b"<html>\n<title> - REVIEWING THE FEDERAL CYBERSECURITY MISSION</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n                         REVIEWING THE FEDERAL \n                         CYBERSECURITY MISSION\n\n=======================================================================\n\n\n\n                                HEARING\n\n                               before the\n\n                        SUBCOMMITTEE ON EMERGING\n                        THREATS, CYBERSECURITY,\n                       AND SCIENCE AND TECHNOLOGY\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 10, 2009\n\n                               __________\n\n                            Serial No. 111-5\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n\n                               __________\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n51-633                    WASHINGTON : 2009\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nLoretta Sanchez, California          Peter T. 
King, New York\nJane Harman, California              Lamar Smith, Texas\nPeter A. DeFazio, Oregon             Mark E. Souder, Indiana\nEleanor Holmes Norton, District of   Daniel E. Lungren, California\n    Columbia                         Mike Rogers, Alabama\nZoe Lofgren, California              Michael T. McCaul, Texas\nSheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania\nHenry Cuellar, Texas                 Gus M. Bilirakis, Florida\nChristopher P. Carney, Pennsylvania  Paul C. Broun, Georgia\nYvette D. Clarke, New York           Candice S. Miller, Michigan\nLaura Richardson, California         Pete Olson, Texas\nAnn Kirkpatrick, Arizona             Anh ``Joseph'' Cao, Louisiana\nBen Ray Lujan, New Mexico            Steve Austria, Ohio\nBill Pascrell, Jr., New Jersey\nEmanuel Cleaver, Missouri\nAl Green, Texas\nJames A. Himes, Connecticut\nMary Jo Kilroy, Ohio\nEric J.J. Massa, New York\nDina Titus, Nevada\nVacancy\n                    I. Lanier Avant, Staff Director\n                     Rosaline Cohen, Chief Counsel\n                     Michael Twinchek, Chief Clerk\n                Robert O'Connor, Minority Staff Director\n                                 ------                                \n\n   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND \n                               TECHNOLOGY\n\n                 Yvette D. Clarke, New York, Chairwoman\nLoretta Sanchez, California          Daniel E. Lungren, California\nLaura Richardson, California         Paul C. Broun, Georgia\nBen Ray Lujan, New Mexico            Steve Austria, Ohio\nMary Jo Kilroy, Ohio                 Peter T. King, New York (Ex \nBennie G. Thompson, Mississippi (Ex      Officio)\n    Officio)\n                      Jacob Olcott, Staff Director\n       Dr. Chris Beck, Senior Advisor for Science and Technology\n                        Daniel M. 
Wilkins, Clerk\n               Coley O'Brien, Minority Subcommittee Lead\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Chairwoman, Subcommittee on Emerging \n  Threats, Cybersecurity, and Science and Technology.............     1\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Ranking Member, Subcommittee \n  on Emerging Threats, Cybersecurity, and Science and Technology.     3\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security..............................................     5\n\n                               Witnesses\n\nMr. David Powner, Director, Information Technology Management \n  Issues, Government Accountability Office:\n  Oral Statement.................................................     7\n  Prepared Statement.............................................     8\nMr. Scott Charney, Vice President, Trustworthy Computing, \n  Microsoft:\n  Oral Statement.................................................    15\n  Prepared Statement.............................................    17\nMr. Amit Yoran, Chairman and Chief Executive Officer, NetWitness \n  Corporation:\n  Oral Statement.................................................    24\n  Prepared Statement.............................................    26\nMs. Mary Ann Davidson, Chief Security Officer, Oracle \n  Corporation:\n  Oral Statement.................................................    31\n  Prepared Statement.............................................    33\nMr. James A. 
Lewis, Project Director, Center for Strategic and \n  International Studies:\n  Oral Statement.................................................    35\n  Prepared Statement.............................................    37\n\n\n                         REVIEWING THE FEDERAL \n                         CYBERSECURITY MISSION\n\n                              ----------                              \n\n\n                        Tuesday, March 10, 2009\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n      Subcommittee on Emerging Threats, Cybersecurity, and \n                                    Science and Technology,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 2:53 p.m., in \nRoom 311, Cannon House Office Building, Hon. Yvette D. Clarke \n[Chairwoman of the subcommittee], presiding.\n    Present: Representatives Clarke, Richardson, Lujan, Kilroy, \nThompson [ex officio], Lungren, Broun, and Austria.\n    Ms. Clarke. The subcommittee will come to order. The \nsubcommittee is meeting today to receive testimony on reviewing \nthe Federal Cybersecurity Mission. I will begin by recognizing \nmyself for an opening statement.\n    Good afternoon, and thank you to all the witnesses for \nappearing before us today. I am pleased to chair today's \nhearing, my first as Chair of the Emerging Threats, \nCybersecurity and Science Technology Subcommittee. While there \nmay be a number of new faces here on the dais, I can assure \neveryone that this subcommittee will continue to address many \nof the same issues from the 110th Congress. Over the next 2 \nyears, we will continue our oversight over nuclear detection \nprograms, radiological threats, public health threats, \ncybersecurity and the Science and Technology Directorate. 
I \nalso look forward to working in the same bipartisan spirit that \nthe previous Chairman and Ranking Member carried on their work.\n    Mr. Lungren, I know that you take this responsibility as \nseriously as I do, and I look forward to partnering with you \nover the next 2 years to ensure the safety and security of the \nAmerican people, American businesses, American infrastructure \nand the American way of life.\n    Today's hearing will be the first of three cybersecurity \nhearings that the subcommittee will hold this month. It is easy \nto understand why this issue dominates our agenda. We rely on \ninformation technology in every aspect of our lives, from our \nelectric grid, banking systems, military and Government \nfunctions, to our e-mail, Web browsers, and iTunes.\n    Interconnected computers and networks have led to amazing \ndevelopments in our society. Increased productivity, knowledge, \nservices, and revenues are all benefits generated by our modern \nnetworked world. But in our rush to network everything, few \nstopped to consider the security ramifications of this new \nworld we were creating. So we find ourselves in an extremely \ndangerous situation today. Too many vulnerabilities exist on \ntoo many critical networks which are exposed to too many \nskilled attackers who can inflict too many damages to our \nsystems. Unfortunately, to this day, too few people are even \naware of these dangers and fewer still are doing anything \nabout it. This committee will continue to sound the alarm \nbells, raise awareness of the problems we face, and hold those \nin charge accountable for their inaction.\n    This hearing comes at a critical moment in our Nation's \napproach to the cyber threat. There is no more significant \nthreat to our national and economic security than that which we \nface in cyberspace. 
We, the United States, must do everything \nequally significant to meet this challenge.\n    We are approximately halfway through the National Security \nCouncil's 60-day interagency review of the Federal \nCybersecurity Mission which began on February 16. The review is \nbeing conducted by Melissa Hathaway, senior director of the \nNSC, on orders from President Obama and the National Security \nAdviser. The goal for the review is to develop a strategic \nframework to ensure the U.S. Government's cybersecurity \ninitiatives are appropriately integrated, resourced, and \ncoordinated with Congress and the private sector. I commend the \nPresident for his vision in making cybersecurity a priority for \nhis administration and for requesting this review.\n    Given this committee's leadership role in cybersecurity \npolicy development, we look forward to working with Ms. \nHathaway and her team. Thankfully, their review does not have \nto start from scratch. I encourage the review team to rely upon \nthe extensive hearing record of this committee in the 110th \nCongress, and from the work that our witnesses have already \nundertaken in that area.\n    The CSIS Commission report and the many GAO reports which \nMr. Powner's team have produced over the years contain dozens \nof outstanding recommendations that, if actually implemented, \nwill improve our national security posture. That message bears \nrepeating. The previous 2 decades have seen countless reports \nfrom America's thought leaders in cybersecurity, containing \nhundreds of recommendations about how to improve America's \nposture in cyberspace. What has been lacking is the courage and \nleadership to actually implement these recommendations.\n    Now is the time to act. To ensure our national and economic \nsecurity, now is the time we must act. The U.S. Government must \nchart a new course to secure cyberspace. Maintaining the status \nquo will not be enough to keep America secure. 
Now is the time \nfor the Government to stop planning and start acting.\n    There are three key issues that I believe this review must \naddress.\n    The 60-day review. First, this review must call for a \nnational strategy for cyberspace. The previous administration \ndrafted a high-level national security strategy in 2002 that \npresented problems and possible solutions to some of the same \ncybersecurity issues that we face today. Unfortunately, that \nstrategy stopped short of mandating security changes. Without \nteeth, the strategy was never implemented. We need a strategy \nthat uses all of the tools of the U.S. power in a coordinated \nfashion, but more importantly, we need to hold our agencies \naccountable for implementing that strategy.\n    That leads me to my second requirement, leadership. A lack \nof high-level leadership on cybersecurity has cost our country \ndearly over the last several years. The review must clearly \ndelineate roles and responsibilities of each agency involved in \nthe governance of cybersecurity at the Federal level, including \nDHS, NSA, and DOD; but most importantly, it must describe how \nthe White House will coordinate policy and budgets for each of \nthese different responsibilities. The CSIS Commission \nrecommended, and I fully support, an assistant to the President \nof Cyberspace Security in the Executive Office of the \nPresident, along with support staff to coordinate this effort.\n    Third, the review must address the many policy and legal \nshortfalls that exist in protecting our critical infrastructure \nfrom cyber attack. Unfortunately, critical infrastructure \nsystems remain the area of greatest vulnerability. 
While the \nprevious administration relied on a voluntary protection system \nthroughout many of the 18 critical infrastructure sectors, I \nbelieve this administration should seek to use a combination of \nregulations and incentives to ensure that our electricity grid, \nincluding the Smart Grid, water facilities, financial systems, \nand other key infrastructures are properly secured. The \nframework of this approach should be addressed in the review.\n    To the witnesses appearing before us today, I thank you for \nbeing here. I welcome your thoughts on the issues I have just \ndiscussed, as well as your opinions on what an effective \nnational cybersecurity review should look like.\n    I intend for this subcommittee, as well as the full \ncommittee, to continue to play a role in shaping our national \nsecurity posture.\n    I would like to just take a moment to acknowledge that we \nhave been joined by the Chairman of this committee, the full \ncommittee, Chairman Bennie Thompson. I think this amplifies the \nimportance of today's hearing.\n    The Chair now recognizes the Ranking Member of the \nsubcommittee, the gentleman from California, Mr. Lungren, for \nan opening statement.\n    Mr. Lungren. Thank you very much, Chairwoman Clarke. Thank \nyou for the bipartisan manner in which you have approached the \norganization of this subcommittee and the informal meetings \nthat we have had. I am looking forward to working with you and \nwith our colleagues who are here present and the others who are \nMembers of this subcommittee, particularly our Chairman, Mr. \nThompson, and our Ranking Member of the full committee, Mr. \nKing.\n    We need in this Congress to address the many threats and \nchallenges that face us and that are under the jurisdiction of \nthis subcommittee. 
Cybersecurity is certainly one of, if not \nthe most paramount challenge that we have, and I support your \ndecision to highlight the cyber threat with this, our first \nofficial hearing.\n    When I chaired the subcommittee in the 109th Congress that \nhad cyber, the issue of cybersecurity within its jurisdiction, \nI realized that our first challenge was educating our \ncolleagues and the public on the seriousness of the growing \ncyber threat. After our classified cyber threat briefing last \nweek, it is clear that much, much more needs to be done.\n    In the words of today's witness, David Powner of GAO, our \nNation is under cyber attack and our present strategy and its \nimplementation have not been fully effective in mitigating the \nthreat. Now, I don't believe that this is because people wanted \nthis to be the case or that there was any conscious effort on \nthe part of Members of Congress or previous administrations or \npeople in the private sector. I just think it is a point of \nfact that what you can't see, can't feel, can't hear, can't \ntouch, sometimes is not what you pay attention to. \nCybersecurity, the cyber world which is so important to us, is \nembedded in so much of what we do but we don't see it.\n    I use the old analogy of the refrigerator. I open the \nrefrigerator, and all I want is cold milk. I really don't care \nhow it works. We have that attitude toward the cyber world that \nis embedded in everything that we do. But we can't have that \nattitude. I believe it is particularly true regarding our \ninformation infrastructure, which includes our \ntelecommunications and computer networks and systems and the \ndata they contain. Information technology and computer networks \nincrease information sharing and collaboration, which does a \ntremendous thing: It raises our productivity, lowers our costs \nand improves performance. 
Would that the rest of our economy \ncould do as well.\n    However, the rapid growth of the internet and our \ninterconnected computer systems and its networks have, as you \nso rightly said, made us increasingly vulnerable to things such \nas cyber crime, cyber espionage, and cyber terrorism. I fully \nagree with the central finding of the CSIS Commission's report \nthat cybersecurity is one of the most important security \nchallenges this Nation faces. U.S. cyberspace should be \ndeclared a vital national asset, perhaps even a critical \nnational asset. This would help the Federal Government marshal \nits resources and implement a Comprehensive National \nCybersecurity Strategy.\n    I have felt for some time that we are playing catch-up in \ndetecting and defending against the increasing number and \nsophistication of today's cyber threats, whether they are of \nthe mischievous nature, of the organized crime nature, of the \nnation-state nature. I agree we need a national cybersecurity \nstrategy, understanding that cyberspace can't be secured by \nGovernment alone, and that is a very important point that we \nhave to stress. However, the Government does need to reorganize \nand focus its national cyber efforts if we hope to defeat the \nnew cyber threats.\n    I would also suggest we need a true public/private \ncybersecurity partnership based on trust and cooperation to \nprotect against this new cyber threat. The private sector, \nlet's make it clear, designs, deploys and maintains much of the \nNation's critical infrastructure. Therefore, we must honor \ntheir experience, their expertise and their ingenuity--that is, \nthat which is found in the private sector--into a trusted \npartnership with Government, a partnership where both sides \nbenefit and therefore are eager to cooperate and share \ninformation. 
It just seems to me that in many cases we should \nbe setting certain standards or goals but not setting the means \nto get there because the cyber world moves so fast, we really \ncan't catch up with this. Government, by its very nature, moves \nmore slowly. I don't want anything that we do to depress the \ncreativity of the private sector. Therein lies our greatest \nopportunity to protect ourselves.\n    I believe the CSIS report's recommendation to create three \nnew public/private groups designed to foster better trust and \ncooperation on cyber issues is the right approach. They would \nbe a new Presidential advisory committee that connects the \nWhite House to the important private-sector cyberspace \nentities; a national town hall organization that provides \ndialog for education and discussion; and a new cyber \noperational organization.\n    The Bush administration recognized the growing threat on \nour national security from cyberspace, proposed a Comprehensive \nNational Cybersecurity Initiative in 2008. The CSIS Commission \ncame to a similar conclusion in their December report, \n``Securing Cyberspace for the 44th President,'' stating only a \nComprehensive National Security Strategy that embraces both \ndomestic and international aspects of cybersecurity will make \nus more secure. Well said.\n    Everyone seems to agree that we need to do more, so I am \nanxious to hear the testimony of our expert witnesses today to \nhelp us on that journey so that we may do that which needs to \nbe done to meet this 21st century threat.\n    Once again I thank you, Madam Chairwoman, for the time.\n    Ms. Clarke. The Chairwoman now recognizes the Chairman of \nthe full Committee on Homeland Security, the gentleman from \nMississippi, Mr. Thompson, for an opening statement.\n    Mr. Thompson. Thank you very much, Madam Chairwoman.\n    Good afternoon. 
I believe this is the ninth oversight \nhearing the Homeland Security Committee has held on Federal \ncybersecurity issues since the beginning of the 110th Congress, \nand I thank you, Madam Chairwoman, for continuing our oversight \nefforts. This is a particularly timely hearing, given the \nrecent resignation of Mr. Beckstrom as director of the National \nCybersecurity Center.\n    Some of our biggest challenges in the Federal \ncybersecurity, reported by dozens of independent observers, \nincluding GAO and CSIS, have come as a result of ineffective \nleadership, unclear organizational structure and poorly defined \nroles and responsibilities from agencies and private sector. \nThis is why I, along with many of my colleagues, were very \noptimistic when Mr. Beckstrom was brought on to lead the \nNational Cybersecurity Center. He has expertise in \norganizational structure. He has worked extensively in the \nprivate sector. But Mr. Beckstrom did not have experience in \nworking miracles, and that is the unfortunate position that the \nprevious administration put him in. Without clear authority or \nbudget, he was placed in a no-win situation.\n    In his resignation letter, Mr. Beckstrom candidly described \nthe control that is wielded by NSA over the cybersecurity \nmission today. This parallels the thoughts of some of our \nwitnesses here today.\n    I don't disagree with the public statements made recently \nby the DNI, who said that the NSA houses most of the cyber \ntalent in the Federal Government. But I don't think the answer \nto our problems in cyberspace comes from giving control of the \nentire Federal Cybersecurity Mission to NSA. I want to clearly \nstate that this committee believes that there should be a \ncreditable civilian government cybersecurity capability that \ninterfaces with, but is not controlled by the NSA. According to \nGAO, DHS has not proven itself up to the challenge yet. 
From \nour work with DHS through the years, I don't disagree, but \nthere are pockets within DHS showing signs of improvement. US-\nCERT and the controlled security system program are two of \nthese programs that I believe are demonstrating progress.\n    I hope the administration can strike the balance between \ncivilian and military cybersecurity capabilities. We here in \nCongress are looking toward this administration for leadership \non this critical issue. I share the Chair's optimism about the \nPresident's commitment to cybersecurity, and I hope that, at \nthe end of the 60-day review, we here in Congress will have a \nclear understanding of the President's vision for \ncybersecurity.\n    I yield back the balance of my time, Madam Chairwoman.\n    Ms. Clarke. Other Members of the subcommittee are reminded \nthat under the committee rules, opening statements may be \nsubmitted for the record.\n    I welcome our distinguished panel of witnesses. Our first \nwitness is Dave Powner, director for information technology \nmanagement issues at the Government Accountability Office. Mr. \nPowner and his team have produced a number of outstanding \nreports for this subcommittee throughout the last several \nyears, and we are pleased to welcome him back.\n    Our second witness is Scott Charney, corporate vice \npresident of Microsoft's trustworthy computing group. Prior to \nMicrosoft, Mr. Charney was a principal for \nPriceWaterhouseCoopers, where he led the firm's cyber crime \nprevention and response practice. Mr. Charney also served as \nchief of the computer crime and intellectual property section \nin the criminal division of the U.S. Department of Justice. Mr. \nCharney was also co-chair of the CSIS Commission on \nCybersecurity. Welcome.\n    Our third witness is Mr. Amit Yoran, chairman and chief \nexecutive officer of NetWitness Corporation, a leading provider \nof network security products. 
Prior to NetWitness, he was \ndirector of the national cybersecurity division at the \nDepartment of Homeland Security. He was also chief executive \nofficer and advisor to In-Q-Tel, the venture capital arm of the \nCIA. Mr. Yoran is a member of the CSIS Cybersecurity \nCommission.\n    Our fourth witness is Mary Ann Davidson, the chief \nsecretary--excuse me--the Chief Security Officer at Oracle \nCorporation, where she is responsible for Oracle product \nsecurity, as well as security evaluations and assessments. Ms. \nDavidson represents Oracle on the Information Technology ISAC. \nShe has served on the Defense Science Board and is a member of \nthe CSIS Cybersecurity Commission. Welcome, Ms. Davidson. \nNothing against the secretary, but you are chief security \nofficer.\n    Our fifth witness is Jim Lewis, the director of the Center \nfor Strategic and International Studies and Technology and \nPublic Policy Program. He is also program manager for the CSIS \nCommission on Cybersecurity for the 44th Presidency. Mr. Lewis \nhas also been a regular witness before this subcommittee, so \nwelcome to you also.\n    Without objection, the witnesses' full statements will be \ninserted into the record.\n    I now ask each witness to summarize his or her statement \nfor 5 minutes, beginning with Mr. Powner.\n\n  STATEMENT OF DAVID POWNER, DIRECTOR, INFORMATION TECHNOLOGY \n      MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Powner. Madam Chairwoman, Chairman Thompson, Ranking \nMember Lungren, Members of the subcommittee, thank you for \ninviting us to testify on cybersecurity recommendations for the \nnew administration. 
Over the past several years, our work for \nthe subcommittee has highlighted many areas requiring better \nleadership and management of our Nation's cyber-critical \ninfrastructure, including improving cybersecurity of control \nsystems, strengthening our ability to respond to internet \ndisruptions, bolstering cyber analysis and warning \ncapabilities, and addressing cyber crime.\n    This afternoon I will provide a progress report of our on-\ngoing work for you, Madam Chairwoman, looking at improvements \nto our Nation's cybersecurity strategy. Specifically, we held \npanel discussions with nationally recognized experts and these \ndiscussions, coupled with GAO's extensive work in this area, \nhave resulted in 12 specific recommendations for the new \nadministration to improve the approach to protecting both \nGovernment systems and our Nation's cyber-critical \ninfrastructures. I will now briefly discuss each of the 12.\n    No. 1, develop a national strategy that clearly articulates \nstrategic objectives and priorities and provides a means for \nenforcing action and accountability. The current strategy does \nnot do this, nor does it contain requirements to hold \nresponsible organizations accountable.\n    No. 2, establish a White House office responsible and \naccountable for leading and overseeing the National \nCybersecurity Policy. Currently, DHS is our national security \nfocal point, and they have not delivered on this \nresponsibility.\n    No. 3, establish a governance structure for strategy \nimplementation. Create a governing body, similar to a board of \ndirectors, responsible for reporting and measuring on the \nstrategic priorities. This body should be led by senior \nexecutives from key Federal agencies, as well as key sectors. \nIt should be noted that our experts stress that not all Federal \nagencies and sectors are key cyber players.\n    No. 4, acknowledge we are in a cyber war with criminal and \nadversarial nations. 
Publicize the severity of prior attacks \nand raise awareness that we are constantly under attack.\n    No. 5, create or designate an accountable operational \ncybersecurity organization. White House-led is not the silver \nbullet, and DHS has a troubled reputation to overcome. Despite \ntremendous capability, there are concerns about this being an \nintelligence organization, because a secretive culture runs \ncounter to the need to partner with the private sector. Our \nexperts suggested a cyber defense organization. Clearly, there \nwas no consensus on where this organization should reside, and \nthis will be a tough policy question whether the best approach \nis to create another organization and how.\n    No. 6, focus less on creating plans and more on \nprioritizing, assessing and securing cyber assets. We have \ncreated many plans that largely go unused. We need to create a \nprioritized list of our Nation's cyber assets and work toward \nsecuring them.\n    No. 7, bolster public/private partnerships by providing \nmore incentives for private sector participation.\n    No. 8, focus greater attention on the global aspects of \ncyberspace. We should work toward an international global cyber \nstrategy and use international agreements to focus \ncybersecurity issues and thwart cyber crime, like the Council \nof Europe's cyber crime convention.\n    No. 9, modernize our legal framework to better address \ncyber criminals. Domestic and international law is outdated and \nit needs to be revised to make it easier to catch and prosecute \ncriminals.\n    No. 10, better coordinate Government and private sector \ncyber R&D. Cyber R&D is underfunded and not coordinated.\n    No. 11, increase the number of skilled cyber professionals, \nincluding criminal investigators. Experts suggested that the \ncybersecurity discipline should be a profession that is \nlicensed.\n    No. 12, make the Federal Government a model for \ncybersecurity. 
The CNCI initiative is a good first step, but \nthe Federal Government has much room for improvement.\n    In summary, Madam Chairwoman, many large cybersecurity \npolicy questions loom for the Obama administration and the \nCongress. GAO, CSIS and our expert panel recommendations need \nto be strongly considered as the game plan is defined over the \nnext several months to provide a more secure cyber America.\n    This concludes my statement, and I look forward to your \nquestions.\n    [The statement of Mr. Powner follows:]\n                   Prepared Statement of David Powner\n                             March 10, 2009\n                             gao highlights\n    Highlights of GAO-09-432T, a testimony to the Subcommittee on \nEmerging Threats, Cybersecurity, and Science and Technology, Committee \non Homeland Security, House of Representatives.\nWhy GAO Did This Study\n    Pervasive and sustained computer-based (cyber) attacks against \nFederal and private-sector infrastructures pose a potentially \ndevastating impact to systems and operations and the critical \ninfrastructures that they support. To address these threats, President \nBush issued a 2003 national strategy and related policy directives \naimed at improving cybersecurity Nation-wide. Congress and the \nExecutive branch, including the new administration, have subsequently \ntaken actions to examine the adequacy of the strategy and identify \nareas for improvement. Nevertheless, GAO has identified this area as \nhigh-risk and has reported on needed improvements in implementing the \nnational cybersecurity strategy.\n    In this testimony, you asked GAO to summarize: (1) Key reports and \nrecommendations on the national cybersecurity strategy, and (2) the \nviews of experts on how to strengthen the strategy. 
In doing so, GAO \nrelied on its previous reports related to the strategy and conducted \npanel discussions with key cybersecurity experts to solicit their views \non areas for improvement.\nWhat GAO Recommends\n    GAO has previously made about 30 recommendations, mostly directed \nat DHS, to improve our Nation's cybersecurity strategy efforts. DHS in \nlarge part has concurred with GAO's recommendations and, in many cases, \nhas actions planned and under way to implement them.\n   national cybersecurity strategy.--key improvements are needed to \n                    strengthen the nation's posture\nWhat GAO Found\n    Over the last several years, GAO has consistently reported that the \nDepartment of Homeland Security (DHS) has yet to fully satisfy its \nresponsibilities designated by the national cybersecurity strategy. To \naddress these shortfalls, GAO has made about 30 recommendations in key \ncybersecurity areas including the 5 listed in the table below. While \nDHS has since developed and implemented certain capabilities to satisfy \naspects of its cybersecurity responsibilities, it still has not fully \nsatisfied the recommendations, and thus further action needs to be \ntaken to fully address these areas.\n\n TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO AS NEEDING FURTHER\n                                 ACTION\n------------------------------------------------------------------------\n                 Item No.\n------------------------------------------------------------------------\n1........................................  Bolstering cyber analysis and\n                                            warning capabilities.\n2........................................  Completing actions identified\n                                            during cyber exercises.\n3........................................  
Improving cybersecurity of\n                                            infrastructure control\n                                            systems.\n4........................................  Strengthening DHS's ability\n                                            to help recover from\n                                            internet disruptions.\n5........................................  Addressing cybercrime.\n------------------------------------------------------------------------\nSource: GAO analysis of prior GAO reports.\n\n    In discussing the areas addressed by GAO's recommendations as well \nas other critical aspects of the strategy, GAO's panel of cybersecurity \nexperts identified 12 key areas requiring improvement (see table \nbelow). GAO found these to be largely consistent with its reports and \nits extensive research and experience in the area.\n\n TABLE 2.--KEY STRATEGY IMPROVEMENTS IDENTIFIED BY CYBERSECURITY EXPERTS\n------------------------------------------------------------------------\n                 Item No.\n------------------------------------------------------------------------\n1........................................  Develop a national strategy\n                                            that clearly articulates\n                                            strategic objectives, goals,\n                                            and priorities.\n2........................................  Establish White House\n                                            responsibility and\n                                            accountability for leading\n                                            and overseeing national\n                                            cybersecurity policy.\n3........................................  Establish a governance\n                                            structure for strategy\n                                            implementation.\n4........................................  
Publicize and raise awareness\n                                            about the seriousness of the\n                                            cybersecurity problem.\n5........................................  Create an accountable,\n                                            operational cybersecurity\n                                            organization.\n6........................................  Focus more actions on\n                                            prioritizing assets,\n                                            assessing vulnerabilities,\n                                            and reducing vulnerabilities\n                                            than on developing\n                                            additional plans.\n7........................................  Bolster public/private\n                                            partnerships through an\n                                            improved value proposition\n                                            and use of incentives.\n8........................................  Focus greater attention on\n                                            addressing the global\n                                            aspects of cyberspace.\n9........................................  Improve law enforcement\n                                            efforts to address malicious\n                                            activities in cyberspace.\n10.......................................  Place greater emphasis on\n                                            cybersecurity research and\n                                            development, including\n                                            consideration of how to\n                                            better coordinate Government\n                                            and private sector efforts.\n11.......................................  
Increase the cadre of\n                                            cybersecurity professionals.\n12.......................................  Make the Federal Government a\n                                            model for cybersecurity,\n                                            including using its\n                                            acquisition function to\n                                            enhance cybersecurity\n                                            aspects of products and\n                                            services.\n------------------------------------------------------------------------\nSource: GAO analysis of opinions solicited during expert panels.\n\n    Until GAO's recommendations are fully addressed and the above \nimprovements are considered, our Nation's Federal and private-sector \ninfrastructure systems remain at risk of not being adequately \nprotected. Consequently, in addition to fully implementing GAO's \nrecommendations, it is essential that the improvements be considered by \nthe new administration as it begins to make decisions on our Nation's \ncybersecurity strategy.\n    Madam Chair and Members of the subcommittee: Thank you for the \nopportunity to join in today's hearing to discuss efforts to protect \nour Nation from cybersecurity threats. Pervasive and sustained \ncomputer-based (cyber) attacks against the United States and others \ncontinue to pose a potentially devastating impact to systems and \noperations and the critical infrastructures that they support. 
To \naddress these threats, President Bush issued a 2003 national strategy \nand related policy directives aimed at improving cybersecurity Nation-\nwide, including both Government systems and those cyber critical \ninfrastructures owned and operated by the private sector.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ Critical infrastructures are systems and assets, whether \nphysical or virtual, so vital to nations that their incapacity or \ndestruction would have a debilitating impact on national security, \nnational economic security, national public health or safety, or any \ncombination of those matters. Federal policy established 18 critical \ninfrastructure sectors: Agriculture and food, banking and finance, \nchemical, commercial facilities, communications, critical \nmanufacturing, dams, defense industrial base, emergency services, \nenergy, Government facilities, information technology, national \nmonuments and icons, nuclear reactors, materials and waste, postal and \nshipping, public health and health care, transportation systems, and \nwater.\n---------------------------------------------------------------------------\n    Because the threats have persisted and grown, a commission--\ncommonly referred to as the Commission on Cybersecurity for the 44th \nPresidency and chaired by two congressmen and industry officials--was \nestablished in August 2007 to examine the adequacy of the strategy and \nidentify areas for improvement.\\2\\ At about the same time, the Bush \nadministration began to implement a series of initiatives aimed \nprimarily at improving cybersecurity within the Federal Government. 
\nMore recently, in February 2009, President Obama initiated a review of \nthe Government's overall cybersecurity strategy and supporting \nactivities.\n---------------------------------------------------------------------------\n    \\2\\ The commission was created by the Center for Strategic and \nInternational Studies (CSIS), a bipartisan, nonprofit organization \nthat, among other things, provides strategic insights and policy \nsolutions to decision-makers. Entitled the CSIS Commission on \nCybersecurity for the 44th Presidency, the body was co-chaired by \nRepresentative James Langevin, Representative Michael McCaul, Scott \nCharney (Microsoft), and Lt. General Harry Raduege, USAF (Ret).\n---------------------------------------------------------------------------\n    Today, as requested, I will discuss: (1) Our reports, containing \nabout 30 recommendations, on the national cybersecurity strategy and \nrelated efforts, and (2) the results of expert panels we convened to \ndiscuss how to strengthen the strategy and our Nation's cybersecurity \nposture. In preparing for this testimony, we relied on our previous \nreports on Federal efforts to fulfill national cybersecurity \nresponsibilities. These reports contain detailed overviews of the scope \nand methodology we used. We also obtained the views of nationally \nrecognized cybersecurity experts by means of two panel discussions on \nthe effectiveness of the current national cybersecurity strategy and \nrecommendations for improvement. In summarizing the panel discussions, \nwe provided all panel members an opportunity to comment on our written \nsummaries, and their comments were incorporated as appropriate. The \npanelists' names and titles are in appendix I. We conducted our work in \nsupport of this testimony during February and March 2009, in the \nWashington, DC, area. 
The work on which this testimony is based was \nperformed in accordance with generally accepted Government auditing \nstandards.\n                               background\n    Government officials are concerned about attacks from individuals \nand groups with malicious intent, such as criminals, terrorists, and \nadversarial foreign nations. For example, in February 2009, the \ndirector of national intelligence testified that foreign nations and \ncriminals have targeted Government and private sector networks to gain \na competitive advantage and potentially disrupt or destroy them, and \nthat terrorist groups have expressed a desire to use cyber attacks as a \nmeans to target the United States.\\3\\ The director also discussed that \nin August 2008, the national government of Georgia's Web sites were \ndisabled during hostilities with Russia, which hindered the \nGovernment's ability to communicate its perspective about the conflict.\n---------------------------------------------------------------------------\n    \\3\\ Statement of the Director of National Intelligence before the \nSenate Select Committee on Intelligence, Annual Threat Assessment of \nthe Intelligence Community for the Senate Select Committee on \nIntelligence (Feb. 12, 2009).\n---------------------------------------------------------------------------\n    The Federal Government has developed a strategy to address such \ncyber threats. Specifically, President Bush issued the 2003 National \nStrategy to Secure Cyberspace \\4\\ and related policy directives, such \nas Homeland Security Presidential Directive 7,\\5\\ that specify key \nelements of how the Nation is to secure key computer-based systems, \nincluding both Government systems and those that support critical \ninfrastructures owned and operated by the private sector. 
The strategy \nand related policies also establish the Department of Homeland Security \n(DHS) as the focal point for cyber CIP and assign the Department \nmultiple leadership roles and responsibilities in this area. They \ninclude: (1) Developing a comprehensive national plan for CIP, \nincluding cybersecurity; (2) developing and enhancing national cyber \nanalysis and warning capabilities; (3) providing and coordinating \nincident response and recovery planning, including conducting incident \nresponse exercises; (4) identifying, assessing, and supporting efforts \nto reduce cyber threats and vulnerabilities, including those associated \nwith infrastructure control systems;\\6\\ and (5) strengthening \ninternational cyberspace security. In addition, the strategy and \nrelated policy direct DHS and other relevant stakeholders to use risk \nmanagement principles to prioritize protection activities within and \nacross the 18 critical infrastructure sectors in an integrated, \ncoordinated fashion.\n---------------------------------------------------------------------------\n    \\4\\ The White House, The National Strategy to Secure Cyberspace \n(Washington, DC: February 2003).\n    \\5\\ The White House, Homeland Security Presidential Directive 7 \n(Washington, DC: Dec. 
17, 2003).\n    \\6\\ Control systems are computer-based systems that perform vital \nfunctions in many of our Nation's critical infrastructures, including \nelectric power generation, transmission, and distribution; oil and gas \nrefining and pipelines; water treatment and distribution; chemical \nproduction and processing; railroads and mass transit; and \nmanufacturing.\n---------------------------------------------------------------------------\n    Because the threats have persisted and grown, President Bush in \nJanuary 2008 began to implement a series of initiatives--commonly \nreferred to as the Comprehensive National Cybersecurity Initiative \n(CNCI)--aimed primarily at improving DHS and other Federal agencies' \nefforts to protect against intrusion attempts and anticipate future \nthreats.\\7\\ While these initiatives have not been made public, the \nDirector of National Intelligence stated that they include defensive, \noffensive, research and development, and counterintelligence efforts, \nas well as a project to improve public/private partnerships.\\8\\ \nSubsequently, in December 2008, the Commission on Cybersecurity for the \n44th Presidency reported, among other things, that the failure to \nprotect cyberspace was an urgent national security problem and made 25 \nrecommendations aimed at addressing shortfalls with the strategy and \nits implementation.\\9\\ Since then, President Obama (in February 2009) \ninitiated a review of the cybersecurity strategy and supporting \nactivities. The review is scheduled to be completed in April 2009.\n---------------------------------------------------------------------------\n    \\7\\ The White House, National Security Presidential Directive 54/\nHomeland Security Presidential Directive 23 (Washington, DC: Jan. 
8, \n2008).\n    \\8\\ Statement of the director of national intelligence before the \nSenate Select Committee on Intelligence, Annual Threat Assessment of \nthe Intelligence Community for the Senate Select Committee on \nIntelligence (Feb. 12, 2009).\n    \\9\\ Center for Strategic and International Studies, Securing \nCyberspace for the 44th Presidency, A Report of the CSIS Commission on \nCybersecurity for the 44th Presidency (Washington, DC: December 2008).\n---------------------------------------------------------------------------\ngao has made recommendations to address shortfalls with key aspects of \n         national cybersecurity strategy and its implementation\n    Over the last several years we have reported on our Nation's \nefforts to fulfill essential aspects of its cybersecurity strategy. In \nparticular, we have reported consistently since 2005 that DHS has yet \nto fully satisfy its cybersecurity responsibilities designated by the \nstrategy. To address these shortfalls, we have made about 30 \nrecommendations in key cybersecurity areas including the 5 listed in \nTable 1. DHS has since developed and implemented certain capabilities \nto satisfy aspects of its cybersecurity responsibilities, but the \nDepartment still has not fully satisfied our recommendations, and thus \nfurther action needs to be taken to address these areas.\n\n TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO AS NEEDING FURTHER\n                                 ACTION\n------------------------------------------------------------------------\n                 Item No.\n------------------------------------------------------------------------\n1........................................  Bolstering cyber analysis and\n                                            warning capabilities.\n2........................................  Completing actions identified\n                                            during cyber exercises.\n3........................................  
Improving cybersecurity of\n                                            infrastructure control\n                                            systems.\n4........................................  Strengthening DHS's ability\n                                            to help recover from\n                                            internet disruptions.\n5........................................  Addressing cybercrime.\n------------------------------------------------------------------------\nSource: GAO analysis of prior GAO reports.\n\n    In July 2008, we reported \\10\\ that DHS's United States Computer \nEmergency Readiness Team (US-CERT) did not fully address 15 key cyber \nanalysis and warning attributes related to: (1) Monitoring network \nactivity to detect anomalies, (2) analyzing information and \ninvestigating anomalies to determine whether they are threats, (3) \nwarning appropriate officials with timely and actionable threat and \nmitigation information, and (4) responding to the threat. For example, \nUS-CERT provided warnings by developing and distributing a wide array \nof notifications; however, these notifications were not consistently \nactionable or timely. As a result, we recommended that the Department \naddress shortfalls associated with the 15 attributes in order to fully \nestablish a national cyber analysis and warning capability as \nenvisioned in the national strategy. 
DHS agreed in large part with our \nrecommendations.\n---------------------------------------------------------------------------\n    \\10\\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in \nEstablishing a Comprehensive National Capability, GAO-08-588 \n(Washington, DC: July 31, 2008).\n---------------------------------------------------------------------------\n    In September 2008, we reported \\11\\ that since conducting a major \ncyber attack exercise, called Cyber Storm, DHS had demonstrated \nprogress in addressing eight lessons it had learned from these efforts. \nHowever, its actions to address the lessons had not been fully \nimplemented. Specifically, while it had completed 42 of the 66 \nactivities identified, the Department had identified 16 activities as \non-going and 7 as planned for the future.\\12\\ Consequently, we \nrecommended that DHS schedule and complete all of the corrective \nactivities identified in order to strengthen coordination between \npublic and private sector participants in response to significant cyber \nincidents. DHS concurred with our recommendation. To date, DHS has \ncontinued to make progress in completing some identified activities but \nhas yet to do so for others.\n---------------------------------------------------------------------------\n    \\11\\ GAO, Critical Infrastructure Protection: DHS Needs To Fully \nAddress Lessons Learned From Its First Cyber Storm Exercise, GAO-08-825 \n(Washington, DC: Sept. 
9, 2008).\n    \\12\\ At that time, DHS reported that one other activity had been \ncompleted, but the Department was unable to provide evidence \ndemonstrating its completion.\n---------------------------------------------------------------------------\n    In a September 2007 report and an October 2007 testimony, we \nreported \\13\\ that consistent with the national strategy requirement to \nidentify and reduce threats and vulnerabilities, DHS was sponsoring \nmultiple control systems security initiatives, including an effort to \nimprove control systems cybersecurity using vulnerability evaluation \nand response tools. However, DHS had not established a strategy to \ncoordinate the various control systems activities across Federal \nagencies and the private sector, and it did not effectively share \ninformation on control system vulnerabilities with the public and \nprivate sectors. Accordingly, we recommended that DHS develop a \nstrategy to guide efforts for securing control systems and establish a \nrapid and secure process for sharing sensitive control system \nvulnerability information. DHS recently began developing a strategy and \na process to share sensitive information.\n---------------------------------------------------------------------------\n    \\13\\ GAO, Critical Infrastructure Protection: Multiple Efforts to \nSecure Control Systems Are Under Way, but Challenges Remain, GAO-07-\n1036 (Washington, DC: Sept. 10, 2007) and Critical Infrastructure \nProtection: Multiple Efforts to Secure Control Systems Are Under Way, \nbut Challenges Remain, GAO-08-119T (Washington, DC: Oct. 17, 2007).\n---------------------------------------------------------------------------\n    We reported and later testified \\14\\ in 2006 that the Department \nhad begun a variety of initiatives to fulfill its responsibility, as \ncalled for by the national strategy, for developing an integrated \npublic/private plan for Internet recovery. 
However, we determined that \nthese efforts were not comprehensive or complete. As such, we \nrecommended that DHS implement nine actions to improve the Department's \nability to facilitate public/private efforts to recover the internet in \ncase of a major disruption. In October 2007, we testified \\15\\ that the \nDepartment had made progress in implementing our recommendations; \nhowever, seven of the nine have not been completed. To date, an \nintegrated public/private plan for internet recovery does not exist.\n---------------------------------------------------------------------------\n    \\14\\ GAO, Internet Infrastructure: DHS Faces Challenges in \nDeveloping a Joint Public/Private Recovery Plan, GAO-06-672 \n(Washington, DC: June 16, 2006) and Internet Infrastructure: Challenges \nin Developing a Public/Private Recovery Plan, GAO-06-863T (Washington, \nDC: July 28, 2006).\n    \\15\\ GAO, Internet Infrastructure: Challenges in Developing a \nPublic/Private Recovery Plan, GAO-08-212T (Washington, DC: Oct. 
23, \n2007).\n---------------------------------------------------------------------------\n    In 2007, we reported \\16\\ that public and private entities \\17\\ \nfaced a number of challenges in addressing cybercrime, including \nensuring adequate analytical and technical capabilities for law \nenforcement and conducting investigations and prosecuting cybercrimes \nthat cross national and State borders.\n---------------------------------------------------------------------------\n    \\16\\ GAO, Cybercrime: Public and Private Entities Face Challenges \nin Addressing Cyber Threats, GAO-07-705 (Washington, DC: June 2007).\n    \\17\\ These public and private entities include the Departments of \nJustice, Homeland Security, and Defense, and the Federal Trade \nCommission, internet security providers and software developers.\n---------------------------------------------------------------------------\ncybersecurity experts highlighted key improvements needed to strengthen \n                   the nation's cybersecurity posture\n    In addition to our recommendations on improving key aspects of the \nnational cybersecurity strategy and its implementation, we also \nobtained the views of experts (by means of panel discussions) on these \nand other critical aspects of the strategy, including areas for \nimprovement. The experts, who included former Federal officials, \nacademics, and private sector executives, highlighted 12 key \nimprovements that are, in their view, essential to improving the \nstrategy and our national cybersecurity posture. These improvements are \nin large part consistent with our above-mentioned reports and extensive \nresearch and experience in this area. They include:\n    1. 
Develop a national strategy that clearly articulates strategic \nobjectives, goals, and priorities.--The strategy should, among other \nthings: (1) Include well-defined strategic objectives, (2) provide \nunderstandable goals for the Government and the private sector (end \ngame), (3) articulate cyber priorities among the objectives, (4) \nprovide a vision of what secure cyberspace should be in the future, (5) \nseek to integrate Federal Government capabilities, (6) establish \nmetrics to gauge whether progress is being made against the strategy, \nand (7) provide an effective means for enforcing action and \naccountability when there are progress shortfalls. According to expert \npanel members, the CNCI provides a good set of tactical initiatives \nfocused on improving primarily Federal cybersecurity; however, it does \nnot provide strategic objectives, goals, and priorities for the Nation \nas a whole.\n    2. Establish White House responsibility and accountability for \nleading and overseeing national cybersecurity policy.--The strategy \nmakes DHS the focal point for cybersecurity; however, according to \nexpert panel members, DHS has not met expectations and has not provided \nthe high-level leadership needed to raise cybersecurity to a national \nfocus. Accordingly, panelists stated that to be successful and to send \nthe message to the Nation and cyber critical infrastructure owners that \ncybersecurity is a priority, this leadership role needs to be elevated \nto the White House. In addition, to be effective, the office must have, \namong other things, commensurate authority--for example, over budgets \nand resources--to implement and employ appropriate incentives to \nencourage action.\n    3. 
Establish a governance structure for strategy implementation.--\nThe strategy establishes a public/private partnership governance \nstructure that includes 18 critical infrastructure sectors, \ncorresponding Government and sector coordinating councils, and cross-\nsector councils. However, according to panelists, this structure is \nGovernment-centric and largely relies on personal relationships to \ninstill trust to share information and take action. In addition, \nalthough all sectors are not of equal importance in regard to their \ncyber assets and functions, the structure treats all sectors and all \ncritical cyber assets and functions equally. To ensure effective \nstrategy implementation, experts stated that the partnership structure \nshould include a committee of senior government representatives (for \nexample, the Departments of Defense, Homeland Security, Justice, State, \nand the Treasury and the White House) and private sector leaders \nrepresenting the most critical cyber assets and functions. Expert panel \nmembers also suggested that this committee's responsibilities should \ninclude measuring and periodically reporting on progress in achieving \nthe goals, objectives, and strategic priorities established in the \nnational strategy and building consensus to hold involved parties \naccountable when there are progress shortfalls.\n    4. Publicize and raise awareness about the seriousness of the \ncybersecurity problem.--Although the strategy establishes cyberspace \nsecurity awareness as a priority, experts stated that many national \nleaders in business and Government, including in Congress, who can \ninvest resources to address cybersecurity problems are generally not \naware of the severity of the risks to national and economic security \nposed by the inadequacy of our Nation's cybersecurity posture and the \nassociated intrusions made more likely by that posture. 
Expert panel \nmembers suggested that an aggressive awareness campaign is needed to \nraise the level of knowledge of leaders and the general populace that \nour Nation is constantly under cyber attack.\n    5. Create an accountable, operational cybersecurity organization.--\nDHS established the National Cyber Security Division (within the Office \nof Cybersecurity and Communications) to be responsible for leading \nnational day-to-day cybersecurity efforts; however, according to \npanelists, this has not enabled DHS to become the national focal point \nas envisioned. Panel members stated that currently, DOD and other \norganizations within the intelligence community that have significant \nresources and capabilities have come to dominate Federal efforts. They \ntold us that there also needs to be an independent cybersecurity \norganization that leverages and integrates the capabilities of the \nprivate sector, civilian government, law enforcement, military, \nintelligence community, and the Nation's international allies to \naddress incidents against the Nation's critical cyber systems and \nfunctions. However, there was not consensus among our expert panel \nmembers regarding where this organization should reside.\n    6. Focus more actions on prioritizing assets and functions, \nassessing vulnerabilities, and reducing vulnerabilities than on \ndeveloping additional plans.--The strategy recommends actions to \nidentify critical cyber assets and functions, but panelists stated that \nefforts to identify which cyber assets and functions are most critical \nto the Nation have been insufficient. According to panel members, \ninclusion in cyber critical infrastructure protection efforts and lists \nof critical assets are currently based on the willingness of the person \nor entity responsible for the asset or function to participate and not \non substantiated technical evidence. 
In addition, the current strategy \nestablishes vulnerability reduction as a key priority; however, \naccording to panelists, efforts to identify and mitigate known \nvulnerabilities have been insufficient. They stated that greater \nefforts should be taken to identify and eliminate common \nvulnerabilities and that there are techniques available that should be \nused to assess vulnerabilities in the most critical, prioritized cyber \nassets and functions.\n    7. Bolster public/private partnerships through an improved value \nproposition and use of incentives.--While the strategy encourages \naction by owners and operators of critical cyber assets and functions, \npanel members stated that there are not adequate economic and other \nincentives (i.e., a value proposition) for greater investment and \npartnering in cybersecurity. Accordingly, panelists stated that the \nFederal Government should provide valued services (such as offering \nuseful threat or analysis and warning information) or incentives (such \nas grants or tax reductions) to encourage action by and effective \npartnerships with the private sector. They also suggested that public \nand private sector entities use means such as cost-benefit analyses to \nensure the efficient use of limited cybersecurity-related resources.\n    8. Focus greater attention on addressing the global aspects of \ncyberspace.--The strategy includes recommendations to address the \ninternational aspects of cyberspace but, according to panelists, the \nUnited States is not addressing global issues impacting how cyberspace \nis governed and controlled. They added that, while other nations are \nactively involved in developing treaties, establishing standards, and \npursuing international agreements (such as on privacy), the United \nStates is not aggressively working in a coordinated manner to ensure \nthat international agreements are consistent with U.S. 
practice and \nthat they address cybersecurity and cybercrime considerations. Panel \nmembers stated that the United States should pursue a more coordinated, \naggressive approach so that there is a level playing field globally for \nU.S. corporations and enhanced cooperation among government agencies, \nincluding law enforcement. In addition, a panelist stated that the \nUnited States should work towards building consensus on a global cyber \nstrategy.\n    9. Improve law enforcement efforts to address malicious activities \nin cyberspace.--The strategy calls for improving investigative \ncoordination domestically and internationally and promoting a common \nagreement among nations on addressing cybercrime. According to a \npanelist, some improvements in domestic law have been made (e.g., \nenactment of the PROTECT Our Children Act of 2008), but implementation \nof this act is a work in process due to its recent passage. Panel \nmembers also stated that current domestic and international law \nenforcement efforts, including activities, procedures, methods, and \nlaws are too outdated and outmoded to adequately address the speed, \nsophistication, and techniques of individuals and groups, such as \ncriminals, terrorists, and adversarial foreign nations with malicious \nintent. An improved law enforcement is essential to more effectively \ncatch and prosecute malicious individuals and groups and, with stricter \npenalties, deter malicious behavior.\n    10. 
Place greater emphasis on cybersecurity research and \ndevelopment, including consideration of how to better coordinate \nGovernment and private sector efforts.--While the strategy recommends \nactions to develop a research and development agenda and coordinate \nefforts between the Government and private sectors, experts stated that \nthe United States is not adequately focusing and funding research and \ndevelopment efforts to address cybersecurity or to develop the next \ngeneration of cyberspace to include effective security capabilities. In \naddition, the research and development efforts currently underway are \nnot being well coordinated between Government and the private sector.\n    11. Increase the cadre of cybersecurity professionals.--The \nstrategy includes efforts to increase the number and skills of \ncybersecurity professionals but, according to panelists, the results \nhave not created sufficient numbers of professionals, including \ninformation security specialists and cybercrime investigators. Expert \npanel members stated that actions to increase the number of professionals \nwith adequate cybersecurity skills should include: (1) Enhancing \nexisting scholarship programs (e.g., Scholarship for Service) and (2) \nmaking the cybersecurity discipline a profession through testing and \nlicensing.\n    12. Make the Federal Government a model for cybersecurity, \nincluding using its acquisition function to enhance cybersecurity \naspects of products and services.--The strategy establishes securing \nthe Government's cyberspace as a key priority and advocates using \nFederal acquisition to accomplish this goal. Although the Federal \nGovernment has taken steps to improve the cybersecurity of agencies \n(e.g., beginning to implement the CNCI initiatives), panelists stated \nthat it still is not a model for cybersecurity. 
Further, they said the \nFederal Government has not made changes in its acquisition function and \nthe training of Government officials in a manner that effectively \nimproves the cybersecurity capabilities of products and services \npurchased and used by Federal agencies.\n    In summary, our Nation is under cyber attack, and the present \nstrategy and its implementation have not been fully effective in \nmitigating the threat. This is due in part to the fact that there are \nfurther actions needed by DHS to address key cybersecurity areas, \nincluding fully addressing our recommendations. In addition, nationally \nrecognized experts have identified improvements aimed at strengthening \nthe strategy and in turn, our cybersecurity posture. Key improvements \ninclude developing a national strategy that clearly articulates \nstrategic objectives, goals, and priorities; establishing White House \nleadership; improving governance; and creating a capable and respected \noperational lead organization. Until the recommendations are fully \naddressed and these improvements are considered, our Nation's most \ncritical Federal and private sector infrastructure systems remain at \nunnecessary risk to attack from our adversaries. Consequently, in \naddition to fully implementing our recommendations, it is essential \nthat the Obama administration consider these improvements as it reviews \nour Nation's cybersecurity strategy and begins to make decisions on \nmoving forward.\n    Madam Chair, this concludes my statement. I would be happy to \nanswer any questions that you or Members of the subcommittee may have \nat this time.\n    If you have any questions on matters discussed in this testimony, \nplease contact me. Other key contributors to this testimony include \nBradley Becker, Camille Chaires, Michael Gilmore, Nancy Glover, Kush \nMalhotra, Gary Mountjoy, Lee McCracken, and Andrew Stavisky.\n\n    Ms. Clarke. Thank you very much.\n    Our next witness, I now recognize Mr. 
Charney to summarize \nhis statement for 5 minutes.\n\n    STATEMENT OF SCOTT CHARNEY, VICE PRESIDENT, TRUSTWORTHY \n                      COMPUTING, MICROSOFT\n\n    Mr. Charney. Chairwoman Clarke, Ranking Member Lungren, Mr. \nThompson and Members of the subcommittee, thank you for the \nopportunity to appear today to provide a perspective on \nreviewing the Federal Cybersecurity Mission. As you know, I \nserved as one of four co-chairs of the CSIS Commission on \nCybersecurity for the 44th Presidency with Representatives Jim \nLangevin of Rhode Island and Michael McCaul of Texas and \nGeneral Harry Raduege.\n    I will address four themes that cross many of the \nrecommendations made in the Commission's report.\n    First, we have an immediate need for a comprehensive White \nHouse Coordinated National Strategy for Cyber Space Security.\n    Second, we need to evolve and focus the public/private \npartnership model.\n    Third, we should consider a new regulatory model designed \nto ensure that greater regulation, if enacted, protects \ninnovation while providing appropriate Government oversight of \ncybersecurity issues.\n    Fourth, the internet needs an appropriately deployed \nidentity metasystem, if we are to make the internet \ndramatically more secure but protect important social values \nsuch as privacy and free speech. I will address each of these \nin turn.\n    First, the need for a Comprehensive and Coordinated \nNational Strategy could not be more clear. In the information \nage, a country's success is dependent upon information, \nknowledge, and communications. While the growth of the internet \nin the early 1990's created new beneficial opportunities for \nall, including individuals, businesses, and governments, it \nalso created unprecedented opportunities for those who would \nmisuse technology. 
It permits individual criminals, organized \ncrime groups, and nation-states to target all types of \nsensitive information, from personal information to business \ninformation to military information.\n    It is therefore clear that our country's future success \nrequires a Comprehensive Cybersecurity Strategy that engages \nthe relevant agencies of the Government and brings to bear all \nelements of national power including economic, diplomatic, law \nenforcement, military, and intelligence authorities.\n    When one recognizes the breadth of the challenge, and the \nneed for a massively decentralized but coordinated response \namong the Federal agencies, it becomes clear that our National \nCybersecurity Strategy and its implementation should be led by \nthe White House. Of course, any successful strategy must \ninclude protecting one's own networks from attack. Here it is \ncritical that the Government and private sector work together \nto improve the state of computer security. Why is partnership \nrequired? It is because the private sector drives the design, \ndevelopment, and implementation of the products and services \nthat power cyberspace.\n    We must also have the right objectives. For years the goal \nof the partnership has been information sharing which will not, \nwithout more, secure America's infrastructures. We must \nestablish a more meaningful public/private partnership where \nthe partners work in complementary fashion toward the clearly \nidentified objective of securing America's networks. 
Consistent \nwith this philosophy, the partnership should focus on sharing \ninformation that is actionable and building mechanisms that \nenable meaningful action to be taken.\n    With regard to regulation, the Government and private \nsector should jointly determine the level of security provided \nby markets, the level of security needed to protect national \nsecurity, and how the gap between what the markets will provide \nand what national security demands can be filled most \neffectively.\n    While this is not a call for broad regulation, it is a \nrecognition that appropriately tailored legislation, \nlegislation that is technology-neutral and recognizes the best \npractices created by the innovative private sector, may be an \nimportant component of any national cybersecurity effort. The \nfact is, markets respond to customer demand, and most customers, \nthough they know more about security issues today than in the past, will not pay \nfor the level of security necessary to protect national \nsecurity. In short, establishing a cohesive national strategy, \na robust public/private partnership and a security model that \ntakes advantage of industry best practices, Government \ninfluence, and tailored regulations can dramatically advance \nsecurity.\n    Finally, creating the ability to identify what person and \nwhich device is sending a particular data stream in cyberspace \nmust be part of an effective cybersecurity strategy. Even \nsophisticated attackers face difficult challenges and find \ntheir access restricted because of better authentication. \nStronger authentication can also help us create safe places for \nour children to learn on-line, for businesses to interact with \ncustomers, and for Government to serve its citizens.\n    In addition, because the use of digital IDs also reduces \nthe need to authenticate people by having them provide private \ndetails about themselves, stronger authentication can enhance \nboth security and privacy. 
Thus, as part of an overall \ncybersecurity strategy, the Government should accelerate the \nadoption of authentication technologies by actions such as \nissuing and accepting digital credentials in appropriate \ncircumstances and working to integrate privacy issues into the \ndesign, development, and operation of the resulting identity \nmetasystem.\n    In conclusion, let me say there are complex challenges that \nobviously will not be solved overnight. Securing America's \nfuture in the information age depends upon creating a \ncomprehensive national strategy for cyberspace security, one \nthat simplifies, organizes, and enables effective operational \npartnerships among the Government, private sector, and internet \ncitizens. There is both an opportunity and a need for \nleadership as we focus the Nation's attention on the \nimportance of cybersecurity.\n    I thank this committee for raising this important issue, \nfor considering my written testimony as part of the record, and \nI look forward to your questions.\n    [The statement of Mr. Charney follows:]\n                  Prepared Statement of Scott Charney\n                             March 10, 2009\n    Chairwoman Clarke, Ranking Member Lungren, and Members of the \nsubcommittee, thank you for the opportunity to appear today at this \nimportant hearing on cybersecurity. My name is Scott Charney, and I am \nthe corporate vice president for trustworthy computing at Microsoft. I \nserved as one of four co-chairs of the Center for Strategic and \nInternational Studies' (CSIS) Commission on Cybersecurity for the 44th \nPresidency. I served on the Commission as an industry expert with more \nthan 18 years of security technology experience in both the public and \nprivate sectors, and have a long history of leading domestic and \ninternational cybersecurity efforts.\n    Prior to joining Microsoft, I was chief of the computer crime and \nintellectual property section in the criminal division of the U.S. 
\nDepartment of Justice. I was involved in nearly every major hacker \nprosecution in the United States from 1991 to 1999, worked on \nlegislative initiatives, such as the National Information \nInfrastructure Protection Act that was enacted in 1996, and chaired the \nG8 Subgroup on High Tech Crime from its inception in 1996 until I left \nGovernment service in 1999.\n    Representative Jim Langevin (D-RI), Representative Michael McCaul \n(R-TX), Lt. Gen. Harry Raduege, USAF (Ret.), and I led the CSIS \nCommission effort, along with project director Jim Lewis of the Center \nfor Strategic and International Studies, to identify key cybersecurity \nchallenges facing the new administration and provide a set of \nrecommendations to address those challenges. Guided by our \nCongressional co-chairs, we assembled a group of individuals with \ncybersecurity experience in both Government and industry. The aim of \nthe group was to identify both short-term recommendations that the next \nadministration could implement quickly to make a noticeable improvement \nin the Nation's cybersecurity, and longer-term recommendations that are \ncritical to the Nation's future cyber-objectives.\n    Thank you for the opportunity to appear today to provide a \nperspective on ``Reviewing the Federal Cybersecurity Mission.'' I would \nlike to address four specific themes that cross the Commission \nrecommendations including: (1) The need for a comprehensive and \ncoordinated national strategy for cyberspace security; (2) the \nimperative to radically evolve and elevate the public-private \npartnership model; (3) the need for an identity metasystem that makes \nthe internet dramatically more secure while protecting important social \nvalues such as privacy and free speech; and (4) the necessity for a new \nregulatory model that protects innovation while providing appropriate \nGovernment oversight.\n            comprehensive and coordinated national strategy\n    As the CSIS Commission 
report makes clear, we are locked in an \nescalating and sometimes hidden conflict in cyberspace. The battle of \nbits and bytes has very real consequences for America, other nations, \nthe private sector, and even what we have come to call ``the internet \ncitizen.'' Cyberattack joins terrorism and weapons of mass destruction \nas one of the new, asymmetric threats that puts the United States and \nits allies at risk. To be clear, there are risks to cyberspace other \nthan those related to security; for example, the increasing number of \nmachines and applications creates a very complex environment with \nchallenging reliability issues, and our increased dependence on \ninformation technology makes the availability of systems a national and \ninternational imperative. But for the purposes of this testimony, I \nwill confine my remarks to security.\n    The information age has arrived, but the United States has not yet \nbuilt a comprehensive national cyberspace security strategy. The need \nfor such a strategy has never been more urgent. America's leadership in \na connected world cannot be assumed from its leadership in the \nindustrial world. In cyberspace, the country does not remain \nunchallenged, as recent events have clearly proved. Some of the \nchallenges we face include:\n  <bullet> America's reliance on interdependent global networks;\n  <bullet> The misuse of information technologies to support violent \n        extremism;\n  <bullet> The ability of any individual to engage in activities \n        formerly limited to nation-states (e.g., cyber-military \n        espionage and cyber-warfare); and\n  <bullet> The ability of any nation, regardless of traditional \n        measures of sophistication, to gain economic and military \n        advantage through cyber programs.\n    In addition to these challenges, the Internet citizen--those \nindividuals who use cyberspace for social and commercial interactions--\nis critically relevant to any solution. 
Unsecured computers can turn \neveryday users into a launch platform for attacks. Fear about on-line \nsecurity and availability can have sweeping economic consequences. \nTrust in cyberspace, on the other hand, can create new opportunities, \nmarkets, and possibilities.\n    The United States must plan, organize, and act accordingly to \ndevelop a national cyberspace security strategy that can address these \nchallenges. Historically, national security strategies have been \ncharacterized by their employment of all elements of U.S. power--\neconomic, diplomatic, law enforcement, military and intelligence. A \ncomprehensive cyberspace security strategy must include these elements \nand articulate how they will be employed to ensure national security \nand public safety, ensure economic prosperity, and assure delivery of \ncritical services to the American public. Such a strategy must also \nrecognize the ever-mounting importance of economic security. In the \nindustrial age, power was generally based on physical might; in the \ninformation age, power is derived from information, knowledge, and \ncommunications.\n    In my opinion, there are three fundamental attributes that span all \nof the elements of national power. Articulating and advancing a clear \nunderstanding of norms, attribution, and deterrence in the context of \ncybersecurity can dramatically improve the national and international \ncyberspace ecosystem.\n    Norms.--U.S. foreign policy and diplomatic engagements on issues \n        related to cyberspace security are not as focused as our \n        efforts to combat terrorism or stem proliferation of nuclear \n        weapons. I believe that the United States should marshal its \n        significant diplomatic skills and expertise to advocate for \n        cyberspace security and increase multilateral cooperation. I \n        would caution that advocacy and cooperation are not goals in \n        themselves. 
We need to focus advocacy and cooperation efforts \n        toward specific outcomes. For example, working with like-minded \n        nations to define clearly articulated norms of nation-state \n        behavior in cyberspace could help to deter state support for \n        cyberattacks or hold nation-states that support such efforts \n        accountable for their actions.\n    Attribution.--Attribution of cyberattacks is one of the most \n        fundamental challenges facing the international community and \n        the United States. The inability to attribute attacks can \n        greatly impede the effectiveness of the Nation's response. Too \n        often, valuable time is lost trying to determine if an attack \n        or penetration of a system was an isolated criminal incident or \n        one perpetrated by a foreign intelligence organization. \n        Attributing the source is essential to ensuring the \n        appropriateness of response--criminal prosecution or military/\n        diplomatic measures. Absent strong attribution abilities, \n        international and national strategies to deter acts will not be \n        taken seriously by the community of attackers who thrive on \n        this diagnostic weakness, nor by criminals that prey on \n        citizens' inboxes and on-line accounts. Thus, we must focus on \n        identity and authentication in cyberspace and enhancing swift \n        international cooperation on cyberattacks.\n    Deterrence.--Deterrence did not happen overnight in the Cold War; \n        the concept and strategy took several years to develop. \n        Deterrence in the information age is perhaps even more \n        complicated due to the lack of attribution and the inability to \n        identify strong mechanisms to prevent hostile actions. But the \n        United States can learn important lessons from the nuclear \n        experience. 
In the Cold War, the United States kept sensitive \n        information secret, but disclosed enough about our strategy and \n        capabilities that allies and adversaries alike understood our \n        commitment to national security and our ability to protect it. \n        We must do the same for cyberspace.\n      Deterrence is very difficult when adversaries and bad actors are \n        motivated and persistent. In order to improve cyberspace \n        security in a meaningful way, deterrence requires a clear and \n        unambiguous commitment by our Nation and understanding by the \n        spectrum of bad actors--from cybercriminals, to organized \n        crime, to nation-states--that violations of our cybersecurity \n        have consequences. What makes deterrence successful is \n        commitment, broadly known and broadly felt.\n    The sheer number of extremely important issues that transcend \nagency boundaries suggests that the coordination of any national \ncybersecurity strategy must reside within the one organization \nresponsible for ensuring that the Government acts as one Government. If \nthe Government wants to use all the instruments of its power--economic, \ndiplomatic, law enforcement, military, and intelligence--then the \ncenter of gravity must be in the White House. I support the \nCommission's recommendations that, if implemented, would elevate the \npriority of cybersecurity and improve its strategic coordination. \nCreating a National Office for Cyberspace in the Executive Office of \nthe President will provide the interagency coordination required to \nidentify, assess, and manage cyberspace risks.\n    This office does not need to assume or manage all cybersecurity \nfunctions; rather, it should have a tightly defined mandate to develop \nstrategy and coordinate the implementation of that strategy by the \nagencies that have jurisdiction over the elements of national power. 
It \nmust also be recognized that the White House office will be best able \nto provide strategic leadership only when the agencies of Government \nresponsible for executing their respective cybersecurity \nresponsibilities are staffed with experienced and competent \nprofessionals who are resourced appropriately.\n    As you know, President Obama has directed the National Security \nCouncil and Homeland Security Council to initiate a 60-day review of \nthe plans, programs, and activities under way throughout the Government \nthat address cyberspace security. According to the White House, the \nreview will build upon existing policies and structures to formulate a \nnew vision for a national public-private partnership and an action plan \nto: Enhance economic prosperity and facilitate market leadership for \nthe U.S. information and communications industry; deter, prevent, \ndetect, defend against, respond to, and remediate disruptions and \ndamage to U.S. communications and information infrastructure; ensure \nU.S. capabilities to operate in cyberspace in support of national \ngoals; and safeguard the privacy rights and civil liberties of our \ncitizens.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ http://www.whitehouse.gov/blog/09/03/02/Cyber-review-underway/.\n---------------------------------------------------------------------------\n    A successful cyberspace security strategy requires more than a plan \nand an organization; it requires partnership. The private sector drives \nthe design, development, and implementation of the products and \nservices that power cyberspace. Our technical expertise and experience \nin the global marketplace make us key partners in developing national \nand international cyberspace security strategies. 
For more than a \ndecade, the Government and the private sector have partnered to address \nvarious aspects of cybersecurity, but this partnership has not achieved \nthe robust results that are needed to protect cyberspace effectively. \nTherefore, my next key recommendation is to redesign that partnership.\n  radically evolve public-private partnerships to advance cyberspace \n                                security\n    Cyberspace security is a shared challenge and requires Government \nand the private sector to work together. The private sector designs, \ndeploys, and maintains much of the Nation's critical infrastructure. \nHowever, the private sector faces unique challenges because its \ncustomer base and supply chains are global. It also builds commercial \nproducts that can be targeted by sophisticated adversaries, including \nnation-states. Private sector firms are increasingly being forced to \nthink about security challenges that cannot reasonably be mitigated by \ncommercially realistic development practices, especially as users \nremain price-sensitive.\n    The Government also faces challenges. Unlike certain other \ntraditional aspects of national security, cyberspace cannot be secured \nby the Government alone; it requires a coordinated effort involving the \nowners, operators, and vendors that make cyberspace possible. 
The \nbifurcation of responsibility (the Government must protect national \nsecurity) and control (it does not manage the assets or provide the \nfunctions that must be protected) dictates the need for a close \npartnership with clearly defined roles and responsibilities that \noptimizes the capabilities of participating stakeholders.\n    Since the 1990s, well-intended public-private partnerships have \nbeen created to address this need, yielding a perplexing array of \nadvisory groups with overlapping missions, different stakeholders with \nvarying capabilities, insufficiently articulated roles and \nresponsibilities, and plans with literally hundreds upon hundreds of \nrecommendations. In the few instances where groups overcame \ninstitutional adversities and developed meaningful recommendations, the \nrepeated unwillingness or inability to implement those recommendations \nat the Federal level has damaged the partnership significantly. Absent \na comprehensive national strategy and clear purpose, both Government \nand private sector stakeholders will continue to struggle to be \neffective.\n    Advancing cyberspace security requires a radical evolution of \npublic-private partnerships as we currently know them. What does \nradical evolution mean? The Federal Government and private sector \nstakeholders must articulate a new philosophy for collaboration, one \nthat starts with a very simple premise: Government and private sector \nefforts should be synergistic and efficient. This requires that the \nGovernment and private sector: (1) Identify those security requirements \nthat will be fulfilled by the market; (2) identify national security \nrequirements; and (3) identify how the gap between market security and \nnational security can be filled. This effort must be focused on \nprotecting functions (e.g., communications) as opposed to simply \nphysical assets. 
Moreover, we must build operational partnerships that \nlet us effectively mitigate and respond to threats. Finally, to the \nextent important work is on-going, the parties must identify what works \nand have the courage to retire what does not, even though retiring \norganizations may be viewed as draconian by those who have invested in \nthese efforts in the past.\n    As part of the evolution, it is important that the public-private \npartnership concentrate on what is truly critical to cyberspace \nsecurity and build trusted and effective collaboration between \nGovernment and private sector stakeholders.\nWhat functions are critical?\n    The Commission identified four critical cyber-infrastructures:\n\n  <bullet> Energy;\n  <bullet> Finance;\n  <bullet> Converging information technology and communications;\\2\\ and\n---------------------------------------------------------------------------\n    \\2\\ Outside the United States, this is referred to as the ICT \nsector. See ``Telecommunications Task Group Final Report,'' CSIS \nCybersecurity Commission http://www.csis.org/media/csis/pubs/\n081028_telecomm_task_group.pdf, for more information on why ``the \nboundary between information, information technology, and \ntelecommunications services has become almost indistinguishable.''\n---------------------------------------------------------------------------\n  <bullet> Government services (including State and municipal \n        governments).\n\n    This is not to suggest that all these infrastructures are \nidentical. If power fails, the cascading effect is immediate and \nsignificant; by contrast, the result of an attack on Government will \ndepend upon what Government service is affected. In essence, energy and \ninformation technology and communications form the backbone of \ncyberspace, and the availability of Government services and finance are \nparticularly important for national security. 
While other \ninfrastructures depend on cyberspace, an interruption of their \noperations would not broadly affect cyberspace itself. If energy, \nfinance, the converging information technology and communications \nnetworks, along with Government services, can continue to function as \nintended while under attack, cyberspace will continue to support the \nNation. Thus, these infrastructures should be the focus of a more \nattentive cyberspace security effort.\nTrusted and Effective Collaboration\n    The majority of public-private partnership efforts to date have \nfocused on information sharing. While information sharing is important, \nit cannot be--as it had been to date--the end goal; rather, we must \nfocus instead on sharing information that is actionable and then taking \naction. The CSIS Commission recommended three new partnership groups to \nadvance beyond information sharing to enable trust and action. I will \nfocus my comments on the two that would most significantly and \nimmediately enhance our cybersecurity and resiliency by permitting \nbetter strategy development and operational collaboration.\n            Evolve Strategic Presidential Advisory Bodies\n    Trust is the foundation of a successful partnership between \nGovernment and the private sector. In the past few years, despite good \nintentions on both sides, trust between Government and the private \nsector has declined. Trust is built on personal relationships and in \nsmall groups, with parity of stakeholders and demonstrated commitment. \nLarge, diffuse groups with floating engagements among a range of \nparticipants are not conducive to building the level of dialogue that \npromotes trust. When the President brings C-Level officers to the table \nand addresses challenges in a trusted forum, he can drive a powerful \nset of changes in the cyber-ecosystem. 
Advisory committees that engage \nsenior-level Government and private sector personnel, such as the \nNational Security and Telecommunications Advisory Committee (NSTAC) and \nthe National Infrastructure Advisory Council (NIAC), have served past \npresidents well. However, the split between national security and \nemergency preparedness communications and cybersecurity is artificial \nand dangerous. In the information age, with its converged information \ntechnology and communications infrastructure, the distinction between \nthese two groups creates overlap and limits progress on developing and \nimproving cyberspace security capabilities. Accordingly, the Commission \nrecommended establishing the President's Committee for Secure \nCyberspace to replace the NSTAC and NIAC.\n    In addition to establishing the proposed Committee for Secure \nCyberspace as a C-level membership organization operated under the Federal \nAdvisory Committee Act, the administration should act to reform current \ndecision-making bodies in Government that do not have private sector \ninvolvement. For example, the Joint Telecommunications Resources Board \n(JTRB), which is chaired by the Office of Science and Technology \nPolicy, consists of agencies, such as the Department of Defense (DOD), \nthe Department of Homeland Security, the General Services \nAdministration, and the Department of Commerce.\\3\\ The JTRB is \nchartered to make decisions on how to prioritize telecommunications \nresources in non-wartime crises, yet absent an effective channel into \nthe private sector, the JTRB would be challenged to fulfill its \ncharter. Another parallel entity is the National Cyber Response \nCoordination Group, an organization intended to help identify and \ncoordinate response to a cyber-based crisis. 
Unfortunately, this \ninteragency Government group does not have a meaningful way to engage \nthe private sector, thus limiting its strategic and tactical \neffectiveness.\n---------------------------------------------------------------------------\n    \\3\\ Executive Order 12472, ``Assignment of National Security and \nEmergency Preparedness Telecommunications Functions,'' section 2(b)(3), \nApril 3, 1984, available at http://www.ncs.gov/library/policy_docs/\neo_12472.html.\n---------------------------------------------------------------------------\n            Create Operational Collaboration\n    Over the past 10 years, there have been several attempts to improve \noperational coordination between and among key Government and private \nsector stakeholders, but these have met with limited success. For \nexample, the private sector has invested in and maintained information \nsharing and analysis centers, but they are all too often ignored by \nGovernment agencies. The Commission recommended creating a new \norganization, the Center for Cybersecurity Operations (CCSO), to \naddress operational issues that affect cyber infrastructure.\n    I strongly support creating a more effective model for operational \ncollaboration to move us from the less effective partnerships of the \npast to a more dynamic and collaborative self-governing approach \ninvolving cybersecurity leaders from Government, industry, and \nacademia.\n    Collaboration is not about plans; it is about outcomes. To create \nactual operational collaboration, we must learn from the experiences of \nthe past. Collaboration is more than information sharing and is more \nthan coordination; collaboration involves stakeholders working \ntogether, jointly assessing operational risks, and developing and \nimplementing mitigation strategies. 
I would like to add to the
Commission recommendation and suggest that an effective collaboration
framework for public-private partnerships should include focused
efforts to:

  <bullet> Exchange technical data (at the unclassified level as much
        as possible), with rules and mechanisms that permit both sides
        to protect sensitive data;
  <bullet> Create global situational awareness to understand the state
        of the computing ecosystem and events that may affect it;
  <bullet> Analyze the risks (threat, vulnerabilities, and
        consequences) and develop mitigation strategies;
  <bullet> When necessary and consistent with their respective roles,
        respond to threats; and
  <bullet> Develop cyber threat and risk analytics as a shared
        discipline. For example, one could combine Government and
        private sector information and then use the private sector's
        expertise in analyzing large data sets in pseudonymous ways to
        get new insights into computer security without raising privacy
        concerns.

    What needs to be accomplished over the long term, and the
operational mission, must be clear and articulated; the roles of
Government and industry must be well-defined; and all participants must
demonstrate commitment and continuity to achieve success. The goal is a
trusted and focused collaborative alliance for both strategy and
operations among the Government, academia, and the private sector.
           take action today to create a more secure tomorrow
    On-line collaboration, commerce, and, in some instances, public
safety depend on trust. Today the mechanisms to provide authentication
and attribution in cyberspace do not meet the needs of the internet
citizen, enterprises, or governments.
The lack of trust stems in part
from our inability to manage on-line identities effectively and the
excessive reliance on voluntary efforts to close key gaps in security.
Identity Imperatives
    In the context of national security, weak identification and
authentication limit an organization's ability to enforce security
policies to protect sensitive information and systems, and hinder
effective Government and industry response to cyber attacks. From an
economic security perspective, these weaknesses prevent internet users
from taking reasonable steps to protect themselves from dangerous
parties. Creating the ability to know reliably the person and/or device
that is sending a particular data stream in cyberspace must be part of
an effective cybersecurity strategy. Even sophisticated attackers face
difficult challenges--and find their access restricted--because of
better authentication.
    This need for improved identity and authentication in cyberspace
has been documented in numerous forums, and Government and industry are
progressing on multiple initiatives to address it. For example, in the
United States, the Federal Financial Institutions Examination Council's
(FFIEC) Guidance for Authentication in an Internet Banking Environment
has spurred the use of stronger authentication in online banking. The
experience of the DOD was that intrusion into its networks fell by more
than 50 percent when it implemented Common Access Cards (CAC). Homeland
Security Presidential Directive 12 (HSPD-12) (``Policy for a Common
Identification Standard for Federal Employees and Contractors'') is
another U.S. authentication initiative which requires Federal agencies
to improve their identity and credentialing processes, using smart
cards to secure both physical and logical access to Federal facilities
and networks.
These and other Federal initiatives have had success, but
it is often limited to the sector or domain in which they are
attempting to effect change.
    Past efforts to radically improve identity management for
cybersecurity have not failed due to a lack of awareness regarding the
problem, nor due to a lack of efforts to address it. Much more simply,
there are too many disparate efforts resulting in stove-piped policies
and technologies that conflict and compete with each other, instead of
driving toward a coordinated, interoperable, scalable security- and
privacy-sensitive solution. There is also, particularly in the consumer
sector, a serious ``chicken-and-egg'' problem: Consumers are not
interested in robust on-line identity tokens because Government and
commercial sites do not consume them, and Government and commercial
sites do not build technology to consume such tokens because, after
all, no consumer has them. I want to re-emphasize a point made earlier:
Any successful public-private partnership should start with the premise
that the Government should fill market gaps in security. Thus, as part
of an overall cybersecurity strategy, the Government should accelerate
the adoption of authentication technologies by supporting the creation
and use of digital credentials. This would include issuing and
accepting such credentials in appropriate circumstances, catalyzing the
private sector market for digital identities, and establishing the
appropriate governance structure for the issuance, use, revocation, and
destruction of digital credentials.
    The use of digital IDs also reduces the need to authenticate people
by having them provide private details about themselves, known as
Personally Identifiable Information or PII. This usage would reduce the
need to transmit, store, and use private information to identify
individuals, thus increasing privacy and helping prevent crimes such as
identity theft.
Stronger authentication, combined with appropriate
rules regarding the use of such authentication mechanisms, could
enhance both security and privacy.
    I recognize that efforts to improve authentication raise sensitive
privacy and civil liberties issues, but it is possible to improve
authentication for critical functions without unduly compromising our
values.\4\ This can be done if we integrate privacy issues into the
design, development, and operation of the identity metasystem.
---------------------------------------------------------------------------
    \4\ For more on this topic, including how the Government can ensure
privacy is protected in a better authenticated environment, see the
White Paper on Establishing End-to-End Trust, www.microsoft.com/
endtoendtrust (pp. 6-7).
---------------------------------------------------------------------------
The Role of Regulation
    Opinions vary widely on how industry and Government can best work
together to more effectively increase cybersecurity across critical
infrastructures and Government. But even if public and private
cooperation is optimized and operationalized, that will not provide the
level of security necessary to meet national security demands. This is
true because markets respond to customer demand and most customers,
even though more aware of security issues today than in the past, will
not pay for the level of security likely necessary to protect national
security.
    This recognition, however, does not mean the first step to address
the gaps between the current and desired states of security should be
broad-based regulation. Rather, the Government should encourage a
balanced approach, one that combines industry self-regulation with
Government influence (through, for example, procurement regulations)
and then includes carefully tailored regulation when necessary.
I
believe such a combined approach can be highly effective without unduly
raising the costs for users and stifling the very innovation that is
needed to make infrastructures more secure.
    When security gaps are identified--and neither market forces nor
non-regulatory Government intervention suffices to address that gap--
Government should focus on adopting the regulatory model suggested by
the CSIS Commission. In this model, industry identifies the best
practices, and the Government ensures their adoption and works to
harmonize requirements across sectors. I would also add that any
Government regulation should follow certain key principles: It should
solve a clearly identified problem; it should neither be under-
inclusive (fail to solve the problem fully) nor over-inclusive (address
more than the problem); it should not be crafted in a way that creates
unintended consequences; and it should be technology-neutral and not
create hard-to-modify statutorily imposed technology requirements that
stifle innovation and prevent further enhancements in security.
    Progress in cyberspace security is not without cost. Voluntary
efforts have closed many security gaps but have not done enough.
Establishing a cohesive national strategy with a robust public-private
partnership will create a framework for tailored regulations that can
advance identity and trust in a manner that markets alone cannot.
                             moving forward
    The first major Presidential document on emerging threats in
cyberspace was published more than a decade ago when the President's
Commission on Critical Infrastructure Protection released its seminal
report.\5\ At that time, only 1.7% of the world's population (70
million people) had internet access. In the years that have followed,
the world has changed dramatically.
Attacks have evolved from exploits
designed to garner attention to targeted stealth attacks that are
designed for more nefarious purposes, such as conducting identity
theft, economic espionage, and military espionage. In 2008, almost a
quarter of the world's population (more than 1.5 billion people) had
internet access, and it continues to grow.\6\ The rise of the internet
has permitted new forms of social connection, and created new
educational and economic opportunities. But the richness of cyberspace
also permits criminals, foreign intelligence organizations, and nation-
states to exploit cyberspace for profit, espionage, or conflict.
Securing America's future in the information age depends upon creating
a comprehensive national strategy for cyberspace security, one that
simplifies, organizes, and enables operational partnerships between and
among Government and private-sector stakeholders, including internet
citizens.
---------------------------------------------------------------------------
    \5\ http://cip.gmu.edu/archive/
5_PCCIPCriticalFoundations_1097_full_report.pdf.
    \6\ http://www.internetworldstats.com/emarketing.htm.

    Ms. Clarke. I thank you for your testimony.
    I now recognize Mr. Yoran to summarize his statement for 5
minutes.

STATEMENT OF AMIT YORAN, CHAIRMAN AND CHIEF EXECUTIVE OFFICER,
                    NET WITNESS CORPORATION

    Mr. Yoran. Ms. Chairwoman and Members of the committee,
thank you for the opportunity to testify on Reviewing the
Federal Cybersecurity Mission and for your attention to this
important topic. My name is Amit Yoran and I have a lot to say,
so I will skip reading my bio and jump right into it.
    An effective national cyber effort must leverage the
intelligence community's superior technical acumen and
scalability. However, it is in grave peril if this effort is
dominated by the intelligence community.
Simply put, the
intelligence community has always and will always prioritize
its own collection efforts over the defensive and protection
mission of our Government's and Nation's digital systems. When
intelligence operations discover a compromise, the decision to
inform system defenders or not lacks transparency. Mission
conflict exists between those defending systems and those
attempting to collect intelligence or counter-intelligence
insights.
    The current series of cyber programs called for billions of
dollars in funding for intelligence and centralized security
efforts, but are designed with very little emphasis on helping
defenders better protect the systems housing our valuable data
and business processes.
    For instance, the Center for Disease Control, which houses
sensitive research and information about biological threats
such as anthrax, has ongoing cyber incidents which it lacks the
personnel and technologies to adequately investigate. In the
face of spending billions more on centralized cyber
intelligence activities, the CDC's cyber budget is being cut by
37 percent. Intelligence focused on national efforts are
overclassified, to the point where catastrophic consequences
are highly probable. High levels of classification prevent the
sharing of information necessary to adequately defend our
systems.
    For instance, IP addresses, when classified, cannot be
loaded into defensive monitor systems. It also creates
insurmountable hurdles when working with a broad range of
Government IT staffs that do not have appropriate clearances,
let alone when trying to work with, communicate, and partner
with the private sector. Classification cannot be used
effectively as a cyber defensive technique, only one for
avoiding responsibility and accountability.
Overclassification
leads to a narrowly limited review of any program.
    One of the hard lessons learned from the terrorist
surveillance program is that such a limited review can lead to
ineffective legal vetting of a program. The cyber mission
cannot be plagued by the same flaws as the TSP.
    An immediate, thorough, and transparent legal analysis of
the governance authority's privacy requirements should be
performed on the efforts used to both protect our CT systems as
well as all cyber collection activities. Given the broad
concerns of overclassification and its cascading consequences,
conducting these reviews must be a high-priority task.
    Cyber research investments are practically nonexistent at a
time when bold new visions need to be explored. The Department
of Homeland Security has demonstrated inefficiency and
leadership failure in its cyber efforts. While pockets of
progress have been made, administrative incompetence and
political infighting have squandered meaningful advancement for
years now, while our adversaries continue to aggressively press
their advantage.
    DHS has repeatedly failed to attract or retain the
leadership and technical acumen required to successfully lead
in the cyber mission. While the tendency would be to move the
cyber mission to the NSA, it would be ill-advised for all the
reasons I provide in my much longer written testimony.
    We must enable civil government to succeed in its mission
of defense or also concede that the private sector, too, cannot
succeed in its defensive mission and subjugate them to
intelligence support. DHS is the natural and appropriate place
for public/private partnership and cooperative activities,
including those in cyber.
    The current set of public/private partnerships is at best
ill-defined. They categorically suffer from meaningful value
creation or private sector incentives for participation.
Such
incentives might include tax credits, fines, liability levers,
public recognition, or even occur at an operational level
through mechanisms such as the sharing of threat intelligence,
technical knowledge, and incident response reports, to name just a
few.
    Trust relationships when dealing in cybersecurity matters
are absolutely critical. In discussions among privacy and civil
liberties groups, the role of the NSA in monitoring or defending
U.S. networks is debated. Should such intelligence programs
exist, DHS should be very cautious before participating in,
supporting, or engaging in these activities.
    The Department's ability to fulfill its primary mission and
responsibilities may be permanently damaged by a loss of public
confidence and trust. At a bare minimum, in order to preserve
this trust, any interaction with domestic intelligence efforts
should be explicitly and clearly articulated.
    Sufficient transparency may serve to increase public trust
and confidence and offset concerns raised by uncertainty and
the uninformed. DHS must be formally charged with and enabled
to build an effective cyber capability in support of securing
our Federal civilian systems. Special provisions should be made
in the hiring, contracting, human resources, and political
issues within the cyber mission of DHS to prevent it from
remaining a victim of the Department's broader administrative
failures.
    DHS should be given specific emergency authorities to
address security concerns in civil systems, to include the
ability to measure compliance with security standards,
protocols, and practices, and take decisive action where
organizations are not applying reasonable standards of care.
At
present, the operational cybersecurity arm of DHS, US-CERT,
remains politically torn apart into three components,
completely subjugated to a cadre of detailees from the
intelligence community.
    In order to regain efficiency, the Department's operational
security activities must be reconsolidated in the US-CERT. This
operational mission is not resourced to succeed with less than
20 Government FTEs and a budget of only $67 million.
    Ms. Clarke. Mr. Yoran, I am just going to ask if you can
summarize and we will probably pick up on more of your
testimony through questions. Of course, we have your full
testimony in the record.
    Mr. Yoran. Yes, Madam Chairwoman.
    The newly focused DHS US-CERT should report directly to the
Secretary of DHS, just as NTOC reports to the Director of NSA.
The cyber responsibilities of the Department must not remain
buried in the Department or, alternatively, they must be
removed and placed in an independent agency where they can
succeed. Thank you.
    [The statement of Mr. Yoran follows:]
                    Prepared Statement of Amit Yoran
                             March 10, 2009
    Ms. Chairwoman and Ranking Member, thank you for the opportunity to
testify before the Homeland Security Committee on Reviewing the Federal
Cybersecurity Mission.
    My name is Amit Yoran and I am the CEO of the NetWitness
Corporation, a company providing next generation cybersecurity
monitoring technologies to the U.S. Government and private sector,
including Fortune 500 companies delivering critical infrastructure
cyber protection to the Nation.
I serve as a member of the CSIS Cyber
Commission advising the 44th Presidency and on numerous security
industry advisory bodies.
    Previously I have served as the first Director of the National
Cyber Security Division (NCSD) in standing up the United States
Computer Emergency Readiness Team (US-CERT) and Einstein program at the
Department of Homeland Security (DHS), as founder and CEO of Riptech, a
leading managed security services provider, and as manager of the
Vulnerability Analysis Program (VAP) of the U.S. Department of
Defense's Computer Emergency Response Team (DoD CERT). I received a
Bachelor of Science degree in Computer Science from the United States
Military Academy at West Point and a Master of Science in Computer
Science from The George Washington University.
    Over the past 15 years, automation and the use of computer systems
have permeated every aspect of modern life. Our Nation is entirely
reliant upon computer systems and networked technologies in everything
from national security and intelligence activities to commerce and
business operations to power production and transmission to personal
communications and correspondence.
    Today's internet has become one of the unifying fabrics driving
globalization at an increasingly accelerated pace. It represents the
core means by which personal and organizational interactions occur
whether those communications take the form of internet email or simply
phone calls, which invariably traverse the cyber realm. Beyond its role
as a communications medium, computer-based automation and technology
are the driving forces behind every major industrial and economic base
in the world. Simply put, computer technologies and communications
represent the greatest threat to and opportunity for expansion of the
U.S.
values system.
                evolving into a national cyber strategy
    The past 2 years have brought about an unprecedented level of
Federal focus and attention on cyber security matters culminating in a
portfolio of activities commonly referred to as the Comprehensive
National Cyber Initiative (CNCI). Advocacy for CNCI under the Bush
administration resided in the Office of the Director of National
Intelligence (ODNI), under whose charge the billions of dollars in
programs were conceived and orchestrated. While many of the CNCI
programs are well intended and designed, there are several significant
flaws in adopting the Bush administration's CNCI as an on-going
national cyber strategy.
  <bullet> White House leadership. The Obama White House is currently
        conducting a comprehensive 60-day review of cyber. The purpose
        of the review is to develop a strategic framework to ensure
        that ``initiatives in this area are appropriately integrated,
        resourced and coordinated both within the Executive Branch and
        with Congress and the private sector.'' This review effort will
        culminate in recommending an optimal White House organizational
        structure for dealing with the cyber challenges facing our
        national and economic security as well as ``an action plan on
        identifying and prioritizing further work in this area.'' For
        the reasons outlined below, an effective national effort to
        address cybersecurity can only succeed through continuous,
        active, and decisive White House leadership.
  <bullet> Intelligence.
    <bullet> An effective national cyber strategy must leverage the
            strength of the intelligence community.
As information and
            computer-based technologies increasingly permeate how the
            world works, opportunities abound to improve the types,
            quantity, and quality of intelligence the community can
            provide at various levels of classification to its
            consumers. In the primary intelligence functions of
            collection, analysis, and dissemination, cyberspace can
            provide an effective aspect to operations. The volumes of
            information and the diversity of sources can quickly become
            overwhelming. The intelligence community must continue to
            refine its ability to evaluate the quality and value of
            such information and accurately assess it in order to
            assure its appropriate dissemination to decisionmakers.
            This should include improved functionality around
            attribution in cyberspace.
    <bullet> There is a clear and distinct conflict of interest between
            intelligence objectives and those of system operators.
            Simply put, intelligence organizations prioritize the
            intelligence and counter-intelligence missions, which in
            cyber focus on monitoring adversaries, determining their
            methods and techniques, tracking their activities to a
            point of origin, and determination of compromise scope,
            attack intent, and the adversary's objectives. While these
            are very important, they frequently conflict directly with
            the information assurance objectives of system owners and
            operators, who are primarily concerned with system defense
            and protection, and in the event of compromise, a speedy
            restoration to a functional and assured state.
This
            distinction in core objectives is critical because it
            represents the difference between programmatic emphasis on
            information gathering, or system resilience and
            availability. For instance, intelligence and law
            enforcement entities often prioritize attack attribution,
            while almost no emphasis is placed on attribution by those
            defending systems. Rather than sharing information with
            operators and better informing them as to how they can
            defend and monitor themselves, an intelligence community-
            centric mindset around cyber would limit information
            exchange and instead focus on enabling the intelligence
            community to perform an expanded and aggregated monitoring
            program. Such a monitoring program would face significant
            cost and scalability impediments. We must remember the
            purpose for a monitoring program. Are we in fact monitoring
            to enable better defenses? Who makes the decisions to
            inform the defense? It is a clear conflict of interest for
            those who collect to make this decision. The decision
            should be a balanced one. Prioritizing the intelligence
            mission also has significant resource allocation
            implications. Amid news stories of billions of dollars in
            cyber spending under CNCI, a majority of resources are going
            to intelligence and centralized monitoring activities. For
            instance, the Center for Disease Control, where sensitive
            information resides about biological threats, such as
            anthrax, has on-going incidents which they do not have the
            manpower or technology to adequately investigate.
In the
            face of these challenges, this year the CDC's cybersecurity
            budget will be reduced by 37%.
    <bullet> For ill-defined reasons, the CNCI led by ODNI has been
            shrouded by a high degree of secrecy and lack of
            transparency. The plan itself is so classified that even
            Members of Congress have not been provided copies and
            industry has had no access to the document. While the need
            for high levels of classification may exist in certain
            components of a national cyber effort, such as offensive
            capabilities or for the protection of sources and methods,
            such a broad over-classification is counterproductive to
            supporting an effective cyber defense. Such information is
            prevented from being shared with operators, most of whom
            do not hold adequate clearances, and this creates
            significant hurdles when trying to defend unclassified
            systems. In recent examples adversary internet addresses
            used in attacks and their various attack methods have been
            classified to the point they were not broadly available for
            defensive purposes or provided through channels. In
            numerous cases this roadblock prevented information from
            being used effectively in cyber defense and provided
            further advantage to our adversaries. If you cannot or will
            not share useful information with cyber defenders, their
            job is made far more difficult. As the private sector is
            increasingly the target of foreign intelligence efforts, a
            national cyber effort will need to further evolve its
            abilities in working with the private sector.
Most
            importantly, over-classifying a national cyber strategy
            prevents adequate public review and debate to assure that
            the programs are designed optimally, contain the highest
            level of innovation, and are well-aligned with and informed
            by the total body of knowledge of the cyber security
            profession. Often classification is used to hide weaknesses
            found. Classification cannot be used effectively as a cyber
            defensive technique, only one for avoiding responsibility
            and accountability. Over-classification leads to a narrowly
            limited review of any program. One of the hard-learned
            lessons from the Terrorist Surveillance Program (TSP) is
            that such limited review can lead to ineffective legal
            vetting of a program. The cyber mission cannot be plagued
            by the same flaws as the TSP has been.
    <bullet> Intel loss/gain analysis has historically been performed
            by the intelligence community's judgment without
            substantive subject matter input from those whose systems
            are being damaged. If the intelligence community takes on a
            leadership role for the cyber mission it is likely that
            additional monitoring programs will be put in place to find
            the adversary. While the technical acumen within NSA is
            strong, better controls over operations would be needed to
            reduce the natural emphasis on collection and instead
            prioritize the protection and availability of Government
            and industry systems. The cyber mission suffers in favor of
            the intelligence mission all too often.
While protecting
            sources and methods, the intelligence community needs to
            better inform public and private sectors on the threat
            environment and how they can better defend themselves.
            Moreover, some organizations may be less likely to act
            responsibly and invest properly in monitoring and defending
            their own systems if they feel as though they can rely on
            some federated intelligence monitoring operation.
  <bullet> Research and Development. The current paradigm in cyber
        security is not likely to change significantly through improved
        security products, monitoring, and incident response
        capabilities. While the private sector makes significant
        investment in incremental product, application, and protocol
        improvements, fundamental research is required to meaningfully
        improve the security of the cyber and critical infrastructures.
    <bullet> According to the CSIS Commission work, ``The federal
            government plans to spend about $143 billion in 2009 on
            R&D. We estimate that two-tenths of 1 percent of that will
            go to cybersecurity.'' An inherently Government investment
            must drive long-term research agendas in cybersecurity,
            where private sector focus on shorter-term
            commercialization limits results to more tactical or
            incremental advancements. The Department of Homeland
            Security's Science and Technology Directorate invests less
            than $20 million per year on cybersecurity research
            efforts, a far cry from any responsible level of resource
            allocation.
    <bullet> The Government should not use this money to be in the
            security product development business, especially via
            classified venues.
In an overwhelming majority of
            instances, Government cyber requirements are substantially
            similar to if not exactly the same as the private sector
            and only in the rare cases where they are not or in
            classified instances, do specific tactical Government
            development efforts make sense to consider. In addition, it
            is a fact that there is a severe lack of qualified
            engineers needed to develop these systems. Today, the
            majority of these engineers are employed by the security
            industry. The Government and intelligence community should
            guide and assist in functional requirements for the
            development of technologies which can help us best address
            the sophisticated cyber threat environment, not enter the
            product development business. The resulting improvement in
            security technologies will not only benefit the Government
            in protecting its systems, but will also benefit the
            Nation's critical infrastructure operators and rest of the
            shared internet fabric that joins our digital world.
            Additionally, Government development efforts have stranded
            enterprise cyber defenders without the benefits of product
            management, maintenance, and professional support.
  <bullet> Standards and Acquisition reform. The CSIS Commission report
        provides a lot of insight into how the Government can
        positively improve its situation as well as security of private
        networks by leveraging its expertise in standards setting and
        using its procurement size to effect product vendor behaviors.
\n        We also need to consider more dynamic methods for systems \n        procurement and lifecycle management as the current processes \n        seem marginally nimble enough to enable the purchase of a \n        battle tank or fighter jet. Antiquated and poorly maintained \n        systems compound our challenges. The systems on Federal \n        networks average 5 years old. Unlike responsible parties in the \n        private sector, Federal networks frequently do not have \n        centralized patching, vulnerability understanding, or adequate \n        monitoring technologies and processes. Simply put, they are not \n        achieving or maintaining an appropriate standard of care by any \n        responsible measure. It should be understood the reasons for \n        this are a lack of IT and IT security governance. The \n        technology here is not overly complex; the real challenge is \n        the people and the process. The average Government executive, \n        whether DoD or civil, stays in his/her position for an average \n        of 18 months. There is little or no reason to look ahead at the \n        next executive's tenure and budget or plan for the life cycle \n        management or security of a system 18 months later. In \n        addition, because planning was not done in the previous \n        executive's tenure, the system the executive has to care for is \n        more likely than not to be in an unkempt, dated, and insecure \n        state. There is no governance mechanism or motivation for \n        Government systems to plan, budget, or perform best practice \n        life-cycle management which can significantly reduce risk of \n        loss. 
Please see the recently published Consensus Audit \n        Guidelines for a reasonable approach to minimal security \n        practices.\n  <bullet> Legal Review and Privacy Oversight.\n    <bullet> Congress and the Obama Administration must work together \n            to modernize authorities. FISMA and Clinger-Cohen are dated \n            and fraught with politics and games. Without hard-hitting, \n            detailed legislation that structures governance and \n            authorities no program will succeed. Today the CNCI is not \n            codified. HSPDs 54 and 23 are not supported by legislation, \n            therefore are not mandated. An immediate, thorough, and \n            transparent legal analysis of the governance, authorities, \n            and privacy requirements should be performed on both the \n            efforts used to protect IT systems as well as an analysis \n            with the requisite understanding of intelligence and \n            national security law for all cyber collection activities. \n            Given the broad concerns of over-classification, conducting \n            these reviews must be a high priority task.\n    <bullet> An effective national cyber function requires an informed \n            privacy function. Privacy issues need proper review and \n            advocacy when designing various Government cyber security \n            programs, especially those of the intelligence and law \n            enforcement communities. An effective program should be \n            implemented in a non-partisan fashion by qualified privacy \n            professionals who are not members of the executive or \n            legislative branches and have fixed terms of service \n            without eligibility for reappointment or extension terms. 
\n            Security can be implemented with and even contribute to \n            enhanced privacy, but it is not easy and often not without \n            strong and deliberate privacy advocacy and oversight.\n  <bullet> Homeland Security.\n    <bullet> The Department of Homeland Security (DHS) has demonstrated \n            inefficiency and leadership failure in its cyber efforts. \n            While pockets of progress have been made, administrative \n            incompetence and political infighting have squandered \n            meaningful progress and for years now our adversaries \n            continue to aggressively press their advantage. Recently, \n            the Director of National Intelligence, Admiral Dennis \n            Blair, told the House intelligence committee that, ``the \n            NSA, rather than the Department of Homeland Security which \n            currently oversees cybersecurity, has the smarts and the \n            skills to secure cyberspace.'' In his assessment of both \n            organizations he is absolutely correct. DHS has repeated \n            failed to either attract or retain the leadership and \n            technical acumen required to successfully lead in the cyber \n            mission space. On a number of occasions proven, talented, \n            and knowledgeable leaders from within the Government or \n            successful experts from private sector have joined the \n            Department in hopes of meaningful contribution. In its \n            cyber responsibilities DHS has a consistent track record \n            for tolerating political infighting, individual egos, and \n            shenanigans over prioritizing and executing its cyber \n            responsibilities in a mature fashion. While the tendency \n            would be to migrate the cyber mission to the NSA, that \n            would be ill-advised for all of the reasons provided \n            earlier. 
In Rod Beckstrom's resignation letter last week, \n            he states, ``NSA effectively controls DHS cyber efforts \n            thru detailees, technology insertion and the proposed move \n            of NPPD and the NCSC to a Ft. Meade NSA facility. NSA \n            currently dominates most national cyber efforts . . . The \n            intelligence culture is very different than a network \n            operations or security culture. In addition, the threats to \n            our democratic processes are significant if all top level \n            government network security and monitoring are handled by \n            any one organization.'' This could not have been more \n            accurately stated. We must enable civil government to \n            succeed at this mission. This being said, it is far past \n            time we fix the DHS problems and move forward.\n    <bullet> Public-Private Partnership. In addition to defining \n            increased security functionality and assurances for \n            Commercial Off the Shelf Software (COTS), the Government \n            must work more closely with the private sector and \n            understand their businesses if it is to be effective in \n            constructing useful partnership programs. Programs managed \n            in a vacuum by the intelligence community at a highly \n            classified level are unlikely to work well and in concert \n            with system operators within the Federal Government, let \n            alone in the private sector, where not only are mission \n            objectives completely foreign, but where there are very few \n            people with Government clearances. Government programs need \n            to focus on open dialog and information exchange, and \n            enabling the private sector to better understand the \n            security challenges they face and how they might be \n            overcome with the help of the Government. 
DHS is the \n            natural and appropriate placement for public-private \n            partnership and cooperative activities, including those in \n            cyber security. The current set of public-private \n            partnerships are at best ill-defined. While well-\n            intentioned and occasionally valuable information is \n            brought to the Department, they categorically suffer from \n            meaningful value creation to the private sector. A deeper \n            understanding of how cyber defense and security operations \n            are implemented in the private sector is required by those \n            crafting the evolution of these programs so that adequate \n            incentives can be appropriately incorporated going forward. \n            Such incentives might include tax consequences, fines, \n            liability levers, public recognition, or even occur at an \n            operational level, such as the sharing of threat \n            intelligence, technical knowledge or incident response \n            support to name just a few. Due to its fluid nature, trust \n            relationships when dealing in cyber security matters are at \n            least as strongly emphasized as in physical security. In \n            news reports and discussions among privacy and civil \n            liberties groups the role of the NSA in monitoring or \n            defending domestic private networks is debated. Should such \n            intelligence programs exist, DHS should be very careful to \n            distance itself from participation, support, or engagement \n            in these activities. The Department's ability to fulfill \n            its primary mission and responsibilities may be permanently \n            damaged by a loss of public confidence and trust. 
At a bare \n            minimum, in order to preserve public trust, its interaction \n            with domestic intelligence collection efforts should be \n            explicitly and clearly articulated.\n    <bullet> NCSC and US-CERT. Congress and the administration should \n            focus DHS where it can have the greatest positive impact. \n            The Department's culture migrates toward increasing its own \n            mission scope and infrequently emphasizes a crawl, walk, \n            run mentality. Sometimes, it's just time to close \n            PowerPoint and Word, stop the rhetoric and simply roll the \n            sleeves up and begin the actual work at hand. For instance, \n            spending the Department's limited resources on advocacy \n            programs for better software development, where the \n            Department has very limited experience, expertise, and \n            credibility is of exceptionally limited value.\n    <bullet> The US-CERT works to support the security of Government \n            networks through design, deployment and monitoring the \n            Einstein series of programs to enhance situational \n            awareness, be the centralized incident reporting authority \n            for the Federal civilian networks, facilitate efficient \n            incident response and cleanup efforts, support the private \n            sector through information exchange with critical \n            infrastructure operators, and working with IT and IT \n            security product vendors to assure that they can address \n            the needs of the broader Federal Government and critical \n            infrastructures.\n        At present the US-CERT remains torn apart into three arms; a \n            technology deployment arm (lead by an intelligence \n            community detailee), a security arm (managing the Trusted \n            Internet Connection program), and the operations arm \n            (performing the 
core US-CERT mission). This stove-piping \n            has added political strife, inability to spend 2009 money \n            this year, and defocusing all from accomplishing the single \n            US-CERT mission. In order to regain any efficiency, the \n            Department's operational security role, which has been \n            ripped apart by years of political infighting, must be \n            reconsolidated in the US-CERT. The critical work of the US-\n            CERT with its operational mission is not resourced to \n            succeed (fewer than 20 Government FTEs, a budget of only \n            $67 million out of the Department's $355 million spend on \n            cybersecurity). Additionally, the US-CERT must be lead by a \n            single Federal civil executive.\n        The coordination function of the National Cyber Security Center \n            is underutilized. Rod Beckstrom's recent resignation claims \n            that only 8 weeks of the annual funding have been provided \n            to it. His concerns for NSA management control of DHS' \n            cyber efforts apply to the US-CERT as well, which reports \n            to detailee from the USSS, who reports to detailee from \n            NSA/Navy. All special assistants around the Acting \n            Assistant Secretary are also NSA detailees. The US-CERT \n            must be provided appropriate staffing levels to move \n            forward and given adequate funding. Not doing so cannot \n            help but send the strongest message to the cyber community, \n            the rest of Government, the intelligence community, and the \n            private sector that cybersecurity does not matter to DHS \n            leadership and the Department's role is unnecessary. A \n            newly focused cyber mission must report directly to the \n            Secretary of DHS. 
This critical mission has been sought \n            aggressively by so many parties, but resisted so strongly \n            by the Department responsible for its successful execution. \n            Cyber must not remain buried in the bureaucracy of DHS or, \n            alternatively, it must be removed and placed where it can \n            succeed.\n    The House Homeland Security Committee and Congress should work with \nthe Executive branch to assure these fundamental changes are made:\n    1. DHS must be charged with and enabled to build an effective cyber \n        capability in support of securing Federal civilian systems.\n      a. Make special provisions in the hiring, contracting, human \n            resources, political issues within the cyber mission of DHS \n            to prevent it from remaining a victim of the Department's \n            broader administrative failures.\n      b. Enable the US-CERT to stand up the capabilities necessary to \n            assist in the defense of Federal civil government as a \n            component of the Federal civil agency charged with \n            defending the homeland.\n      c. DHS should also be given specific emergency authorities to \n            specifically address security concerns in civil systems, to \n            include the ability to measure compliance with security \n            standard, protocols, and practices and take decisive action \n            where organizations are not applying reasonable standards \n            of care.\n    2. Flesh out, define roles, responsibilities and authorities of \n        DHS, DoJ, DoD, NSA, and other Federal departments and agencies \n        engaged in securing digital infrastructure. Such a framework \n        should be publicly stated so that trust and confidence in cyber \n        programs can be restored. It will also be a critical step in \n        guiding more informed and consistent interactions with the \n        private sector. 
Steps must also be put in place to allow the \n        White House, Congress, departments and agencies to have \n        visibility, input, and clear oversight into the process and \n        solutions.\n    3. Adequately resourcing for success.\n      a. A large-scale reallocation of the DHS cyber monies toward the \n            programs which are operational and provide meaningful value \n            add to its responsibilities to the Federal civil networks \n            is needed.\n      b. There exists stronger network controls and millions of dollars \n            spent by DoD and NSA to protect the DoD networks, and that \n            they still are under-resourced to adequately defend \n            themselves. Only a fraction of that is being spent to \n            defend Federal civilian systems and in reality those \n            networks are by comparison 10 times larger than the Defense \n            Department's.\n    Thank you for the opportunity to testify. I would be happy to \nanswer any questions you may have at this time.\n\n    Ms. Clarke. I thank you as well for your testimony.\n    I now recognize Ms. Davidson to summarize her statement for \n5 minutes.\n\nSTATEMENT OF MARY ANN DAVIDSON, CHIEF SECURITY OFFICER, ORACLE \n                          CORPORATION\n\n    Ms. Davidson. Chairwoman Clarke, Members of the \nsubcommittee, my name is Mary Ann Davidson. I am Chief Security \nOfficer for Oracle. Thank you for the opportunity to testify \nregarding the important issue of cybersecurity.\n    The Declaration of Independence states all men are created \nequal. All information systems, however, are not. The truth of \nthe statement should be self-evident but it isn't, and therein \nlies a risk to our freedoms. 
The ubiquity, flexibility, and
configurability of information systems has led to circumstances
in which software designed for a particular purpose and
environment is too often deployed in an environment it was
never designed for, without any thought or explicit acceptance
of the risks in so doing. There is no substitute for knowing up
front what you need software for, how it is going to be
deployed, and what risks you can accept and what risks you
won't. The time to make these determinations is during
procurement, not afterwards.
    The Navy does not purchase container ships and try to
deploy them as aircraft carriers, nor does the Air Force
purchase Gulfstream V's and try to configure them as F-22
Raptors. While there is nothing wrong with container ships or
Gulfstream V's, they were not designed for the operational
needs or the threat environment that aircraft carriers and
F-22s were designed for.
    Why then is information technology somehow different? It
isn't. Good security, like good hardware, starts in
procurement: Knowing what you need, how it will be used, and
explicitly describing the threat environment for deployment.
Use procurement wisely and aggressively.
    This brings me to my second point. Information technology
is mission-critical not merely mission-enabling. Our entire
economy rests on an IT backbone; in particular, our homeland
security and our military's ability to prosecute war rests on
an IT backbone. DOD continues to invest in network-centric
operations, which is all about getting the right information to
the right warrior at the right time and the right battlespace.
This makes the network itself the battlefield and therefore,
DOD needs to enhance the treatment of information systems as a
core mission specialty as well as using information systems
offensively. Absent this capability, the DOD will not be able
to use IT as the force multiplier it is.
    Just as General Patton knew his tanks and their technical
capabilities very well, not just merely how to deploy them, our
military and homeland security leaders need to know how to
deploy and embrace the full capability of IT. Putting it
differently, do we envision having a contractor at the helm of
an aircraft carrier? If not, then why would our cyber offense
be any different? General Patton also knew that the 3rd Army
would stop without supplies of gas. Netcentric armies stop
without supplies of information. Only by holding capability for
both function and esteem can offense inform defense.
    This brings me to my third point. We are in a conflict.
Some would say a war. Let's call it what it is. Given the
diversity of potentially hostile entities building cadres of
cyber warriors probing our systems, including our defense
systems for weaknesses, infiltrating U.S. Government networks
and making similar attempts against American businesses and
critical industries, is there any other conclusion to be
reached?
    There are three obvious outgrowths from the above
statement. One is that you can't win a war if you don't admit
you are in one. The second is that nobody wins on defense. The
third is that we need a doctrine for how we intercede in
cyberspace that covers both offense and defense and maps to
existing legal and societal principles in the off-line world.
    In short, Congress should consider developing a 21st
century application of the Monroe Doctrine. The need for a
framework to guide the Government's role in response to foreign
aggression is a point that Melissa Hathaway has specifically
noted during her review and an area where this subcommittee can
work with the National Security Council.
    You may recall that the Monroe Doctrine, introduced in
1823, said that further efforts by European governments to
interfere with the States in the Americas, the Western
Hemisphere, would be viewed by the United States as acts of
aggression, and the United States would intervene. The Monroe
Doctrine is one of our longest-standing foreign policy tenets,
invoked on multiple occasions by multiple Presidents. We have,
as the expression goes, sent in the Marines and the rest of our
Armed Forces to uphold it.
    Some may argue that cyberspace is virtual and unsuited to
declared spheres of influence. But even internet protocol
addresses map to physical devices in physical locations we
care about: Critical infrastructures such as a server for a
utility company in New York or a bank in California. Note that
the Monroe Doctrine did not detail the same intervention or
even specific intervention for each perceived act of
aggression. It merely laid out ``Here is our turf, stay out or
face the consequences,'' language that allowed great
flexibility in terms of potential responses.
    We need not militarize all elements of U.S. cyberspace any
more than invoking the Monroe Doctrine meant creating permanent
military encampments throughout the Western Hemisphere. The
advantages of invoking a Monroe Doctrine in cyberspace would be
to put the world on notice that the United States has cyber
turf, and the second is that we will defend our turf. We need
to do both now.
    Thank you and I look forward to your questions.
    [The statement of Ms. Davidson follows:]
                Prepared Statement of Mary Ann Davidson
    Chairwoman Clarke, Members of the subcommittee, my name is Mary Ann
Davidson, and I am Chief Security Officer for Oracle. For more than 30
years, information security has been a central part of Oracle's
software DNA, and is a big reason why the Federal Government is
Oracle's largest customer. Thank you for the opportunity to testify
regarding the important issue of cybersecurity.
1. The Declaration of Independence states ``All men are created
        equal.'' All information systems, however, are not.
    The truth of this statement should be self-evident but it isn't,
and therein lies a risk to our freedoms. The ubiquity, flexibility, and
configurability of information systems has led to circumstances in
which software designed for a particular purpose and environment is too
often deployed in an environment it was never designed for, without any
thought or explicit acceptance of the risks in so doing. Without
properly scoping our requirements we are faced with an all-or-nothing
approach to cyberspace, simultaneously putting at risk our civil
liberties, our homeland security and the women and men of our armed
forces.
    Let me give you a present-day example: I had a most frightening
conversation with a highly placed official in the Defense Department
who said that DoD wanted to use popular social networking software and
that (direct quote) ``you in industry need to secure it.'' My response
to that statement: ``What is DoD going to use the software FOR? `Hi,
I'm an al Qaeda operative. I like long walks on the beach and IEDs.
Will you friend me?' '' Without an appropriate context, I noted to the
gentleman, there is no magic security dust we in industry can sprinkle
on technology that is already ``out there and being used,'' especially
if we do not know what it is being used for. Certainly there are
legitimate scenarios where we may want to permit our troops to use
social networking software as a morale booster, including contact with
their family and friends, but the technical and policy-based security
requirements around that use case are different from a use case where
the DoD might use similar technology for operational purposes.
    There is no substitute for knowing upfront what you need software
for, how it is going to be deployed, and what risks you can accept and
what risks you won't. The time to make those determinations is during
procurement, not after. The Navy does not purchase container ships and
try to deploy them as aircraft carriers. Nor does the Air Force
purchase Gulfstream Vs and try to configure them as F-22 Raptors. There
is nothing wrong with container ships or Gulfstream Vs, by the way, but
they were not designed for the operational needs or--and I emphasize
this last point--threat environment that aircraft carriers and F-22s
were designed for. Why, then, is information technology somehow
``different?'' It isn't. Private industry and Government agencies have
varying use cases and threat environments in cyberspace, just as they
share different requirements in the real world. And where privately run
information systems can benefit from defensive technologies informed by
our offensive capabilities--to use a metaphor--this rising tide will
lift all ships in cyberspace.
    Unfortunately, many think software is so flexible and configurable,
that one size fits all applications. It doesn't. The military already
knows this, but sometimes they need an occasional reminder. When I was
a naval officer, I had many different uniforms: dress blues, dress
whites, tropical whites, khakis, and utility greens. Each had its
purpose. Should one be foolish enough to wear dress blues to a
firefight, it isn't merely that you will be breaking uniform
regulations; you aren't going to be adequately protected, either. You
wear body armor to a firefight. While cost is one consideration in
deployment, it need not be the only one, unless we plan on digging up
old Lee-Enfield rifles and giving them to the Marine Corps instead of
the M-16s they now use. ``You get what you pay for'' is as true in
software as in anything else.
    Good security, like good hardware, starts in procurement: Knowing
what you need, how it will be used, and explicitly describing the
threat environment for deployment. Use procurement wisely and
aggressively.
    This brings me to my second point.
2. Information technology is mission critical, not merely mission
        enabling.
    Our entire economy rests on an IT backbone: The acronym ``IT''
therefore represents ``infrastructure technology'' as much as
``information technology.'' In particular, our homeland security and
our military's ability to prosecute war rests on an IT backbone. DoD
continues to invest in network-centric operations, which is all about
getting the right information to the right warrior at the right time in
the right battlespace. Therefore, the network itself is the battlefield
because the network is what our enemies will attack if they want to
deny us the ability to use our own technology (or in an attempt to use
our technology against us).
    Given that DoD has bet the farm on information systems, it needs
to enhance its treatment of information systems as a core mission
specialty in supporting roles as well as using information systems
offensively as a warfare specialty. Absent this capability, the DoD
will not be able to fully use IT as the force multiplier it can be. Just
as Patton knew his tanks and their technical capabilities very well,
not just merely how to deploy them, our military and homeland security
leaders need to know and embrace the full capability of IT. Putting it
differently, do we envision having a contractor at the helm of an
in-theatre aircraft carrier? If not, then why would our cyber offense be
any different? Note that the ability to deploy and support systems
itself is also a critical mission specialty, just as, say,
supply/logistics is a staff function in the military but a critical one.
Patton knew very well that armies stop without supplies of gas;
net-centric armies stop without supporting information systems.
Furthermore, only by holding capability for both functions in esteem
can ``offense inform defense'' and vice versa.
    We must also remember the strength of the American economy rests on
the flexibility afforded the private sector to innovate and market
those innovations globally. In the same way our Nation's electrical
grid, pipelines, roads, and railways support our military but are not
run by our military, our critical cyber infrastructures and the
companies who create them cannot simply fall under military control. Of
course our Government should defend our cyber interests, but in the
same way we would abhor a military presence at every intersection, we
must also ensure civilian control over the normal operation of our
digital highways.
    This brings me to my third point.
3. We are in a conflict--some would say a war. Let's call it what it
        is.
    Given the diversity of potentially hostile entities building cadres
of cyberwarriors, probing our systems--including our defense systems--
for weaknesses, infiltrating U.S. Government networks and making
similar attempts against American businesses and critical industries,
is there any other conclusion to be reached? Whatever term we use,
there are three obvious outgrowths from the above statement. One is
that you can't win a ``conflict''--or war--if you don't admit you are
in one. The second is that nobody wins on defense. The third is that we
need a doctrine for how we intercede in cyberspace that covers both
offense and defense and maps to existing legal and societal principles
in the off-line world. In short, Congress should consider developing a
21st century application of a Monroe-like Doctrine. The need for a
framework to guide the Government's role in response to foreign
aggression is a point that Melissa Hathaway has already noted during
her 60-day interagency review of the Federal cybersecurity mission, and
an area where this subcommittee can productively collaborate with the
National Security Council.
    For those a tad rusty on their U.S. history, the Monroe Doctrine
(introduced December 2, 1823) said that further efforts by European
governments to interfere with states in the Americas--the Western
hemisphere--would be viewed by the United States as acts of aggression
and the United States would intervene. The Monroe Doctrine is one of
our longest-standing foreign policy tenets: Invoked on multiple
occasions by multiple presidents, including Teddy Roosevelt, Calvin
Coolidge, Herbert Hoover, and John Kennedy. We have, as the expression
goes, sent in the Marines--and the rest of our armed forces--to support
the Monroe Doctrine.
    Note that the Monroe Doctrine did not detail the same intervention
or even specific intervention for each perceived act of aggression,
merely laid out ``here is our turf; stay out or face the consequences''
language that allowed great flexibility in terms of potential
responses. Some may argue that cyberspace is ``virtual'' and unsuited
to declared spheres of influence. But even internet protocol (IP)
addresses map to physical devices in physical locations we care about--
critical infrastructures such as a server for a utility company in New
York, for example, or a bank in California.
    The advantages of invoking a Monroe-like Doctrine in cyberspace
would be to put the world on notice that the United States has cyber
``turf,'' (properly and narrowly scoped--we should not claim all
cyberspace as our turf). The second is that we will defend our turf. We
need to do both. Now.
    As I mentioned earlier, having a military response capability does
not mean militarizing all elements of U.S. cyberspace any more than
invoking the Monroe Doctrine meant necessarily creating permanent
encampments throughout the Western hemisphere. Nor should a
cyber-Monroe Doctrine lead to permanent Government encampments in
private networks, or become a mandate for unilateral intervention in all
of cyberspace. With proper guidance, various Government agencies and the
private sector can find their natural role in guarding our cyber
infrastructures in a framework similar to how we currently protect our
real-world interests.
    To summarize:
  <bullet> Technology is only a force multiplier if you pick the right
        technology for the intended use and intended threat
        environment. The Government must make security an explicit part
        of procurement, funding appropriately skilled staff to execute
        these procurement requirements while recognizing that some
        non-commercial requirements will incur additional costs.
  <bullet> We need a skilled cadre of Government information technology
        professionals--both offense (in the military) and defense
        (throughout the entire Government).
  <bullet> We need the cyber-equivalent of the Monroe Doctrine for our
        21st-century information age that respects the boundaries of
        our shared ownership of the Nation's cyber infrastructure.

    Ms. Clarke. We thank you for your testimony.
    I now recognize Mr. Lewis to summarize his statement for 5
minutes.

   STATEMENT OF JAMES A. LEWIS, PROJECT DIRECTOR, CENTER FOR
              STRATEGIC AND INTERNATIONAL STUDIES

    Mr. Lewis. Thank you and thank you to the committee for the
opportunity to testify. The new administration has a real
opportunity to improve our Nation's security in cyberspace, but
there are many difficult issues it has to address, and the work
of this committee will be essential in helping to guide that
effort.
    You know, the President has directed the National Security
Council to undertake a 60-day review. This review is an
important step. Cyberspace, as you have heard, has become one
of the central pillars of our economy and our national
security. Securing cyberspace will help enable recovery and
future growth. Officials involved in the review have told me it
is forward-looking, with a broad scope. It will lay out a
strategic framework for the United States.
    In my testimony, I would like to discuss how to assess the
review. The Center for Strategic and International Studies
issued a report in December on steps the next President could
take. We made many recommendations and whether you like our
recommendations or not, I believe strongly that we identified
the right issues. Any review that does not address the issues
we identified will be inadequate.
    Among our recommendations there are two that I think are
crucial. The first is the need for clear leadership from the
White House, and the second is a comprehensive plan for moving
ahead. We undertook a long discussion of who should lead the
Federal cybersecurity effort. It looked at many agencies:
Defense, FBI, GSA, DHS, the intelligence community. We were
concerned with agency authorities and competencies, but also
with the signal that a lead agency would send to the public and
to the world. The United States should avoid being perceived as
militarizing the internet, and it should avoid solutions that
give rise to concerns over privacy and civil liberties. In the
end, we decided only the White House had the necessary
authority.
    Clear White House leadership is essential, but it has to be
accompanied by a truly strategic plan, a truly strategic plan--
a truly comprehensive plan, I am sorry.
    What does comprehensive mean? It means going beyond an
effort to secure Government networks. It means integrating
offensive and defensive strategies and looking at how to
improve attribution and identity in cyberspace. It means
engaging with foreign nations, something we have not done
particularly well. It means accepting that the Federal
Government must use its regulatory powers if we are to make any
progress.
    I want to emphasize the need to develop regulatory
strategies, because this has been largely overlooked in
previous national efforts. Regulation is necessary when market
forces alone will not provide security. We were careful to note
in our report that a new approach is needed, one that avoids
both prescriptive regulations and rules that are so
diluted as to be meaningless.
New regulation must be developed \nin partnership with the private sector, but with the Government \nsetting the goals and ensuring compliance.\n    My own view is that regulation is essential if we are to \ngive substance to public/private partnerships. Regulation gives \nus an opportunity to improve cybersecurity in critical \ninfrastructure, something this committee has worked on in the \npast and you will be working on, I understand, in the future. \nThe work of this committee has made a tremendous contribution. \nIt helped guide us in writing the report. Regulation of \ncritical infrastructure will become increasingly important. The \nstimulus package envisions spending on infrastructure and it \nwill build security in. This is a good idea, but when we come \nto the question of what precisely needs to be done to make new \nprojects secure, we don't know the answer, and we don't have \nthe time or the people to develop that answer.\n    A failure to invest in infrastructure modernization for \nalmost 2 decades has made it impossible to build both quickly \nand securely. Smart Grid projects are an example of this. Smart \nGrid uses, for example, advanced meters to measure and manage \nthe flow of electricity. These new meters are based on network \ntechnologies. Unfortunately, if the new smart meters are not \nsecure, they can be hacked. Regulation can play a role in \nremedying this by giving Government the ability to mandate \nactions that mitigate our new vulnerabilities. But if we do not \nbuild the regulatory foundation now, the United States will be \nput at risk.\n    Let me summarize quickly. It is always difficult batting \nclean-up because everyone has already said everything. But we \nneed somebody in charge at the White House who will implement a \ncomprehensive plan. That plan has to include strategies for \ninternational engagement and for domestic regulation. Then we \nneed to move out.\n    Okay. 
I thank the committee and look forward to your \nquestions.\n    [The statement of Mr. Lewis follows:]\n                  Prepared Statement of James A. Lewis\n                             March 10, 2009\n    I thank the committee for the opportunity to testify on the Federal \nCybersecurity Mission. I believe that the new administration has a real \nopportunity to make a significant difference in improving our Nation's \nsecurity in cyberspace, but there are many difficult issues that it \nmust address. The work of this committee will be essential for helping \nto guide that effort.\n    As you know, the President directed that the National Security \nCouncil undertake a 60-day review of the U.S. approach to \ncybersecurity. Federal officials involved in the review have told me \nthat this is a forward-looking effort with a broad scope. It looks \nbeyond securing Federal networks, which was the focus of the last \nadministration's efforts, and will endeavor to lay out a strategic \nframework for the United States.\n    The decision to undertake this broad review is an important step \nforward for our Nation. Cyberspace has become one of the central \npillars of our economy and our national security. The adoption of \nnetwork technologies since the 1990's by the United States has been a \nsource of both competitive advantage and rapid growth. The digital \ninfrastructure is now essential. More importantly, expanding our \ndigital advantage offers the possibility for continued increases in \nproductivity and innovation. Securing cyberspace will help enable \nrecovery and future growth.\n    Reaping the full advantage of digital technologies will require \nreal improvement in cybersecurity. Estimates of the damage to our \neconomy are imprecise, but millions of dollars are lost each year to \nfraud and theft, millions of dollars worth of intellectual property \nlost to foreign competitors, with the total easily reaching into the \nbillions. 
One of my fears is that as we increase spending on research \nand science as part of the stimulus package, we are actually \nsubsidizing the research of our economic and military competitors since \nthey can easily access work that cost us millions to develop for only a \nfew dollars.\n    There is of course additional risk that insecure digital networks \ncould allow foreign militaries and intelligence services, criminals, or \nother groups, to disrupt the provision of crucial services that are \neither provided by or depend upon digital technologies. It is easy to \noverstate the consequences of this sort of attack, and much of the \ndiscussion of cybersecurity over the last decade has involved some very \nsilly and exaggerated scenarios for national disaster, but the risk is \nreal and growing, and any national security strategy that does not \naddress it is inadequate.\n    Where are we today in cyber security? From one perspective, we are \nin remarkably bad shape. In the last year, we have seen the networks of \nthe two Presidential campaigns, secure networks at the U.S. Central \nCommand and computer networks in Congress and other Federal agencies \npenetrated by outsiders. 2007 saw a number of significant penetrations \nof major Federal agencies by an unknown foreign power. The Secretary of \nDefense's unclassified email was hacked. The Department of Commerce's \nBureau responsible for high tech exports was off-line for more than a \nmonth. The networks of the Departments of State and Energy, NASA, and \nother Federal agencies were penetrated and according to public reports, \nimmense quantities of information downloaded. The networks of Federal \ncontractors, the defense industry and other leading companies were also \npenetrated. Again, our statistics on this are imprecise, as companies \nprefer to conceal their losses or in many instances may not even be \naware they have been hacked. 
Poor cybersecurity damages national \nsecurity and drains our economy.\n    In response to this crisis, the Bush administration created its \nComprehensive National Cybersecurity Initiative (known as CNCI). This \ninitiative made real progress in securing Federal networks. CNCI \nincluded Einstein, a technology that monitors Federal networks for \nintrusion. It included the Trusted Internet Connection initiative, TIC. \nIt looked at the question of how to use Federal procurements to improve \ncybersecurity in an effort known as the Federal Desktop Core \nConfiguration--FDCC. The CNCI included several other initiatives and \nprojects, some of which were underway by the time the Bush \nadministration ended. Overall, it was a major step forward.\n    However, the CNCI had several major drawbacks. It began in the last \nyear of the Bush administration. This late start was a serious \nimpediment and one advantage for the Obama administration is that it \ncame into office understanding that securing cyberspace is a major \nstrategic issue. The CNCI was highly and unnecessarily classified. A \nfew of its elements deserved being labeled top secret, but most did \nnot, and the difficulties that over-classification created for \ncoordinating with the private sector and with our allies seriously \nimpeded the Bush administration effort. Finally, and most importantly, \nthe Comprehensive National Cybersecurity Initiative, despite its name, \nwas not comprehensive.\n    This was its greatest failing. The CNCI focused on the ``dot.gov'' \nspace, on Government networks, and while this is important, it is \ninadequate for cybersecurity. The task involves a global network \nlargely operated by the private sector. The CNCI did not have a serious \ninternational component and it did not adequately address how to secure \ncritical infrastructure or the ``dot.com'' space where most commercial \nactivity takes place. 
These were serious shortcomings, and they point \nto crucial areas for work by the new administration.\n    At the same time that the previous administration began work on the \nCNCI, the Center for Strategic and International Studies created a \ncommission to develop recommendations for the 44th Presidency on how to \nimprove cybersecurity. CSIS is a nonpartisan, nonprofit research center \norganization headquartered in Washington, DC with more than 200 staff \nand a large network of affiliated experts. Its research focus is on \nsecurity in a changing global environment. CSIS has been working on \ncybersecurity issues for many years and this work led us, in the face \nof the damaging events of 2007, to establish this Commission. When we \nbegan our work and for many months afterwards, we did not know of the \nCNCI. Officials involved in the CNCI initially declined our invitations \nto participate in order to preserve the initiative's secrecy.\n    The report produced by this commission--I note that the other \nprivate sector witnesses on this panel were members of the group--laid \nout a truly comprehensive approach to securing cyberspace. Thirty-eight \nthousand copies have been downloaded from the CSIS Web site. We were \nguided by the conclusions that Federal disorganization and an over-\nreliance on voluntary efforts had damaged our national security. To \nsummarize our recommendations:\n  <bullet> Create a comprehensive national security strategy for \n        cyberspace that uses all the tools of U.S. power in a \n        coordinated fashion--international engagement and diplomacy; \n        military planning and doctrine; economic policy tools; and the \n        involvement of the intelligence and law enforcement \n        communities.\n  <bullet> Publish a public doctrine for cyberspace. 
The President \n        should state publicly that the cyber infrastructure of the \n        United States is a vital asset for national security and the \n        economy and that the United States will protect it, using all \n        instruments of national power.\n  <bullet> Clarify governance and responsibility for cyber security and \n        establish White House leadership for cybersecurity based on \n        Presidential Strategy and Directives.\n  <bullet> Use regulation to set minimum standards for securing \n        cyberspace, to ensure that the delivery of critical services \n        can continue when we are attacked.\n  <bullet> Mandate strong authentication for access to critical \n        infrastructure. Strong authentication can significantly improve \n        defense, if it is done in a way that protects privacy and civil \n        liberties.\n  <bullet> Use acquisitions policies and rules to drive security, to \n        encourage the development and use of products and services that \n        are secure, based on standards and guidelines developed in \n        partnership with industry.\n  <bullet> Build human capital and improved technologies for securing \n        cyberspace by expanding research, training, and education.\n  <bullet> Refocus and strengthen public-private partnerships and focus \n        them on action, not information sharing. Build on the CNCI \n        effort, as part of a larger and more transparent comprehensive \n        effort to secure cyberspace.\n    It is a lengthy list, but this reflects the overarching importance \nof cyberspace to our Nation and the complexity of the problems involved \nin securing it. I believe that the issues we identified are central for \nimproving national security and the 60-day review must address them.\n    Two recommendations deserve additional scrutiny in the context of \nthe 60-day review. These are governance and regulation. 
We had a \nlengthy set of discussions in the CSIS commission on how best to \norganize for cyberspace. We considered many agencies for the lead role, \nincluding the Departments of Defense and Homeland Security, the FBI, \nthe General Services Administration, and the intelligence community.\n    Three problems drove us to reject an agency-led approach. First, \nthe mandate of any one agency would have to be greatly expanded to \nfully cover cybersecurity. Agency legal authorities differ widely and \nnone--law enforcement, military or intelligence--are by themselves \nadequate for the range of cyber problems. We did not think that a super \nagency with broad domestic and international powers made sense. Public \nperception is important. Giving the intelligence community the lead in \ncybersecurity, although initially attractive to some of us because of \nthe strong capabilities these agencies possess, would trigger powerful \nantibodies in the privacy community and the public, particularly after \nthe experience of the previous administration's warrantless \nsurveillance program and the struggles over FISA renewal.\n    The previous administration gave the Department of Homeland \nSecurity a central role in cybersecurity. We concluded that this was a \nmistake. While DHS has an important role to play, it lacks the \ncompetencies to deal with the range of issues involved in cybersecurity \nor to successfully engage in conflict with foreign militaries and \nintelligence services. DHS also lacks the interagency stature to direct \nother, more powerful agencies.\n    Giving DOD the lead could be interpreted as ``militarizing'' the \ninternet and would likely also provoke a reaction from both the privacy \nand the international communities. Foreign nations track U.S. policies \nclosely and a decision to give DOD the lead in securing cyber space \nwould be interpreted as a decision by the United States to make \nmilitary action the focus of its cyber efforts. 
This would not be in \nour interest, as we will need to build a collaborative international \napproach to improve security.\n    At the end of the discussion, we concluded that only the White \nHouse had the authority to bring many large and powerful agencies to \nfollow a common agenda and to coordinate with each other. A successful \napproach to cybersecurity blends intelligence, law enforcement, \nmilitary, diplomatic, and domestic regulatory functions. Coordinating \nthese various functions can be best done from the White House. In \nrecommending a White House lead, we emphasized that a ``cyber czar'' is \nnot the right solution. The new administration went through a brief \nfascination with czars of various shapes and flavors for different \nissues; our view is that for cyber security, the overly centralized \napproach implied by a czar will fail. The White House and only the \nWhite House can set strategy and policy, ensure that agencies are \nfollowing them and resolve agency disputes.\n    Regulation is the second issue that deserves extra attention. Our \nreport concluded that the market would never deliver adequate security \nand the Government must establish regulatory thresholds for critical \ninfrastructure. We proposed a new, more flexible approach to developing \nregulation that was based on close cooperation with industry in \ndeveloping standards and an avoidance of prescriptive regulations that \nspell out in precise detail what companies must do.\n    Regulation poses a number of challenges. The United States does not \nneed regulations that are costly to implement yet deliver little in the \nway of improved security. Nor does the United States need regulations \nthat are so diluted as to be meaningless. 
Finding the required balance \nwill be difficult, but if we fail to use regulation to improve our \nnational cyber security, if we do not identify mandatory actions to \nsecure the digital infrastructure, the Obama administration will have \nno more success than any of its predecessors.\n    The stimulus package has inadvertently complicated the issue of \nregulation. The package includes significant funding for infrastructure \nprojects, such as the Smart Grid. The package envisions that spending \non infrastructure will build security into new projects. All this is \ngood, but we then come to the question of what precisely needs to be \ndone to make these new projects secure? Unfortunately, we do not know \nthe answer to this and we do not have the time or people needed to \ndevelop that answer. A failure to invest in infrastructure \nmodernization for more than a decade has made it impossible to build \nboth quickly and securely.\n    ``Smart Grid'' projects are an example of this problem. It uses \nadvanced meters to measure the flow of electricity and allow it to be \nbetter managed. These new meters are based on internet technology. \nUnfortunately, if the new ``smart'' meters are not secure, they can be \n``hacked,'' taken over by attackers, and used to disrupt the delivery \nof electricity. The United States does not have the guidelines it needs \nto make infrastructure secure.\n    I am not recommending that we delay stimulus investments while we \nsort out the requirements for cybersecurity. The most pressing task \nfacing the new administration is to mitigate the suffering that the \nrecession has brought and to take the steps needed to reduce \nunemployment and restore growth. Infrastructure investment is an \nimportant part of this. Years of underinvestment in infrastructure have \nput us in this unfortunate situation. 
However, regulation can play a \nrole in remedying this problem, by giving Government the ability to \nidentify and mandate actions that mitigate new vulnerabilities. For \nexample, a requirement that electrical companies strengthen \nauthentication of identity on their control networks would improve \nsecurity. But if we do not build the regulatory foundation now, the \nUnited States will be put at risk, and the task of laying the \nfoundation falls squarely on the 60-day review.\n    Regulation can also help reshape and strengthen public-private \npartnerships. For more than a decade, the public dialogue has revolved \naround threadbare ideas on the need to defer to the private sector as \nit owns and operates the bulk of the critical infrastructure and on \ninformation sharing as an alternative to Government mandates. In fact, \nthe result has been to make public-private partnership less attractive \nor less important. The partnership groups often serve a largely \n``representational'' function rather than one that is oriented towards \naction. Companies do not have ``skin in the game.'' Regulate them, and \nthey will come. Regulation is the key to improving public private \npartnerships, particularly if these partnerships are tasked with \ndeveloping and maintaining the standards upon which regulation must be \nbased.\n    This administration has a unique opportunity. The United States has \npursued a market-led approach to cybersecurity for more than a decade. \nThis approach is inadequate. Now is the time to identify where \nregulation is needed to improve cybersecurity. Our recommendation was \nto begin with critical infrastructure--if a service is truly critical, \nwe should not be afraid to require action to secure it.\n    I began by asking where we are today in cybersecurity and answered \nthat, from one perspective, we are in remarkably bad shape. From \nanother perspective, however, we are at a moment of tremendous \nopportunity. 
This administration can define an integrated and \ncomprehensive Federal approach to securing cyberspace, something no \nprevious administration has been able to do. The complexity of the \nproblem means that it will take much longer than 60 days to put in \nplace the policies, structures, and regulations we will need. However, \nif the 60-day review can establish a clear governance structure led \nfrom the White House, if it lays out a broad plan of action for moving \nahead, including the development of a comprehensive national security \nstrategy and the use of regulatory authorities to secure critical \ninfrastructure, and if this administration acts upon it, the review \nwill be a success.\n\n    Ms. Clarke. We thank you for your testimony.\n    I thank all of the witnesses for their testimony, and I \nwill remind each Member that he or she will have 5 minutes to \nquestion the panel.\n    I will now recognize myself for questions. This first \nquestion goes to the entire panel. You all have spent a great \ndeal of time putting together cyber recommendations for this \nadministration. I want to express my gratitude for your work. \nThe statements during the campaign and the decision to do a \ncomprehensive review suggest that this administration is \ncommitted to a real change in our approach. My question is: How \ndo we judge whether the review has been a success, and what \nspecific things should we be looking at to determine if we are \nmoving in the right direction?\n    Mr. Powner. A couple of thoughts here. Looking at whether \nthe review is a success, and echoing what Dr. Lewis mentioned, \nthere have been already a fair number of very good \nrecommendations through the CSIS report. Clearly, the experts \nwe talked to had some additional recommendations. One, that \nthat review needs to take into consideration those many \nrecommendations. 
The other thing is looking back on this \nhistorically, even back to the mid-1980's, we really need to \nlook at a new organization. DHS-led hasn't really cut it. \nRecently, an 18-sector approach where all sectors are created \nequal, I am not certain that that is the right approach either. \nMoving forward we need to look at certain things: A new \norganizational structure; greater prioritization; and clearly \nmore accountability for those organizations that are in charge.\n    Ms. Clarke. Anyone have anything else to add to that?\n    Mr. Lewis. Well, we know what a bad plan looks like because \nwe have lived through at least a couple of them. I think that \nif we were looking at this plan, we would want clear \nleadership, some comprehensive strategies that include both \ninternational and regulatory, that look at combining \nintelligence, military, law enforcement, diplomatic engagement. \nWe would want a commitment to action. At the end of the day, if \nwe see those three things--leadership, planning, action--we \nshould be better off.\n    Ms. Clarke. Let me then move on and direct this question to \nMr. Powner. I know that the CSIS Commission met with the review \nteam last week. Have you met with the review team yet?\n    Mr. Powner. No, we have not. We are in the process of \ntrying to get that scheduled.\n    Ms. Clarke. Would you please let us know how we can help \nfacilitate that meeting?\n    Mr. Powner. We will.\n    Ms. Clarke. My next question, and it is ironic because I \nunderstand that Mr. Beckstrom has joined us in the audience, \nand I would like to thank him for his service and express my \nregret for our inability to retain his talent and expertise. \nBut late on Friday, Mr. Rod Beckstrom announced that he was \nresigning as Director of the National Cybersecurity Center. I \nthink this is a loss for the community and it is unfortunate \nthat Mr. Beckstrom's skills weren't put to good use. 
In his \nresignation letter he acknowledges the critical importance of \nthe NSA, but said that their dominance in cybersecurity today \nis a bad strategy.\n    Can you all comment on what you agree or disagree with in \nthese comments and what role the NSA should play alongside DHS? \nMr. Charney.\n    Mr. Charney. Yes. So there is no question that the center \nof technical expertise in the Government, particularly on the \noperational side, is within NSA. However, I agree with the \ncomments made earlier, that at the end of the day, if you want \nthe public to trust that the networks are being secured well \nand in a transparent fashion, the mission cannot reside in NSA. \nSo I think it is really important to empower DHS to take the \nnecessary operational role and have a relationship with NSA \nthat captures and utilizes their technical expertise.\n    Ms. Clarke. Anyone else want to comment? Okay. I am going \nto move on to my next question.\n    On March 24, this subcommittee will hold a hearing entitled \n``Securing the Smart Grid from Cyber Attack''. We will be \ndiscussing a number of technological issues related to the new \nadvanced metering technologies that are being developed and \ndeployed.\n    But this question has to do with policy. What Federal \nagency is in charge of defending against the cyber attack \nlaunched by a nation-state against our electric grid and what \nagencies do you think should be in charge of defending against \nsuch an attack? Any thoughts on that issue?\n    Mr. Yoran. Ms. Chairwoman, this is an issue that we have \nbeen trying to tackle for some time, initially with a National \nCyber Incident Response Working Group, co-chaired by the \nDepartment of Homeland Security, Department of Justice and the \nDepartment of Defense. 
It is an issue that I think is one that \nought to be a key focus for Melissa Hathaway as she conducts \nher 60-day review, understanding exactly what the authorities \nare, the priorities, the technical capabilities that exist in \nvarious pockets of the Federal Government, and how they can be \nbrought to bear most effectively so that that planning can \noccur before any time of crisis.\n    Mr. Lewis. I was just going to add, for me the answer would \nbe FERC or the NRC or maybe the Department of Energy. I say \nthat because they have the relationships with the companies. \nThey know how the stuff works. They are the people who have the \nregulatory authorities. The last thing you want is somebody new \ncharging in in a crisis and saying, ``I am in charge, do what I \nsay.'' So I would say look at the folks who are doing this now.\n    One of the things that this committee has done that has \nbeen very useful is hold those regulatory agencies accountable \nand get them to move out a bit more smartly. I think that would \nbe a good direction to continue.\n    Mr. Powner. Chairwoman Clarke, if I can just add to your \nquestion on who is responsible for defending--and I want to \nmake sure we are real clear on this. If it is a response--if we \nare answering that in terms of response I agree it is muddy. It \ncould be various Federal agencies and entities in charge of \nthat response, depending on the severity of the attack. But in \ncharge of defending the grid, it is those public utility \ncompanies that own the grid.\n    Ms. Clarke. Well, thank you very much. My time is up. I now \nrecognize the Ranking Member of the subcommittee, the gentleman \nfrom California, Mr. Lungren, for questions.\n    Mr. Lungren. Thank you very much, Madam Chairwoman, and \nthank you all for being here. I appreciate the contributions \nyou all have made and there are so many questions to ask. Let \nme just try one very, very quickly.\n    Dr. 
Lewis, you were very specific about saying that the \nperson who should be in charge of the leader of the new \ncomprehensive cybersecurity ought to be in the White House.\n    Mr. Charney, if I understand what you said, I thought you \nfelt the DHS could be stood up to have that responsibility.\n    Mr. Charney. Sir, to be clear, there is a difference \nbetween developing a strategy and coordinating it through the \nFederal agencies and the individual responsibility of the \nvarious agencies.\n    Mr. Lungren. Right.\n    Mr. Charney. So if you are going to look at a national \nstrategy that has to determine some very difficult questions \nlike when is a cyber attack an act of war and what is a \nproportional response, those kinds of key decisions are to be \ndone at the White House level. But you also need an operational \ncapability, things like US-CERT, an agency to help the other \nagencies deploy best practices. So I view DHS as more \noperational of implementing the strategy, but I think strategic \nelements and the cross-government cooperation has to be at the \nWhite House.\n    Mr. Lewis. I agree completely with that. I think if you \nlook at the agencies, I agree completely FBI has a role, DOD \nhas a role, DHS has a role, the intelligence----\n    Mr. Lungren. I understand they all have roles. My question \nhas been--I think Mr. Charney responded to it and I have \narticulated it before, but I am concerned about a lack of \nurgency not only in the Congress, in the White House, in the \npublic domain with respect to the threat, No. 1; and, No. 2, \nhow we do it?\n    As we have seen DHS develop and pull itself together, I \nthink it is actually starting to get its sea legs and frankly I \nthink doing a far much better job today than it was 2, 3, 4, 5 \nyears ago. That is part of what happens when you stand up an \nagency like that.\n    But there is the question of a sense of urgency. 
The \nPresident and his particular delegate in the White House can \nset the policy, but how do you make sure people follow it? We \nall know CIOs in the various departments and agencies have a \nnatural protective mechanism about how it ought to be done. We \nunderstand that you have got DOD, you have got NSA, you have \ngot the FBI and all of them, and all of them believe they have \na certain respected expertise.\n    How do you engage that sense of urgency throughout the \nFederal establishment that has not been there? I am not trying \nto blame anybody. I am just trying to state a fact because it \nhasn't been there in the public either. How do we leapfrog to \nthat position where we have that policy established at the \nWhite House on the one hand, but then we have the \nimplementation or operational motivation and authority? Because \nif the various individuals responsible for the various agencies \nand departments think they can just kind of shrug when they get \nthe call from the person at DHS, it doesn't drive what I want \nto be driven here. Mr. Yoran.\n    Mr. Yoran. Sir, I think that is a very important issue, \nwhen they get the call from DHS, that they have to feel a sense \nof urgency in getting it fixed or, more importantly, not feel \nlike they can rely on DHS doing the monitoring, where the \nintelligence community is protecting them. Everybody has to \nfeel a sense of responsibility and ultimately be held \naccountable for the protection of the information and the \nsystems that they manage and need in order to accomplish their \ncore mission. Until the Executive branch or any branch of \nGovernment holds senior leadership accountable for flaws in the \nsecurity culture, lapses in security which are a result of lack \nof due care or negligence if you want, until there is some \naccountability there, I don't think we are going to see \nmeaningful change.\n    Mr. Lungren. Let me follow up and ask a slightly different \nway. 
That is, how do we maintain those people that have the \nquality that can do that job, and how do we attract others to \nthose kinds of jobs? In other words, you can't pay them as much \nas the private sector can pay them. It is like when people go \nin the military service or do some other type of service. They \ndo it in part because they are making a contribution, but they \nknow their contribution is going to be utilized. It is going to \nbe valuable. It is going to be effective.\n    How do we raise that level of appreciation so it is not \njust accountability, but it is also responsibility in the sense \nthat it is recognized throughout the establishment, both \nprivate sector and public sector?\n    Ms. Davidson. I believe that one of these--this is one of \nthe issues I tried to touch upon, which is if you don't \nactually have a career path, you see there are people whose job \nit is to do information technology. Information technology will \ncontinue to be the janitorial service of many organizations \nwhere we are cleaning up other people's messes. It absolutely \nis critical. One of the things that we do to try to make people \nunderstand how critical it is, is to, quite honestly in our own \ncompany, to go into various meetings and say, let me show that \na particular attack isn't theoretical; I am going to hack your \nsoftware. This is exactly how I can do this. This is exactly \nhow I can corrupt a system.\n    That creates some of the awareness. It is scary but it is \nnecessary. Either that or we wait until we get a real attack.\n    In terms of, you are talking about compensation trying--we \ndo actually elevate those security professionals to give them \nsome recognition within their jobs so they get training, they \nget recognition. It is recognized as a specialty that is held \nin esteem. As you point out, you can't always give people more \nmoney, but you can give people respect. 
I think you need both \nof those to show what is possible and to show that the, if you \nwill, the warriors who defend it do a good job at it, and that \ncreates the environment by which people who are able to \nactually do that kind of work are respected.\n    Mr. Lungren. Could I ask one real quick question, maybe for \na quick response? That is, how will we enforce the new Davidson \ndoctrine that you articulated to protect our cyberspace?\n    Mr. Lewis. Let me try. All of us have worked in the Federal \nGovernment for a long time, and if you want power, there are a \ncouple of things that give you power: Access to the President, \ncontrol of the budget, control of policy. For me, the only \nplace you are going to do that is in the White House. If I have \nthe access to the President, control of your budget, and I can \nsay what the policy is and know that the President or the Vice \nPresident or the National Security Adviser will back me up, I \nwill get agencies to do whatever I want. That is what we need.\n    So you want to know who is going to enforce the Davidson \ndoctrine? It is a good name for it, by the way. You know, we \nhave to put that at the White House.\n    Ms. Clarke. I now recognize Mr. Lujan from New Mexico for 5 \nminutes.\n    Mr. Lujan. Thank you, Madam Chairwoman. I am going to just \njump right into this, because there are many questions I think \nthat need to be asked, and I am not sure if we will run out of \ntime with doing this.\n    But specifically with what we are discussing today with \nunderstanding that DHS is the lead agency for the Nation's \ncybersecurity and the key components that exist within DHS, \nwhat are your thoughts--and I don't know if we want to start \nwith Mr. 
Powner, and then I will move down the line a bit--but \nfrom the perspective of having DHS move away from their near \nexclusive internal focus on cybersecurity issues and more \ntoward development and deployment of software and hardware \nsolutions to protect critical infrastructure projects?\n    Mr. Powner. We have done a lot of work with the DHS. DHS \nclearly is the lead cybersecurity focal point for the Nation. \nEven working with our critical infrastructure owners, if you \nlook at policy and law and how that is laid out, it is pretty \nclear that they have not lived up to those responsibilities. So \nthe question going forward is, do we want to keep working with \nthem as the operational entity that is the lead or do we just \ndesignate them an operational role and put someone else in \ncharge of primarily coordinating with the private sector, with \nthe intelligence community, and with the military \norganizations? We would think the latter.\n    Mr. Charney. I think it is really important to get the \norganizational structure right. Every Federal agency needs to \ndeploy IT systems for their business operations, and therefore, \nevery Federal agency needs a CIO and a CSO, a chief security \nofficer, who manages security at that agency. Now, when you \nhave a distributed organization--and certainly Microsoft is \none--you end up with a lot of different, essentially business \ngroups, that are running IT that will service their business \nmission, and that is fine.\n    The role that DHS should play in coordination with NIST that \nsets standards for civilian agencies, and NSA because of their \ntechnical expertise, is to decide what the minimum bar is for \nsecurity that should be required to be implemented by the \nvarious agencies. You know, in any environment there are things \nthat you have to do, things that would be good to do, and best \npractices that you might like to deploy. 
Understanding what is \nrequired versus what is recommended versus what is a best \npractice is really important.\n    But I don't think you can have, for example, DHS making \nhardware and software decisions for the various agencies \nbecause the hardware and software that is deployed has to map \nto the agency mission. But DHS could say, as a requirement of \ndeploying whatever you are going to deploy, there are certain \nsecurity things that must be done: You must have a documented \ninformation security program; you must have technical controls \nand people controls in place to manage risk; you need an \nincident response plan in place because bad things will happen.\n    I think that is the appropriate function of DHS.\n    Mr. Lujan. Mr. Yoran, before you answer that, I think that \nis a perfect segue into an issue that I want to raise.\n    Within our New Mexico DOE and New Mexico laboratories, \nthere is a real opportunity with the work that they are working \non to improve the Nation's cybersecurity posture by bringing \nthe resources to bear on this critical problem. So in speaking \nspecifically to some of the IT teams that are being discussed \nand making sure that we have a centralized point to be able to \nhave access, whether it is to the President or to others as we \nare talking about this issue, what are your thoughts in taking \nadvantage of the expertise that lies in some of our Nation's \nDOE laboratories that are working with specific issues, some \nwhich are partnered with DOD responsibilities as well?\n    Mr. Charney. It is obviously critically important to grab \nexpertise wherever it resides, and one of the things DHS should \nbe doing is discovering and then propagating best practices \nacross the Government and the private sector. So I think that \nwould be a key thing to do.\n    Mr. Lujan. Thank you. 
Madam Chairwoman, if I may shift a \nlittle bit and get your perspective.\n    As we are moving forward with the deployment of Smart Grid, \nincluding the importance of communications and the potential \nthreats that could exist from attacks, what is the importance \nof making sure that we are taking into consideration the \nelements and inventories across the country and making sure we \nhave adequate protections for our critical infrastructure like \nelectricity, renewable generation areas, and the backbone of \nreally what will essentially be our Smart Grid?\n    Ms. Davidson. I do think that there are entities who are \nlooking at that in their role with the utilities. But if I \ncould actually back up a little earlier than that, if you think \nof this as a supply chain, one of the things that actually \nneeds to change that none of us touched upon, part of the \nreason we have these difficulties--I don't think anybody sits \ndown and says I think I am going to deploy a system that is \nhopelessly insecure and will leak like a sieve. It isn't merely \nawareness. It is that a lot of the people who are building \nthese at the grassroots level do not understand that they have \nany responsibility and they don't learn to think like an \nattacker. That starts with the university system.\n    It is not just computer science and electrical engineering, \nit is people who are building these control systems. If you can \nchange one thing, if you can get the people designing and \nbuilding those things to assume, think like a hacker, assume \nyour system will be attacked, then they will design \ndifferently. They will build differently. They will deploy \ndifferently. 
By the time someone like a utility gets something, \nthey will still have to ask intelligent questions in \nprocurement, but they won't have to sit around and wonder, I \nwonder if anybody had a clue whether somebody is going to try \nto attack the power grid?\n    We have to move the supply chain for security-aware people \nall the way back into the university systems. Unfortunately, \nhaving gone to the universities--I believe Scott has as well--\nyou get a resounding nonresponse from universities when you \nask, do you teach secure coding practice in all of your \nengineering and control system disciplines?\n    Mr. Lewis. On the question, the national labs are actually \nplaces that you could look for. Both Sandia, which has done \nsome excellent work, also Idaho National labs, NERC, FERC, NIST, \nDepartment of Energy, these are all the people who could help \nus make sure that Smart Grid is secure.\n    Ms. Clarke. Mr. Lujan, we will be covering that territory \nin about 2 weeks when we do our Smart Grid hearings. So this is \na precursor to it.\n    I would like to now recognize Mr. Broun of Georgia for 5 \nminutes.\n    Mr. Broun. Thank you, Madam Chairwoman.\n    First, I want to respectfully disagree with those of you \nall that think that the White House is the place to put central \ncontrol of this problem, for the simple reason that I am \ndisappointed that we haven't been more aggressive in our last \nadministration, and I don't know what kind of aggressiveness we \nare going to have in this administration to try to solve this \nproblem.\n    As I have learned more and more about it I am extremely, \nextremely concerned about our national security, not only from \na military perspective but an economic perspective.\n    At home, I have utilized Kaspersky, I have used Norton, I \nhave used McAfee to try to make sure that my own home computer \nnetworks are secure and have a firewall that is in place. 
I \nhave just recently learned how inadequate those programs are. \nSo I think we have to have a national effort to develop some \nkind of very, very strong national security and economic \nsecurity type of plan.\n    But I think this committee and the Department of Homeland \nSecurity is the best place to do that, for the simple reason \nthat in the administration you have personalities and different \nfocuses and those sorts of things. I do agree we need to have a \ncentral focus, but I don't think the White House is that place. \nI think this committee ought to be setting policy, and not the \nWhite House frankly; and the Department of Homeland Security I \nthink is the best way to try to coordinate things within the \ninteragency efforts to make sure that we stay secure, whether \nit is DOD, Department of Energy or all the other sources as \nwell as within the private sector.\n    Having said all that, I believe in the private sector, I \nbelieve in the marketplace, and I think innovation and \ndevelopment comes probably best in the private sector and not \nfrom governmental sources. Can the Government secure our \ncyberspace without private sector involvement, and how much \nprivate sector involvement do we need in that? I just throw \nthat open to the panel.\n    Mr. Powner. Well, clearly 85 percent of the cyber-critical \ninfrastructure associated with this Nation is owned by someone \nother than the Federal Government. So the Federal Government \ncan't do it. The key is partnering with them, where those \nprivate sector owners view the Federal Government as a credible \npartner that provides a valuable service. I think that is what \nhas been determined with DHS with their US-CERT operations \nwhere we share threat information. 
The message really going \nforward is we in the Federal Government, whether it is DHS or \nwhether it is the White House, they need to do a much better \njob where they are viewed as a credible partner in helping the \nprivate sector secure it.\n    Mr. Yoran. I would just add to that a little bit. I agree \nthat centralized coordination is required. I think the \nDepartment of Homeland Security's key role can be in protecting \nthe dot.gov, the Federal civilian agencies. I don't think the \nDHS can effectively lead sort of offensive capabilities we \nwould need in cyber or counterintelligence capabilities we \nwould need in cyber, nor do I think the Department of Defense \nwould subjugate their cybersecurity efforts, which are \nnecessary for conducting warfare today, to the Department of \nHomeland Security.\n    However, I agree with you entirely that the best thing \nGovernment can do is fund some fundamental long-term research, \nbut ultimately rely on the private sector and commercial \nproducts for the development of IT technologies that have more \nsecurity and IT security technologies that have more capability \nby refining their requirements and using their procurement and \nacquisition capabilities to drive those products and features \ninto the commercial software versus trying to develop \ntechnologies in Government development efforts.\n    Mr. Broun. My time is about up but I appreciate y'all's \ncomments. I have got a hundred questions to ask you all and \ndon't have the time to do that. I appreciate y'all's efforts.\n    I see this as a critical national security interest. In \nfact, just in the commercial sector, if we have an attack, \nwhich we are having every day on commercial entities, if we \nhave an attack on our commercial entities, it can totally wreck \nthis Nation. 
So I think we have got to find a solution, and I \nlook forward to your answers that--I am going to give you all \nsome questions in written form and I appreciate y'all's \ncandid answers to that.\n    I think we need to act and act now. Government doesn't do \nthat very well. It is very slow in acting, and that is the \nreason why I want to try to get the private sector involved as \nmuch as we possibly can, because I think the private sector can \nbe more innovative and can act quicker and can find real \nsolutions to this. We need to have some coordinated efforts, \nand I think the Department of Homeland Security is the best way \nto do that.\n    Thank you, Madam Chairwoman.\n    Ms. Clarke. The Chairwoman recognizes for 5 minutes the \ngentleman from Ohio, Mr. Austria.\n    Mr. Austria. Thank you, Madam Chairwoman. To our committee, \nthank you for your testimony today. I appreciate it very much.\n    I want to follow up on some of the questions that were \nasked earlier and more on the role of homeland security in your \nopinion. When you look at the jurisdiction, the electricity, \nthe grid was brought up earlier, and you testified that you \nknow it has fallen on the Department of Energy. Sometimes we \nsee things intertwined between the different departments, \nwhether it be DOD, Department of Justice. What do you see as \nHomeland Security's role or jurisdiction as a department? I \nwould open that up to the entire panel.\n    Mr. Yoran. I think that Homeland Security's greatest impact \ncan be summed up in three key areas. The first is in US-CERT \nseries of programs and operations to help protect the dot.gov, \nthe Federal civilian systems and agencies.\n    The second is in cross-critical infrastructure issues. 
\nClearly, the Department of Energy and other regulatory bodies \ndefine security standards, measure their effectiveness, and \nhave many levers for forcing change in the private sector.\n    I think the third is sort of working on issues where the \nfailure of one critical infrastructure or the security levels \nin one critical infrastructure don't address the requirements \nof another industry, of another sector of our economy.\n    The third area is in interaction with the private sector \nthrough a series of well-defined public/private partnerships \nwith specific objectives and also with value-add and incentives \nin the private sector for their voluntary participation.\n    Mr. Charney. I suggest the way to think about this is \nseparating out the horizontal from the vertical. There are a \nlot of things in IT that are horizontal on which all the \nverticals depend. So robust authentication, knowing who is \nconnecting to your network, you need to know whether you are \ntelecom, energy, or something else.\n    There are other things that are unique to vertical sectors. \nThe energy SCADA systems may be different than phone SCADA \nsystems. As a result of that, I think when you think of DHS' \nrole, I view it as kind of the horizontal base security, and \nthen the sectors and their regulatory agencies have to focus on \nthe vertical uniqueness.\n    Mr. Austria. Thank you for that. That is why I do agree \nwith you. I think we need to have clear leadership and a \ncomprehensive strategy and a commitment to take action in those \nareas so that is much better defined.\n    Let me jump over to the public/private partnership because \nI do agree with you on that. 
I have always believed that the \nprivate sector, which designs and deploys and maintains much of \nour Nation's critical infrastructure, is far ahead of Government \nin their ability to detect, to attribute, and to defend against \na cyber attack.\n    Correct me if you think I am wrong, but isn't that, again, \na reason just to follow up on some of the other questions with \nthe public/private sector, that we really should be pursuing \nthis to really achieve national security when it comes to \ncyberspace?\n    Mr. Charney. Sir, the answer is yes. We all here I think \nare big fans of private sector innovation, but I will say I \nwrote years ago that you couldn't make a market case for the \nCold War. I mean, there are certain things in national security \nwhere the markets are not designed to address the problem, \nbecause when we build products for market we know that we have \na large customer base that is global and very price-sensitive. \nSome of the things that the national security community requires \nare very specific and expensive.\n    So it has long been my view that you need a symbiotic \nrelationship where--and I described this in my testimony--where \nyou figure out what the market will provide, what national \nsecurity needs are, and how Government can help bridge that \ngap. I don't think you can rely on markets alone to bridge the \ngap because markets aren't designed to do that any more than \nthey are designed to protect national security and provide law \nenforcement mechanisms. These are things that we tax people for \nand make them pay for from the Government.\n    Ms. Davidson. I do agree with Scott largely, but I also \nthink that the Government can be a smarter buyer. Even \nsomething as simple as some transparency in procurement around \nwhat vendors do and do not do in terms of security, I don't \nthink in many cases the questions have ever been asked. It is \ncertainly asked at the Defense Department level or the \nintelligence. 
They want to know how you engineered your \nsoftware. But the average garden-variety agency does not ask \nthat. Why would that change things?\n    This is something I think, unfortunately, women can \nunderstand better than men, but I call it the bathing suit \ntest. If you have to go out in public in June in a bathing \nsuit, along about March you are going to put it on and you are \ngoing to say I can't believe I look like this; I better get in \nshape before I have to go out in public.\n    If people had to disclose, so to speak, their development \nprocesses related to security, you would want to look a lot \nbetter by the time you are actually filling in the form. That \nper se is not going to cure all our ills, but it will improve \nwhat people are buying or at least they will know what they are \ngetting and not getting, and they can make smarter decisions as \npurchasers.\n    That will not, as Scott I think would agree with, mean that \nwe are going to--commercial software, unless it has been \nnecessarily engineered to the highest level of software \nassurance that, for example, the intelligence community could \nwant. But even raising the baseline would be a very good start. \nIt would save people a lot of money they are spending now, \ntrying to patch their security and make it harder for bad guys \nto do what they do. Make them work harder.\n    Mr. Austria. I understand that my time is up. Thank you. I \ndo agree with my colleagues that, you know, cyberspace security \nis critical to our national security. I have other questions \nthat I will be glad to submit to our panel. But thank you, \nthank you for your time.\n    Ms. Clarke. Thank you. The Chairwoman now recognizes the \nChairman of the full committee, the gentleman from Mississippi, \nMr. Thompson.\n    Mr. Thompson. Thank you very much, Madam Chairwoman. I was \nlistening to the testimony in the rear but I was multitasking, \ntoo.\n    This is basically to each panel member. 
With the \ninformation that you have available to you, do you think the \nUnited States is prepared for a major cyber incident?\n    Mr. Powner. No, we are clearly not as prepared as we should \nbe. I will go back, several years' work that we did for this \nsubcommittee, I think several Congresses ago, looking at \ninternet recovery. You can look at what happened with 9/11, \nKatrina, on how we recovered major portions of the internet. \nThere were major lessons learned in that.\n    The question going forward, do we have--one of the \nrequirements in our current national strategy is a joint \npublic/private internet recovery plan if we have a major, major \nattack. We still don't have that plan. You need a plan. You \nneed to exercise that plan. So I think today we are not \nprepared.\n    Mr. Lewis. You can look at the experience of 9/11, and I \nhate to bring it up because it is painful, but one of our co-\nchairs who couldn't be here today, Harry Raduege was the \nDirector of the Defense Communications Network. On that day, he \ngot phone calls from all the major service providers, all the \nbig telecom companies, all the big IT companies saying, how can \nwe help, what can we do to restore service? I know that Dick \nClarke, who was also at the White House then, got similar \ncalls.\n    So you had two people, people who knew who to call, they \nhad the existing relationships, and they knew how to do things. \nThey knew how to move trucks from Ohio or from Virginia to New \nYork or to Washington to rebuild services. We don't have that \ntoday in cyberspace, and that is one of the things we \ndesperately need.\n    Ms. Davidson. I would like to tell a story in response, a \nshort one. That is, in the 1920's, there was a Marine Corps \ncolonel who realized the next war would be with Japan, and it \nis because of him that the Marine Corps developed amphibious \nwarfare capability. He saw this in the 1920's, which was long \nbefore December 7, 1941. 
So we don't have that much time.\n    There are people who are sounding the warning. There are \npeople who are trying to do things differently. We are not \ngoing to have 21 years to get it right. So we do need to act \nnow. No, we are not prepared.\n    Mr. Thompson. Mr. Yoran.\n    Mr. Yoran. Sir, I would say that the nefariousness of cyber \nis the fact that we are experiencing the 9/11 in cyber. It just \ndoesn't have the tremendous visibility.\n    For over 10 years now, for over a decade now, we have had \nsignificant incidents going on with foreign adversaries, and \nour national response has basically been to look the other way \nor occasionally have an article in the news media about it. So \nbecause there is no catastrophic visible outcome, we sort of \nlie in bed at night and are able to sleep, not realizing \nexactly how much damage is occurring. So we are not prepared.\n    Mr. Charney. I would never go against my esteemed \ncolleagues on this point. I would point out, however, that it \nis important to focus on the nature of the attack so you can \nfigure out your strategy for defending. There are attacks \nagainst confidentiality, we have heard a lot about that, where \ndata is taken. There are attacks against integrity where people \nalter critical systems or data that you rely upon. There are \nattacks against availability, and then the systems go down. In \nthe availability attacks, I mean one goal is always to keep \nfive nines of availability, keep the networks up. But the \nother part of any strategy has to be about how fast you can \nreconstitute the capabilities if the capabilities fail.\n    So this is one of the reasons it is so important to have a \ncomprehensive strategy, because when you think about how you \nare going to reconstitute across multiple networks and maybe \nacross multiple time zones, it is actually quite challenging. 
\nYou have to figure out what your strategy is for \nreconstitution, who is in charge, roles and responsibilities, \nwhat is the interface to the private sector that owns 85 \npercent of this infrastructure. The availability problem is in \nsome ways different than the confidentiality and the integrity \nproblem. It is important to focus on all of them.\n    Mr. Thompson. Well, I would like to say, Madam Chairwoman, \nthat what we have just heard is very troubling, I think to me \nand the rest of the committee, that we have some work to do. I \nthink perhaps at our next hearing we need to bring some of the \npeople who have the primary responsibility for the plan, or \nwhatever we are operating under, and see if we can get some \nidea as to what they are doing to keep us safe. But I am real \nconcerned about it. I would say that both the subcommittee and \nI as Chairman on the full committee will give this our \nundivided attention, and I would look to people like yourselves \nto help provide the leadership, getting us where we need to be. \nI yield back.\n    Ms. Clarke. Thank you. Member Lungren.\n    Mr. Lungren. Madam Chairwoman, I just wanted to tell you \nthis is an outstanding panel that I thank you for putting \ntogether. I thank all of you for being here. We could go on \nwith this for hours. Some of us will probably submit some \nwritten questions. I know we have already begged your \nindulgence for the time you have given us, but hopefully if you \ncould respond to those in a timely fashion, we could maybe talk \nto you later, too, as well. Thank you.\n    Ms. Clarke. I thank the witnesses for their valuable \ntestimony and the Members for their questions. 
The Members of \nthe subcommittee may have additional questions for the \nwitnesses, and we will ask you to respond expeditiously in \nwriting to those questions.\n    Hearing no further business, the subcommittee stands \nadjourned.\n    [Whereupon, at 4:04 p.m., the subcommittee was adjourned.]\n\n</pre></body></html>\n"