[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


                         [H.A.S.C. No. 111-128] 
 
   PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION 
                TECHNOLOGY AND CYBERSECURITY ACTIVITIES 

                               __________

                                HEARING

                               BEFORE THE

   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD

                           FEBRUARY 25, 2010

                                     
              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

58-308 PDF                       WASHINGTON : 2010 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 
















   SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND CAPABILITIES

                LORETTA SANCHEZ, California, Chairwoman
ADAM SMITH, Washington               JEFF MILLER, Florida
MIKE McINTYRE, North Carolina        FRANK A. LoBIONDO, New Jersey
ROBERT ANDREWS, New Jersey           JOHN KLINE, Minnesota
JAMES R. LANGEVIN, Rhode Island      BILL SHUSTER, Pennsylvania
JIM COOPER, Tennessee                K. MICHAEL CONAWAY, Texas
JIM MARSHALL, Georgia                THOMAS J. ROONEY, Florida
BRAD ELLSWORTH, Indiana              MAC THORNBERRY, Texas
PATRICK J. MURPHY, Pennsylvania
BOBBY BRIGHT, Alabama
SCOTT MURPHY, New York
                 Kevin Gates, Professional Staff Member
               Alex Kugajevsky, Professional Staff Member
                     Andrew Tabler, Staff Assistant





























                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2010

                                                                   Page

Hearing:

Thursday, February 25, 2010, Private Sector Perspectives on 
  Department of Defense Information Technology and Cybersecurity 
  Activities.....................................................     1

Appendix:

Thursday, February 25, 2010......................................    21
                              ----------                              

                      THURSDAY, FEBRUARY 25, 2010
   PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION 
                TECHNOLOGY AND CYBERSECURITY ACTIVITIES
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Conaway, Hon. K. Michael, a Representative from Texas, 
  Subcommittee on Terrorism, Unconventional Threats and 
  Capabilities...................................................     3
Sanchez, Hon. Loretta, a Representative from California, 
  Chairwoman, Subcommittee on Terrorism, Unconventional Threats 
  and Capabilities...............................................     1

                               WITNESSES

Bodenheimer, David Z., Partner, Crowell and Moring, LLP..........     5
Bond, Phillip J., President and CEO, TechAmerica.................     3
Schneider, Dr. Fred B., Samuel B. Eckert Professor of Computer 
  Science, Cornell University, Computing Research Association....     7

                                APPENDIX

Prepared Statements:

    Bodenheimer, David Z.........................................    44
    Bond, Phillip J..............................................    29
    Miller, Hon. Jeff, a Representative from Florida, Ranking 
      Member, Subcommittee on Terrorism, Unconventional Threats 
      and Capabilities...........................................    27
    Sanchez, Hon. Loretta........................................    25
    Schneider, Dr. Fred B........................................    72

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Marshall.................................................   105

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]
   PRIVATE SECTOR PERSPECTIVES ON DEPARTMENT OF DEFENSE INFORMATION 
                TECHNOLOGY AND CYBERSECURITY ACTIVITIES

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
     Subcommittee on Terrorism, Unconventional Threats and 
                                              Capabilities,
                       Washington, DC, Thursday, February 25, 2010.
    The subcommittee met, pursuant to call, at 2:06 p.m., in 
room 2118, Rayburn House Office Building, Hon. Loretta Sanchez 
(chairwoman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. LORETTA SANCHEZ, A REPRESENTATIVE 
    FROM CALIFORNIA, CHAIRWOMAN, SUBCOMMITTEE ON TERRORISM, 
            UNCONVENTIONAL THREATS AND CAPABILITIES

    Ms. Sanchez. Good afternoon. Before we begin, this is my 
first subcommittee hearing as chairwoman for this subcommittee, 
and I would like to share that I am extremely honored to be 
serving in this new role, and I look forward to working with 
the subcommittee members and staff.
    I would like to welcome you all and thank you for joining 
us today to discuss cybersecurity, a high priority issue for 
the Department of Defense [DOD] and for the security of this 
nation as a whole and, I think, on an individual basis a high 
priority for many people who value their privacy.
    Today our witnesses will be providing us with private 
sector perspectives on the Department of Defense's information 
technology [IT] and cybersecurity activities. Cybersecurity is 
an issue that I have been following very closely for many 
years, including in my role as vice chair of the Homeland 
Security Committee. Cyber threats have only recently received, 
I think, the attention that we should have been giving them the 
entire time, particularly within the defense community. DOD is 
continually working to gain a better understanding of 
cybersecurity and how to best protect this nation's cyberspace.
    There have been many mainstream discussions in the press 
regarding cybersecurity lately, in particular because of the 
Google incident. However, there have been a number of high 
profile events against the DOD and others, including cyber 
attacks against Estonia and Georgian government forces, reports 
of intrusions into contractor networks to exfiltrate data on 
the F-35 Joint Strike Fighter, intrusions in to the networks 
that control our electricity grid, and intrusions on Pentagon 
e-mails as well.
    Those are only a few of the incidents that we know of. Many 
people are unaware that our systems, especially our defense 
networks, are attacked on a daily basis. In the Department of 
Defense there are more than 15,000 different computer networks 
which are operated across 4,000 military installations around 
the world. We must protect those systems and ensure that 
information on them is only available to authorized personnel, 
and we must not only be prepared to respond quickly and 
effectively to cyber attacks but we need to invest what is 
necessary in particular resources to protect our systems.
    That is why it is important that the government engage the 
private sector as a partner in cybersecurity and not simply as 
the technology provider that you have been for such a long 
time. There is a vast array of intellectual capital and 
expertise in the private sector. I should know because I am 
from California and a lot of the cyber people live there.
    It is not consulted on key strategic questions, even though 
some of those decisions have as much impact on industry as on 
government, because sometimes government becomes the standard 
and then others take from them.
    We should recognize that the private sector is very much a 
part of the DOD family, and we should treat it that way. DOD 
works with countless defense industries, and these industries 
must also be held responsible for handling classified and 
sensitive unclassified information appropriately.
    While DOD may find it difficult to engage with industry, 
that is not the case for Congress, and we feel that gaining 
insight from the private sector is essential. We hope that the 
witnesses today will share their views on a broad range of 
topics to further inform our awareness of these issues as we 
work with the DOD to craft an appropriate strategy for 
defending and operating our cyberspace.
    I feel the views of our private sector witnesses are a 
valuable complement to those views that we have within the DOD. 
For example, understanding the implications of how the recent 
QDR addressed the issue of cyberspace would be, I think, 
valuable to us and we would love to hear the thoughts on the 
proposed directions for the new established Cyber Command that 
the DOD has set.
    A major focus of this subcommittee is on the science and 
technology [S&T] programs of the DOD, so getting an outside 
view on the proposed research agenda would also be valuable. 
And with a proposed increase of more than $70 million in new 
funding for computer science and security research in the S&T 
budget this year I would like to better understand, from a 
private sector perspective, if we are investing in the right 
thing.
    If not, what should we be investing in and how much would 
that cost us? Because I believe we must better protect our 
information networks before we experience more situations where 
state and non-state actors are able to infiltrate our systems 
and not only steal data on our weapons system but also put 
lives in danger by disrupting military operations on our front 
lines.
    [The prepared statement of Ms. Sanchez can be found in the 
Appendix on page 25.]
    So let me quickly introduce our three witnesses. Today we 
have Mr. Phil Bond, who is the president and CEO [Chief 
Executive 
Officer] of TechAmerica; Mr. David Bodenheimer, who is a 
partner of Crowell and Moring; and Dr. Fred Schneider, a 
professor of computer science at Cornell University.
    All written testimony submitted by the witnesses will be 
included in the hearing record. Also, a reminder for 
subcommittee members that we will be adhering to the five-
minute rule for questions. Once again, I want to thank our 
witnesses for being here, and I would now like to yield to my 
ranking member from Florida, Mr.--oh, Mr. Miller is not here.
    Who are we ranking? Okay. Sorry.
    Mr. Conaway, from Texas? From Texas----
    Mr. Conaway. Yes, ma'am. Madam Chairman, your situational 
awareness is magnificent, yes.
    Ms. Sanchez. From Texas?
    Mr. Conaway. Texas.
    Ms. Sanchez [continuing]. Will be filling in for Mr. 
Miller, and we will hear the opening statement from your side.

  STATEMENT OF HON. K. MICHAEL CONAWAY, A REPRESENTATIVE FROM 
 TEXAS, SUBCOMMITTEE ON TERRORISM, UNCONVENTIONAL THREATS AND 
                          CAPABILITIES

    Mr. Conaway. Well, Madam Chairman, thank you very much, and 
welcome to the chair of the subcommittee. Looking forward to 
seeing you in your new role. It will not be long before none of 
us will remember Adam Smith and the role he played for a number 
of years as chairman. So congratulations, and look forward to 
working with you.
    Rather than read Jeff Miller's statement--Jeff is on the 
floor working on the Intel reauthorization bill, which I will 
have to go as well in a few minutes, but I would ask unanimous 
consent to submit his written opening statement for the record 
and--if that is all right?
    Ms. Sanchez. Perfect. I am sure Mr. Miller wrote something 
that is very, very good and we will put it in the record. And 
if you will yield back----
    [The prepared statement of Mr. Miller can be found in the 
Appendix on page 27.]
    Mr. Conaway. All right, yield back.
    Ms. Sanchez [continuing]. I would again ask our witnesses 
one at a time to summarize your written testimony. We did 
receive it, and I think we even received it on time, which is 
great. And we will ask you to summarize in five minutes. We try 
to adhere to the five-minute rule here.
    And we will begin with Mr. Bond.

  STATEMENT OF PHILLIP J. BOND, PRESIDENT AND CEO, TECHAMERICA

    Mr. Bond. Thank you, Chairwoman Sanchez and members of the 
committee. Privilege to be here on behalf of TechAmerica and 
representing some 1,200 member companies across the country.
    Let me begin by thanking the chair and the members of the 
committee for raising these important issues and holding the 
hearing. Our members in our association share the panel 
members' concerns about these vital topics and the need to 
apply technology to every aspect of national security, from the 
basement offices in the Pentagon to the warfighters in the 
battlefield.
    We share a commitment to protecting these critical networks 
and infrastructure from attacks and disruption. Today I want to 
focus on two fundamental themes here: IT, which includes the 
procurement thereof; and then cybersecurity, including 
information assurance.
    We believe that the inability of our IT acquisition process 
to keep pace with innovation indeed threatens our warfighters' 
technical advantage, and notably our adversaries are not tied 
up in the same red tape. Deputy Secretary Lynn put it well when 
he said: With IT technology changes faster than the 
requirements, faster than the budget process, faster than the 
acquisition milestone process. For all these reasons the normal 
acquisition process does not work for information technology.
    To solve that problem, we recommend first that DOD should 
build a new cadre of acquisition professionals, people 
dedicated solely to purchase of large systems, much as is done 
in the private sector. The Department also needs greater 
flexibility in budgeting. We cannot afford to wait too much 
time in a world where cycles are so short.
    There also is a need to restore and enhance commercial IT 
products and their use. There is an inadequate supply of STEM-
carrying [Science, Technology, Engineering and Mathematics] 
degree workforce out there and that is a long-term challenge. 
Another long-term challenge is basic research. We are certainly 
supportive of substantial increases in basic research scheduled 
for DOD in the coming year.
    On the second broad theme of cybersecurity and the related 
topic of information assurance, let me acknowledge the critical 
natures the chair mentioned about the collaboration between DOD 
and the private sector. In our view, DOD's dialogue with the 
private sector has been incomplete so far in this area--
certainly engaged with the Defense Industrial Base, with system 
integrators that are a part of TechAmerica, but the vast 
majority of the commercial software development world is not a 
part of that conversation and needs to be. They have not been 
formally involved.
    Related to any of these kinds of discussions about the 
collaboration on information assurance and--is a discussion of 
supply chains--excuse me. Again, here, government needs to work 
with industry to understand the global deployment, the benefits 
of it, and the risks of it. And then once you assess the risk, 
share the risk so that the very best minds in the private 
sector can help.
    We would encourage some specific steps refocusing and 
reforming the existing certification processes, identifying 
commercial sector best practices and tools to expand their use 
within the government realm. We also would recommend creating a 
governance structure for assurance. We underscore the need to 
accelerate--accelerate the efforts in this regard.
    Now, I want to suggest one idea in particular that we, as 
an association, have begun to explore, which is--the threat to 
national security is real. And perhaps there are other models 
we can use to bring the best of the private sector into 
collaboration with the best of the public sector.
    So if you think of the Reserve model, which allows 
reservists to keep their civilian jobs, come in and do 
service--do their national service--and perhaps have the 
government salary supplemented by the private sector. But that 
legal framework might well apply so that leading cyber 
companies could donate talent on tours of duty, much like 
reservists, and really help the national security.
    Finally, we think it is important to underscore that the 
leadership of DOD and the warfighter ultimately traces itself 
back to our leadership in the private sector in innovation and 
believe that therefore the Department should take an interest 
in the private sector leadership of American companies.
    Let me make one other point quickly in summing up, which is 
that we note there are many efforts in information assurance 
and global supply chain assurance. So we encourage the 
administration to look at a single authority to consolidate and 
coordinate those.
    And finally, Madam Chair, we would ask that the 
subcommittee consider a strategic review of Title X to see if 
in this information age there aren't some antiquated 
authorities that just have not kept up with the pace of 
technology that could be updated for the good of our nation's 
security.
    Thank you.
    [The prepared statement of Mr. Bond can be found in the 
Appendix on page 29.]
    Ms. Sanchez. Thank you, Mr. Bond.
    And now we will hear from Mr. Bodenheimer.

STATEMENT OF DAVID Z. BODENHEIMER, PARTNER, CROWELL AND MORING, 
                              LLP

    Mr. Bodenheimer. Chairwoman Sanchez and members of the 
committee, thank you for your leadership on cybersecurity 
issues. Without cybersecurity we cannot maintain military 
superiority or economic security, and a vital key to 
cybersecurity is a robust public-private partnership. Quite 
bluntly, government and industry will either succeed together 
or fail separately.
    I am David Bodenheimer, a partner in the law firm of 
Crowell & Moring, where I head the homeland security practice, 
specialized in government contracts, and work on ABA [American 
Bar Association] committees focusing on cybersecurity issues. 
Today I appear in my personal capacity to talk about 
cybersecurity, a topic that keeps me busy during the day and 
awake at night.
    I will not dwell on the threat today. Nearly everybody 
agrees that the cybersecurity threat is imminent, relentless, 
and catastrophic, and it is getting worse. The cyber barbarians 
are stealing our secrets and our technology, they are 
plundering our databases and private information, and they are 
hacking into our critical infrastructure systems.
    The real question is not the threat, but what we do about 
it. I have six points, six suggestions--Winston Churchill would 
say that is five too many, but let me see how many I cover--six 
areas where the Department of Defense and the private sector 
must work in tandem.
    Number one: We must supercharge the public-private 
partnership. With the same urgency that we mobilized the 
industrial base in World War II, we need a public-private 
partnership to attack today's cybersecurity threat so it does 
not become tomorrow's digital Pearl Harbor.
    With the Defense Industrial Base Initiative, DOD has made a 
fine start with its pilot program for bilateral partnerships. 
Now we need to move from limited partnership to full 
partnership. Instead of a bilateral model with a few companies 
we need a bigger tent with more private sector players and 
broader participation. Additionally, full partnership should 
involve a two-way exchange of information before the decisions 
and strategy are cast in concrete.
    Number two: We need more effective information-sharing. If 
we cannot connect the dots our cyber defenses are just another 
Maginot Line begging for a cyber ambush from the rear.
    Too often the public sector gets information that is too 
little, too late, and too classified. For effective 
information-sharing the private sector needs timely data 
exchanges with context and analysis, two-way sharing not a one-
way pipeline, and less classification with greater access.
    Number three: We need clear, firm, and consistent cyber 
standards. Working to inconsistent cyber standards works about 
as well as serving two masters. It just doesn't work very well.
    Multiple inconsistent standards drive industry crazy, and 
it is not just a military versus civilian standard issue. 
Sometimes even the Army, Navy, and Air Force don't agree. 
Getting clear, firm, and synchronized standards would give us 
better cyber defense at a lower cost.
    Number four: We must encourage development of breakthrough 
technologies. The Department of Defense, specifically DARPA 
[Defense Advanced Research Projects Agency], brought us the 
Internet. We need that same big-brain research to deliver 
breakthrough technologies for cybersecurity that can leapfrog 
our cyber enemies, but at a cost we can afford.
    Innovation can be energized in other ways as well, such as 
technology clearinghouses, DARPA prizes, and private 
fellowships. For cybersecurity, the more brains the better.
    Number five: We need to stimulate cyber defense through 
liability safe harbors. Getting sued and penalized is a 
surefire way to shut down information-sharing and technology 
innovation.
    For effective cybersecurity the private sector must share 
information not only with the Department of Defense but also 
its industry partners. To encourage that sharing we need safe 
harbors so that industry partners can meet minimum security 
standards and are not penalized with antitrust suits and other 
sanctions for cooperating.
    Safe harbors can also accelerate innovation, such as we 
have with the SAFETY Act. We need to expand that so it also 
applies to companies in the cyber industry as well.
    Number six: We need to assure due process and dispute 
resolution. In every partnership, partners sometimes disagree. 
In the government contracts business, pulling the plug on a 
government contractor that is connected to the DOD systems is 
effectively a cyber death sentence.
    A private party should not be unplugged when someone else 
is responsible for a security breach. A disputes resolution 
process--perhaps a cyber board of appeal of independent IT 
experts--would allow government to do its job while assuring 
due process for private sector in the event of such disputes.
    As an old Navy guy I am proud to appear before this 
historic committee. We thank you for your leadership on this 
issue and welcome your comments.
    Thank you.
    [The prepared statement of Mr. Bodenheimer can be found in 
the Appendix on page 44.]
    Ms. Sanchez. Thank you so much to the gentleman.
    And now, Dr. Schneider for five minutes or less.

STATEMENT OF DR. FRED B. SCHNEIDER, SAMUEL B. ECKERT PROFESSOR 
  OF COMPUTER SCIENCE, CORNELL UNIVERSITY, COMPUTING RESEARCH 
                          ASSOCIATION

    Dr. Schneider. Thank you for inviting me here to testify. I 
want to focus on cybersecurity research and education. Military 
and civilian computing systems need to tolerate failures and to 
withstand attacks, but they don't. They are not trustworthy. 
And our dependence on these systems is increasing both for 
peace time and war time operations, often with system users 
ignorant of what they depend on and the risks of that 
dependence.
    Moreover, we operate in a reactive mode and we improve 
defenses only after they have been penetrated. We thus prepare 
to fight the last battle rather than the next one. This means 
attackers always win round one.
    We need to move beyond this reactive stance to a proactive 
one. In short, we must build systems whose trustworthiness 
derives from first principles.
    The proactive approach requires having a science base for 
cybersecurity. Since we don't have one we need to develop one. 
But doing that will require making significant investments in 
research and the investments will have to be made on a 
continuing basis, for without continuity few will be inclined 
to make the intellectual commitment necessary to enter the 
field.
    Unfortunately, cybersecurity will never be a solved 
problem. We are not going to find a magic bullet solution. 
Attackers grow evermore sophisticated. The systems themselves 
change as do the deployment settings, bringing new 
opportunities for attack and disruption.
    So what research needs to be done? There have been 19 
studies by federal agencies since 1997 each concerned with that 
question, each offering some kind of cybersecurity research 
agenda. And there is remarkable agreement among them all, so it 
is time to move beyond the list-making phase and embark on 
execution.
    I will offer two observations about the conduct of 
cybersecurity research, though. First, when the work is 
classified it cannot engage many of the country's top 
researchers, it necessarily receives less scrutiny by a diverse 
community of experts, and it will be slow to impact the 
civilian infrastructure on which even the military so depends.
    Second, cybersecurity once was funded by a diverse ecology 
of agencies and instruments--DARPA, MURI [Multidisciplinary 
University Research Initiative], AFOSR [Air Force Office of 
Scientific Research], ONR [Office of Naval Research], ARO [Army 
Research Office], all within DOD, plus NSF [National Science 
Foundation], DHS [Department of Homeland Security], and some 
others. This diversity was valuable because different agencies 
have different needs, goals, cultures, and style.
    But the diversity has been eroding. Getting that restored 
should be a priority, and it would undoubtedly bring better 
value for research dollars spent.
    I earlier made the observation that today's systems are not 
as trustworthy as they need to be. The number of adequately 
trained cybersecurity professionals is obviously a factor here.
    To start, universities need to hire more faculty and to 
teach cybersecurity courses and to expand their programs. 
Significant increases in research funding will promote this.
    In addition, employers need incentives to hire system 
developers who have adequate training in cybersecurity. 
Government policies can help here but they can also cause grave 
damage. Some have advocated a cybersecurity credential for 
system developers as a forcing function.
    The medical profession is a useful point of departure as 
it, too, is concerned with matters of life and death. Here, 
obtaining a credential requires far more than passing an exam. 
It requires years of postgraduate study in which the curriculum 
has been set by the most respected thinkers and practitioners 
in the field.
    Second, credential-holders are required to stay current 
through courses sanctioned by the institution that issues 
credentials. Finally, the threat of legal action, such as 
malpractice litigation against a credential-holder incentivized 
professionals to engage in best practices. Eliminate any of 
these three aspects and I have grave doubts that the--about the 
success of the resulting scheme.
    In closing, let me observe that the armed forces have a 
long and distinguished record of supporting research and 
education in cybersecurity and in systems trustworthiness, but 
our adversaries are now overtaking those early modest 
investments. We must now move from a reactive mode to a 
proactive one, which means creating a science base and 
significantly ramping up our research, and while we need to 
create a workforce that is up to the challenges of today and 
tomorrow, we need to be thoughtful about any policy incentives 
we impose to promote that.
    Thank you.
    [The prepared statement of Dr. Schneider can be found in 
the Appendix on page 72.]
    Ms. Sanchez. Thank you, gentlemen.
    I will remind my colleagues that we are going to work under 
the five-minute rule, and I will begin by asking questions.
    Once again, thank you for being with us.
    Dr. Schneider, you said we need to develop a science basis 
for cybersecurity, and then you spoke about how the medical 
profession trains and takes 10, 12, 15 years sometimes before 
they go out and really do their work. What would you envision 
would be a science-based cybersecurity pod?
    What would it look like? Who would fund it? Would it be at 
some universities? How would we get the cross-pollenization of 
different things going on?
    Dr. Schneider. There is an active research community in 
universities, and I would expect that most of the revolutionary 
ideas would come from that community. By a science base I would 
hope we come up with laws, like physical laws, that are 
independent of technology, independent of specific application 
problems, but that inform all our decisions about how to build 
systems.
    And like we see in the medical profession, there is applied 
research, there are people who develop drugs, and there is 
basic medical science research. And without this basic medical 
science research we don't understand the mechanisms under which 
diseases operate, and therefore we don't have a chance of 
developing palliatives or cures.
    And so really, medical research progresses on two planes. 
There is a basic research that builds a foundation and it 
enables specific research problem--topics to depart and address 
specific diseases, and I would expect that to happen in this 
setting as well.
    Ms. Sanchez. Thank you.
    Gentlemen, we just passed the cybersecurity bill in the 
House maybe about two or three weeks ago, and one of the 
amendments that I put onto it was to make it a little bit 
easier for academia to, in particular, respond and work with us 
at the government level, at the DOD level, to--with respect to 
the security clearances and this type of thing. What do you 
think are the major walls that are in place from having the 
public sector, the working public sector, the people who are 
commercializing some of this--actually doing their own basic 
research most of the time and commercializing, but also taking 
basic research we have and doing things.
    What would you say are some of the barriers to working with 
our Defense Department or other departments of our federal 
government with respect to information-sharing and thought-
sharing, and what would you say it is from the academic 
perspective from our universities and research centers?
    And any of you can answer, or all of you, or----
    Dr. Schneider.
    Dr. Schneider. So, the risk of doing this is it might make 
visible to our adversaries what is working and what is not 
working, and that is primarily the concern about revealing 
classified data to a broader community. On the other hand, it 
seems pretty clear that we overclassify content with respect to 
cybersecurity. And there is a grave risk that academics and 
others who don't have access to this information will solve the 
wrong problem.
    Mr. Bond. Let me add to that if I can. This is one of the 
reasons why we advocated this potential review of Title X to 
look at a number of things through that prism, because in a 
networked world we can bring people and ideas together more 
easily--academics with government, private sector and public 
sector. There are a number of rules, regulations, laws, 
authorities in place built in earlier times for good reasons 
and rationales of the time but which today represent large and 
small obstacles to just that collaboration.
    If I can, with the analogy used earlier to the medical 
research efforts, the difference is you can't really talk to 
the disease or even the particle if it is really, really basic 
kind of physics research you are doing, but in this case we can 
talk to not only leading--leading thinkers and leading 
companies are talking to some of the folks who are engaged in 
this kind of gray world between perpetrators and the rest of 
the world. So there are collaborations and conversations. We 
can learn more about what the adversary is doing, bring that 
through academic and private sector partners so that we get to 
that forward-looking agenda that Dr. Schneider talked about in 
his testimony.
    Ms. Sanchez. Mr. Bodenheimer.
    Mr. Bodenheimer. I would agree that there are, indeed, 
legal barriers to the information-sharing between DOD and the 
private sector. There was a recent report in the U.S. STRATCOM 
[Strategic Command], which identified about 23 different laws 
bearing upon the public-private partnership in information-
sharing. About ten of those have a direct effect upon the 
information-sharing issues.
    We need a dual-pronged approach. One, as Mr. Bond said, we 
do need to look at some of those laws to determine whether 
there needs to be additional authority for DOD to share the 
information with the private sector. In addition, there are 
models for sharing the information, such as in the U.S. 
STRATCOM report, by using a nonprofit organization to receive 
the information and effectively serve as a clearinghouse.
    I also agree with Dr. Schneider that overclassification has 
been an issue. I think that we do need some institutionalized 
methods, such as technology clearinghouses, with restrictions 
on access but still access so that industry and the Department 
of Defense can, in fact, work together.
    Ms. Sanchez. I see that my time is up, and I am going to 
pass on to Mr. Marshall, my colleague from Georgia. Georgia?
    Mr. Marshall. Thank you, Madam Chair. Congratulations on 
heading up the committee.
    You note that there aren't a lot of members present, and it 
is not that we are all over attending the health care summit or 
watching the health care summit. We are certainly busy and we 
tend to focus on things that we think we might, you know, add 
some value to, and that might explain why so few of us are 
here.
    I am a former law professor, you know, reasonably well-
educated. I use computers all the time, and it is very 
difficult for me to follow a lot of--your suggestions actually 
are fairly straightforward and so I can follow the suggestions, 
I just don't have a sense of--enough of a sense of the problem, 
of the structure we currently have that is attempting to 
address this problem, and whether that structure that we 
currently have--those individuals who are currently doing this 
who have expertise I don't come close to having nor will I ever 
have--are the right experts to have. Are they appropriately 
structured? Do they have the appropriate authorities?
    So I have to assume that you all are here because you do 
have some familiarity with how we, the government, are 
currently structured to try and analyze, understand this issue 
and then make recommendations to Congress concerning how we 
should proceed--make recommendations to Congress for how we 
should proceed. I fully accept Secretary Lynn's statement and 
your description of the urgency of this. There is no doubt in 
my mind that this is critically important; I just have no clue 
what direction to go in.
    So with your familiarity with our structure can you tell me 
whether or not you are kind of comfortable with who is there, 
how they are organized, and what they are doing to try and 
tackle these issues that you are addressing today?
    Mr. Bond. Let me take a first stab at your question, which 
I think is a good one and I note the attendance as well, which 
I think tells us in the industry something about our need to be 
better in terms of educating and engaging policymakers on 
this----
    Ms. Sanchez. Mr. Bond.
    Mr. Bond. Yes.
    Ms. Sanchez. I might note for the record that the intel 
authorization is--intelligence authorization bill is up on the 
floor and many of the members who tend to be on this committee 
are interested in some of the matters there, so it could very 
possibly be--yes, and you know, we were shut down for two weeks 
here so everybody is trying to catch up. So it could be a 
matter of the timing as well as a matter of the fact that the 
intel bill is on the floor that we may not see some of the 
people here. But I know everybody is interested in it, and it 
is a very complicated, very difficult issue to get our hands 
around, but it is not because of you three.
    Mr. Marshall. If I could reclaim my time here, it is 
definitely not because of the three of you, but I have been on 
this committee now for a while, and we have had hearings like 
this in the past, and they are typically not very well 
attended. And it is not because we aren't alarmed; it is not 
because we don't worry about this problem. It is because we 
don't really understand it very well.
    And so we are hoping that we are appropriately organized, 
that we have the right people in the government organized 
appropriately to try and listen to folks like you and come up 
with the right suggestions for us, whether it is change the 
law, increase funding here or there, and that is my question: 
Do you feel like we do have those folks in place and that they 
are going to--and who are they, and how are they--are they 
appropriately organized, they are going to make the right 
recommendations?
    Mr. Bond. I think there is an awful lot of talent across 
the government applied against some of these things, and 
indeed, as I tried to point out in my testimony, sometimes too 
much talent.
    So if there are 12 different efforts on the same topic--
that was what is behind our recommendation that the 
administration maybe look at a coordinator to bring those 
together; that was in information assurance. We also have the 
challenge of legal prohibitions on co-locating private sector 
and public sector folks together to work on some problems, and 
this challenge cries out for exactly that kind of thing.
    Mr. Marshall. Okay, so you, having said that, are there--
does Bill Lynn, for example, or the people who are advising him 
concerning these issues, do they agree? Have they made a 
suggestion to us the we modify the law in a certain way that 
would then permit them to do the kind of collaboration that 
they think is advisable and that you have in mind maybe?
    Mr. Bond. On that last specific point, not that we are 
aware of. We have had direct conversations with Secretary 
Napolitano about it from a DHS perspective, so I know that she 
is aware of that, and Phil Reitinger over there has identified 
that as something he would like to address. So those kind of 
discussions are going on, certainly.
    Another one I would mention that is a specific challenge, I 
think, to Capitol Hill is the speed of innovation is so much 
faster than the speed of legislation that issues around budget 
flexibility, the color of money and when that money dies, how 
much flexibility you can have to respond quickly in a fast-
changing technology environment, those would be challenges here 
with that branch of government that has the power of the purse.
    Mr. Bodenheimer. I would like to add to what Mr. Bond said. 
One of the things that we do see is a divided structure within 
DOD and the civilian agencies. One of the things that Congress 
has done well is to bring both from the Senate and the House 
side the staffs together into cyberjams, and it would be great 
to see a model like that, you know, within DOD and the civilian 
side as well.
    We need to bring together the standards that we see on the 
DOD side with those on the civilian side and the IC 
[intelligence community] in a way that we have a single set of 
standards. We need the government--the executive agency 
speaking with a single voice.
    Mr. Marshall. Just to sort of give you an idea of how far 
behind you I am, I--a single set of standards. What does that 
mean? You just want to stop it all, so, I mean, that is how 
basic my--there is a standard of acceptable--there is an 
acceptable level of----
    You don't really need to tell me. I have never going to 
have that kind of expertise. I just want to know that the right 
people are in place doing the right things.
    Dr. Schneider. So, the good news is you have some very good 
people. The bad news is they are not working in a context in 
which they can get the job done. And I am a professional 
computer scientist; I am going to become an amateur 
governmentist and point something out.
    The Defense Department is dependent on lots of stuff that 
is highly vulnerable--the power grid, the communications 
infrastructure in the public sector as well as stuff that they 
operate themselves. There are some obvious things to make this 
better. You could imagine a staged plan where you start 
addressing short-term things, you worry about 10-year-out 
problems, and you worry about investing in research long-term.
    If you go into the Pentagon and look around you will find 
nobody who is doing this, but what is worse is you will not 
find anybody who believes this is his or her job. There is 
nobody who feels it is job number one to create a program and 
to execute on it.
    With the appointment of Howard Schmidt in the White House 
you could argue for the nation at large there has been some 
movement in this direction, but the Defense Department cannot 
depend on the efforts for the nation at large. Your needs are 
slightly different; your needs are more critical, and there 
needs to be somebody there. The people exist but nobody has 
that job.
    Mr. Marshall. Why don't we just go back and forth? There 
are only two of us.
    Okay. My impression jives with what I think I heard from a 
few of you, and that is that the technology that we use for 
most of our systems lags behind a little bit, and I think in 
part it is because of the process that we go through in order 
to develop it, and then the concerns that we have concerning 
changing it. You know, so we change it here, how is it going to 
be compatible there? If we make this change how are we going to 
train people, et cetera?
    And I wonder, is there an accepted mechanism for us to 
evaluate the effective--it would be very helpful if there were 
some way to--an accepted way where, you know--not going to be a 
lot of argument about this--to evaluate the talent and 
productivity of the folks that we have that are developing our 
software?
    We have got a lot of software engineers out there that we 
are relying upon, I guess people who could be working for 
Google or Microsoft or what have you but they happen to be 
working for us on software for UAVs [Unmanned Aerial Vehicles], 
on software for communication, et cetera, in addition to 
cybersecurity stuff. How do we evaluate whether or not they're 
as talented as they need to be and productive as they need to 
be?
    Mr. Bond. Let me take a first stab at that. It strikes at 
some fundamental issues, so I appreciate the question.
    Much of the talent does come through private sector 
partners on a lot of the large projects and there are a number 
of metrics in the--from the very initial stages through 
contract performance and other things. I would take the 
question, if I could, and try to get back to you on how far 
down the chain those go to individual engineers and how much 
transparency there may be there.
    So with your----
    Mr. Marshall. No, no, that would be great.
    Mr. Bond [continuing]. Forbearance we will try to take that 
and get back to you with something.
    [The information referred to can be found in the Appendix 
on page 105.]
    Mr. Marshall. And Dr. Schneider, if you would, I mean, the 
committee staff here is great and they have been really working 
on this issue for some time, and so if you could, if you would 
get back with committee staff on that. And then, Dr. Schneider, 
in your case, your thoughts concerning the absence of a mission 
within the Pentagon, people specifically tasked to these kinds 
of issues, if you could--it may be that it is in your 
testimony. If it is not, if you could share that with us in 
writing that would be very helpful if you could detail that.
    And I am sorry, I interrupted--other thoughts about how we 
evaluate, or, you know, do we have the right talent pool, is it 
appropriately productive?
    Mr. Bodenheimer. One of the things that we need to do is to 
make cyber sexy to the people that are in the software 
business. For example, my nephew is an IT wizard. He has no 
interest in becoming involved in cybersecurity because there 
are so many other opportunities, and I think part of it is a 
marketing job and part of it is a credentialing job to make 
cybersecurity professionals stand out. That would make a 
difference.
    Dr. Schneider. I am curious about your interest in 
evaluating the quality of people since ultimately we really 
want to evaluate the quality of the artifacts they produce. And 
if, for example, we could evaluate the quality of what they 
built--how secure it was--then we would have an easy way to 
determine how good the people who built it are. Certainly when 
you are going to buy a car you read Consumer Reports or 
something and they discuss the car, they don't discuss the 
engineers.
    The bad news is, we don't really have a way to measure 
security. We don't have a way to measure security or return on 
investment from defenses, and this isn't--and this is a hard 
fundamental problem. It is not something we are going to crack 
in the near term. It is something everybody appreciates is a 
big difficulty.
    There is a famous quote that says, ``If you can't measure 
something you really don't understand it,'' and the field is 
well aware of this. And this is a fundamental disconnect.
    And the reason it is a difficult problem is because you 
don't know what to measure it against. You would like to 
measure it against some hypothetical attacker, but as soon as 
you deploy a defense the attacker gets wise and now you don't 
know what to measure it against because the attacker may go in 
any number of directions.
    So this is the sort of problem that has eluded the field 
for some time. This is one of the reasons I have been 
advocating for the kind of science base, because I think that 
is the only hope for getting these measurements. But I think in 
the limit, we really want to be able to evaluate artifacts and 
not evaluate people.
    Mr. Bond. I would, if I could, just quickly observe, too, 
there are a number of private sector-based efforts to measure 
the reliability and kind of fundamental code within software 
programs to increase your understanding of the assurance and 
reliability of that, and I wanted to acknowledge and then agree 
with Dr. Schneider's point, too, that one way of measuring that 
is to look at the overall product, and is it working, and the 
different levels of certification and other things.
    Approaches to information assurance have tended to look at 
it that way: Okay, let us break it down by level of 
sensitivity, and therefore greater certification or greater 
assurance as you climb up that stack. So each would have a 
different metric assigned to it.
    Ms. Sanchez. Gentlemen, what effect does having all these 
former--these legacy systems in the Department of Defense and 
sort of trying to hold on information and bring it forward and 
move on--I mean, this is one of the reasons why we have had at 
least hardware, in particular, sort of encumbered, if you will, 
in the sense of trying to bring forward these legacy systems. 
How does that impede us, or are we at the point where we could 
just do a sort of data dump and move forward into the next 
generation of whatever hardware and software will look like?
    Are we in the process of doing that or are we still--I am 
thinking in particular to the DOD. Are we still encumbered with 
that? And I say that in the very naivest terms because I know, 
you know, if we have a fire in some warehouse where the files 
of our veterans are we could lose--I mean, there have been 
cases where we lose everything we know about them, basically, 
and we have to reconstruct from what they might have on hand. 
How does the legacy issue affect an ability for us, from the 
DOD standpoint, to move forward into this new arena?
    Mr. Bond. I will take a first shot at that: I think that in 
the rapid changing environment that we are in, the information 
age, legacy systems are something that everybody deals with, 
and perhaps government more than many others because 
government, to a large extent, is in the information business 
with its citizens and everything else, so I think that is a 
constant. And large and small companies deal with it every day, 
too. At my association I am sure most of my employees think our 
systems are too old and would like something new and so forth, 
so that is a constant.
    What it takes me back to, though, is the recommendation--
and this is really why we need a panel of some experts to help 
on these large-scale things, because it is like a multilevel 
chess game, you have a lot of things you have to factor in. How 
you are going to move information from the legacy systems, how 
much of those are interoperable? Is the new system going to be 
backward-compatible as you look at the next challenge and next 
generation?
    These are exactly the kinds of things that private sector 
companies are dealing with all the time and could help the 
agency deal with, but I think to best assist that would be kind 
of an expert panel that can help on these, because these are 
very large, complex systems, old and new, that the Department 
needs to keep that warfighter at the very front on the edge.
    Mr. Bodenheimer. Let me address that from an acquisition 
standpoint. Many of these systems are in the process of being 
replaced through various ERP [Enterprise Resource Planning] 
procurements within the Department of Defense, you know, 
replacing the stovepipe systems and the legacy systems.
    I think one of the most important things we can do is make 
sure that the contracts for replacing those old systems include 
the requirements for information assurance and information 
security in them. And in addition, I think that we need to take 
a hard look to determine whether the existing DOD standards--
for example, the defense information assurance certification 
and accreditation program, DIACAP--is the right standard, is a 
sufficient minimum standard for applying to updating these 
legacy systems.
    Dr. Schneider. New systems are more secure than old 
systems, but if you read the newspapers the front page is about 
attacks against new systems. I don't believe that moving to 
today's new systems is going to appreciably change how 
vulnerable DOD is to cyber attacks.
    I think the only way to change things is to build systems 
differently, and that requires a different force field, whether 
it is economic policy, legislative, that changes the equation 
about how people are prepared to make investments when they 
build the system, whether they are prepared to spend more time 
testing the system, whether they are prepared to sacrifice 
complexity, because complexity gives attackers an edge. But 
just upgrading our systems to the latest is not going to 
appreciably change the vulnerability of DOD systems.
    Mr. Marshall. I am certain that software engineers, as they 
develop products, have security in mind as they do so. How 
could you not? I mean, it is just sort of--it is all around you 
and your packages, your product is not going to be as 
attractive in handling--you are not going to--it won't be as 
attractive to the market, if the market is something that wants 
security, if you can't somehow establish the security.
    Within the private sector when large software packages are 
being developed does the company go so far as to actually have 
red teams that are trying to figure out ways to attack the 
product, to destroy the product, to--you know, what are the--it 
is not just relying on the software engineer who is designing 
the product to come up with security that is adequate, but 
actually trying to attack it. Do we have that?
    I guess, Dr. Schneider, if we don't have anybody within DOD 
that is really specifically charged with the responsibility of 
worrying about these security issues we probably don't have red 
teams that are actually out there trying to penetrate or 
systems.
    Dr. Schneider. No, actually DOD has some of the finest red 
teams in the world. What we don't have in DOD is somebody who 
is worried about the road map and making investments and 
executing on a plan to move the field and move DOD forward so 
that DOD is less vulnerable to all of the attacks that exist 
today----
    Mr. Marshall. Well, if we have got the best red team in the 
world we are obviously concerned about cybersecurities, and yet 
we are not appropriately structured because we are not--we 
don't have the right mindset or the right division of 
responsibilities, or our attention isn't drawn to this 
adequately as we develop systems? Is that what you are saying?
    Dr. Schneider. Yes, sir.
    Mr. Marshall. And yet, here we are. It is national 
security. We know cybersecurity is an issue. It is hard for me 
to believe that we wouldn't have cybersecurity in mind as we 
develop our software products.
    Dr. Schneider. Yes, sir. It is very disturbing.
    Mr. Marshall. So you have made the statement that, in fact, 
we have this lack. How do you, you know--because frankly, if 
the chairlady here was convinced there was such a lacking this 
committee would be moving forward with whatever needs to be 
done in order to make sure that that gets fixed. So would DOD 
agree?
    If we went to the folks in DOD who are principally 
responsible for this at maybe the undersecretary level and we 
said, ``Geez, you know, Dr. Schneider says we are not 
structured appropriately. We don't have the right mindset. The 
products that we are producing are inadequate because of this 
failing.'' Would they say, ``Yes, that is true''?
    Dr. Schneider. I couldn't put words in their mouth, but I 
believe there are people who see it this way, yes.
    Mr. Bond. If I can, I probably see it a little bit 
differently. I do think DOD is moving exactly that direction 
with the Cyber Command. There is a senior official in charge of 
information assurance, which goes to the supply chains and so 
forth. And I think in recent years, to your basic point, that 
there has been a greater emphasis and understanding of the need 
to build security into software even though companies certainly 
test, because their reputation and their brand is going to be 
at risk and can be--somebody can choose another product with 
the click of a mouse.
    But that said, there is much greater awareness just in the 
last few years, nationally and throughout the software 
community--the entire high tech community--to put more 
attention and effort into building security in from the very 
beginning so that it is not just patches and things you bolt on 
the edge of your network or onto the software, but you build it 
in from the very beginning. And so that should continue to 
increase because the risk and importance is only growing, but I 
do observe that in the last few years I think both the private 
sector and DOD and the public sector generally have been moving 
in that direction.
    Ms. Sanchez. And I think that we have seen that, in 
particular working on the homeland side, with respect to the 
civilian side of the federal government. We certainly have seen 
a bigger impetus to--a momentum to try to get that done, and 
obviously also coming out of the White House and their 
cybersecurity czar.
    Did you have a comment----
    Mr. Bodenheimer. Yes, Chairwoman. One of the things that I 
think DOD would agree upon is we do need the regulations--the 
acquisition regulations--out in public with comment and 
discussions. This is one area that the Department of Defense 
has shown leadership. They have prepared a set of acquisition 
regulations specifically addressing the information security 
issues. That puts DOD ahead of a number of other agencies which 
have not issued those regulations.
    I think it would be a great thing to get those regulations 
through OMB and out into the public so we can comment and get 
those regulations improved and as good as they can be. It would 
then provide a gold standard for other agencies to use that as 
a model for acquisition.
    Ms. Sanchez. Let me ask you, what is the role of the 
Defense Security Service in working with industry to secure 
industry unclassified networks? Do they have a role in any of 
this?
    Mr. Bond. If I can----
    Ms. Sanchez. Mr. Bond.
    Mr. Bond [continuing]. I would just volunteer to get you 
more detailed input from some of our member companies----
    Ms. Sanchez. That would be great.
    Mr. Bond [continuing]. On exactly their perspective and 
what they would have the chair know about that.
    Ms. Sanchez. I would like to see that. Great.
    Do you have any more questions, Mr.----
    Mr. Marshall. Yes, I do.
    Mr. Bond, were you the one that suggested Reserve 
officers--Reserve--has that proposal been kicked around with 
DOD?
    Mr. Bond. This is something that arose out of a 
conversation between CEOs and chief information security 
officers out in Silicon Valley with Secretary Napolitano where 
she talked about her--the challenge that agency has in getting 
enough skilled professionals in to meet the cybersecurity needs 
of DHS and the palpable frustration of everybody else around 
the table that they want to help defend their country and they 
feel like they can't. They want to give executives to the 
government for a short period of time; they want to supplement 
their salary or do whatever they can to try to help defend 
their country and they feel like they can't.
    And so we began to look and talk to others in government 
about models that might already exist that would be a good 
framework that policymakers could quickly understand and the 
reservist model suggested to us seems to be one that everybody 
can understand quickly and say, ``Okay, great. You keep your 
civilian job, you get to supplement the government salary, and 
you get to come back to your civilian job. But in the meantime, 
go help defend your country.''
    Ms. Sanchez. And it sounds like a great idea. We ran into 
this on Homeland, actually, having been on Homeland since the 
inception of that committee, in just trying to fill the 
cybersecurity czar position over there in the Homeland 
Department. I would--and I am estimating--but having lived 
through it I would guess that 50 percent of the time that 
position was vacant, and that the other 50 percent of the 
time--I am talking about the first 5 years' worth--I believe we 
had six czars, and that the median stay of that--those czars 
might have been 6 or 7 months.
    And the biggest problem we found was how do we pay them for 
what they are worth to come over and do that? And in fact, we 
had one of them who was supplemented, I believe through a 
university, maybe MIT [Massachusetts Institute of Technology] 
or one of the others that was a Northeastern University.
    And there was a total outcry when the newspapers came out 
with the fact that they were funded by the university and only 
taking the $160K, or whatever, that we were paying the czar but 
had a total compensation package of $400 because--$400,000 
because they were being subsidized by some university who, by 
the way, the deanship of that university or the flagship of 
that university was a private company. And therefore wasn't it 
amazing that this czar guy was considering that the best stuff 
was coming from, oh, by the way, the company that was funding 
the university's program that was basically funding--you know, 
I mean, you can imagine the iterations of what we went through 
with this.
    So the answer is, the reservist model is a new thing for me 
to think about, but it is very difficult to figure out how we 
do that--and that is one of the things we have to think through 
if we do take a look at that--because, without naming names but 
more or less my--what I remember of the situation was people 
didn't stay very long because they weren't paid. If they were 
paid from the outside it was a problem.
    These people came, they stayed for a while. What did they 
do when they left? They came back and they were the contractors 
to the Homeland Department to bring in, you know, other 
people's goods trying to sell us. So it is a very--it is a very 
slippery slope on how we get people to come in and give us good 
information, do the patriotic thing to their country, and at 
the same time not be partial to whatever it is their company is 
selling.
    Mr. Bond. Couldn't agree more on exactly some of the 
challenges. I think one of the things that appeals to many of 
the executives involved about the reservist model is that it 
could be more widespread, so it is not about what any one 
individual and how they are gaming the system. The American 
people understand the reservist concept as well, and it could 
be a range of talent, too--it might be mid-level; it might be 
senior level folks for a while--but could be a range, and that 
therefore maybe that might be enough to get over some of those 
obstacles you identified.
    I guess it does, in my mind, two other things: One, it 
underscores that this really is urgency. This is about national 
security and if we are serious about it then we should bring 
more people and talent to bear on it. And it goes to a point 
that was raised earlier about making cybersecurity a little bit 
sexy, you know, that no matter where you work in the industry 
you can spend some time helping defend your country might be 
very appealing.
    Ms. Sanchez. Thank you.
    Mr. Marshall. Could I ask----
    Ms. Sanchez. I will allow one more question.
    Mr. Marshall. Pardon me?
    Ms. Sanchez. I will allow you one more question.
    Mr. Marshall. You are all familiar with how software 
programmers and others--you know, mid-level and higher level--
the reservists typically come in for a brief period, leave for 
a brief period. How long do you think they would have to come 
in in order to be effective?
    Mr. Bond. Well, I----
    Mr. Marshall. On average.
    Mr. Bond. This is----
    Mr. Marshall. Too much in the weeds?
    Mr. Bond. Well, no. I just think the answer would vary. I 
think just, you know, there might be longer tours of duty, 
there might be particular talents that you want to bring in, a 
shorter term on a project. So I think it probably would vary.
    But also it is very much something notionally that some 
leaders in the space have talked about and have not had the 
benefit of enough thought and research yet to be a full-bodied 
proposal to you. But I think it does underscore how much the 
industry wants to help and how frustrated that they are.
    Mr. Marshall. You know, it would be great--if you are 
representing 1,200 companies you obviously have resources. I 
think it would be wonderful if you could pull some folks 
together and explore this with some detail and get it to us, 
get it to DOD, you know, get it to whoever. And I think the 
chair listed some of the concerns that we would have; no doubt 
there are others out there as well. But the potential seems 
fairly obvious to me.
    Dr. Schneider, I hear you when you say we should be looking 
at the quality of the product. I did mention productivity as 
well as talent, and in this arena, just like many others, 
obviously the talent of the workforce has a lot to say or to--a 
major effect on the quality of the product that you wind up 
getting, let alone productivity.
    And so I hear Mr. Bond saying, and I think all of you would 
agree, that, you know, to the extent that we can organize 
ourselves in a way that brings to the table the best talent 
that the country has to offer to try to tackle this problem 
that affects both national security and--at a public level and 
a private level--then we ought to be doing that if there is a 
way to do that.
    And I don't have to--I will never be an expert in this 
area, and I don't have to be an expert in this area in order to 
understand that we need to fund it, and if the right people are 
in place giving us advice concerning how to go about funding it 
then we will do it.
    Mr. Bond. Well, I will commit to you that we will get back 
to you. Next week in San Francisco is the world's largest 
cybersecurity trade show. We will have a number of the CEOs who 
are affiliated with our association meeting at that and I will 
convey your message to them and we will get back to you with 
some thoughts.
    Mr. Marshall. Thank you.
    Ms. Sanchez. Gentlemen, thank you so much for being before 
our committee. As is the usual course of business, members will 
have some--a few days to ask some additional questions in 
writing and put them to you. We hope that you would answer them 
fairly quickly for our committee.
    And with no other questions out there we will close the 
committee. Adjourned.
    [Whereupon, at 3:09 p.m., the subcommittee was adjourned.]
     
=======================================================================

                            A P P E N D I X

                      Thursday, February 25, 2010

=======================================================================

              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                      Thursday, February 25, 2010

=======================================================================
      

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
      
=======================================================================

              WITNESS RESPONSES TO QUESTIONS ASKED DURING

                              THE HEARING

                      Thursday, February 25, 2010

=======================================================================

             RESPONSE TO QUESTION SUBMITTED BY MR. MARSHALL

    Mr. Bond.

 
                                                                Federal  Avg.    Private Sector
                                                                 Annual  Wage     Avg. Annual          Wage
                                                                    (2008)        Wage (2008)      Differential
 
Computer Systems Design and Related Services                          $53,355          $88,698              66%
Engineering Services                                                  $76,732          $79,363               3%
Research and Development in Physical, Engineering, and Life           $89,732          $97,709               9%
 Sciences
 


Source: Bureau of Labor Statistics, QCEW Database.

EDUCATION

    For-profit firms are the largest employer of individuals with 
science and engineering degrees.

     For-profit firms employ 47% of individuals whose highest degree is 
in science and engineering, compared to 13% employed by the government. 
(The rest are employed by colleges/universities, nonprofits, or are 
self-employed)
     For-profit firms employ 28% of individuals with science and 
engineering doctorates, compared to 9% employed by the government. (The 
largest employers here are 4 year colleges and universities which 
account for 42%.)

Source: National Science Board. 2010. Science and Engineering 
Indicators 2010. Arlington, VA: National Science Foundation. P. 3-24. 
[See page 13.]

                                  
