[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



 
                         REVIEWING THE FEDERAL 
                         CYBERSECURITY MISSION

=======================================================================



                                HEARING

                               before the

                        SUBCOMMITTEE ON EMERGING
                        THREATS, CYBERSECURITY,
                       AND SCIENCE AND TECHNOLOGY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 10, 2009

                               __________

                            Serial No. 111-5

                               __________

       Printed for the use of the Committee on Homeland Security
                                     



                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________



                  U.S. GOVERNMENT PRINTING OFFICE
51-633                    WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California          Peter T. King, New York
Jane Harman, California              Lamar Smith, Texas
Peter A. DeFazio, Oregon             Mark E. Souder, Indiana
Eleanor Holmes Norton, District of   Daniel E. Lungren, California
    Columbia                         Mike Rogers, Alabama
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Henry Cuellar, Texas                 Gus M. Bilirakis, Florida
Christopher P. Carney, Pennsylvania  Paul C. Broun, Georgia
Yvette D. Clarke, New York           Candice S. Miller, Michigan
Laura Richardson, California         Pete Olson, Texas
Ann Kirkpatrick, Arizona             Anh ``Joseph'' Cao, Louisiana
Ben Ray Lujan, New Mexico            Steve Austria, Ohio
Bill Pascrell, Jr., New Jersey
Emanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
Vacancy
                    I. Lanier Avant, Staff Director
                     Rosaline Cohen, Chief Counsel
                     Michael Twinchek, Chief Clerk
                Robert O'Connor, Minority Staff Director
                                 ------                                

   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND 
                               TECHNOLOGY

                 Yvette D. Clarke, New York, Chairwoman
Loretta Sanchez, California          Daniel E. Lungren, California
Laura Richardson, California         Paul C. Broun, Georgia
Ben Ray Lujan, New Mexico            Steve Austria, Ohio
Mary Jo Kilroy, Ohio                 Peter T. King, New York (Ex 
Bennie G. Thompson, Mississippi (Ex      Officio)
    Officio)
                      Jacob Olcott, Staff Director
       Dr. Chris Beck, Senior Advisor for Science and Technology
                        Daniel M. Wilkins, Clerk
               Coley O'Brien, Minority Subcommittee Lead


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Chairwoman, Subcommittee on Emerging 
  Threats, Cybersecurity, and Science and Technology.............     1
The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Ranking Member, Subcommittee 
  on Emerging Threats, Cybersecurity, and Science and Technology.     3
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security..............................................     5

                               Witnesses

Mr. David Powner, Director, Information Technology Management 
  Issues, Government Accountability Office:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
Mr. Scott Charney, Vice President, Trustworthy Computing, 
  Microsoft:
  Oral Statement.................................................    15
  Prepared Statement.............................................    17
Mr. Amit Yoran, Chairman and Chief Executive Officer, NetWitness 
  Corporation:
  Oral Statement.................................................    24
  Prepared Statement.............................................    26
Ms. Mary Ann Davidson, Chief Security Officer, Oracle 
  Corporation:
  Oral Statement.................................................    31
  Prepared Statement.............................................    33
Mr. James A. Lewis, Project Director, Center for Strategic and 
  International Studies:
  Oral Statement.................................................    35
  Prepared Statement.............................................    37


                         REVIEWING THE FEDERAL 
                         CYBERSECURITY MISSION

                              ----------                              


                        Tuesday, March 10, 2009

             U.S. House of Representatives,
                    Committee on Homeland Security,
      Subcommittee on Emerging Threats, Cybersecurity, and 
                                    Science and Technology,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:53 p.m., in 
Room 311, Cannon House Office Building, Hon. Yvette D. Clarke 
[Chairwoman of the subcommittee], presiding.
    Present: Representatives Clarke, Richardson, Lujan, Kilroy, 
Thompson [ex officio], Lungren, Broun, and Austria.
    Ms. Clarke. The subcommittee will come to order. The 
subcommittee is meeting today to receive testimony on reviewing 
the Federal Cybersecurity Mission. I will begin by recognizing 
myself for an opening statement.
    Good afternoon, and thank you to all the witnesses for 
appearing before us today. I am pleased to chair today's 
hearing, my first as Chair of the Emerging Threats, 
Cybersecurity and Science and Technology Subcommittee. While there 
may be a number of new faces here on the dais, I can assure 
everyone that this subcommittee will continue to address many 
of the same issues from the 110th Congress. Over the next 2 
years, we will continue our oversight over nuclear detection 
programs, radiological threats, public health threats, 
cybersecurity and the Science and Technology Directorate. I 
also look forward to working in the same bipartisan spirit that 
the previous Chairman and Ranking Member carried on their work.
    Mr. Lungren, I know that you take this responsibility as 
seriously as I do, and I look forward to partnering with you 
over the next 2 years to ensure the safety and security of the 
American people, American businesses, American infrastructure 
and the American way of life.
    Today's hearing will be the first of three cybersecurity 
hearings that the subcommittee will hold this month. It is easy 
to understand why this issue dominates our agenda. We rely on 
information technology in every aspect of our lives, from our 
electric grid, banking systems, military and Government 
functions, to our e-mail, Web browsers, and iTunes.
    Interconnected computers and networks have led to amazing 
developments in our society. Increased productivity, knowledge, 
services, and revenues are all benefits generated by our modern 
networked world. But in our rush to network everything, few 
stopped to consider the security ramifications of this new 
world we were creating. So we find ourselves in an extremely 
dangerous situation today. Too many vulnerabilities exist on 
too many critical networks which are exposed to too many 
skilled attackers who can inflict too many damages to our 
systems. Unfortunately, to this day, too few people are even 
aware of these dangers and fewer still are doing anything 
about it. This committee will continue to sound the alarm 
bells, raise awareness of the problems we face, and hold those 
in charge accountable for their inaction.
    This hearing comes at a critical moment in our Nation's 
approach to the cyber threat. There is no more significant 
threat to our national and economic security than that which we 
face in cyberspace. We, the United States, must do everything 
equally significant to meet this challenge.
    We are approximately halfway through the National Security 
Council's 60-day interagency review of the Federal 
Cybersecurity Mission which began on February 16. The review is 
being conducted by Melissa Hathaway, senior director of the 
NSC, on orders from President Obama and the National Security 
Adviser. The goal for the review is to develop a strategic 
framework to ensure the U.S. Government's cybersecurity 
initiatives are appropriately integrated, resourced, and 
coordinated with Congress and the private sector. I commend the 
President for his vision in making cybersecurity a priority for 
his administration and for requesting this review.
    Given this committee's leadership role in cybersecurity 
policy development, we look forward to working with Ms. 
Hathaway and her team. Thankfully, their review does not have 
to start from scratch. I encourage the review team to rely upon 
the extensive hearing record of this committee in the 110th 
Congress, and from the work that our witnesses have already 
undertaken in that area.
    The CSIS Commission report and the many GAO reports which 
Mr. Powner's team have produced over the years contain dozens 
of outstanding recommendations that, if actually implemented, 
will improve our national security posture. That message bears 
repeating. The previous 2 decades have seen countless reports 
from America's thought leaders in cybersecurity, containing 
hundreds of recommendations about how to improve America's 
posture in cyberspace. What has been lacking is the courage and 
leadership to actually implement these recommendations.
    Now is the time to act. To ensure our national and economic 
security, now is the time we must act. The U.S. Government must 
chart a new course to secure cyberspace. Maintaining the status 
quo will not be enough to keep America secure. Now is the time 
for the Government to stop planning and start acting.
    There are three key issues that I believe this review must 
address.
    The 60-day review. First, this review must call for a 
national strategy for cyberspace. The previous administration 
drafted a high-level national security strategy in 2002 that 
presented problems and possible solutions to some of the same 
cybersecurity issues that we face today. Unfortunately, that 
strategy stopped short of mandating security changes. Without 
teeth, the strategy was never implemented. We need a strategy 
that uses all of the tools of the U.S. power in a coordinated 
fashion, but more importantly, we need to hold our agencies 
accountable for implementing that strategy.
    That leads me to my second requirement, leadership. A lack 
of high-level leadership on cybersecurity has cost our country 
dearly over the last several years. The review must clearly 
delineate roles and responsibilities of each agency involved in 
the governance of cybersecurity at the Federal level, including 
DSA, NSA, and DOD; but most importantly, it must describe how 
the White House will coordinate policy and budgets for each of 
these different responsibilities. The CSIS Commission 
recommended, and I fully support, an assistant to the President 
of Cyberspace Security in the Executive Office of the 
President, along with support staff to coordinate this effort.
    Third, the review must address the many policy and legal 
shortfalls that exist in protecting our critical infrastructure 
from cyber attack. Unfortunately, critical infrastructure 
systems remain the area of greatest vulnerability. While the 
previous administration relied on a voluntary protection system 
throughout many of the 18 credible infrastructure sectors, I 
believe this administration should seek to use a combination of 
regulations and incentives to ensure that our electricity grid, 
including the Smart Grid, water facilities, financial systems, 
and other key infrastructures are properly secured. The 
framework of this approach should be addressed in the review.
    To the witnesses appearing before us today, I thank you for 
being here. I welcome your thoughts on the issues I have just 
discussed, as well as your opinions on what an effective 
national cybersecurity review should look like.
    I intend for this subcommittee, as well as the full 
committee, to continue to play a role in shaping our national 
security posture.
    I would like to just take a moment to acknowledge that we 
have been joined by the Chairman of this committee, the full 
committee, Chairman Bennie Thompson. I think this amplifies the 
importance of today's hearing.
    The Chair now recognizes the Ranking Member of the 
subcommittee, the gentleman from California, Mr. Lungren, for 
an opening statement.
    Mr. Lungren. Thank you very much, Chairwoman Clarke. Thank 
you for the bipartisan manner in which you have approached the 
organization of this subcommittee and the informal meetings 
that we have had. I am looking forward to working with you and 
with our colleagues who are here present and the others who are 
Members of this subcommittee, particularly our Chairman, Mr. 
Thompson, and our Ranking Member of the full committee, Mr. 
King.
    We need in this Congress to address the many threats and 
challenges that face us and that are under the jurisdiction of 
this subcommittee. Cybersecurity is certainly one of, if not 
the most paramount challenge that we have, and I support your 
decision to highlight the cyber threat with this, our first 
official hearing.
    When I chaired the subcommittee in the 109th Congress that 
had cyber, the issue of cybersecurity within its jurisdiction, 
I realized that our first challenge was educating our 
colleagues and the public on the seriousness of the growing 
cyber threat. After our classified cyber threat briefing last 
week, it is clear that much, much more needs to be done.
    In the words of today's witness, David Powner of GAO, our 
Nation is under cyber attack and our present strategy and its 
implementation have not been fully effective in mitigating the 
threat. Now, I don't believe that this is because people wanted 
this to be the case or that there was any conscious effort on 
the part of Members of Congress or previous administrations or 
people in the private sector. I just think it is a point of 
fact that what you can't see, can't feel, can't hear, can't 
touch, sometimes is not what you pay attention to. 
Cybersecurity, the cyber world which is so important to us, is 
embedded in so much of what we do but we don't see it.
    I use the old analogy of the refrigerator. I open the 
refrigerator, and all I want is cold milk. I really don't care 
how it works. We have that attitude toward the cyber world that 
is embedded in everything that we do. But we can't have that 
attitude. I believe it is particularly true regarding our 
information infrastructure, which includes our 
telecommunications and computer networks and systems and the 
data they contain. Information technology and computer networks 
increase information sharing and collaboration, which does a 
tremendous thing: It raises our productivity, lowers our costs 
and improves performance. Would that the rest of our economy 
could do as well.
    However, the rapid growth of the internet and our 
interconnected computer systems and its networks have, as you 
so rightly said, made us increasingly vulnerable to things such 
as cyber crime, cyber espionage, and cyber terrorism. I fully 
agree with the central finding of the CSIS Commission's report 
that cybersecurity is one of the most important security 
challenges this Nation faces. U.S. cyberspace should be 
declared a vital national asset, perhaps even a critical 
national asset. This would help the Federal Government marshal 
its resources and implement a Comprehensive National 
Cybersecurity Strategy.
    I have felt for some time that we are playing catch-up in 
detecting and defending against the increasing number and 
sophistication of today's cyber threats, whether they are of 
the mischievous nature, of the organized crime nature, of the 
nation-state nature. I agree we need a national cybersecurity 
strategy, understanding that cyberspace can't be secured by 
Government alone, and that is a very important point that we 
have to stress. However, the Government does need to reorganize 
and focus its national cyber efforts if we hope to defeat the 
new cyber threats.
    I would also suggest we need a true public/private 
cybersecurity partnership based on trust and cooperation to 
protect against this new cyber threat. The private sector, 
let's make it clear, designs, deploys and maintains much of the 
Nation's critical infrastructure. Therefore, we must honor 
their experience, their expertise and their ingenuity--that is, 
that which is found in the private sector--into a trusted 
partnership with Government, a partnership where both sides 
benefit and therefore are eager to cooperate and share 
information. It just seems to me that in many cases we should 
be setting certain standards or goals but not setting the means 
to get there because the cyber world moves so fast, we really 
can't catch up with this. Government, by its very nature, moves 
more slowly. I don't want anything that we do to depress the 
creativity of the private sector. Therein lies our greatest 
opportunity to protect ourselves.
    I believe the CSIS report's recommendation to create three 
new public/private groups designed to foster better trust and 
cooperation on cyber issues is the right approach. They would 
be a new Presidential advisory committee that connects the 
White House to the important private-sector cyberspace 
entities; a national town hall organization that provides 
dialog for education and discussion; and a new cyber 
operational organization.
    The Bush administration recognized the growing threat on 
our national security from cyberspace, proposed a Comprehensive 
National Cybersecurity Initiative in 2008. The CSIS Commission 
came to a similar conclusion in their December report, 
``Securing Cyberspace for the 44th President,'' stating only a 
Comprehensive National Security Strategy that embraces both 
domestic and international aspects of cybersecurity will make 
us more secure. Well said.
    Everyone seems to agree that we need to do more, so I am 
anxious to hear the testimony of our expert witnesses today to 
help us on that journey so that we may do that which needs to 
be done to meet this 21st century threat.
    Once again I thank you, Madam Chairwoman, for the time.
    Ms. Clarke. The Chairwoman now recognizes the Chairman of 
the full Committee on Homeland Security, the gentleman from 
Mississippi, Mr. Thompson, for an opening statement.
    Mr. Thompson. Thank you very much, Madam Chairwoman.
    Good afternoon. I believe this is the ninth oversight 
hearing the Homeland Security Committee has held on Federal 
cybersecurity issues since the beginning of the 110th Congress, 
and I thank you, Madam Chairwoman, for continuing our oversight 
efforts. This is a particularly timely hearing, given the 
recent resignation of Mr. Beckstrom as director of the National 
Cybersecurity Center.
    Some of our biggest challenges in the Federal 
cybersecurity, reported by dozens of independent observers, 
including GAO and CSIS, have come as a result of ineffective 
leadership, unclear organizational structure and poorly defined 
roles and responsibilities from agencies and private sector. 
This is why I, along with many of my colleagues, were very 
optimistic when Mr. Beckstrom was brought on to lead the 
National Cybersecurity Center. He has expertise in 
organizational structure. He has worked extensively in the 
private sector. But Mr. Beckstrom did not have experience in 
working miracles, and that is the unfortunate position that the 
previous administration put him in. Without clear authority or 
budget, he was placed in a no-win situation.
    In his resignation letter, Mr. Beckstrom candidly described 
the control that is wielded by NSA over the cybersecurity 
mission today. This parallels the thoughts of some of our 
witnesses here today.
    I don't disagree with the public statements made recently 
by the DNI, who said that the NSA houses most of the cyber 
talent in the Federal Government. But I don't think the answer 
to our problems in cyberspace comes from giving control of the 
entire Federal Cybersecurity Mission to NSA. I want to clearly 
state that this committee believes that there should be a 
creditable civilian government cybersecurity capability that 
interfaces with, but is not controlled by the NSA. According to 
GAO, DHS has not proven itself up to the challenge yet. From 
our work with DHS through the years, I don't disagree, but 
there are pockets within DHS showing signs of improvement. 
US-CERT and the controlled security system program are two of 
these programs that I believe are demonstrating progress.
    I hope the administration can strike the balance between 
civilian and military cybersecurity capabilities. We here in 
Congress are looking toward this administration for leadership 
on this critical issue. I share the Chair's optimism about the 
President's commitment to cybersecurity, and I hope that, at 
the end of the 60-day review, we here in Congress will have a 
clear understanding of the President's vision for 
cybersecurity.
    I yield back the balance of my time, Madam Chairwoman.
    Ms. Clarke. Other Members of the subcommittee are reminded 
that under the committee rules, opening statements may be 
submitted for the record.
    I welcome our distinguished panel of witnesses. Our first 
witness is Dave Powner, director for information technology 
management issues at the Government Accountability Office. Mr. 
Powner and his team have produced a number of outstanding 
reports for this subcommittee throughout the last several 
years, and we are pleased to welcome him back.
    Our second witness is Scott Charney, corporate vice 
president of Microsoft's trustworthy computing group. Prior to 
Microsoft, Mr. Charney was a principal for 
PricewaterhouseCoopers, where he led the firm's cyber crime 
prevention and response practice. Mr. Charney also served as 
chief of the computer crime and intellectual property section 
in the criminal division of the U.S. Department of Justice. Mr. 
Charney was also co-chair of the CSIS Commission on 
Cybersecurity. Welcome.
    Our third witness is Mr. Amit Yoran, chairman and chief 
executive officer of NetWitness Corporation, a leading provider 
of network security products. Prior to NetWitness, he was 
director of the national cybersecurity division at the 
Department of Homeland Security. He was also chief executive 
officer and advisor to In-Q-Tel, the venture capital arm of the 
CIA. Mr. Yoran is a member of the CSIS Cybersecurity 
Commission.
    Our fourth witness is Mary Ann Davidson, the chief 
secretary--excuse me--the Chief Security Officer at Oracle 
Corporation, where she is responsible for Oracle product 
security, as well as security evaluations and assessments. Ms. 
Davidson represents Oracle on the Information Technology ISAC. 
She has served on the Defense Science Board and is a member of 
the CSIS Cybersecurity Commission. Welcome, Ms. Davidson. 
Nothing against the secretary, but you are chief security 
officer.
    Our fifth witness is Jim Lewis, the director of the Center 
for Strategic and International Studies and Technology and 
Public Policy Program. He is also program manager for the CSIS 
Commission on Cybersecurity for the 44th Presidency. Mr. Lewis 
has also been a regular witness before this subcommittee, so 
welcome to you also.
    Without objection, the witnesses' full statements will be 
inserted into the record.
    I now ask each witness to summarize his or her statement 
for 5 minutes, beginning with Mr. Powner.

  STATEMENT OF DAVID POWNER, DIRECTOR, INFORMATION TECHNOLOGY 
      MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Powner. Madam Chairwoman, Chairman Thompson, Ranking 
Member Lungren, Members of the subcommittee, thank you for 
inviting us to testify on cybersecurity recommendations for the 
new administration. Over the past several years, our work for 
the subcommittee has highlighted many areas requiring better 
leadership and management of our Nation's cyber-critical 
infrastructure, including improving cybersecurity of control 
systems, strengthening our ability to respond to internet 
disruptions, bolstering cyber analysis, and warning 
capabilities and addressing cyber crime.
    This afternoon I will provide a progress report of our 
ongoing work for you, Madam Chairwoman, looking at improvements 
to our Nation's cybersecurity strategy. Specifically, we held 
panel discussions with nationally recognized experts and these 
discussions, coupled with GAO's extensive work in this area, 
have resulted in 12 specific recommendations for the new 
administration to improve the approach to protecting both 
Government systems and our Nation's cyber-critical 
infrastructures. I will now briefly discuss each of the 12.
    No. 1, develop a national strategy that clearly articulates 
strategic objectives and priorities and provides a means for 
enforcing action and accountability. The current strategy does 
not do this, nor does it contain requirements to hold 
responsible organizations accountable.
    No. 2, establish a White House office responsible and 
accountable for leading and overseeing the National 
Cybersecurity Policy. Currently, DHS is our national security 
focal point, and they have not delivered on this 
responsibility.
    No. 3, establish a governance structure for strategy 
implementation. Create a governing body, similar to a board of 
directors, responsible for reporting and measuring on the 
strategic priorities. This body should be led by senior 
executives from key Federal agencies, as well as key sectors. 
It should be noted that our experts stress that not all Federal 
agencies and sectors are key cyber players.
    No. 4, acknowledge we are in a cyber war with criminal and 
adversarial nations. Publicize the severity of prior attacks 
and raise awareness that we are constantly under attack.
    No. 5, create or designate an accountable operational 
cybersecurity organization. White House-led is not the silver 
bullet, and DHS has a troubled reputation to overcome. Despite 
tremendous capability, there are concerns about this being an 
intelligence organization, because a secretive culture runs 
counter to the need to partner with the private sector. Our 
experts suggested a cyber defense organization. Clearly, there 
was no consensus on where this organization should reside, and 
this will be a tough policy question whether the best approach 
is to create another organization and how.
    No. 6, focus less on creating plans and more on 
prioritizing, assessing and securing cyber assets. We have 
created many plans that largely go unused. We need to create a 
prioritized list of our Nation's cyber assets and work toward 
securing them.
    No. 7, bolster public/private partnerships by providing 
more incentives for private sector participation.
    No. 8, focus greater attention on the global aspects of 
cyberspace. We should work toward an international global cyber 
strategy and use international agreements to focus 
cybersecurity issues and thwart cyber crime, like the Council 
of Europe's cyber crime convention.
    No. 9, modernize our legal framework to better address 
cyber criminals. Domestic and international law is outdated and 
it needs to be revised to make it easier to catch and prosecute 
criminals.
    No. 10, better coordinate Government and private sector 
cyber R&D. Cyber R&D is underfunded and not coordinated.
    No. 11, increase the number of skilled cyber professionals, 
including criminal investigators. Experts suggested that the 
cybersecurity discipline should be a profession that is 
licensed.
    No. 12, make the Federal Government a model for 
cybersecurity. The CNCI initiative is a good first step, but 
the Federal Government has much room for improvement.
    In summary, Madam Chairwoman, many large cybersecurity 
policy questions loom for the Obama administration and the 
Congress. GAO, CSIS and our expert panel recommendations need 
to be strongly considered as the game plan is defined over the 
next several months to provide a more secure cyber America.
    This concludes my statement, and I look forward to your 
questions.
    [The statement of Mr. Powner follows:]
                   Prepared Statement of David Powner
                             March 10, 2009
                              GAO Highlights
    Highlights of GAO-09-432T, a testimony to the Subcommittee on 
Emerging Threats, Cybersecurity, and Science and Technology, Committee 
on Homeland Security, House of Representatives.
Why GAO Did This Study
    Pervasive and sustained computer-based (cyber) attacks against 
Federal and private-sector infrastructures pose a potentially 
devastating impact to systems and operations and the critical 
infrastructures that they support. To address these threats, President 
Bush issued a 2003 national strategy and related policy directives 
aimed at improving cybersecurity Nation-wide. Congress and the 
Executive branch, including the new administration, have subsequently 
taken actions to examine the adequacy of the strategy and identify 
areas for improvement. Nevertheless, GAO has identified this area as 
high-risk and has reported on needed improvements in implementing the 
national cybersecurity strategy.
    In this testimony, you asked GAO to summarize: (1) Key reports and 
recommendations on the national cybersecurity strategy, and (2) the 
views of experts on how to strengthen the strategy. In doing so, GAO 
relied on its previous reports related to the strategy and conducted 
panel discussions with key cybersecurity experts to solicit their views 
on areas for improvement.
What GAO Recommends
    GAO has previously made about 30 recommendations, mostly directed 
at DHS, to improve our Nation's cybersecurity strategy efforts. DHS in 
large part has concurred with GAO's recommendations and, in many cases, 
has actions planned and under way to implement them.
   National Cybersecurity Strategy.--Key Improvements Are Needed To 
                    Strengthen the Nation's Posture
What GAO Found
    Over the last several years, GAO has consistently reported that the 
Department of Homeland Security (DHS) has yet to fully satisfy its 
responsibilities designated by the national cybersecurity strategy. To 
address these shortfalls, GAO has made about 30 recommendations in key 
cybersecurity areas including the 5 listed in the table below. While 
DHS has since developed and implemented certain capabilities to satisfy 
aspects of its cybersecurity responsibilities, it still has not fully 
satisfied the recommendations, and thus further action needs to be 
taken to fully address these areas.

 TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO AS NEEDING FURTHER
                                 ACTION
------------------------------------------------------------------------
                 Item No.                  Area needing further action
------------------------------------------------------------------------
1........................................  Bolstering cyber analysis and
                                            warning capabilities.
2........................................  Completing actions identified
                                            during cyber exercises.
3........................................  Improving cybersecurity of
                                            infrastructure control
                                            systems.
4........................................  Strengthening DHS's ability
                                            to help recover from
                                            internet disruptions.
5........................................  Addressing cybercrime.
------------------------------------------------------------------------
Source: GAO analysis of prior GAO reports.

    In discussing the areas addressed by GAO's recommendations as well 
as other critical aspects of the strategy, GAO's panel of cybersecurity 
experts identified 12 key areas requiring improvement (see table 
below). GAO found these to be largely consistent with its reports and 
its extensive research and experience in the area.

 TABLE 2.--KEY STRATEGY IMPROVEMENTS IDENTIFIED BY CYBERSECURITY EXPERTS
------------------------------------------------------------------------
                 Item No.                  Improvement
------------------------------------------------------------------------
1........................................  Develop a national strategy
                                            that clearly articulates
                                            strategic objectives, goals,
                                            and priorities.
2........................................  Establish White House
                                            responsibility and
                                            accountability for leading
                                            and overseeing national
                                            cybersecurity policy.
3........................................  Establish a governance
                                            structure for strategy
                                            implementation.
4........................................  Publicize and raise awareness
                                            about the seriousness of the
                                            cybersecurity problem.
5........................................  Create an accountable,
                                            operational cybersecurity
                                            organization.
6........................................  Focus more actions on
                                            prioritizing assets,
                                            assessing vulnerabilities,
                                            and reducing vulnerabilities
                                            than on developing
                                            additional plans.
7........................................  Bolster public/private
                                            partnerships through an
                                            improved value proposition
                                            and use of incentives.
8........................................  Focus greater attention on
                                            addressing the global
                                            aspects of cyberspace.
9........................................  Improve law enforcement
                                            efforts to address malicious
                                            activities in cyberspace.
10.......................................  Place greater emphasis on
                                            cybersecurity research and
                                            development, including
                                            consideration of how to
                                            better coordinate Government
                                            and private sector efforts.
11.......................................  Increase the cadre of
                                            cybersecurity professionals.
12.......................................  Make the Federal Government a
                                            model for cybersecurity,
                                            including using its
                                            acquisition function to
                                            enhance cybersecurity
                                            aspects of products and
                                            services.
------------------------------------------------------------------------
Source: GAO analysis of opinions solicited during expert panels.

    Until GAO's recommendations are fully addressed and the above 
improvements are considered, our Nation's Federal and private-sector 
infrastructure systems remain at risk of not being adequately 
protected. Consequently, in addition to fully implementing GAO's 
recommendations, it is essential that the improvements be considered by 
the new administration as it begins to make decisions on our Nation's 
cybersecurity strategy.
    Madam Chair and Members of the subcommittee: Thank you for the 
opportunity to join in today's hearing to discuss efforts to protect 
our Nation from cybersecurity threats. Pervasive and sustained 
computer-based (cyber) attacks against the United States and others 
continue to pose a potentially devastating impact to systems and 
operations and the critical infrastructures that they support. To 
address these threats, President Bush issued a 2003 national strategy 
and related policy directives aimed at improving cybersecurity Nation-
wide, including both Government systems and those cyber critical 
infrastructures owned and operated by the private sector.\1\
---------------------------------------------------------------------------
    \1\ Critical infrastructures are systems and assets, whether 
physical or virtual, so vital to nations that their incapacity or 
destruction would have a debilitating impact on national security, 
national economic security, national public health or safety, or any 
combination of those matters. Federal policy established 18 critical 
infrastructure sectors: Agriculture and food, banking and finance, 
chemical, commercial facilities, communications, critical 
manufacturing, dams, defense industrial base, emergency services, 
energy, Government facilities, information technology, national 
monuments and icons, nuclear reactors, materials and waste, postal and 
shipping, public health and health care, transportation systems, and 
water.
---------------------------------------------------------------------------
    Because the threats have persisted and grown, a commission--
commonly referred to as the Commission on Cybersecurity for the 44th 
Presidency and chaired by two congressmen and industry officials--was 
established in August 2007 to examine the adequacy of the strategy and 
identify areas for improvement.\2\ At about the same time, the Bush 
administration began to implement a series of initiatives aimed 
primarily at improving cybersecurity within the Federal Government. 
More recently, in February 2009, President Obama initiated a review of 
the Government's overall cybersecurity strategy and supporting 
activities.
---------------------------------------------------------------------------
    \2\ The commission was created by the Center for Strategic and 
International Studies (CSIS), a bipartisan, nonprofit organization 
that, among other things, provides strategic insights and policy 
solutions to decision-makers. Entitled the CSIS Commission on 
Cybersecurity for the 44th Presidency, the body was co-chaired by 
Representative James Langevin, Representative Michael McCaul, Scott 
Charney (Microsoft), and Lt. General Harry Raduege, USAF (Ret).
---------------------------------------------------------------------------
    Today, as requested, I will discuss: (1) Our reports, containing 
about 30 recommendations, on the national cybersecurity strategy and 
related efforts, and (2) the results of expert panels we convened to 
discuss how to strengthen the strategy and our Nation's cybersecurity 
posture. In preparing for this testimony, we relied on our previous 
reports on Federal efforts to fulfill national cybersecurity 
responsibilities. These reports contain detailed overviews of the scope 
and methodology we used. We also obtained the views of nationally 
recognized cybersecurity experts by means of two panel discussions on 
the effectiveness of the current national cybersecurity strategy and 
recommendations for improvement. In summarizing the panel discussions, 
we provided all panel members an opportunity to comment on our written 
summaries, and their comments were incorporated as appropriate. The 
panelists' names and titles are in appendix I. We conducted our work in 
support of this testimony during February and March 2009, in the 
Washington, DC, area. The work on which this testimony is based was 
performed in accordance with generally accepted Government auditing 
standards.
                               background
    Government officials are concerned about attacks from individuals 
and groups with malicious intent, such as criminals, terrorists, and 
adversarial foreign nations. For example, in February 2009, the 
director of national intelligence testified that foreign nations and 
criminals have targeted Government and private sector networks to gain 
a competitive advantage and potentially disrupt or destroy them, and 
that terrorist groups have expressed a desire to use cyber attacks as a 
means to target the United States.\3\ The director also discussed that 
in August 2008, the national government of Georgia's Web sites were 
disabled during hostilities with Russia, which hindered the 
Government's ability to communicate its perspective about the conflict.
---------------------------------------------------------------------------
    \3\ Statement of the Director of National Intelligence before the 
Senate Select Committee on Intelligence, Annual Threat Assessment of 
the Intelligence Community for the Senate Select Committee on 
Intelligence (Feb. 12, 2009).
---------------------------------------------------------------------------
    The Federal Government has developed a strategy to address such 
cyber threats. Specifically, President Bush issued the 2003 National 
Strategy to Secure Cyberspace \4\ and related policy directives, such 
as Homeland Security Presidential Directive 7,\5\ that specify key 
elements of how the Nation is to secure key computer-based systems, 
including both Government systems and those that support critical 
infrastructures owned and operated by the private sector. The strategy 
and related policies also establish the Department of Homeland Security 
(DHS) as the focal point for cyber critical infrastructure protection 
(CIP) and assign the Department 
multiple leadership roles and responsibilities in this area. They 
include: (1) Developing a comprehensive national plan for CIP, 
including cybersecurity; (2) developing and enhancing national cyber 
analysis and warning capabilities; (3) providing and coordinating 
incident response and recovery planning, including conducting incident 
response exercises; (4) identifying, assessing, and supporting efforts 
to reduce cyber threats and vulnerabilities, including those associated 
with infrastructure control systems;\6\ and (5) strengthening 
international cyberspace security. In addition, the strategy and 
related policy direct DHS and other relevant stakeholders to use risk 
management principles to prioritize protection activities within and 
across the 18 critical infrastructure sectors in an integrated, 
coordinated fashion.
---------------------------------------------------------------------------
    \4\ The White House, The National Strategy to Secure Cyberspace 
(Washington, DC: February 2003).
    \5\ The White House, Homeland Security Presidential Directive 7 
(Washington, DC: Dec. 17, 2003).
    \6\ Control systems are computer-based systems that perform vital 
functions in many of our Nation's critical infrastructures, including 
electric power generation, transmission, and distribution; oil and gas 
refining and pipelines; water treatment and distribution; chemical 
production and processing; railroads and mass transit; and 
manufacturing.
---------------------------------------------------------------------------
    Because the threats have persisted and grown, President Bush in 
January 2008 began to implement a series of initiatives--commonly 
referred to as the Comprehensive National Cybersecurity Initiative 
(CNCI)--aimed primarily at improving DHS and other Federal agencies' 
efforts to protect against intrusion attempts and anticipate future 
threats.\7\ While these initiatives have not been made public, the 
Director of National Intelligence stated that they include defensive, 
offensive, research and development, and counterintelligence efforts, 
as well as a project to improve public/private partnerships.\8\ 
Subsequently, in December 2008, the Commission on Cybersecurity for the 
44th Presidency reported, among other things, that the failure to 
protect cyberspace was an urgent national security problem and made 25 
recommendations aimed at addressing shortfalls with the strategy and 
its implementation.\9\ Since then, President Obama (in February 2009) 
initiated a review of the cybersecurity strategy and supporting 
activities. The review is scheduled to be completed in April 2009.
---------------------------------------------------------------------------
    \7\ The White House, National Security Presidential Directive 54/
Homeland Security Presidential Directive 23 (Washington, DC: Jan. 8, 
2008).
    \8\ Statement of the director of national intelligence before the 
Senate Select Committee on Intelligence, Annual Threat Assessment of 
the Intelligence Community for the Senate Select Committee on 
Intelligence (Feb. 12, 2009).
    \9\ Center for Strategic and International Studies, Securing 
Cyberspace for the 44th Presidency, A Report of the CSIS Commission on 
Cybersecurity for the 44th Presidency (Washington, DC: December 2008).
---------------------------------------------------------------------------
gao has made recommendations to address shortfalls with key aspects of 
         national cybersecurity strategy and its implementation
    Over the last several years we have reported on our Nation's 
efforts to fulfill essential aspects of its cybersecurity strategy. In 
particular, we have reported consistently since 2005 that DHS has yet 
to fully satisfy its cybersecurity responsibilities designated by the 
strategy. To address these shortfalls, we have made about 30 
recommendations in key cybersecurity areas including the 5 listed in 
Table 1. DHS has since developed and implemented certain capabilities 
to satisfy aspects of its cybersecurity responsibilities, but the 
Department still has not fully satisfied our recommendations, and thus 
further action needs to be taken to address these areas.

 TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO AS NEEDING FURTHER
                                 ACTION
------------------------------------------------------------------------
                 Item No.                  Area needing further action
------------------------------------------------------------------------
1........................................  Bolstering cyber analysis and
                                            warning capabilities.
2........................................  Completing actions identified
                                            during cyber exercises.
3........................................  Improving cybersecurity of
                                            infrastructure control
                                            systems.
4........................................  Strengthening DHS's ability
                                            to help recover from
                                            Internet disruptions.
5........................................  Addressing cybercrime.
------------------------------------------------------------------------
Source: GAO analysis of prior GAO reports.

    In July 2008, we reported \10\ that DHS's United States Computer 
Emergency Readiness Team (US-CERT) did not fully address 15 key cyber 
analysis and warning attributes related to: (1) Monitoring network 
activity to detect anomalies, (2) analyzing information and 
investigating anomalies to determine whether they are threats, (3) 
warning appropriate officials with timely and actionable threat and 
mitigation information, and (4) responding to the threat. For example, 
US-CERT provided warnings by developing and distributing a wide array 
of notifications; however, these notifications were not consistently 
actionable or timely. As a result, we recommended that the Department 
address shortfalls associated with the 15 attributes in order to fully 
establish a national cyber analysis and warning capability as 
envisioned in the national strategy. DHS agreed in large part with our 
recommendations.
---------------------------------------------------------------------------
    \10\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in 
Establishing a Comprehensive National Capability, GAO-08-588 
(Washington, DC: July 31, 2008).
---------------------------------------------------------------------------
    In September 2008, we reported \11\ that since conducting a major 
cyber attack exercise, called Cyber Storm, DHS had demonstrated 
progress in addressing eight lessons it had learned from these efforts. 
However, its actions to address the lessons had not been fully 
implemented. Specifically, while it had completed 42 of the 66 
activities identified, the Department had identified 16 activities as 
on-going and 7 as planned for the future.\12\ Consequently, we 
recommended that DHS schedule and complete all of the corrective 
activities identified in order to strengthen coordination between 
public and private sector participants in response to significant cyber 
incidents. DHS concurred with our recommendation. To date, DHS has 
continued to make progress in completing some identified activities but 
has yet to do so for others.
---------------------------------------------------------------------------
    \11\ GAO, Critical Infrastructure Protection: DHS Needs To Fully 
Address Lessons Learned From Its First Cyber Storm Exercise, GAO-08-825 
(Washington, DC: Sept. 9, 2008).
    \12\ At that time, DHS reported that one other activity had been 
completed, but the Department was unable to provide evidence 
demonstrating its completion.
---------------------------------------------------------------------------
    In a September 2007 report and an October 2007 testimony, we 
reported \13\ that consistent with the national strategy requirement to 
identify and reduce threats and vulnerabilities, DHS was sponsoring 
multiple control systems security initiatives, including an effort to 
improve control systems cybersecurity using vulnerability evaluation 
and response tools. However, DHS had not established a strategy to 
coordinate the various control systems activities across Federal 
agencies and the private sector, and it did not effectively share 
information on control system vulnerabilities with the public and 
private sectors. Accordingly, we recommended that DHS develop a 
strategy to guide efforts for securing control systems and establish a 
rapid and secure process for sharing sensitive control system 
vulnerability information. DHS recently began developing a strategy and 
a process to share sensitive information.
---------------------------------------------------------------------------
    \13\ GAO, Critical Infrastructure Protection: Multiple Efforts to 
Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-
1036 (Washington, DC: Sept. 10, 2007) and Critical Infrastructure 
Protection: Multiple Efforts to Secure Control Systems Are Under Way, 
but Challenges Remain, GAO-08-119T (Washington, DC: Oct. 17, 2007).
---------------------------------------------------------------------------
    We reported and later testified \14\ in 2006 that the Department 
had begun a variety of initiatives to fulfill its responsibility, as 
called for by the national strategy, for developing an integrated 
public/private plan for Internet recovery. However, we determined that 
these efforts were not comprehensive or complete. As such, we 
recommended that DHS implement nine actions to improve the Department's 
ability to facilitate public/private efforts to recover the Internet in 
case of a major disruption. In October 2007, we testified \15\ that the 
Department had made progress in implementing our recommendations; 
however, seven of the nine have not been completed. To date, an 
integrated public/private plan for Internet recovery does not exist.
---------------------------------------------------------------------------
    \14\ GAO, Internet Infrastructure: DHS Faces Challenges in 
Developing a Joint Public/Private Recovery Plan, GAO-06-672 
(Washington, DC: June 16, 2006) and Internet Infrastructure: Challenges 
in Developing a Public/Private Recovery Plan, GAO-06-863T (Washington, 
DC: July 28, 2006).
    \15\ GAO, Internet Infrastructure: Challenges in Developing a 
Public/Private Recovery Plan, GAO-08-212T (Washington, DC: Oct. 23, 
2007).
---------------------------------------------------------------------------
    In 2007, we reported \16\ that public and private entities \17\ 
faced a number of challenges in addressing cybercrime, including 
ensuring adequate analytical and technical capabilities for law 
enforcement and conducting investigations and prosecuting cybercrimes 
that cross national and State borders.
---------------------------------------------------------------------------
    \16\ GAO, Cybercrime: Public and Private Entities Face Challenges 
in Addressing Cyber Threats, GAO-07-705 (Washington, DC: June 2007).
    \17\ These public and private entities include the Departments of 
Justice, Homeland Security, and Defense, and the Federal Trade 
Commission, internet security providers and software developers.
---------------------------------------------------------------------------
cybersecurity experts highlighted key improvements needed to strengthen 
                   the nation's cybersecurity posture
    In addition to our recommendations on improving key aspects of the 
national cybersecurity strategy and its implementation, we also 
obtained the views of experts (by means of panel discussions) on these 
and other critical aspects of the strategy, including areas for 
improvement. The experts, who included former Federal officials, 
academics, and private sector executives, highlighted 12 key 
improvements that are, in their view, essential to improving the 
strategy and our national cybersecurity posture. These improvements are 
in large part consistent with our above-mentioned reports and extensive 
research and experience in this area. They include:
    1. Develop a national strategy that clearly articulates strategic 
objectives, goals, and priorities.--The strategy should, among other 
things: (1) Include well-defined strategic objectives, (2) provide 
understandable goals for the Government and the private sector (end 
game), (3) articulate cyber priorities among the objectives, (4) 
provide a vision of what secure cyberspace should be in the future, (5) 
seek to integrate Federal Government capabilities, (6) establish 
metrics to gauge whether progress is being made against the strategy, 
and (7) provide an effective means for enforcing action and 
accountability when there are progress shortfalls. According to expert 
panel members, the CNCI provides a good set of tactical initiatives 
focused on improving primarily Federal cybersecurity; however, it does 
not provide strategic objectives, goals, and priorities for the Nation 
as a whole.
    2. Establish White House responsibility and accountability for 
leading and overseeing national cybersecurity policy.--The strategy 
makes DHS the focal point for cybersecurity; however, according to 
expert panel members, DHS has not met expectations and has not provided 
the high-level leadership needed to raise cybersecurity to a national 
focus. Accordingly, panelists stated that to be successful and to send 
the message to the Nation and cyber critical infrastructure owners that 
cybersecurity is a priority, this leadership role needs to be elevated 
to the White House. In addition, to be effective, the office must have, 
among other things, commensurate authority--for example, over budgets 
and resources--to implement and employ appropriate incentives to 
encourage action.
    3. Establish a governance structure for strategy implementation.--
The strategy establishes a public/private partnership governance 
structure that includes 18 critical infrastructure sectors, 
corresponding Government and sector coordinating councils, and cross-
sector councils. However, according to panelists, this structure is 
Government-centric and largely relies on personal relationships to 
instill trust to share information and take action. In addition, 
although not all sectors are of equal importance in regard to their 
cyber assets and functions, the structure treats all sectors and all 
critical cyber assets and functions equally. To ensure effective 
strategy implementation, experts stated that the partnership structure 
should include a committee of senior government representatives (for 
example, the Departments of Defense, Homeland Security, Justice, State, 
and the Treasury and the White House) and private sector leaders 
representing the most critical cyber assets and functions. Expert panel 
members also suggested that this committee's responsibilities should 
include measuring and periodically reporting on progress in achieving 
the goals, objectives, and strategic priorities established in the 
national strategy and building consensus to hold involved parties 
accountable when there are progress shortfalls.
    4. Publicize and raise awareness about the seriousness of the 
cybersecurity problem.--Although the strategy establishes cyberspace 
security awareness as a priority, experts stated that many national 
leaders in business and Government, including in Congress, who can 
invest resources to address cybersecurity problems are generally not 
aware of the severity of the risks to national and economic security 
posed by the inadequacy of our Nation's cybersecurity posture and the 
associated intrusions made more likely by that posture. Expert panel 
members suggested that an aggressive awareness campaign is needed to 
raise the level of knowledge of leaders and the general populace that 
our Nation is constantly under cyber attack.
    5. Create an accountable, operational cybersecurity organization.--
DHS established the National Cyber Security Division (within the Office 
of Cybersecurity and Communications) to be responsible for leading 
national day-to-day cybersecurity efforts; however, according to 
panelists, this has not enabled DHS to become the national focal point 
as envisioned. Panel members stated that currently, DOD and other 
organizations within the intelligence community that have significant 
resources and capabilities have come to dominate Federal efforts. They 
told us that there also needs to be an independent cybersecurity 
organization that leverages and integrates the capabilities of the 
private sector, civilian government, law enforcement, military, 
intelligence community, and the Nation's international allies to 
address incidents against the Nation's critical cyber systems and 
functions. However, there was not consensus among our expert panel 
members regarding where this organization should reside.
    6. Focus more actions on prioritizing assets and functions, 
assessing vulnerabilities, and reducing vulnerabilities than on 
developing additional plans.--The strategy recommends actions to 
identify critical cyber assets and functions, but panelists stated that 
efforts to identify which cyber assets and functions are most critical 
to the Nation have been insufficient. According to panel members, 
inclusion in cyber critical infrastructure protection efforts and lists 
of critical assets is currently based on the willingness of the person 
or entity responsible for the asset or function to participate and not 
on substantiated technical evidence. In addition, the current strategy 
establishes vulnerability reduction as a key priority; however, 
according to panelists, efforts to identify and mitigate known 
vulnerabilities have been insufficient. They stated that greater 
efforts should be taken to identify and eliminate common 
vulnerabilities and that there are techniques available that should be 
used to assess vulnerabilities in the most critical, prioritized cyber 
assets and functions.
    7. Bolster public/private partnerships through an improved value 
proposition and use of incentives.--While the strategy encourages 
action by owners and operators of critical cyber assets and functions, 
panel members stated that there are not adequate economic and other 
incentives (i.e., a value proposition) for greater investment and 
partnering in cybersecurity. Accordingly, panelists stated that the 
Federal Government should provide valued services (such as offering 
useful threat or analysis and warning information) or incentives (such 
as grants or tax reductions) to encourage action by and effective 
partnerships with the private sector. They also suggested that public 
and private sector entities use means such as cost-benefit analyses to 
ensure the efficient use of limited cybersecurity-related resources.
    8. Focus greater attention on addressing the global aspects of 
cyberspace.--The strategy includes recommendations to address the 
international aspects of cyberspace but, according to panelists, the 
United States is not addressing global issues impacting how cyberspace 
is governed and controlled. They added that, while other nations are 
actively involved in developing treaties, establishing standards, and 
pursuing international agreements (such as on privacy), the United 
States is not aggressively working in a coordinated manner to ensure 
that international agreements are consistent with U.S. practice and 
that they address cybersecurity and cybercrime considerations. Panel 
members stated that the United States should pursue a more coordinated, 
aggressive approach so that there is a level playing field globally for 
U.S. corporations and enhanced cooperation among government agencies, 
including law enforcement. In addition, a panelist stated that the 
United States should work towards building consensus on a global cyber 
strategy.
    9. Improve law enforcement efforts to address malicious activities 
in cyberspace.--The strategy calls for improving investigative 
coordination domestically and internationally and promoting a common 
agreement among nations on addressing cybercrime. According to a 
panelist, some improvements in domestic law have been made (e.g., 
enactment of the PROTECT Our Children Act of 2008), but implementation 
of this act is a work in process due to its recent passage. Panel 
members also stated that current domestic and international law 
enforcement efforts, including activities, procedures, methods, and 
laws are too outdated and outmoded to adequately address the speed, 
sophistication, and techniques of individuals and groups, such as 
criminals, terrorists, and adversarial foreign nations with malicious 
intent. Improved law enforcement is essential to more effectively 
catch and prosecute malicious individuals and groups and, with stricter 
penalties, deter malicious behavior.
    10. Place greater emphasis on cybersecurity research and 
development, including consideration of how to better coordinate 
Government and private sector efforts.--While the strategy recommends 
actions to develop a research and development agenda and coordinate 
efforts between the Government and private sectors, experts stated that 
the United States is not adequately focusing and funding research and 
development efforts to address cybersecurity or to develop the next 
generation of cyberspace to include effective security capabilities. In 
addition, the research and development efforts currently underway are 
not being well coordinated between Government and the private sector.
    11. Increase the cadre of cybersecurity professionals.--The 
strategy includes efforts to increase the number and skills of 
cybersecurity professionals but, according to panelists, the results 
have not created sufficient numbers of professionals, including 
information security specialists and cybercrime investigators. Expert 
panel members stated that actions to increase the number of professionals 
with adequate cybersecurity skills should include: (1) Enhancing 
existing scholarship programs (e.g., Scholarship for Service) and (2) 
making the cybersecurity discipline a profession through testing and 
licensing.
    12. Make the Federal Government a model for cybersecurity, 
including using its acquisition function to enhance cybersecurity 
aspects of products and services.--The strategy establishes securing 
the Government's cyberspace as a key priority and advocates using 
Federal acquisition to accomplish this goal. Although the Federal 
Government has taken steps to improve the cybersecurity of agencies 
(e.g., beginning to implement the CNCI initiatives), panelists stated 
that it still is not a model for cybersecurity. Further, they said the 
Federal Government has not made changes in its acquisition function and 
the training of Government officials in a manner that effectively 
improves the cybersecurity capabilities of products and services 
purchased and used by Federal agencies.
    In summary, our Nation is under cyber attack, and the present 
strategy and its implementation have not been fully effective in 
mitigating the threat. This is due in part to the fact that there are 
further actions needed by DHS to address key cybersecurity areas, 
including fully addressing our recommendations. In addition, nationally 
recognized experts have identified improvements aimed at strengthening 
the strategy and in turn, our cybersecurity posture. Key improvements 
include developing a national strategy that clearly articulates 
strategic objectives, goals, and priorities; establishing White House 
leadership; improving governance; and creating a capable and respected 
operational lead organization. Until the recommendations are fully 
addressed and these improvements are considered, our Nation's most 
critical Federal and private sector infrastructure systems remain at 
unnecessary risk to attack from our adversaries. Consequently, in 
addition to fully implementing our recommendations, it is essential 
that the Obama administration consider these improvements as it reviews 
our Nation's cybersecurity strategy and begins to make decisions on 
moving forward.
    Madam Chair, this concludes my statement. I would be happy to 
answer any questions that you or Members of the subcommittee may have 
at this time.
    If you have any questions on matters discussed in this testimony, 
please contact me. Other key contributors to this testimony include 
Bradley Becker, Camille Chaires, Michael Gilmore, Nancy Glover, Kush 
Malhotra, Gary Mountjoy, Lee McCracken, and Andrew Stavisky.

    Ms. Clarke. Thank you very much.
    Our next witness, I now recognize Mr. Charney to summarize 
his statement for 5 minutes.

    STATEMENT OF SCOTT CHARNEY, VICE PRESIDENT, TRUSTWORTHY 
                      COMPUTING, MICROSOFT

    Mr. Charney. Chairwoman Clarke, Ranking Member Lungren, Mr. 
Thompson and Members of the subcommittee, thank you for the 
opportunity to appear today to provide a perspective on 
reviewing the Federal Cybersecurity Mission. As you know, I 
served as one of four co-chairs of the CSIS Commission on 
Cybersecurity for the 44th Presidency with Representatives Jim 
Langevin of Rhode Island and Michael McCaul of Texas and 
General Harry Raduege.
    I will address four themes that cross many of the 
recommendations made in the Commission's report.
    First, we have an immediate need for a comprehensive White 
House Coordinated National Strategy for Cyber Space Security.
    Second, we need to evolve and focus the public/private 
partnership model.
    Third, we should consider a new regulatory model designed 
to ensure that greater regulation, if enacted, protects 
innovation while providing appropriate Government oversight of 
cybersecurity issues.
    Fourth, the internet needs an appropriately deployed 
identity metasystem, if we are to make the internet 
dramatically more secure but protect important social values 
such as privacy and free speech. I will address each of these 
in turn.
    First, the need for a Comprehensive and Coordinated 
National Strategy could not be more clear. In the information 
age, a country's success is dependent upon information, 
knowledge, and communications. While the growth of the internet 
in the early 1990's created new beneficial opportunities for 
all, including individuals, businesses, and governments, it 
also created unprecedented opportunities for those who would 
misuse technology. It permits individual criminals, organized 
crime groups, and nation-states to target all types of 
sensitive information, from personal information to business 
information to military information.
    It is therefore clear that our country's future success 
requires a Comprehensive Cybersecurity Strategy that engages 
the relevant agencies of the Government and brings to bear all 
elements of national power including economic, diplomatic, law 
enforcement, military, and intelligence authorities.
    When one recognizes the breadth of the challenge, and the 
need for a massively decentralized but coordinated response 
among the Federal agencies, it becomes clear that our National 
Cybersecurity Strategy and its implementation should be led by 
the White House. Of course, any successful strategy must 
include protecting one's own networks from attack. Here it is 
critical that the Government and private sector work together 
to improve the state of computer security. Why is partnership 
required? It is because the private sector drives the design, 
development, and implementation of the products and services 
that power cyberspace.
    We must also have the right objectives. For years the goal 
of the partnership has been information sharing which will not, 
without more, secure America's infrastructures. We must 
establish a more meaningful public/private partnership where 
the partners work in complementary fashion toward the clearly 
identified objective of securing America's networks. Consistent 
with this philosophy the partnership should focus on sharing 
information that is actionable and building mechanisms that 
enable meaningful action to be taken.
    With regard to regulation, the Government and private 
sector should jointly determine the level of security provided 
by markets, the level of security needed to protect national 
security, and how the gap between what the markets will provide 
and what national security demands can be filled most 
effectively.
    While this is not a call for broad regulation, it is a 
recognition that appropriately tailored legislation, 
legislation that is technology-neutral and recognizes the best 
practices created by the innovative private sector may be an 
important component of any national cybersecurity effort. The 
fact is, markets respond to customer demand, and most customers, who 
know more about security issues today than in the past, will not pay 
for the level of security necessary to protect national 
security. In short, establishing a cohesive national strategy, 
a robust public/private partnership and a security model that 
takes advantage of industry best practices, Government 
influence, and tailored regulations can dramatically advance 
security.
    Finally, creating the ability to identify what person and 
which device is sending a particular data stream in cyberspace 
must be part of an effective cybersecurity strategy. Even 
sophisticated attackers face difficult challenges and find 
their access restricted because of better authentication. 
Stronger authentication can also help us create safe places for 
our children to learn on-line, for businesses to interact with 
customers, and for Government to serve its citizens.
    In addition, because the use of digital IDs also reduces 
the need to authenticate people by having them provide private 
details about themselves, stronger authentication can enhance 
both security and privacy. Thus, as part of an overall 
cybersecurity strategy, the Government should accelerate the 
adoption of authentication technologies by actions such as 
issuing and accepting digital credentials in appropriate 
circumstances and working to integrate privacy issues into the 
design, development, and operation of the resulting identity 
metasystem.
    In conclusion, let me say there are complex challenges that 
obviously will not be solved overnight. Securing America's 
future in the information age depends upon creating a 
comprehensive national strategy for cyberspace security, one 
that simplifies, organizes, and enables effective operational 
partnerships among the Government, private sector, and internet 
citizens. There is both an opportunity and a need for 
leadership as we focus the Nation's attentions on the 
importance of cybersecurity.
    I thank this committee for raising this important issue, 
for considering my written testimony as part of the record, and 
I look forward to your questions.
    [The statement of Mr. Charney follows:]
                  Prepared Statement of Scott Charney
                             March 10, 2009
    Chairwoman Clarke, Ranking Member Lungren, and Members of the 
subcommittee, thank you for the opportunity to appear today at this 
important hearing on cybersecurity. My name is Scott Charney, and I am 
the corporate vice president for trustworthy computing at Microsoft. I 
served as one of four co-chairs of the Center for Strategic and 
International Studies' (CSIS) Commission on Cybersecurity for the 44th 
Presidency. I served on the Commission as an industry expert with more 
than 18 years of security technology experience in both the public and 
private sectors, and have a long history of leading domestic and 
international cybersecurity efforts.
    Prior to joining Microsoft, I was chief of the computer crime and 
intellectual property section in the criminal division of the U.S. 
Department of Justice. I was involved in nearly every major hacker 
prosecution in the United States from 1991 to 1999, worked on 
legislative initiatives, such as the National Information 
Infrastructure Protection Act that was enacted in 1996, and chaired the 
G8 Subgroup on High Tech Crime from its inception in 1996 until I left 
Government service in 1999.
    Representative Jim Langevin (D-RI), Representative Michael McCaul 
(R-TX), Lt. Gen. Harry Raduege, USAF (Ret.), and I led the CSIS 
Commission effort, along with project director Jim Lewis of the Center 
for Strategic and International Studies, to identify key cybersecurity 
challenges facing the new administration and provide a set of 
recommendations to address those challenges. Guided by our 
Congressional co-chairs, we assembled a group of individuals with 
cybersecurity experience in both Government and industry. The aim of 
the group was to identify both short-term recommendations that the next 
administration could implement quickly to make a noticeable improvement 
in the Nation's cybersecurity, and longer-term recommendations that are 
critical to the Nation's future cyber-objectives.
    Thank you for the opportunity to appear today to provide a 
perspective on ``Reviewing the Federal Cybersecurity Mission.'' I would 
like to address four specific themes that cross the Commission 
recommendations including: (1) The need for a comprehensive and 
coordinated national strategy for cyberspace security; (2) the 
imperative to radically evolve and elevate the public-private 
partnership model; (3) the need for an identity metasystem that makes 
the internet dramatically more secure while protecting important social 
values such as privacy and free speech; and (4) the necessity for a new 
regulatory model that protects innovation while providing appropriate 
Government oversight.
            comprehensive and coordinated national strategy
    As the CSIS Commission report makes clear, we are locked in an 
escalating and sometimes hidden conflict in cyberspace. The battle of 
bits and bytes has very real consequences for America, other nations, 
the private sector, and even what we have come to call ``the internet 
citizen.'' Cyberattack joins terrorism and weapons of mass destruction 
as one of the new, asymmetric threats that puts the United States and 
its allies at risk. To be clear, there are risks to cyberspace other 
than those related to security; for example, the increasing number of 
machines and applications creates a very complex environment with 
challenging reliability issues, and our increased dependence on 
information technology makes the availability of systems a national and 
international imperative. But for the purposes of this testimony, I 
will confine my remarks to security.
    The information age has arrived, but the United States has not yet 
built a comprehensive national cyberspace security strategy. The need 
for such a strategy has never been more urgent. America's leadership in 
a connected world cannot be assumed from its leadership in the 
industrial world. In cyberspace, the country does not remain 
unchallenged, as recent events have clearly proved. Some of the 
challenges we face include:
   America's reliance on interdependent global networks;
   The misuse of information technologies to support violent 
        extremism;
   The ability of any individual to engage in activities 
        formerly limited to nation-states (e.g., cyber-military 
        espionage and cyber-warfare); and
   The ability of any nation, regardless of traditional 
        measures of sophistication, to gain economic and military 
        advantage through cyber programs.
    In addition to these challenges, the Internet citizen--those 
individuals who use cyberspace for social and commercial interactions--
is critically relevant to any solution. Unsecured computers can turn 
everyday users into a launch platform for attacks. Fear about on-line 
security and availability can have sweeping economic consequences. 
Trust in cyberspace, on the other hand, can create new opportunities, 
markets, and possibilities.
    The United States must plan, organize, and act accordingly to 
develop a national cyberspace security strategy that can address these 
challenges. Historically, national security strategies have been 
characterized by their employment of all elements of U.S. power--
economic, diplomatic, law enforcement, military and intelligence. A 
comprehensive cyberspace security strategy must include these elements 
and articulate how they will be employed to ensure national security 
and public safety, ensure economic prosperity, and assure delivery of 
critical services to the American public. Such a strategy must also 
recognize the ever-mounting importance of economic security. In the 
industrial age, power was generally based on physical might; in the 
information age, power is derived from information, knowledge, and 
communications.
    In my opinion, there are three fundamental attributes that span all 
of the elements of national power. Articulating and advancing a clear 
understanding of norms, attribution, and deterrence in the context of 
cybersecurity can dramatically improve the national and international 
cyberspace ecosystem.
    Norms.--U.S. foreign policy and diplomatic engagements on issues 
        related to cyberspace security are not as focused as our 
        efforts to combat terrorism or stem proliferation of nuclear 
        weapons. I believe that the United States should marshal its 
        significant diplomatic skills and expertise to advocate for 
        cyberspace security and increase multilateral cooperation. I 
        would caution that advocacy and cooperation are not goals in 
        themselves. We need to focus advocacy and cooperation efforts 
        toward specific outcomes. For example, working with like-minded 
        nations to define clearly articulated norms of nation-state 
        behavior in cyberspace could help to deter state support for 
        cyberattacks or hold nation-states that support such efforts 
        accountable for their actions.
    Attribution.--Attribution of cyberattacks is one of the most 
        fundamental challenges facing the international community and 
        the United States. The inability to attribute attacks can 
        greatly impede the effectiveness of the Nation's response. Too 
        often, valuable time is lost trying to determine if an attack 
        or penetration of a system was an isolated criminal incident or 
        one perpetrated by a foreign intelligence organization. 
        Attributing the source is essential to ensuring the 
        appropriateness of response--criminal prosecution or military/
        diplomatic measures. Absent strong attribution abilities, 
        international and national strategies to deter acts will not be 
        taken seriously by the community of attackers who thrive on 
        this diagnostic weakness, nor by criminals that prey on 
        citizens' inboxes and on-line accounts. Thus, we must focus on 
        identity and authentication in cyberspace and enhancing swift 
        international cooperation on cyberattacks.
    Deterrence.--Deterrence did not happen overnight in the Cold War; 
        the concept and strategy took several years to develop. 
        Deterrence in the information age is perhaps even more 
        complicated due to the lack of attribution and the inability to 
        identify strong mechanisms to prevent hostile actions. But the 
        United States can learn important lessons from the nuclear 
        experience. In the Cold War, the United States kept sensitive 
        information secret, but disclosed enough about our strategy and 
        capabilities that allies and adversaries alike understood our 
        commitment to national security and our ability to protect it. 
        We must do the same for cyberspace.
      Deterrence is very difficult when adversaries and bad actors are 
        motivated and persistent. In order to improve cyberspace 
        security in a meaningful way, deterrence requires a clear and 
        unambiguous commitment by our Nation and understanding by the 
        spectrum of bad actors--from cybercriminals, to organized 
        crime, to nation-states--that violations of our cybersecurity 
        have consequences. What makes deterrence successful is 
        commitment, broadly known and broadly felt.
    The sheer number of extremely important issues that transcend 
agency boundaries suggests that the coordination of any national 
cybersecurity strategy must reside within the one organization 
responsible for ensuring that the Government acts as one Government. If 
the Government wants to use all the instruments of its power--economic, 
diplomatic, law enforcement, military, and intelligence--then the 
center of gravity must be in the White House. I support the 
Commission's recommendations that, if implemented, would elevate the 
priority of cybersecurity and improve its strategic coordination. 
Creating a National Office for Cyberspace in the Executive Office of 
the President will provide the interagency coordination required to 
identify, assess, and manage cyberspace risks.
    This office does not need to assume or manage all cybersecurity 
functions; rather, it should have a tightly defined mandate to develop 
strategy and coordinate the implementation of that strategy by the 
agencies that have jurisdiction over the elements of national power. It 
must also be recognized that the White House office will be best able 
to provide strategic leadership only when the agencies of Government 
responsible for executing their respective cybersecurity 
responsibilities are staffed with experienced and competent 
professionals who are resourced appropriately.
    As you know, President Obama has directed the National Security 
Council and Homeland Security Council to initiate a 60-day review of 
the plans, programs, and activities under way throughout the Government 
that address cyberspace security. According to the White House, the 
review will build upon existing policies and structures to formulate a 
new vision for a national public-private partnership and an action plan 
to: Enhance economic prosperity and facilitate market leadership for 
the U.S. information and communications industry; deter, prevent, 
detect, defend against, respond to, and remediate disruptions and 
damage to U.S. communications and information infrastructure; ensure 
U.S. capabilities to operate in cyberspace in support of national 
goals; and safeguard the privacy rights and civil liberties of our 
citizens.\1\
---------------------------------------------------------------------------
    \1\ http://www.whitehouse.gov/blog/09/03/02/Cyber-review-underway/.
---------------------------------------------------------------------------
    A successful cyberspace security strategy requires more than a plan 
and an organization; it requires partnership. The private sector drives 
the design, development, and implementation of the products and 
services that power cyberspace. Our technical expertise and experience 
in the global marketplace make us key partners in developing national 
and international cyberspace security strategies. For more than a 
decade, the Government and the private sector have partnered to address 
various aspects of cybersecurity, but this partnership has not achieved 
the robust results that are needed to protect cyberspace effectively. 
Therefore, my next key recommendation is to redesign that partnership.
  radically evolve public-private partnerships to advance cyberspace 
                                security
    Cyberspace security is a shared challenge and requires Government 
and the private sector to work together. The private sector designs, 
deploys, and maintains much of the Nation's critical infrastructure. 
However, the private sector faces unique challenges because its 
customer base and supply chains are global. It also builds commercial 
products that can be targeted by sophisticated adversaries, including 
nation-states. Private sector firms are increasingly being forced to 
think about security challenges that cannot reasonably be mitigated by 
commercially realistic development practices, especially as users 
remain price-sensitive.
    The Government also faces challenges. Unlike certain other 
traditional aspects of national security, cyberspace cannot be secured 
by the Government alone; it requires a coordinated effort involving the 
owners, operators, and vendors that make cyberspace possible. The 
bifurcation of responsibility (the Government must protect national 
security) and control (it does not manage the assets or provide the 
functions that must be protected) dictates the need for a close 
partnership with clearly defined roles and responsibilities that 
optimizes the capabilities of participating stakeholders.
    Since the 1990s, well-intended public-private partnerships have 
been created to address this need, yielding a perplexing array of 
advisory groups with overlapping missions, different stakeholders with 
varying capabilities, insufficiently articulated roles and 
responsibilities, and plans with literally hundreds upon hundreds of 
recommendations. In the few instances where groups overcame 
institutional adversities and developed meaningful recommendations, the 
repeated unwillingness or inability to implement those recommendations 
at the Federal level has damaged the partnership significantly. Absent 
a comprehensive national strategy and clear purpose, both Government 
and private sector stakeholders will continue to struggle to be 
effective.
    Advancing cyberspace security requires a radical evolution of 
public-private partnerships as we currently know them. What does 
radical evolution mean? The Federal Government and private sector 
stakeholders must articulate a new philosophy for collaboration, one 
that starts with a very simple premise: Government and private sector 
efforts should be synergistic and efficient. This requires that the 
Government and private sector: (1) Identify those security requirements 
that will be fulfilled by the market; (2) identify national security 
requirements; and (3) identify how the gap between market security and 
national security can be filled. This effort must be focused on 
protecting functions (e.g., communications) as opposed to simply 
physical assets. Moreover, we must build operational partnerships that 
let us effectively mitigate and respond to threats. Finally, to the 
extent important work is on-going, the parties must identify what works 
and have the courage to retire what does not, even though retiring 
organizations may be viewed as draconian by those who have invested in 
these efforts in the past.
    As part of the evolution, it is important that the public-private 
partnership concentrate on what is truly critical to cyberspace 
security and build trusted and effective collaboration between 
Government and private sector stakeholders.
What functions are critical?
    The Commission identified four critical cyber-infrastructures:

   Energy;
   Finance;
   Converging information technology and communications;\2\ and
---------------------------------------------------------------------------
    \2\ Outside the United States, this is referred to as the ICT 
sector. See ``Telecommunications Task Group Final Report,'' CSIS 
Cybersecurity Commission http://www.csis.org/media/csis/pubs/
081028_telecomm_task_group.pdf, for more information on why ``the 
boundary between information, information technology, and 
telecommunications services has become almost indistinguishable.''
---------------------------------------------------------------------------
   Government services (including State and municipal 
        governments).

    This is not to suggest that all these infrastructures are 
identical. If power fails, the cascading effect is immediate and 
significant; by contrast, the result of an attack on Government will 
depend upon what Government service is affected. In essence, energy and 
information technology and communications form the backbone of 
cyberspace, and the availability of Government services and finance are 
particularly important for national security. While other 
infrastructures depend on cyberspace, an interruption of their 
operations would not broadly affect cyberspace itself. If energy, 
finance, the converging information technology and communications 
networks, along with Government services, can continue to function as 
intended while under attack, cyberspace will continue to support the 
Nation. Thus, these infrastructures should be the focus of a more 
attentive cyberspace security effort.
Trusted and Effective Collaboration
    The majority of public-private partnership efforts to date have 
focused on information sharing. While information sharing is important, 
it cannot be--as it has been to date--the end goal; rather, we must 
focus instead on sharing information that is actionable and then taking 
action. The CSIS Commission recommended three new partnership groups to 
advance beyond information sharing to enable trust and action. I will 
focus my comments on the two that would most significantly and 
immediately enhance our cybersecurity and resiliency by permitting 
better strategy development and operational collaboration.
            Evolve Strategic Presidential Advisory Bodies
    Trust is the foundation of a successful partnership between 
Government and the private sector. In the past few years, despite good 
intentions on both sides, trust between Government and the private 
sector has declined. Trust is built on personal relationships and in 
small groups, with parity of stakeholders and demonstrated commitment. 
Large, diffuse groups with floating engagements among a range of 
participants are not conducive to building the level of dialogue that 
promotes trust. When the President brings C-Level officers to the table 
and addresses challenges in a trusted forum, he can drive a powerful 
set of changes in the cyber-ecosystem. Advisory committees that engage 
senior-level Government and private sector personnel, such as the 
National Security and Telecommunications Advisory Committee (NSTAC) and 
the National Infrastructure Advisory Council (NIAC), have served past 
presidents well. However, the split between national security and 
emergency preparedness communications and cybersecurity is artificial 
and dangerous. In the information age, with its converged information 
technology and communications infrastructure, the distinction between 
these two groups creates overlap and limits progress on developing and 
improving cyberspace security capabilities. Accordingly, the Commission 
recommended establishing the President's Committee for Secure 
Cyberspace to replace the NSTAC and NIAC.
    In addition to establishing the proposed Committee for Secure 
Cyberspace as a C-level membership organization operated under the 
Federal Advisory Committee Act, the administration should act to reform current 
decision-making bodies in Government that do not have private sector 
involvement. For example, the Joint Telecommunications Resources Board 
(JTRB), which is chaired by the Office of Science and Technology 
Policy, consists of agencies, such as the Department of Defense (DOD), 
the Department of Homeland Security, the General Services 
Administration, and the Department of Commerce.\3\ The JTRB is 
chartered to make decisions on how to prioritize telecommunications 
resources in a non-wartime crisis, yet absent an effective channel into 
the private sector, the JTRB would be challenged to fulfill its 
charter. Another parallel entity is the National Cyber Response 
Coordination Group, an organization intended to help identify and 
coordinate response to a cyber-based crisis. Unfortunately, this 
interagency Government group does not have a meaningful way to engage 
the private sector, thus limiting its strategic and tactical 
effectiveness.
---------------------------------------------------------------------------
    \3\ Executive Order 12472, ``Assignment of National Security and 
Emergency Preparedness Telecommunications Functions,'' section 2(b)(3), 
April 3, 1984, available at http://www.ncs.gov/library/policy_docs/
eo_12472.html.
---------------------------------------------------------------------------
            Create Operational Collaboration
    Over the past 10 years, there have been several attempts to improve 
operational coordination between and among key Government and private 
sector stakeholders, but these have met with limited success. For 
example, the private sector has invested and maintained information 
sharing and analysis centers, but they are all too often ignored by 
Government agencies. The Commission recommended creating a new 
organization, the Center for Cybersecurity Operations (CCSO), to 
address operational issues that affect cyber infrastructure.
    I strongly support creating a more effective model for operational 
collaboration to move us from the less effective partnerships of the 
past to a more dynamic and collaborative self-governing approach 
involving cybersecurity leaders from Government, industry, and 
academia.
    Collaboration is not about plans; it is about outcomes. To create 
actual operational collaboration, we must learn from the experiences of 
the past. Collaboration is more than information sharing and is more 
than coordination; collaboration involves stakeholders working 
together, jointly assessing operational risks, and developing and 
implementing mitigation strategies. I would like to add to the 
Commission recommendation and suggest that an effective collaboration 
framework for public-private partnerships should include focused 
efforts to:

    Exchange technical data (at the unclassified level as much 
        as possible), with rules and mechanisms that permit both sides 
        to protect sensitive data;
    Create global situational awareness to understand the state 
        of the computing ecosystem and events that may affect it;
    Analyze the risks (threat, vulnerabilities, and 
        consequences) and develop mitigation strategies;
    When necessary and consistent with their respective roles, 
        respond to threats; and
    Develop cyber threat and risk analytics as a shared 
        discipline. For example, one could combine Government and 
        private sector information and then use the private sector's 
        expertise in analyzing large data sets in pseudonymous ways to 
        get new insights into computer security without raising privacy 
        concerns.

    What needs to be accomplished over the long term, and the 
operational mission, must be clear and articulated; the roles of 
Government and industry must be well-defined; and all participants must 
demonstrate commitment and continuity to achieve success. The goal is a 
trusted and focused collaborative alliance for both strategy and 
operations among the Government, academia, and the private sector.
           take action today to create a more secure tomorrow
    On-line collaboration, commerce, and, in some instances, public 
safety depend on trust. Today the mechanisms to provide authentication 
and attribution in cyberspace do not meet the needs of the internet 
citizen, enterprises, or governments. The lack of trust stems in part 
from our inability to manage on-line identities effectively and the 
excessive reliance on voluntary efforts to close key gaps in security.
Identity Imperatives
    In the context of national security, weak identification and 
authentication limits an organization's ability to enforce security 
policies to protect sensitive information and systems, and hinders 
effective Government and industry response to cyber attacks. From an 
economic security perspective, these weaknesses prevent internet users 
from taking reasonable steps to protect themselves from dangerous 
parties. Creating the ability to know reliably the person and/or device 
that is sending a particular data stream in cyberspace must be part of 
an effective cybersecurity strategy. Even sophisticated attackers face 
difficult challenges--and find their access restricted--because of 
better authentication.
    This need for improved identity and authentication in cyberspace 
has been documented in numerous forums, and Government and industry are 
progressing on multiple initiatives to address it. For example, in the 
United States, the Federal Financial Institutions Examination Council's 
(FFIEC) Guidance for Authentication in an Internet Banking Environment 
has spurred the use of stronger authentication in online banking. The 
experience of the DOD was that intrusion into its networks fell by more 
than 50 percent when it implemented Common Access Cards (CAC). Homeland 
Security Presidential Directive 12 (HSPD-12) (``Policy for a Common 
Identification Standard for Federal Employees and Contractors'') is 
another U.S. authentication initiative which requires Federal agencies 
to improve their identity and credentialing processes, using smart 
cards to secure both physical and logical access to Federal facilities 
and networks. These and other Federal initiatives have had success, but 
it is often limited to the sector or domain for which they are 
attempting to affect change.
    Past efforts to radically improve identity management for 
cybersecurity have not failed due to lack of awareness regarding the 
problem, nor a lack of efforts to address it. Much more simply, there 
are too many disparate efforts resulting in stove-piped policies and 
technologies that conflict and compete with each other, instead of 
driving toward a coordinated, interoperable, scalable security- and 
privacy-sensitive solution. There is also, particularly in the consumer 
sector, a serious ``chicken-and-egg'' problem: Consumers are not 
interested in robust on-line identity tokens because Government and 
commercial sites do not consume them, and Government and commercial 
sites do not build technology to consume such tokens because, after 
all, no consumer has them. I want to re-emphasize a point made earlier: 
Any successful public-private partnership should start with the premise 
that the Government should fill market gaps in security. Thus, as part 
of an overall cybersecurity strategy, the Government should accelerate 
the adoption of authentication technologies by supporting the creation 
and use of digital credentials. This would include issuing and 
accepting such credentials in appropriate circumstances, catalyzing the 
private sector market for digital identities, and establishing the 
appropriate governance structure for the issuance, use, revocation, and 
destruction of digital credentials.
    The use of digital IDs also reduces the need to authenticate people 
by having them provide private details about themselves, known as 
Personally Identifiable Information or PII. This usage would reduce the 
need to transmit, store, and use private information to identify 
individuals, thus increasing privacy and helping prevent crimes such as 
identity theft. Stronger authentication, combined with appropriate 
rules regarding the use of such authentication mechanisms, could 
enhance both security and privacy.
    I recognize that efforts to improve authentication raise sensitive 
privacy and civil liberties issues, but it is possible to improve 
authentication for critical functions without unduly compromising our 
values.\4\ This can be done if we integrate privacy issues into the 
design, development, and operation of the identity metasystem.
---------------------------------------------------------------------------
    \4\ For more on this topic, including how the Government can ensure 
privacy is protected in a better authenticated environment, see the 
White Paper on Establishing End-to-End Trust, www.microsoft.com/
endtoendtrust (pp. 6-7).
---------------------------------------------------------------------------
The Role of Regulation
    Opinions vary widely on how industry and Government can best work 
together to more effectively increase cybersecurity across critical 
infrastructures and Government. But even if public and private 
cooperation is optimized and operationalized, that will not provide the 
level of security necessary to meet national security demands. This is 
true because markets respond to customer demand and most customers, 
even though more aware of security issues today than in the past, will 
not pay for the level of security likely necessary to protect national 
security.
    This recognition, however, does not mean the first step to address 
the gaps between the current and desired states of security should be 
broad-based regulation. Rather, the Government should encourage a 
balanced approach, one that combines industry self-regulation with 
Government influence (through, for example, procurement regulations) 
and then includes carefully tailored regulation when necessary. I 
believe such a combined approach can be highly effective without unduly 
raising the costs for users and stifling the very innovation that is 
needed to make infrastructures more secure.
    When security gaps are identified--and neither market forces nor 
non-regulatory Government intervention suffices to address that gap--
Government should focus on adopting the regulatory model suggested by 
the CSIS Commission. In this model, industry identifies the best 
practices, and the Government ensures their adoption and works to 
harmonize requirements across sectors. I would also add that any 
Government regulation should follow certain key principles: It should 
solve a clearly identified problem; it should neither be under-
inclusive (fail to solve the problem fully) nor over-inclusive (address 
more than the problem); it should not be crafted in a way that creates 
unintended consequences; and it should be technology-neutral and not 
create hard-to-modify statutorily imposed technology requirements that 
stifle innovation and prevent further enhancements in security.
    Progress in cyberspace security is not without cost. Voluntary 
efforts have closed many security gaps but have not done enough. 
Establishing a cohesive national strategy with a robust public-private 
partnership will create a framework for tailored regulations that can 
advance identity and trust in a manner that markets alone cannot.
                             moving forward
    The first major Presidential document on emerging threats in 
cyberspace was published more than a decade ago when the President's 
Commission on Critical Infrastructure Protection released its seminal 
report.\5\ At that time, only 1.7% of the world's population (70 
million people) had internet access. In the years that have followed, 
the world has changed dramatically. Attacks have evolved from exploits 
designed to garner attention to targeted stealth attacks that are 
designed for more nefarious purposes, such as conducting identity 
theft, economic espionage, and military espionage. In 2008, almost a 
quarter of the world's population (more than 1.5 billion people) had 
internet access, and it continues to grow.\6\ The rise of the internet 
has permitted new forms of social connection, and created new 
educational and economic opportunities. But the richness of cyberspace 
also permits criminals, foreign intelligence organizations, and nation-
states to exploit cyberspace for profit, espionage, or conflict. 
Securing America's future in the information age depends upon creating 
a comprehensive national strategy for cyberspace security, one that 
simplifies, organizes and enables operational partnerships between and 
among Government and private-sector stakeholders, including internet 
citizens.
---------------------------------------------------------------------------
    \5\ http://cip.gmu.edu/archive/
5_PCCIPCriticalFoundations_1097_full_report.pdf.
    \6\ http://www.internetworldstats.com/emarketing.htm.

    Ms. Clarke. I thank you for your testimony.
    I now recognize Mr. Yoran to summarize his statement for 5 
minutes.

STATEMENT OF AMIT YORAN, CHAIRMAN AND CHIEF EXECUTIVE OFFICER, 
                    NET WITNESS CORPORATION

    Mr. Yoran. Ms. Chairwoman and Members of the committee, 
thank you for the opportunity to testify on Reviewing the 
Federal Cybersecurity Mission and for your attention to this 
important topic. My name is Amit Yoran and I have a lot to say, 
so I will skip reading my bio and jump right into it.
    An effective national cyber effort must leverage the 
intelligence community's superior technical acumen and 
scalability. However, it is in grave peril if this effort is 
dominated by the intelligence community. Simply put, the 
intelligence community has always and will always prioritize 
its own collection efforts over the defensive and protection 
mission of our Government's and Nation's digital systems. When 
intelligence operations discover a compromise, the decision to 
inform system defenders or not lacks transparency. Mission 
conflict exists between those defending systems and those 
attempting to collect intelligence or counter-intelligence 
insights.
    The current series of cyber programs called for billions of 
dollars in funding for intelligence and centralized security 
efforts, but are designed with very little emphasis on helping 
defenders better protect the systems housing our valuable data 
and business processes.
    For instance, the Center for Disease Control, which houses 
sensitive research and information about biological threats 
such as anthrax, has ongoing cyber incidents which it lacks the 
personnel and technologies to adequately investigate. In the 
face of spending billions more on centralized cyber 
intelligence activities, the CDC's cyber budget is being cut by 
37 percent. Intelligence focused on national efforts is 
overclassified, to the point where catastrophic consequences 
are highly probable. High levels of classification prevent the 
sharing of information necessary to adequately defend our 
systems.
    For instance, IP addresses, when classified, cannot be 
loaded into defensive monitor systems. It also creates 
insurmountable hurdles when working with a broad range of 
Government IT staffs that do not have appropriate clearances, 
let alone when trying to work with, communicate, and partner 
with the private sector. Classification cannot be used 
effectively as a cyber defensive technique, only one for 
avoiding responsibility and accountability. Overclassification 
leads to a narrowly limited review of any program.
    One of the hard lessons learned from the terrorist 
surveillance program is that such a limited review can lead to 
ineffective legal vetting of a program. The cyber mission 
cannot be plagued by the same flaws as the TSP.
    An immediate, thorough, and transparent legal analysis of 
the governance authority's privacy requirements should be 
performed on the efforts used to both protect our CT systems as 
well as all cyber collection activities. Given the broad 
concerns of overclassification and its cascading consequences, 
conducting these reviews must be a high-priority task.
    Cyber research investments are practically nonexistent at a 
time when bold new visions need to be explored. The Department 
of Homeland Security has demonstrated inefficiency and 
leadership failure in its cyber efforts. While pockets of 
progress have been made, administrative incompetence and 
political infighting have squandered meaningful advancement for 
years now, while our adversaries continue to aggressively press 
their advantage.
    DHS has repeatedly failed to attract or retain the 
leadership and technical acumen required to successfully lead 
in the cyber mission. While the tendency would be to move the 
cyber mission to the NSA, it would be ill-advised for all the 
reasons I provide in my much longer written testimony.
    We must enable civil government to succeed in its mission 
of defense or also concede that the private sector, too, cannot 
succeed in its defensive mission and subjugate them to 
intelligence support. DHS is the natural and appropriate place 
for public/private partnership and cooperative activities, 
including those in cyber.
    The current set of public/private partnerships is at best 
ill-defined. They categorically suffer from meaningful value 
creation or private sector incentives for participation. Such 
incentives might include tax credits, fines, liability levers, 
public recognition, or even occur at an operational level 
through mechanisms such as the sharing of threat intelligence, 
technical knowledge, incident response report, to name just a 
few.
    Trust relationships when dealing in cybersecurity matters 
are absolutely critical. In discussions among privacy and civil 
liberties groups, the role of the NSA in monitoring or defending 
U.S. networks is debated. Should such intelligence programs 
exist, DHS should be very cautious before participating in, 
supporting, or engaging in these activities.
    The Department's ability to fulfill its primary mission and 
responsibilities may be permanently damaged by a loss of public 
confidence and trust. At a bare minimum, in order to preserve 
this trust, any interaction with domestic intelligence efforts 
should be explicitly and clearly articulated.
    Sufficient transparency may serve to increase public trust 
and confidence and offset concerns raised by uncertainty and 
the uninformed. DHS must be formally charged with and enabled 
to build an effective cyber capability in support of securing 
our Federal civilian systems. Special provisions should be made 
in the hiring, contracting, human resources, and political 
issues within the cyber mission of DHS to prevent it from 
remaining a victim of the Department's broader administrative 
failures.
    DHS should be given specific emergency authorities to 
address security concerns in civil systems, to include the 
ability to measure compliance with security standards, 
protocols, and practices, and take decisive action where 
organizations are not applying reasonable standards of care. At 
present, the operational cybersecurity arm of DHS, US-CERT, 
remains politically torn apart into three components, 
completely subjugated to a cadre of detailees from the 
intelligence community.
    In order to regain efficiency, the Department's operational 
security activities must be reconsolidated in the US-CERT. This 
operational mission is not resourced to succeed with less than 
20 Government FTEs and a budget of only $67 million.
    Ms. Clarke. Mr. Yoran, I am just going to ask if you can 
summarize and we will probably pick up on more of your 
testimony through questions. Of course, we have your full 
testimony in the record.
    Mr. Yoran. Yes, Madam Chairwoman.
    The newly focused DHS US-CERT should report directly to the 
Secretary of DHS, just as NTOC reports to the Director of NSA. 
The cyber responsibilities of the Department must not remain 
buried in the Department or, alternatively, they must be 
removed and placed in an independent agency where they can 
succeed. Thank you.
    [The statement of Mr. Yoran follows:]
                    Prepared Statement of Amit Yoran
                             March 10, 2009
    Ms. Chairwoman and Ranking Member, thank you for the opportunity to 
testify before the Homeland Security Committee on Reviewing the Federal 
Cybersecurity Mission.
    My name is Amit Yoran and I am the CEO of the NetWitness 
Corporation, a company providing next generation cybersecurity 
monitoring technologies to the U.S. Government and private sector, 
including Fortune 500 companies delivering critical infrastructure 
cyber protection to the Nation. I serve as a member of the CSIS Cyber 
Commission advising the 44th Presidency and on numerous security 
industry advisory bodies.
    Previously I have served as the first Director of the National 
Cyber Security Division (NCSD) in standing up the United States 
Computer Emergency Readiness Team (US-CERT) and Einstein program at the 
Department of Homeland Security (DHS), as founder and CEO of Riptech, a 
leading managed security services provider, and as manager of the 
Vulnerability Analysis Program (VAP) of the U.S. Department of 
Defense's Computer Emergency Response Team (DoD CERT). I received a 
Bachelor of Science degree in Computer Science from the United States 
Military Academy at West Point and a Master of Science in Computer 
Science from The George Washington University.
    Over the past 15 years, automation and use of computer systems has 
permeated every aspect of modern life. Our Nation is entirely reliant 
upon computer systems and networked technologies in everything from 
national security and intelligence activities to commerce and business 
operations to power production and transmission to personal 
communications and correspondences.
    Today's internet has become one of the unifying fabrics driving 
globalization at an increasingly accelerated pace. It represents the 
core means by which personal and organizational interactions occur 
whether those communications take the form of internet email or simply 
phone calls, which invariably traverse the cyber realm. Beyond its role 
as a communications medium, computer-based automation and technology 
are the driving forces behind every major industrial and economic base 
in the world. Simply put, computer technologies and communications 
represent the greatest threat to and opportunity for expansion of the 
U.S. values system.
                evolving into a national cyber strategy
    The past 2 years have brought about an unprecedented level of 
Federal focus and attention on cyber security matters culminating in a 
portfolio of activities commonly referred to as the Comprehensive 
National Cyber Initiative (CNCI). Advocacy for CNCI under the Bush 
administration resided in the Office of the Director of National 
Intelligence (ODNI), under whose charge the billions of dollars in 
programs were conceived and orchestrated. While many of the CNCI 
programs are well intended and designed, there are several significant 
flaws in adopting the Bush administration's CNCI as an on-going 
national cyber strategy.
    White House leadership. The Obama White House is currently 
        conducting a comprehensive 60-day review of cyber. The purpose 
        of the review is to develop a strategic framework to ensure 
        that ``initiatives in this area are appropriately integrated, 
        resourced and coordinated both within the Executive Branch and 
        with Congress and the private sector.'' This review effort will 
        culminate in recommending an optimal White House organizational 
        structure for dealing with the cyber challenges facing our 
        national and economic security as well as ``an action plan on 
        identifying and prioritizing further work in this area.'' For 
        the reasons outlined below, an effective national effort to 
        address cybersecurity can only succeed through continuous, 
        active, and decisive White House leadership.
    Intelligence.
      An effective national cyber strategy must leverage the 
            strength of the intelligence community. As information and 
            computer-based technologies increasingly permeate how the 
            world works, opportunities abound to improve the types, 
            quantity, and quality of intelligence the community can 
            provide at various levels of classification to its 
            consumers. In the primary intelligence functions of 
            collection, analysis, and dissemination, cyberspace can 
            provide an effective aspect to operations. The volumes of 
            information and the diversity of sources can quickly become 
            overwhelming. The intelligence community must continue to 
            refine its ability to evaluate the quality and value of 
            such information and accurately assess it in order to 
            assure its appropriate dissemination to decisionmakers. 
            This should include improved functionality around 
            attribution in cyberspace.
      There is a clear and distinct conflict of interest between 
            intelligence objectives and those of system operators. 
            Simply put, intelligence organizations prioritize the 
            intelligence and counter-intelligence missions, which in 
            cyber focus on monitoring adversaries, determining their 
            methods and techniques, tracking their activities to a 
            point of origin, and determination of compromise scope, and 
            attack intent and adversary's objectives. While these are 
            very important, they frequently conflict directly with the 
            information assurance objectives of system owners and 
            operators, who are primarily concerned with system defense 
            and protection, and in the event of compromise, a speedy 
            restoration to a functional and assured state. This 
            distinction in core objectives is critical because it 
            represents the difference between programmatic emphasis on 
            information gathering, or system resilience and 
            availability. For instance, intelligence and law 
            enforcement entities often prioritize attack attribution, 
            while almost no emphasis is placed on attribution by those 
            defending systems. Rather than sharing information with 
            operators and better informing them as to how they can 
            defend and monitor themselves, an intelligence community-
            centric mindset around cyber would limit information 
            exchange and instead focus on enabling the intelligence 
            community to perform an expanded and aggregated monitoring 
            program. Such a monitoring program would face significant 
            cost and scalability impediments. We must remember the 
            purpose for a monitoring program. Are we in fact monitoring 
            to enable better defenses? Who makes the decisions to 
            inform the defense? It is a clear conflict of interest for 
            those who collect to make this decision. The decision 
            should be a balanced one. Prioritizing the intelligence 
            mission also has significant resource allocation 
            implications. Amid news stories of billions of dollars in 
            cyber spending under CNCI, a majority of resources are going 
            to intelligence and centralized monitoring activities. For 
            instance, the Center for Disease Control, where sensitive 
            information resides about biological threats, such as 
            anthrax, has on-going incidents which they do not have the 
            manpower or technology to adequately investigate. In the 
            face of these challenges, this year the CDC's cybersecurity 
            budget will be reduced by 37%.
      For ill-defined reasons, the CNCI led by ODNI has been 
            shrouded by a high degree of secrecy and lack of 
            transparency. The plan itself is so classified that even 
            Members of Congress have not been provided copies and 
            industry has had no access to the document. While the need 
            for high levels of classification may exist in certain 
            components of a national cyber effort, such as offensive 
            capabilities or for the protection of sources and methods, 
            such a broad over-classification is counterproductive to 
            supporting an effective cyber defense. Such information is 
            prevented from being shared with operators, most of whom 
            do not hold adequate clearances, and this creates significant 
            hurdles when trying to defend unclassified systems. In 
            recent examples adversary internet addresses used in 
            attacks and their various attack methods have been 
            classified to the point they were not broadly available for 
            defensive purposes or provided through channels. In 
            numerous cases this roadblock prevented information from 
            being used effectively in cyber defense and provided 
            further advantage to our adversaries. If you cannot or will 
            not share useful information with cyber defenders, their 
            job is made far more difficult. As the private sector is 
            increasingly the target of foreign intelligence efforts, a 
            national cyber effort will need to further evolve its 
            abilities in working with the private sector. Most 
            importantly, over-classifying a national cyber strategy 
            prevents adequate public review and debate to assure that 
            the programs are designed optimally, contain the highest 
            level of innovation, and are well-aligned with and informed 
            by the total body of knowledge of the cyber security 
            profession. Often classification is used to hide weaknesses 
            found. Classification cannot be used effectively as a cyber 
            defensive technique, only one for avoiding responsibility 
            and accountability. Over-classification leads to a narrowly 
            limited review of any program. One of the hard-learned 
            lessons from the Terrorist Surveillance Program (TSP) is 
            that such limited review can lead to ineffective legal 
            vetting of a program. The cyber mission cannot be plagued 
            by the same flaws as the TSP has been.
      Intel loss/gain analysis has historically been performed 
            by the intelligence community's judgment without 
            substantive subject matter input from those whose systems 
            are being damaged. If the intelligence community takes on a 
            leadership role for the cyber mission it is likely that 
            additional monitoring programs will be put in place to find 
            the adversary. While the technical acumen within NSA is 
            strong, better controls over operations would be needed to 
            reduce the natural emphasis on collection and instead 
            prioritize the protection and availability of Government 
            and industry systems. The cyber mission suffers in favor of 
            the intelligence mission all too often. While protecting 
            sources and methods, the intelligence community needs to 
            better inform public and private sectors on the threat 
            environment and how they can better defend themselves. 
            Moreover, some organizations may be less likely to act 
            responsibly and invest properly in monitoring and defending 
            their own systems if they feel as though they can rely on 
            some federated intelligence monitoring operation.
    Research and Development. The current paradigm in cyber 
        security is not likely to change significantly through improved 
        security products, monitoring, and incident response 
        capabilities. While the private sector makes significant 
        investment in incremental product, application, and protocol 
        improvements, fundamental research is required to meaningfully 
        improve the security of the cyber and critical infrastructures.
      According to the CSIS Commission work, ``The federal 
            government plans to spend about $143 billion in 2009 on 
            R&D. We estimate that two-tenths of 1 percent of that will 
            go to cybersecurity.'' An inherently Government investment 
            must drive long-term research agendas in cybersecurity, 
            where private sector focus on shorter-term 
            commercialization limits results to more tactical or 
            incremental advancements. The Department of Homeland 
            Security's Science and Technology Directorate invests less 
            than $20 million per year on cybersecurity research 
            efforts, a far cry from any responsible level of resource 
            allocation.
     The Government should not use this money to be in the 
            security product development business, especially via 
            classified venues. In an overwhelming majority of 
            instances, Government cyber requirements are substantially 
            similar to if not exactly the same as the private sector 
            and only in the rare cases where they are not or in 
            classified instances, do specific tactical Government 
            development efforts make sense to consider. In addition, it 
            is a fact that there is a severe lack of qualified 
            engineers needed to develop these systems. Today, the 
            majority of these engineers are employed by the security 
            industry. The Government and intelligence community should 
            guide and assist in functional requirements for the 
            development of technologies which can help us best address 
            the sophisticated cyber threat environment, not enter the 
            product development business. The resulting improvement in 
            security technologies will not only benefit the Government 
            in protecting its systems, but will also benefit the 
            Nation's critical infrastructure operators and rest of the 
            shared internet fabric that joins our digital world. 
            Additionally, Government development efforts have stranded 
            enterprise cyber defenders without the benefits of product 
            management, maintenance, and professional support.
   Standards and Acquisition reform. The CSIS Commission report 
        provides a lot of insight into how the Government can 
        positively improve its situation as well as security of private 
        networks by leveraging its expertise in standards setting and 
        using its procurement size to effect product vendor behaviors. 
        We also need to consider more dynamic methods for systems 
        procurement and lifecycle management as the current processes 
        seem marginally nimble enough to enable the purchase of a 
        battle tank or fighter jet. Antiquated and poorly maintained 
        systems compound our challenges. The systems on Federal 
        networks average 5 years old. Unlike responsible parties in the 
        private sector, Federal networks frequently do not have 
        centralized patching, vulnerability understanding, or adequate 
        monitoring technologies and processes. Simply put, they are not 
        achieving or maintaining an appropriate standard of care by any 
        responsible measure. It should be understood that the reasons 
        for this are a lack of IT and IT security governance. The 
        technology here is not overly complex; the real challenge is 
        the people and the process. The average Government executive, 
        whether DoD or civil, stays in his/her position for an average 
        of 18 months. There is little or no reason to look ahead at the 
        next executive's tenure and budget or plan for the life cycle 
        management or security of a system 18 months later. In 
        addition, because planning was not done in the previous 
        executive's tenure, the system the executive has to care for is 
        more likely than not to be in an unkempt, dated, and insecure 
        state. There is no governance mechanism or motivation for 
        Government systems to plan, budget, or perform best practice 
        life-cycle management which can significantly reduce risk of 
        loss. Please see the recently published Consensus Audit 
        Guidelines for a reasonable approach to minimal security 
        practices.
   Legal Review and Privacy Oversight.
     Congress and the Obama Administration must work together 
            to modernize authorities. FISMA and Clinger-Cohen are dated 
            and fraught with politics and games. Without hard-hitting, 
            detailed legislation that structures governance and 
            authorities no program will succeed. Today the CNCI is not 
            codified. HSPDs 54 and 23 are not supported by legislation, 
            therefore are not mandated. An immediate, thorough, and 
            transparent legal analysis of the governance, authorities, 
            and privacy requirements should be performed on both the 
            efforts used to protect IT systems as well as an analysis 
            with the requisite understanding of intelligence and 
            national security law for all cyber collection activities. 
            Given the broad concerns of over-classification, conducting 
            these reviews must be a high priority task.
     An effective national cyber function requires an informed 
            privacy function. Privacy issues need proper review and 
            advocacy when designing various Government cyber security 
            programs, especially those of the intelligence and law 
            enforcement communities. An effective program should be 
            implemented in a non-partisan fashion by qualified privacy 
            professionals who are not members of the executive or 
            legislative branches and have fixed terms of service 
            without eligibility for reappointment or extension terms. 
            Security can be implemented with and even contribute to 
            enhanced privacy, but it is not easy and often not without 
            strong and deliberate privacy advocacy and oversight.
   Homeland Security.
     The Department of Homeland Security (DHS) has demonstrated 
            inefficiency and leadership failure in its cyber efforts. 
            While pockets of progress have been made, administrative 
            incompetence and political infighting have squandered 
            meaningful progress and for years now our adversaries 
            continue to aggressively press their advantage. Recently, 
            the Director of National Intelligence, Admiral Dennis 
            Blair, told the House intelligence committee that, ``the 
            NSA, rather than the Department of Homeland Security which 
            currently oversees cybersecurity, has the smarts and the 
            skills to secure cyberspace.'' In his assessment of both 
            organizations he is absolutely correct. DHS has repeatedly 
            failed to either attract or retain the leadership and 
            technical acumen required to successfully lead in the cyber 
            mission space. On a number of occasions proven, talented, 
            and knowledgeable leaders from within the Government or 
            successful experts from private sector have joined the 
            Department in hopes of meaningful contribution. In its 
            cyber responsibilities DHS has a consistent track record 
            for tolerating political infighting, individual egos, and 
            shenanigans over prioritizing and executing its cyber 
            responsibilities in a mature fashion. While the tendency 
            would be to migrate the cyber mission to the NSA, that 
            would be ill-advised for all of the reasons provided 
            earlier. In Rod Beckstrom's resignation letter last week, 
            he states, ``NSA effectively controls DHS cyber efforts 
            thru detailees, technology insertion and the proposed move 
            of NPPD and the NCSC to a Ft. Meade NSA facility. NSA 
            currently dominates most national cyber efforts . . . The 
            intelligence culture is very different than a network 
            operations or security culture. In addition, the threats to 
            our democratic processes are significant if all top level 
            government network security and monitoring are handled by 
            any one organization.'' This could not have been more 
            accurately stated. We must enable civil government to 
            succeed at this mission. This being said, it is far past 
            time we fix the DHS problems and move forward.
     Public-Private Partnership. In addition to defining 
            increased security functionality and assurances for 
            Commercial Off the Shelf Software (COTS), the Government 
            must work more closely with the private sector and 
            understand their businesses if it is to be effective in 
            constructing useful partnership programs. Programs managed 
            in a vacuum by the intelligence community at a highly 
            classified level are unlikely to work well and in concert 
            with system operators within the Federal Government, let 
            alone in the private sector, where not only are mission 
            objectives completely foreign, but where there are very few 
            people with Government clearances. Government programs need 
            to focus on open dialog and information exchange, and 
            enabling the private sector to better understand the 
            security challenges they face and how they might be 
            overcome with the help of the Government. DHS is the 
            natural and appropriate placement for public-private 
            partnership and cooperative activities, including those in 
            cyber security. The current set of public-private 
            partnerships are at best ill-defined. While well-
            intentioned and occasionally valuable information is 
            brought to the Department, they categorically suffer from 
            meaningful value creation to the private sector. A deeper 
            understanding of how cyber defense and security operations 
            are implemented in the private sector is required by those 
            crafting the evolution of these programs so that adequate 
            incentives can be appropriately incorporated going forward. 
            Such incentives might include tax consequences, fines, 
            liability levers, public recognition, or even occur at an 
            operational level, such as the sharing of threat 
            intelligence, technical knowledge or incident response 
            support to name just a few. Due to its fluid nature, trust 
            relationships when dealing in cyber security matters are at 
            least as strongly emphasized as in physical security. In 
            news reports and discussions among privacy and civil 
            liberties groups the role of the NSA in monitoring or 
            defending domestic private networks is debated. Should such 
            intelligence programs exist, DHS should be very careful to 
            distance itself from participation, support, or engagement 
            in these activities. The Department's ability to fulfill 
            its primary mission and responsibilities may be permanently 
            damaged by a loss of public confidence and trust. At a bare 
            minimum, in order to preserve public trust, its interaction 
            with domestic intelligence collection efforts should be 
            explicitly and clearly articulated.
     NCSC and US-CERT. Congress and the administration should 
            focus DHS where it can have the greatest positive impact. 
            The Department's culture migrates toward increasing its own 
            mission scope and infrequently emphasizes a crawl, walk, 
            run mentality. Sometimes, it's just time to close 
            PowerPoint and Word, stop the rhetoric and simply roll the 
            sleeves up and begin the actual work at hand. For instance, 
            spending the Department's limited resources on advocacy 
            programs for better software development, where the 
            Department has very limited experience, expertise, and 
            credibility is of exceptionally limited value.
     The US-CERT works to support the security of Government 
            networks through design, deployment and monitoring the 
            Einstein series of programs to enhance situational 
            awareness, be the centralized incident reporting authority 
            for the Federal civilian networks, facilitate efficient 
            incident response and cleanup efforts, support the private 
            sector through information exchange with critical 
            infrastructure operators, and working with IT and IT 
            security product vendors to assure that they can address 
            the needs of the broader Federal Government and critical 
            infrastructures.
        At present the US-CERT remains torn apart into three arms: a 
            technology deployment arm (led by an intelligence 
            community detailee), a security arm (managing the Trusted 
            Internet Connection program), and the operations arm 
            (performing the core US-CERT mission). This stove-piping 
            has added political strife, an inability to spend 2009 money 
            this year, and has defocused all from accomplishing the single 
            US-CERT mission. In order to regain any efficiency, the 
            Department's operational security role, which has been 
            ripped apart by years of political infighting, must be 
            reconsolidated in the US-CERT. The critical work of the US-
            CERT with its operational mission is not resourced to 
            succeed (fewer than 20 Government FTEs, a budget of only 
            $67 million out of the Department's $355 million spend on 
            cybersecurity). Additionally, the US-CERT must be led by a 
            single Federal civil executive.
        The coordination function of the National Cyber Security Center 
            is underutilized. Rod Beckstrom's recent resignation claims 
            that only 8 weeks of the annual funding have been provided 
            to it. His concerns for NSA management control of DHS' 
            cyber efforts apply to the US-CERT as well, which reports 
            to a detailee from the USSS, who reports to a detailee from 
            NSA/Navy. All special assistants around the Acting 
            Assistant Secretary are also NSA detailees. The US-CERT 
            must be provided appropriate staffing levels to move 
            forward and given adequate funding. Not doing so cannot 
            help but send the strongest message to the cyber community, 
            the rest of Government, the intelligence community, and the 
            private sector that cybersecurity does not matter to DHS 
            leadership and the Department's role is unnecessary. A 
            newly focused cyber mission must report directly to the 
            Secretary of DHS. This critical mission has been sought 
            aggressively by so many parties, but resisted so strongly 
            by the Department responsible for its successful execution. 
            Cyber must not remain buried in the bureaucracy of DHS or, 
            alternatively, it must be removed and placed where it can 
            succeed.
    The House Homeland Security Committee and Congress should work with 
the Executive branch to assure these fundamental changes are made:
    1. DHS must be charged with and enabled to build an effective cyber 
        capability in support of securing Federal civilian systems.
      a. Make special provisions in the hiring, contracting, human 
            resources, political issues within the cyber mission of DHS 
            to prevent it from remaining a victim of the Department's 
            broader administrative failures.
      b. Enable the US-CERT to stand up the capabilities necessary to 
            assist in the defense of Federal civil government as a 
            component of the Federal civil agency charged with 
            defending the homeland.
      c. DHS should also be given specific emergency authorities to 
            specifically address security concerns in civil systems, to 
            include the ability to measure compliance with security 
            standards, protocols, and practices and take decisive action 
            where organizations are not applying reasonable standards 
            of care.
    2. Flesh out, define roles, responsibilities and authorities of 
        DHS, DoJ, DoD, NSA, and other Federal departments and agencies 
        engaged in securing digital infrastructure. Such a framework 
        should be publicly stated so that trust and confidence in cyber 
        programs can be restored. It will also be a critical step in 
        guiding more informed and consistent interactions with the 
        private sector. Steps must also be put in place to allow the 
        White House, Congress, departments and agencies to have 
        visibility, input, and clear oversight into the process and 
        solutions.
    3. Adequately resourcing for success.
      a. A large-scale reallocation of the DHS cyber monies toward the 
            programs which are operational and provide meaningful value 
            add to its responsibilities to the Federal civil networks 
            is needed.
      b. There exist stronger network controls and millions of dollars 
            spent by DoD and NSA to protect the DoD networks, and that 
            they still are under-resourced to adequately defend 
            themselves. Only a fraction of that is being spent to 
            defend Federal civilian systems and in reality those 
            networks are by comparison 10 times larger than the Defense 
            Department's.
    Thank you for the opportunity to testify. I would be happy to 
answer any questions you may have at this time.

    Ms. Clarke. I thank you as well for your testimony.
    I now recognize Ms. Davidson to summarize her statement for 
5 minutes.

STATEMENT OF MARY ANN DAVIDSON, CHIEF SECURITY OFFICER, ORACLE 
                          CORPORATION

    Ms. Davidson. Chairwoman Clarke, Members of the 
subcommittee, my name is Mary Ann Davidson. I am Chief Security 
Officer for Oracle. Thank you for the opportunity to testify 
regarding the important issue of cybersecurity.
    The Declaration of Independence states all men are created 
equal. All information systems, however, are not. The truth of 
the statement should be self-evident but it isn't, and therein 
lies a risk to our freedoms. The ubiquity, flexibility, and 
configurability of information systems has led to circumstances 
in which software designed for a particular purpose and 
environment is too often deployed in an environment it was 
never designed for, without any thought or explicit acceptance 
of the risks in so doing. There is no substitute for knowing up 
front what you need software for, how it is going to be 
deployed, and what risks you can accept and what risks you 
won't. The time to make these determinations is during 
procurement, not afterwards.
    The Navy does not purchase container ships and try to 
deploy them as aircraft carriers, nor does the Air Force 
purchase Gulfstream V's and try to configure them as F-22 
Raptors. While there is nothing wrong with container ships or 
Gulfstream V's, they were not designed for the operational 
needs or the threat environment that aircraft carriers and F-
22s were designed for.
    Why then is information technology somehow different? It 
isn't. Good security, like good hardware, starts in 
procurement: Knowing what you need, how it will be used, and 
explicitly describing the threat environment for deployment. 
Use procurement wisely and aggressively.
    This brings me to my second point. Information technology 
is mission-critical not merely mission-enabling. Our entire 
economy rests on an IT backbone; in particular, our homeland 
security and our military's ability to prosecute war rests on 
an IT backbone. DOD continues to invest in network-centric 
operations, which is all about getting the right information to 
the right warrior at the right time and the right battlespace. 
This makes the network itself the battlefield and therefore, 
DOD needs to enhance the treatment of information systems as a 
core mission specialty as well as using information systems 
offensively. Absent this capability, the DOD will not be able 
to use IT as the force multiplier it is.
    Just as General Patton knew his tanks and their technical 
capabilities very well, not just merely how to deploy them, our 
military and homeland security leaders need to know how to 
deploy and embrace the full capability of IT. Putting it 
differently, do we envision having a contractor at the helm of 
an aircraft carrier? If not, then why would our cyber offense 
be any different? General Patton also knew that the 3rd Army 
would stop without supplies of gas. Netcentric armies stop 
without supplies of information. Only by holding capability for 
both function and esteem can offense inform defense.
    This brings me to my third point. We are in a conflict. 
Some would say a war. Let's call it what it is. Given the 
diversity of potentially hostile entities building cadres of 
cyber warriors probing our systems, including our defense 
systems for weaknesses, infiltrating U.S. Government networks 
and making similar attempts against American businesses and 
critical industries, is there any other conclusion to be 
reached?
    There are three obvious outgrowths from the above 
statement. One is that you can't win a war if you don't admit 
you are in one. The second is that nobody wins on defense. The 
third is that we need a doctrine for how we intercede in 
cyberspace that covers both offense and defense and maps to 
existing legal and societal principles in the off-line world.
    In short, Congress should consider developing a 21st 
century application of the Monroe Doctrine. The need for a 
framework to guide the Government's role in response to foreign 
aggression is a point that Melissa Hathaway has specifically 
noted during her review and an area where this subcommittee can 
work with the National Security Council.
    You may recall that the Monroe Doctrine, introduced in 
1823, said that further efforts by European governments to 
interfere with the States in the Americas, the Western 
Hemisphere, would be viewed by the United States as acts of 
aggression, and the United States would intervene. The Monroe 
Doctrine is one of our longest-standing foreign policy tenets, 
invoked on multiple occasions by multiple Presidents. We have, 
as the expression goes, sent in the Marines and the rest of our 
Armed Forces to uphold it.
    Some may argue that cyberspace is virtual and unsuited to 
declared spheres of influence. But even internet protocol 
addresses map to physical devices in physical locations we 
care about: Critical infrastructures such as a server for a 
utility company in New York or a bank in California. Note that 
the Monroe Doctrine did not detail the same intervention or 
even specific intervention for each perceived act of 
aggression. It merely laid out ``Here is our turf, stay out or 
face the consequences,'' language that allowed great 
flexibility in terms of potential responses.
    We need not militarize all elements of U.S. cyberspace any 
more than invoking the Monroe Doctrine meant creating permanent 
military encampments throughout the Western Hemisphere. The 
advantages of invoking a Monroe Doctrine in cyberspace would be 
to put the world on notice that the United States has cyber 
turf, and the second is that we will defend our turf. We need 
to do both now.
    Thank you and I look forward to your questions.
    [The statement of Ms. Davidson follows:]
                Prepared Statement of Mary Ann Davidson
    Chairwoman Clarke, Members of the subcommittee, my name is Mary Ann 
Davidson, and I am Chief Security Officer for Oracle. For more than 30 
years, information security has been a central part of Oracle's 
software DNA, and is a big reason why the Federal Government is 
Oracle's largest customer. Thank you for the opportunity to testify 
regarding the important issue of cybersecurity.
1. The Declaration of Independence states ``All men are created 
        equal.'' All information systems, however, are not.
    The truth of this statement should be self-evident but it isn't, 
and therein lies a risk to our freedoms. The ubiquity, flexibility, and 
configurability of information systems has led to circumstances in 
which software designed for a particular purpose and environment is too 
often deployed in an environment it was never designed for, without any 
thought or explicit acceptance of the risks in so doing. Without 
properly scoping our requirements we are faced with an all-or-nothing 
approach to cyberspace, simultaneously putting at risk our civil 
liberties, our homeland security and the women and men of our armed 
forces.
    Let me give you a present-day example: I had a most frightening 
conversation with a highly placed official in the Defense Department 
who said that DoD wanted to use popular social networking software and 
that (direct quote) ``you in industry need to secure it.'' My response 
to that statement: ``What is DoD going to use the software FOR? `Hi, 
I'm an al Qaeda operative. I like long walks on the beach and IEDs. 
Will you friend me?' '' Without an appropriate context, I noted to the 
gentleman, there is no magic security dust we in industry can sprinkle 
on technology that is already ``out there and being used,'' especially 
if we do not know what it is being used for. Certainly there are 
legitimate scenarios where we may want to permit our troops to use 
social networking software as a morale booster, including contact with 
their family and friends, but the technical and policy-based security 
requirements around that use case are different from a use case where 
the DoD might use similar technology for operational purposes.
    There is no substitute for knowing upfront what you need software 
for, how it is going to be deployed, and what risks you can accept and 
what risks you won't. The time to make those determinations is during 
procurement, not after. The Navy does not purchase container ships and 
try to deploy them as aircraft carriers. Nor does the Air Force 
purchase Gulfstream Vs and try to configure them as F-22 Raptors. There 
is nothing wrong with container ships or Gulfstream Vs, by the way, but 
they were not designed for the operational needs or--and I emphasize 
this last point--threat environment that aircraft carriers and F-22s 
were designed for. Why, then, is information technology somehow 
``different?'' It isn't. Private industry and Government agencies have 
varying use cases and threat environments in cyberspace, just as they 
share different requirements in the real world. And where privately run 
information systems can benefit from defensive technologies informed by 
our offensive capabilities--to use a metaphor--this rising tide will 
lift all ships in cyberspace.
    Unfortunately, many think software is so flexible and configurable, 
that one size fits all applications. It doesn't. The military already 
knows this, but sometimes they need an occasional reminder. When I was 
a naval officer, I had many different uniforms: dress blues, dress 
whites, tropical whites, khakis, and utility greens. Each had its 
purpose. Should one be foolish enough to wear dress blues to a 
firefight, it isn't merely that you will be breaking uniform 
regulations; you aren't going to be adequately protected, either. You 
wear body armor to a firefight. While cost is one consideration in 
deployment, it need not be the only one, unless we plan on digging up 
old Lee-Enfield rifles and giving them to the Marine Corps instead of 
the M-16s they now use. ``You get what you pay for'' is as true in 
software as in anything else.
    Good security, like good hardware starts in procurement: Knowing 
what you need, how it will be used, and explicitly describing the 
threat environment for deployment. Use procurement wisely and 
aggressively.
    This brings me to my second point.
2. Information technology is mission critical, not merely mission 
        enabling.
    Our entire economy rests on an IT backbone: The acronym ``IT'' 
therefore represents ``infrastructure technology'' as much as 
``information technology.'' In particular, our homeland security and 
our military's ability to prosecute war rests on an IT backbone. DoD 
continues to invest in network-centric operations, which is all about 
getting the right information to the right warrior at the right time in 
the right battlespace. Therefore, the network itself is the battlefield 
because the network is what our enemies will attack if they want to 
deny us the ability to use our own technology (or in an attempt to use 
our technology against us).
    Given that DoD has bet the farm on information systems, it needs 
to enhance its treatment of information systems as a core mission 
specialty in supporting roles as well as using information systems 
offensively as a warfare specialty. Absent this capability, the DoD 
will not be able to fully use IT as the force multiplier it can be. Just 
as Patton knew his tanks and their technical capabilities very well, 
not just merely how to deploy them, our military and homeland security 
leaders need to know and embrace the full capability of IT. Putting it 
differently, do we envision having a contractor at the helm of an in-
theatre aircraft carrier? If not, then why would our cyber offense be 
any different? Note that the ability to deploy and support systems 
itself is also a critical mission specialty, just as, say, supply/
logistics is a staff function in the military but a critical one. 
Patton knew very well that armies stop without supplies of gas; net-
centric armies stop without supporting information systems. 
Furthermore, only by holding capability for both functions in esteem 
can ``offense inform defense'' and vice versa.
    We must also remember the strength of the American economy rests on 
the flexibility afforded the private sector to innovate and market 
those innovations globally. In the same way our Nation's electrical 
grid, pipelines, roads, and railways support our military but are not 
run by our military, our critical cyber infrastructures and the 
companies who create them cannot simply fall under military control. Of 
course our Government should defend our cyber interests, but in the 
same way we would abhor a military presence at every intersection, we 
must also ensure civilian control over the normal operation of our 
digital highways.
    This brings me to my third point.
3. We are in a conflict--some would say a war. Let's call it what it 
        is.
    Given the diversity of potentially hostile entities building cadres 
of cyberwarriors, probing our systems--including our defense systems--
for weaknesses, infiltrating U.S. Government networks and making 
similar attempts against American businesses and critical industries, 
is there any other conclusion to be reached? Whatever term we use, 
there are three obvious outgrowths from the above statement. One is 
that you can't win a ``conflict''--or war--if you don't admit you are 
in one. The second is that nobody wins on defense. The third is that we 
need a doctrine for how we intercede in cyberspace that covers both 
offense and defense and maps to existing legal and societal principles 
in the off-line world. In short, Congress should consider developing a 
21st century application of a Monroe-like Doctrine. The need for a 
framework to guide the Government's role in response to foreign 
aggression is a point that Melissa Hathaway has already noted during 
her 60-day interagency review of the Federal cybersecurity mission, and 
an area where this subcommittee can productively collaborate with the 
National Security Council.
    For those a tad rusty on their U.S. history, the Monroe Doctrine 
(introduced December 2, 1823) said that further efforts by European 
governments to interfere with states in the Americas--the Western 
hemisphere--would be viewed by the United States as acts of aggression 
and the United States would intervene. The Monroe Doctrine is one of 
our longest-standing foreign policy tenets: Invoked on multiple 
occasions by multiple presidents, including Teddy Roosevelt, Calvin 
Coolidge, Herbert Hoover, and John Kennedy. We have, as the expression 
goes, sent in the Marines--and the rest of our armed forces--to support 
the Monroe Doctrine.
    Note that the Monroe Doctrine did not detail the same intervention 
or even specific intervention for each perceived act of aggression, 
merely laid out ``here is our turf; stay out or face the consequences'' 
language that allowed great flexibility in terms of potential 
responses. Some may argue that cyberspace is ``virtual'' and unsuited 
to declared spheres of influence. But even internet protocol (IP) 
addresses map to physical devices in physical locations we care about--
critical infrastructures such as a server for a utility company in New 
York, for example, or a bank in California.
    The advantages of invoking a Monroe-like Doctrine in cyberspace 
would be to put the world on notice that the United States has cyber 
``turf,'' (properly and narrowly scoped--we should not claim all 
cyberspace as our turf). The second is that we will defend our turf. We 
need to do both. Now.
    As I mentioned earlier, having a military response capability does 
not mean militarizing all elements of U.S. cyberspace any more than 
invoking the Monroe Doctrine meant necessarily creating permanent 
encampments throughout the Western hemisphere. Nor should a cyber-
Monroe Doctrine lead to permanent Government encampments in private 
networks, or become a mandate for unilateral intervention in all of 
cyberspace. With proper guidance, various Government agencies and the 
private sector can find their natural role in guarding our cyber 
infrastructures in a framework similar to how we currently protect our 
real-world interests.
    To summarize:
   Technology is only a force multiplier if you pick the right 
        technology for the intended use and intended threat 
        environment. The Government must make security an explicit part 
        of procurement, funding appropriately skilled staff to execute 
        these procurement requirements while recognizing that some non-
        commercial requirements will incur additional costs.
   We need a skilled cadre of Government information technology 
        professionals--both offense (in the military) and defense 
        (throughout the entire Government).
   We need the cyber-equivalent of the Monroe Doctrine for our 
        21st-century information age that respects the boundaries of 
        our shared ownership of the Nation's cyber infrastructure.

    Ms. Clarke. We thank you for your testimony.
    I now recognize Mr. Lewis to summarize his statement for 5 
minutes.

   STATEMENT OF JAMES A. LEWIS, PROJECT DIRECTOR, CENTER FOR 
              STRATEGIC AND INTERNATIONAL STUDIES

    Mr. Lewis. Thank you and thank you to the committee for the 
opportunity to testify. The new administration has a real 
opportunity to improve our Nation's security in cyberspace, but 
there are many difficult issues it has to address, and the work 
of this committee will be essential in helping to guide that 
effort.
    You know, the President has directed the National Security 
Council to undertake a 60-day review. This review is an 
important step. Cyberspace, as you have heard, has become one 
of the central pillars of our economy and our national 
security. Securing cyberspace will help enable recovery and 
future growth. Officials involved in the review have told me it 
is forward-looking, with a broad scope. It will lay out a 
strategic framework for the United States.
    In my testimony, I would like to discuss how to assess the 
review. The Center for Strategic and International Studies 
issued a report in December on steps the next President could 
take. We made many recommendations and whether you like our 
recommendations or not, I believe strongly that we identified 
the right issues. Any review that does not address the issues 
we identified will be inadequate.
    Among our recommendations there are two that I think are 
crucial. The first is the need for clear leadership from the 
White House, and the second is a comprehensive plan for moving 
ahead. We undertook a long discussion of who should lead the 
Federal cybersecurity effort. It looked at many agencies: 
Defense, FBI, GSA, DHS, the intelligence community. We were 
concerned with agency authorities and competencies, but also 
with the signal that a lead agency would send to the public and 
to the world. The United States should avoid being perceived as 
militarizing the internet, and it should avoid solutions that 
give rise to concerns over privacy and civil liberties. In the 
end, we decided only the White House had the necessary 
authority.
    Clear White House leadership is essential, but it has to be 
accompanied by a truly strategic plan, a truly strategic plan--
a truly comprehensive plan, I am sorry.
    What does comprehensive mean? It means going beyond an 
effort to secure Government networks. It means integrating 
offensive and defensive strategies and looking at how to 
improve attribution and identity in cyberspace. It means 
engaging with foreign nations, something we have not done 
particularly well. It means accepting that the Federal 
Government must use its regulatory powers if we are to make any 
progress.
    I want to emphasize the need to develop regulatory 
strategies, because this has been largely overlooked in 
previous national efforts. Regulation is necessary when market 
forces alone will not provide security. We were careful to note 
in our report that a new approach is needed, one that avoids 
both prescriptive regulations, but also rules, that are so 
diluted as to be meaningless. New regulation must be developed 
in partnership with the private sector, but with the Government 
setting the goals and ensuring compliance.
    My own view is that regulation is essential if we are to 
give substance to public/private partnerships. Regulation gives 
us an opportunity to improve cybersecurity in critical 
infrastructure, something this committee has worked on in the 
past and you will be working on, I understand, in the future. 
The work of this committee has made a tremendous contribution. 
It helped guide us in writing the report. Regulation of 
critical infrastructure will become increasingly important. The 
stimulus package envisions spending on infrastructure and it 
will build security in. This is a good idea, but when we come 
to the question of what precisely needs to be done to make new 
projects secure, we don't know the answer, and we don't have 
the time or the people to develop that answer.
    A failure to invest in infrastructure modernization for 
almost 2 decades has made it impossible to build both quickly 
and securely. Smart Grid projects are an example of this. Smart 
Grid uses, for example, advanced meters to measure and manage 
the flow of electricity. These new meters are based on network 
technologies. Unfortunately, if the new smart meters are not 
secure, they can be hacked. Regulation can play a role in 
remedying this by giving Government the ability to mandate 
actions that mitigate our new vulnerabilities. But if we do not 
build the regulatory foundation now, the United States will be 
put at risk.
    Let me summarize quickly. It is always difficult batting 
clean-up because everyone has already said everything. But we 
need somebody in charge at the White House who will implement a 
comprehensive plan. That plan has to include strategies for 
international engagement and for domestic regulation. Then we 
need to move out.
    Okay. I thank the committee and look forward to your 
questions.
    [The statement of Mr. Lewis follows:]
                  Prepared Statement of James A. Lewis
                             March 10, 2009
    I thank the committee for the opportunity to testify on the Federal 
Cybersecurity Mission. I believe that the new administration has a real 
opportunity to make a significant difference in improving our Nation's 
security in cyberspace, but there are many difficult issues that it 
must address. The work of this committee will be essential for helping 
to guide that effort.
    As you know, the President directed that the National Security 
Council undertake a 60-day review of the U.S. approach to 
cybersecurity. Federal officials involved in the review have told me 
that this is a forward-looking effort with a broad scope. It looks 
beyond securing Federal networks, which was the focus of the last 
administration's efforts, and will endeavor to lay out a strategic 
framework for the United States.
    The decision to undertake this broad review is an important step 
forward for our Nation. Cyberspace has become one of the central 
pillars of our economy and our national security. The adoption of 
network technologies since the 1990's by the United States has been a 
source of both competitive advantage and rapid growth. The digital 
infrastructure is now essential. More importantly, expanding our 
digital advantage offers the possibility for continued increases in 
productivity and innovation. Securing cyberspace will help enable 
recovery and future growth.
    Reaping the full advantage of digital technologies will require 
real improvement in cybersecurity. Estimates of the damage to our 
economy are imprecise, but millions of dollars are lost each year to 
fraud and theft, millions of dollars worth of intellectual property 
lost to foreign competitors, with the total easily reaching into the 
billions. One of my fears is that as we increase spending on research 
and science as part of the stimulus package, we are actually 
subsidizing the research of our economic and military competitors since 
they can easily access work that cost us millions to develop for only a 
few dollars.
    There is of course additional risk that insecure digital networks 
could allow foreign militaries and intelligence services, criminals, or 
other groups, to disrupt the provision of crucial services that are 
either provided by or depend upon digital technologies. It is easy to 
overstate the consequences of this sort of attack, and much of the 
discussion of cybersecurity over the last decade has involved some very 
silly and exaggerated scenarios for national disaster, but the risk is 
real and growing, and any national security strategy that does not 
address it is inadequate.
    Where are we today in cyber security? From one perspective, we are 
in remarkably bad shape. In the last year, we have seen the networks of 
the two Presidential campaigns, secure networks at the U.S. Central 
Command and computer networks in Congress and other Federal agencies 
penetrated by outsiders. 2007 saw a number of significant penetrations 
of major Federal agencies by an unknown foreign power. The Secretary of 
Defense's unclassified email was hacked. The Department of Commerce's 
Bureau responsible for high tech exports was off-line for more than a 
month. The networks of the Departments of State and Energy, NASA, and 
other Federal agencies were penetrated and according to public reports, 
immense quantities of information downloaded. The networks of Federal 
contractors, the defense industry and other leading companies were also 
penetrated. Again, our statistics on this are imprecise, as companies 
prefer to conceal their losses or in many instances may not even be 
aware they have been hacked. Poor cybersecurity damages national 
security and drains our economy.
    In response to this crisis, the Bush administration created its 
Comprehensive National Cybersecurity Initiative (known as CNCI). This 
initiative made real progress in securing Federal networks. CNCI 
included Einstein, a technology that monitors Federal networks for 
intrusion. It included the Trusted Internet Connection initiative, TIC. 
It looked at the question of how to use Federal procurements to improve 
cybersecurity in an effort known as the Federal Desktop Core 
Configuration--FDCC. The CNCI included several other initiatives and 
projects, some of which were underway by the time the Bush 
administration ended. Overall, it was a major step forward.
    However, the CNCI had several major drawbacks. It began in the last 
year of the Bush administration. This late start was a serious 
impediment and one advantage for the Obama administration is that it 
came into office understanding that securing cyberspace is a major 
strategic issue. The CNCI was highly and unnecessarily classified. A 
few of its elements deserved being labeled top secret, but most did 
not, and the difficulties that over-classification created for 
coordinating with the private sector and with our allies seriously 
impeded the Bush administration effort. Finally, and most importantly, 
the Comprehensive National Cybersecurity Initiative, despite its name, 
was not comprehensive.
    This was its greatest failing. The CNCI focused on the ``dot.gov'' 
space, on Government networks, and while this is important, it is 
inadequate for cybersecurity. The task involves a global network 
largely operated by the private sector. The CNCI did not have a serious 
international component and it did not adequately address how to secure 
critical infrastructure or the ``dot.com'' space where most commercial 
activity takes place. These were serious shortcomings, and they point 
to crucial areas for work by the new administration.
    At the same time that the previous administration began work on the 
CNCI, the Center for Strategic and International Studies created a 
commission to develop recommendations for the 44th Presidency on how to 
improve cybersecurity. CSIS is a nonpartisan, nonprofit research center 
organization headquartered in Washington, DC with more than 200 staff 
and a large network of affiliated experts. Its research focus is on 
security in a changing global environment. CSIS has been working on 
cybersecurity issues for many years and this work led us, in the face 
of the damaging events of 2007, to establish this Commission. When we 
began our work and for many months afterwards, we did not know of the 
CNCI. Officials involved in the CNCI initially declined our invitations 
to participate in order to preserve the initiative's secrecy.
    The report produced by this commission--I note that the other 
private sector witnesses on this panel were members of the group--laid 
out a truly comprehensive approach to securing cyberspace. Thirty-eight 
thousand copies have been downloaded from the CSIS Web site. We were 
guided by the conclusions that Federal disorganization and an over-
reliance on voluntary efforts had damaged our national security. To 
summarize our recommendations:
   Create a comprehensive national security strategy for 
        cyberspace that uses all the tools of U.S. power in a 
        coordinated fashion--international engagement and diplomacy; 
        military planning and doctrine; economic policy tools; and the 
        involvement of the intelligence and law enforcement 
        communities.
   Publish a public doctrine for cyberspace. The President 
        should state publicly that the cyber infrastructure of the 
        United States is a vital asset for national security and the 
        economy and that the United States will protect it, using all 
        instruments of national power.
   Clarify governance and responsibility for cyber security and 
        establish White House leadership for cybersecurity based on 
        Presidential Strategy and Directives.
   Use regulation to set minimum standards for securing 
        cyberspace, to ensure that the delivery of critical services 
        can continue when we are attacked.
   Mandate strong authentication for access to critical 
        infrastructure. Strong authentication can significantly improve 
        defense, if it is done in a way that protects privacy and civil 
        liberties.
   Use acquisitions policies and rules to drive security, to 
        encourage the development and use of products and services that 
        are secure, based on standards and guidelines developed in 
        partnership with industry.
   Build human capital and improved technologies for securing 
        cyberspace by expanding research, training, and education.
   Refocus and strengthen public-private partnerships and focus 
        them on action, not information sharing. Build on the CNCI 
        effort, as part of a larger and more transparent comprehensive 
        effort to secure cyberspace.
    It is a lengthy list, but this reflects the overarching importance 
of cyberspace to our Nation and the complexity of the problems involved 
in securing it. I believe that the issues we identified are central for 
improving national security and the 60-day review must address them.
    Two recommendations deserve additional scrutiny in the context of 
the 60-day review. These are governance and regulation. We had a 
lengthy set of discussions in the CSIS commission on how best to 
organize for cyberspace. We considered many agencies for the lead role, 
including the Departments of Defense and Homeland Security, the FBI, 
the General Services Administration, and the intelligence community.
    Three problems drove us to reject an agency-led approach. First, 
the mandate of any one agency would have to be greatly expanded to 
fully cover cybersecurity. Agency legal authorities differ widely and 
none--law enforcement, military or intelligence--are by themselves 
adequate for the range of cyber problems. We did not think that a super 
agency with broad domestic and international powers made sense. Public 
perception is important. Giving the intelligence community the lead in 
cybersecurity, although initially attractive to some of us because of 
the strong capabilities these agencies possess, would trigger powerful 
antibodies in the privacy community and the public, particularly after 
the experience of the previous administration's warrantless 
surveillance program and the struggles over FISA renewal.
    The previous administration gave the Department of Homeland 
Security a central role in cybersecurity. We concluded that this was a 
mistake. While DHS has an important role to play, it lacks the 
competencies to deal with the range of issues involved in cybersecurity 
or to successfully engage in conflict with foreign militaries and 
intelligence services. DHS also lacks the interagency stature to direct 
other, more powerful agencies.
    Giving DOD the lead could be interpreted as ``militarizing'' the 
internet and would likely also provoke a reaction from both the privacy 
and the international communities. Foreign nations track U.S. policies 
closely and a decision to give DOD the lead in securing cyber space 
would be interpreted as a decision by the United States to make 
military action the focus of its cyber efforts. This would not be in 
our interest, as we will need to build a collaborative international 
approach to improve security.
    At the end of the discussion, we concluded that only the White 
House had the authority to bring many large and powerful agencies to 
follow a common agenda and to coordinate with each other. A successful 
approach to cybersecurity blends intelligence, law enforcement, 
military, diplomatic, and domestic regulatory functions. Coordinating 
these various functions can be best done from the White House. In 
recommending a White House lead, we emphasized that a ``cyber czar'' is 
not the right solution. The new administration went through a brief 
fascination with czars of various shapes and flavors for different 
issues; our view is that for cyber security, the overly centralized 
approach implied by a czar will fail. The White House and only the 
White House can set strategy and policy, ensure that agencies are 
following them and resolve agency disputes.
    Regulation is the second issue that deserves extra attention. Our 
report concluded that the market would never deliver adequate security 
and the Government must establish regulatory thresholds for critical 
infrastructure. We proposed a new, more flexible approach to developing 
regulation that was based on close cooperation with industry in 
developing standards and an avoidance of prescriptive regulations that 
spell out in precise detail what companies must do.
    Regulation poses a number of challenges. The United States does not 
need regulations that are costly to implement yet deliver little in the 
way of improved security. Nor does the United States need regulations 
that are so diluted as to be meaningless. Finding the required balance 
will be difficult, but if we fail to use regulation to improve our 
national cyber security, if we do not identify mandatory actions to 
secure the digital infrastructure, the Obama administration will have 
no more success than any of its predecessors.
    The stimulus package has inadvertently complicated the issue of 
regulation. The package includes significant funding for infrastructure 
projects, such as the Smart Grid. The package envisions that spending 
on infrastructure will build security into new projects. All this is 
good, but we then come to the question of what precisely needs to be 
done to make these new projects secure? Unfortunately, we do not know 
the answer to this and we do not have the time or people needed to 
develop that answer. A failure to invest in infrastructure 
modernization for more than a decade has made it impossible to build 
both quickly and securely.
    ``Smart Grid'' projects are an example of this problem. The Smart Grid uses 
advanced meters to measure the flow of electricity and allow it to be 
better managed. These new meters are based on internet technology. 
Unfortunately, if the new ``smart'' meters are not secure, they can be 
``hacked,'' taken over by attackers, and used to disrupt the delivery 
of electricity. The United States does not have the guidelines it needs 
to make infrastructure secure.
    I am not recommending that we delay stimulus investments while we 
sort out the requirements for cybersecurity. The most pressing task 
facing the new administration is to mitigate the suffering that the 
recession has brought and to take the steps needed to reduce 
unemployment and restore growth. Infrastructure investment is an 
important part of this. Years of underinvestment in infrastructure have 
put us in this unfortunate situation. However, regulation can play a 
role in remedying this problem, by giving Government the ability to 
identify and mandate actions that mitigate new vulnerabilities. For 
example, a requirement that electrical companies strengthen 
authentication of identity on their control networks would improve 
security. But if we do not build the regulatory foundation now, the 
United States will be put at risk, and the task of laying the 
foundation falls squarely on the 60-day review.
    Regulation can also help reshape and strengthen public-private 
partnerships. For more than a decade, the public dialogue has revolved 
around threadbare ideas on the need to defer to the private sector as 
it owns and operates the bulk of the critical infrastructure and on 
information sharing as an alternative to Government mandates. In fact, 
the result has been to make public-private partnership less attractive 
or less important. The partnership groups often serve a largely 
``representational'' function rather than one that is oriented towards 
action. Companies do not have ``skin in the game.'' Regulate them, and 
they will come. Regulation is the key to improving public-private 
partnerships, particularly if these partnerships are tasked with 
developing and maintaining the standards upon which regulation must be 
based.
    This administration has a unique opportunity. The United States has 
pursued a market-led approach to cybersecurity for more than a decade. 
This approach is inadequate. Now is the time to identify where 
regulation is needed to improve cybersecurity. Our recommendation was 
to begin with critical infrastructure--if a service is truly critical, 
we should not be afraid to require action to secure it.
    I began by asking where we are today in cybersecurity and answered 
that, from one perspective, we are in remarkably bad shape. From 
another perspective, however, we are at a moment of tremendous 
opportunity. This administration can define an integrated and 
comprehensive Federal approach to securing cyberspace, something no 
previous administration has been able to do. The complexity of the 
problem means that it will take much longer than 60 days to put in 
place the policies, structures, and regulations we will need. However, 
if the 60-day review can establish a clear governance structure led 
from the White House, if it lays out a broad plan of action for moving 
ahead, including the development of a comprehensive national security 
strategy and the use of regulatory authorities to secure critical 
infrastructure, and if this administration acts upon it, the review 
will be a success.

    Ms. Clarke. We thank you for your testimony.
    I thank all of the witnesses for their testimony, and I 
will remind each Member that he or she will have 5 minutes to 
question the panel.
    I will now recognize myself for questions. This first 
question goes to the entire panel. You all have spent a great 
deal of time putting together cyber recommendations for this 
administration. I want to express my gratitude for your work. 
The statements during the campaign and the decision to do a 
comprehensive review suggest that this administration is 
committed to a real change in our approach. My question is: How 
do we judge whether the review has been a success, and what 
specific things should we be looking at to determine if we are 
moving in the right direction?
    Mr. Powner. A couple of thoughts here. Looking at whether 
the review is a success, and echoing what Dr. Lewis mentioned, 
there have been already a fair number of very good 
recommendations through the CSIS report. Clearly, the experts 
we talked to had some additional recommendations. One, that 
that review needs to take into consideration those many 
recommendations. The other thing is looking back on this 
historically, even back to the mid-1980's, we really need to 
look at a new organization. DHS-led hasn't really cut it. 
Recently, an 18-sector approach where all sectors are created 
equal, I am not certain that that is the right approach either. 
Moving forward we need to look at certain things: A new 
organizational structure; greater prioritization; and clearly 
more accountability for those organizations that are in charge.
    Ms. Clarke. Anyone have anything else to add to that?
    Mr. Lewis. Well, we know what a bad plan looks like because 
we have lived through at least a couple of them. I think that 
if we were looking at this plan, we would want clear 
leadership, some comprehensive strategies that include both 
international and regulatory, that look at combining 
intelligence, military, law enforcement, diplomatic engagement. 
We would want a commitment to action. At the end of the day, if 
we see those three things--leadership, planning, action--we 
should be better off.
    Ms. Clarke. Let me then move on and direct this question to 
Mr. Powner. I know that the CSIS Commission met with the review 
team last week. Have you met with the review team yet?
    Mr. Powner. No, we have not. We are in the process of 
trying to get that scheduled.
    Ms. Clarke. Would you please let us know how we can help 
facilitate that meeting?
    Mr. Powner. We will.
    Ms. Clarke. My next question, and it is ironic because I 
understand that Mr. Beckstrom has joined us in the audience, 
and I would like to thank him for his service and express my 
regret for our inability to retain his talent and expertise. 
But late on Friday, Mr. Rod Beckstrom announced that he was 
resigning as Director of the National Cybersecurity Center. I 
think this is a loss for the community and it is unfortunate 
that Mr. Beckstrom's skills weren't put to good use. In his 
resignation letter he acknowledges the critical importance of 
the NSA, but said that their dominance in cybersecurity today 
is a bad strategy.
    Can you all comment on what you agree or disagree with in 
these comments and what role the NSA should play alongside DHS? 
Mr. Charney.
    Mr. Charney. Yes. So there is no question that the center 
of technical expertise in the Government, particularly on the 
operational side, is within NSA. However, I agree with the 
comments made earlier, that at the end of the day, if you want 
the public to trust that the networks are being secured well 
and in a transparent fashion, the mission cannot reside in NSA. 
So I think it is really important to empower DHS to take the 
necessary operational role and have a relationship with NSA 
that captures and utilizes their technical expertise.
    Ms. Clarke. Anyone else want to comment? Okay. I am going 
to move on to my next question.
    On March 24, this subcommittee will hold a hearing entitled 
``Securing the Smart Grid from Cyber Attack''. We will be 
discussing a number of technological issues related to the new 
advanced metering technologies that are being developed and 
deployed.
    But this question has to do with policy. What Federal 
agency is in charge of defending against the cyber attack 
launched by a nation-state against our electric grid and what 
agencies do you think should be in charge of defending against 
such an attack? Any thoughts on that issue?
    Mr. Yoran. Ms. Chairwoman, this is an issue that we have 
been trying to tackle for some time, initially with a National 
Cyber Incident Response Working Group, co-chaired by the 
Department of Homeland Security, Department of Justice and the 
Department of Defense. It is an issue that I think is one that 
ought to be a key focus for Melissa Hathaway as she conducts 
her 60-day review, understanding exactly what the authorities 
are, the priorities, the technical capabilities that exist in 
various pockets of the Federal Government, and how they can be 
brought to bear most effectively so that that planning can 
occur before any time of crisis.
    Mr. Lewis. I was just going to add, for me the answer would 
be FERC or the NRC or maybe the Department of Energy. I say 
that because they have the relationships with the companies. 
They know how the stuff works. They are the people who have the 
regulatory authorities. The last thing you want is somebody new 
charging in in a crisis and saying, ``I am in charge, do what I 
say.'' So I would say look at the folks who are doing this now.
    One of the things that this committee has done that has 
been very useful is hold those regulatory agencies accountable 
and get them to move out a bit more smartly. I think that would 
be a good direction to continue.
    Mr. Powner. Chairwoman Clarke, if I can just add to your 
question on who is responsible for defending--and I want to 
make sure we are real clear on this. If it is a response--if we 
are answering that in terms of response I agree it is muddy. It 
could be various Federal agencies and entities in charge of 
that response, depending on the severity of the attack. But in 
charge of defending the grid, it is those public utility 
companies that own the grid.
    Ms. Clarke. Well, thank you very much. My time is up. I now 
recognize the Ranking Member of the subcommittee, the gentleman 
from California, Mr. Lungren, for questions.
    Mr. Lungren. Thank you very much, Madam Chairwoman, and 
thank you all for being here. I appreciate the contributions 
you all have made and there are so many questions to ask. Let 
me just try one very, very quickly.
    Dr. Lewis, you were very specific about saying that the 
person who should be in charge of the leader of the new 
comprehensive cybersecurity ought to be in the White House.
    Mr. Charney, if I understand what you said, I thought you 
felt the DHS could be stood up to have that responsibility.
    Mr. Charney. Sir, to be clear, there is a difference 
between developing a strategy and coordinating it through the 
Federal agencies and the individual responsibility of the 
various agencies.
    Mr. Lungren. Right.
    Mr. Charney. So if you are going to look at a national 
strategy that has to determine some very difficult questions 
like when is a cyber attack an act of war and what is a 
proportional response, those kinds of key decisions are to be 
done at the White House level. But you also need an operational 
capability, things like US-CERT, an agency to help the other 
agencies deploy best practices. So I view DHS as more 
operational of implementing the strategy, but I think strategic 
elements and the cross-government cooperation has to be at the 
White House.
    Mr. Lewis. I agree completely with that. I think if you 
look at the agencies, I agree completely FBI has a role, DOD 
has a role, DHS has a role, the intelligence----
    Mr. Lungren. I understand they all have roles. My question 
has been--I think Mr. Charney responded to it and I have 
articulated it before, but I am concerned about a lack of 
urgency not only in the Congress, in the White House, in the 
public domain with respect to the threat, No. 1; and, No. 2, 
how we do it?
    As we have seen DHS develop and pull itself together, I 
think it is actually starting to get its sea legs and frankly I 
think doing a far much better job today than it was 2, 3, 4, 5 
years ago. That is part of what happens when you stand up an 
agency like that.
    But there is the question of a sense of urgency. The 
President and his particular delegate in the White House can 
set the policy, but how do you make sure people follow it? We 
all know CIOs in the various departments and agencies have a 
natural protective mechanism about how it ought to be done. We 
understand that you have got DOD, you have got NSA, you have 
got the FBI and all of them, and all of them believe they have 
a certain respected expertise.
    How do you engage that sense of urgency throughout the 
Federal establishment that has not been there? I am not trying 
to blame anybody. I am just trying to state a fact because it 
hasn't been there in the public either. How do we leapfrog to 
that position where we have that policy established at the 
White House on the one hand, but then we have the 
implementation or operational motivation and authority? Because 
if the various individuals responsible for the various agencies 
and departments think they can just kind of shrug when they get 
the call from the person at DHS, it doesn't drive what I want 
to be driven here. Mr. Yoran.
    Mr. Yoran. Sir, I think that is a very important issue, 
when they get the call from DHS, that they have to feel a sense 
of urgency in getting it fixed or, more importantly, not feel 
like they can rely on DHS doing the monitoring, where the 
intelligence community is protecting them. Everybody has to 
feel a sense of responsibility and ultimately be held 
accountable for the protection of the information and the 
systems that they manage and need in order to accomplish their 
core mission. Until the Executive branch or any branch of 
Government holds senior leadership accountable for flaws in the 
security culture, lapses in security which are a result of lack 
of due care or negligence if you want, until there is some 
accountability there, I don't think we are going to see 
meaningful change.
    Mr. Lungren. Let me follow up and ask a slightly different 
way. That is, how do we maintain those people that have the 
quality that can do that job, and how do we attract others to 
those kinds of jobs? In other words, you can't pay them as much 
as the private sector can pay them. It is like when people go 
in the military service or do some other type of service. They 
do it in part because they are making a contribution, but they 
know their contribution is going to be utilized. It is going to 
be valuable. It is going to be effective.
    How do we raise that level of appreciation so it is not 
just accountability, but it is also responsibility in the sense 
that it is recognized throughout the establishment, both 
private sector and public sector?
    Ms. Davidson. I believe that one of these--this is one of 
the issues I tried to touch upon, which is if you don't 
actually have a career path, you see there are people whose job 
it is to do information technology. Information technology will 
continue to be the janitorial service of many organizations 
where we are cleaning up other people's messes. It absolutely 
is critical. One of the things that we do to try to make people 
understand how critical it is is, quite honestly in our own 
company, to go into various meetings and say, let me show that 
a particular attack isn't theoretical; I am going to hack your 
software. This is exactly how I can do this. This is exactly 
how I can corrupt a system.
    That creates some of the awareness. It is scary but it is 
necessary. Either that or we wait until we get a real attack.
    In terms of, you are talking about compensation trying--we 
do actually elevate those security professionals to give them 
some recognition within their jobs so they get training, they 
get recognition. It is recognized as a specialty that is held 
in esteem. As you point out, you can't always give people more 
money, but you can give people respect. I think you need both 
of those to show what is possible and to show that the, if you 
will, the warriors who defend it do a good job at it, and that 
creates the environment by which people who are able to 
actually do that kind of work are respected.
    Mr. Lungren. Could I ask one real quick question, maybe for 
a quick response? That is, how will we enforce the new Davidson 
doctrine that you articulated to protect our cyberspace?
    Mr. Lewis. Let me try. All of us have worked in the Federal 
Government for a long time, and if you want power, there are a 
couple of things that give you power: Access to the President, 
control of the budget, control of policy. For me, the only 
place you are going to do that is in the White House. If I have 
the access to the President, control of your budget, and I can 
say what the policy is and know that the President or the Vice 
President or the National Security Adviser will back me up, I 
will get agencies to do whatever I want. That is what we need.
    So you want to know who is going to enforce the Davidson 
doctrine? It is a good name for it, by the way. You know, we 
have to put that at the White House.
    Ms. Clarke. I now recognize Mr. Lujan from New Mexico for 5 
minutes.
    Mr. Lujan. Thank you, Madam Chairwoman. I am going to just 
jump right into this, because there are many questions I think 
that need to be asked, and I am not sure if we will run out of 
time with doing this.
    But specifically with what we are discussing today with 
understanding that DHS is the lead agency for the Nation's 
cybersecurity and the key components that exist within DHS, 
what are your thoughts--and I don't know if we want to start 
with Mr. Powner, and then I will move down the line a bit--but 
from the perspective of having DHS move away from their near 
exclusive internal focus on cybersecurity issues and more 
toward development and deployment of software and hardware 
solutions to protect critical infrastructure projects?
    Mr. Powner. We have done a lot of work with the DHS. DHS 
clearly is the lead cybersecurity focal point for the Nation. 
Even working with our critical infrastructure owners, if you 
look at policy and law and how that is laid out, it is pretty 
clear that they have not lived up to those responsibilities. So 
the question going forward is, do we want to keep working with 
them as the operational entity that is the lead or do we just 
designate them an operational role and put someone else in 
charge of primarily coordinating with the private sector, with 
the intelligence community, and with the military 
organizations? We would think the latter.
    Mr. Charney. I think it is really important to get the 
organizational structure right. Every Federal agency needs to 
deploy IT systems for their business operations, and therefore, 
every Federal agency needs a CIO and a CSO, a chief security 
officer, who manages security at that agency. Now, when you 
have a distributed organization--and certainly Microsoft is 
one--you end up with a lot of different, essentially business 
groups, that are running IT that will service their business 
mission, and that is fine.
    The role that DHS should play in coordination with NIST that 
sets standards for civilian agencies, and NSA because of their 
technical expertise, is to decide what the minimum bar is for 
security that should be required to be implemented by the 
various agencies. You know, in any environment there are things 
that you have to do, things that would be good to do, and best 
practices that you might like to deploy. Understanding what is 
required versus what is recommended versus what is a best 
practice is really important.
    But I don't think you can have, for example, DHS making 
hardware and software decisions for the various agencies 
because the hardware and software that is deployed has to map 
to the agency mission. But DHS could say, as a requirement of 
deploying whatever you are going to deploy, there are certain 
security things that must be done: You must have a documented 
information security program; you must have technical controls 
and people controls in place to manage risk; you need an 
incident response plan in place because bad things will happen.
    I think that is the appropriate function of DHS.
    Mr. Lujan. Mr. Yoran, before you answer that, I think that 
is a perfect segue into an issue that I want to raise.
    Within our New Mexico DOE and New Mexico laboratories, 
there is a real opportunity with the work that they are working 
on to improve the Nation's cybersecurity posture by bringing 
the resources to bear on this critical problem. So in speaking 
specifically to some of the IT teams that are being discussed 
and making sure that we have a centralized point to be able to 
have access, whether it is to the President or to others as we 
are talking about this issue, what are your thoughts in taking 
advantage of the expertise that lies in some of our Nation's 
DOE laboratories that are working with specific issues, some 
which are partnered with DOD responsibilities as well?
    Mr. Charney. It is obviously critically important to grab 
expertise wherever it resides, and one of the things DHS should 
be doing is discovering and then propagating best practices 
across the Government and the private sector. So I think that 
would be a key thing to do.
    Mr. Lujan. Thank you. Madam Chairwoman, if I may shift a 
little bit and get your perspective.
    As we are moving forward with the deployment of Smart Grid, 
including the importance of communications and the potential 
threats that could exist from attacks, what is the importance 
of making sure that we are taking into consideration the 
elements and inventories across the country and making sure we 
have adequate protections for our critical infrastructure like 
electricity, renewable generation areas, and the backbone of 
really what will essentially be our Smart Grid?
    Ms. Davidson. I do think that there are entities who are 
looking at that in their role with the utilities. But if I 
could actually back up a little earlier than that, if you think 
of this as a supply chain, one of the things that actually 
needs to change that none of us touched upon, part of the 
reason we have these difficulties--I don't think anybody sits 
down and says I think I am going to deploy a system that is 
hopelessly insecure and will leak like a sieve. It isn't merely 
awareness. It is that a lot of the people who are building 
these at the grassroots level do not understand that they have 
any responsibility and they don't learn to think like an 
attacker. That starts with the university system.
    It is not just computer science and electrical engineering, 
it is people who are building these control systems. If you can 
change one thing, if you can get the people designing and 
building those things to assume, think like a hacker, assume 
your system will be attacked, then they will design 
differently. They will build differently. They will deploy 
differently. By the time someone like a utility gets something, 
they will still have to ask intelligent questions in 
procurement, but they won't have to sit around and wonder, I 
wonder if anybody had a clue whether somebody is going to try 
to attack the power grid?
    We have to move the supply chain for security-aware people 
all the way back into the university systems. Unfortunately, 
having gone to the universities--I believe Scott has as well--
you get a resounding nonresponse from universities when you 
ask, do you teach secure coding practice in all of your 
engineering and control system disciplines?
    Mr. Lewis. On the question, the national labs are actually 
places that you could look for. Both Sandia, which has done 
some excellent work, also Idaho National Labs, NERC, FERC, NIST, 
Department of Energy, these are all the people who could help 
us make sure that Smart Grid is secure.
    Ms. Clarke. Mr. Lujan, we will be covering that territory 
in about 2 weeks when we do our Smart Grid hearings. So this is 
a precursor to it.
    I would like to now recognize Mr. Broun of Georgia for 5 
minutes.
    Mr. Broun. Thank you, Madam Chairwoman.
    First, I want to respectfully disagree with those of you 
all that think that the White House is the place to put central 
control of this problem, for the simple reason that I am 
disappointed that we haven't been more aggressive in our last 
administration, and I don't know what kind of aggressiveness we 
are going to have in this administration to try to solve this 
problem.
    As I have learned more and more about it I am extremely, 
extremely concerned about our national security, not only from 
a military perspective but an economic perspective.
    At home, I have utilized Kaspersky, I have used Norton, I 
have used McAfee to try to make sure that my own home computer 
networks are secure and have a firewall in place. I 
have just recently learned how inadequate those programs are. 
So I think we have to have a national effort to develop some 
kind of very, very strong national security and economic 
security type of plan.
    But I think this committee and the Department of Homeland 
Security is the best place to do that, for the simple reason 
that in the administration you have personalities and different 
focuses and those sorts of things. I do agree we need to have a 
central focus, but I don't think the White House is that place. 
I think this committee ought to be setting policy, and not the 
White House frankly; and the Department of Homeland Security I 
think is the best way to try to coordinate things within the 
interagency efforts to make sure that we stay secure, whether 
it is DOD, Department of Energy or all the other sources as 
well as within the private sector.
    Having said all that, I believe in the private sector, I 
believe in the marketplace, and I think innovation and 
development comes probably best in the private sector and not 
from governmental sources. Can the Government secure our 
cyberspace without private sector involvement, and how much 
private sector involvement do we need in that? I just throw 
that open to the panel.
    Mr. Powner. Well, clearly 85 percent of the cyber-critical 
infrastructure associated with this Nation is owned by someone 
other than the Federal Government. So the Federal Government 
can't do it. The key is partnering with them, where those 
private sector owners view the Federal Government as a credible 
partner that provides a valuable service. I think that is what 
has been determined with DHS with their US-CERT operations 
where we share threat information. The message really going 
forward is we in the Federal Government, whether it is DHS or 
whether it is the White House, they need to do a much better 
job where they are viewed as a credible partner in helping the 
private sector secure it.
    Mr. Yoran. I would just add to that a little bit. I agree 
that centralized coordination is required. I think the 
Department of Homeland Security's key role can be in protecting 
the dot.gov, the Federal civilian agencies. I don't think the 
DHS can effectively lead sort of offensive capabilities we 
would need in cyber or counterintelligence capabilities we 
would need in cyber, nor do I think the Department of Defense 
would subjugate their cybersecurity efforts, which are 
necessary for conducting warfare today, to the Department of 
Homeland Security.
    However, I agree with you entirely that the best thing 
Government can do is fund some fundamental long-term research, 
but ultimately rely on the private sector and commercial 
products for the development of IT technologies that have more 
security and IT security technologies that have more capability 
by refining their requirements and using their procurement and 
acquisition capabilities to drive those products and features 
into the commercial software versus trying to develop 
technologies in Government development efforts.
    Mr. Broun. My time is about up but I appreciate y'all's 
comments. I have got a hundred questions to ask you all and 
don't have the time to do that. I appreciate y'all's efforts.
    I see this as a critical national security interest. In 
fact, just in the commercial sector, if we have an attack, 
which we are having every day on commercial entities, if we 
have an attack on our commercial entities, it can totally wreck 
this Nation. So I think we have got to find a solution, and I 
look forward to your answers that--I am going to give you all 
some questions in written form and I appreciate y'all's 
candid answers to that.
    I think we need to act and act now. Government doesn't do 
that very well. It is very slow in acting, and that is the 
reason why I want to try to get the private sector involved as 
much as we possibly can, because I think the private sector can 
be more innovative and can act quicker and can find real 
solutions to this. We need to have some coordinated efforts, 
and I think the Department of Homeland Security is the best way 
to do that.
    Thank you, Madam Chairwoman.
    Ms. Clarke. The Chairwoman recognizes for 5 minutes the 
gentleman from Ohio, Mr. Austria.
    Mr. Austria. Thank you, Madam Chairwoman. To our committee, 
thank you for your testimony today. I appreciate it very much.
    I want to follow up on some of the questions that were 
asked earlier and more on the role of homeland security in your 
opinion. When you look at the jurisdiction, the electricity, 
the grid was brought up earlier, and you testified that you 
know it has fallen on the Department of Energy. Sometimes we 
see things intertwined between the different departments, 
whether it be DOD, Department of Justice. What do you see as 
Homeland Security's role or jurisdiction as a department? I 
would open that up to the entire panel.
    Mr. Yoran. I think that Homeland Security's greatest impact 
can be summed up in three key areas. The first is in the US-CERT 
series of programs and operations to help protect the dot.gov, 
the Federal civilian systems and agencies.
    The second is in cross-critical infrastructure issues. 
Clearly, the Department of Energy and other regulatory bodies 
define security standards, measure their effectiveness, and 
have many levers for forcing change in the private sector.
    I think the third is sort of working on issues where the 
failure of one critical infrastructure or the security levels 
in one critical infrastructure don't address the requirements 
of another industry, of another sector of our economy.
    The third area is in interaction with the private sector 
through a series of well-defined public/private partnerships 
with specific objectives and also with value-add and incentives 
in the private sector for their voluntary participation.
    Mr. Charney. I suggest the way to think about this is 
separating out the horizontal from the vertical. There are a 
lot of things in IT that are horizontal on which all the 
verticals depend. So robust authentication, knowing who is 
connecting to your network, you need to know whether you are 
telecom, energy, or something else.
    There are other things that are unique to vertical sectors. 
The energy SCADA systems may be different than phone SCADA 
systems. As a result of that, I think when you think of DHS' 
role, I view it as kind of the horizontal base security, and 
then the sectors and their regulatory agencies have to focus on 
the vertical uniqueness.
    Mr. Austria. Thank you for that. That is why I do agree 
with you. I think we need to have clear leadership and a 
comprehensive strategy and a commitment to take action in those 
areas so that is much better defined.
    Let me jump over to the public/private partnership because 
I do agree with you on that. I have always believed that the 
private sector, which designs and deploys and maintains much of 
our Nation's critical infrastructure is far ahead of Government 
in their ability to detect, to attribute, and to defend against 
a cyber attack.
    Correct me if you think I am wrong, but isn't that, again, 
a reason just to follow up on some of the other questions with 
the public/private sector, that we really should be pursuing 
this to really achieve national security when it comes to 
cyberspace?
    Mr. Charney. Sir, the answer is yes. We all here I think 
are big fans of private sector innovation, but I will say I 
wrote years ago that you couldn't make a market case for the 
Cold War. I mean, there are certain things in national security 
where the markets are not designed to address the problem, 
because when we build products for market we know that we have 
a large customer base that is global and very price-sensitive. 
Some of the things that the national security community requires is 
very specific and expensive.
    So it has long been my view that you need a symbiotic 
relationship where--and I described this in my testimony--where 
you figure out what the market will provide, what national 
security needs are, and how Government can help bridge that 
gap. I don't think you can rely on markets alone to bridge the 
gap because markets aren't designed to do that any more than 
they are designed to protect national security and provide law 
enforcement mechanisms. These are things that we tax people for 
and make them pay for from the Government.
    Ms. Davidson. I do agree with Scott largely, but I also 
think that the Government can be a smarter buyer. Even 
something as simple as some transparency in procurement around 
what vendors do and do not do in terms of security, I don't 
think in many cases the questions have ever been asked. It is 
certainly asked at the Defense Department level or the 
intelligence. They want to know how you engineered your 
software. But the average garden-variety agency does not ask 
that. Why would that change things?
    This is something I think, unfortunately, women can 
understand better than men, but I call it the bathing suit 
test. If you have to go out in public in June in a bathing 
suit, along about March you are going to put it on and you are 
going to say I can't believe I look like this; I better get in 
shape before I have to go out in public.
    If people had to disclose, so to speak, their development 
processes related to security, you would want to look a lot 
better by the time you are actually filling in the form. That 
per se is not going to cure all our ills, but it will improve 
what people are buying or at least they will know what they are 
getting and not getting, and they can make smarter decisions as 
purchasers.
    That will not, as Scott I think would agree with, mean that 
we are going to--commercial software, unless it has been 
necessarily engineered to the highest level of software 
assurance that, for example, the intelligence community could 
want. But even raising the baseline would be a very good start. 
It would save people a lot of money they are spending now, 
trying to patch their security and make it harder for bad guys 
to do what they do. Make them work harder.
    Mr. Austria. I understand that my time is up. Thank you. I 
do agree with my colleagues that, you know, cyberspace security 
is critical to our national security. I have other questions 
that I will be glad to submit to our panel. But thank you, 
thank you for your time.
    Ms. Clarke. Thank you. The Chairwoman now recognizes the 
Chairman of the full committee, the gentleman from Mississippi, 
Mr. Thompson.
    Mr. Thompson. Thank you very much, Madam Chairwoman. I was 
listening to the testimony in the rear but I was multitasking, 
too.
    This is basically to each panel member. With the 
information that you have available to you, do you think the 
United States is prepared for a major cyber incident?
    Mr. Powner. No, we are clearly not as prepared as we should 
be. I will go back, several years' work that we did for this 
subcommittee, I think several Congresses ago, looking at 
internet recovery. You can look at what happened with 9/11, 
Katrina, on how we recovered major portions of the internet. 
There were major lessons learned in that.
    The question going forward, do we have--one of the 
requirements in our current national strategy is a joint 
public/private internet recovery plan if we have a major, major 
attack. We still don't have that plan. You need a plan. You 
need to exercise that plan. So I think today we are not 
prepared.
    Mr. Lewis. You can look at the experience of 9/11, and I 
hate to bring it up because it is painful, but one of our co-
chairs who couldn't be here today, Harry Raduege was the 
Director of the Defense Communications Network. On that day, he 
got phone calls from all the major service providers, all the 
big telecom companies, all the big IT companies saying, how can 
we help, what can we do to restore service? I know that Dick 
Clarke, who was also at the White House then, got similar 
calls.
    So you had two people, people who knew who to call, they 
had the existing relationships, and they knew how to do things. 
They knew how to move trucks from Ohio or from Virginia to New 
York or to Washington to rebuild services. We don't have that 
today in cyberspace, and that is one of the things we 
desperately need.
    Ms. Davidson. I would like to tell a story in response, a 
short one. That is, in the 1920's, there was a Marine Corps 
colonel who realized the next war would be with Japan, and it 
is because of him that the Marine Corps developed amphibious 
warfare capability. He saw this in the 1920's, which was long 
before December 7, 1941. So we don't have that much time.
    There are people who are sounding the warning. There are 
people who are trying to do things differently. We are not 
going to have 21 years to get it right. So we do need to act 
now. No, we are not prepared.
    Mr. Thompson. Mr. Yoran.
    Mr. Yoran. Sir, I would say that the nefariousness of cyber 
is the fact that we are experiencing the 9/11 in cyber. It just 
doesn't have the tremendous visibility.
    For over 10 years now, for over a decade now, we have had 
significant incidents going on with foreign adversaries, and 
our national response has basically been to look the other way 
or occasionally have an article in the news media about it. So 
because there is no catastrophic visible outcome, we sort of 
lie in bed at night and are able to sleep, not realizing 
exactly how much damage is occurring. So we are not prepared.
    Mr. Charney. I would never go against my esteemed 
colleagues on this point. I would point out, however, that it 
is important to focus on the nature of the attack so you can 
figure out your strategy for defending. There are attacks 
against confidentiality, we have heard a lot about that, where 
data is taken. There are attacks against integrity where people 
alter critical systems or data that you rely upon. There are 
attacks against availability, and then the systems go down. In 
the availability attacks, I mean one goal is always to keep 
five nines of availability, keep the networks up. But the 
other part of any strategy has to be about how fast you can 
reconstitute the capabilities if the capabilities fail.
    So this is one of the reasons it is so important to have a 
comprehensive strategy, because when you think about how you 
are going to reconstitute across multiple networks and maybe 
across multiple time zones, it is actually quite challenging. 
You have to figure out what your strategy is for 
reconstitution, who is in charge, roles and responsibilities, 
what is the interface to the private sector that owns 85 
percent of this infrastructure. The availability problem is in 
some ways different than the confidentiality and the integrity 
problem. It is important to focus on all of them.
    Mr. Thompson. Well, I would like to say, Madam Chairwoman, 
that what we have just heard is very troubling, I think to me 
and the rest of the committee, that we have some work to do. I 
think perhaps at our next hearing we need to bring some of the 
people who have the primary responsibility for the plan, or 
whatever we are operating under, and see if we can get some 
idea as to what they are doing to keep us safe. But I am real 
concerned about it. I would say that both the subcommittee and 
I as Chairman on the full committee will give this our 
undivided attention, and I would look to people like yourselves 
to help provide the leadership, getting us where we need to be. 
I yield back.
    Ms. Clarke. Thank you. Member Lungren.
    Mr. Lungren. Madam Chairwoman, I just wanted to tell you 
this is an outstanding panel that I thank you for putting 
together. I thank all of you for being here. We could go on 
with this for hours. Some of us will probably submit some 
written questions. I know we have already begged your 
indulgence for the time you have given us, but hopefully if you 
could respond to those in a timely fashion, we could maybe talk 
to you later, too, as well. Thank you.
    Ms. Clarke. I thank the witnesses for their valuable 
testimony and the Members for their questions. The Members of 
the subcommittee may have additional questions for the 
witnesses, and we will ask you to respond expeditiously in 
writing to those questions.
    Hearing no further business, the subcommittee stands 
adjourned.
    [Whereupon, at 4:04 p.m., the subcommittee was adjourned.]