[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
     CYBERSECURITY: DHS' ROLE, FEDERAL EFFORTS, AND NATIONAL POLICY

=======================================================================

                                HEARING

                               before the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 16, 2010

                               __________

                           Serial No. 111-71

                               __________

       Printed for the use of the Committee on Homeland Security

                                     

[GRAPHIC] [TIFF OMITTED] TONGRESS.#13


                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________

                  U.S. GOVERNMENT PRINTING OFFICE
64-697                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California          Peter T. King, New York
Jane Harman, California              Lamar Smith, Texas
Peter A. DeFazio, Oregon             Daniel E. Lungren, California
Eleanor Holmes Norton, District of   Mike Rogers, Alabama
    Columbia                         Michael T. McCaul, Texas
Zoe Lofgren, California              Charles W. Dent, Pennsylvania
Sheila Jackson Lee, Texas            Gus M. Bilirakis, Florida
Henry Cuellar, Texas                 Paul C. Broun, Georgia
Christopher P. Carney, Pennsylvania  Candice S. Miller, Michigan
Yvette D. Clarke, New York           Pete Olson, Texas
Laura Richardson, California         Anh ``Joseph'' Cao, Louisiana
Ann Kirkpatrick, Arizona             Steve Austria, Ohio
Bill Pascrell, Jr., New Jersey       Tom Graves, Georgia
Emanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Dina Titus, Nevada
William L. Owens, New York
Vacancy
Vacancy
                    I. Lanier Avant, Staff Director
                     Rosaline Cohen, Chief Counsel
                     Michael Twinchek, Chief Clerk
                Robert O'Connor, Minority Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Peter T. King, a Representative in Congress From 
  the State of New York, and Ranking Member, Committee on 
  Homeland Security..............................................     2
The Honorable Laura Richardson, a Representative in Congress From 
  the State of California:
  Prepared Statement.............................................     3

                               Witnesses

Mr. Gregory Schaffer, Assistant Secretary, Cybersecurity and 
  Communications, Department of Homeland Security:
  Oral Statement.................................................     5
  Prepared Statement.............................................     6
Mr. Richard L. Skinner, Inspector General, Department of Homeland 
  Security:
  Oral Statement.................................................    13
  Prepared Statement.............................................    14
Mr. Gregory C. Wilshusen, Director, Information Technology, 
  Government Accountability Office:
  Oral Statement.................................................    20
  Prepared Statement.............................................    21
Mr. Stewart A. Baker, Partner, Steptoe & Johnson, LLP:
  Oral Statement.................................................    27
  Prepared Statement.............................................    28

                                Appendix

Questions From Chairman Bennie G. Thompson of Mississippi........    57


     CYBERSECURITY: DHS' ROLE, FEDERAL EFFORTS, AND NATIONAL POLICY

                              ----------                              


                        Wednesday, June 16, 2010

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to call, at 10:00 a.m., in Room 
311, Cannon House Office Building, Hon. Bennie G. Thompson 
[Chairman of the committee] presiding.
    Present: Representatives Thompson, Harman, Lofgren, Jackson 
Lee, Cuellar, Clarke, Richardson, Kirkpatrick, Cleaver, Green, 
Himes, King, Smith, Lungren, McCaul, and Dent.
    Chairman Thompson. The Committee on Homeland Security will 
come to order. The committee is meeting today to receive 
testimony on ``Cybersecurity: DHS's Role, Federal Efforts, and 
National Policy.'' I want to thank the witnesses for appearing 
here today.
    Today's hearing entitled ``Cybersecurity: DHS's Role, 
Federal Efforts, and National Policy'' will examine the 
Department of Homeland Security's efforts to secure cyberspace. 
Since 1997, GAO has designated information security as a high-
risk area in the Federal Government. Ten years later, 
information security is still high risk. Some would say that it 
is the difficulty of this task that keeps us from achieving it, 
but I know that few things worth doing are easy. Security of 
the Federal Government's network from a wide array of cyber 
attackers is not easy, but few tasks are more necessary.
    According to GAO, the cybersecurity incidents reported by 
Federal agencies have increased 400 percent in the last 4 
years, from 5,503 incidents in fiscal year 2006 to about 30,000 
incidents in fiscal year 2009. Whether military or 
intelligence-gathering operations of foreign nations, domestic 
or international terrorist groups, lone wolf, hate-driven 
individuals, common criminals or thrill-seeking hackers, those 
attempting to infiltrate and export this country's computer 
networks are both numerous and determined. But they will not 
win if we match their determination with our resolve and defeat 
their abundance with our expertise.
    As the lead agency for cybersecurity in a Federal civilian 
agency, the Department of Homeland Security is responsible for 
guiding and directing the Federal efforts to defeat this 
multifaceted cyber enemy.
    So my question today is: Does the Department have what it 
needs to win the war? US-CERT, the office within the Department 
that is charged with leading our cyber defense effort, has 
significant deficiencies. It does not have sufficient staff to 
analyze security information. It cannot develop internal 
capacity because contractors outnumber Federal employees by 3 
to 1. It has not developed leadership consistency because US-
CERT has had four directors in 5 years. Given these 
administrative failures, it should come as no surprise that 
day-to-day operations may suffer.
    According to the President's National Security Strategy 
released this month, Federal cyber networks must be secure, 
trustworthy, and resilient. DHS must be a major actor in this 
Nation's effort to secure the Federal computer networks.
    In addition to the Federal Government, DHS must reach out 
to State, local, and Tribal governments as well as the private 
sector to assure the protection and resiliency of our cyber 
infrastructure. But none of this can occur without adequate 
staffing, planning, and funding. Today we must pledge to become 
as committed to secure our networks as our enemies are 
committed to breach them.
    Again, I want to thank our witnesses for agreeing to attend 
and testify today, and I look forward to that testimony.
    [The statement of Chairman Thompson follows:]

           Prepared Statement of Chairman Bennie G. Thompson
                             June 16, 2010

    Today's hearing, entitled ``Cybersecurity: DHS' Role, Federal 
Efforts, and National Policy'' will examine the Department of Homeland 
Security's efforts to secure cyberspace. Since 1997, GAO has designated 
information security as a high-risk area in the Federal Government. Ten 
years later, information security is still high-risk.
    Some would say that it is the difficulty of this task that keeps us 
from achieving it. But I know that few things worth doing are easy. 
Securing the Federal Government's networks from a wide array of cyber 
attackers is not easy. But few tasks are more necessary.
    According to GAO, the cybersecurity incidents reported by Federal 
agencies have increased 400 percent in the last 4 years. From 5,503 
incidents in fiscal year 2006 to about 30,000 incidents in fiscal year 
2009. Whether the military or intelligence-gathering operations of 
foreign nations; domestic or international terrorist groups; lone wolf 
hate-driven individuals; common criminals, or thrill-seeking hackers, 
those attempting to infiltrate and exploit this country's computer 
networks are both numerous and determined.
    But they will not win if we match their determination with our 
resolve and defeat their abundance with our expertise. As the lead 
agency for cybersecurity in Federal civilian agencies, the Department 
of Homeland security is responsible for guiding and directing the 
Federal efforts to defeat this multi-faceted cyber enemy. So my 
question today is: Does the Department have what it needs to win this 
war?
    US-CERT--the office within the Department that is charged with 
leading our cyber defense efforts has significant deficiencies. It does 
not have sufficient staff to analyze security information. It cannot 
develop internal capacity because contractors outnumber Federal 
employees by about 3 to 1. It has not developed leadership consistency 
because US-CERT has had four directors in 5 years. Given these 
administrative failings, it should come as no surprise that day-to-day 
operations may suffer.
    According to the President's National Security Strategy released 
last month, Federal cyber networks must be ``secure, trustworthy, and 
resilient.''
    DHS must be a major actor in this Nation's efforts to secure the 
Federal computer networks. In addition to the Federal Government, DHS 
must reach out to State, local, and Tribal governments as well as the 
private sector to assure the protection and resiliency of our cyber 
infrastructure. But none of this can occur without adequate staffing, 
planning, and funding. Today, we must pledge to become as committed to 
secure our networks as our enemies are committed to breach them.

    Chairman Thompson. The Chairman now recognizes the Ranking 
Member of the full committee, the gentleman from New York, Mr. 
King, for an opening statement.
    Mr. King. Thank you, Mr. Chairman. Thank you for holding 
this hearing, which the Republican Members requested several 
months ago, to address the serious and growing threat of cyber 
attacks on our Government and private sector networks. I would 
like to thank all of the witnesses appearing today and 
especially welcome back Stewart Baker. It is great to see him 
and to thank him for his terrific service for the Department of 
Homeland Security. Great to see you, Stu.
    We requested this hearing because cyber attacks have risen 
to epidemic levels in the United States and are increasing. 
Critical intellectual property is regularly stolen and fraud is 
rampant. As stated in the National Security Strategy, quote, 
cybersecurity threats represent one of the most serious, 
National security, public safety, and economic challenges we 
face as a Nation. The Deputy Assistant of the FBI's Cyber 
Division has said that cyber attackers pose a threat to the 
existence of the United States as we know it.
    General Alexander, recently appointed head of the U.S. 
Cyber Command, noted that cyber threats are evolving from data 
theft and temporary disruption to sabotage, which give the 
United States pause for concern. The former DNI, Mike 
McConnell, stated, if the Nation went to war today in a cyber 
war, we would lose.
    The United States needs a robust plan for migrating cyber 
threats, yet the Federal response remains fragmented. The 
United States needs to move forward with continuous monitoring 
of Federal network traffic for malicious activity so that we 
can increase situational awareness and fight cyber attacks in 
real time. The cyber threat must be anticipated and not 
addressed after the fact.
    I would note that Chairman Lieberman and Senator Collins 
recently took a major step forward in coordinating and 
clarifying Federal policy when they introduced the Protecting 
Cyberspace As a National Asset Act of 2010. In a very positive 
step, the Lieberman-Collins bill codifies the role of the 
Department of Homeland Security as the lead agency to 
coordinate the protection of Federal systems against cyber 
attacks and to coordinate with the private sector on the 
protection of critical information infrastructure.
    The bill also empowered DHS with the enforcement authority 
necessary to carry out its mission. That lack of adequate 
departmental authority was prominently raised in the Inspector 
General's report that was released today, and this committee 
should work quickly to address that serious deficiency.
    I strongly support the legislation introduced by Chairman 
Lieberman and Senator Collins, and I look forward to working 
with my House colleagues to introduce companion legislation 
promptly.
    I thank the Chairman and I yield back the balance of my 
time.
    Chairman Thompson. Other Members of the committee are 
reminded that under committee rules opening statements may be 
submitted for the record.
    [The statement of Hon. Richardson follows:]

            Prepared Statement of Honorable Laura Richardson
                             June 16, 2010

    Mr. Chairman, thank you for convening this hearing today on the 
Department of Homeland Security's efforts to secure cyberspace. I thank 
our distinguished panel of witnesses for appearing before us today to 
share with us the work they are doing on this issue and their 
recommendations for what else needs to be done.
    The National cybersecurity effort is a top Presidential priority. 
It was not until 2008 that the Bush administration sought to reevaluate 
the Federal mission in cyberspace, so I am pleased that this reform 
effort is one of President Obama's main concerns. Our Government and 
the Congress is years late in coming up with a comprehensive security 
effort for cyberspace, as cybersecurity threats represent one of the 
most serious National security, public safety, and economic challenges 
faced by this Nation. A complete cybersecurity policy and plan is a key 
component of keeping our homeland safe, so I am pleased that today this 
committee will get a chance to delve into the issues surrounding this 
policy.
    As the Government and the private sector rely more and more on 
computers and digitized information in our everyday life, we also face 
more and more risks on that front. For example, in the Federal sector, 
many kinds of information may present an appealing target including 
National security information, taxpayer data, Social Security records, 
medical records and proprietary data. Just this past week, a 
cybersecurity sweep at Penn State University, a State university, found 
the Social Security numbers of 25,000 individuals may have been exposed 
to a security breach because of infected computers.
    It concerns me that in the fiscal year 2009 Government 
Accountability Office (GAO) performance and accountability reports, 21 
of 24 major Federal agencies noted that inadequate information system 
controls over their financial systems and information were either a 
material weakness or a significant deficiency. There were numerous 
reasons cited for this inadequacy, including lack of awareness, 
understanding, and interest of technical and policy issues in Executive 
and Legislative branches. If we do not make cybersecurity a priority, 
our security will continue to be in jeopardy.
    I realize that addressing this problem has been a difficult 
challenge for the Department of Homeland Security due to the number of 
agencies involved, funding levels, and need for direction. However, 
this hearing is an excellent opportunity to examine what Congress can 
do to further DHS's efforts in this area. I look forward to the 
testimony of our distinguished panel of witnesses as to where 
improvements need to be made.
    Thank you again, Mr. Chairman, for convening this hearing. I yield 
back the balance of my time.

    Chairman Thompson. I welcome our witnesses today. We will 
have only one panel of witnesses.
    Our first witness is Mr. Greg Schaffer, the Assistant 
Secretary for Cybersecurity and Communications. Mr. Schaffer 
oversees, among other things, the operations of the National 
Cybersecurity Division, which includes the United States 
Computer Emergency Readiness Team, US-CERT. Welcome, Mr. 
Schaffer.
    Our second witness, no stranger to this committee, Mr. 
Richard Skinner, the Department of Homeland Security Inspector 
General. As Inspector General, Mr. Skinner is responsible for 
overseeing audits, investigations, and inspections relating to 
the programs and operations of the Department. Welcome, Mr. 
Skinner.
    Our third witness is Mr. Greg Wilshusen, Director of 
Information of Security Issues at the Government Accountability 
Office. GAO serves as the principal and trusted investigative 
arm of Congress. GAO has performed dozens of engagements on the 
topic of cybersecurity, many of them at the request of this 
committee. Welcome, Mr. Wilshusen.
    Our final witness, no stranger to this committee either, 
Mr. Stewart Baker. Mr. Baker is former Assistant Secretary for 
Policy at the Department of Homeland Security. He is currently 
a partner in Steptoe & Johnson, LLP, as well as an author of a 
recently released text on matters of interest. Welcome.
    We thank our witnesses for being here today. Without 
objection, the witnesses' full statement will be inserted in 
the record. I now recognize Assistant Secretary Schaffer to 
summarize his statement for 5 minutes.

      STATEMENT OF GREGORY SCHAFFER, ASSISTANT SECRETARY, 
   CYBERSECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Schaffer. Chairman Thompson, Ranking Member King, and 
distinguished Members of the committee, it is a pleasure to 
appear before you today to discuss the Department of Homeland 
Security cybersecurity mission. I will provide an update on our 
efforts to better secure the systems and networks of the 
Federal Executive branch and of the critical infrastructure 
while strengthening our public-private partnerships. The 
President has clearly laid out DHS's roles and responsibilities 
for protecting Nationally critical civilian networks. DHS has 
the lead to secure Federal civilian systems, sometimes 
described as the dot-gov domain. DHS works with critical 
infrastructure and key resources owners and operators to 
bolster their cybersecurity preparedness, risk mitigation, and 
infinite response capabilities.
    At the Department, we have focused our efforts on enhancing 
the cybersecurity posture of the Nation by improving our 
capacity to prevent, identify, respond to, and recover from 
cyber threats, which are becoming more targeted, more 
sophisticated, and more numerous.
    The administration's focus on addressing these threats is 
clear. Consistent with the President's cyberspace policy 
review, the Department has a number of foundational and 
forward-looking efforts underway to reduce cyber risk. 
Elevating these cyber risk reduction efforts, the Department's 
Quadrennial Homeland Security Review made cybersecurity one of 
the Department's top five mission areas. The QHSR details two 
overarching goals for cybersecurity: To help create a safe, 
secure, and resilient cyber environment and to promote 
cybersecurity knowledge and innovation. DHS's work towards 
these goals is carried out largely within the Office of 
Cybersecurity and Communications, which I lead, a component of 
the National Protection and Programs Directorate with 
significant contributions being made by other DHS offices.
    I would like to highlight a few of the key programs today. 
First, the Trusted Internet Connection Initiative is working to 
reduce and consolidate external access points across the 
Federal enterprise, manage security requirements, and ensure 
compliance with program policies. This will help create an 
efficient and manageable frontline of defense for Federal 
Executive branch civilian networks.
    Second, the Department is deploying EINSTEIN 2 to these TIC 
locations to monitor incoming and outgoing traffic for 
malicious activity. EINSTEIN 2 is currently deployed and 
operational at 11 of 19 planned departments and agencies. The 
EINSTEIN 2 system is already providing us with, on average, 
visibility into more than 278,000 indicators of potential 
malicious activity a month.
    Additionally, DHS is building upon the enhanced situational 
awareness that EINSTEIN 2 provides. We are working with the 
private sector, the National Security Agency, and a wide range 
of other Federal partners to test the technology for the third 
phase of EINSTEIN, an intrusion prevention system which will 
provide DHS with the capability to automatically detect 
malicious activity and disable attempted intrusions before harm 
can be done to our critical networks and systems.
    Furthermore, CS&C is implementing a defense in depth 
approach to cybersecurity. We are doing this through 
complementary efforts, including initiatives such as the OMB's 
new FISMA reporting requirements, shifting away from paper 
compliance and towards implementing solutions that actually 
improve cybersecurity. DHS will provide operational support to 
agencies by monitoring and reporting progress to ensure the new 
OMB guidance is effectively implemented.
    Another aspect of defense in depth is the protection of 
critical infrastructure and key resources from cyber threats. 
As part of this effort, the DHS Control System Security Program 
works to protect critical infrastructure by providing 
expertise, tools, and leadership to the owners of control 
systems. DHS has trained more than 14,000 control system 
operators and has assisted in vulnerability assessments 
throughout the country. Additionally, our Industrial Control 
Systems Cyber Emergency Response Team, the ICS-CERT provides 
on-site support for incident response.
    As we move forward, public-private cooperation is growing 
ever more important. We are developing a National cyber 
incident response plan that will define cyber incident roles 
and responsibilities and will provide all levels of Government 
and the private sector with a better understanding of how to 
respond to a cyber event during a crisis.
    It is important to note that continued success is reliant 
upon increasing the numbers of dedicated and skilled people at 
the Department. To this end, the National Cybersecurity 
Division tripled its Federal workforce from 35 to 118 in fiscal 
year 2009 and we hope to more than double that number to 260 in 
fiscal year 2010. Over the past year since I took office, my 
staff and I have worked closely with the GAO, the Inspector 
General, and this committee to improve organizational 
efficiencies and implement recommendations in line with 
Departmental priorities and our overarching approach to 
cybersecurity. To this end, I think both GAO and the Inspector 
General will agree that much progress has been made.
    I would like to thank the committee for the strong support 
you have provided to the Department and thank you for this 
opportunity to testify, and I would be happy to answer any 
questions that you may have.
    [The statement of Mr. Schaffer follows:]

                 Prepared Statement of Gregory Schaffer
                             June 16, 2010

                              INTRODUCTION

    Mr. Chairman, Ranking Member King, and distinguished Members of the 
committee, it is a pleasure to appear before you today to discuss the 
Department of Homeland Security's (DHS) cybersecurity mission. I will 
provide an update on our efforts to better solidify the Federal 
Executive branch civilian networks and systems, critical 
infrastructure, and our public-private partnerships. At the Department, 
our efforts are focused on enhancing the cybersecurity posture of the 
Nation by improving our capacity to prevent, identify, respond to, and 
recover from cyber threats.
    As a nation, it is essential that we are aware of, and focused on, 
the cyber threat. Just as important, the Government must be able to 
move quickly and purposefully to address cyber threats as malicious 
actors rapidly change techniques, technology, and tradecraft. As you 
know, Mr. Chairman, threats are becoming more targeted, more 
sophisticated, and more numerous.

             OVERVIEW OF DHS CYBERSECURITY RESPONSIBILITIES

    DHS is responsible for helping Federal Executive branch civilian 
departments and agencies to secure their unclassified networks, often 
called the dot-gov domain. DHS also works closely with partners across 
Government and in industry assisting them with the protection of 
private sector critical infrastructure networks. The Department has a 
number of foundational and forward-looking efforts under way, many of 
which stem from the Comprehensive National Cybersecurity Initiative 
(CNCI).
    The President has described our networks, as ``strategic National 
assets'' and called the growing number of attacks on these networks 
``one of the most serious economic and National security threats our 
Nation faces.'' The President has also clearly laid out the roles and 
responsibilities for protecting Nationally critical civilian networks:
   DHS has the lead to secure Federal civilian systems, 
        sometimes described as the dot-gov domain.
   DHS works with critical infrastructure and key resources 
        (CIKR) owners and operators--whether private sector, State, or 
        municipality-owned--to bolster their cyber security 
        preparedness, risk mitigation, and incident response 
        capabilities, in coordination with other Federal Sector-
        Specific Agencies as appropriate.
    The CNCI comprises a number of mutually reinforcing initiatives 
with the following major goals designed to help secure the United 
States in cyberspace:
   Establish a front line of defense against today's immediate 
        threats by creating or enhancing shared situational awareness 
        of network vulnerabilities, threats, and events within the 
        Federal Government--and ultimately with State, local, and 
        Tribal governments and private sector partners--and the ability 
        to act quickly to reduce current vulnerabilities and prevent 
        intrusions.
   Defend against the full spectrum of threats by enhancing 
        U.S. counterintelligence capabilities and increasing the 
        security of the supply chain for key information technologies.
   Strengthen the future cybersecurity environment by expanding 
        cyber education; coordinating and redirecting research and 
        development efforts across the Federal Government; and working 
        to define and develop strategies to deter hostile or malicious 
        activity in cyberspace.
    DHS plays a key role in many of the activities supporting these 
goals and works closely with our Federal partners to secure our 
critical information infrastructure in a number of ways. We are 
reducing and consolidating the number of external connections Federal 
agencies have to the internet through the Trusted Internet Connections 
(TIC) initiative. Further, DHS continues to deploy its intrusion 
detection capability, known as EINSTEIN 2, to those TICs. Through the 
United States Computer Emergency Readiness Team (US-CERT), we are 
working more closely than ever with our partners in the private sector 
and across the Federal Government to share what we learn from our 
EINSTEIN deployments and to deepen our collective understanding, 
identify threats collaboratively, and develop effective security 
responses. In addition, the Department has a role in the Federal 
Government for cybersecurity research and development (R&D). The DHS 
Science and Technology (S&T) Directorate's Cyber Security R&D (CSRD) 
program funds activities addressing core vulnerabilities in the 
internet, finding and eliminating malicious software in operational 
networks and hosts, and detecting and defending against large-scale 
attacks and emerging threats on our country's critical infrastructures. 
The CSRD program includes the full R&D lifecycle--research, 
development, testing, evaluation, and transition--to produce 
unclassified solutions that can be implemented in both the public and 
private sectors. The S&T Directorate has established a Nationally 
recognized cybersecurity R&D portfolio addressing many of today's most 
pressing cybersecurity challenges. The CSRD program has funded research 
that today is realized in more than 18 open-source and commercial 
products that provide capabilities, including the following: Secure 
thumb drives, root kit detection, worm and distributed denial of 
service detection, defenses against phishing, network vulnerability 
assessment, software analysis, and security for process control 
systems.
    President Obama determined that the CNCI and its associated 
activities should evolve to become key elements of the broader National 
cybersecurity strategy. These CNCI initiatives and its associated 
activities will play the central role in implementing many of the key 
recommendations of President Obama's Cyberspace Policy Review: Assuring 
a Trusted and Resilient Information and Communications Infrastructure.
    With the publication of the Cyberspace Policy Review on May 29, 
2009, DHS and its components have developed a long-range vision of 
cybersecurity for the Department's--and the Nation's--homeland security 
enterprise. This effort resulted in the elevation of cybersecurity to 
one of the Department's five priority missions, as articulated in the 
Quadrennial Homeland Security Review (QHSR), an overarching framework 
for the Department that defines our key priorities and goals and 
outlines a strategy for achieving them. Within the cybersecurity 
mission area, the QHSR details two overarching goals: To help create a 
safe, secure, and resilient cyber environment, and to promote 
cybersecurity knowledge and innovation.
    In alignment with the QHSR, Secretary Napolitano has consolidated 
the Department's cybersecurity efforts under the coordination of the 
National Protection and Programs Directorate (NPPD) and its Deputy 
Under Secretary who also serves as the Director of the National Cyber 
Security Center. As NPPD leadership, we are moving aggressively to 
build a world-class cybersecurity team, and we have identified three 
key priorities that enable and establish a ``system-of-systems'' 
approach encompassing the people, processes, and technologies needed to 
create a front line of defense and grow the Nation's capacity to 
respond to new and emerging threats. Most immediately, we are focusing 
on three priorities:
    1. Continue enhancement of the EINSTEIN system's capabilities as a 
        critical tool in protecting our Federal Executive branch 
        civilian departments and agencies.
    2. Develop the National Cyber Incident Response Plan (NCIRP) in 
        full collaboration with the private sector and other key 
        stakeholders. The NCIRP will ensure that all National 
        cybersecurity partners understand their roles in cyber incident 
        response and are prepared to participate in a coordinated and 
        managed process. The NCIRP will be tested this fall during the 
        Cyber Storm III National Cyber Exercise.
    3. Increase the security of automated control systems that operate 
        elements of our National critical infrastructure. Working with 
        owners and operators of the Nation's critical infrastructure 
        and cyber networks, we will continue to conduct vulnerability 
        assessments, develop training, and educate the control systems 
        community on cyber risks and mitigation solutions.
    DHS also bears primary responsibility for raising public awareness 
about threats to our Nation's cyber systems and networks. Every October 
DHS, in coordination with other Federal agencies, governments, and 
private industry, makes a concerted effort to educate the public 
through the National Cybersecurity Awareness Month (NCSAM) campaign, 
and we are making progress. For example, in 2009, the Secretary of 
Homeland Security and the Deputy Secretary of Defense jointly opened 
the campaign, we engaged in our most significant outreach ever, and all 
50 States, the District of Columbia, and the U.S. Territory of American 
Samoa, as well as seven Tribal governments, endorsed NCSAM.
    Teamwork--ranging from intra-agency to international 
collaboration--is essential to securing cyberspace. Simply put, the 
cybersecurity mission cannot be accomplished by any one agency or even 
solely within the Federal realm; it requires teamwork and coordination 
across all sectors because it touches every aspect of our lives. 
Together, we can leverage resources, personnel, and skill sets that are 
needed to accomplish the cybersecurity mission. The fiscal year 2011 
NPPD budget request for cybersecurity strengthens the on-going work in 
each of the Department's offices to fulfill our unified mission.
    The Office of Cybersecurity and Communications (CS&C), a component 
of NPPD, is focused on reducing risk to the Nation's communications and 
IT infrastructures and the sectors that depend upon them, and enabling 
timely response and recovery of these infrastructures under all 
circumstances. CS&C also coordinates National security and emergency 
preparedness communications planning and provisioning for the Federal 
Government and other stakeholders. CS&C is comprised of three 
divisions: the National Cyber Security Division (NCSD), the Office of 
Emergency Communications, and the National Communications System.
    NCSD collaborates with the private sector, Government, military, 
and intelligence stakeholders to conduct risk assessments and mitigate 
vulnerabilities and threats to information technology assets and 
activities affecting the operation of the civilian Government and 
private sector critical cyber infrastructures. NCSD also provides cyber 
threat and vulnerability analysis, early warning, and incident response 
assistance for public and private sector constituents. To that end, 
NCSD carries out the majority of DHS' responsibilities under the CNCI.
    Within NCSD, US-CERT leverages technical competencies in Federal 
network operations and threat analysis centers to develop knowledge and 
knowledge management practices. US-CERT provides a single, accountable 
focal point to support Federal stakeholders as they make key 
operational and implementation decisions and secure the Federal 
Executive branch civilian networks. US-CERT's holistic approach enables 
Federal stakeholders to address cybersecurity challenges in a manner 
that maximizes value while minimizing risks associated with technology 
and security investments. Further, US-CERT analyzes threats and 
vulnerabilities, disseminates cyber threat warning information, and 
coordinates with partners and customers to achieve shared situational 
awareness related to the Nation's cyber infrastructure.
    DHS is responsible for supporting Federal Executive branch civilian 
agencies in the protection and defense of their networks and systems. 
The Department's strategy, which supports a layered defense, requires 
situational awareness of the state of Federal networks, an early 
warning capability, near real-time and automatic identification of 
malicious activity, and the ability to disable intrusions before harm 
is done. DHS, through NCSD and US-CERT, developed a ``system-of-
systems'' approach to support its cybersecurity mission (noted above). 
This overall system-of-systems is known as the National Cybersecurity 
Protection System (NCPS), in which DHS is deploying a customized 
intrusion detection system, known as EINSTEIN 2, to Federal Executive 
branch civilian agencies to assist them in protecting their computers, 
networks, and information.
    None of this is possible, however, without a comprehensive 
understanding of Federal Executive branch civilian networks from an 
enterprise perspective. The CNCI TIC initiative provides the Federal 
Government this understanding by reducing and consolidating external 
access points across the Federal enterprise, assisting with the 
managing security requirements for Federal agency network and security 
operations centers, and establishing a compliance program to monitor 
Federal agency adherence to TIC policies.
    The Department is installing EINSTEIN 2 capabilities on Federal 
Executive branch civilian networks in distinct but interconnected 
steps. The first step, under the TIC initiative, is the consolidation 
of external connections and application of appropriate protections 
thereto. This will help create an efficient and manageable front line 
of defense for Federal Executive branch civilian networks. The goal is 
to get down to less than 100 physical locations. Our Program has been 
working with departments and agencies to better understand how civilian 
agencies configure their external connections, including internet 
access points, and improve security for those connections. In parallel 
with learning about how agencies are configured, we are working with 
OMB and departments and agencies to consolidate their external 
connections and as they do that DHS is deploying EINSTEIN 2 to these 
TIC locations to monitor incoming and outgoing traffic for malicious 
activity directed toward the Federal Executive branch's civilian 
unclassified computer networks and systems. EINSTEIN 2 uses passive 
sensors to identify when unauthorized users attempt to gain access to 
those networks. EINSTEIN 2 is currently deployed and operational at 11 
of 19 departments and agencies. The EINSTEIN 2 system is already 
providing us with, on average, visibility into more than 278,000 
indicators of potentially malicious activity per month.
    The TIC initiative and EINSTEIN 2 deployments are critical pieces 
of the Federal Government's defense-in-depth cybersecurity strategy. 
DHS is also building upon the enhanced situational awareness that 
EINSTEIN 2 provides. We currently are working with the private sector, 
the National Security Agency, and a wide range of other Federal 
partners to test the technology for the third phase of EINSTEIN, an 
intrusion-prevention system which will provide DHS with the capability 
to automatically detect malicious activity and disable attempted 
intrusions before harm is done to our critical networks and systems.
    For all these deployments, it is important to note that EINSTEIN 
capabilities are being carefully designed in close consultation with 
civil rights and civil liberties and privacy experts--protecting civil 
rights, civil liberties, and privacy remains fundamental to all of our 
efforts.
    These accomplishments are reliant upon increasing the number of 
dedicated and skilled people at CS&C. To this end, NCSD tripled its 
Federal workforce from 35 to 118 in fiscal year 2009, and we hope to 
more than double that number to 260 in fiscal year 2010. We are moving 
aggressively to build a world-class cybersecurity team, and we are 
focusing on key priorities that address people, processes, and 
technology.
    Recently, the Office of Management and Budget (OMB) and the 
President's Cybersecurity Coordinator issued new Federal Information 
Security Management Act (FISMA) reporting requirements that will help 
our cybersecurity workforce to inculcate a culture of cyber safety. The 
new requirements are designed to shift efforts away from compliance on 
paper and towards implementing solutions that actually improve 
cybersecurity. The new reporting requirements will automate certain 
security-related activities and incorporate tools that correlate and 
analyze information, giving the Government's cyber leaders manageable 
and actionable information that will enable timely decision-making. DHS 
will provide additional operational support to agencies in securing 
their networks by monitoring and reporting agency progress to ensure 
the new OMB/Cybersecurity Office guidance is effectively implemented. 
This new reporting follows a three-tiered approach:
   Data feeds directly from department and agency security 
        management tools--agencies are already required to report most 
        of this information. It includes summary information on areas 
        such as inventory, systems and services, hardware, software, 
        and external connections.
   Government-wide benchmarking on security posture will help 
        to determine the adequacy and effectiveness of information 
        security and privacy policies, procedures, and practices 
        throughout the Government.
   Agency-specific interviews will be focused on specific 
        threats each agency faces and will inform the official FISMA 
        report to Congress.
    Sensitive information is routinely stolen from both Government and 
private sector networks, undermining confidence in our information 
systems, the information collection and sharing process, and the 
information these systems contain. As bad as the loss of precious 
National intellectual capital is, we increasingly face threats that are 
even greater. We can never be certain that our information 
infrastructure will remain accessible and reliable during a time of 
crisis, but we can reduce the risks.
    Perhaps more ominously, malicious cyber activity can 
instantaneously result in virtual or physical consequences that 
threaten National and economic security as well as public health and 
safety or an individual's civil rights and civil liberties and privacy. 
Thus, while we strive to prevent loss of intellectual capital from our 
networks, we are also working to ensure that the systems that support 
the essential functions that underpin American society--critical 
infrastructure and key resources (CIKR)--are protected from cyber 
threats.
    Of particular importance are those systems that operationally 
control our critical infrastructure, such as the energy grid and 
communications networks. These systems must remain accessible and 
reliable during times of crisis. Understanding the nexus between the 
physical and the cyber worlds is an essential mission area for the 
Department, and one that must permeate all of our efforts.
    At DHS, we are very aware that some critical infrastructure 
elements are so vital to our Nation that their destruction or 
incapacitation would have a debilitating impact on National security 
and economic well-being. We recognize that partnering with the private 
sector to assist in securing critical infrastructure is one of our most 
important missions. One key priority is DHS' control systems security 
program, which provides expertise, tools, and leadership to the owners 
of control systems. A cyber attack on a control system could result in 
dire physical consequences, even loss of life. We are providing 
operational support to the control systems community through our 
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
    ICS-CERT provides on-site support for incident response and 
forensic analysis at the request of the affected entity. It also shares 
and coordinates vulnerability information and threat analysis through 
information products and situational alerts. Through our advanced 
vulnerability discovery laboratory, we identify vulnerabilities in 
control systems and develop and distribute mitigation strategies in 
partnership with both private sector vendors and operators. The control 
system program also provides tools (such as the Cyber Security 
Evaluation Tool) and training to increase stakeholder awareness of the 
evolving risks to control systems. To date, DHS has helped train more 
than 14,000 control system operators in the classroom and on the web on 
how to deal with a variety of cyber attacks. We also created a 
collection of recommended practices and informational products to 
assist owners and operators in improving the security of their control 
systems.
    DHS conducts site assessments of selected CIKR facilities (and 
encourages self-assessments by owners and operators of additional 
facilities) to identify vulnerabilities and recommend enhancements. In 
late 2009, we took steps to meet increasing industry requests by 
implementing a dedicated cybersecurity evaluations program that ensures 
vulnerabilities identified in our key cyber infrastructure are done so 
under a consistent and formal framework of evaluation. The program 
office is working closely with industry to bolster their cybersecurity 
preparedness, risk mitigation, and incident response capabilities. 
Through this direct outreach, we expect to improve our capacity to 
measure private sector performance in managing cybersecurity. We 
conduct these assessments in close partnership with NPPD's Office of 
Infrastructure Protection, recognizing the need to intertwine physical 
security with cybersecurity. In just the last few weeks, we have had 
teams in Washington, Massachusetts, Missouri, Arizona, and North Dakota 
to look at individual facilities, regional clusters of critical 
infrastructure, control systems, and business networks.
    In addition to work done with the ICS-CERT, DHS has other efforts 
designed to help protect critical infrastructure and key resources. In 
2006, we established the Cross-Sector Cyber Security Working Group to 
address cross-sector cyber risk and explore interdependencies between 
and among various sectors. The working group serves as a forum to bring 
Government and the private sector together to address common 
cybersecurity elements across the 18 CIKR sectors. They share 
information and provide input to key policy documents, such as the 
National Strategy for Trusted Identities in Cyberspace. The Department 
conducts its critical infrastructure protection activities under the 
National Infrastructure Protection Plan (NIPP) framework to facilitate 
effective coordination between Government infrastructure protection 
programs and the infrastructure protection and resilience activities of 
the owners and operators of CIKR resources.
    To secure critical infrastructure, the NIPP relies on the sector 
partnership with the Federal Government. This includes Sector 
Coordinating Councils and their associated Information Sharing and 
Analysis Centers, the Homeland Security Information Network, technology 
and service providers, specific topical working groups, and partners 
from across the 18 CIKR sectors. These information-sharing mechanisms 
will continue to enhance and facilitate information exchange throughout 
the CIKR community, private sector, and Government--making everyone's 
networks and systems more secure.
    The Information Technology Sector Baseline Risk Assessment (ITSRA) 
is an example of public and private sector information sharing. The 
completion of the ITSRA last fall was a significant milestone for both 
the NIPP sector partnership model and for the IT Sector Specific Plan 
implementation. This important effort identifies strategic and 
National-level risks to the IT sector and will inform risk management 
activities across the IT sector this year. It will also focus 
additional attention on important cross-sector IT risk-related 
dependencies and inform both Government and industry mitigations, 
research and development priorities, and resource decisions.
    In this sense, it is a true force multiplier in that many sectors 
are apt to benefit from the IT sector's close working relationship with 
the public sector. DHS will continue to work with IT sector partners to 
use the IT sector risk management methodology to identify appropriate 
responses for the risks identified for each IT sector critical 
function. This will prioritize mitigation activities and inform 
corresponding risk management strategies to provide the greatest 
reduction to the National-level risks identified in the ITSRA. The 2010 
Communications Sector Risk Assessment, which is currently under way, 
will outline security measures that will better support business 
operations and form the basis of meaningful infrastructure protection 
metrics. This assessment will complement the ITSRA's functions-based 
approach and augment its 2008 assessment.
    As we move forward, public-private cooperation is growing ever more 
important. We are building on already successful partnerships and 
looking forward to new opportunities. DHS is moving toward greater, 
more actionable sharing of information with the private sector based on 
new analytical insights derived from a comprehensive understanding of 
the Government-wide cyber domain. DHS has initiated several pilot 
programs that enable the mutual sharing of cybersecurity information at 
various classification levels:
   DHS and Michigan are conducting a proof-of-concept pilot in 
        which the EINSTEIN 1 network flow monitoring technology helps 
        secure Michigan's dot-gov networks. The purpose of this study 
        is to help State governments enhance their cybersecurity and to 
        increase DHS overall cyber situational awareness.
   DHS, the Department of Defense (DOD), and the Financial 
        Services Information Sharing and Analysis Center have launched 
        a pilot designed to help protect key critical networks and 
        infrastructure within the financial services sector by sharing 
        actionable, sensitive information--in both directions--to 
        mitigate the impact of attempted cyber intrusions. This builds 
        on the products and success of DOD's Defense Industrial Base 
        initiative. This pilot is currently at the For Official Use 
        Only level, but shortly will be enhanced to include Secret-
        level information.
   We are also working on a pilot that brings together State 
        fusion centers and private sector owners and operators of 
        critical infrastructure to provide access to Secret-level 
        classified cybersecurity information. The Cybersecurity 
        Partners Local Access Plan is a pilot initiative allowing 
        security-cleared owners and operators of CIKR, as well as State 
        Chief Information Security Officers and Chief Information 
        Officers, to access Secret-level cybersecurity information and 
        participate in Secret-level video teleconference calls via 
        their local fusion centers, allowing classified information 
        sharing outside of Washington, DC.
   DHS has instituted a Top Secret/Sensitive Compartmented 
        Information clearance program for CIKR representatives to 
        enable their engagement in analysis of the most sensitive 
        cybersecurity threat information.
    The Department also is working in the areas of software assurance 
and supply chain management so that Government and private sector 
partners can work together to solve what is a potentially serious 
security issue. We believe software developers must automate security 
and institutionalize it from the beginning in an effort to change the 
current security posture from reactive to proactive.
    Shifting to a proactive posture will also help prevent threats from 
entering our critical systems and networks, to which end software 
assurance and supply chain management are so vitally important. By 
definition, the private sector will have the largest role in developing 
solutions for more secure software and in supply chain management. To 
be sure, the Government can help by driving security requirements, but 
we need to be creative and collaborative in developing partnerships 
between and among the private and public sector cyber communities to 
exchange information and ideas.
    We need to develop a cybersecurity culture that realizes that 
everyone--Government, corporate, or private--has a vested stake in all 
aspects of cybersecurity. For example, we need to evaluate and reflect 
upon each software failure and break in the supply chain to gain 
greater process insights and develop long-term software assurance and 
supply chain management solutions. To do this, we will need to 
authenticate people, processes, and devices. In other words, we need to 
develop inherently secure business practices in supplying critical 
products. In terms of software, this means we need mechanisms that 
allow computer code to stand on its own merits and speak for itself.
    As I mentioned earlier, DHS is taking steps to improve the overall 
cybersecurity posture of the Nation. Our approach interlocks 
strategically with other efforts that are on-going across the Federal 
Government, private sector, and across the country in States and 
localities. One of our most important initiatives is our effort to 
improve cybersecurity incident handling and response processes via the 
National Cyber Incident Response Plan, or NCIRP. The goal of the NCIRP 
is to build upon the concepts and methodologies of the National 
Response Framework, the National Incident Management System, and the 
NIPP. This is an interagency effort in coordination with State, local, 
Tribal and private sector partners to define the cyber incident roles 
and responsibilities across a wide spectrum of stakeholders. The plan 
will provide Federal agencies; State, local, and Tribal governments; 
and the private sector with a better understanding of how to respond to 
a cyber event during a crisis or under normal operating conditions. We 
will test the plan during the Cyber Storm III National Cyber Exercise 
this fall.
    The NCIRP will be crucial for effective incident response, which 
will leverage the strength of our new operations center. During the 
first quarter of fiscal year 2010, DHS launched the National 
Cybersecurity and Communications Integration Center (NCCIC), a facility 
that improves our capability and capacity to detect, prevent, respond, 
and mitigate disruptions of the Nation's cyber and communications 
systems. The NCCIC collocates vital IT and communications operations 
centers, thereby converging existing incident response mechanisms and 
better reflecting the reality of technological convergence. Under the 
NIPP partnership framework, the collaborative activity of the NCCIC 
blends together the interdependent missions of the National 
Coordinating Center for Telecommunications, US-CERT, the DHS Office of 
Intelligence and Analysis, and the National Cyber Security Center. We 
are working through the legal and operational details to enable the 
planned inclusion of private sector representation on the NCCIC floor.

                               CONCLUSION

    I appreciate the opportunity to speak with you today about the 
progress that the Department has made and the road ahead for future 
improvements to our Nation's cybersecurity. DHS is committed to working 
collaboratively with our public, private, academic, and interagency 
partners to ensure that the cyber elements of our Nation's critical 
infrastructure are secure. We strive to ensure that these systems are 
robust enough to withstand attacks, responsive enough to recover from 
attacks, and resilient enough to sustain critical operations. We will 
continue to build upon our efforts and create more effective 
partnership opportunities that will allow us to make our Nation's 
critical infrastructure safer and more secure.
    Again, thank you for this opportunity to testify. I would be happy 
to answer any questions you may have.

    Chairman Thompson. Thank you for your testimony, Mr. 
Schaffer.
    We are now recognizing Inspector General Skinner to 
summarize his statement for 5 minutes.

STATEMENT OF RICHARD L. SKINNER, INSPECTOR GENERAL, DEPARTMENT 
                      OF HOMELAND SECURITY

    Mr. Skinner. Thank you. Good morning, Chairman Thompson and 
Ranking Member King and Members of the committee. Thank you for 
inviting me here today to discuss the results of our most 
recent report on the Department of Homeland Security's U.S. 
Community Emergency Readiness Team, or as we refer to it as US-
CERT. If I can indulge the committee for just a few seconds, I 
would like to introduce three staff members that I brought with 
me today, and that is Frank Deffer, Barbara Bartuska, and 
Shannon Frenyea, who were very instrumental in the preparation 
of this report and very instrumental in a lot of our IT work in 
the Department. I am often referred to as a cyber immigrant; 
that is, I was not born into this cyber world. So a lot of this 
stuff is very, very foreign to me and I rely very heavily on 
the people that I brought with me today to advise me.
    No one here in this room I am sure questions the importance 
of cybersecurity. Our economy, our critical infrastructure, our 
National security all relies on technology and I think we have 
a very important mission here, departmentally and in security, 
to make sure we protect that technology.
    The Department in my opinion has come a long way since 9/11 
in protecting cybersecurity, particularly in the last 2 years. 
They have been working very, very hard in building 
relationships and building partnerships and developing 
guidelines and issuing reports and building infrastructure 
within the Department to address cybersecurity on a National 
scale. But as our audit demonstrated, there is a lot more that 
needs to be done. There are a lot of challenges out there. We 
raise essentially five issues that we think have or is 
hindering our ability to move forward.
    One is sustaining leadership. Over the last 5 years, US-
CERT has had five directors. In our opinion, we think that in 
fact can impede and is in fact impeding our ability to move 
forward. Without the leadership to direct our strategic plans 
and guide our day-to-day operations, it is going to slow us 
down.
    The second thing is the investment of resources. It was not 
until 2008 did the Secretary of Department of Homeland Security 
identify cybersecurity as a top priority. Now, when you 
interpret that into dollars, it was not until 2010 were the 
funds put aside or increased to allow the Department to build 
its cybersecurity capabilities. If you look at 2008, I think 
there were only 38 people working in US-CERT. There is now 
authorization to bring that up to 98 people. But I believe as 
of this past week or as of last Friday, there was only 55 of 
those people on board. For a variety of reasons it is very, 
very difficult not to just bring bodies on board, but to bring 
the right talent on board. There is a lot of efforts underway 
to bring those people on board. But it is slow. Until we have 
those resources, we are going to continue to run into 
impediments in implementing our National cybersecurity 
strategy.
    The third thing I think that is very important--and this is 
where I think Congress can play a very important role--and that 
is the lack of authority to enforce its guidelines and its 
recommendations. The US-CERT makes recommendations to other 
Federal agencies and to its critical infrastructure and issues 
guidelines. What the they cannot do is compel compliance and 
until they have that authority or until there are mechanisms in 
place to ensure that compliance is, in fact, taking place, we 
are going to continue to experience problems.
    The fourth thing I think that needs to be recognized is 
that we are not in this alone. This is a partnership. We rely 
very, very heavily on the private sector and within our Federal 
partners. If you look around, one of the things that I thought 
was very interesting when we did our review is that it was only 
21 Federal agents or 20 Federal agencies, one State agency that 
has EINSTEIN or installed EINSTEIN into their infrastructure. 
Twenty-one in all of Federal Government. There is a variety of 
reasons why we are not moving faster there. One, IT could be a 
resource issue, a financial issue, it could be a technological 
issue. But there is many reasons why we cannot install more. 
But we need to put pressure on our Federal partners, our 
stakeholders in the private sector, to start taking 
cybersecurity a little more seriously, or a lot more seriously 
and start using the tools that we have developed to help them 
to secure their networks, communication systems and their 
computers.
    The last thing I would like to just mention I think is 
something that we can do a better job of, but it requires 
additional resources and it requires an investment of time. 
That is our outreach efforts, our education, and our training 
programs in our communications with our partners and our 
stakeholders. I know we have come a long way. We are doing a 
lot better job of that. The Department is doing a lot better 
job of that. But we still have a long way to go.
    Many of the stakeholders we talked to during the course of 
our audit complained, No. 1, that they didn't understand 
EINSTEIN; No. 2, they weren't adequately trained on EINSTEIN 
once they did have it; No. 3, they did not feel that the 
information was being adequately shared as a result of some of 
the work that US-CERT is doing. We recommend in our report that 
in essence we need to explore better ways to ensure that our 
partners are fully informed and understand what we are doing, 
why we are doing it, and when we are doing it. I think that can 
go a long way. That is education, training, and outreach and 
communications.
    In summary, let me just say there is a lot of progress 
here, but nonetheless, there is a lot more that needs to be 
done and I think that we are heading in the right direction. I 
think US-CERT is heading in the right direction, the Department 
is heading in the right direction. We are starting to invest 
resources, but it is going to take time. It is not going to 
happen next week. It is going to take a sustained effort.
    Thank you. That concludes my opening remarks. As always, of 
course, I will be happy to answer any questions you may have.
    [The statement of Mr. Skinner follows:]

                Prepared Statement of Richard L. Skinner
                             June 16, 2010

    Chairman Thompson, Ranking Member King, and Members of the 
committee: Thank you for inviting me here today to discuss the 
Department of Homeland Security's U.S. Computer Emergency Readiness 
Team, or US-CERT.
    My testimony today will address US-CERT's progress made thus far, 
and remaining challenges for its analysis and warning program. The 
information provided in this testimony is contained in our June 2010 
report, ``U.S. Computer Emergency Readiness Team Makes Progress in 
Securing Cyberspace, but Challenges Remain'' (OIG-10-94).

                               BACKGROUND

    The Department of Homeland Security (DHS) is responsible for 
developing the National cyberspace security response system, which 
includes providing crisis management support and coordinating with 
other agencies to provide warning information. The National Cyber 
Security Division (NCSD) created US-CERT in 2003 to protect the Federal 
Government network infrastructure by coordinating efforts to defend 
against and respond to cyber attacks. Specifically, US-CERT is 
responsible for analyzing and reducing cyber threats and 
vulnerabilities, disseminating cyber threat warning information, and 
coordinating cyber incident response activities.
    Additionally, US-CERT collaborates with Federal agencies, the 
private sector, the research community, academia, State, local, and 
Tribal governments, and international partners. Through coordination 
with various National security incident response centers in responding 
to potential security events and threats on both classified and 
unclassified networks, US-CERT disseminates cybersecurity information 
to the public.
    Further, NCSD developed the National Cybersecurity Protection 
System, operationally known as Einstein, to provide US-CERT with a 
situational awareness snapshot of the health of the Federal 
Government's cyberspace. US-CERT manages Einstein and maintains its 
public website and secure portal to fulfill the mission. Technologies, 
such as Einstein, enable US-CERT to detect unusual and previously 
identified network traffic patterns and trends that signal 
unauthorized, threatening, or risky networks activities and categorize 
anomalous activity that could pose a risk to US-CERT constituents. US-
CERT uses other systems in addition to Einstein. Through fusion of 
information received from all of these sources, US-CERT is able to 
prioritize and escalate cyber activity appropriately, coordinate 
incident response activities, and share alerts, warnings, and 
mitigation strategies regarding threats and vulnerabilities.
Actions Taken to Address Cybersecurity
    US-CERT has made progress in developing and implementing the 
capabilities to detect and mitigate cyber incidents across Federal 
agencies' networks. Similarly, US-CERT leads and coordinates efforts to 
improve the Nation's cybersecurity posture, promote cyber information 
sharing, and mitigate cyber risks.
    For example, the Office of Cybersecurity and Communications 
developed the National Cybersecurity and Communications Integration 
Center (NCCIC), which is a unified operations center to address 
security threats and incidents that may affect the Nation's critical 
information systems and network infrastructure. The NCCIC consists of 
the following organizations: National Communications System, National 
Coordinating Center; NCSD, US-CERT; NCSD Industrial Control System 
Cyber Emergency Response Team; Office of Intelligence and Analysis; 
National Cybersecurity Center; Department and Agency, Security 
Operations Centers; Law Enforcement and Intelligence Community; and the 
private sector. Specifically, the NCCIC helps DHS to fulfill its 
mission to secure cyberspace by supporting the decision making process 
for the Federal Government, and enabling incident response through 
shared situational awareness. As a result, the NCCIC serves as the 
``central repository'' for the cyber protection efforts of the Federal 
Government and its private sector partners.
    Other actions designed to improve the expertise of US-CERT staff 
and information sharing include the following:
   Conducting in-person and on-line training to increase 
        individual's knowledge, skills, and abilities regarding 
        specific information topics that are relevant to US-CERT 
        operations. Training relates to packet capture analysis and 
        signature development; malware; and web browser security.
   Participating in public and private sector working groups to 
        promote information sharing and collaboration. The working 
        groups assist in the coordination and mitigation of computer 
        and cybersecurity incidents as well as the development of best 
        security practices.
   Distributing US-CERT products regarding specific 
        vulnerabilities and situational awareness, as well as quarterly 
        trend and analysis reports, to public and private sectors.

Improvements Needed to Strengthen the Cybersecurity Program
    Notwithstanding its many accomplishments over the past several 
years, US-CERT is still hindered in its ability to provide an effective 
analysis and warning program for the Federal Government in a number of 
ways. Specifically, US-CERT does not have the appropriate enforcement 
authority to help mitigate security incidents. Additionally, it is not 
sufficiently staffed to perform its mission. Further, US-CERT has not 
finalized and approved its performance measures and policies and 
procedures related to cybersecurity efforts.
            Enforcement Authority Could Help Mitigate Security 
                    Incidents
    US-CERT does not have the appropriate enforcement authority to 
ensure that agencies comply with mitigation guidance concerning threats 
and vulnerabilities. It needs the authority to enforce its 
recommendations so that Federal agencies' systems and networks are 
protected from potential cyber threats. Without this authority, US-CERT 
is limited in its ability to mitigate effectively ever evolving 
security threats and vulnerabilities.
    However, US-CERT was not given the authority to compel agencies to 
implement its recommendations to ensure that system vulnerabilities and 
incidents are remediated timely. US-CERT management officials stated 
that the proposed Federal Information Security Management Act (FISMA) 
2008 legislation would have given it some leverage to implement 
incident response and cybersecurity recommendations. For example, the 
proposed legislation would have required agencies to address incidents 
that impair their security. Further, the agencies would have had to 
collaborate with others if necessary to address the incidents. 
Additionally, agencies would be required to respond to incidents no 
later than 24 hours after discovery or provide notice to US-CERT as to 
why no action was taken. Finally, agencies would have had to ensure 
that information security vulnerabilities were mitigated timely. Since 
the proposed legislation was not approved, US-CERT remains without 
enforcement authority.
    US-CERT's notices contain recommendations that address the threats 
and vulnerabilities in Federal agencies' infrastructures. Additionally, 
US-CERT products help to update Federal information security policy and 
guidance. However, without the enforcement authority to implement 
recommendations, US-CERT continues to be hindered in coordinating the 
protection of Federal cyberspace.

            Additional Staffing Could Help Meet Mission
    US-CERT does not have sufficient staff to perform its 24/7 
operations as well as to analyze security information timely. US-CERT 
is charged with providing response support and defense against cyber 
attacks for the Federal Civil Executive branch (.gov) and information 
sharing and collaboration with State and local government, industry, 
and international partners. Without sufficient staffing, US-CERT cannot 
completely fulfill its responsibilities to analyze data and reports to 
reduce cyber threats and vulnerabilities as well as support the public 
and private sectors.
    Although US-CERT's authorized positions were increased from 38 in 
2008 to 98 in 2010, as of January 2010, only 45 positions are filled. 
In October 2009, the DHS Secretary announced that cybersecurity is an 
urgent priority for the Nation and the Department would hire additional 
cyber analysts, developers, and engineers to ensure that crucial 
computer networks are not vulnerable to possible cyber attacks. 
Currently, US-CERT augments its staffing shortages by contractor 
support.

            Strategic Plan and Performance Measures are Needed
    US-CERT has not developed a strategic plan to formalize goals, 
objectives, and milestones. Specifically, US-CERT has not identified or 
prioritized key activities for the division to monitor its progress in 
accomplishing its mission and goals. Without a strategic plan and 
performance measures, US-CERT may have difficulty in achieving its goal 
to provide response support and defense against potential cyber attacks 
for the Federal Government.
    According to program officials, US-CERT is developing a strategic 
plan and revising the performance measures to align with the strategic 
plan. The strategic plan should describe how US-CERT will perform its 
critical role by identifying and aligning goals, objectives, and 
milestones through a variety of means and strategies. Also, the 
strategic plan should contain performance measures related to specific 
programs, initiatives, products, and outcomes.
    As the sophistication and effectiveness of cyber attacks have been 
steadily advancing in recent years, a strategic plan can help US-CERT 
to ensure that critical milestones and goals are accomplished in a 
timely manner. Further, strategic plan and performance measures will 
aid US-CERT in evaluating its progress in building an effective 
organization capable of mitigating long-term cyber threats and 
vulnerabilities and improve program operations by promoting the 
appropriate application of information resources.

            Policies and Procedures Have Not Been Approved
    US-CERT has not approved its policies and procedures to ensure that 
management and operational controls are implemented to defend against, 
analyze, and respond to cyber attacks. Without the approved policies 
and procedures, US-CERT may be hindered in its ability to respond to 
security incidents effectively and promote continuity of operations and 
consistency.
    Leadership and staff turnover and a continually evolving mission 
have hindered US-CERT's past efforts to update its standard operating 
procedures. Under the prior director, US-CERT outsourced to contractors 
off-site the function to maintain and update procedures. The process of 
updating the procedures discontinued once the director departed. 
Further, US-CERT officials determined that the outsourced procedures 
did not fully address the mission or the day-to-day activities that 
cyber analysts encounter. According to the officials, outsourcing off-
site was not the best method to update these policies and procedures 
since US-CERT personnel have a better understanding of its mission. 
After internal reassessment, US-CERT officials decided to use 
contractor support on-site to develop more concise and direct SOPs.
    Currently, US-CERT is in the process of developing appropriately 
80-90 standard operating procedures (SOP) for its four sections 
pertaining to various areas of activity, such as, network and targeted 
analyses, malware submission handling, and signature template 
development. The goal is to have a structure that maps to functions, 
roles, the organization, and the mission. US-CERT is attempting to make 
the procedures understandable and practical with contents based on 
analysts' experiences.

Better Information Sharing and Communication Can Enhance Coordination 
        Efforts With the Public
    US-CERT needs to improve its information sharing and communication 
efforts with Federal agencies to ensure that threats and 
vulnerabilities are mitigated timely. Specifically, officials from 
other Federal agencies expressed concerns that US-CERT was unable to 
share near real-time data and classified and detailed information to 
address security incidents.
    We interviewed officials from eight Federal agencies to obtain 
feedback on Einstein and to determine whether US-CERT shared sufficient 
information and communicated effectively. Overall, these agency 
officials indicated that Einstein is an effective tool but expressed 
concerns regarding the effectiveness of US-CERT's information sharing 
and communication.
    Officials from six agencies expressed concerns regarding US-CERT 
not sharing Einstein data and analysis results. According to some of 
the Federal agency officials we interviewed, US-CERT agreed that they 
would have access to the Einstein flow data but subsequently did not 
provide the information. This data could assist agencies in performing 
analyses with their locally collected data to identify potential 
threats and vulnerabilities. Also, agency officials stated that it 
would be helpful for US-CERT to list which agencies are being attacked 
and provide common trends to other agencies to determine whether the 
incident is isolated or systemic.
    Further, agencies indicated that US-CERT has not provided 
sufficient training on the Einstein program. Some agencies indicated 
that they received compact disk, portable document format brochures, 
and handbooks about the Einstein program, while other agencies received 
nothing. Agencies indicated that they would like to receive additional 
Einstein training from US-CERT.
    US-CERT officials acknowledged that there are communications issues 
regarding sharing classified and detailed information with other 
agencies. For example, US-CERT collects and posts information from 
several systems and sources to different portals, all of which have 
different classification levels. As a result, US-CERT officials believe 
that communications needs could be best addressed by developing a 
consolidated information sharing portal. The consolidated portal could 
provide a multiple classification platform and serve as a central 
repository to meet the needs of the stakeholders.
    A challenge US-CERT faces is that many intelligence agencies 
communicate classified information on Top Secret/Sensitive 
Compartmented Information networks. Since not all agencies have access 
to classified networks, US-CERT is limited in what it can convey. Some 
agencies do not have secure facilities, equipment, and cleared 
personnel to send or receive classified information.
    Additionally, US-CERT has to deal with the various network 
architectures of the different agencies. Since US-CERT does not have 
access to each agency's architecture, it is imperative to have the 
agency Chief Information Officer (CIO) and Chief Information Security 
Officer (CISO) involved in addressing cyber activities. Establishing 
direct, regular communication with agency CIOs/CISOs or key security 
assurance personnel ensures that US-CERT's cybersecurity efforts are 
implemented. For example, US-CERT and the CIO/CISO can determine what 
should be implemented to improve the agency's situational awareness. 
Further, they can address network and cybersecurity challenges such as 
fragmented infrastructures, legacy systems, and limited budgets.
    Currently, US-CERT uses working groups and portals to share 
information with the public and private sectors. For example, US-CERT 
established the Joint Agency Cyber Knowledge Exchange and Government 
Forum of Incident Response and Security Teams (GFIRST) to facilitate 
collaboration on detecting and mitigating threats to the ``.gov'' 
domain and to encourage proactive and preventative security practices. 
The Joint Agency Cyber Knowledge Exchange meetings are held at a 
classified level to discuss threat-related tactics, techniques, and 
protocol. Additionally, US-CERT disseminates various reports and 
notices through the GFIRST and US-CERT portals. Products US-CERT 
disseminates include: Situational Awareness Reports, Critical 
Infrastructure Information Notices, Federal Information Notices, Early 
Warning Indicator Notices, and Malware Initial Findings Reports. These 
products contain a summary of the incident, mitigation strategies, and 
best practices. The products are disseminated to stakeholders on an as-
needed, daily, monthly, or quarterly basis.
    It is essential that US-CERT and the public and private sectors 
share cybersecurity information to ensure that appropriate steps can be 
taken to mitigate the potential effect of a cyber incident. US-CERT 
cannot defend against and respond consistently and effectively to 
cyberactivity without other agencies' involvement. By sharing potential 
security threats collected through its data sources, US-CERT can 
provide agencies with detailed information regarding attacks to their 
networks.

Improved Situational Awareness and Identification of Network Anomalies 
        Can Better Protect Federal Cyberspace
    US-CERT is unable to monitor Federal cyberspace in real time. The 
tools US-CERT uses do not allow real-time analyses of network traffic. 
As a result, US-CERT will continue to be challenged in protecting the 
Federal cyberspace from security-related threats.
    Currently, US-CERT maintains near real-time situational awareness 
as it performs information aggregation activities. US-CERT collects 
data real-time but it must perform analysis on the data in near real-
time. Cyber analysts receive information from a variety of sources and 
other US-CERT activities to identify potential incidents and to assess 
their possible scope and impact on the Nation's cyber infrastructure.
    Einstein is being deployed in three different versions, whereby, 
each builds on the capabilities of the previous version:
   Einstein 1 (E1) collects and relies on net flow analysis 
        capability and uses net flow collectors. Net flow data is 
        queried for analysis.
   Einstein 2 (E2) is an intrusion detection system, but is 
        still passive, performing analysis while traffic is continuous. 
        E2 looks for anomalous activity from net flow information based 
        on every session between two computers on the internet. E2 is 
        more beneficial for detecting and mitigating cyber incidents 
        because of its ability to analyze packet data. Additionally, E2 
        performs full session packet analysis.
   Einstein 3 (E3) draws on commercial technology and 
        specialized Government technology to conduct real-time full 
        packet inspection and threat-based decision-making on network 
        traffic entering or leaving the Executive branch networks. This 
        system also deploys an intrusion prevention feature.
    With Einstein, US-CERT can gather more network traffic information 
and identify cyber activity patterns. However, US-CERT cannot capture 
all network traffic because Einstein has not been deployed to all 
Federal agencies. Initially, the deployment of E1 to Federal agencies 
was entirely voluntary. In September 2008, OMB made Einstein part of 
the Trusted Internet Connections initiative and required all agencies 
to install sensors on their networks.
    As of October 2009, NCSD's Network Security Deployment Branch had 
deployed E1 to 19 agencies and E2 to 8 agencies. Currently, US-CERT is 
conducting a pilot exercise of E3 to evaluate its capabilities. 
According to the Comprehensive National Cybersecurity Initiative and 
US-CERT officials, E3 will contain real-time full packet inspection and 
an intrusion prevention feature. These additions should give US-CERT 
better response and monitoring capabilities.
    According to US-CERT officials, many agencies have not installed 
Einstein because they have not consolidated their gateways to the 
internet. Further, some agencies have fragmented networks and must 
upgrade their architectures before Einstein can be deployed.
    Additionally, US-CERT does not have an automated correlation tool 
to identify trends and anomalies. With this vast amount of network 
traffic, US-CERT experienced a long lead time to analyze potential 
security threats or abnormalities. To reduce the lead time, NCSD 
purchased an automated correlation tool to analyze the vast amount of 
data from Einstein. However, US-CERT is currently experiencing problems 
with reconfiguring the tool to collect data and understand the overall 
data flow. US-CERT management stated that it may be 6 months before the 
problems are corrected and the benefits of the system can be seen.
    An effective analysis and warning program is critical to secure the 
Federal information technology infrastructure. For US-CERT to perform 
its responsibilities successfully it must have sufficient state-of-the-
art technical and analytical tools and technologies to identify, 
detect, analyze, and respond to cyber attacks. Additionally, 
cybersecurity information can provide the public and private sectors 
with valuable input for mitigating risks and threats, protecting 
against malicious attacks, and prioritizing security improvement 
efforts.

                     CONCLUSION AND RECOMMENDATIONS

    US-CERT has made progress in implementing a cybersecurity program 
to assist Federal agencies in protecting their information technology 
systems against cyber threats. Specifically, it has facilitated 
cybersecurity information sharing with the public and private sectors 
through various working groups, issuing notices, bulletins, and 
reports, and web postings. Further, Office of Cybersecurity and 
Communications established a unified operations center, which includes 
US-CERT, to address threats and incidents affecting the Nation's 
critical information technology and cyber infrastructure. To increase 
the skills and expertise of its staff, US-CERT has developed a 
technical mentoring program to offer cybersecurity and specialized 
training.
    While progress has been made, US-CERT still faces numerous 
challenges in effectively reducing the cybersecurity risks and 
protecting the Nation's critical infrastructure. US-CERT must continue 
to improve its ability to analyze and reduce cyber threats and 
vulnerabilities and to disseminate information through a cohesive 
effort between public and private sectors.
    We recommended in our report that the Under Secretary of National 
Protection and Programs Directorate (NPPD) require the Director of NCSD 
to:
   Establish specific outcome-based performance measures and a 
        strategic plan to ensure that US-CERT can achieve its mission, 
        objectives, and milestones.
   Approve policies and procedures to ensure that US-CERT can 
        effectively detect, process, and mitigate incidents as well as 
        perform its roles and responsibilities in a consistent manner.
   Improve communications with Federal agency CIOs and CISOs to 
        address their concerns, to identify areas of improvement about 
        the program, and to enhance US-CERT's ability to combat 
        cybersecurity challenges.
   Establish a consolidated, multiple classification level 
        portal that can be accessed by the Federal partners that 
        includes real-time incident response-related information and 
        reports.
   Develop a process to distribute and share Einstein trends, 
        anomalies, and common/reoccurring attacks with other Federal 
        agencies.
   Provide training to Federal agencies on using available 
        features of Einstein to foster better cooperation in analyzing 
        and mitigating security incidents.
   Establish a capability to share real-time Einstein 
        information with Federal agencies partners to assist them in 
        the analysis and mitigation of incidents.
    Mr. Chairman and Members of the committee, you can be sure that my 
office is committed to continuing our oversight efforts for this 
challenging and complex issue in the months and years ahead.
    This concludes my prepared statement, and I welcome any questions 
from you or Members of the committee.

    Chairman Thompson. Well, I am sure we will. Thank you for 
your testimony.
    I now recognize Director Wilshusen to summarize his 
statement for 5 minutes.

   STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
          TECHNOLOGY, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Thompson, Ranking Member King, and 
Members of the committee, thank you very much for inviting me 
today to testify at today's hearing on cybersecurity.
    Pervasive and sustained cyber attacks continue to pose a 
potentially devastating threat to the systems and operations of 
the Federal Government. In recent testimony, the Director for 
National Intelligence highlighted that many nation-states, 
terrorist networks, and organized criminal groups have the 
capability to target U.S. information infrastructure for 
intelligence collection, intellectual property theft, or 
disruption.
    The ever-increasing dependence of Federal agencies on 
information systems to carry out essential everyday operations 
can make them vulnerable to an array of cyber-based risks. 
Thus, it is increasingly important that the Federal Government 
carry out a concerted effort to safeguard its systems and the 
information they contain.
    Today I would describe cyber threats to Federal systems and 
cyber-based critical infrastructures, the control deficiencies 
that make Federal systems vulnerable to those threats, and 
opportunities that exist for improving Federal cybersecurity.
    Mr. Chairman, cyber-based threats to Federal systems and 
critical infrastructure are evolving and growing. These threats 
can come from a variety of sources, including criminals and 
foreign nations as well as hackers and disgruntled employees. 
These potential attackers have various techniques at their 
disposal, which can vastly enhance the reach and impact of 
their actions. For example, cyber attackers do not need to be 
physically close to their assets. Their attacks can easily 
cross State and national borders, and cyber attackers can more 
readily preserve their anonymity.
    Further, the interconnectivity between information systems, 
the internet and other infrastructure creates additional 
avenues for such attacks. Consistent with this, reports of 
security incidents from Federal agencies are on the rise, as 
the Chairman pointed out earlier, increasing by over 400 
percent from fiscal year 2006 to 2009.
    Compounding the growing number and kinds of threats, GAO 
and agency inspectors general have identified significant 
security control deficiencies on Federal systems. Indeed, most 
agencies have weaknesses in most types of security controls 
such as access controls, configuration management, and security 
management. These weakness affect the security of both 
financial and nonfinancial systems, including systems essential 
to achieving agency missions. They also continue to place 
Federal assets at risk of inadvertent or deliberate misuse, 
financial information at risk of unauthorized modification or 
destruction, and critical operations at risk of disruption.
    Fortunately, Mr. Chairman, multiple opportunities exist to 
improve Federal cybersecurity. To address, identify 
deficiencies in agency security controls and shortfalls in 
their information security programs, GAO and agency IGs have 
made hundreds of recommendations over the past several years, 
many of which agencies are implementing. In addition, the White 
House, the Department of Homeland Security, and other Federal 
agencies have undertaken several Government-wide initiatives 
intended to enhance Federal security. While progress is made on 
these initiatives, they all face challenges that requires 
sustained attention, and GAO has made recommendations for 
improving the implementation and effectiveness of these 
initiatives.
    Further, the Department of Homeland Security also needs to 
fulfill its key cybersecurity responsibilities such as 
developing capabilities for ensuring the protection of cyber-
based critical infrastructures and developing a robust cyber 
analysis and warning capability.
    Finally, a GAO-convened panel of experts has made several 
recommendations for improving the Nation's cybersecurity 
strategy, including, for example, developing a National 
strategy that articulates the goals, objectives, and priorities 
and that focuses more on prioritizing assets and assessing and 
reducing vulnerabilities and on developing additional plans. 
Realizing these opportunities for improvement can help provide 
additional insurance to the Federal information systems and 
critical cyber-based infrastructures are effectively protected.
    Mr. Chairman, this concludes my opening statement. I would 
be happy to answer any questions.
    [The statement of Mr. Wilshusen follows:]

               Prepared Statement of Gregory C. Wilshusen

    Chairman Thompson and Members of the committee: Thank you for the 
opportunity to testify at today's hearing on cybersecurity regarding 
our recent work on challenges facing Federal efforts to protect systems 
and critical infrastructure from cyber-based threats.
    Pervasive and sustained cyber attacks against the United States 
continue to pose a potentially devastating impact on Federal systems 
and operations. In February 2010, the Director of National Intelligence 
testified that many nation-states, terrorist networks, and organized 
criminal groups have the capability to target elements of the U.S. 
information infrastructure for intelligence collection, intellectual 
property theft, or disruption.\1\ As recently as July 2009, press 
accounts reported that a widespread and coordinated attack over the 
course of several days targeted websites operated by major Government 
agencies, including the Departments of Homeland Security and Defense, 
the Federal Aviation Administration, and the Federal Trade Commission, 
causing disruptions to the public availability of Government 
information. Such attacks highlight the importance of developing a 
concerted response to safeguard Federal information systems.
---------------------------------------------------------------------------
    \1\ Director of National Intelligence, Annual Threat Assessment of 
the U.S. Intelligence Community for the Senate Select Committee on 
Intelligence, statement before the Senate Select Committee on 
Intelligence (Feb. 2, 2010).
---------------------------------------------------------------------------
    In my testimony today, I will describe: (1) Cyber threats to 
Federal information systems and cyber-based critical infrastructures, 
(2) control deficiencies that make Federal systems vulnerable to those 
threats, and (3) opportunities that exist for improving Federal 
cybersecurity. In preparing this statement in June 2010, we relied on 
our previous reports on Federal information security. These reports 
contain detailed overviews of the scope and methodology we used. The 
work on which this statement is based was performed in accordance with 
generally accepted Government auditing standards. Those standards 
require that we plan and perform audits to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provided a reasonable basis for our findings and conclusions 
based on our audit objectives.

                               BACKGROUND

    As computer technology has advanced, Federal agencies have become 
dependent on computerized information systems to carry out their 
operations and to process, maintain, and report essential information. 
Virtually all Federal operations are supported by automated systems and 
electronic data, and agencies would find it difficult, if not 
impossible, to carry out their missions without these information 
assets. Information security is thus critically important. Conversely, 
ineffective information security controls can result in significant 
risks. Examples of such risks include the following:
   Resources, such as Federal payments and collections, could 
        be lost or stolen.
   Sensitive information, such as National security 
        information, taxpayer data, Social Security records, medical 
        records, and proprietary business information, could be 
        inappropriately accessed and used for identity theft or 
        espionage.
   Critical operations, such as those supporting critical 
        infrastructure, National defense, and emergency services could 
        be disrupted.
   Agency missions could be undermined by embarrassing 
        incidents that result in diminished confidence in the ability 
        of Federal organizations to conduct operations and fulfill 
        their responsibilities.

   FEDERAL SYSTEMS AND INFRASTRUCTURES FACE INCREASING CYBER THREATS

    Threats to Federal information systems and cyber-based critical 
infrastructures are evolving and growing. Government officials are 
concerned about attacks from individuals and groups with malicious 
intent, such as criminals, terrorists, and foreign nations. Federal law 
enforcement and intelligence agencies have identified multiple sources 
of threats to our Nation's critical information systems, including 
foreign nations engaged in espionage and information warfare, 
criminals, hackers, virus writers, and disgruntled employees and 
contractors.
    These groups and individuals have a variety of attack techniques at 
their disposal. Furthermore, as we have previously reported,\2\ the 
techniques have characteristics that can vastly enhance the reach and 
impact of their actions, such as the following:
---------------------------------------------------------------------------
    \2\ GAO, Cybercrime: Public and Private Entities Face Challenges in 
Addressing Cyber Threats, GAO-07-705 (Washington, DC: June 22, 2007).
---------------------------------------------------------------------------
   Attackers do not need to be physically close to their 
        targets to perpetrate a cyber attack.
   Technology allows actions to easily cross multiple State and 
        national borders.
   Attacks can be carried out automatically, at high speed, and 
        by attacking a vast number of victims at the same time.
   Attackers can easily remain anonymous.
    The connectivity between information systems, the internet, and 
other infrastructures creates opportunities for attackers to disrupt 
telecommunications, electrical power, and other critical services. As 
Government, private sector, and personal activities continue to move to 
networked operations, the threat will continue to grow.

Reported Security Incidents Are on the Rise
    Consistent with the evolving and growing nature of the threats to 
Federal systems, agencies are reporting an increasing number of 
security incidents. These incidents put sensitive information at risk. 
Personally identifiable information about U.S. citizens has been lost, 
stolen, or improperly disclosed, thereby potentially exposing those 
individuals to loss of privacy, identity theft, and financial crimes. 
Reported attacks and unintentional incidents involving critical 
infrastructure systems demonstrate that a serious attack could be 
devastating. Agencies have experienced a wide range of incidents 
involving data loss or theft, computer intrusions, and privacy 
breaches, underscoring the need for improved security practices.
    When incidents occur, agencies are to notify the Department of 
Homeland Security's (DHS) Federal information security incident 
center--the United States Computer Emergency Readiness Team (US-CERT). 
As shown in figure 1, the number of incidents reported by Federal 
agencies to US-CERT has increased dramatically over the past 4 years, 
from 5,503 incidents reported in fiscal year 2006 to about 30,000 
incidents in fiscal year 2009 (over a 400 percent increase). 



    The four most prevalent types of incidents and events reported to 
US-CERT during fiscal year 2009 were: (1) Malicious code (software that 
infects an operating system or application), (2) improper usage (a 
violation of acceptable computing use policies), (3) unauthorized 
access (where an individual gains logical or physical access to a 
system without permission), and (4) investigation (unconfirmed 
incidents that are potentially malicious or anomalous activity deemed 
by the reporting entity to warrant further review).

          VULNERABILITIES PERVADE FEDERAL INFORMATION SYSTEMS

    The growing threats and increasing number of reported incidents 
highlight the need for effective information security policies and 
practices. However, serious and widespread information security control 
deficiencies continue to place Federal assets at risk of inadvertent or 
deliberate misuse, financial information at risk of unauthorized 
modification or destruction, sensitive information at risk of 
inappropriate disclosure, and critical operations at risk of 
disruption. GAO has designated information security as a high-risk area 
in the Federal Government since 1997.
    In their fiscal year 2009 performance and accountability reports, 
21 of 24 major Federal agencies noted that inadequate information 
system controls over their financial systems and information were 
either a material weakness or a significant deficiency.\3\
---------------------------------------------------------------------------
    \3\ A material weakness is a deficiency, or combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented, or detected and corrected on a timely 
basis. A significant deficiency is a deficiency, or combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit attention by those charged with 
governance. A control deficiency exists when the design or operation of 
a control does not allow management or employees, in the normal course 
of performing their assigned functions, to prevent, or detect and 
correct misstatements on a timely basis.
---------------------------------------------------------------------------
    Similarly, our audits have identified control deficiencies in both 
financial and nonfinancial systems, including vulnerabilities in 
critical Federal systems. For example, we reported in September 2008 
\4\ that, although the Los Alamos National Laboratory--one of the 
Nation's weapons laboratories--implemented measures to enhance the 
information security of its unclassified network, vulnerabilities 
continued to exist in several critical areas. Similarly, in October 
2009 \5\ we reported that the National Aeronautics and Space 
Administration (NASA)--the civilian agency that oversees U.S. 
aeronautical and space activities--had not always implemented 
appropriate controls to sufficiently protect the confidentiality, 
integrity, and availability of the information and systems supporting 
its mission directorates.
---------------------------------------------------------------------------
    \4\ GAO, Information Security: Actions Needed to Better Protect Los 
Alamos National Laboratory's Unclassified Computer Network, GAO-08-1001 
(Washington, DC: Sept. 9, 2008).
    \5\ GAO, Information Security: NASA Needs to Remedy Vulnerabilities 
in Key Networks, GAO-10-4 (Washington, DC: Oct. 15, 2009).
---------------------------------------------------------------------------
        OPPORTUNITIES EXIST FOR ENHANCING FEDERAL CYBERSECURITY

    Over the past several years, we and agency inspectors general have 
made hundreds of recommendations to agencies for actions necessary to 
resolve prior significant control deficiencies and information security 
program shortfalls. For example, we recommended that agencies correct 
specific information security deficiencies related to user 
identification and authentication, authorization, boundary protections, 
cryptography, audit and monitoring, physical security, configuration 
management, segregation of duties, and contingency planning. We have 
also recommended that agencies fully implement comprehensive, 
agencywide information security programs by correcting weaknesses in 
risk assessments, information security policies and procedures, 
security planning, security training, system tests and evaluations, and 
remedial actions. The effective implementation of these recommendations 
will strengthen the security posture at these agencies. Agencies have 
implemented or are in the process of implementing many of our 
recommendations.
    In addition, the White House, OMB, and certain Federal agencies 
have undertaken several Government-wide initiatives that are intended 
to enhance information security at Federal agencies. However, these 
initiatives face challenges that require sustained attention:
   Comprehensive National Cybersecurity Initiative (CNCI).--In 
        January 2008, President Bush initiated a series of 12 projects 
        aimed primarily at improving the Department of Homeland 
        Security's (DHS) and other Federal agencies' efforts to protect 
        against intrusion attempts and anticipate future threats.\6\ 
        The initiative is intended to reduce vulnerabilities, protect 
        against intrusions, and anticipate future threats against 
        Federal Executive branch information systems. As we recently 
        reported,\7\ the White House and Federal agencies have 
        established interagency groups to plan and coordinate CNCI 
        activities. However, the initiative faces challenges in 
        achieving its objectives related to securing Federal 
        information, including better defining agency roles and 
        responsibilities, establishing measures of effectiveness, and 
        establishing an appropriate level of transparency. Until these 
        challenges are adequately addressed, there is a risk that CNCI 
        will not fully achieve its goals.
---------------------------------------------------------------------------
    \6\ The White House, National Security Presidential Directive--54/
Homeland Security Presidential Directive--23 (Washington, DC: Jan. 8, 
2008).
    \7\ GAO, Cybersecurity: Progress Made but Challenges Remain in 
Defining and Coordinating the Comprehensive National Initiative, GAO-
10-338 (Washington, DC: Mar. 5, 2010).
---------------------------------------------------------------------------
   Federal Desktop Core Configuration (FDCC).--For this 
        initiative, OMB directed agencies that have workstations with 
        Windows XP and/or Windows Vista operating systems to adopt 
        security configurations developed by the National Institute of 
        Standards and Technology, the Department of Defense, and DHS. 
        The goal of this initiative is to improve information security 
        and reduce overall information technology operating costs. We 
        recently reported \8\ that while agencies have taken actions to 
        implement FDCC requirements, none of the agencies has fully 
        implemented all configuration settings on their applicable 
        workstations. In our report we recommended that OMB, among 
        other things, issue guidance on assessing the risks of agencies 
        having deviations from the approved settings and monitoring 
        compliance with FDCC.
---------------------------------------------------------------------------
    \8\ GAO, Information Security: Agencies Need to Implement Federal 
Desktop Core Configuration Requirements, GAO-10-202 (Washington, DC: 
Mar. 12, 2010).
---------------------------------------------------------------------------
   Einstein.--This is a computer network intrusion detection 
        system that analyzes network flow information from 
        participating Federal agencies and is intended to provide a 
        high-level perspective from which to observe potential 
        malicious activity in computer network traffic. We recently 
        reported \9\ that as of September 2009, fewer than half of the 
        23 agencies reviewed had executed the required agreements with 
        DHS, and Einstein 2 had been deployed to 6 agencies. Agencies 
        that participated in Einstein 1 cited improved identification 
        of incidents and mitigation of attacks, but determining whether 
        the initiative is meeting its objectives will likely remain 
        difficult because DHS lacks performance measures that address 
        how agencies respond to alerts.
---------------------------------------------------------------------------
    \9\ GAO, Information Security: Concerted Effort Needed to 
Consolidate and Secure Internet Connections at Federal Agencies, GAO-
10-237 (Washington, DC: Mar. 12, 2010).
---------------------------------------------------------------------------
   Trusted Internet Connections (TIC) Initiative.--This is an 
        effort designed to optimize individual agency network services 
        through a common solution for the Federal Government. The 
        initiative is to facilitate the reduction of external 
        connections, including internet points of presence. We recently 
        reported \10\ that none of the 23 agencies we reviewed met all 
        of the requirements of the TIC initiative, and most agencies 
        experienced delays in their plans for reducing and 
        consolidating connections. However, most agencies reported that 
        they have made progress toward reducing and consolidating their 
        external connections and implementing security capabilities.
---------------------------------------------------------------------------
    \10\ GAO-10-237.
---------------------------------------------------------------------------
DHS Needs to Fully Satisfy Its Cybersecurity Responsibilities
    Federal law and policy \11\ establish DHS as the focal point for 
efforts to protect our Nation's computer-reliant critical 
infrastructures \12\--a responsibility known as cyber critical 
infrastructure protection, or cyber CIP. We have reported since 2005 
that DHS has yet to fully satisfy its key responsibilities for 
protecting these critical infrastructures. Our reports included 
recommendations that are essential for DHS to address in order to fully 
implement its responsibilities. We summarized these recommendations 
into key areas listed in table 1.
---------------------------------------------------------------------------
    \11\ These include The Homeland Security Act of 2002, Homeland 
Security Presidential Directive--7, and the National Strategy to Secure 
Cyberspace.
    \12\ Critical infrastructures are systems and assets, whether 
physical or virtual, so vital to the Nation that their incapacity or 
destruction would have a debilitating impact on National security, 
National economic security, National public health or safety, or any 
combination of those matters. Federal policy established 18 critical 
infrastructure sectors: Agriculture and food; banking and finance; 
chemical; commercial facilities; communications; critical 
manufacturing; dams; defense industrial base; emergency services; 
energy; Government facilities; information technology; National 
monuments and icons; nuclear reactors, materials, and waste; postal and 
shipping; public health and health care; transportation systems; and 
water.

           TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO
------------------------------------------------------------------------

------------------------------------------------------------------------
     Bolstering cyber analysis and warning capabilities.
     Improving cybersecurity of infrastructure control systems.
     Strengthening DHS's ability to help recover from Internet
      disruptions.
     Reducing organizational inefficiencies.
     Completing actions identified during cyber exercises.
     Developing sector-specific plans that fully address all of the
      cyber-related criteria.
     Securing internal information systems.
------------------------------------------------------------------------
     Source: GAO.

    DHS has since developed and implemented certain capabilities to 
satisfy aspects of its responsibilities, but the Department still has 
not fully implemented our recommendations, and thus further action 
needs to be taken to address these areas. For example, in July 2008, we 
reported \13\ that DHS's US-CERT did not fully address 15 key 
attributes of cyber analysis and warning capabilities related to: (1) 
Monitoring network activity to detect anomalies, (2) analyzing 
information and investigating anomalies to determine whether they are 
threats, (3) warning appropriate officials with timely and actionable 
threat and mitigation information, and (4) responding to the threat. 
For example, US-CERT provided warnings by developing and distributing a 
wide array of notifications; however, these notifications were not 
consistently actionable or timely. As a result, we recommended that the 
Department address shortfalls associated with the 15 attributes in 
order to fully establish a National cyber analysis and warning 
capability as envisioned in the National strategy. DHS agreed in large 
part with our recommendations and has reported that it is taking steps 
to implement them.
---------------------------------------------------------------------------
    \13\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in 
Establishing a Comprehensive National Capability, GAO-08-588 
(Washington, DC: Jul. 31, 2008).
---------------------------------------------------------------------------
    Similarly, in September 2008, we reported that since conducting a 
major cyber attack exercise, called Cyber Storm, DHS had demonstrated 
progress in addressing eight lessons it had learned from these 
efforts.\14\ However, its actions to address the lessons had not been 
fully implemented. Specifically, while it had completed 42 of the 66 
activities identified, the Department had identified 16 activities as 
on-going and 7 as planned for the future.\15\ Consequently, we 
recommended that DHS schedule and complete all of the corrective 
activities identified in order to strengthen coordination between 
public and private sector participants in response to significant cyber 
incidents. DHS concurred with our recommendation. Since that time, DHS 
has continued to make progress in completing some identified activities 
but has yet to do so for others.
---------------------------------------------------------------------------
    \14\ GAO, Critical Infrastructure Protection: DHS Needs To Fully 
Address Lessons Learned from Its First Cyber Storm Exercise, GAO-08-825 
(Washington, DC: Sept. 9, 2008).
    \15\ At that time, DHS reported that one other activity had been 
completed, but the Department was unable to provide evidence 
demonstrating its completion.
---------------------------------------------------------------------------
Improving the National Cybersecurity Strategy
    Because the threats to Federal information systems and critical 
infrastructure have persisted and grown, efforts have recently been 
undertaken by the Executive branch to review the Nation's cybersecurity 
strategy. In February 2009, President Obama directed the National 
Security Council and Homeland Security Council to conduct a 
comprehensive review to assess the United States' cybersecurity-related 
policies and structures. The resulting report, Cyberspace Policy 
Review: Assuring a Trusted and Resilient Information and Communications 
Infrastructure, recommended, among other things, appointing an official 
in the White House to coordinate the Nation's cybersecurity policies 
and activities, creating a new National cybersecurity strategy, and 
developing a framework for cyber research and development.\16\ In 
response to one of these actions, the President appointed a 
cybersecurity coordinator in December 2009. We recently initiated a 
review to assess the progress made by the Executive branch in 
implementing the report's recommendations.
---------------------------------------------------------------------------
    \16\ The White House, Cyberspace Policy Review: Assuring a Trusted 
and Resilient Information and Communications Infrastructure 
(Washington, DC: May 29, 2009).
---------------------------------------------------------------------------
    We also testified in March 2009 on needed improvements to the 
Nation's cybersecurity strategy.\17\ In preparation for that testimony, 
we obtained the views of experts (by means of panel discussions) on 
critical aspects of the strategy, including areas for improvement. The 
experts, who included former Federal officials, academics, and private 
sector executives, highlighted 12 key improvements that are, in their 
view, essential to improving the strategy and our National 
cybersecurity posture. The key strategy improvements identified by 
cybersecurity experts are listed in table 2.
---------------------------------------------------------------------------
    \17\ GAO, National Cybersecurity Strategy: Key Improvements Are 
Needed to Strengthen the Nation's Posture, GAO-09-432T (Washington, DC: 
Mar. 10, 2009).

 TABLE 2.--KEY STRATEGY IMPROVEMENTS IDENTIFIED BY CYBERSECURITY EXPERTS
------------------------------------------------------------------------

------------------------------------------------------------------------
     Develop a National strategy that clearly articulates strategic
      objectives, goals, and priorities.
     Establish White House responsibility and accountability for
      leading and overseeing National cybersecurity policy.
     Establish a governance structure for strategy implementation.
     Publicize and raise awareness about the seriousness of the
      cybersecurity problem.
     Create an accountable, operational cybersecurity organization.
     Focus more actions on prioritizing assets, assessing
      vulnerabilities, and reducing vulnerabilities than on developing
      additional plans.
     Bolster public-private partnerships through an improved value
      proposition and use of incentives.
     Focus greater attention on addressing the global aspects of
      cyberspace.
     Improve law enforcement efforts to address malicious activities
      in cyberspace.
     Place greater emphasis on cybersecurity research and development,
      including consideration of how to better coordinate Government
      and private sector efforts.
     Increase the cadre of cybersecurity professionals.
     Make the Federal Government a model for cybersecurity, including
      using its acquisition function to enhance cybersecurity aspects
      of products and services.
------------------------------------------------------------------------
     Source: GAO analysis of opinions solicited during expert panels.

    These recommended improvements to the National strategy are in 
large part consistent with our previous reports and extensive research 
and experience in this area.\18\ Until they are addressed, our Nation's 
most critical Federal and private sector cyber infrastructure remain at 
unnecessary risk of attack from our adversaries.
---------------------------------------------------------------------------
    \18\ We are currently conducting additional reviews related to 
these improvements.
---------------------------------------------------------------------------
    In summary, the threats to Federal information systems are evolving 
and growing, and Federal systems are not sufficiently protected to 
consistently thwart the threats. Unintended incidents and attacks from 
individuals and groups with malicious intent have the potential to 
cause significant damage to the ability of agencies to effectively 
perform their missions, deliver services to constituents, and account 
for their resources. To help in meeting these threats, opportunities 
exist to improve information security throughout the Federal 
Government. The prompt and effective implementation of the hundreds of 
recommendations by us and by agency inspectors general to mitigate 
information security control deficiencies and fully implement agency-
wide security programs would strengthen the protection of Federal 
information systems, as would efforts by DHS to develop better 
capabilities to meets its responsibilities, and the implementation of 
recommended improvements to the National cybersecurity strategy. Until 
agencies fully and effectively implement these recommendations, Federal 
information and systems will remain vulnerable.
    Mr. Chairman, this completes my prepared statement. I would be 
happy to answer any questions you or other Members of the committee 
have at this time.

    Chairman Thompson. Thank you very much for your testimony.
    I now recognize Mr. Baker, to summarize his statement for 5 
minutes.

 STATEMENT OF STEWART A. BAKER, PARTNER, STEPTOE & JOHNSON, LLP

    Mr. Baker. Thank you, Chairman Thompson. It is a pleasure 
to be here, Ranking Member King, Members of the committee. As 
you mentioned, Mr. Chairman, I have recently finished a book 
that deals with this problem and I thought that might be useful 
just to point out that while two past Presidents have raised 
this issue and concerns about security, we have never been able 
to talk about the risks in unclassified terms. But there was a 
study done, a completely unclassified study done of the Dalai 
Lama's network and what happened to the Dalai Lama's network 
recently that is completely unclassified and gives us a sense 
of just how urgent this problem was.
    The Dalai Lama's network is actually very secure, it is 
well run and currently administered, and they understand that 
they are the subject of a lot of attacks. One person in that 
organization opened an e-mail from someone that they trusted. 
They opened an attachment that had survived anti-virus 
scrutiny. That one click, opening that one attachment, gave 
attackers access first to this person's machine, they 
downloaded information about that machine, uploaded 
compromising equipment that allowed them to compromise that 
machine and the network. When they were done, they were able to 
turn on the camera and watch that fellow at work, log every 
keystroke, turn on his mic and listen to him, download from the 
network all of the Dalai Lama's negotiating positions in the 
international negotiations.
    These are things that are happening to us as well. Everyone 
in this room if they are of interest to a foreign power could 
have that happen to them. Crooks are doing the same thing. They 
have begun using these same tools to compromise electronic fund 
transfer authorities that people have to steal hundreds of 
millions of dollars from American businesses. This is really a 
crisis.
    On the question of what--whether DHS, as the Chairman says, 
has what it needs, I think the answer is not yet. I think it is 
clear that this administration has taken the problem seriously, 
but probably has not moved quickly enough to address all of the 
issues. This committee can help, as can the President, by 
making it quite clear that the authorities, that it is granting 
DHS the kind of authority that it needs to address these 
problems. More authority would be particularly welcome.
    Two last points that I would raise. First, the Senate bill 
deals with a number of security issues and is a very good first 
step towards solving some of the security problems that we 
have.
    The last point that I would make is simply the BP oil spill 
shows us how much damage a single company can do that the 
company cannot then redress. If we had known how bad things 
were, how many corners were being cut in the industry before 
that oil spill, we would have demanded action on the part of 
industry as well as the Government. Well, we do know that we 
face exactly that kind of crisis in the context of 
cybersecurity. We are going to have a meltdown of our critical 
and National infrastructure, and now is the time to begin 
raising the standards.
    Thank you.
    [The statement of Mr. Baker follows:]

                 Prepared Statement of Stewart A. Baker
                             June 16, 2010

    Chairman Thompson, Ranking Member King, Members of the committee, 
it is a pleasure to appear before you again on a topic of such 
importance. I am Stewart Baker, formerly the Assistant Secretary for 
Policy at the Department of Homeland Security, and I am speaking for 
myself.
    I was responsible for cybersecurity policy while at DHS, and since 
leaving the Department, I have been practicing law and writing a book 
on, among other things, the risks posed by computer insecurity. I'm 
celebrating the release of the book today by attending this hearing, 
and I'm happy to share some of what I learned with you today. (Chapters 
of the book itself are also being made available for free on-line at 
www.skatingonstilts.com.)
    The first and most important thing to know about the cybersecurity 
crisis is that you no longer need a clearance to understand how bad 
things are. For a decade or more, Presidents told us that we faced such 
a crisis, but they were never able to provide much detail. The crisis 
was classified. As a result, Americans didn't pay much attention, and 
they certainly weren't galvanized to action.
    Thanks to a group of security researchers in Canada and elsewhere, 
though, we now have a good, unclassified analysis of what a cyberattack 
looks like. It is not pretty. And it is certainly not reassuring. If 
anything should stir the country to action on cybersecurity, it is the 
story of what was done to the Dalai Lama's computer network.
    The Dalai Lama and his office have been using the internet since 
the 1990s. His network administrators understand security risks, and 
they've been careful about computer security for years. They've 
implemented the standard defenses against network attacks.
    But even so, they kept getting signals that their communications 
had been compromised. So they called in a team of computer security 
experts.
    What the experts found was deeply troubling, and not just for the 
Dalai Lama.
    Some of the Dalai Lama's staff participate in internet forums. They 
chat with other, like-minded individuals about the Dalai Lama's goals 
and activities. Sometimes one of their online acquaintances sends them 
Word or .PDF documents relevant to those activities.
    No surprises there. Most of us have done most of those things.
    But the experts concluded that hackers had monitored these forums 
and then forged an email from a forum participant to a member of the 
Dalai Lama's staff. Attached to the email was a document of mutual 
interest. When the staff member opened the document, he also activated 
a piece of malware packed with it. While the staff member was reading 
the document, the malware installed itself in the background.
    The malware was cleverly designed; two-thirds of commercial 
antivirus software programs would have missed it. (Hackers often 
subscribe to antivirus software so they can test their malware against 
it at leisure.) Even if one attachment were stopped, it was a simple 
matter to retransmit the message using a different bit of malware; the 
attackers could keep trying until something got through.
    Once installed, the malware would ``phone home,'' uploading 
information about the victim's computer and files to a control server 
operated by the hackers.
    Next, the captured computer would download more malware to install 
on the staff member's machine. This was often a complete administrative 
program that would allow the attackers to completely control the 
staffer's computer, and in some cases the entire network.
    The administrative malware took full advantage of today's 
technology. It featured a graphic interface with dropdown menus 
offering even an unsophisticated attacker a wide variety of options.
    Want to record every keystroke as the user types so you can steal 
all his passwords? Check one of the options on the menu.
    Want to turn on the user's microphone, turning it into a bug so you 
can listen to the office conversations? Check another box.
    Want video straight from the user's desktop camera? That's just 
another option on the menu.
    In the end, the Dalai Lama's office was living a version of 
Orwell's 1984. Telescreens in each room spied on the occupants. But in 
this version of 1984, Big Brother didn't even have to pay for this spy 
equipment. It had been purchased and installed by the victims.
    Once the hackers had compromised a single computer on the network, 
it wasn't hard to compromise more. Every time an infected computer sent 
a document by email, malware could be attached to the file. The 
recipient couldn't possibly be suspicious; the email and attachment 
were exactly what he expected to receive from his colleague, and it had 
been reviewed by an antivirus program. He opened the document. The 
malware installed itself in the background. The cycle began again. It 
was an entire network of surveillance, dubbed Ghostnet by the security 
team.
    Ghostnet has lessons for all of us, including Members of this 
committee. Do you rely on standard commercial antivirus software to 
scan attachments? Do you open documents sent by people you've 
encountered on-line? How about documents from sources, contributors, or 
constituents? How about colleagues, coworkers, and staff? Of course, 
you do. So do I. And that means that most of us are no more able to 
defend ourselves from this attack than the Dalai Lama was.
    That means we have no guarantee that foreign governments have not 
penetrated our home or even our office computer networks in the same 
way as the Dalai Lama, no guarantee that they are not monitoring our 
every keystroke on-line.
    Indeed, when I talk to computer security experts about how to 
defend against intrusions, they usually tell me to assume that the 
intrusions have happened before and will happen again. Because there's 
no way to stop them. At best, you might be able to catch the intruders 
when they try to steal your data. But you can't count on that, either.
    Now that we understand the scope of the problem, what are we doing 
about it?
    So far, not much. That's not a recent development, either. 
President Clinton cautioned a decade ago, in January 1999, that, ``We 
must be ready--ready if our adversaries try to use computers to disable 
power grids, banking, communications and transportation networks, 
police, fire, and health services--or military assets.'' A year later 
he proposed a series of measures to address the security problem.
    Two years later, President George W. Bush created a special adviser 
on cybersecurity who spent a year developing a computer security 
strategy.
    Neither effort made much headway. The public didn't see the 
problem. The network attacks that alarmed official Washington were 
classified. Officials couldn't talk about them.
    Meanwhile, privacy and business interests worked overtime to 
persuade the public that National security concerns were overwrought. 
The real risk was Government monitoring and Government regulation, they 
insisted.
    And that, by and large, was the view that prevailed--twice, and 
under two Presidents. Nothing was done about computer security that 
anyone in the privacy or business lobbies might object to.
    In 2009, President Obama became the third President who promised to 
make computer security a top priority. Shortly after taking office, the 
Obama administration produced a security strategy. Once again, though, 
the strategy lacked punch. It failed to call for any action that could 
possibly irritate business or privacy groups.
    Since then, the President has belatedly appointed an experienced 
security professional to the National Security Council. DHS has begun 
hiring a large number of security professionals, and it is rolling out 
the least controversial incarnations of the Government's intrusion 
detection system, called Einstein. But the administration has shown no 
sense of urgency in addressing the massive problems we face, especially 
in the private sector, where most of our critical infrastructure can be 
found.
    That's why I'm pleased to be able to say that the Senate Homeland 
Security Committee has risen to the challenge. It recently offered a 
bipartisan and comprehensive bill that would address the problem in a 
responsible fashion. Senators Joe Lieberman (I-Connecticut), Susan 
Collins (R-Maine), and Tom Carper (D-Delaware) have introduced a bill 
that offers a real opportunity to improve the Nation's cybersecurity.
    I'm going to set aside the ``boxology'' imposed by the act--a new 
White House Office for Cybersecurity Policy headed by a Senate-
confirmed director, and a new freestanding security office (the NCCC) 
at DHS, which would include the existing U.S. Computer-Emergency 
Response Team (US-CERT) and would be responsible for detecting, 
preventing, analyzing, and warning of attacks. This office too would be 
headed by a political appointee who would be Senate-confirmed and would 
report directly to the Secretary of Homeland Security. If that were all 
the bill did, it would not add greatly to our security.
    The real substance of the bill lies in the requirements it would 
impose on those critical infrastructures selected by the Secretary for 
coverage. (```Critical infrastructure'' is defined by statute as 
``systems and assets, whether physical or virtual, so vital to the 
United States that the incapacity or destruction of such systems and 
assets would have a debilitating impact on security, national economic 
security, national public health or safety, or any combination of those 
matters private sector.'')
    First, the NCCC would, in coordination with the private sector, 
identify cyber vulnerabilities in covered infrastructures, and submit 
the findings to Congress. After consulting with the private sector, the 
NCCC would then issue regulations creating ``risk-based'' security 
performance requirements for covered infrastructures. Owners and 
operators of the infrastructures would then select the specific 
security measures they will implement to satisfy the security 
performance requirement, and submit a compliance plan to the NCCC. 
Owners and operators would have the flexibility to implement any 
security measures that the Director determines would satisfy the 
security performance requirements. But, they would have to certify that 
they are in compliance, and would be subject to penalties if an audit 
by the NCCC determines that they are not. Those companies that meet the 
requirements would obtain some protection from liability, including 
immunity from punitive damages and limits on non-economic damages.
    Second, critical infrastructure companies would be required to 
report to the NCCC ``any incident affecting [their] information 
infrastructure . . . to the extent the incident might indicate an 
actual or potential cyber vulnerability, or exploitation of a cyber 
vulnerability.'' (``Information infrastructure'' means the ``underlying 
framework that information systems and assets rely on to process, 
transmit, receive, or store information electronically, including 
programmable electronic devices and communications networks and any 
associated hardware, software, or data.'') This requirement would sweep 
far more broadly than the data breach notification rules that presently 
exist at the State level, since it would include ``any incident'' that 
indicates even a ``potential cyber vulnerability.'' But information 
shared with the NCCC would be protected from public disclosure.
    Third, the bill would authorize the President to declare a National 
cyber emergency, which would then trigger the issuance by the NCCC of 
specific emergency measures to protect the continuing operations of 
critical infrastructure. Those measures would expire after 30 days 
unless the President or NCCC Director extended them. The emergency 
measures would have to be the ``least disruptive'' means necessary, and 
could not be used to avoid the requirements of the rules for 
intercepting phone calls or emails for law enforcement or intelligence 
purposes. Owners of covered critical infrastructures would have to 
comply with the emergency measures unless the NCCC approved alternative 
measures suggested by the infrastructures. Those owners that comply 
would be immune from civil suit in some instances, or would be 
protected from punitive damages and damages for non-economic harm in 
others.
    I have no doubt that this bill will prove controversial. Privacy 
groups will tell us that the Government can't be trusted with any 
authority over the computer networks on which we depend. Business 
groups will tell us that Government regulation will raise costs and 
stifle innovation. I have no doubt that the proposed legislation will 
need to be modified as it makes its way through Congress. But I 
strongly urge this committee to give it careful consideration.
    Today, we have a new, and troubling, example of what can happen if 
Government fails to take responsibility early for avoiding a serious 
risk.
    As I speak, oil has been escaping from BP's Deepwater Horizon spill 
for nearly 2 months. As the spill shows, private companies are quite 
capable of setting the stage for catastrophes well beyond their ability 
to remedy. We properly expect the Government to regulate companies to 
address risks that can't be internalized by the companies taking the 
risks. And when disaster strikes despite those efforts, we expect the 
President to have the authority to respond. The Government is paying 
the price today for the actions it didn't take in the months and years 
before the blowout.
    The same thing will be true, in spades, if another country launches 
a computer network attack on U.S. infrastructure. Do we want the 
Government to look as helpless in response to such an attack as it 
looks today in response to the BP spill?
    Bad as the spill is, the country still has electric power, working 
phones, and a banking system. If we are attacked, we can't count on any 
of those things. But without something like the Senate bill, the 
President will be even more helpless to respond to the attack than he 
has been to respond to the oil spill.
    Put simply, the country can't afford a disaster on that scale. And 
neither can its leaders.

    Chairman Thompson. Thank you very much. I am not certain 
when the book signing will be, Mr. Baker, but I am sure we will 
hear from you. Thank you very much. Let me thank our witnesses 
for their testimony, and we will now start with our 
questioning. I will begin.
    Mr. Schaffer, can you tell the committee your guesstimate 
of how many times our systems are hacked on a daily basis, if 
you know?
    Mr. Schaffer. Sir, I couldn't give you an estimate of how 
many times our systems are hacked on a daily basis. I can tell 
you that our systems, like most of the internet, is under a 
constant barrage of attacks from a variety of known actors, 
ranging from basic criminals, sophisticated criminals to 
nation-state actors. So there is a wide range of attackers out 
there taking advantage of the vulnerabilities that are in the 
infrastructure. The Federal Government, like all others who 
leverage that infrastructure, are subject to attacks.
    Chairman Thompson. To what extent are we able to deter 
those attacks?
    Mr. Schaffer. I think that we are making progress towards 
deterring those attacks on a regular basis through the various 
programs like EINSTEIN and the Trusted Internet Connection, 
reduction of our connections to the open internet through 
deploying intrusion capabilities that allow us to have 
situational awareness and that give warnings of mitigation to 
the departments and agencies.
    Chairman Thompson. Ten percent, 20 percent, 30 percent?
    Mr. Schaffer. Sir, I wouldn't venture to guess the 
percentage because until you know the entire attack surface, it 
is hard to know what we are----
    Chairman Thompson. So we don't know?
    Mr. Schaffer. I would say we don't know the full extent of 
what is being blocked, no.
    Chairman Thompson. Mr. Skinner, do you have any information 
on that?
    Mr. Skinner. No, Mr. Chairman, I do not. One of the things 
that we did identify doing our audit, there is big gaps out 
there. We are only monitoring through EINSTEIN those 21 
agencies. Those that are not signed into, we cannot adequately 
monitor, so that there is no way to see what is going on with 
these others agencies.
    Chairman Thompson. Thank you. Mr. Schaffer, since we 
monitor those 21, can you give us the statistics on those?
    Mr. Schaffer. Sir, what we have deployed today--we are 
deployed to and operational at with the EINSTEIN 2 technology--
--
    Chairman Thompson. Have we deployed EINSTEIN 2?
    Mr. Schaffer. We have deployed EINSTEIN 2 to 11 of 19 
agencies that it is currently planned for, yes.
    Chairman Thompson. So we couldn't do it with EINSTEIN 1?
    Mr. Schaffer. EINSTEIN 1 was a flow monitor. It allows us 
to see the traffic moving through and then we would do analysis 
on the traffic.
    Chairman Thompson. Give me what EINSTEIN 2 has provided.
    Mr. Schaffer. EINSTEIN 2 is showing us about 278,000 
indications of potential malicious activity at the perimeter of 
our networks on a monthly basis today with the deployments that 
we have. That doesn't mean that all of those attacks were 
successful. It simply means that there is indications of 
malicious activity 278,000 times on the average month.
    Chairman Thompson. Okay. In the event of a cyber attack to 
our system who is in charge?
    Mr. Schaffer. Sir, in event of a cyber attack on our 
civilian networks, our Executive branch civilian networks, DHS 
has the lead to manage that response. The various departments 
and agencies, including the Department of Defense, the NSA, 
various others, would all be involved and engaged depending on 
what the nature of the attack looked like, where the attackers 
were focusing their energies and what was needed in order to 
execute on the response.
    Chairman Thompson. So Mr. Wilshusen, can you provide any 
more information on the question of who is in charge based on 
your review?
    Mr. Wilshusen. I think that is one of the challenges that 
needs to be addressed, is who is actually in charge. With the 
White House Cybersecurity Coordinator in place now, what is his 
role relative to those at DHS? I think that is certainly a 
valid challenge that still remains to be addressed.
    Chairman Thompson. So is it we are not quite sure who is in 
charge or what? Mr. Wilshusen.
    Mr. Wilshusen. I think that is the case, yes.
    Chairman Thompson. Mr. Skinner, with respect to the 
overreliance on outside contractors to staff this operation, do 
you see that as a vulnerability for that Department?
    Mr. Skinner. I believe what we should be doing is in fact 
inherently governmental, we should be using our own employees. 
Right now that is the only alternative we have. It is better to 
have cleared contractors than to have no one. The contractors 
have been very, very useful in filling the gap until we can 
fill up our resources.
    Chairman Thompson. Mr. Schaffer, at what point do you 
think, given the goodness of Congress to provide authority for 
significant staffing of your operation, that you can complete 
that mission?
    Mr. Schaffer. Mr. Chairman, we have been staffing up within 
the National Cybersecurity Division significantly and in 
particular at US-CERT. At the start of fiscal year 2009 we had 
16 people at US-CERT. At the start of 2010, we had 31. Today we 
have 55. We have another 25 in the pipeline going through 
security that have been offered jobs. So by the end of the year 
for US-CERT, we anticipate that we would have about 80 Federal 
staff in place.
    Chairman Thompson. So by the end of the year you will have 
80 people. How long did it take you to hire 80 people?
    Mr. Schaffer. Again, the ramp-up has been fairly steep, 
sir. But we went from 16 at the start of fiscal year 2009 to 
hopefully 80 at the end of fiscal year 2010.
    Chairman Thompson. So in 2 years you hope to hire 80 
people?
    Mr. Schaffer. Sir, the type of people that we need to hire, 
as mentioned by some of the gentlemen to my left, are not 
easily found. The skill sets that we are looking for are very 
specific and very high level of skill and capability in 
cybersecurity and they are sought after by every department and 
agency that is trying to implement their program, by the 
private sector players who are anxious to ensure that their 
systems are correctly defended. These are the type of people 
that we are looking for that are in very high demand and we are 
looking for the right ones in order to fulfill the mission.
    Chairman Thompson. Thank you. I yield to the Ranking 
Member.
    Mr. King. Thank you, Mr. Chairman. This is sort of a 
follow-up to the Chairman's line of questioning.
    Mr. Schaffer, if a sophisticated cyber attack were launched 
today or tomorrow against the financial systems, banks, New 
York Stock Exchange, who coordinates the Federal response and 
whose authorities are triggered?
    Mr. Schaffer. Again, I think that it is clear that 
ultimately the White House is responsible for coordination and 
the coordinator, Howard Schmidt, has that ultimate 
responsibility. Within the interagency, there are lanes where 
different agencies would have responsibility, lead 
responsibility for the defense of the networks and for the dot-
com space. With the financial services industry, I believe DHS 
has the lead. We are in the process of building out a National 
Cyber Incident Response Plan, and that plan will more clearly 
define the roles and responsibilities of the different 
departments and agencies, how DOD, DOJ, DHS and others will 
participate and play their various roles. That plan is being 
developed as an interagency process as well as in cooperation 
with the private sector entities that would have to play a 
large role because they own so much of the infrastructure and 
will have to provide so much of the support in a major 
incident.
    Mr. King. That doesn't make me confident, though, that if 
we were attacked tomorrow everyone would know how to respond. 
It seems like you are still trying to work your way through 
that.
    Mr. Schaffer. We are certainly in the process of finalizing 
the National Cyber Incident Response Plan. Until that is 
finalized and moved through the interagency process, there will 
be some questions. But we are in the process of trying to get 
to clarity there.
    Mr. King. Does anyone else wish to comment on the immediacy 
of that threat as to what would happen if we were attacked 
tomorrow? Stewart.
    Mr. Baker. There is no doubt that we are not prepared to 
address a major cyber attack today. I don't want to 
overemphasize the importance of sorting out all of the lanes in 
the road because in a crisis the President will take charge, he 
will own this. It won't be Howard Schmidt, it will be the 
President who has to make sure that this problem is solved. I 
believe that rather than focusing too much on which box goes 
where or who has what authority, the important thing is to make 
sure that the resources are there, that there is bipartisan 
support for hiring people quickly to address these problems, 
and that we find much better ways to work with the private 
sector, which I think at this point has no clue who would be 
their contact point or what their responsibilities would be. 
That is something that I think the Senate bill does a good job 
of starting to address.
    Mr. King. Let me ask you that then, about the Lieberman-
Collins bill. What are the greatest advantages offered by the 
legislation?
    Mr. Baker. I think first it responds to the need to deal 
with the fact that the risks are principally in the private 
sector and much of the infrastructure is in private sector 
hands, and yet a desire to avoid heavy-handed regulation by 
saying we are going to pick out the most critical 
infrastructure, we are going to impose performance requirements 
on the critical infrastructure and make sure they can meet 
certain standards any way they want and then requires a 
reporting of incidents that raise questions about whether the 
infrastructure will actually function and an ability in an 
emergency for the President to say this is what has to happen 
first, this is what has to happen second, and to make sure that 
the private sector responds. An authority that clearly when you 
look at things like financial meltdown or the BP oil spill, the 
President has to have and he doesn't really have in this area.
    Mr. King. In your testimony, Mr. Baker, you talk about the 
lack of a sense of urgency in addressing the massive problems 
with cybersecurity. How can we best address this lack of 
urgency? How do we get this out to the departments, to the 
people, to the society as a whole?
    Mr. Baker. Clearly the President needs to own this and to 
move forward with a number of the issues that really have been 
hanging fire since the beginning of the administration. I don't 
say that this President is alone in not having solved the 
problem. Two other Presidents have said this is a crisis, we 
need to address it, and have not fully addressed it. But he 
clearly needs to make it a priority for every part of 
Government to address this problem.
    Congress can do the same by strengthening DHS's 
authorities. We need to make it clear to industry that this is 
our top priority because the next time we get into a serious 
international conflict, we could lose large parts of our cyber 
infrastructure to attackers.
    Mr. King. Thank you. I thought you were going to suggest 
that everybody read your book. But in any event, I yield back.
    Thank you.
    Chairman Thompson. The Chairman now recognizes the 
gentlelady from California, Ms. Lofgren for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman. Thanks for having 
this hearing. I think it is very important, and I hope that we 
will have other opportunities in addition to this one to review 
these matters. I was happy to read the IG's report and I think 
there is some useful suggestions in there. I was actually 
disappointed, I did not realize that US-CERT did not have 
automated correlation tools. That is something that ought to be 
remedied pretty promptly.
    But I want to get into the capacity issue. There has been a 
discussion that the U.S. Government authority, DHS or OMB I 
guess for that matter, ought to have more authority, and it 
seems to me without more capacity, we are not in a very good 
position to be asking for more authority.
    I am not as troubled by the idea of having contractors on 
board provided that they are adequately directed and supervised 
for this reason. I see the kids walking over the line to 
graduate with their Ph.D.s in computer science at Stanford, and 
I don't know that we are going to succeed in getting those 
young people to apply for a Federal job, but we need them. We 
are going to have to pay them a lot of money, more than the GS 
scale provides. Even then we will be lucky to get some of them. 
So provided that we are using contractors to attract really 
people that are in that competitive league I would personally 
encourage that we do so and promptly. Not that those young 
people necessarily have the managerial skills that are 
necessary to organize the responses, but the technical skills 
cannot be replicated by someone who is 5 or 6 years out from 
the academic studies, in my opinion.
    So you can comment if you want on that. I also wanted to 
comment on where we are vis-a-vis the critical infrastructure. 
I am mindful that it really has been many years since we have 
had somebody in the White House with expertise on cyber, and I 
was glad to see that the President appointed Howard Schmidt, 
who has a background, who is an old hand. But the thing is he 
can't do the operations. He is looking to the civilian sector I 
hope in DHS, which I think is better suited theoretically than 
OMB. What I do want is to have sufficient capacity in DHS so 
that we don't end with up the NSA running this program. Because 
if you look at the entire panoply of expertise that resides in 
the Federal Government, you would have to say they have 
probably the most to offer today in terms of just raw 
expertise.
    So what is the strategy to get the talented people we need 
as soon as possible? Are we paying enough? I come from Silicon 
Valley. Hiring, it has woken up. All the big companies are 
hiring now. The economy is coming, so we are about to have an 
even more competitive job market. Now is the time to grab those 
young people.
    Mr. Schaffer. Congresswoman, I think that there is no 
question that we are trying to execute expeditiously to hire as 
many people as we are authorized to have within the program. 
Indeed, we expect within NCSD, and I think you have to look at 
all of NCSD, not just US-CERT, to realize all of the programs 
and execute well, not just US-CERT with the situational 
awareness and the dissemination of information, but also the 
programs designed to go into the departments and agencies and 
make repairs, as well as the programs designed to get 
information out to the critical infrastructure players and 
assist them in dealing with incidents and being prepared for 
incidents. So in NCSD, the numbers there are significant as 
well. We went from 35 on staff in 2009 to 118 in--beginning of 
2010 to about 193 today with 46----
    Ms. Lofgren. Could I ask you, since our time is limited? 
Could you follow up--you don't need to give me the names--but 
the individuals and kind of their profile, where did they get 
their Ph.D., what year did they get their Ph.D., just so I can 
have a sense of the personnel that has been selected?
    Mr. Schaffer. We can certainly get that.
    Ms. Lofgren. I would appreciate that. I just want to say 
that I think we are so far behind where we need to be, really a 
decade of serious neglect honestly, that I am worried. It is 
not because of whether there will be cyber attacks. There are 
right now and there will be more.
    I continue to be concerned not only about our lack of 
preparation internally within the Government, but the 
coordination between clinical infrastructure that is held for 
the most part outside the Federal Government, either by private 
sectors or in some cases non-Federal public sectors, in energy 
development, energy transmission, water storage, water 
movement, financial sectors and the like.
    I don't think that they are as prepared--certainly the IT 
sector is all over this, but that doesn't mean that the non-IT 
sector has taken even minimally adequate steps. We have to do 
much more with those critical infrastructures sectors, and I 
don't think that we are really ready yet. I would like to see, 
Mr. Chairman, if in 6 months' time or 4 months' time we could 
have a better plan, maybe everyone in a workshop or closed 
session on where the benchmarks are, how we are getting there 
in terms of these major critical infrastructure sectors.
    I know my time is up. I thank you for your indulgence, Mr. 
Chairman.
    Chairman Thompson. Thank you very much. I look forward to 
making sure that information is provided. Also, Mr. Schaffer, 
staff met with you on June 9 and there was some information 
requested at that meeting that is yet to be provided. So we 
need to remind you to pick out where it is in the system and 
get it to them.
    Mr. Schaffer. Mr. Chairman, I know that is underway.
    Chairman Thompson. Thank you. The gentleman from Texas, Mr. 
McCaul, for 5 minutes.
    Mr. McCaul. Thank you, Mr. Chairman. In my judgment, this 
is probably one of the most serious National security threats 
we have today. Because everything is tied to the networks. We 
know there have been massive intrusions into the Federal 
networks. We know that espionage is taking place. If foreign 
agents were to cull paper files leaving the Pentagon, it would 
be on the front page of the Washington Post, and yet I think 
that is happening in the virtual world and no one is talking 
about it. The cyber warfare capability is growing every day. 
There was a denial-of-service attack last 4th of July. Imagine 
a stronger denial-of-service attack that hit the United States 
and shut power grids and energy sectors.
    We held hearings last Congress on this issue, then Chairman 
Langevin and I, and we asked a question of: Who is in charge? 
Nobody seemed to know the answer to that question. Since that 
time it is a little more, I think, clarified that DHS has a 
responsibility to defend the Nation from cyber attacks. We have 
tremendous offensive capability, but I am afraid our defensive 
capability is lacking. That is the weakness and sense of 
vulnerability. I think that is where we need to be 
strengthening our National asset, as the Chairman referred to. 
This is for--actually Mr. Schaffer and Mr. Skinner, the 
coordination with DHS and the other organizations. We have NSA, 
DOD that are very good at the offensive capability, but they 
are not working with, in my view, adequately enough with DHS to 
better prepare and defend this Nation.
    Can you comment on that?
    Mr. Schaffer. Thank you, Congressman. Actually, our 
relationship and cooperation with NSA is fairly extensive and 
quite productive. They support our mission in a variety of ways 
with technical assistance on various programs. The EINSTEIN 
program in particular, where we are currently conducting an 
exercise on new EINSTEIN 3 intrusion prevention capabilities, 
is supported by assistance from NSA. We work with DOD on a 
variety of initiatives in order to execute well and leverage 
the information that they can bring to bear on the commercial 
side and for the civilian branch departments and agencies in 
the dot-gov space.
    So our goal is to bring all of the resources of the Federal 
enterprise to the fight to defend the networks. I think the 
problem for all of us today is that defense loses in cyber too 
much of the time because the ecosystem was not designed and 
built from the beginning to be a good place to defend yourself. 
So offense has the advantage, and until we change that we will 
continue to have some challenges. But I think we are working 
very hard across the interagency and in cooperation with both 
the White House and our partners at DOD to try to bring all of 
the resources to the fight.
    Mr. McCaul. That is good to hear. We worked with CSIS to 
issue a report to the President, recommendations that in terms 
of this coordination role that this be coordinated from the 
White House, had to be elevated to the White House level. A 
Cyber Coordinator position had to be created. That has been 
done. Howard Schmidt is the cyber coordinator. I am concerned 
that his requisite authorities are not strong enough to carry 
out that mission and that responsibility.
    Mr. Skinner, I know in your report you talk about the White 
House responsibility for leading and oversee a National 
cybersecurity policy. Chairman Langevin and I introduced a bill 
to make this cyber coordinator position a Senate-confirmed 
position with an Office of Cyberspace in the requisite budget 
authority to give them the authorities necessary to carry out 
the coordination mission. Do you have any comments or thoughts 
on that?
    Mr. Skinner. We did not look at the authorities or the 
responsibilities of the White House per se. What we were 
focusing on is the authorities within US-CERT and how they can 
compel their partners, their stakeholders, and the Federal 
agencies to comply with or provide assurances that they are 
addressing or reacting to recommendations and guidance provided 
by DHS and that we just focused on that one particular issue.
    Mr. McCaul. I just think that needs to be strengthened in 
my judgment.
    Last set point, my time is running out. Private sector 
coordination. We have the Information Sharing Analysis Centers, 
the ISACs. Can you tell me, Mr. Schaffer, how that has 
improved, if it has?
    Mr. Schaffer. The Department, of course, is leveraging the 
ISACs as well as all of the NIP structure, the 18 sectors and 
their sector coordinating councils to execute well in terms of 
getting information out to the private sector. I think with the 
MS-ISAC and the IT-ISAC, the financial services ISAC, we have 
various projects on-going to expand our connectivity to those 
organizations. So for the financial sector, for example, you 
have an on-going pilot where we are using DOD information, DHS 
information, and the financial services industry information, 
bringing that together in a way that anonymizes the private 
sector data so that they are more willing to bring the 
information forward so that that can be shared among those 
organizations, operationally improving all of our security 
posture.
    So we have got some projects, I think, that really do 
leverage those ISACs and take advantage of what they can bring 
to the fight.
    Mr. McCaul. Thank you very much. I see my time has expired.
    Chairman Thompson. Thank you. The gentleman from Missouri 
for 5 minutes, Mr. Cleaver.
    Mr. Cleaver. Thank you, Mr. Chairman. Yesterday our 
subcommittee of this committee dealt with the Office of 
Disability Integration and Coordination and I was concerned 
there that they had insufficient funding to do the job they 
were commissioned to do. I find myself today equally concerned 
about and frustrated over the fact that the GAO believes the 
staffing is not sufficient to fulfill this Herculean mission 
you have, Mr. Schaffer. If we have 98 positions authorized and 
we have only filled 38 of those positions, it means that we are 
fighting a cyberspace war with only half our troops. I would 
like to note what the problem is in filling all of the 
positions and doing so quickly.
    Mr. Schaffer. Thank you, Congressman. I think that today we 
are at 55. So we have made some progress since when the report 
being referenced was issued. We have 25 more in the pipeline 
which will get us to about 80 by the end of the fiscal year. 
The challenge is in identifying the right people and getting 
them to accept positions and to come on board here with us to 
move things forward. Again, it is a space where there are a 
limited number of resources that really can fulfill the 
mission, go through the security clearance process, and be able 
to staff us the way we need to be staffed.
    We augment those positions with contractors. Right now US-
CERT is leveraging about 230 contract staff. The process of 
ramping up in this space is challenging and we are doing 
everything that we can to aggressively hire. We will reach our 
full complement within all of NCSD in terms of the authorized 
positions we think by the end of the year. So we are doing 
everything we can to be aggressive about getting the positions 
filled.
    Mr. Cleaver. That is refreshing to hear because if 
something should happen, we get beat up twice. We have the 
incident and then the pain of we weren't paying attention, we 
didn't have the sufficient staff to deal with the problem.
    Let me skip down. I represent Kansas City, Missouri, and an 
area around it. Kansas City is the second-largest freight rail 
center in the Nation. As freight rail companies turn more to 
internet to control its signals and dispatching, it also means 
that they become more and more vulnerable to cyber threats.
    Is there something being done with regard to the private 
sector in this battle that we find ourselves fighting? If so, 
what can we do to enhance it? What can this committee do to 
enhance that relationship and coordination?
    Mr. Schaffer. Yes, sir. That area is indeed one of our 
primary areas of focus at the Department. The control system, 
the industrial control system security is paramountly important 
because, as you point out, connectivity to the internet of 
those systems is increasing. So we have done several things. We 
stood up this year, last year the ICS, the Industrial Control 
System Computer Emergency Response Team. That team provides 
assistance to the private sector. We have trained 14,000 
individuals in industrial control vulnerability and defense. We 
are putting out teams to do a vulnerability assessment and to 
assist the private sector in understanding what their 
particular system might be vulnerable to and how to implement 
mitigation strategies.
    We have flyaway teams that are capable of going out during 
an incident to assist a private sector entity with a problem so 
that it doesn't involve a breakdown of the control systems, a 
power grid going out or water system failing and such.
    We are working hard to put out best practices and 
information so that the private sector has the best thinking 
from the Government around how to defend these systems. We hope 
to get in front of the problem as more and more of these 
industrial controls are attached and leveraging the IP-based 
networks that the IT systems have long been attached to. So we 
see that as a primary area to focus attention on, and we are 
doing a lot to try to expand in that space.
    Mr. Cleaver. Thank you, Mr. Chairman.
    Chairman Thompson. Thank you very much. The Chairman now 
recognizes the gentleman from Texas, Mr. Smith, for 5 minutes.
    Mr. Smith. Thank you, Mr. Chairman. Mr. Wilshusen, first 
question to you, and that is I believe it was March 2009 when 
you made your recommendations to Department of Homeland 
Security. That is about 15 months ago. What percentage of your 
recommendations have been implemented to date?
    Mr. Wilshusen. Are you referring to the National strategy?
    Mr. Smith. Yes.
    Mr. Wilshusen. That is one thing we are still following up 
on in terms of the recommendations DHS is making some progress 
with----
    Mr. Smith. I know they are making some progress and I have 
heard today they have a ways to go. I am asking you though what 
percentage of that strategy have they actually implemented now, 
15 months later?
    Mr. Wilshusen. Well, of the National strategy, not all of 
the issues would actually pertain to DHS.
    Mr. Smith. Okay. Of the ones that pertain to DHS.
    Mr. Wilshusen. That I would have to get back to you in 
terms of the very specific numbers on those.
    Mr. Smith. I am not asking for a specific number, I am just 
asking for a guesstimate.
    Mr. Wilshusen. I would say at present it is probably about 
30 to 40 percent.
    Mr. Smith. Thirty to 40 percent after 15 months? Okay. 
Thank you for that response.
    Mr. Baker, how would you compare the private to the Federal 
Government as far as its ability to deter cyber attacks?
    Mr. Baker. Parts of the private sector are clearly well 
ahead of the Federal Government. Financial institutions have 
stronger systems in place. They have since for about 5 or 8 
years been actively monitoring every packet that comes in and 
rejecting any packet that appears to be malware using very 
sophisticated signatures. We are barely at the point of getting 
about half of our institutions to monitor what is coming in, 
which only tells them that they have been screwed. It doesn't 
tell them that they are protected. So we have got--we are 
talking about installing systems that monitor the malware as it 
comes in. Prevention, actually rejecting them, is going to wait 
still for many agencies for months or years, and a lot of that 
is hung up in lawyers, you know, wringing their hands about 
whether they can really implement those programs.
    Mr. Smith. Private sector ahead. Thank you.
    Let me address my next question to you, Mr. Skinner and Mr. 
Wilshusen and Mr. Baker, and it is this. All you have said in 
one way or another that the Federal Government, the 
administration has been slow in implementing or taking the 
necessary steps to protect the Federal Government against cyber 
attacks.
    What are the consequences of this continued vulnerability 
to the country? Mr. Skinner.
    Mr. Skinner. If I may begin, it definitely puts us at risk. 
We have to understand why this was not a top priority within 
the Department. One, we were new, established in 2002, 2003.
    Second, we had to establish priorities, and there was only 
so many resources that can go around. We focused, the 
Department focused its attention on border security and air 
security. As we matured in those areas, then we turned, the 
Department turned its attention to cybersecurity.
    Unfortunately, the train has left the station. We are now 
chasing the problem as opposed to being ahead of the problem. 
We have a long way to go. But at least we recognize that we 
have a serious problem here, a serious threat here that needs 
to be controlled, and that is where we are headed right now.
    Mr. Smith. Thank you. Mr. Wilshusen.
    Mr. Wilshusen. I think the risk is very significant to 
Federal systems as well as to critical infrastructure that is 
cyber-based. We have reported on a number of occasions on 
incidents that have occurred and the resulting effect of that 
which resulted in at some points personally identifiable 
information being disclosed to unauthorized individuals, to 
vast amounts of information related to various different 
security programs being exfiltrated out to their organizations 
and individuals. So the risk is very real and significant to 
the Federal Government.
    Mr. Smith. Thank you. Mr. Baker, I am going to go to my 
last question because I only have a short period of time left, 
but I do address it to all three of you all. Mr. Skinner and 
Mr. Wilshusen, you have just said that we are at risk. So my 
last question is this: What are the odds of the United States 
sustaining a debilitating cyber attack in the next year? I 
know, again, that forces to you guess, but are the odds great? 
Are they low? Give us some indication of how vulnerable we are 
and how much at risk we are. Mr. Skinner.
    Mr. Skinner. Congressman, I just wouldn't want to venture 
to because it would be a wild guess. But we are vulnerable. It 
could be significant.
    Mr. Smith. If you say we are vulnerable and at risk that is 
pretty significant, too. Mr. Wilshusen.
    Mr. Wilshusen. Again, I couldn't hazard a guess as to the 
percentage. But it is more than what we should be and more than 
what Federal agencies should be able to protect their systems.
    Mr. Smith. Okay. Mr. Baker.
    Mr. Baker. If we end up in a serious conflict with five or 
10 very sophisticated countries, we will be attacked and we 
will not know how to respond. So the real question is: Are we 
going to end up in a conflict like that? One of the things I 
worry about is that we will not defend our interests, the 
interest of our allies for fear of a cyber attack. That could 
happen at any time.
    Mr. Smith. Thank you very much. All very informative. Thank 
you, Mr. Chairman.
    Chairman Thompson. Thank you. The Chairman now recognizes 
the gentlelady from California, Ms. Harman, for 5 minutes.
    Ms. Harman. Thank you, Mr. Chairman. I want to express my 
solidarity with Mr. Skinner as a cyber immigrant. That may 
apply to many of us over a certain age, but I would observe 
that the number of students who have been wandering, or not 
wandering but walking in an orderly way in and out of this 
hearing probably have come to these issues more naturally than 
we have. But we are catching up. Let me observe that on behalf 
of the older class. We are catching up, and the business is 
urgent.
    The visual image that we all have on our television sets is 
of a broken pipe, a mile under water spewing tens of thousands 
of gallons of oil and natural gas with no easy or immediate 
solution in sight. I would just analogize that to a major cyber 
attack where we could have a broken network or networks spewing 
tens of thousands of bits of information on critical 
infrastructure, National security and mission-critical data, 
financial and personal data, et cetera. It could be as 
devastating or more devastating than the environmental 
catastrophe that is unfolding on our TV sets.
    Does anyone disagree with this? No. Right.
    So as Mr. Baker said, ``We are going to have a meltdown.'' 
I see this as urgent business. It is nice to talk about how we 
could reorganize things, but I think we need to try to catch 
the problem, not just chase the problem, as Mr. Skinner said we 
are presently doing.
    This is not a criticism of you gentlemen, and it is not a 
criticism of the Members of the committee either. We have all 
been trying to get our arms around this. But we don't have our 
arms around this yet. Am I correct? Right. Okay.
    So let me say a couple of things. First of all, I agree 
with Mr. King that the Lieberman-Collins bill is excellent, and 
he and I have been talking about this. I have also talked to 
the Chairman about it. I just want to tell Mr. King that I do 
plan to cosponsor the bill with him.
    Mr. King. Will the gentlelady yield for one second?
    Ms. Harman. Sure.
    Mr. King. I will be the lead cosponsor on your bill.
    Ms. Harman. Did I just hear him giving me some power over 
something?
    Mr. King. You are getting it.
    Ms. Harman. My, my. Bipartisanship thrives in this 
institution. At any rate, thank you. But I think it is an 
excellent effort. I am sure it will change as it goes through 
the legislative process, but it will be a good thing to work 
with our counterparts in the Senate on this as we worked with 
our counterparts in the Senate on the SAFE Ports Act. Mr. 
Lungren remembers that. To good end. We ended up with a very 
good law.
    At any rate, I think it will give the Government new powers 
and new focus and perhaps, I hope, provide the sustained 
leadership that Mr. Skinner said we urgently need.
    But I also want to ask about something else. I don't think, 
as we have been discussing this this morning, and perhaps I 
missed a little bit of the conversation although I was trying 
to hear it, that we have adequately addressed the other side of 
this. We need to protect our systems. We need to get our arms 
around this problem and act aggressively. I believe that, and I 
will support efforts to do that.
    But we also need to make sure that we don't overdo it, that 
we are considering the fact that as we protect our security, we 
also want to protect our liberty. I have often said that 
security and liberty are not a zero sum game. We either get 
more of both or less of both. In saying that, I borrow from Ben 
Franklin, who thought of this 230 years ago.
    So that raises a question of something this administration 
has not acted on, and that is standing up the Privacy and Civil 
Liberties Oversight Board that was mandated in the 2004 
intelligence reform law that has been on the books for 6 years. 
The last administration made some effort at this, but we have 
not yet seen any names proposed for the confirmable positions 
for this board, and I just want to ask you, in my last 45 
seconds, any of you who would like to address this issue of 
civil liberties and the need for the Privacy and Civil 
Liberties Oversight Board.
    Mr. Schaffer. I would certainly chime in to say that the 
Department of Homeland Security believes that civil rights and 
civil liberties is a critically important part of how we 
address the cybersecurity issue, and we try to build a program 
that is focused on that from the start rather than trying to 
bolt it on at the end. We have resources within my office and 
within the Department that focus on everything that we are 
doing in that space. We have published several privacy impact 
analysis statements. We certainly believe that that is a 
critical part of the puzzle, and we very much want to make sure 
that we are focused on it as we go forward.
    Ms. Harman. Thank you. Any other comments?
    Mr. Skinner. I would just like to add that during the 
course of our review, we did validate, in fact, the Department 
is, takes very, very seriously the CR/CL, the civil rights/
civil liberties, and the privacy of individuals as they build 
these systems.
    Ms. Harman. Thank you, Mr. Skinner. Anyone else?
    Mr. Baker. I will simply add that some of that hand-
wringing that I think the lawyers are doing about oh, can we 
really look at and reject packets that are coming in is based 
on the fear of privacy concerns. So at a minimum, we have to 
have a mechanism for having these privacy issues raised and 
resolved quickly and not let them hang up important action too 
long.
    Ms. Harman. Thank you, Mr. Chairman.
    Chairman Thompson. Thank you very much. The Chairman now 
recognizes the gentleman from California, Mr. Lungren, for 5 
minutes.
    Mr. Lungren. Thank you very much, Mr. Chairman. Thank you 
for having this hearing. This is one of the most important 
issues we have facing us.
    Cybersecurity is the last among the various categories of 
security that we are really dedicating ourselves to. That is 
not a criticism of this committee. It just is a fact. The 
urgency that we need in responding to all of the threats out 
there in this new terrorist world is missing, unfortunately, 
across this country, and no more than in this particular place.
    Mr. Smith--excuse me--Mr. Baker, I have not bought your 
book, but I have read chapters because people should know they 
go to his website. I happened across it by accident, but once I 
saw those eyebrows I knew it was you, and fascinating and very 
informative and very, very effective.
    One of the things I think we ought to make clear is when 
Mr. Schaffer talks about 278,000 attacks per month, that is not 
a static number. That number is going up. It is almost 
exponential if you talk to people in the outside world about 
what is happening everywhere in the cyber world. So people 
ought to understand, 278,000 a month sounds big. Wait till next 
month and wait till next year. It is not just the Government 
sector, it is the private sector, and it is happening every 
single day.
    Maybe we need to find ways to explain it to the public a 
little easier. I was just sitting here listening to some of the 
phrases we use. We want to get in front of the problem. We want 
to ramp up in this space. We want to stand this up. I 
appreciate that is the way we talk back here. No one talks like 
that back home. We have got a big problem that we have to deal 
with. Right now people ought to know how serious it is.
    Mr. Baker, when you talked about the example of what 
happened to the Dalai Lama, and that he had a sophisticated 
network with all the protections in it and the damage that was 
done by a single person as a part of that network who received 
an e-mail from what he thought was a trusted individual who had 
an attachment and he clicked on to that attachment and that 
invaded the whole system and eventually allowed somebody from 
the outside to capture the system.
    Mr. Baker. That is right.
    Mr. Lungren. That is not unusual or idiosyncratic to that 
network, correct?
    Mr. Baker. Oh, we are all subject to this.
    Mr. Lungren. Let me ask you this. With respect to that 
particular attack, what success has there been in attributing 
those attacks to its origins, do you know?
    Mr. Baker. The people who did the study, some of them 
announced that they believed that it was the Chinese 
Government. Others refused to make that conclusion but 
presented evidence that suggested that the Chinese Government 
was behind it.
    Mr. Lungren. But it is not an easy thing to see the origin.
    Mr. Baker. It is almost impossible.
    Mr. Lungren. That is what people have to understand. You 
might be able to see the attack, but once you find the attack 
and even deal with the attack, sometimes it is difficult to 
find out who did it and they move on to another potential 
attack.
    Look, we could always have more money and have more people. 
I mean, everybody who comes before us says that. I understand 
that. I just want to ask the four of you, with the money we 
have now, with the authority that exists now, with the 
personnel that exists now under the authority given to you by 
this Congress, given to the Executive branch by this Congress, 
can we do a better job? Can we do a significantly better job? 
Or is the answer always going to be we could do a better job if 
we had more money and we had more personnel? In other words, 
are we doing the best we can with those we have? I don't mean 
this as a criticism of this administration. I have lauded this 
administration for giving real leadership to this area. But I 
am just asking current status.
    Mr. Wilshusen. No, sir, we are not doing as best as we can 
to secure our systems. On our engagements we consistently find 
that security has not been effectively implemented on devices. 
It is not due to not having the particular tool or the 
capability. It is just the controls are available, it is a 
matter of configuring specific devices to be more secure than 
what they presently are.
    Mr. Lungren. Getting people to use them, right?
    Mr. Wilshusen. Getting them to use them and implement the 
security so----
    Mr. Lungren. We just started with passwords in this 
Congress about 6 months ago. I have had more static from 
Members on the fact that the password has to be entered within 
30 minutes. I have had Members ask for 12 hours, 24 hours. If 
Members can't understand, and what I would like perhaps Mr. 
Baker and Mr. Schaffer to talk about is, some Members say to 
me, well, look. No one's interested in the information I have 
here. I don't have secure information on here.
    What are the potential for someone being able to latch on 
to one of these machines and be able to access it with Members 
who don't have classified information on the instrument?
    Mr. Baker. I would say first, you are going to take that 
machine and plug it into the entire network in order to 
download and sync up your e-mail. So you are, whatever happens 
to your machine will happen to the entire network.
    Second, we all have things that we would just as soon not 
see in the newspaper. If you hand over those secrets to someone 
who is hostile to the United States and they are in a position 
to at some point either embarrass someone who is opposed to 
them, or help somebody that has done them a favor, or to 
blackmail them with a secret, that is a disaster for U.S. 
networks.
    Mr. Lungren. What about an analogy to what happened to the 
Dalai Lama? They were able to listen to his negotiating 
position.
    Members of Congress might have information that can be 
heard over this just talking about what they understand the 
negotiating position of the administration to be, what they 
have heard from a witness, or what they believe the position of 
the administration ought to be.
    Mr. Baker. You are carrying around something that, if 
compromised, will tell whoever has compromised it where you are 
every second of the day and will allow them to turn it on and 
listen to you while you are talking to people and you won't 
even necessarily know that is happening.
    Mr. Lungren. That is not just with our system in the House 
of Representatives. This is virtually all systems that are out 
there.
    Mr. Baker. There are security holes in virtually every one 
of them.
    Mr. Lungren. Would you agree, Mr. Schaffer?
    Mr. Schaffer. I would. I guess I would also say that it is 
not just about what is on an individual device because that 
device, if compromised, can be used as an attack vector against 
other devices. So if we all size our risk management to what we 
have on the device, we will not get enough security for the 
society as a whole. That is one of the challenges that we have 
in this space.
    Mr. Lungren. Thank you very much, Mr. Chairman. I just 
wanted people to understand the nature of this crisis as it 
directly affects everybody here. If it affects us in this way, 
it affects the Executive branch and it affects the private 
sector, financial services, every industry out there.
    Thank you very much, Mr. Chairman.
    Chairman Thompson. Thank you. The Chairman now recognizes 
the gentleman from Texas, Mr. Green.
    Mr. Green. Thank you, Mr. Chairman. I thank the witnesses 
for appearing today. Your testimony has been quite revealing 
and, to a very limited extent, somewhat frightening. You are 
probably as old as I am, and I suspect you are familiar with 
the movie, the sci-fi movie, ``The Day the Earth Stood Still.'' 
It seems that we may be heading toward a scenario similar to 
that, perhaps not that same one, unless we act expeditiously.
    The ability to intrude brings along with it the ability to 
manipulate. Intrusion can be very harmful, but manipulation can 
be deadly. We have got to thwart the ability to manipulate not 
only information, but also manipulate machines, as we have 
identified the phone earlier, but devices, trains, planes, and 
to a certain extent, automobiles because of the way the 
technology is advancing with the automotive industry.
    So the first question I have for you is, is this more a 
question of will or is it more a question of way in terms of 
getting to the ultimate solution? If we had 100 percent of the 
will necessary to do this, can we find the way to thwart 
intrusion, given that the technology for intrusion 
metamorphoses on a daily basis? So help me, please, Mr. Baker. 
Is this more a question of will or way?
    Mr. Baker. Let me say I think your observation that 
intrusion can lead to manipulation is a critical one. This is a 
two-fer for foreign governments. First they spy on us using our 
systems, and then when we go to war they take down the systems 
when we need them. So it is a very serious problem.
    I do think that this is more a matter of will than way, 
that we can solve some of these problems. We are going to need 
to take action to make sure that we can actually respond to 
attacks and attribute the attacks to the people who are making 
those efforts. That means probably architectural changes in our 
approach to the internet. We need to be able to track back and 
find the people who actually launched that attack. That is 
going to require substantial changes in our architecture, but 
we can do it. If we do that we can deter a lot of these 
attacks.
    Mr. Green. Would anyone else care to respond?
    Mr. Wilshusen. I would agree that certainly will is a key 
part of it because the capabilities to protect many of the 
systems and networks that we have are available. But at the 
same time, I think you are right on. In terms of the 
manipulation and integrity of data it is critical. We often 
talk about the disclosure of information and how that can be 
very harmful. But if you are able to manipulate data it can 
have even more devastating impact to agencies and to military 
during conflicts, so I think you are right on track with that 
line of questioning. I do agree that it is probably more will 
than way. But way also has an aspect, too, because technology 
tends to outpace security.
    Mr. Green. Anyone else?
    Mr. Schaffer. I would echo that thought that there is a big 
will portion, but there is a way portion as well. The 
technology that we have today, the way that we are constructed 
enterprise-wide for the internet, has some challenges that will 
have to be addressed and fixed. If you look at the studies that 
have been done about applying known security technologies, they 
usually say that that would cover 80 percent of the intrusion 
sets. There is some percent that we don't have current 
technology to eliminate and we have got to focus some research 
and development efforts in those spaces in order to get to that 
last percentage.
    Mr. Green. Well, my time is nearly up, so I will just 
conclude with thank you again for sharing with us. My hope is 
that we will take to heart what you have called to our 
attention and make the necessary changes so that we will have 
both will and way and thwart these efforts. I yield back.
    Chairman Thompson. Thank you very much. The Chairman now 
recognizes the gentleman from Pennsylvania, Mr. Dent, for 5 
minutes.
    Mr. Dent. Thank you, Mr. Chairman. Good morning.
    Mr. Baker, I would like to talk about the issues of 
fragmentation and you know, how do we really address the 
fragmentation in Federal agencies. Specifically, you know, how 
is the Federal Government's overall cybersecurity effort 
affected by the ability of the diverse number of agencies and 
departments such as the FTC, the SEC, and others to issue 
directives and rulings that establish cyber standards.
    Mr. Baker. I think there is a serious fragmentation problem 
both in terms of authority of DHS and the CERT over Executive 
branch agencies. In the private sector we long ago would have 
unified a number of the security measures and networks that 
different agencies have. But I also believe that both the FTC 
and the FCC have slightly distorted people's security 
priorities. The FTC has made it extraordinarily painful to 
allow anybody's Social Security number ever to escape your 
system. Now that is a serious problem, but it is nowhere near 
as serious as some of the other attacks that people are not 
prioritizing today because they are focused principally on the 
privacy regulations that the FTC administers.
    Mr. Dent. My follow-up question deals with, do we need to 
address the authority of the White House Coordinator for DHS?
    Mr. Baker. To my mind, no. At the end of the day, the 
coordinator speaks for the President and he reflects the 
President's priorities. If he makes it clear that he expects 
people to respond quickly to the coordinator's requirements, it 
will happen. So I am not convinced that large changes in his 
authority are essential.
    Mr. Dent. Okay. In the Ghostnet case study that you 
discussed in your testimony, you portray an astonishingly 
intrusive intelligence operation that was carried out against 
the Dalai Lama through a cyber attack to the point that the 
hackers had knowledge of every on-line activity carried out by 
the attacked parties. What success has there been in 
attributing those attacks to its origins?
    Mr. Baker. There is no absolute attribution that has been 
made. There was a lot of evidence that suggested that the 
people who were carrying out that attack were also looking for 
intelligence from a number of other targets that would be 
highly of interest to the Chinese Government. But there was no 
absolute determination of who was responsible for that attack.
    Mr. Dent. Thank you. To Mr. Wilshusen, GAO has noted 
several deficiencies for securing Federal information 
infrastructure, such as inadequate testing, certification, and 
accreditation of systems, failure to enter interagency 
agreements. As an overall trend, are the Federal Government's 
cybersecurity efforts improving? What do you think is the 
greatest obstacle towards realizing stronger security?
    Mr. Wilshusen. I think to answer your first question first 
in terms of what are some of the challenges or obstacles, one 
is just the complexity and dynamic nature of the Federal 
computing environment. It is geographically dispersed, in many 
cases technologically diverse. As well as there is a large 
number and evolving threat, vulnerabilities and business 
practices that all impact the ability to secure information on 
Federal systems. There are a number of initiatives underway 
that are intended to help improve the security over those 
systems. The other Members, or the other witnesses have talked 
about some of those, particular, Einstein; another one is the 
Federal Desktop Core Configuration Initiative, as well as the 
Comprehensive National Cyber Security Initiative. We reviewed 
each of those initiatives and found challenges with each of 
those particular initiatives in terms of being able to 
effectively implement security and made some recommendations on 
that. But there are efforts under way. There is progress being 
made, but again, it is a major obstacle to overcome.
    Mr. Dent. Mr. Schaffer and Mr. Skinner have an observation 
on that question?
    Mr. Skinner. Yes. I do believe it begins with the basics. 
It begins with the employees. I think we have to have a very 
robust oversight program. We have to have a robust 
accountability program. That is, if you are not complying, then 
you need to be held accountable. It begins at the lowest 
levels, not at the highest levels. I think it is something we 
have to continually hammer home to all employees that you, as 
an individual, have been given certain rights. You have certain 
responsibilities that go with those rights and that we will 
provide you the oversight to ensure that you are helping us 
help the Government secure its systems.
    Mr. Schaffer. I would certainly say that the scope of the 
problem and the complexity of the networks and the different 
levels of capability within the departments and agencies to 
execute is one of the challenges that we will all face as we 
move forward in this space. At the Department we have been 
increasing our capability both in terms of people, resources, 
and otherwise to work with the departments and agencies to 
improve security across a range of programs that have been 
mentioned before.
    FISMA changes are coming that will allow us to focus on not 
a paper exercise but real operational continuous monitoring 
kind of solutions to know where we are within the departments 
and agencies, but the departments and agencies themselves need 
to have the resources in order to execute on the advice and 
recommendations and remediation steps that DHS can try to put 
forward. But they have got to be able to execute within their 
own network environments. As mentioned, very diverse.
    Mr. Dent. I see my time has expired and I would just like 
to, Mr. Chairman, extend my support to the cybersecurity 
initiative of Senators Lieberman and Collins. I think the 
Chairman, Ranking Member rather, and Representative Harman have 
also expressed similar support, and Mr. Lungren too. Thank you.
    Chairman Thompson. Thank you. The Chairman now recognizes 
the gentlelady from New York, Ms. Clarke, for 5 minutes.
    Ms. Clarke. Thank you very much, Mr. Chairman. The 
Subcommittee on Emerging Threats, Cybersecurity, and Science 
and Technology have done a great deal in this space over the 
past year and a half. We have coordinated many hearings, 
roundtable discussions, and briefings on this topic, and I want 
to thank you, Mr. Chairman, and the Ranking Member, Mr. King, 
for holding this full committee cybersecurity hearing today. It 
is good to see Assistant Secretary Schaffer, who has been 
instrumental in providing guidance to me and the other Members 
during our many roundtable discussions and briefings on the 
Hill, and I want to thank you, Assistant Secretary, and the 
other Members of the panel for joining us today.
    I know this hearing is more focused on domestic affairs and 
efforts, but as we all know, cyberspace has no borders and no 
boundaries. I would like to add another dimension to our 
discussion this morning. Our ability to protect U.S. networks 
is inextricably linked to our ability to coordinate with our 
international partners on cybersecurity. There is a growing 
awareness of the problem of international cyber attacks, 
although the pace of the development is slower and irregular.
    This March I introduced H.R. 4962, the International Cyber 
Crime Reporting and Cooperation Act, which would enhance 
America's cooperation with other countries to combat cyber 
crime and keep America safe. Chairman Thompson, Ranking Member 
King, Ms. Loretta Sanchez of California, and Ms. Laura 
Richardson of California are among the bipartisan cosponsors 
that also serve on this committee. Senators Gillibrand and 
Hatch are the lead Senate sponsors of the bill on the Senate 
side.
    Recent foreign-based attacks on the computer systems of 
U.S. Federal agencies and commercial companies highlight the 
vulnerability of the interconnectedness of the networks that 
comprise the internet, as well as the need to adequately 
address the global security and governance of cyberspace. 
Federal law and policy give a number of Federal entities 
responsibilities for representing U.S. cyberspace interests 
abroad in collaboration with the private sector.
    More recently, the President appointed a National 
Cybersecurity Coordinator charged with improving the Nation's 
cybersecurity leadership. The Chairman, Ranking Member, and I 
requested a forthcoming GAO study to identify, among other 
things, challenges to effective U.S. involvement in global 
cyberspace security and governance efforts.
    I wanted to take this opportunity to highlight this issue, 
so I will begin my line of questioning on this issue. Mr. 
Wilshusen, what obstacles remain between the United States and 
our international allies on the subject of global cybersecurity 
information sharing, and what can the United States do to 
overcome those obstacles?
    To Mr. Schaffer, what is DHS doing to foster international 
coordination and information sharing on cybersecurity?
    Mr. Wilshusen. Well, I guess I will start. Thank you. Well, 
one of the obstacles is just making sure that we have a 
coherent, cogent strategy for dealing with the international 
parties and making sure that the various different parties 
involved with the Federal Government have their roles 
identified and that they are working collaboratively with the 
international bodies.
    It is also important that as we look at various different 
aspects related to international security arrangements, it 
deals with just some of the issues related to, for example, at 
securities incidents attribution and being able to identify 
perpetrators of such attacks across borders, particularly 
making sure we have the arrangements in place with other 
nations in order to foster and promote active investigations of 
those incidents. So making sure that those arrangements in 
place are going to be very important, too.
    Mr. Schaffer. Congresswoman, the Department of Homeland 
Security is definitely focused on international as being a 
critical part of what we need to do in order to be successful. 
As you point out, it is impossible to protect our networks 
without having the assistance of our international partners.
    I traveled to Spain not too long ago for an EU ministerial 
with the Secretary, where cyber is one of the topics that we 
discussed with the European Union. We are working extensively 
with members of the international watch and warning network, 15 
nations that are engaged with us on incident response level 
work for cyber and who will be participating with us in the 
Cyber Storm III exercise so that we can look at how our CERT 
capabilities can leverage and be working with our international 
partners during an incident.
    We also participate in the Meridian Conference. We hosted 
last year a group of international visitors focused on 
cybersecurity, particularly in the nature of industrial control 
spaces, and we do lots of bilateral meetings on the 
international realm as well to try to address cybersecurity 
issues.
    As you know, there is not a consistent base of capability 
in all of the countries who are our partners and we are trying 
to provide assistance where we can and to learn lessons from 
those who are more sophisticated that may have done some things 
that we haven't done yet. So we are working hard to work with 
our international partners to make progress.
    Ms. Clarke. Thank you very much, gentlemen. Thank you, Mr. 
Chairman.
    Chairman Thompson. Thank you. The Chairman now recognizes 
the gentlelady from Texas, Ms. Jackson Lee, for 5 minutes.
    Ms. Jackson Lee. I, too, add my appreciation to the full 
committee Chairman and Ranking Member for holding this hearing 
and to the witnesses as well. I want to be probative on maybe 
some of the same questions that have been asked but maybe all 
have not asked them, and to try and probe as to where we are. 
So I would like to focus my attention on Mr. Skinner; just make 
this comment that we rushed to establish Department of Homeland 
Security in the wake of 9/11. Just as a moment of history, we 
started with a select committee in this House, and then we 
developed the structure as the Senate did for the Department 
and merging a number of different distinct disciplines in one 
big, if you will, umbrella, under one big umbrella, and we 
rushed to do it.
    So my question to you, Mr. Skinner, is: What did we do 
wrong at the very beginning as it relates to cybersecurity and 
the priority that was given when the Department was 
established, just on your historical perspective?
    Mr. Skinner. Those were very emotional times and I think 
when we brought the Department together back in 2003, 2002-2003 
time frame, I believe the attention was on protecting our air 
security and protecting our borders to ensure that we did not 
have a physical attack, a repeat. Cybersecurity, while everyone 
recognized that was an issue to be dealt with, I don't think 
just elevated at that point in time in our psyche as something 
that we needed to address immediately. Time has passed. Over 
time we are now learning that we cannot ignore cybersecurity. 
The technology is moving so fast and our reliance and 
dependability on that technology has become increasing daily 
and we are beginning to realize that if we want to protect our 
borders, we have to protect our cybersecurity. That is so 
important. I think it is something that we are starting to 
recognize and we are starting to do. We have come a long way 
with regards to our border security.
    Ms. Jackson Lee. So in essence, the start of our focus was 
air security. This traveled, when we speak of the Government, 
this traveled through the Bush administration. This was no 
different in terms of the issue of staffing and focus. This 
sort of is an on-going problem. Is that my understanding?
    Mr. Skinner. That is correct, yes.
    Ms. Jackson Lee. So we now have a moment in history where 
the technology has risen to a level of ultimate superiority and 
it is at a crisis point at which you believe there may be some 
action.
    So let me just focus in something that is very troubling to 
me, and that is the question of DHS not being able to enforce 
the other agencies to protect their systems.
    Tell me, in a very quick answer, what that means. What are 
you saying?
    Mr. Skinner. That means, essentially they do not have 
statutory authority to compel their stakeholders, the other 
Federal agencies that they make recommendations to and provide 
guidance to, to compel them to respond to or correct problems 
that are being identified.
    Ms. Jackson Lee. Which means that it leaves us vulnerable 
in certain important areas. For example, and I am just calling 
these agencies' names, not pointing them out. But we have got 
the Department of Justice, we have got the CIA, we have got 
NASA, we have got agencies that hold proprietary information, 
Department of Transportation, that would be vulnerable if they 
were not responding.
    Let me ask the Secretary: What do you do now with respect 
to trying to get our Federal agencies to enforce and protect 
their cyber systems?
    Mr. Schaffer. The process today when we identify a 
vulnerability or we see information coming over the Einstein 
system that suggests that an attack has been focused on a 
particular department or agency is to provide the information 
about the attack, to provide mitigation strategies, to work 
with the department or agency on methodologies and best 
practices to avoid the attacks in the future. But as Mr. 
Skinner points out, we do not currently have the authority to 
require the department or agency----
    Ms. Jackson Lee. But what specific authority do you need? I 
know legislation is moving. But what specific authority do you 
need?
    Mr. Schaffer. The administration at this point is looking 
at the bill that has been discussed at length here. It has not 
established a position yet on that bill or what specific 
authorities may be necessary. We are continuing to work with 
the departments and agencies to execute well against the 
threats and vulnerabilities that we identify through the 
systems that we have. We are seeing good cooperation from a lot 
of the departments and agencies to make progress. But at this 
point we don't have an administration position that I can give 
you on specific authorities that we need.
    Ms. Jackson Lee. Well, I would encourage you to continue to 
work with this committee. I think we are at a crisis point 
where that position needs to be established. I think as we 
leave this hearing we can confirm that agencies are not 
listening or not responding to the lack of an authority that 
you have to enforce them protecting the most important assets 
that the American people have, and that is for proprietary 
information. So I look forward to you really getting back with 
this committee since the administration has made great strides 
and it needs to complete the task.
    I yield back.
    Chairman Thompson. Thank you. The Chairman now recognizes 
the gentlelady from California for 5 minutes, Ms. Richardson.
    Ms. Richardson. Thank you, Mr. Chairman. If you know 
anything about my district, you know that it is very 
infrastructure rich. In fact, when Secretary Napolitano had an 
opportunity to come to my district, she was shocked at the 
ports, the bridges, the water treatment facilities, surf 
plants, just on and on.
    So I would like to start off my first question having to do 
with the National critical infrastructure. I have been a little 
disappointed that the last Secretary that we have had and the 
current one has not been a supporter of really true cargo 
inspection. I personally believe that that is going to be 
something that we will have to deal with. One of the things we 
are currently doing is we are relying upon, we do screening in 
terms of looking at the data, but we are not actually 
inspecting the cargo. So I would like to get your thoughts on 
what you think in terms of our potential vulnerabilities of 
really relying upon data and information, assuming that so and 
so, who we have never had a problem with, is sending such and 
such, which they say is cargo in there is A-okay, which is 
really we are relying upon data and not facts. I just wanted to 
get your thoughts.
    Mr. Skinner. Congresswoman, this is something that we are 
currently looking at. It does make us, if we do not have 
adequate verification, validation programs, and internal 
controls to ensure that these certifications that we are 
obtaining and that we can trust these people, yes, that makes 
us very, very vulnerable, and that is something that we are 
studying as I sit here today and hopefully to have a report out 
within the next year.
    Ms. Richardson. If you could keep this committee abreast of 
your progress and hopefully, before next year, but keep us 
abreast on our progress. Thank you, sir.
    The second question I actually wanted to ask you, Mr. 
Skinner, the enforcement authority for Federal cyber security 
policy results with the OMB. With no disrespect to our other 
colleagues here, do you support this position, this line?
    Mr. Skinner. I can't comment. I am really not in a position 
to comment on that at this point in time. I will be happy to 
get back to you. I have to learn more about what their 
enforcement authorities are.
    Ms. Richardson. Okay. Then to you, Mr. Schaffer, in 
addition to being on Homeland Security, I am on Transportation 
and Infrastructure. One of the biggest new things that we are 
hoping will be here soon is NextGen. I wanted to get your 
thoughts that NextGen is the program, really the air traffic 
controllers' new system that will enable us to have more, 
better information and what we do, but again it makes us very 
vulnerable if someone were to take over the NextGen system and 
suddenly having planes going in all the wrong directions and 
such a reliance upon data which is moving away from pilots. I 
wanted to get your thoughts. Have you started looking at the 
potential cyber issues there? Cybersecurity issues?
    Mr. Schaffer. Congresswoman, I would have to get back to 
you on the specific details. I do think that we are engaged 
with a group that is working on that program, but I don't know 
the details off the top of my head in terms of what our 
engagement has been.
    I would just say that, as a practical matter, there are 
many systems that are looking to leverage new technology, and 
they all need to have security as a critical part of the 
development of the system rather than an add-on after the fact. 
So to the extent that we can bring a security mentality to the 
development of new technologies that are coming into the 
Federal Government, we will be in a much better position in the 
future to have a more secure infrastructure than if we don't do 
that and then have to try to bolt security solutions on after 
the fact.
    So I certainly would encourage thinking about those 
security issues at the early stages of the process. We will get 
back to you with exactly what our involvement has been thus 
far.
    Ms. Richardson. With no discouragement to the company that 
is actually designing it, what will you be doing to ensure that 
just because the company says, like what we are living through 
right now with the spill in the Gulf, what will you be doing to 
ensure that there is, in fact, true security and protection 
versus just a company telling you so?
    Mr. Schaffer. Again, I will have to get back in terms of 
what our role in that process will actually be, but we will 
certainly get that information to you.
    Ms. Richardson. Okay. Then finally I would just like to 
follow up on something that Representative Jackson Lee said. 
One thing I am learning from watching the results of the oil 
spill is, you didn't say that there was any additional 
authority that you thought you needed or could share with us at 
this time. What I would say is that I am learning it is we 
better know in advance. So rather than us waiting and then all 
of sudden we have to decide whether we really have authority to 
do some things, if things don't go right we need to be prepared 
to step up and we need to give you the authority to do so.
    Thank you very much. I yield back.
    Chairman Thompson. Thank you very much. I have a couple of 
questions I would like to ask before we close this hearing.
    Mr. Skinner, your report mentions the fact that a number of 
agencies said that they have not received sufficient training 
on the Einstein system, and that for some reason Homeland isn't 
sharing this data with them. Are you aware of that?
    Mr. Skinner. I know what you are referring to. As far as 
training, yes, there were some of these stakeholders that felt 
that the training could have been more intense or face-to-face 
and they thought that presented a problem to them. As far as 
information sharing is concerned, there are those agencies that 
said that they would like to have more information with regards 
to reported breaches as they come through. The problem with 
that, and I am sure the Assistant Secretary Schaffer can 
address this better than I, is that this is a lot of raw data. 
A lot of it is false leads. Many of the agencies that are 
asking for this may not have the capability to analyze it 
themselves, and we can inundate them with unnecessary 
information that could really not help their cause but slow 
their cause down.
    Chairman Thompson. Okay. So what is the fix for that?
    Mr. Skinner. What we are suggesting is the Department 
explore with other agencies what can we share. Who is capable 
of handling this information. Who has the clearances, who has 
the security clearances that allow them to look at this data. 
That is the other thing. A couple of these agencies did not 
have security clearances, and yet they wanted to look at 
classified documentation.
    So I think, No. 1, we have to sit down with our partners 
and explore what can be shared and educate our partners as to 
why certain things can't be shared and why you don't want it to 
be shared.
    Chairman Thompson. Mr. Assistant Secretary.
    Mr. Schaffer. Mr. Chairman, we definitely have a plan to 
expand our ability to provide information to our Government 
customers as we go forward, and that includes building portals 
that will allow them to get access to certain kinds of 
information that we can provide that wouldn't violate the 
classification rules obviously. We also have plans to put in 
place resources, human resources that will be able to be 
dedicated to individual departments and agencies so that they 
will have a single resource that they can reach out to and ask 
questions of at any time and get the answers that they need in 
order to execute well.
    But Mr. Skinner is quite right that the volume of data is 
definitely an issue in terms of raw data that needs to be 
processed. As everyone has noted, the need to have highly 
skilled and capable individuals who can analyze that data and 
turn it into information that is executable is one of the 
challenges for US-CERT, and one of the things that we are doing 
better all the time. But to expect each department and agency 
to be able to do that independently as well is probably a big 
lift, and that is one of the challenges here.
    Chairman Thompson. Well, I guess not independently, but at 
some point you should be able to move something that is of 
importance to that agency.
    Mr. Schaffer. Yes, sir. We do that today. We share the 
information. Once we have processed and we have got real 
information as opposed to raw data, we are pushing that 
information to the departments and agencies so that they have 
actionable things that they can go execute against. It is 
access to the raw data that we find probably wouldn't be useful 
to them because of the volume and because of the need to do all 
of this extensive analysis.
    Chairman Thompson. Back to a question Ms. Richardson and 
Ms. Jackson Lee talked about relative to OMB and their 
enforcement of US-CERT requirements. Mr. Baker, since you might 
be one of two people who can answer that question on the panel 
without any--take a shot at that. I mean, what do you think the 
problem with that approach is?
    Mr. Baker. The difficulty with telling other agencies what 
they have to do in this area is you are basically telling them 
to spend money that they were planning to spend on something 
else on computer security, which isn't going to make their 
lives any easier at all. So they are just--it feels like they 
are taking a budget cut. Therefore, you need OMB's support 
before you can do that. Either OMB is going to say we can find 
money for you to do that or they are going to say I am sorry, 
you are just going to have to take the cut. So without OMB 
being part of this process it isn't actually going to work. My 
suggestion would be that it may be that DHS needs bigger 
negotiating tools in this area, but we are never going to get 
OMB out of this process and we shouldn't be trying. That would 
be my suggestion.
    Chairman Thompson. Mr. Wilshusen.
    Mr. Wilshusen. Well, certainly OMB does have that role with 
the budget and approving budgets for agencies. It also is 
responsible under the current law, FISMA, for approving and/or 
reviewing and approving or disapproving agencies' information 
security programs. So they have that authority now to go 
through and review agencies' security programs and approve 
them.
    Has it been doing it? Not really. It is something we have 
commented on in the past about their ability to actually review 
and approve agencies' security programs. Basically that is 
happening now through the FISMA reporting process. We have 
commented in the past that the measures and security metrics 
that OMB has established for agencies to report under that 
process have really not been sufficient to really gauge the 
effectiveness of agency and security programs. Those measures 
generally just address compliance issues and how many systems 
have been tested and evaluated, how many individuals have been 
given training, for example, without really addressing how 
effective those security protections and measures are.
    So OMB certainly has a role and has had a role in trying to 
assure that agencies have adequate information security 
programs. But it has not really done that to the extent that it 
probably should have done in the past.
    Chairman Thompson. Mr. Assistant Secretary.
    Mr. Schaffer. Mr. Chairman, I will just point out that OMB 
has recently issued a letter that gives to DHS some of the 
responsibilities with respect to executing on some of those 
reporting pieces. So we are going to be moving in a direction 
that gets away from what is a paper-based compliance, once-a-
year process to a much more operationally focused, continuous 
monitoring kind of solution. We will have interviews with the 
departments and agencies to make sure we understand what they 
are actually executing on. We will have benchmarking 
capabilities that will let us see what other departments and 
agencies are doing and show the individual departments what 
they have got, and we will have continuous reporting out of the 
actual management systems that are used by the departments and 
agencies to look at their own systems flowing into the FISMA 
reporting tool.
    So I think we are moving in a direction that will address 
some of those challenges that we have had historically.
    Chairman Thompson. With respect to the authority to enforce 
compliance, are you of the opinion that you need that 
authority?
    Mr. Schaffer. Mr. Chairman, as I said, I apologize that I 
am not in a position to answer a question on what authorities 
we might need at this point. The Department and administration 
are working through the process of coming up with our answer to 
the authorities question and when we can do that I am sure it 
will be provided.
    Chairman Thompson. I am certain. Mr. Skinner.
    Mr. Skinner. Yes. We do believe they need that authority. 
What we haven't defined and I think what needs to be worked out 
is: How do we exercise that authority and how do you compel 
compliance?
    Chairman Thompson. Mr. Wilshusen.
    Mr. Wilshusen. One of the issues under FISMA has been even 
within a particular agency, not even looking at across the 
Federal Government, is that FISMA required and gave authorities 
to the agencies' individual CIOs. Even in FISMA it just said 
that CIOs and their certified information security officers, 
I'm sorry, are responsible for ensuring compliance but did not 
include enforcing compliance. That one word even made a 
difference within agencies, particularly larger departments 
that may have multiple components. In some instance, for 
example, like VA, a number of years ago, the central chief 
information security officer really did not have that much 
authority to compel or enforce compliance with policy issues 
across the Department. So the enforcement is really a key 
consideration in this particular respect.
    Chairman Thompson. Mr. Baker.
    Mr. Baker. Of course they need that authority. It is an 
unnatural act for another department to take binding guidance 
from another department and until Congress makes it clear and 
the President makes it clear that, by God, they are going to 
have to do it, they are not going to do it.
    Chairman Thompson. Three out of four in agreement is not 
bad. I understand, Mr. Assistant Secretary, believe me, but I 
have to ask the question. I thank the committee. You have been 
absolutely excellent with your responses to the questions of 
the committee at this point, and I want to thank you for your 
testimony.
    Before concluding, I would like to remind our witnesses 
that the Members of the committee may have additional questions 
for you and we will ask that you respond expeditiously in 
writing to those questions. There have been some requests of 
certain witnesses here today. Hearing no further business, the 
committee stands adjourned.
    [Whereupon, at 12:00 p.m., the committee was adjourned.]


                            A P P E N D I X

                              ----------                              

  Questions From Chairman Bennie G. Thompson of Mississippi for Greg 
                                Schaffer

    Question 1a. The IG report states that US-CERT does not have 
sufficient staff to meet its mission. Although US-CERT's authorized 
positions were increased from 38 in 2008 to 98 in 2010, as of January 
2010, only 45 positions are filled.
    Would you give us an update on how many of the 98 authorized 
positions for fiscal year 2010 have been filled?
    Answer. Of the 98 authorized positions, the United States Computer 
Emergency Readiness Team (US-CERT) currently has 56 full-time positions 
filled and 22 positions with selections in the on-boarding pipeline. It 
is important to note that the 98 positions is the target for the end of 
the fiscal year--in fiscal 2009, we tripled the number of cybersecurity 
personnel within NPPD, and we are doubling that number again this 
fiscal year. The snapshot staffing number in the IG report was already 
outdated by the time it was released; our numbers will continue to 
increase as we continue to grow.
    Question 1b. What is the reason for the slow process in addressing 
US-CERT's staffing needs?
    Answer. There are inherent challenges with rapidly on-boarding and 
recruiting technical experts; chief among the reasons is the need for 
high-level clearances, skills required, and competition for higher-
paying jobs in the private sector. However, hiring is the National 
Protection and Programs Directorate's (NPPD's) No. 1 management 
priority. We have more personnel in the hiring process for NPPD than 
ever before. Internally, NPPD has been working closely to streamline 
the overall hiring process, and within the National Cyber Security 
Division (NCSD), overall Federal employees have increased from 43 at 
the end of fiscal year 2008 to 198 current Federal employees.
    Question 1c. Of the personnel increase from 38 to 98, how many can 
be attributed to the Secretary's Balanced Workforce Strategy to convert 
contractors to authorized FTEs?
    Answer. NCSD has focused recruitment efforts for these positions on 
hiring the best and brightest from a large and diverse pool of 
candidates. NCSD has, therefore, looked to a variety of sources to fill 
Government positions. Approximately 20 percent of the individuals hired 
to fill converted positions previously held the positions as 
contractors.
    Question 2a. The IG reported that due to the staffing shortage at 
US-CERT, contractors are used to augment the staff.
    How many contractor personnel currently work on US-CERT program 
activities?
    Answer. Currently, the National Cyber Security Division (NCSD)/
United States Computer Emergency Readiness Team (US-CERT) has 185 
contractors supporting US-CERT program activities, 86 of which are 
currently on-site.
    Question 2b. How many contractor positions are slated for 
conversion to Government positions as part of the Secretary's Balanced 
Workforce Strategy in fiscal year 2011?
    Answer. NCSD is currently assessing staffing requirements beyond 
the number of personnel authorized in the President's fiscal year 2011 
budget request to address staffing shortages.
    Question 2c. How many additional positions did the administration 
request for fiscal year 2011 to properly address the critical staffing 
shortage at US-CERT's?
    Answer. With the projected fiscal year 2011 budget approval, NCSD 
requested a total of 42 new positions of which 22 are to support US-
CERT.
    Question 2d. Who are the contractors tasked to support US-CERT?
    Answer. Currently, Booz Allen Hamilton (BAH), General Dynamics 
(GD), MITRE, ESP Group LLC, and CMU Software Engineering Institute 
(SEI) support US-CERT through existing contracts.
    Question 2e. What type of support do these contractors provide? Can 
these support activities be in-sourced?
    Answer. The contractors provide a wide variety of support 
including: Program management, financial management, and performance 
management; 24/7/365 integration and reporting (meaning there is 
someone operationally staffed every hour of every day of the year); and 
operations support services (such as incident handling, continuity of 
operations, malicious code analysis, contingency planning, and trend 
tracking, etc.).
    US-CERT also receives contract support to assess and recommend 
improvements to applications, tools, and business processes related to 
identification, analysis, and publication of timely information about 
critical cyber threats; vulnerability analysis support; technical 
mentoring and conference support; acquisition planning; incident 
investigations; and identification of emerging technologies.
    NCSD believes that a balanced approach to staffing, which includes 
a mix of contractors and Federal employees, is the most effective 
method for resource allocation. We are aggressively growing our Federal 
workforce, and looking closely at how best and most appropriately to 
augment our expanding team with contract support. As such, NCSD is 
developing a needs assessment to ensure the right ratio of contractors 
to Federal employees is hired in the out years.

  Questions From Chairman Bennie G. Thompson of Mississippi for Greg 
                                Schaffer

    Question 1. What are the technical analyst's responsibilities?
    Answer. Responsibilities include testing and implementing latest 
tools and technologies to improve the capabilities of the Einstein 
Program, performing administrative oversight to ensure that the 
Einstein program complies with applicable laws, and creating and 
testing new signature profiles to track and detect potential threats 
against the Federal civilian Government network infrastructure. Other 
responsibilities include:
   Examining raw data from a wide variety of information 
        sources (e.g. malware and digital media) to detect potential 
        attacks and vulnerabilities and recommend mitigation strategies 
        on potential attacks and vulnerabilities detected. Technical 
        analysts also perform a thorough technical analysis of data to 
        understand the nature of the attacks, threats, and 
        vulnerabilities.
   Providing temporary on-site incident response assistance to 
        investigate, respond, and analyze suspicious activities at 
        departments/agencies.
   Preparing various reports to summarize the initial findings 
        and detailed analysis of the malware or incidents that contains 
        mitigation strategies to improve situational awareness.
   Providing malware guidance to incident handling operations 
        staff as necessary.
   Providing peer review for quality assurance of dynamic and 
        static analysis activities.
    Question 2. What specifically are these additional duties?
    Answer. As of January 2010, US-CERT has filled only 45 of its 
authorized 98 positions. Additional duties for some GS-9 technical 
analysts include acting in a management capacity, instead of examining 
and analyzing network traffic for suspicious activities and 
coordinating cyber defense with other agencies. Other duties include 
developing standard operating procedures, providing on-the-job training 
to new staff, and mentoring junior staff and obtaining systems access 
to perform their job functions. However, we believe the mentoring and 
on-the-job training should be provided by managers or supervisors, not 
technical analysts.
    Question 3. Would you consider these duties inherently 
Governmental?
    Answer. Staff supervision such as providing mentoring to junior 
staff is considered inherently Governmental. However, the functions 
should be performed by supervisors. The technical analyst's 
responsibilities listed below may be performed by contractors:
   Examining raw data to detect potential attacks and 
        vulnerabilities and recommend mitigation strategies on 
        potential attacks and vulnerabilities detected.
   Performing thorough analysis of data to understand the 
        nature of the attacks, threats, and vulnerabilities.
   Providing temporary on-site incident response assistance to 
        investigate, respond, and analyze suspicious activities at 
        departments/agencies.
   Preparing various reports to summarize the initial findings 
        and detailed analysis of the malware or incidents that contains 
        mitigation strategies to improve situational awareness.
   Providing malware guidance to incident handling operations 
        staff as necessary.
   Providing peer review for quality assurance of dynamic and 
        static analysis activities.
    Question 4. Should new positions be created to perform these 
duties?
    Answer. More resources can always help US-CERT to perform its 
mission. However, the technical analysts are performing these duties 
because US-CERT cannot fill its authorized positions. Creating 
additional positions will not mitigate US-CERT's inability to hire and 
retain qualified staff. US-CERT's staffing shortage is primarily caused 
by leadership turnovers and the Department's rigorous suitability 
clearance process.
    For example, US-CERT has had four directors in the past 5 years. 
Further, due to the Department's rigorous suitability clearance 
process, it takes US-CERT a significant amount of time to fill its 
critical positions. According to a former director, it takes 9 to 12 
months for new applicants to begin working at US-CERT even if they 
already have a top secret clearance. As a result, staffing shortages 
force current analysts to perform additional duties, instead of 
fulfilling the technical analyst role for which they were hired.

                                 
