[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
                        ASSESSING CYBERSECURITY
                       ACTIVITIES AT NIST AND DHS

=======================================================================

                                HEARING

                               BEFORE THE

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

                  COMMITTEE ON SCIENCE AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 25, 2009

                               __________

                           Serial No. 111-39

                               __________

     Printed for the use of the Committee on Science and Technology


     Available via the World Wide Web: http://www.science.house.gov

                                 ______
                  U.S. GOVERNMENT PRINTING OFFICE
50-325                    WASHINGTON : 2009
-----------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

                  COMMITTEE ON SCIENCE AND TECHNOLOGY

                   HON. BART GORDON, Tennessee, Chair
JERRY F. COSTELLO, Illinois          RALPH M. HALL, Texas
EDDIE BERNICE JOHNSON, Texas         F. JAMES SENSENBRENNER JR., 
LYNN C. WOOLSEY, California              Wisconsin
DAVID WU, Oregon                     LAMAR S. SMITH, Texas
BRIAN BAIRD, Washington              DANA ROHRABACHER, California
BRAD MILLER, North Carolina          ROSCOE G. BARTLETT, Maryland
DANIEL LIPINSKI, Illinois            VERNON J. EHLERS, Michigan
GABRIELLE GIFFORDS, Arizona          FRANK D. LUCAS, Oklahoma
DONNA F. EDWARDS, Maryland           JUDY BIGGERT, Illinois
MARCIA L. FUDGE, Ohio                W. TODD AKIN, Missouri
BEN R. LUJAN, New Mexico             RANDY NEUGEBAUER, Texas
PAUL D. TONKO, New York              BOB INGLIS, South Carolina
PARKER GRIFFITH, Alabama             MICHAEL T. MCCAUL, Texas
STEVEN R. ROTHMAN, New Jersey        MARIO DIAZ-BALART, Florida
JIM MATHESON, Utah                   BRIAN P. BILBRAY, California
LINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska
BEN CHANDLER, Kentucky               PAUL C. BROUN, Georgia
RUSS CARNAHAN, Missouri              PETE OLSON, Texas
BARON P. HILL, Indiana
HARRY E. MITCHELL, Arizona
CHARLES A. WILSON, Ohio
KATHLEEN DAHLKEMPER, Pennsylvania
ALAN GRAYSON, Florida
SUZANNE M. KOSMAS, Florida
GARY C. PETERS, Michigan
VACANCY
                                 ------                                

               Subcommittee on Technology and Innovation

                      HON. DAVID WU, Oregon, Chair
DONNA F. EDWARDS, Maryland           ADRIAN SMITH, Nebraska
BEN R. LUJAN, New Mexico             JUDY BIGGERT, Illinois
PAUL D. TONKO, New York              W. TODD AKIN, Missouri
DANIEL LIPINSKI, Illinois            PAUL C. BROUN, Georgia
HARRY E. MITCHELL, Arizona               
GARY C. PETERS, Michigan                 
BART GORDON, Tennessee               RALPH M. HALL, Texas
                 MIKE QUEAR Subcommittee Staff Director
        MEGHAN HOUSEWRIGHT Democratic Professional Staff Member
            TRAVIS HITE Democratic Professional Staff Member
         HOLLY LOGUE PRUTZ Democratic Professional Staff Member
             DAN BYERS Republican Professional Staff Member
                  VICTORIA JOHNSTON Research Assistant


                            C O N T E N T S

                             June 25, 2009

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative David Wu, Chair, Subcommittee on 
  Technology and Innovation, Committee on Science and Technology, 
  U.S. House of Representatives
    Written Statement

Statement by Representative Adrian Smith, Ranking Minority 
  Member, Subcommittee on Technology and Innovation, Committee on 
  Science and Technology, U.S. House of Representatives
    Written Statement

Prepared Statement by Representative Harry E. Mitchell, Member, 
  Subcommittee on Technology and Innovation, Committee on Science 
  and Technology, U.S. House of Representatives

                               Witnesses:

Mr. Gregory C. Wilshusen, Director, Information Security Issues, 
  U.S. Government Accountability Office
    Oral Statement
    Written Statement
    Biography

Mr. Mark Bregman, Executive Vice President and Chief Technology 
  Officer, Symantec Corporation
    Oral Statement
    Written Statement
    Biography

Mr. Scott Charney, Corporate Vice President, Trustworthy 
  Computing, Microsoft Corporation
    Oral Statement
    Written Statement
    Biography

Mr. Jim Harper, Director of Information Policy Studies, The Cato 
  Institute
    Oral Statement
    Written Statement
    Biography

Discussion


           ASSESSING CYBERSECURITY ACTIVITIES AT NIST AND DHS

                              ----------                              


                        THURSDAY, JUNE 25, 2009

                  House of Representatives,
         Subcommittee on Technology and Innovation,
                       Committee on Science and Technology,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 2:07 p.m., in 
Room 2318 of the Rayburn House Office Building, Hon. David Wu 
[Chair of the Subcommittee] presiding.


                            Hearing Charter

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

                  COMMITTEE ON SCIENCE AND TECHNOLOGY

                     U.S. HOUSE OF REPRESENTATIVES

                        Assessing CyberSecurity

                       Activities at NIST and DHS

                         Thursday, June 25, 2009
                           2:00 p.m.-4:00 p.m.
                    2318 Rayburn House Office Building

I. Purpose

    On Thursday, June 25, 2009, the Subcommittee on Technology and 
Innovation will convene a hearing to assess the cybersecurity efforts 
of the Department of Homeland Security (DHS) and the National Institute 
of Standards and Technology (NIST). In reviewing the activities of the 
agencies' cybersecurity programs, the hearing will solicit the input of 
private-sector experts on how federal cybersecurity activities can 
enhance privately-owned critical infrastructure, better monitor federal 
networks, and more clearly define cybersecurity performance with 
metrics and success criteria.

II. Witnesses

Mr. Greg Wilshusen is the Director of Information Security Issues at 
the Government Accountability Office.

Mr. Mark Bregman is the Executive Vice President and Chief Technology 
Officer of Symantec Corporation.

Mr. Scott Charney is the Corporate Vice President of Microsoft's 
Trustworthy Computing Group.

Mr. Jim Harper is the Director of Information Policy Studies at the 
Cato Institute.

III. Overview

    In January 2008, the Bush Administration established, through a 
series of classified executive directives, the Comprehensive National 
Cybersecurity Initiative (CNCI). While the goal of the initiative was 
to secure federal systems, a number of security experts have expressed 
concern that the classified nature of the CNCI has inhibited active 
engagement with the private sector despite the fact that 85 percent of 
the Nation's critical infrastructure is owned and operated by private 
entities. While experts are concerned by the lack of transparency and 
public-private cooperation under the CNCI, they have also urged 
President Obama to build upon the existing structure of CNCI. In 
February 2009, the Obama Administration called for a 60-day review of 
the national cybersecurity strategy. The President's review required 
the development of a framework that would ensure that the CNCI was 
adequately funded, integrated, and coordinated among federal agencies, 
the private sector, and State and local authorities.
    On May 29, 2009, the Administration released its Cyberspace Policy 
Review. The review recommended an increased level of interagency 
cooperation amongst all departments and agencies. The active exchange 
of information concerning attacks, vulnerabilities, research, and 
security strategies is essential to the efficient and effective defense 
of federal computer systems. The review team also emphasized the need 
for the Federal Government to partner with the private sector to 
guarantee a secure and reliable infrastructure. Furthermore, it 
highlighted the need for increased public awareness, the education and 
expansion of the Information Technology (IT) workforce, and the 
importance of advancing cybersecurity research and development.
    The hearing will address recommendations made in the Cyberspace 
Policy Review and a recent report from the GAO.\1\ DHS currently 
monitors the federal civilian networks for cyber attacks and 
coordinates the gathering and dissemination of information on cyber 
attacks to federal agencies and private industry. The policy review and 
GAO report highlight deficiencies in both the operations and 
coordination roles. The policy review also calls for a more proactive 
plan for collaboration with international standards bodies and an end 
to the cybersecurity distinctions between national security and other 
federal networks. NIST currently develops and promulgates standards to 
help secure the federal civilian network systems. Finally, both reports 
call for an increase in effective public/private partnerships, despite 
the current high number of coordination councils and advisory boards. The 
policy review states that the high number of coordinating groups has 
left some participants frustrated with unclear roles and 
responsibilities and an excess of plans and recommendations.
---------------------------------------------------------------------------
    \1\ National Cybersecurity Strategy: Key Improvements Are Needed to 
Strengthen the Nation's Posture, Government Accountability Office, 
http://www.gao.gov/new.items/d09432t.pdf

---------------------------------------------------------------------------
IV. Issues and Concerns

Operations
    The Cyberspace Policy Review called for the review of some of the 
DHS cybersecurity programs. It recommends a review of the ``operational 
concept and the implementation of the National Cyber Security Center 
(NCSC) to determine whether its proposed responsibilities, resource 
strategy, and governance are adequate to enable it to provide the 
shared situational awareness necessary to support cyber incident 
response efforts.'' This center was also specifically discussed in the 
report from GAO in its recommendation that DHS needed to ensure that 
there are distinct and transparent lines of authority and 
responsibility assigned to DHS organizations with cybersecurity roles 
and responsibilities. The same report also mentioned DHS difficulties 
in hiring and retaining adequately trained staff, which have been 
hindering the function of the NCSC.
    The Cyberspace Policy Review also recommended that DHS continue to 
pursue the goal of the Trusted Internet Connection program to reduce 
the number of government network connections to the Internet but to 
reconsider goals and timelines based on a realistic assessment of the 
challenges. DHS uses the trusted connections and monitoring devices to 
protect the federal civilian networks. The review calls for the 
evaluation and continuation of these pilot deployments of intrusion 
detection and prevention systems in consultation with the civil 
liberties and privacy community. The lessons learned from these 
deployments could be used with other networks, such as those operated 
by the State governments.

Standards
    A major recommendation from industry experts indicates the need to 
end the bifurcation of minimum cybersecurity standards amongst 
military, national security, and federal civilian networks. A recent 
draft report from NIST proposes a unified set of standards that meet 
this recommendation.\2\ The use of a single set of basic standards and 
minimum security requirements will simplify acquisition of network 
components and ease the assessment of cybersecurity performance.
---------------------------------------------------------------------------
    \2\ Recommended Security Controls for Federal Information Systems 
and Organizations, National Institute of Standards and Technology 
Special Publication 800-53 DRAFT, http://csrc.nist.gov/publications/
drafts/800-53/800-53-rev3-FPD-clean.pdf
---------------------------------------------------------------------------
    The review team also recommends that the Federal Government 
determine a strategy to work with international partners to develop 
cybersecurity standards and legal framework with which to deal with 
cybercrime. Internationally-consistent policies will provide a simpler 
set of cybersecurity guidelines for international companies and for 
prosecution of cybercriminals. Additionally, the review recommends that 
the Federal Government coordinate with international partners and 
standards bodies to support next-generation global communications 
capabilities.

Critical Infrastructure
    Critical infrastructure represents a challenge because much of it 
is privately-owned, yet could represent a major vulnerability to the 
security of the Nation. The Cyberspace Policy Review called for 
increased coordination and integration of current efforts among all 
federal departments and agencies, and with private industry to assist 
in securing critical infrastructure. Currently, an assortment of 
public-private partnerships, advisory boards, and information sharing 
mechanisms exists across the Federal Government, such as the Critical 
Infrastructure Partnership Advisory Council (CIPAC), IT-Sector 
Coordinating Council (IT-SCC), National Infrastructure Advisory 
Council, and Information Security and Privacy Advisory Board (ISPAB).

Metrics
    Throughout its recommendations, the review team highlights the need 
for the increased use of performance metrics to guide strategies and to 
make key planning decisions. Cybersecurity efforts are traditionally 
assessed by detailing the number of initiatives and funding spent on 
these initiatives. A set of metrics based on the actual outcomes of 
efforts, instead of the output of initiatives and funds, would better assess 
the current activities and identify areas for improvement. They 
recommend the development of a formal program assessment framework that 
would guide departments and agencies in defining the purpose, goal, and 
success criteria for each program. This framework could then be used as 
a basis for implementing a performance-based budgeting process, setting 
priorities for research and development initiatives, and assisting in 
development of the next-generation networks.

V. Background

    In the current system, responsibilities for the security of federal 
network systems fall to many different agencies. The National Security 
Agency (NSA) is responsible for all classified network systems. The 
Department of Defense (DOD) is responsible for military network systems 
and DHS is responsible for all federal civilian network systems. 
Additionally, DHS is responsible for communicating information on cyber 
attacks to other federal agencies. NIST develops and promulgates 
standards to help secure the federal civilian network systems, along 
with their other roles that will be discussed below. The Office of 
Management and Budget (OMB) implements and enforces the standards set 
by NIST. Three key agencies, the National Science Foundation (NSF), DHS and 
DOD (specifically the Defense Advanced Research Projects Agency (DARPA)), 
fund the majority of cybersecurity research and development (R&D).

Department of Homeland Security

    As tasked in Homeland Security Presidential Directive (HSPD) 7, 
DHS, ``. . . shall be responsible for coordinating the overall national 
effort to enhance the protection of the critical infrastructure and key 
resources of the United States. The Secretary shall serve as the 
principal federal official to lead, integrate, and coordinate 
implementation of efforts among federal departments and agencies, State 
and local governments, and the private sector to protect critical 
infrastructure and key resources.'' As a response to HSPD-7, DHS 
created the National Cyber Security Division (NCSD), detailed below. In 
2008, HSPD-23, which was mostly classified, called for a central 
location to gather all of the cybersecurity information on attacks and 
vulnerabilities. DHS created the NCSC to meet this need.

National Cybersecurity Division
    The NCSD is the operational arm of DHS's cybersecurity group and 
handles a host of tasks: they detect and analyze cyber attacks, 
disseminate cyber attack warnings to other Federal Government agencies, 
conduct cybersecurity exercises, and help reduce software 
vulnerabilities. The budget request for the NCSD is $400 million, an 
increase of $87 million above FY 2009.

          United States Computer Emergency Readiness Team

           Within NCSD, the U.S. Computer Emergency Readiness Team (US-
        CERT) monitors the federal civilian network systems on a 24/7 
        basis and issues warnings to both federal agencies and the 
        public through the National Cyber Alert System when cyber 
        attacks occur.

           EINSTEIN--The EINSTEIN program is an intrusion detection 
        system which US-CERT uses to monitor the federal civilian 
        network connections for unauthorized traffic.

          National Cyber Response Coordination Group

           The National Cyber Response Coordination Group (NCRCG), 
        composed of US-CERT and the cybersecurity groups of DOD, 
        Federal Bureau of Investigation (FBI), NSA, and the 
        intelligence community, coordinates the federal response to a 
        cyber attack. Once an attack is detected, a warning is issued 
        through the NCRCG to all federal agencies and the public.

          Cyber Storm

           Cyber Storm is a biennial cybersecurity exercise that allows 
        participants to assess their ability to prepare for, protect 
        against, and respond to cyber attacks that are occurring on a 
        large scale and in real time. Cyber Storm exercises have taken 
        place in 2006 and 2008, with five countries, 18 federal 
        agencies, nine U.S. states, and over 40 private sector 
        companies.

          Software Assurance Program

           The Software Assurance Program maintains a clearinghouse of 
        information gathered from federal and private industry 
        cybersecurity efforts, as well as university research, for 
        public use. The Program has established Working Groups focused 
        on specific software areas and holds regular forums to help 
        encourage collaboration.

National Cyber Security Center
    The NCSC was created in 2008 to act as a coordinating group for 
consolidating, assessing, and disseminating information on cyber 
attacks and vulnerabilities gathered from the cybersecurity efforts of 
DOD, DHS, NSA, FBI, and the intelligence community. By collecting 
information from all of these departments, the NCSC was established to 
provide a single source of critical cybersecurity information for all 
public and private stakeholders. Funding for NCSC in FY 2010 is $4 
million.

Cyber Security Research and Development Center
    Cyber security research within DHS is planned, managed, and 
coordinated through the Science and Technology Directorate's Cyber 
Security Research and Development Center. This center supports the 
research efforts of the Homeland Security Advanced Research Projects 
Agency (HSARPA), coordinates the testing and evaluation of 
technologies, and manages technology transfer efforts. The FY 2010 
budget includes $37.2 million for cyber security R&D at DHS; this is an 
increase of $6.6 million over FY 2009.

National Institute of Standards and Technology

    NIST is tasked with protecting the federal information technology 
network by developing and promulgating cybersecurity standards for 
federal civilian network systems (Federal Information Processing 
Standard [FIPS]), identifying methods for assessing effectiveness of 
security requirements, conducting tests to validate security in 
information systems, and conducting outreach exercises. These tasks 
were assigned to NIST in the Computer Security Act of 1987. In the 
Federal Information Security Management Act of 2002, OMB was tasked to 
develop implementation plans and enforce the use of the FIPS developed 
by NIST. Cybersecurity activities are conducted through NIST's 
Information Technology Laboratory which has a budget request of $72 
million for FY 2010, including $15 million in support of the CNCI and 
$29 million for Computer Security Information Assurance (CSIA) R&D.

Computer Security Division
    The Computer Security Division (CSD) within the Information 
Technology Laboratory houses the cybersecurity activities of NIST and 
is divided into four groups.

          Security Technology

           The Security Technology group focuses on cryptography and 
        online identity authentication. These foci ensure that access 
        to information is only granted to the appropriate users and 
        done so in a secure manner using technologies such as: 
        cryptographic protocols and interfaces, public key certificate 
        management, biometrics, and smart tokens.

          Systems and Network Security

           The Systems and Network Security group maintains a number of 
        databases and checklists that are designed to assist public and 
        private network users in configuration of more secure systems. 
        The group also conducts research in all areas of network 
        security technology to develop new standards and transfer 
        technologies to the public.

                 National Checklist Program--This program helps develop 
                and maintain checklists to guide network users to 
                configure network systems with basic security settings.

                 National Vulnerability Database--This database 
                contains information on known vulnerabilities in 
                software and fixes for these vulnerabilities.

                 Federal Desktop Core Configuration--This program 
                supplies security configurations for all federal 
                civilian network systems using either Microsoft Windows 
                XP or Vista. By supplying a standard configuration, 
                this program enables security professionals to default 
                to a known secure configuration for all new desktop 
                computers and when experiencing a cyber attack.

          Security Management and Assistance

           This group extends information security training, awareness 
        and education programs to both public and private parties.

                 Information Security and Privacy Advisory Board--This 
                board advises NIST, the Secretary of Commerce, and OMB 
                on information security and privacy issues pertaining 
                to federal civilian network systems. They also review 
                proposed standards and guidelines developed by NIST.

                 Small Business Corner--This program provides workshops 
                for small business owners to learn how to secure 
                business information on small networks in a practical 
                and cost-effective manner.

          Security Testing and Metrics

           The Security Testing and Metrics group develops methods and 
        baselines to test security products and validate products for 
        government use.

    Chair Wu. Good afternoon. I would like to welcome everyone 
to today's hearing on the cybersecurity activities of the 
National Institute of Standards and Technology (NIST) and the 
Department of Homeland Security (DHS). This is the third 
hearing the Science and Technology Committee has held on this 
very, very important issue.
    The prior hearings discussed the research and development 
needs for improved cybersecurity and federal agencies' 
responses to recommendations made in the Cyberspace Policy 
Review.
    All of us, in both public and private sectors, rely on IT 
(Information Technology) networks to manage a great many things 
ranging from online bank accounts to the power grid. With this 
increased reliance on networks, we have become more sensitive 
to the security of these networks. To support cybersecurity 
efforts, the prior Administration implemented an estimated $40 
billion Comprehensive National Cybersecurity Initiative in 
January of 2008.
    This year alone, DHS and NIST have requested over $500 
million for their cybersecurity efforts, with an additional 
$340 million requested for research through the Networking and 
Information Technology Research and Development (NITRD) 
Program. Even by government standards, almost $850 million is a 
fair amount of money.
    Despite the substantial funding levels and many hours spent 
by federal employees on this issue, the assessment remains the 
same: overall, our cybersecurity remains poor.
    The Administration's Cyberspace Policy Review emphasized 
the recommendations made in previous reports: first, bolster 
cybersecurity operations protecting the federal network 
systems; second, improve interagency and private sector 
coordination; third, modernize and coordinate the research 
agenda; and fourth, enhance public education on cybersecurity. 
This committee wants to understand the impediments that have 
prevented similar recommendations from being successfully 
implemented in the past.
    I believe one key recommendation made in the Cyberspace 
Policy Review is the need for objectives and metrics to 
accurately measure cybersecurity performance. The development 
of these metrics would provide a base from which we could 
improve program assessment, budgeting, research and development 
prioritization, and strategic planning.
    This recommendation mirrors the Subcommittee's belief that 
agencies should be accountable for real-world outcomes, rather 
than outputs measured in terms of money spent, projects 
supported, and interagency meetings, which is how the agencies 
categorized their success at a Subcommittee hearing last week.
    As is generally the case, we have many recommendations, but 
the devil is in the details. I hope that in addition to making 
suggestions on this hearing's issues, our witnesses can tell us 
what is required to implement their recommendations.
    I want to thank our witnesses for appearing before us 
today, and now I would like to recognize my friend and 
colleague, Mr. Smith from Nebraska, for his opening statement.
    [The prepared statement of Chair Wu follows:]

                  Prepared Statement of Chair David Wu

    Good afternoon. I want to welcome everyone to today's hearing on 
the cybersecurity activities of the National Institute of Standards and 
Technology and the Department of Homeland Security. This is the third 
hearing the Science and Technology Committee has held on this critical 
issue.
    The previous hearings discussed the research and development needs 
for improved cybersecurity and federal agencies' responses to 
recommendations made in the Cyberspace Policy Review.
    All of us, in both public and private sectors, rely on IT networks 
to manage everything from online bank accounts to the power grid. With 
this increased reliance on networks, we have become more sensitive to 
the security of these networks. To support cybersecurity efforts, the 
previous administration implemented an estimated $40 billion 
Comprehensive National Cybersecurity Initiative in January 2008.
    This year alone, DHS and NIST have requested over $500 million for 
their cybersecurity efforts, with an additional $340 million requested 
for research through the Networking and Information Technology Research 
and Development Program. Even by government standards, almost $850 
million is a lot of money.
    Despite the substantial funding levels and many hours spent by 
federal employees on this issue, the assessment remains the same: our 
cybersecurity is poor.
    The Administration's Cyberspace Policy Review re-emphasized the 
recommendations made in previous reports: first, bolster cybersecurity 
operations protecting the federal network systems; second, improve 
interagency and private sector coordination; third, modernize the 
research agenda; and fourth, enhance public education on cybersecurity. 
This committee wants to understand the impediments that have 
prevented similar recommendations from being successfully implemented 
in the past.
    I believe one key recommendation made in the Cyberspace Policy 
Review is the need for objectives and metrics to accurately measure 
cybersecurity performance. The development of these metrics would 
provide a base from which we could improve program assessment, 
budgeting, research and development prioritization, and strategic 
planning.
    This recommendation mirrors the Subcommittee's belief that agencies 
should be accountable for real-world outcomes, rather than outputs 
measured in terms of money spent, projects supported, and interagency 
meetings, which is how the agencies categorized their success at a 
Subcommittee hearing last week.
    As is generally the case, we have many recommendations, but the 
devil is in the details. I hope that in addition to making suggestions 
on this hearing's issues, our witnesses can tell us what is required to 
implement their recommendations.

    Mr. Smith. Thank you, Mr. Chair, for calling the hearing 
today on cybersecurity, the third in a series of hearings held 
by the Committee this month.
    While the Committee's jurisdiction on cybersecurity issues 
is generally limited to two agencies, DHS and NIST, because of 
their broad roles and responsibilities, the activities of both 
agencies directly impact not only the entire Federal Government 
but also many private sector computer security stakeholders. 
Accordingly, we have the benefit of being able to examine 
cybersecurity through a very broad lens and the opportunity to 
influence the debate on the Government's actions in the most 
important and pressing policy areas.
    To this end, I would like to briefly outline what I see as 
the key, high-level, outstanding questions which drive the 
direction of cybersecurity policy for this committee and 
Congress as we do go forward.
    First, as we explored last week with respect to protection 
of government networks, are we confident the reported $30 
billion effort comprising the Administration's Comprehensive 
National Cybersecurity Initiative, CNCI, is appropriately 
focused, and will DHS's centerpiece EINSTEIN program provide 
effective and lasting security? If not, what are the best 
alternatives to this investment and focus area, and perhaps 
more importantly, how do we do a better job at measuring 
cybersecurity so we can more systematically evaluate technology 
and policy options and perhaps even fit in a hearing between 
votes?
    The largest outstanding questions, however, revolve around 
the nature of the relationship between the government and the 
private sector and efforts to secure non-government systems. 
Stakeholders on all sides place a great deal of emphasis on 
strengthening public-private partnerships to secure critical 
infrastructure, but beyond the well-established goals of 
improving information sharing and policy dialogue, the precise 
features of the desired partnerships as well as the scope of 
what constitutes critical infrastructure have remained largely 
undefined. Does this entail a new regulatory regime at DHS or 
NIST, new liability protections, or incentives for private 
sector actors or some combination thereof? Are there other 
innovative partnership models which could be explored?
    These are all weighty questions which will not be answered 
at this hearing or in the immediate future, but I believe they 
require the careful attention of Congress going forward as we 
consider legislative options to improve network security.
    I thank the Chair for assembling an excellent panel today. 
Thank you for being here, and I look forward to the productive 
discussion.
    [The prepared statement of Mr. Smith follows:]

           Prepared Statement of Representative Adrian Smith

    Mr. Chairman, thank you for calling this hearing today on 
cybersecurity--the third in a series of hearings held by the Committee 
this month.
    While the Subcommittee's jurisdiction on cybersecurity issues is 
generally limited to two agencies--DHS and NIST--because of their broad 
roles and responsibilities, the activities of both of these agencies 
directly impact not only the entire Federal Government but also many 
private sector computer security stakeholders.
    Accordingly, we have the benefit of being able to examine 
cybersecurity through a very broad lens, and the opportunity to 
influence the debate on--and the government's actions in--the most 
important and pressing policy areas.
    To this end, I would like to briefly outline what I see as the key, 
high-level outstanding questions that should drive the direction of 
cybersecurity policy for this committee and for Congress as we go 
forward.
    First, as we explored last week with respect to protection of 
government networks, are we confident that the reported $30 billion 
effort that comprises the Administration's Comprehensive National 
Cybersecurity Initiative (CNCI) is appropriately focused, and will 
DHS's centerpiece ``EINSTEIN'' program provide effective and lasting 
security? If not, what are the best alternatives to this investment and 
focus area? And perhaps more importantly, how do we do a better job at 
measuring cybersecurity so we can more systematically evaluate 
technology and policy options?
    The largest outstanding questions, however, revolve around the 
nature of the relationship between the government and the private 
sector in efforts to secure non-government systems. Stakeholders on all 
sides place a great deal of emphasis on strengthening ``public-private 
partnerships'' to secure ``critical infrastructure,'' but 
beyond the well established goals of improving information sharing and 
policy dialogue, the precise features of the desired ``partnerships''--
as well as the scope of what constitutes ``critical infrastructure''--
have remained largely undefined. Does this entail a new regulatory 
regime at DHS or NIST, new liability protections or incentives for 
private sector actors, or some combination thereof? Are there other 
innovative ``partnership'' models that should be explored?
    These are all weighty questions that will not be answered at this 
hearing or in the immediate future, but I believe they require the 
careful attention of Congress going forward as we consider legislative 
options to improve network security.
    I thank the Chairman for assembling an excellent panel today, and I 
look forward to a productive discussion.

    Chair Wu. Thank you, Mr. Smith. And as you all probably 
noticed from the bells, votes have been called. This will be a 
substantial series of votes. I want to apologize to the 
witnesses and all the participants here for the inconvenience, 
but I just want to note that these votes are called without 
consideration for any of the individual Members and rarely of 
any individual Committee. But what I intend to do is proceed to 
introduce the witnesses, and we may be able to get through the 
testimony of one or two witnesses before Mr. Smith and I and 
the other Members who come here will have to leave to vote, and 
then we will recess this hearing until after the last vote at 
which time we will reconvene and finish the testimony and 
proceed to questions.
    [The prepared statement of Mr. Mitchell follows:]

         Prepared Statement of Representative Harry E. Mitchell

    Thank you, Mr. Chairman.
    As the world becomes increasingly connected through the Internet, 
it is critical to ensure that we have a secure and reliable cyberspace 
policy.
    Today we will be discussing the cybersecurity efforts of the 
Department of Homeland Security (DHS) and the National Institute of 
Standards and Technology (NIST).
    Specifically, we will be learning more from the private sector on 
how federal cybersecurity activities can enhance privately-owned 
critical infrastructure, better monitor federal networks, and more 
clearly define cybersecurity performance with metrics and success 
criteria.
    I look forward to hearing more from our witnesses on how the 
Federal Government can partner with the private sector to guarantee an 
effective and secure cyberspace policy.
    I yield back.

    Chair Wu. And with that, it is my pleasure to introduce our 
witnesses. Mr. Greg Wilshusen is the Director of Information 
Security Issues at the Government Accountability Office (GAO). 
Mr. Mark Bregman is the Executive Vice President and Chief 
Technology Officer of Symantec Corporation. Mr. Scott Charney 
is the Corporate Vice President of Microsoft's Trustworthy 
Computer Group, and Mr. Harper is the Director of Information 
Policy Studies at the Cato Institute.
    You each will have five minutes for your spoken testimony. 
Your written testimony will be included in the record in its 
entirety. And when you complete all of your testimony, we will 
start with questions. At that point, each Member will have five 
minutes to ask questions.
    Mr. Wilshusen, please proceed.

 STATEMENT OF MR. GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
     SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chair Wu, Ranking Member Smith, thank you 
for the opportunity to testify at today's hearing on the 
cybersecurity activities performed by the Department of 
Homeland Security and the National Institute of Standards and 
Technology.
    Federal laws and policy have assigned important roles and 
responsibilities to DHS and NIST with securing computer systems 
and networks. DHS is charged with coordinating the protection 
of cyber-critical infrastructures, much of which is owned by 
the private sector, and securing its own computer systems, 
while NIST is responsible for developing standards and 
guidelines for implementing security controls over computer 
systems and information.
    Today I will describe cybersecurity efforts at DHS and 
NIST, including partnership activities with the private sector 
and the use of cybersecurity performance metrics in the Federal 
Government.
    Over the past three years, GAO has consistently reported 
that DHS has yet to fully satisfy its key responsibilities, 
including those for coordinating the protection of cyber-critical 
infrastructures and serving as the primary federal focal point for 
cybersecurity efforts. While the department has 
achieved some successes, shortcomings exist in key areas 
including bolstering cyber analysis and warning capabilities, 
improving the security of infrastructure control systems, 
strengthening its ability to help facilitate recovery from 
Internet disruptions, reducing organizational inefficiencies, 
completing actions identified during cyber exercises, and 
securing internal information systems.
    We have made about 90 recommendations to assist DHS in 
addressing these shortcomings. The department has implemented 
some of our recommendations but still has not fully satisfied 
most of them and thus needs to take further action to address 
these areas.
    Pursuant to its responsibilities under the Federal 
Information Security Management Act, or FISMA, NIST has 
developed a suite of mandatory standards and guidelines that 
are intended to assist agencies in developing and implementing 
information security programs and in managing risk to agency 
operations and assets. In addition, NIST has worked with both 
public- and private-sector entities to enhance its 
cybersecurity products. The resulting guidance and tools 
provided by NIST serve as important resources that federal 
agencies can apply to their information security programs.
    Mr. Chair, as the old adage goes, what gets measured gets 
done, and so it is with the security measures that agencies use 
to report on their progress implementing the requirements of 
FISMA.
    According to the performance metrics established by the 
Office of Management and Budget (OMB), agencies generally 
reported increasing compliance in implementing key 
cybersecurity control activities. However, GAO and agency IGs 
(Inspectors General) continue to report significant weaknesses 
in controls. This dichotomy exists in part because the OMB-
defined metrics generally measure whether or not a control 
activity has been implemented, not how well it has been 
implemented. As a result, reported metrics may not provide a 
complete picture of the agency's cybersecurity posture. 
Providing information on the effectiveness of controls and 
processes could further enhance the usefulness of the data for 
management and oversight of agency information security 
programs.
    In summary, Mr. Chair, DHS has not fully satisfied its 
cybersecurity responsibilities and needs to take further action 
to address shortcomings in several areas, including its efforts 
to coordinate with the private sector to ensure protection of 
our nation's cyber-critical infrastructures. NIST has developed 
a significant number of standards and guidelines for 
information security and continues to assist organizations in 
implementing security controls, and while NIST's role is to 
develop guidance, it remains the responsibility of federal 
agencies to effectively implement and sustain security over 
their systems. Developing and using metrics that measure how 
well agencies implement important controls can contribute to 
increased focus on the effective implementation of federal 
information security.
    Mr. Chair, this concludes my opening statement, and I would 
be happy to answer questions at the appropriate time.
    [The prepared statement of Mr. Wilshusen follows:]

               Prepared Statement of Gregory C. Wilshusen

Chairman Wu and Members of the Subcommittee:

    Thank you for the opportunity to participate in today's hearing on 
computer-based (cyber) security activities at the Department of 
Homeland Security (DHS) and the National Institute of Standards and 
Technology (NIST). Cyber security is a critical consideration for any 
organization that depends on information systems and computer networks 
to carry out its mission or business. The need for a vigilant approach 
to cyber security has been demonstrated by the pervasive and sustained 
cyber attacks against the United States and others that continue to 
pose significant risks to computer systems and networks and the 
operations and critical infrastructures that they support.
    In my testimony today, I will describe cyber security activities at 
DHS and NIST, including those activities related to establishing 
public/private partnerships with the owners of critical infrastructure. 
In addition, I will discuss the use of cyber security-related metrics 
in the Federal Government. In preparing for this testimony, we relied 
on our previous reports on federal information security and on DHS's 
efforts to fulfill its national cyber security responsibilities. We 
also relied on a draft report of our review of agencies' implementation 
of the Federal Information Security Management Act (FISMA).\1\ These 
reports contain detailed overviews of the scope of our work and the 
methodology we used.
---------------------------------------------------------------------------
    \1\ FISMA was enacted as title III, E-Government Act of 2002, Pub. 
L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). It permanently 
authorized and strengthened information security program, evaluation, 
and annual reporting requirements for federal agencies. The act also 
assigns specific responsibilities to agency heads and chief information 
officers, NIST, and the Office of Management and Budget (OMB).
---------------------------------------------------------------------------
    The work on which this testimony is based was performed in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform audits to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives.

Background

    As computer technology has advanced, federal agencies have become 
dependent on computerized information systems to carry out their 
operations and to process, maintain, and report essential information. 
Virtually all federal operations are supported by computer systems and 
electronic data, and agencies would find it difficult, if not 
impossible, to carry out their missions, deliver services to the 
public, and account for their resources without these cyber assets. 
Information security is thus especially important for federal agencies 
to ensure the confidentiality, integrity, and availability of their 
systems and data. Conversely, ineffective information security controls 
can result in significant risk to a broad array of government 
operations and assets, as the following examples illustrate:

          Computer resources could be used for unauthorized 
        purposes or to launch attacks on other computer systems.

          Sensitive information, such as personally 
        identifiable information, intellectual property, and 
        proprietary business information could be inappropriately 
        disclosed, browsed, or copied for purposes of identity theft, 
        espionage, or other types of crime.

          Critical operations, such as those supporting 
        critical infrastructure, national defense, and emergency 
        services, could be disrupted.

          Data could be added, modified, or deleted for 
        purposes of fraud, subterfuge, or disruption.

    Government officials are increasingly concerned about attacks from 
individuals and groups with malicious intent, such as criminals, 
terrorists, and adversarial foreign nations. For example, in February 
2009, the Director of National Intelligence testified that foreign 
nations and criminals have targeted government and private sector 
networks to gain a competitive advantage and potentially disrupt or 
destroy them, and that terrorist groups have expressed a desire to use 
cyber attacks as a means to target the United States.\2\ The growing 
connectivity between information systems, the Internet, and other 
infrastructures creates opportunities for attackers to disrupt 
telecommunications, electrical power, and other critical 
infrastructures. As government, private sector, and personal activities 
continue to move to networked operations, digital systems add ever more 
capabilities, wireless systems become more ubiquitous, and the design, 
manufacture, and service of information technology have moved overseas, 
the threat will continue to grow.
---------------------------------------------------------------------------
    \2\ Statement of the Director of National Intelligence before the 
Senate Select Committee on Intelligence, Annual Threat Assessment of 
the Intelligence Community for the Senate Select Committee on 
Intelligence (Feb. 12, 2009).

DHS Is a Focal Point for National Cyber Security Efforts

    Federal law and policy\3\ establish DHS as the focal point for 
efforts to protect our nation's computer-reliant critical 
infrastructures\4\--a practice known as cyber critical infrastructure 
protection, or cyber CIP. In this capacity, the department has multiple 
cyber security-related roles and responsibilities. In 2005, we 
identified, and reported on, 13 key cyber security responsibilities.\5\ 
They include, among others, (1) developing a comprehensive national 
plan for CIP, including cyber security; (2) developing partnerships and 
coordinating with other federal agencies, State and local governments, 
and the private sector; (3) developing and enhancing national cyber 
analysis and warning capabilities; (4) providing and coordinating 
incident response and recovery planning, including conducting incident 
response exercises; and (5) identifying, assessing, and supporting 
efforts to reduce cyber threats and vulnerabilities, including those 
associated with infrastructure control systems.\6\ Within DHS, the 
National Protection and Programs Directorate has primary responsibility 
for assuring the security, resiliency, and reliability of the Nation's 
cyber and communications infrastructure.
---------------------------------------------------------------------------
    \3\ These include the Homeland Security Act of 2002, Homeland 
Security Presidential Directive-7, and the National Strategy to Secure 
Cyberspace.
    \4\ Critical infrastructures are systems and assets, whether 
physical or virtual, so vital to nations that their incapacity or 
destruction would have a debilitating impact on national security, 
national economic security, national public health or safety, or any 
combination of those matters. Federal policy established 18 critical 
infrastructure sectors: agriculture and food, banking and finance, 
chemical, commercial facilities, communications, critical 
manufacturing, dams, defense industrial base, emergency services, 
energy, government facilities, information technology, national 
monuments and icons, nuclear reactors, materials and waste, postal and 
shipping, public health and health care, transportation systems, and 
water.
    \5\ GAO, Critical Infrastructure Protection: Department of Homeland 
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, 
GAO-05-434 (Washington, D.C.: May 26, 2005) and Critical Infrastructure 
Protection: Challenges in Addressing Cybersecurity, GAO-05-827T 
(Washington, D.C.: July 19, 2005).
    \6\ Control systems are computer-based systems that perform vital 
functions in many of our nation's critical infrastructures, including 
electric power generation, transmission, and distribution; oil and gas 
refining and pipelines; water treatment and distribution; chemical 
production and processing; railroads and mass transit; and 
manufacturing.
---------------------------------------------------------------------------
    DHS is also responsible for securing its own computer networks, 
systems, and information. FISMA requires the department to develop and 
implement an agencywide information security program to provide 
security for the information and information systems that support the 
operations and assets of the agency. Within DHS, the Chief Information 
Officer is responsible for ensuring departmental compliance with 
federal information security requirements.

NIST Is Responsible for Establishing Federal Standards and Guidance for 
                    Information Security

    FISMA tasks NIST--a component within the Department of Commerce--
with responsibility for developing standards and guidelines, including 
minimum requirements, for (1) information systems used or operated by 
an agency or by a contractor of an agency or other organization on 
behalf of the agency and (2) providing adequate information security 
for all agency operations and assets, except for national security 
systems. The Act specifically required NIST to develop, for systems 
other than national security systems, (1) standards to be used by all 
agencies to categorize all their information and information systems 
based on the objectives of providing appropriate levels of information 
security, according to a range of risk levels; (2) guidelines 
recommending the types of information and information systems to be 
included in each category; and (3) minimum information security 
requirements for information and information systems in each category. 
NIST also is required to develop a definition of and guidelines for 
detection and handling of information security incidents as well as 
guidelines developed in conjunction with the Department of Defense and 
the National Security Agency for identifying an information system as a 
national security system. Within NIST, the Computer Security Division 
of the Information Technology Laboratory is responsible for developing 
information security-related standards and guidelines.
    FISMA also requires NIST to take other actions that include:

          conducting research, as needed, to determine the 
        nature and extent of information security vulnerabilities and 
        techniques for providing cost-effective information security;

          developing and periodically revising performance 
        indicators and measures for agency information security 
        policies and practices;

          evaluating private sector information security 
        policies and practices and commercially available information 
        technologies, to assess potential application by agencies to 
        strengthen information security; and

          assisting the private sector in using and applying 
        the results of its activities required by FISMA.

    In addition, the Cyber Security Research and Development Act\7\ 
required NIST to develop checklists to minimize the security risks for 
each hardware or software system that is, or is likely to become, 
widely used within the Federal Government.
---------------------------------------------------------------------------
    \7\ Cyber Security Research and Development Act, Pub. L. No. 107-
305, 116 Stat. 2367 (Nov. 27, 2002).

Metrics Established to Evaluate Information Security Programs

    FISMA also requires the Office of Management and Budget (OMB) to 
develop policies, principles, standards, and guidelines on information 
security and to report annually to Congress on agency compliance with 
the requirements of the Act. OMB has provided instructions to federal 
agencies and their inspectors general for preparing annual FISMA 
reports. These instructions focus on metrics related to the performance 
of key control activities such as developing a complete inventory of 
major information systems, providing security training to personnel, 
testing and evaluating security controls, testing contingency plans, 
and certifying and accrediting systems. FISMA reporting provides 
valuable information on the status and progress of agency efforts to 
implement effective security management programs.

Recent Efforts to Improve National Cyber Security Strategy

    Because the threats to federal information systems and critical 
infrastructure have persisted and grown, President Bush in January 2008 
began to implement a series of initiatives--commonly referred to as the 
Comprehensive National Cybersecurity Initiative--aimed primarily at 
improving DHS's and other federal agencies' efforts to protect against 
intrusion attempts and anticipate future threats.\8\ Since then, 
President Obama (in February 2009) directed the National Security 
Council and Homeland Security Council to conduct a comprehensive review 
to assess the United States' cyber security-related policies and 
structures. The resulting report, ``Cyberspace Policy Review: Assuring 
a Trusted and Resilient Information and Communications 
Infrastructure,'' recommended, among other things, appointing an 
official in the White House to coordinate the Nation's cyber security 
policies and activities, creating a new national cyber security 
strategy, and developing a framework for cyber research and 
development.\9\ In addition, we testified in March 2009\10\ that a 
panel of experts identified 12 key areas of the national cyber security 
strategy requiring improvement, such as developing a national strategy 
that clearly articulates strategic objectives, goals, and priorities; 
bolstering the public/private partnership; and placing a greater 
emphasis on cyber security research and development.
---------------------------------------------------------------------------
    \8\ The White House, National Security Presidential Directive 54/
Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8, 
2008).
    \9\ The White House, Cyberspace Policy Review: Assuring a Trusted 
and Resilient Information and Communications Infrastructure 
(Washington, D.C.: May 29, 2009).
    \10\ GAO, National Cybersecurity Strategy: Key Improvements Are 
Needed To Strengthen the Nation's Posture, GAO-09-432T (Washington, 
D.C.: March 10, 2009).

DHS Has Yet to Fully Satisfy Its Cyber Security Responsibilities

    We have reported since 2005 that DHS has yet to comprehensively 
satisfy its key responsibilities for protecting computer-reliant 
critical infrastructures. Our reports included about 90 recommendations 
that we summarized into key areas, including those listed in Table 1, 
that are essential for DHS to address in order to fully implement its 
responsibilities. DHS has since developed and implemented certain 
capabilities to satisfy aspects of its responsibilities, but the 
department still has not fully implemented our recommendations, and 
thus further action needs to be taken to address these areas.




Bolstering Cyber Analysis and Warning Capabilities

    In July 2008, we identified\11\ that cyber analysis and warning 
capabilities included (1) monitoring network activity to detect 
anomalies, (2) analyzing information and investigating anomalies to 
determine whether they are threats, (3) warning appropriate officials 
with timely and actionable threat and mitigation information, and (4) 
responding to the threat. These four capabilities are comprised of 15 
key attributes, including establishing a baseline understanding of the 
Nation's critical network assets and integrating analysis work into 
predictive analyses of broader implications or potential future 
attacks.
---------------------------------------------------------------------------
    \11\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in 
Establishing a Comprehensive National Capability, GAO-08-588 
(Washington, D.C.: July 31, 2008).
---------------------------------------------------------------------------
    We concluded that while DHS's United States Computer Emergency 
Readiness Team (US-CERT) demonstrated aspects of each of the key 
attributes, it did not fully incorporate all of them. For example, as 
part of its monitoring, US-CERT obtained information from numerous 
external information sources; however, it had not established a 
baseline of the Nation's critical network assets and operations. In 
addition, while it investigated whether identified anomalies 
constituted actual cyber threats or attacks as part of its analysis, it 
did not integrate its work into predictive analyses of broader 
implications or potential future attacks, nor did it have the 
analytical or technical resources to analyze multiple, simultaneous 
cyber incidents. The organization also provided warnings by developing 
and distributing a wide array of attack and other notifications; 
however, these notifications were not consistently actionable or 
timely--i.e., providing the right information to the right persons or 
groups as early as possible to give them time to take appropriate 
action. Further, while the team responded to a limited number of 
affected entities in its efforts to contain and mitigate an attack, 
recover from damages, and remediate vulnerabilities, it did not possess 
the resources to handle multiple events across the Nation.
    We also concluded that without fully implementing the key 
attributes, US-CERT did not have the full complement of cyber analysis 
and warning capabilities essential to effectively perform its national 
mission. As a result, we made 10 recommendations to the department to 
address shortfalls associated with the 15 attributes in order to fully 
establish a national cyber analysis and warning capability. DHS 
concurred and agreed to implement 9 of our 10 recommendations.

Improving Cyber Security of Infrastructure Control Systems

    In a September 2007 report and October 2007 testimony, we 
reported\12\ that DHS was sponsoring multiple control systems security 
initiatives, including an effort to improve control systems cyber 
security using vulnerability evaluation and response tools. However, 
DHS had not established a strategy to coordinate the various control 
systems activities across federal agencies and the private sector, and 
it did not effectively share information on control system 
vulnerabilities with the public and private sectors. Accordingly, we 
recommended that DHS develop a strategy to guide efforts for securing 
control systems and establish a rapid and secure process for sharing 
sensitive control system vulnerability information. In response, DHS 
recently began developing a strategy and a process to share sensitive 
information.
---------------------------------------------------------------------------
    \12\ GAO, Critical Infrastructure Protection: Multiple Efforts to 
Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-
1036 (Washington, D.C.: Sept. 10, 2007) and Critical Infrastructure 
Protection: Multiple Efforts to Secure Control Systems Are Under Way, 
but Challenges Remain, GAO-08-119T (Washington, D.C.: Oct. 17, 2007).

Strengthening DHS's Ability to Help Recovery from Internet Disruption

    We reported and later testified\13\ in 2006 that the department had 
begun a variety of initiatives to fulfill its responsibility for 
developing an integrated public/private plan for Internet recovery in 
case of a major disruption. However, we determined that these efforts 
were not comprehensive or complete. As such, we recommended that DHS 
implement nine actions to improve the department's ability to 
facilitate public/private efforts to recover the Internet.
---------------------------------------------------------------------------
    \13\ GAO, Internet Infrastructure: Challenges in Developing a 
Public/Private Recovery Plan, GAO-06-863T (Washington, D.C.: July 28, 
2006); and Internet Infrastructure: DHS Faces Challenges in Developing 
a Joint Public/Private Recovery Plan, GAO-06-672 (Washington, D.C.: 
June 16, 2006).
---------------------------------------------------------------------------
    In October 2007, we testified\14\ that the department had made 
progress in implementing our recommendations; however, seven of the 
nine had not been completed. For example, it revised key plans in 
coordination with private industry infrastructure stakeholders, 
coordinated various Internet recovery-related activities, and addressed 
key challenges to Internet recovery planning. However, it has not, 
among other things, finalized recovery plans and defined the 
interdependencies among DHS's various working groups and initiatives. 
In other words, it has not completed an integrated private/public plan 
for Internet recovery. As a result, we concluded that the Nation lacked 
direction from the department on how to respond in such a contingency. 
We also noted that these incomplete efforts indicated that DHS and the 
Nation were not fully prepared to respond to a major Internet 
disruption. To date, an integrated public/private plan for Internet 
recovery does not exist.
---------------------------------------------------------------------------
    \14\ GAO, Internet Infrastructure: Challenges in Developing a 
Public/Private Recovery Plan, GAO-08-212T (Washington, D.C.: Oct. 23, 
2007).

Reducing Organizational Inefficiencies

    In June 2008, we reported\15\ on the status of DHS's efforts to 
establish an integrated operations center that it agreed to adopt per 
recommendations from a DHS-commissioned expert task force. We 
determined that while DHS had taken the first step towards integrating 
two operations centers--the National Coordination Center Watch and US-
CERT--it had yet to implement the remaining steps, complete a strategic 
plan, or develop specific tasks and milestones for completing the 
integration. We concluded that until the two centers were fully 
integrated, DHS was at risk of being unable to efficiently plan for and 
respond to disruptions to communications infrastructure and the data 
and applications that travel on this infrastructure, increasing the 
probability that communications will be unavailable or limited in times 
of need. As a result, we recommended that the department complete its 
strategic plan and define tasks and milestones for completing remaining 
integration steps so that we are better prepared to provide an 
integrated response to disruptions to the communications 
infrastructure. DHS concurred with our first recommendation and stated 
that it would address the second recommendation as part of finalizing 
its strategic plan.
---------------------------------------------------------------------------
    \15\ GAO, Critical Infrastructure Protection: Further Efforts 
Needed to Integrate Planning for and Response to Disruption on 
Converged Voice and Data Networks, GAO-08-607 (Washington, D.C.: June 
26, 2008).

Completing Corrective Actions Identified During a Cyber Exercise

    In September 2008, we reported\16\ on a major DHS-coordinated cyber 
attack exercise called Cyber Storm, which occurred in 2006 and included 
large-scale simulations of multiple concurrent attacks involving the 
Federal Government, states, foreign governments, and private industry. 
We determined that DHS had identified eight lessons learned from this 
exercise, such as the need to improve interagency coordination groups 
and the exercise program. We also concluded that while DHS had 
demonstrated progress in addressing the lessons learned, more needed to 
be done. Specifically, while the department completed 42 of the 66 
activities identified to address the lessons learned, it identified 16 
activities as ongoing and seven as planned for the future.\17\ In 
addition, DHS provided no timetable for the completion dates of the 
ongoing activities. We noted that until DHS scheduled and completed its 
remaining activities, it was at risk of conducting subsequent exercises 
that repeated the lessons learned during the first exercise. 
Consequently, we recommended that DHS schedule and complete the 
identified corrective activities so that its cyber exercises can help 
both public and private sector participants coordinate their responses 
to significant cyber incidents. DHS agreed with the recommendation. To 
date, DHS has continued to make progress in completing some identified 
activities but has yet to do so for others.
---------------------------------------------------------------------------
    \16\ GAO, Critical Infrastructure Protection: DHS Needs To Fully 
Address Lessons Learned from Its First Cyber Storm Exercise, GAO-08-825 
(Washington, D.C.: Sept. 9, 2008).
    \17\ At that time, DHS reported that one other activity had been 
completed, but the department was unable to provide evidence 
demonstrating its completion.

Developing Sector Specific Plans that Fully Address All of the Cyber-Related Criteria

    In 2007, we reported and testified\18\ on the cyber security 
aspects of CIP plans for 17 critical infrastructure sectors, referred 
to as sector-specific plans. Lead federal agencies, referred to as 
sector-specific agencies, are responsible for coordinating critical 
infrastructure protection efforts with the public and private 
stakeholders in their respective sectors. DHS guidance requires each of 
the sector-specific agencies to develop plans to address how the 
sectors' stakeholders would implement the national plan and how they 
would improve the security of their assets, systems, networks, and 
functions.
---------------------------------------------------------------------------
    \18\ GAO, Critical Infrastructure Protection: Sector-Specific 
Plans' Coverage of Key Cyber Security Elements Varies, GAO-08-64T 
(Washington D.C.: October 31, 2007) and Critical Infrastructure 
Protection: Sector-Specific Plans' Coverage of Key Cyber Security 
Elements Varies, GAO-08-113 (Washington D.C.: Oct. 31, 2007).
---------------------------------------------------------------------------
    We determined that none of the plans fully addressed the 30 key 
cyber security-related criteria described in DHS guidance. Further, 
while several sectors' plans fully addressed many of the criteria, 
others were less comprehensive. In addition to the variations in the 
extent to which the plans covered aspects of cyber security, there was 
also variance among the plans in the extent to which certain criteria 
were addressed. Consequently, we recommended\19\ that DHS request that 
the sector-specific agencies fully address all cyber-related criteria 
by September 2008 so that stakeholders within the infrastructure 
sectors will effectively identify, prioritize, and protect the cyber 
aspects of their CIP efforts. We are currently reviewing the progress 
made in the sector specific plans.
---------------------------------------------------------------------------
    \19\ GAO-08-113.
---------------------------------------------------------------------------
    We testified in March 2009\20\ regarding the need to bolster 
public/private partnerships associated with cyber CIP. According to 
panel members, there are not adequate economic and other incentives 
(i.e., a value proposition) for greater investment and partnering with 
owners and operators of critical cyber assets and functions. 
Accordingly, panelists stated that the Federal Government should 
provide valued services (such as offering useful threat or analysis and 
warning information) or incentives (such as grants or tax reductions) 
to encourage action by and effective partnerships with the private 
sector. They also suggested that public and private sector entities use 
means such as cost-benefit analyses to ensure the efficient use of 
limited cyber security-related resources. We are also currently 
initiating a review of the status of the public/private partnerships in 
cyber CIP.
---------------------------------------------------------------------------
    \20\ GAO-09-432T.

Securing Internal Information Systems

    Besides weaknesses relating to external cyber security 
responsibilities, DHS had not secured its own information systems. In 
July 2007, we reported\21\ that DHS systems supporting the US-VISIT 
program\22\ were riddled with significant information security control 
weaknesses that place sensitive information--including personally 
identifiable information--at increased risk of unauthorized and 
possibly undetected disclosure and modification, misuse, and 
destruction, and place program operations at increased risk of 
disruption. Weaknesses existed in all control areas and computing 
device types reviewed. For example, DHS had not implemented controls to 
effectively prevent, limit, and detect access to computer networks, 
systems, and information. To illustrate, it had not (1) adequately 
identified and authenticated users in systems supporting US-VISIT, (2) 
sufficiently limited access to US-VISIT information and information 
systems, and (3) ensured that controls adequately protected external 
and internal network boundaries. In addition, it had not always ensured 
that responsibilities for systems development and system production had 
been sufficiently segregated, and had not consistently maintained 
secure configurations on the application servers and workstations at a 
key data center and ports of entry. As a result, intruders, as well as 
government and contractor employees, could potentially bypass or 
disable computer access controls and undertake a wide variety of 
inappropriate or malicious acts. These acts could include tampering 
with data; browsing sensitive information; using computer resources for 
inappropriate purposes, such as launching attacks on other 
organizations; and disrupting or disabling computer-supported 
operations. According to the department, it has started remediation 
activities to strengthen security over these systems and implement our 
recommendations.
---------------------------------------------------------------------------
    \21\ GAO, Information Security: Homeland Security Needs to 
Immediately Address Significant Weaknesses in Systems Supporting the 
US-VISIT Program, GAO-07-870 (Washington, D.C.: July 13, 2007).
    \22\ The US-VISIT program was established by DHS to record and 
track the entry and departure of foreign visitors who pass through U.S. 
ports of entry by air, land, or sea; to verify their identities; and to 
authenticate their travel documentation.
---------------------------------------------------------------------------
    In January 2009, we briefed congressional staff on security 
weaknesses associated with the development of systems supporting the 
Transportation Security Administration's (TSA) Secure Flight 
program.\23\ Specifically, TSA had not taken sufficient steps to ensure 
that operational safeguards and substantial security measures were 
fully implemented to minimize the risk that the systems will be 
vulnerable to abuse and unauthorized access from hackers and other 
intruders. For example, TSA had not completed testing and evaluating 
key security controls, performed disaster recovery tests, or corrected 
high- and moderate-risk vulnerabilities. Accordingly, we recommended 
that TSA take steps to complete security testing, mitigate known 
vulnerabilities, and update key security documentation prior to initial 
operations. TSA subsequently undertook a number of actions to complete 
these activities. In May 2009, we concluded that TSA had generally met 
its requirements related to systems information security and satisfied 
our recommendations.\24\
---------------------------------------------------------------------------
    \23\ This briefing contained information on our initial January 
2009 assessment and recommendations. TSA, a component of DHS, developed 
an advanced passenger pre-screening program known as Secure Flight that 
will allow TSA to match airline passenger information against terrorist 
watch-list records.
    \24\ GAO, Aviation Security: TSA Has Completed Key Activities 
Associated with Implementing Secure Flight, but Additional Actions Are 
Needed to Mitigate Risks, GAO-09-292 (Washington, D.C.: May 13, 2009).

NIST Has Developed Important Federal Information Security Standards and 
                    Guidelines

    NIST has taken steps to address its FISMA-mandated responsibilities 
by developing a suite of required security standards and guidelines as 
well as other publications that are intended to assist agencies in 
developing and implementing information security programs and 
effectively managing risks to agency operations and assets. In addition 
to developing specific standards and guidelines, NIST developed a set 
of activities to help agencies manage a risk-based approach for an 
effective information security program. These activities are known as 
the NIST Risk Management Framework. Several special publications 
support this framework and collectively provide guidance that agencies 
can apply to their information security programs for selecting the 
appropriate security controls for information systems--including the 
minimum controls necessary to protect individuals and the operations 
and assets of the organization.
    NIST has developed and issued the following documents to meet its 
FISMA mandated responsibilities:

          Federal Information Processing Standards Publication 
        199, Standards for Security Categorization of Federal 
        Information and Information Systems, February 2004. This 
        standard addresses NIST's requirement for developing standards 
        for categorizing information and information systems. It 
        requires agencies to categorize their information systems as 
        low-impact, moderate-impact, or high-impact for the security 
        objectives of confidentiality, integrity, and availability. The 
        security categories are based on the harm or potential impact 
        to an organization should certain events occur which jeopardize 
        the information and information systems needed by the 
        organization to accomplish its assigned mission, protect its 
        assets, fulfill its legal responsibilities, maintain its day-
        to-day functions, and protect individuals. Security categories 
        are to be used in conjunction with vulnerability and threat 
        information in assessing the risk to an organization.

          Special Publication 800-60 Volume I, revision 1, 
        Volume I: Guide for Mapping Types of Information and 
        Information Systems to Security Categories, August 2008. This 
        guide is to assist Federal Government agencies with 
        categorizing information and information systems. It is 
        intended to help agencies consistently map security impact 
        levels to types of (1) information (e.g., privacy, medical, 
        proprietary, financial, investigation); and (2) information 
        systems (e.g., mission critical, mission support, 
        administrative). Furthermore, it is intended to facilitate 
        application of appropriate levels of information security 
        according to a range of levels of impact or consequences that 
        might result from the unauthorized disclosure, modification, or 
        use of the information or information system.

          Federal Information Processing Standards Publication 
        200, Minimum Security Requirements for Federal Information and 
        Information Systems, March 2006. This is the second of the 
        mandatory security standards and specifies minimum security 
        requirements for information and information systems supporting 
        the executive agencies of the Federal Government and a risk-
        based process for selecting the security controls necessary to 
        satisfy the minimum security requirements. Specifically, this 
        standard specifies minimum security requirements for federal 
        information and information systems in 17 security-related 
        areas. Federal agencies are required to meet the minimum 
        security requirements through the use of the security controls 
        in accordance with NIST Special Publication 800-53.

          Special Publication 800-61, revision 1, Computer 
        Security Incident Handling Guide, March 2008. This publication 
        is intended to assist organizations in establishing computer 
        security incident response capabilities and handling incidents 
        efficiently and effectively. It provides guidelines for 
        organizing a computer security incident response capability; 
        handling incidents from initial preparation through post-
        incident lessons learned phase; and handling specific types of 
        incidents, such as denial of service, malicious code, 
        unauthorized access, and inappropriate usage.

          Special Publication 800-59, Guideline for Identifying 
        an Information System as a National Security System, August 
        2003. The purpose of this guide is to assist agencies in 
        determining which, if any, of their systems are national 
        security systems as defined by FISMA and are to be governed by 
        applicable requirements for such systems.

          Special Publication 800-55, Performance Measurement 
        Guide for Information Security, July 2008. The purpose of this 
        guide is to assist in the development, selection, and 
        implementation of measures to be used at the information system 
        and program levels. These measures indicate the effectiveness 
        of security controls applied to information systems and 
        supporting information security programs.

          Special Publication 800-30, Risk Management Guide for 
        Information Technology Systems, July 2002. This guide provides 
        a foundation for the development of an effective risk 
        management program, containing both the definitions and the 
        practical guidance necessary for assessing and mitigating risks 
        identified within IT systems. It also provides information on 
        the selection of cost-effective security controls that can be 
        used to mitigate risk for the better protection of mission-
        critical information and the IT systems that process, store, 
        and carry this information.

          Special Publication 800-18, revision 1, Guide for 
        Developing Security Plans for Federal Information Systems, 
        February 2006. This guide provides basic information on how to 
        prepare a system security plan and is designed to be adaptable 
        in a variety of organizational structures and used as a 
        reference by those having assigned responsibility for 
        activities related to security planning.

    NIST is also in the process of developing, updating, and revising a 
number of special publications related to information security, 
including the following:

          Special Publication 800-37, revision 1, Guide for 
        Security Authorization of Federal Information Systems, August 
        2008. This publication is intended to, among other things, 
        support the development of a common security authorization 
        process for federal information systems. According to NIST, the 
        new security authorization process changes the traditional 
        focus from the stovepipe, organization-centric, static-based 
        approaches and provides the capability to more effectively 
        manage information system-related security risks in highly 
        dynamic environments of complex and sophisticated cyber 
        threats, ever increasing system vulnerabilities, and rapidly 
        changing missions. The process is designed to be tightly 
        integrated into enterprise architectures and ongoing system 
        development life cycle processes, promote the concept of near 
        real-time risk management, and capitalize on current and 
        previous investments in technology, including automated support 
        tools.

          Special Publication 800-39, second public draft, 
        Managing Risk from Information Systems: An Organizational 
        Perspective, April 2008. The purpose of this publication is to 
        provide guidelines for managing risk to organizational 
        operations and assets, individuals, other organizations, and 
        the Nation resulting from the operation and use of information 
        systems. According to NIST, the risk management concepts 
        described in the publication are intentionally broad-based, 
        with the specific details of assessing risk and employing 
        appropriate risk mitigation strategies provided by supporting 
        NIST security standards and guidelines.

          Special Publication 800-53, revision 3, Recommended 
        Security Controls for Federal Information Systems and 
        Organizations, June 2009. This publication has been updated 
        from the previous versions to include a standardized set of 
        management, operational, and technical controls intended to 
        provide a common specification language for information 
        security for federal information systems processing, storing, 
        and transmitting both national security and non-national 
        security information.

          Draft IR-7502, The Common Configuration Scoring 
        System (CCSS): Metrics for Software Security Configuration 
        Vulnerabilities. This publication defines proposed measures for 
        the severity of software security configuration issues and 
        provides equations that can be used to combine the measures 
        into severity scores for each configuration issue.

    In addition, NIST has other ongoing and planned activities that are 
intended to enhance information security programs, processes, and 
controls. For example, it is supporting the development of a program 
for credentialing public and private sector organizations to provide 
security assessment services for federal agencies. To support 
implementation of the credentialing program and aid security 
assessments, NIST is participating or will participate in the following 
initiatives:

          Training includes development of training courses, 
        NIST publication quick start guides, and frequently asked 
        questions to establish a common understanding of the standards 
        and guidelines supporting the NIST Risk Management Framework.

          Product and Services Assurance Assessment includes 
        defining criteria and guidelines for evaluating products and 
        services used in the implementation of controls outlined in 
        NIST SP 800-53.

          Support Tools includes identifying or developing 
        common protocols, programs, reference materials, checklists, 
        and technical guides supporting implementation and assessment 
        of SP 800-53-based security controls in information systems.

          Mapping initiative includes identifying common 
        relationships and the mappings of FISMA standards, guidelines, 
        and requirements with International Organization for 
        Standardization (ISO) standards for information security 
        management, quality management, and laboratory testing and 
        accreditation.

    These planned efforts include implementing a program for validating 
security tools.

Other Collaborative Activities Undertaken by NIST

    NIST collaborated with a broad constituency--federal and non-
federal--to develop documents to assist information security 
professionals. For example, NIST worked with the Office of the Director 
of National Intelligence, the Department of Defense, and the Committee 
on National Security Systems to develop a common process for 
authorizing federal information systems for operation. This resulted in 
a major revision to NIST Special Publication 800-37, currently issued 
as an initial public draft. NIST also collaborated with these 
organizations on Special Publication 800-53 and Special Publication 
800-53A to provide guidelines for selecting and specifying security 
controls for Federal Government information systems and to help 
agencies develop plans and procedures for assessing the effectiveness 
of these controls. NIST also interacted with DHS to incorporate 
guidance on safeguards and countermeasures for federal industrial 
control systems in Special Publication 800-53.
    NIST is also working with public and private sector entities to 
establish specific mappings and relationships between the security 
standards and guidelines developed by NIST and the ISO and 
International Electrotechnical Commission Information Security 
Management System standard. For example, the latest draft of Special 
Publication 800-53 introduces a three-part strategy for harmonizing the 
FISMA security standards and guidelines with international security 
standards including an updated mapping table for security controls.
    NIST also undertook other information security activities, 
including:

          developing Federal Desktop Core Configuration 
        checklists and

          continuing a program of outreach and awareness 
        through organizations such as the Federal Computer Security 
        Program Managers' Forum and the Federal Information Systems 
        Security Educators' Association.

    Through NIST's efforts, agencies have access to additional tools 
and guidance that can be applied to their information security 
programs.

Opportunities for Improving Information Security Metrics

    Despite federal agencies reporting increased compliance in 
implementing key information security control activities for fiscal 
year 2008, opportunities exist to improve the metrics used in annual 
reporting. The information security metrics developed by OMB focus on 
compliance with information security requirements and the 
implementation of key control activities. OMB requires federal agencies 
to report on key information security control activities as part of the 
FISMA-mandated annual report on federal information security. To 
facilitate the collection and reporting of information from federal 
agencies, OMB developed a suite of information security metrics, 
including the following:

          percentage of employees and contractors receiving 
        security awareness training,

          percentage of employees with significant security 
        responsibilities receiving specialized security training,

          percentage of systems tested and evaluated annually,

          percentage of systems with tested contingency plans,

          percentage of agencies with complete inventories of 
        major systems, and

          percentage of systems certified and accredited.

    In May 2009, we testified\25\ that federal agencies generally 
reported increased compliance in implementing most of the key 
information security control activities for fiscal year 2008, as 
illustrated in Figure 1.
---------------------------------------------------------------------------
    \25\ GAO, Information Security: Agencies Make Progress in 
Implementation of Requirements, but Significant Weaknesses Persist, 
GAO-09-701T (Washington, D.C.: May 19, 2009).




    However, reviews at 24 major federal agencies\26\ continue to 
highlight deficiencies in their implementation of information security 
policies and procedures. For example, in their fiscal year 2008 
performance and accountability reports, 20 of 24 major agencies noted 
that their information system controls over their financial systems and 
information were either a material weakness or a significant 
deficiency.\27\ In addition, 23 of the 24 agencies did not have 
adequate controls in place to ensure that only authorized individuals 
could access or manipulate data on their systems and networks. We also 
reported that agencies did not consistently (1) identify and 
authenticate users to prevent unauthorized access; (2) enforce the 
principle of least privilege to ensure that authorized access was 
necessary and appropriate; (3) establish sufficient boundary protection 
mechanisms; (4) apply encryption to protect sensitive data on networks 
and portable devices; and (5) log, audit, and monitor security-relevant 
events. Furthermore, those agencies also had weaknesses in their 
agency-wide information security programs.
---------------------------------------------------------------------------
    \26\ The 24 major departments and agencies are the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Justice, Labor, State, Transportation, the Treasury, and 
Veterans Affairs; the Environmental Protection Agency, General Services 
Administration, National Aeronautics and Space Administration, National 
Science Foundation, Nuclear Regulatory Commission, Office of Personnel 
Management, Small Business Administration, Social Security 
Administration, and U.S. Agency for International Development.
    \27\ A material weakness is a significant deficiency, or 
combination of significant deficiencies, that results in more than a 
remote likelihood that a material misstatement of the financial 
statements will not be prevented or detected. A significant deficiency 
is a control deficiency, or combination of control deficiencies, that 
adversely affects the entity's ability to initiate, authorize, record, 
process, or report financial data reliably in accordance with generally 
accepted accounting principles such that there is more than a remote 
likelihood that a misstatement of the entity's financial statements 
that is more than inconsequential will not be prevented or detected. A 
control deficiency exists when the design or operation of a control 
does not allow management or employees, in the normal course of 
performing their assigned functions, to prevent or detect misstatements 
on a timely basis.
---------------------------------------------------------------------------
    An underlying reason for the apparent dichotomy of increased 
compliance with security requirements and continued deficiencies in 
security controls is that the metrics defined by OMB and used for 
annual information security reporting do not generally measure the 
effectiveness of the controls and processes that are key to 
implementing an agency-wide security program. Results of our prior and 
ongoing work indicated that, for example, annual reporting did not 
always provide information on the quality or effectiveness of the 
processes agencies use to implement information security controls. 
Providing information on the effectiveness of controls and processes 
could further enhance the usefulness of the data for management and 
oversight of agency information security programs.
    In summary, DHS has not fully satisfied aspects of its key cyber 
security responsibilities, one of which includes its efforts to protect 
our nation's cyber critical infrastructure and still needs to take 
further action to address the key areas identified in our recent 
reports, including enhancing partnerships with the private sector. In 
addition, although DHS has taken actions to remedy security weaknesses 
in its Secure Flight program, it still needs to address our remaining 
recommendations for strengthening controls for systems supporting the 
US-VISIT program. In taking these actions, DHS can improve its own 
information security as well as increase its credibility to external 
parties in providing leadership on cyber security. NIST has developed a 
significant number of standards and guidelines for information security 
and continues to assist organizations in implementing security controls 
over their systems and information. While NIST's role is to develop 
guidance, it remains the responsibility of federal agencies to 
effectively implement and sustain sufficient security over their 
systems. Developing and using metrics that measure how well agencies 
implement security controls can contribute to increased focus on the 
effective implementation of federal information security.
    Chairman Wu, this concludes my statement. I would be happy to 
answer questions at the appropriate time.

Acknowledgements

    Key contributors to this report include Michael Gilmore (Assistant 
Director), Charles Vrabel (Assistant Director), Bradley Becker, Larry 
Crosland, Lee McCracken, and Jayne Wilson.

                   Biography for Gregory C. Wilshusen
    Gregory Wilshusen is Director of Information Security Issues at 
GAO, where he leads information security-related studies and audits of 
the Federal Government. He has over 28 years of auditing, financial 
management, and information systems experience. Prior to joining GAO in 
1997, Mr. Wilshusen held a variety of public and private sector 
positions. He was a senior systems analyst at the Department of 
Education. He also served as the Controller for the North Carolina 
Department of Environment, Health, and Natural Resources, and held 
senior auditing positions at Irving Burton Associates, Inc. and the 
U.S. Army Audit Agency. He's a certified public accountant, certified 
internal auditor, and certified information systems auditor. He holds a 
B.S. degree in business administration (accounting) from the University 
of Missouri and an M.S. in information management from George 
Washington University's School of Engineering and Applied Sciences.

    Chair Wu. Thank you very much, Mr. Wilshusen. And I think 
at this point I am going to recess the hearing for both 
prudential reasons. We have plenty of time to get to the Floor, 
but also I think this is an important set of topics, and I 
would hate for any of the Members of Congress or the staff to 
be watching the clock ticking down, rather than paying 
attention to these very, very important topics.
    So at this point we will adjourn until after the last vote. 
I am sorry, we will recess until after the last vote in this 
series of votes.
    [Recess.]
    Chair Wu. This hearing will come back to order. I thank 
everyone for their forbearance.
    Mr. Bregman, please proceed.

  STATEMENT OF MR. MARK BREGMAN, EXECUTIVE VICE PRESIDENT AND 
         CHIEF TECHNOLOGY OFFICER, SYMANTEC CORPORATION

    Mr. Bregman. Chair Wu, Ranking Member Smith, Members of the 
Committee, good afternoon, and thank you for the opportunity to 
testify today on cybersecurity efforts at NIST and DHS.
    As a global information security leader, Symantec protects 
more people from on-line threats than anyone in the world by 
assuring the security, availability and integrity of their 
information. We are headquartered in California, and are the 
fourth largest software company with operations in 40 
countries. We employ over 18,000 people, including several who 
are located in the Chair's district in Beaverton, and I want to 
thank you for your support there.
    Symantec releases an annual Internet Security Threat Report 
which is a comprehensive analysis of information security 
threat activity that analyzes network-based threats on 
consumers and business. We compile the data via our global 
intelligence network which consists of over 40,000 sensors 
monitoring computer activity in 180 countries. So in short, if 
there is a class of threat on the Internet, we're aware of it.
    This year's report found that while vulnerabilities 
continue to increase dramatically, the scope and size and 
sophistication of cyber attacks is also growing dramatically. 
They are becoming much more targeted and more dangerous to our 
nation's critical infrastructure and our economic security.
    The most common type of attack during this period targeting 
our government's critical infrastructure was denial of service 
attacks, accounting for about half of the top-ten threats in 
2008. Denial of service attacks are a threat to the government 
and critical infrastructure since the purpose of such attacks 
is to disrupt the availability of high-profile web sites and 
other network services and render them inaccessible to users 
and employees.
    These kinds of attacks are often associated with political 
protests and were used to disrupt the Estonian government web 
sites in 2007 as well as the Georgian government web sites that 
were rendered inaccessible during the Georgia-Russia conflict 
in 2008. But denial of service attacks are just one type of 
cyber threat that affects government and critical 
infrastructure.
    As the 60-day cyber review rightly points out, 
cybersecurity risks pose some of the most serious economic and 
national security challenges of the 21st century, and we 
applaud the President's commitment to take action on 
cybersecurity. We hope that the coordinator will be elevated 
within the White House to have the appropriate decision-making 
and budget authority that is necessary to set strategic 
direction for the Nation, to empower our government agencies 
and private sector to do their mission in a coordinated and 
balanced way, and take a more prominent role in international 
cyber policy.
    Cybersecurity isn't a civilian or military problem or even 
a government problem. It is a universal problem. All networks, 
military, government, civilian and commercial are based on the 
same computers, same networking hardware technologies, same 
Internet protocols, many of the same software packages. We are 
all the target of the same attack tools and tactics. In 
addition, since most of the Nation's critical IT infrastructure 
is in commercial hands, hackers consistently go after both 
military and civilian targets.
    We all have the same security challenges, so solutions must 
be shared. I want to underscore today that cybersecurity is a 
shared government and private-sector responsibility. We need 
transparent and accountable government processes, as well as 
cutting-edge government cybersecurity programs to improve 
security for everybody.
    So with that in mind, let me turn to what DHS and NIST's 
respective roles and responsibilities are or could be in 
cybersecurity. We have seen a marked improvement in the 
Department of Homeland Security in their engagement with the 
private sector. Under the National Infrastructure Protection 
Plan construct, DHS is the lead department for engaging the IT 
sector, and Symantec and other private stakeholders, through 
the Sector Coordinating Councils, have provided input to DHS on 
a number of the Comprehensive National Cyber Initiative 
projects. We have been engaged with DHS and several other cyber 
policy initiatives, including resiliency, incentives, metrics, 
risk assessment, information sharing, and cyber exercises.
    There are a few areas in which we believe more can continue 
to be done by the department and private sector jointly, 
including establishing a front-line cyber defense, seeking ways 
to defend against threats to the supply chain, and taking 
cybersecurity to the next level through workforce education.
    In cyberspace, we have a very rich base from the commercial 
sector. This is quite different from other historic government 
models for addressing front-line national defense where much of 
the solution comes from government or the defense industrial 
base. The U.S. Government could benefit greatly if the private 
cybersecurity sector were brought in more consistently to 
assist in the development of cybersecurity solutions. One 
example was mentioned earlier where more input from the private 
sector could be helpful to DHS would be in project EINSTEIN.
    Today, the private sector has not been formally asked to 
participate in DHS's global supply chain initiative, despite 
the fact that much of the supply chain the government cares 
about is in the hands of the private sector. If more 
information is not shared by the government on the threats or 
risks that government sees, then how can the private sector do 
more to protect against these threats and risks?
    Symantec is a co-founder of SAFECODE, a non-profit 
organization created for companies to share software assurance 
and supply chain best practices. We strongly urge the 
Department of Homeland Security, Department of Defense (DOD), 
NIST, and other agencies to work closely with SAFECODE and its 
member companies to work collaboratively in addressing supply 
chain and software assurance.
    DHS has also taken a lead role in education and awareness. 
For example, it is a sponsor and an active participant in the 
National Cyber Security Alliance and staysafeonline.gov. The 
purpose of NCSA is to educate consumers, K-12, higher 
education, and small business on how to protect themselves and 
their data in cyber infrastructure.
    DHS is also working with NCSA and other stakeholders to 
develop a plan for the development and retention of trained 
cybersecurity professional workforce within the government, and 
we certainly support these.
    DHS has a role to play in the area of cybersecurity R&D 
(research and development). We believe that much of the work 
completed by the S&T (Science and Technology) Directorate is 
important and that R&D determined to be not commercially viable 
should be funded by the government. I respectfully ask that the 
U.S. Government engage with the private sector more on the R&D 
collectively to collaborate on common problems.
    Given this committee's jurisdiction, I would like to 
comment on NIST's mission on cybersecurity. It is very 
important through the promotion of national standards, in 
particular the work NIST does with federal agencies, industries 
and academia, to research, develop and deploy information 
security standards and technologies is critical. As these 
standards become more important, NIST's role and responsibility 
will continue to grow, and with that we believe NIST's funding 
level is not adequate and should be increased.
    NIST has played a leading role in the development of FISMA 
guidelines and federal information processing standards, and as 
Congress looks to reform FISMA, we will look to NIST for 
appropriate guidance and standards.
    Symantec has worked closely with NIST on Common Criteria 
for several years, and we fully support Common Criteria because 
it offers many advantages, including international 
certification framework for products. As the lead technical 
standards organization for the Federal Government, NIST has a 
critical role to play in revising the protection profiles and 
improving Common Criteria, and we ask that NIST become an 
active member of NIAP (National Information Assurance 
Partnership) again and would like to see them play an even more 
active role in other international consensus standard bodies 
and organizations.
    NIST has contributed to raising the quality of federal 
information security by promoting operational norms and by 
helping agencies to find model security processes. Experience 
shows that federal standards aligned with established 
commercial practices generally succeed, whereas unique 
government-only standards, such as the Government Open Systems 
Interconnection Profile, have achieved poor results.
    Whether rigid or flexible, standards must be appropriate 
for the activities being regulated. They must be mindful of the 
market drivers. Credible federal mandates must strike a balance 
between ideal and practical standards, including setting 
reasonable expectations for compliance in the huge base of 
installed federal systems. NIST's guidelines strike a balance 
between general rules of thumb for all agencies and local 
knowledge and expertise of on-the-ground federal officials. 
However, fixed, inflexible process standards can't easily 
accommodate these situations.
    So in summary, the constantly changing cyber threat 
landscape and its reliance on human activity, coupled with 
rapidly changing technology, makes it essential that security 
doctrine remains flexible.
    I strongly recommend that NIST also engage with the private 
sector to include development of an independent supply chain 
verification process that will allow us to validate software 
integrity, focusing more on how technology is developed and 
less on where it is developed globally. The near-term action 
plan within the President's cyber review requires establishment 
of cybersecurity performance metrics, and this is another area 
that is ripe with opportunity, and we believe NIST should be a 
key driver of this activity, working with the private sector 
and other agencies.
    In addition to cybersecurity metrics, NIST should consider 
collaborating more with the private sector and other areas such 
as cloud computing architecture and standards, SCAP (Security 
Content Automation Protocol) and other data taxonomy standards, 
health IT, and Smart Grid architecture with security standards 
built in from the beginning.
    We also want to stress the importance of NIST working with 
private sector to ensure the agreed-upon standards, protocols, 
and requirements are rolled out with reasonable timelines and 
milestones to meet realistic commercial product development 
roadmaps.
    In conclusion, we believe that both the Department of 
Homeland Security and NIST have done much to carry the cyber 
torch forward in many areas. However, there is much work still 
to be done and much more collaboration that needs to take place 
with the private sector. We stand committed to working with the 
Administration and Congress to improve cybersecurity, and I 
would like to thank you, Chair Wu, for allowing me the 
opportunity to testify before the distinguished Members of this 
committee.
    [The prepared statement of Mr. Bregman follows:]

                   Prepared Statement of Mark Bregman

    Good afternoon, Chairman Wu, Ranking Member Smith, and Members of 
the Subcommittee on Technology and Innovation. Thank you for the 
opportunity to speak about cyber security activities at NIST and DHS.
    I come before you today as Chief Technology Officer of Symantec 
Corporation, the global leader in providing information security 
solutions. We protect consumers and businesses by assuring the 
security, availability and integrity of their information. 
Headquartered in Cupertino, California, Symantec is the world's fourth 
largest software company with operations in more than 40 countries and 
over 18,000 employees.
    In April, Symantec released our Internet Security Threat Report 
which is widely acknowledged to be the most comprehensive analysis of 
information security activity for today's economy. The Report includes 
an analysis of network based attacks including those on small 
businesses with a review of known threats, vulnerabilities, and 
security risks. Symantec has provided this report since 2002.
    This year's report showed that the cyber attacks are growing in 
size, scope and sophistication. They are becoming more targeted and 
more dangerous to our critical infrastructure on which our economy 
depends. Vulnerabilities also continue to increase dramatically.
    The most common type of attack this period targeting government and 
critical infrastructure organizations was denial-of-service attacks, 
accounting for 49 percent of the top 10 in 2008. Denial of Service 
(DoS) attacks are a threat to government and critical infrastructures 
since the purpose of such attacks is to disrupt the availability of 
high-profile web sites or other network services and make them 
inaccessible to users and employees. This could result in the 
disruption of internal and external communications, making it 
practically impossible for employees and users to access potentially 
critical information. Because these attacks often receive greater 
exposure than those that take a single user off-line, especially for 
high-profile government web sites, they could also result in damage to 
the organization's reputation. A successful DoS attack on a government 
network could also severely undermine confidence in government 
competence, and impair the defense and protection of government 
networks.
    DoS attacks can often be associated with political protests, since 
they are intended to render a site inaccessible in the same way that a 
physical protest attempts to block access to a service or location. 
They can also be associated with conflict whereby one country may 
attempt to block Web traffic or take web sites off-line. As such, the 
high percentage of DoS attacks may be an attempt to express 
disagreement with targeted organizations or countries. Examples of these 
types of attacks targeting governments were the DoS attacks that 
disrupted and took Estonian governmental web sites off-line in 2007 and 
the Georgia government web sites that were rendered inaccessible during 
the Georgia-Russia conflict in 2008.
    SMTP, or simple mail transfer protocol, is designed to facilitate 
the delivery of e-mail messages across the Internet. E-mail servers 
using SMTP as a service are likely targeted by attackers because 
external access is required to deliver e-mail. In addition to illegally 
accessing networks, attackers who compromise e-mail servers may also be 
attempting to use the e-mail servers to send spam or harvest e-mail 
addresses for targeted phishing attacks. Because spam can often consume 
high quantities of unauthorized network bandwidth, these e-mails can 
disrupt or overwhelm e-mail services, which could result in DoS 
conditions. Successful SMTP attacks against government and critical 
infrastructure organizations could also allow attackers to spoof 
official government communications and obtain credentials in order to 
launch further attacks. These organizations heavily rely on e-mail as a 
communication method and as such, it is essential that e-mail traffic 
be secured. This is just one example of the type of threat affecting 
government and critical infrastructure sectors in cyberspace today.
    As the President so eloquently articulated in May when he released 
the 60 day cyber review,

         ``The globally-interconnected digital information and 
        communications infrastructure known as ``cyberspace'' underpins 
        almost every facet of modern society and provides critical 
        support for the U.S. economy, civil infrastructure, public 
        safety and national security.'' The report goes on to say 
        ``Cyber security risks pose some of the most serious economic 
        and national security challenges of the 21st century.''

    We applaud the President's personal commitment to take the action 
that is so desperately needed around cyber security and look forward to 
working soon with the new cyber security coordinator, other agencies 
and stakeholders to develop the strategy, policies, and operational 
plans necessary to improve cyber security. We hope that the coordinator 
will be elevated within the White House and have the appropriate 
policy, decision-making and budget review authorities necessary to set 
the strategic direction for the Nation, empower agencies and the 
private sector to do their mission in a coordinated and balanced way, 
and take a more prominent role in international cyber policy.

Cyber Security: A Shared Public and Private Sector Responsibility

    Cyber security isn't a civilian or military problem, or even a 
government problem--it's a universal problem. All networks, military, 
government, civilian and commercial, use the same computers, the same 
networking hardware, the same Internet protocols and the same software 
packages. We all are the targets of the same attack tools and tactics. 
It's not even that government targets are somehow even more 
differentiated; these days, most of our nation's critical IT 
infrastructure is in commercial hands. Government-sponsored or civilian 
hackers go after both military and civilian targets.
    GAO reports indicate that government problems include insufficient 
access controls, a lack of encryption where necessary, poor network 
management, failure to install patches, inadequate audit procedures, 
and incomplete or ineffective information security programs. These 
aren't top security issues; these are the same managerial problems that 
every corporate CIO wrestles with.
    We all have the same information security challenges, so solutions 
must be shared. If the government has any innovative ideas to solve its 
cyber security problems, certainly a lot of us could benefit from those 
solutions. In addition, we need transparent and accountable government 
processes, using commercial security products. Finally, we also need 
government cyber security programs that improve security for everyone.
    Now, I will keep the remainder of my comments focused on what DHS 
and NIST's respective roles and responsibilities are or should be in 
cyberspace.

DHS' Cyber Roles and Responsibilities

    Let me start with the Department of Homeland Security or ``DHS.'' 
Under the National Infrastructure Protection Plan construct, DHS is the 
lead department for engaging with the IT Sector. In addition to the 60-
day roll-out, there has been a lot of talk regarding the 
``Comprehensive National Cyber Initiative'' or ``CNCI.'' Symantec and 
other private sector stakeholders, through the Sector Coordinating 
Councils, have been able to participate and provide input into DHS on a 
number of the Initiative's projects, including Project 12 regarding 
public-private partnerships, Project 4 on leap ahead technologies, and 
Project 10 on deterrence and the need for global norms of behavior in 
cyberspace. The private sector and DHS have been engaged in a number 
of other projects and activities to address a myriad of cyber policy 
issues, including resiliency, incentives, metrics, risk assessments, 
information sharing, and cyber exercises just to name a few. We have 
seen a marked improvement over the last couple of years by the DHS and 
their engagement with the private sector.
    There are a few areas we believe more can be done by the Department 
of Homeland Security and private sector jointly. As you heard from Dr. 
Fonash last week, there are three areas in which DHS has focused their 
priorities around CNCI: Establishing a front line of defense, seeking 
ways to defend against a full spectrum of threats through supply chain 
and intelligence, and taking cyber security to the next level through 
workforce education.

1) Front Line of Defense: In cyberspace we have a very rich, 
traditional base from the commercial sector very different from other 
historical government models for addressing national security issues 
where much of the solutions come from government or defense 
contractors. With that in mind, it could benefit the U.S. Government 
greatly if the private sector were brought in more consistently to 
assist in the development of cyber security solutions to address 
projects and other key cyber challenges. We would like to see more 
collaboration between the public and private sector on these programs 
so that the government can learn about what technologies may be more 
applicable now to address today or tomorrow's threats. One example of 
where more input from the private sector could be helpful is Project 
EINSTEIN. Project EINSTEIN was developed to detect network intrusions 
and create better situational awareness. However, since its inception a 
number of years ago, the threats and technologies used to prevent or 
mitigate against these threats have changed dramatically. No longer is 
delayed detection of threats and intrusions simply enough. 
The need for data prevention technologies and near or real-time 
situational awareness capabilities are imperative. We hope the public 
sector leverages the expertise and technology that the private

2) Supply Chain: In last week's hearing, there was a lot of discussion 
by the government witnesses on the importance of protecting our global 
supply chain. We heard about the work that the Department of Homeland 
Security and Department of Defense are undertaking to lead the CNCI 
Project on this topic. To date, the private sector has not been 
formally asked to participate in this activity despite the fact that 
much of the supply chain that government cares about is in the hands of 
the private sector. We as a company take actions on what we know and 
the risks we face. However, if more information is not shared by the 
government on the threats or risks they see, how can we do more to 
protect against the threats or risks that we have not been informed 
about? Additionally, we believe that much of the expertise and best 
practices for protecting supply chain reside within the private sector. 
Let me give you one example.
    Symantec is a co-founder of SAFECODE, a non-profit organization 
created for companies to share software assurance and supply chain best 
practices. We strongly urge the Department of Homeland Security, 
Department of Defense, NIST and other agencies to work closely with 
SAFECODE and its member companies to work collaboratively in addressing 
supply chain and software assurance. This collaboration could focus on 
information sharing of supply chain threats and vulnerabilities and 
development of best practices and standards.

3) Education and Awareness: DHS has taken a lead role in this area. For 
example, DHS is a sponsor and active participant in the National Cyber 
Security Alliance (NCSA) and staysafeonline.gov. The purpose of NCSA, a 
501c3, is to educate consumers, K-12, higher education, and small and 
medium sized businesses on the steps they need to take in order to use the 
Internet safely and securely, protecting themselves, their data and the 
cyber infrastructure. The President's 60-day cyber review recognized 
the good work of the NCSA and highlights the need for formal K-12 
education and curriculum to address cyber safety, cyber security and 
cyber ethics (C3) within schools. NCSA and DHS will be working with 
other key stakeholders to develop this C3 framework. In addition to a 
K-12 curriculum framework, NCSA has established a volunteer program (C-
SAVE) for computer security professionals to teach cyber security in 
schools and is working to conduct a small and medium-sized business 
study to identify current cyber practices, gaps, resource needs, and 
ways to effectively communicate with this important audience. There are 
many more activities underway which can be found at 
www.staysafeonline.gov.

4) Workforce and Training: In addition to education and awareness 
responsibilities, DHS is working with several agencies, NCSA and other 
stakeholders to develop a plan for the development and retention of a 
trained cyber security professional workforce that can meet the 
increasing demand and gaps within the government. DHS is also 
developing a program to retrain the current workforce in the public and 
private sector to ensure they have the most up-to-date skills and 
capabilities to address today's technology and cyber security demands. 
We fully support these activities and believe this is appropriate work 
for DHS to engage in with other interagency partners.

5) Exercises and National Incident Response Planning: The 60-day 
review's near-term action plan calls for ``a cyber security incident 
response plan to enhance public-private partnerships with an eye toward 
streamlining, aligning, and providing resources to optimize 
contribution and engagement.'' We believe that DHS is well positioned 
to help lead these efforts and ask that the private sector be included 
early on in the development process.

6) R&D: DHS has a role to play in the area of cyber security R&D 
through the Science and Technology Directorate. The S&T Directorate 
maps their R&D projects based on the needs of their primary internal 
customer, the Cyber Security and Communications Directorate. We believe 
that much of the work completed by the S&T Directorate is very 
important and believe that increased funding is necessary in order for 
the S&T Directorate to meet their customers' needs. We also believe 
that a more formal process of identifying priorities and coordinating 
with internal customers is necessary. We also believe that DHS writ 
large, in their capacity as the Government Specific Agency for 
interacting with the IT and Communications Sectors, must have a formal 
process of engaging with the private sector on the CNCI R&D Project. It 
is not surprising that the private sector spends more than the U.S. 
Government on R&D. It is also not surprising that both the public and 
private sector have limited resources with which to spend on R&D.

    Imagine if we could work together to identify what the collective 
problems and priorities are for government and industry, determine 
which of those priorities are commercially viable and therefore should 
not be funded by government, and identify the gaps and/or redundancies 
that exist. Those projects which may be redundant can be de-conflicted 
and re-allocated. Those priorities that are gaps and not determined to 
be commercially viable could then be funded by government. This process 
would allow us all to maximize our collective resources to the fullest 
extent possible and ensure that we are working from a coordinated 
roadmap and set of priorities. We respectfully ask that the U.S. 
Government engage with the private sector to the extent possible in 
this area. Some initial challenges or problem areas for R&D 
consideration could include: Attribution, Situational Awareness, Early 
Warning, and ID management.

NIST's Roles and Responsibilities

    In addition to DHS' role, NIST's mission in cyber security is very 
important. Beginning with its founding in 1901 as the National Bureau 
of Standards, NIST has played a key role in U.S. commerce through 
promotion of various national standards. In particular, the work NIST 
does with federal agencies, industry and academia to research, develop 
and deploy information security standards and technology is critical. 
As cyber security standards and metrics become increasingly important, 
NIST's role and responsibility will continue to grow. With that, we 
believe NIST's funding level is not adequate and should increase so 
they can meet the community's growing needs and requirements.

FISMA: Since its inception, NIST has played a leading role in the 
development of FISMA guidelines and Federal Information Processing 
Standards (FIPS). As Congress looks to reform FISMA, we will look to 
NIST for appropriate guidance and standards.

Common Criteria/NIAP and other international standards activities: 
Symantec has been involved with Common Criteria evaluations for several 
years. In fact, our Symantec Enterprise Firewall was the first product 
to be certified against the U.S. Government's application firewall 
protection profile. We currently have several products 
certified. Symantec supports the Common Criteria because it offers many 
advantages, including an international certification framework for 
products. Based on the results of evaluations against the Basic and 
Medium Robustness Protection Profiles and comments from vendors and 
government customers, NIAP, the U.S. Government implementation arm for 
Common Criteria, has determined that the current U.S. Protection 
Profile Robustness model needs to be revised. The original 
implementation did not create the necessary test plans and 
documentation needed to achieve consistent results across different 
products evaluated in different labs. As a result, NSA is creating a 
Standard Protection Profile, which will replace any corresponding U.S. 
Government Protection Profile. NSA plans to work with industry, 
government stakeholders, and the Common Criteria community to create 
these Protection Profiles. As the lead technical standards organization 
for the Federal Government, we believe that NIST has a critical role to 
play in revising the protection profiles and improving Common Criteria. 
We ask that NIST become an active member of NIAP again and would like 
to see them play an even more active role in other international 
consensus standards bodies and organizations.

Flexible NIST Federal Security Standards: NIST has contributed to 
raising the quality of federal information security by promoting 
operational norms and by helping agencies to find model security 
processes. Experience shows that federal standards aligned with 
established commercial practices generally succeed. However, unique 
government-only standards, such as the Government Open Systems 
Interconnection Profile (GOSIP), have achieved poor results.
    Whether flexible or rigid, standards must be appropriate for the 
activities being regulated, and they must be mindful of market drivers 
and required precision. The precision and specificity in standards vary 
considerably according to their goals and purposes. For example, some 
technical standards, such as communications protocols, must be very 
precise and rigid because of a need for inter-operation among many 
vendors' products.
    Thus, credible federal mandates must strike a balance between ideal 
and practical standards, including setting realistic expectations for 
compliance in the huge base of installed federal systems. Additionally, 
we must remember that compliance will be put in jeopardy if the 
standards are perceived to be unreasonable or not viable.
    First, standards require reliable metrics to enable tracking of 
compliance. Second, they must be introduced at a specific point in the 
product life cycle when customers seek standard products and 
manufacturers are no longer competing on features. Third, there must be 
a compelling market benefit supporting use of a standard. Finally, 
standards must be appropriate for the application being standardized.
    NIST's guidelines strike a balance between general rules of thumb 
for all agencies and the local knowledge and expertise of on-the-ground 
federal officials. However, fixed, inflexible process standards cannot 
easily accommodate all of these situations. In summary, the constantly 
changing cyber threat landscape and its high reliance on human activity 
coupled with the rapid changes in technology make it essential that 
security doctrine remains flexible.

Metrics: The near-term action plan within the President's cyber review 
requires the establishment of cyber security performance metrics. This 
is an area ripe with opportunity and we believe NIST should be a key 
driver of this activity working with the private sector and other 
agencies.
    In addition to cyber security metrics, there are some areas we 
believe NIST should consider collaborating more with the private sector 
on, including: Cloud Computing architecture and standards, SCAP and 
other data taxonomy standards, Supply Chain best practices, Health IT, 
and Smart Grid architecture with security standards built in. We also 
want to stress the importance of NIST and OMB working with the private 
sector to ensure that agreed upon standards, protocols and requirements 
are rolled out with the reasonable timelines and milestones to meet 
realistic commercial product development roadmaps.
    In conclusion, we believe both the Department of Homeland Security 
and NIST have done much to carry the cyber torch forward in several 
areas. However, there is much more work to be done and much more 
collaboration that needs to take place with the private sector. We 
stand committed to working with the Administration and Congress to 
improve cyber security.
    Thank you again, Chairman Wu, for allowing me the opportunity to 
testify before the distinguished Members of the House Science 
Subcommittee on Technology and Innovation regarding cyber security 
responsibilities for DHS and NIST. I am happy to answer any questions 
that any Members of the Committee may have.

                       Biography for Mark Bregman

    Mark Bregman is Executive Vice President and Chief Technology 
Officer at Symantec, responsible for the Symantec Research Labs, 
Symantec Security Response and shared technologies, emerging 
technologies, architecture and standards, localization and secure 
coding, and developing the technology strategy for the company. Bregman 
guides Symantec's investments in advanced research and is responsible 
for the company's development centers in India and China.
    Additionally, Bregman leads the field technical enablement team, 
which works closely with the technical sales team to ensure they are 
prepared to assist customers in managing the impact of changing and 
emerging technical requirements.
    Bregman joined Symantec through the company's merger with Veritas 
Software, where he served as chief technology officer, responsible for 
cross-product integration, advanced product development, merger and 
acquisition strategy, and the company's engineering development centers 
in India and China.
    Prior to joining Veritas, Bregman was CEO of Airmedia, a wireless 
Internet firm.
    Previously, Bregman spent 16 years at IBM where he led the RS/6000 
and Pervasive Computing divisions and held senior management positions 
in IBM Research and IBM Japan. He was also technical assistant to IBM 
CEO Lou Gerstner.
    Bregman holds a Bachelor's degree in physics from Harvard College 
and a Master's degree and doctorate in physics from Columbia 
University. He is a member of the Visiting Committee to the Harvard 
University Libraries, a member of the American Physical Society, and a 
senior member of IEEE. He also serves on the Board of Directors of 
ShoreTel and the Bay Area Science and Innovation Consortium.

    Chair Wu. Thank you very much, Mr. Bregman. Mr. Charney, 
please proceed.

   STATEMENT OF MR. SCOTT CHARNEY, CORPORATE VICE PRESIDENT, 
          TRUSTWORTHY COMPUTING, MICROSOFT CORPORATION

    Mr. Charney. Thank you, Chair Wu. Thank you, Member Smith, 
Members of the Subcommittee. Thank you for the opportunity to 
appear today at this important hearing on cybersecurity.
    My name is Scott Charney. I am the Corporate Vice President 
for Trustworthy Computing at Microsoft. In cyberspace today, we 
are locked in an escalating and sometimes hidden conflict. 
Cyber threats have grown in sophistication, expanding from 
opportunistic viruses and worms that were once disruptive and 
sometimes damaging to include very targeted, stealthy and 
persistent attacks. In the information age, any individual can 
engage in activities formerly limited to nation states, and any 
nation, regardless of traditional measures of power and 
sophistication, can gain economic and military advantage 
through cyber programs. The lack of identity for hardware, 
software and people on the Internet also makes it difficult to 
determine the source of an attack. Understanding the sources 
and the motivations of attacks is essential to ensuring the 
appropriateness of response. Absent strong attribution 
abilities which balance security and privacy, international and 
national strategies to deter cyber attacks will not succeed. 
Attribution can and must be a top priority to improve 
cyberspace security moving forward.
    The challenge for the government today is that it must 
balance dual and often interrelated roles to manage cyber 
threats effectively. The government is responsible for 
protecting public safety and national security, and it is also 
responsible for managing a large IT infrastructure. I support 
the near-term action plan in the recently released White House 
60-day review and specifically the action to prepare an updated 
national strategy to secure the information and communications 
infrastructure.
    Just as we need an updated national strategy to ensure the 
Nation's cybersecurity, the government must also implement an 
effective model for managing its own cybersecurity. Such a 
model would include a centrally managed horizontal security 
function to provide a foundation of government-wide policy 
standards and oversight. And because each federal agency has 
its own mission, customers, partners, and threats, there must 
also be vertical security functions resident in each agency to 
ensure that agency-specific missions are accomplished and 
agency-specific risks are managed appropriately.
    Let us turn to the more specific roles for DHS and NIST. 
The hybrid model I just outlined could be applied more 
effectively to the federal enterprise. In this implementation, 
DHS and NIST would provide the horizontal, centrally managed 
cybersecurity functions, and individual agencies would have 
vertical functions to manage their unique risks. Simply stated, 
the Department of Homeland Security should set security control 
policy articulating minimum cybersecurity baselines, goals, and 
outcomes. DHS should also develop processes to exchange and 
foster implementation of best practices so that agencies can 
more quickly achieve higher levels of security when necessary. 
NIST should create government-wide standards to help agencies 
meet the security control policy set by DHS. To realize the 
value created by analyzing data horizontally, DHS and NIST must 
have the right data, they must analyze that data, and the data 
must drive action. This will require enhanced cybersecurity 
monitoring, audit, and analytics to gain valuable insights on 
the real-time health of the federal enterprise and enable agile 
actions to mitigate and respond to incidents.
    Agencies should continue to have the responsibility and 
accountability for creating documented information security 
programs, assessing their risks, implementing effective 
management controls, and responding to agency incidents. This 
is the vertical function in the hybrid model.
    In conclusion, as long as threats evolve, so must our 
efforts to protect against them. Technology alone will not 
create the trust necessary to secure cyberspace. 
Technological innovation must be aligned with social, 
political, economic, and IT forces to enable change. Microsoft 
helps drive and shape these forces with partners in the 
ecosystem to create a safe and more trusted Internet. The 
United States must similarly drive forward with a clear vision 
and holistic information-age strategies to combat threats to 
national and economic security and to public safety.
    Thank you again, Chair Wu, for providing me the opportunity 
to testify before the distinguished Members of the Subcommittee 
on Technology and Innovation, and I am happy to answer any 
questions you may have.
    [The prepared statement of Mr. Charney follows:]

                  Prepared Statement of Scott Charney

    Chairman Wu, Ranking Member Smith, and Members of the Subcommittee, 
thank you for the opportunity to appear today at this important hearing 
on cyber security and for entering my written testimony into the record 
of this committee. My name is Scott Charney, and I am the Corporate 
Vice President for Trustworthy Computing at Microsoft. I also served as 
one of four Co-Chairs of the Center for Strategic and International 
Studies (CSIS) Commission on Cybersecurity for the 44th Presidency. 
Prior to joining Microsoft, I was Chief of the Computer Crime and 
Intellectual Property Section in the Criminal Division of the United 
States (U.S.) Department of Justice. I was involved in nearly every 
major hacker prosecution in the U.S. from 1991 to 1999; worked on 
legislative initiatives, such as the National Information 
Infrastructure Protection Act that was enacted in 1996; and chaired the 
G8 Subgroup on High Tech Crime from its inception in 1996 until I left 
government service in 1999.
    Today I will share a brief assessment of cyberspace security and 
discuss:

        1)  Establishing Information Age security strategies for 
        government;

        2)  Advancing federal civilian enterprise security; and

        3)  Clarifying roles and enhancing capabilities for the 
        Department of Homeland Security (DHS) and the National 
        Institute of Standards and Technology (NIST).

Cyberspace Security: Understanding the Evolving Threats

    We are locked in an escalating and sometimes hidden conflict in 
cyberspace. The battle of bits and bytes has very real consequences for 
America, other nations, the private sector, and all other Internet 
users. Cyber attack joins terrorism and weapons of mass destruction as 
one of the new, asymmetric threats that puts the U.S. and other 
governments at risk. Cyber security has improved, but these 
improvements have not kept pace with the increasing availability and 
value of data, nor the number or sophistication of cyber attacks. In 
the Information Age, governments, industries, and consumers around the 
world rely on globally connected networks and cyber systems, and create 
and store volumes of sensitive data electronically. Such data, 
particularly when not well secured, presents an attractive target for 
those seeking competitive or strategic advantage, or financial gain.
    The resulting cybercrime economy is complex, sophisticated, and 
growing. It has numerous participants, some willing (malware 
developers) and some unwilling (victims of cyber attacks); some clearly 
good (security researchers that disclose vulnerabilities responsibly) 
and some clearly bad (vulnerability traffickers). Over the past decade, 
attacks that bad actors carry out have also grown in sophistication, 
expanding from opportunistic viruses and worms that were disruptive and 
sometimes damaging to very targeted, stealthy, and persistent attacks. 
In today's evolving cybercrime economy, any individual can engage in 
activities formerly limited to nation-states, and any nation, 
regardless of traditional measures of sophistication, can gain economic 
and military advantage through cyber programs.
    When self-replicating computer worms entered the public 
consciousness several years ago, it was in the form of malware, such as 
Win32/MSBlast, Win32/Sasser, and Win32/Slammer, that exploited 
vulnerabilities to spread rapidly and caused system disruption or 
failure. These threats were highly visible and garnered significant 
attention. Exploit-based worms, while still a concern, have receded 
from prominence as Microsoft and other software vendors have reduced 
the vulnerabilities these worms relied on to spread, and users deployed 
security technologies meant to thwart these attacks. With the 
traditional vectors of mass propagation reduced significantly, today's 
prominent worms rely much more on social engineering techniques to gain 
access to information technology (IT) environments, like enterprise 
networks and consumer machines. A gap in the application and oversight 
of enterprise-wide and consumer security controls, as well as 
insufficient monitoring and analysis of the real-time health of 
networks, can create significant risk both nationally and globally.
    Today Microsoft tracks more than 30,000 types of malware families 
and some of these families have millions of variants. There are 
infections by these variants in machines around the world, but linking 
an infected machine with the cyber attacker who infected it is very 
difficult. The lack of identity for hardware, software, data, and 
people on the Internet makes it difficult to determine the source of 
attacks, yet knowing the source is essential to ensuring the 
appropriateness of response. Attribution of cyber attacks is one of the 
most fundamental challenges facing the international community. Absent 
strong attribution abilities, international and national strategies to 
deter cyber attacks will not succeed.
    Microsoft has long recognized the growing need to improve software 
security to counter cyber threats. In 2002, Microsoft changed the way 
it built software by implementing the Security Development Lifecycle 
(SDL). The SDL provides customers with high quality, well-engineered 
and rigorously tested software that helps withstand malicious attacks 
by requiring threat models to be built at design time and requiring 
that specific security milestones be met at each stage of the 
development process. Every Internet-facing or enterprise-class product 
from Microsoft is required to go through the SDL, resulting in 
measurable improvements in the security and privacy of Microsoft's 
software. We also continue to work with partners in the computing 
ecosystem to help better protect our mutual customers and all Internet 
users. For example, we are members of the Software Assurance Forum for 
Excellence in Code (SAFECode)\1\ which promotes the advancement of 
demonstrably effective software assurance methods. These efforts are 
essential in reducing the attack surface of products. Technology alone, 
however, will not create the trust necessary to realize the full 
potential of the Internet. Technological innovation must be aligned 
with social, political, economic and IT forces to enable change. 
Working with partners in the ecosystem, Microsoft is advancing End-to-
End Trust,\2\ driving and shaping these forces to create a safer, more 
trusted Internet.
---------------------------------------------------------------------------
    \1\ www.safecode.org; members include EMC, Juniper, Microsoft, 
Nokia, SAP, and Symantec.
    \2\ www.microsoft.com/endtoendtrust
---------------------------------------------------------------------------
    What can government do to counter this underground cybercrime 
economy? First, understanding the nature of cyber threats is critical. 
Breaking down the complexity of the cyber threat is necessary to inform 
the useful allocation of resources for defense and to guide more 
effective risk management. Our defenses must consider the diversity of 
players, motivations, and methods in the cybercrime economy, and must 
either raise the costs for adversaries to carry out attacks or decrease 
the value of successful attacks. Lowering the return on investment for 
cyber attacks can deter some bad actors or lessen the consequences of 
attacks that do occur.

Establishing Information Age Security Strategies for Government

    Government must balance dual, and often interrelated, roles to 
effectively manage emerging cyber threats. First, as a public policy 
entity, the government is responsible for protecting public safety, as 
well as economic and national security. In this capacity, the United 
States must develop a national cyberspace strategy to address the full 
spectrum of significant risks presented by the Information Age. But the 
Federal Government is also a large and widely distributed enterprise, 
with countless globally distributed ``customers'' (e.g., citizens who 
want to connect with their government), partners, operations, networks, 
and resources. Although distinct, the policy and enterprise roles are 
not entirely separate, as each affects and informs the other.

Architecting a Comprehensive and Coordinated National Strategy
    The recently released White House Cyberspace Policy Review: 
Assuring a Trusted and Resilient Information and Communications 
Infrastructure outlined key policy challenges the Nation faces as a 
result of the dynamic cyber threat landscape.\3\ The White House review 
recognized that:
---------------------------------------------------------------------------
    \3\ http://www.whitehouse.gov/assets/documents/
Cyberspace-Policy-Review-final.pdf
---------------------------------------------------------------------------

         The Federal Government is not organized to address this 
        growing problem effectively now or in the future. 
        Responsibilities for cyber security are distributed across a 
        wide array of federal departments and agencies, many with 
        overlapping authorities, and none with sufficient decision 
        authority to direct actions that deal with often conflicting 
        issues in a consistent way. The government needs to integrate 
        competing interests to derive a holistic vision and plan to 
        address the cyber security-related issues confronting the 
        United States. The Nation needs to develop the policies, 
        processes, people, and technology required to mitigate cyber 
        security-related risks.

    I support the near-term action plan in the review, which includes 
activities to appoint a lead policy official in the White House, staff 
a National Security Council Directorate, and prepare an updated 
national strategy to secure information and communications 
infrastructure.
    This is a significant undertaking that will require continued White 
House and Congressional leadership. National security strategies create 
a framework to employ all elements of national power--economic, 
diplomatic, law enforcement, military, and intelligence. A 
comprehensive cyberspace security strategy must include these elements 
and articulate how they will be employed to ensure national security, 
economic security, and public safety, and to assure delivery of 
critical services to the American public. In the Industrial Age, power 
was generally based on physical might; in the Information Age, power is 
derived from information, knowledge, and communications.

Constructing An Information Age Security Model
    Just as we need a new national strategy to ensure the Nation's 
cyber security, the government must also carefully determine an 
effective model for managing government-wide cyber security. In this 
regard, one can view the Federal Government as a large collection of 
businesses with different missions, partners, customers, data, assets, 
and risks. There are some responsibilities and practices (e.g., 
developing information security plans, implementing the Federal Desktop 
Core Configuration (FDCC)) that should be done by each and every 
federal agency. The number and diversity of component organizations, 
functions, and systems, however, means that a fully centralized model 
for managing security will not work. Each agency has a unique security 
paradigm with differing threats, so each agency needs to manage its own 
risk.
    If some security controls should be applied uniformly across the 
government, but other security controls need to be carefully tailored 
to address an agency's mission and risks, it becomes clear that the 
government needs to establish a hybrid model for information security 
that improves security across the federal enterprise and fosters 
agility to counter ever-changing threats. A hybrid model could create a 
holistic security framework for managing and reducing the attack 
surface of the federal enterprise. Such a model would include:

          A centrally managed horizontal security function to 
        provide a foundation of government-wide policy, standards, and 
        oversight; as well as

          Vertical security functions resident in individual 
        agencies to manage their risks.

    This combination of horizontal and vertical functions ensures that 
minimum security goals and standards are set, yet provides agencies the 
flexibility to manage risks appropriately for their unique operating 
environments.

Advancing Federal Civilian Enterprise Security

    For more than 25 years, the Federal Government has been struggling 
to evolve its policy, organizational, and operational information 
security management frameworks. Over two decades, legislation has been 
passed that has incrementally established and enhanced authority, 
organization, and accountability. The three most important elements of 
the foundation include: the Paperwork Reduction Act of 1980,\4\ which 
centralized government-wide responsibilities into the Office of 
Management and Budget (OMB); the Clinger-Cohen Act,\5\ which 
established dedicated Chief Information Officers for the major 
departments and agencies across the government; and the Federal 
Information Security Management Act (FISMA),\6\ which created the first 
comprehensive information security framework for the Federal 
Government. Additionally, OMB mandated implementation of the FDCC by 
February 2008. The FDCC mandate requires Federal agencies to 
standardize desktop configurations to meet FDCC requirements and is 
intended to improve security, reduce costs, and decrease application-
compatibility issues. This was an attempt to create government-wide 
policy and standards, but it lacked the oversight and supporting 
capabilities to be implemented effectively.
---------------------------------------------------------------------------
    \4\ P.L. 96-511, December 11, 1980.
    \5\ P.L. 104-106, February 10, 1996. The law, initially entitled 
the Information Technology Management Reform Act (ITMRA), was 
subsequently renamed the Clinger-Cohen Act in P.L. 104-208, September 
30, 1996.
    \6\ P.L. 107-347, December 17, 2002.
---------------------------------------------------------------------------
    Understanding what exists and conducting periodic tests of controls 
does not create the strategic and operational information security 
commensurate with the sophisticated Information Age threats that now 
confront agencies. Congress should consider how to implement an 
effective model for managing the security of the federal enterprise, 
build enhanced cyber security capabilities within the government, and 
fund agencies appropriately to fulfill their vertical and, in some 
cases, horizontal responsibilities. There are two basic options I see: 
coordinated incremental change or comprehensive reform. Incremental 
change may be more appealing to agencies and the under-resourced 
individuals responsible for cyber security, but slow change may be 
inadequate and ineffective to counter evolving threats. Comprehensive 
reform, however, will substantially challenge the status quo. Such 
reform would require a sustained commitment of the Executive and 
Legislative branches to construct an innovative and agile federal 
enterprise for the Information Age.

Defining Clear Roles for DHS and NIST
    The hybrid model I outlined above could be applied more effectively 
to the federal enterprise to improve security and increase agility. In 
this implementation, DHS and NIST would provide the horizontal 
function, and individual agencies would have vertical functions:

          Horizontal Functions:

                  Department of Homeland Security: DHS should set 
                security control policy, articulating cyber security 
                goals and outcomes. Put another way, DHS should develop 
                ``minimum baselines for security'' and work with the 
                standards community where appropriate. DHS should also 
                develop processes to exchange and foster implementation 
                of best practices that exceed minimum standards so that 
                agencies can more quickly achieve higher levels of 
                security when necessary to address their own unique 
                agency risks.

                  National Institute of Standards and Technology: NIST 
                should create government-wide standards to help 
                agencies meet the security control policy set by DHS. 
                NIST's Special Publication (SP) 800-53, Recommended 
                Security Controls for Federal Information Systems\7\ is 
                an example of standards created by NIST that apply 
                government-wide. NIST should, like DHS, also help 
                agencies exceed any government-wide minimum standards.
---------------------------------------------------------------------------
    \7\ Federal Information Processing Standards (FIPS), including 
``Standards for Security Categorization of Federal Information and 
Information Systems'' and ``Minimum Security Requirements for Federal 
Information and Information Systems'' also provide guidance.
---------------------------------------------------------------------------

          Vertical Function in Individual Agencies: Agencies 
        should continue to have responsibility for--and accountability 
        for--assessing their risks and implementing effective 
        management controls. This includes activities to configure and 
        patch systems, build effective incident response capabilities, 
        identify and detect unauthorized access, test security controls 
        regularly, audit for compliance, and implement security changes 
        based upon testing, auditing, and environment changes. 
        Agencies' risk management should be a continuous cycle of 
        related activities performed as part of a documented 
        information security program.

Clarifying Roles and Enhancing Capabilities for DHS and NIST

    To fulfill the horizontal function described above, DHS and NIST 
need to have clear roles and enhanced capabilities. I will briefly 
describe some of the successes of and challenges to each of these 
organizations, and then focus my remarks on how to enhance their 
capabilities and funding so they may successfully provide the 
horizontal security function for the federal enterprise.

DHS
    DHS is in a state of transition, with changes in vision and 
leadership underway, so an assessment of its efforts must separate the 
past from the future.
    DHS has partnered well with industry in the IT and Communications 
Sectors for infrastructure protection and that partnership is producing 
results. The partnership has advanced both strategic risk management 
and operational information sharing. For example, industry and 
government will be releasing shortly the IT Sector Risk Assessment 
called for in the National Infrastructure Protection Plan. The Risk 
Assessment outlines several mitigations (e.g., robust coordinated 
response and out-of-band data delivery) that public and private sector 
owners and operators can implement to better manage sector-wide risk. 
DHS is also improving how it facilitates distribution of actionable 
information (via Critical Infrastructure Information Notices and 
Federal Information Notices), which enables more timely implementation 
of security updates and helps to reduce malware infections such as the 
Conficker worm. This partnership is essential because cyber security is 
a shared challenge that involves government as well as the owners, 
operators, and vendors that make cyberspace possible. To date, this 
partnership does not yet fully extend into the cyber security research 
and development (R&D) portfolio managed by the DHS Science and 
Technology Directorate. This gap must be addressed to provide greater 
awareness of and, where possible, coordination across public and 
private sector R&D activities.
    But DHS has struggled without an actual strategic plan for cyber 
security. As a result, its efforts have not always focused on the right 
areas and were not optimized for effectiveness. The lack of a cohesive 
vision was exacerbated by constant changes in leadership, lack of 
personnel, and inadequate funding for its mission. The Comprehensive 
National Cybersecurity Initiative (CNCI) was an important catalyst to 
drive improvements in DHS. It outlined specific initiatives in key 
areas, provided greater funding, and enabled more rapid increases in 
staff. The CNCI, however, still did not provide the coordinated vision 
that is needed. Moving forward, DHS should develop a strategic vision 
and look to build on its strengths in partnership, information sharing, 
and growing security capabilities to function in the horizontal role I 
outlined above.

NIST
    NIST has also contributed significantly to advancements in cyber 
security, and must continue to do so in the future. The Information 
Technology Laboratory is an important voice in the cyber security 
conversation, and its Computer Security Division is doing valuable 
work, such as creating NIST's cyber guidance and hosting the 
Information Security Automation Program to automate technical security 
operations. The Computer Security Division, unfortunately, is not 
sufficiently resourced to address the growth in its responsibilities 
and workload.
    This growth is proportionate with the continuing pace of 
technological innovation. For example, NIST is advancing two important 
initiatives for newer technologies and services that will each have 
considerable cyber security implications: Securing the SmartGrid and 
Cloud Computing. In particular, NIST's cloud computing work is focused 
on the effective and secure use of cloud computing in the government 
and private sector. As NIST continues to explore cloud computing and 
cloud security, I would suggest it focus on three areas:

          Utilize a risk-based information security program 
        that assesses and prioritizes security and operational threats;

          Promote regular maintenance and update of security 
        controls that mitigate risk; and

          Support international standards frameworks and 
        certifications that ensure controls are designed appropriately 
        and are operating effectively.

    The Computer Security Division should continue to focus on 
standards, and its resources should be increased to meet those 
expanding responsibilities. NIST's cyber security efforts will also 
continue to grow and benefit from increasing the partnership with the 
private sector, and more specifically, the IT and Communications 
Sectors. With greater resources, NIST will make a more dramatic impact 
on the cyber security of the computing ecosystem.

Enhanced Capabilities
    DHS and NIST both must build on their successes, overcome 
challenges, and expand their capabilities to support government-wide 
policy, standards, and oversight of cyber security. I will outline five 
core capabilities that I believe should exist as part of a government-
wide horizontal function for the federal enterprise. These capabilities 
must be operationalized in the agencies to meet basic security 
requirements; however, my discussion below focuses on the government-
wide horizontal function provided by NIST and DHS and the enhanced 
value created by analyzing data across the government infrastructure. 
NIST should provide the standards to enable these capabilities, and DHS 
should provide the operational aspect of each.
    The growing connectivity of systems, number of devices, and value 
of information that exists in the federal enterprise means that it is 
critically important to improve the trustworthiness of connections and 
transactions to reduce risk. The five capabilities outlined below will 
provide value in the near-term, but that value will only increase as 
the federal enterprise develops better ways to ensure that hardware, 
software and data can be trusted and that those connecting to its 
networks are who they claim to be and can only do what they are 
authorized to do. Improving identity and authentication of these 
elements in the federal enterprise will empower better trust decisions 
and increase accountability.

         Security Monitoring: Watching the real-time health of the 
        networks involves more than traditional network monitoring. In 
        addition to security data from intrusion detection systems, the 
        government could also use information provided by IT assets, 
        such as routers, hosts, and proxy servers, to evaluate its 
        operational and security status. By taking advantage of the 
        general purpose sensors that are built into every well-managed 
        infrastructure, government can gain greater insight on the 
        real-time health of the networks and take action to mitigate 
        risks and respond to incidents.

         Audit: Meaningful audit data can improve agencies' cyber 
        security posture because audit drives behavior, and it provides 
        accountability. The audit capabilities I am referring to are 
        more than comprehensive yearly reporting; they include 
        continuous audit, with spot checks and periodic evaluations, as 
        well as quarterly and annual reporting. Quarterly or annual 
        reporting provides a snapshot of overall security posture and 
        trends, while the spot and periodic evaluations can be used to 
        assess the adequacy of controls and compliance to defined 
        requirements.

         Advanced Analytics: The large amounts of monitoring and audit 
        data must ultimately be turned into insights that can be used 
        to inform more effective cyber security responses. That 
        response may be operational as discussed below, or it may be 
        more strategic and involve changes in policies, controls, and 
        oversight. It may also be a combination of both, with 
        operational incidents informing longer-term decisions. Either 
        way, for this to happen, government must have the right data, 
        must analyze that data in the context of the federal 
        enterprise, and that data must drive action. Fusing together 
        disparate data from a variety of organizations and systems to 
        create a common operational picture is challenging; building 
        the analytic capabilities (e.g., correlation) to derive 
        valuable insights is even harder. The monitoring and audit 
        capabilities I mentioned earlier would create a baseline of 
        data about the real-time health and overall trends in security 
        across the Federal Government. DHS can combine this with threat 
        information from the Intelligence Community and advanced 
        technical analyses to create an operational awareness of the 
        attack surface of the Federal Government in ways simply not 
        possible in the private sector. This is the power of innovative 
        government analytics--insights gained from this fusion not only 
        inform horizontal response, but also transition back to the 
        vertical functions resident in the departments and agencies to 
        manage steady State risks. It can even aid the private sector 
        if the government is willing to share the analysis.

         Agile Response: Building Information Age security in the 
        federal enterprise will make it a better partner with the 
        private sector for improving operational security. Over the 
        past 10 years, there have been several attempts to improve 
        operational coordination between and among key government and 
        private sector stakeholders, but these have met with limited 
        success. I strongly support creating a more effective model for 
        operational collaboration to move us from the less effective 
        government-led partnerships of the past to a more dynamic and 
        collaborative approach involving cyber security leaders from 
        government, industry, and academia. A collaboration framework 
        for public private partnerships should include focused efforts 
        to:

                  Exchange threat and technical data (at the 
                unclassified level as much as possible) to enable 
                meaningful action, with rules and mechanisms that 
                permit both sides to protect sensitive data. This 
                approach is a shift from past practices that viewed 
                information sharing as an objective as opposed to a 
                tool;

                  Create global situational awareness to 
                understand the state of the computing ecosystem and 
                events that may affect it;

                  Analyze risks (threats, vulnerabilities, and 
                consequences) and develop mitigation strategies; and

                  When necessary and consistent with their 
                respective roles, respond to threats.

         Innovative Security Controls: The technologies used in 
        enterprises today often grow faster than security organizations 
        can make sense of them. Since computing technologies will 
        continue to advance at a rapid pace, organizations creating 
        security policy, standards, and technologies must consider how 
        transformative changes in technology (e.g., wireless, RFID, 
        peer-to-peer networks) create different risks and require 
        different controls to maintain or improve security.

Moving Forward

    One of the greatest challenges facing government is measuring its 
progress in improving cyber security. Are things better, worse, or the 
same? What is ``success''? I strongly advocate for tracking progress, 
but must also caution against thinking of cyber security in terms of 
success and failure. Recognizing that cyberspace threats are not going 
to disappear and that attackers will be persistent and adaptive, it is 
not about risk elimination but risk management. As long as threats 
evolve, so must our efforts to protect against them. The U.S. must 
build holistic Information Age strategies to combat these threats in a 
coordinated manner. Reducing the attack surface of the federal 
enterprise and mitigating broad classes of threat will require 
fundamental changes. According to OMB, federal agencies spent 
approximately $6.2 billion (approximately 9.2 percent of the total IT 
portfolio) securing the government's total IT investment of 
approximately $68 billion for the fiscal year 2008.\8\ But these 
resources and the current capabilities they fund do not provide 
sufficient defense. Absent agile government-wide security policies, 
standards, and oversight capabilities, the federal enterprise will 
present an unacceptably easy target. There is mounting proof that we 
must build an Information Age security model that creates a horizontal 
(cross-government) set of security requirements and builds, on top of 
that horizontal layer, agency specific protections to ensure that the 
government (generally) and each agency can fulfill its mission and 
protect the security of its information network.
---------------------------------------------------------------------------
    \8\ Fiscal year 2008 FISMA Report to Congress.

                      Biography for Scott Charney

    Scott Charney serves as Corporate Vice President of Microsoft's 
Trustworthy Computing (TwC) Group within the Core Operating System 
Division. The group's mission is to drive Trustworthy Computing 
principles and processes within Microsoft and throughout the IT 
ecosystem. This includes working with business groups throughout the 
company to ensure their products and services uphold Microsoft's 
security and privacy policies, controls and best practices. The TwC 
group also collaborates with the rest of the computer industry and the 
government to increase public awareness, education and other 
safeguards.
    In addition, Charney oversees Microsoft's efforts to address 
critical infrastructure protection, Engineering Excellence, network 
security, and industry outreach about privacy and security.
    Charney possesses a wealth of computer privacy and security 
experience in both the government and the private sector. Before 
joining Microsoft in 2002, he was a principal for the professional 
services organization PricewaterhouseCoopers (PwC), where he led the 
firm's Cybercrime Prevention and Response Practice. He provided 
computer security services to Fortune 500 companies and smaller 
enterprises. These services included designing and building computer 
security systems, testing existing systems and conducting cybercrime 
investigations.
    Before PwC, Charney served as Chief of the Computer Crime and 
Intellectual Property Section (CCIPS) in the Criminal Division of the 
U.S. Department of Justice. As the leading federal prosecutor for 
computer crimes, he helped prosecute nearly every major hacker case in 
the United States from 1991 to 1999. He co-authored the original 
Federal Guidelines for Searching and Seizing Computers, the federal 
Computer Fraud and Abuse Act, federal computer crime sentencing 
guidelines and the Criminal Division's policy on appropriate computer 
use and workplace monitoring. He also chaired the Group of Eight 
nations (G8) Subgroup on High-Tech Crime, served as Vice Chair and head 
of the U.S. delegation to an ad hoc group of experts on global 
cryptography policy for the Organization for Economic Cooperation and 
Development (OECD). In addition, he was a member of the U.S. delegation 
to OECD's Group of Experts on Security, Privacy and Intellectual 
Property Rights in the Global Information Infrastructure.
    Charney also served as an assistant district attorney in Bronx 
County, N.Y., where he later was named Deputy Chief of the 
Investigations Bureau. In addition to supervising 23 prosecutors, he 
developed a computer-tracking system that was later used throughout the 
city for tracking criminal cases.
    Charney has received numerous professional awards, including the 
prestigious John Marshall Award for Outstanding Legal Achievement in 
1995 and the Attorney General's Award for Distinguished Service in 
1998. He was nominated to the Information System Security Association's 
Hall of Fame in 2000. That same year, the Washington Chapter of the 
Armed Forces Communications and Electronics Association presented him 
with its award for excellence in critical electronic infrastructure 
protection. Among his other affiliations, he served on the American Bar 
Association Task Force on Electronic Surveillance, the American Health 
Lawyers Association Task Force on Security and Electronic Signature 
Regulations, the Software Engineering Institute Advisory Board at 
Carnegie-Mellon University, and the Privacy Working Group of the 
Clinton Administration's Information Infrastructure Task Force.
    He holds a law degree with honors from Syracuse University in 
Syracuse, N.Y., and Bachelor's degrees in history and English from the 
State University of New York in Binghamton.

    Chair Wu. Thank you very much, Mr. Charney. Mr. Harper, 
please proceed.

  STATEMENT OF MR. JIM HARPER, DIRECTOR OF INFORMATION POLICY 
                  STUDIES, THE CATO INSTITUTE

    Mr. Harper. Thank you. Thank you very much, Chair Wu. Thank 
you Ranking Member Smith for having me here to testify on 
cybersecurity activities at DHS and NIST today.
    I welcome your oversight and your focus on results rather 
than output, such as dollars spent. This is very important work 
but not very easy.
    As I tried to illustrate in my written submission, talking 
about cybersecurity is like talking about securing all the 
things we prize. Cybersecurity is many different problems, and 
it would be a mistake to believe that a discrete number of 
activities or a discrete set of government policies could solve 
all of them. I am concerned in the cybersecurity area there is 
a common practice of threat exaggeration and that that could 
buffalo this Congress to adopt policies that are not balanced 
and that ultimately waste resources, frustrate innovation, and 
threaten privacy and civil liberties.
    Yesterday I came across an article in the Boston Review 
called Cyberscare on this very topic, and if it would please 
you, I would be happy to submit it for the record.
    I was pleased, by the way, also to see that my co-panelists 
and colleagues didn't engage in threat exaggeration here and 
spoke about cybersecurity seriously without hyping threats.
    I would like to feature one cybersecurity policy that I 
think has been lost in some of the cyber terrorism, cyber 
warfare cacophony, and that is the policy of keeping critical 
infrastructure off the public Internet. This policy is a proven 
success, but some policy-makers I believe have ignored it, 
thinking that all resources should be on the public Internet or 
managed over the public Internet. So I encourage you and your 
colleagues to keep in mind the policy of keeping the true 
critical infrastructure off the 'net. That takes care of the 
lion's share of many security problems.
    As I said, cybersecurity society-wide is many, many 
different problems, and I think your goal in Congress should 
not be to solve cybersecurity but to determine the systems, the 
social and legal systems, that will best discover and propagate 
good security technology and practices. You might think of a 
hierarchy of legal mechanisms that Congress could consider for 
advancing that goal starting with contracts, considering also 
tort liability and arriving last at prescriptive regulation.
    Because the government is a large consumer of technology, 
it is well-positioned to positively affect the cybersecurity 
ecology, and NIST's standards are integral to that process. As 
a representative and worker at the Cato Institute, I would like 
to see the Federal Government a smaller purchaser of things, 
but while it is a large market actor, its buying decisions can 
help the market for secure technology products advance.
    One way, obviously, is by setting high security standards 
in its purchasing. A second is to consider pushing technology 
providers to accept the risk of loss when their products are 
not sufficiently secure.
    There is a market failure in technology when insecure 
technology harms networks or harms other users. I wouldn't leap 
to regulating in these cases, though, especially because none 
of us know efficiently and effectively how to solve these 
problems. Nobody knows what a regulation would say. For getting 
buyers and sellers of technology to internalize risks, I think 
liability should be the preferred mechanism. Liability is an 
open-ended process of discovery. As courts discover the legal 
doctrines that will help them prevent cyber harms, buyers and 
sellers of technology will have to discover the technologies 
and practices that prevent cyber harms.
    Concerns for me arise when the government steps out of its 
role as a market participant and becomes a market dominator, a 
regulator, a partner or investor with private-sector entities. 
Standards are difficult things as you and my co-panelists know 
well. When done right, they are extraordinarily valuable, and 
that can't be overstated. But when done wrong, they can distort 
markets or threaten privacy and civil liberties. I briefly note 
in my written testimony a potential concern with a standard, 
FIPS 201, and one of the witnesses in your earlier hearings 
mentioned that FIPS 201, an identity standard for federal 
employees and contractors, was becoming a national rather than 
a government standard. I work extensively on national ID 
issues, and I am concerned with the idea of a single standard 
for identification throughout the country.
    I am suspicious of various public-private partnerships in 
the cybersecurity area and elsewhere. They can be valuable, and 
threat information sharing is valuable, but they can also 
suppress competition, they can foster security monoculture, 
immunize responsible parties from liability, and as I mentioned 
before, threaten privacy and civil liberties.
    I will conclude my remarks there, and thank you again for 
having us here. You are looking at important issues in a 
careful way, and I appreciate that. Thank you again.
    [The prepared statement of Mr. Harper follows:]

                    Prepared Statement of Jim Harper

Executive Summary

    Cyber security is a bigger, more multi-faceted problem than the 
government can solve, and it certainly cannot solve the whole range of 
cyber security problems quickly.
    With a few exceptions, cyber security is less urgent than many 
commentators allege. There is no argument, of course, that cyber 
security is not important.
    The policy of keeping true critical infrastructure off the public 
Internet has been lost in the ``cyber security'' cacophony. It is a 
simple security practice that will take care of many threats against 
truly essential assets.
    The goal of policy-makers should be not to solve cyber security, 
but to determine the systems that will best discover and propagate good 
security technology and practices.
    As a market participant, the Federal Government is well positioned 
to affect the cyber security ecology positively, with NIST standards 
integral to that process. The Federal Government may also advance cyber 
security by shifting risk to sellers of technology by contract.
    For the market failure that is on exhibit when insecure technology 
harms networks or other users, liability is preferable to regulation 
for discovering who should bear responsibility.
    When the Federal Government abandons its role of market participant 
and becomes a market dominator, regulator, ``partner,'' or investor 
with private sector entities, a number of risks arise, including 
threats to privacy and civil liberties, weakened competition and 
innovation, and waste of taxpayer dollars.

Introduction

    Chairman Wu, Ranking Member Smith, and Members of the Subcommittee, 
thank you for inviting me to address you in this hearing on the cyber 
security activities of the National Institute of Standards and 
Technology and the Department of Homeland Security. The hearings you 
have conducted so far are a valuable contribution to the national 
discussion, as I hope my participation in this hearing will be valuable 
as well.
    My name is Jim Harper and I am Director of Information Policy 
Studies at the Cato Institute. In that role, I study and write about 
the difficult problems of adapting law and policy to the challenges of 
the information age. I also maintain an online federal spending 
resource called WashingtonWatch.com. Cato is a market liberal, or 
libertarian, think-tank, and I pay special attention to preserving and 
restoring our nation's founding, constitutional traditions of 
individual liberty, limited government, free markets, peace, and the 
rule of law.
    I serve as an advisor to the Department of Homeland Security on its 
Data Integrity and Privacy Advisory Committee, and my primary focus in 
general is on privacy and civil liberties. I am not a technologist or a 
cyber security expert, but a lawyer familiar with technology and 
security issues. As a former committee counsel in both the House and 
Senate, I also blend an understanding of lawmaking and regulatory 
processes with technology and security. I hope this background and my 
perspective enhance your consideration of the many challenging issues 
falling under the name ``cyber security.''
    In my testimony, I will spend a good deal of time on fundamental 
problems in cyber security and the national cyber security discussion 
so far. I will then apply this thinking to some of the policies NIST, 
DHS, and other agencies are working on.

The Use and Misuse of ``Cyberspace'' and ``Cyber Security''

    One of the profound challenges you face in setting ``cyber 
security'' policy is the framing of the issue. ``Cyberspace'' is 
insecure, we all believe, and by making it integral to our lives, we 
are importing insecurity, as individuals and as a nation.
    In some senses this is true, and ``securing cyberspace'' is a 
helpful way of thinking about the problem. But it also promotes over-
generalization, suggesting that a bounded set of behaviors called 
``cyber security'' can resolve things.
    A new world or ``space'' is indeed coming into existence through 
the development of communications networks, protocols, software, 
sensors, commerce, and content. In many ways, this world is distinct 
and different from the physical space that we occupy. In 
``cyberspace,'' we now do many of the things we used to do only in 
physical space: we shop, debate, read the news, work, gossip, manage 
our financial affairs, and so on. Businesses and government agencies, 
of course, conduct their operations in the new ``cyberspace'' as well.
    It is even helpful to extend this analogy and imagine 
``cyberspace'' as organized like the physical world. Think of personal 
computers as people's homes. Their attachments to the network analogize 
to driveways, which connect to roads and then highways. (Perhaps phones 
and hand-held devices are data-bearing cars and motorcycles.) E-mails, 
financial files, and pictures are the personal possessions that could 
be stolen out of houses and private vehicles, leading to privacy loss.
    Corporate and government networks are cyberspace's office 
buildings. Business data, personnel files, and intellectual property 
are the goods that sometimes get left on the loading dock, personnel 
files and business places that are left on the desk in an executive's 
office overnight, and so on. They can be stolen from the ``office 
buildings'' in data breaches.
    How do you secure these places and things from theft, both casual 
and organized? How do you prevent fires, maintain water and electric 
service, ensure delivery of food, and prevent outbreaks of disease? How 
do you defend against military invasion or weapons of mass destruction 
in this all-new ``space''?
    These problems are harder to solve in some senses, and not as hard 
to solve in others. Consider, for example, that the ``houses'' and 
``office buildings'' of cyberspace can be reconstituted in minutes or 
hours if software and data have been properly backed up. Lost 
possessions can be ``regained'' just as quickly--though copies of them 
may permanently be found elsewhere. ``Cyberspace'' has many 
resiliencies that real space lacks.
    On the other hand, ``diseases'' (new exploits) multiply much more 
quickly and broadly than in the real world. ``Cyber-public-health'' 
measures like mandated vaccinations (the required use of security 
protocols) are important, though they may be unreliable. On a global 
public medium like the Internet, they would have to be mandated by an 
authority or authorities with global jurisdiction and authority over 
every computing device, which is unlikely and probably undesirable.
    The analogy between cyberspace and real space shows that ``cyber 
security'' is not a small universe of problems, but thousands of 
different problems that will be handled in thousands of different ways 
by millions of people over the coming decades. Securing cyberspace 
means tackling thousands of technology problems, business problems, 
economics problems, and law enforcement problems.
    In my opinion, if it takes decades to come up with solutions, that 
is fine. The security of things in ``real'' space has developed in an 
iterative process over hundreds and, in some cases, thousands of years. 
Even ``simple'' security devices like doors, locks, and windows involve 
fascinating and intricate security, utility, and convenience trade-offs 
that are hard even for experts to summarize.
    Many would argue, of course, that we do not have decades to figure 
out cyber security. But I believe that, with few exceptions, most of 
these assertions are mistaken. Your ability to craft sound cyber 
security policies for the government is threatened by the 
breathlessness of public discussion that is common in this field.

Calm Down, Slow Down

    Overuse of urgent rhetoric is a challenge to setting balanced cyber 
security policy. Threat exaggeration has become boilerplate in the 
cyber security area, it seems, and while cyber security is important, 
overstatement of the problems will promote imbalanced responses that 
are likely to sacrifice our wealth, progress, and privacy.
    For example, comparisons between ``cyberattack'' and conventional 
military attack are overwrought. As one example (which I select only 
because it is timely), the Center for a New American Security is 
hosting a cyber security event this week, and the language of the 
invitation says: ``[A] cyberattack on the United States' 
telecommunications, electrical grid, or banking system could pose as 
serious a threat to U.S. security as an attack carried out by 
conventional forces.'' \1\
---------------------------------------------------------------------------
    \1\ Center for a New American Security, ``Developing a National 
Cybersecurity Strategy'' web page (visited June 23, 2009) 
http://www.cnas.org/node/2818
---------------------------------------------------------------------------
    As a statement of theoretical extremes, it is true: The 
inconvenience and modest harms posed by a successful crack of our 
communications or data infrastructure could be more serious than an 
invasion by an ill-equipped, small army. But as a serious assertion 
about real threats, an attack by conventional forces (however unlikely) 
would be entirely more serious than any realistic cyberattack. We would 
stand to lose national territory, which cannot be reconstituted by 
rebooting, repairing software, and reloading backed-up files.
    The Center for Strategic and International Studies' influential 
report, Securing Cyberspace for the 44th Presidency, said similarly 
that cyber security ``is a strategic issue on par with weapons of mass 
destruction and global jihad.'' \2\ Many weapons of mass destruction 
are less destructive than people assume, and the threat of global jihad 
appears to be waning, but threats to our communications networks, 
computing facilities, and data stores pale in comparison to true WMD 
like nuclear weapons. Controlling the risk of nuclear attack remains 
well above cyber security in any sound ranking of strategic national 
priorities.
---------------------------------------------------------------------------
    \2\ CSIS Commission on Cybersecurity for the 44th Presidency, 
``Securing Cyberspace for the 44th Presidency,'' p. 15 (2008) http://
www.csis.org/media/csis/pubs/081208-securing 
cyberspace-44.pdf [hereinafter ``CSIS Report''].
---------------------------------------------------------------------------
    It is a common form of threat exaggeration to cite the raw number 
of attacks on sensitive networks, like the Department of Defense's. It 
suffers hundreds of millions of attacks per year. But happily most of 
these ``attacks'' are repetitious use of the same attack. They are 
mounted by ``script kiddies''--unsophisticated know-nothings who get 
copies of others' attacks and run them on the chance that they will 
find an open door.
    The defense against this is to continually foreclose attacks and 
genres of attack as they develop, the way the human body develops 
antibodies to germs and viruses. Securing against these attacks is 
important work, and it is not always easy, but it is an ongoing, stable 
practice in network management and a field of ongoing study in computer 
science. The attacks may continue to come in the millions, but this is 
less concerning when immunities and fail-safes are in place and 
continuously being updated.
    In his generally balanced speech on cyber security, President Obama 
cited a threat he termed ``weapons of mass disruption.'' \3\ Again, 
analogy to the devastation that might be done by nuclear weapons is 
misleading. Inconvenience and disruption are bad things, they can be 
costly, and in the extreme case deadly--again, cyber security is 
important--but securing against the use of real weapons on the U.S. and 
its people is a more important government role.
---------------------------------------------------------------------------
    \3\ ``Remarks by the President on Securing Our Nation's Cyber 
Infrastructure,'' (May 29, 2009) 
http://www.whitehouse.gov/the-press-office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/.
---------------------------------------------------------------------------
    In a similar vein, a commentator on the National Journal's national 
security experts blog recently said, ``Cyberterrorism is here to stay 
and will grow bigger.'' \4\ Cyberterrorism is not here, and thus it is 
not in a position to stay.
---------------------------------------------------------------------------
    \4\ http://security.nationaljournal.com/2009/06/how-can-cyberspace-
be-protecte.php
---------------------------------------------------------------------------
    Provocative statements of this type lack a key piece of foundation: 
They do not rest on a sound strategic model whereby opponents of the 
United States and U.S. power would use the capabilities they actually 
have to gain strategic advantage.
    Take cyberterrorism. With communications networks, computing 
infrastructure, and data stores under regular attack from a variety of 
quarters--and regularly strengthening to meet them--it is highly 
unlikely that terrorists can pull off a cyber security event disruptive 
enough to instill widespread fear of further disruption. Fear is a 
necessary element for terrorism to work its will, of course. The 
impotence of computer problems to instill fear renders 
``cyberterrorism'' an unlikely threat. This is not to deny the 
importance of preventing the failure of infrastructure, of course.
    Cyberattacks by foreign powers have a similarly implausible 
strategic logic. The advantage gained by a disabling attack on private 
and civilian government infrastructure would be largely economic, with 
perhaps some psychological effects. Such attacks would not plausibly 
``soften up'' the United States for invasion. But committing such 
attacks would risk harsh responses if the perpetrators were found, and 
conventional intelligence methods are undoubtedly keenly tuned to doing 
so. Ultimately, a foreign government's cyberattack on the United States 
would have to be a death-blow, as it would risk eliciting ruinous 
responses. This makes it very unlikely that a cyberattack on civilian 
infrastructure would be a tool of true war.
    Attacking military communications infrastructure and data does have 
a rational strategic logic, of course. And the testimony your committee 
received from Dr. Leheny of the Defense Advanced Research Project 
Agency at your June 16 hearing illustrates some of what the Defense 
Department is doing to anticipate and prevent attacks on this true 
critical infrastructure.
    The more plausible strategic use of attacks on communications and 
data infrastructure is not ``cyberterrorism'' or ``cyberattack,'' but 
what might be called ``cybersapping'': Infiltrating networks to gain 
business intelligence, intellectual property, money, personal and 
financial data, and perhaps strategic government information. These 
infiltrations can slowly degrade the advantages that the U.S. economy 
and government have over others. They are important to address 
diligently and promptly. But they are not a reason to panic and 
overreact.
    A final example of cyber security boilerplate that deserves mention 
is the alleged weakness of military information systems. The story that 
confidential files about the Joint Strike Fighter were compromised 
earlier this year has become a standard dire warning about our national 
vulnerability. But many are conveniently forgetting the other half of 
the story, even though it is available right there in some of the 
earliest reporting. According to a contemporaneous story on CNN.com:

         [O]fficials insisted that none of the information accessed was 
        highly sensitive data. The plane uses stealth and other highly 
        sensitive electronic equipment, but it does not appear that 
        information on those systems was compromised, because it is 
        stored on computers that are not connected to the Internet, 
        according to the defense officials.\5\
---------------------------------------------------------------------------
    \5\ Mike Mount, ``Hackers Stole Data on Pentagon's Newest Fighter 
Jet,'' CNN.com (Apr. 21, 2009) http://www.cnn.com/2009/US/04/21/
pentagon.hacked/index.html

    The compromise of some data about the Joint Strike Fighter is 
regrettable, but this is also a story of cyber security success. The 
key security policy of keeping the most sensitive data away from the 
public Internet successfully protected that data. The Department of 
Defense deserves credit for instituting and maintaining that policy.
    Cyber security is important, but exaggerating threats and failures 
as a matter of routine will lead to poor policy-making. Do not let the 
urgency of many statements about cyber security ``buffalo'' you into 
precipitous, careless, and intrusive policies.
    Exhortations about some cyber security policies seem to be pushing 
others off the table, like the policy so successful at protecting the 
most important information about the Joint Strike Fighter. The simple, 
elegant policy of keeping truly critical infrastructure off the public 
Internet is not receiving enough discussion.

Critical Infrastructure: Off the Internet

    At the confirmation hearing of Commerce Secretary Gary Locke 
earlier this year, Senator Jay Rockefeller stated his view of the cyber 
security problem in no uncertain terms. Of cyberattack, he said:

         It's an act which can shut this country down--shut down its 
        electricity system, its banking system, shut down really 
        anything we have to offer. It is an awesome problem . . .. It 
        is a fearsome, awesome problem.\6\
---------------------------------------------------------------------------
    \6\ See ``Jay Rockefeller: Internet Should Have Never Existed,'' 
YouTube (posted Mar. 20, 2009) http://www.youtube.com/
watch?v=Ct9xzXUQLuY

    What is fearsome is the embedded premise that everything important 
to our country would be put on the Internet rather than controlled over 
separate, dedicated networks. This is not true, as the example of the 
Joint Strike Fighter illustrates. And it turns out that many 
important functions in government and society are indeed handled by 
dedicated communications networks.
    Cato Institute adjunct fellow Timothy B. Lee, a Ph.D. student in 
computer science at Princeton University and an affiliate of the Center 
for Information Technology Policy, commented on the Estonian 
cyberattacks last year:

         [S]ome mission-critical activities, including voting and 
        banking, are carried out via the Internet in some places. But 
        to the extent that that's true, the lesson of the Estonian 
        attacks isn't that the Internet is ``critical infrastructure'' 
        on par with electricity and water, but that it's stupid to 
        build ``critical infrastructure'' on top of the public 
        Internet. There's a reason that banks maintain dedicated 
        infrastructure for financial transactions, that the power grid 
        has a dedicated communications infrastructure, and that 
        computer security experts are all but unanimous that Internet 
        voting is a bad idea.\7\
---------------------------------------------------------------------------
    \7\ Tim Lee, ``The Internet Isn't `Critical Infrastructure,' '' 
TechDirt (May 27, 2008) http://www.techdirt.com/articles/20080522/
1905471205.shtml

    Tim has also noted that the Estonia attacks did not reach 
parliament, ministries, banks, and media--just their web sites. Access 
to some businesses and government agencies went down, but their core 
functions were not compromised.
    Yet this policy--of keeping critical functions away from the 
Internet--has received almost no discussion in the recent major reports 
on cyber security. The White House's Cyberspace Policy Review did not 
highlight this approach,\8\ and the President's speech presenting the 
review did not either. The CSIS report also did not emphasize this 
simple, straightforward method for securing truly critical functions.
---------------------------------------------------------------------------
    \8\ ``Cyberspace Policy Review: Assuring a Trusted and Resilient 
Information and Communications Infrastructure,'' The White House 
(undated) http://www.whitehouse.gov/assets/documents/
Cyberspace-Policy-Review-final.pdf; 
``Remarks by the President on Securing Our Nation's Cyber 
Infrastructure,'' (May 29, 2009) http://www.whitehouse.gov/
the-press-office/Remarks-by-the-President-on-
Securing-Our-Nations-Cyber-Infrastructure/
---------------------------------------------------------------------------
    Where security is truly at a premium, the lion's share of securing 
infrastructure against cyberattack can be achieved by the simple policy 
of fully decoupling it from the Internet.
    ``Criticality'' has become a popular line to draw in discussions of 
cyber security, of course, and the meaning of the term is in no way 
settled. A 2003 Congressional Research Service report explored the 
dimensions of the concept at the time.\9\ My study of ``criticality'' 
is cursory, but the CSIS report's suggestion is sensible, if loosely 
drawn:
---------------------------------------------------------------------------
    \9\ John Moteff et al., Resources, Science, and Industry Division, 
Congressional Research Service, ``Critical Infrastructures: What Makes 
an Infrastructure Critical?'' CRS Order Code RL31556 (updated Jan. 29, 
2003) http://www.fas.org/irp/crs/RL31556.pdf

         [C]ritical means that, if the function or service is 
        disrupted, there is immediate and serious damage to key 
        national functions such as U.S. military capabilities or 
        economic performance. It does not mean slow erosion or annoying 
        disruptions.\10\
---------------------------------------------------------------------------
    \10\ CSIS Report, p. 44.

    In my mind, criticality should probably turn on whether compromise 
of the resource would immediately and proximately endanger life and 
health. Immediacy is an important limitation because resources that can 
be promptly repaired to prevent harm should be made resilient that way 
rather than treated as critical infrastructure.
    Proximity to harm is also important to prevent ``criticality'' 
grade-inflation. The loss of electric power for even an hour will kill 
people on respirators in hospitals, for example, but the proximate 
solution to such foreseeable risks is to have backup power systems at 
hospitals--not to make the entire electricity grid critical 
infrastructure on that basis.
    If it is to be a focal point for cyber security policies, the 
notion of ``critical infrastructure'' must be sharply circumscribed. 
Given the special treatment accorded critical infrastructure by 
government, private entities will all clamor for that status, and the 
government will be stuck protecting thousands of things that are kind 
of important, rather than the networks and data that are immediately 
needed for protecting life and health.
    Keeping the small universe of truly critical infrastructure 
entirely separate from the public Internet, and encouraging private 
operators of critical infrastructure to do so, is a policy that has not 
received enough discussion so far. It deserves a great deal more.
    But this is one among dozens of policy choices to deal with 
thousands of problems. The many complex challenges lumped together as 
``cyber security'' cannot be solved by any one expert, group of 
experts, legislature, regulatory body, or commission. It has too many 
moving parts.
    Rather than trying to address cyber security in toto, I recommend 
addressing the problem at a level once-removed: By asking what systems 
we should use to address cyber security. There are a variety of social 
mechanisms, each with merits and demerits.

Cyber Security Through Contract

    In my testimony so far, I have argued against over-generalization 
and over-heated rhetoric around cyber security. Cyber security is many 
different problems, only some of which are urgent.
    None of this is to deny that cyber security is a serious and 
important challenge. I applaud the work of the Defense Department to 
secure its critical information, and find very interesting DARPA's 
innovative work to develop networks over which our military branches 
can conduct their very important functions. These are two examples 
among many government-wide efforts to secure true critical 
infrastructure.
    But what about the rest of the country's communications and data 
infrastructure? Is the entire Nation's cyberstuff a ``strategic 
national asset,'' as the President suggested in his speech on cyber 
security?\11\ Should it all come under a military or quasi-military 
command-and-control operation?
---------------------------------------------------------------------------
    \11\ ``Remarks by the President on Securing Our Nation's Cyber 
Infrastructure,'' (May 29, 2009) http://www.whitehouse.gov/
the-press-office/Remarks-by-the-President-on-
Securing-Our-Nations-Cyber-Infrastructure/
---------------------------------------------------------------------------
    The CSIS study called for a ``comprehensive national security 
strategy for cyberspace'' and stated accordingly and unflinchingly that 
the government should ``regulate cyberspace.'' \12\ The report also 
laid our cyber security woes at the feet of the market: ``We have 
deferred to market forces in the hope that they would produce enough 
security to mitigate national security threats. It is not surprising 
that . . . industrial organization and over-reliance on the market has 
not produced success.'' \13\
---------------------------------------------------------------------------
    \12\ CSIS Report, pp. 1-2.
    \13\ CSIS Report, p. 12.
---------------------------------------------------------------------------
    Competition and markets should not be passed over in favor of 
regulation. Indeed, the argument for regulation begs the central 
question: What do we want from our technical infrastructures so that we 
have appropriate security? What would a cyber security regulation say? 
Nobody yet knows.
    To illustrate, FISMA, the Federal Information Security Management 
Act, has not taken care of cyber security for the Federal Government. 
Federal chief information security officers and others rightly 
criticize the government's self-regulation for its focus on compliance 
reporting and paperwork at the expense of addressing known 
problems.\14\
---------------------------------------------------------------------------
    \14\ See, e.g., Government Futures, ``The 2009 State of 
Cybersecurity from the Federal CISO's Perspective--An (ISC)2 Report'' 
(April 2009) http://media.haymarketmedia.com/Documents/7/
FederalCISOSurveyReport--1638.pdf.
---------------------------------------------------------------------------
    If the Federal Government knew how to do cyber security well, FISMA 
would be a to-do list that more or less secured the federal enterprise. 
We would not have the cyber security problem all agree we have. But the 
practices that lead to successful cyber security have not yet been 
discovered. Regulations to implement these undiscovered practices would 
not help.
    Success in cyber security is not easy to define. Professor Ed 
Felten from Princeton University's Center for Information Technology 
Policy points out that the ideal is not perfect security, but optimal 
security--the efficient point where investments in security avoid equal 
or greater losses.\15\ Communications and computing devices are meant 
to process, display, and transmit information that they often acquire 
from other resources. To make them useful, we must embrace the risk of 
opening them up to other computers, software, and data. Some level of 
insecurity is what makes the Internet, computing, and ``cyberspace'' so 
useful and valuable.
---------------------------------------------------------------------------
    \15\ Nestor Abreu, ``Conversation: Debugging our Cyber-Security 
Policy'' (podcast at minute 12:00) (Feb. 27, 2009) http://
citp.princeton.edu/blog/2009/02/27/conversation-debugging-our-cyber-
security-policy/
---------------------------------------------------------------------------
    Again, the question is what processes we can use to discover 
optimal or near-optimal cyber security products and behaviors, then 
propagate them throughout the society.
    Criticisms of the market are not misplaced, though they may be mis-
focused. The market for communications and computing technologies is 
very immature. Many products are rushed to market without adequate 
security testing. Many are delivered with insecure settings enabled by 
default. My impression also is that most are sold without any warranty 
of fitness for the purposes users will put them to, leaving all risk of 
failure with buyers who are poorly positioned to make sound security 
judgments. There are several ways to address these problems.
    As this committee is aware, the Federal Government is one of the 
largest purchasers--if not the largest purchaser--of information 
technology in the world. This is not the preferred state of affairs 
from my perspective, but there is no reason to deny that its purchasing 
decisions can affect the improvement of products available on the 
market.
    Thanks to entities like the National Institute of Standards and 
Technology, the Federal Government is also one of the most 
sophisticated purchasers of technology. As other witnesses and 
advocates have articulated better than I can, the government can drive 
maturation in the market for technology products by setting standards 
and defaults for the products and services it buys.
    The Federal Government can also insist on shifting the risk of loss 
from the buyer to the seller. Contracts with technology sellers can 
include guarantees that their products are fit for the purposes to 
which they will be put--including, of course, secure operation.
    Federal buyers should expect to pay more if they demand fitness and 
security guarantees, of course, but more secure products have more 
value. Sellers will have to do more thorough development and more 
rigorous security testing. Because they currently bear little or no 
risk of loss, technology sellers will probably howl at the prospect of 
bearing risk, but ready to step in will be technology sellers willing 
to produce better, more secure, and more reliable products for the 
premium that gets them.
    As a large market participant, the Federal Government can have a 
good influence on the security ecology without resorting to intrusive 
regulation. Whether it creates a ``gold standard'' for security in 
technologies purchased in the private sector, or whether it moves the 
market toward contract-based liability for technology sellers, the 
Federal Government can help the technology market mature.

Cyber Security Through Tort Liability

    There is more to criticism of the market for cyber security than 
``lack of maturity,'' however. There is also an arguable market failure 
in the area of technology products and services, caused by a lack of 
maturity in the law. I was pleased that the executive summary of the 
White House Cyberspace Policy Review cited a short paper I wrote 
arguing that updated tort law would be superior to regulation for 
curing the market.\16\
---------------------------------------------------------------------------
    \16\ Much of Jim Harper, ``Government-Run Cyber Security? No, 
Thanks,'' Cato Institute TechKnowledge #123 (March 13, 2009) http://
www.cato.org/tech/tk/090313-tk.html, is incorporated into this 
testimony.
---------------------------------------------------------------------------
    A market failure exists when the market price of a good does not 
include the costs or benefits of externalities (harmful or beneficial 
side effects that occur in the production, distribution, or consumption 
of a good). Producers or consumers may have little incentive to alter 
activities that contribute to air pollution, for example, when the 
costs of pollution do not affect their costs. Likewise, users of 
computers that are insecure may harm the network or other users, such 
as when malware infects a computer and uses it to launch spam or 
distributed denial-of-service attacks.
    When there are no contractual relations between the parties, getting 
network operators, data owners, and computer users to internalize risks 
can be done one of two ways: Regulation--you mandate certain 
behaviors--or liability--you make them pay for harms they cause others. 
Regulation and liability each have strengths and weaknesses, but I 
believe a liability regime is ultimately superior.
    One of the main problems with regulation--especially in a dynamic 
field like technology--is that it requires a small number of people to 
figure out how things are going to work for an unknown and indefinite 
future. Those kinds of smarts do not exist.
    So regulators often punt: When the Financial Services Modernization 
Act tasked the Federal Trade Commission with figuring out how to secure 
financial information, it did not do that. Instead, the ``Safeguards 
Rule'' \17\ (similarly to FISMA) simply requires financial institutions 
to have a security plan. If something goes wrong, the FTC will go back 
in and either find the plan lacking or find that it was violated.
---------------------------------------------------------------------------
    \17\ See Federal Trade Commission, ``Protecting Customers' Personal 
Information: The Safeguards Rule'' web page (visited June 23, 2009) 
http://www.ftc.gov/bcp/edu/microsites/idtheft/business/safeguards.html
---------------------------------------------------------------------------
    Another weakness of regulation is that it tends to be too broad. In 
an area where risks exist, regulation will ban entire swaths of 
behavior rather than selecting among the good and bad. In 1998, for 
example, Congress passed the Children's Online Privacy Protection Act, 
and the FTC set up an impossible-to-navigate regime for parental 
approval of the web sites their children could use.\18\ Today, no child 
has been harmed by a site that complies with COPPA because they are so 
rare. The market for serving children entertaining and educational 
content is a shadow of what it could be.
---------------------------------------------------------------------------
    \18\ See Federal Trade Commission, ``You, Your Privacy Policy, and 
COPPA: How to Comply with the Children's Online Privacy Protection 
Act'' web page (visited June 23, 2009) http://www.ftc.gov/bcp/edu/pubs/
business/idtheft/bus51.pdf
---------------------------------------------------------------------------
    Regulators and regulatory agencies are also subject to ``capture.'' 
Industries have historically co-opted the agencies intended to control 
them and turned those agencies toward insulating incumbents from 
competition.\19\
---------------------------------------------------------------------------
    \19\ See Timothy B. Lee, ``The Durable Internet: Preserving Network 
Neutrality without Regulation,'' Cato Policy Analysis #626 (Nov. 12, 
2008) http://www.cato.org/
pub-display.php?pub-id=9775
---------------------------------------------------------------------------
    And regulation often displaces individual justice. The Fair Credit 
Reporting Act preempted state law causes of action against credit 
bureaus that, thus, cannot be held liable for defamation when their 
reports wrongfully cause someone to be denied credit. ``Privacy'' 
regulations under the Health Insurance Portability and Accountability 
Act gave enforcement powers to an obscure office in the Department of 
Health and Human Services. While a compliance kabuki dance goes on 
overhead, people who have suffered privacy violations are diverted to 
seeking redress by the grace of a federal agency.
    Tort liability is based on the idea that someone who does harm, or 
allows harm to occur, should be responsible to the injured party. The 
role of law and government is to prevent individuals from harming one 
another. When a person drives a car, builds a building, runs a hotel, 
or installs a light switch, he or she owes it to anyone who might be 
injured to keep them safe. A rule of this type could apply to owners 
and operators of networks and databases, and possibly even to software 
writers and computer owners.
    A liability regime is better at discovering and solving problems 
than regulation. Owners faced with paying for harms they cause will use 
the latest knowledge and their intimacy with their businesses to 
protect the public. Like regulation, a liability regime will not catch 
a new threat the first time it appears, but as soon as a threat is 
known, all actors must improve their practices to meet it. Unlike 
regulations, which can take decades to update, liability updates 
automatically.
    Liability also leaves more room for innovation. Anything that 
causes harm is forbidden, but anything that does not cause harm is 
allowed. Entrepreneurs who are free to experiment will discover 
consumer-beneficial products and services that improve health, welfare, 
life, and longevity.
    Liability rules are not always crystal clear, of course, but when 
cases of harm are alleged in tort law, the parties meet in a courtroom 
before a judge, and the judge neutrally adjudicates what harm was done 
and who is responsible. When an agency enforces its own regulation, it 
is not neutral: Agencies work to ``send messages,'' to protect their 
powers and budgets, and to foster future careers for their staffs.
    Especially in the high-tech world of today, it is hard to prove 
causation. The forensic skill to determine who was responsible for an 
information-age harm is still too rare. But regulation is equally 
subject to evasion. And liability acts not through lawsuits won, but by 
creating a protective incentive structure.
    One risk unique to liability is that advocates will push to do more 
with it than compensate actual harms. Some would treat the creation of 
risk as a ``harm,'' arguing, for example, that companies should pay 
someone or do something about potential identity fraud just because a 
data breach created the risk of it. They often should, but blanket 
regulations like that actually promote too much information security, 
lowering consumer welfare as people are protected against things that 
do not actually harm them.
    It is also true that the tort liability system has been abused in 
some cases. Plaintiffs' bars have sought to turn litigation into 
another regulatory mechanism--or a cash cow. State common law reforms 
to meet these challenges are in order; dismissing the common law out of 
hand is not.
    There are dozens of complexities to how the tort law would operate 
in the cyber security area, of course. The common law is a system of 
discovery that crafts doctrines to meet emerging challenges. I cannot 
predict each challenge common law courts would encounter and how they 
would address them, but the growth of common law doctrines to prevent 
harm is an important alternative to the heavy hand of regulation.
    As complex and changing as cyber security is, the Federal 
Government has no capability to institute a protective program for the 
entire country. While it secures its own networks, the Federal 
Government should observe the growth of state common law duties that 
require network operators, data owners, and computer users to secure 
their own infrastructure and assets. (They in turn will divide up 
responsibility efficiently by contract.) This is the best route to 
discovering and patching security flaws in all the implements of our 
information economy and society.
    Between the two, contract and tort liability can provide a seamless 
web of cyber security incentives, spreading risks to the parties most 
capable of controlling them and bearing their costs. Regulation pushes 
responsibility to protect where it is politically palatable, not where 
it is economically most efficient or best done. Regulation often 
shields the private sector from liability, foisting risk onto the 
public--one of the concerns I will turn to next.

Standards, Public-Private Partnerships, and the Risks Thereof

    As a market participant, the Federal Government can play an 
important role in promoting secure products and practices. When it 
leaves the role of market participant and becomes a market dominator, a 
regulator, a ``partner,'' or investor with private sector entities, a 
number of risks arise, including threats to privacy and civil 
liberties, weakened competition and innovation, and waste of taxpayer 
dollars. I will address selected examples of NIST and DHS activity in 
that light.
    As a standard-setting organization for the Federal Government, NIST 
is a valuable resource--not just for the government but for the 
cybersecurity ecology. But standards are tricky business. What may be 
appropriate in one context may not be in another.
    An area of keen interest to me as an advocate for privacy and civil 
liberties is the avoidance of a national ID system in the United 
States. My book, Identity Crisis: How Identification is Overused and 
Misunderstood, sought to reveal the demerits in having a U.S. national 
ID. The REAL ID Act of 2005, which attempted to create a national ID 
system in the United States, has foundered for a variety of reasons. 
Unfortunately, a bill recently introduced in the Senate would seek to 
revive this national ID program.\20\
---------------------------------------------------------------------------
    \20\ S. 1261, The PASS ID Act (111th Cong., 1st Sess.) http://
www.washingtonwatch.com/bills/show/
111-SN-1261.html
---------------------------------------------------------------------------
    Accurate identification or ``identity security'' is important in 
some contexts, but less so in others. Anonymity and obscurity are 
important protections for Americans' privacy and freedom to speak and 
act as they wish. Ultimately, I believe a diverse and competitive 
identity and credentialing system will deliver all the benefits that 
digital identity systems can provide, without the surveillance.
    So I was concerned to see one bullet point in the testimony of Cita 
Furlani from NIST at your recent joint hearing. She characterized 
NIST's identity and credentialing management standard for federal 
employees and contractors (FIPS 201) as ``becoming the de facto 
national standard.'' \21\
---------------------------------------------------------------------------
    \21\ Testimony of Ms. Cita Furlani, Director, Information 
Technology Laboratory, National Institute of Standards and Technology 
(NIST), to a hearing entitled ``Agency Response to Cyberspace Policy 
Review,'' Subcommittee on Technology & Innovation, Committee on Science 
and Technology, United States House of Representatives, p. 4 (June 16, 
2009) http://democrats.science.house.gov/Media/file/Commdocs/hearings/
2009/Tech/16jun/Furlani-Testimony.pdf
---------------------------------------------------------------------------
    It is unclear exactly what this means, of course, and I do not view 
FIPS 201 as the foremost threatened national ID standard at this time. 
But the needs in identity and credentialing outside the Federal 
Government are quite different from those within the government. The 
same market dominance that makes the Federal Government such a 
potential boon to cyber security could make it an equal bane to privacy 
and civil liberties should FIPS 201 be adopted widely by State 
governments for their employees, by states for their drivers' licenses 
and IDs, and in private-sector employment and access control. The same 
is probably true of other standards in other ways.
    Cyber security standard-setting for Federal Government purchasing 
and use should present few problems. It can often be beneficial when it 
drives forward the cyber security marketplace. But pressing standards 
onto the private sector where they are not a good fit--in delicate 
areas such as personal information handling--creates concerns.
    Professor Schneider from Cornell said it well in your first hearing 
of this series:

         [T]he Internet is as much a social construct as a 
        technological one, and we need to understand what effects 
        proposed technological changes could have; forgoing social 
        values like anonymity and privacy (in some sense, analogous to 
        freedom of speech and assembly) in order to make the Internet 
        more trustworthy might significantly limit the Internet's 
        utility to some, and thus not be seen as progress.\22\
---------------------------------------------------------------------------
    \22\ Testimony of Dr. Fred B. Schneider, Samuel B. Eckert Professor 
of Computer Science, Cornell University, to a hearing entitled ``Cyber 
Security R&D,'' Subcommittee on Technology & Innovation, Committee on 
Science and Technology, United States House of Representatives, p. 4 
(June 10, 2009) http://democrats.science.house.gov/Media/file/Commdocs/hearings/2009/Research/10jun/Scheider-Testimony.pdf

    A different array of concerns arises from nominal ``public-private 
partnerships.'' The concept is much ballyhooed among governments and 
corporations because it suggests happiness and cooperation. But I am 
not enthusiastic about a joining of hands between the government and 
the corporate sector.
    Public-private partnerships take many forms, of course. The least 
objectionable are information-sharing arrangements like the Department 
of Homeland Security's US-CERT, or United States Computer Emergency 
Readiness Team. But consumers, the society, and our economy do not get 
the best from corporations when they cooperate, much less when they 
cooperate with government. Markets squeeze the most out of the business 
sector when competitors are nakedly pitted against each other and 
forced to compete on every dimension of their products and services, 
including cyber security.
    Programs like US-CERT run the risk of diminishing competition and 
innovation in cyber security. Vulnerability warning is not a public 
good; it can be provided privately by companies competing against each 
other to do the best job for their clients. ``Free'' taxpayer-funded 
vulnerability warning will tend to squeeze private providers out of the 
market.
    This risks lowering overall consumer welfare, especially if it 
leads to cyber security monoculture. ``Monoculture'' is the idea that 
uniformity among security systems is a weakness. In a security 
monoculture, one flaw could be exploited in many domains at once, 
bringing them all down and creating problems that would not have 
materialized in a diverse security environment.
    With US-CERT this is only a risk. Public-private partnerships of 
other stripes raise more powerful concerns.
    Earlier in my testimony, I wrote about how liability can promote 
cyber security. It is equally the case that the absence of liability 
can degrade security. If public-private partnerships confuse lines of 
responsibility for security, the results can be very bad indeed.
    Consider how responsibility for passenger air transportation was 
mixed before the 9/11 attacks. Airlines nominally provided security, 
but they had to obey the dictates of the Federal Aviation 
Administration. Were something bad to happen, both entities were in a 
position to deny responsibility.
    Flying a plane into a building had been written about in a 1994 
novel--and kamikaze attacks were, of course, a tactic of the Japanese 
in World War II--but on 9/11 hijacking protocols had not been seriously 
revamped since the 1970s, when absconding to Cuba was the chief goal of 
most airline takeovers.
    After 9/11, neither airlines nor the Federal Aviation 
Administration shouldered responsibility. The airlines moved swiftly to 
capitalize on emotion and patriotism, getting Congress to shield them 
from liability, give them an infusion of taxpayer dollars, and take 
over their security obligations. This ``public-private partnership'' in 
security was a disaster from start to finish, and remains so. The party 
ultimately bearing the loss--and still at risk today--was the American 
taxpayer and traveler.
    This illustration is not to suggest that cyber security failures 
threaten attacks equivalent to 9/11. It is simply to suggest that the 
better role of the government is to stand apart from industry and to 
arbitrate liability when a company has failed to meet its contractual 
or tort-based obligations.
    Public-private partnerships may also be conduits for transferring 
taxpayer funds to corporations, or to universities who do research for 
corporations. While reviewing the testimonies presented to you in 
earlier hearings, I was impressed by the nearly uniform requests for 
taxpayer money.
    Much of the money requested would go to research that industry 
needs to do a good job. In other words, it is research they would fund 
themselves in the absence of a subsidy. Using a small amount of money 
taken from each taxpayer, Congress can give money to corporations and 
claim a role in the production of security, even though the 
corporations would have put their own money to that use themselves. 
This is another form of ``partnership'' where the American taxpayer 
loses.
    When the Federal Government abandons the role of market participant 
and neutral arbiter, difficulties arise. Though NIST standards are 
useful for the Federal Government--and many of them can apply well in 
the private sector--they may not be appropriately forced on the private 
sector when the government is market-dominant. Government-corporate 
collaboration raises many risks: security monoculture; mixed 
responsibility and weakened security; and simple waste of taxpayer 
dollars.
    Cyber security is special, but not so special that principles about 
the limited role of government should go by the wayside. We will get 
the best security and the best deal for taxpayers and the public if the 
government remains within its proper sphere.

Conclusion

    Cyber security is a huge topic, and I have ranged widely across it 
in my imperfect testimony. I hope it is more clear that ``cyber 
security'' is a bigger, more multi-faceted problem than the government 
can solve, and government certainly cannot solve the whole range of 
cyber security problems quickly.
    Happily, with a few exceptions, cyber security is also less urgent 
than many commentators allege. ``Cyberattack'' or ``cyberterrorism'' 
might be replaced by ``cybersapping'' of the country's assets and 
technology as the threat we should promptly and diligently address. 
There is no argument, of course, that cyber security is not important.
    I am concerned that the policy of keeping true critical 
infrastructure off the public Internet has been lost in the cyber 
security cacophony. It is a simple, elegant practice that will take 
care of many threats against truly essential assets.
    The government will not fix the Nation's cyber security. Your goal 
as policy-makers should be one level removed: to determine the system 
that will best discover and propagate good cyber security practices.
    As a market participant, the Federal Government is well positioned 
to affect the cyber security ecology positively, with NIST standards 
integral to that process. The Federal Government may also advance cyber 
security by shifting risk to sellers of technology by contract.
    For the market failure that is on exhibit when insecure technology 
harms networks or other users, liability is a preferable mechanism to 
regulation for discovering who should bear the responsibility to 
protect.
    When the Federal Government abandons its role of market participant 
and becomes a market dominator, regulator, ``partner,'' or investor 
with private sector entities, a number of risks arise, including 
threats to privacy and civil liberties, weakened competition and 
innovation, and waste of taxpayer dollars.
    I appreciate the chance to share these ideas with you, and I hope 
that they will aid the Committee's deliberations.

                        Biography for Jim Harper

    As Director of Information Policy Studies at the Cato Institute, 
Jim Harper focuses on the difficult challenges of adapting law and 
policy to the unique problems of the information age. Harper is a 
member of the Department of Homeland Security's Data Privacy and 
Integrity Advisory Committee. His work has been cited by USA Today, the 
Associated Press, and Reuters. He has appeared on Fox News Channel, 
CBS, and MSNBC, and other media. His scholarly articles have appeared 
in the Administrative Law Review, the Minnesota Law Review, and the 
Hastings Constitutional Law Quarterly. Recently, Harper wrote the book 
Identity Crisis: How Identification Is Overused and Misunderstood. 
Harper is the Editor of Privacilla.org, a web-based think tank devoted 
exclusively to privacy, and he maintains online federal spending 
resource WashingtonWatch.com. He holds a J.D. from UC Hastings College 
of Law.

                               Discussion

    Chair Wu. Thank you very much, Mr. Harper. And at this 
point, we will open for our first round of questions, and the 
Chair recognizes himself.
    You each referred at least in part to cybersecurity 
performance metrics, and apparently we have not been as good at 
developing them as we should. What have been some of the 
impediments and how can we be better off if we are better at 
developing them?
    Mr. Wilshusen. Well, I guess I will start. One of the 
things about the metrics that have been developed by OMB for 
FISMA reporting purposes is that the metrics themselves 
probably served a useful purpose when they were first 
developed, and this was several years ago. The ones they had 
developed were primarily implementation-related metrics that 
addressed whether or not a control has been activated and 
implemented.
    When they were first developed several years ago, many of 
the federal agencies were not performing some very basic 
security controls. And so over the intervening years as 
agencies increasingly performed these control activities, it is 
natural to start taking a look at these metrics and see, do 
they need to evolve as well? Is there a need to continue to 
report whether or not agencies are implementing specific 
controls when they are all up in the 90-plus percentile of 
performing these controls over their systems?
    So now it is important to look at, well, how well are these 
agencies implementing these controls and looking at different 
types of measures. We have an engagement that is ongoing right 
now, looking at how leading organizations develop and use 
metrics to gauge and monitor their information security 
activities and will be issuing a report later this summer about 
that particular topic. But one thing that we have noted 
previously is that it is probably time to start measuring how 
well agencies are actually implementing controls and the 
effectiveness of the control activities, rather than just mere 
implementation of those specific control activities.
    Chair Wu. Several of you referred to having a unified 
standard or set of standards for the Federal Government, that 
is, we currently have a division between defense applications 
and civilian governmental applications, and I just wanted to 
confirm that is a consensus view of the panel, that the 
division between DOD and NSA (National Security Agency) on the 
one hand, and DHS and NIST on the other, is maybe one rooted in 
jurisdiction but not rooted in utility or the sense of the 
field.
    Mr. Charney. Yeah, I would agree with that. As the Co-Chair 
of the CSIS (Center for Strategic and International Studies) 
Commission on Cyber Security, one of the things we noted, there 
were historical reasons in the past why there was a clear 
delineation between the national security world and the 
civilian world. But to some extent, in cyber networks, a lot of 
these things tend to merge together. And when you are trying to 
devise the best security practices, you want to take all of 
your great capabilities and knowledge and bring that together 
and have holistic programs in cybersecurity. So bringing them 
together is helpful.
    Chair Wu. And I would like to walk that over a little bit 
further. Getting to the civilian non-governmental sector, my 
understanding is that there are different cybersecurity 
standards for different fields, whether you are dealing with 
health care, banking, and these have developed over time. Would 
there be a utility in developing consensus standards for 
cybersecurity for the civilian non-governmental sector, and Mr. 
Harper may not like this, or will that field de facto borrow 
what governmental standards exist or is it not possible to 
better develop cybersecurity standards for that field at this 
point in time?
    Mr. Charney. No, I actually think it is possible. One of 
the things that we have done at Microsoft is we looked at the 
different regulations that impose certain security requirements 
on information systems. So you have things like Gramm-Leach-
Bliley for financial data, you have PCI, which is the credit 
card standard for securing credit card data, you have HIPAA 
(Health Insurance Portability and Accountability Act) for 
health care data. It turns out most of these regulations 
actually promote the same concepts in terms of the framework, 
which is reasonable security controls based on traditional risk 
management principles.
    So what we did is we looked at all those laws and then we 
mapped the controls that are necessary to an international 
standard. ISO standard 27001 by the International Standards 
Organization is a standard for controls around IT systems. And 
we have actually gotten ISO certification for one of our 
largest properties and networks.
    So I think the short answer is there is a lot of similarity 
in these regimes. Having a unified standard that people can map 
to is a good and healthy thing, and the other nice thing, of 
course, is the threats of all of those standards can always be 
modified to address new environments.
    Chair Wu. Well, I see nodding heads there. I just want to 
ask one quick follow-up on this topic before I yield to Mr. 
Smith. Would NIST and NIST's existing activities in the field 
be a logical place to begin working on consensus private-sector 
standards? Anyone on the panel?
    Mr. Bregman. I think so, but I think it has to be done in 
collaboration with the private sector, and I think it is a 
logical place to bring together the various constituencies to 
coalesce the standards into an overarching set of security 
guidelines and standards.
    Chair Wu. Mr. Wilshusen, Mr. Charney, Mr. Harper, any 
comments on that?
    Mr. Wilshusen. I would also agree, and NIST does have a 
mechanism in place where it coordinates and collaborates with 
the International Standards Organizations, or ISO rather, and 
it would be a logical place to start.
    Mr. Harper. I will voice the concern that I think you 
anticipated from me. Federal-developed standards should be 
available to the private sector and perhaps produced in 
collaboration with the private sector. There is a touch of 
concern, though, that the Federal Government, as a large market 
actor, would drive standards into the marketplace that don't 
meet the needs on the other side of the security equation which 
include privacy and anonymity and that kind of thing.
    So standards are important, they are good, but it is not a 
given that all federal-developed standards should be imported 
into the marketplace. They have to go through a different 
series of tests for private adoption, I think.
    Chair Wu. Yeah, what we are working on here is the divide 
between the public sector and the private sector, and NIST 
traditionally has played a light leadership role in assisting 
the private sector to develop consensus, bottom-up developed 
standards from players in particular arenas. At least that is 
what I was asking about, and I take that to be the answers of 
the other panelists. Mr. Charney.
    Mr. Charney. Yes, if I could just say I think you are 
right. It is one thing for NIST to develop standards for the 
government's own use, but to be clear, NIST also participates 
in international standards organizations with members of 
industry. So if you are looking at standards that would apply 
more broadly than the government, there are fora that already 
exist to do that. The government and industry participates in 
that, so the mechanism is there to work it through that 
process.
    Chair Wu. Thank you very much. Mr. Smith, you are 
recognized for five minutes.
    Mr. Smith. Thank you, Mr. Chair. Mr. Harper suggested in 
his testimony that the critical infrastructure vulnerabilities 
should be addressed by physically separating such 
infrastructure from the public Internet as similar to the DOD 
network. What is your response to that, Mr. Charney and Mr. 
Bregman and Mr. Wilshusen?
    Mr. Bregman. I think it is impractical in many cases 
because it is one thing in the realm of DOD or the intelligence 
community to operate in a separate environment, but in many 
cases, other parts of government have to interact with 
citizenry, they have to interact with private sector in the 
course of their normal operations. And the challenge in 
cybersecurity is, as soon as I connect my perhaps well-
defended, well-defined network to someone else, I have opened 
myself up to vulnerabilities that may be present in the other 
components that I don't control. And so there is a real risk in 
isolating government function in the attempt to achieve this 
security through isolation and becoming much less effective.
    So I think the real challenge is finding ways to develop 
security and secure the cyber infrastructure, even in a world 
in which it isn't an isolated, totally controlled environment 
for the government.
    Mr. Charney. I would echo those points, and if you think 
about some of the evolving models, like a Smart Grid, for 
example, where people's homes can communicate intelligent power 
consumption information to the power grid so that they can draw 
power at appropriate times or feed power back into the grid, I 
don't know how you do that by creating a power infrastructure 
that is isolated from all the citizens that need to connect to 
it. I think the trend of these private critical infrastructures 
are basically becoming Internet enabled because of the huge 
business imperative, efficiency cost-drivers and other things 
that are really critical to the success of these new 
technologies.
    Mr. Wilshusen. And it is our experience, too, in the 
reviews that we have done at the Tennessee Valley Authority 
when we looked at the control systems and the security over the 
control systems that the trend is to go to more IP-based type 
of systems to run these control systems. Now, while that is--it 
really helps and serves additional benefits to the company to 
enable such control protocols, but it also raises the risk 
because of the risk associated with running those IP-based 
systems can now extend to control systems. So agencies need to 
make sure that they assess those risks and take the appropriate 
steps to secure against and mitigate those risks. But certainly 
due to the benefits, the trend seems to be going more toward an 
IP-based type of network and structure.
    Mr. Smith. Mr. Harper.
    Mr. Harper. I would anticipate these criticisms of what I 
had said, and they are not wrong, they are not unfair. And the 
way I thought about it was that criticality should be a very, 
very tightly circumscribed adjective, and I have dealt with it 
a little bit in my written testimony, though I wouldn't call 
myself an expert. Criticality should be when there is an 
immediate and proximate danger to life and health from the loss 
of an asset. That is under basically a definition that I have 
worked on. There is a lot of history behind it that didn't go 
into my testimony which is why there is a lot of stuff out 
there that is referred to as critical infrastructure that I 
would not.
    But if again, something would immediately injure life and 
health proximately, so the example of an electrical grid going 
down, it could kill people in a hospital, for example, to lose 
electric power for an hour, people who are on a heart-lung 
device, that kind of thing. Well, it is not proximate because 
what you do for a likely risk like that is you put electrical 
infrastructure at the hospital that would take care of things 
when the broader infrastructure went down.
    So again, these are fair comments. I think the critical 
infrastructure should be very tightly defined to a small 
universe of assets.
    Mr. Smith. Okay. Thank you. And another one, we heard that 
liability is preferable to regulation as a tool for 
internalizing any market failures that exist in terms of 
private-sector cybersecurity. I was wondering, Mr. Bregman and 
Mr. Charney, how do Symantec and Microsoft feel about this, if 
you could elaborate?
    Mr. Charney. So we have repeatedly said that you have to 
think about different ways to motivate the markets to do the 
right thing, and there are many ways to do that, everything 
from incentives to regulation and liability. The biggest 
challenge in the software industry I believe is that software 
is extremely complex and it is not entirely clear what the 
reasonable practice would be in developing security today and 
how you could apply them uniformly in the spectrum of people 
who make software. So it is not just about large companies. I 
mean, one of the great things about the Internet is it creates 
this incredible innovative environment where people in their 
garage can develop software and distribute it around the globe. 
And this has led to a lot of great, innovative technologies. 
And I don't know how they survive under a regime that is laden 
with a lot of up-front costs.
    Having said that, I think there are better ways to get 
there. One of the things that we have been active proponents of 
is reforming Common Criteria, which is the method by which the 
government evaluates products for security and that then 
affects purchasing acquisitions in the government. And I think 
if the government wants to drive better security practices, one 
of the ways to do that is to use Common Criteria reform and 
acquisition regulations to achieve that result. I think that 
drives a much more effective and efficient process. It also 
allows, you know, still a very innovative and low barrier to 
entry environment.
    Mr. Bregman. I would echo Mr. Charney's remarks, but I 
would add two other things. I think not only is software very 
complex, but any software that is delivered by a supplier 
becomes part of an even more complex integrated solution, and 
in most cases where we have seen vulnerability at the system 
level, it is traceable to configuration that is outside the 
core of any given product, but it is the interaction in the 
customer's environment or in the user's environment which opens 
up the vulnerabilities. That is something that is very hard to 
legislate liability around without putting tremendous 
constraints on what people are willing to supply.
    And related to that I think, and I was also echoing Mr. 
Charney's remarks, liability as a way to control this will 
stifle a lot of the innovation which is what we need in order 
to get ahead of the threat. And so I would be fearful that if 
liability were to be the tool primarily used to improve 
security, we would actually see the opposite effect. There 
would be retrenchment on the part of suppliers and fear to try 
innovative, new solutions.
    Mr. Smith. So maybe I hear you saying you would not 
advocate liability in addition to regulation?
    Mr. Bregman. That is correct.
    Mr. Smith. Mr. Wilshusen, can you elaborate on your 
findings on the impact of such things?
    Mr. Wilshusen. Yes, in a couple areas. One, regarding the 
use of Common Criteria, we did a review several years ago 
looking at the National Information Assurance Program, or NIAP, 
which is a program in which NIST and NSA at that time 
established and certified laboratories to examine the security 
controls that were designed into these products. One of the 
problems that we identified as a challenge to overcome was just 
the length of time that it took these laboratories to go 
through and evaluate the security of these products. In many of 
these cases, some of the vendors indicated that by the time 
they went through the process, the technology and the 
applications were already obsolete. There were newer versions 
out there. So to implement that, we are going to need to have 
some sort of measure and mechanism that will allow a speedy and 
a quicker response time to evaluate such products.
    There is also another mechanism that government can use, in 
addition to providing incentives, through its procurement 
policy. The government procures $60, $70 billion worth of IT 
products and services a year. It can use that leverage and 
specify the requirements that it needs, or security 
requirements for the products that it requires which can help 
maybe move markets into an area where they implement security 
or design security into their products more readily.
    Mr. Smith. Thank you. Thank you, Mr. Chair.
    Chair Wu. Thank you, Mr. Smith. We have had several 
different cybersecurity czars, and at least a couple of them 
have departed or resigned. Can the panel comment on whether 
there are integral problems in the way that we have tried to 
structure a cybersecurity program at the federal level?
    Mr. Wilshusen. I will tread lightly here, but I think one 
of the issues that may be resolved as we go forward with the 
new official, the cybersecurity official in the White House, 
one of the concerns is going to be what authorities and what 
control he or she will have over budgets and strategy and what 
will be his or her levers of power to effect change? And I 
don't know if decisions about that exist, but that would be 
just one of the challenges I will say in trying to make sure 
that conditions are established to where the official can be 
productive in that role.
    Chair Wu. Well, Mr. Wilshusen, you are from the GAO, and 
you are supposed to give it to us unvarnished. What I am 
hearing between the lines is that this is a difficult field 
with a lot of responsibility and perhaps not enough line 
authority in budget to accomplish the mission or the multiple 
missions.
    Mr. Wilshusen. And it will depend upon what their role and 
responsibilities are, I would agree.
    Chair Wu. Mr. Bregman, do you have anything to add to this?
    Mr. Bregman. I would agree with that. I think appropriate 
decision-making and budget authority is going to be necessary 
because a key part of the role is helping coordinate the 
strategic direction across the various parts of government and 
also, coordinating better on an international front. One of the 
challenges is this is not a problem that occurs just within our 
own borders. It is borderless. And so better coordination 
globally is going to be an important part of this as well.
    Chair Wu. Thank you. Several of you referred to the 
importance of public-private partnerships and coordinating with 
the private sector. What in our structure today is not creating 
the kinds of public-private partnerships that we need and what 
kind of incentives should we try to build in?
    Mr. Charney. Since the early '90s, we have been talking 
about this public-private partnership, and it was really a 
reflection of the fact that the private sector designs, 
deploys, and maintains about 90 percent of the critical 
infrastructure.
    And so government is in an interesting situation here, 
unlike things like nuclear weapons where they had both 
responsibility and control, here they have responsibility for 
public safety and national security but they don't control the 
assets to be protected or maintained.
    And so the idea of a partnership is the right idea. I think 
it got off on the wrong foot. In large part, early efforts at 
partnership were focused on information sharing, and there was 
a lot of discussion that industry and government should share 
information about threats and vulnerabilities.
    The problem is information sharing is not an objective, it 
is a tool. You share information so you can do something. 
Sharing information just for the sake of sharing information 
doesn't make any operational change that makes security better. 
So the first problem is the wrong focus, focus on sharing 
instead of action.
    The second thing is that the government has been concerned 
for understandable reasons about not playing and picking 
favorites in the marketplace. So it often took the view that it 
has to share with everyone or no one. And of course, when you 
share with everyone, when you share a lot of information about 
vulnerabilities, threats and risks too broadly, you actually 
make the problem worse, and if you share with no one, then 
there is nothing.
    And so I think in addition to focusing on what information 
to share, that is, how is this information actionable, the next 
question is who is it actionable by and we have to share it 
with the organizations, people, companies, whatever, who can do 
something with the information specifically and not worry so 
much about sharing with everyone or no one because that is not 
a productive model.
    Chair Wu. Mr. Charney, is one of your criticisms of the 
current advisory committees and coordinating committees that 
they are mechanisms for sharing information and that that 
becomes an end-goal rather than a tool for accomplishing 
mission objectives?
    Mr. Charney. That is correct, although there has been 
effort in recent times to refocus on more operational security 
issues and share actionable information, but there was a long 
history of having the wrong focus.
    Chair Wu. Thank you. I might have a couple more questions, 
but at this time I am going to yield to my colleague, Mr. 
Smith, for five minutes.
    Mr. Smith. If Mr. Charney or others would still like to 
maybe elaborate on what exactly the partnership would look 
like, I mean, I think you started down that track. But 
obviously it can be difficult to define. I know that sometimes 
partnerships are overstated here on the hill, but if you could 
elaborate?
    Mr. Charney. I would be delighted to. In addition to the 
misfocus, I don't think the partnership ever had the right 
philosophical underpinning. Here is the way I see the problem. 
Markets actually do deliver some level of security. Customers 
demand it and markets deliver it. Governments need a level of 
security for public safety and national security that often 
exceeds what the market will provide. Markets are not designed 
to do national security. You cannot make a market case for the 
Cold War. In those situations, the government steps in and does 
things. It seems to me that the proper basis of a partnership 
is to figure out how much security you are going to get from 
the market through its natural proclivities and a little more 
because companies do have a sense of corporate responsibility. 
They do care about public safety and national security, so they 
do a little more than the markets would require. Then you have 
to figure out what the government thinks it really needs, and 
the key is filling the gap between what the market will provide 
and what the government sees as necessary. And then there are a 
lot of ways to fill that gap. Acquisition regulations are an 
example to drive the market in a particular direction, 
regulation, standardization. There are many ways to fill a gap, 
tax incentives.
    So the real key, and I think the basis of the partnership, 
is to focus on meeting the requirements that span between where 
markets are and what government wants and figure out the right 
way to incentivize the right behaviors so the products take you 
where you want to go.
    Mr. Smith. Anyone else?
    Mr. Harper. I will briefly comment on it some more. I think 
the question of public-private partnerships--I agree in large 
part with what Mr. Charney said, that partnerships formed up to 
share information as if that was the goal. The problem is goal-
setting and then asking what achieves that goal, and I think it 
has been the idea, well, let us have a public-private 
partnership.
    In an area I have a relative amount of experience, Homeland 
Security issues. Everyone said data sharing, you know, connect 
the dots, and nobody knows exactly what that means. It is a 
more difficult problem.
    I would prefer to see the government play the role of 
partner that you see in security of houses and buildings in a 
given city. The primary responsibility is on the holder of 
private infrastructure to secure the house with locks on the 
windows and doors, and when something really goes wrong and 
there is criminal behavior afoot, the police are called or if 
the police have information about what is afoot, they contact 
the community. That is a public-private partnership that I 
think is a success, but putting together programs to try to 
describe that don't really work. What works is when the 
government stays in its law enforcement and national security 
role for the most part, and the private sector for the most 
part takes the role of securing its own infrastructure. That 
doesn't mean they can't work together, but I don't think the 
focus has to be on them working together to improve security. It 
works with them separately.
    Mr. Smith. Thank you. Mr. Bregman, relevant to EINSTEIN and 
the program there and the software, obviously it was developed 
a number of years ago and the focus was on threats and 
intrusions, and perhaps that is not enough of a focus now. 
Would you concur with that?
    Mr. Bregman. I think we see a very, very rapidly evolving 
threat landscape, and EINSTEIN was developed with somewhat 
looking at the then-current threat landscape. And so given the 
long lead time and deployment lead time, it is not taking 
advantage of the best practice, best technologies that are 
currently available in the private sector. And I think that is 
an area where, again, private sector working together with 
government could do a much better job of looking forward, 
anticipating things, and being closer to the leading edge of 
protection as opposed to looking backward at what the previous 
threats were and then going through a rather cumbersome 
development process to deploy something which is inadequate 
when it is deployed.
    Mr. Smith. Okay. Thank you.
    Chair Wu. Several of you have referred to the importance of 
setting goals rather than processes. And also I think there has 
been reference to having a more crisp strategy for 
cybersecurity. What are the components that we need to put 
together to develop a strategy or a means of accomplishing a 
clear set of goals?
    Mr. Charney. It seems to me there are two separate issues, 
and it comes back to a comment in my testimony about the 
government as a policy arm and the government as a large IT 
enterprise. So part of the goal of developing a comprehensive 
strategy is recognizing that the way cyberspace works today, 
there are some very interesting challenges about how you secure 
it and also respond to incidents.
    I will give you a somewhat classic example. There have been 
widespread reports in the media about attacks on U.S. Defense 
Department systems. There are a lot of interesting questions 
about what constitutes cyber warfare. When can you shoot back? 
What does it mean to do collateral damage on the Internet? 
These are hard policy questions, and it is even an interesting 
question of whether or not you want to respond in a cyber way 
or impose a trade sanction. You know, because cyberspace of 
course ties all our economies together, just like it ties all 
our systems together. And so the government has to think very 
holistically about diplomatic efforts, intelligence efforts, 
military efforts, economic efforts, and law enforcement efforts 
and integrate them into a strategy and set norms because right 
now around the world we now have norms on certain behaviors, 
like proliferation of weapons of mass destruction or 
proliferation of nuclear material. We don't even have norms on 
what constitutes appropriate cyber conduct around the world. 
And as a result of that, countries internationally haven't 
developed the processes, procedures and strategies to deal with 
these issues because the Internet is sovereign agnostic, even 
though sovereignty is very much well and alive.
    And so in the policy space, this is one of the reasons why 
the commission recommended the advisor has to be at the White 
House and could not sit in any one agency because thinking 
about this problem comprehensively means that the government 
has to think about all the tools in its arsenal and how to 
implement as one government. On the IT infrastructure 
protection side, that is when you get into very specific 
controls where you want security controls in place, and I would 
echo the comments made earlier about the need to actually test 
the efficacy of those controls, make sure they are doing what 
you think they are doing, and making sure they are always 
current. And as I said, there are international standards now 
as well as regulations that require controls be put in place. 
So to some extent, the more I think about some of these issues, 
we are reaching the point, at least in the network enterprise, 
where the philosophy is right, and we are getting to the point 
of we need to execute well and we need to focus on execution. 
And that requires being rigorous about putting your policies in 
place, testing your controls, having audits done whether they 
are internal, self-certifications, or external to make sure you 
are achieving your desired levels of security.
    Chair Wu. Well, I think we have surfaced a lot of concerns 
about the lack of--the dearth of rules of the road for the 
Internet, but Mr. Charney, your reference to accords about WMD 
(Weapons of Mass Destruction) and so on brings to mind that we 
have been able to work, at least try to work, on rules for 
warfare for 4,000 years at least, and the early versions of the 
Internet are at most 30 years old, and cyberspace probably is 
more like in the teens than anything else.
    So in essence, we are here all together at the inception, 
and some of the decisions we make will have reverberations down 
the road.
    Let me ask you a question about research. There is a set of 
challenges about identifying research priorities at DHS and 
commentary that this process should include private industry to 
a larger extent. Can you give us your best analysis of the 
research that is currently being done at either NIST or DHS?
    Mr. Bregman. I think when we think about research in the 
cybersecurity space, there are several different objectives. 
There obviously is the primary objective of the research itself 
and the outcome of that research and with the goal that one 
would think of ultimately impacting technologies and products 
which could be delivered and implemented. And so that is an 
area where linking the research activities with the industrial 
base is important because to exploit them, there is going to 
have to be some commercialization that takes place.
    The other dimension of research is that setting the 
research agenda is a very good way to stimulate alongside 
investment, both by private sector and sort of intellectual 
capital investment within the academic world. And I think one 
of the things we need to improve our cybersecurity posture is a 
larger cadre of expertise at all levels, people who can be the 
next generation leading researchers but also practitioners in 
government and in private sector and carefully aligning the 
research agenda with the interests of DHS, NIST, and the 
private sector, and using that to create interest within the 
academic community will draw more students, some more people 
into that area and that field and create a much larger 
community of expertise.
    Chair Wu. Mr. Wilshusen, or anyone else, anything to add to 
the research agenda or research strategy?
    Mr. Wilshusen. We haven't looked at--in fact, we just 
received a request to look at research and development in 
cybersecurity. That was a couple of weeks ago, and we are just 
starting a review of that within the Federal Government. But 
about four years ago we did a review over cybersecurity 
research and development and looking at the NITRD and the group 
that was responsible for coming up with a plan for conducting 
cybersecurity within the Federal Government, and we found that 
while there were some overall goals and objectives that were 
identified, there really wasn't a clear, concise plan on how to 
conduct and how to perform and fund which particular projects. 
And so making sure that there is a clear consideration of what 
the goals are and coming up with a plan to fund those projects 
I think will be important.
    Mr. Harper. Mr. Chair, if I may?
    Chair Wu. Yes, Mr. Harper.
    Mr. Harper. It often falls to me to be the skunk at the 
garden party, and I enjoy it. Research that benefits----
    Chair Wu. Animals of all stripes are of value.
    Mr. Harper. Research that benefits industry really is 
subsidy. And I want research done. I think everybody does, but 
research that is funded by industry goes then into the price of 
products and is paid for then by the users of the security 
technologies, rather than taxpayers, many of which don't use 
the Internet and live perfectly good lives without it.
    Chair Wu. Mr. Charney.
    Mr. Charney. Yes, I actually don't disagree, and earlier I 
said the philosophy of the partnership should be that the 
government doesn't do what the market is already delivering but 
do something else. That is true in research, too. So industry 
does a lot of research, and we do research that we can monetize 
and commercialize. And there is other very hard research that 
we can't do because there is no economic model that permits it. 
Remember, the Internet was a government research effort which 
has revolutionized the world. It came out of DARPA (Defense 
Advanced Research Projects Agency).
    So I think it is really important that the government as 
part of its strategy do two things, one, invest in the research 
that actually advances the overall strategy that we have talked 
about to create a more secure environment, but also do the 
things that industry won't do. And to be clear, Mr. Bregman's 
point about commercialization is not the same as financing 
industry research. The Internet, which was invented by the 
government, was then commercialized by the private sector 
because the government made it available. That is not exactly 
funding industry research. It is saying invest in things that 
will find a place in the commercial market so it gets 
widespread adoption so that everyone benefits from the 
research. But do research that won't otherwise happen and is 
consistent with your cybersecurity strategy.
    Chair Wu. Well, perhaps as an artifact of the Committee 
that I sit on, or it is a natural draw, but my bias is toward 
the direction that we underfund research rather than over 
purchase research. Compared to other, immediately pressing 
needs, there is the tendency to address those pressing needs, 
rather than something which is long-term.
    Something else which we underfund publicly is education. 
The market would probably not fund education properly, and 
along those lines I think several of you mentioned the role 
that education, consumer education, user education, could play 
in improving cybersecurity at relatively low cost. Can you 
identify some things that we could be doing either as a society 
or as a government to use that education tool more effectively 
to enhance cybersecurity?
    Mr. Bregman. Well, Mr. Chair, you mentioned the fact that 
the cyber world that we are living in today is only maybe 
dozens of years old, and it is changing at a pace which is much 
more rapid than the generational shift. And I think there is a 
very important role in educating our citizens on how to behave 
and what are the norms and what are the risks and what are the 
processes to use to protect oneself in the cyber world. And I 
think that it requires government to take the role particularly 
of coordinating that delivery of that education because if it 
is delivered in a very fragmented way, it is just confusing to 
the populace.
    Some of the programs that are in place today, NCSA and 
others, I think are good starting points for government 
collaborating with private sectors to bring that education to 
the mass market citizenry.
    Mr. Wilshusen. And there are several federal programs which 
allow, for example, Scholarship for Service in which the 
Federal Government offers scholarships and repays student loans 
for graduates who have studied in cybersecurity and then decide 
to work for the Federal Government. So there are various 
different programs available now, like an education assistance 
program, that can help bring those individuals with information 
security degrees into the federal workplace.
    Chair Wu. Thank you all very much. You have traveled a long 
way, and this is a large, bedeviling set of topics. We have 
only had the opportunity to ask a few questions and not engage 
across the breadth and depth of this topic. If there are things 
that you would like to comment on or tell us at this point, I 
would like to open this to all the witnesses. You can just go 
from left to right or right to left so that those things that 
you might wake up tonight or tomorrow and say, gee, I wish I 
had said that. This is your chance of laying it out in the 
record.
    Mr. Wilshusen. One thing I would just like to add related 
to the research and development question that came up earlier 
is that the results of the research and development activities 
should be made available, and particularly those funded by the 
Federal Government. There is a requirement under the E-
Government Act that federally funded research, particularly in 
the cybersecurity, maintain the results in repositories. What 
we found several years ago is that the results of many of the 
efforts were not being considered and placed into these 
repositories, thereby making them unavailable for other 
researchers who might have benefited from the knowledge gained 
from those research efforts.
    Chair Wu. Thank you.
    Mr. Bregman. Well, I would like to start by thanking the 
Committee for taking on this task. I think as the Chair 
mentioned, it is a very complex problem and one that is 
changing very rapidly, and it is very important that this 
committee and other parts of the government focus on it.
    I think there has been increased focus, and we see 
improvement in the work we do with DHS and with NIST and with 
other parts of government. We need to continue that and 
accelerate that momentum if we are going to be able to really 
protect our nation in the face of this increasing cyber threat. 
Thank you.
    Chair Wu. Thank you.
    Mr. Charney. Thank you. I do want to comment one further 
point about education, in particular. We have spent a lot of 
time educating consumers about some of the basic steps they can 
take to protect themselves on the network, and I think this is 
important to do and we will all continue to do it.
    The challenge it seems to me is in part that IT technology 
is very opaque to end-users. My mother is 79 and found e-mail, 
bless her heart, and when I talk to her about security issues, 
she really does not want to become a security IT professional. 
She remembers the day of the telephone where it just worked and 
if something went wrong, the telephone company took care of it. 
And I think to some extent we have to think about models that 
provide consumers a higher level of protection with less work. 
And I don't think we are going to get there unless we start 
thinking about some very hard problems, some of which I 
outlined in my testimony about things like attribution. How 
does my mother know where her mail really came from or who 
really wrote the software that is being asked to be installed 
on her system? And how do we think of the role of Internet 
service providers who are the choke points to the Internet and 
might be able to look at machines and clean infected machines? 
There are a lot of difficult, challenging things we have to do. 
There are some very interesting models. If you think about WHO, 
the World Health Organization, and the way we deal with 
pandemics. You know, they are called viruses and worms for a 
reason in the computer world because they propagate in many of 
the same ways. And we have to start thinking about other models 
that have worked and how we bring new protections to the 
Internet because the ability to create malicious malware and 
propagate it worldwide at machine speed, virtually at the speed 
of light, is going to continue unabated. Human beings are not 
going to be able to react fast enough to respond to machine-
based attacks.
    And so one of the areas for intense research and 
development and one of the things we have to think about is how 
we are going to protect people in this environment where things 
move that quickly and things change so rapidly.
    Chair Wu. Thank you very much, Mr. Charney. Mr. Harper.
    Mr. Harper. Just briefly before I close, I thought I would 
come back to the question of liability, which Mr. Smith asked 
some of the other witnesses, and they made the case, a fair 
case, that software is very complex and so finding liability 
for negligent failure to secure a technology product would be 
hard to do. It also could frustrate innovation, and I think 
that is also true. Those things are true of regulation as well, 
and so maybe if there is consensus on the panel it might be 
that government contracting is the best way using well-
developed NIST standards as the best way to advance the market 
for technology products, and then liability and regulation 
should be distant second and third places.
    I think that the Federal Government has a role as a market 
actor in promoting standards, though it is not a given that 
government-created standards should be adopted in the private 
marketplace. Its best role, for the most part, is as an outside 
referee and policeman, rather than as a partner or participant 
in a public-private partnership. And for fun, I will note the 
fact that just before the hearing started, I tweeted the fact 
that I would be speaking in a hearing, and people could tune in 
and see this hearing. Hopefully they did. But one of the 
responses was a friend who pointed me to a web site where 
people's self-important tweets are collected. And so I think I 
will be ratcheting back on my use of Twitter. Thanks for having 
us this afternoon.
    Chair Wu. Thank you all very much. There are many, many 
insights which were very interesting, sometimes surprising, and 
always very thoughtful. I think that is one of the benefits of 
being able to hear from people who are able to think deeply and 
consider topics. Thank you all very, very much for coming 
before the Committee this afternoon.
    The record will remain open for two weeks for additional 
statements from the Members and for answers to any follow-up 
questions that the Committee may ask the witnesses. The 
witnesses are now excused, and the hearing is adjourned. Thank 
you very much.
    [Whereupon, at 5:00 p.m., the Subcommittee was adjourned.]

                                   
