b'<html>\n<title>CYBERSECURITY: DHS\' ROLE, FEDERAL EFFORTS, AND NATIONAL POLICY</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n \n     CYBERSECURITY: DHS\' ROLE, FEDERAL EFFORTS, AND NATIONAL POLICY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JUNE 16, 2010\n\n                               __________\n\n                           Serial No. 111-71\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n64-697                    WASHINGTON : 2011\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nLoretta Sanchez, California          Peter T. 
King, New York\nJane Harman, California              Lamar Smith, Texas\nPeter A. DeFazio, Oregon             Daniel E. Lungren, California\nEleanor Holmes Norton, District of   Mike Rogers, Alabama\n    Columbia                         Michael T. McCaul, Texas\nZoe Lofgren, California              Charles W. Dent, Pennsylvania\nSheila Jackson Lee, Texas            Gus M. Bilirakis, Florida\nHenry Cuellar, Texas                 Paul C. Broun, Georgia\nChristopher P. Carney, Pennsylvania  Candice S. Miller, Michigan\nYvette D. Clarke, New York           Pete Olson, Texas\nLaura Richardson, California         Anh ``Joseph\'\' Cao, Louisiana\nAnn Kirkpatrick, Arizona             Steve Austria, Ohio\nBill Pascrell, Jr., New Jersey       Tom Graves, Georgia\nEmanuel Cleaver, Missouri\nAl Green, Texas\nJames A. Himes, Connecticut\nMary Jo Kilroy, Ohio\nDina Titus, Nevada\nWilliam L. Owens, New York\nVacancy\nVacancy\n                    I. Lanier Avant, Staff Director\n                     Rosaline Cohen, Chief Counsel\n                     Michael Twinchek, Chief Clerk\n                Robert O\'Connor, Minority Staff Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     2\nThe Honorable Peter T. King, a Representative in Congress From \n  the State of New York, and Ranking Member, Committee on \n  Homeland Security..............................................     
2\nThe Honorable Laura Richardson, a Representative in Congress From \n  the State of California:\n  Prepared Statement.............................................     3\n\n                               Witnesses\n\nMr. Gregory Schaffer, Assistant Secretary, Cybersecurity and \n  Communications, Department of Homeland Security:\n  Oral Statement.................................................     5\n  Prepared Statement.............................................     6\nMr. Richard L. Skinner, Inspector General, Department of Homeland \n  Security:\n  Oral Statement.................................................    13\n  Prepared Statement.............................................    14\nMr. Gregory C. Wilshusen, Director, Information Technology, \n  Government Accountability Office:\n  Oral Statement.................................................    20\n  Prepared Statement.............................................    21\nMr. Stewart A. Baker, Partner, Steptoe & Johnson, LLP:\n  Oral Statement.................................................    27\n  Prepared Statement.............................................    28\n\n                                Appendix\n\nQuestions From Chairman Bennie G. Thompson of Mississippi........    57\n\n\n     CYBERSECURITY: DHS\' ROLE, FEDERAL EFFORTS, AND NATIONAL POLICY\n\n                              ----------                              \n\n\n                        Wednesday, June 16, 2010\n\n                     U.S. House of Representatives,\n                            Committee on Homeland Security,\n                                                    Washington, DC.\n    The committee met, pursuant to call, at 10:00 a.m., in Room \n311, Cannon House Office Building, Hon. Bennie G. 
Thompson \n[Chairman of the committee] presiding.\n    Present: Representatives Thompson, Harman, Lofgren, Jackson \nLee, Cuellar, Clarke, Richardson, Kirkpatrick, Cleaver, Green, \nHimes, King, Smith, Lungren, McCaul, and Dent.\n    Chairman Thompson. The Committee on Homeland Security will \ncome to order. The committee is meeting today to receive \ntestimony on ``Cybersecurity: DHS\'s Role, Federal Efforts, and \nNational Policy.\'\' I want to thank the witnesses for appearing \nhere today.\n    Today\'s hearing entitled ``Cybersecurity: DHS\'s Role, \nFederal Efforts, and National Policy\'\' will examine the \nDepartment of Homeland Security\'s efforts to secure cyberspace. \nSince 1997, GAO has designated information security as a high-\nrisk area in the Federal Government. Ten years later, \ninformation security is still high risk. Some would say that it \nis the difficulty of this task that keeps us from achieving it, \nbut I know that few things worth doing are easy. Security of \nthe Federal Government\'s network from a wide array of cyber \nattackers is not easy, but few tasks are more necessary.\n    According to GAO, the cybersecurity incidents reported by \nFederal agencies have increased 400 percent in the last 4 \nyears, from 5,503 incidents in fiscal year 2006 to about 30,000 \nincidents in fiscal year 2009. Whether military or \nintelligence-gathering operations of foreign nations, domestic \nor international terrorist groups, lone wolf, hate-driven \nindividuals, common criminals or thrill-seeking hackers, those \nattempting to infiltrate and exploit this country\'s computer \nnetworks are both numerous and determined. 
But they will not \nwin if we match their determination with our resolve and defeat \ntheir abundance with our expertise.\n    As the lead agency for cybersecurity in a Federal civilian \nagency, the Department of Homeland Security is responsible for \nguiding and directing the Federal efforts to defeat this \nmultifaceted cyber enemy.\n    So my question today is: Does the Department have what it \nneeds to win the war? US-CERT, the office within the Department \nthat is charged with leading our cyber defense effort, has \nsignificant deficiencies. It does not have sufficient staff to \nanalyze security information. It cannot develop internal \ncapacity because contractors outnumber Federal employees by 3 \nto 1. It has not developed leadership consistency because US-\nCERT has had four directors in 5 years. Given these \nadministrative failures, it should come as no surprise that \nday-to-day operations may suffer.\n    According to the President\'s National Security Strategy \nreleased this month, Federal cyber networks must be secure, \ntrustworthy, and resilient. DHS must be a major actor in this \nNation\'s effort to secure the Federal computer networks.\n    In addition to the Federal Government, DHS must reach out \nto State, local, and Tribal governments as well as the private \nsector to assure the protection and resiliency of our cyber \ninfrastructure. But none of this can occur without adequate \nstaffing, planning, and funding. Today we must pledge to become \nas committed to secure our networks as our enemies are \ncommitted to breach them.\n    Again, I want to thank our witnesses for agreeing to attend \nand testify today, and I look forward to that testimony.\n    [The statement of Chairman Thompson follows:]\n\n           Prepared Statement of Chairman Bennie G. 
Thompson\n                             June 16, 2010\n\n    Today\'s hearing, entitled ``Cybersecurity: DHS\' Role, Federal \nEfforts, and National Policy\'\' will examine the Department of Homeland \nSecurity\'s efforts to secure cyberspace. Since 1997, GAO has designated \ninformation security as a high-risk area in the Federal Government. Ten \nyears later, information security is still high-risk.\n    Some would say that it is the difficulty of this task that keeps us \nfrom achieving it. But I know that few things worth doing are easy. \nSecuring the Federal Government\'s networks from a wide array of cyber \nattackers is not easy. But few tasks are more necessary.\n    According to GAO, the cybersecurity incidents reported by Federal \nagencies have increased 400 percent in the last 4 years, from 5,503 \nincidents in fiscal year 2006 to about 30,000 incidents in fiscal year \n2009. Whether the military or intelligence-gathering operations of \nforeign nations; domestic or international terrorist groups; lone wolf \nhate-driven individuals; common criminals, or thrill-seeking hackers, \nthose attempting to infiltrate and exploit this country\'s computer \nnetworks are both numerous and determined.\n    But they will not win if we match their determination with our \nresolve and defeat their abundance with our expertise. As the lead \nagency for cybersecurity in Federal civilian agencies, the Department \nof Homeland Security is responsible for guiding and directing the \nFederal efforts to defeat this multi-faceted cyber enemy. So my \nquestion today is: Does the Department have what it needs to win this \nwar?\n    US-CERT--the office within the Department that is charged with \nleading our cyber defense efforts--has significant deficiencies. It does \nnot have sufficient staff to analyze security information. It cannot \ndevelop internal capacity because contractors outnumber Federal \nemployees by about 3 to 1. 
It has not developed leadership consistency \nbecause US-CERT has had four directors in 5 years. Given these \nadministrative failings, it should come as no surprise that day-to-day \noperations may suffer.\n    According to the President\'s National Security Strategy released \nlast month, Federal cyber networks must be ``secure, trustworthy, and \nresilient.\'\'\n    DHS must be a major actor in this Nation\'s efforts to secure the \nFederal computer networks. In addition to the Federal Government, DHS \nmust reach out to State, local, and Tribal governments as well as the \nprivate sector to assure the protection and resiliency of our cyber \ninfrastructure. But none of this can occur without adequate staffing, \nplanning, and funding. Today, we must pledge to become as committed to \nsecure our networks as our enemies are committed to breach them.\n\n    Chairman Thompson. The Chairman now recognizes the Ranking \nMember of the full committee, the gentleman from New York, Mr. \nKing, for an opening statement.\n    Mr. King. Thank you, Mr. Chairman. Thank you for holding \nthis hearing, which the Republican Members requested several \nmonths ago, to address the serious and growing threat of cyber \nattacks on our Government and private sector networks. I would \nlike to thank all of the witnesses appearing today and \nespecially welcome back Stewart Baker. It is great to see him \nand to thank him for his terrific service for the Department of \nHomeland Security. Great to see you, Stu.\n    We requested this hearing because cyber attacks have risen \nto epidemic levels in the United States and are increasing. \nCritical intellectual property is regularly stolen and fraud is \nrampant. As stated in the National Security Strategy, quote, \ncybersecurity threats represent one of the most serious \nNational security, public safety, and economic challenges we \nface as a Nation. 
The Deputy Assistant of the FBI\'s Cyber \nDivision has said that cyber attackers pose a threat to the \nexistence of the United States as we know it.\n    General Alexander, recently appointed head of the U.S. \nCyber Command, noted that cyber threats are evolving from data \ntheft and temporary disruption to sabotage, which gives the \nUnited States pause for concern. The former DNI, Mike \nMcConnell, stated, if the Nation went to war today in a cyber \nwar, we would lose.\n    The United States needs a robust plan for mitigating cyber \nthreats, yet the Federal response remains fragmented. The \nUnited States needs to move forward with continuous monitoring \nof Federal network traffic for malicious activity so that we \ncan increase situational awareness and fight cyber attacks in \nreal time. The cyber threat must be anticipated and not \naddressed after the fact.\n    I would note that Chairman Lieberman and Senator Collins \nrecently took a major step forward in coordinating and \nclarifying Federal policy when they introduced the Protecting \nCyberspace As a National Asset Act of 2010. In a very positive \nstep, the Lieberman-Collins bill codifies the role of the \nDepartment of Homeland Security as the lead agency to \ncoordinate the protection of Federal systems against cyber \nattacks and to coordinate with the private sector on the \nprotection of critical information infrastructure.\n    The bill also empowered DHS with the enforcement authority \nnecessary to carry out its mission. 
That lack of adequate \ndepartmental authority was prominently raised in the Inspector \nGeneral\'s report that was released today, and this committee \nshould work quickly to address that serious deficiency.\n    I strongly support the legislation introduced by Chairman \nLieberman and Senator Collins, and I look forward to working \nwith my House colleagues to introduce companion legislation \npromptly.\n    I thank the Chairman and I yield back the balance of my \ntime.\n    Chairman Thompson. Other Members of the committee are \nreminded that under committee rules opening statements may be \nsubmitted for the record.\n    [The statement of Hon. Richardson follows:]\n\n            Prepared Statement of Honorable Laura Richardson\n                             June 16, 2010\n\n    Mr. Chairman, thank you for convening this hearing today on the \nDepartment of Homeland Security\'s efforts to secure cyberspace. I thank \nour distinguished panel of witnesses for appearing before us today to \nshare with us the work they are doing on this issue and their \nrecommendations for what else needs to be done.\n    The National cybersecurity effort is a top Presidential priority. \nIt was not until 2008 that the Bush administration sought to reevaluate \nthe Federal mission in cyberspace, so I am pleased that this reform \neffort is one of President Obama\'s main concerns. Our Government and \nthe Congress are years late in coming up with a comprehensive security \neffort for cyberspace, as cybersecurity threats represent one of the \nmost serious National security, public safety, and economic challenges \nfaced by this Nation. 
A complete cybersecurity policy and plan is a key \ncomponent of keeping our homeland safe, so I am pleased that today this \ncommittee will get a chance to delve into the issues surrounding this \npolicy.\n    As the Government and the private sector rely more and more on \ncomputers and digitized information in our everyday life, we also face \nmore and more risks on that front. For example, in the Federal sector, \nmany kinds of information may present an appealing target including \nNational security information, taxpayer data, Social Security records, \nmedical records and proprietary data. Just this past week, a \ncybersecurity sweep at Penn State University, a State university, found \nthe Social Security numbers of 25,000 individuals may have been exposed \nto a security breach because of infected computers.\n    It concerns me that in the fiscal year 2009 Government \nAccountability Office (GAO) performance and accountability reports, 21 \nof 24 major Federal agencies noted that inadequate information system \ncontrols over their financial systems and information were either a \nmaterial weakness or a significant deficiency. There were numerous \nreasons cited for this inadequacy, including lack of awareness, \nunderstanding, and interest of technical and policy issues in Executive \nand Legislative branches. If we do not make cybersecurity a priority, \nour security will continue to be in jeopardy.\n    I realize that addressing this problem has been a difficult \nchallenge for the Department of Homeland Security due to the number of \nagencies involved, funding levels, and need for direction. However, \nthis hearing is an excellent opportunity to examine what Congress can \ndo to further DHS\'s efforts in this area. I look forward to the \ntestimony of our distinguished panel of witnesses as to where \nimprovements need to be made.\n    Thank you again, Mr. Chairman, for convening this hearing. 
I yield \nback the balance of my time.\n\n    Chairman Thompson. I welcome our witnesses today. We will \nhave only one panel of witnesses.\n    Our first witness is Mr. Greg Schaffer, the Assistant \nSecretary for Cybersecurity and Communications. Mr. Schaffer \noversees, among other things, the operations of the National \nCybersecurity Division, which includes the United States \nComputer Emergency Readiness Team, US-CERT. Welcome, Mr. \nSchaffer.\n    Our second witness, no stranger to this committee, is Mr. \nRichard Skinner, the Department of Homeland Security Inspector \nGeneral. As Inspector General, Mr. Skinner is responsible for \noverseeing audits, investigations, and inspections relating to \nthe programs and operations of the Department. Welcome, Mr. \nSkinner.\n    Our third witness is Mr. Greg Wilshusen, Director of \nInformation Security Issues at the Government Accountability \nOffice. GAO serves as the principal and trusted investigative \narm of Congress. GAO has performed dozens of engagements on the \ntopic of cybersecurity, many of them at the request of this \ncommittee. Welcome, Mr. Wilshusen.\n    Our final witness, no stranger to this committee either, is \nMr. Stewart Baker. Mr. Baker is former Assistant Secretary for \nPolicy at the Department of Homeland Security. He is currently \na partner in Steptoe & Johnson, LLP, as well as an author of a \nrecently released text on matters of interest. Welcome.\n    We thank our witnesses for being here today. Without \nobjection, the witnesses\' full statements will be inserted in \nthe record. I now recognize Assistant Secretary Schaffer to \nsummarize his statement for 5 minutes.\n\n      STATEMENT OF GREGORY SCHAFFER, ASSISTANT SECRETARY, \n   CYBERSECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Mr. Schaffer. 
Chairman Thompson, Ranking Member King, and \ndistinguished Members of the committee, it is a pleasure to \nappear before you today to discuss the Department of Homeland \nSecurity\'s cybersecurity mission. I will provide an update on our \nefforts to better secure the systems and networks of the \nFederal Executive branch and of the critical infrastructure \nwhile strengthening our public-private partnerships. The \nPresident has clearly laid out DHS\'s roles and responsibilities \nfor protecting Nationally critical civilian networks. DHS has \nthe lead to secure Federal civilian systems, sometimes \ndescribed as the dot-gov domain. DHS works with critical \ninfrastructure and key resources owners and operators to \nbolster their cybersecurity preparedness, risk mitigation, and \nincident response capabilities.\n    At the Department, we have focused our efforts on enhancing \nthe cybersecurity posture of the Nation by improving our \ncapacity to prevent, identify, respond to, and recover from \ncyber threats, which are becoming more targeted, more \nsophisticated, and more numerous.\n    The administration\'s focus on addressing these threats is \nclear. Consistent with the President\'s cyberspace policy \nreview, the Department has a number of foundational and \nforward-looking efforts underway to reduce cyber risk. \nElevating these cyber risk reduction efforts, the Department\'s \nQuadrennial Homeland Security Review made cybersecurity one of \nthe Department\'s top five mission areas. The QHSR details two \noverarching goals for cybersecurity: To help create a safe, \nsecure, and resilient cyber environment and to promote \ncybersecurity knowledge and innovation. 
DHS\'s work towards \nthese goals is carried out largely within the Office of \nCybersecurity and Communications, which I lead, a component of \nthe National Protection and Programs Directorate with \nsignificant contributions being made by other DHS offices.\n    I would like to highlight a few of the key programs today. \nFirst, the Trusted Internet Connection Initiative is working to \nreduce and consolidate external access points across the \nFederal enterprise, manage security requirements, and ensure \ncompliance with program policies. This will help create an \nefficient and manageable frontline of defense for Federal \nExecutive branch civilian networks.\n    Second, the Department is deploying EINSTEIN 2 to these TIC \nlocations to monitor incoming and outgoing traffic for \nmalicious activity. EINSTEIN 2 is currently deployed and \noperational at 11 of 19 planned departments and agencies. The \nEINSTEIN 2 system is already providing us with, on average, \nvisibility into more than 278,000 indicators of potential \nmalicious activity a month.\n    Additionally, DHS is building upon the enhanced situational \nawareness that EINSTEIN 2 provides. We are working with the \nprivate sector, the National Security Agency, and a wide range \nof other Federal partners to test the technology for the third \nphase of EINSTEIN, an intrusion prevention system which will \nprovide DHS with the capability to automatically detect \nmalicious activity and disable attempted intrusions before harm \ncan be done to our critical networks and systems.\n    Furthermore, CS&C is implementing a defense in depth \napproach to cybersecurity. We are doing this through \ncomplementary efforts, including initiatives such as the OMB\'s \nnew FISMA reporting requirements, shifting away from paper \ncompliance and towards implementing solutions that actually \nimprove cybersecurity. 
DHS will provide operational support to \nagencies by monitoring and reporting progress to ensure the new \nOMB guidance is effectively implemented.\n    Another aspect of defense in depth is the protection of \ncritical infrastructure and key resources from cyber threats. \nAs part of this effort, the DHS Control System Security Program \nworks to protect critical infrastructure by providing \nexpertise, tools, and leadership to the owners of control \nsystems. DHS has trained more than 14,000 control system \noperators and has assisted in vulnerability assessments \nthroughout the country. Additionally, our Industrial Control \nSystems Cyber Emergency Response Team, the ICS-CERT provides \non-site support for incident response.\n    As we move forward, public-private cooperation is growing \never more important. We are developing a National cyber \nincident response plan that will define cyber incident roles \nand responsibilities and will provide all levels of Government \nand the private sector with a better understanding of how to \nrespond to a cyber event during a crisis.\n    It is important to note that continued success is reliant \nupon increasing the numbers of dedicated and skilled people at \nthe Department. To this end, the National Cybersecurity \nDivision tripled its Federal workforce from 35 to 118 in fiscal \nyear 2009 and we hope to more than double that number to 260 in \nfiscal year 2010. Over the past year since I took office, my \nstaff and I have worked closely with the GAO, the Inspector \nGeneral, and this committee to improve organizational \nefficiencies and implement recommendations in line with \nDepartmental priorities and our overarching approach to \ncybersecurity. 
To this end, I think both GAO and the Inspector \nGeneral will agree that much progress has been made.\n    I would like to thank the committee for the strong support \nyou have provided to the Department and thank you for this \nopportunity to testify, and I would be happy to answer any \nquestions that you may have.\n    [The statement of Mr. Schaffer follows:]\n\n                 Prepared Statement of Gregory Schaffer\n                             June 16, 2010\n\n                              INTRODUCTION\n\n    Mr. Chairman, Ranking Member King, and distinguished Members of the \ncommittee, it is a pleasure to appear before you today to discuss the \nDepartment of Homeland Security\'s (DHS) cybersecurity mission. I will \nprovide an update on our efforts to better solidify the Federal \nExecutive branch civilian networks and systems, critical \ninfrastructure, and our public-private partnerships. At the Department, \nour efforts are focused on enhancing the cybersecurity posture of the \nNation by improving our capacity to prevent, identify, respond to, and \nrecover from cyber threats.\n    As a nation, it is essential that we are aware of, and focused on, \nthe cyber threat. Just as important, the Government must be able to \nmove quickly and purposefully to address cyber threats as malicious \nactors rapidly change techniques, technology, and tradecraft. As you \nknow, Mr. Chairman, threats are becoming more targeted, more \nsophisticated, and more numerous.\n\n             OVERVIEW OF DHS CYBERSECURITY RESPONSIBILITIES\n\n    DHS is responsible for helping Federal Executive branch civilian \ndepartments and agencies to secure their unclassified networks, often \ncalled the dot-gov domain. DHS also works closely with partners across \nGovernment and in industry assisting them with the protection of \nprivate sector critical infrastructure networks. 
The Department has a \nnumber of foundational and forward-looking efforts under way, many of \nwhich stem from the Comprehensive National Cybersecurity Initiative \n(CNCI).\n    The President has described our networks as ``strategic National \nassets\'\' and called the growing number of attacks on these networks \n``one of the most serious economic and National security threats our \nNation faces.\'\' The President has also clearly laid out the roles and \nresponsibilities for protecting Nationally critical civilian networks:\n  <bullet> DHS has the lead to secure Federal civilian systems, \n        sometimes described as the dot-gov domain.\n  <bullet> DHS works with critical infrastructure and key resources \n        (CIKR) owners and operators--whether private sector, State, or \n        municipality-owned--to bolster their cyber security \n        preparedness, risk mitigation, and incident response \n        capabilities, in coordination with other Federal Sector-\n        Specific Agencies as appropriate.\n    The CNCI comprises a number of mutually reinforcing initiatives \nwith the following major goals designed to help secure the United \nStates in cyberspace:\n  <bullet> Establish a front line of defense against today\'s immediate \n        threats by creating or enhancing shared situational awareness \n        of network vulnerabilities, threats, and events within the \n        Federal Government--and ultimately with State, local, and \n        Tribal governments and private sector partners--and the ability \n        to act quickly to reduce current vulnerabilities and prevent \n        intrusions.\n  <bullet> Defend against the full spectrum of threats by enhancing \n        U.S. 
counterintelligence capabilities and increasing the \n        security of the supply chain for key information technologies.\n  <bullet> Strengthen the future cybersecurity environment by expanding \n        cyber education; coordinating and redirecting research and \n        development efforts across the Federal Government; and working \n        to define and develop strategies to deter hostile or malicious \n        activity in cyberspace.\n    DHS plays a key role in many of the activities supporting these \ngoals and works closely with our Federal partners to secure our \ncritical information infrastructure in a number of ways. We are \nreducing and consolidating the number of external connections Federal \nagencies have to the internet through the Trusted Internet Connections \n(TIC) initiative. Further, DHS continues to deploy its intrusion \ndetection capability, known as EINSTEIN 2, to those TICs. Through the \nUnited States Computer Emergency Readiness Team (US-CERT), we are \nworking more closely than ever with our partners in the private sector \nand across the Federal Government to share what we learn from our \nEINSTEIN deployments and to deepen our collective understanding, \nidentify threats collaboratively, and develop effective security \nresponses. In addition, the Department has a role in the Federal \nGovernment for cybersecurity research and development (R&D). The DHS \nScience and Technology (S&T) Directorate\'s Cyber Security R&D (CSRD) \nprogram funds activities addressing core vulnerabilities in the \ninternet, finding and eliminating malicious software in operational \nnetworks and hosts, and detecting and defending against large-scale \nattacks and emerging threats on our country\'s critical infrastructures. \nThe CSRD program includes the full R&D lifecycle--research, \ndevelopment, testing, evaluation, and transition--to produce \nunclassified solutions that can be implemented in both the public and \nprivate sectors. 
The S&T Directorate has established a Nationally \nrecognized cybersecurity R&D portfolio addressing many of today\'s most \npressing cybersecurity challenges. The CSRD program has funded research \nthat today is realized in more than 18 open-source and commercial \nproducts that provide capabilities, including the following: Secure \nthumb drives, root kit detection, worm and distributed denial of \nservice detection, defenses against phishing, network vulnerability \nassessment, software analysis, and security for process control \nsystems.\n    President Obama determined that the CNCI and its associated \nactivities should evolve to become key elements of the broader National \ncybersecurity strategy. These CNCI initiatives and their associated \nactivities will play the central role in implementing many of the key \nrecommendations of President Obama\'s Cyberspace Policy Review: Assuring \na Trusted and Resilient Information and Communications Infrastructure.\n    With the publication of the Cyberspace Policy Review on May 29, \n2009, DHS and its components have developed a long-range vision of \ncybersecurity for the Department\'s--and the Nation\'s--homeland security \nenterprise. This effort resulted in the elevation of cybersecurity to \none of the Department\'s five priority missions, as articulated in the \nQuadrennial Homeland Security Review (QHSR), an overarching framework \nfor the Department that defines our key priorities and goals and \noutlines a strategy for achieving them. 
Within the cybersecurity \nmission area, the QHSR details two overarching goals: To help create a \nsafe, secure, and resilient cyber environment, and to promote \ncybersecurity knowledge and innovation.\n    In alignment with the QHSR, Secretary Napolitano has consolidated \nthe Department\'s cybersecurity efforts under the coordination of the \nNational Protection and Programs Directorate (NPPD) and its Deputy \nUnder Secretary who also serves as the Director of the National Cyber \nSecurity Center. As NPPD leadership, we are moving aggressively to \nbuild a world-class cybersecurity team, and we have identified three \nkey priorities that enable and establish a ``system-of-systems\'\' \napproach encompassing the people, processes, and technologies needed to \ncreate a front line of defense and grow the Nation\'s capacity to \nrespond to new and emerging threats. Most immediately, we are focusing \non three priorities:\n    1. Continue enhancement of the EINSTEIN system\'s capabilities as a \n        critical tool in protecting our Federal Executive branch \n        civilian departments and agencies.\n    2. Develop the National Cyber Incident Response Plan (NCIRP) in \n        full collaboration with the private sector and other key \n        stakeholders. The NCIRP will ensure that all National \n        cybersecurity partners understand their roles in cyber incident \n        response and are prepared to participate in a coordinated and \n        managed process. The NCIRP will be tested this fall during the \n        Cyber Storm III National Cyber Exercise.\n    3. Increase the security of automated control systems that operate \n        elements of our National critical infrastructure. 
Working with \n        owners and operators of the Nation\'s critical infrastructure \n        and cyber networks, we will continue to conduct vulnerability \n        assessments, develop training, and educate the control systems \n        community on cyber risks and mitigation solutions.\n    DHS also bears primary responsibility for raising public awareness \nabout threats to our Nation\'s cyber systems and networks. Every October \nDHS, in coordination with other Federal agencies, governments, and \nprivate industry, makes a concerted effort to educate the public \nthrough the National Cybersecurity Awareness Month (NCSAM) campaign, \nand we are making progress. For example, in 2009, the Secretary of \nHomeland Security and the Deputy Secretary of Defense jointly opened \nthe campaign, we engaged in our most significant outreach ever, and all \n50 States, the District of Columbia, and the U.S. Territory of American \nSamoa, as well as seven Tribal governments, endorsed NCSAM.\n    Teamwork--ranging from intra-agency to international \ncollaboration--is essential to securing cyberspace. Simply put, the \ncybersecurity mission cannot be accomplished by any one agency or even \nsolely within the Federal realm; it requires teamwork and coordination \nacross all sectors because it touches every aspect of our lives. \nTogether, we can leverage resources, personnel, and skill sets that are \nneeded to accomplish the cybersecurity mission. The fiscal year 2011 \nNPPD budget request for cybersecurity strengthens the on-going work in \neach of the Department\'s offices to fulfill our unified mission.\n    The Office of Cybersecurity and Communications (CS&C), a component \nof NPPD, is focused on reducing risk to the Nation\'s communications and \nIT infrastructures and the sectors that depend upon them, and enabling \ntimely response and recovery of these infrastructures under all \ncircumstances. 
CS&C also coordinates National security and emergency \npreparedness communications planning and provisioning for the Federal \nGovernment and other stakeholders. CS&C is comprised of three \ndivisions: the National Cyber Security Division (NCSD), the Office of \nEmergency Communications, and the National Communications System.\n    NCSD collaborates with the private sector, Government, military, \nand intelligence stakeholders to conduct risk assessments and mitigate \nvulnerabilities and threats to information technology assets and \nactivities affecting the operation of the civilian Government and \nprivate sector critical cyber infrastructures. NCSD also provides cyber \nthreat and vulnerability analysis, early warning, and incident response \nassistance for public and private sector constituents. To that end, \nNCSD carries out the majority of DHS\' responsibilities under the CNCI.\n    Within NCSD, US-CERT leverages technical competencies in Federal \nnetwork operations and threat analysis centers to develop knowledge and \nknowledge management practices. US-CERT provides a single, accountable \nfocal point to support Federal stakeholders as they make key \noperational and implementation decisions and secure the Federal \nExecutive branch civilian networks. US-CERT\'s holistic approach enables \nFederal stakeholders to address cybersecurity challenges in a manner \nthat maximizes value while minimizing risks associated with technology \nand security investments. Further, US-CERT analyzes threats and \nvulnerabilities, disseminates cyber threat warning information, and \ncoordinates with partners and customers to achieve shared situational \nawareness related to the Nation\'s cyber infrastructure.\n    DHS is responsible for supporting Federal Executive branch civilian \nagencies in the protection and defense of their networks and systems. 
\nThe Department\'s strategy, which supports a layered defense, requires \nsituational awareness of the state of Federal networks, an early \nwarning capability, near real-time and automatic identification of \nmalicious activity, and the ability to disable intrusions before harm \nis done. DHS, through NCSD and US-CERT, developed a ``system-of-\nsystems\'\' approach to support its cybersecurity mission (noted above). \nThis overall system-of-systems is known as the National Cybersecurity \nProtection System (NCPS), in which DHS is deploying a customized \nintrusion detection system, known as EINSTEIN 2, to Federal Executive \nbranch civilian agencies to assist them in protecting their computers, \nnetworks, and information.\n    None of this is possible, however, without a comprehensive \nunderstanding of Federal Executive branch civilian networks from an \nenterprise perspective. The CNCI TIC initiative provides the Federal \nGovernment this understanding by reducing and consolidating external \naccess points across the Federal enterprise, assisting with \nmanaging security requirements for Federal agency network and security \noperations centers, and establishing a compliance program to monitor \nFederal agency adherence to TIC policies.\n    The Department is installing EINSTEIN 2 capabilities on Federal \nExecutive branch civilian networks in distinct but interconnected \nsteps. The first step, under the TIC initiative, is the consolidation \nof external connections and application of appropriate protections \nthereto. This will help create an efficient and manageable front line \nof defense for Federal Executive branch civilian networks. The goal is \nto get down to less than 100 physical locations. Our Program has been \nworking with departments and agencies to better understand how civilian \nagencies configure their external connections, including internet \naccess points, and improve security for those connections. 
In parallel \nwith learning about how agencies are configured, we are working with \nOMB and departments and agencies to consolidate their external \nconnections and as they do that DHS is deploying EINSTEIN 2 to these \nTIC locations to monitor incoming and outgoing traffic for malicious \nactivity directed toward the Federal Executive branch\'s civilian \nunclassified computer networks and systems. EINSTEIN 2 uses passive \nsensors to identify when unauthorized users attempt to gain access to \nthose networks. EINSTEIN 2 is currently deployed and operational at 11 \nof 19 departments and agencies. The EINSTEIN 2 system is already \nproviding us with, on average, visibility into more than 278,000 \nindicators of potentially malicious activity per month.\n    The TIC initiative and EINSTEIN 2 deployments are critical pieces \nof the Federal Government\'s defense-in-depth cybersecurity strategy. \nDHS is also building upon the enhanced situational awareness that \nEINSTEIN 2 provides. We currently are working with the private sector, \nthe National Security Agency, and a wide range of other Federal \npartners to test the technology for the third phase of EINSTEIN, an \nintrusion-prevention system which will provide DHS with the capability \nto automatically detect malicious activity and disable attempted \nintrusions before harm is done to our critical networks and systems.\n    For all these deployments, it is important to note that EINSTEIN \ncapabilities are being carefully designed in close consultation with \ncivil rights and civil liberties and privacy experts--protecting civil \nrights, civil liberties, and privacy remains fundamental to all of our \nefforts.\n    These accomplishments are reliant upon increasing the number of \ndedicated and skilled people at CS&C. To this end, NCSD tripled its \nFederal workforce from 35 to 118 in fiscal year 2009, and we hope to \nmore than double that number to 260 in fiscal year 2010. 
We are moving \naggressively to build a world-class cybersecurity team, and we are \nfocusing on key priorities that address people, processes, and \ntechnology.\n    Recently, the Office of Management and Budget (OMB) and the \nPresident\'s Cybersecurity Coordinator issued new Federal Information \nSecurity Management Act (FISMA) reporting requirements that will help \nour cybersecurity workforce to inculcate a culture of cyber safety. The \nnew requirements are designed to shift efforts away from compliance on \npaper and towards implementing solutions that actually improve \ncybersecurity. The new reporting requirements will automate certain \nsecurity-related activities and incorporate tools that correlate and \nanalyze information, giving the Government\'s cyber leaders manageable \nand actionable information that will enable timely decision-making. DHS \nwill provide additional operational support to agencies in securing \ntheir networks by monitoring and reporting agency progress to ensure \nthe new OMB/Cybersecurity Office guidance is effectively implemented. \nThis new reporting follows a three-tiered approach:\n  <bullet> Data feeds directly from department and agency security \n        management tools--agencies are already required to report most \n        of this information. 
It includes summary information on areas \n        such as inventory, systems and services, hardware, software, \n        and external connections.\n  <bullet> Government-wide benchmarking on security posture will help \n        to determine the adequacy and effectiveness of information \n        security and privacy policies, procedures, and practices \n        throughout the Government.\n  <bullet> Agency-specific interviews will be focused on specific \n        threats each agency faces and will inform the official FISMA \n        report to Congress.\n    Sensitive information is routinely stolen from both Government and \nprivate sector networks, undermining confidence in our information \nsystems, the information collection and sharing process, and the \ninformation these systems contain. As bad as the loss of precious \nNational intellectual capital is, we increasingly face threats that are \neven greater. We can never be certain that our information \ninfrastructure will remain accessible and reliable during a time of \ncrisis, but we can reduce the risks.\n    Perhaps more ominously, malicious cyber activity can \ninstantaneously result in virtual or physical consequences that \nthreaten National and economic security as well as public health and \nsafety or an individual\'s civil rights and civil liberties and privacy. \nThus, while we strive to prevent loss of intellectual capital from our \nnetworks, we are also working to ensure that the systems that support \nthe essential functions that underpin American society--critical \ninfrastructure and key resources (CIKR)--are protected from cyber \nthreats.\n    Of particular importance are those systems that operationally \ncontrol our critical infrastructure, such as the energy grid and \ncommunications networks. These systems must remain accessible and \nreliable during times of crisis. 
Understanding the nexus between the \nphysical and the cyber worlds is an essential mission area for the \nDepartment, and one that must permeate all of our efforts.\n    At DHS, we are very aware that some critical infrastructure \nelements are so vital to our Nation that their destruction or \nincapacitation would have a debilitating impact on National security \nand economic well-being. We recognize that partnering with the private \nsector to assist in securing critical infrastructure is one of our most \nimportant missions. One key priority is DHS\' control systems security \nprogram, which provides expertise, tools, and leadership to the owners \nof control systems. A cyber attack on a control system could result in \ndire physical consequences, even loss of life. We are providing \noperational support to the control systems community through our \nIndustrial Control Systems Cyber Emergency Response Team (ICS-CERT).\n    ICS-CERT provides on-site support for incident response and \nforensic analysis at the request of the affected entity. It also shares \nand coordinates vulnerability information and threat analysis through \ninformation products and situational alerts. Through our advanced \nvulnerability discovery laboratory, we identify vulnerabilities in \ncontrol systems and develop and distribute mitigation strategies in \npartnership with both private sector vendors and operators. The control \nsystem program also provides tools (such as the Cyber Security \nEvaluation Tool) and training to increase stakeholder awareness of the \nevolving risks to control systems. To date, DHS has helped train more \nthan 14,000 control system operators in the classroom and on the web on \nhow to deal with a variety of cyber attacks. 
We also created a \ncollection of recommended practices and informational products to \nassist owners and operators in improving the security of their control \nsystems.\n    DHS conducts site assessments of selected CIKR facilities (and \nencourages self-assessments by owners and operators of additional \nfacilities) to identify vulnerabilities and recommend enhancements. In \nlate 2009, we took steps to meet increasing industry requests by \nimplementing a dedicated cybersecurity evaluations program that ensures \nthat vulnerabilities in our key cyber infrastructure are identified \nunder a consistent and formal framework of evaluation. The program \noffice is working closely with industry to bolster their cybersecurity \npreparedness, risk mitigation, and incident response capabilities. \nThrough this direct outreach, we expect to improve our capacity to \nmeasure private sector performance in managing cybersecurity. We \nconduct these assessments in close partnership with NPPD\'s Office of \nInfrastructure Protection, recognizing the need to intertwine physical \nsecurity with cybersecurity. In just the last few weeks, we have had \nteams in Washington, Massachusetts, Missouri, Arizona, and North Dakota \nto look at individual facilities, regional clusters of critical \ninfrastructure, control systems, and business networks.\n    In addition to work done with the ICS-CERT, DHS has other efforts \ndesigned to help protect critical infrastructure and key resources. In \n2006, we established the Cross-Sector Cyber Security Working Group to \naddress cross-sector cyber risk and explore interdependencies between \nand among various sectors. The working group serves as a forum to bring \nGovernment and the private sector together to address common \ncybersecurity elements across the 18 CIKR sectors. They share \ninformation and provide input to key policy documents, such as the \nNational Strategy for Trusted Identities in Cyberspace. 
The Department \nconducts its critical infrastructure protection activities under the \nNational Infrastructure Protection Plan (NIPP) framework to facilitate \neffective coordination between Government infrastructure protection \nprograms and the infrastructure protection and resilience activities of \nthe owners and operators of CIKR resources.\n    To secure critical infrastructure, the NIPP relies on the sector \npartnership with the Federal Government. This includes Sector \nCoordinating Councils and their associated Information Sharing and \nAnalysis Centers, the Homeland Security Information Network, technology \nand service providers, specific topical working groups, and partners \nfrom across the 18 CIKR sectors. These information-sharing mechanisms \nwill continue to enhance and facilitate information exchange throughout \nthe CIKR community, private sector, and Government--making everyone\'s \nnetworks and systems more secure.\n    The Information Technology Sector Baseline Risk Assessment (ITSRA) \nis an example of public and private sector information sharing. The \ncompletion of the ITSRA last fall was a significant milestone for both \nthe NIPP sector partnership model and for the IT Sector Specific Plan \nimplementation. This important effort identifies strategic and \nNational-level risks to the IT sector and will inform risk management \nactivities across the IT sector this year. It will also focus \nadditional attention on important cross-sector IT risk-related \ndependencies and inform both Government and industry mitigations, \nresearch and development priorities, and resource decisions.\n    In this sense, it is a true force multiplier in that many sectors \nare apt to benefit from the IT sector\'s close working relationship with \nthe public sector. 
DHS will continue to work with IT sector partners to \nuse the IT sector risk management methodology to identify appropriate \nresponses for the risks identified for each IT sector critical \nfunction. This will prioritize mitigation activities and inform \ncorresponding risk management strategies to provide the greatest \nreduction to the National-level risks identified in the ITSRA. The 2010 \nCommunications Sector Risk Assessment, which is currently under way, \nwill outline security measures that will better support business \noperations and form the basis of meaningful infrastructure protection \nmetrics. This assessment will complement the ITSRA\'s functions-based \napproach and augment its 2008 assessment.\n    As we move forward, public-private cooperation is growing ever more \nimportant. We are building on already successful partnerships and \nlooking forward to new opportunities. DHS is moving toward greater, \nmore actionable sharing of information with the private sector based on \nnew analytical insights derived from a comprehensive understanding of \nthe Government-wide cyber domain. DHS has initiated several pilot \nprograms that enable the mutual sharing of cybersecurity information at \nvarious classification levels:\n  <bullet> DHS and Michigan are conducting a proof-of-concept pilot in \n        which the EINSTEIN 1 network flow monitoring technology helps \n        secure Michigan\'s dot-gov networks. 
The purpose of this study \n        is to help State governments enhance their cybersecurity and to \n        increase DHS\' overall cyber situational awareness.\n  <bullet> DHS, the Department of Defense (DOD), and the Financial \n        Services Information Sharing and Analysis Center have launched \n        a pilot designed to help protect key critical networks and \n        infrastructure within the financial services sector by sharing \n        actionable, sensitive information--in both directions--to \n        mitigate the impact of attempted cyber intrusions. This builds \n        on the products and success of DOD\'s Defense Industrial Base \n        initiative. This pilot is currently at the For Official Use \n        Only level, but shortly will be enhanced to include Secret-\n        level information.\n  <bullet> We are also working on a pilot that brings together State \n        fusion centers and private sector owners and operators of \n        critical infrastructure to provide access to Secret-level \n        classified cybersecurity information. 
The Cybersecurity \n        Partners Local Access Plan is a pilot initiative allowing \n        security-cleared owners and operators of CIKR, as well as State \n        Chief Information Security Officers and Chief Information \n        Officers, to access Secret-level cybersecurity information and \n        participate in Secret-level video teleconference calls via \n        their local fusion centers, allowing classified information \n        sharing outside of Washington, DC.\n  <bullet> DHS has instituted a Top Secret/Sensitive Compartmented \n        Information clearance program for CIKR representatives to \n        enable their engagement in analysis of the most sensitive \n        cybersecurity threat information.\n    The Department also is working in the areas of software assurance \nand supply chain management so that Government and private sector \npartners can work together to solve what is a potentially serious \nsecurity issue. We believe software developers must automate security \nand institutionalize it from the beginning in an effort to change the \ncurrent security posture from reactive to proactive.\n    Shifting to a proactive posture will also help prevent threats from \nentering our critical systems and networks, to which end software \nassurance and supply chain management are so vitally important. By \ndefinition, the private sector will have the largest role in developing \nsolutions for more secure software and in supply chain management. To \nbe sure, the Government can help by driving security requirements, but \nwe need to be creative and collaborative in developing partnerships \nbetween and among the private and public sector cyber communities to \nexchange information and ideas.\n    We need to develop a cybersecurity culture that realizes that \neveryone--Government, corporate, or private--has a vested stake in all \naspects of cybersecurity. 
For example, we need to evaluate and reflect \nupon each software failure and break in the supply chain to gain \ngreater process insights and develop long-term software assurance and \nsupply chain management solutions. To do this, we will need to \nauthenticate people, processes, and devices. In other words, we need to \ndevelop inherently secure business practices in supplying critical \nproducts. In terms of software, this means we need mechanisms that \nallow computer code to stand on its own merits and speak for itself.\n    As I mentioned earlier, DHS is taking steps to improve the overall \ncybersecurity posture of the Nation. Our approach interlocks \nstrategically with other efforts that are on-going across the Federal \nGovernment, private sector, and across the country in States and \nlocalities. One of our most important initiatives is our effort to \nimprove cybersecurity incident handling and response processes via the \nNational Cyber Incident Response Plan, or NCIRP. The goal of the NCIRP \nis to build upon the concepts and methodologies of the National \nResponse Framework, the National Incident Management System, and the \nNIPP. This is an interagency effort in coordination with State, local, \nTribal and private sector partners to define the cyber incident roles \nand responsibilities across a wide spectrum of stakeholders. The plan \nwill provide Federal agencies; State, local, and Tribal governments; \nand the private sector with a better understanding of how to respond to \na cyber event during a crisis or under normal operating conditions. We \nwill test the plan during the Cyber Storm III National Cyber Exercise \nthis fall.\n    The NCIRP will be crucial for effective incident response, which \nwill leverage the strength of our new operations center. 
During the \nfirst quarter of fiscal year 2010, DHS launched the National \nCybersecurity and Communications Integration Center (NCCIC), a facility \nthat improves our capability and capacity to detect, prevent, respond, \nand mitigate disruptions of the Nation\'s cyber and communications \nsystems. The NCCIC collocates vital IT and communications operations \ncenters, thereby converging existing incident response mechanisms and \nbetter reflecting the reality of technological convergence. Under the \nNIPP partnership framework, the collaborative activity of the NCCIC \nblends together the interdependent missions of the National \nCoordinating Center for Telecommunications, US-CERT, the DHS Office of \nIntelligence and Analysis, and the National Cyber Security Center. We \nare working through the legal and operational details to enable the \nplanned inclusion of private sector representation on the NCCIC floor.\n\n                               CONCLUSION\n\n    I appreciate the opportunity to speak with you today about the \nprogress that the Department has made and the road ahead for future \nimprovements to our Nation\'s cybersecurity. DHS is committed to working \ncollaboratively with our public, private, academic, and interagency \npartners to ensure that the cyber elements of our Nation\'s critical \ninfrastructure are secure. We strive to ensure that these systems are \nrobust enough to withstand attacks, responsive enough to recover from \nattacks, and resilient enough to sustain critical operations. We will \ncontinue to build upon our efforts and create more effective \npartnership opportunities that will allow us to make our Nation\'s \ncritical infrastructure safer and more secure.\n    Again, thank you for this opportunity to testify. I would be happy \nto answer any questions you may have.\n\n    Chairman Thompson. Thank you for your testimony, Mr. 
\nSchaffer.\n    We are now recognizing Inspector General Skinner to \nsummarize his statement for 5 minutes.\n\nSTATEMENT OF RICHARD L. SKINNER, INSPECTOR GENERAL, DEPARTMENT \n                      OF HOMELAND SECURITY\n\n    Mr. Skinner. Thank you. Good morning, Chairman Thompson and \nRanking Member King and Members of the committee. Thank you for \ninviting me here today to discuss the results of our most \nrecent report on the Department of Homeland Security\'s U.S. \nCommunity Emergency Readiness Team, or as we refer to it as US-\nCERT. If I can indulge the committee for just a few seconds, I \nwould like to introduce three staff members that I brought with \nme today, and that is Frank Deffer, Barbara Bartuska, and \nShannon Frenyea, who were very instrumental in the preparation \nof this report and very instrumental in a lot of our IT work in \nthe Department. I am often referred to as a cyber immigrant; \nthat is, I was not born into this cyber world. So a lot of this \nstuff is very, very foreign to me and I rely very heavily on \nthe people that I brought with me today to advise me.\n    No one here in this room I am sure questions the importance \nof cybersecurity. Our economy, our critical infrastructure, our \nNational security all rely on technology and I think we have \na very important mission here, departmentally and in security, \nto make sure we protect that technology.\n    The Department in my opinion has come a long way since 9/11 \nin protecting cybersecurity, particularly in the last 2 years. \nThey have been working very, very hard in building \nrelationships and building partnerships and developing \nguidelines and issuing reports and building infrastructure \nwithin the Department to address cybersecurity on a National \nscale. But as our audit demonstrated, there is a lot more that \nneeds to be done. There are a lot of challenges out there. 
We \nraise essentially five issues that we think have hindered or are \nhindering our ability to move forward.\n    One is sustaining leadership. Over the last 5 years, US-\nCERT has had five directors. In our opinion, we think that in \nfact can impede and is in fact impeding our ability to move \nforward. Without the leadership to direct our strategic plans \nand guide our day-to-day operations, it is going to slow us \ndown.\n    The second thing is the investment of resources. It was not \nuntil 2008 that the Secretary of the Department of Homeland Security \nidentified cybersecurity as a top priority. Now, when you \ninterpret that into dollars, it was not until 2010 that the \nfunds were put aside or increased to allow the Department to build \nits cybersecurity capabilities. If you look at 2008, I think \nthere were only 38 people working in US-CERT. There is now \nauthorization to bring that up to 98 people. But I believe as \nof this past week or as of last Friday, there were only 55 of \nthose people on board. For a variety of reasons it is very, \nvery difficult not to just bring bodies on board, but to bring \nthe right talent on board. There are a lot of efforts underway \nto bring those people on board. But it is slow. Until we have \nthose resources, we are going to continue to run into \nimpediments in implementing our National cybersecurity \nstrategy.\n    The third thing I think that is very important--and this is \nwhere I think Congress can play a very important role--and that \nis the lack of authority to enforce its guidelines and its \nrecommendations. The US-CERT makes recommendations to other \nFederal agencies and to its critical infrastructure and issues \nguidelines. 
What they cannot do is compel compliance and \nuntil they have that authority or until there are mechanisms in \nplace to ensure that compliance is, in fact, taking place, we \nare going to continue to experience problems.\n    The fourth thing I think that needs to be recognized is \nthat we are not in this alone. This is a partnership. We rely \nvery, very heavily on the private sector and within our Federal \npartners. If you look around, one of the things that I thought \nwas very interesting when we did our review is that it was only \n21 Federal agents or 20 Federal agencies, one State agency that \nhas EINSTEIN or installed EINSTEIN into their infrastructure. \nTwenty-one in all of Federal Government. There is a variety of \nreasons why we are not moving faster there. One, it could be a \nresource issue, a financial issue, it could be a technological \nissue. But there are many reasons why we cannot install more. \nBut we need to put pressure on our Federal partners, our \nstakeholders in the private sector, to start taking \ncybersecurity a little more seriously, or a lot more seriously \nand start using the tools that we have developed to help them \nto secure their networks, communication systems and their \ncomputers.\n    The last thing I would like to just mention I think is \nsomething that we can do a better job of, but it requires \nadditional resources and it requires an investment of time. \nThat is our outreach efforts, our education, and our training \nprograms in our communications with our partners and our \nstakeholders. I know we have come a long way. We are doing a \nlot better job of that. The Department is doing a lot better \njob of that. But we still have a long way to go.\n    Many of the stakeholders we talked to during the course of \nour audit complained, No. 1, that they didn\'t understand \nEINSTEIN; No. 2, they weren\'t adequately trained on EINSTEIN \nonce they did have it; No. 
3, they did not feel that the \ninformation was being adequately shared as a result of some of \nthe work that US-CERT is doing. We recommend in our report that \nin essence we need to explore better ways to ensure that our \npartners are fully informed and understand what we are doing, \nwhy we are doing it, and when we are doing it. I think that can \ngo a long way. That is education, training, and outreach and \ncommunications.\n    In summary, let me just say there is a lot of progress \nhere, but nonetheless, there is a lot more that needs to be \ndone and I think that we are heading in the right direction. I \nthink US-CERT is heading in the right direction, the Department \nis heading in the right direction. We are starting to invest \nresources, but it is going to take time. It is not going to \nhappen next week. It is going to take a sustained effort.\n    Thank you. That concludes my opening remarks. As always, of \ncourse, I will be happy to answer any questions you may have.\n    [The statement of Mr. Skinner follows:]\n\n                Prepared Statement of Richard L. Skinner\n                             June 16, 2010\n\n    Chairman Thompson, Ranking Member King, and Members of the \ncommittee: Thank you for inviting me here today to discuss the \nDepartment of Homeland Security\'s U.S. Computer Emergency Readiness \nTeam, or US-CERT.\n    My testimony today will address US-CERT\'s progress made thus far, \nand remaining challenges for its analysis and warning program. The \ninformation provided in this testimony is contained in our June 2010 \nreport, ``U.S. 
Computer Emergency Readiness Team Makes Progress in \nSecuring Cyberspace, but Challenges Remain\'\' (OIG-10-94).\n\n                               BACKGROUND\n\n    The Department of Homeland Security (DHS) is responsible for \ndeveloping the National cyberspace security response system, which \nincludes providing crisis management support and coordinating with \nother agencies to provide warning information. The National Cyber \nSecurity Division (NCSD) created US-CERT in 2003 to protect the Federal \nGovernment network infrastructure by coordinating efforts to defend \nagainst and respond to cyber attacks. Specifically, US-CERT is \nresponsible for analyzing and reducing cyber threats and \nvulnerabilities, disseminating cyber threat warning information, and \ncoordinating cyber incident response activities.\n    Additionally, US-CERT collaborates with Federal agencies, the \nprivate sector, the research community, academia, State, local, and \nTribal governments, and international partners. Through coordination \nwith various National security incident response centers in responding \nto potential security events and threats on both classified and \nunclassified networks, US-CERT disseminates cybersecurity information \nto the public.\n    Further, NCSD developed the National Cybersecurity Protection \nSystem, operationally known as Einstein, to provide US-CERT with a \nsituational awareness snapshot of the health of the Federal \nGovernment\'s cyberspace. US-CERT manages Einstein and maintains its \npublic website and secure portal to fulfill the mission. Technologies, \nsuch as Einstein, enable US-CERT to detect unusual and previously \nidentified network traffic patterns and trends that signal \nunauthorized, threatening, or risky network activities and categorize \nanomalous activity that could pose a risk to US-CERT constituents. US-\nCERT uses other systems in addition to Einstein. 
Through fusion of \ninformation received from all of these sources, US-CERT is able to \nprioritize and escalate cyber activity appropriately, coordinate \nincident response activities, and share alerts, warnings, and \nmitigation strategies regarding threats and vulnerabilities.\nActions Taken to Address Cybersecurity\n    US-CERT has made progress in developing and implementing the \ncapabilities to detect and mitigate cyber incidents across Federal \nagencies\' networks. Similarly, US-CERT leads and coordinates efforts to \nimprove the Nation\'s cybersecurity posture, promote cyber information \nsharing, and mitigate cyber risks.\n    For example, the Office of Cybersecurity and Communications \ndeveloped the National Cybersecurity and Communications Integration \nCenter (NCCIC), which is a unified operations center to address \nsecurity threats and incidents that may affect the Nation\'s critical \ninformation systems and network infrastructure. The NCCIC consists of \nthe following organizations: National Communications System, National \nCoordinating Center; NCSD, US-CERT; NCSD Industrial Control System \nCyber Emergency Response Team; Office of Intelligence and Analysis; \nNational Cybersecurity Center; Department and Agency, Security \nOperations Centers; Law Enforcement and Intelligence Community; and the \nprivate sector. Specifically, the NCCIC helps DHS to fulfill its \nmission to secure cyberspace by supporting the decision making process \nfor the Federal Government, and enabling incident response through \nshared situational awareness. 
As a result, the NCCIC serves as the \n``central repository\'\' for the cyber protection efforts of the Federal \nGovernment and its private sector partners.\n    Other actions designed to improve the expertise of US-CERT staff \nand information sharing include the following:\n  <bullet> Conducting in-person and on-line training to increase \n        individual\'s knowledge, skills, and abilities regarding \n        specific information topics that are relevant to US-CERT \n        operations. Training relates to packet capture analysis and \n        signature development; malware; and web browser security.\n  <bullet> Participating in public and private sector working groups to \n        promote information sharing and collaboration. The working \n        groups assist in the coordination and mitigation of computer \n        and cybersecurity incidents as well as the development of best \n        security practices.\n  <bullet> Distributing US-CERT products regarding specific \n        vulnerabilities and situational awareness, as well as quarterly \n        trend and analysis reports, to public and private sectors.\n\nImprovements Needed to Strengthen the Cybersecurity Program\n    Notwithstanding its many accomplishments over the past several \nyears, US-CERT is still hindered in its ability to provide an effective \nanalysis and warning program for the Federal Government in a number of \nways. Specifically, US-CERT does not have the appropriate enforcement \nauthority to help mitigate security incidents. Additionally, it is not \nsufficiently staffed to perform its mission. 
Further, US-CERT has not \nfinalized and approved its performance measures and policies and \nprocedures related to cybersecurity efforts.\n            Enforcement Authority Could Help Mitigate Security \n                    Incidents\n    US-CERT does not have the appropriate enforcement authority to \nensure that agencies comply with mitigation guidance concerning threats \nand vulnerabilities. It needs the authority to enforce its \nrecommendations so that Federal agencies\' systems and networks are \nprotected from potential cyber threats. Without this authority, US-CERT \nis limited in its ability to mitigate effectively ever evolving \nsecurity threats and vulnerabilities.\n    However, US-CERT was not given the authority to compel agencies to \nimplement its recommendations to ensure that system vulnerabilities and \nincidents are remediated timely. US-CERT management officials stated \nthat the proposed Federal Information Security Management Act (FISMA) \n2008 legislation would have given it some leverage to implement \nincident response and cybersecurity recommendations. For example, the \nproposed legislation would have required agencies to address incidents \nthat impair their security. Further, the agencies would have had to \ncollaborate with others if necessary to address the incidents. \nAdditionally, agencies would be required to respond to incidents no \nlater than 24 hours after discovery or provide notice to US-CERT as to \nwhy no action was taken. Finally, agencies would have had to ensure \nthat information security vulnerabilities were mitigated timely. Since \nthe proposed legislation was not approved, US-CERT remains without \nenforcement authority.\n    US-CERT\'s notices contain recommendations that address the threats \nand vulnerabilities in Federal agencies\' infrastructures. Additionally, \nUS-CERT products help to update Federal information security policy and \nguidance. 
However, without the enforcement authority to implement \nrecommendations, US-CERT continues to be hindered in coordinating the \nprotection of Federal cyberspace.\n\n            Additional Staffing Could Help Meet Mission\n    US-CERT does not have sufficient staff to perform its 24/7 \noperations as well as to analyze security information timely. US-CERT \nis charged with providing response support and defense against cyber \nattacks for the Federal Civil Executive branch (.gov) and information \nsharing and collaboration with State and local government, industry, \nand international partners. Without sufficient staffing, US-CERT cannot \ncompletely fulfill its responsibilities to analyze data and reports to \nreduce cyber threats and vulnerabilities as well as support the public \nand private sectors.\n    Although US-CERT\'s authorized positions were increased from 38 in \n2008 to 98 in 2010, as of January 2010, only 45 positions are filled. \nIn October 2009, the DHS Secretary announced that cybersecurity is an \nurgent priority for the Nation and the Department would hire additional \ncyber analysts, developers, and engineers to ensure that crucial \ncomputer networks are not vulnerable to possible cyber attacks. \nCurrently, US-CERT augments its staffing shortages by contractor \nsupport.\n\n            Strategic Plan and Performance Measures are Needed\n    US-CERT has not developed a strategic plan to formalize goals, \nobjectives, and milestones. Specifically, US-CERT has not identified or \nprioritized key activities for the division to monitor its progress in \naccomplishing its mission and goals. Without a strategic plan and \nperformance measures, US-CERT may have difficulty in achieving its goal \nto provide response support and defense against potential cyber attacks \nfor the Federal Government.\n    According to program officials, US-CERT is developing a strategic \nplan and revising the performance measures to align with the strategic \nplan. 
The strategic plan should describe how US-CERT will perform its \ncritical role by identifying and aligning goals, objectives, and \nmilestones through a variety of means and strategies. Also, the \nstrategic plan should contain performance measures related to specific \nprograms, initiatives, products, and outcomes.\n    As the sophistication and effectiveness of cyber attacks have been \nsteadily advancing in recent years, a strategic plan can help US-CERT \nto ensure that critical milestones and goals are accomplished in a \ntimely manner. Further, a strategic plan and performance measures will \naid US-CERT in evaluating its progress in building an effective \norganization capable of mitigating long-term cyber threats and \nvulnerabilities and improve program operations by promoting the \nappropriate application of information resources.\n\n            Policies and Procedures Have Not Been Approved\n    US-CERT has not approved its policies and procedures to ensure that \nmanagement and operational controls are implemented to defend against, \nanalyze, and respond to cyber attacks. Without the approved policies \nand procedures, US-CERT may be hindered in its ability to respond to \nsecurity incidents effectively and promote continuity of operations and \nconsistency.\n    Leadership and staff turnover and a continually evolving mission \nhave hindered US-CERT\'s past efforts to update its standard operating \nprocedures. Under the prior director, US-CERT outsourced to contractors \noff-site the function to maintain and update procedures. The process of \nupdating the procedures was discontinued once the director departed. \nFurther, US-CERT officials determined that the outsourced procedures \ndid not fully address the mission or the day-to-day activities that \ncyber analysts encounter. 
According to the officials, outsourcing off-\nsite was not the best method to update these policies and procedures \nsince US-CERT personnel have a better understanding of its mission. \nAfter internal reassessment, US-CERT officials decided to use \ncontractor support on-site to develop more concise and direct SOPs.\n    Currently, US-CERT is in the process of developing approximately \n80-90 standard operating procedures (SOP) for its four sections \npertaining to various areas of activity, such as network and targeted \nanalyses, malware submission handling, and signature template \ndevelopment. The goal is to have a structure that maps to functions, \nroles, the organization, and the mission. US-CERT is attempting to make \nthe procedures understandable and practical with contents based on \nanalysts\' experiences.\n\nBetter Information Sharing and Communication Can Enhance Coordination \n        Efforts With the Public\n    US-CERT needs to improve its information sharing and communication \nefforts with Federal agencies to ensure that threats and \nvulnerabilities are mitigated timely. Specifically, officials from \nother Federal agencies expressed concerns that US-CERT was unable to \nshare near real-time data and classified and detailed information to \naddress security incidents.\n    We interviewed officials from eight Federal agencies to obtain \nfeedback on Einstein and to determine whether US-CERT shared sufficient \ninformation and communicated effectively. Overall, these agency \nofficials indicated that Einstein is an effective tool but expressed \nconcerns regarding the effectiveness of US-CERT\'s information sharing \nand communication.\n    Officials from six agencies expressed concerns regarding US-CERT \nnot sharing Einstein data and analysis results. According to some of \nthe Federal agency officials we interviewed, US-CERT agreed that they \nwould have access to the Einstein flow data but subsequently did not \nprovide the information. 
This data could assist agencies in performing \nanalyses with their locally collected data to identify potential \nthreats and vulnerabilities. Also, agency officials stated that it \nwould be helpful for US-CERT to list which agencies are being attacked \nand provide common trends to other agencies to determine whether the \nincident is isolated or systemic.\n    Further, agencies indicated that US-CERT has not provided \nsufficient training on the Einstein program. Some agencies indicated \nthat they received compact disks, portable document format brochures, \nand handbooks about the Einstein program, while other agencies received \nnothing. Agencies indicated that they would like to receive additional \nEinstein training from US-CERT.\n    US-CERT officials acknowledged that there are communications issues \nregarding sharing classified and detailed information with other \nagencies. For example, US-CERT collects and posts information from \nseveral systems and sources to different portals, all of which have \ndifferent classification levels. As a result, US-CERT officials believe \nthat communications needs could be best addressed by developing a \nconsolidated information sharing portal. The consolidated portal could \nprovide a multiple classification platform and serve as a central \nrepository to meet the needs of the stakeholders.\n    A challenge US-CERT faces is that many intelligence agencies \ncommunicate classified information on Top Secret/Sensitive \nCompartmented Information networks. Since not all agencies have access \nto classified networks, US-CERT is limited in what it can convey. Some \nagencies do not have secure facilities, equipment, and cleared \npersonnel to send or receive classified information.\n    Additionally, US-CERT has to deal with the various network \narchitectures of the different agencies. 
Since US-CERT does not have \naccess to each agency\'s architecture, it is imperative to have the \nagency Chief Information Officer (CIO) and Chief Information Security \nOfficer (CISO) involved in addressing cyber activities. Establishing \ndirect, regular communication with agency CIOs/CISOs or key security \nassurance personnel ensures that US-CERT\'s cybersecurity efforts are \nimplemented. For example, US-CERT and the CIO/CISO can determine what \nshould be implemented to improve the agency\'s situational awareness. \nFurther, they can address network and cybersecurity challenges such as \nfragmented infrastructures, legacy systems, and limited budgets.\n    Currently, US-CERT uses working groups and portals to share \ninformation with the public and private sectors. For example, US-CERT \nestablished the Joint Agency Cyber Knowledge Exchange and Government \nForum of Incident Response and Security Teams (GFIRST) to facilitate \ncollaboration on detecting and mitigating threats to the ``.gov\'\' \ndomain and to encourage proactive and preventative security practices. \nThe Joint Agency Cyber Knowledge Exchange meetings are held at a \nclassified level to discuss threat-related tactics, techniques, and \nprotocol. Additionally, US-CERT disseminates various reports and \nnotices through the GFIRST and US-CERT portals. Products US-CERT \ndisseminates include: Situational Awareness Reports, Critical \nInfrastructure Information Notices, Federal Information Notices, Early \nWarning Indicator Notices, and Malware Initial Findings Reports. These \nproducts contain a summary of the incident, mitigation strategies, and \nbest practices. The products are disseminated to stakeholders on an as-\nneeded, daily, monthly, or quarterly basis.\n    It is essential that US-CERT and the public and private sectors \nshare cybersecurity information to ensure that appropriate steps can be \ntaken to mitigate the potential effect of a cyber incident. 
US-CERT \ncannot defend against and respond consistently and effectively to \ncyberactivity without other agencies\' involvement. By sharing potential \nsecurity threats collected through its data sources, US-CERT can \nprovide agencies with detailed information regarding attacks to their \nnetworks.\n\nImproved Situational Awareness and Identification of Network Anomalies \n        Can Better Protect Federal Cyberspace\n    US-CERT is unable to monitor Federal cyberspace in real time. The \ntools US-CERT uses do not allow real-time analyses of network traffic. \nAs a result, US-CERT will continue to be challenged in protecting the \nFederal cyberspace from security-related threats.\n    Currently, US-CERT maintains near real-time situational awareness \nas it performs information aggregation activities. US-CERT collects \ndata real-time but it must perform analysis on the data in near real-\ntime. Cyber analysts receive information from a variety of sources and \nother US-CERT activities to identify potential incidents and to assess \ntheir possible scope and impact on the Nation\'s cyber infrastructure.\n    Einstein is being deployed in three different versions, whereby, \neach builds on the capabilities of the previous version:\n  <bullet> Einstein 1 (E1) collects and relies on net flow analysis \n        capability and uses net flow collectors. Net flow data is \n        queried for analysis.\n  <bullet> Einstein 2 (E2) is an intrusion detection system, but is \n        still passive, performing analysis while traffic is continuous. \n        E2 looks for anomalous activity from net flow information based \n        on every session between two computers on the internet. E2 is \n        more beneficial for detecting and mitigating cyber incidents \n        because of its ability to analyze packet data. 
Additionally, E2 \n        performs full session packet analysis.\n  <bullet> Einstein 3 (E3) draws on commercial technology and \n        specialized Government technology to conduct real-time full \n        packet inspection and threat-based decision-making on network \n        traffic entering or leaving the Executive branch networks. This \n        system also deploys an intrusion prevention feature.\n    With Einstein, US-CERT can gather more network traffic information \nand identify cyber activity patterns. However, US-CERT cannot capture \nall network traffic because Einstein has not been deployed to all \nFederal agencies. Initially, the deployment of E1 to Federal agencies \nwas entirely voluntary. In September 2008, OMB made Einstein part of \nthe Trusted Internet Connections initiative and required all agencies \nto install sensors on their networks.\n    As of October 2009, NCSD\'s Network Security Deployment Branch had \ndeployed E1 to 19 agencies and E2 to 8 agencies. Currently, US-CERT is \nconducting a pilot exercise of E3 to evaluate its capabilities. \nAccording to the Comprehensive National Cybersecurity Initiative and \nUS-CERT officials, E3 will contain real-time full packet inspection and \nan intrusion prevention feature. These additions should give US-CERT \nbetter response and monitoring capabilities.\n    According to US-CERT officials, many agencies have not installed \nEinstein because they have not consolidated their gateways to the \ninternet. Further, some agencies have fragmented networks and must \nupgrade their architectures before Einstein can be deployed.\n    Additionally, US-CERT does not have an automated correlation tool \nto identify trends and anomalies. With this vast amount of network \ntraffic, US-CERT experienced a long lead time to analyze potential \nsecurity threats or abnormalities. To reduce the lead time, NCSD \npurchased an automated correlation tool to analyze the vast amount of \ndata from Einstein. 
However, US-CERT is currently experiencing problems \nwith reconfiguring the tool to collect data and understand the overall \ndata flow. US-CERT management stated that it may be 6 months before the \nproblems are corrected and the benefits of the system can be seen.\n    An effective analysis and warning program is critical to secure the \nFederal information technology infrastructure. For US-CERT to perform \nits responsibilities successfully it must have sufficient state-of-the-\nart technical and analytical tools and technologies to identify, \ndetect, analyze, and respond to cyber attacks. Additionally, \ncybersecurity information can provide the public and private sectors \nwith valuable input for mitigating risks and threats, protecting \nagainst malicious attacks, and prioritizing security improvement \nefforts.\n\n                     CONCLUSION AND RECOMMENDATIONS\n\n    US-CERT has made progress in implementing a cybersecurity program \nto assist Federal agencies in protecting their information technology \nsystems against cyber threats. Specifically, it has facilitated \ncybersecurity information sharing with the public and private sectors \nthrough various working groups, issuing notices, bulletins, and \nreports, and web postings. Further, Office of Cybersecurity and \nCommunications established a unified operations center, which includes \nUS-CERT, to address threats and incidents affecting the Nation\'s \ncritical information technology and cyber infrastructure. To increase \nthe skills and expertise of its staff, US-CERT has developed a \ntechnical mentoring program to offer cybersecurity and specialized \ntraining.\n    While progress has been made, US-CERT still faces numerous \nchallenges in effectively reducing the cybersecurity risks and \nprotecting the Nation\'s critical infrastructure. 
US-CERT must continue \nto improve its ability to analyze and reduce cyber threats and \nvulnerabilities and to disseminate information through a cohesive \neffort between public and private sectors.\n    We recommended in our report that the Under Secretary of National \nProtection and Programs Directorate (NPPD) require the Director of NCSD \nto:\n  <bullet> Establish specific outcome-based performance measures and a \n        strategic plan to ensure that US-CERT can achieve its mission, \n        objectives, and milestones.\n  <bullet> Approve policies and procedures to ensure that US-CERT can \n        effectively detect, process, and mitigate incidents as well as \n        perform its roles and responsibilities in a consistent manner.\n  <bullet> Improve communications with Federal agency CIOs and CISOs to \n        address their concerns, to identify areas of improvement about \n        the program, and to enhance US-CERT\'s ability to combat \n        cybersecurity challenges.\n  <bullet> Establish a consolidated, multiple classification level \n        portal that can be accessed by the Federal partners that \n        includes real-time incident response-related information and \n        reports.\n  <bullet> Develop a process to distribute and share Einstein trends, \n        anomalies, and common/reoccurring attacks with other Federal \n        agencies.\n  <bullet> Provide training to Federal agencies on using available \n        features of Einstein to foster better cooperation in analyzing \n        and mitigating security incidents.\n  <bullet> Establish a capability to share real-time Einstein \n        information with Federal agency partners to assist them in \n        the analysis and mitigation of incidents.\n    Mr. 
Chairman and Members of the committee, you can be sure that my \noffice is committed to continuing our oversight efforts for this \nchallenging and complex issue in the months and years ahead.\n    This concludes my prepared statement, and I welcome any questions \nfrom you or Members of the committee.\n\n    Chairman Thompson. Well, I am sure we will. Thank you for \nyour testimony.\n    I now recognize Director Wilshusen to summarize his \nstatement for 5 minutes.\n\n   STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION \n          TECHNOLOGY, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Wilshusen. Chairman Thompson, Ranking Member King, and \nMembers of the committee, thank you very much for inviting me \ntoday to testify at today\'s hearing on cybersecurity.\n    Pervasive and sustained cyber attacks continue to pose a \npotentially devastating threat to the systems and operations of \nthe Federal Government. In recent testimony, the Director for \nNational Intelligence highlighted that many nation-states, \nterrorist networks, and organized criminal groups have the \ncapability to target U.S. information infrastructure for \nintelligence collection, intellectual property theft, or \ndisruption.\n    The ever-increasing dependence of Federal agencies on \ninformation systems to carry out essential everyday operations \ncan make them vulnerable to an array of cyber-based risks. \nThus, it is increasingly important that the Federal Government \ncarry out a concerted effort to safeguard its systems and the \ninformation they contain.\n    Today I would describe cyber threats to Federal systems and \ncyber-based critical infrastructures, the control deficiencies \nthat make Federal systems vulnerable to those threats, and \nopportunities that exist for improving Federal cybersecurity.\n    Mr. Chairman, cyber-based threats to Federal systems and \ncritical infrastructure are evolving and growing. 
These threats \ncan come from a variety of sources, including criminals and \nforeign nations as well as hackers and disgruntled employees. \nThese potential attackers have various techniques at their \ndisposal, which can vastly enhance the reach and impact of \ntheir actions. For example, cyber attackers do not need to be \nphysically close to their assets. Their attacks can easily \ncross State and national borders, and cyber attackers can more \nreadily preserve their anonymity.\n    Further, the interconnectivity between information systems, \nthe internet and other infrastructure creates additional \navenues for such attacks. Consistent with this, reports of \nsecurity incidents from Federal agencies are on the rise, as \nthe Chairman pointed out earlier, increasing by over 400 \npercent from fiscal year 2006 to 2009.\n    Compounding the growing number and kinds of threats, GAO \nand agency inspectors general have identified significant \nsecurity control deficiencies on Federal systems. Indeed, most \nagencies have weaknesses in most types of security controls \nsuch as access controls, configuration management, and security \nmanagement. These weaknesses affect the security of both \nfinancial and nonfinancial systems, including systems essential \nto achieving agency missions. They also continue to place \nFederal assets at risk of inadvertent or deliberate misuse, \nfinancial information at risk of unauthorized modification or \ndestruction, and critical operations at risk of disruption.\n    Fortunately, Mr. Chairman, multiple opportunities exist to \nimprove Federal cybersecurity. To address identified \ndeficiencies in agency security controls and shortfalls in \ntheir information security programs, GAO and agency IGs have \nmade hundreds of recommendations over the past several years, \nmany of which agencies are implementing. 
In addition, the White \nHouse, the Department of Homeland Security, and other Federal \nagencies have undertaken several Government-wide initiatives \nintended to enhance Federal security. While progress is made on \nthese initiatives, they all face challenges that require \nsustained attention, and GAO has made recommendations for \nimproving the implementation and effectiveness of these \ninitiatives.\n    Further, the Department of Homeland Security also needs to \nfulfill its key cybersecurity responsibilities such as \ndeveloping capabilities for ensuring the protection of cyber-\nbased critical infrastructures and developing a robust cyber \nanalysis and warning capability.\n    Finally, a GAO-convened panel of experts has made several \nrecommendations for improving the Nation\'s cybersecurity \nstrategy, including, for example, developing a National \nstrategy that articulates the goals, objectives, and priorities \nand that focuses more on prioritizing assets and assessing and \nreducing vulnerabilities and on developing additional plans. \nRealizing these opportunities for improvement can help provide \nadditional assurance that Federal information systems and \ncritical cyber-based infrastructures are effectively protected.\n    Mr. Chairman, this concludes my opening statement. I would \nbe happy to answer any questions.\n    [The statement of Mr. Wilshusen follows:]\n\n               Prepared Statement of Gregory C. Wilshusen\n\n    Chairman Thompson and Members of the committee: Thank you for the \nopportunity to testify at today\'s hearing on cybersecurity regarding \nour recent work on challenges facing Federal efforts to protect systems \nand critical infrastructure from cyber-based threats.\n    Pervasive and sustained cyber attacks against the United States \ncontinue to pose a potentially devastating impact on Federal systems \nand operations. 
In February 2010, the Director of National Intelligence \ntestified that many nation-states, terrorist networks, and organized \ncriminal groups have the capability to target elements of the U.S. \ninformation infrastructure for intelligence collection, intellectual \nproperty theft, or disruption.\\1\\ As recently as July 2009, press \naccounts reported that a widespread and coordinated attack over the \ncourse of several days targeted websites operated by major Government \nagencies, including the Departments of Homeland Security and Defense, \nthe Federal Aviation Administration, and the Federal Trade Commission, \ncausing disruptions to the public availability of Government \ninformation. Such attacks highlight the importance of developing a \nconcerted response to safeguard Federal information systems.\n---------------------------------------------------------------------------\n    \\1\\ Director of National Intelligence, Annual Threat Assessment of \nthe U.S. Intelligence Community for the Senate Select Committee on \nIntelligence, statement before the Senate Select Committee on \nIntelligence (Feb. 2, 2010).\n---------------------------------------------------------------------------\n    In my testimony today, I will describe: (1) Cyber threats to \nFederal information systems and cyber-based critical infrastructures, \n(2) control deficiencies that make Federal systems vulnerable to those \nthreats, and (3) opportunities that exist for improving Federal \ncybersecurity. In preparing this statement in June 2010, we relied on \nour previous reports on Federal information security. These reports \ncontain detailed overviews of the scope and methodology we used. The \nwork on which this statement is based was performed in accordance with \ngenerally accepted Government auditing standards. 
Those standards \nrequire that we plan and perform audits to obtain sufficient, \nappropriate evidence to provide a reasonable basis for our findings and \nconclusions based on our audit objectives. We believe that the evidence \nobtained provided a reasonable basis for our findings and conclusions \nbased on our audit objectives.\n\n                               BACKGROUND\n\n    As computer technology has advanced, Federal agencies have become \ndependent on computerized information systems to carry out their \noperations and to process, maintain, and report essential information. \nVirtually all Federal operations are supported by automated systems and \nelectronic data, and agencies would find it difficult, if not \nimpossible, to carry out their missions without these information \nassets. Information security is thus critically important. Conversely, \nineffective information security controls can result in significant \nrisks. Examples of such risks include the following:\n  <bullet> Resources, such as Federal payments and collections, could \n        be lost or stolen.\n  <bullet> Sensitive information, such as National security \n        information, taxpayer data, Social Security records, medical \n        records, and proprietary business information, could be \n        inappropriately accessed and used for identity theft or \n        espionage.\n  <bullet> Critical operations, such as those supporting critical \n        infrastructure, National defense, and emergency services could \n        be disrupted.\n  <bullet> Agency missions could be undermined by embarrassing \n        incidents that result in diminished confidence in the ability \n        of Federal organizations to conduct operations and fulfill \n        their responsibilities.\n\n   FEDERAL SYSTEMS AND INFRASTRUCTURES FACE INCREASING CYBER THREATS\n\n    Threats to Federal information systems and cyber-based critical \ninfrastructures are evolving and growing. 
Government officials are \nconcerned about attacks from individuals and groups with malicious \nintent, such as criminals, terrorists, and foreign nations. Federal law \nenforcement and intelligence agencies have identified multiple sources \nof threats to our Nation\'s critical information systems, including \nforeign nations engaged in espionage and information warfare, \ncriminals, hackers, virus writers, and disgruntled employees and \ncontractors.\n    These groups and individuals have a variety of attack techniques at \ntheir disposal. Furthermore, as we have previously reported,\\2\\ the \ntechniques have characteristics that can vastly enhance the reach and \nimpact of their actions, such as the following:\n---------------------------------------------------------------------------\n    \\2\\ GAO, Cybercrime: Public and Private Entities Face Challenges in \nAddressing Cyber Threats, GAO-07-705 (Washington, DC: June 22, 2007).\n---------------------------------------------------------------------------\n  <bullet> Attackers do not need to be physically close to their \n        targets to perpetrate a cyber attack.\n  <bullet> Technology allows actions to easily cross multiple State and \n        national borders.\n  <bullet> Attacks can be carried out automatically, at high speed, and \n        by attacking a vast number of victims at the same time.\n  <bullet> Attackers can easily remain anonymous.\n    The connectivity between information systems, the internet, and \nother infrastructures creates opportunities for attackers to disrupt \ntelecommunications, electrical power, and other critical services. As \nGovernment, private sector, and personal activities continue to move to \nnetworked operations, the threat will continue to grow.\n\nReported Security Incidents Are on the Rise\n    Consistent with the evolving and growing nature of the threats to \nFederal systems, agencies are reporting an increasing number of \nsecurity incidents. 
These incidents put sensitive information at risk. \nPersonally identifiable information about U.S. citizens has been lost, \nstolen, or improperly disclosed, thereby potentially exposing those \nindividuals to loss of privacy, identity theft, and financial crimes. \nReported attacks and unintentional incidents involving critical \ninfrastructure systems demonstrate that a serious attack could be \ndevastating. Agencies have experienced a wide range of incidents \ninvolving data loss or theft, computer intrusions, and privacy \nbreaches, underscoring the need for improved security practices.\n    When incidents occur, agencies are to notify the Department of \nHomeland Security\'s (DHS) Federal information security incident \ncenter--the United States Computer Emergency Readiness Team (US-CERT). \nAs shown in figure 1, the number of incidents reported by Federal \nagencies to US-CERT has increased dramatically over the past 4 years, \nfrom 5,503 incidents reported in fiscal year 2006 to about 30,000 \nincidents in fiscal year 2009 (over a 400 percent increase). \n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    The four most prevalent types of incidents and events reported to \nUS-CERT during fiscal year 2009 were: (1) Malicious code (software that \ninfects an operating system or application), (2) improper usage (a \nviolation of acceptable computing use policies), (3) unauthorized \naccess (where an individual gains logical or physical access to a \nsystem without permission), and (4) investigation (unconfirmed \nincidents that are potentially malicious or anomalous activity deemed \nby the reporting entity to warrant further review).\n\n          VULNERABILITIES PERVADE FEDERAL INFORMATION SYSTEMS\n\n    The growing threats and increasing number of reported incidents \nhighlight the need for effective information security policies and \npractices. 
However, serious and widespread information security control \ndeficiencies continue to place Federal assets at risk of inadvertent or \ndeliberate misuse, financial information at risk of unauthorized \nmodification or destruction, sensitive information at risk of \ninappropriate disclosure, and critical operations at risk of \ndisruption. GAO has designated information security as a high-risk area \nin the Federal Government since 1997.\n    In their fiscal year 2009 performance and accountability reports, \n21 of 24 major Federal agencies noted that inadequate information \nsystem controls over their financial systems and information were \neither a material weakness or a significant deficiency.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ A material weakness is a deficiency, or combination of \ndeficiencies, in internal control such that there is a reasonable \npossibility that a material misstatement of the entity\'s financial \nstatements will not be prevented, or detected and corrected on a timely \nbasis. A significant deficiency is a deficiency, or combination of \ndeficiencies, in internal control that is less severe than a material \nweakness, yet important enough to merit attention by those charged with \ngovernance. A control deficiency exists when the design or operation of \na control does not allow management or employees, in the normal course \nof performing their assigned functions, to prevent, or detect and \ncorrect misstatements on a timely basis.\n---------------------------------------------------------------------------\n    Similarly, our audits have identified control deficiencies in both \nfinancial and nonfinancial systems, including vulnerabilities in \ncritical Federal systems. 
For example, we reported in September 2008 \n\\4\\ that, although the Los Alamos National Laboratory--one of the \nNation\'s weapons laboratories--implemented measures to enhance the \ninformation security of its unclassified network, vulnerabilities \ncontinued to exist in several critical areas. Similarly, in October \n2009 \\5\\ we reported that the National Aeronautics and Space \nAdministration (NASA)--the civilian agency that oversees U.S. \naeronautical and space activities--had not always implemented \nappropriate controls to sufficiently protect the confidentiality, \nintegrity, and availability of the information and systems supporting \nits mission directorates.\n---------------------------------------------------------------------------\n    \\4\\ GAO, Information Security: Actions Needed to Better Protect Los \nAlamos National Laboratory\'s Unclassified Computer Network, GAO-08-1001 \n(Washington, DC: Sept. 9, 2008).\n    \\5\\ GAO, Information Security: NASA Needs to Remedy Vulnerabilities \nin Key Networks, GAO-10-4 (Washington, DC: Oct. 15, 2009).\n---------------------------------------------------------------------------\n        OPPORTUNITIES EXIST FOR ENHANCING FEDERAL CYBERSECURITY\n\n    Over the past several years, we and agency inspectors general have \nmade hundreds of recommendations to agencies for actions necessary to \nresolve prior significant control deficiencies and information security \nprogram shortfalls. For example, we recommended that agencies correct \nspecific information security deficiencies related to user \nidentification and authentication, authorization, boundary protections, \ncryptography, audit and monitoring, physical security, configuration \nmanagement, segregation of duties, and contingency planning. 
We have \nalso recommended that agencies fully implement comprehensive, \nagencywide information security programs by correcting weaknesses in \nrisk assessments, information security policies and procedures, \nsecurity planning, security training, system tests and evaluations, and \nremedial actions. The effective implementation of these recommendations \nwill strengthen the security posture at these agencies. Agencies have \nimplemented or are in the process of implementing many of our \nrecommendations.\n    In addition, the White House, OMB, and certain Federal agencies \nhave undertaken several Government-wide initiatives that are intended \nto enhance information security at Federal agencies. However, these \ninitiatives face challenges that require sustained attention:\n  <bullet> Comprehensive National Cybersecurity Initiative (CNCI).--In \n        January 2008, President Bush initiated a series of 12 projects \n        aimed primarily at improving the Department of Homeland \n        Security\'s (DHS) and other Federal agencies\' efforts to protect \n        against intrusion attempts and anticipate future threats.\\6\\ \n        The initiative is intended to reduce vulnerabilities, protect \n        against intrusions, and anticipate future threats against \n        Federal Executive branch information systems. As we recently \n        reported,\\7\\ the White House and Federal agencies have \n        established interagency groups to plan and coordinate CNCI \n        activities. However, the initiative faces challenges in \n        achieving its objectives related to securing Federal \n        information, including better defining agency roles and \n        responsibilities, establishing measures of effectiveness, and \n        establishing an appropriate level of transparency. 
Until these \n        challenges are adequately addressed, there is a risk that CNCI \n        will not fully achieve its goals.\n---------------------------------------------------------------------------\n    \\6\\ The White House, National Security Presidential Directive--54/\nHomeland Security Presidential Directive--23 (Washington, DC: Jan. 8, \n2008).\n    \\7\\ GAO, Cybersecurity: Progress Made but Challenges Remain in \nDefining and Coordinating the Comprehensive National Initiative, GAO-\n10-338 (Washington, DC: Mar. 5, 2010).\n---------------------------------------------------------------------------\n  <bullet> Federal Desktop Core Configuration (FDCC).--For this \n        initiative, OMB directed agencies that have workstations with \n        Windows XP and/or Windows Vista operating systems to adopt \n        security configurations developed by the National Institute of \n        Standards and Technology, the Department of Defense, and DHS. \n        The goal of this initiative is to improve information security \n        and reduce overall information technology operating costs. We \n        recently reported \\8\\ that while agencies have taken actions to \n        implement FDCC requirements, none of the agencies has fully \n        implemented all configuration settings on their applicable \n        workstations. In our report we recommended that OMB, among \n        other things, issue guidance on assessing the risks of agencies \n        having deviations from the approved settings and monitoring \n        compliance with FDCC.\n---------------------------------------------------------------------------\n    \\8\\ GAO, Information Security: Agencies Need to Implement Federal \nDesktop Core Configuration Requirements, GAO-10-202 (Washington, DC: \nMar. 
12, 2010).\n---------------------------------------------------------------------------\n  <bullet> Einstein.--This is a computer network intrusion detection \n        system that analyzes network flow information from \n        participating Federal agencies and is intended to provide a \n        high-level perspective from which to observe potential \n        malicious activity in computer network traffic. We recently \n        reported \\9\\ that as of September 2009, fewer than half of the \n        23 agencies reviewed had executed the required agreements with \n        DHS, and Einstein 2 had been deployed to 6 agencies. Agencies \n        that participated in Einstein 1 cited improved identification \n        of incidents and mitigation of attacks, but determining whether \n        the initiative is meeting its objectives will likely remain \n        difficult because DHS lacks performance measures that address \n        how agencies respond to alerts.\n---------------------------------------------------------------------------\n    \\9\\ GAO, Information Security: Concerted Effort Needed to \nConsolidate and Secure Internet Connections at Federal Agencies, GAO-\n10-237 (Washington, DC: Mar. 12, 2010).\n---------------------------------------------------------------------------\n  <bullet> Trusted Internet Connections (TIC) Initiative.--This is an \n        effort designed to optimize individual agency network services \n        through a common solution for the Federal Government. The \n        initiative is to facilitate the reduction of external \n        connections, including internet points of presence. We recently \n        reported \\10\\ that none of the 23 agencies we reviewed met all \n        of the requirements of the TIC initiative, and most agencies \n        experienced delays in their plans for reducing and \n        consolidating connections. 
However, most agencies reported that \n        they have made progress toward reducing and consolidating their \n        external connections and implementing security capabilities.\n---------------------------------------------------------------------------\n    \\10\\ GAO-10-237.\n---------------------------------------------------------------------------\nDHS Needs to Fully Satisfy Its Cybersecurity Responsibilities\n    Federal law and policy \\11\\ establish DHS as the focal point for \nefforts to protect our Nation\'s computer-reliant critical \ninfrastructures \\12\\--a responsibility known as cyber critical \ninfrastructure protection, or cyber CIP. We have reported since 2005 \nthat DHS has yet to fully satisfy its key responsibilities for \nprotecting these critical infrastructures. Our reports included \nrecommendations that are essential for DHS to address in order to fully \nimplement its responsibilities. We summarized these recommendations \ninto key areas listed in table 1.\n---------------------------------------------------------------------------\n    \\11\\ These include The Homeland Security Act of 2002, Homeland \nSecurity Presidential Directive--7, and the National Strategy to Secure \nCyberspace.\n    \\12\\ Critical infrastructures are systems and assets, whether \nphysical or virtual, so vital to the Nation that their incapacity or \ndestruction would have a debilitating impact on National security, \nNational economic security, National public health or safety, or any \ncombination of those matters. 
Federal policy established 18 critical \ninfrastructure sectors: Agriculture and food; banking and finance; \nchemical; commercial facilities; communications; critical \nmanufacturing; dams; defense industrial base; emergency services; \nenergy; Government facilities; information technology; National \nmonuments and icons; nuclear reactors, materials, and waste; postal and \nshipping; public health and health care; transportation systems; and \nwater.\n\n           TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO\n------------------------------------------------------------------------\n\n------------------------------------------------------------------------\n     Bolstering cyber analysis and warning capabilities.\n     Improving cybersecurity of infrastructure control systems.\n     Strengthening DHS\'s ability to help recover from Internet\n      disruptions.\n     Reducing organizational inefficiencies.\n     Completing actions identified during cyber exercises.\n     Developing sector-specific plans that fully address all of the\n      cyber-related criteria.\n     Securing internal information systems.\n------------------------------------------------------------------------\n     Source: GAO.\n\n    DHS has since developed and implemented certain capabilities to \nsatisfy aspects of its responsibilities, but the Department still has \nnot fully implemented our recommendations, and thus further action \nneeds to be taken to address these areas. For example, in July 2008, we \nreported \\13\\ that DHS\'s US-CERT did not fully address 15 key \nattributes of cyber analysis and warning capabilities related to: (1) \nMonitoring network activity to detect anomalies, (2) analyzing \ninformation and investigating anomalies to determine whether they are \nthreats, (3) warning appropriate officials with timely and actionable \nthreat and mitigation information, and (4) responding to the threat. 
\nFor example, US-CERT provided warnings by developing and distributing a \nwide array of notifications; however, these notifications were not \nconsistently actionable or timely. As a result, we recommended that the \nDepartment address shortfalls associated with the 15 attributes in \norder to fully establish a National cyber analysis and warning \ncapability as envisioned in the National strategy. DHS agreed in large \npart with our recommendations and has reported that it is taking steps \nto implement them.\n---------------------------------------------------------------------------\n    \\13\\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in \nEstablishing a Comprehensive National Capability, GAO-08-588 \n(Washington, DC: Jul. 31, 2008).\n---------------------------------------------------------------------------\n    Similarly, in September 2008, we reported that since conducting a \nmajor cyber attack exercise, called Cyber Storm, DHS had demonstrated \nprogress in addressing eight lessons it had learned from these \nefforts.\\14\\ However, its actions to address the lessons had not been \nfully implemented. Specifically, while it had completed 42 of the 66 \nactivities identified, the Department had identified 16 activities as \non-going and 7 as planned for the future.\\15\\ Consequently, we \nrecommended that DHS schedule and complete all of the corrective \nactivities identified in order to strengthen coordination between \npublic and private sector participants in response to significant cyber \nincidents. DHS concurred with our recommendation. Since that time, DHS \nhas continued to make progress in completing some identified activities \nbut has yet to do so for others.\n---------------------------------------------------------------------------\n    \\14\\ GAO, Critical Infrastructure Protection: DHS Needs To Fully \nAddress Lessons Learned from Its First Cyber Storm Exercise, GAO-08-825 \n(Washington, DC: Sept. 
9, 2008).\n    \\15\\ At that time, DHS reported that one other activity had been \ncompleted, but the Department was unable to provide evidence \ndemonstrating its completion.\n---------------------------------------------------------------------------\nImproving the National Cybersecurity Strategy\n    Because the threats to Federal information systems and critical \ninfrastructure have persisted and grown, efforts have recently been \nundertaken by the Executive branch to review the Nation\'s cybersecurity \nstrategy. In February 2009, President Obama directed the National \nSecurity Council and Homeland Security Council to conduct a \ncomprehensive review to assess the United States\' cybersecurity-related \npolicies and structures. The resulting report, Cyberspace Policy \nReview: Assuring a Trusted and Resilient Information and Communications \nInfrastructure, recommended, among other things, appointing an official \nin the White House to coordinate the Nation\'s cybersecurity policies \nand activities, creating a new National cybersecurity strategy, and \ndeveloping a framework for cyber research and development.\\16\\ In \nresponse to one of these actions, the President appointed a \ncybersecurity coordinator in December 2009. We recently initiated a \nreview to assess the progress made by the Executive branch in \nimplementing the report\'s recommendations.\n---------------------------------------------------------------------------\n    \\16\\ The White House, Cyberspace Policy Review: Assuring a Trusted \nand Resilient Information and Communications Infrastructure \n(Washington, DC: May 29, 2009).\n---------------------------------------------------------------------------\n    We also testified in March 2009 on needed improvements to the \nNation\'s cybersecurity strategy.\\17\\ In preparation for that testimony, \nwe obtained the views of experts (by means of panel discussions) on \ncritical aspects of the strategy, including areas for improvement. 
The \nexperts, who included former Federal officials, academics, and private \nsector executives, highlighted 12 key improvements that are, in their \nview, essential to improving the strategy and our National \ncybersecurity posture. The key strategy improvements identified by \ncybersecurity experts are listed in table 2.\n---------------------------------------------------------------------------\n    \\17\\ GAO, National Cybersecurity Strategy: Key Improvements Are \nNeeded to Strengthen the Nation\'s Posture, GAO-09-432T (Washington, DC: \nMar. 10, 2009).\n\n TABLE 2.--KEY STRATEGY IMPROVEMENTS IDENTIFIED BY CYBERSECURITY EXPERTS\n------------------------------------------------------------------------\n\n------------------------------------------------------------------------\n     Develop a National strategy that clearly articulates strategic\n      objectives, goals, and priorities.\n     Establish White House responsibility and accountability for\n      leading and overseeing National cybersecurity policy.\n     Establish a governance structure for strategy implementation.\n     Publicize and raise awareness about the seriousness of the\n      cybersecurity problem.\n     Create an accountable, operational cybersecurity organization.\n     Focus more actions on prioritizing assets, assessing\n      vulnerabilities, and reducing vulnerabilities than on developing\n      additional plans.\n     Bolster public-private partnerships through an improved value\n      proposition and use of incentives.\n     Focus greater attention on addressing the global aspects of\n      cyberspace.\n     Improve law enforcement efforts to address malicious activities\n      in cyberspace.\n     Place greater emphasis on cybersecurity research and development,\n      including consideration of how to better coordinate Government\n      and private sector efforts.\n     Increase the cadre of cybersecurity professionals.\n     Make the Federal Government a model for 
cybersecurity, including\n      using its acquisition function to enhance cybersecurity aspects\n      of products and services.\n------------------------------------------------------------------------\n     Source: GAO analysis of opinions solicited during expert panels.\n\n    These recommended improvements to the National strategy are in \nlarge part consistent with our previous reports and extensive research \nand experience in this area.\\18\\ Until they are addressed, our Nation\'s \nmost critical Federal and private sector cyber infrastructure remains at \nunnecessary risk of attack from our adversaries.\n---------------------------------------------------------------------------\n    \\18\\ We are currently conducting additional reviews related to \nthese improvements.\n---------------------------------------------------------------------------\n    In summary, the threats to Federal information systems are evolving \nand growing, and Federal systems are not sufficiently protected to \nconsistently thwart the threats. Unintended incidents and attacks from \nindividuals and groups with malicious intent have the potential to \ncause significant damage to the ability of agencies to effectively \nperform their missions, deliver services to constituents, and account \nfor their resources. To help in meeting these threats, opportunities \nexist to improve information security throughout the Federal \nGovernment. The prompt and effective implementation of the hundreds of \nrecommendations by us and by agency inspectors general to mitigate \ninformation security control deficiencies and fully implement agency-\nwide security programs would strengthen the protection of Federal \ninformation systems, as would efforts by DHS to develop better \ncapabilities to meet its responsibilities, and the implementation of \nrecommended improvements to the National cybersecurity strategy. 
Until \nagencies fully and effectively implement these recommendations, Federal \ninformation and systems will remain vulnerable.\n    Mr. Chairman, this completes my prepared statement. I would be \nhappy to answer any questions you or other Members of the committee \nhave at this time.\n\n    Chairman Thompson. Thank you very much for your testimony.\n    I now recognize Mr. Baker, to summarize his statement for 5 \nminutes.\n\n STATEMENT OF STEWART A. BAKER, PARTNER, STEPTOE & JOHNSON, LLP\n\n    Mr. Baker. Thank you, Chairman Thompson. It is a pleasure \nto be here, Ranking Member King, Members of the committee. As \nyou mentioned, Mr. Chairman, I have recently finished a book \nthat deals with this problem and I thought that might be useful \njust to point out that while two past Presidents have raised \nthis issue and concerns about security, we have never been able \nto talk about the risks in unclassified terms. But there was a \nstudy done, a completely unclassified study done of the Dalai \nLama\'s network and what happened to the Dalai Lama\'s network \nrecently that is completely unclassified and gives us a sense \nof just how urgent this problem was.\n    The Dalai Lama\'s network is actually very secure, it is \nwell run and currently administered, and they understand that \nthey are the subject of a lot of attacks. One person in that \norganization opened an e-mail from someone that they trusted. \nThey opened an attachment that had survived anti-virus \nscrutiny. That one click, opening that one attachment, gave \nattackers access first to this person\'s machine, they \ndownloaded information about that machine, uploaded \ncompromising equipment that allowed them to compromise that \nmachine and the network. 
When they were done, they were able to \nturn on the camera and watch that fellow at work, log every \nkeystroke, turn on his mic and listen to him, download from the \nnetwork all of the Dalai Lama\'s negotiating positions in the \ninternational negotiations.\n    These are things that are happening to us as well. Everyone \nin this room if they are of interest to a foreign power could \nhave that happen to them. Crooks are doing the same thing. They \nhave begun using these same tools to compromise electronic fund \ntransfer authorities that people have to steal hundreds of \nmillions of dollars from American businesses. This is really a \ncrisis.\n    On the question of what--whether DHS, as the Chairman says, \nhas what it needs, I think the answer is not yet. I think it is \nclear that this administration has taken the problem seriously, \nbut probably has not moved quickly enough to address all of the \nissues. This committee can help, as can the President, by \nmaking it quite clear that the authorities, that it is granting \nDHS the kind of authority that it needs to address these \nproblems. More authority would be particularly welcome.\n    Two last points that I would raise. First, the Senate bill \ndeals with a number of security issues and is a very good first \nstep towards solving some of the security problems that we \nhave.\n    The last point that I would make is simply the BP oil spill \nshows us how much damage a single company can do that the \ncompany cannot then redress. If we had known how bad things \nwere, how many corners were being cut in the industry before \nthat oil spill, we would have demanded action on the part of \nindustry as well as the Government. Well, we do know that we \nface exactly that kind of crisis in the context of \ncybersecurity. We are going to have a meltdown of our critical \nand National infrastructure, and now is the time to begin \nraising the standards.\n    Thank you.\n    [The statement of Mr. 
Baker follows:]\n\n                 Prepared Statement of Stewart A. Baker\n                             June 16, 2010\n\n    Chairman Thompson, Ranking Member King, Members of the committee, \nit is a pleasure to appear before you again on a topic of such \nimportance. I am Stewart Baker, formerly the Assistant Secretary for \nPolicy at the Department of Homeland Security, and I am speaking for \nmyself.\n    I was responsible for cybersecurity policy while at DHS, and since \nleaving the Department, I have been practicing law and writing a book \non, among other things, the risks posed by computer insecurity. I\'m \ncelebrating the release of the book today by attending this hearing, \nand I\'m happy to share some of what I learned with you today. (Chapters \nof the book itself are also being made available for free on-line at \nwww.skatingonstilts.com.)\n    The first and most important thing to know about the cybersecurity \ncrisis is that you no longer need a clearance to understand how bad \nthings are. For a decade or more, Presidents told us that we faced such \na crisis, but they were never able to provide much detail. The crisis \nwas classified. As a result, Americans didn\'t pay much attention, and \nthey certainly weren\'t galvanized to action.\n    Thanks to a group of security researchers in Canada and elsewhere, \nthough, we now have a good, unclassified analysis of what a cyberattack \nlooks like. It is not pretty. And it is certainly not reassuring. If \nanything should stir the country to action on cybersecurity, it is the \nstory of what was done to the Dalai Lama\'s computer network.\n    The Dalai Lama and his office have been using the internet since \nthe 1990s. His network administrators understand security risks, and \nthey\'ve been careful about computer security for years. They\'ve \nimplemented the standard defenses against network attacks.\n    But even so, they kept getting signals that their communications \nhad been compromised. 
So they called in a team of computer security \nexperts.\n    What the experts found was deeply troubling, and not just for the \nDalai Lama.\n    Some of the Dalai Lama\'s staff participate in internet forums. They \nchat with other, like-minded individuals about the Dalai Lama\'s goals \nand activities. Sometimes one of their online acquaintances sends them \nWord or .PDF documents relevant to those activities.\n    No surprises there. Most of us have done most of those things.\n    But the experts concluded that hackers had monitored these forums \nand then forged an email from a forum participant to a member of the \nDalai Lama\'s staff. Attached to the email was a document of mutual \ninterest. When the staff member opened the document, he also activated \na piece of malware packed with it. While the staff member was reading \nthe document, the malware installed itself in the background.\n    The malware was cleverly designed; two-thirds of commercial \nantivirus software programs would have missed it. (Hackers often \nsubscribe to antivirus software so they can test their malware against \nit at leisure.) Even if one attachment were stopped, it was a simple \nmatter to retransmit the message using a different bit of malware; the \nattackers could keep trying until something got through.\n    Once installed, the malware would ``phone home,\'\' uploading \ninformation about the victim\'s computer and files to a control server \noperated by the hackers.\n    Next, the captured computer would download more malware to install \non the staff member\'s machine. This was often a complete administrative \nprogram that would allow the attackers to completely control the \nstaffer\'s computer, and in some cases the entire network.\n    The administrative malware took full advantage of today\'s \ntechnology. 
It featured a graphic interface with dropdown menus \noffering even an unsophisticated attacker a wide variety of options.\n    Want to record every keystroke as the user types so you can steal \nall his passwords? Check one of the options on the menu.\n    Want to turn on the user\'s microphone, turning it into a bug so you \ncan listen to the office conversations? Check another box.\n    Want video straight from the user\'s desktop camera? That\'s just \nanother option on the menu.\n    In the end, the Dalai Lama\'s office was living a version of \nOrwell\'s 1984. Telescreens in each room spied on the occupants. But in \nthis version of 1984, Big Brother didn\'t even have to pay for this spy \nequipment. It had been purchased and installed by the victims.\n    Once the hackers had compromised a single computer on the network, \nit wasn\'t hard to compromise more. Every time an infected computer sent \na document by email, malware could be attached to the file. The \nrecipient couldn\'t possibly be suspicious; the email and attachment \nwere exactly what he expected to receive from his colleague, and it had \nbeen reviewed by an antivirus program. He opened the document. The \nmalware installed itself in the background. The cycle began again. It \nwas an entire network of surveillance, dubbed Ghostnet by the security \nteam.\n    Ghostnet has lessons for all of us, including Members of this \ncommittee. Do you rely on standard commercial antivirus software to \nscan attachments? Do you open documents sent by people you\'ve \nencountered on-line? How about documents from sources, contributors, or \nconstituents? How about colleagues, coworkers, and staff? Of course, \nyou do. So do I. 
And that means that most of us are no more able to
defend ourselves from this attack than the Dalai Lama was.
    That means we have no guarantee that foreign governments have not
penetrated our home or even our office computer networks in the same
way as the Dalai Lama's, no guarantee that they are not monitoring our
every keystroke on-line.
    Indeed, when I talk to computer security experts about how to
defend against intrusions, they usually tell me to assume that the
intrusions have happened before and will happen again. Because there's
no way to stop them. At best, you might be able to catch the intruders
when they try to steal your data. But you can't count on that, either.
    Now that we understand the scope of the problem, what are we doing
about it?
    So far, not much. That's not a recent development, either.
President Clinton cautioned a decade ago, in January 1999, that, ``We
must be ready--ready if our adversaries try to use computers to disable
power grids, banking, communications and transportation networks,
police, fire, and health services--or military assets.'' A year later
he proposed a series of measures to address the security problem.
    Two years later, President George W. Bush created a special adviser
on cybersecurity who spent a year developing a computer security
strategy.
    Neither effort made much headway. The public didn't see the
problem. The network attacks that alarmed official Washington were
classified. Officials couldn't talk about them.
    Meanwhile, privacy and business interests worked overtime to
persuade the public that National security concerns were overwrought.
The real risk was Government monitoring and Government regulation, they
insisted.
    And that, by and large, was the view that prevailed--twice, and
under two Presidents.
Nothing was done about computer security that
anyone in the privacy or business lobbies might object to.
    In 2009, President Obama became the third President who promised to
make computer security a top priority. Shortly after taking office, the
Obama administration produced a security strategy. Once again, though,
the strategy lacked punch. It failed to call for any action that could
possibly irritate business or privacy groups.
    Since then, the President has belatedly appointed an experienced
security professional to the National Security Council. DHS has begun
hiring a large number of security professionals, and it is rolling out
the least controversial incarnations of the Government's intrusion
detection system, called Einstein. But the administration has shown no
sense of urgency in addressing the massive problems we face, especially
in the private sector, where most of our critical infrastructure can be
found.
    That's why I'm pleased to be able to say that the Senate Homeland
Security Committee has risen to the challenge. It recently offered a
bipartisan and comprehensive bill that would address the problem in a
responsible fashion. Senators Joe Lieberman (I-Connecticut), Susan
Collins (R-Maine), and Tom Carper (D-Delaware) have introduced a bill
that offers a real opportunity to improve the Nation's cybersecurity.
    I'm going to set aside the ``boxology'' imposed by the act--a new
White House Office for Cybersecurity Policy headed by a
Senate-confirmed director, and a new freestanding security office (the
NCCC) at DHS, which would include the existing U.S. Computer Emergency
Response Team (US-CERT) and would be responsible for detecting,
preventing, analyzing, and warning of attacks. This office too would be
headed by a political appointee who would be Senate-confirmed and would
report directly to the Secretary of Homeland Security.
If that were all
the bill did, it would not add greatly to our security.
    The real substance of the bill lies in the requirements it would
impose on those critical infrastructures selected by the Secretary for
coverage. (``Critical infrastructure'' is defined by statute as
``systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those
matters.'')
    First, the NCCC would, in coordination with the private sector,
identify cyber vulnerabilities in covered infrastructures, and submit
the findings to Congress. After consulting with the private sector, the
NCCC would then issue regulations creating ``risk-based'' security
performance requirements for covered infrastructures. Owners and
operators of the infrastructures would then select the specific
security measures they will implement to satisfy the security
performance requirement, and submit a compliance plan to the NCCC.
Owners and operators would have the flexibility to implement any
security measures that the Director determines would satisfy the
security performance requirements. But, they would have to certify that
they are in compliance, and would be subject to penalties if an audit
by the NCCC determines that they are not. Those companies that meet the
requirements would obtain some protection from liability, including
immunity from punitive damages and limits on non-economic damages.
    Second, critical infrastructure companies would be required to
report to the NCCC ``any incident affecting [their] information
infrastructure . . .
to the extent the incident might indicate an
actual or potential cyber vulnerability, or exploitation of a cyber
vulnerability.'' (``Information infrastructure'' means the ``underlying
framework that information systems and assets rely on to process,
transmit, receive, or store information electronically, including
programmable electronic devices and communications networks and any
associated hardware, software, or data.'') This requirement would sweep
far more broadly than the data breach notification rules that presently
exist at the State level, since it would include ``any incident'' that
indicates even a ``potential cyber vulnerability.'' But information
shared with the NCCC would be protected from public disclosure.
    Third, the bill would authorize the President to declare a National
cyber emergency, which would then trigger the issuance by the NCCC of
specific emergency measures to protect the continuing operations of
critical infrastructure. Those measures would expire after 30 days
unless the President or NCCC Director extended them. The emergency
measures would have to be the ``least disruptive'' means necessary, and
could not be used to avoid the requirements of the rules for
intercepting phone calls or emails for law enforcement or intelligence
purposes. Owners of covered critical infrastructures would have to
comply with the emergency measures unless the NCCC approved alternative
measures suggested by the infrastructures. Those owners that comply
would be immune from civil suit in some instances, or would be
protected from punitive damages and damages for non-economic harm in
others.
    I have no doubt that this bill will prove controversial. Privacy
groups will tell us that the Government can't be trusted with any
authority over the computer networks on which we depend. Business
groups will tell us that Government regulation will raise costs and
stifle innovation.
I have no doubt that the proposed legislation will
need to be modified as it makes its way through Congress. But I
strongly urge this committee to give it careful consideration.
    Today, we have a new, and troubling, example of what can happen if
Government fails to take responsibility early for avoiding a serious
risk.
    As I speak, oil has been escaping from BP's Deepwater Horizon spill
for nearly 2 months. As the spill shows, private companies are quite
capable of setting the stage for catastrophes well beyond their ability
to remedy. We properly expect the Government to regulate companies to
address risks that can't be internalized by the companies taking the
risks. And when disaster strikes despite those efforts, we expect the
President to have the authority to respond. The Government is paying
the price today for the actions it didn't take in the months and years
before the blowout.
    The same thing will be true, in spades, if another country launches
a computer network attack on U.S. infrastructure. Do we want the
Government to look as helpless in response to such an attack as it
looks today in response to the BP spill?
    Bad as the spill is, the country still has electric power, working
phones, and a banking system. If we are attacked, we can't count on any
of those things. But without something like the Senate bill, the
President will be even more helpless to respond to the attack than he
has been to respond to the oil spill.
    Put simply, the country can't afford a disaster on that scale. And
neither can its leaders.

    Chairman Thompson. Thank you very much. I am not certain
when the book signing will be, Mr. Baker, but I am sure we will
hear from you. Thank you very much. Let me thank our witnesses
for their testimony, and we will now start with our
questioning. I will begin.
    Mr.
Schaffer, can you tell the committee your guesstimate
of how many times our systems are hacked on a daily basis, if
you know?
    Mr. Schaffer. Sir, I couldn't give you an estimate of how
many times our systems are hacked on a daily basis. I can tell
you that our systems, like most of the internet, are under a
constant barrage of attacks from a variety of known actors,
ranging from basic criminals, sophisticated criminals to
nation-state actors. So there is a wide range of attackers out
there taking advantage of the vulnerabilities that are in the
infrastructure. The Federal Government, like all others who
leverage that infrastructure, is subject to attacks.
    Chairman Thompson. To what extent are we able to deter
those attacks?
    Mr. Schaffer. I think that we are making progress towards
deterring those attacks on a regular basis through the various
programs like EINSTEIN and the Trusted Internet Connection,
reduction of our connections to the open internet through
deploying intrusion capabilities that allow us to have
situational awareness and that give warnings of mitigation to
the departments and agencies.
    Chairman Thompson. Ten percent, 20 percent, 30 percent?
    Mr. Schaffer. Sir, I wouldn't venture to guess the
percentage because until you know the entire attack surface, it
is hard to know what we are----
    Chairman Thompson. So we don't know?
    Mr. Schaffer. I would say we don't know the full extent of
what is being blocked, no.
    Chairman Thompson. Mr. Skinner, do you have any information
on that?
    Mr. Skinner. No, Mr. Chairman, I do not. One of the things
that we did identify during our audit, there are big gaps out
there. We are only monitoring through EINSTEIN those 21
agencies. Those that are not signed into, we cannot adequately
monitor, so that there is no way to see what is going on with
these other agencies.
    Chairman Thompson. Thank you. Mr.
Schaffer, since we
monitor those 21, can you give us the statistics on those?
    Mr. Schaffer. Sir, what we have deployed today--we are
deployed to and operational at with the EINSTEIN 2
technology----
    Chairman Thompson. Have we deployed EINSTEIN 2?
    Mr. Schaffer. We have deployed EINSTEIN 2 to 11 of 19
agencies that it is currently planned for, yes.
    Chairman Thompson. So we couldn't do it with EINSTEIN 1?
    Mr. Schaffer. EINSTEIN 1 was a flow monitor. It allows us
to see the traffic moving through and then we would do analysis
on the traffic.
    Chairman Thompson. Give me what EINSTEIN 2 has provided.
    Mr. Schaffer. EINSTEIN 2 is showing us about 278,000
indications of potential malicious activity at the perimeter of
our networks on a monthly basis today with the deployments that
we have. That doesn't mean that all of those attacks were
successful. It simply means that there are indications of
malicious activity 278,000 times in an average month.
    Chairman Thompson. Okay. In the event of a cyber attack to
our system, who is in charge?
    Mr. Schaffer. Sir, in the event of a cyber attack on our
civilian networks, our Executive branch civilian networks, DHS
has the lead to manage that response. The various departments
and agencies, including the Department of Defense, the NSA,
various others, would all be involved and engaged depending on
what the nature of the attack looked like, where the attackers
were focusing their energies and what was needed in order to
execute on the response.
    Chairman Thompson. So Mr. Wilshusen, can you provide any
more information on the question of who is in charge based on
your review?
    Mr. Wilshusen. I think that is one of the challenges that
needs to be addressed, is who is actually in charge. With the
White House Cybersecurity Coordinator in place now, what is his
role relative to those at DHS?
I think that is certainly a
valid challenge that still remains to be addressed.
    Chairman Thompson. So is it we are not quite sure who is in
charge or what? Mr. Wilshusen.
    Mr. Wilshusen. I think that is the case, yes.
    Chairman Thompson. Mr. Skinner, with respect to the
overreliance on outside contractors to staff this operation, do
you see that as a vulnerability for that Department?
    Mr. Skinner. I believe what we should be doing is in fact
inherently governmental; we should be using our own employees.
Right now that is the only alternative we have. It is better to
have cleared contractors than to have no one. The contractors
have been very, very useful in filling the gap until we can
fill up our resources.
    Chairman Thompson. Mr. Schaffer, at what point do you
think, given the goodness of Congress to provide authority for
significant staffing of your operation, that you can complete
that mission?
    Mr. Schaffer. Mr. Chairman, we have been staffing up within
the National Cybersecurity Division significantly and in
particular at US-CERT. At the start of fiscal year 2009 we had
16 people at US-CERT. At the start of 2010, we had 31. Today we
have 55. We have another 25 in the pipeline going through
security that have been offered jobs. So by the end of the year
for US-CERT, we anticipate that we would have about 80 Federal
staff in place.
    Chairman Thompson. So by the end of the year you will have
80 people. How long did it take you to hire 80 people?
    Mr. Schaffer. Again, the ramp-up has been fairly steep,
sir. But we went from 16 at the start of fiscal year 2009 to
hopefully 80 at the end of fiscal year 2010.
    Chairman Thompson. So in 2 years you hope to hire 80
people?
    Mr. Schaffer. Sir, the type of people that we need to hire,
as mentioned by some of the gentlemen to my left, are not
easily found.
The skill sets that we are looking for are very
specific and very high level of skill and capability in
cybersecurity, and they are sought after by every department and
agency that is trying to implement their program, by the
private sector players who are anxious to ensure that their
systems are correctly defended. These are the type of people
that we are looking for that are in very high demand, and we are
looking for the right ones in order to fulfill the mission.
    Chairman Thompson. Thank you. I yield to the Ranking
Member.
    Mr. King. Thank you, Mr. Chairman. This is sort of a
follow-up to the Chairman's line of questioning.
    Mr. Schaffer, if a sophisticated cyber attack were launched
today or tomorrow against the financial systems, banks, New
York Stock Exchange, who coordinates the Federal response and
whose authorities are triggered?
    Mr. Schaffer. Again, I think that it is clear that
ultimately the White House is responsible for coordination and
the coordinator, Howard Schmidt, has that ultimate
responsibility. Within the interagency, there are lanes where
different agencies would have responsibility, lead
responsibility for the defense of the networks and for the
dot-com space. With the financial services industry, I believe DHS
has the lead. We are in the process of building out a National
Cyber Incident Response Plan, and that plan will more clearly
define the roles and responsibilities of the different
departments and agencies, how DOD, DOJ, DHS and others will
participate and play their various roles. That plan is being
developed as an interagency process as well as in cooperation
with the private sector entities that would have to play a
large role because they own so much of the infrastructure and
will have to provide so much of the support in a major
incident.
    Mr. King.
That doesn't make me confident, though, that if
we were attacked tomorrow everyone would know how to respond.
It seems like you are still trying to work your way through
that.
    Mr. Schaffer. We are certainly in the process of finalizing
the National Cyber Incident Response Plan. Until that is
finalized and moved through the interagency process, there will
be some questions. But we are in the process of trying to get
to clarity there.
    Mr. King. Does anyone else wish to comment on the immediacy
of that threat as to what would happen if we were attacked
tomorrow? Stewart.
    Mr. Baker. There is no doubt that we are not prepared to
address a major cyber attack today. I don't want to
overemphasize the importance of sorting out all of the lanes in
the road because in a crisis the President will take charge, he
will own this. It won't be Howard Schmidt, it will be the
President who has to make sure that this problem is solved. I
believe that rather than focusing too much on which box goes
where or who has what authority, the important thing is to make
sure that the resources are there, that there is bipartisan
support for hiring people quickly to address these problems,
and that we find much better ways to work with the private
sector, which I think at this point has no clue who would be
their contact point or what their responsibilities would be.
That is something that I think the Senate bill does a good job
of starting to address.
    Mr. King. Let me ask you that then, about the
Lieberman-Collins bill. What are the greatest advantages offered by
the legislation?
    Mr. Baker.
I think first it responds to the need to deal
with the fact that the risks are principally in the private
sector and much of the infrastructure is in private sector
hands, and yet a desire to avoid heavy-handed regulation by
saying we are going to pick out the most critical
infrastructure, we are going to impose performance requirements
on the critical infrastructure and make sure they can meet
certain standards any way they want, and then requires a
reporting of incidents that raise questions about whether the
infrastructure will actually function, and an ability in an
emergency for the President to say this is what has to happen
first, this is what has to happen second, and to make sure that
the private sector responds. An authority that clearly, when you
look at things like the financial meltdown or the BP oil spill,
the President has to have and he doesn't really have in this
area.
    Mr. King. In your testimony, Mr. Baker, you talk about the
lack of a sense of urgency in addressing the massive problems
with cybersecurity. How can we best address this lack of
urgency? How do we get this out to the departments, to the
people, to the society as a whole?
    Mr. Baker. Clearly the President needs to own this and to
move forward with a number of the issues that really have been
hanging fire since the beginning of the administration. I don't
say that this President is alone in not having solved the
problem. Two other Presidents have said this is a crisis, we
need to address it, and have not fully addressed it. But he
clearly needs to make it a priority for every part of
Government to address this problem.
    Congress can do the same by strengthening DHS's
authorities. We need to make it clear to industry that this is
our top priority because the next time we get into a serious
international conflict, we could lose large parts of our cyber
infrastructure to attackers.
    Mr. King. Thank you.
I thought you were going to suggest
that everybody read your book. But in any event, I yield back.
    Thank you.
    Chairman Thompson. The Chairman now recognizes the
gentlelady from California, Ms. Lofgren, for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman. Thanks for having
this hearing. I think it is very important, and I hope that we
will have other opportunities in addition to this one to review
these matters. I was happy to read the IG's report and I think
there are some useful suggestions in there. I was actually
disappointed, I did not realize that US-CERT did not have
automated correlation tools. That is something that ought to be
remedied pretty promptly.
    But I want to get into the capacity issue. There has been a
discussion that the U.S. Government authority, DHS or OMB I
guess for that matter, ought to have more authority, and it
seems to me without more capacity, we are not in a very good
position to be asking for more authority.
    I am not as troubled by the idea of having contractors on
board provided that they are adequately directed and supervised
for this reason. I see the kids walking over the line to
graduate with their Ph.D.s in computer science at Stanford, and
I don't know that we are going to succeed in getting those
young people to apply for a Federal job, but we need them. We
are going to have to pay them a lot of money, more than the GS
scale provides. Even then we will be lucky to get some of them.
So provided that we are using contractors to really attract
people that are in that competitive league, I would personally
encourage that we do so and promptly. Not that those young
people necessarily have the managerial skills that are
necessary to organize the responses, but the technical skills
cannot be replicated by someone who is 5 or 6 years out from
the academic studies, in my opinion.
    So you can comment if you want on that.
I also wanted to
comment on where we are vis-a-vis the critical infrastructure.
I am mindful that it really has been many years since we have
had somebody in the White House with expertise on cyber, and I
was glad to see that the President appointed Howard Schmidt,
who has a background, who is an old hand. But the thing is he
can't do the operations. He is looking to the civilian sector I
hope in DHS, which I think is better suited theoretically than
OMB. What I do want is to have sufficient capacity in DHS so
that we don't end up with the NSA running this program. Because
if you look at the entire panoply of expertise that resides in
the Federal Government, you would have to say they have
probably the most to offer today in terms of just raw
expertise.
    So what is the strategy to get the talented people we need
as soon as possible? Are we paying enough? I come from Silicon
Valley. Hiring, it has woken up. All the big companies are
hiring now. The economy is coming, so we are about to have an
even more competitive job market. Now is the time to grab those
young people.
    Mr. Schaffer. Congresswoman, I think that there is no
question that we are trying to execute expeditiously to hire as
many people as we are authorized to have within the program.
Indeed, we expect within NCSD, and I think you have to look at
all of NCSD, not just US-CERT, to realize all of the programs
and execute well, not just US-CERT with the situational
awareness and the dissemination of information, but also the
programs designed to go into the departments and agencies and
make repairs, as well as the programs designed to get
information out to the critical infrastructure players and
assist them in dealing with incidents and being prepared for
incidents. So in NCSD, the numbers there are significant as
well. We went from 35 on staff in 2009 to 118 in--beginning of
2010 to about 193 today with 46----
    Ms. Lofgren.
Could I ask you, since our time is limited?
Could you follow up--you don't need to give me the names--but
the individuals and kind of their profile, where did they get
their Ph.D., what year did they get their Ph.D., just so I can
have a sense of the personnel that has been selected?
    Mr. Schaffer. We can certainly get that.
    Ms. Lofgren. I would appreciate that. I just want to say
that I think we are so far behind where we need to be, really a
decade of serious neglect honestly, that I am worried. It is
not because of whether there will be cyber attacks. There are
right now and there will be more.
    I continue to be concerned not only about our lack of
preparation internally within the Government, but the
coordination between critical infrastructure that is held for
the most part outside the Federal Government, either by private
sectors or in some cases non-Federal public sectors, in energy
development, energy transmission, water storage, water
movement, financial sectors and the like.
    I don't think that they are as prepared--certainly the IT
sector is all over this, but that doesn't mean that the non-IT
sector has taken even minimally adequate steps. We have to do
much more with those critical infrastructure sectors, and I
don't think that we are really ready yet. I would like to see,
Mr. Chairman, if in 6 months' time or 4 months' time we could
have a better plan, maybe everyone in a workshop or closed
session on where the benchmarks are, how we are getting there
in terms of these major critical infrastructure sectors.
    I know my time is up. I thank you for your indulgence, Mr.
Chairman.
    Chairman Thompson. Thank you very much. I look forward to
making sure that information is provided. Also, Mr. Schaffer,
staff met with you on June 9 and there was some information
requested at that meeting that is yet to be provided.
So we
need to remind you to pick out where it is in the system and
get it to them.
    Mr. Schaffer. Mr. Chairman, I know that is underway.
    Chairman Thompson. Thank you. The gentleman from Texas, Mr.
McCaul, for 5 minutes.
    Mr. McCaul. Thank you, Mr. Chairman. In my judgment, this
is probably one of the most serious National security threats
we have today. Because everything is tied to the networks. We
know there have been massive intrusions into the Federal
networks. We know that espionage is taking place. If foreign
agents were to cull paper files leaving the Pentagon, it would
be on the front page of the Washington Post, and yet I think
that is happening in the virtual world and no one is talking
about it. The cyber warfare capability is growing every day.
There was a denial-of-service attack last 4th of July. Imagine
a stronger denial-of-service attack that hit the United States
and shut power grids and energy sectors.
    We held hearings last Congress on this issue, then Chairman
Langevin and I, and we asked a question of: Who is in charge?
Nobody seemed to know the answer to that question. Since that
time it is a little more, I think, clarified that DHS has a
responsibility to defend the Nation from cyber attacks. We have
tremendous offensive capability, but I am afraid our defensive
capability is lacking. That is the weakness and sense of
vulnerability. I think that is where we need to be
strengthening our National asset, as the Chairman referred to.
This is for--actually Mr. Schaffer and Mr. Skinner, the
coordination with DHS and the other organizations. We have NSA,
DOD that are very good at the offensive capability, but they
are not working, in my view, adequately enough with DHS to
better prepare and defend this Nation.
    Can you comment on that?
    Mr. Schaffer. Thank you, Congressman.
Actually, our
relationship and cooperation with NSA is fairly extensive and
quite productive. They support our mission in a variety of ways
with technical assistance on various programs. The EINSTEIN
program in particular, where we are currently conducting an
exercise on new EINSTEIN 3 intrusion prevention capabilities,
is supported by assistance from NSA. We work with DOD on a
variety of initiatives in order to execute well and leverage
the information that they can bring to bear on the commercial
side and for the civilian branch departments and agencies in
the dot-gov space.
    So our goal is to bring all of the resources of the Federal
enterprise to the fight to defend the networks. I think the
problem for all of us today is that defense loses in cyber too
much of the time because the ecosystem was not designed and
built from the beginning to be a good place to defend yourself.
So offense has the advantage, and until we change that we will
continue to have some challenges. But I think we are working
very hard across the interagency and in cooperation with both
the White House and our partners at DOD to try to bring all of
the resources to the fight.
    Mr. McCaul. That is good to hear. We worked with CSIS to
issue a report to the President, recommendations that in terms
of this coordination role that this be coordinated from the
White House, had to be elevated to the White House level. A
Cyber Coordinator position had to be created. That has been
done. Howard Schmidt is the cyber coordinator. I am concerned
that his requisite authorities are not strong enough to carry
out that mission and that responsibility.
    Mr. Skinner, I know in your report you talk about the White
House responsibility for leading and overseeing a National
cybersecurity policy.
Chairman Langevin and I introduced a bill
to make this cyber coordinator position a Senate-confirmed
position with an Office of Cyberspace and the requisite budget
authority to give them the authorities necessary to carry out
the coordination mission. Do you have any comments or thoughts
on that?
    Mr. Skinner. We did not look at the authorities or the
responsibilities of the White House per se. What we were
focusing on is the authorities within US-CERT and how they can
compel their partners, their stakeholders, and the Federal
agencies to comply with or provide assurances that they are
addressing or reacting to recommendations and guidance provided
by DHS, and we just focused on that one particular issue.
    Mr. McCaul. I just think that needs to be strengthened in
my judgment.
    Last point, my time is running out. Private sector
coordination. We have the Information Sharing and Analysis
Centers, the ISACs. Can you tell me, Mr. Schaffer, how that has
improved, if it has?
    Mr. Schaffer. The Department, of course, is leveraging the
ISACs as well as all of the NIPP structure, the 18 sectors and
their sector coordinating councils, to execute well in terms of
getting information out to the private sector. I think with the
MS-ISAC and the IT-ISAC, the financial services ISAC, we have
various projects on-going to expand our connectivity to those
organizations.
So for the financial sector, for example, you
have an on-going pilot where we are using DOD information, DHS
information, and the financial services industry information,
bringing that together in a way that anonymizes the private
sector data so that they are more willing to bring the
information forward so that that can be shared among those
organizations, operationally improving all of our security
posture.
    So we have got some projects, I think, that really do
leverage those ISACs and take advantage of what they can bring
to the fight.
    Mr. McCaul. Thank you very much. I see my time has expired.
    Chairman Thompson. Thank you. The gentleman from Missouri
for 5 minutes, Mr. Cleaver.
    Mr. Cleaver. Thank you, Mr. Chairman. Yesterday our
subcommittee of this committee dealt with the Office of
Disability Integration and Coordination and I was concerned
there that they had insufficient funding to do the job they
were commissioned to do. I find myself today equally concerned
about and frustrated over the fact that the GAO believes the
staffing is not sufficient to fulfill this Herculean mission
you have, Mr. Schaffer. If we have 98 positions authorized and
we have only filled 38 of those positions, it means that we are
fighting a cyberspace war with only half our troops. I would
like to know what the problem is in filling all of the
positions and doing so quickly.
    Mr. Schaffer. Thank you, Congressman. I think that today we
are at 55. So we have made some progress since when the report
being referenced was issued. We have 25 more in the pipeline
which will get us to about 80 by the end of the fiscal year.
The challenge is in identifying the right people and getting
them to accept positions and to come on board here with us to
move things forward.
Again, it is a space where there are a \nlimited number of resources that really can fulfill the \nmission, go through the security clearance process, and be able \nto staff us the way we need to be staffed.\n    We augment those positions with contractors. Right now US-\nCERT is leveraging about 230 contract staff. The process of \nramping up in this space is challenging and we are doing \neverything that we can to aggressively hire. We will reach our \nfull complement within all of NCSD in terms of the authorized \npositions we think by the end of the year. So we are doing \neverything we can to be aggressive about getting the positions \nfilled.\n    Mr. Cleaver. That is refreshing to hear because if \nsomething should happen, we get beat up twice. We have the \nincident and then the pain of we weren\'t paying attention, we \ndidn\'t have the sufficient staff to deal with the problem.\n    Let me skip down. I represent Kansas City, Missouri, and an \narea around it. Kansas City is the second-largest freight rail \ncenter in the Nation. As freight rail companies turn more to \ninternet to control its signals and dispatching, it also means \nthat they become more and more vulnerable to cyber threats.\n    Is there something being done with regard to the private \nsector in this battle that we find ourselves fighting? If so, \nwhat can we do to enhance it? What can this committee do to \nenhance that relationship and coordination?\n    Mr. Schaffer. Yes, sir. That area is indeed one of our \nprimary areas of focus at the Department. The control system, \nthe industrial control system security is paramountly important \nbecause, as you point out, connectivity to the internet of \nthose systems is increasing. So we have done several things. We \nstood up this year, last year the ICS, the Industrial Control \nSystem Computer Emergency Response Team. That team provides \nassistance to the private sector. 
We have trained 14,000 \nindividuals in industrial control vulnerability and defense. We \nare putting out teams to do a vulnerability assessment and to \nassist the private sector in understanding what their \nparticular system might be vulnerable to and how to implement \nmitigation strategies.\n    We have flyaway teams that are capable of going out during \nan incident to assist a private sector entity with a problem so \nthat it doesn\'t involve a breakdown of the control systems, a \npower grid going out or water system failing and such.\n    We are working hard to put out best practices and \ninformation so that the private sector has the best thinking \nfrom the Government around how to defend these systems. We hope \nto get in front of the problem as more and more of these \nindustrial controls are attached and leveraging the IP-based \nnetworks that the IT systems have long been attached to. So we \nsee that as a primary area to focus attention on, and we are \ndoing a lot to try to expand in that space.\n    Mr. Cleaver. Thank you, Mr. Chairman.\n    Chairman Thompson. Thank you very much. The Chairman now \nrecognizes the gentleman from Texas, Mr. Smith, for 5 minutes.\n    Mr. Smith. Thank you, Mr. Chairman. Mr. Wilshusen, first \nquestion to you, and that is I believe it was March 2009 when \nyou made your recommendations to Department of Homeland \nSecurity. That is about 15 months ago. What percentage of your \nrecommendations have been implemented to date?\n    Mr. Wilshusen. Are you referring to the National strategy?\n    Mr. Smith. Yes.\n    Mr. Wilshusen. That is one thing we are still following up \non in terms of the recommendations DHS is making some progress \nwith----\n    Mr. Smith. I know they are making some progress and I have \nheard today they have a ways to go. I am asking you though what \npercentage of that strategy have they actually implemented now, \n15 months later?\n    Mr. Wilshusen. 
Well, of the National strategy, not all of \nthe issues would actually pertain to DHS.\n    Mr. Smith. Okay. Of the ones that pertain to DHS.\n    Mr. Wilshusen. That I would have to get back to you in \nterms of the very specific numbers on those.\n    Mr. Smith. I am not asking for a specific number, I am just \nasking for a guesstimate.\n    Mr. Wilshusen. I would say at present it is probably about \n30 to 40 percent.\n    Mr. Smith. Thirty to 40 percent after 15 months? Okay. \nThank you for that response.\n    Mr. Baker, how would you compare the private to the Federal \nGovernment as far as its ability to deter cyber attacks?\n    Mr. Baker. Parts of the private sector are clearly well \nahead of the Federal Government. Financial institutions have \nstronger systems in place. They have since for about 5 or 8 \nyears been actively monitoring every packet that comes in and \nrejecting any packet that appears to be malware using very \nsophisticated signatures. We are barely at the point of getting \nabout half of our institutions to monitor what is coming in, \nwhich only tells them that they have been screwed. It doesn\'t \ntell them that they are protected. So we have got--we are \ntalking about installing systems that monitor the malware as it \ncomes in. Prevention, actually rejecting them, is going to wait \nstill for many agencies for months or years, and a lot of that \nis hung up in lawyers, you know, wringing their hands about \nwhether they can really implement those programs.\n    Mr. Smith. Private sector ahead. Thank you.\n    Let me address my next question to you, Mr. Skinner and Mr. \nWilshusen and Mr. Baker, and it is this. All you have said in \none way or another that the Federal Government, the \nadministration has been slow in implementing or taking the \nnecessary steps to protect the Federal Government against cyber \nattacks.\n    What are the consequences of this continued vulnerability \nto the country? Mr. Skinner.\n    Mr. Skinner. 
If I may begin, it definitely puts us at risk. \nWe have to understand why this was not a top priority within \nthe Department. One, we were new, established in 2002, 2003.\n    Second, we had to establish priorities, and there was only \nso many resources that can go around. We focused, the \nDepartment focused its attention on border security and air \nsecurity. As we matured in those areas, then we turned, the \nDepartment turned its attention to cybersecurity.\n    Unfortunately, the train has left the station. We are now \nchasing the problem as opposed to being ahead of the problem. \nWe have a long way to go. But at least we recognize that we \nhave a serious problem here, a serious threat here that needs \nto be controlled, and that is where we are headed right now.\n    Mr. Smith. Thank you. Mr. Wilshusen.\n    Mr. Wilshusen. I think the risk is very significant to \nFederal systems as well as to critical infrastructure that is \ncyber-based. We have reported on a number of occasions on \nincidents that have occurred and the resulting effect of that \nwhich resulted in at some points personally identifiable \ninformation being disclosed to unauthorized individuals, to \nvast amounts of information related to various different \nsecurity programs being exfiltrated out to their organizations \nand individuals. So the risk is very real and significant to \nthe Federal Government.\n    Mr. Smith. Thank you. Mr. Baker, I am going to go to my \nlast question because I only have a short period of time left, \nbut I do address it to all three of you all. Mr. Skinner and \nMr. Wilshusen, you have just said that we are at risk. So my \nlast question is this: What are the odds of the United States \nsustaining a debilitating cyber attack in the next year? I \nknow, again, that forces to you guess, but are the odds great? \nAre they low? Give us some indication of how vulnerable we are \nand how much at risk we are. Mr. Skinner.\n    Mr. Skinner. 
Congressman, I just wouldn\'t want to venture \nto because it would be a wild guess. But we are vulnerable. It \ncould be significant.\n    Mr. Smith. If you say we are vulnerable and at risk that is \npretty significant, too. Mr. Wilshusen.\n    Mr. Wilshusen. Again, I couldn\'t hazard a guess as to the \npercentage. But it is more than what we should be and more than \nwhat Federal agencies should be able to protect their systems.\n    Mr. Smith. Okay. Mr. Baker.\n    Mr. Baker. If we end up in a serious conflict with five or \n10 very sophisticated countries, we will be attacked and we \nwill not know how to respond. So the real question is: Are we \ngoing to end up in a conflict like that? One of the things I \nworry about is that we will not defend our interests, the \ninterest of our allies for fear of a cyber attack. That could \nhappen at any time.\n    Mr. Smith. Thank you very much. All very informative. Thank \nyou, Mr. Chairman.\n    Chairman Thompson. Thank you. The Chairman now recognizes \nthe gentlelady from California, Ms. Harman, for 5 minutes.\n    Ms. Harman. Thank you, Mr. Chairman. I want to express my \nsolidarity with Mr. Skinner as a cyber immigrant. That may \napply to many of us over a certain age, but I would observe \nthat the number of students who have been wandering, or not \nwandering but walking in an orderly way in and out of this \nhearing probably have come to these issues more naturally than \nwe have. But we are catching up. Let me observe that on behalf \nof the older class. We are catching up, and the business is \nurgent.\n    The visual image that we all have on our television sets is \nof a broken pipe, a mile under water spewing tens of thousands \nof gallons of oil and natural gas with no easy or immediate \nsolution in sight. 
I would just analogize that to a major cyber \nattack where we could have a broken network or networks spewing \ntens of thousands of bits of information on critical \ninfrastructure, National security and mission-critical data, \nfinancial and personal data, et cetera. It could be as \ndevastating or more devastating than the environmental \ncatastrophe that is unfolding on our TV sets.\n    Does anyone disagree with this? No. Right.\n    So as Mr. Baker said, ``We are going to have a meltdown.\'\' \nI see this as urgent business. It is nice to talk about how we \ncould reorganize things, but I think we need to try to catch \nthe problem, not just chase the problem, as Mr. Skinner said we \nare presently doing.\n    This is not a criticism of you gentlemen, and it is not a \ncriticism of the Members of the committee either. We have all \nbeen trying to get our arms around this. But we don\'t have our \narms around this yet. Am I correct? Right. Okay.\n    So let me say a couple of things. First of all, I agree \nwith Mr. King that the Lieberman-Collins bill is excellent, and \nhe and I have been talking about this. I have also talked to \nthe Chairman about it. I just want to tell Mr. King that I do \nplan to cosponsor the bill with him.\n    Mr. King. Will the gentlelady yield for one second?\n    Ms. Harman. Sure.\n    Mr. King. I will be the lead cosponsor on your bill.\n    Ms. Harman. Did I just hear him giving me some power over \nsomething?\n    Mr. King. You are getting it.\n    Ms. Harman. My, my. Bipartisanship thrives in this \ninstitution. At any rate, thank you. But I think it is an \nexcellent effort. I am sure it will change as it goes through \nthe legislative process, but it will be a good thing to work \nwith our counterparts in the Senate on this as we worked with \nour counterparts in the Senate on the SAFE Ports Act. Mr. \nLungren remembers that. To good end. 
We ended up with a very \ngood law.\n    At any rate, I think it will give the Government new powers \nand new focus and perhaps, I hope, provide the sustained \nleadership that Mr. Skinner said we urgently need.\n    But I also want to ask about something else. I don\'t think, \nas we have been discussing this this morning, and perhaps I \nmissed a little bit of the conversation although I was trying \nto hear it, that we have adequately addressed the other side of \nthis. We need to protect our systems. We need to get our arms \naround this problem and act aggressively. I believe that, and I \nwill support efforts to do that.\n    But we also need to make sure that we don\'t overdo it, that \nwe are considering the fact that as we protect our security, we \nalso want to protect our liberty. I have often said that \nsecurity and liberty are not a zero sum game. We either get \nmore of both or less of both. In saying that, I borrow from Ben \nFranklin, who thought of this 230 years ago.\n    So that raises a question of something this administration \nhas not acted on, and that is standing up the Privacy and Civil \nLiberties Oversight Board that was mandated in the 2004 \nintelligence reform law that has been on the books for 6 years. \nThe last administration made some effort at this, but we have \nnot yet seen any names proposed for the confirmable positions \nfor this board, and I just want to ask you, in my last 45 \nseconds, any of you who would like to address this issue of \ncivil liberties and the need for the Privacy and Civil \nLiberties Oversight Board.\n    Mr. Schaffer. I would certainly chime in to say that the \nDepartment of Homeland Security believes that civil rights and \ncivil liberties is a critically important part of how we \naddress the cybersecurity issue, and we try to build a program \nthat is focused on that from the start rather than trying to \nbolt it on at the end. 
We have resources within my office and \nwithin the Department that focus on everything that we are \ndoing in that space. We have published several privacy impact \nanalysis statements. We certainly believe that that is a \ncritical part of the puzzle, and we very much want to make sure \nthat we are focused on it as we go forward.\n    Ms. Harman. Thank you. Any other comments?\n    Mr. Skinner. I would just like to add that during the \ncourse of our review, we did validate, in fact, the Department \nis, takes very, very seriously the CR/CL, the civil rights/\ncivil liberties, and the privacy of individuals as they build \nthese systems.\n    Ms. Harman. Thank you, Mr. Skinner. Anyone else?\n    Mr. Baker. I will simply add that some of that hand-\nwringing that I think the lawyers are doing about oh, can we \nreally look at and reject packets that are coming in is based \non the fear of privacy concerns. So at a minimum, we have to \nhave a mechanism for having these privacy issues raised and \nresolved quickly and not let them hang up important action too \nlong.\n    Ms. Harman. Thank you, Mr. Chairman.\n    Chairman Thompson. Thank you very much. The Chairman now \nrecognizes the gentleman from California, Mr. Lungren, for 5 \nminutes.\n    Mr. Lungren. Thank you very much, Mr. Chairman. Thank you \nfor having this hearing. This is one of the most important \nissues we have facing us.\n    Cybersecurity is the last among the various categories of \nsecurity that we are really dedicating ourselves to. That is \nnot a criticism of this committee. It just is a fact. The \nurgency that we need in responding to all of the threats out \nthere in this new terrorist world is missing, unfortunately, \nacross this country, and no more than in this particular place.\n    Mr. Smith--excuse me--Mr. Baker, I have not bought your \nbook, but I have read chapters because people should know they \ngo to his website. 
I happened across it by accident, but once I \nsaw those eyebrows I knew it was you, and fascinating and very \ninformative and very, very effective.\n    One of the things I think we ought to make clear is when \nMr. Schaffer talks about 278,000 attacks per month, that is not \na static number. That number is going up. It is almost \nexponential if you talk to people in the outside world about \nwhat is happening everywhere in the cyber world. So people \nought to understand, 278,000 a month sounds big. Wait till next \nmonth and wait till next year. It is not just the Government \nsector, it is the private sector, and it is happening every \nsingle day.\n    Maybe we need to find ways to explain it to the public a \nlittle easier. I was just sitting here listening to some of the \nphrases we use. We want to get in front of the problem. We want \nto ramp up in this space. We want to stand this up. I \nappreciate that is the way we talk back here. No one talks like \nthat back home. We have got a big problem that we have to deal \nwith. Right now people ought to know how serious it is.\n    Mr. Baker, when you talked about the example of what \nhappened to the Dalai Lama, and that he had a sophisticated \nnetwork with all the protections in it and the damage that was \ndone by a single person as a part of that network who received \nan e-mail from what he thought was a trusted individual who had \nan attachment and he clicked on to that attachment and that \ninvaded the whole system and eventually allowed somebody from \nthe outside to capture the system.\n    Mr. Baker. That is right.\n    Mr. Lungren. That is not unusual or idiosyncratic to that \nnetwork, correct?\n    Mr. Baker. Oh, we are all subject to this.\n    Mr. Lungren. Let me ask you this. With respect to that \nparticular attack, what success has there been in attributing \nthose attacks to its origins, do you know?\n    Mr. Baker. 
The people who did the study, some of them \nannounced that they believed that it was the Chinese \nGovernment. Others refused to make that conclusion but \npresented evidence that suggested that the Chinese Government \nwas behind it.\n    Mr. Lungren. But it is not an easy thing to see the origin.\n    Mr. Baker. It is almost impossible.\n    Mr. Lungren. That is what people have to understand. You \nmight be able to see the attack, but once you find the attack \nand even deal with the attack, sometimes it is difficult to \nfind out who did it and they move on to another potential \nattack.\n    Look, we could always have more money and have more people. \nI mean, everybody who comes before us says that. I understand \nthat. I just want to ask the four of you, with the money we \nhave now, with the authority that exists now, with the \npersonnel that exists now under the authority given to you by \nthis Congress, given to the Executive branch by this Congress, \ncan we do a better job? Can we do a significantly better job? \nOr is the answer always going to be we could do a better job if \nwe had more money and we had more personnel? In other words, \nare we doing the best we can with those we have? I don\'t mean \nthis as a criticism of this administration. I have lauded this \nadministration for giving real leadership to this area. But I \nam just asking current status.\n    Mr. Wilshusen. No, sir, we are not doing as best as we can \nto secure our systems. On our engagements we consistently find \nthat security has not been effectively implemented on devices. \nIt is not due to not having the particular tool or the \ncapability. It is just the controls are available, it is a \nmatter of configuring specific devices to be more secure than \nwhat they presently are.\n    Mr. Lungren. Getting people to use them, right?\n    Mr. Wilshusen. Getting them to use them and implement the \nsecurity so----\n    Mr. Lungren. 
We just started with passwords in this \nCongress about 6 months ago. I have had more static from \nMembers on the fact that the password has to be entered within \n30 minutes. I have had Members ask for 12 hours, 24 hours. If \nMembers can\'t understand, and what I would like perhaps Mr. \nBaker and Mr. Schaffer to talk about is, some Members say to \nme, well, look. No one\'s interested in the information I have \nhere. I don\'t have secure information on here.\n    What are the potential for someone being able to latch on \nto one of these machines and be able to access it with Members \nwho don\'t have classified information on the instrument?\n    Mr. Baker. I would say first, you are going to take that \nmachine and plug it into the entire network in order to \ndownload and sync up your e-mail. So you are, whatever happens \nto your machine will happen to the entire network.\n    Second, we all have things that we would just as soon not \nsee in the newspaper. If you hand over those secrets to someone \nwho is hostile to the United States and they are in a position \nto at some point either embarrass someone who is opposed to \nthem, or help somebody that has done them a favor, or to \nblackmail them with a secret, that is a disaster for U.S. \nnetworks.\n    Mr. Lungren. What about an analogy to what happened to the \nDalai Lama? They were able to listen to his negotiating \nposition.\n    Members of Congress might have information that can be \nheard over this just talking about what they understand the \nnegotiating position of the administration to be, what they \nhave heard from a witness, or what they believe the position of \nthe administration ought to be.\n    Mr. Baker. 
You are carrying around something that, if \ncompromised, will tell whoever has compromised it where you are \nevery second of the day and will allow them to turn it on and \nlisten to you while you are talking to people and you won\'t \neven necessarily know that is happening.\n    Mr. Lungren. That is not just with our system in the House \nof Representatives. This is virtually all systems that are out \nthere.\n    Mr. Baker. There are security holes in virtually every one \nof them.\n    Mr. Lungren. Would you agree, Mr. Schaffer?\n    Mr. Schaffer. I would. I guess I would also say that it is \nnot just about what is on an individual device because that \ndevice, if compromised, can be used as an attack vector against \nother devices. So if we all size our risk management to what we \nhave on the device, we will not get enough security for the \nsociety as a whole. That is one of the challenges that we have \nin this space.\n    Mr. Lungren. Thank you very much, Mr. Chairman. I just \nwanted people to understand the nature of this crisis as it \ndirectly affects everybody here. If it affects us in this way, \nit affects the Executive branch and it affects the private \nsector, financial services, every industry out there.\n    Thank you very much, Mr. Chairman.\n    Chairman Thompson. Thank you. The Chairman now recognizes \nthe gentleman from Texas, Mr. Green.\n    Mr. Green. Thank you, Mr. Chairman. I thank the witnesses \nfor appearing today. Your testimony has been quite revealing \nand, to a very limited extent, somewhat frightening. You are \nprobably as old as I am, and I suspect you are familiar with \nthe movie, the sci-fi movie, ``The Day the Earth Stood Still.\'\' \nIt seems that we may be heading toward a scenario similar to \nthat, perhaps not that same one, unless we act expeditiously.\n    The ability to intrude brings along with it the ability to \nmanipulate. Intrusion can be very harmful, but manipulation can \nbe deadly. 
We have got to thwart the ability to manipulate not \nonly information, but also manipulate machines, as we have \nidentified the phone earlier, but devices, trains, planes, and \nto a certain extent, automobiles because of the way the \ntechnology is advancing with the automotive industry.\n    So the first question I have for you is, is this more a \nquestion of will or is it more a question of way in terms of \ngetting to the ultimate solution? If we had 100 percent of the \nwill necessary to do this, can we find the way to thwart \nintrusion, given that the technology for intrusion \nmetamorphoses on a daily basis? So help me, please, Mr. Baker. \nIs this more a question of will or way?\n    Mr. Baker. Let me say I think your observation that \nintrusion can lead to manipulation is a critical one. This is a \ntwo-fer for foreign governments. First they spy on us using our \nsystems, and then when we go to war they take down the systems \nwhen we need them. So it is a very serious problem.\n    I do think that this is more a matter of will than way, \nthat we can solve some of these problems. We are going to need \nto take action to make sure that we can actually respond to \nattacks and attribute the attacks to the people who are making \nthose efforts. That means probably architectural changes in our \napproach to the internet. We need to be able to track back and \nfind the people who actually launched that attack. That is \ngoing to require substantial changes in our architecture, but \nwe can do it. If we do that we can deter a lot of these \nattacks.\n    Mr. Green. Would anyone else care to respond?\n    Mr. Wilshusen. I would agree that certainly will is a key \npart of it because the capabilities to protect many of the \nsystems and networks that we have are available. But at the \nsame time, I think you are right on. In terms of the \nmanipulation and integrity of data it is critical. 
We often \ntalk about the disclosure of information and how that can be \nvery harmful. But if you are able to manipulate data it can \nhave even more devastating impact to agencies and to military \nduring conflicts, so I think you are right on track with that \nline of questioning. I do agree that it is probably more will \nthan way. But way also has an aspect, too, because technology \ntends to outpace security.\n    Mr. Green. Anyone else?\n    Mr. Schaffer. I would echo that thought that there is a big \nwill portion, but there is a way portion as well. The \ntechnology that we have today, the way that we are constructed \nenterprise-wide for the internet, has some challenges that will \nhave to be addressed and fixed. If you look at the studies that \nhave been done about applying known security technologies, they \nusually say that that would cover 80 percent of the intrusion \nsets. There is some percent that we don\'t have current \ntechnology to eliminate and we have got to focus some research \nand development efforts in those spaces in order to get to that \nlast percentage.\n    Mr. Green. Well, my time is nearly up, so I will just \nconclude with thank you again for sharing with us. My hope is \nthat we will take to heart what you have called to our \nattention and make the necessary changes so that we will have \nboth will and way and thwart these efforts. I yield back.\n    Chairman Thompson. Thank you very much. The Chairman now \nrecognizes the gentleman from Pennsylvania, Mr. Dent, for 5 \nminutes.\n    Mr. Dent. Thank you, Mr. Chairman. Good morning.\n    Mr. Baker, I would like to talk about the issues of \nfragmentation and you know, how do we really address the \nfragmentation in Federal agencies. 
Specifically, you know, how \nis the Federal Government\'s overall cybersecurity effort \naffected by the ability of the diverse number of agencies and \ndepartments such as the FTC, the SEC, and others to issue \ndirectives and rulings that establish cyber standards.\n    Mr. Baker. I think there is a serious fragmentation problem \nboth in terms of authority of DHS and the CERT over Executive \nbranch agencies. In the private sector we long ago would have \nunified a number of the security measures and networks that \ndifferent agencies have. But I also believe that both the FTC \nand the FCC have slightly distorted people\'s security \npriorities. The FTC has made it extraordinarily painful to \nallow anybody\'s Social Security number ever to escape your \nsystem. Now that is a serious problem, but it is nowhere near \nas serious as some of the other attacks that people are not \nprioritizing today because they are focused principally on the \nprivacy regulations that the FTC administers.\n    Mr. Dent. My follow-up question deals with, do we need to \naddress the authority of the White House Coordinator for DHS?\n    Mr. Baker. To my mind, no. At the end of the day, the \ncoordinator speaks for the President and he reflects the \nPresident\'s priorities. If he makes it clear that he expects \npeople to respond quickly to the coordinator\'s requirements, it \nwill happen. So I am not convinced that large changes in his \nauthority are essential.\n    Mr. Dent. Okay. In the Ghostnet case study that you \ndiscussed in your testimony, you portray an astonishingly \nintrusive intelligence operation that was carried out against \nthe Dalai Lama through a cyber attack to the point that the \nhackers had knowledge of every on-line activity carried out by \nthe attacked parties. What success has there been in \nattributing those attacks to its origins?\n    Mr. Baker. There is no absolute attribution that has been \nmade. 
There was a lot of evidence that suggested that the \npeople who were carrying out that attack were also looking for \nintelligence from a number of other targets that would be \nhighly of interest to the Chinese Government. But there was no \nabsolute determination of who was responsible for that attack.\n    Mr. Dent. Thank you. To Mr. Wilshusen, GAO has noted \nseveral deficiencies for securing Federal information \ninfrastructure, such as inadequate testing, certification, and \naccreditation of systems, failure to enter interagency \nagreements. As an overall trend, are the Federal Government\'s \ncybersecurity efforts improving? What do you think is the \ngreatest obstacle towards realizing stronger security?\n    Mr. Wilshusen. I think to answer your first question first \nin terms of what are some of the challenges or obstacles, one \nis just the complexity and dynamic nature of the Federal \ncomputing environment. It is geographically dispersed, in many \ncases technologically diverse. As well as there is a large \nnumber and evolving threat, vulnerabilities and business \npractices that all impact the ability to secure information on \nFederal systems. There are a number of initiatives underway \nthat are intended to help improve the security over those \nsystems. The other Members, or the other witnesses have talked \nabout some of those, particular, Einstein; another one is the \nFederal Desktop Core Configuration Initiative, as well as the \nComprehensive National Cyber Security Initiative. We reviewed \neach of those initiatives and found challenges with each of \nthose particular initiatives in terms of being able to \neffectively implement security and made some recommendations on \nthat. But there are efforts under way. There is progress being \nmade, but again, it is a major obstacle to overcome.\n    Mr. Dent. Mr. Schaffer and Mr. Skinner have an observation \non that question?\n    Mr. Skinner. Yes. I do believe it begins with the basics. 
\nIt begins with the employees. I think we have to have a very \nrobust oversight program. We have to have a robust \naccountability program. That is, if you are not complying, then \nyou need to be held accountable. It begins at the lowest \nlevels, not at the highest levels. I think it is something we \nhave to continually hammer home to all employees that you, as \nan individual, have been given certain rights. You have certain \nresponsibilities that go with those rights and that we will \nprovide you the oversight to ensure that you are helping us \nhelp the Government secure its systems.\n    Mr. Schaffer. I would certainly say that the scope of the \nproblem and the complexity of the networks and the different \nlevels of capability within the departments and agencies to \nexecute is one of the challenges that we will all face as we \nmove forward in this space. At the Department we have been \nincreasing our capability both in terms of people, resources, \nand otherwise to work with the departments and agencies to \nimprove security across a range of programs that have been \nmentioned before.\n    FISMA changes are coming that will allow us to focus on not \na paper exercise but real operational continuous monitoring \nkind of solutions to know where we are within the departments \nand agencies, but the departments and agencies themselves need \nto have the resources in order to execute on the advice and \nrecommendations and remediation steps that DHS can try to put \nforward. But they have got to be able to execute within their \nown network environments. As mentioned, very diverse.\n    Mr. Dent. I see my time has expired and I would just like \nto, Mr. Chairman, extend my support to the cybersecurity \ninitiative of Senators Lieberman and Collins. I think the \nChairman, Ranking Member rather, and Representative Harman have \nalso expressed similar support, and Mr. Lungren too. Thank you.\n    Chairman Thompson. Thank you. 
The Chairman now recognizes \nthe gentlelady from New York, Ms. Clarke, for 5 minutes.\n    Ms. Clarke. Thank you very much, Mr. Chairman. The \nSubcommittee on Emerging Threats, Cybersecurity, and Science \nand Technology have done a great deal in this space over the \npast year and a half. We have coordinated many hearings, \nroundtable discussions, and briefings on this topic, and I want \nto thank you, Mr. Chairman, and the Ranking Member, Mr. King, \nfor holding this full committee cybersecurity hearing today. It \nis good to see Assistant Secretary Schaffer, who has been \ninstrumental in providing guidance to me and the other Members \nduring our many roundtable discussions and briefings on the \nHill, and I want to thank you, Assistant Secretary, and the \nother Members of the panel for joining us today.\n    I know this hearing is more focused on domestic affairs and \nefforts, but as we all know, cyberspace has no borders and no \nboundaries. I would like to add another dimension to our \ndiscussion this morning. Our ability to protect U.S. networks \nis inextricably linked to our ability to coordinate with our \ninternational partners on cybersecurity. There is a growing \nawareness of the problem of international cyber attacks, \nalthough the pace of the development is slower and irregular.\n    This March I introduced H.R. 4962, the International Cyber \nCrime Reporting and Cooperation Act, which would enhance \nAmerica\'s cooperation with other countries to combat cyber \ncrime and keep America safe. Chairman Thompson, Ranking Member \nKing, Ms. Loretta Sanchez of California, and Ms. Laura \nRichardson of California are among the bipartisan cosponsors \nthat also serve on this committee. Senators Gillibrand and \nHatch are the lead Senate sponsors of the bill on the Senate \nside.\n    Recent foreign-based attacks on the computer systems of \nU.S. 
Federal agencies and commercial companies highlight the \nvulnerability of the interconnectedness of the networks that \ncomprise the internet, as well as the need to adequately \naddress the global security and governance of cyberspace. \nFederal law and policy give a number of Federal entities \nresponsibilities for representing U.S. cyberspace interests \nabroad in collaboration with the private sector.\n    More recently, the President appointed a National \nCybersecurity Coordinator charged with improving the Nation\'s \ncybersecurity leadership. The Chairman, Ranking Member, and I \nrequested a forthcoming GAO study to identify, among other \nthings, challenges to effective U.S. involvement in global \ncyberspace security and governance efforts.\n    I wanted to take this opportunity to highlight this issue, \nso I will begin my line of questioning on this issue. Mr. \nWilshusen, what obstacles remain between the United States and \nour international allies on the subject of global cybersecurity \ninformation sharing, and what can the United States do to \novercome those obstacles?\n    To Mr. Schaffer, what is DHS doing to foster international \ncoordination and information sharing on cybersecurity?\n    Mr. Wilshusen. Well, I guess I will start. Thank you. 
Well, \none of the obstacles is just making sure that we have a \ncoherent, cogent strategy for dealing with the international \nparties and making sure that the various different parties \ninvolved with the Federal Government have their roles \nidentified and that they are working collaboratively with the \ninternational bodies.\n    It is also important that as we look at various different \naspects related to international security arrangements, it \ndeals with just some of the issues related to, for example, \nsecurity incident attribution and being able to identify \nperpetrators of such attacks across borders, particularly \nmaking sure we have the arrangements in place with other \nnations in order to foster and promote active investigations of \nthose incidents. So making sure that those arrangements in \nplace are going to be very important, too.\n    Mr. Schaffer. Congresswoman, the Department of Homeland \nSecurity is definitely focused on international as being a \ncritical part of what we need to do in order to be successful. \nAs you point out, it is impossible to protect our networks \nwithout having the assistance of our international partners.\n    I traveled to Spain not too long ago for an EU ministerial \nwith the Secretary, where cyber is one of the topics that we \ndiscussed with the European Union. We are working extensively \nwith members of the international watch and warning network, 15 \nnations that are engaged with us on incident response level \nwork for cyber and who will be participating with us in the \nCyber Storm III exercise so that we can look at how our CERT \ncapabilities can leverage and be working with our international \npartners during an incident.\n    We also participate in the Meridian Conference. 
We hosted \nlast year a group of international visitors focused on \ncybersecurity, particularly in the nature of industrial control \nspaces, and we do lots of bilateral meetings on the \ninternational realm as well to try to address cybersecurity \nissues.\n    As you know, there is not a consistent base of capability \nin all of the countries who are our partners and we are trying \nto provide assistance where we can and to learn lessons from \nthose who are more sophisticated that may have done some things \nthat we haven\'t done yet. So we are working hard to work with \nour international partners to make progress.\n    Ms. Clarke. Thank you very much, gentlemen. Thank you, Mr. \nChairman.\n    Chairman Thompson. Thank you. The Chairman now recognizes \nthe gentlelady from Texas, Ms. Jackson Lee, for 5 minutes.\n    Ms. Jackson Lee. I, too, add my appreciation to the full \ncommittee Chairman and Ranking Member for holding this hearing \nand to the witnesses as well. I want to be probative on maybe \nsome of the same questions that have been asked but maybe all \nhave not asked them, and to try and probe as to where we are. \nSo I would like to focus my attention on Mr. Skinner; just make \nthis comment that we rushed to establish Department of Homeland \nSecurity in the wake of 9/11. Just as a moment of history, we \nstarted with a select committee in this House, and then we \ndeveloped the structure as the Senate did for the Department \nand merging a number of different distinct disciplines in one \nbig, if you will, umbrella, under one big umbrella, and we \nrushed to do it.\n    So my question to you, Mr. Skinner, is: What did we do \nwrong at the very beginning as it relates to cybersecurity and \nthe priority that was given when the Department was \nestablished, just on your historical perspective?\n    Mr. Skinner. 
Those were very emotional times and I think \nwhen we brought the Department together back in 2003, 2002-2003 \ntime frame, I believe the attention was on protecting our air \nsecurity and protecting our borders to ensure that we did not \nhave a physical attack, a repeat. Cybersecurity, while everyone \nrecognized that was an issue to be dealt with, I don\'t think \njust elevated at that point in time in our psyche as something \nthat we needed to address immediately. Time has passed. Over \ntime we are now learning that we cannot ignore cybersecurity. \nThe technology is moving so fast and our reliance and \ndependability on that technology has been increasing daily \nand we are beginning to realize that if we want to protect our \nborders, we have to protect our cybersecurity. That is so \nimportant. I think it is something that we are starting to \nrecognize and we are starting to do. We have come a long way \nwith regards to our border security.\n    Ms. Jackson Lee. So in essence, the start of our focus was \nair security. This traveled, when we speak of the Government, \nthis traveled through the Bush administration. This was no \ndifferent in terms of the issue of staffing and focus. This \nsort of is an on-going problem. Is that my understanding?\n    Mr. Skinner. That is correct, yes.\n    Ms. Jackson Lee. So we now have a moment in history where \nthe technology has risen to a level of ultimate superiority and \nit is at a crisis point at which you believe there may be some \naction.\n    So let me just focus in something that is very troubling to \nme, and that is the question of DHS not being able to enforce \nthe other agencies to protect their systems.\n    Tell me, in a very quick answer, what that means. What are \nyou saying?\n    Mr. Skinner. 
That means, essentially they do not have \nstatutory authority to compel their stakeholders, the other \nFederal agencies that they make recommendations to and provide \nguidance to, to compel them to respond to or correct problems \nthat are being identified.\n    Ms. Jackson Lee. Which means that it leaves us vulnerable \nin certain important areas. For example, and I am just calling \nthese agencies\' names, not pointing them out. But we have got \nthe Department of Justice, we have got the CIA, we have got \nNASA, we have got agencies that hold proprietary information, \nDepartment of Transportation, that would be vulnerable if they \nwere not responding.\n    Let me ask the Secretary: What do you do now with respect \nto trying to get our Federal agencies to enforce and protect \ntheir cyber systems?\n    Mr. Schaffer. The process today when we identify a \nvulnerability or we see information coming over the Einstein \nsystem that suggests that an attack has been focused on a \nparticular department or agency is to provide the information \nabout the attack, to provide mitigation strategies, to work \nwith the department or agency on methodologies and best \npractices to avoid the attacks in the future. But as Mr. \nSkinner points out, we do not currently have the authority to \nrequire the department or agency----\n    Ms. Jackson Lee. But what specific authority do you need? I \nknow legislation is moving. But what specific authority do you \nneed?\n    Mr. Schaffer. The administration at this point is looking \nat the bill that has been discussed at length here. It has not \nestablished a position yet on that bill or what specific \nauthorities may be necessary. We are continuing to work with \nthe departments and agencies to execute well against the \nthreats and vulnerabilities that we identify through the \nsystems that we have. We are seeing good cooperation from a lot \nof the departments and agencies to make progress. 
But at this \npoint we don\'t have an administration position that I can give \nyou on specific authorities that we need.\n    Ms. Jackson Lee. Well, I would encourage you to continue to \nwork with this committee. I think we are at a crisis point \nwhere that position needs to be established. I think as we \nleave this hearing we can confirm that agencies are not \nlistening or not responding to the lack of an authority that \nyou have to enforce them protecting the most important assets \nthat the American people have, and that is for proprietary \ninformation. So I look forward to you really getting back with \nthis committee since the administration has made great strides \nand it needs to complete the task.\n    I yield back.\n    Chairman Thompson. Thank you. The Chairman now recognizes \nthe gentlelady from California for 5 minutes, Ms. Richardson.\n    Ms. Richardson. Thank you, Mr. Chairman. If you know \nanything about my district, you know that it is very \ninfrastructure rich. In fact, when Secretary Napolitano had an \nopportunity to come to my district, she was shocked at the \nports, the bridges, the water treatment facilities, surf \nplants, just on and on.\n    So I would like to start off my first question having to do \nwith the National critical infrastructure. I have been a little \ndisappointed that the last Secretary that we have had and the \ncurrent one has not been a supporter of really true cargo \ninspection. I personally believe that that is going to be \nsomething that we will have to deal with. One of the things we \nare currently doing is we are relying upon, we do screening in \nterms of looking at the data, but we are not actually \ninspecting the cargo. 
So I would like to get your thoughts on \nwhat you think in terms of our potential vulnerabilities of \nreally relying upon data and information, assuming that so and \nso, who we have never had a problem with, is sending such and \nsuch, which they say is cargo in there is A-okay, which is \nreally we are relying upon data and not facts. I just wanted to \nget your thoughts.\n    Mr. Skinner. Congresswoman, this is something that we are \ncurrently looking at. It does make us, if we do not have \nadequate verification, validation programs, and internal \ncontrols to ensure that these certifications that we are \nobtaining and that we can trust these people, yes, that makes \nus very, very vulnerable, and that is something that we are \nstudying as I sit here today and hopefully to have a report out \nwithin the next year.\n    Ms. Richardson. If you could keep this committee abreast of \nyour progress and hopefully, before next year, but keep us \nabreast on our progress. Thank you, sir.\n    The second question I actually wanted to ask you, Mr. \nSkinner, the enforcement authority for Federal cyber security \npolicy rests with the OMB. With no disrespect to our other \ncolleagues here, do you support this position, this line?\n    Mr. Skinner. I can\'t comment. I am really not in a position \nto comment on that at this point in time. I will be happy to \nget back to you. I have to learn more about what their \nenforcement authorities are.\n    Ms. Richardson. Okay. Then to you, Mr. Schaffer, in \naddition to being on Homeland Security, I am on Transportation \nand Infrastructure. One of the biggest new things that we are \nhoping will be here soon is NextGen. 
I wanted to get your \nthoughts that NextGen is the program, really the air traffic \ncontrollers\' new system that will enable us to have more, \nbetter information and what we do, but again it makes us very \nvulnerable if someone were to take over the NextGen system and \nsuddenly having planes going in all the wrong directions and \nsuch a reliance upon data which is moving away from pilots. I \nwanted to get your thoughts. Have you started looking at the \npotential cyber issues there? Cybersecurity issues?\n    Mr. Schaffer. Congresswoman, I would have to get back to \nyou on the specific details. I do think that we are engaged \nwith a group that is working on that program, but I don\'t know \nthe details off the top of my head in terms of what our \nengagement has been.\n    I would just say that, as a practical matter, there are \nmany systems that are looking to leverage new technology, and \nthey all need to have security as a critical part of the \ndevelopment of the system rather than an add-on after the fact. \nSo to the extent that we can bring a security mentality to the \ndevelopment of new technologies that are coming into the \nFederal Government, we will be in a much better position in the \nfuture to have a more secure infrastructure than if we don\'t do \nthat and then have to try to bolt security solutions on after \nthe fact.\n    So I certainly would encourage thinking about those \nsecurity issues at the early stages of the process. We will get \nback to you with exactly what our involvement has been thus \nfar.\n    Ms. Richardson. With no discouragement to the company that \nis actually designing it, what will you be doing to ensure that \njust because the company says, like what we are living through \nright now with the spill in the Gulf, what will you be doing to \nensure that there is, in fact, true security and protection \nversus just a company telling you so?\n    Mr. Schaffer. 
Again, I will have to get back in terms of \nwhat our role in that process will actually be, but we will \ncertainly get that information to you.\n    Ms. Richardson. Okay. Then finally I would just like to \nfollow up on something that Representative Jackson Lee said. \nOne thing I am learning from watching the results of the oil \nspill is, you didn\'t say that there was any additional \nauthority that you thought you needed or could share with us at \nthis time. What I would say is that I am learning it is we \nbetter know in advance. So rather than us waiting and then all \nof sudden we have to decide whether we really have authority to \ndo some things, if things don\'t go right we need to be prepared \nto step up and we need to give you the authority to do so.\n    Thank you very much. I yield back.\n    Chairman Thompson. Thank you very much. I have a couple of \nquestions I would like to ask before we close this hearing.\n    Mr. Skinner, your report mentions the fact that a number of \nagencies said that they have not received sufficient training \non the Einstein system, and that for some reason Homeland isn\'t \nsharing this data with them. Are you aware of that?\n    Mr. Skinner. I know what you are referring to. As far as \ntraining, yes, there were some of these stakeholders that felt \nthat the training could have been more intense or face-to-face \nand they thought that presented a problem to them. As far as \ninformation sharing is concerned, there are those agencies that \nsaid that they would like to have more information with regards \nto reported breaches as they come through. The problem with \nthat, and I am sure the Assistant Secretary Schaffer can \naddress this better than I, is that this is a lot of raw data. \nA lot of it is false leads. 
Many of the agencies that are \nasking for this may not have the capability to analyze it \nthemselves, and we can inundate them with unnecessary \ninformation that could really not help their cause but slow \ntheir cause down.\n    Chairman Thompson. Okay. So what is the fix for that?\n    Mr. Skinner. What we are suggesting is the Department \nexplore with other agencies what can we share. Who is capable \nof handling this information. Who has the clearances, who has \nthe security clearances that allow them to look at this data. \nThat is the other thing. A couple of these agencies did not \nhave security clearances, and yet they wanted to look at \nclassified documentation.\n    So I think, No. 1, we have to sit down with our partners \nand explore what can be shared and educate our partners as to \nwhy certain things can\'t be shared and why you don\'t want it to \nbe shared.\n    Chairman Thompson. Mr. Assistant Secretary.\n    Mr. Schaffer. Mr. Chairman, we definitely have a plan to \nexpand our ability to provide information to our Government \ncustomers as we go forward, and that includes building portals \nthat will allow them to get access to certain kinds of \ninformation that we can provide that wouldn\'t violate the \nclassification rules obviously. We also have plans to put in \nplace resources, human resources that will be able to be \ndedicated to individual departments and agencies so that they \nwill have a single resource that they can reach out to and ask \nquestions of at any time and get the answers that they need in \norder to execute well.\n    But Mr. Skinner is quite right that the volume of data is \ndefinitely an issue in terms of raw data that needs to be \nprocessed. As everyone has noted, the need to have highly \nskilled and capable individuals who can analyze that data and \nturn it into information that is executable is one of the \nchallenges for US-CERT, and one of the things that we are doing \nbetter all the time. 
But to expect each department and agency \nto be able to do that independently as well is probably a big \nlift, and that is one of the challenges here.\n    Chairman Thompson. Well, I guess not independently, but at \nsome point you should be able to move something that is of \nimportance to that agency.\n    Mr. Schaffer. Yes, sir. We do that today. We share the \ninformation. Once we have processed and we have got real \ninformation as opposed to raw data, we are pushing that \ninformation to the departments and agencies so that they have \nactionable things that they can go execute against. It is \naccess to the raw data that we find probably wouldn\'t be useful \nto them because of the volume and because of the need to do all \nof this extensive analysis.\n    Chairman Thompson. Back to a question Ms. Richardson and \nMs. Jackson Lee talked about relative to OMB and their \nenforcement of US-CERT requirements. Mr. Baker, since you might \nbe one of two people who can answer that question on the panel \nwithout any--take a shot at that. I mean, what do you think the \nproblem with that approach is?\n    Mr. Baker. The difficulty with telling other agencies what \nthey have to do in this area is you are basically telling them \nto spend money that they were planning to spend on something \nelse on computer security, which isn\'t going to make their \nlives any easier at all. So they are just--it feels like they \nare taking a budget cut. Therefore, you need OMB\'s support \nbefore you can do that. Either OMB is going to say we can find \nmoney for you to do that or they are going to say I am sorry, \nyou are just going to have to take the cut. So without OMB \nbeing part of this process it isn\'t actually going to work. My \nsuggestion would be that it may be that DHS needs bigger \nnegotiating tools in this area, but we are never going to get \nOMB out of this process and we shouldn\'t be trying. That would \nbe my suggestion.\n    Chairman Thompson. Mr. 
Wilshusen.\n    Mr. Wilshusen. Well, certainly OMB does have that role with \nthe budget and approving budgets for agencies. It also is \nresponsible under the current law, FISMA, for approving and/or \nreviewing and approving or disapproving agencies\' information \nsecurity programs. So they have that authority now to go \nthrough and review agencies\' security programs and approve \nthem.\n    Has it been doing it? Not really. It is something we have \ncommented on in the past about their ability to actually review \nand approve agencies\' security programs. Basically that is \nhappening now through the FISMA reporting process. We have \ncommented in the past that the measures and security metrics \nthat OMB has established for agencies to report under that \nprocess have really not been sufficient to really gauge the \neffectiveness of agency and security programs. Those measures \ngenerally just address compliance issues and how many systems \nhave been tested and evaluated, how many individuals have been \ngiven training, for example, without really addressing how \neffective those security protections and measures are.\n    So OMB certainly has a role and has had a role in trying to \nassure that agencies have adequate information security \nprograms. But it has not really done that to the extent that it \nprobably should have done in the past.\n    Chairman Thompson. Mr. Assistant Secretary.\n    Mr. Schaffer. Mr. Chairman, I will just point out that OMB \nhas recently issued a letter that gives to DHS some of the \nresponsibilities with respect to executing on some of those \nreporting pieces. So we are going to be moving in a direction \nthat gets away from what is a paper-based compliance, once-a-\nyear process to a much more operationally focused, continuous \nmonitoring kind of solution. We will have interviews with the \ndepartments and agencies to make sure we understand what they \nare actually executing on. 
We will have benchmarking \ncapabilities that will let us see what other departments and \nagencies are doing and show the individual departments what \nthey have got, and we will have continuous reporting out of the \nactual management systems that are used by the departments and \nagencies to look at their own systems flowing into the FISMA \nreporting tool.\n    So I think we are moving in a direction that will address \nsome of those challenges that we have had historically.\n    Chairman Thompson. With respect to the authority to enforce \ncompliance, are you of the opinion that you need that \nauthority?\n    Mr. Schaffer. Mr. Chairman, as I said, I apologize that I \nam not in a position to answer a question on what authorities \nwe might need at this point. The Department and administration \nare working through the process of coming up with our answer to \nthe authorities question and when we can do that I am sure it \nwill be provided.\n    Chairman Thompson. I am certain. Mr. Skinner.\n    Mr. Skinner. Yes. We do believe they need that authority. \nWhat we haven\'t defined and I think what needs to be worked out \nis: How do we exercise that authority and how do you compel \ncompliance?\n    Chairman Thompson. Mr. Wilshusen.\n    Mr. Wilshusen. One of the issues under FISMA has been even \nwithin a particular agency, not even looking at across the \nFederal Government, is that FISMA required and gave authorities \nto the agencies\' individual CIOs. Even in FISMA it just said \nthat CIOs and their certified information security officers, \nI\'m sorry, are responsible for ensuring compliance but did not \ninclude enforcing compliance. That one word even made a \ndifference within agencies, particularly larger departments \nthat may have multiple components. 
In some instances, for \nexample, like VA, a number of years ago, the central chief \ninformation security officer really did not have that much \nauthority to compel or enforce compliance with policy issues \nacross the Department. So the enforcement is really a key \nconsideration in this particular respect.\n    Chairman Thompson. Mr. Baker.\n    Mr. Baker. Of course they need that authority. It is an \nunnatural act for another department to take binding guidance \nfrom another department and until Congress makes it clear and \nthe President makes it clear that, by God, they are going to \nhave to do it, they are not going to do it.\n    Chairman Thompson. Three out of four in agreement is not \nbad. I understand, Mr. Assistant Secretary, believe me, but I \nhave to ask the question. I thank the committee. You have been \nabsolutely excellent with your responses to the questions of \nthe committee at this point, and I want to thank you for your \ntestimony.\n    Before concluding, I would like to remind our witnesses \nthat the Members of the committee may have additional questions \nfor you and we will ask that you respond expeditiously in \nwriting to those questions. There have been some requests of \ncertain witnesses here today. Hearing no further business, the \ncommittee stands adjourned.\n    [Whereupon, at 12:00 p.m., the committee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n  Questions From Chairman Bennie G. Thompson of Mississippi for Greg \n                                Schaffer\n\n    Question 1a. The IG report states that US-CERT does not have \nsufficient staff to meet its mission. Although US-CERT\'s authorized \npositions were increased from 38 in 2008 to 98 in 2010, as of January \n2010, only 45 positions are filled.\n    Would you give us an update on how many of the 98 authorized \npositions for fiscal year 2010 have been filled?\n    Answer. 
Of the 98 authorized positions, the United States Computer \nEmergency Readiness Team (US-CERT) currently has 56 full-time positions \nfilled and 22 positions with selections in the on-boarding pipeline. It \nis important to note that the 98 positions is the target for the end of \nthe fiscal year--in fiscal 2009, we tripled the number of cybersecurity \npersonnel within NPPD, and we are doubling that number again this \nfiscal year. The snapshot staffing number in the IG report was already \noutdated by the time it was released; our numbers will continue to \nincrease as we continue to grow.\n    Question 1b. What is the reason for the slow process in addressing \nUS-CERT\'s staffing needs?\n    Answer. There are inherent challenges with rapidly on-boarding and \nrecruiting technical experts; chief among the reasons is the need for \nhigh-level clearances, skills required, and competition for higher-\npaying jobs in the private sector. However, hiring is the National \nProtection and Programs Directorate\'s (NPPD\'s) No. 1 management \npriority. We have more personnel in the hiring process for NPPD than \never before. Internally, NPPD has been working closely to streamline \nthe overall hiring process, and within the National Cyber Security \nDivision (NCSD), overall Federal employees have increased from 43 at \nthe end of fiscal year 2008 to 198 current Federal employees.\n    Question 1c. Of the personnel increase from 38 to 98, how many can \nbe attributed to the Secretary\'s Balanced Workforce Strategy to convert \ncontractors to authorized FTEs?\n    Answer. NCSD has focused recruitment efforts for these positions on \nhiring the best and brightest from a large and diverse pool of \ncandidates. NCSD has, therefore, looked to a variety of sources to fill \nGovernment positions. Approximately 20 percent of the individuals hired \nto fill converted positions previously held the positions as \ncontractors.\n    Question 2a. 
The IG reported that due to the staffing shortage at \nUS-CERT, contractors are used to augment the staff.\n    How many contractor personnel currently work on US-CERT program \nactivities?\n    Answer. Currently, the National Cyber Security Division (NCSD)/\nUnited States Computer Emergency Readiness Team (US-CERT) has 185 \ncontractors supporting US-CERT program activities, 86 of which are \ncurrently on-site.\n    Question 2b. How many contractor positions are slated for \nconversion to Government positions as part of the Secretary\'s Balanced \nWorkforce Strategy in fiscal year 2011?\n    Answer. NCSD is currently assessing staffing requirements beyond \nthe number of personnel authorized in the President\'s fiscal year 2011 \nbudget request to address staffing shortages.\n    Question 2c. How many additional positions did the administration \nrequest for fiscal year 2011 to properly address the critical staffing \nshortage at US-CERT?\n    Answer. With the projected fiscal year 2011 budget approval, NCSD \nrequested a total of 42 new positions of which 22 are to support US-\nCERT.\n    Question 2d. Who are the contractors tasked to support US-CERT?\n    Answer. Currently, Booz Allen Hamilton (BAH), General Dynamics \n(GD), MITRE, ESP Group LLC, and CMU Software Engineering Institute \n(SEI) support US-CERT through existing contracts.\n    Question 2e. What type of support do these contractors provide? Can \nthese support activities be in-sourced?\n    Answer. 
The contractors provide a wide variety of support \nincluding: Program management, financial management, and performance \nmanagement; 24/7/365 integration and reporting (meaning there is \nsomeone operationally staffed every hour of every day of the year); and \noperations support services (such as incident handling, continuity of \noperations, malicious code analysis, contingency planning, and trend \ntracking, etc.).\n    US-CERT also receives contract support to assess and recommend \nimprovements to applications, tools, and business processes related to \nidentification, analysis, and publication of timely information about \ncritical cyber threats; vulnerability analysis support; technical \nmentoring and conference support; acquisition planning; incident \ninvestigations; and identification of emerging technologies.\n    NCSD believes that a balanced approach to staffing, which includes \na mix of contractors and Federal employees, is the most effective \nmethod for resource allocation. We are aggressively growing our Federal \nworkforce, and looking closely at how best and most appropriately to \naugment our expanding team with contract support. As such, NCSD is \ndeveloping a needs assessment to ensure the right ratio of contractors \nto Federal employees is hired in the out years.\n\n  Questions From Chairman Bennie G. Thompson of Mississippi for Greg \n                                Schaffer\n\n    Question 1. What are the technical analyst\'s responsibilities?\n    Answer. Responsibilities include testing and implementing latest \ntools and technologies to improve the capabilities of the Einstein \nProgram, performing administrative oversight to ensure that the \nEinstein program complies with applicable laws, and creating and \ntesting new signature profiles to track and detect potential threats \nagainst the Federal civilian Government network infrastructure. 
Other \nresponsibilities include:\n  <bullet> Examining raw data from a wide variety of information \n        sources (e.g. malware and digital media) to detect potential \n        attacks and vulnerabilities and recommend mitigation strategies \n        on potential attacks and vulnerabilities detected. Technical \n        analysts also perform a thorough technical analysis of data to \n        understand the nature of the attacks, threats, and \n        vulnerabilities.\n  <bullet> Providing temporary on-site incident response assistance to \n        investigate, respond, and analyze suspicious activities at \n        departments/agencies.\n  <bullet> Preparing various reports to summarize the initial findings \n        and detailed analysis of the malware or incidents that contains \n        mitigation strategies to improve situational awareness.\n  <bullet> Providing malware guidance to incident handling operations \n        staff as necessary.\n  <bullet> Providing peer review for quality assurance of dynamic and \n        static analysis activities.\n    Question 2. What specifically are these additional duties?\n    Answer. As of January 2010, US-CERT has filled only 45 of its \nauthorized 98 positions. Additional duties for some GS-9 technical \nanalysts include acting in a management capacity, instead of examining \nand analyzing network traffic for suspicious activities and \ncoordinating cyber defense with other agencies. Other duties include \ndeveloping standard operating procedures, providing on-the-job training \nto new staff, and mentoring junior staff and obtaining systems access \nto perform their job functions. However, we believe the mentoring and \non-the-job training should be provided by managers or supervisors, not \ntechnical analysts.\n    Question 3. Would you consider these duties inherently \nGovernmental?\n    Answer. Staff supervision such as providing mentoring to junior \nstaff is considered inherently Governmental. 
However, the functions \nshould be performed by supervisors. The technical analyst\'s \nresponsibilities listed below may be performed by contractors:\n  <bullet> Examining raw data to detect potential attacks and \n        vulnerabilities and recommend mitigation strategies on \n        potential attacks and vulnerabilities detected.\n  <bullet> Performing thorough analysis of data to understand the \n        nature of the attacks, threats, and vulnerabilities.\n  <bullet> Providing temporary on-site incident response assistance to \n        investigate, respond, and analyze suspicious activities at \n        departments/agencies.\n  <bullet> Preparing various reports to summarize the initial findings \n        and detailed analysis of the malware or incidents that contains \n        mitigation strategies to improve situational awareness.\n  <bullet> Providing malware guidance to incident handling operations \n        staff as necessary.\n  <bullet> Providing peer review for quality assurance of dynamic and \n        static analysis activities.\n    Question 4. Should new positions be created to perform these \nduties?\n    Answer. More resources can always help US-CERT to perform its \nmission. However, the technical analysts are performing these duties \nbecause US-CERT cannot fill its authorized positions. Creating \nadditional positions will not mitigate US-CERT\'s inability to hire and \nretain qualified staff. US-CERT\'s staffing shortage is primarily caused \nby leadership turnovers and the Department\'s rigorous suitability \nclearance process.\n    For example, US-CERT has had four directors in the past 5 years. \nFurther, due to the Department\'s rigorous suitability clearance \nprocess, it takes US-CERT a significant amount of time to fill its \ncritical positions. According to a former director, it takes 9 to 12 \nmonths for new applicants to begin working at US-CERT even if they \nalready have a top secret clearance. 
As a result, staffing shortages \nforce current analysts to perform additional duties, instead of \nfulfilling the technical analyst role for which they were hired.\n\n                                 <all>\n\x1a\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'