[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
  CYBERSECURITY: EMERGING THREATS, VULNERABILITIES, AND CHALLENGES IN 
                  SECURING FEDERAL INFORMATION SYSTEMS 

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 5, 2009

                               __________

                           Serial No. 111-51

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                      http://www.house.gov/reform

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

56-581 PDF                       WASHINGTON : 2010 



              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
JOHN F. TIERNEY, Massachusetts       MARK E. SOUDER, Indiana
WM. LACY CLAY, Missouri              TODD RUSSELL PLATTS, Pennsylvania
DIANE E. WATSON, California          JOHN J. DUNCAN, Jr., Tennessee
STEPHEN F. LYNCH, Massachusetts      MICHAEL R. TURNER, Ohio
JIM COOPER, Tennessee                LYNN A. WESTMORELAND, Georgia
GERALD E. CONNOLLY, Virginia         PATRICK T. McHENRY, North Carolina
MIKE QUIGLEY, Illinois               BRIAN P. BILBRAY, California
MARCY KAPTUR, Ohio                   JIM JORDAN, Ohio
ELEANOR HOLMES NORTON, District of   JEFF FLAKE, Arizona
    Columbia                         JEFF FORTENBERRY, Nebraska
PATRICK J. KENNEDY, Rhode Island     JASON CHAFFETZ, Utah
DANNY K. DAVIS, Illinois             AARON SCHOCK, Illinois
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                 DIANE E. WATSON, California, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                AARON SCHOCK, Illinois
GERALD E. CONNOLLY, Virginia         JOHN J. DUNCAN, Jr., Tennessee
HENRY CUELLAR, Texas                 JEFF FLAKE, Arizona
JACKIE SPEIER, California
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
MIKE QUIGLEY, Illinois


                            C O N T E N T S

                              ----------                              
Hearing held on May 5, 2009
Statement of:
    Lentz, Robert F., Deputy Assistant Secretary of Defense for 
      Cyber, Identity, and Information Assurance, U.S. Department 
      of Defense; and John Streufert, Deputy Chief Information 
      Officer for Information Security, Bureau of Information 
      Resource Management, U.S. Department of State
        Lentz, Robert F.
        Streufert, John
    Wilshusen, Gregory, Director, Information Security Issues, 
      Government Accountability Office; James Andrew Lewis, 
      director and senior fellow, Technology and Public Policy 
      Program, Center for Strategic and International Studies; 
      Marcus H. Sachs, director, SANS Internet Storm Center, SANS 
      Institute; Lieutenant General Harry D. Raduege, Jr., 
      retired, co-chairman, CSIS Commission on Cybersecurity for 
      the 44th Presidency; and Liesyl I. Franz, vice president, 
      Information Security and Global Public Policy, TechAmerica
        Franz, Liesyl I.
        Lewis, James Andrew
        Raduege, Lieutenant General Harry D., Jr.
        Sachs, Marcus H.
        Wilshusen, Gregory
Letters, statements, etc., submitted for the record by:
    Franz, Liesyl I., vice president, Information Security and 
      Global Public Policy, TechAmerica, prepared statement of
    Lentz, Robert F., Deputy Assistant Secretary of Defense for 
      Cyber, Identity, and Information Assurance, U.S. Department 
      of Defense, prepared statement of
    Lewis, James Andrew, director and senior fellow, Technology 
      and Public Policy Program, Center for Strategic and 
      International Studies, prepared statement of
    Raduege, Lieutenant General Harry D., Jr., retired, co-
      chairman, CSIS Commission on Cybersecurity for the 44th 
      Presidency, prepared statement of
    Sachs, Marcus H., director, SANS Internet Storm Center, SANS 
      Institute, prepared statement of
    Streufert, John, Deputy Chief Information Officer for 
      Information Security, Bureau of Information Resource 
      Management, U.S. Department of State, prepared statement of
    Wilshusen, Gregory, Director, Information Security Issues, 
      Government Accountability Office, prepared statement of


  CYBERSECURITY: EMERGING THREATS, VULNERABILITIES, AND CHALLENGES IN 
                  SECURING FEDERAL INFORMATION SYSTEMS

                              ----------                              


                          TUESDAY, MAY 5, 2009

                  House of Representatives,
            Subcommittee on Government Management, 
                     Organization, and Procurement,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2154, Rayburn House Office Building, Hon. Diane E. Watson 
(chairwoman of the subcommittee) presiding.
    Present: Representatives Watson, Connolly, Cuellar, 
Bilbray, and Issa [ex officio].
    Staff present: Bert Hammond, staff director; Valerie Van 
Buren, clerk; Adam Bordes, professional staff; Adam Fromm, 
minority chief clerk and Member liaison; Dr. Christopher 
Bright, minority senior professional staff; and Molly Boyl and 
John Ohly, minority professional staff.
    Ms. Watson. The committee will now come to order. Today's 
hearing will examine the Federal Government's efforts to secure 
its networks and cyber-based critical infrastructure assets. We 
will also look at the changing threat and vulnerability 
landscape against Federal networks and how legislation to 
counter these elements ought to be crafted.
    Without objection, the Chair and the ranking minority 
member will have 5 minutes to make opening statements followed 
by opening statements not to exceed 3 minutes by any other 
Member who seeks recognition.
    Without objection, Members and witnesses may have 5 
legislative days to submit a written statement or extraneous 
materials for the record.
    I want to welcome our witnesses and I want to welcome the 
Members who are here. This hearing on threats, vulnerabilities, 
and challenges in securing the Federal Government's information 
systems and infrastructure is very necessary and very 
important. Our distinguished witnesses are here; we look 
forward to your testimony.
    I will preface my remarks by stating that today's hearing 
is only the beginning of our efforts in this Congress to 
strengthen the Federal Government's information security 
posture. I know many of my subcommittee colleagues, including 
Ranking Member Bilbray, recognize the critical national 
security issues associated with cyberattacks from both domestic 
and foreign sources. I look forward to working with them in 
developing legislation this session to counter these threats.
    Furthermore, I want to express my disappointment that DHS 
will not be providing a member of its new senior leadership to 
testify before us today. With all of the proposals under 
consideration in Congress for improving our cybersecurity 
posture, I think today was a missed opportunity for the 
Protection and Programs Directorate to explain the value they 
bring to the table. It is my sincere hope that they will become 
more engaging with this subcommittee as we move forward on 
these issues.
    According to the Director of National Intelligence's 2009 
Threat Assessment, the cybersecurity threat landscape continues 
to expand as the number of actors using cyberspace for 
attacking and disrupting our Federal critical infrastructure 
proliferate. These actors include foreign governments, 
terrorist organizations, individuals with nefarious motives, 
and plain old-fashioned criminal syndicates looking to use 
cyberspace as a tool for compromising Federal networks and 
Government operations.
    Cyberattacks against Government networks are nothing new, 
but their complexity and disruptive capabilities have increased 
significantly in recent years. In the past few weeks alone, we 
have become aware of reported breaches to critical DOD programs 
such as the Joint Strike Fighter and Marine One Presidential 
Helicopter, as well as to the Air Force's air traffic control 
system. Congress has also been the target of cyberattacks 
originating from the People's Republic of China on numerous 
occasions dating back to 2006. These episodes are a threat to 
our national security interests and our ability to conduct 
Government business without disruption.
    Complicating matters are advances in technology that enable 
cyber-criminals of all stripes to remain ahead of Federal 
information security efforts. As new commercial IT products and 
services become more widely available, such as wireless 
networks and devices, file sharing applications or peer-to-peer 
software, and new services like cloud computing, we often fail 
to incorporate effective security controls to correspond with 
their use.
    A significant focus of today's hearing is our lack of a 
harmonized framework for organizing and coordinating 
Government-wide information security policies and practices. 
Although there are many reasons for this, I will mention some 
that come to my mind: To begin, we currently have too many 
cooks in the kitchen. The OMB, DHS, and DOD all have a major 
role in the security of our information infrastructure. 
Furthermore, DHS has thus far failed miserably in its charge to 
manage cyber-response and coordination efforts for Federal 
agency stakeholders through duplicative, overlapping divisions 
within the Protection and Programs Directorate. Last, it 
remains unclear how efforts under the administration's mostly 
classified Comprehensive National Cybersecurity Initiative are 
aligned with current statutory and regulatory requirements for 
both civilian and military networks. Until there are uniform 
principles, policies, and requirements established for all 
agencies, I fear that our patchwork approach to cybersecurity 
will have a minimal effect in securing our information 
infrastructure.
    Over the past decade, the Federal Government has made 
significant progress in the area of information security. Laws 
such as the Federal Information Security Management Act have 
forced agencies to recognize the need for stronger physical, 
technical, and administrative safeguards for IT assets in order 
to counter the ever-increasing number of threats in cyberspace. 
Nevertheless, such policies have only scratched the surface for 
determining what our real cyber vulnerabilities are. More 
importantly, these efforts have done nothing to ensure that 
Government contractors who operate systems on an agency's 
behalf have adequate security measures in place. To me, this is 
unacceptable and must be addressed in any future legislative 
proposals.
    In summary, I hope our witnesses will provide us with a 
comprehensive, high level assessment of our current posture and 
capabilities for adjusting to new cyber-based threats and 
vulnerabilities. I would also welcome your recommendations for 
legislative principles that would promote a more harmonized and 
uniform approach to cybersecurity across the Government's 
systems.
    Once again, I thank our panelists for joining us today. I 
look forward to your testimony.
    I now recognize our ranking member, Mr. Bilbray.
    Mr. Bilbray. Thank you, Madam Chair. Madam Chair, first of 
all I would like to introduce for the record a written opening 
statement, please.
    Ms. Watson. Without objection.
    Mr. Bilbray. Thank you. Madam Chair, I want to thank you 
for having this hearing.
    It is sad that DHS had to cancel out on Friday because I 
think this is one of those real critical elements where there 
can be not just bipartisan cooperation in this body but coequal 
cooperation with the executive branch to address this issue.
    I just hope that we all recognize we are having a hearing 
today and remember that when the 9/11 Commission came down 
about how 9/11 could happen, it was because the Federal 
Government did not go back and reevaluate structures and 
firewalls that had been created from the Watergate period. And 
it really didn't think it was important enough to be bothered 
with reinvestigating what could have happened here.
    I think what we need to recognize is, if we are old enough 
to remember the Y2K fear, the impact of a Y2K created, 
designed, and executed with intent. That is just the tip of the 
iceberg of what we could face.
    Madam Chair, I want to thank you for having this hearing, 
and having it with or without the Department of Homeland 
Security. I think that we need the discussion now and early to 
make sure our procedures are in a manner that faces the new 
threats rather than trying to fight the battles of the past. I 
hope that you and I can work together to make sure that we do 
not find ourselves where we were with 9/11 and saying, 
doggonit, why didn't we take care of this when we had a chance.
    I am very proud to work with you and with the other Members 
here to make sure we can look back and say, thank God we did 
the right thing when we had a chance and time to do it. I 
appreciate the chance and being able to participate with you in 
this.
    Ms. Watson. I would like now to call on Mr. Connolly for 
his opening statement.
    Mr. Connolly. Thank you, Madam Chairman. Thank you so much 
for holding this important hearing. The number of incidents in 
which hackers have broken into Government files and systems, it 
seems to me, should impel Congress and the administration to 
take all possible steps to secure our systems.
    The permeability of our systems is a risk not only to our 
national security but the future of our economic 
competitiveness as well. The ability of hackers to gain access 
to information from private companies about recent innovations 
reduces the potential for new economic growth and the incentive 
to innovate.
    We are fortunate to be working with an administration that 
is tackling the problem aggressively by reviewing current 
cybersecurity policy and preparing potential reforms.
    The testimony we are going to hear today paints a grim 
picture of the current state of cybersecurity but also suggests 
that there are some security steps that can be taken quickly 
and relatively easily. Mr. Sachs notes that 90 percent of 
security breaches addressed in a recent report were actually 
easily preventable. And according to Mr. Lewis, only one third 
of affected agencies have complied with Homeland Security 
Policy Directive No. 12, which suggested using secure network 
credentialing for employees.
    By the way, something that underscores your point, Madam 
Chairman, and that of Mr. Bilbray is that it is too bad that 
DHS is not here today. My guess is that legislation is going to 
come out of this committee on the subject and DHS needs to be 
at the table. This committee has an important role, obviously, 
in identifying immediate steps the Federal Government can take 
to enhance cybersecurity.
    The committee will also hear testimony from Mr. Lewis, who 
has stated that, ``It is possible that the Internet as it is 
currently architected can never be secure.'' That is a pretty 
provocative statement, if true. From the statement, one would 
infer that a separate Internet-type system for Government usage 
will ultimately be necessary. That is an equally provocative 
conclusion. I look forward to hearing from all of the witnesses 
about whether the creation of a whole separate system is indeed 
a practical or efficient way to achieve cybersecurity, or if it 
is necessary.
    Again, I want to thank you, Madam Chairman, for holding 
this hearing. I look forward to working with my colleagues and 
the administration to enhance cybersecurity by building upon 
what we learn from today's critical hearing.
    Ms. Watson. I now yield to Mr. Issa.
    Mr. Issa. Thank you, Madam Chair. As we hear today, the 
problems of cybersecurity continue to be vexing. We are going 
to continue to see these kinds of shortfalls.
    What this committee uniquely has a role of looking at is 
the Government in its broadest sense. So hopefully today as we 
go through both the hearing and the questions that follow, we 
will begin asking the tougher questions.
    First of all, is there any reason to be throwing the kinds 
of dollars spread over the entire Government as we did in the 
Supplemental in the Cybersecurity Initiative without demanding 
fixed results? Many of the dollars that have been spent under 
the previous administration and continue to be spent under this 
administration are essentially for upgrades. These can be 
completely bypassed if the Department of Defense's Secretary of 
Defense fails to have his own staff adhere to procedures for 
security as has previously been reported in the press.
    Additionally, the gentleman made a good point: Do we need a 
separate Internet? Certainly, supernet and other theoretically 
closed systems have been penetrated by those same failures like 
the use of USB key fobs and the failure to lock down disk 
drives, floppy disks, and other devices that allow for 
penetration around, if you will, a closed system.
    I am most concerned to hear that even our newest aircraft 
design was penetrated, in a sense, on a system that was 
designed to be closed. These and other failures show us that 
the money we have thrown at the problem, although spent, was 
mostly spent for the same business as usual Maginot Line that 
failed to protect France from the Germans and fails to protect 
us from hackers on the Internet.
    Madam Chair, when we spend the kinds of tens of billions of 
dollars both in the classified and unclassified world, we do so 
with good intention. But if we do not begin working smarter, 
using techniques to attack our enemies, getting to the hacker 
before the hacker gets to us, changing or at least attempting 
to change international law so that it will allow us to 
consider acts by the Chinese and other less openly hostile 
governments as aggressive acts of cyberwar, then we do not and 
will not have the kind of peace we want.
    Madam Chair, during my tenure on the Select Committee on 
Intelligence, as I saw one after another failure to secure the 
Department of Defense and other agencies no matter how much we 
hardened, I became convinced that in fact we talk about 
cybersecurity as though it is appropriately international 
espionage, international crime and yet we do not deal with it 
in a way that is appropriate. We do not in a hostile way 
routinely shut down the hackers, whether they are in Venezuela, 
China, or 100 other countries around the world. As a matter of 
fact, it is considered to be bad form for us to retaliate to 
somebody even as they hack into the House of Representatives.
    So Madam Chair, I would hope that our questioning will go 
beyond how we can throw money at the problem and whether in 
fact we need international conventions and a will to deal with 
people who come through the Internet and attempt to hack us in 
a way in which the response is as punitive to them in a 
nonviolent but equally effective way as any other act of war. 
With that, I yield back.
    Ms. Watson. Mr. Cuellar.
    Mr. Cuellar. Thank you, Madam Chair. Thank you for having 
this meeting. As we look at the challenges in securing Federal 
information systems, I think, Madam Chair, that it is important 
that the Congress and the executive branch work together to 
develop this blueprint to protect our Federal information. One 
of the things is to have hearings like this where we can have 
the Department of Defense, the State Department, and other 
folks sit down.
    But to have one of the agencies that is in charge of 
protecting our homeland, the Department of Homeland Security--
and I am one of the chairmen of one of the subcommittees in 
Homeland--I am a little disappointed that they are not here. 
Apparently, my understanding was that you all gave them 3 or 4 
weeks advance notice to be here and I guess they just canceled 
this last Friday. What was the rationale about that? If I may 
inquire of the chairwoman, what was the rationale for them not 
being here?
    Ms. Watson. We couldn't get the Director and the next 
person in line had a family emergency. We sought someone else 
at the upper levels but they could not attend. We are going to 
work on that so they will be in attendance at future hearings.
    Mr. Cuellar. Do we have anybody from the congressional 
liaison from Homeland Security present here today? I am sure we 
have somebody here.
    Ms. Watson. Apparently not. Nobody is jumping to put their 
hand up. So we will just assume.
    Mr. Cuellar. We will assume there is nobody here. Well, 
again, I can understand a family reason, but I do understand 
that there are other folks who can come here.
    I do want to mention that I am a big supporter of Homeland 
Security but they do have a record of missing over 120 
congressional mandates that we have set for them. I have spoken 
to the new Secretary and she assures me that they are going to 
work on deadlines and all that. But I think showing up is 
probably the first step to show a little cooperation with the 
Congress.
    I hope there is another time when we can bring him here. I 
am sure we can set up something where if somebody can't come 
in, I am sure the second or the third person can come in. 
Because we are losing an opportunity.
    The folks who are here today spent a lot of time to be 
here, a lot of time preparing. I know it doesn't mean that they 
just show up. It is a lot of hours in preparing to be here. It 
would have been nice if we would have had Homeland here so we 
can get a perspective from the Department of Defense, the State 
Department, and Homeland. We are losing an opportunity.
    But Madam Chair, I look forward to working with you and the 
other members of the committee.
    Ms. Watson. I think as they get their footing they will 
cooperate with our committee. We will assure Members and the 
public that they will be part of this. We cannot continue to 
assess the information given, and maybe we will have to have a 
classified session with them, but for sure we will seek their 
input and their participation. I know they will cooperate. We 
will guarantee you that.
    All right, if there are no further opening statements, we 
will now turn to our first panel. It is a policy of this 
Committee on Oversight and Government Reform to swear all 
witnesses before they testify. I would like to ask you both to 
please stand and raise your right hands.
    [Witnesses sworn.]
    Ms. Watson. Let the record reflect that the witnesses 
answered in the affirmative. Thank you. I will now introduce 
our panelists.
    The first is Mr. Robert F. Lentz, the Deputy Assistant 
Secretary of Defense for Cyber, Identity, and Information 
Assurance at the Department of Defense. Since November 2000, he 
has been the Chief Information Assurance Officer for the 
Department of Defense and oversees a Defense-wide Information 
Assurance Cyber Program which plans, monitors, coordinates, and 
investigates IA cyber activities across DOD.
    The other witness, Mr. Streufert, is the Deputy Chief 
Information Officer for Information Security at the Department 
of State. He is responsible for providing oversight and 
guidance for information assurance activities including 
security policy development, risk management, system 
authorization, training and awareness, compliance reporting, 
and performance measures. Prior to his tenure at State, he 
served in various IT management roles at USAID, USDA, and the 
U.S. Navy.
    I ask that each of the witnesses give a brief summary of 
your testimony. Keep this summary under 5 minutes in duration 
if possible. Your complete written statement will be included 
in the hearing record.
    Mr. Lentz, would you please proceed?

 STATEMENTS OF ROBERT F. LENTZ, DEPUTY ASSISTANT SECRETARY OF 
 DEFENSE FOR CYBER, IDENTITY, AND INFORMATION ASSURANCE, U.S. 
    DEPARTMENT OF DEFENSE; AND JOHN STREUFERT, DEPUTY CHIEF 
    INFORMATION OFFICER FOR INFORMATION SECURITY, BUREAU OF 
   INFORMATION RESOURCE MANAGEMENT, U.S. DEPARTMENT OF STATE

                  STATEMENT OF ROBERT F. LENTZ

    Mr. Lentz. Good afternoon, Chairwoman Watson, Congressman 
Bilbray, and members of the subcommittee. I am pleased to 
appear before the subcommittee to discuss initiatives to 
enhance the Department's and the Nation's information assurance 
cybersecurity posture.
    This is a critical priority for the Department of Defense. 
With information and information technology assets distributed 
over a vast enterprise with diverse domestic and international 
partners, we know that we cannot execute operations without the 
GIG, the Global Information Grid which is our DOD network. The 
GIG is where business goods and services are coordinated; where 
medical information resides; where intelligence data is fused; 
where weapons platforms are designed, built, and maintained; 
where commanders control forces; and where training, readiness, 
morale, and welfare are sustained.
    Maintaining freedom of action in cyberspace is critical to 
the Department and to the Nation. Therefore, the Department is 
focused on building and operating the GIG as a joint global 
enterprise. This enterprise network approach coupled with 
skilled users, defenders, and first responders in partnership 
with the intelligence and Homeland Security communities will 
allow us to more readily identify and respond to cyberattacks.
    The DOD Information Assurance Cybersecurity Program is thus 
aimed at ensuring that DOD missions and operations continue 
under any cyber situation or condition and that the cyber 
components of DOD weapons systems perform as expected. There 
are many examples of current initiatives in my statement for 
the record. I will quickly highlight a few this afternoon.
    To protect sensitive data on mobile and portable devices 
like laptops, we help make discounted encryption products 
available to all Federal, State, local, and tribal government 
agencies and to NATO. Since July 2007, this program has 
resulted in a U.S. Government cost avoidance of approximately 
$98 million.
    To address cybersecurity risks to the defense industrial 
base, we have put in place a multifaceted pilot for threat and 
vulnerability information sharing, incident reporting, and 
damage assessments.
    For the global supply chain, the Department has launched a 
program to protect mission critical systems. This year, we are 
establishing four Centers of Excellence to support program 
executive offices and supply chain risk mitigation throughout 
the system lifecycle. Additionally, we are executing 
vulnerability assessments in accordance with the 2009 National 
Defense Appropriations Act.
    We continue to rely on the National Centers of Academic 
Excellence in IA education for critical cybersecurity skills. 
There are currently 94 Centers in 38 States and in the District 
of Columbia. One of those Centers, as an example, the 
University of Nebraska at Omaha cosponsored and hosted last 
year's fifth annual cyber defense workshop.
    In 2008, the Department helped bring cybersecurity to the 
Wounded Warrior Program. Wounded, disabled, and transitioning 
veterans are receiving no cost vocational training in digital 
forensics, a critical technical shortfall for the Nation and 
the Department. The program started out at Walter Reed and is 
now being expanded to other DOD and VA hospitals.
    To further harden our networks against cyberattacks, the 
Department is implementing the Federal Desktop Core 
Configuration. This is a pivotal Government and industry 
cooperative venture starting with ubiquitous Microsoft products 
to make computers more stable and defensible.
    In conclusion, the DOD CIO is working toward a resilient 
and defendable core network for the Department and for the 
Nation in the face of the daunting security challenges you 
talked about. We are preparing the GIG and the GIG-dependent 
missions to operate under duress and we are doing so under 
conditions of rising hostility. I am happy to take questions.
    [The prepared statement of Mr. Lentz follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Watson. You may proceed.

                  STATEMENT OF JOHN STREUFERT

    Mr. Streufert. Good afternoon, Madam Chairwoman Watson, 
Ranking Member Bilbray, and distinguished members of the 
subcommittee. I am pleased to have this opportunity to testify 
before the subcommittee regarding the Department of State's 
capabilities for combating cyber threats, detecting and 
mitigating vulnerabilities, and securing the Department's 
global information and technology infrastructure. My statement 
will describe key elements of the Department's information 
security program.
    Madam Chairwoman, as you know from your time at the 
Department of State, we serve as the diplomatic front line in 
over 270 overseas posts. This global reach affords the 
Department a unique perspective on cybersecurity as we provide 
for the confidentiality, integrity, and availability of a 
worldwide network for the 50,000 users of the Department and 
the application software that they put to work. The foreign 
policy mission makes an inviting target for attack by highly 
skilled cyber adversaries.
    However, the Department's layered approach to risk 
management allows multiple levels of protection. This 
protection is accomplished by implementing a matrix of 
technical, operational, and management security controls. In my 
dual roles as Chief Information Security Officer and Deputy 
Chief Information Officer for Information Security, I am part 
of an integrated team. Together, technical and operational 
security experts of the Department work in close coordination 
with the DOD and others to satisfy mission essential 
requirements from our command and control capabilities, network 
and critical infrastructure protection, law enforcement, and 
intelligence community support.
    The scope of cyber activity the Department faces in a 
typical week includes blocking 3 1/2 million spam emails, 
intercepting 4,500 viruses, and detecting over a million 
external probes to our networks. The Department maintains a 24 
x 7 network watch program that guards against external 
penetration, compromise, or misuse of the Department's cyber 
assets.
    Analysts stationed at our network monitoring center serve 
as continuous sentries for inappropriate network activity. The 
analysts perform preliminary assessments to confirm the nature 
and source of suspicious network security events. Those matters 
deemed significant are escalated to our Computer Incident 
Response Team [CIRT], for in depth analyses and corrective 
action. CIRT analysts track all reported actions through 
completion and coordinate incident response actions with all 
stakeholders including our internal Department security units, 
the Department of Homeland Security, US-CERT, and law 
enforcement entities.
    To combat increasingly sophisticated cyberattacks, the 
Department of State's Cyber Threat Analysis Program provides 
early warnings about potential cyber incidents. This team of 
technical analysts performs essential in depth assessments of 
network intrusions and helps to coordinate the Department's 
response to sophisticated cyberattacks. In addition, they 
perform proactive penetration testing and network forensic 
analyses to detect and resolve significant threat issues.
    The Global Security Scanning program at the Department 
serves multiple essential purposes covering all of its domestic 
and overseas locations. Electronic tools perform functions that 
include confirming what is connected to the Department's 
networks; assuring that computers, networks, and software are 
in the safest of configuration settings; locating system 
vulnerabilities that need correction; and collecting evidence 
for cybersecurity investigations. Global Scanning is 
complemented by our computer security officers that are posted 
both regionally and locally for overseas embassies and 
consulates as our boots on the ground.
    To strengthen its operational capability, the Department 
has created the Risk Scoring Program to help pinpoint and 
correct the worst network and system vulnerabilities on any 
particular day both locally and for our networks worldwide. 
Risk points are assigned for cyber threats consistent with 
vulnerabilities defined in the National Institute of Standards 
and Technology guidelines.
    Every computer and server connected to the Department of 
State network is scanned worldwide on a continual basis. Based 
on progress in reducing vulnerabilities overseas and at 
headquarters organizations, each entity is graded from an A to 
an F for their work during the last month. In this sense, it 
functions like a daily quiz where at the end of the month there 
is a test and a grade is given.
    Madam Chairman, we are pleased to report that an embassy as 
far flung as the one in Kolonia where you served currently has 
an A+ with perfect ratings in 6 of 10 categories we evaluate, 
notwithstanding how far it is from many other industrialized 
centers.
    Since July 2008, overall risk on the Department's key 
unclassified network has been reduced by nearly 80 percent in 
overseas sites and 55 percent in domestic locations.
    The Department's Cybersecurity Incident Program was formed 
to address consequences for acts of cyber misuse or abuse by 
individuals. The Cybersecurity Incident Program applies to all 
Department system users and defines infractions and violations. 
More serious violations are cases where the failure to comply 
with a specific Department policy exists and results in damage 
or the potential of significant damage to the Department's 
cyber infrastructure. Upon the notification of an incident, an 
investigation is undertaken incorporating several Department 
organizations charged with gathering what is necessary to 
ensure a prompt and appropriate response to the cyber event 
while protecting the rights of the accused.
    For those that are found to have committed an infraction or 
violation, the consequences available to the Department range 
from a letter of warning to suspension of network access. In 
select cases, further disciplinary action has been recommended 
or referral for criminal prosecution.
    Madam Chairwoman, I want to conclude by reiterating that 
the Department's strategy and programs are continually adapting 
to match the ever changing threats to cybersecurity. We believe 
we have the policies, technology, business processes, and 
partnerships in place to evolve and meet the continuing 
challenges of security threats in the cyberspace environment.
    I thank you and the subcommittee members for this 
opportunity to speak before you today. I would be pleased to 
respond to your questions.
    [The prepared statement of Mr. Streufert follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Watson. Thank you so much for your testimony. We are 
now going to move to the question period and proceed under the 
5-minute rule. I will make my statement and then I will 
recognize the ranking member, Mr. Bilbray, for 5 minutes as 
well.
    These questions will be for both panelists. You can respond 
as soon as I finish. When we talk about cyberattacks against 
Government agencies, we often fail to determine the purpose of 
the attacks being carried out such as those for economic gain, 
espionage purposes, or simply to disable or to disrupt 
Government operations. If possible, I would like both of you to 
offer some general observations on the differences or the 
similarities between cyberattacks from both domestic and 
international sources. Are there distinguishable motives or 
things for either source? Do certain groups target specific 
networks or cyber infrastructure in their activities, or do 
they look for the weakest link in the chain for attack?
    I am very pleased that Kolonia in the Micronesian Islands 
is following a good example and that they are A+. That is a 
little personal thing, there.
    But if you will start, Mr. Lentz, I would appreciate it.
    Mr. Lentz. I think your question is a very good one because 
the state of cyber threats has changed dramatically over the 
last several years. In fact, what we are seeing in the past 18 
months is a significant rise in cyber crime activity, a 
significant rise. Before that, it was pretty much exclusively 
in the hacker domain where we would get a lot of our cyber 
events occurring. That skill set has dramatically improved in 
terms of its skill craft as well.
    But going to your question, the state of play, because 
cyber criminals now can use the Internet to make lots of money, 
provides them a playing field that is very rich with targets of 
opportunity. So that is a significant concern of all of us, 
particularly other sectors of the U.S. Government and of course 
the private sector.
    But the other aspect of this is one that we in the 
Department of Defense are of course always concerned about, the 
threat against our national security systems and our weapons 
programs. We always have to be prepared for a nation-state or 
surrogate of a nation-state to take action against our networks 
either for espionage or for other denial of service purposes in 
conflict. So that is the other aspect of this problem, which is 
continuing to grow in sophistication. It is one that we are 
very concerned about and we have to be prepared for.
    Ms. Watson. Mr. Lentz, naturally there is probably little 
you can tell us in an opening statement or in your statement 
about the recent breaches to the Joint Strike Fighter and 
Marine One programs. But I do, however, feel obligated to ask 
you about some general background that is consistent with what 
is part of the public record. So can you tell us where you are 
in determining the sources of the breaches and whether they 
were government sponsored or private cyber criminals at work 
there?
    Mr. Lentz. As you said, Madam Chairwoman, this issue is 
very sensitive. We are prepared to give the committee a 
classified briefing of the details of the investigation. Much 
of this investigation right now is held in law enforcement 
channels under warrants. It is an ongoing investigation. That 
is the current position where we are. It is a very important 
priority of ours to get to the bottom of this.
    Ms. Watson. I know that technology improves every single 
day. I am wondering if the personnel who work on our posts are 
well equipped with the knowledge of how it operates and the 
uses. Do you then train, say the new Ambassadors and the 
embassy staffs, along these lines of the increases in 
technology?
    Mr. Lentz. Training and education awareness is without a 
doubt one of our top priorities. In my opinion, I think it is 
our most important priority because people are what run our 
network. We improve awareness training every single year. One 
of the things that we are doing a lot more of, to go to the 
heart of your excellent question, is leadership training. That 
is one of our highest priorities right now, to the highest 
levels of our Department, to make sure that general officers 
and senior officials coming into the Department are briefed in 
an in depth form on the cyber threat. It is a very big priority 
to include our mission partners in places like embassies to 
make sure. We team with State Department in collaborative 
efforts to do the same thing.
    Ms. Watson. Mr. Streufert, do you want to comment?
    Mr. Streufert. To your question of training, we place an 
extraordinarily high value on the current Federal Information 
Security Management Act. It encourages that there is annual 
awareness training. At the State Department, by one method or 
another, we provide sometimes oral briefings to the most senior 
leadership of the Department of State, or in other cases, 
remote distance learning. For the balance of the Department, we 
see training to be extraordinarily beneficial as our users are 
an important part in the protection of the information that the 
Department of State has and what we are asked to protect.
    The State Department has initiated a pilot project for a 
method of training called Tips of the Day. What we do, when the 
computer users log on in the morning, is to provide them two or 
three sentences of instruction and then, to those connected in 
what we expect to pilot in two of our bureaus here in the 
coming weeks, a true/false question. Then we keep track of 
those answers and the level of understanding about basic 
security awareness.
    We found this to be a particularly beneficial mechanism at 
an earlier point of testing after a laptop was lost in one part 
of the Government. This occurred at USAID. We very quickly went 
out and reinforced that personally identifying information 
should not be carried out of a Government space without prior 
arrangements, which has evolved to become encryption to later 
events.
    So along with Mr. Lentz, we believe that training is a very 
essential part to keep our users leaning forward to complement 
the important changes we make in technology.
    Ms. Watson. My own time is up. I will recognize the ranking 
member, Mr. Bilbray, for 5 minutes.
    Mr. Bilbray. Thank you, Madam Chair. Thank you for having a 
loud mic this time around. I appreciate the technology 
advancement.
    Mr. Lentz, sadly there are a whole lot of things we can't 
talk about here in public. So I guess that is sort of an 
indication of how important this issue is going to be.
    There is a lot of discussion about how secure our systems 
are within the structure and whatever. But I want to sort of 
back off and go down to the fact of who has access into these 
systems, especially the contractors. Right now, within the 
Department itself, we verify before we hire somebody in house 
who they are and what they are. We use E-Verify to classify 
that, right? Within the Department itself, we use E-Verify?
    Mr. Lentz. That is right.
    Mr. Bilbray. But we have delayed--correct me if I am wrong, 
you may be doing this with your contractors--but right now the 
administration has delayed the implementation of E-Verify from 
February I guess until late June. Are you now with your 
contractors that are being brought in to work on a lot of these 
projects, are you now by policy requiring e-verification of 
every employee so we know they are who they are, or at least 
have the justification to know that the Social Security and 
other information they have given is viable?
    Mr. Lentz. My understanding is we do not use E-Verify 
within the Department of Defense. So I can't really respond to 
that particular question. We can take that for the record and 
talk to DSS and get some specifics.
    Mr. Bilbray. I just think that kind of the minimum is that 
we make sure that everybody is checked. As far as I know, you 
are supposed to be using it in house. Members of Congress use 
it. Everybody in the Federal system is supposed to be E-
Verifying whenever we hire.
    The trouble is when we bring the contractors in. We have 
had situations where contractors have been working on nuclear 
powered ships and it was a major concern. I just want to make 
sure that we put the same level of security on our information 
systems that we put to our nuclear ships. That is make sure 
that any contractor who is coming in, who has access to our 
systems, has at least been checked that they are who they claim 
to be. That is the first level of security we ought to talk 
about.
    So I would ask that you take a look at that. I think, God 
forbid, we wouldn't want to have next month come out and 
everyone say, well, why didn't we implement this earlier. There 
were things that Congress couldn't even discuss in public but 
people that hadn't been checked were being allowed into the 
system. I ask that we see what kinds of systems, first of all, 
we have to make sure the access into the system is only people 
that have been qualified.
    In that category, generally what efforts underway do we 
have to secure the contractors' networks and their material?
    Mr. Lentz. First to go back to your first question, one 
program that we have instituted in the Department of Defense is 
a program called FICS, which stands for Federated Identity 
Credentialing Service. It is a program we have working with 
industry to, in a federated way, to recognize their security 
clearance process. Then using electronic authentication 
capabilities, we can in fact recognize their entrance into the 
Department of Defense installations.
    Mr. Bilbray. Now that electronic, is that biometric or is 
that just the pass card system?
    Mr. Lentz. It is currently using PKI, Public Key 
Infrastructure technology. That is the same technology we use 
in the Department of Defense to implement Homeland Security 
Presidential Directive No. 12 pervasively throughout the 
Department. So that technology is proven.
    Mr. Bilbray. Is there biometric confirmation in that?
    Mr. Lentz. It does not currently leverage biometrics but we 
do have a program for three factor authentication underway to 
pilot that throughout the Department.
    To the other part of your question, we have our defense 
industrial base effort that we launched a little less than 2 
years ago. That effort is aggressively going after the control 
of unclassified information that resides on our contractor 
systems. We have a pilot underway with a number of our top 
industrial partners to help protect their networks to the same 
level that we are protecting our own.
    As I mentioned in my oral remarks, this program has proven 
to be very successful both in getting very timely threat 
information to our industrial base partners, but also for them 
to provide us very timely information on incidents that they 
have occurring on their networks. We use a very strong policy 
framework and legal framework to protect the equities of each 
of us to make sure that information flows near real time if at 
all possible.
    Mr. Bilbray. Madam Chair, I wasn't planning on following 
this line but I have sort of fallen into the fact that the 
first line of defense against somebody messing with our 
information system is to make sure the people we hire to help 
do the work aren't people we don't want on there.
    I have just quickly a question because my time is up. Do we 
have the same access system going into the Pentagon today that 
we had during 9/11? It sure looked like the same system to me. 
Have we upgraded and put biometrics or anything else on the 
Pentagon?
    Mr. Lentz. No, sir.
    Mr. Bilbray. I just think that is something we need to talk 
about in the future. I appreciate it, Madam Chair.
    Ms. Watson. Mr. Connolly.
    Mr. Connolly. Thank you, Madam Chair. Let me ask each of 
you, in your respective agencies, what keeps you up at night? 
What is your sense of the biggest threat you worry about? Is it 
hacking into the system? Is it just a breach of security 
because somebody is not careful? Is it unwarranted inquiries 
into classified and/or unclassified systems? Is it the far 
flung enterprise you each represent?
    Mr. Streufert, I think you mentioned 280 locations around 
the world for the State Department. There must be an equal 
number in the Defense Department. Levels of security have to 
vary given that far flung enterprise.
    I would just like to have some sense from each of you in 
terms of the Defense Department and the State Department of 
your sense of the nature of the threat and how well equipped we 
are from your point of view to address that threat.
    Mr. Streufert. Congressman, an aspect that keeps me up at 
night is precisely the one that you mention on how far flung 
the Department of State is, particularly in conjunction with 
the comments that a number of Members have made and Mr. Lentz 
about how sophisticated and evolving the threat is.
    The reality is that we could have new threats which would 
appear overnight. In practical terms, if we don't have a tool 
that is capable of diagnosing that threat, we could have 
difficulties that could get away from us and potentially cause 
harm.
    So I think that the future of protecting Federal networks 
is likely to aim in the direction of trying to find those sets 
of tools that could be made available to those within the .gov 
network, which you made appropriate reference to, to figure out 
how we can protect the information that the American public 
entrusts with those of us at the national level and distributed 
throughout the other parts of the Federal Government and in the 
States. I think that is a very challenging area. We just have 
to watch the continually evolving threats and figure out a way 
that we can step up to them.
    Mr. Lentz. As Chairwoman Watson said, what keeps me up at 
night is the pervasiveness of this threat when we talk about 
cyber espionage and the amount of information that is getting 
stolen, from not just the Government's potential networks but 
the Nation at large. The technology edge that we have 
currently, especially when it comes to innovation, is one that 
we have to protect very, very carefully. I think that keeps me 
up at night, not only as a Government employee but as a private 
citizen.
    The second thing is, from a DOD standpoint, the threat of a 
nation-state in terms of what it can do if hostilities rise to 
that point. We have to have the best protection mechanisms in 
place and redundancy in our capability to withstand a very 
sophisticated nation-state, in light of the fact that all of 
our systems and networks and people are now so dependent upon 
the network and information to be successful, as we see in the 
Information Age. Those are the two things that keep me up.
    Mr. Connolly. The suggestion has been made that the very 
nature of the architecture of the Internet as such an open 
system, so all-encompassing, that by its very nature it is 
subject to compromise. There is just no getting around it. Have 
you given thought to creating parallel systems that are closed 
for the U.S. Government? Would it work?
    Presumably, the same techniques for hacking into or 
compromising even a secure system on the existing Internet 
could likewise be applied to a parallel closed system. I would 
be interested in whether your respective agencies have examined 
that and what you think about the practicality of it.
    Mr. Streufert. This is an area that we looked to under the 
Committee on National Security Systems, in which Mr. Lentz 
plays a very active part and I am privileged to participate at 
a number of their activities each year. There are some 
technologies that are being worked on in the Department of 
Defense that seem to hold the best prospects for protecting 
information of national security importance, but also of the 
nature of protecting personally identifying information as an 
example.
    The use of the Internet has both risks and potential 
benefits for the American public. As an example, with the 
consular function, which I know the Madam Chairwoman 
understands very well, we are able to support the needs of the 
public through some online activities which make it easier for 
people at a distance to obtain visas and passports. On the 
other hand, that same technology which is an aid to the 
American people is a potential risk.
    There are a number of technologies that DOD is evaluating 
for virtual operating systems. They permit the possibility that 
if there would be a potential threat to the computer system, 
there would be a refresh of the image of that computer on its 
next use so that the regular work could go forward. And that is 
just one of many techniques that we try to work with the 
Department of Defense on.
    Mr. Connolly. I would ask unanimous consent that Mr. Lentz 
be allowed to answer. My time is up. But if we could just hear 
the Department of Defense response, if that is acceptable?
    Ms. Watson. Go ahead.
    Mr. Connolly. I thank the Chair.
    Mr. Lentz. We completely agree that network resiliency, the 
ability of our network to be able to withstand and maintain 
continuity of operations under any form of attack, is a very 
high priority of ours. We are designing in every day as many 
measures as possible to ensure that from the top secret 
sensitive networks to our command and control secret networks 
we can withstand that kind of sophisticated attack. So we are 
investing as much as we can to harden that network to do that.
    I will say that the growth, as I said, of technology and 
the escalation of the threat pose a significant challenge to us 
every single day. We must continue to invest and leap ahead 
with technologies to stay further ahead of our adversaries 
instead of just keeping pace with them.
    Ms. Watson. Mr. Cuellar.
    Mr. Cuellar. Thank you, Madam Chair. I think we understand 
the threats that we are seeing now have been increasing by 
large numbers. For example, the Department of Homeland Security 
reported in 2007 that they had received about 18,000 cyber 
related incidents. According to GAO, the Department of Defense 
had received approximately 6 million scans or probes daily from 
unidentified areas. The Department of Energy's Los Alamos 
National Laboratory reported receiving an estimated 10 million 
probes of its classified systems per month in 2007. I think we 
have seen even 
congressional offices that have been subject to some of these 
attacks also.
    I guess one of my questions has to do with lessons learned 
and what cooperation, communication we have with the different 
agencies. What best practices are we learning from each other?
    Just looking at body language, and I am probably wrong, do 
you all know each other? Do you talk?
    Mr. Streufert. Yes.
    Mr. Lentz. Constantly.
    Mr. Cuellar. But do you all work on a professional basis in 
the sense of this is what we learned, this is what has happened 
in the State Department, this is what has happened at the 
Defense Department?
    Mr. Streufert. Yes.
    Mr. Cuellar. What are the lessons learned that you can tell 
us that we can share and that the Intelligence Committee or the 
intelligence community can share with each other? I am sure 
each agency is learning something on those cyber attacks and 
how we defend each other, but how do you share that with 
another agency? It might be that somebody is learning something 
that could help another agency.
    Mr. Lentz. One of the things that has been a huge priority 
of ours over the last several years, as you stated in your 
statistics you said earlier, is the pace by which our network 
is being scanned. The immensity of that threat is such that our 
intelligence agencies and our law enforcement agencies are 
richly connected these days sharing information. From our Joint 
Task Force for Global Network Operations within the Department 
of Defense to the Defense Cyber Crime Center, which is our 
front door for our defense industrial base--
    Mr. Cuellar. By the way, let me interrupt. GAO reported in 
2007 that you all had 6 million unauthorized probes and scans 
but I think in your testimony you referenced 360 million.
    Mr. Lentz. That is correct.
    Mr. Cuellar. So did it increase from 6 million to 360 
million?
    Mr. Lentz. That is correct. That reflects several things.
    One, it just reflects, as the chairwoman said, the 
immensity of the threat. The threat is increasing 
exponentially. The amount of individuals and machines, what we 
call in our techie parlance botnets, that are out there, 
machines pinging the network, probing our network, has grown 
exponentially.
    In addition, we have better sensoring technology within our 
network now versus 2006. It is now able to allow us to better 
understand and better have knowledge of these probes and scans 
that are occurring on our network.
    Also, our Computer Emergency Response Teams are now working 
very closely together. They collect these statistics that 
are now reported up, which is what is reflected in the more 
updated report.
    That goes to the heart of your very good question. All 
these centers are working together to be able to share 
information. The one challenge that we have is protecting 
information and not letting it out as fast as possible. That is 
a cultural issue that must be dealt with. That is one that I 
think is probably the biggest Achilles heel that we have.
    We need to have law enforcement and the intelligence 
community make sure that they open up information as fast as 
possible because we are talking about real time threats that 
therefore need real time responses and situation awareness. So 
we therefore are all learning from each other to deal with 
that.
    Mr. Cuellar. But what protocols do you all have in place 
that gets you to provide your lessons learned to, let us say, 
the gentleman next to you from the State Department? What are 
the protocols?
    Like you were saying, it is moving so quickly. There is a 
scan and a probe here, and there is something new here. How do 
we share that? What protocols do we have in place to provide 
that communication and coordination with other Federal 
agencies?
    Mr. Streufert. Congressman, there are things happening on 
many different levels, beneficially simultaneously. Perhaps 
what we can learn from this is that we need to get better and 
better. These include daily video conferences that are held 
between the key components of the Government.
    Mr. Cuellar. Does that include Homeland Security?
    Mr. Streufert. Yes.
    Mr. Cuellar. OK. Thank you.
    Mr. Streufert. The regular interactions between US-CERT and 
the civilian agencies are very active. We are discussing 
signatures in particular threats, responding to things like the 
recent Conficker and a number of the other threats.
    At the State Department, we have a unit which analyzes 
threats. Because we are members of a country team and have so 
many locations overseas at embassies and consulates, we are 
available to assist them if there is identification of a 
particular problem and they ask about it. We can proactively 
reach in their direction.
    All of these I think are beginnings of an effort where we 
as a country, if we can become the strongest team among 
nations, we will do the best in a very rapidly evolving area.
    Mr. Cuellar. I want to thank both of you and the men and 
women who work with you. I know the future challenges are just 
amazing. So I really appreciate the work that you all do. Thank 
you.
    Ms. Watson. I want to thank the panel for your testimony. 
There are a couple of things we would like to set up a 
classified briefing about. We will get together with you to 
determine the time. I think there is far more information that 
we need to know as part of this hearing or subsequent to this 
hearing. So we will be in touch with you.
    That is the bell that says we have three bills on the floor 
to vote on. I will dismiss this panel. Thank you very much. You 
may be dismissed now.
    Mr. Bilbray. Madam Chair, before they are dismissed I would 
just ask one thing. There is this big issue, to follow up on my 
colleagues, that is the issue that was brought up by the Center 
for Strategic and International Studies and the concept of 
having a coordinator in the White House for oversight on all of 
these agencies. I would ask that you respond in writing 
specifically to your concerns or your support or whatever you 
have about the concept of having a designated person in the 
White House itself to be able to coordinate this.
    I appreciate my colleagues bringing up this issue because 
those firewalls and all the problems we had in 9/11, we are 
seeing we have the same problems here.
    Ms. Watson. Without objection, we will ask for the 
committee to raise that question. We will ask for responses as 
soon as possible.
    With that, we will dismiss. We will recess this committee 
hearing. We will come back, I would say, it would be close to 4 
p.m. for panel II. Sorry for the break but we need to get to 
the floor. Thank you so much for your testimony.
    [Recess.]
    Ms. Watson. I would like to invite our second panel of 
witnesses to come forward. You are already in your seats. It is 
the policy, as you know, of this committee to swear in all 
witnesses before they testify. I would like to ask all of you 
to please stand and raise your right hands.
    [Witnesses sworn.]
    Ms. Watson. Thank you. You may be seated. Let the record 
reflect that the witnesses answered in the affirmative. Now I 
will take a moment to introduce our distinguished panelists.
    Mr. Gregory Wilshusen serves as the Director of Information 
Security Issues at GAO. His work involves examining Federal 
information security practices and trends at Federal agencies. 
He is GAO's leading expert on FISMA implementation.
    James Andrew Lewis directs the CSIS Technology and Public 
Policy Program. He is a Senior Fellow and most recently served 
as Project Director of the CSIS Commission on Cybersecurity for 
the 44th Presidency. Before joining CSIS, he was a career 
diplomat who worked on a range of national security issues 
during his Federal service, including several bilateral 
agreements on security and technology.
    Lieutenant General Harry D. Raduege retired after 35 years 
in the U.S. military where he last served as the Director of 
the Defense Information Systems Agency. He also served as co-
chair of the CSIS Commission on Cybersecurity for the 44th 
Presidency.
    Mr. Marcus Sachs is the Director of the SANS Internet Storm 
Center, an all volunteer Internet early warning service 
sponsored by the SANS Institute in Bethesda, MD. His 
professional experience includes a 20 year military career as 
an Officer in the U.S. Army followed by 2 years of Federal 
civilian service at the White House as part of the National 
Security Council and at the U.S. Department of Homeland 
Security.
    Then we have Liesyl I. Franz. She is the Vice President for 
Information Security and Global Public Policy at TechAmerica. 
Prior to her current position, she worked at the Department of 
Homeland Security and in Government Relations for EDS.
    Now, I will ask that each one of the witnesses please give a 
brief summary of your testimony. Keep this summary, if you can, 
under 5 minutes in duration because your complete written 
statement will be included in the hearing record.
    Mr. Wilshusen, please proceed.

STATEMENTS OF GREGORY WILSHUSEN, DIRECTOR INFORMATION SECURITY 
 ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; JAMES ANDREW LEWIS, 
   DIRECTOR AND SENIOR FELLOW, TECHNOLOGY AND PUBLIC POLICY 
PROGRAM, CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES; MARCUS 
H. SACHS, DIRECTOR, SANS INTERNET STORM CENTER, SANS INSTITUTE; 
LIEUTENANT GENERAL HARRY D. RADUEGE, JR., RETIRED, CO-CHAIRMAN, 
 CSIS COMMISSION ON CYBERSECURITY FOR THE 44TH PRESIDENCY; AND 
   LIESYL I. FRANZ, VICE PRESIDENT, INFORMATION SECURITY AND 
               GLOBAL PUBLIC POLICY, TECHAMERICA

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Chairwoman Watson, thank you for the 
opportunity to participate in today's hearing on the threats, 
vulnerabilities, and challenges in securing Federal information 
systems.
    Information security is a critical consideration for any 
organization that depends on information systems and computer 
networks to carry out its mission or business. The need for a 
vigilant approach to information security has been demonstrated 
by the pervasive and sustained cyber-based attacks against the 
United States that continue to pose significant risks to 
systems and to the operations and critical infrastructures that 
they support.
    Cyber threats to Federal systems and cyber-based critical 
infrastructures are evolving and growing. These threats can be 
intentional or unintentional, targeted or non-targeted. They 
can come from a variety of sources such as foreign nations 
engaged in espionage and information warfare, criminals seeking 
monetary gain, hackers and virus writers proving their mettle, 
and disaffected employees and contractors working within an 
organization. Moreover, these groups and individuals have a 
variety of attack techniques at their disposal.
    Cyber exploitation activity has grown more sophisticated, 
more targeted, and more serious. Perhaps reflective in part of 
the evolving and growing nature of these threats to Federal 
systems, the number of incidents reported to US-CERT tripled 
during fiscal years 2006 through 2008 from about 5,500 to over 
16,800 incidents. Agencies have experienced a wide range of 
incidents involving data loss or theft, computer intrusions, 
and privacy breaches.
    These factors highlight the need for effective security 
policies and practices. However, serious and widespread control 
deficiencies and vulnerabilities continue to place Federal 
assets at risk of inadvertent or deliberate misuse, financial 
information at risk of unauthorized modification or 
destruction, sensitive information at the risk of inappropriate 
disclosure, and critical operations at risk of disruption.
    Over the past several years, GAO has made hundreds of 
recommendations to assist agencies in countering cyber threats, 
mitigating identified vulnerabilities, and strengthening 
security controls over Federal information systems. Effective 
implementations of these recommendations will help agencies to 
prevent, limit, and detect unauthorized access to computerized 
networks and systems; help ensure that only authorized users 
can read, alter, or delete data; better manage the 
configuration of security features for hardware and software; 
assure that changes to those configurations are systematically 
controlled; better plan for contingencies which can prevent 
significant disruptions of computer-dependent operations; and 
to fully implement an agency-wide information security program 
that provides protections commensurate with the risk and 
magnitude of harm resulting from the unauthorized access, use, 
disclosure, or modification of its information and systems. 
This includes those operated by contractors.
    Agencies have implemented or are in the process of 
implementing many of our recommendations. Nevertheless, 
agencies will continue to face significant challenges in 
securing their systems and information going forward. For 
example, the complexity of highly diverse, dispersed, and 
interconnected Federal computing environments; the 
preponderance of defective software; the increasing reliance on 
contractors for operational IT support; and the emergence of 
new technologies, threats, vulnerabilities, and business 
practices will continue to challenge the abilities of agencies 
to sufficiently safeguard their information technology 
resources.
    To help address these and other challenges, sustained 
commitment, oversight, and improvements to the national 
cybersecurity strategy are needed to strengthen Federal 
information security. Chairwoman Watson, this concludes my 
opening statement.
    I will be happy to answer questions at the appropriate 
time.
    [The prepared statement of Mr. Wilshusen follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Watson. Thank you.
    Mr. Lewis.

                STATEMENT OF JAMES ANDREW LEWIS

    Mr. Lewis. Thank you. I thank the committee for the 
opportunity to testify.
    Digital networks provide real economic benefit but the 
combination of greater reliance on networks and inadequate 
attention to security has made our Nation vulnerable. My 
written statement lists a number of publicly known incidents 
that occurred just in the last year.
    The failure to secure America's information infrastructure 
weakens the United States and makes our competitors stronger. 
The real risk lies in the long term damage to our economic 
competitiveness and technological leadership. We are everyone's 
target. Cyber attacks could provide the capability to disrupt 
key services as in the case of an opponent who accesses a 
utility's control system. But the immediate problem is the loss 
of intellectual property and advanced commercial and military 
technology to foreign competitors.
    Right now, attackers have the advantage. The principal 
threat comes from well financed and innovative opponents. The 
most skilled are foreign military and intelligence services 
with immense resources and experience. The first Russian hack 
of DOD computers, for example, occurred more than 25 years ago. 
They have been continuing to engage in this sort of activity 
ever since. These government agencies, however, are almost 
matched by highly sophisticated cyber criminals who buy and 
sell tools and data in virtual black markets and who are safe 
from the threat of prosecution.
    The sources of vulnerability are outdated policy and laws 
and inadequate technologies. The Internet as it is currently 
configured and governed cannot be secured. If we continue on 
the course we are on today where we have not learned how to 
balance efficiency and security, these vulnerabilities will 
only grow.
    The United States has been trying to improve cybersecurity 
for more than a decade. The last 12 months have seen some 
progress. The Obama administration has identified cyber 
security as an important national security issue. But we are 
still mired in debate.
    There are arguments that the Government should only secure 
its own networks and lead by example. This won't work because 
we are really all on one big network, Government and private 
sector, America and foreigners. It is like saying we should 
tune up half the car and hope that the other spark plugs are 
inspired.
    Some say that since most networks are privately owned, we 
should rely on the private sector for defense. This is like 
saying that since most airplanes are private, we should depend 
on the airlines to defend our airspace. National security is a 
function that only the Government can perform adequately.
    People worry that if we secure our networks, it will damage 
America's ability to innovate. But more investment in 
innovation, which I applaud, is pointless if we are only going 
to share it for free with our foreign competitors.
    We need a comprehensive Government-led approach to secure 
cyberspace. In recognition of this, the CSIS Cybersecurity 
Commission, which some of us served on, recommended a broad 
national approach, the creation of a strong White House cyber 
advisor with clear authorities, and the development of a 
national security strategy that would use all the tools of U.S. 
power.
    Government policy will determine whether we fail or 
succeed. Government acquisition rules can create a market for 
more secure products. A revised FISMA would improve agencies' 
security and provide a template for the private sector. 
International engagement, expanded law enforcement, a judicious 
use of regulatory powers, and investment education and research 
can change the situation from one where we are losing to one 
where we are at least holding our own.
    The problems we face in cyberspace, espionage, crime, and 
risk to critical infrastructure, will not go away. But the 
risks they pose can be reduced by coordinated Government 
action.
    As you know, the administration is struggling to conclude 
its 60 day review. Ideally, the review will lead to a strong 
White House cyber advisor. Without this, cybersecurity in the 
United States will always be underpowered. But with so many 
different interests involved, there is a risk that the 
administration will come up with a solution that makes everyone 
happy. The only people who will benefit from this will be 
foreign intelligence agencies and cyber criminals.
    I thank you for the opportunity to testify. I will be happy 
to take your questions.
    [The prepared statement of Mr. Lewis follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Watson. Thank you.
    Mr. Sachs.

                  STATEMENT OF MARCUS H. SACHS

    Mr. Sachs. Thank you, Madam Chairwoman. I appreciate the 
opportunity to appear before the committee to discuss the 
important topic of cybersecurity and the challenges of securing 
Federal information systems. The committee's interest in this 
topic is timely and crucial to the security of our Nation's 
most sensitive information. My written testimony is fairly 
detailed so I will just summarize it now by covering most of 
the main points.
    I would like to look back over our shoulders at how we got 
to this troublesome position we are in today. Decisions made in 
the 1980's about Government purchases of commercial off the 
shelf [COTS] computer hardware and software in lieu of 
expensive, specially hardened systems made sense when most 
home, business, and Government computer users did not have 
access to networks but instead relied on floppy disks. That is 
what we used to call the old sneakernet. This is how we moved 
and transferred files between computers.
    Back in those days, the malicious code inside the Federal 
Government's desktop computers was primarily in the form of 
disk-based viruses. They had little fun names like Brain or 
Concept. They really weren't much more than an annoyance. In 
fact, back then, to gain access to a Government desktop 
computer or file server, you generally had to have physical 
contact with it or you had to have the ability to talk a 
Government employee into accessing it for you.
    Theft of floppy disks, backup tapes, and printer outputs 
were the methods that were used by our adversaries to steal 
sensitive information contained on our Government computer 
systems.
    This started to change in the middle 1990's as more 
organizations connected their computers to the global Internet 
and threats beyond the borders of the United States began to 
take advantage of that connectivity. The growth of Government 
outsourcing and the increasing dependence on Government 
contractors also added to the problem of protecting sensitive 
data since information was no longer uniquely stored on 
Government computers and behind layers of rigid security 
barriers.
    Also in the 1990's the .com explosion happened and the 
Internet became a common household word. Nuisance viruses and 
Web site defacements were the weapons that both adolescents and 
political protestors, as well as others, used to express their 
views. In fact, we had a string in the late 1990's of hundreds 
of .gov Web sites that were defaced. It was a very embarrassing 
situation for cia.gov, Congress.gov, speaker.gov, and 
whitehouse.gov.
    But while these Web site defacements were a very visible 
sign of the difficulties we faced, a less visible conflict on 
two fronts was brewing that we continue to deal with today. 
That is cyber crime and cyber espionage.
    In my written testimony, I outline several actions that the 
Government has already taken since the middle 1990's in terms 
of new organizations and new partnerships with the private 
sector. But let me just summarize briefly five items I think we 
should do to continue making the Internet more secure.
    The first is that Government's most important role is truly 
to set the example. If the Government were to manage its own 
computer networks in a manner that can be an exemplar for 
others to follow, then we in the private sector can point to 
the Government and say, follow them and do as they do.
    Second, the Government must use its acquisition powers to 
improve everybody's ability to secure cyberspace. There was a 
large effort by the Air Force, OMB, NSA, DISA, NIST, Microsoft, 
and others to build what today we call the Federal Desktop Core 
Configuration. That standard can not only be used by the 
Federal Government but by any organization that uses Windows XP 
and Windows Vista operating systems. This is the type of 
leadership we need. It can't stop with just Windows. We need to 
have all software secured and we can use that procurement angle 
to do that.
    Third, the Government must develop a career field for 
cyberspace professionals. We are talking about initial entry 
all the way to senior executives. If we don't immediately 
address this problem, we will never be able to secure the 
Federal Government's networks. Security is not about applying 
just the latest patch or running the latest anti-virus 
software. It is also about culture and risk management and 
leadership. It truly is about the people.
    Fourth, we need to think about how we view cyberspace and, 
in particular, how we view the Internet. If we think about 
industrialism from the 19th century, cyberspace is really 
industrialism of the 21st century. It is what fuels our 
economy. We cannot allow it to become a combat zone. We can't 
let the criminals take it over. We can't let the spies 
dominate. We need to change this conversation and argue that 
cyberspace is the cornerstone of America's global leadership 
and our economic prosperity as we go forward in this century. 
If we look at cyberspace through the lens of economics, perhaps 
then we will find some better approaches to secure it.
    Fifth, cyberspace exists because of the combined work of 
the Federal Government and the private sector with the 
scientists, researchers, investors, and other leaders. It is 
not the single domain of either Government or the private 
sector. It must be protected from damage by both parties 
working in unison. We have come a long way over the past 
several decades in building strong public/private partnerships. 
We cannot let those relationships weaken or dissolve.
    The last thing I want to mention briefly is that industry 
has been doing quite a bit of research as well, trying to find 
out how intrusions happen, how breaches occur. One of the most 
remarkable reports is this one that Verizon Business has come 
up with. This is the second year. What it tells us is that 
almost everything is preventable. These breaches that are 
costing millions of dollars in credit cards and others are all 
preventable largely if we just do simple steps. If we follow 
the rules we have already come up with, this goes away.
    It is inexcusable that in 2009 our Nation seems to be 
unable to prevent our adversaries from breaking into our 
networks. It is also inexcusable that we continue to run our 
computer networks as though they are some magical enterprise 
only understandable by geeks and nerds. Cyberspace does belong 
to all of us and we are all part of the solution to making it 
more secure.
    Madam Chairwoman, I again appreciate the opportunity to 
appear before the committee. I look forward to answering any 
questions.
    [The prepared statement of Mr. Sachs follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Watson. Thank you.
    Mr. Raduege.

    STATEMENT OF LIEUTENANT GENERAL HARRY D. RADUEGE, JUNIOR

    General Raduege. Chairwoman Watson, Ranking Member Bilbray, 
and members of the subcommittee, thank you for the opportunity 
to join in today's hearing to discuss efforts to protect our 
Nation from current and emerging cyber threats and 
vulnerability of our Nation's critical infrastructures to 
exploitation, attack, and disruption.
    Relentless and continuing cyber intrusions into Federal 
Government systems, defense industrial base companies, and 
supporting critical infrastructures continue to pose serious 
national security risks to our Nation. While I understand the 
main focus of this hearing is centered primarily on Federal 
Government systems, I would also point out that cyber crime is 
an escalating problem that affects all citizens and businesses.
    The cyber threat has no boundaries. In fact, a variety of 
studies have identified the serious implications of cyber crime 
focused on stealing financial and personal information and the 
tremendous economic impact of this profit driven activity. The 
problem of cyber threats affects not only our national security 
but also our economy and the privacy of all our citizens.
    Cybersecurity is an issue that is front and center from a 
public policy perspective as the new administration grapples 
with how to handle an overall national cyber strategy. Various 
reports have come out over the past several months, including 
the Center for Strategic and International Studies Commission 
on Cybersecurity for the 44th Presidency. I was privileged to 
co-chair this Commission. This important effort provided 
findings and recommendations to secure cyberspace for the 
country and to help guide policymaking. It called for immediate 
action to create a comprehensive national security strategy for 
cyberspace.
    The new administration has cybersecurity high on its agenda 
and is making a serious effort to take what has already been 
done and improve our national cyber posture. While I am 
hopeful, there is still much to be done. Improving the security 
of our Federal networks and Nation's digital infrastructures 
will be a long term effort. But immediate, focused attention on 
this significant challenge is absolutely critical.
    As our Commission report noted, cybersecurity is now a 
major national security problem for the United States. In 
response, we need to focus all tools of national power, 
diplomatic, economic, military, intelligence gathering, and law 
enforcement, on this critical issue.
    I would like to briefly highlight three challenges facing 
the Federal Government's information systems and critical cyber 
infrastructure assets.
    First, despite the increased attention by this 
administration and the 60 day cybersecurity review led by Ms. 
Melissa Hathaway, it is imperative that the Federal Government 
be organized properly for the emerging threats and 
vulnerabilities in securing Federal information systems. 
Currently, our networks and systems are under continuous and 
relentless cyber assault. We are losing a significant amount of 
personal and sensitive data every day. Even worse, we are 
losing competitive advantage globally.
    The Federal Government must become a model for cyber 
security and it must start by securing our networks and 
information as quickly as possible. While efforts like the 
Comprehensive National Cybersecurity Initiative will bear fruit 
over time, we need leadership throughout the Federal Government 
to make this a focus area. Securing our networks and protecting 
information on those networks is an important matter of public 
trust. Government must be well organized to lead.
    Second, raising the level of education and awareness of the 
seriousness of the threats is imperative. Those who work in the 
cybersecurity business clearly understand the magnitude of the 
problems and are very concerned about the current state of 
affairs. However, for many in both Government and industry the 
threats are abstract, the implications are not fully 
understood, and their ability to help is unclear. An aggressive 
outreach and awareness campaign is needed in creating a 
cybersecurity mindset to raise the level of knowledge of 
Federal leaders and the work force that our Nation is 
constantly under cyber attack. We need to ensure that every 
person who logs onto a system connected to the Federal 
enterprise is properly educated and trained to protect the 
information with which they have been entrusted.
    Third, there is a need for clearly delineated roles and 
responsibilities within the Federal Government for 
cybersecurity. While the administration is focused on 
addressing this concern, it is critical to ensure a successful 
cybersecurity strategy. A properly structured and resourced 
organization that leverages and integrates the capabilities of 
the private sector, civilian government, law enforcement, 
military, intelligence community, and our Nation's 
international allies to address incidents against critical 
cyber infrastructure systems and functions is essential.
    In summary, our Nation and, in particular, Federal networks 
and systems are under relentless cyber assault. While many good 
efforts are underway, much more is needed, faster. The Federal 
Government must focus on understanding cyber risk and take 
appropriate action to secure its networks and become a model 
for others. Today, that is not the case. We also must change 
the culture of the Federal work force by raising and 
maintaining awareness of cyber threats that are focused on 
gaining access to our networks every day, 24 hours a day. 
Finally, we must clearly identify who is in charge with respect 
to Federal cybersecurity.
    Madam Chair, this concludes my statement. I would be happy 
to answer any questions that you or members of the subcommittee 
may have at this time.
    [The prepared statement of General Raduege follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Watson. Thank you.
    Ms. Franz.

                  STATEMENT OF LIESYL I. FRANZ

    Ms. Franz. Madam Chair, thank you and Ranking Member 
Bilbray for the opportunity to appear today and to provide the 
technology industry's perspective on cybersecurity and securing 
Federal information systems.
    Today's highly interconnected environment presents great 
opportunities to innovate and create economic prosperity, but 
it also presents challenges as my fellow witnesses have clearly 
described today. But let me highlight two clear trends. First, 
the attackers are more sophisticated and increasingly able to 
target their attacks more directly and efficiently. Second, the 
insider threat is a prevalent concern that illustrates that 
technology alone is not the only problem or the only solution. 
It is people and processes as well. We see three key elements 
to better securing Government information systems.
    First, the President should act quickly to appoint a senior 
cybersecurity advisor that reports directly to the President. 
He or she should have the authority needed to develop, 
coordinate, and execute upon the President's cybersecurity 
priorities in partnership with Congress, industry, and other 
stakeholders. A cybersecurity advisor reporting directly to the 
President is the surest way to muster the perspective and 
authority necessary to protect the United States in cyberspace.
    Crucial elements to making progress are a strategy that 
includes ensuring senior level attention to cybersecurity as a 
national priority, developing a comprehensive and coordinated 
strategy across the Government in partnership with the private 
sector, and integrating cybersecurity into the deliberation on 
the issues of highest national concern such as economic 
prosperity and technological innovation.
    We commend the President for initiating a 60 day 
cybersecurity review and its consultative process. We look 
forward to its release.
    Second, we need to reform the Federal Information Security 
Management Act. We were a big champion of FISMA when it was 
enacted in 2002 but it should evolve to meet today's demands, 
moving beyond compliance to more effective security measures. 
In previous testimony before this committee's Subcommittee on 
Information Policy, Census, and National Archives, we described 
six areas for improvement. We provide that for your reference 
and look forward to working with you on new FISMA reform 
proposals.
    Third, we must strengthen the public/private partnership to 
address both strategic and operational concerns both here at 
home and globally. That partnership is critical to addressing 
cybersecurity risks throughout the ecosystem which will 
positively impact Federal systems as well. We support the 
partnership model that was established in the National 
Infrastructure Protection Plan. The NIPP is not perfect but it 
has improved over time and it provides a framework for 
strategic and operational collaboration going forward.
    A key component is the IT Information Sharing and Analysis 
Center, which is the operational focal point of the IT sector. 
There are similar ISACs, or Information Sharing and Analysis 
Centers, for other sectors. We continue to recommend two-way 
information sharing and analysis about specific threats between 
the industry and Government, and the colocation of Government 
and industry experts working side by side on a continuous basis 
to address those threats.
    Industry is playing a key role in cybersecurity and 
critical information infrastructure protection. Allow me to 
outline it. We participate in the IT ISAC. We participate in 
the NIPP and are concluding a baseline risk assessment for the 
IT sector. We participate in the standards making process 
through international standards bodies. Many companies provide 
the products and services used to protect systems and networks, 
and they are innovating to do more. Many companies utilize 
those products and services in their own enterprise and in 
their enterprise solutions for customers including the Federal 
Government agencies. Additionally, discrete efforts are 
underway addressing software assurance and next generation 
response and security engineering.
    All of these efforts rely on partnership between the public 
and private sectors. Together we do need to find ways to 
achieve wider adoption of solutions, standards, and best 
practices for greater overall security.
    We commend the Congress for its early focus in this session 
on cybersecurity issues and this subcommittee for convening 
this panel today. We look forward to working with you. Again, 
thank you for the opportunity to appear today and express 
industry's perspective. I would be happy to answer any 
questions you may have.
    [The prepared statement of Ms. Franz follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Watson. Thank you so much. I am going to throw out a 
question. I would like all the panelists to take part. It is 
similar to the one that I offered our first panel. How have the 
changes in technology such as the network architecture and the 
use of wireless devices and networks changed the approach that 
is needed for Federal cybersecurity?
    Let me go on with the next one. Senators Rockefeller and 
Snowe recently introduced legislation that included provisions 
to establish a cybersecurity office in the White House along 
with Federal acquisition and procurement requirements for IT. 
These recommendations are also offered in the recent CSIS 
report for the new administration. I would welcome to hear from 
anyone that would like to address it first.
    Mr. Wilshusen. I guess I will hit it off first. With regard 
to wireless security, increasingly the Federal Government is 
using that technology. We did a report back in 2005, I believe, 
which identified that Federal agencies had not taken sufficient 
steps to adequately secure the use of wireless security.
    Obviously, there are some tremendous benefits that can 
accrue from using such technologies. It provides greater 
mobility and opportunities for individuals to perform services 
that they normally would not be able to do if they were 
tethered to a workstation at their desks. So clearly there are 
some benefits in using such technologies. But with the 
introduction of these types of technologies into the workplace, 
agencies need to assess the risk associated with those 
technologies and then take appropriate steps to mitigate those 
risks.
    In our review, we found that they had not adequately done 
that. In many cases, they had not identified the types of 
vulnerabilities that such technologies would place, did not 
provide sufficient policies or procedures to mitigate those 
vulnerabilities, and did not take sufficient steps to train 
their staffs on how to appropriately and securely use these 
types of technologies.
    So with the introduction of any new technologies, I would 
just say that there are some basic steps that need to occur in 
order to facilitate their secure use.
    Mr. Lewis. Thank you, Madam Chairman. One of the things 
that we have looked at in some of our work was who are the 
architects of the Federal Government. If you start looking at 
it a little bit, you find out it is people named Grover 
Cleveland and Herbert Hoover. This is good, but it is maybe 
time to modernize how Government operates a little bit. The 
question is how do we do that. One way to do that is to take 
advantage of the technologies you described. But as my 
colleague from GAO has said, when we take advantage of them--
and we absolutely have to--we also have to think about 
security. Usually what happens is we do one and we don't do the 
other and then we are surprised. So I think it is essential to 
modernize but we need to do it in a secure fashion.
    Mr. Sachs. Thank you. I think we are talking mostly 
technologies so we will get to Senator Rockefeller's bill in a 
moment.
    Technology, of course, is something that our country has 
been a leader in since we started. There is no turning back 
there. The employees of the Federal Government are just like 
you and me and our kids and our grandparents, the people that 
are around us. We have most of these technologies at home. We 
want to bring them into work. The private sector has the same 
problem. So when new things come along such as wireless or 
handhelds or even new applications like the social networking 
sites, Twitter, Facebook, and things like that, there is 
naturally this desire to bring that back into the workspace, 
which could be the Federal Government or it could be the 
private sector.
    We want to do the same thing at work as we do at home. That 
is a natural desire. Even with our cars, we would like to use 
that as the way to get around and not depend on having an 
office-provided or Government-provided vehicle that we have to 
wait in line for at a motor pool to have it available.
    So our challenge then is as new technologies come along, as 
Mr. Lewis said, is that we have a unique situation with the 
Federal Government with the security of very sensitive 
information. These are the crown jewels of our Nation. These 
technologies make those crown jewels now exposed not just to 
local people but to the entire planet. This we have not faced 
before. Our adversaries can get into our hard drives remotely 
in a matter of milliseconds from virtually anywhere on the 
planet.
    When we bring in new technologies, we bring in new 
exposures and new vulnerabilities, things we really haven't 
thought about. It takes a little while before we understand it, 
and after a while we begin to secure it. But our mindset needs 
to change. This is not the same as industrial technologies or 
new ways of doing aircraft or cars. These technologies are 
global and they expose us globally, literally within 
milliseconds.
    So as long as we can grasp that and understand it, with 
that new mindset we can encourage employees to use the new 
technologies. But we have to show them how to use them so we 
don't put the Government's and our people's crown jewels at 
risk of being taken by our adversaries.
    General Raduege. Thank you very much. I think it is 
interesting to point out that the intranet started in the 
Department of Defense not too many years ago. Of course, it 
grew into an Internet. Now the global community uses the 
benefits of that Internet and that way of communicating 
globally. We are stressing these days more and more open 
communications. We are more connected. Of course, we have 
become as a result more productive. We would describe this 
perhaps as entering an age of interdependence, though. We have 
become very dependent on each other for our world economies, 
our national securities, and our prosperities.
    With more of these connections, though, and some estimate 
that by next year we will have 2 billion individuals and users 
connected to the Internet, we have become more vulnerable. Of 
course, the cyber criminals have found a new avenue for making 
money. It has become syndicated now. There has been an 
explosive growth of activity in cyber crime, as you are very 
well familiar. So with your first question about how the 
networks have changed, this is what we have seen. It has been 
exponential growth with exponential opportunity, but also the 
threats and vulnerabilities are very real.
    Ms. Watson. Ms. Franz.
    Ms. Franz. I would just like to add the notion, to echo my 
colleague's comment, about technology being very exciting, very 
innovative, and contributing to the productivity, economic 
growth, and prosperity which retains our leadership in the 
global economy. However, new technology does provide 
challenges.
    Industry is responding in many ways. One, we talked a lot 
about technology and training. We talked about empowering the 
user to use these technologies more securely. In addition, 
industry is increasingly baking security into its products and 
services. That is something that we heard a lot about in recent 
weeks during the RSA Conference in San Francisco in April, 
which is a great place to learn where some of these new 
technologies are going.
    I think with regard to the Federal Government, though, one 
thing they can do is look at their procurement strategies and 
see if they can't be nimbler in adapting to the adoption of 
these new technologies not only for the benefits that they 
bring, but the security aspects that they bring as well.
    Ms. Watson. Thank you. I would like to go back to the GAO 
and Mr. Wilshusen. Recently, you completed work looking at the 
information security controls and practices at both the Los 
Alamos National Laboratory and the Tennessee Valley Authority. 
Can you cite some of the major information security control 
deficiencies in both studies? Are there similarities in the 
deficiencies of both entities? What are the challenges for 
them?
    If you feel this is information that we don't need to 
share, then we will take it up in the classified section. But 
what can you tell us at this point?
    Mr. Wilshusen. I can certainly address those issues I think 
at a high enough level where it won't be disruptive or 
compromising to the security at those organizations.
    We have identified, as we do on most of our examinations of 
information security controls at agencies, a number of 
significant vulnerabilities at both the Los Alamos National 
Laboratory and at the TVA.
    With regard to the TVA, we looked at the security controls 
and the network security controls over its corporate network as 
well as the networks supporting the control systems that 
operate key infrastructures operated by the Tennessee Valley 
Authority. We found a number of vulnerabilities related to 
controls that were insufficient to adequately identify and 
validate the identity of users in the access privileges granted 
to those users.
    We found weaknesses with regard to the firewalls that were 
in place at those organizations, which could allow certain 
firewalls to either be bypassed or not adequately segregate and 
prevent network traffic that should not be passed through those 
devices.
    We also found a number of problems associated with their 
auditing and monitoring capabilities. Those are the controls 
which agencies use to try to identify, detect, and then respond 
to unauthorized traffic or security incidents.
    So we find pretty much weaknesses in most of the general 
control areas that we look at. We found those at both Los 
Alamos and at TVA.
    With respect to TVA, we found not only the cybersecurity 
related weaknesses but also physical security weaknesses as 
well. Combined with the cybersecurity weaknesses that we 
identified, these placed the control systems and networks that 
we examined at risk to both internal and external threats.
    Ms. Watson. Well, some have made the case that our military 
agencies have better technical and organizational capabilities 
for addressing cybersecurity in the Federal Government when 
compared with the multiple operational layers of DHS. Can you 
comment on whether DHS has adequate or similar capabilities for 
operational cybersecurity?
    Mr. Wilshusen. As you may know, back in 2003 President Bush 
issued the National Strategy to Secure Cyberspace. As part of 
that strategy, DHS was the focal point for much of the Federal 
cybersecurity efforts.
    Over the past several years, GAO has identified and 
consistently reported that DHS has not consistently implemented 
or met those responsibilities. In total, we issued about 30 
recommendations on various different core elements related to 
protecting cybersecurity. As a result, we have found that DHS 
has just not adequately performed their responsibilities for a 
number of different reasons, not the least of which is the 
significant turnover in their leadership and key personnel 
positions in the cybersecurity area.
    Ms. Watson. I just thought the agency was too big. Putting 
them all under one roof, when you have had the experience of 
being the master of your unit and now you have to report to 
someone else, it just wasn't going to work out all that 
efficiently.
    But let me hear from the rest of you. We will just go down 
the line.
    Mr. Lewis. This is a serious problem and it is not going to 
be easy to fix. We would all prefer that it be a civilian 
agency. Everyone thought it should be DHS. But as my colleagues 
have said, they are not yet capable of performing the mission. 
So one of the questions you want to ask is how long do you want 
to wait. Depending on who you talk to, they say DHS could be 
ready in 3 years or 5 years or 10 years. We can't wait 3 or 5 
years.
    The dilemma is the only place that really has the 
capability now is the Department of Defense, particularly the 
National Security Agency. But when you say that, you 
immediately trigger Constitutional concerns. You trigger the 
memory of the FISA debate. We have a problem. The people who 
could do this best are in the intelligence community, but we 
are not comfortable with that. The people who would be the 
civilian focal point for this aren't ready or capable.
    So how do we fix that problem? That is a very difficult 
issue and it is one I think we are going to have to wrestle 
with for the next couple of years.
    Mr. Sachs. As one of the guys that was there when we opened 
the doors for DHS in the spring and summer of 2003, we had a 
lot of euphoria about what we could do. We had this beautiful 
charter in front of us and the pasture was green. We look back 
on those days now, and I see Mr. Lewis chuckling.
    The summer of 2003 was when the Blaster Worm hit. There 
were outages in the power sector. I am sure we all recall that. 
When the agency was young, still maybe she had a lot of naivete 
about it, but we did quite well because we didn't know what we 
couldn't do or what we weren't supposed to do.
    Unfortunately, in my opinion, what has happened over the 
years is the agency has been unable to grow in the manner that 
we were hoping that it would. It has been unable to take on the 
challenges and the responsibilities that we hoped it would. 
There have been a lot of politics surrounding them, as you are 
aware. There has been a lot of media scrutiny. There has been a 
lot of private sector scrutiny and international scrutiny. DHS 
is very big. It encompasses parts of 24 different Federal 
agencies that were pulled together. There is a culture that has 
to be stitched in. Underlying all of this, of course, is 
cyberspace, this thing that we are all very familiar with. And 
they have the role of making it secure.
    I don't envy my counterparts at DHS. This is a tough 
mission that they have in front of them. They have very good 
people that are there but they are constrained by a lot of 
things that are beyond their control. I think one of the best 
things we could do is really get out of their way and let them, 
particularly in cyberspace, let them do what they need to do. 
Give them the latitude, the ability to grow, the ability to 
hire the right people, and let those people run. Give them the 
pasture and let them do what they need to do.
    I believe the private sector is more than willing to work 
with DHS. Many of us do spend our days over at the Department. 
We have some very strong public/private bonds that have been 
built over the years. We all do want to make this work.
    A key to all of this is leadership. We need to get some 
good appointments. We need to get strong people, people who are 
dedicated in service to their country and are willing to be 
there year after year, people that we in industry are willing 
to work with. I think we can do that.
    I have a lot of optimism for the Department and I do look 
forward in the next coming years or so to seeing big changes 
there.
    But just to go back to the military because I spent 20 
years there. The military has a very old culture. We have to 
recognize that. It has been around over 200 years. DHS is only 
6 years old. We cannot expect DHS to perform like a 200 year 
old department. It just is not there yet. So patience, I beg of 
you. We will get there with them.
    General Raduege. Madam Chair, I come from a military 
background, as you noted earlier, having spent 35 years on 
active duty. I was serving during the time in 1998 when in the 
Department of Defense we recognized the fact that our computers 
were being attacked. So the responsibility was given to the 
U.S. Space Command at that time to create some sort of a 
program to defend our computer networks. I was privileged to 
serve at that time within the U.S. Space Command. The program 
we put together in 1998 has grown over the years to now what is 
considered by many to be a very outstanding program.
    The Department of Defense also has the benefit of a command 
and control system and network where individuals work for each 
person. You know exactly who you work for. There are orders 
that can be given and they have to be followed based on the 
requirements of the Uniform Code of Military Justice. That is 
what the command and control of the Department of Defense is 
all about. Our other organizations, though, don't have that 
kind of a structure.
    I would point out that in my years, now over a decade of 
working with this area that initially was called computer 
network defense and now has gone into a cybersecurity type of 
terminology, that there are a number of departments in our 
Federal Government that have key roles in this. I would just 
point out the Department of Homeland Security, the Department 
of Defense, the intelligence community, the Department of 
State, the Department of Commerce, the Department of Justice, 
and the Department of Interior just to mention a few that have 
key roles in a national strategy for securing cyberspace.
    I believe it is for that reason, the realization that 
someone had to be in control of that and have some sort of 
oversight, and for that reason--I was proud to serve with our 
Center for Strategic and International Studies Cybersecurity 
Commission--we recommend that we consider an individual in the 
White House that would have the opportunity to create policy 
and to provide oversight and a balanced Federal program across 
all the Federal departments and agencies. We feel like that is 
a critical way to have someone in charge to move us forward in 
this critical area.
    Ms. Watson. Thank you.
    Ms. Franz.
    Ms. Franz. Thank you. I don't have much to add to the very 
good comments of my fellow witnesses except probably to put 
things slightly in perspective with regard to the relationship 
between DHS and DOD. We should remember that DHS had very 
limited resources both from a staffing perspective and from a 
funding perspective in its early days. Since the beginning, it 
has leveraged the manpower of DOD and the systems and 
strategies that had been used in DOD. So that has been a 
positive impact, I would say.
    But it does need to be its own entity. It has a different 
mission. It has a different perimeter and parameters than the 
Department of Defense has. So it does need to build its own 
manpower. Importantly as well, it really needs its own 
facilities that provide it a base of operations. That has been 
a challenge since the very beginning. It was a challenge when I 
was there in the National Cybersecurity Division and it remains 
a challenge today.
    DOD has a more impressive facility and a capable one. That 
should be no surprise given the funding differences between the 
two. So resources, manpower, and facilities are really key to 
making some improvements soon.
    Ms. Watson. I want to go back to Mr. Lewis again. I think 
the other panelists have been addressing this issue. But as 
part of the CNCI, there is an ongoing debate as to what role 
the DHS ought to have as a leading agency charged to coordinate 
and respond to cyber related incidents.
    I wish they would have been here today to answer these 
questions. But do you think, and I think many of you have 
commented on it already, does DHS have the technical or 
operational capabilities to be in charge of handling cyber?
    Mr. Lewis. Well, you have heard some of the answer earlier. 
They have a really good team there now. There are some really 
good folks. That is an improvement. They do have a shortage of 
resources, facilities, trained folks, and money. It is hard to 
believe after all these years, but they are not equipped.
    I was talking to someone who was over at DHS Cyber Division 
last week and they said the staffing is running at about 30 
percent. So for every one person who is there, there are two 
who are missing. I don't know if that is right. This is what I 
was told. But I have heard repeatedly from many people that 
severe resource problems put them at a disadvantage. They don't 
have the trained people.
    Now, they do have a very important mission. The NCSD, the 
National Cybersecurity Division, should be the place 
responsible for securing the .gov networks. It has to work with 
critical infrastructure. It has to work with the private 
sector. That is enough, particularly when they aren't staffed 
or funded. They don't need to pick up more missions. But the 
missions they have are really important and we should hopefully 
make them capable of carrying them out.
    As I say, though, there is a great team there now. It is 
probably the best team they have had in a long time. So there 
is a chance.
    Ms. Watson. Let us hope. I want to go to you, Mr. Sachs. 
From your Government experience which dates back to the Clinton 
administration's 1998 Presidential Directive for securing 
critical infrastructure sectors, what are the so called lessons 
learned that the Federal Government has improved upon over the 
past decade? Conversely, where are we not learning? What are we 
not learning from our mistakes?
    Mr. Sachs. The middle 1990's, the concern was one of the 
critical infrastructures. We saw .com growing. We knew that 
Russian bank robbers were breaking in. The Air Force had 
intrusions at Roane [phonetic] Laboratory. There was this 
understanding that the Internet, while great, was offering 
these new problems that we really didn't know how to get our 
hands around.
    The bombing of Oklahoma City in 1995 was the big eye 
opener. Not only were children and people killed there, but we 
had quite a few Government computer systems in that building 
that were destroyed when that bomb went off. We found within 
minutes that several Government department data bases literally 
weren't there. They had chosen that building because they 
thought physically it was in the middle of nowhere. Nobody was 
going to attack it. It was far, far away from Washington and 
New York City and places a terrorist would go after. They 
realized that this linkage between physical and cyber was more 
than just science fiction; it really did exist. A terrorist 
attack doing something physical could have an effect in 
cyberspace. So that set forth a series of congressional 
hearings and White House investigations. DOD and others got 
involved.
    There was an exercise in 1997, highly classified at the 
time but today we can read all about it, called Eligible 
Receiver. It showed that portions of the Defense Department's 
networks could be reached from the civilian networks, from 
home. Literally, I could dial into the Internet and gain access 
to classified computers. We were that porous back in the 
1990's. So a lot has come since then.
    As General Raduege mentioned, the JTF-CND was created in 
1998 as part of that. I was part of that group also that stood 
that up. We immediately took upon ourselves to secure the 
Defense Department, not North American cyberspace. This wasn't 
like a NORAD for the Internet. But even just looking at DOD, we 
found we were extremely porous. We had Web sites that listed 
flight schedules for Generals. We had Web sites that showed 
full bunker maps of all the nuclear facilities. I mean, it was 
unbelievable what information we were making available to our 
adversaries. That was on unclassified Web sites, not even 
talking about access to what we thought was classified.
    So since then, I think the big lesson that has been learned 
is that information seeks to be free. If you put information 
somewhere, if you put it on a hard drive, doggonit it will 
attempt even on its own to leak out. But we make it easy. We 
connect sensitive computers to the wide open Internet. We allow 
our employees to swap files back and forth. We don't train 
them. We don't teach our employees, both in the private sector 
as well as Government, the danger of cross-connections. The 
actual information is ones and zeros that are on hard drives, 
but we don't teach them how much risk that can put our Nation 
against.
    Our adversaries on the other hand understand this game 
fully. The Chinese in the late 1990's published their doctrine 
of unrestricted warfare. Many of us read it; looked at it; and 
said yes, they got it. They understand it. We looked at 
ourselves and our doctrines and policies didn't even come 
close. In our arrogance, because we invented the Internet and 
everything speaks English online, we were thinking that this is 
ours and we can control it. But they understood it. We are 
seeing this today. This has now come back around to bite us.
    So this is our challenge going forward, as we look back at 
the 1990's and as we look at this decade as it comes to an end 
here in a few months. We have learned so much about cyber 
crime, cyber espionage, military actions online, and even just 
what people want to do and what society wants to do with the 
networks. So as we go forward, 2010 and the years beyond, the 
Internet doesn't go away. Cyberspace doesn't go away. It is 
really just part of what we are.
    I think the Federal Government, in a partnership with the 
private sector and with America, has to face this challenge 
head on. We take the Internet as what it is. It is an economic 
engine. It is the fuel for recovery. It is exactly what we need 
to stimulate us, to use some of the terms that have been used 
here. We must protect it. We must guard it like that and think 
about it economically. Otherwise, we lose and we lose big. Our 
adversaries, again, they understand this game and they are able 
to think in front of us.
    Ms. Watson. Let me get to General Raduege. It seems to me, 
and I think we have all mentioned this, that the Federal 
Government has too many cooks in the kitchen for cyber 
coordination and organization. This is a fair assessment. I 
think all of you have been saying that. As the former head of 
DISA, could you offer up some thoughts on where the Government 
could improve its organizational hierarchy for cybersecurity 
across the entire agency community?
    General Raduege. Madam Chair, as I mentioned, I think we 
need to have someone at the top of this hierarchy of our Nation 
that can give the proper guidance and policy, the proper 
oversight, and can lead from the top in putting together a 
comprehensive approach to addressing cyberspace and what it 
means to us in our future.
    I also wanted to comment on the fact that this doesn't 
require cyber science. It boils down a lot also to management 
techniques and policies. For example, a lot of computers are 
broken into through electronic means. But we also don't have 
the proper governance, the proper policies and procedures in 
managing our capabilities when people steal laptops from our 
vehicles, steal them from our cars, or when we just lose our 
computer capabilities. So a lot of this also boils down to 
policies and procedures of managing the capabilities. In many 
cases, we are just too careless with our cyber equipment.
    So I would state that as something that we need to develop 
additional governance around and better procedures. This gets 
back to the part about the education and awareness, and 
developing a cyber mindset. We just don't realize how 
vulnerable we are to just someone picking and choosing the 
computers that we allow access to on a daily basis.
    I can tell you that the organization that I am with now in 
civilian life stresses this with every employee all the time. 
So now when I travel, I think twice when I am in my hotel room. 
I never leave my hotel room and allow my computer to stay 
there. As a matter of fact, I don't even lock it in those 
little safes they provide. I carry that computer around with me 
on my person at all times because in the organization I am 
with, our name is our reputation. To lose a computer to someone 
who steals it would be devastating to our business 
opportunities. So it is something that we have stressed in our 
education process.
    Ms. Watson. Let me just ask, do you have a backup? Could 
you put a chip in there so you will know, so it will signal you 
wherever it is? Would you not have a backup to what you have on 
your computer?
    General Raduege. I have backups to what is on my computer 
but I want to make sure that unauthorized individuals don't 
gain access to my computer and the networks that I am 
authorized to operate in.
    Ms. Watson. Well, couldn't a chip signal you some way that 
it is out of your control? If your computer is not with you, 
could it signal you so you could turn it off or destroy what is 
on there or black it out? It seems that we have technology that 
would work that way.
    General Raduege. We have a lot of technology and a lot of 
technology could be put into place that would have that kind of 
a capability. But most individuals I don't think operate in 
that fashion today. So it is a very manual process of 
controlling the asset that is in your possession.
    Ms. Watson. Let us go to Ms. Franz now. There seems to be a 
significant amount of resistance from industry regarding policy 
proposals that would establish standards for information 
security controls and software assurance for Government 
systems. Can you explain this to me, why there is this 
resistance?
    Ms. Franz. Certainly. I am not sure I would characterize it 
as resistance from the industry to discuss the kinds of things 
that may be needed to address specific issues and specific 
problems. As I mentioned in my remarks, the industry is 
involved in standard making processes in international 
standards making bodies. They see a benefit to standards for 
both interoperability and for security concerns.
    I think the issue is around proposals that may come that 
are trying to address some of the problems but don't do so 
either in a targeted way or in a consultative way with 
industry, the way we see it happen in those exchanges in the 
international standard making bodies, for example. So I 
wouldn't say it is a resistance to identifying clear needs and 
then taking steps in a partnership fashion, in a consultative 
fashion to find out the best way to address those needs.
    There can always be unintended consequences from either 
regulation or standards or, dare I say, even legislation that 
may have a broad brush and not address the concern 
specifically. It can have unintended consequences for the 
impact on industry and consumers and Government users, for 
example.
    Ms. Watson. I would like to have each one of you give us 
one concluding statement that you feel will help us. We are 
going to be making recommendations. We might have a bill; we 
might just make some strong recommendations to the executive 
branch. But what would your last input be that you think would 
be helpful? Let us start with the GAO.
    Mr. Wilshusen. I think I would suggest that you ensure that 
in your bill you establish mechanisms for establishing 
accountability over the actions that agencies need to take. 
Assure that they are held to task to implement those particular 
requirements, whatever you may include in your bill. I think 
accountability is key. That would be my one remark.
    Ms. Watson. Mr. Lewis.
    Mr. Lewis. Thank you. I would say we need to come up with a 
plan. We need to put the White House in charge of that plan and 
we need to get moving on it. We have been doing this now for 10 
years and we are worse than when we started.
    On the accountability note, I think one thing that Congress 
can do, and one thing that legislation can certainly do, is you 
have the authority and the oversight responsibility to hold 
Government and the private sector accountable for when there 
are lapses. There certainly have been enough lapses in the last 
few years.
    Mr. Sachs. I would like to also highlight the people. I 
think this is the real angle that could make a very good 
nucleus of anything in the future. There are three groups that 
really make all of this work.
    There are Government officials and people who work within 
the Government. They know each other; they are very 
professional.
    There is the private sector. I am talking about the private 
sector that is profit oriented, that do the work. They run the 
carriers and so forth.
    Then there is this third group of volunteers who are the 
unsung heroes, the ones that collaborate. This Conficker Worm 
that was going around recently largely was solved by a 
volunteer effort that has come together. There was no formal 
approach toward that leadership. We have seen this over the 
years that this type of problem solving tends to just come out 
of nowhere by the volunteers. So they are very important, those 
three groups. But I highlight that because of the people piece.
    In cybersecurity, the professionals like myself and the 
rest of the panel here who do what we do, we still need to have 
our profession professionalized. You will see this called for 
in the CSIS report. I believe Senator Rockefeller has it in his 
bill, the notion that says that those who are professional in 
this world need to become professional. We need to be 
certified; we need to be licensed.
    It is more than just passing an exam but actually licensed 
and bonded. We do this with real estate sales people. We do it 
with people who groom dogs. We do it with lawyers and countless 
other professions. Right now, the essence of our Nation, 
trillions of dollars of value, is being managed by very good 
people but we don't have a licensing or a licensed profession.
    Now, we don't solve that overnight. This may take years. 
The profession needs to do it ourselves. But it would be 
helpful if the Congress would think about how to enable that, 
how to help the profession become professional.
    Ms. Watson. Thank you for that input. General.
    General Raduege. Madam Chair, I would say for one point 
that is different than those already expressed, that I would 
stress the fact that we could significantly improve Federal 
cybersecurity by operationalizing the intent of the FISMA 
legislation. By doing that, we would also use performance based 
measurements for security so that we really are measuring the 
operation of security throughout our Federal networks instead 
of just an audit of the checklist.
    Ms. Watson. Thank you.
    Ms. Franz.
    Ms. Franz. I think I would like to respond to your comment 
about too many cooks in the kitchen. I wouldn't want to leave 
the impression that we have too many people working on 
cybersecurity these days because I don't think any of us would 
agree that is the case.
    However, we don't have a head chef. Let us create a head 
chef. Let us empower the cooks in each of the agencies, or 
their kitchens, to do their jobs. Let us give them empowerment 
before we measure them. Then let us look at making changes that 
enable rather than prohibit the partnership to really operate 
the way that it could in a shared environment.
    Ms. Watson. I think I have heard over and over, General, 
that you need somebody to head up the Joint Chiefs of Staff.
    I think your input has been very, very valuable to us. We 
have it all recorded. We have your reports. We will be reaching 
out to you again. With your statements, we are going to adjourn 
this meeting but we will be back in touch. Thank you so much 
for your testimony.
    The meeting is adjourned without objection.
    [Whereupon, at 5:10 p.m., the subcommittee was adjourned.]