b"<html>\n<title> - [H.A.S.C. No. 111-128]PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION TECHNOLOGY AND CYBERSECURITY ACTIVITIES</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                         [H.A.S.C. No. 111-128] \n \n   PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION \n                TECHNOLOGY AND CYBERSECURITY ACTIVITIES \n\n                               __________\n\n                                HEARING\n\n                               BEFORE THE\n\n   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES\n\n                                 OF THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                           FEBRUARY 25, 2010\n\n                                     \n              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                               ----------\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n58-308 PDF                       WASHINGTON : 2010 \n\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \nDC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \nWashington, DC 20402-0001 \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES\n\n                LORETTA SANCHEZ, California, Chairwoman\nADAM SMITH, Washington               JEFF MILLER, Florida\nMIKE McINTYRE, North Carolina        FRANK A. LoBIONDO, New Jersey\nROBERT ANDREWS, New Jersey           JOHN KLINE, Minnesota\nJAMES R. LANGEVIN, Rhode Island      BILL SHUSTER, Pennsylvania\nJIM COOPER, Tennessee                K. 
MICHAEL CONAWAY, Texas\nJIM MARSHALL, Georgia                THOMAS J. ROONEY, Florida\nBRAD ELLSWORTH, Indiana              MAC THORNBERRY, Texas\nPATRICK J. MURPHY, Pennsylvania\nBOBBY BRIGHT, Alabama\nSCOTT MURPHY, New York\n                 Kevin Gates, Professional Staff Member\n               Alex Kugajevsky, Professional Staff Member\n                     Andrew Tabler, Staff Assistant\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n                                  2010\n\n                                                                   Page\n\nHearing:\n\nThursday, February 25, 2010, Private Sector Perspectives on \n  Department of Defense Information Technology and Cybersecurity \n  Activities.....................................................     1\n\nAppendix:\n\nThursday, February 25, 2010......................................    21\n                              ----------                              \n\n                      THURSDAY, FEBRUARY 25, 2010\n   PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION \n                TECHNOLOGY AND CYBERSECURITY ACTIVITIES\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nConaway, Hon. K. Michael, a Representative from Texas, \n  Subcommittee on Terrorism, Unconventional Threats and \n  Capabilities...................................................     3\nSanchez, Hon. Loretta, a Representative from California, \n  Chairwoman, Subcommittee on Terrorism, Unconventional Threats \n  and Capabilities...............................................     1\n\n                               WITNESSES\n\nBodenheimer, David Z., Partner, Crowell and Moring, LLP..........     5\nBond, Phillip J., President and CEO, TechAmerica.................     3\nSchneider, Dr. Fred B., Samuel B. 
Eckert Professor of Computer \n  Science, Cornell University, Computing Research Association....     7\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Bodenheimer, David Z.........................................    44\n    Bond, Phillip J..............................................    29\n    Miller, Hon. Jeff, a Representative from Florida, Ranking \n      Member, Subcommittee on Terrorism, Unconventional Threats \n      and Capabilities...........................................    27\n    Sanchez, Hon. Loretta........................................    25\n    Schneider, Dr. Fred B........................................    72\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    Mr. Marshall.................................................   105\n\nQuestions Submitted by Members Post Hearing:\n\n    [There were no Questions submitted post hearing.]\n   PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION \n                TECHNOLOGY AND CYBERSECURITY ACTIVITIES\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n     Subcommittee on Terrorism, Unconventional Threats and \n                                              Capabilities,\n                       Washington, DC, Thursday, February 25, 2010.\n    The subcommittee met, pursuant to call, at 2:06 p.m., in \nroom 2118, Rayburn House Office Building, Hon. Loretta Sanchez \n(chairwoman of the subcommittee) presiding.\n\n  OPENING STATEMENT OF HON. LORETTA SANCHEZ, A REPRESENTATIVE \n    FROM CALIFORNIA, CHAIRWOMAN, SUBCOMMITTEE ON TERRORISM, \n            UNCONVENTIONAL THREATS AND CAPABILITIES\n\n    Ms. Sanchez. Good afternoon. 
Before we begin, this is my \nfirst subcommittee hearing as chairwoman for this subcommittee, \nand I would like to share that I am extremely honored to be \nserving in this new role, and I look forward to working with \nthe subcommittee members and staff.\n    I would like to welcome you all and thank you for joining \nus today to discuss cybersecurity, a high priority issue for \nthe Department of Defense [DOD] and for the security of this \nnation as a whole and, I think, on an individual basis a high \npriority for many people who value their privacy.\n    Today our witnesses will be providing us with private \nsector perspectives on the Department of Defense's information \ntechnology [IT] and cybersecurity activities. Cybersecurity is \nan issue that I have been following very closely for many \nyears, including in my role as vice chair of the Homeland \nSecurity Committee. Cyber threats have only recently received, \nI think, the attention that we should have been giving them the \nentire time, particularly within the defense community. DOD is \ncontinually working to gain a better understanding of \ncybersecurity and how to best protect this nation's cyberspace.\n    There have been many mainstream discussions in the press \nregarding cybersecurity lately, in particular because of the \nGoogle incident. However, there have been a number of high \nprofile events against the DOD and others, including cyber \nattacks against Estonia and Georgian government forces, reports \nof intrusions into contractor networks to exfiltrate data on \nthe F-35 Joint Strike Fighter, intrusions in to the networks \nthat control our electricity grid, and intrusions on Pentagon \ne-mails as well.\n    Those are only a few of the incidents that we know of. Many \npeople are unaware that our systems, especially our defense \nnetworks, are attacked on a daily basis. 
In the Department of \nDefense there are more than 15,000 different computer networks \nwhich are operated across 4,000 military installations around \nthe world. We must protect those systems and ensure that \ninformation on them is only available to authorized personnel, \nand we must not only be prepared to respond quickly and \neffectively to cyber attacks but we need to invest what is \nnecessary in particular resources to protect our systems.\n    That is why it is important that the government engage the \nprivate sector as a partner in cybersecurity and not simply as \nthe technology provider that you have been for such a long \ntime. There is a vast array of intellectual capital and \nexpertise in the private sector. I should know because I am \nfrom California and a lot of the cyber people live there.\n    It is not consulted on key strategic questions, even though \nsome of those decisions have as much impact on industry as on \ngovernment, because sometimes government becomes the standard \nand then others take from them.\n    We should recognize that the private sector is very much a \npart of the DOD family, and we should treat it that way. DOD \nworks with countless defense industries, and these industries \nmust also be held responsible for handling classified and \nsensitive unclassified information appropriately.\n    While DOD may find it difficult to engage with industry, \nthat is not the case for Congress, and we feel that gaining \ninsight from the private sector is essential. We hope that the \nwitnesses today will share their views on a broad range of \ntopics to further inform our awareness of these issues as we \nwork with the DOD to craft an appropriate strategy for \ndefending and operating our cyberspace.\n    I feel the views of our private sector witnesses are a \nvaluable complement to those views that we have within the DOD. 
\nFor example, understanding the implications of how the recent \nQDR addressed the issue of cyberspace would be, I think, \nvaluable to us and we would love to hear the thoughts on the \nproposed directions for the new established Cyber Command that \nthe DOD has set.\n    A major focus of this subcommittee is on the science and \ntechnology [S&T] programs of the DOD, so getting an outside \nview on the proposed research agenda would also be valuable. \nAnd with a proposed increase of more than $70 million in new \nfunding for computer science and security research in the S&T \nbudget this year I would like to better understand, from a \nprivate sector perspective, if we are investing in the right \nthing.\n    If not, what should we be investing in and how much would \nthat cost us? Because I believe we must better protect our \ninformation networks before we experience more situations where \nstate and non-state actors are able to infiltrate our systems \nand not only steal data on our weapons system but also put \nlives in danger by disrupting military operations on our front \nlines.\n    [The prepared statement of Ms. Sanchez can be found in the \nAppendix on page 25.]\n    So let me quickly introduce our three witnesses. Today we \nhave Mr. Phil Bond, who is the president and CEO [Chief \nExecutive \nOfficer] of TechAmerica; Mr. David Bodenheimer, who is a \npartner of Crowell and Moring; and Dr. Fred Schneider, a \nprofessor of computer science at Cornell University.\n    All written testimony submitted by the witnesses will be \nincluded in the hearing record. Also, a reminder for \nsubcommittee members that we will be adhering to the five-\nminute rule for questions. Once again, I want to thank our \nwitnesses for being here, and I would now like to yield to my \nranking member from Florida, Mr.--oh, Mr. Miller is not here.\n    Who are we ranking? Okay. Sorry.\n    Mr. Conaway, from Texas? From Texas----\n    Mr. Conaway. Yes, ma'am. 
Madam Chairman, your situational \nawareness is magnificent, yes.\n    Ms. Sanchez. From Texas?\n    Mr. Conaway. Texas.\n    Ms. Sanchez [continuing]. Will be filling in for Mr. \nMiller, and we will hear the opening statement from your side.\n\n  STATEMENT OF HON. K. MICHAEL CONAWAY, A REPRESENTATIVE FROM \n TEXAS, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND \n                          CAPABILITIES\n\n    Mr. Conaway. Well, Madam Chairman, thank you very much, and \nwelcome to the chair of the subcommittee. Looking forward to \nseeing you in your new role. It will not be long before none of \nus will remember Adam Smith and the role he played for a number \nof years as chairman. So congratulations, and look forward to \nworking with you.\n    Rather than read Jeff Miller's statement--Jeff is on the \nfloor working on the Intel reauthorization bill, which I will \nhave to go as well in a few minutes, but I would ask unanimous \nconsent to submit his written opening statement for the record \nand--if that is all right?\n    Ms. Sanchez. Perfect. I am sure Mr. Miller wrote something \nthat is very, very good and we will put it in the record. And \nif you will yield back----\n    [The prepared statement of Mr. Miller can be found in the \nAppendix on page 27.]\n    Mr. Conaway. All right, yield back.\n    Ms. Sanchez [continuing]. I would again ask our witnesses \none at a time to summarize your written testimony. We did \nreceive it, and I think we even received it on time, which is \ngreat. And we will ask you to summarize in five minutes. We try \nto adhere to the five-minute rule here.\n    And we will begin with Mr. Bond.\n\n  STATEMENT OF PHILLIP J. BOND, PRESIDENT AND CEO, TECHAMERICA\n\n    Mr. Bond. Thank you, Chairwoman Sanchez and members of the \ncommittee. 
Privilege to be here on behalf of TechAmerica and \nrepresenting some 1,200 member companies across the country.\n    Let me begin by thanking the chair and the members of the \ncommittee for raising these important issues and holding the \nhearing. Our members in our association share the panel \nmembers' concerns about these vital topics and the need to \napply technology to every aspect of national security, from the \nbasement offices in the Pentagon to the warfighters in the \nbattlefield.\n    We share a commitment to protecting these critical networks \nand infrastructure from attacks and disruption. Today I want to \nfocus on two fundamental themes here: IT, which includes the \nprocurement thereof; and then cybersecurity, including \ninformation assurance.\n    We believe that the inability of our IT acquisition process \nto keep pace with innovation indeed threatens our warfighters' \ntechnical advantage, and notably our adversaries are not tied \nup in the same red tape. Deputy Secretary Lynn put it well when \nhe said: With IT technology changes faster than the \nrequirements, faster than the budget process, faster than the \nacquisition milestone process. For all these reasons the normal \nacquisition process does not work for information technology.\n    To solve that problem, we recommend first that DOD should \nbuild a new cadre of acquisition professionals, people \ndedicated solely to purchase of large systems, much as is done \nin the private sector. The Department also needs greater \nflexibility in budgeting. We cannot afford to wait too much \ntime in a world where cycles are so short.\n    There also is a need to restore and enhance commercial IT \nproducts and their use. There is an inadequate supply of STEM-\ncarrying [Science, Technology, Engineering and Mathematics] \ndegree workforce out there and that is a long-term challenge. \nAnother long-term challenge is basic research. 
We are certainly \nsupportive of substantial increases in basic research scheduled \nfor DOD in the coming year.\n    On the second broad theme of cybersecurity and the related \ntopic of information assurance, let me acknowledge the critical \nnatures the chair mentioned about the collaboration between DOD \nand the private sector. In our view, DOD's dialogue with the \nprivate sector has been incomplete so far in this area--\ncertainly engaged with the Defense Industrial Base, with system \nintegrators that are a part of TechAmerica, but the vast \nmajority of the commercial software development world is not a \npart of that conversation and needs to be. They have not been \nformally involved.\n    Related to any of these kinds of discussions about the \ncollaboration on information assurance and--is a discussion of \nsupply chains--excuse me. Again, here, government needs to work \nwith industry to understand the global deployment, the benefits \nof it, and the risks of it. And then once you assess the risk, \nshare the risk so that the very best minds in the private \nsector can help.\n    We would encourage some specific steps refocusing and \nreforming the existing certification processes, identifying \ncommercial sector best practices and tools to expand their use \nwithin the government realm. We also would recommend creating a \ngovernance structure for assurance. We underscore the need to \naccelerate--accelerate the efforts in this regard.\n    Now, I want to suggest one idea in particular that we, as \nan association, have begun to explore, which is--the threat to \nnational security is real. 
And perhaps there are other models \nwe can use to bring the best of the private sector into \ncollaboration with the best of the public sector.\n    So if you think of the Reserve model, which allows \nreservists to keep their civilian jobs, come in and do \nservice--do their national service--and perhaps have the \ngovernment salary supplemented by the private sector. But that \nlegal framework might well apply so that leading cyber \ncompanies could donate talent on tours of duty, much like \nreservists, and really help the national security.\n    Finally, we think it is important to underscore that the \nleadership of DOD and the warfighter ultimately traces itself \nback to our leadership in the private sector in innovation and \nbelieve that therefore the Department should take an interest \nin the private sector leadership of American companies.\n    Let me make one other point quickly in summing up, which is \nthat we note there are many efforts in information assurance \nand global supply chain assurance. So we encourage the \nadministration to look at a single authority to consolidate and \ncoordinate those.\n    And finally, Madam Chair, we would ask that the \nsubcommittee consider a strategic review of Title X to see if \nin this information age there aren't some antiquated \nauthorities that just have not kept up with the pace of \ntechnology that could be updated for the good of our nation's \nsecurity.\n    Thank you.\n    [The prepared statement of Mr. Bond can be found in the \nAppendix on page 29.]\n    Ms. Sanchez. Thank you, Mr. Bond.\n    And now we will hear from Mr. Bodenheimer.\n\nSTATEMENT OF DAVID Z. BODENHEIMER, PARTNER, CROWELL AND MORING, \n                              LLP\n\n    Mr. Bodenheimer. Chairwoman Sanchez and members of the \ncommittee, thank you for your leadership on cybersecurity \nissues. 
Without cybersecurity we cannot maintain military \nsuperiority or economic security, and a vital key to \ncybersecurity is a robust public-private partnership. Quite \nbluntly, government and industry will either succeed together \nor fail separately.\n    I am David Bodenheimer, a partner in the law firm of \nCrowell & Moring, where I head the homeland security practice, \nspecialized in government contracts, and work on ABA [American \nBar Association] committees focusing on cybersecurity issues. \nToday I appear in my personal capacity to talk about \ncybersecurity, a topic that keeps me busy during the day and \nawake at night.\n    I will not dwell on the threat today. Nearly everybody \nagrees that the cybersecurity threat is imminent, relentless, \nand catastrophic, and it is getting worse. The cyber barbarians \nare stealing our secrets and our technology, they are \nplundering our databases and private information, and they are \nhacking into our critical infrastructure systems.\n    The real question is not the threat, but what we do about \nit. I have six points, six suggestions--Winston Churchill would \nsay that is five too many, but let me see how many I cover--six \nareas where the Department of Defense and the private sector \nmust work in tandem.\n    Number one: We must supercharge the public-private \npartnership. With the same urgency that we mobilized the \nindustrial base in World War II, we need a public-private \npartnership to attack today's cybersecurity threat so it does \nnot become tomorrow's digital Pearl Harbor.\n    With the Defense Industrial Base Initiative, DOD has made a \nfine start with its pilot program for bilateral partnerships. \nNow we need to move from limited partnership to full \npartnership. Instead of a bilateral model with a few companies \nwe need a bigger tent with more private sector players and \nbroader participation. 
Additionally, full partnership should \ninvolve a two-way exchange of information before the decisions \nand strategy are cast in concrete.\n    Number two: We need more effective information-sharing. If \nwe cannot connect the dots our cyber defenses are just another \nMaginot Line begging for a cyber ambush from the rear.\n    Too often the public sector gets information that is too \nlittle, too late, and too classified. For effective \ninformation-sharing the private sector needs timely data \nexchanges with context and analysis, two-way sharing not a one-\nway pipeline, and less classification with greater access.\n    Number three: We need clear, firm, and consistent cyber \nstandards. Working to inconsistent cyber standards works about \nas well as serving two masters. It just doesn't work very well.\n    Multiple inconsistent standards drive industry crazy, and \nit is not just a military versus civilian standard issue. \nSometimes even the Army, Navy, and Air Force don't agree. \nGetting clear, firm, and synchronized standards would give us \nbetter cyber defense at a lower cost.\n    Number four: We must encourage development of breakthrough \ntechnologies. The Department of Defense, specifically DARPA \n[Defense Advanced Research Projects Agency], brought us the \nInternet. We need that same big-brain research to deliver \nbreakthrough technologies for cybersecurity that can leapfrog \nour cyber enemies, but at a cost we can afford.\n    Innovation can be energized in other ways as well, such as \ntechnology clearinghouses, DARPA prizes, and private \nfellowships. For cybersecurity, the more brains the better.\n    Number five: We need to stimulate cyber defense through \nliability safe harbors. Getting sued and penalized is a \nsurefire way to shut down information-sharing and technology \ninnovation.\n    For effective cybersecurity the private sector must share \ninformation not only with the Department of Defense but also \nits industry partners. 
To encourage that sharing we need safe \nharbors so that industry partners can meet minimum security \nstandards and are not penalized with antitrust suits and other \nsanctions for cooperating.\n    Safe harbors can also accelerate innovation, such as we \nhave with the SAFETY Act. We need to expand that so it also \napplies to companies in the cyber industry as well.\n    Number six: We need to assure due process and dispute \nresolution. In every partnership, partners sometimes disagree. \nIn the government contracts business, pulling the plug on a \ngovernment contractor that is connected to the DOD systems is \neffectively a cyber death sentence.\n    A private party should not be unplugged when someone else \nis responsible for a security breach. A disputes resolution \nprocess--perhaps a cyber board of appeal of independent IT \nexperts--would allow government to do its job while assuring \ndue process for private sector in the event of such disputes.\n    As an old Navy guy I am proud to appear before this \nhistoric committee. We thank you for your leadership on this \nissue and welcome your comments.\n    Thank you.\n    [The prepared statement of Mr. Bodenheimer can be found in \nthe Appendix on page 44.]\n    Ms. Sanchez. Thank you so much to the gentleman.\n    And now, Dr. Schneider for five minutes or less.\n\nSTATEMENT OF DR. FRED B. SCHNEIDER, SAMUEL B. ECKERT PROFESSOR \n  OF COMPUTER SCIENCE, CORNELL UNIVERSITY, COMPUTING RESEARCH \n                          ASSOCIATION\n\n    Dr. Schneider. Thank you for inviting me here to testify. I \nwant to focus on cybersecurity research and education. Military \nand civilian computing systems need to tolerate failures and to \nwithstand attacks, but they don't. They are not trustworthy. 
\nAnd our dependence on these systems is increasing both for \npeace time and war time operations, often with system users \nignorant of what they depend on and the risks of that \ndependence.\n    Moreover, we operate in a reactive mode and we improve \ndefenses only after they have been penetrated. We thus prepare \nto fight the last battle rather than the next one. This means \nattackers always win round one.\n    We need to move beyond this reactive stance to a proactive \none. In short, we must build systems whose trustworthiness \nderives from first principles.\n    The proactive approach requires having a science base for \ncybersecurity. Since we don't have one we need to develop one. \nBut doing that will require making significant investments in \nresearch and the investments will have to be made on a \ncontinuing basis, for without continuity few will be inclined \nto make the intellectual commitment necessary to enter the \nfield.\n    Unfortunately, cybersecurity will never be a solved \nproblem. We are not going to find a magic bullet solution. \nAttackers grow evermore sophisticated. The systems themselves \nchange as do the deployment settings, bringing new \nopportunities for attack and disruption.\n    So what research needs to be done? There have been 19 \nstudies by federal agencies since 1997 each concerned with that \nquestion, each offering some kind of cybersecurity research \nagenda. And there is remarkable agreement among them all, so it \nis time to move beyond the list-making phase and embark on \nexecution.\n    I will offer two observations about the conduct of \ncybersecurity research, though. 
First, when the work is \nclassified it cannot engage many of the country's top \nresearchers, it necessarily receives less scrutiny by a diverse \ncommunity of experts, and it will be slow to impact the \ncivilian infrastructure on which even the military so depends.\n    Second, cybersecurity once was funded by a diverse ecology \nof agencies and instruments--DARPA, MURI [Multidisciplinary \nUniversity Research Initiative], AFOSR [Air Force Office of \nScientific Research], ONR [Office of Naval Research], ARO [Army \nResearch Office], all within DOD, plus NSF [National Science \nFoundation], DHS [Department of Homeland Security], and some \nothers. This diversity was valuable because different agencies \nhave different needs, goals, cultures, and style.\n    But the diversity has been eroding. Getting that restored \nshould be a priority, and it would undoubtedly bring better \nvalue for research dollars spent.\n    I earlier made the observation that today's systems are not \nas trustworthy as they need to be. The number of adequately \ntrained cybersecurity professionals is obviously a factor here.\n    To start, universities need to hire more faculty and to \nteach cybersecurity courses and to expand their programs. \nSignificant increases in research funding will promote this.\n    In addition, employers need incentives to hire system \ndevelopers who have adequate training in cybersecurity. \nGovernment policies can help here but they can also cause grave \ndamage. Some have advocated a cybersecurity credential for \nsystem developers as a forcing function.\n    The medical profession is a useful point of departure as \nit, too, is concerned with matters of life and death. Here, \nobtaining a credential requires far more than passing an exam. 
\nIt requires years of postgraduate study in which the curriculum \nhas been set by the most respected thinkers and practitioners \nin the field.\n    Second, credential-holders are required to stay current \nthrough courses sanctioned by the institution that issues \ncredentials. Finally, the threat of legal action, such as \nmalpractice litigation against a credential-holder incentivized \nprofessionals to engage in best practices. Eliminate any of \nthese three aspects and I have grave doubts that the--about the \nsuccess of the resulting scheme.\n    In closing, let me observe that the armed forces have a \nlong and distinguished record of supporting research and \neducation in cybersecurity and in systems trustworthiness, but \nour adversaries are now overtaking those early modest \ninvestments. We must now move from a reactive mode to a \nproactive one, which means creating a science base and \nsignificantly ramping up our research, and while we need to \ncreate a workforce that is up to the challenges of today and \ntomorrow, we need to be thoughtful about any policy incentives \nwe impose to promote that.\n    Thank you.\n    [The prepared statement of Dr. Schneider can be found in \nthe Appendix on page 72.]\n    Ms. Sanchez. Thank you, gentlemen.\n    I will remind my colleagues that we are going to work under \nthe five-minute rule, and I will begin by asking questions.\n    Once again, thank you for being with us.\n    Dr. Schneider, you said we need to develop a science basis \nfor cybersecurity, and then you spoke about how the medical \nprofession trains and takes 10, 12, 15 years sometimes before \nthey go out and really do their work. What would you envision \nwould be a science-based cybersecurity pod?\n    What would it look like? Who would fund it? Would it be at \nsome universities? How would we get the cross-pollenization of \ndifferent things going on?\n    Dr. Schneider. 
There is an active research community in \nuniversities, and I would expect that most of the revolutionary \nideas would come from that community. By a science base I would \nhope we come up with laws, like physical laws, that are \nindependent of technology, independent of specific application \nproblems, but that inform all our decisions about how to build \nsystems.\n    And like we see in the medical profession, there is applied \nresearch, there are people who develop drugs, and there is \nbasic medical science research. And without this basic medical \nscience research we don't understand the mechanisms under which \ndiseases operate, and therefore we don't have a chance of \ndeveloping palliatives or cures.\n    And so really, medical research progresses on two planes. \nThere is a basic research that builds a foundation and it \nenables specific research problem--topics to depart and address \nspecific diseases, and I would expect that to happen in this \nsetting as well.\n    Ms. Sanchez. Thank you.\n    Gentlemen, we just passed the cybersecurity bill in the \nHouse maybe about two or three weeks ago, and one of the \namendments that I put onto it was to make it a little bit \neasier for academia to, in particular, respond and work with us \nat the government level, at the DOD level, to--with respect to \nthe security clearances and this type of thing. 
What do you \nthink are the major walls that are in place from having the \npublic sector, the working public sector, the people who are \ncommercializing some of this--actually doing their own basic \nresearch most of the time and commercializing, but also taking \nbasic research we have and doing things.\n    What would you say are some of the barriers to working with \nour Defense Department or other departments of our federal \ngovernment with respect to information-sharing and thought-\nsharing, and what would you say it is from the academic \nperspective from our universities and research centers?\n    And any of you can answer, or all of you, or----\n    Dr. Schneider.\n    Dr. Schneider. So, the risk of doing this is it might make \nvisible to our adversaries what is working and what is not \nworking, and that is primarily the concern about revealing \nclassified data to a broader community. On the other hand, it \nseems pretty clear that we overclassify content with respect to \ncybersecurity. And there is a grave risk that academics and \nothers who don't have access to this information will solve the \nwrong problem.\n    Mr. Bond. Let me add to that if I can. This is one of the \nreasons why we advocated this potential review of Title X to \nlook at a number of things through that prism, because in a \nnetworked world we can bring people and ideas together more \neasily--academics with government, private sector and public \nsector. 
There are a number of rules, regulations, laws,
authorities in place built in earlier times for good reasons
and rationales of the time but which today represent large and
small obstacles to just that collaboration.
    If I can, with the analogy used earlier to the medical
research efforts, the difference is you can't really talk to
the disease or even the particle if it is really, really basic
kind of physics research you are doing, but in this case we can
talk to not only leading--leading thinkers and leading
companies are talking to some of the folks who are engaged in
this kind of gray world between perpetrators and the rest of
the world. So there are collaborations and conversations. We
can learn more about what the adversary is doing, bring that
through academic and private sector partners so that we get to
that forward-looking agenda that Dr. Schneider talked about in
his testimony.
    Ms. Sanchez. Mr. Bodenheimer.
    Mr. Bodenheimer. I would agree that there are, indeed,
legal barriers to the information-sharing between DOD and the
private sector. There was a recent report in the U.S. STRATCOM
[Strategic Command], which identified about 23 different laws
bearing upon the public-private partnership in information-
sharing. About ten of those have a direct effect upon the
information-sharing issues.
    We need a dual-pronged approach. One, as Mr. Bond said, we
do need to look at some of those laws to determine whether
there needs to be additional authority for DOD to share the
information with the private sector. In addition, there are
models for sharing the information, such as in the U.S.
STRATCOM report, by using a nonprofit organization to receive
the information and effectively serve as a clearinghouse.
    I also agree with Dr. Schneider that overclassification has
been an issue.
I think that we do need some institutionalized
methods, such as technology clearinghouses, with restrictions
on access but still access so that industry and the Department
of Defense can, in fact, work together.
    Ms. Sanchez. I see that my time is up, and I am going to
pass on to Mr. Marshall, my colleague from Georgia. Georgia?
    Mr. Marshall. Thank you, Madam Chair. Congratulations on
heading up the committee.
    You note that there aren't a lot of members present, and it
is not that we are all over attending the health care summit or
watching the health care summit. We are certainly busy and we
tend to focus on things that we think we might, you know, add
some value to, and that might explain why so few of us are
here.
    I am a former law professor, you know, reasonably well-
educated. I use computers all the time, and it is very
difficult for me to follow a lot of--your suggestions actually
are fairly straightforward and so I can follow the suggestions,
I just don't have a sense of--enough of a sense of the problem,
of the structure we currently have that is attempting to
address this problem, and whether that structure that we
currently have--those individuals who are currently doing this
who have expertise I don't come close to having nor will I ever
have--are the right experts to have. Are they appropriately
structured? Do they have the appropriate authorities?
    So I have to assume that you all are here because you do
have some familiarity with how we, the government, are
currently structured to try and analyze, understand this issue
and then make recommendations to Congress concerning how we
should proceed--make recommendations to Congress for how we
should proceed. I fully accept Secretary Lynn's statement and
your description of the urgency of this.
There is no doubt in
my mind that this is critically important; I just have no clue
what direction to go in.
    So with your familiarity with our structure can you tell me
whether or not you are kind of comfortable with who is there,
how they are organized, and what they are doing to try and
tackle these issues that you are addressing today?
    Mr. Bond. Let me take a first stab at your question, which
I think is a good one and I note the attendance as well, which
I think tells us in the industry something about our need to be
better in terms of educating and engaging policymakers on
this----
    Ms. Sanchez. Mr. Bond.
    Mr. Bond. Yes.
    Ms. Sanchez. I might note for the record that the intel
authorization is--intelligence authorization bill is up on the
floor and many of the members who tend to be on this committee
are interested in some of the matters there, so it could very
possibly be--yes, and you know, we were shut down for two weeks
here so everybody is trying to catch up. So it could be a
matter of the timing as well as a matter of the fact that the
intel bill is on the floor that we may not see some of the
people here. But I know everybody is interested in it, and it
is a very complicated, very difficult issue to get our hands
around, but it is not because of you three.
    Mr. Marshall. If I could reclaim my time here, it is
definitely not because of the three of you, but I have been on
this committee now for a while, and we have had hearings like
this in the past, and they are typically not very well
attended. And it is not because we aren't alarmed; it is not
because we don't worry about this problem.
It is because we
don't really understand it very well.
    And so we are hoping that we are appropriately organized,
that we have the right people in the government organized
appropriately to try and listen to folks like you and come up
with the right suggestions for us, whether it is change the
law, increase funding here or there, and that is my question:
Do you feel like we do have those folks in place and that they
are going to--and who are they, and how are they--are they
appropriately organized, they are going to make the right
recommendations?
    Mr. Bond. I think there is an awful lot of talent across
the government applied against some of these things, and
indeed, as I tried to point out in my testimony, sometimes too
much talent.
    So if there are 12 different efforts on the same topic--
that was what is behind our recommendation that the
administration maybe look at a coordinator to bring those
together; that was in information assurance. We also have the
challenge of legal prohibitions on co-locating private sector
and public sector folks together to work on some problems, and
this challenge cries out for exactly that kind of thing.
    Mr. Marshall. Okay, so you, having said that, are there--
does Bill Lynn, for example, or the people who are advising him
concerning these issues, do they agree? Have they made a
suggestion to us that we modify the law in a certain way that
would then permit them to do the kind of collaboration that
they think is advisable and that you have in mind maybe?
    Mr. Bond. On that last specific point, not that we are
aware of. We have had direct conversations with Secretary
Napolitano about it from a DHS perspective, so I know that she
is aware of that, and Phil Reitinger over there has identified
that as something he would like to address.
So those kind of
discussions are going on, certainly.
    Another one I would mention that is a specific challenge, I
think, to Capitol Hill is the speed of innovation is so much
faster than the speed of legislation that issues around budget
flexibility, the color of money and when that money dies, how
much flexibility you can have to respond quickly in a fast-
changing technology environment, those would be challenges here
with that branch of government that has the power of the purse.
    Mr. Bodenheimer. I would like to add to what Mr. Bond said.
One of the things that we do see is a divided structure within
DOD and the civilian agencies. One of the things that Congress
has done well is to bring both from the Senate and the House
side the staffs together into cyberjams, and it would be great
to see a model like that, you know, within DOD and the civilian
side as well.
    We need to bring together the standards that we see on the
DOD side with those on the civilian side and the IC
[intelligence community] in a way that we have a single set of
standards. We need the government--the executive agency
speaking with a single voice.
    Mr. Marshall. Just to sort of give you an idea of how far
behind you I am, I--a single set of standards. What does that
mean? You just want to stop it all, so, I mean, that is how
basic my--there is a standard of acceptable--there is an
acceptable level of----
    You don't really need to tell me. I am never going to
have that kind of expertise. I just want to know that the right
people are in place doing the right things.
    Dr. Schneider. So, the good news is you have some very good
people. The bad news is they are not working in a context in
which they can get the job done.
And I am a professional
computer scientist; I am going to become an amateur
governmentist and point something out.
    The Defense Department is dependent on lots of stuff that
is highly vulnerable--the power grid, the communications
infrastructure in the public sector as well as stuff that they
operate themselves. There are some obvious things to make this
better. You could imagine a staged plan where you start
addressing short-term things, you worry about 10-year-out
problems, and you worry about investing in research long-term.
    If you go into the Pentagon and look around you will find
nobody who is doing this, but what is worse is you will not
find anybody who believes this is his or her job. There is
nobody who feels it is job number one to create a program and
to execute on it.
    With the appointment of Howard Schmidt in the White House
you could argue for the nation at large there has been some
movement in this direction, but the Defense Department cannot
depend on the efforts for the nation at large. Your needs are
slightly different; your needs are more critical, and there
needs to be somebody there. The people exist but nobody has
that job.
    Mr. Marshall. Why don't we just go back and forth? There
are only two of us.
    Okay. My impression jibes with what I think I heard from a
few of you, and that is that the technology that we use for
most of our systems lags behind a little bit, and I think in
part it is because of the process that we go through in order
to develop it, and then the concerns that we have concerning
changing it. You know, so we change it here, how is it going to
be compatible there?
If we make this change how are we going to
train people, et cetera?
    And I wonder, is there an accepted mechanism for us to
evaluate the effective--it would be very helpful if there were
some way to--an accepted way where, you know--not going to be a
lot of argument about this--to evaluate the talent and
productivity of the folks that we have that are developing our
software?
    We have got a lot of software engineers out there that we
are relying upon, I guess people who could be working for
Google or Microsoft or what have you but they happen to be
working for us on software for UAVs [Unmanned Aerial Vehicles],
on software for communication, et cetera, in addition to
cybersecurity stuff. How do we evaluate whether or not they're
as talented as they need to be and productive as they need to
be?
    Mr. Bond. Let me take a first stab at that. It strikes at
some fundamental issues, so I appreciate the question.
    Much of the talent does come through private sector
partners on a lot of the large projects and there are a number
of metrics in the--from the very initial stages through
contract performance and other things. I would take the
question, if I could, and try to get back to you on how far
down the chain those go to individual engineers and how much
transparency there may be there.
    So with your----
    Mr. Marshall. No, no, that would be great.
    Mr. Bond [continuing]. Forbearance we will try to take that
and get back to you with something.
    [The information referred to can be found in the Appendix
on page 105.]
    Mr. Marshall. And Dr. Schneider, if you would, I mean, the
committee staff here is great and they have been really working
on this issue for some time, and so if you could, if you would
get back with committee staff on that. And then, Dr.
Schneider,
in your case, your thoughts concerning the absence of a mission
within the Pentagon, people specifically tasked to these kinds
of issues, if you could--it may be that it is in your
testimony. If it is not, if you could share that with us in
writing that would be very helpful if you could detail that.
    And I am sorry, I interrupted--other thoughts about how we
evaluate, or, you know, do we have the right talent pool, is it
appropriately productive?
    Mr. Bodenheimer. One of the things that we need to do is to
make cyber sexy to the people that are in the software
business. For example, my nephew is an IT wizard. He has no
interest in becoming involved in cybersecurity because there
are so many other opportunities, and I think part of it is a
marketing job and part of it is a credentialing job to make
cybersecurity professionals stand out. That would make a
difference.
    Dr. Schneider. I am curious about your interest in
evaluating the quality of people since ultimately we really
want to evaluate the quality of the artifacts they produce. And
if, for example, we could evaluate the quality of what they
built--how secure it was--then we would have an easy way to
determine how good the people who built it are. Certainly when
you are going to buy a car you read Consumer Reports or
something and they discuss the car, they don't discuss the
engineers.
    The bad news is, we don't really have a way to measure
security. We don't have a way to measure security or return on
investment from defenses, and this isn't--and this is a hard
fundamental problem. It is not something we are going to crack
in the near term. It is something everybody appreciates is a
big difficulty.
    There is a famous quote that says, ``If you can't measure
something you really don't understand it,'' and the field is
well aware of this.
And this is a fundamental disconnect.
    And the reason it is a difficult problem is because you
don't know what to measure it against. You would like to
measure it against some hypothetical attacker, but as soon as
you deploy a defense the attacker gets wise and now you don't
know what to measure it against because the attacker may go in
any number of directions.
    So this is the sort of problem that has eluded the field
for some time. This is one of the reasons I have been
advocating for the kind of science base, because I think that
is the only hope for getting these measurements. But I think in
the limit, we really want to be able to evaluate artifacts and
not evaluate people.
    Mr. Bond. I would, if I could, just quickly observe, too,
there are a number of private sector-based efforts to measure
the reliability and kind of fundamental code within software
programs to increase your understanding of the assurance and
reliability of that, and I wanted to acknowledge and then agree
with Dr. Schneider's point, too, that one way of measuring that
is to look at the overall product, and is it working, and the
different levels of certification and other things.
    Approaches to information assurance have tended to look at
it that way: Okay, let us break it down by level of
sensitivity, and therefore greater certification or greater
assurance as you climb up that stack. So each would have a
different metric assigned to it.
    Ms. Sanchez. Gentlemen, what effect does having all these
former--these legacy systems in the Department of Defense and
sort of trying to hold on information and bring it forward and
move on--I mean, this is one of the reasons why we have had at
least hardware, in particular, sort of encumbered, if you will,
in the sense of trying to bring forward these legacy systems.
How does that impede us, or are we at the point where we could
just do a sort of data dump and move forward into the next
generation of whatever hardware and software will look like?
    Are we in the process of doing that or are we still--I am
thinking in particular to the DOD. Are we still encumbered with
that? And I say that in the very naivest terms because I know,
you know, if we have a fire in some warehouse where the files
of our veterans are we could lose--I mean, there have been
cases where we lose everything we know about them, basically,
and we have to reconstruct from what they might have on hand.
How does the legacy issue affect an ability for us, from the
DOD standpoint, to move forward into this new arena?
    Mr. Bond. I will take a first shot at that: I think that in
the rapid changing environment that we are in, the information
age, legacy systems are something that everybody deals with,
and perhaps government more than many others because
government, to a large extent, is in the information business
with its citizens and everything else, so I think that is a
constant. And large and small companies deal with it every day,
too. At my association I am sure most of my employees think our
systems are too old and would like something new and so forth,
so that is a constant.
    What it takes me back to, though, is the recommendation--
and this is really why we need a panel of some experts to help
on these large-scale things, because it is like a multilevel
chess game, you have a lot of things you have to factor in. How
you are going to move information from the legacy systems, how
much of those are interoperable?
Is the new system going to be
backward-compatible as you look at the next challenge and next
generation?
    These are exactly the kinds of things that private sector
companies are dealing with all the time and could help the
agency deal with, but I think to best assist that would be kind
of an expert panel that can help on these, because these are
very large, complex systems, old and new, that the Department
needs to keep that warfighter at the very front on the edge.
    Mr. Bodenheimer. Let me address that from an acquisition
standpoint. Many of these systems are in the process of being
replaced through various ERP [Enterprise Resource Planning]
procurements within the Department of Defense, you know,
replacing the stovepipe systems and the legacy systems.
    I think one of the most important things we can do is make
sure that the contracts for replacing those old systems include
the requirements for information assurance and information
security in them. And in addition, I think that we need to take
a hard look to determine whether the existing DOD standards--
for example, the defense information assurance certification
and accreditation program, DIACAP--is the right standard, is a
sufficient minimum standard for applying to updating these
legacy systems.
    Dr. Schneider. New systems are more secure than old
systems, but if you read the newspapers the front page is about
attacks against new systems.
I don't believe that moving to
today's new systems is going to appreciably change how
vulnerable DOD is to cyber attacks.
    I think the only way to change things is to build systems
differently, and that requires a different force field, whether
it is economic policy, legislative, that changes the equation
about how people are prepared to make investments when they
build the system, whether they are prepared to spend more time
testing the system, whether they are prepared to sacrifice
complexity, because complexity gives attackers an edge. But
just upgrading our systems to the latest is not going to
appreciably change the vulnerability of DOD systems.
    Mr. Marshall. I am certain that software engineers, as they
develop products, have security in mind as they do so. How
could you not? I mean, it is just sort of--it is all around you
and your packages, your product is not going to be as
attractive in handling--you are not going to--it won't be as
attractive to the market, if the market is something that wants
security, if you can't somehow establish the security.
    Within the private sector when large software packages are
being developed does the company go so far as to actually have
red teams that are trying to figure out ways to attack the
product, to destroy the product, to--you know, what are the--it
is not just relying on the software engineer who is designing
the product to come up with security that is adequate, but
actually trying to attack it. Do we have that?
    I guess, Dr. Schneider, if we don't have anybody within DOD
that is really specifically charged with the responsibility of
worrying about these security issues we probably don't have red
teams that are actually out there trying to penetrate our
systems.
    Dr. Schneider. No, actually DOD has some of the finest red
teams in the world.
What we don't have in DOD is somebody who
is worried about the road map and making investments and
executing on a plan to move the field and move DOD forward so
that DOD is less vulnerable to all of the attacks that exist
today----
    Mr. Marshall. Well, if we have got the best red team in the
world we are obviously concerned about cybersecurities, and yet
we are not appropriately structured because we are not--we
don't have the right mindset or the right division of
responsibilities, or our attention isn't drawn to this
adequately as we develop systems? Is that what you are saying?
    Dr. Schneider. Yes, sir.
    Mr. Marshall. And yet, here we are. It is national
security. We know cybersecurity is an issue. It is hard for me
to believe that we wouldn't have cybersecurity in mind as we
develop our software products.
    Dr. Schneider. Yes, sir. It is very disturbing.
    Mr. Marshall. So you have made the statement that, in fact,
we have this lack. How do you, you know--because frankly, if
the chairlady here was convinced there was such a lacking this
committee would be moving forward with whatever needs to be
done in order to make sure that that gets fixed. So would DOD
agree?
    If we went to the folks in DOD who are principally
responsible for this at maybe the undersecretary level and we
said, ``Geez, you know, Dr. Schneider says we are not
structured appropriately. We don't have the right mindset. The
products that we are producing are inadequate because of this
failing.'' Would they say, ``Yes, that is true''?
    Dr. Schneider. I couldn't put words in their mouth, but I
believe there are people who see it this way, yes.
    Mr. Bond. If I can, I probably see it a little bit
differently. I do think DOD is moving exactly that direction
with the Cyber Command. There is a senior official in charge of
information assurance, which goes to the supply chains and so
forth.
And I think in recent years, to your basic point, that
there has been a greater emphasis and understanding of the need
to build security into software even though companies certainly
test, because their reputation and their brand is going to be
at risk and can be--somebody can choose another product with
the click of a mouse.
    But that said, there is much greater awareness just in the
last few years, nationally and throughout the software
community--the entire high tech community--to put more
attention and effort into building security in from the very
beginning so that it is not just patches and things you bolt on
the edge of your network or onto the software, but you build it
in from the very beginning. And so that should continue to
increase because the risk and importance is only growing, but I
do observe that in the last few years I think both the private
sector and DOD and the public sector generally have been moving
in that direction.
    Ms. Sanchez. And I think that we have seen that, in
particular working on the homeland side, with respect to the
civilian side of the federal government. We certainly have seen
a bigger impetus to--a momentum to try to get that done, and
obviously also coming out of the White House and their
cybersecurity czar.
    Did you have a comment----
    Mr. Bodenheimer. Yes, Chairwoman. One of the things that I
think DOD would agree upon is we do need the regulations--the
acquisition regulations--out in public with comment and
discussions. This is one area that the Department of Defense
has shown leadership. They have prepared a set of acquisition
regulations specifically addressing the information security
issues.
That puts DOD ahead of a number of other agencies which
have not issued those regulations.
    I think it would be a great thing to get those regulations
through OMB and out into the public so we can comment and get
those regulations improved and as good as they can be. It would
then provide a gold standard for other agencies to use that as
a model for acquisition.
    Ms. Sanchez. Let me ask you, what is the role of the
Defense Security Service in working with industry to secure
industry unclassified networks? Do they have a role in any of
this?
    Mr. Bond. If I can----
    Ms. Sanchez. Mr. Bond.
    Mr. Bond [continuing]. I would just volunteer to get you
more detailed input from some of our member companies----
    Ms. Sanchez. That would be great.
    Mr. Bond [continuing]. On exactly their perspective and
what they would have the chair know about that.
    Ms. Sanchez. I would like to see that. Great.
    Do you have any more questions, Mr.----
    Mr. Marshall. Yes, I do.
    Mr. Bond, were you the one that suggested Reserve
officers--Reserve--has that proposal been kicked around with
DOD?
    Mr. Bond. This is something that arose out of a
conversation between CEOs and chief information security
officers out in Silicon Valley with Secretary Napolitano where
she talked about her--the challenge that agency has in getting
enough skilled professionals in to meet the cybersecurity needs
of DHS and the palpable frustration of everybody else around
the table that they want to help defend their country and they
feel like they can't.
They want to give executives to the
government for a short period of time; they want to supplement
their salary or do whatever they can to try to help defend
their country and they feel like they can't.
    And so we began to look and talk to others in government
about models that might already exist that would be a good
framework that policymakers could quickly understand and the
reservist model suggested to us seems to be one that everybody
can understand quickly and say, ``Okay, great. You keep your
civilian job, you get to supplement the government salary, and
you get to come back to your civilian job. But in the meantime,
go help defend your country.''
    Ms. Sanchez. And it sounds like a great idea. We ran into
this on Homeland, actually, having been on Homeland since the
inception of that committee, in just trying to fill the
cybersecurity czar position over there in the Homeland
Department. I would--and I am estimating--but having lived
through it I would guess that 50 percent of the time that
position was vacant, and that the other 50 percent of the
time--I am talking about the first 5 years' worth--I believe we
had six czars, and that the median stay of that--those czars
might have been 6 or 7 months.
    And the biggest problem we found was how do we pay them for
what they are worth to come over and do that?
And in fact, we
had one of them who was supplemented, I believe through a
university, maybe MIT [Massachusetts Institute of Technology]
or one of the others that was a Northeastern University.
    And there was a total outcry when the newspapers came out
with the fact that they were funded by the university and only
taking the $160K, or whatever, that we were paying the czar but
had a total compensation package of $400 because--$400,000
because they were being subsidized by some university who, by
the way, the deanship of that university or the flagship of
that university was a private company. And therefore wasn't it
amazing that this czar guy was considering that the best stuff
was coming from, oh, by the way, the company that was funding
the university's program that was basically funding--you know,
I mean, you can imagine the iterations of what we went through
with this.
    So the answer is, the reservist model is a new thing for me
to think about, but it is very difficult to figure out how we
do that--and that is one of the things we have to think through
if we do take a look at that--because, without naming names but
more or less my--what I remember of the situation was people
didn't stay very long because they weren't paid. If they were
paid from the outside it was a problem.
    These people came, they stayed for a while. What did they
do when they left? They came back and they were the contractors
to the Homeland Department to bring in, you know, other
people's goods trying to sell us. So it is a very--it is a very
slippery slope on how we get people to come in and give us good
information, do the patriotic thing to their country, and at
the same time not be partial to whatever it is their company is
selling.
    Mr. Bond. Couldn't agree more on exactly some of the
challenges.
I think one of the things that appeals to many of
the executives involved about the reservist model is that it
could be more widespread, so it is not about what any one
individual and how they are gaming the system. The American
people understand the reservist concept as well, and it could
be a range of talent, too--it might be mid-level; it might be
senior level folks for a while--but could be a range, and that
therefore maybe that might be enough to get over some of those
obstacles you identified.
    I guess it does, in my mind, two other things: One, it
underscores that this really is urgency. This is about national
security and if we are serious about it then we should bring
more people and talent to bear on it. And it goes to a point
that was raised earlier about making cybersecurity a little bit
sexy, you know, that no matter where you work in the industry
you can spend some time helping defend your country might be
very appealing.
    Ms. Sanchez. Thank you.
    Mr. Marshall. Could I ask----
    Ms. Sanchez. I will allow one more question.
    Mr. Marshall. Pardon me?
    Ms. Sanchez. I will allow you one more question.
    Mr. Marshall. You are all familiar with how software
programmers and others--you know, mid-level and higher level--
the reservists typically come in for a brief period, leave for
a brief period. How long do you think they would have to come
in in order to be effective?
    Mr. Bond. Well, I----
    Mr. Marshall. On average.
    Mr. Bond. This is----
    Mr. Marshall. Too much in the weeds?
    Mr. Bond. Well, no. I just think the answer would vary. I
think just, you know, there might be longer tours of duty,
there might be particular talents that you want to bring in, a
shorter term on a project.
So I think it probably would vary.
    But also it is very much something notionally that some
leaders in the space have talked about and have not had the
benefit of enough thought and research yet to be a full-bodied
proposal to you. But I think it does underscore how much the
industry wants to help and how frustrated that they are.
    Mr. Marshall. You know, it would be great--if you are
representing 1,200 companies you obviously have resources. I
think it would be wonderful if you could pull some folks
together and explore this with some detail and get it to us,
get it to DOD, you know, get it to whoever. And I think the
chair listed some of the concerns that we would have; no doubt
there are others out there as well. But the potential seems
fairly obvious to me.
    Dr. Schneider, I hear you when you say we should be looking
at the quality of the product. I did mention productivity as
well as talent, and in this arena, just like many others,
obviously the talent of the workforce has a lot to say or to--a
major effect on the quality of the product that you wind up
getting, let alone productivity.
    And so I hear Mr. Bond saying, and I think all of you would
agree, that, you know, to the extent that we can organize
ourselves in a way that brings to the table the best talent
that the country has to offer to try to tackle this problem
that affects both national security and--at a public level and
a private level--then we ought to be doing that if there is a
way to do that.
    And I don't have to--I will never be an expert in this
area, and I don't have to be an expert in this area in order to
understand that we need to fund it, and if the right people are
in place giving us advice concerning how to go about funding it
then we will do it.
    Mr. Bond. Well, I will commit to you that we will get back
to you. Next week in San Francisco is the world's largest
cybersecurity trade show.
We will have a number of the CEOs who \nare affiliated with our association meeting at that and I will \nconvey your message to them and we will get back to you with \nsome thoughts.\n    Mr. Marshall. Thank you.\n    Ms. Sanchez. Gentlemen, thank you so much for being before \nour committee. As is the usual course of business, members will \nhave some--a few days to ask some additional questions in \nwriting and put them to you. We hope that you would answer them \nfairly quickly for our committee.\n    And with no other questions out there we will close the \ncommittee. Adjourned.\n    [Whereupon, at 3:09 p.m., the subcommittee was adjourned.]\n     \n=======================================================================\n\n                            A P P E N D I X\n\n                      Thursday, February 25, 2010\n\n=======================================================================\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                      Thursday, February 25, 2010\n\n=======================================================================\n      \n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n      \n=======================================================================\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                      Thursday, February 25, 2010\n\n=======================================================================\n\n             RESPONSE TO QUESTION SUBMITTED BY MR. MARSHALL\n\n    Mr. Bond.\n\n \n                                                                Federal  Avg.    Private Sector\n                                                                 Annual  Wage     Avg. 
Annual          Wage\n                                                                    (2008)        Wage (2008)      Differential\n \nComputer Systems Design and Related Services                          $53,355          $88,698              66%\nEngineering Services                                                  $76,732          $79,363               3%\nResearch and Development in Physical, Engineering, and Life           $89,732          $97,709               9%\n Sciences\n \n\n\nSource: Bureau of Labor Statistics, QCEW Database.\n\nEDUCATION\n\n    For-profit firms are the largest employer of individuals with \nscience and engineering degrees.\n\n     For-profit firms employ 47% of individuals whose highest degree is \nin science and engineering, compared to 13% employed by the government. \n(The rest are employed by colleges/universities, nonprofits, or are \nself-employed)\n     For-profit firms employ 28% of individuals with science and \nengineering doctorates, compared to 9% employed by the government. (The \nlargest employers here are 4 year colleges and universities which \naccount for 42%.)\n\nSource: National Science Board. 2010. Science and Engineering \nIndicators 2010. Arlington, VA: National Science Foundation. P. 3-24. \n[See page 13.]\n\n                                  <all>\n\x1a\n</pre></body></html>\n"
