and NIST with securing computer systems \nand networks. DHS is charged with coordinating the protection \nof cyber-critical infrastructures, much of which is owned by \nthe private sector, and securing its own computer systems, \nwhile NIST is responsible for developing standards and \nguidelines for implementing security controls over computer \nsystems and information.\n    Today I will describe cybersecurity efforts at DHS and \nNIST, including partnership activities with the private sector \nand the use of cybersecurity performance metrics in the Federal \nGovernment.\n    Over the past three years, GAO has consistently reported \nthat DHS has yet to fully satisfy its key responsibilities, \nincluding those for coordinating and protection of cyber-\ncritical infrastructures in serving as the primary federal \nfocal point for cybersecurity efforts. While the department has \nachieved some successes, shortcomings exist in key areas \nincluding bolstering cyber analysis and warning capabilities, \nimproving the security of infrastructure control systems, \nstrengthening its ability to help facilitate recovery from \nInternet disruptions, reducing organizational inefficiencies, \ncompleting actions identified during cyber exercises, and \nsecuring internal information systems.\n    We have made about 90 recommendations to assist DHS in \naddressing these shortcomings. 
The department has implemented \nsome of our recommendations but still has not fully satisfied \nmost of them and thus needs to take further action to address \nthese areas.\n    Pursuant to its responsibilities under the Federal \nInformation Security Management Act, or FISMA, NIST has \ndeveloped a suite of mandatory standards and guidelines that \nare intended to assist agencies in developing and implementing \ninformation security programs and in managing risk to agency \noperations and assets. In addition, NIST has worked with both \npublic- and private-sector entities to enhance its \ncybersecurity products. The resulting guidance and tools \nprovided by NIST serve as important resources that federal \nagencies can apply to their information security programs.\n    Mr. Chair, as the old adage goes, what gets measured gets \ndone, and so it is with the security measures that agencies use \nto report on their progress implementing the requirements of \nFISMA.\n    According to the performance metrics established by the \nOffice of Management and Budget (OMB), agencies generally \nreported increasing compliance in implementing key \ncybersecurity control activities. However, GAO and agency IGs \n(Inspectors General) continue to report significant weaknesses \nin controls. This dichotomy exists in part because the OMB-\ndefined metrics generally measure whether or not a control \nactivity has been implemented, not how well it has been \nimplemented. As a result, reported metrics may not provide a \ncomplete picture of the agency's cybersecurity posture. \nProviding information on the effectiveness of controls and \nprocesses could further enhance the usefulness of the data for \nmanagement and oversight of agency information security \nprograms.\n    In summary, Mr. 
Chair, DHS has not fully satisfied its \ncybersecurity responsibilities and needs to take further action \nto address shortcomings in several areas, including its efforts \nto coordinate with the private sector to ensure protection of \nour nation's cyber-critical infrastructures. NIST has developed \na significant number of standards and guidelines for \ninformation security and continues to assist organizations in \nimplementing security controls, and while NIST's role is to \ndevelop guidance, it remains the responsibility of federal \nagencies to effectively implement and sustain security over \ntheir systems. Developing and using metrics that measure how \nwell agencies implement important controls can contribute to \nincreased focus on the effective implementation of federal \ninformation security.\n    Mr. Chair, this concludes my opening statement, and I would \nbe happy to answer questions at the appropriate time.\n    [The prepared statement of Mr. Wilshusen follows:]\n\n               Prepared Statement of Gregory C. Wilshusen\n\nChairman Wu and Members of the Subcommittee:\n\n    Thank you for the opportunity to participate in today's hearing on \ncomputer-based (cyber) security activities at the Department of \nHomeland Security (DHS) and the National Institute of Standards and \nTechnology (NIST). Cyber security is a critical consideration for any \norganization that depends on information systems and computer networks \nto carry out its mission or business. 
The need for a vigilant approach \nto cyber security has been demonstrated by the pervasive and sustained \ncyber attacks against the United States and others that continue to \npose significant risks to computer systems and networks and the \noperations and critical infrastructures that they support.\n    In my testimony today, I will describe cyber security activities at \nDHS and NIST, including those activities related to establishing \npublic/private partnerships with the owners of critical infrastructure. \nIn addition, I will discuss the use of cyber security-related metrics \nin the Federal Government. In preparing for this testimony, we relied \non our previous reports on federal information security and on DHS's \nefforts to fulfill its national cyber security responsibilities. We \nalso relied on a draft report of our review of agencies' implementation \nof the Federal Information Security Management Act (FISMA).\\1\\ These \nreports contain detailed overviews of the scope of our work and the \nmethodology we used.\n---------------------------------------------------------------------------\n    \\1\\ FISMA was enacted as title III, E-Government Act of 2002, Pub. \nL. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). It permanently \nauthorized and strengthened information security program, evaluation, \nand annual reporting requirements for federal agencies. The act also \nassigns specific responsibilities to agency heads and chief information \nofficers, NIST, and the Office of Management and Budget (OMB).\n---------------------------------------------------------------------------\n    The work on which this testimony is based was performed in \naccordance with generally accepted government auditing standards. Those \nstandards require that we plan and perform audits to obtain sufficient, \nappropriate evidence to provide a reasonable basis for our findings and \nconclusions based on our audit objectives. 
We believe that the evidence \nobtained provides a reasonable basis for our findings and conclusions \nbased on our audit objectives.\n\nBackground\n\n    As computer technology has advanced, federal agencies have become \ndependent on computerized information systems to carry out their \noperations and to process, maintain, and report essential information. \nVirtually all federal operations are supported by computer systems and \nelectronic data, and agencies would find it difficult, if not \nimpossible, to carry out their missions, deliver services to the \npublic, and account for their resources without these cyber assets. \nInformation security is thus especially important for federal agencies \nto ensure the confidentiality, integrity, and availability of their \nsystems and data. Conversely, ineffective information security controls \ncan result in significant risk to a broad array of government \noperations and assets, as the following examples illustrate:\n\n        <bullet>  Computer resources could be used for unauthorized \n        purposes or to launch attacks on other computer systems.\n\n        <bullet>  Sensitive information, such as personally \n        identifiable information, intellectual property, and \n        proprietary business information could be inappropriately \n        disclosed, browsed, or copied for purposes of identity theft, \n        espionage, or other types of crime.\n\n        <bullet>  Critical operations, such as those supporting \n        critical infrastructure, national defense, and emergency \n        services, could be disrupted.\n\n        <bullet>  Data could be added, modified, or deleted for \n        purposes of fraud, subterfuge, or disruption.\n\n    Government officials are increasingly concerned about attacks from \nindividuals and groups with malicious intent, such as criminals, \nterrorists, and adversarial foreign nations. 
For example, in February \n2009, the Director of National Intelligence testified that foreign \nnations and criminals have targeted government and private sector \nnetworks to gain a competitive advantage and potentially disrupt or \ndestroy them, and that terrorist groups have expressed a desire to use \ncyber attacks as a means to target the United States.\\2\\ The growing \nconnectivity between information systems, the Internet, and other \ninfrastructures creates opportunities for attackers to disrupt \ntelecommunications, electrical power, and other critical \ninfrastructures. As government, private sector, and personal activities \ncontinue to move to networked operations, digital systems add ever more \ncapabilities, wireless systems become more ubiquitous, and the design, \nmanufacture, and service of information technology have moved overseas, \nthe threat will continue to grow.\n---------------------------------------------------------------------------\n    \\2\\ Statement of the Director of National Intelligence before the \nSenate Select Committee on Intelligence, Annual Threat Assessment of \nthe Intelligence Community for the Senate Select Committee on \nIntelligence (Feb. 12, 2009).\n\nDHS Is a Focal Point for National Cyber Security Efforts\n\n    Federal law and policy\\3\\ establish DHS as the focal point for \nefforts to protect our nation's computer-reliant critical \ninfrastructures\\4\\--a practice known as cyber critical infrastructure \nprotection, or cyber CIP. In this capacity, the department has multiple \ncyber security-related roles and responsibilities. 
In 2005, we \nidentified, and reported on, 13 key cyber security responsibilities.\\5\\ \nThey include, among others, (1) developing a comprehensive national \nplan for CIP, including cyber security; (2) developing partnerships and \ncoordinating with other federal agencies, State and local governments, \nand the private sector; (3) developing and enhancing national cyber \nanalysis and warning capabilities; (4) providing and coordinating \nincident response and recovery planning, including conducting incident \nresponse exercises; and (5) identifying, assessing, and supporting \nefforts to reduce cyber threats and vulnerabilities, including those \nassociated with infrastructure control systems.\\6\\ Within DHS, the \nNational Protection and Programs Directorate has primary responsibility \nfor assuring the security, resiliency, and reliability of the Nation's \ncyber and communications infrastructure.\n---------------------------------------------------------------------------\n    \\3\\ These include the Homeland Security Act of 2002, Homeland \nSecurity Presidential Directive-7, and the National Strategy to Secure \nCyberspace.\n    \\4\\ Critical infrastructures are systems and assets, whether \nphysical or virtual, so vital to nations that their incapacity or \ndestruction would have a debilitating impact on national security, \nnational economic security, national public health or safety, or any \ncombination of those matters. 
Federal policy established 18 critical \ninfrastructure sectors: agriculture and food, banking and finance, \nchemical, commercial facilities, communications, critical \nmanufacturing, dams, defense industrial base, emergency services, \nenergy, government facilities, information technology, national \nmonuments and icons, nuclear reactors, materials and waste, postal and \nshipping, public health and health care, transportation systems, and \nwater.\n    \\5\\ GAO, Critical Infrastructure Protection: Department of Homeland \nSecurity Faces Challenges in Fulfilling Cybersecurity Responsibilities, \nGAO-05-434 (Washington, D.C.: May 26, 2005) and Critical Infrastructure \nProtection: Challenges in Addressing Cybersecurity, GAO-05-827T \n(Washington, D.C.: July 19, 2005).\n    \\6\\ Control systems are computer-based systems that perform vital \nfunctions in many of our nation's critical infrastructures, including \nelectric power generation, transmission, and distribution; oil and gas \nrefining and pipelines; water treatment and distribution; chemical \nproduction and processing; railroads and mass transit; and \nmanufacturing.\n---------------------------------------------------------------------------\n    DHS is also responsible for securing its own computer networks, \nsystems, and information. FISMA requires the department to develop and \nimplement an agencywide information security program to provide \nsecurity for the information and information systems that support the \noperations and assets of the agency. 
Within DHS, the Chief Information \nOfficer is responsible for ensuring departmental compliance with \nfederal information security requirements.\n\nNIST Is Responsible for Establishing Federal Standards and Guidance for \n                    Information Security\n\n    FISMA tasks NIST--a component within the Department of Commerce--\nwith responsibility for developing standards and guidelines, including \nminimum requirements, for (1) information systems used or operated by \nan agency or by a contractor of an agency or other organization on \nbehalf of the agency and (2) providing adequate information security \nfor all agency operations and assets, except for national security \nsystems. The Act specifically required NIST to develop, for systems \nother than national security systems, (1) standards to be used by all \nagencies to categorize all their information and information systems \nbased on the objectives of providing appropriate levels of information \nsecurity, according to a range of risk levels; (2) guidelines \nrecommending the types of information and information systems to be \nincluded in each category; and (3) minimum information security \nrequirements for information and information systems in each category. \nNIST also is required to develop a definition of and guidelines for \ndetection and handling of information security incidents as well as \nguidelines developed in conjunction with the Department of Defense and \nthe National Security Agency for identifying an information system as a \nnational security system. 
Within NIST, the Computer Security Division \nof the Information Technology Laboratory is responsible for developing \ninformation security-related standards and guidelines.\n    FISMA also requires NIST to take other actions that include:\n\n        <bullet>  conducting research, as needed, to determine the \n        nature and extent of information security vulnerabilities and \n        techniques for providing cost-effective information security;\n\n        <bullet>  developing and periodically revising performance \n        indicators and measures for agency information security \n        policies and practices;\n\n        <bullet>  evaluating private sector information security \n        policies and practices and commercially available information \n        technologies, to assess potential application by agencies to \n        strengthen information security; and\n\n        <bullet>  assisting the private sector, in using and applying \n        the results of its activities required by FISMA.\n\n    In addition, the Cyber Security Research and Development Act\\7\\ \nrequired NIST to develop checklists to minimize the security risks for \neach hardware or software system that is, or likely to become, widely \nused within the Federal Government.\n---------------------------------------------------------------------------\n    \\7\\ Cyber Security Research and Development Act, Pub. L. No. 107-\n305, 116 Stat. 2367 (Nov. 27, 2002).\n\nMetrics Established to Evaluate Information Security Programs\n\n    FISMA also requires the Office of Management and Budget (OMB) to \ndevelop policies, principles, standards, and guidelines on information \nsecurity and to report annually to Congress on agency compliance with \nthe requirements of the Act. OMB has provided instructions to federal \nagencies and their inspectors general for preparing annual FISMA \nreports. 
These instructions focus on metrics related to the performance \nof key control activities such as developing a complete inventory of \nmajor information systems, providing security training to personnel, \ntesting and evaluating security controls, testing contingency plans, \nand certifying and accrediting systems. FISMA reporting provides \nvaluable information on the status and progress of agency efforts to \nimplement effective security management programs.\n\nRecent Efforts to Improve National Cyber Security Strategy\n\n    Because the threats to federal information systems and critical \ninfrastructure have persisted and grown, President Bush in January 2008 \nbegan to implement a series of initiatives--commonly referred to as the \nComprehensive National Cybersecurity Initiative--aimed primarily at \nimproving DHS's and other federal agencies' efforts to protect against \nintrusion attempts and anticipate future threats.\\8\\ Since then, \nPresident Obama (in February 2009) directed the National Security \nCouncil and Homeland Security Council to conduct a comprehensive review \nto assess the United States' cyber security-related policies and \nstructures. 
The resulting report, ``Cyberspace Policy Review: Assuring \na Trusted and Resilient Information and Communications \nInfrastructure,'' recommended, among other things, appointing an \nofficial in the White House to coordinate the Nation's cyber security \npolicies and activities, creating a new national cyber security \nstrategy, and developing a framework for cyber research and \ndevelopment.\\9\\ In addition, we testified in March 2009\\10\\ that a \npanel of experts identified 12 key areas of the national cyber security \nstrategy requiring improvement, such as developing a national strategy \nthat clearly articulates strategic objectives, goals, and priorities; \nbolstering the public/private partnership; and placing a greater \nemphasis on cyber security research and development.\n---------------------------------------------------------------------------\n    \\8\\ The White House, National Security Presidential Directive 54/\nHomeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8, \n2008).\n    \\9\\ The White House, Cyberspace Policy Review: Assuring a Trusted \nand Resilient Information and Communications Infrastructure \n(Washington, D.C.: May 29, 2009).\n    \\10\\ GAO, National Cybersecurity Strategy: Key Improvements Are \nNeeded To Strengthen the Nation's Posture, GAO-09-432T (Washington, \nD.C.: March 10, 2009).\n\nDHS Has Yet to Fully Satisfy Its Cyber Security Responsibilities\n\n    We have reported since 2005 that DHS has yet to comprehensively \nsatisfy its key responsibilities for protecting computer-reliant \ncritical infrastructures. Our reports included about 90 recommendations \nthat we summarized into key areas, including those listed in Table 1, \nthat are essential for DHS to address in order to fully implement its \nresponsibilities. 
DHS has since developed and implemented certain \ncapabilities to satisfy aspects of its responsibilities, but the \ndepartment still has not fully implemented our recommendations, and \nthus further action needs to be taken to address these areas.\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\nBolstering Cyber Analysis and Warning Capabilities\n\n    In July 2008, we identified\\11\\ that cyber analysis and warning \ncapabilities included (1) monitoring network activity to detect \nanomalies, (2) analyzing information and investigating anomalies to \ndetermine whether they are threats, (3) warning appropriate officials \nwith timely and actionable threat and mitigation information, and (4) \nresponding to the threat. These four capabilities are comprised of 15 \nkey attributes, including establishing a baseline understanding of the \nNation's critical network assets and integrating analysis work into \npredictive analyses of broader implications or potential future \nattacks.\n---------------------------------------------------------------------------\n    \\11\\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in \nEstablishing a Comprehensive National Capability, GAO-08-588 \n(Washington, D.C.: July 31, 2008).\n---------------------------------------------------------------------------\n    We concluded that while DHS's United States Computer Emergency \nReadiness Team (US-CERT) demonstrated aspects of each of the key \nattributes, it did not fully incorporate all of them. For example, as \npart of its monitoring, US-CERT obtained information from numerous \nexternal information sources; however, it had not established a \nbaseline of the Nation's critical network assets and operations. 
In \naddition, while it investigated whether identified anomalies \nconstituted actual cyber threats or attacks as part of its analysis, it \ndid not integrate its work into predictive analyses of broader \nimplications or potential future attacks, nor did it have the \nanalytical or technical resources to analyze multiple, simultaneous \ncyber incidents. The organization also provided warnings by developing \nand distributing a wide array of attack and other notifications; \nhowever, these notifications were not consistently actionable or \ntimely--i.e., providing the right information to the right persons or \ngroups as early as possible to give them time to take appropriate \naction. Further, while the team responded to a limited number of \naffected entities in its efforts to contain and mitigate an attack, \nrecover from damages, and remediate vulnerabilities, it did not possess \nthe resources to handle multiple events across the Nation.\n    We also concluded that without fully implementing the key \nattributes, US-CERT did not have the full complement of cyber analysis \nand warning capabilities essential to effectively perform its national \nmission. As a result, we made 10 recommendations to the department to \naddress shortfalls associated with the 15 attributes in order to fully \nestablish a national cyber analysis and warning capability. DHS \nconcurred and agreed to implement 9 of our 10 recommendations.\n\nImproving Cyber Security of Infrastructure Control Systems\n\n    In a September 2007 report and October 2007 testimony, we \nreported\\12\\ that DHS was sponsoring multiple control systems security \ninitiatives, including an effort to improve control systems cyber \nsecurity using vulnerability evaluation and response tools. 
However, \nDHS had not established a strategy to coordinate the various control \nsystems activities across federal agencies and the private sector, and \nit did not effectively share information on control system \nvulnerabilities with the public and private sectors. Accordingly, we \nrecommended that DHS develop a strategy to guide efforts for securing \ncontrol systems and establish a rapid and secure process for sharing \nsensitive control system vulnerability information. In response, DHS \nrecently began developing a strategy and a process to share sensitive \ninformation.\n---------------------------------------------------------------------------\n    \\12\\ GAO, Critical Infrastructure Protection: Multiple Efforts to \nSecure Control Systems Are Under Way, but Challenges Remain, GAO-07-\n1036 (Washington, D.C.: Sept. 10, 2007) and Critical Infrastructure \nProtection: Multiple Efforts to Secure Control Systems Are Under Way, \nbut Challenges Remain, GAO-08-119T (Washington, D.C.: Oct. 17, 2007).\n\nStrengthening DHS's Ability to Help Recovery from Internet Disruption\n\n    We reported and later testified\\13\\ in 2006 that the department had \nbegun a variety of initiatives to fulfill its responsibility for \ndeveloping an integrated public/private plan for Internet recovery in \ncase of a major disruption. However, we determined that these efforts \nwere not comprehensive or complete. 
As such, we recommended that DHS \nimplement nine actions to improve the department's ability to \nfacilitate public/private efforts to recover the Internet.\n---------------------------------------------------------------------------\n    \\13\\ GAO, Internet Infrastructure: Challenges in Developing a \nPublic/Private Recovery Plan, GAO-06-863T (Washington, D.C.: July 28, \n2006); and Internet Infrastructure: DHS Faces Challenges in Developing \na Joint Public/Private Recovery Plan, GAO-06-672 (Washington, D.C.: \nJune 16, 2006).\n---------------------------------------------------------------------------\n    In October 2007, we testified\\14\\ that the department had made \nprogress in implementing our recommendations; however, seven of the \nnine had not been completed. For example, it revised key plans in \ncoordination with private industry infrastructure stakeholders, \ncoordinated various Internet recovery-related activities, and addressed \nkey challenges to Internet recovery planning. However, it has not, \namong other things, finalized recovery plans and defined the \ninterdependencies among DHS's various working groups and initiatives. \nIn other words, it has not completed an integrated private/public plan \nfor Internet recovery. As a result, we concluded that the Nation lacked \ndirection from the department on how to respond in such a contingency. \nWe also noted that these incomplete efforts indicated that DHS and the \nNation were not fully prepared to respond to a major Internet \ndisruption. To date, an integrated public/private plan for Internet \nrecovery does not exist.\n---------------------------------------------------------------------------\n    \\14\\ GAO, Internet Infrastructure: Challenges in Developing a \nPublic/Private Recovery Plan, GAO-08-212T (Washington, D.C.: Oct. 
23, \n2007).\n\nReducing Organizational Inefficiencies\n\n    In June 2008, we reported\\15\\ on the status of DHS's efforts to \nestablish an integrated operations center that it agreed to adopt per \nrecommendations from a DHS-commissioned expert task force. We \ndetermined that while DHS had taken the first step towards integrating \ntwo operations centers--the National Coordination Center Watch and US-\nCERT--it had yet to implement the remaining steps, complete a strategic \nplan, or develop specific tasks and milestones for completing the \nintegration. We concluded that until the two centers were fully \nintegrated, DHS was at risk of being unable to efficiently plan for and \nrespond to disruptions to communications infrastructure and the data \nand applications that travel on this infrastructure, increasing the \nprobability that communications will be unavailable or limited in times \nof need. As a result, we recommended that the department complete its \nstrategic plan and define tasks and milestones for completing remaining \nintegration steps so that we are better prepared to provide an \nintegrated response to disruptions to the communications \ninfrastructure. 
DHS concurred with our first recommendation and stated \nthat it would address the second recommendation as part of finalizing \nits strategic plan.\n---------------------------------------------------------------------------\n    \\15\\ GAO, Critical Infrastructure Protection: Further Efforts \nNeeded to Integrate Planning for and Response to Disruption on \nConverged Voice and Data Networks, GAO-08-607 (Washington, D.C.: June \n26, 2008).\n\nCompleting Corrective Actions Identified During a Cyber Exercise\n\n    In September 2008, we reported\\16\\ on a major DHS-coordinated cyber \nattack exercise called Cyber Storm, which occurred in 2006 and included \nlarge-scale simulations of multiple concurrent attacks involving the \nFederal Government, states, foreign governments, and private industry. \nWe determined that DHS had identified eight lessons learned from this \nexercise, such as the need to improve interagency coordination groups \nand the exercise program. We also concluded that while DHS had \ndemonstrated progress in addressing the lessons learned, more needed to \nbe done. Specifically, while the department completed 42 of the 66 \nactivities identified to address the lessons learned, it identified 16 \nactivities as ongoing and seven as planned for the future.\\17\\ In \naddition, DHS provided no timetable for the completion dates of the \nongoing activities. We noted that until DHS scheduled and completed its \nremaining activities, it was at risk of conducting subsequent exercises \nthat repeated the lessons learned during the first exercise. \nConsequently, we recommended that DHS schedule and complete the \nidentified corrective activities so that its cyber exercises can help \nboth public and private sector participants coordinate their responses \nto significant cyber incidents. DHS agreed with the recommendation. 
To \ndate, DHS has continued to make progress in completing some identified \nactivities but has yet to do so for others.\n---------------------------------------------------------------------------\n    \\16\\ GAO, Critical Infrastructure Protection: DHS Needs To Fully \nAddress Lessons Learned from Its First Cyber Storm Exercise, GAO-08-825 \n(Washington, D.C.: Sept. 9, 2008).\n    \\17\\ At that time, DHS reported that one other activity had been \ncompleted, but the department was unable to provide evidence \ndemonstrating its completion.\n\nDeveloping Sector Specific Plans that Fully Address All of the Cyber-\n                    Related Criteria\n\n    In 2007, we reported and testified\\18\\ on the cyber security \naspects of CIP plans for 17 critical infrastructure sectors, referred \nto as sector-specific plans. Lead federal agencies, referred to as \nsector-specific agencies, are responsible for coordinating critical \ninfrastructure protection efforts with the public and private \nstakeholders in their respective sectors. DHS guidance requires each of \nthe sector-specific agencies to develop plans to address how the \nsectors' stakeholders would implement the national plan and how they \nwould improve the security of their assets, systems, networks, and \nfunctions.\n---------------------------------------------------------------------------\n    \\18\\ GAO, Critical Infrastructure Protection: Sector-Specific \nPlans' Coverage of Key Cyber Security Elements Varies, GAO-08-64T \n(Washington D.C.: October 31, 2007) and Critical Infrastructure \nProtection: Sector-Specific Plans' Coverage of Key Cyber Security \nElements Varies, GAO-08-113 (Washington D.C.: Oct. 31, 2007).\n---------------------------------------------------------------------------\n    We determined that none of the plans fully addressed the 30 key \ncyber security-related criteria described in DHS guidance. 
Further, \nwhile several sectors' plans fully addressed many of the criteria, \nothers were less comprehensive. In addition to the variations in the \nextent to which the plans covered aspects of cyber security, there was \nalso variance among the plans in the extent to which certain criteria \nwere addressed. Consequently, we recommended\\19\\ that DHS request that \nthe sector-specific agencies fully address all cyber-related criteria \nby September 2008 so that stakeholders within the infrastructure \nsectors will effectively identify, prioritize, and protect the cyber \naspects of their CIP efforts. We are currently reviewing the progress \nmade in the sector-specific plans.\n---------------------------------------------------------------------------\n    \\19\\ GAO-08-113.\n---------------------------------------------------------------------------\n    We testified in March 2009\\20\\ regarding the need to bolster \npublic/private partnerships associated with cyber CIP. According to \npanel members, there are not adequate economic and other incentives \n(i.e., a value proposition) for greater investment and partnering with \nowners and operators of critical cyber assets and functions. \nAccordingly, panelists stated that the Federal Government should \nprovide valued services (such as offering useful threat or analysis and \nwarning information) or incentives (such as grants or tax reductions) \nto encourage action by and effective partnerships with the private \nsector. They also suggested that public and private sector entities use \nmeans such as cost-benefit analyses to ensure the efficient use of \nlimited cyber security-related resources. 
We are also currently \ninitiating a review of the status of the public/private partnerships in \ncyber CIP.\n---------------------------------------------------------------------------\n    \\20\\ GAO-09-432T.\n\nSecuring Internal Information Systems\n\n    Besides weaknesses relating to external cyber security \nresponsibilities, DHS had not secured its own information systems. In \nJuly 2007, we reported\\21\\ that DHS systems supporting the US-VISIT \nprogram\\22\\ were riddled with significant information security control \nweaknesses that place sensitive information--including personally \nidentifiable information--at increased risk of unauthorized and \npossibly undetected disclosure and modification, misuse, and \ndestruction, and place program operations at increased risk of \ndisruption. Weaknesses existed in all control areas and computing \ndevice types reviewed. For example, DHS had not implemented controls to \neffectively prevent, limit, and detect access to computer networks, \nsystems, and information. To illustrate, it had not (1) adequately \nidentified and authenticated users in systems supporting US-VISIT, (2) \nsufficiently limited access to US-VISIT information and information \nsystems, and (3) ensured that controls adequately protected external \nand internal network boundaries. In addition, it had not always ensured \nthat responsibilities for systems development and system production had \nbeen sufficiently segregated, and had not consistently maintained \nsecure configurations on the application servers and workstations at a \nkey data center and ports of entry. As a result, intruders, as well as \ngovernment and contractor employees, could potentially bypass or \ndisable computer access controls and undertake a wide variety of \ninappropriate or malicious acts. 
These acts could include tampering \nwith data; browsing sensitive information; using computer resources for \ninappropriate purposes, such as launching attacks on other \norganizations; and disrupting or disabling computer-supported \noperations. According to the department, it has started remediation \nactivities to strengthen security over these systems and implement our \nrecommendations.\n---------------------------------------------------------------------------\n    \\21\\ GAO, Information Security: Homeland Security Needs to \nImmediately Address Significant Weaknesses in Systems Supporting the \nUS-VISIT Program, GAO-07-870 (Washington, D.C.: July 13, 2007).\n    \\22\\ The US-VISIT program was established by DHS to record and \ntrack the entry and departure of foreign visitors who pass through U.S. \nports of entry by air, land, or sea; to verify their identities; and to \nauthenticate their travel documentation.\n---------------------------------------------------------------------------\n    In January 2009, we briefed congressional staff on security \nweaknesses associated with the development of systems supporting the \nTransportation Security Administration's (TSA) Secure Flight \nprogram.\\23\\ Specifically, TSA had not taken sufficient steps to ensure \nthat operational safeguards and substantial security measures were \nfully implemented to minimize the risk that the systems will be \nvulnerable to abuse and unauthorized access from hackers and other \nintruders. For example, TSA had not completed testing and evaluating \nkey security controls, performed disaster recovery tests, or corrected \nhigh- and moderate-risk vulnerabilities. Accordingly, we recommended \nthat TSA take steps to complete security testing, mitigate known \nvulnerabilities, and update key security documentation prior to initial \noperations. TSA subsequently undertook a number of actions to complete \nthese activities. 
In May 2009, we concluded that TSA had generally met \nits requirements related to systems information security and satisfied \nour recommendations.\\24\\\n---------------------------------------------------------------------------\n    \\23\\ This briefing contained information on our initial January \n2009 assessment and recommendations. TSA, a component of DHS, developed \nan advanced passenger pre-screening program known as Secure Flight that \nwill allow TSA to match airline passenger information against terrorist \nwatch-list records.\n    \\24\\ GAO, Aviation Security: TSA Has Completed Key Activities \nAssociated with Implementing Secure Flight, but Additional Actions Are \nNeeded to Mitigate Risks, GAO-09-292 (Washington, D.C.: May 13, 2009).\n\nNIST Has Developed Important Federal Information Security Standards and \n                    Guidelines\n\n    NIST has taken steps to address its FISMA-mandated responsibilities \nby developing a suite of required security standards and guidelines as \nwell as other publications that are intended to assist agencies in \ndeveloping and implementing information security programs and \neffectively managing risks to agency operations and assets. In addition \nto developing specific standards and guidelines, NIST developed a set \nof activities to help agencies manage a risk-based approach for an \neffective information security program. These activities are known as \nthe NIST Risk Management Framework. 
Several special publications \nsupport this framework and collectively provide guidance that agencies \ncan apply to their information security programs for selecting the \nappropriate security controls for information systems--including the \nminimum controls necessary to protect individuals and the operations \nand assets of the organization.\n    NIST has developed and issued the following documents to meet its \nFISMA-mandated responsibilities:\n\n        <bullet>  Federal Information Processing Standards Publication \n        199, Standards for Security Categorization of Federal \n        Information and Information Systems, February 2004. This \n        standard addresses NIST's requirement for developing standards \n        for categorizing information and information systems. It \n        requires agencies to categorize their information systems as \n        low-impact, moderate-impact, or high-impact for the security \n        objectives of confidentiality, integrity, and availability. The \n        security categories are based on the harm or potential impact \n        to an organization should certain events occur which jeopardize \n        the information and information systems needed by the \n        organization to accomplish its assigned mission, protect its \n        assets, fulfill its legal responsibilities, maintain its day-\n        to-day functions, and protect individuals. Security categories \n        are to be used in conjunction with vulnerability and threat \n        information in assessing the risk to an organization.\n\n        <bullet>  Special Publication 800-60, revision 1, \n        Volume I: Guide for Mapping Types of Information and \n        Information Systems to Security Categories, August 2008. This \n        guide is to assist Federal Government agencies with \n        categorizing information and information systems. 
It is \n        intended to help agencies consistently map security impact \n        levels to types of (1) information (e.g., privacy, medical, \n        proprietary, financial, investigation); and (2) information \n        systems (e.g., mission critical, mission support, \n        administrative). Furthermore, it is intended to facilitate \n        application of appropriate levels of information security \n        according to a range of levels of impact or consequences that \n        might result from the unauthorized disclosure, modification, or \n        use of the information or information system.\n\n        <bullet>  Federal Information Processing Standards Publication \n        200, Minimum Security Requirements for Federal Information and \n        Information Systems, March 2006. This is the second of the \n        mandatory security standards and specifies minimum security \n        requirements for information and information systems supporting \n        the executive agencies of the Federal Government and a risk-\n        based process for selecting the security controls necessary to \n        satisfy the minimum security requirements. Specifically, this \n        standard specifies minimum security requirements for federal \n        information and information systems in 17 security-related \n        areas. Federal agencies are required to meet the minimum \n        security requirements through the use of the security controls \n        in accordance with NIST Special Publication 800-53.\n\n        <bullet>  Special Publication 800-61, revision 1, Computer \n        Security Incident Handling Guide, March 2008. This publication \n        is intended to assist organizations in establishing computer \n        security incident response capabilities and handling incidents \n        efficiently and effectively. 
It provides guidelines for \n        organizing a computer security incident response capability; \n        handling incidents from initial preparation through post-\n        incident lessons learned phase; and handling specific types of \n        incidents, such as denial of service, malicious code, \n        unauthorized access, and inappropriate usage.\n\n        <bullet>  Special Publication 800-59, Guideline for Identifying \n        an Information System as a National Security System, August \n        2003. The purpose of this guide is to assist agencies in \n        determining which, if any, of their systems are national \n        security systems as defined by FISMA and are to be governed by \n        applicable requirements for such systems.\n\n        <bullet>  Special Publication 800-55, Performance Measurement \n        Guide for Information Security, July 2008. The purpose of this \n        guide is to assist in the development, selection, and \n        implementation of measures to be used at the information system \n        and program levels. These measures indicate the effectiveness \n        of security controls applied to information systems and \n        supporting information security programs.\n\n        <bullet>  Special Publication 800-30, Risk Management Guide for \n        Information Technology Systems, July 2002. This guide provides \n        a foundation for the development of an effective risk \n        management program, containing both the definitions and the \n        practical guidance necessary for assessing and mitigating risks \n        identified within IT systems. 
It also provides information on \n        the selection of cost-effective security controls that can be \n        used to mitigate risk for the better protection of mission-\n        critical information and the IT systems that process, store, \n        and carry this information.\n\n        <bullet>  Special Publication 800-18, revision 1, Guide for \n        Developing Security Plans for Federal Information Systems, \n        February 2006. This guide provides basic information on how to \n        prepare a system security plan and is designed to be adaptable \n        in a variety of organizational structures and used as a \n        reference by those having assigned responsibility for \n        activities related to security planning.\n\n    NIST is also in the process of developing, updating, and revising a \nnumber of special publications related to information security, \nincluding the following:\n\n        <bullet>  Special Publication 800-37, revision 1, Guide for \n        Security Authorization of Federal Information Systems, August \n        2008. This publication is intended to, among other things, \n        support the development of a common security authorization \n        process for federal information systems. According to NIST, the \n        new security authorization process changes the traditional \n        focus from the stovepipe, organization-centric, static-based \n        approaches and provides the capability to more effectively \n        manage information system-related security risks in highly \n        dynamic environments of complex and sophisticated cyber \n        threats, ever increasing system vulnerabilities, and rapidly \n        changing missions. 
The process is designed to be tightly \n        integrated into enterprise architectures and ongoing system \n        development life cycle processes, promote the concept of near \n        real-time risk management, and capitalize on current and \n        previous investments in technology, including automated support \n        tools.\n\n        <bullet>  Special Publication 800-39, second public draft, \n        Managing Risk from Information Systems: An Organizational \n        Perspective, April 2008. The purpose of this publication is to \n        provide guidelines for managing risk to organizational \n        operations and assets, individuals, other organizations, and \n        the Nation resulting from the operation and use of information \n        systems. According to NIST, the risk management concepts \n        described in the publication are intentionally broad-based, \n        with the specific details of assessing risk and employing \n        appropriate risk mitigation strategies provided by supporting \n        NIST security standards and guidelines.\n\n        <bullet>  Special Publication 800-53, revision 3, Recommended \n        Security Controls for Federal Information Systems and \n        Organizations, June 2009. This publication has been updated \n        from the previous versions to include a standardized set of \n        management, operational, and technical controls intended to \n        provide a common specification language for information \n        security for federal information systems processing, storing, \n        and transmitting both national security and non-national \n        security information.\n\n        <bullet>  Draft IR-7502, The Common Configuration Scoring \n        System (CCSS): Metrics for Software Security Configuration \n        Vulnerabilities. 
This publication defines proposed measures for \n        the severity of software security configuration issues and \n        provides equations that can be used to combine the measures \n        into severity scores for each configuration issue.\n\n    In addition, NIST has other ongoing and planned activities that are \nintended to enhance information security programs, processes, and \ncontrols. For example, it is supporting the development of a program \nfor credentialing public and private sector organizations to provide \nsecurity assessment services for federal agencies. To support \nimplementation of the credentialing program and aid security \nassessments, NIST is participating or will participate in the following \ninitiatives:\n\n        <bullet>  Training includes development of training courses, \n        NIST publication quick start guides, and frequently asked \n        questions to establish a common understanding of the standards \n        and guidelines supporting the NIST Risk Management Framework.\n\n        <bullet>  Product and Services Assurance Assessment includes \n        defining criteria and guidelines for evaluating products and \n        services used in the implementation of controls outlined in \n        NIST SP 800-53.\n\n        <bullet>  Support Tools includes identifying or developing \n        common protocols, programs, reference materials, checklists, \n        and technical guides supporting implementation and assessment \n        of SP 800-53-based security controls in information systems.\n\n        <bullet>  Mapping initiative includes identifying common \n        relationships and the mappings of FISMA standards, guidelines, \n        and requirements with International Organization for \n        Standardization (ISO) standards for information security \n        management, quality management, and laboratory testing and \n        accreditation.\n\n    These planned efforts include implementing a program for validating 
\nsecurity tools.\n\nOther Collaborative Activities Undertaken by NIST\n\n    NIST collaborated with a broad constituency--federal and non-\nfederal--to develop documents to assist information security \nprofessionals. For example, NIST worked with the Office of the Director \nof National Intelligence, the Department of Defense, and the Committee \non National Security Systems to develop a common process for \nauthorizing federal information systems for operation. This resulted in \na major revision to NIST Special Publication 800-37, currently issued \nas an initial public draft. NIST also collaborated with these \norganizations on Special Publication 800-53 and Special Publication \n800-53A to provide guidelines for selecting and specifying security \ncontrols for Federal Government information systems and to help \nagencies develop plans and procedures for assessing the effectiveness \nof these controls. NIST also interacted with the DHS to incorporate \nguidance on safeguards and countermeasures for federal industrial \ncontrol systems in Special Publication 800-53.\n    NIST is also working with public and private sector entities to \nestablish specific mappings and relationships between the security \nstandards and guidelines developed by NIST and the ISO and \nInternational Electrotechnical Commission Information Security \nManagement System standard. 
For example, the latest draft of Special \nPublication 800-53 introduces a three-part strategy for harmonizing the \nFISMA security standards and guidelines with international security \nstandards including an updated mapping table for security controls.\n    NIST also undertook other information security activities, \nincluding:\n\n        <bullet>  developing Federal Desktop Core Configuration \n        checklists and\n\n        <bullet>  continuing a program of outreach and awareness \n        through organizations such as the Federal Computer Security \n        Program Managers' Forum and the Federal Information Systems \n        Security Educators' Association.\n\n    Through NIST's efforts, agencies have access to additional tools \nand guidance that can be applied to their information security \nprograms.\n\nOpportunities for Improving Information Security Metrics\n\n    Despite federal agencies reporting increased compliance in \nimplementing key information security control activities for fiscal \nyear 2008, opportunities exist to improve the metrics used in annual \nreporting. The information security metrics developed by OMB focus on \ncompliance with information security requirements and the \nimplementation of key control activities. OMB requires federal agencies \nto report on key information security control activities as part of the \nFISMA-mandated annual report on federal information security. 
To \nfacilitate the collection and reporting of information from federal \nagencies, OMB developed a suite of information security metrics, \nincluding the following:\n\n        <bullet>  percentage of employees and contractors receiving \n        security awareness training,\n\n        <bullet>  percentage of employees with significant security \n        responsibilities receiving specialized security training,\n\n        <bullet>  percentage of systems tested and evaluated annually,\n\n        <bullet>  percentage of systems with tested contingency plans,\n\n        <bullet>  percentage of agencies with complete inventories of \n        major systems, and\n\n        <bullet>  percentage of systems certified and accredited.\n\n    In May 2009, we testified\\25\\ that federal agencies generally \nreported increased compliance in implementing most of the key \ninformation security control activities for fiscal year 2008, as \nillustrated in Figure 1.\n---------------------------------------------------------------------------\n    \\25\\ GAO, Information Security: Agencies Make Progress in \nImplementation of Requirements, but Significant Weaknesses Persist, \nGAO-09-701T (Washington, D.C.: May 19, 2009).\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    However, reviews at 24 major federal agencies\\26\\ continue to \nhighlight deficiencies in their implementation of information security \npolicies and procedures. For example, in their fiscal year 2008 \nperformance and accountability reports, 20 of 24 major agencies noted \nthat their information system controls over their financial systems and \ninformation were either a material weakness or a significant \ndeficiency.\\27\\ In addition, 23 of the 24 agencies did not have \nadequate controls in place to ensure that only authorized individuals \ncould access or manipulate data on their systems and networks. 
We also \nreported that agencies did not consistently (1) identify and \nauthenticate users to prevent unauthorized access; (2) enforce the \nprinciple of least privilege to ensure that authorized access was \nnecessary and appropriate; (3) establish sufficient boundary protection \nmechanisms; (4) apply encryption to protect sensitive data on networks \nand portable devices; and (5) log, audit, and monitor security-relevant \nevents. Furthermore, those agencies also had weaknesses in their \nagency-wide information security programs.\n---------------------------------------------------------------------------\n    \\26\\ The 24 major departments and agencies are the Departments of \nAgriculture, Commerce, Defense, Education, Energy, Health and Human \nServices, Homeland Security, Housing and Urban Development, the \nInterior, Justice, Labor, State, Transportation, the Treasury, and \nVeterans Affairs; the Environmental Protection Agency, General Services \nAdministration, National Aeronautics and Space Administration, National \nScience Foundation, Nuclear Regulatory Commission, Office of Personnel \nManagement, Small Business Administration, Social Security \nAdministration, and U.S. Agency for International Development.\n    \\27\\ A material weakness is a significant deficiency, or \ncombination of significant deficiencies, that results in more than a \nremote likelihood that a material misstatement of the financial \nstatements will not be prevented or detected. A significant deficiency \nis a control deficiency, or combination of control deficiencies, that \nadversely affects the entity's ability to initiate, authorize, record, \nprocess, or report financial data reliably in accordance with generally \naccepted accounting principles such that there is more than a remote \nlikelihood that a misstatement of the entity's financial statements \nthat is more than inconsequential will not be prevented or detected. 
A \ncontrol deficiency exists when the design or operation of a control \ndoes not allow management or employees, in the normal course of \nperforming their assigned functions, to prevent or detect misstatements \non a timely basis.\n---------------------------------------------------------------------------\n    An underlying reason for the apparent dichotomy of increased \ncompliance with security requirements and continued deficiencies in \nsecurity controls is that the metrics defined by OMB and used for \nannual information security reporting do not generally measure the \neffectiveness of the controls and processes that are key to \nimplementing an agency-wide security program. Results of our prior and \nongoing work indicated that, for example, annual reporting did not \nalways provide information on the quality or effectiveness of the \nprocesses agencies use to implement information security controls. \nProviding information on the effectiveness of controls and processes \ncould further enhance the usefulness of the data for management and \noversight of agency information security programs.\n    In summary, DHS has not fully satisfied aspects of its key cyber \nsecurity responsibilities, one of which includes its efforts to protect \nour nation's cyber critical infrastructure and still needs to take \nfurther action to address the key areas identified in our recent \nreports, including enhancing partnerships with the private sector. In \naddition, although DHS has taken actions to remedy security weaknesses \nin its Secure Flight program, it still needs to address our remaining \nrecommendations for strengthening controls for systems supporting the \nUS-VISIT program. In taking these actions, DHS can improve its own \ninformation security as well as increase its credibility to external \nparties in providing leadership on cyber security. 
NIST has developed a \nsignificant number of standards and guidelines for information security \nand continues to assist organizations in implementing security controls \nover their systems and information. While NIST's role is to develop \nguidance, it remains the responsibility of federal agencies to \neffectively implement and sustain sufficient security over their \nsystems. Developing and using metrics that measure how well agencies \nimplement security controls can contribute to increased focus on the \neffective implementation of federal information security.\n    Chairman Wu, this concludes my statement. I would be happy to \nanswer questions at the appropriate time.\n\nAcknowledgements\n\n    Key contributors to this report include Michael Gilmore (Assistant \nDirector), Charles Vrabel (Assistant Director), Bradley Becker, Larry \nCrosland, Lee McCracken, and Jayne Wilson.\n\n                   Biography for Gregory C. Wilshusen\n    Gregory Wilshusen is Director of Information Security Issues at \nGAO, where he leads information security-related studies and audits of \nthe Federal Government. He has over 28 years of auditing, financial \nmanagement, and information systems experience. Prior to joining GAO in \n1997, Mr. Wilshusen held a variety of public and private sector \npositions. He was a senior systems analyst at the Department of \nEducation. He also served as the Controller for the North Carolina \nDepartment of Environment, Health, and Natural Resources, and held \nsenior auditing positions at Irving Burton Associates, Inc. and the \nU.S. Army Audit Agency. He's a certified public accountant, certified \ninternal auditor, and certified information systems auditor. He holds a \nB.S. degree in business administration (accounting) from the University \nof Missouri and an M.S. in information management from George \nWashington University's School of Engineering and Applied Sciences.\n\n    Chair Wu. Thank you very much, Mr. Wilshusen. 
And I think \nat this point I am going to recess the hearing for both \nprudential reasons. We have plenty of time to get to the Floor, \nbut also I think this is an important set of topics, and I \nwould hate for any of the Members of Congress or the staff to \nbe watching the clock ticking down, rather than paying \nattention to these very, very important topics.\n    So at this point we will adjourn until after the last vote. \nI am sorry, we will recess until after the last vote in this \nseries of votes.\n    [Recess.]\n    Chair Wu. This hearing will come back to order. I thank \neveryone for their forbearance.\n    Mr. Bregman, please proceed.\n\n  STATEMENT OF MR. MARK BREGMAN, EXECUTIVE VICE PRESIDENT AND \n         CHIEF TECHNOLOGY OFFICER, SYMANTEC CORPORATION\n\n    Mr. Bregman. Chair Wu, Ranking Member Smith, Members of the \nCommittee, good afternoon, and thank you for the opportunity to \ntestify today on cybersecurity efforts at NIST and DHS.\n    As a global information security leader, Symantec protects \nmore people from on-line threats than anyone in the world by \nassuring the security, availability and integrity of their \ninformation. We are headquartered in California, and are the \nfourth largest software company with operations in 40 \ncountries. We employ over 18,000 people, including several of \nwhich are located in the Chair's district in Beaverton, and I \nwant to thank you for your support there.\n    Symantec releases an annual Internet Security Threat Report \nwhich is a comprehensive analysis of information security \nthreat activity that analyzes network-based threats on \nconsumers and business. We compile the data via our global \nintelligence network which consists of over 40,000 sensors \nmonitoring computer activity in 180 countries. 
So in short, if \nthere is a class of threat on the Internet, we're aware of it.\n    This year's report found that while vulnerabilities \ncontinue to increase dramatically, the scope and size and \nsophistication of cyber attacks is also growing dramatically. \nThey are becoming much more targeted and more dangerous to our \nnation's critical infrastructure and our economic security.\n    The most common type of attack during this period targeting \nour government's critical infrastructure was denial of service \nattacks, accounting for about half of the top-ten threats in \n2008. Denial of service attacks are a threat to the government \nand critical infrastructure since the purpose of such attacks \nis to disrupt the availability of high-profile web sites and \nother network services and render them inaccessible to users \nand employees.\n    These kinds of attacks are often associated with political \nprotests and were used to disrupt the Estonian government web \nsites in 2007 as well as the Georgian government web sites that \nwere rendered inaccessible during the Georgia-Russia conflict \nin 2008. But denial of service attacks are just one type of \ncyber threat that affects government and critical \ninfrastructure.\n    As the 60-day cyber review rightly points out, \ncybersecurity risks pose some of the most serious economic and \nnational security challenges of the 21st century, and we \napplaud the President's commitment to take action on \ncybersecurity. We hope that the coordinator will be elevated \nwithin the White House to have the appropriate decision-making \nand budget authority that is necessary to set strategic \ndirection for the Nation, to empower our government agencies \nand private sector to do their mission in a coordinated and \nbalanced way, and take a more prominent role in international \ncyber policy.\n    Cybersecurity isn't a civilian or military problem or even \na government problem. It is a universal problem. 
All networks, \nmilitary, government, civilian and commercial are based on the \nsame computers, same networking hardware technologies, same \nInternet protocols, many of the same software packages. We are \nall the target of the same attack tools and tactics. In \naddition, since most of the Nation's critical IT infrastructure \nis in commercial hands, hackers consistently go after both \nmilitary and civilian targets.\n    We all have the same security challenges, so solutions must \nbe shared. I want to underscore today that cybersecurity is a \nshared government and private-sector responsibility. We need \ntransparent and accountable government processes, as well as \ncutting-edge government cybersecurity programs to improve \nsecurity for everybody.\n    So with that in mind, let me turn to what DHS and NIST's \nrespective roles and responsibilities are or could be in \ncybersecurity. We have seen a marked improvement in the \nDepartment of Homeland Security in their engagement with the \nprivate sector. Under the National Infrastructure Protection \nPlan construct, DHS is the lead department for engaging the IT \nsector, and Symantec and other private stakeholders, through \nthe Sector Coordinating Councils, have provided input to DHS on \na number of the Comprehensive National Cyber Initiative \nprojects. We have been engaged with DHS and several other cyber \npolicy initiatives, including resiliency, incentives, metrics, \nrisk assessment, information sharing, and cyber exercises.\n    There are few areas in which we believe more can continue \nto be done by the department and private sector jointly, \nincluding establishing a front-line cyber defense, seeking ways \nto defend against threats to the supply chain, and taking \ncybersecurity to the next level through workforce education.\n    In cyberspace, we have a very rich base from the commercial \nsector. 
This is quite different from other historic government \nmodels for addressing front-line national defense where much of \nthe solution comes from government or the defense industrial \nbase. The U.S. Government could benefit greatly if the private \ncybersecurity sector were brought in more consistently to \nassist in the development of cybersecurity solutions. One \nexample, mentioned earlier, where more input from the private \nsector could be helpful to DHS would be project EINSTEIN.\n    Today, the private sector has not been formally asked to \nparticipate in DHS's global supply chain initiative, despite \nthe fact that much of the supply chain the government cares \nabout is in the hands of the private sector. If more \ninformation is not shared by the government on the threats or \nrisks that government sees, then how can the private sector do \nmore to protect against these threats and risks?\n    Symantec is a co-founder of SAFECODE, a non-profit \norganization created for companies to share software assurance \nand supply chain best practices. We strongly urge the \nDepartment of Homeland Security, Department of Defense (DOD), \nNIST, and other agencies to work closely with SAFECODE and its \nmember companies to work collaboratively in addressing supply \nchain and software assurance.\n    DHS has also taken a lead role in education and awareness. \nFor example, it is a sponsor and an active participant in the \nNational Cyber Security Alliance and staysafeonline.gov. The \npurpose of NCSA is to educate consumers, K-12, higher \neducation, and small business on how to protect themselves and \ntheir data in cyber infrastructure.\n    DHS is also working with NCSA and other stakeholders to \ndevelop a plan for the development and retention of a trained \ncybersecurity professional workforce within the government, and \nwe certainly support these.\n    DHS has a role to play in the area of cybersecurity R&D \n(research and development). 
We believe that much of the work \ncompleted by the S&T (Science and Technology) Directorate is \nimportant and that R&D determined to be not commercially viable \nshould be funded by the government. I respectfully ask that the \nU.S. Government engage with the private sector more on the R&D \ncollectively to collaborate on common problems.\n    Given this committee's jurisdiction, I would like to \ncomment on NIST's mission on cybersecurity. It is very \nimportant through the promotion of national standards; in \nparticular, the work NIST does with federal agencies, industries \nand academia to research, develop and deploy information \nsecurity standards and technologies is critical. As these \nstandards become more important, NIST's role and responsibility \nwill continue to grow, and with that we believe NIST's funding \nlevel is not adequate and should be increased.\n    NIST has played a leading role in the development of FISMA \nguidelines and federal information processing standards, and as \nCongress looks to reform FISMA, we will look to NIST for \nappropriate guidance and standards.\n    Symantec has worked closely with NIST on Common Criteria \nfor several years, and we fully support Common Criteria because \nit offers many advantages, including an international \ncertification framework for products. As the lead technical \nstandards organization for the Federal Government, NIST has a \ncritical role to play in revising the protection profiles and \nimproving Common Criteria, and we ask that NIST become an \nactive member of NIAP (National Information Assurance \nPartnership) again and would like to see them play an even more \nactive role in other international consensus standard bodies \nand organizations.\n    NIST has contributed to raising the quality of federal \ninformation security by promoting operational norms and by \nhelping agencies to find model security processes. 
Experience \nshows that federal standards aligned with established \ncommercial practices generally succeed, whereas unique \ngovernment-only standards, such as the Government Open Systems \nInterconnection Profile, have achieved poor results.\n    Whether rigid or flexible, standards must be appropriate \nfor the activities being regulated. They must be mindful of the \nmarket drivers. Credible federal mandates must strike a balance \nbetween ideal and practical standards, including setting \nreasonable expectations for compliance in the huge base of \ninstalled federal systems. NIST's guidelines strike a balance \nbetween general rules of thumb for all agencies and local \nknowledge and expertise of on-the-ground federal officials. \nHowever, fixed, inflexible process standards can't easily \naccommodate these situations.\n    So in summary, the constantly changing cyber threat \nlandscape and its reliance on human activity, coupled with \nrapidly changing technology, makes it essential that security \ndoctrine remains flexible.\n    I strongly recommend that NIST also engage with the private \nsector to include development of an independent supply chain \nverification process that will allow us to validate software \nintegrity, focusing more on how technology is developed and \nless on where it is developed globally. 
The near-term action \nplan within the President's cyber review requires establishment \nof cybersecurity performance metrics, and this is another area \nthat is ripe with opportunity, and we believe NIST should be a \nkey driver of this activity, working with the private sector \nand other agencies.\n    In addition to cybersecurity metrics, NIST should consider \ncollaborating more with the private sector in other areas such \nas cloud computing architecture and standards, SCAP (Security \nContent Automation Protocol) and other data taxonomy standards, \nhealth IT, and Smart Grid architecture with security standards \nbuilt in from the beginning.\n    We also want to stress the importance of NIST working with \nthe private sector to ensure the agreed-upon standards, protocols, \nand requirements are rolled out with reasonable timelines and \nmilestones to meet realistic commercial product development \nroadmaps.\n    In conclusion, we believe that both the Department of \nHomeland Security and NIST have done much to carry the cyber \ntorch forward in many areas. However, there is much work still \nto be done and much more collaboration that needs to take place \nwith the private sector. We stand committed to working with the \nAdministration and Congress to improve cybersecurity, and I \nwould like to thank you, Chair Wu, for allowing me the \nopportunity to testify before the distinguished Members of this \ncommittee.\n    [The prepared statement of Mr. Bregman follows:]\n\n                   Prepared Statement of Mark Bregman\n\n    Good afternoon, Chairman Wu, Ranking Member Smith, and Members of \nthe Subcommittee on Technology and Innovation. Thank you for the \nopportunity to speak about cyber security activities at NIST and DHS.\n    I come before you today as Chief Technology Officer of Symantec \nCorporation, the global leader in providing information security \nsolutions. 
We protect consumers and businesses by assuring the \nsecurity, availability and integrity of their information. \nHeadquartered in Cupertino, California, Symantec is the world's fourth \nlargest software company with operations in more than 40 countries and \nover 18,000 employees.\n    In April, Symantec released our Internet Security Threat Report \nwhich is widely acknowledged to be the most comprehensive analysis of \ninformation security activity for today's economy. The Report includes \nan analysis of network based attacks including those on small \nbusinesses with a review of known threats, vulnerabilities, and \nsecurity risks. Symantec has provided this report since 2002.\n    This year's report showed that the cyber attacks are growing in \nsize, scope and sophistication. They are becoming more targeted and \nmore dangerous to our critical infrastructure on which our economy \ndepends. Vulnerabilities also continue to increase dramatically.\n    The most common type of attack this period targeting government and \ncritical infrastructure organizations was denial-of-service attacks, \naccounting for 49 percent of the top 10 in 2008. Denial of Service \n(DoS) attacks are a threat to government and critical infrastructures \nsince the purpose of such attacks is to disrupt the availability of \nhigh-profile web sites or other network services and make them \ninaccessible to users and employees. This could result in the \ndisruption of internal and external communications, making it \npractically impossible for employees and users to access potentially \ncritical information. Because these attacks often receive greater \nexposure than those that take a single user off-line, especially for \nhigh-profile government web sites, they could also result in damage to \nthe organization's reputation. 
A successful DoS attack on a government \nnetwork could also severely undermine confidence in government \ncompetence, and impair the defense and protection of government \nnetworks.\n    DoS attacks can often be associated with political protests, since \nthey are intended to render a site inaccessible in the same way that a \nphysical protest attempts to block access to a service or location. \nThey can also be associated with conflict whereby one country may \nattempt to block Web traffic or take web sites off-line. As such, the \nhigh percentage of DoS attacks may be an attempt to express \ndisagreement with targeted organization or countries. Examples of these \ntypes of attacks targeting governments were the DoS attacks that \ndisrupted and took Estonian governmental web sites off-line in 2007 and \nthe Georgia government web sites that were rendered inaccessible during \nthe Georgia-Russia conflict in 2008.\n    SMTP, or simple mail transfer protocol, is designed to facilitate \nthe delivery of e-mail messages across the Internet. E-mail servers \nusing SMTP as a service are likely targeted by attackers because \nexternal access is required to deliver e-mail. In addition to illegally \naccessing networks, attackers who compromise e-mail servers may also be \nattempting to use the e-mail servers to send spam or harvest e-mail \naddresses for targeted phishing attacks. Because spam can often consume \nhigh quantities of unauthorized network bandwidth, these e-mails can \ndisrupt or overwhelm e-mail services, which could result in DoS \nconditions. Successful SMTP attacks against government and critical \ninfrastructure organizations could also allow attackers to spoof \nofficial government communications and obtain credentials in order to \nlaunch further attacks. These organizations heavily rely on e-mail as a \ncommunication method and as such, it is essential that e-mail traffic \nbe secured. 
This is just one example of the type of threat affecting \ngovernment and critical infrastructure sectors in cyberspace today.\n    As the President so eloquently articulated in May when he released \nthe 60 day cyber review,\n\n         ``The globally-interconnected digital information and \n        communications infrastructure known as ``cyberspace'' underpins \n        almost every facet of modern society and provides critical \n        support for the U.S. economy, civil infrastructure, public \n        safety and national security.'' The report goes on to say \n        ``Cyber security risks pose some of the most serious economic \n        and national security challenges of the 21st century.''\n\n    We applaud the President's personal commitment to take the action \nthat is so desperately needed around cyber security and look forward to \nworking soon with the new cyber security coordinator, other agencies \nand stakeholders to develop the strategy, policies, and operational \nplans necessary to improve cyber security. We hope that the coordinator \nwill be elevated within the White House and have the appropriate \npolicy, decision-making and budget review authorities necessary to set \nthe strategic direction for the Nation, empower agencies and the \nprivate sector to do their mission in a coordinated and balanced way, \nand take a more prominent role in international cyber policy.\n\nCyber Security: A Shared Public and Private Sector Responsibility\n\n    Cyber security isn't a civilian or military problem, or even a \ngovernment problem--it's a universal problem. All networks, military, \ngovernment, civilian and commercial, use the same computers, the same \nnetworking hardware, the same Internet protocols and the same software \npackages. We all are the targets of the same attack tools and tactics. 
\nIt's not even that government targets are somehow even more \ndifferentiated; these days, most of our nation's critical IT \ninfrastructure is in commercial hands. Government-sponsored or civilian \nhackers go after both military and civilian targets.\n    GAO reports indicate that government problems include insufficient \naccess controls, a lack of encryption where necessary, poor network \nmanagement, failure to install patches, inadequate audit procedures, \nand incomplete or ineffective information security programs. These \naren't top security issues; these are the same managerial problems that \nevery corporate CIO wrestles with.\n    We all have the same information security challenges, so solutions \nmust be shared. If the government has any innovative ideas to solve its \ncyber security problems, certainly a lot of us could benefit from those \nsolutions. In addition, we need transparent and accountable government \nprocesses, using commercial security products. Finally, we also need \ngovernment cyber security programs that improve security for everyone.\n    Now, I will keep the remainder of my comments focused on what DHS \nand NIST's respective roles and responsibilities are or should be in \ncyberspace.\n\nDHS' Cyber Roles and Responsibilities\n\n    Let me start with the Department of Homeland Security or ``DHS.'' \nUnder the National Infrastructure Protection Plan construct, DHS is the \nlead department for engaging with the IT Sector. 
In addition to the 60-\nday roll-out, there has been a lot of talk regarding the \n``Comprehensive National Cyber Initiative'' or ``CNCI.'' Symantec and \nother private sector stakeholders, through the Sector Coordinating \nCouncils, have been able to participate and provide input into DHS on a \nnumber of the Initiative's projects, including Project 12 regarding \npublic-private partnerships, Project 4 on leap ahead technologies, and \nProject 10 on deterrence and the need for global norms of behavior in \ncyberspace. The private sector and DHS have been engaged in a number \nof other projects and activities to address a myriad of cyber policy \nissues, including resiliency, incentives, metrics, risk assessments, \ninformation sharing, and cyber exercises just to name a few. We have \nseen a marked improvement over the last couple of years by the DHS and \ntheir engagement with the private sector.\n    There are a few areas in which we believe more can be done by the Department \nof Homeland Security and private sector jointly. As you heard from Dr. \nFonash last week, there are three areas in which DHS has focused their \npriorities around CNCI: Establishing a front line of defense, seeking \nways to defend against a full spectrum of threats through supply chain \nand intelligence, and taking cyber security to the next level through \nworkforce education.\n\n1) Front Line of Defense: In cyberspace we have a very rich, \ntraditional base from the commercial sector very different from other \nhistorical government models for addressing national security issues \nwhere much of the solutions come from government or defense \ncontractors. With that in mind, it could benefit the U.S. Government \ngreatly if the private sector were brought in more consistently to \nassist in the development of cyber security solutions to address \nprojects and other key cyber challenges. 
We would like to see more \ncollaboration between the public and private sector on these programs \nso that the government can learn about what technologies may be more \napplicable now to address today or tomorrow's threats. One example of \nwhere more input from the private sector could be helpful is Project \nEINSTEIN. Project EINSTEIN was developed to detect network intrusions \nand create better situational awareness. However, since its inception a \nnumber of years ago, the threats and technologies used to prevent or \nmitigate against these threats have changed dramatically. No longer is \ndelayed detection of threats and intrusions simply enough. \nThe need for data prevention technologies and near or real-time \nsituational awareness capabilities is imperative. We hope the public \nsector leverages the expertise and technology that the private\n\n2) Supply Chain: In last week's hearing, there was a lot of discussion \nby the government witnesses on the importance of protecting our global \nsupply chain. We heard about the work that the Department of Homeland \nSecurity and Department of Defense are undertaking to lead the CNCI \nProject on this topic. To date, the private sector has not been \nformally asked to participate in this activity despite the fact that \nmuch of the supply chain that government cares about is in the hands of \nthe private sector. We as a company take actions on what we know and \nthe risks we face. However, if more information is not shared by the \ngovernment on the threats or risks they see, how can we do more to \nprotect against the threats or risks that we have not been informed \nabout? Additionally, we believe that much of the expertise and best \npractices for protecting the supply chain reside within the private sector. \nLet me give you one example.\n    Symantec is a co-founder of SAFECODE, a non-profit organization \ncreated for companies to share software assurance and supply chain best \npractices. 
We strongly urge the Department of Homeland Security, \nDepartment of Defense, NIST and other agencies to work closely with \nSAFECODE and its member companies to work collaboratively in addressing \nsupply chain and software assurance. This collaboration could focus on \ninformation sharing of supply chain threats and vulnerabilities and \ndevelopment of best practices and standards.\n\n3) Education and Awareness: DHS has taken a lead role in this area. For \nexample, DHS is a sponsor and active participant in the National Cyber \nSecurity Alliance (NCSA) and staysafeonline.gov. The purpose of NCSA, a \n501c3, is to educate consumers, K-12, higher education, and small and \nmedium sized businesses on the steps they need to take in order to use the \nInternet safely and securely, protecting themselves, their data and the \ncyber infrastructure. The President's 60-day cyber review recognized \nthe good work of the NCSA and highlights the need for formal K-12 \neducation and curriculum to address cyber safety, cyber security and \ncyber ethics (C3) within schools. NCSA and DHS will be working with \nother key stakeholders to develop this C3 framework. In addition to a \nK-12 curriculum framework, NCSA has established a volunteer program (C-\nSAVE) for computer security professionals to teach cyber security in \nschools and is working to conduct a small and medium-sized business \nstudy to identify current cyber practices, gaps, resource needs, and \nways to effectively communicate with this important audience. There are \nmany more activities underway which can be found at \nwww.staysafeonline.gov.\n\n4) Workforce and Training: In addition to education and awareness \nresponsibilities, DHS is working with several agencies, NCSA and other \nstakeholders to develop a plan for the development and retention of a \ntrained cyber security professional workforce that can meet the \nincreasing demand and gaps within the government. 
DHS is also \ndeveloping a program to retrain the current workforce in the public and \nprivate sector to ensure they have the most up-to-date skills and \ncapabilities to address today's technology and cyber security demands. \nWe fully support these activities and believe this is appropriate work for \nDHS to engage in with other interagency partners.\n\n5) Exercises and National Incident Response Planning: The 60-day \nreview's near-term action plan calls for ``a cyber security incident \nresponse plan to enhance public-private partnerships with an eye toward \nstreamlining, aligning, and providing resources to optimize \ncontribution and engagement.'' We believe that DHS is well positioned \nto help lead these efforts and ask that the private sector be included \nearly on in the development process.\n\n6) R&D: DHS has a role to play in the area of cyber security R&D \nthrough the Science and Technology Directorate. The S&T Directorate \nmaps their R&D projects based on the needs of their primary internal \ncustomer, the Cyber Security and Communications Directorate. We believe \nthat much of the work completed by the S&T Directorate is very \nimportant and believe that increased funding is necessary in order for \nthe S&T Directorate to meet their customers' needs. We also believe \nthat a more formal process of identifying priorities and coordinating \nwith internal customers is necessary. We also believe that DHS writ \nlarge, in their capacity as the Government Specific Agency for \ninteracting with the IT and Communications Sectors, must have a formal \nprocess of engaging with the private sector on the CNCI R&D Project. It \nis not surprising that the private sector spends more than the U.S. \nGovernment on R&D. 
It is also not surprising that both the public and \nprivate sector have limited resources with which to spend on R&D.\n\n    Imagine if we could work together to identify what the collective \nproblems and priorities are for government and industry, determine \nwhich of those priorities are commercially viable and therefore should \nnot be funded by government, and identify the gaps and/or redundancies \nthat exist. Those projects which may be redundant can be de-conflicted \nand re-allocated. Those priorities that are gaps and not determined to \nbe commercially viable could then be funded by government. This process \nwould allow us all to maximize our collective resources to the fullest \nextent possible and ensure that we are working from a coordinated \nroadmap and set of priorities. We respectfully ask that the U.S. \nGovernment engage with the private sector to the extent possible in \nthis area. Some initial challenges or problem areas for R&D \nconsideration could include: Attribution, Situational Awareness, Early \nWarning, and ID management.\n\nNIST's Roles and Responsibilities\n\n    In addition to DHS' role, NIST's mission in cyber security is very \nimportant. Beginning with its founding in 1901 as the National Bureau \nof Standards, NIST has played a key role in U.S. commerce through \npromotion of various national standards. In particular, the work NIST \ndoes with federal agencies, industry and academia to research, develop \nand deploy information security standards and technology is critical. \nAs cyber security standards and metrics become increasingly important, \nNIST's role and responsibility will continue to grow. With that, we \nbelieve NIST's funding level is not adequate and should increase so \nthey can meet the community's growing needs and requirements.\n\nFISMA: Since its inception, NIST has played a leading role in the \ndevelopment of FISMA guidelines and Federal Information Processing \nStandards (FIPS). 
As Congress looks to reform FISMA, we will look to \nNIST for appropriate guidance and standards.\n\nCommon Criteria/NIAP and other international standards activities: \nSymantec has been involved with Common Criteria evaluations for several \nyears. In fact, our Symantec Enterprise Firewall was the first product \nto be certified against the U.S. Government's application firewall \nprotection profile. We currently have several products \ncertified. Symantec supports the Common Criteria because it offers many \nadvantages, including an international certification framework for \nproducts. Based on the results of evaluations against the Basic and \nMedium Robustness Protection Profiles and comments from vendors and \ngovernment customers, NIAP, the U.S. Government implementation arm for \nCommon Criteria, has determined that the current U.S. Protection \nProfile Robustness model needs to be revised. The original \nimplementation did not create the necessary test plans and \ndocumentation needed to achieve consistent results across different \nproducts evaluated in different labs. As a result, NSA is creating a \nStandard Protection Profile, which will replace any corresponding U.S. \nGovernment Protection Profile. NSA plans to work with industry, \ngovernment stakeholders, and the Common Criteria community to create \nthese Protection Profiles. As the lead technical standards organization \nfor the Federal Government, we believe that NIST has a critical role to \nplay in revising the protection profiles and improving Common Criteria. \nWe ask that NIST become an active member of NIAP again and would like \nto see them play an even more active role in other international \nconsensus standards bodies and organizations.\n\nFlexible NIST Federal Security Standards: NIST has contributed to \nraising the quality of federal information security by promoting \noperational norms and by helping agencies to find model security \nprocesses. 
Experience shows that federal standards aligned with \nestablished commercial practices generally succeed. However, unique \ngovernment-only standards, such as the Government Open Systems \nInterconnection Profile (GOSIP), have achieved poor results.\n    Whether flexible or rigid, standards must be appropriate for the \nactivities being regulated, and they must be mindful of market drivers \nand required precision. The precision and specificity in standards vary \nconsiderably according to their goals and purposes. For example, some \ntechnical standards, such as communications protocols, must be very \nprecise and rigid because of a need for inter-operation among many \nvendors' products.\n    Thus, credible federal mandates must strike a balance between ideal \nand practical standards, including setting realistic expectations for \ncompliance in the huge base of installed federal systems. Additionally, \nwe must remember that compliance will be put in jeopardy if the \nstandards are perceived to be unreasonable or not viable.\n    First, standards require reliable metrics to enable tracking of \ncompliance. Second, they must be introduced at a specific point in the \nproduct life cycle when customers seek standard products and \nmanufacturers are no longer competing on features. Third, there must be \na compelling market benefit supporting use of a standard. Finally, \nstandards must be appropriate for the application being standardized.\n    NIST's guidelines strike a balance between general rules of thumb \nfor all agencies and the local knowledge and expertise of on-the-ground \nfederal officials. However, fixed, inflexible process standards cannot \neasily accommodate all of these situations. 
In summary, the constantly \nchanging cyber threat landscape and its high reliance on human activity \ncoupled with the rapid changes in technology make it essential that \nsecurity doctrine remains flexible.\n\nMetrics: The near-term action plan within the President's cyber review \nrequires the establishment of cyber security performance metrics. This \nis an area ripe with opportunity and we believe NIST should be a key \ndriver of this activity working with the private sector and other \nagencies.\n    In addition to cyber security metrics, there are some areas we \nbelieve NIST should consider collaborating more with the private sector \non, including: Cloud Computing architecture and standards, SCAP and \nother data taxonomy standards, Supply Chain best practices, Health IT, \nand Smart Grid architecture with security standards built in. We also \nwant to stress the importance of NIST and OMB working with the private \nsector to ensure that agreed upon standards, protocols and requirements \nare rolled out with reasonable timelines and milestones to meet \nrealistic commercial product development roadmaps.\n    In conclusion, we believe both the Department of Homeland Security \nand NIST have done much to carry the cyber torch forward in several \nareas. However, there is much more work to be done and much more \ncollaboration that needs to take place with the private sector. We \nstand committed to working with the Administration and Congress to \nimprove cyber security.\n    Thank you again, Chairman Wu, for allowing me the opportunity to \ntestify before the distinguished Members of the House Science \nSubcommittee on Technology and Innovation regarding cyber security \nresponsibilities for DHS and NIST. 
I am happy to answer any questions \nthat any Members of the Committee may have.\n\n                       Biography for Mark Bregman\n\n    Mark Bregman is Executive Vice President and Chief Technology \nOfficer at Symantec, responsible for the Symantec Research Labs, \nSymantec Security Response and shared technologies, emerging \ntechnologies, architecture and standards, localization and secure \ncoding, and developing the technology strategy for the company. Bregman \nguides Symantec's investments in advanced research and is responsible \nfor the company's development centers in India and China.\n    Additionally, Bregman leads the field technical enablement team, \nwhich works closely with the technical sales team to ensure they are \nprepared to assist customers in managing the impact of changing and \nemerging technical requirements.\n    Bregman joined Symantec through the company's merger with Veritas \nSoftware, where he served as chief technology officer, responsible for \ncross-product integration, advanced product development, merger and \nacquisition strategy, and the company's engineering development centers \nin India and China.\n    Prior to joining Veritas, Bregman was CEO of Airmedia, a wireless \nInternet firm.\n    Previously, Bregman spent 16 years at IBM where he led the RS/6000 \nand Pervasive Computing divisions and held senior management positions \nin IBM Research and IBM Japan. He was also technical assistant to IBM \nCEO Lou Gerstner.\n    Bregman holds a Bachelor's degree in physics from Harvard College \nand a Master's degree and doctorate in physics from Columbia \nUniversity. He is a member of the Visiting Committee to the Harvard \nUniversity Libraries, a member of the American Physical Society, and a \nsenior member of IEEE. He also serves on the Board of Directors of \nShoreTel and the Bay Area Science and Innovation Consortium.\n\n    Chair Wu. Thank you very much, Mr. Bregman. Mr. 
Charney, \nplease proceed.\n\n   STATEMENT OF MR. SCOTT CHARNEY, CORPORATE VICE PRESIDENT, \n          TRUSTWORTHY COMPUTING, MICROSOFT CORPORATION\n\n    Mr. Charney. Thank you, Chair Wu. Thank you, Member Smith, \nMembers of the Subcommittee. Thank you for the opportunity to \nappear today at this important hearing on cybersecurity.\n    My name is Scott Charney. I am the Corporate Vice President \nfor Trustworthy Computing at Microsoft. In cyberspace today, we \nare locked in an escalating and sometimes hidden conflict. \nCyber threats have grown in sophistication, expanding from \nopportunistic viruses and worms that were once disruptive and \nsometimes damaging to include very targeted, stealthy and \npersistent attacks. In the information age, any individual can \nengage in activities formerly limited to nation states, and any \nnation, regardless of traditional measures of power and \nsophistication, can gain economic and military advantage \nthrough cyber programs. The lack of identity for hardware, \nsoftware and people on the Internet also makes it difficult to \ndetermine the source of an attack. Understanding the sources \nand the motivations of attacks is essential to ensuring the \nappropriateness of response. Absent strong attribution \nabilities which balance security and privacy, international and \nnational strategies to deter cyber attacks will not succeed. \nAttribution can and must be a top priority to improve \ncyberspace security moving forward.\n    The challenge for the government today is that it must \nbalance dual and often interrelated roles to manage cyber \nthreats effectively. The government is responsible for \nprotecting public safety and national security, and it is also \nresponsible for managing a large IT infrastructure. 
I support \nthe near-term action plan in the recently released White House \n60-day review and specifically the action to prepare an updated \nnational strategy to secure the information and communications \ninfrastructure.\n    Just as we need an updated national strategy to ensure the \nNation's cybersecurity, the government must also implement an \neffective model for managing its own cybersecurity. Such a \nmodel would include a centrally managed horizontal security \nfunction to provide a foundation of government-wide policy \nstandards and oversight. And because each federal agency has \nits own mission, customers, partners, and threats, there must \nalso be vertical security functions resident in each agency to \nensure that agency-specific missions are accomplished and \nagency-specific risks are managed appropriately.\n    Let us turn to the more specific roles for DHS and NIST. \nThe hybrid model I just outlined could be applied more \neffectively to the federal enterprise. In this implementation, \nDHS and NIST would provide the horizontal, centrally managed \ncybersecurity functions, and individual agencies would have \nvertical functions to manage their unique risks. Simply stated, \nthe Department of Homeland Security should set security control \npolicy articulating minimum cybersecurity baselines, goals, and \noutcomes. DHS should also develop processes to exchange and \nfoster implementation of best practices so that agencies can \nmore quickly achieve higher levels of security when necessary. \nNIST should create government-wide standards to help agencies \nmeet the security control policy set by DHS. To realize the \nvalue created by analyzing data horizontally, DHS and NIST must \nhave the right data, they must analyze that data, and the data \nmust drive action. 
This will require enhanced cybersecurity \nmonitoring, audit, and analytics to gain valuable insights on \nthe real-time health of the federal enterprise and enable agile \nactions to mitigate and respond to incidents.\n    Agencies should continue to have the responsibility and \naccountability for creating documented information security \nprograms, assessing their risks, implementing effective \nmanagement controls, and responding to agency incidents. This \nis the vertical function in the hybrid model.\n    In conclusion, as long as threats evolve, so must our \nefforts to protect against them. Technology alone will not \ncreate the trust necessary to secure cyberspace. \nTechnological innovation must be aligned with social, \npolitical, economic, and IT forces to enable change. Microsoft \nhelps drive and shape these forces with partners in the \necosystem to create a safe and more trusted Internet. The \nUnited States must similarly drive forward with a clear vision \nand holistic information-age strategies to combat threats to \nnational and economic security and to public safety.\n    Thank you again, Chair Wu, for providing me the opportunity \nto testify before the distinguished Members of the Subcommittee \non Technology and Innovation, and I am happy to answer any \nquestions you may have.\n    [The prepared statement of Mr. Charney follows:]\n\n                  Prepared Statement of Scott Charney\n\n    Chairman Wu, Ranking Member Smith, and Members of the Subcommittee, \nthank you for the opportunity to appear today at this important hearing \non cyber security and for entering my written testimony into the record \nof this committee. My name is Scott Charney, and I am the Corporate \nVice President for Trustworthy Computing at Microsoft. I also served as \none of four Co-Chairs of the Center for Strategic and International \nStudies (CSIS) Commission on Cybersecurity for the 44th Presidency. 
\nPrior to joining Microsoft, I was Chief of the Computer Crime and \nIntellectual Property Section in the Criminal Division of the United \nStates (U.S.) Department of Justice. I was involved in nearly every \nmajor hacker prosecution in the U.S. from 1991 to 1999; worked on \nlegislative initiatives, such as the National Information \nInfrastructure Protection Act that was enacted in 1996; and chaired the \nG8 Subgroup on High Tech Crime from its inception in 1996 until I left \ngovernment service in 1999.\n    Today I will share a brief assessment of cyberspace security and \ndiscuss:\n\n        1)  Establishing Information Age security strategies for \n        government;\n\n        2)  Advancing federal civilian enterprise security; and\n\n        3)  Clarifying roles and enhancing capabilities for the \n        Department of Homeland Security (DHS) and the National \n        Institute of Standards and Technology (NIST).\n\nCyberspace Security: Understanding the Evolving Threats\n\n    We are locked in an escalating and sometimes hidden conflict in \ncyberspace. The battle of bits and bytes has very real consequences for \nAmerica, other nations, the private sector, and all other Internet \nusers. Cyber attack joins terrorism and weapons of mass destruction as \none of the new, asymmetric threats that puts the U.S. and other \ngovernments at risk. Cyber security has improved, but these \nimprovements have not kept pace with the increasing availability and \nvalue of data, nor the number or sophistication of cyber attacks. In \nthe Information Age, governments, industries, and consumers around the \nworld rely on globally connected networks and cyber systems, and create \nand store volumes of sensitive data electronically. Such data, \nparticularly when not well secured, presents an attractive target for \nthose seeking competitive or strategic advantage, or financial gain.\n    The resulting cybercrime economy is complex, sophisticated, and \ngrowing. 
It has numerous participants, some willing (malware \ndevelopers) and some unwilling (victims of cyber attacks); some clearly \ngood (security researchers that disclose vulnerabilities responsibly) \nand some clearly bad (vulnerability traffickers). Over the past decade, \nattacks that bad actors carry out have also grown in sophistication, \nexpanding from opportunistic viruses and worms that were disruptive and \nsometimes damaging to very targeted, stealthy, and persistent attacks. \nIn today's evolving cybercrime economy, any individual can engage in \nactivities formerly limited to nation-states, and any nation, \nregardless of traditional measures of sophistication, can gain economic \nand military advantage through cyber programs.\n    When self-replicating computer worms entered the public \nconsciousness several years ago, it was in the form of malware, such as \nWin32/MSBlast, Win32/Sasser, and Win32/Slammer, that exploited \nvulnerabilities to spread rapidly and caused system disruption or \nfailure. These threats were highly visible and garnered significant \nattention. Exploit-based worms, while still a concern, have receded \nfrom prominence as Microsoft and other software vendors have reduced \nthe vulnerabilities these worms relied on to spread, and users deployed \nsecurity technologies meant to thwart these attacks. With the \ntraditional vectors of mass propagation reduced significantly, today's \nprominent worms rely much more on social engineering techniques to gain \naccess to information technology (IT) environments, like enterprise \nnetworks and consumer machines. A gap in the application and oversight \nof enterprise-wide and consumer security controls, as well as \ninsufficient monitoring and analysis of the real-time health of \nnetworks, can create significant risk both nationally and globally.\n    Today Microsoft tracks more than 30,000 types of malware families \nand some of these families have millions of variants. 
There are \ninfections by these variants in machines around the world, but linking \nan infected machine with the cyber attacker who infected it is very \ndifficult. The lack of identity for hardware, software, data, and \npeople on the Internet makes it difficult to determine the source of \nattacks, yet knowing the source is essential to ensuring the \nappropriateness of response. Attribution of cyber attacks is one of the \nmost fundamental challenges facing the international community. Absent \nstrong attribution abilities, international and national strategies to \ndeter cyber attacks will not succeed.\n    Microsoft has long recognized the growing need to improve software \nsecurity to counter cyber threats. In 2002, Microsoft changed the way \nit built software by implementing the Security Development Lifecycle \n(SDL). The SDL provides customers with high quality, well-engineered \nand rigorously tested software that helps withstand malicious attacks \nby requiring threat models to be built at design time and requiring \nthat specific security milestones be met at each stage of the \ndevelopment process. Every Internet-facing or enterprise-class product \nfrom Microsoft is required to go through the SDL, resulting in \nmeasurable improvements in the security and privacy of Microsoft's \nsoftware. We also continue to work with partners in the computing \necosystem to help better protect our mutual customers and all Internet \nusers. For example, we are members of the Software Assurance Forum for \nExcellence in Code (SAFECode)\\1\\ which promotes the advancement of \ndemonstrably effective software assurance methods. These efforts are \nessential in reducing the attack surface of products. Technology alone, \nhowever, will not create the trust necessary to realize the full \npotential of the Internet. Technological innovation must be aligned \nwith social, political, economic and IT forces to enable change. 
\nWorking with partners in the ecosystem, Microsoft is advancing End-to-\nEnd Trust,\\2\\ driving and shaping these forces to create a safer, more \ntrusted Internet.\n---------------------------------------------------------------------------\n    \\1\\ www.safecode.org; members include EMC, Juniper, Microsoft, \nNokia, SAP, and Symantec.\n    \\2\\ www.microsoft.com/endtoendtrust\n---------------------------------------------------------------------------\n    What can government do to counter this underground cybercrime \neconomy? First, understanding the nature of cyber threats is critical. \nBreaking down the complexity of the cyber threat is necessary to inform \nthe useful allocation of resources for defense and to guide more \neffective risk management. Our defenses must consider the diversity of \nplayers, motivations, and methods in the cybercrime economy, and must \neither raise the costs for adversaries to carry out attacks or decrease \nthe value of successful attacks. Lowering the return on investment for \ncyber attacks can deter some bad actors or lessen the consequences of \nattacks that do occur.\n\nEstablishing Information Age Security Strategies for Government\n\n    Government must balance dual, and often interrelated, roles to \neffectively manage emerging cyber threats. First, as a public policy \nentity, the government is responsible for protecting public safety, as \nwell as economic and national security. In this capacity, the United \nStates must develop a national cyberspace strategy to address the full \nspectrum of significant risks presented by the Information Age. But the \nFederal Government is also a large and widely distributed enterprise, \nwith countless globally distributed ``customers'' (e.g., citizens who \nwant to connect with their government), partners, operations, networks, \nand resources. 
Although distinct, the policy and enterprise roles are \nnot entirely separate, as each affects and informs the other.\n\nArchitecting a Comprehensive and Coordinated National Strategy\n    The recently released White House Cyberspace Policy Review: \nAssuring a Trusted and Resilient Information and Communications \nInfrastructure outlined key policy challenges the Nation faces as a \nresult of the dynamic cyber threat landscape.\\3\\ The White House review \nrecognized that:\n\n         The Federal Government is not organized to address this \n        growing problem effectively now or in the future. \n        Responsibilities for cyber security are distributed across a \n        wide array of federal departments and agencies, many with \n        overlapping authorities, and none with sufficient decision \n        authority to direct actions that deal with often conflicting \n        issues in a consistent way. The government needs to integrate \n        competing interests to derive a holistic vision and plan to \n        address the cyber security-related issues confronting the \n        United States. The Nation needs to develop the policies, \n        processes, people, and technology required to mitigate cyber \n        security-related risks.\n---------------------------------------------------------------------------\n    \\3\\ http://www.whitehouse.gov/assets/documents/\nCyberspace_Policy_Review_final.pdf\n---------------------------------------------------------------------------\n\n    I support the near-term action plan in the review, which includes \nactivities to appoint a lead policy official in the White House, staff \na National Security Council Directorate, and prepare an updated \nnational strategy to secure information and communications \ninfrastructure.\n    This is a significant undertaking that will require continued White \nHouse and Congressional leadership. 
National security strategies create \na framework to employ all elements of national power--economic, \ndiplomatic, law enforcement, military, and intelligence. A \ncomprehensive cyberspace security strategy must include these elements \nand articulate how they will be employed to ensure national security, \neconomic security, and public safety, and to assure delivery of \ncritical services to the American public. In the Industrial Age, power \nwas generally based on physical might; in the Information Age, power is \nderived from information, knowledge, and communications.\n\nConstructing An Information Age Security Model\n    Just as we need a new national strategy to ensure the Nation's \ncyber security, the government must also carefully determine an \neffective model for managing government-wide cyber security. In this \nregard, one can view the Federal Government as a large collection of \nbusinesses with different missions, partners, customers, data, assets, \nand risks. There are some responsibilities and practices (e.g., \ndeveloping information security plans, implementing the Federal Desktop \nCore Configuration (FDCC)) that should be done by each and every \nfederal agency. The number and diversity of component organizations, \nfunctions, and systems, however, means that a fully centralized model \nfor managing security will not work. Each agency has a unique security \nparadigm with differing threats, so each agency needs to manage its own \nrisk.\n    If some security controls should be applied uniformly across the \ngovernment, but other security controls need to be carefully tailored \nto address an agency's mission and risks, it becomes clear that the \ngovernment needs to establish a hybrid model for information security \nthat improves security across the federal enterprise and fosters \nagility to counter ever-changing threats. 
A hybrid model could create a \nholistic security framework for managing and reducing the attack \nsurface of the federal enterprise. Such a model would include:\n\n        <bullet>  A centrally managed horizontal security function to \n        provide a foundation of government-wide policy, standards, and \n        oversight; as well as\n\n        <bullet>  Vertical security functions resident in individual \n        agencies to manage their risks.\n\n    This combination of horizontal and vertical functions ensures that \nminimum security goals and standards are set, yet provides agencies the \nflexibility to manage risks appropriately for their unique operating \nenvironments.\n\nAdvancing Federal Civilian Enterprise Security\n\n    For more than 25 years, the Federal Government has been struggling \nto evolve its policy, organizational, and operational information \nsecurity management frameworks. Over two decades, legislation has been \npassed that has incrementally established and enhanced authority, \norganization, and accountability. The three most important elements of \nthe foundation include: the Paperwork Reduction Act of 1980,\\4\\ which \ncentralized government-wide responsibilities into the Office of \nManagement and Budget (OMB); the Clinger-Cohen Act,\\5\\ which \nestablished dedicated Chief Information Officers for the major \ndepartments and agencies across the government; and the Federal \nInformation Security Management Act (FISMA),\\6\\ which created the first \ncomprehensive information security framework for the Federal \nGovernment. Additionally, OMB mandated implementation of the FDCC by \nFebruary 2008. The FDCC mandate requires Federal agencies to \nstandardize desktop configurations to meet FDCC requirements and is \nintended to improve security, reduce costs, and decrease application-\ncompatibility issues. 
This was an attempt to create government-wide \npolicy and standards, but it lacked the oversight and supporting \ncapabilities to be implemented effectively.\n---------------------------------------------------------------------------\n    \\4\\ P.L. 96-511, December 11, 1980.\n    \\5\\ P.L. 104-106, February 10, 1996. The law, initially entitled \nthe Information Technology Management Reform Act (ITMRA), was \nsubsequently renamed the Clinger-Cohen Act in P.L. 104-208, September \n30, 1996.\n    \\6\\ P.L. 107-347, December 17, 2002.\n---------------------------------------------------------------------------\n    Understanding what exists and conducting periodic tests of controls \ndoes not create the strategic and operational information security \ncommensurate with the sophisticated Information Age threats that now \nconfront agencies. Congress should consider how to implement an \neffective model for managing the security of the federal enterprise, \nbuild enhanced cyber security capabilities within the government, and \nfund agencies appropriately to fulfill their vertical and, in some \ncases, horizontal responsibilities. There are two basic options I see: \ncoordinated incremental change or comprehensive reform. Incremental \nchange may be more appealing to agencies and the under-resourced \nindividuals responsible for cyber security, but slow change may be \ninadequate and ineffective to counter evolving threats. Comprehensive \nreform, however, will substantially challenge the status quo. Such \nreform would require a sustained commitment of the Executive and \nLegislative branches to construct an innovative and agile federal \nenterprise for the Information Age.\n\nDefining Clear Roles for DHS and NIST\n    The hybrid model I outlined above could be applied more effectively \nto the federal enterprise to improve security and increase agility. 
In \nthis implementation, DHS and NIST would provide the horizontal \nfunction, and individual agencies would have vertical functions:\n\n        <bullet>  Horizontal Functions:\n\n                <bullet>  Department of Homeland Security: DHS should set \n                security control policy, articulating cyber security \n                goals and outcomes. Put another way, DHS should develop \n                ``minimum baselines for security'' and work with the \n                standards community where appropriate. DHS should also \n                develop processes to exchange and foster implementation \n                of best practices that exceed minimum standards so that \n                agencies can more quickly achieve higher levels of \n                security when necessary to address their own unique \n                agency risks.\n\n                <bullet>  National Institute of Standards and Technology: NIST \n                should create government-wide standards to help \n                agencies meet the security control policy set by DHS. \n                NIST's Special Publication (SP) 800-53, Recommended \n                Security Controls for Federal Information Systems\\7\\ is \n                an example of standards created by NIST that apply \n                government-wide. 
NIST should, like DHS, also help \n                agencies exceed any government-wide minimum standards.\n\n        <bullet>  Vertical Function in Individual Agencies: Agencies \n        should continue to have responsibility for--and accountability \n        for--assessing their risks and implementing effective \n        management controls. This includes activities to configure and \n        patch systems, build effective incident response capabilities, \n        identify and detect unauthorized access, test security controls \n        regularly, audit for compliance, and implement security changes \n        based upon testing, auditing, and environment changes. \n        Agencies' risk management should be a continuous cycle of \n        related activities performed as part of a documented \n        information security program.\n---------------------------------------------------------------------------\n    \\7\\ Federal Information Processing Standards (FIPS), including \n``Standards for Security Categorization of Federal Information and \nInformation Systems'' and ``Minimum Security Requirements for Federal \nInformation and Information Systems'' also provide guidance.\n---------------------------------------------------------------------------\n\nClarifying Roles and Enhancing Capabilities for DHS and NIST\n\n    To fulfill the horizontal function described above, DHS and NIST \nneed to have clear roles and enhanced capabilities. 
I will briefly \ndescribe some of the successes of and challenges to each of these \norganizations, and then focus my remarks on how to enhance their \ncapabilities and funding so they may successfully provide the \nhorizontal security function for the federal enterprise.\n\nDHS\n    DHS is in a state of transition, with changes in vision and \nleadership underway, so an assessment of its efforts must separate the \npast from the future.\n    DHS has partnered well with industry in the IT and Communications \nSectors for infrastructure protection and that partnership is producing \nresults. The partnership has advanced both strategic risk management \nand operational information sharing. For example, industry and \ngovernment will be releasing shortly the IT Sector Risk Assessment \ncalled for in the National Infrastructure Protection Plan. The Risk \nAssessment outlines several mitigations (e.g., robust coordinated \nresponse and out-of-band data delivery) that public and private sector \nowners and operators can implement to better manage sector-wide risk. \nDHS is also improving how it facilitates distribution of actionable \ninformation (via Critical Infrastructure Information Notices and \nFederal Information Notices), which enables more timely implementation \nof security updates and helps to reduce malware infections such as the \nConficker worm. This partnership is essential because cyber security is \na shared challenge that involves government as well as the owners, \noperators, and vendors that make cyberspace possible. To date, this \npartnership does not yet fully extend into the cyber security research \nand development (R&D) portfolio managed by the DHS Science and \nTechnology Directorate. This gap must be addressed to provide greater \nawareness of and, where possible, coordination across public and \nprivate sector R&D activities.\n    But DHS has struggled without an actual strategic plan for cyber \nsecurity. 
As a result, its efforts have not always focused on the right \nareas and were not optimized for effectiveness. The lack of a cohesive \nvision was exacerbated by constant changes in leadership, lack of \npersonnel, and inadequate funding for its mission. The Comprehensive \nNational Cybersecurity Initiative (CNCI) was an important catalyst to \ndrive improvements in DHS. It outlined specific initiatives in key \nareas, provided greater funding, and enabled more rapid increases in \nstaff. The CNCI, however, still did not provide the coordinated vision \nthat is needed. Moving forward, DHS should develop a strategic vision \nand look to build on its strengths in partnership, information sharing, \nand growing security capabilities to function in the horizontal role I \noutlined above.\n\nNIST\n    NIST has also contributed significantly to advancements in cyber \nsecurity, and must continue to do so in the future. The Information \nTechnology Laboratory is an important voice in the cyber security \nconversation, and its Computer Security Division is doing valuable \nwork, such as creating NIST's cyber guidance and hosting the \nInformation Security Automation Program to automate technical security \noperations. The Computer Security Division, unfortunately, is not \nsufficiently resourced to address the growth in its responsibilities \nand workload.\n    This growth is proportionate with the continuing pace of \ntechnological innovation. For example, NIST is advancing two important \ninitiatives for newer technologies and services that will each have \nconsiderable cyber security implications: Securing the SmartGrid and \nCloud Computing. In particular, NIST's cloud computing work is focused \non the effective and secure use of cloud computing in the government \nand private sector. 
As NIST continues to explore cloud computing and \ncloud security, I would suggest it focus on three areas:\n\n        <bullet>  Utilize a risk-based information security program \n        that assesses and prioritizes security and operational threats;\n\n        <bullet>  Promote regular maintenance and update of security \n        controls that mitigate risk; and\n\n        <bullet>  Support international standards frameworks and \n        certifications that ensure controls are designed appropriately \n        and are operating effectively.\n\n    The Computer Security Division should continue to focus on \nstandards, and its resources should be increased to meet those \nexpanding responsibilities. NIST's cyber security efforts will also \ncontinue to grow and benefit from increasing the partnership with the \nprivate sector, and more specifically, the IT and Communications \nSectors. With greater resources, NIST will make a more dramatic impact \non the cyber security of the computing ecosystem.\n\nEnhanced Capabilities\n    DHS and NIST both must build on their successes, overcome \nchallenges, and expand their capabilities to support government-wide \npolicy, standards, and oversight of cyber security. I will outline five \ncore capabilities that I believe should exist as part of a government-\nwide horizontal function for the federal enterprise. These capabilities \nmust be operationalized in the agencies to meet basic security \nrequirements; however, my discussion below focuses on the government-\nwide horizontal function provided by NIST and DHS and the enhanced \nvalue created by analyzing data across the government infrastructure. 
\nNIST should provide the standards to enable these capabilities, and DHS \nshould provide the operational aspect of each.\n    The growing connectivity of systems, number of devices, and value \nof information that exists in the federal enterprise means that it is \ncritically important to improve the trustworthiness of connections and \ntransactions to reduce risk. The five capabilities outlined below will \nprovide value in the near-term, but that value will only increase as \nthe federal enterprise develops better ways to ensure that hardware, \nsoftware and data can be trusted and that those connecting to its \nnetworks are who they claim to be and can only do what they are \nauthorized to do. Improving identity and authentication of these \nelements in the federal enterprise will empower better trust decisions \nand increase accountability.\n\n         Security Monitoring: Watching the real-time health of the \n        networks involves more than traditional network monitoring. In \n        addition to security data from intrusion detection systems, the \n        government could also use information provided by IT assets, \n        such as routers, hosts, and proxy servers, to evaluate its \n        operational and security status. By taking advantage of the \n        general purpose sensors that are built into every well-managed \n        infrastructure, government can gain greater insight on the \n        real-time health of the networks and take action to mitigate \n        risks and respond to incidents.\n\n         Audit: Meaningful audit data can improve agencies' cyber \n        security posture because audit drives behavior, and it provides \n        accountability. The audit capabilities I am referring to are \n        more than comprehensive yearly reporting; they include \n        continuous audit, with spot checks and periodic evaluations, as \n        well as quarterly and annual reporting. 
Quarterly or annual \n        reporting provides a snapshot of overall security posture and \n        trends, while the spot and periodic evaluations can be used to \n        assess the adequacy of controls and compliance to defined \n        requirements.\n\n         Advanced Analytics: The large amounts of monitoring and audit \n        data must ultimately be turned into insights that can be used \n        to inform more effective cyber security responses. That \n        response may be operational as discussed below, or it may be \n        more strategic and involve changes in policies, controls, and \n        oversight. It may also be a combination of both, with \n        operational incidents informing longer-term decisions. Either \n        way, for this to happen, government must have the right data, \n        must analyze that data in the context of the federal \n        enterprise, and that data must drive action. Fusing together \n        disparate data from a variety of organizations and systems to \n        create a common operational picture is challenging; building \n        the analytic capabilities (e.g., correlation) to derive \n        valuable insights is even harder. The monitoring and audit \n        capabilities I mentioned earlier would create a baseline of \n        data about the real-time health and overall trends in security \n        across the Federal Government. DHS can combine this with threat \n        information from the Intelligence Community and advanced \n        technical analyses to create an operational awareness of the \n        attack surface of the Federal Government in ways simply not \n        possible in the private sector. This is the power of innovative \n        government analytics--insights gained from this fusion not only \n        inform horizontal response, but also transition back to the \n        vertical functions resident in the departments and agencies to \n        manage steady state risks. 
It can even aid the private sector \n        if the government is willing to share the analysis.\n\n         Agile Response: Building Information Age security in the \n        federal enterprise will make it a better partner with the \n        private sector for improving operational security. Over the \n        past 10 years, there have been several attempts to improve \n        operational coordination between and among key government and \n        private sector stakeholders, but these have met with limited \n        success. I strongly support creating a more effective model for \n        operational collaboration to move us from the less effective \n        government-led partnerships of the past to a more dynamic and \n        collaborative approach involving cyber security leaders from \n        government, industry, and academia. A collaboration framework \n        for public-private partnerships should include focused efforts \n        to:\n\n                <bullet>  Exchange threat and technical data (at the \n                unclassified level as much as possible) to enable \n                meaningful action, with rules and mechanisms that \n                permit both sides to protect sensitive data. 
This \n                approach is a shift from past practices that viewed \n                information sharing as an objective as opposed to a \n                tool;\n\n                <bullet>  Create global situational awareness to \n                understand the state of the computing ecosystem and \n                events that may affect it;\n\n                <bullet>  Analyze risks (threats, vulnerabilities, and \n                consequences) and develop mitigation strategies; and\n\n                <bullet>  When necessary and consistent with their \n                respective roles, respond to threats.\n\n         Innovative Security Controls: The technologies used in \n        enterprises today often grow faster than security organizations \n        can make sense of them. Since computing technologies will \n        continue to advance at a rapid pace, organizations creating \n        security policy, standards, and technologies must consider how \n        transformative changes in technology (e.g., wireless, RFID, \n        peer-to-peer networks) create different risks and require \n        different controls to maintain or improve security.\n\nMoving Forward\n\n    One of the greatest challenges facing government is measuring its \nprogress in improving cyber security. Are things better, worse, or the \nsame? What is ``success''? I strongly advocate for tracking progress, \nbut must also caution against thinking of cyber security in terms of \nsuccess and failure. Recognizing that cyberspace threats are not going \nto disappear and that attackers will be persistent and adaptive, it is \nnot about risk elimination but risk management. As long as threats \nevolve, so must our efforts to protect against them. The U.S. must \nbuild holistic Information Age strategies to combat these threats in a \ncoordinated manner. Reducing the attack surface of the federal \nenterprise and mitigating broad classes of threat will require \nfundamental changes. 
According to OMB, federal agencies spent \napproximately $6.2 billion (approximately 9.2 percent of the total IT \nportfolio) securing the government's total IT investment of \napproximately $68 billion for the fiscal year 2008.\\8\\ But these \nresources and the current capabilities they fund do not provide \nsufficient defense. Absent agile government-wide security policies, \nstandards, and oversight capabilities, the federal enterprise will \npresent an unacceptably easy target. There is mounting proof that we \nmust build an Information Age security model that creates a horizontal \n(cross-government) set of security requirements and builds, on top of \nthat horizontal layer, agency specific protections to ensure that the \ngovernment (generally) and each agency can fulfill its mission and \nprotect the security of its information network.\n---------------------------------------------------------------------------\n    \\8\\ Fiscal year 2008 FISMA Report to Congress.\n\n                      Biography for Scott Charney\n\n    Scott Charney serves as Corporate Vice President of Microsoft's \nTrustworthy Computing (TwC) Group within the Core Operating System \nDivision. The group's mission is to drive Trustworthy Computing \nprinciples and processes within Microsoft and throughout the IT \necosystem. This includes working with business groups throughout the \ncompany to ensure their products and services uphold Microsoft's \nsecurity and privacy policies, controls and best practices. The TwC \ngroup also collaborates with the rest of the computer industry and the \ngovernment to increase public awareness, education and other \nsafeguards.\n    In addition, Charney oversees Microsoft's efforts to address \ncritical infrastructure protection, Engineering Excellence, network \nsecurity, and industry outreach about privacy and security.\n    Charney possesses a wealth of computer privacy and security \nexperience in both the government and the private sector. 
Before \njoining Microsoft in 2002, he was a principal for the professional \nservices organization PricewaterhouseCoopers (PwC), where he led the \nfirm's Cybercrime Prevention and Response Practice. He provided \ncomputer security services to Fortune 500 companies and smaller \nenterprises. These services included designing and building computer \nsecurity systems, testing existing systems and conducting cybercrime \ninvestigations.\n    Before PwC, Charney served as Chief of the Computer Crime and \nIntellectual Property Section (CCIPS) in the Criminal Division of the \nU.S. Department of Justice. As the leading federal prosecutor for \ncomputer crimes, he helped prosecute nearly every major hacker case in \nthe United States from 1991 to 1999. He co-authored the original \nFederal Guidelines for Searching and Seizing Computers, the federal \nComputer Fraud and Abuse Act, federal computer crime sentencing \nguidelines and the Criminal Division's policy on appropriate computer \nuse and workplace monitoring. He also chaired the Group of Eight \nnations (G8) Subgroup on High-Tech Crime, served as Vice Chair and head \nof the U.S. delegation to an ad hoc group of experts on global \ncryptography policy for the Organization for Economic Cooperation and \nDevelopment (OECD). In addition, he was a member of the U.S. delegation \nto OECD's Group of Experts on Security, Privacy and Intellectual \nProperty Rights in the Global Information Infrastructure.\n    Charney also served as an assistant district attorney in Bronx \nCounty, N.Y., where he later was named Deputy Chief of the \nInvestigations Bureau. 
In addition to supervising 23 prosecutors, he \ndeveloped a computer-tracking system that was later used throughout the \ncity for tracking criminal cases.\n    Charney has received numerous professional awards, including the \nprestigious John Marshall Award for Outstanding Legal Achievement in \n1995 and the Attorney General's Award for Distinguished Service in \n1998. He was nominated to the Information System Security Association's \nHall of Fame in 2000. That same year, the Washington Chapter of the \nArmed Forces Communications and Electronics Association presented him \nwith its award for excellence in critical electronic infrastructure \nprotection. Among his other affiliations, he served on the American Bar \nAssociation Task Force on Electronic Surveillance, the American Health \nLawyers Association Task Force on Security and Electronic Signature \nRegulations, the Software Engineering Institute Advisory Board at \nCarnegie-Mellon University, and the Privacy Working Group of the \nClinton Administration's Information Infrastructure Task Force.\n    He holds a law degree with honors from Syracuse University in \nSyracuse, N.Y., and Bachelor's degrees in history and English from the \nState University of New York in Binghamton.\n\n    Chair Wu. Thank you very much, Mr. Charney. Mr. Harper, \nplease proceed.\n\n  STATEMENT OF MR. JIM HARPER, DIRECTOR OF INFORMATION POLICY \n                  STUDIES, THE CATO INSTITUTE\n\n    Mr. Harper. Thank you. Thank you very much, Chair Wu. Thank \nyou Ranking Member Smith for having me here to testify on \ncybersecurity activities at DHS and NIST today.\n    I welcome your oversight and your focus on results rather \nthan output, such as dollars spent. This is very important work \nbut not very easy.\n    As I tried to illustrate in my written submission, talking \nabout cybersecurity is like talking about securing all the \nthings we prize. 
Cybersecurity is many different problems, and \nit would be a mistake to believe that a discrete number of \nactivities or a discrete set of government policies could solve \nall of them. I am concerned in the cybersecurity area there is \na common practice of threat exaggeration and that that could \nbuffalo this Congress to adopt policies that are not balanced \nand that ultimately waste resources, frustrate innovation, and \nthreaten privacy and civil liberties.\n    Yesterday I came across an article in the Boston Review \ncalled Cyberscare on this very topic, and if it would please \nyou, I would be happy to submit it for the record.\n    I was pleased, by the way, also to see that my co-panelists \nand colleagues didn't engage in threat exaggeration here and \nspoke about cybersecurity seriously without hyping threats.\n    I would like to feature one cybersecurity policy that I \nthink has been lost in some of the cyber terrorism, cyber \nwarfare cacophony, and that is the policy of keeping critical \ninfrastructure off the public Internet. This policy is a proven \nsuccess, but some policy-makers I believe have ignored it, \nthinking that all resources should be on the public Internet or \nmanaged over the public Internet. So I encourage you and your \ncolleagues to keep in mind the policy of keeping the true \ncritical infrastructure off the 'net. That takes care of the \nlion's share of many security problems.\n    As I said, cybersecurity society-wide is many, many \ndifferent problems, and I think your goal in Congress should \nnot be to solve cybersecurity but to determine the systems, the \nsocial and legal systems, that will best discover and propagate \ngood security technology and practices. 
You might think of a \nhierarchy of legal mechanisms that Congress could consider for \nadvancing that goal starting with contracts, considering also \ntort liability and arriving last at prescriptive regulation.\n    Because the government is a large consumer of technology, \nit is well-positioned to positively affect the cybersecurity \necology, and NIST's standards are integral to that process. As \na representative and worker at the Cato Institute, I would like \nto see the Federal Government a smaller purchaser of things, \nbut while it is a large market actor, its buying decisions can \nhelp the market for secure technology products advance.\n    One way, obviously, is by setting high security standards \nin its purchasing. A second is to consider pushing technology \nproviders to accept the risk of loss when their products are \nnot sufficiently secure.\n    There is a market failure in technology when insecure \ntechnology harms networks or harms other users. I wouldn't leap \nto regulating in these cases, though, especially because none \nof us know efficiently and effectively how to solve these \nproblems. Nobody knows what a regulation would say. For getting \nbuyers and sellers of technology to internalize risks, I think \nliability should be the preferred mechanism. Liability is an \nopen-ended process of discovery. As courts discover the legal \ndoctrines that will help them prevent cyber harms, buyers and \nsellers of technology will have to discover the technologies \nand practices that prevent cyber harms.\n    Concerns for me arise when the government steps out of its \nrole as a market participant and becomes a market dominator, a \nregulator, a partner or investor with private-sector entities. \nStandards are difficult things, as you and my co-panelists know \nwell. When done right, they are extraordinarily valuable, and \nthat can't be overstated. But when done wrong, they can distort \nmarkets or threaten privacy and civil liberties. 
I briefly note \nin my written testimony a potential concern with a standard, \nFIPS 201, and one of the witnesses in your earlier hearings \nmentioned that FIPS 201, an identity standard for federal \nemployees and contractors, was becoming a national rather than \na government standard. I work extensively on national ID \nissues, and I am concerned with the idea of a single standard \nfor identification throughout the country.\n    I am suspicious of various public-private partnerships in \nthe cybersecurity area and elsewhere. They can be valuable, and \nthreat information sharing is valuable, but they can also \nsuppress competition, they can foster security monoculture, \nimmunize responsible parties from liability, and as I mentioned \nbefore, threaten privacy and civil liberties.\n    I will conclude my remarks there, and thank you again for \nhaving us here. You are looking at important issues in a \ncareful way, and I appreciate that. Thank you again.\n    [The prepared statement of Mr. Harper follows:]\n\n                    Prepared Statement of Jim Harper\n\nExecutive Summary\n\n    Cyber security is a bigger, more multi-faceted problem than the \ngovernment can solve, and it certainly cannot solve the whole range of \ncyber security problems quickly.\n    With a few exceptions, cyber security is less urgent than many \ncommentators allege. There is no argument, of course, that cyber \nsecurity is not important.\n    The policy of keeping true critical infrastructure off the public \nInternet has been lost in the ``cyber security'' cacophony. 
It is a \nsimple security practice that will take care of many threats against \ntruly essential assets.\n    The goal of policy-makers should be not to solve cyber security, \nbut to determine the systems that will best discover and propagate good \nsecurity technology and practices.\n    As a market participant, the Federal Government is well positioned \nto affect the cyber security ecology positively, with NIST standards \nintegral to that process. The Federal Government may also advance cyber \nsecurity by shifting risk to sellers of technology by contract.\n    For the market failure that is on exhibit when insecure technology \nharms networks or other users, liability is preferable to regulation \nfor discovering who should bear responsibility.\n    When the Federal Government abandons its role of market participant \nand becomes a market dominator, regulator, ``partner,'' or investor \nwith private sector entities, a number of risks arise, including \nthreats to privacy and civil liberties, weakened competition and \ninnovation, and waste of taxpayer dollars.\n\nIntroduction\n\n    Chairman Wu, Ranking Member Smith, and Members of the Subcommittee, \nthank you for inviting me to address you in this hearing on the cyber \nsecurity activities of the National Institute of Standards and \nTechnology and the Department of Homeland Security. The hearings you \nhave conducted so far are a valuable contribution to the national \ndiscussion, as I hope my participation in this hearing will be valuable \nas well.\n    My name is Jim Harper and I am Director of Information Policy \nStudies at the Cato Institute. In that role, I study and write about \nthe difficult problems of adapting law and policy to the challenges of \nthe information age. I also maintain an online federal spending \nresource called WashingtonWatch.com. 
Cato is a market liberal, or \nlibertarian, think-tank, and I pay special attention to preserving and \nrestoring our nation's founding, constitutional traditions of \nindividual liberty, limited government, free markets, peace, and the \nrule of law.\n    I serve as an advisor to the Department of Homeland Security on its \nData Integrity and Privacy Advisory Committee, and my primary focus in \ngeneral is on privacy and civil liberties. I am not a technologist or a \ncyber security expert, but a lawyer familiar with technology and \nsecurity issues. As a former committee counsel in both the House and \nSenate, I also blend an understanding of lawmaking and regulatory \nprocesses with technology and security. I hope this background and my \nperspective enhance your consideration of the many challenging issues \nfalling under the name ``cyber security.''\n    In my testimony, I will spend a good deal of time on fundamental \nproblems in cyber security and the national cyber security discussion \nso far. I will then apply this thinking to some of the policies NIST, \nDHS, and other agencies are working on.\n\nThe Use and Misuse of ``Cyberspace'' and ``Cyber Security''\n\n    One of the profound challenges you face in setting ``cyber \nsecurity'' policy is the framing of the issue. ``Cyberspace'' is \ninsecure, we all believe, and by making it integral to our lives, we \nare importing insecurity, as individuals and as a nation.\n    In some senses this is true, and ``securing cyberspace'' is a \nhelpful way of thinking about the problem. But it also promotes over-\ngeneralization, suggesting that a bounded set of behaviors called \n``cyber security'' can resolve things.\n    A new world or ``space'' is indeed coming into existence through \nthe development of communications networks, protocols, software, \nsensors, commerce, and content. In many ways, this world is distinct \nand different from the physical space that we occupy. 
In \n``cyberspace,'' we now do many of the things we used to do only in \nphysical space: we shop, debate, read the news, work, gossip, manage \nour financial affairs, and so on. Businesses and government agencies, \nof course, conduct their operations in the new ``cyberspace'' as well.\n    It is even helpful to extend this analogy and imagine \n``cyberspace'' as organized like the physical world. Think of personal \ncomputers as people's homes. Their attachments to the network analogize \nto driveways, which connect to roads and then highways. (Perhaps phones \nand hand-held devices are data-bearing cars and motorcycles.) E-mails, \nfinancial files, and pictures are the personal possessions that could \nbe stolen out of houses and private vehicles, leading to privacy loss.\n    Corporate and government networks are cyberspace's office \nbuildings. Business data, personnel files, and intellectual property \nare the goods that sometimes get left on the loading dock, personnel \nfiles and business places that are left on the desk in an executive's \noffice overnight, and so on. They can be stolen from the ``office \nbuildings'' in data breaches.\n    How do you secure these places and things from theft, both casual \nand organized? How do you prevent fires, maintain water and electric \nservice, ensure delivery of food, and prevent outbreaks of disease? How \ndo you defend against military invasion or weapons of mass destruction \nin this all-new ``space''?\n    These problems are harder to solve in some senses, and not as hard \nto solve in others. Consider, for example, that the ``houses'' and \n``office buildings'' of cyberspace can be reconstituted in minutes or \nhours if software and data have been properly backed up. Lost \npossessions can be ``regained'' just as quickly--though copies of them \nmay permanently be found elsewhere. 
``Cyberspace'' has many \nresiliencies that real space lacks.\n    On the other hand, ``diseases'' (new exploits) multiply much more \nquickly and broadly than in the real world. ``Cyber-public-health'' \nmeasures like mandated vaccinations (the required use of security \nprotocols) are important, though they may be unreliable. On a global \npublic medium like the Internet, they would have to be mandated by an \nauthority or authorities with global jurisdiction and authority over \nevery computing device, which is unlikely and probably undesirable.\n    The analogy between cyberspace and real space shows that ``cyber \nsecurity'' is not a small universe of problems, but thousands of \ndifferent problems that will be handled in thousands of different ways \nby millions of people over the coming decades. Securing cyberspace \nmeans tackling thousands of technology problems, business problems, \neconomics problems, and law enforcement problems.\n    In my opinion, if it takes decades to come up with solutions, that \nis fine. The security of things in ``real'' space has developed in an \niterative process over hundreds and, in some cases, thousands of years. \nEven ``simple'' security devices like doors, locks, and windows involve \nfascinating and intricate security, utility, and convenience trade-offs \nthat are hard even for experts to summarize.\n    Many would argue, of course, that we do not have decades to figure \nout cyber security. But I believe that, with few exceptions, most of \nthese assertions are mistaken. Your ability to craft sound cyber \nsecurity policies for the government is threatened by the \nbreathlessness of public discussion that is common in this field.\n\nCalm Down, Slow Down\n\n    Overuse of urgent rhetoric is a challenge to setting balanced cyber \nsecurity policy. 
Threat exaggeration has become boilerplate in the \ncyber security area, it seems, and while cyber security is important, \noverstatement of the problems will promote imbalanced responses that \nare likely to sacrifice our wealth, progress, and privacy.\n    For example, comparisons between ``cyberattack'' and conventional \nmilitary attack are overwrought. As one example (which I select only \nbecause it is timely), the Center for a New American Security is \nhosting a cyber security event this week, and the language of the \ninvitation says: ``[A] cyberattack on the United States' \ntelecommunications, electrical grid, or banking system could pose as \nserious a threat to U.S. security as an attack carried out by \nconventional forces.'' \\1\\\n---------------------------------------------------------------------------\n    \\1\\ Center for a New American Security, ``Developing a National \nCybersecurity Strategy'' web page (visited June 23, 2009) http://\nwww.cnas.org/node/2818\n---------------------------------------------------------------------------\n    As a statement of theoretical extremes, it is true: The \ninconvenience and modest harms posed by a successful crack of our \ncommunications or data infrastructure could be more serious than an \ninvasion by an ill-equipped, small army. But as a serious assertion \nabout real threats, an attack by conventional forces (however unlikely) \nwould be entirely more serious than any realistic cyberattack. 
We would \nstand to lose national territory, which cannot be reconstituted by \nrebooting, repairing software, and reloading backed-up files.\n    The Center for Strategic and International Studies' influential \nreport, Securing Cyberspace for the 44th Presidency, said similarly \nthat cyber security ``is a strategic issue on par with weapons of mass \ndestruction and global jihad.'' \\2\\ Many weapons of mass destruction \nare less destructive than people assume, and the threat of global jihad \nappears to be waning, but threats to our communications networks, \ncomputing facilities, and data stores pale in comparison to true WMD \nlike nuclear weapons. Controlling the risk of nuclear attack remains \nwell above cyber security in any sound ranking of strategic national \npriorities.\n---------------------------------------------------------------------------\n    \\2\\ CSIS Commission on Cybersecurity for the 44th Presidency, \n``Securing Cyberspace for the 44th Presidency,'' p. 15 (2008) http://\nwww.csis.org/media/csis/pubs/081208_securing \ncyberspace_44.pdf [hereinafter ``CSIS Report''].\n---------------------------------------------------------------------------\n    It is a common form of threat exaggeration to cite the raw number \nof attacks on sensitive networks, like the Department of Defense's. It \nsuffers hundreds of millions of attacks per year. But happily most of \nthese ``attacks'' are repetitious use of the same attack. They are \nmounted by ``script kiddies''--unsophisticated know-nothings who get \ncopies of others' attacks and run them on the chance that they will \nfind an open door.\n    The defense against this is to continually foreclose attacks and \ngenres of attack as they develop, the way the human body develops \nantibodies to germs and viruses. 
Securing against these attacks is \nimportant work, and it is not always easy, but it is an ongoing, stable \npractice in network management and a field of ongoing study in computer \nscience. The attacks may continue to come in the millions, but this is \nless concerning when immunities and fail-safes are in place and \ncontinuously being updated.\n    In his generally balanced speech on cyber security, President Obama \ncited a threat he termed ``weapons of mass disruption.'' \\3\\ Again, \nanalogy to the devastation that might be done by nuclear weapons is \nmisleading. Inconvenience and disruption are bad things, they can be \ncostly, and in the extreme case deadly--again, cyber security is \nimportant--but securing against the use of real weapons on the U.S. and \nits people is a more important government role.\n---------------------------------------------------------------------------\n    \\3\\ ``Remarks by the President on Securing Our Nation's Cyber \nInfrastructure,'' (May 29, 2009) http://www.whitehouse.gov/\nthe_press_office/Remarks-by-the-President-on-\nSecuring-Our-Nations-Cyber-Infrastructure/.\n---------------------------------------------------------------------------\n    In a similar vein, a commentator on the National Journal's national \nsecurity experts blog recently said, ``Cyberterrorism is here to stay \nand will grow bigger.'' \\4\\ Cyberterrorism is not here, and thus it is \nnot in a position to stay.\n---------------------------------------------------------------------------\n    \\4\\ http://security.nationaljournal.com/2009/06/how-can-cyberspace-\nbe-protecte.php\n---------------------------------------------------------------------------\n    Provocative statements of this type lack a key piece of foundation: \nThey do not rest on a sound strategic model whereby opponents of the \nUnited States and U.S. power would use the capabilities they actually \nhave to gain strategic advantage.\n    Take cyberterrorism. 
With communications networks, computing \ninfrastructure, and data stores under regular attack from a variety of \nquarters--and regularly strengthening to meet them--it is highly \nunlikely that terrorists can pull off a cyber security event disruptive \nenough to instill widespread fear of further disruption. Fear is a \nnecessary element for terrorism to work its will, of course. The \nimpotence of computer problems to instill fear renders \n``cyberterrorism'' an unlikely threat. This is not to deny the \nimportance of preventing the failure of infrastructure, of course.\n    Cyberattacks by foreign powers have a similarly implausible \nstrategic logic. The advantage gained by a disabling attack on private \nand civilian government infrastructure would be largely economic, with \nperhaps some psychological effects. Such attacks would not plausibly \n``soften up'' the United States for invasion. But committing such \nattacks would risk harsh responses if the perpetrators were found, and \nconventional intelligence methods are undoubtedly keenly tuned to doing \nso. Ultimately, a foreign government's cyberattack on the United States \nwould have to be a death-blow, as it would risk eliciting ruinous \nresponses. This makes it very unlikely that a cyberattack on civilian \ninfrastructure would be a tool of true war.\n    Attacking military communications infrastructure and data does have \na rational strategic logic, of course. And the testimony your committee \nreceived from Dr. 
Leheny of the Defense Advanced Research Projects \nAgency at your June 16 hearing illustrates some of what the Defense \nDepartment is doing to anticipate and prevent attacks on this true \ncritical infrastructure.\n    The more plausible strategic use of attacks on communications and \ndata infrastructure is not ``cyberterrorism'' or ``cyberattack,'' but \nwhat might be called ``cybersapping'': Infiltrating networks to gain \nbusiness intelligence, intellectual property, money, personal and \nfinancial data, and perhaps strategic government information. These \ninfiltrations can slowly degrade the advantages that the U.S. economy \nand government have over others. They are important to address \ndiligently and promptly. But they are not a reason to panic and \noverreact.\n    A final example of cyber security boilerplate that deserves mention \nis the alleged weakness of military information systems. The story that \nconfidential files about the Joint Strike Fighter were compromised \nearlier this year has become a standard dire warning about our national \nvulnerability. But many are conveniently forgetting the other half of \nthe story, even though it is available right there in some of the \nearliest reporting. According to a contemporaneous story on CNN.com:\n\n         [O]fficials insisted that none of the information accessed was \n        highly sensitive data. The plane uses stealth and other highly \n        sensitive electronic equipment, but it does not appear that \n        information on those systems was compromised, because it is \n        stored on computers that are not connected to the Internet, \n        according to the defense officials.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ Mike Mount, ``Hackers Stole Data on Pentagon's Newest Fighter \nJet,'' CNN.com (Apr. 
21, 2009) http://www.cnn.com/2009/US/04/21/\npentagon.hacked/index.html\n\n    The compromise of some data about the Joint Strike Fighter is \nregrettable, but this is also a story of cyber security success. The \nkey security policy of keeping the most sensitive data away from the \npublic Internet successfully protected that data. The Department of \nDefense deserves credit for instituting and maintaining that policy.\n    Cyber security is important, but exaggerating threats and failures \nas a matter of routine will lead to poor policy-making. Do not let the \nurgency of many statements about cyber security ``buffalo'' you into \nprecipitous, careless, and intrusive policies.\n    Exhortations about some cyber security policies seem to be pushing \nothers off the table, like the policy so successful at protecting the \nmost important information about the Joint Strike Fighter. The simple, \nelegant policy of keeping truly critical infrastructure off the public \nInternet is not receiving enough discussion.\n\nCritical Infrastructure: Off the Internet\n\n    At the confirmation hearing of Commerce Secretary Gary Locke \nearlier this year, Senator Jay Rockefeller stated his view of the cyber \nsecurity problem in no uncertain terms. Of cyberattack, he said:\n\n         It's an act which can shut this country down--shut down its \n        electricity system, its banking system, shut down really \n        anything we have to offer. It is an awesome problem . . .. It \n        is a fearsome, awesome problem.\\6\\\n---------------------------------------------------------------------------\n    \\6\\ See ``Jay Rockefeller: Internet Should Have Never Existed,'' \nYouTube (posted Mar. 20, 2009) http://www.youtube.com/\nwatch?v=Ct9xzXUQLuY\n\n    What is fearsome is the embedded premise that everything important \nto our country would be put on the Internet rather than controlled over \nseparate, dedicated networks. 
This is not true, as the \nJoint Strike Fighter example illustrates. And it turns out that many \nimportant functions in government and society are indeed handled by \ndedicated communications networks.\n    Cato Institute adjunct fellow Timothy B. Lee, a Ph.D. student in \ncomputer science at Princeton University and an affiliate of the Center \nfor Information Technology Policy, commented on the Estonian \ncyberattacks last year:\n\n         [S]ome mission-critical activities, including voting and \n        banking, are carried out via the Internet in some places. But \n        to the extent that that's true, the lesson of the Estonian \n        attacks isn't that the Internet is ``critical infrastructure'' \n        on par with electricity and water, but that it's stupid to \n        build ``critical infrastructure'' on top of the public \n        Internet. There's a reason that banks maintain dedicated \n        infrastructure for financial transactions, that the power grid \n        has a dedicated communications infrastructure, and that \n        computer security experts are all but unanimous that Internet \n        voting is a bad idea.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ Tim Lee, ``The Internet Isn't `Critical Infrastructure,' '' \nTechDirt (May 27, 2008) http://www.techdirt.com/articles/20080522/\n1905471205.shtml\n\n    Tim has also noted that the Estonia attacks did not reach \nparliament, ministries, banks, and media--just their web sites. Access \nto some businesses and government agencies went down, but their core \nfunctions were not compromised.\n    Yet this policy--of keeping critical functions away from the \nInternet--has received almost no discussion in the recent major reports \non cyber security. The White House's Cyberspace Policy Review did not \nhighlight this approach,\\8\\ and the President's speech presenting the \nreview did not either. 
The CSIS report also did not emphasize this \nsimple, straightforward method for securing truly critical functions.\n---------------------------------------------------------------------------\n    \\8\\ ``Cyberspace Policy Review: Assuring a Trusted and Resilient \nInformation and Communications Infrastructure,'' The White House \n(undated) http://www.whitehouse.gov/assets/documents/\nCyberspace<INF>-</INF>Policy<INF>-</INF>Review<INF>-</INF>final.pdf; \n``Remarks by the President on Securing Our Nation's Cyber \nInfrastructure,'' (May 29, 2009) http://www.whitehouse.gov/\nthe<INF>-</INF>press<INF>-</INF>office/Remarks-by-the-President-on-\nSecuring-Our-Nations-Cyber-Infrastructure/\n---------------------------------------------------------------------------\n    Where security is truly at a premium, the lion's share of securing \ninfrastructure against cyberattack can be achieved by the simple policy \nof fully decoupling it from the Internet.\n    ``Criticality'' has become a popular line to draw in discussions of \ncyber security, of course, and the meaning of the term is in no way \nsettled. A 2003 Congressional Research Service report explored the \ndimensions of the concept at the time.\\9\\ My study of ``criticality'' \nis cursory, but the CSIS report's suggestion is sensible, if loosely \ndrawn:\n---------------------------------------------------------------------------\n    \\9\\ John Moteff et al., Resources, Science, and Industry Division, \nCongressional Research Service, ``Critical Infrastructures: What Makes \nan Infrastructure Critical?'' CRS Order Code RL31556 (updated Jan. 29, \n2003) http://www.fas.org/irp/crs/RL31556.pdf\n\n         [C]ritical means that, if the function or service is \n        disrupted, there is immediate and serious damage to key \n        national functions such as U.S. military capabilities or \n        economic performance. 
It does not mean slow erosion or annoying \n        disruptions.\\10\\\n---------------------------------------------------------------------------\n    \\10\\ CSIS Report, p. 44.\n\n    In my mind, criticality should probably turn on whether compromise \nof the resource would immediately and proximately endanger life and \nhealth. Immediacy is an important limitation because resources that can \nbe promptly repaired to prevent harm should be made resilient that way \nrather than treated as critical infrastructure.\n    Proximity to harm is also important to prevent ``criticality'' \ngrade-inflation. The loss of electric power for even an hour will kill \npeople on respirators in hospitals, for example, but the proximate \nsolution to such foreseeable risks is to have backup power systems at \nhospitals--not to make the entire electricity grid critical \ninfrastructure on that basis.\n    If it is to be a focal point for cyber security policies, the \nnotion of ``critical infrastructure'' must be sharply circumscribed. \nGiven the special treatment accorded critical infrastructure by \ngovernment, private entities will all clamor for that status, and the \ngovernment will be stuck protecting thousands of things that are kind \nof important, rather than the networks and data that are immediately \nneeded for protecting life and health.\n    Keeping the small universe of truly critical infrastructure \nentirely separate from the public Internet, and encouraging private \noperators of critical infrastructure to do so, is a policy that has not \nreceived enough discussion so far. It deserves a great deal more.\n    But this is one among dozens of policy choices to deal with \nthousands of problems. The many complex challenges lumped together as \n``cyber security'' cannot be solved by any one expert, group of \nexperts, legislature, regulatory body, or commission. 
It has too many \nmoving parts.\n    Rather than trying to address cyber security in toto, I recommend \naddressing the problem at a level once-removed: By asking what systems \nwe should use to address cyber security. There are a variety of social \nmechanisms, each with merits and demerits.\n\nCyber Security Through Contract\n\n    In my testimony so far, I have argued against over-generalization \nand over-heated rhetoric around cyber security. Cyber security is many \ndifferent problems, only some of which are urgent.\n    None of this is to deny that cyber security is a serious and \nimportant challenge. I applaud the work of the Defense Department to \nsecure its critical information, and find very interesting DARPA's \ninnovative work to develop networks over which our military branches \ncan conduct their very important functions. These are two examples \namong many government-wide efforts to secure true critical \ninfrastructure.\n    But what about the rest of the country's communications and data \ninfrastructure? 
Is the entire Nation's cyberstuff a ``strategic \nnational asset,'' as the President suggested in his speech on cyber \nsecurity?\\11\\ Should it all come under a military or quasi-military \ncommand-and-control operation?\n---------------------------------------------------------------------------\n    \\11\\ ``Remarks by the President on Securing Our Nation's Cyber \nInfrastructure,'' (May 29, 2009) http://www.whitehouse.gov/\nthe<INF>-</INF>press<INF>-</INF>office/Remarks-by-the-President-on-\nSecuring-Our-Nations-Cyber-Infrastructure/\n---------------------------------------------------------------------------\n    The CSIS study called for a ``comprehensive national security \nstrategy for cyberspace'' and stated accordingly and unflinchingly that \nthe government should ``regulate cyberspace.'' \\12\\ The report also \nlaid our cyber security woes at the feet of the market: ``We have \ndeferred to market forces in the hope that they would produce enough \nsecurity to mitigate national security threats. It is not surprising \nthat . . . industrial organization and over-reliance on the market has \nnot produced success.'' \\13\\\n---------------------------------------------------------------------------\n    \\12\\ CSIS Report, pp. 1-2.\n    \\13\\ CSIS Report, p. 12.\n---------------------------------------------------------------------------\n    Competition and markets should not be passed over in favor of \nregulation. Indeed, the argument for regulation begs the central \nquestion: What do we want from our technical infrastructures so that we \nhave appropriate security? What would a cyber security regulation say? \nNobody yet knows.\n    To illustrate, FISMA, the Federal Information Security Management \nAct, has not taken care of cyber security for the Federal Government. 
\nFederal chief information security officers and others rightly \ncriticize the government's self-regulation for its focus on compliance \nreporting and paperwork at the expense of addressing known \nproblems.\\14\\\n---------------------------------------------------------------------------\n    \\14\\ See, e.g., Government Futures, ``The 2009 State of \nCybersecurity from the Federal CISO's Perspective--An (ISC)2 Report'' \n(April 2009) http://media.haymarketmedia.com/Documents/7/\nFederalCISOSurveyReport--1638.pdf.\n---------------------------------------------------------------------------\n    If the Federal Government knew how to do cyber security well, FISMA \nwould be a to-do list that more or less secured the federal enterprise. \nWe would not have the cyber security problem all agree we have. But the \npractices that lead to successful cyber security have not yet been \ndiscovered. Regulations to implement these undiscovered practices would \nnot help.\n    Success in cyber security is not easy to define. Professor Ed \nFelten from Princeton University's Center for Information Technology \nPolicy points out that the ideal is not perfect security, but optimal \nsecurity--the efficient point where investments in security avoid equal \nor greater losses.\\15\\ Communications and computing devices are meant \nto process, display, and transmit information that they often acquire \nfrom other resources. To make them useful, we must embrace the risk of \nopening them up to other computers, software, and data. Some level of \ninsecurity is what makes the Internet, computing, and ``cyberspace'' so \nuseful and valuable.\n---------------------------------------------------------------------------\n    \\15\\ Nestor Abreu, ``Conversation: Debugging our Cyber-Security \nPolicy'' (podcast at minute 12:00) (Feb. 
27, 2009) http://\ncitp.princeton.edu/blog/2009/02/27/conversation-debugging-our-cyber-\nsecurity-policy/\n---------------------------------------------------------------------------\n    Again, the question is what processes we can use to discover \noptimal or near-optimal cyber security products and behaviors, then \npropagate them throughout the society.\n    Criticisms of the market are not misplaced, though they may be mis-\nfocused. The market for communications and computing technologies is \nvery immature. Many products are rushed to market without adequate \nsecurity testing. Many are delivered with insecure settings enabled by \ndefault. My impression also is that most are sold without any warranty \nof fitness for the purposes users will put them to, leaving all risk of \nfailure with buyers who are poorly positioned to make sound security \njudgments. There are several ways to address these problems.\n    As this committee is aware, the Federal Government is one of the \nlargest purchasers--if not the largest purchaser--of information \ntechnology in the world. This is not the preferred state of affairs \nfrom my perspective, but there is no reason to deny that its purchasing \ndecisions can affect the improvement of products available on the \nmarket.\n    Thanks to entities like the National Institute of Standards and \nTechnology, the Federal Government is also one of the most \nsophisticated purchasers of technology. As other witnesses and \nadvocates have articulated better than I can, the government can drive \nmaturation in the market for technology products by setting standards \nand defaults for the products and services it buys.\n    The Federal Government can also insist on shifting the risk of loss \nfrom the buyer to the seller. 
Contracts with technology sellers can \ninclude guarantees that their products are fit for the purposes to \nwhich they will be put--including, of course, secure operation.\n    Federal buyers should expect to pay more if they demand fitness and \nsecurity guarantees, of course, but more secure products have more \nvalue. Sellers will have to do more thorough development and more \nrigorous security testing. Because they currently bear little or no \nrisk of loss, technology sellers will probably howl at the prospect of \nbearing risk, but ready to step in will be technology sellers willing \nto produce better, more secure, and more reliable products for the \npremium that gets them.\n    As a large market participant, the Federal Government can have a \ngood influence on the security ecology without resorting to intrusive \nregulation. Whether it creates a ``gold standard'' for security in \ntechnologies purchased in the private sector, or whether it moves the \nmarket toward contract-based liability for technology sellers, the \nFederal Government can help the technology market mature.\n\nCyber Security Through Tort Liability\n\n    There is more to criticism of the market for cyber security than \n``lack of maturity,'' however. There is also an arguable market failure \nin the area of technology products and services, caused by a lack of \nmaturity in the law. I was pleased that the executive summary of the \nWhite House Cyberspace Policy Review cited a short paper I wrote \narguing that updated tort law would be superior to regulation for \ncuring the market.\\16\\\n---------------------------------------------------------------------------\n    \\16\\ Much of Jim Harper, ``Government-Run Cyber Security? 
No, \nThanks,'' Cato Institute TechKnowledge #123 (March 13, 2009) http://\nwww.cato.org/tech/tk/090313-tk.html, is incorporated into this \ntestimony.\n---------------------------------------------------------------------------\n    A market failure exists when the market price of a good does not \ninclude the costs or benefits of externalities (harmful or beneficial \nside effects that occur in the production, distribution, or consumption \nof a good). Producers or consumers may have little incentive to alter \nactivities that contribute to air pollution, for example, when the \ncosts of pollution do not affect their costs. Likewise, users of \ncomputers that are insecure may harm the network or other users, such \nas when malware infects a computer and uses it to launch spam or \ndistributed denial-of-service attacks.\n    When there are no contractual relations between the parties, getting \nnetwork operators, data owners, and computer users to internalize risks \ncan be done one of two ways: Regulation--you mandate certain \nbehaviors--or liability--you make them pay for harms they cause others. \nRegulation and liability each have strengths and weaknesses, but I \nbelieve a liability regime is ultimately superior.\n    One of the main problems with regulation--especially in a dynamic \nfield like technology--is that it requires a small number of people to \nfigure out how things are going to work for an unknown and indefinite \nfuture. Those kinds of smarts do not exist.\n    So regulators often punt: When the Financial Services Modernization \nAct tasked the Federal Trade Commission with figuring out how to secure \nfinancial information, it did not do that. Instead, the ``Safeguards \nRule'' \\17\\ (similarly to FISMA) simply requires financial institutions \nto have a security plan. 
If something goes wrong, the FTC will go back \nin and either find the plan lacking or find that it was violated.\n---------------------------------------------------------------------------\n    \\17\\ See Federal Trade Commission, ``Protecting Customers' Personal \nInformation: The Safeguards Rule'' web page (visited June 23, 2009) \nhttp://www.ftc.gov/bcp/edu/microsites/idtheft/business/safeguards.html\n---------------------------------------------------------------------------\n    Another weakness of regulation is that it tends to be too broad. In \nan area where risks exist, regulation will ban entire swaths of \nbehavior rather than selecting among the good and bad. In 1998, for \nexample, Congress passed the Children's Online Privacy Protection Act, \nand the FTC set up an impossible-to-navigate regime for parental \napproval of the web sites their children could use.\\18\\ Today, no child \nhas been harmed by a site that complies with COPPA because they are so \nrare. The market for serving children entertaining and educational \ncontent is a shadow of what it could be.\n---------------------------------------------------------------------------\n    \\18\\ See Federal Trade Commission, ``You, Your Privacy Policy, and \nCOPPA: How to Comply with the Children's Online Privacy Protection \nAct'' web page (visited June 23, 2009) http://www.ftc.gov/bcp/edu/pubs/\nbusiness/idtheft/bus51.pdf\n---------------------------------------------------------------------------\n    Regulators and regulatory agencies are also subject to ``capture.'' \nIndustries have historically co-opted the agencies intended to control \nthem and turned those agencies toward insulating incumbents from \ncompetition.\\19\\\n---------------------------------------------------------------------------\n    \\19\\ See Timothy B. Lee, ``The Durable Internet: Preserving Network \nNeutrality without Regulation,'' Cato Policy Analysis #626 (Nov. 
12, \n2008) http://www.cato.org/\npub<INF>-</INF>display.php?pub<INF>-</INF>id=9775\n---------------------------------------------------------------------------\n    And regulation often displaces individual justice. The Fair Credit \nReporting Act preempted state law causes of action against credit \nbureaus that, thus, cannot be held liable for defamation when their \nreports wrongfully cause someone to be denied credit. ``Privacy'' \nregulations under the Health Insurance Portability and Accountability \nAct gave enforcement powers to an obscure office in the Department of \nHealth and Human Services. While a compliance kabuki dance goes on \noverhead, people who have suffered privacy violations are diverted to \nseeking redress by the grace of a federal agency.\n    Tort liability is based on the idea that someone who does harm, or \nallows harm to occur, should be responsible to the injured party. The \nrole of law and government is to prevent individuals from harming one \nanother. When a person drives a car, builds a building, runs a hotel, \nor installs a light switch, he or she owes it to anyone who might be \ninjured to keep them safe. A rule of this type could apply to owners \nand operators of networks and databases, and possibly even to software \nwriters and computer owners.\n    A liability regime is better at discovering and solving problems \nthan regulation. Owners faced with paying for harms they cause will use \nthe latest knowledge and their intimacy with their businesses to \nprotect the public. Like regulation, a liability regime will not catch \na new threat the first time it appears, but as soon as a threat is \nknown, all actors must improve their practices to meet it. Unlike \nregulations, which can take decades to update, liability updates \nautomatically.\n    Liability also leaves more room for innovation. Anything that \ncauses harm is forbidden, but anything that does not cause harm is \nallowed. 
Entrepreneurs who are free to experiment will discover \nconsumer-beneficial products and services that improve health, welfare, \nlife, and longevity.\n    Liability rules are not always crystal clear, of course, but when \ncases of harm are alleged in tort law, the parties meet in a courtroom \nbefore a judge, and the judge neutrally adjudicates what harm was done \nand who is responsible. When an agency enforces its own regulation, it \nis not neutral: Agencies work to ``send messages,'' to protect their \npowers and budgets, and to foster future careers for their staffs.\n    Especially in the high-tech world of today, it is hard to prove \ncausation. The forensic skill to determine who was responsible for an \ninformation-age harm is still too rare. But regulation is equally \nsubject to evasion. And liability acts not through lawsuits won, but by \ncreating a protective incentive structure.\n    One risk unique to liability is that advocates will push to do more \nwith it than compensate actual harms. Some would treat the creation of \nrisk as a ``harm,'' arguing, for example, that companies should pay \nsomeone or do something about potential identity fraud just because a \ndata breach created the risk of it. They often should, but blanket \nregulations like that actually promote too much information security, \nlowering consumer welfare as people are protected against things that \ndo not actually harm them.\n    It is also true that the tort liability system has been abused in \nsome cases. Plaintiffs' bars have sought to turn litigation into \nanother regulatory mechanism--or a cash cow. State common law reforms \nto meet these challenges are in order; dismissing the common law out of \nhand is not.\n    There are dozens of complexities to how the tort law would operate \nin the cyber security area, of course. The common law is a system of \ndiscovery that crafts doctrines to meet emerging challenges. 
I cannot \npredict each challenge common law courts would encounter and how they \nwould address them, but the growth of common law doctrines to prevent \nharm is an important alternative to the heavy hand of regulation.\n    As complex and changing as cyber security is, the Federal \nGovernment has no capability to institute a protective program for the \nentire country. While it secures its own networks, the Federal \nGovernment should observe the growth of state common law duties that \nrequire network operators, data owners, and computer users to secure \ntheir own infrastructure and assets. (They in turn will divide up \nresponsibility efficiently by contract.) This is the best route to \ndiscovering and patching security flaws in all the implements of our \ninformation economy and society.\n    Between the two, contract and tort liability can provide a seamless \nweb of cyber security incentives, spreading risks to the parties most \ncapable of controlling them and bearing their costs. Regulation pushes \nresponsibility to protect where it is politically palatable, not where \nit is economically most efficient or best done. Regulation often \nshields the private sector from liability, foisting risk onto the \npublic--one of the concerns I will turn to next.\n\nStandards, Public-Private Partnerships, and the Risks Thereof\n\n    As a market participant, the Federal Government can play an \nimportant role in promoting secure products and practices. When it \nleaves the role of market participant and becomes a market dominator, a \nregulator, a ``partner,'' or investor with private sector entities, a \nnumber of risks arise, including threats to privacy and civil \nliberties, weakened competition and innovation, and waste of taxpayer \ndollars. 
I will address selected examples of NIST and DHS activity in \nthat light.\n    As a standard-setting organization for the Federal Government, NIST \nis a valuable resource--not just for the government but for the \ncybersecurity ecology. But standards are tricky business. What may be \nappropriate in one context may not be in another.\n    An area of keen interest to me as an advocate for privacy and civil \nliberties is the avoidance of a national ID system in the United \nStates. My book, Identity Crisis: How Identification is Overused and \nMisunderstood, sought to reveal the demerits in having a U.S. national \nID. The REAL ID Act of 2005, which attempted to create a national ID \nsystem in the United States, has foundered for a variety of reasons. \nUnfortunately, a bill recently introduced in the Senate would seek to \nrevive this national ID program.\\20\\\n---------------------------------------------------------------------------\n    \\20\\ S. 1261, The PASS ID Act (111th Cong., 1st Sess.) http://\nwww.washingtonwatch.com/bills/show/\n111<INF>-</INF>SN<INF>-</INF>1261.html\n---------------------------------------------------------------------------\n    Accurate identification or ``identity security'' is important in \nsome contexts, but less so in others. Anonymity and obscurity are \nimportant protections for Americans' privacy and freedom to speak and \nact as they wish. Ultimately, I believe a diverse and competitive \nidentity and credentialing system will deliver all the benefits that \ndigital identity systems can provide, without the surveillance.\n    So I was concerned to see one bullet point in the testimony of Cita \nFurlani from NIST at your recent joint hearing. 
She characterized \nNIST's identity and credentialing management standard for federal \nemployees and contractors (FIPS 201) as ``becoming the de facto \nnational standard.'' \\21\\\n---------------------------------------------------------------------------\n    \\21\\ Testimony of Ms. Cita Furlani, Director, Information \nTechnology Laboratory, National Institute of Standards and Technology \n(NIST), to a hearing entitled ``Agency Response to Cyberspace Policy \nReview,'' Subcommittee on Technology & Innovation, Committee on Science \nand Technology, United States House of Representatives, p. 4 (June 16, \n2009) http://democrats.science.house.gov/Media/file/Commdocs/hearings/\n2009/Tech/16jun/Furlani<INF>-</INF>Testimony.pdf\n---------------------------------------------------------------------------\n    It is unclear exactly what this means, of course, and I do not view \nFIPS 201 as the foremost threatened national ID standard at this time. \nBut the needs in identity and credentialing outside the Federal \nGovernment are quite different from those within the government. The \nsame market dominance that makes the Federal Government such a \npotential boon to cyber security could make it an equal bane to privacy \nand civil liberties should FIPS 201 be adopted widely by State \ngovernments for their employees, by states for their drivers' licenses \nand IDs, and in private-sector employment and access control. The same \nis probably true of other standards in other ways.\n    Cyber security standard-setting for Federal Government purchasing \nand use should present few problems. It can often be beneficial when it \ndrives forward the cyber security marketplace. 
But pressing standards \nonto the private sector where they are not a good fit--in delicate \nareas such as personal information handling--creates concerns.\n    Professor Schneider from Cornell said it well in your first hearing \nof this series:\n\n         [T]he Internet is as much a social construct as a \n        technological one, and we need to understand what effects \n        proposed technological changes could have; forgoing social \n        values like anonymity and privacy (in some sense, analogous to \n        freedom of speech and assembly) in order to make the Internet \n        more trustworthy might significantly limit the Internet's \n        utility to some, and thus not be seen as progress.\\22\\\n---------------------------------------------------------------------------\n    \\22\\ Testimony of Dr. Fred B. Schneider, Samuel B. Eckert Professor \nof Computer Science, Cornell University, to a hearing entitled ``Cyber \nSecurity R&D,'' Subcommittee on Technology & Innovation, Committee on \nScience and Technology, United States House of Representatives, p. 4 \n(June 10, 2009) http://democrats.science.house.gov/Media/file/Commdocs/\nhearings/2009/Research/10jun/Scheider_Testimony.pdf\n---------------------------------------------------------------------------\n\n    A different array of concerns arises from nominal ``public-private \npartnerships.'' The concept is much ballyhooed among governments and \ncorporations because it suggests happiness and cooperation. But I am \nnot enthusiastic about a joining of hands between the government and \nthe corporate sector.\n    Public-private partnerships take many forms, of course. The least \nobjectionable are information-sharing arrangements like the Department \nof Homeland Security's US-CERT, or United States Computer Emergency \nReadiness Team. But consumers, the society, and our economy do not get \nthe best from corporations when they cooperate, much less when they \ncooperate with government. 
Markets squeeze the most out of the business \nsector when competitors are nakedly pitted against each other and \nforced to compete on every dimension of their products and services, \nincluding cyber security.\n    Programs like US-CERT run the risk of diminishing competition and \ninnovation in cyber security. Vulnerability warning is not a public \ngood; it can be provided privately by companies competing against each \nother to do the best job for their clients. ``Free'' taxpayer-funded \nvulnerability warning will tend to squeeze private providers out of the \nmarket.\n    This risks lowering overall consumer welfare, especially if it \nleads to cyber security monoculture. ``Monoculture'' is the idea that \nuniformity among security systems is a weakness. In a security \nmonoculture, one flaw could be exploited in many domains at once, \nbringing them all down and creating problems that would not have \nmaterialized in a diverse security environment.\n    With US-CERT this is only a risk. Public-private partnerships of \nother stripes raise more powerful concerns.\n    Earlier in my testimony, I wrote about how liability can promote \ncyber security. It is equally the case that the absence of liability \ncan degrade security. If public-private partnerships confuse lines of \nresponsibility for security, the results can be very bad indeed.\n    Consider how responsibility for passenger air transportation was \nmixed before the 9/11 attacks. Airlines nominally provided security, \nbut they had to obey the dictates of the Federal Aviation \nAdministration. 
Were something bad to happen, both entities were in a \nposition to deny responsibility.\n    Flying a plane into a building had been written about in a 1994 \nnovel--and kamikaze attacks were, of course, a tactic of the Japanese \nin World War II--but on 9/11 hijacking protocols had not been seriously \nrevamped since the 1970s, when absconding to Cuba was the chief goal of \nmost airline takeovers.\n    After 9/11, neither airlines nor the Federal Aviation \nAdministration shouldered responsibility. The airlines moved swiftly to \ncapitalize on emotion and patriotism, getting Congress to shield them \nfrom liability, give them an infusion of taxpayer dollars, and take \nover their security obligations. This ``public-private partnership'' in \nsecurity was a disaster from start to finish, and remains so. The party \nultimately bearing the loss--and still at risk today--was the American \ntaxpayer and traveler.\n    This illustration is not to suggest that cyber security failures \nthreaten attacks equivalent to 9/11. It is simply to suggest that the \nbetter role of the government is to stand apart from industry and to \narbitrate liability when a company has failed to meet its contractual \nor tort-based obligations.\n    Public-private partnerships may also be conduits for transferring \ntaxpayer funds to corporations, or to universities who do research for \ncorporations. While reviewing the testimonies presented to you in \nearlier hearings, I was impressed by the nearly uniform requests for \ntaxpayer money.\n    Much of the money requested would go to research that industry \nneeds to do a good job. In other words, it is research they would fund \nthemselves in the absence of a subsidy. Using a small amount of money \ntaken from each taxpayer, Congress can give money to corporations and \nclaim a role in the production of security, even though the \ncorporations would have put their own money to that use themselves. 
\nThis is another form of ``partnership'' where the American taxpayer \nloses.\n    When the Federal Government abandons the role of market participant \nand neutral arbiter, difficulties arise. Though NIST standards are \nuseful for the Federal Government--and many of them can apply well in \nthe private sector--they may not be appropriately forced on the private \nsector when the government is market-dominant. Government-corporate \ncollaboration raises many risks: security monoculture; mixed \nresponsibility and weakened security; and simple waste of taxpayer \ndollars.\n    Cyber security is special, but not so special that principles about \nthe limited role of government should go by the wayside. We will get \nthe best security and the best deal for taxpayers and the public if the \ngovernment remains within its proper sphere.\n\nConclusion\n\n    Cyber security is a huge topic, and I have ranged widely across it \nin my imperfect testimony. I hope it is more clear that ``cyber \nsecurity'' is a bigger, more multi-faceted problem than the government \ncan solve, and government certainly cannot solve the whole range of \ncyber security problems quickly.\n    Happily, with a few exceptions, cyber security is also less urgent \nthan many commentators allege. ``Cyberattack'' or ``cyberterrorism'' \nmight be replaced by ``cybersapping'' of the country's assets and \ntechnology as the threat we should promptly and diligently address. \nThere is no argument, of course, that cyber security is not important.\n    I am concerned that the policy of keeping true critical \ninfrastructure off the public Internet has been lost in the cyber \nsecurity cacophony. It is a simple, elegant practice that will take \ncare of many threats against truly essential assets.\n    The government will not fix the Nation's cyber security. 
Your goal \nas policy-makers should be one level removed: to determine the system \nthat will best discover and propagate good cyber security practices.\n    As a market participant, the Federal Government is well positioned \nto affect the cyber security ecology positively, with NIST standards \nintegral to that process. The Federal Government may also advance cyber \nsecurity by shifting risk to sellers of technology by contract.\n    For the market failure that is on exhibit when insecure technology \nharms networks or other users, liability is a preferable mechanism to \nregulation for discovering who should bear the responsibility to \nprotect.\n    When the Federal Government abandons its role of market participant \nand becomes a market dominator, regulator, ``partner,'' or investor \nwith private sector entities, a number of risks arise, including \nthreats to privacy and civil liberties, weakened competition and \ninnovation, and waste of taxpayer dollars.\n    I appreciate the chance to share these ideas with you, and I hope \nthat they will aid the Committee's deliberations.\n\n                        Biography for Jim Harper\n\n    As Director of Information Policy Studies at the Cato Institute, \nJim Harper focuses on the difficult challenges of adapting law and \npolicy to the unique problems of the information age. Harper is a \nmember of the Department of Homeland Security's Data Privacy and \nIntegrity Advisory Committee. 
His work has been cited by USA Today, the \nAssociated Press, and Reuters. He has appeared on Fox News Channel, \nCBS, and MSNBC, and other media. His scholarly articles have appeared \nin the Administrative Law Review, the Minnesota Law Review, and the \nHastings Constitutional Law Quarterly. Recently, Harper wrote the book \nIdentity Crisis: How Identification Is Overused and Misunderstood. \nHarper is the Editor of Privacilla.org, a web-based think tank devoted \nexclusively to privacy, and he maintains online federal spending \nresource WashingtonWatch.com. He holds a J.D. from UC Hastings College \nof Law.\n\n                               Discussion\n\n    Chair Wu. Thank you very much, Mr. Harper. And at this \npoint, we will open for our first round of questions, and the \nChair recognizes himself.\n    You each referred at least in part to cybersecurity \nperformance metrics, and apparently we have not been as good at \ndeveloping them as we should. What have been some of the \nimpediments and how can we be better off if we are better at \ndeveloping them?\n    Mr. Wilshusen. Well, I guess I will start. One of the \nthings about the metrics that have been developed by OMB for \nFISMA reporting purposes is that the metrics themselves \nprobably served a useful purpose when they were first \ndeveloped, and this was several years ago. The ones they had \ndeveloped were primarily implementation-related metrics that \naddressed whether or not a control has been activated and \nimplemented.\n    When they were first developed several years ago, many of \nthe federal agencies were not performing some very basic \nsecurity controls. And so over the intervening years as \nagencies increasingly performed these control activities, it is \nnatural to start taking a look at these metrics and see, do \nthey need to evolve as well? 
Is there a need to continue to \nreport whether or not agencies are implementing specific \ncontrols when they are all up in the 90-plus percentile of \nperforming these controls over their systems?\n    So now it is important to look at, well, how well are these \nagencies implementing these controls and looking at different \ntypes of measures. We have an engagement that is ongoing right \nnow, looking at how leading organizations develop and use \nmetrics to gauge and monitor their information security \nactivities and will be issuing a report later this summer about \nthat particular topic. But one thing that we have noted \npreviously is that it is probably time to start measuring how \nwell agencies are actually implementing controls and the \neffectiveness of the control activities, rather than just mere \nimplementation of those specific control activities.\n    Chair Wu. Several of you referred to having a unified \nstandard or set of standards for the Federal Government, that \nis, we currently have a division between defense applications \nand civilian governmental applications, and I just wanted to \nconfirm that is a consensus view of the panel, that the \ndivision between DOD and NSA (National Security Agency) on the \none hand, and DHS and NIST on the other, is maybe one rooted in \njurisdiction but not rooted in utility or the sense of the \nfield.\n    Mr. Charney. Yeah, I would agree with that. As the Co-Chair \nof the CSIS (Center for Strategic and International Studies) \nCommission on Cyber Security, one of the things we noted, there \nwere historical reasons in the past why there was a clear \ndelineation between the national security world and the \ncivilian world. But to some extent, in cyber networks, a lot of \nthese things tend to merge together. 
And when you are trying to \ndevise the best security practices, you want to take all of \nyour great capabilities and knowledge and bring that together \nand have holistic programs in cybersecurity. So bringing them \ntogether is helpful.\n    Chair Wu. And I would like to walk that over a little bit \nfurther. Getting to the civilian non-governmental sector, my \nunderstanding is that there are different cybersecurity \nstandards for different fields, whether you are dealing with \nhealth care, banking, and these have developed over time. Would \nthere be a utility in developing consensus standards for \ncybersecurity for the civilian non-governmental sector, and Mr. \nHarper may not like this, or will that field de facto borrow \nwhat governmental standards exist or is it not possible to \nbetter develop cybersecurity standards for that field at this \npoint in time?\n    Mr. Charney. No, I actually think it is possible. One of \nthe things that we have done at Microsoft is we looked at the \ndifferent regulations that impose certain security requirements \non information systems. So you have things like Gramm-Leach-\nBliley for financial data, you have PCI, which is the credit \ncard standard for securing credit card data, you have HIPAA \n(Health Insurance Portability and Accountability Act) for \nhealth care data. It turns out most of these regulations \nactually promote the same concepts in terms of the framework, \nwhich is reasonable security controls based on traditional risk \nmanagement principles.\n    So what we did is we looked at all those laws and then we \nmapped the controls that are necessary to an international \nstandard. ISO standard 27001 by the International Standards \nOrganization is a standard for controls around IT systems. And \nwe have actually gotten ISO certification for one of our \nlargest properties and networks.\n    So I think the short answer is there is a lot of similarity \nin these regimes. 
Having a unified standard that people can map \nto is a good and healthy thing, and the other nice thing, of \ncourse, is the threats of all of those standards can always be \nmodified to address new environments.\n    Chair Wu. Well, I see nodding heads there. I just want to \nask one quick follow-up on this topic before I yield to Mr. \nSmith. Would NIST and NIST's existing activities in the field \nbe a logical place to begin working on consensus private-sector \nstandards? Anyone on the panel?\n    Mr. Bregman. I think so, but I think it has to be done in \ncollaboration with the private sector, and I think it is a \nlogical place to bring together the various constituencies to \ncoalesce the standards into an overarching set of security \nguidelines and standards.\n    Chair Wu. Mr. Wilshusen, Mr. Charney, Mr. Harper, any \ncomments on that?\n    Mr. Wilshusen. I would also agree, and NIST does have a \nmechanism in place where it coordinates and collaborates with \nthe International Standards Organizations, or ISO rather, and \nit would be a logical place to start.\n    Mr. Harper. I will voice the concern that I think you \nanticipated from me. Federal-developed standards should be \navailable to the private sector and perhaps produced in \ncollaboration with the private sector. There is a touch of \nconcern, though, that the Federal Government, as a large market \nactor, would drive standards into the marketplace that don't \nmeet the needs on the other side of the security equation which \ninclude privacy and anonymity and that kind of thing.\n    So standards are important, they are good, but it is not a \ngiven that all federal-developed standards should be imported \ninto the marketplace. They have to go through a different \nseries of tests for private adoption, I think.\n    Chair Wu. 
Yeah, what we are working on here is the divide \nbetween the public sector and the private sector, and NIST \ntraditionally has played a light leadership role in assisting \nthe private sector to develop consensus, bottom-up developed \nstandards from players in particular arenas. At least that is \nwhat I was asking about, and I take that to be the answers of \nthe other panelists. Mr. Charney.\n    Mr. Charney. Yes, if I could just say I think you are \nright. It is one thing for NIST to develop standards for the \ngovernment's own use, but to be clear, NIST also participates \nin international standards organizations with members of \nindustry. So if you are looking at standards that would apply \nmore broadly than the government, there are four that already \nexist to do that. The government and industry participates in \nthat, so the mechanism is there to work it through that \nprocess.\n    Chair Wu. Thank you very much. Mr. Smith, you are \nrecognized for five minutes.\n    Mr. Smith. Thank you, Mr. Chair. Mr. Harper suggested in \nhis testimony that the critical infrastructure vulnerabilities \nshould be addressed by physically separating such \ninfrastructure from the public Internet as similar to the DOD \nnetwork. What is your response to that, Mr. Charney and Mr. \nBregman and Mr. Wilshusen?\n    Mr. Bregman. I think it is impractical in many cases \nbecause it is one thing in the realm of DOD or the intelligence \ncommunity to operate in a separate environment, but in many \ncases, other parts of government have to interact with \ncitizenry, they have to interact with private sector in the \ncourse of their normal operations. And the challenge in \ncybersecurity is, as soon as I connect my perhaps well-\ndefended, well-defined network to someone else, I have opened \nmyself up to vulnerabilities that may be present in the other \ncomponents that I don't control. 
And so there is a real risk in \nisolating government function in the attempt to achieve this \nsecurity through isolation and becoming much less effective.\n    So I think the real challenge is finding ways to develop \nsecurity and secure the cyber infrastructure, even in a world \nin which it isn't an isolated, totally controlled environment \nfor the government.\n    Mr. Charney. I would echo those points, and if you think \nabout some of the evolving models, like a Smart Grid, for \nexample, where people's homes can communicate intelligent power \nconsumption information to the power grid so that they can draw \npower at appropriate times or feed power back into the grid, I \ndon't know how you do that by creating a power infrastructure \nthat is isolated from all the citizens that need to connect to \nit. I think the trend of these private critical infrastructures \nare basically becoming Internet enabled because of the huge \nbusiness imperative, efficiency cost-drivers and other things \nthat are really critical to the success of these new \ntechnologies.\n    Mr. Wilshusen. And it is our experience, too, in the \nreviews that we have done at the Tennessee Valley Authority \nwhen we looked at the control systems and the security over the \ncontrol systems that the trend is to go to more IP-based type \nof systems to run these control systems. Now, while that is--it \nreally helps and serves additional benefits to the company to \nenable such control protocols, but it also raises the risk \nbecause of the risk associated with running those IP-based \nsystems can now extend to control systems. So agencies need to \nmake sure that they assess those risks and take the appropriate \nsteps to secure against and mitigate those risks. But certainly \ndue to the benefits, the trend seems to be going more toward an \nIP-based type of network and structure.\n    Mr. Smith. Mr. Harper.\n    Mr. Harper. 
I would anticipate these criticisms of what I \nhad said, and they are not wrong, they are not unfair. And the \nway I thought about it was that criticality should be a very, \nvery tightly circumscribed adjective, and I have dealt with it \na little bit in my written testimony, though I wouldn't call \nmyself an expert. Criticality should be when there is an \nimmediate and proximate danger to life and health from the loss \nof an asset. That is under basically a definition that I have \nworked on. There is a lot of history behind it that didn't go \ninto my testimony which is why there is a lot of stuff out \nthere that is referred to as critical infrastructure that I \nwould not.\n    But if again, something would immediately injure life and \nhealth proximately, so the example of an electrical grid going \ndown, it could kill people in a hospital, for example, to lose \nelectric power for an hour, people who are on a heart-lung \ndevice, that kind of thing. Well, it is not proximate because \nwhat you do for a likely risk like that is you put electrical \ninfrastructure at the hospital that would take care of things \nwhen the broader infrastructure went down.\n    So again, these are fair comments. I think the critical \ninfrastructure should be very tightly defined to a small \nuniverse of assets.\n    Mr. Smith. Okay. Thank you. And another one, we heard that \nliability is preferable to regulation as a tool for \ninternalizing any market failures that exist in terms of \nprivate-sector cybersecurity. I was wondering, Mr. Bregman and \nMr. Charney, how do Symantec and Microsoft feel about this, if \nyou could elaborate?\n    Mr. Charney. So we have repeatedly said that you have to \nthink about different ways to motivate the markets to do the \nright thing, and there are many ways to do that, everything \nfrom incentives to regulation and liability. 
The biggest \nchallenge in the software industry I believe is that software \nis extremely complex and it is not entirely clear what the \nreasonable practice would be in developing security today and \nhow you could apply them uniformly in the spectrum of people \nwho make software. So it is not just about large companies. I \nmean, one of the great things about the Internet is it creates \nthis incredible innovative environment where people in their \ngarage can develop software and distribute it around the globe. \nAnd this has led to a lot of great, innovative technologies. \nAnd I don't know how they survive under a regime that is laden \nwith a lot of up-front costs.\n    Having said that, I think there are better ways to get \nthere. One of the things that we have been active proponents of \nis reforming Common Criteria, which is the method by which the \ngovernment evaluates products for security and that then \naffects purchasing acquisitions in the government. And I think \nif the government wants to drive better security practices, one \nof the ways to do that is to use Common Criteria reform and \nacquisition regulations to achieve that result. I think that \ndrives a much more effective and efficient process. It also \nallows, you know, still a very innovative and low barrier to \nentry environment.\n    Mr. Bregman. I would echo Mr. Charney's remarks, but I \nwould add two other things. I think not only is software very \ncomplex, but any software that is delivered by a supplier \nbecomes part of an even more complex integrated solution, and \nin most cases where we have seen vulnerability at the system \nlevel, it is traceable to configuration that is outside the \ncore of any given product, but it is the interaction in the \ncustomer's environment or in the user's environment which opens \nup the vulnerabilities. 
That is something that is very hard to \nlegislate liability around without putting tremendous \nconstraints on what people are willing to supply.\n    And related to that I think, and I was also echoing Mr. \nCharney's remarks, liability as a way to control this will \nstifle a lot of the innovation which is what we need in order \nto get ahead of the threat. And so I would be fearful that if \nliability were to be the tool primarily used to improve \nsecurity, we would actually see the opposite effect. There \nwould be retrenchment on the part of suppliers and fear to try \ninnovative, new solutions.\n    Mr. Smith. So maybe I hear you saying you would not \nadvocate liability in addition to regulation?\n    Mr. Bregman. That is correct.\n    Mr. Smith. Mr. Wilshusen, can you elaborate on your \nfindings on the impact of such things?\n    Mr. Wilshusen. Yes, in a couple areas. One, regarding the \nuse of Common Criteria, we did a review several years ago \nlooking at the National Information Assurance Program, or NIAP, \nwhich is a program in which NIST and NSA at that time \nestablished and certified laboratories to examine the security \ncontrols that were designed into these products. One of the \nproblems that we identified as a challenge to overcome was just \nthe length of time that it took these laboratories to go \nthrough and evaluate the security of these products. In many of \nthese cases, some of the vendors indicated that by the time \nthey went through the process, the technology and the \napplications were already obsolete. There were newer versions \nout there. So to implement that, we are going to need to have \nsome sort of measure and mechanism that will allow a speedy and \na quicker response time to evaluate such products.\n    There is also another mechanism that government can use, in \naddition to providing incentives, through its procurement \npolicy. The government procures $60, $70 billion worth of IT \nproducts and services a year. 
It can use that leverage and \nspecify the requirements that it needs, or security \nrequirements for the products that it requires which can help \nmaybe move markets into an area where they implement security \nor design security into their products more readily.\n    Mr. Smith. Thank you. Thank you, Mr. Chair.\n    Chair Wu. Thank you, Mr. Smith. We have had several \ndifferent cybersecurity czars, and at least a couple of them \nhave departed or resigned. Can the panel comment on whether \nthere are integral problems in the way that we have tried to \nstructure a cybersecurity program at the federal level?\n    Mr. Wilshusen. I will tread lightly here, but I think one \nof the issues that may be resolved as we go forward with the \nnew official, the cybersecurity official in the White House, \none of the concerns is going to be what authorities and what \ncontrol he or she will have over budgets and strategy and what \nwill be his or her levers of power to effect change? And I \ndon't know if decisions about that exist, but that would be \njust one of the challenges I will say in trying to make sure \nthat conditions are established to where the official can be \nproductive in that role.\n    Chair Wu. Well, Mr. Wilshusen, you are from the GAO, and \nyou are supposed to give it to us unvarnished. What I am \nhearing between the lines is that this is a difficult field \nwith a lot of responsibility and perhaps not enough line \nauthority in budget to accomplish the mission or the multiple \nmissions.\n    Mr. Wilshusen. And it will depend upon what their role and \nresponsibilities are, I would agree.\n    Chair Wu. Mr. Bregman, do you have anything to add to this?\n    Mr. Bregman. I would agree with that. 
I think appropriate \ndecision-making and budget authority is going to be necessary \nbecause a key part of the role is helping coordinate the \nstrategic direction across the various parts of government and \nalso, coordinating better on an international front. One of the \nchallenges is this is not a problem that occurs just within our \nown borders. It is borderless. And so better coordination \nglobally is going to be an important part of this as well.\n    Chair Wu. Thank you. Several of you referred to the \nimportance of public-private partnerships and coordinating with \nthe private sector. What in our structure today is not creating \nthe kinds of public-private partnerships that we need and what \nkind of incentives should we try to build in?\n    Mr. Charney. Since the early '90s, we have been talking \nabout this public-private partnership, and it was really a \nreflection of the fact that the private sector designs, \ndeploys, and maintains about 90 percent of the critical \ninfrastructure.\n    And so government is in an interesting situation here, \nunlike things like nuclear weapons where they had both \nresponsibility and control, here they have responsibility for \npublic safety and national security but they don't control the \nassets to be protected or maintained.\n    And so the idea of a partnership is the right idea. I think \nit got off on the wrong foot. In large part, early efforts at \npartnership were focused on information sharing, and there was \na lot of discussion that industry and government should share \ninformation about threats and vulnerabilities.\n    The problem is information sharing is not an objective, it \nis a tool. You share information so you can do something. \nSharing information just for the sake of sharing information \ndoesn't make any operational change that makes security better. 
\nSo the first problem is the wrong focus, focus on sharing \ninstead of action.\n    The second thing is that the government has been concerned \nfor understandable reasons about not playing and picking \nfavorites in the marketplace. So it often took the view that it \nhas to share with everyone or no one. And of course, when you \nshare with everyone, when you share a lot of information about \nvulnerabilities, threats and risks too broadly, you actually \nmake the problem worse, and if you share with no one, then \nthere is nothing.\n    And so I think in addition to focusing on what information \nto share, that is, how is this information actionable, the next \nquestion is who is it actionable by and we have to share it \nwith the organizations, people, companies, whatever, who can do \nsomething with the information specifically and not worry so \nmuch about sharing with everyone or no one because that is not \na productive model.\n    Chair Wu. Mr. Charney, is one of your criticisms of the \ncurrent advisory committees and coordinating committees that \nthey are mechanisms for sharing information and that that \nbecomes an end-goal rather than a tool for accomplishing \nmission objectives?\n    Mr. Charney. That is correct, although there has been \neffort in recent times to refocus on more operational security \nissues and share actionable information, but there was a long \nhistory of having the wrong focus.\n    Chair Wu. Thank you. I might have a couple more questions, \nbut at this time I am going to yield to my colleague, Mr. \nSmith, for five minutes.\n    Mr. Smith. If Mr. Charney or others would still like to \nmaybe elaborate on what exactly the partnership would look \nlike, I mean, I think you started down that track. But \nobviously it can be difficult to define. I know that sometimes \npartnerships are overstated here on the hill, but if you could \nelaborate?\n    Mr. Charney. I would be delighted to. 
In addition to the \nmisfocus, I don't think the partnership ever had the right \nphilosophical underpinning. Here is the way I see the problem. \nMarkets actually do deliver some level of security. Customers \ndemand it and markets deliver it. Governments need a level of \nsecurity for public safety and national security that often \nexceeds what the market will provide. Markets are not designed \nto do national security. You cannot make a market case for the \nCold War. In those situations, the government steps in and does \nthings. It seems to me that the proper basis of a partnership \nis to figure out how much security you are going to get from \nthe market through its natural proclivities and a little more \nbecause companies do have a sense of corporate responsibility. \nThey do care about public safety and national security, so they \ndo a little more than the markets would require. Then you have \nto figure out what the government thinks it really needs, and \nthe key is filling the gap between what the market will provide \nand what the government sees as necessary. And then there are a \nlot of ways to fill that gap. Acquisition regulations are an \nexample to drive the market in a particular direction, \nregulation, standardization. There are many ways to fill a gap, \ntax incentives.\n    So the real key, and I think the basis of the partnership, \nis to focus on meeting the requirements that span between where \nmarkets are and what government wants and figure out the right \nway to incentivize the right behaviors so the products take you \nwhere you want to go.\n    Mr. Smith. Any one else?\n    Mr. Harper. I will briefly comment on it some more. I think \nthe question of public-private partnerships--I agree in large \npart with what Mr. Charney said, that partnerships formed up to \nshare information as if that was the goal. 
The problem is goal-\nsetting and then asking what achieves that goal, and I think it \nhas been the idea, well, let us have a public-private \npartnership.\n    In an area I have a relative amount of experience, Homeland \nSecurity issues. Everyone said data sharing, you know, connect \nthe dots, and nobody knows exactly what that means. It is a \nmore difficult problem.\n    I would prefer to see the government play the role of \npartner that you see in security of houses and buildings in a \ngiven city. The primary responsibility is on the holder of \nprivate infrastructure to secure the house with locks on the \nwindows and doors, and when something really goes wrong and \nthere is criminal behavior afoot, the police are called or if \nthe police have information about what is afoot, they contact \nthe community. That is a public-private partnership that I \nthink is a success, but putting together programs to try to \ndescribe that don't really work. What works is when the \ngovernment stays in its law enforcement and national security \nrole for the most part, and the private sector for the most \npart takes the role of securing its own infrastructure. That \ndoesn't mean they can't work together, but I don't think the \nfocus has to be on them working together to improve security. It \nworks with them separately.\n    Mr. Smith. Thank you. Mr. Bregman, relevant to EINSTEIN and \nthe program there and the software, obviously it was developed \na number of years ago and the focus was on threats and \nintrusions, and perhaps that is not enough of a focus now. \nWould you concur with that?\n    Mr. Bregman. I think we see a very, very rapidly evolving \nthreat landscape, and EINSTEIN was developed with somewhat \nlooking at the then-current threat landscape. And so given the \nlong lead time and deployment lead time, it is not taking \nadvantage of the best practice, best technologies that are \ncurrently available in the private sector. 
And I think that is \nan area where, again, private sector working together with \ngovernment could do a much better job of looking forward, \nanticipating things, and being closer to the leading edge of \nprotection as opposed to looking backward at what the previous \nthreats were and then going through a rather cumbersome \ndevelopment process to deploy something which is inadequate \nwhen it is deployed.\n    Mr. Smith. Okay. Thank you.\n    Chair Wu. Several of you have referred to the importance of \nsetting goals rather than processes. And also I think there has \nbeen reference to having a more crisp strategy for \ncybersecurity. What are the components that we need to put \ntogether to develop a strategy or a means of accomplishing a \nclear set of goals?\n    Mr. Charney. It seems to me there are two separate issues, \nand it comes back to a comment in my testimony about the \ngovernment as a policy arm and the government as a large IT \nenterprise. So part of the goal of developing a comprehensive \nstrategy is recognizing that the way cyberspace works today, \nthere are some very interesting challenges about how you secure \nit and also respond to incidents.\n    I will give you a somewhat classic example. There have been \nwidespread reports in the media about attacks on U.S. Defense \nDepartment systems. There are a lot of interesting questions \nabout what constitutes cyber warfare. When can you shoot back? \nWhat does it mean to do collateral damage on the Internet? \nThese are hard policy questions, and it is even an interesting \nquestion of whether or not you want to respond in a cyber way \nor impose a trade sanction. You know, because cyberspace of \ncourse ties all our economies together, just like it ties all \nour systems together. 
And so the government has to think very \nholistically about diplomatic efforts, intelligence efforts, \nmilitary efforts, economic efforts, and law enforcement efforts \nand integrate them into a strategy and set norms because right \nnow around the world we now have norms on certain behaviors, \nlike proliferation of weapons of mass destruction or \nproliferation of nuclear material. We don't even have norms on \nwhat constitutes appropriate cyber conduct around the world. \nAnd as a result of that, countries internationally haven't \ndeveloped the processes, procedures and strategies to deal with \nthese issues because the Internet is sovereign agnostic, even \nthough sovereignty is very much well and alive.\n    And so in the policy space, this is one of the reasons why \nthe commission recommended the advisor has to be at the White \nHouse and could not sit in any one agency because thinking \nabout this problem comprehensively means that the government \nhas to think about all the tools in its arsenal and how to \nimplement as one government. On the IT infrastructure \nprotection side, that is when you get into very specific \ncontrols where you want security controls in place, and I would \necho the comments made earlier about the need to actually test \nthe efficacy of those controls, make sure they are doing what \nyou think they are doing, and making sure they are always \ncurrent. And as I said, there are international standards now \nas well as regulations that require controls be put in place. \nSo to some extent, the more I think about some of these issues, \nwe are reaching the point, at least in the network enterprise, \nwhere the philosophy is right, and we are getting to the point \nof we need to execute well and we need to focus on execution. 
\nAnd that requires being rigorous about putting your policies in \nplace, testing your controls, having audits done whether they \nare internal, self-certifications, or external to make sure you \nare achieving your desired levels of security.\n    Chair Wu. Well, I think we have surfaced a lot of concerns \nabout the lack of--the dearth of rules of the road for the \nInternet, but Mr. Charney, your reference to accords about WMD \n(Weapons of Mass Destruction) and so on brings to mind that we \nhave been able to work, at least try to work, on rules for \nwarfare for 4,000 years at least, and the early versions of the \nInternet are at most 30 years old, and cyberspace probably is \nmore like in the teens than anything else.\n    So in essence, we are here all together at the inception, \nand some of the decisions we make will have reverberations down \nthe road.\n    Let me ask you a question about research. There is a set of \nchallenges about identifying research priorities at DHS and \ncommentary that this process should include private industry to \na larger extent. Can you give us your best analysis of the \nresearch that is currently being done at either NIST or DHS?\n    Mr. Bregman. I think when we think about research in the \ncybersecurity space, there are several different objectives. \nThere obviously is the primary objective of the research itself \nand the outcome of that research and with the goal that one \nwould think of ultimately impacting technologies and products \nwhich could be delivered and implemented. And so that is an \narea where linking the research activities with the industrial \nbase is important because to exploit them, there is going to \nhave to be some commercialization that takes place.\n    The other dimension of research is that setting the \nresearch agenda is a very good way to stimulate alongside \ninvestment, both by private sector and sort of intellectual \ncapital investment within the academic world. 
And I think one \nof the things we need to improve our cybersecurity posture is a \nlarger cadre of expertise at all levels, people who can be the \nnext generation leading researchers but also practitioners in \ngovernment and in private sector and carefully aligning the \nresearch agenda with the interests of DHS, NIST, and the \nprivate sector, and using that to create interest within the \nacademic community will draw more students, some more people \ninto that area and that field and create a much larger \ncommunity of expertise.\n    Chair Wu. Mr. Wilshusen, or anyone else, anything to add to \nthe research agenda or research strategy?\n    Mr. Wilshusen. We haven't looked at--in fact, we just \nreceived a request to look at research and development in \ncybersecurity. That was a couple of weeks ago, and we are just \nstarting a review of that within the Federal Government. But \nabout four years ago we did a review over cybersecurity \nresearch and development and looking at the NITRD and the group \nthat was responsible for coming up with a plan for conducting \ncybersecurity within the Federal Government, and we found that \nwhile there were some overall goals and objectives that were \nidentified, there really wasn't a clear, concise plan on how to \nconduct and how to perform and fund which particular projects. \nAnd so making sure that there is a clear consideration of what \nthe goals are and coming up with a plan to fund those projects \nI think will be important.\n    Mr. Harper. Mr. Chair, if I may?\n    Chair Wu. Yes, Mr. Harper.\n    Mr. Harper. It often falls to me to be the skunk at the \ngarden party, and I enjoy it. Research that benefits----\n    Chair Wu. Animals of all stripes are of value.\n    Mr. Harper. Research that benefits industry really is \nsubsidy. And I want research done. 
I think everybody does, but \nresearch that is funded by industry goes then into the price of \nproducts and is paid for then by the users of the security \ntechnologies, rather than taxpayers, many of whom don't use \nthe Internet and live perfectly good lives without it.\n    Chair Wu. Mr. Charney.\n    Mr. Charney. Yes, I actually don't disagree, and earlier I \nsaid the philosophy of the partnership should be that the \ngovernment doesn't do what the market is already delivering but \ndo something else. That is true in research, too. So industry \ndoes a lot of research, and we do research that we can monetize \nand commercialize. And there is other very hard research that \nwe can't do because there is no economic model that permits it. \nRemember, the Internet was a government research effort which \nhas revolutionized the world. It came out of DARPA (Defense \nAdvanced Research Projects Agency).\n    So I think it is really important that the government as \npart of its strategy do two things, one, invest in the research \nthat actually advances the overall strategy that we have talked \nabout to create a more secure environment, but also do the \nthings that industry won't do. And to be clear, Mr. Bregman's \npoint about commercialization is not the same as financing \nindustry research. The Internet, which was invented by the \ngovernment, was then commercialized by the private sector \nbecause the government made it available. That is not exactly \nfunding industry research. It is saying invest in things that \nwill find a place in the commercial market so it gets \nwidespread adoption so that everyone benefits from the \nresearch. But do research that won't otherwise happen and is \nconsistent with your cybersecurity strategy.\n    Chair Wu. Well, perhaps as an artifact of the Committee \nthat I sit on, or it is a natural draw, but my bias is toward \nthe direction that we underfund research rather than over \npurchase research. 
Compared to other, immediately pressing \nneeds, there is the tendency to address those pressing needs, \nrather than something which is long-term.\n    Something else which we underfund publicly is education. \nThe market would probably not fund education properly, and \nalong those lines I think several of you mentioned the role \nthat education, consumer education, user education, could play \nin improving cybersecurity at relatively low cost. Can you \nidentify some things that we could be doing either as a society \nor as a government to use that education tool more effectively \nto enhance cybersecurity?\n    Mr. Bregman. Well, Mr. Chair, you mentioned the fact that \nthe cyber world that we are living in today is only maybe \ndozens of years old, and it is changing at a pace which is much \nmore rapid than the generational shift. And I think there is a \nvery important role in educating our citizens on how to behave \nand what are the norms and what are the risks and what are the \nprocesses to use to protect oneself in the cyber world. And I \nthink that it requires government to take the role particularly \nof coordinating that delivery of that education because if it is \ndelivered in a very fragmented way, it is just confusing to the \npopulace.\n    Some of the programs that are in place today, NCSA and \nothers, I think are good starting points for government \ncollaborating with private sectors to bring that education to \nthe mass market citizenry.\n    Mr. Wilshusen. And there are several federal programs which \nallow, for example, Scholarship for Service in which the \nFederal Government offers scholarships and repays student loans \nfor graduates who have studied in cybersecurity and then decide \nto work for the Federal Government. So there are various \ndifferent programs available now, like an education assistance \nprogram, that can help bring those individuals with information \nsecurity degrees into the federal workplace.\n    Chair Wu. 
Thank you all very much. You have traveled a long \nway, and this is a large, bedeviling set of topics. We have \nonly had the opportunity to ask a few questions and not engage \nacross the breadth and depth of this topic. If there are things \nthat you would like to comment on or tell us at this point, I \nwould like to open this to all the witnesses. You can just go \nfrom left to right or right to left so that those things that \nyou might wake up tonight or tomorrow and say, gee, I wish I \nhad said that. This is your chance of laying it out in the \nrecord.\n    Mr. Wilshusen. One thing I would just like to add related \nto the research and development question that came up earlier \nis that the results of the research and development activities \nshould be made available, and particularly those funded by the \nFederal Government. There is a requirement under the E-\nGovernment Act that federally funded research, particularly in \nthe cybersecurity, maintain the results in repositories. What \nwe found several years ago is that the results of many of the \nefforts were not being considered and placed into these \nrepositories, thereby making them unavailable for other \nresearchers who might have benefited from the knowledge gained \nfrom those research efforts.\n    Chair Wu. Thank you.\n    Mr. Bregman. Well, I would like to start by thanking the \nCommittee for taking on this task. I think as the Chair \nmentioned, it is a very complex problem and one that is \nchanging very rapidly, and it is very important that this \ncommittee and other parts of the government focus on it.\n    I think there has been increased focus, and we see \nimprovement in the work we do with DHS and with NIST and with \nother parts of government. We need to continue that and \naccelerate that momentum if we are going to be able to really \nprotect our nation in the face of this increasing cyber threat. \nThank you.\n    Chair Wu. Thank you.\n    Mr. Charney. Thank you. 
I do want to comment one further \npoint about education, in particular. We have spent a lot of \ntime educating consumers about some of the basic steps they can \ntake to protect themselves on the network, and I think this is \nimportant to do and we will all continue to do it.\n    The challenge it seems to me is in part that IT technology \nis very opaque to end-users. My mother is 79 and found e-mail, \nbless her heart, and when I talk to her about security issues, \nshe really does not want to become a security IT professional. \nShe remembers the day of the telephone where it just worked and \nif something went wrong, the telephone company took care of it. \nAnd I think to some extent we have to think about models that \nprovide consumers a higher level of protection with less work. \nAnd I don't think we are going to get there unless we start \nthinking about some very hard problems, some of which I \noutlined in my testimony about things like attribution. How \ndoes my mother know where her mail really came from or who \nreally wrote the software that is being asked to be installed \non her system? And how do we think of the role of Internet \nservice providers who are the choke points to the Internet and \nmight be able to look at machines and clean infected machines? \nThere are a lot of difficult, challenging things we have to do. \nThere are some very interesting models. If you think about WHO, \nthe World Health Organization, and the way we deal with \npandemics. You know, they are called viruses and worms for a \nreason in the computer world because they propagate in many of \nthe same ways. And we have to start thinking about other models \nthat have worked and how we bring new protections to the \nInternet because the ability to create malicious malware and \npropagate it worldwide at machine speed, virtually at the speed \nof light, is going to continue unabated. 
Human beings are not \ngoing to be able to react fast enough to respond to machine-\nbased attacks.\n    And so one of the areas for intense research and \ndevelopment and one of the things we have to think about is how \nwe are going to protect people in this environment where things \nmove that quickly and things change so rapidly.\n    Chair Wu. Thank you very much, Mr. Charney. Mr. Harper.\n    Mr. Harper. Just briefly before I close, I thought I would \ncome back to the question of liability, which Mr. Smith asked \nsome of the other witnesses, and they made the case, a fair \ncase, that software is very complex and so finding liability \nfor negligent failure to secure a technology product would be \nhard to do. It also could frustrate innovation, and I think \nthat is also true. Those things are true of regulation as well, \nand so maybe if there is consensus on the panel it might be \nthat government contracting is the best way using well-\ndeveloped NIST standards as the best way to advance the market \nfor technology products, and then liability and regulation \nshould be distant second and third places.\n    I think that the Federal Government has a role as a market \nactor in promoting standards, though it is not a given that \ngovernment-created standards should be adopted in the private \nmarketplace. Its best role, for the most part, is as an outside \nreferee and policeman, rather than as a partner or participant \nin a public-private partnership. And for fun, I will note the \nfact that just before the hearing started, I tweeted the fact \nthat I would be speaking in a hearing, and people could tune in \nand see this hearing. Hopefully they did. But one of the \nresponses was a friend who pointed me to a web site where \npeople's self-important tweets are collected. And so I think I \nwill be ratcheting back on my use of Twitter. Thanks for having \nus this afternoon.\n    Chair Wu. Thank you all very much. 
There are many, many \ninsights which were very interesting, sometimes surprising, and \nalways very thoughtful. I think that is one of the benefits of \nbeing able to hear from people who are able to think deeply and \nconsider topics. Thank you all very, very much for coming \nbefore the Committee this afternoon.\n    The record will remain open for two weeks for additional \nstatements from the Members and for answers to any follow-up \nquestions that the Committee may ask the witnesses. The \nwitnesses are now excused, and the hearing is adjourned. Thank \nyou very much.\n    [Whereupon, at 5:00 p.m., the Subcommittee was adjourned.]\n</pre></body></html>\n