<html>
<title> - CYBERSECURITY: NETWORK THREATS AND POLICY CHALLENGES</title>
<body><pre>[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
          CYBERSECURITY: NETWORK THREATS AND POLICY CHALLENGES 

=======================================================================

                                HEARING

                               BEFORE THE

      SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, AND THE INTERNET

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 1, 2009

                               __________

                           Serial No. 111-35


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

72-884 PDF                       WASHINGTON : 2012 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 




                    COMMITTEE ON ENERGY AND COMMERCE

                     HENRY A. WAXMAN, California
                                Chairman
JOHN D. DINGELL, Michigan            JOE BARTON, Texas
  Chairman Emeritus                    Ranking Member
EDWARD J. MARKEY, Massachusetts      RALPH M. HALL, Texas
RICK BOUCHER, Virginia               FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida
BART GORDON, Tennessee               NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky
ANNA G. ESHOO, California            JOHN SHIMKUS, Illinois
BART STUPAK, Michigan                JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York             ROY BLUNT, Missouri
GENE GREEN, Texas                    STEVE BUYER, Indiana
DIANA DeGETTE, Colorado              GEORGE RADANOVICH, California
  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California               MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon
JANE HARMAN, California              LEE TERRY, Nebraska
TOM ALLEN, Maine                     MIKE ROGERS, Michigan
JANICE D. SCHAKOWSKY, Illinois       SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California           JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas           TIM MURPHY, Pennsylvania
JAY INSLEE, Washington               MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin             MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas                  PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York          STEVE SCALISE, Louisiana
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin 
  Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE BRALEY, Iowa
PETER WELCH, Vermont    

      Subcommittee on Communications, Technology, and the Internet

                         RICK BOUCHER, Virginia
                                 Chairman
EDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan
BART GORDON, Tennessee                 Ranking Member
BOBBY L. RUSH, Illinois              J. DENNIS HASTERT, Illinois
ANNA G. ESHOO, California            CLIFF STEARNS, Florida
BART STUPAK, Michigan                NATHAN DEAL, Georgia
DIANA DeGETTE, Colorado              BARBARA CUBIN, Wyoming
MICHAEL F. DOYLE, Pennsylvania       JOHN SHIMKUS, Illinois
JAY INSLEE, Washington               HEATHER WILSON, New Mexico
ANTHONY D. WEINER, New York          CHARLES W. ``CHIP'' PICKERING, 
G.K. BUTTERFIELD, North Carolina         Mississippi
CHARLIE MELANCON, Louisiana          VITO FOSELLA, New York
BARON P. HILL, Indiana               GEORGE RADANOVICH, California
DORIS O. MATSUI, California          MARY BONO MACK, California
DONNA M. CHRISTENSEN, Virgin         GREG WALDEN, Oregon
  Islands                            LEE TERRY, Nebraska
KATHY CASTOR, Florida                MIKE FERGUSON, New Jersey
CHRISTOPHER S. MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN D. DINGELL, Michigan (ex 
    officio)



                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Anthony D. Weiner, a Representative in Congress from the 
  State of New York, opening statement...........................

                               Witnesses

Dan Kaminsky, Director of Penetration Testing, IOActive..........
    Prepared statement...........................................
Rodney L. Joffe, Senior Vice President and Senior Technologist, 
  NeuStar........................................................
    Prepared statement...........................................
Larry Clinton, President and CEO, Internet Security Alliance.....
    Prepared statement...........................................
Greg Nojeim, Senior Counsel, Center for Democracy and Technology.
    Prepared statement...........................................


          CYBERSECURITY: NETWORK THREATS AND POLICY CHALLENGES

                              ----------                              


                          FRIDAY, MAY 1, 2009

              House of Representatives,    
Subcommittee on Communications, Technology,
                                  and the Internet,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 1:04 p.m., in 
Room 2123, Rayburn House Office Building, Hon. Anthony D. 
Weiner presiding.
    Present: Representative Weiner.
    Staff Present: Amy Levine, Senior Counsel; Greg Guice, 
Counsel; Sarah Fisher, Special Assistant; Amy Bender, Minority 
Counsel; Neil Fried, Minority Senior Counsel; and Sam Costello, 
Minority Assistant.

 OPENING STATEMENT OF HON. ANTHONY D. WEINER, A REPRESENTATIVE 
             IN CONGRESS FROM THE STATE OF NEW YORK

    Mr. Weiner. Welcome to the hearing of the Energy and 
Commerce Subcommittee on Communications, Technology, and the 
Internet.
    I welcome the witnesses.
    Since April 17th, President Obama has had on his desk 
recommendations of a panel that has been studying cybersecurity 
policies and structures of our government. Already we have 
heard a push and pull going on behind the scenes and 
increasingly in public about some of the thorniest questions 
that that panel will consider.
    Today we will offer some advice.
    This committee will have the jurisdiction to implement the 
policies that are recommended by the President, and 
notwithstanding the activities in some other committees, which 
we welcome, the jurisdiction for these matters will be here in 
the Telecommunications Subcommittee and in the Energy and 
Commerce Committee.
    We will hear from a brilliant set of witnesses, but we will 
not hear from someone from the administration for some reasons 
obvious and some reasons not so. The obvious is I don't think 
they know what their policies will be. So asking them to 
testify on them might be premature. But also we wanted to, by 
design, to have a conversation here among interested parties in 
the community that would allow us to inform our reactions to 
the administration's proposals that will be forthcoming.
    In fact, cybersecurity is not a singular problem. It is at 
least three. There are, of course, the issues of personal 
security, issues of spam and nuisance, but also identity theft 
and the like. This is also an issue of critical infrastructure 
and protecting it, the economic security of our country and, 
frankly, the increasingly interconnected economies of all of 
the countries of the world.
    And of course, this is a national security issue. An issue 
that has been seemingly increasingly brought to the public's 
attention with stories that fill up the newspapers on 
everything from fighter jet plans being stolen to Chinese-based 
spying on Tibet and some of the other countries. We have heard 
just about a story a day.
    We will endeavor to ask and answer some of the big 
questions that the President is going to be wrestling with. How 
do we respond to or mitigate or work around or generally 
respond to the inherent paradox that is the Internet? Its 
openness, its openness to innovation, its openness to 
democratization; but also its openness to mischief and mischief 
makers and often things worse than mischief.
    For the most part, Congress has been wise in resisting the 
temptation for heavy-handed intervention, and that has served 
the Internet well and has served our country well.
    We also have to ask the question that has been dominating 
the discussions at the White House. Who should be in charge of 
combating the mischief maker, the con artists or the 
terrorists; not only what agency of government but whether or 
not it should be government at all, and if so, what 
relationship between government and the private sector? With 
government, of course, you often get the inevitable heavy-
handedness and secrecy, but you do get strong centralized 
action when it is needed. With the private sector you get 
entrepreneurship, creativity but you also get silos of self-
interest that don't always make for vigorous system-wide 
defense.
    One thing is sure. This cancer can't be exorcised with a 
rusty axe; we need to use a scalpel.
    Third, we have to ask the questions, are we destined to 
constantly fight the last war when it comes to cybersecurity? 
Is the cycle of discovery, warning, insulation inevitable?
    Conficker gave us an interesting and good example of this. 
Tiffany and my staff put together a timeline of the Conficker 
virus, and here is what she wrote.
    On December 29, 2008 Conficker.B is first detected; 
Conficker.A updates itself to Conficker.B.
    February 20, 2009, Conficker.C is discovered; Conficker.B 
updates itself to Conficker.C.
    March 4th, Conficker.D is discovered; Conficker.C updates 
itself to Conficker.D.
    April 7, 2009, Conficker.E is discovered; Conficker.D 
updates itself to Conficker.E.
    Conficker.E downloads scareware and spyware onto computers. 
It deletes automatic updates of computer systems and prompts a 
fake need to update one's computer. And when individuals buy 
the software protection Conficker.E offers, the computer 
downloads spyware onto the computer. This is a dynamic that 
clearly does not lend itself very well to discovering the 
problem, addressing the problem, moving on to the next problem.
    Maybe cat and mouse is our only option. Maybe, though, we 
don't need a military-type approach but more an approach that 
we in government use at say NIH or the Food and Drug 
Administration, where government helps to augment creative 
solutions, help with some of the R&D, and then let the private 
sector go off and implement them.
    And then, of course, there are the more provocative 
questions that we might not have time to touch on today, such 
as John Markoff in the New York Times asking the question, do 
we need a new Internet all together? Or the provocative title 
of Jonathan Zittrain's great book, "The Future of the Internet 
and How to Stop It."
    The witnesses we have before us will offer us an 
opportunity to answer some but not all of these questions. This 
is a conversation that inevitably has to take place not only 
here in Congress but in the businesses around the Internet and 
in the coffee shops and parlors of people's personal 
experiences and, of course, over at the White House.
    Now it is my honor to introduce the witnesses we have 
before us today.

 STATEMENTS OF DAN KAMINSKY, DIRECTOR OF PENETRATION TESTING, 
  IOACTIVE; RODNEY L. JOFFE, SENIOR VICE PRESIDENT AND SENIOR 
   TECHNOLOGIST, NEUSTAR; LARRY CLINTON, PRESIDENT AND CEO, 
 INTERNET SECURITY ALLIANCE; AND GREG NOJEIM, SENIOR COUNSEL, 
              CENTER FOR DEMOCRACY AND TECHNOLOGY

    Mr. Weiner. Dan Kaminsky is the director of penetration 
testing at IOActive, where he focuses on design capabilities 
and vulnerabilities of network protocols. He is probably most 
famous for having discovered a fundamental flaw in the Domain 
Name System or DNS that would allow him to reassign Web 
addresses, take over banking sites, or disrupt the flow of data 
over the Internet. Thankfully, he was a good hacker and brought 
this flaw to the attention of those entities that were in a 
position to fix it.
    Dan Kaminsky, you are our first witness.
    You are recognized for 5 minutes. I know you have presented 
some testimony already, so feel free to summarize as you see as 
appropriate.

                   STATEMENT OF DAN KAMINSKY

    Mr. Kaminsky. Thank you very much. Hello, everyone. Members 
of the subcommittee, please allow me to express my appreciation 
for offering me this opportunity to testify today.
    I am, as said, the director of penetration testing at 
IOActive. I spent the last 10 years of my career working for 
Fortune 500 companies, including Cisco, Avaya, and Microsoft to 
help secure their systems.
    It was an interesting experience fixing DNS, working with 
all the people that needed to be in a position to actually get 
the fix out, get the fix deployed and ultimately protect the 
ecosystem. It was an example of a public-private partnership. 
We worked with USCERT in order to get communication out to the 
Federal agencies that themselves had to get software out. And 
it was a remarkable, remarkable experience for all parties. It 
was a highlight of 2008; 2008 was not, however, an easy year.
    Verizon business actually every year puts out a report 
called the Data Breach Investigation Report. In an industry 
that always struggles to have good data to work with, Verizon 
actually did a wonderful thing and has for the last few years 
in summarizing what they see in their limited sample of their 
customer base. And what they saw was astonishing. Over 285 
million records were compromised last year, just from their 
customer base. According to Verizon, this is more than every 
other year they had seen combined. Worse, over 91 percent of 
those compromised records, most of which were payment card 
information, over 91 percent of those were traced going back to 
organized crime.
    We have worldwide problems, and we live in a much more 
dangerous world than when I first started doing computer 
security years ago. The reality is, hacking is no longer about 
kids. It is about people with kids who would like to feed them. 
Attackers have had years to figure out the absolute best ways 
that they can monetize their access. Recently, they actually 
managed to coordinate a widespread attack against the ATM 
infrastructure in which, in 49 cities, $9 million was extracted 
from ATMs using purloined ATM data.
    Beyond that, extortion, something we have almost no 
information on, is rumored to be becoming an extraordinary 
problem not merely hitting the sides or gambling or pornography 
aspects of the economy but actually standard businesses.
    As you mentioned, Conficker. Conficker, it turns out, was a 
remarkable success. If Conficker had come out in 2003, pretty 
much every single computer on the Internet, at least every 
Windows machine, would have been compromised. Since 2003, 
Windows has become a much, much more secure platform. The 
actual result of the work from 2003 was probably over 99 
percent of the machines that otherwise would have been 
affected, infected by Conficker never had a problem. That is 
what happened when we--that is the result of our scans and our 
monitoring of the situation.
    That being said, a percentage of a large number is still a 
large number, and we have had to deal with millions and 
millions of machines infected. What was most scary about 
Conficker is, thus far, we still have no idea what the authors 
of it want.
    So where do most of these compromises come from? How is 
this happening? A lot of problems are in software. This is 
true. There is a lot of buggy software out there. But according 
to the Verizon business report, over 60 percent of actual 
penetrations that led to loss of data did not come from buggy 
code; they came from our simple inability to strongly 
authenticate other nodes on the Internet, default passwords, 
lack of passwords, lack of insufficiently strong passwords. It 
turns out authentication is in huge amounts of trouble on the 
Internet today, and the data suggests it is leading directly to 
compromises of personal information.
    Now people may say, why are we still using passwords? Why 
is this problem still there? It turns out it is because it is 
the only way to reasonably make things work at all. It turns 
out, if something doesn't work, people won't use it, even if it 
is theoretically more secure.
    This is ultimately why I become a supporter of the 
technology known as DNSSEC. DNSSEC on its face is a method to 
fix DNS, but it is not just that. DNSSEC ultimately allows us 
to use DNS's power for allowing communication across 
organizational lines, ultimately trust across organizational 
lines, and allows us to apply cryptographic strength to that 
trust so it can be used not just for existing systems or not 
just for locating systems but for actually authenticating them 
and ultimately authenticating the people on the other side. It 
will take some work. It will take a lot of work, but I see it 
as the key towards making a new security authenticating 
ecosystem.
    Thank you.
    [The prepared statement of Mr. Kaminsky follows:]******** 
INSERT 1-1 ********
    Mr. Weiner. Thank you.
    Our next witness is Rodney Joffe. He is the senior vice 
president and senior technologist for NeuStar. He is a renowned 
expert on security flaws in the Internet. He also participated 
in the Department of Homeland Security's Cyber Storm II, a 
multinational cybersecurity exercise that examines security 
preparedness and response capabilities across a variety of 
infrastructures.
    Mr. Joffe, you are recognized for 5 minutes.

                  STATEMENT OF RODNEY L. JOFFE

    Mr. Joffe. Good afternoon, Chairman Weiner.
    I am, as you say, the senior vice president, senior 
technologist for NeuStar.
    NeuStar provides innovative services that enable trusted 
communication across networks, applications, enterprises around 
the world. A major portion of that is involvement with 
directories. I joined NeuStar in 2006 when UltraDNS, which is a 
company I founded, was acquired by NeuStar.
    DNS is the core directory that really routes traffic on the 
Internet. Every one of us uses it all the time. Any computing 
machine makes use of DNS. The technology itself basically deals 
with the fact that, as humans, we recognize and we are able to 
use words. Computers understand numbers, in this particular 
case, IP addresses, and they require the IP addresses to be 
able to move traffic or to be able to get you from one site to 
another. The DNS, simply put, is the directory that converts 
names to numbers and vice versa.
    So, for example, if I want to go to www.house.gov, I put 
that into an Internet browser, and the DNS would convert that 
to the IP address, 204.141.87.18, and the computing device is 
then able to get you to the House server, and the screen 
appears on your computer.
    So NeuStar also provides the core directory service for the 
.biz and the .us top level domains, as well as 17 other top 
level domains, including a number of other country codes. So, 
for example, we provide the service for Canada, .ca; for the 
United Kingdom; and for Japan. We also provide the directory 
service for anyone attempting to reach many of the Fortune 500 
or the e2000 sites. So, in all, we serve about 4,000 
corporations and government departments around the world and 
about 15 million domain names.
    I really appreciate you inviting me to speak about the 
particular threats, and I appreciate the fact that the 
committee has actually taken an interest.
    Probably the oldest reason for Internet attacks is that of 
ego bragging. There are three real reasons. The perpetrators 
behind those kinds of attacks are generally young and immature, 
and they are intent on showing their prowess with computer 
programming with little or no regard for the damage that they 
cause in their attacks.
    The second and most common category is for financial gain. 
In this case, the attacks are committed by individuals as well 
as by organized gangs of criminals. They include large spam e-
mail that you have mentioned; the interception and illegal use 
of computer data, which you have also mentioned, most commonly 
bank data and credit card data, extortion schemes, which have 
been around for quite a while; and Distributed Denial of 
Service attacks. In DDOS or Distributed Denial of Service 
Attacks, botnets, which are large groups of thousands, hundreds 
of thousands, sometimes millions of machines all working 
together, that have been previously infected, will be used and 
rented by criminals in the underground. Not only for 
themselves, but they rent them out. It is a business. The 
criminal then commands the botnet to try and reach a specific 
site. The result is that a Web site, for example, is hit by 
millions of hackers at the same time in an attempt to overwhelm 
the site and take it down. Frequently, it is successful.
    An important thing to note here is that it would require 
fewer than 10,000 strategically located compromised machines 
with some reasonable knowledge to disable a sizable portion of 
the U.S. Internet. It doesn't take many machines.
    Generally though the botnets involve hundreds of thousands 
because the people who build these botnets have no real cost. 
They are using our resources, and botnets are built almost 
automatically. We have seen notes where kids go off to school, 
come back, and take a look at how many bots they have added to 
their botnet while they have been at school. We have actually 
seen discussion in the underground about that.
    Another lesson on the very dangerous kind of malicious 
behavior that exists in cyberspace which is known as DNS cache 
poisoning. This is something that Dan has discovered as you 
know, last year. Thanks to Dan, we are a lot safer than we 
were.
    But effectively what happens with DNS cache poisoning is 
that your ISP's caching service are poisoned. The DNS is 
pointed to a fake site. When you go to your bank, you end up at 
a Web site that looks just like your bank, but actually isn't. 
It belongs to criminals. And what they do is they ask you for 
your password, ask for your user ID, and then they go ahead and 
make use of that to make transfers and to empty your account.
    The third category we talk about is cyberterrorism, which 
really relates to generally nation-state issues. Over the last 
2 years, there have been at least three public attacks 
reportedly on nation-states. We know that one of them probably 
is, countries we all recognize Estonia, Georgia and Kyrgyzstan. 
Additionally, The Wall Street Journal reported on April 8th of 
this year, as you mentioned, critical infrastructure facilities 
had been compromised.
    It is really important to note over here that, while most 
people are unaware of the attacks, these attacks are going on 
all the time, and our industry is reasonably successful in 
being able to actually stop some of those attacks before they 
become public. But the attacks are occurring all of the time.
    On April 12th, talking about banking, most of this is 
theoretical, on April 12th, the DNS servers of a major 
Brazilian ISP, Virtua were compromised. Their cache was 
poisoned for the entry of one of the largest banks in Brazil, 
Bradesco, making use of the kinds of things that Dan had talked 
about. Users of that bank were redirected to a fake Web site, 
and it took about 5 hours before the bank and the ISP were able 
to realize that, in fact, the recent entry had been poisoned. 
The bank was reasonably open in their statement when they said, 
approximately 1 percent of our customers were affected by this. 
But that represents almost 150,000 individuals who could 
possibly have had their accounts compromised during one event. 
And this is an event in one country over the course of 5 hours.
    The other event is one that you have touched on already, 
and with indulgence, I will perhaps expand a bit more, which is 
on the Conficker botnet, the Conficker worm.
    We have an industry group called the Conficker Working 
Group, an unofficial group that came together in the private 
sector to deal with a real threat, an immediate threat of 
Conficker. They have been working around the clock to dismantle 
the botnet with no real success. On the 8th of April, as you 
said, it took the first steps with version E. You had mentioned 
earlier that it had upgraded from version D to version E. It 
wasn't just an upgrade. It was also the first time we got some 
insight into how the botnet was actually going to be used. It 
was used to sell fake antivirus. If you have seen those pop-ups 
on your computer screen, where it may say that you are 
infected, you normally expect that to show from your antivirus 
software. In fact, if you were infected with Conficker, there 
were no messages from your antivirus software. It was actually 
from the criminal group behind it. They then advertise some 
software that you could purchase online there and then, enter 
your credit card, your personal information and download their 
software. Of course, their software doesn't disable the virus. 
It installs more malicious software, and the job is now even 
more difficult.
    As a sobering side note on this, last month, in 
collaboration with one of the other members of the Conficker 
Working Group from Georgia Tech, we identified at least 300 
critical medical devices from a single manufacturer. We 
stumbled on it. It is not that easy to tell what it is. There 
were at least 300 medical devices that were infected with 
Conficker. The hospitals had no idea. The manufacturer had no 
idea. When we called them, they were obviously shocked. These 
devices are used in hospitals to allow doctors to view high-
intensity scans, MRI for example, CT scans. And they are often 
found in ICU facilities. They are connected to local area 
networks. They should never, ever have been connected to the 
Internet, and according to the manufacturers, they weren't. 
However, they were connected at some stage to the Internet 
because they were infected, and they were checking in with us.
    The way we know they are infected is that we run systems 
that those devices will connect to. Worse, after we had 
notified the manufacturer and the hospitals involved, and we 
are obviously doing our best for hospitals around the world, we 
were told that, because of FDA rules that they referred to as 
510(k) regulations, 90 days notice was required before the 
systems could be modified to remove the infections and the 
vulnerabilities. In some cases, clearly, there can be a 
disconnect between government rules which are meant to protect 
consumers and today's cyber threats which sometimes result in 
delaying and hindering the ability to fix problems as in the 
medical system.
    So based on my long experience in operating large networks 
connected to the Internet, I think one of the most important 
areas for Congress to concentrate on is improving the 
communication both between the public and the private sectors 
and across those sectors. The Department of Homeland Security 
operates USCERT, which is part of its mission to act as a 
liaison between public and private sectors. It is a start, in 
my view, but it is woefully understaffed, and it is woefully 
underfunded for the enormous task that is put before it. 
Ideally, I would like to see much more focused collaboration, 
as Dan had mentioned and I assume that you have heard 
before.
    In summary, we face enormous escalating threats from all 
parts of cyberspace both to the economy and to the safety and 
well-being of many citizens. So, beyond the normal perennial 
call for additional resources, we need to concentrate on 
improving the collaboration between industry and government; 
between different government departments; and between the U.S. 
and foreign governments.
    Mr. Chairman, thank you for the opportunity to address you 
and the rest of the committee, and I am happy to answer any 
questions.
    [The prepared statement of Mr. Joffe follows:]******** 
INSERT 1-2 ********
    Mr. Weiner. Thank you, Mr. Joffe.
    Our next witness is Larry Clinton. He is the president and 
CEO of the Internet Security Alliance, an organization that 
represents corporate security interests and provides a forum for 
information sharing on information-security issues. Mr. Clinton 
is also a member of the GAO's expert panel which will make 
recommendations to the Obama administration on cybersecurity.
    Mr. Clinton, welcome. You are recognized for 5 minutes.

                   STATEMENT OF LARRY CLINTON

    Mr. Clinton. Thank you, Mr. Chairman, and thank you for 
inviting us to have this hearing, and we are delighted to 
participate.
    Mr. Chairman, virtually our entire economy, our defense 
system, our culture, now depend on electronic communication 
systems that are extremely vulnerable and under constant 
attack. The vast majority of these systems are owned and 
operated by the private sector.
    Unfortunately, virtually all the economic incentives 
regarding cybersecurity favor the attackers. Attacks are 
relatively cheap. The area to defend is virtually limitless. 
Defense residing in separate although connected systems is 
difficult to coordinate and expensive compared to the return on 
investment.
    The good news is that we know a great deal about how to 
prevent and stop these attacks. The bad news is, we are just 
not doing it. The PricewaterhouseCoopers Global Information 
Security Study of over 1,000 companies found that those that 
followed the industry best practices could prevent, almost 
entirely mitigate the attacks against them. The 2008 Data 
Breach Investigations Report previously referred to studied 
more than 500 forensic engagements over a 4-year period and 
concluded that 87 percent of the breaches could have been 
avoided if reasonable and identifiable security practices had 
been followed. Robert Bigman, chief of information assurance 
for the CIA, has stated publicly that most of the attacks that 
he sees are not that sophisticated, and 80 to 90 percent of 
them could be prevented with due diligence.
    However, we cannot solve cybersecurity problems by 
attempting to adapt 19th Century models to a 21st Century 
problem. A common theme from some policymakers who are 
relatively new to the cybersecurity problem tend to say, well 
if industry won't do this on their own, we will just have to 
regulate them. The Internet Security Alliance believes that 
such an approach is short-sighted and does not reflect the 
necessary understanding of the new breed of technologies 
created by the Internet to begin with. Federal regulatory 
mandates are best designed to combat corporate malfeasance, and 
that is not the problem we are facing with Internet security.
    Even if Congress would enact an enlightened statute, it 
would only have reach to our national borders, and this is an 
international problem. A set of U.S. regulations would place 
U.S. industry at a competitive disadvantage in the global 
marketplace at the time when we can least afford it.
    Specific regulations would likely be too static to the 
technology, and the threat vectors constantly change; while 
flexible or conceptual regulations may be too general to have 
any real effect. Regulations are often subject to political 
pressure, making minimum standards de facto ceilings, something 
like what we have with campaign finance.
    We need a better system, a 21st Century system. 
Fortunately, there are signs that the Obama administration 
understands the need for a modern approach to cybersecurity 
that appreciates the economic issues as much as the technical 
ones. President Obama assigned Melissa Hathaway of the National 
Security Council to conduct a review of our Nation's 
cybersecurity status. Although the report has not been made 
fully public, Ms. Hathaway did provide a preview a week ago in 
Silicon Valley.
    Among the specifics from the report she did share was 
acceptance of the principle that, quote, previous attempts to 
deal with cybersecurity in isolation have failed in no small 
part because cybersecurity only succeeds in the context of 
broader economic progress. In particular, Ms. Hathaway 
specifically cited the need for government to work with the 
private sector to, quote, improve market incentives. This is a 
significant departure from the previous administration's view, 
which was that the market would emerge spontaneously to address 
these problems. That did not happen.
    Ms. Hathaway is correct. We need to improve market 
incentives. Consistent with this view, the Internet Security 
Alliance asks Congress to consider enacting what we call the 
Cyber Safety Act. The Cyber Safety Act is an affirmative and 
contemporary approach to dealing with the 21st Century problems 
of cybersecurity. In brief, we suggest that government's role 
is not to prescribe mandatory regulation but rather provide 
market incentives for the private sector entities to adopt the 
security practices and standards and technologies that have 
already been empirically demonstrated to work. There are a wide 
range of incentives which have already been used in various 
sectors of the economy, such as insurance, liability 
protections, procurement awards programs, SBA loans, et cetera. 
All these achieve government goals. What we are suggesting is 
that these should now be applied to cybersecurity.
    Government ought to designate a range of public and private 
sector entities which can serve as a qualifying set for 
standards and practices. Government ought to then fund research 
used to evaluate the standards, practices and technologies 
developed on an ongoing basis with the sole criteria being 
their effectiveness. Private sector entities that can 
demonstrate compliance with the standards and practices would 
be deemed effective and would qualify for the incentives. What 
we are attempting to do here through the Cyber Safety Act is to 
change the economics of cybersecurity by constructing a market 
that makes private organizations want to continually invest in 
cybersecurity in their own economic self-interest. Only then 
can we create the sort of sustainable and evolving system of 
cybersecurity that we need.
    The purpose of this system is to defend the national 
security's interest, and thus it is worth the relatively modest 
investment that the government would have to make in order to 
provide the incentives. 
The present research and the expert \ntestimony shows that by motivating the widespread adoption of \nthe practices that have already been demonstrated to work, the \nvast majority of the problem we are experiencing can be quickly \naddressed.\n    However, there is a small but critical 10 to 15 percent of \nattacks that will not be addressed in this fashion. My written \nstatement goes into some detail on a number of these problems, \nincluding the supply chain, the incongruity with laws that were \nwritten in the 1980s to current technology, the need to change \nthe basis for security from protecting the instruments like the \ncomputers to protecting the data itself. All of these will \nrequire a lot more work than what we are proposing with the \nCyber Safety Act.\n    We look forward to working with the committee both to \naddress the 90 percent of the problem that is basically low-\nhanging fruit as well as the 10 percent of the problem that is \ngoing to require substantially more work.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Mr. Clinton follows:]******** \nINSERT 1-3 ********\n    Mr. Weiner. Thank you, Mr. Clinton.\n    Our final panelist before we begin questions is Gregory \nNojeim. He is the senior counsel and director of the Project on \nFreedom, Security and Technology at the Center for Democracy \nand Technology. He has been integral in bringing together broad \ncoalitions from across the political spectrum to limit the \nthreats to privacy and civil liberties posed by government \nmonitoring of the Internet and other communications.\n    Mr. Nojeim, you are recognized for 5 minutes.\n\n                    STATEMENT OF GREG NOJEIM\n\n    Mr. Nojeim. Thank you, Chairman Weiner.\n    It is really a pleasure to testify today on behalf of CDT. 
\nOur organization is a nonprofit organization, and we are \ndedicated to keeping the Internet open, innovative and free.\n    So it won\'t surprise you that most of my comments today \nwill focus on the communications infrastructure as opposed to \nother infrastructure systems and, in particular, on the \nInternet.\n    Cybersecurity policies should distinguish between \ngovernment systems and systems that are owned and operated by \nthe private sector. Policy toward government systems can be \nmuch more proscriptive. It can be much more top-down than \npolicy toward private systems.\n    Congress should also distinguish between the elements of \nthe critical infrastructure operated by the private sector that \nprimarily support free speech and those that do not. As an \nexample, measures that might be appropriate for securing the \ncontrol systems of a pipeline, they might not be right for \nsecuring the Internet. It might be wise, for example, to \nrequire a particular kind of authentication of a user of an \ninformation system that controls a pipeline. But it might not \nbe wise to require that same kind of authentication for a \ncomputer user in the privacy of their own home while they are \nsurfing the Internet.\n    The characteristics that have made the Internet successful, \nopenness, decentralization, user control, things that you \nmentioned in your opening statement, Mr. Chairman; these things \ncan be put at risk if heavy-handed cybersecurity policies are \napplied to all critical infrastructure. This subcommittee \nshould make protection of these attributes an essential part of \nits cybersecurity mission.\n    It is also important to ensure that cybersecurity measures \ndo not result in a governmental entity monitoring private \ncommunications networks for intrusions. Monitoring these \nsystems is the job of private sector communications providers, \nand they already do this.\n    The government can help them do a better job. 
It can help \nthem develop tools that allow communications providers to \nmonitor for intrusions in the least intrusive way. But it \nshould not be in the business of monitoring private networks \nitself. Nor should the government be in the business of \nshutting down Internet traffic to compromised critical \ninfrastructure information systems in the private sector.\n    While some have proposed giving the President this \nextraordinary power over all critical infrastructures, we \nbelieve it should extend only to governmental systems. Such \nauthority applied to private systems would empower a President \nto coerce unwise, even illegal activity. To our knowledge, no \ncircumstance has yet arisen that would justify a Presidential \nOrder to cut off Internet traffic to a private critical \ninfrastructure system when the operators of that system think \nit should not be cut off.\n    We also urge you to carefully address two overarching \nrecurring cybersecurity policy problems. The first is excessive \nsecrecy. The subcommittee should work to improve the \ntransparency of the cybersecurity program. Transparency builds \ntrust with the private sector, and that is essential to foster \nits cooperation. It also enhances public understanding of the \nnature and justification for any impact on users of \ncybersecurity measures. Transparency also promotes essential \naccountability.\n    The second overarching problem is improving information \nsharing between the private sector and the government. Starting \nwith the right questions about information sharing will help in \nsettling on the right answers.\n    Exactly what information held by the private sector has not \nbeen shared with the government when it was specifically \nrequested? What reasons were given for the decision not to \nshare? Why aren\'t existing information-sharing structures--I am \nsorry. Why are existing information-sharing structures like \nUSCERT falling short? 
And what additional market incentives \nwould encourage the private sector to share threat and \ninformation solutions? Generally, as you approach these and \nother cybersecurity problems, we urge you to favor market-based \nmeasures over mandates. And we ask that you consider carefully \nthe impact on the Internet of measures proposed for securing \nall critical infrastructure systems. Thank you.\n    [The prepared statement of Mr. Nojeim follows:]******** \nINSERT 1-4 ********\n    Mr. Weiner. Thank you very much.\n    I would like to begin the conversation looking at, first, \nin some, as much as we can do in English, some of how the big \nstories of the day have emerged. When we read in The Wall \nStreet Journal and elsewhere that computer spies have breached \na fighter jet project; when The New York Times reports that a \nvast spy system lutes computers in 103 countries, walk me \nthrough a little bit about, and while you can\'t answer with \ncertitude, a little bit of how we suspect these things have \nhappened and why it is that the cat is a few steps behind the \nmouse on these things.\n    Mr. Kaminsky, you can start. You can choose either one of \nthese. Walk me through about why this is more complicated than \nsimply saying, let\'s just read some code, close some back doors \nand solve this problem.\n    Mr. Kaminsky. I would say there tend to be two main ways \nthat attackers seem to be getting in. There are more, but I \nwill go with two. 
The first way is that the software that is \nexposed on the Web for remote access, remote management, remote \njust data collection, while operating systems themselves have \ngotten significantly more secure over the last few years, the \nactual software that is exposed that drives Web sites tends to \nbe homegrown and very poorly audited.\n    So a very common technique that attackers use is what is \nknown as sequel injection, where they actually communicate with \nthe Web front end and messages are sent to the database back \nend. And the messages, unfortunately, are insufficiently \nsanitized or cleaned, and the database is caused to run \narbitrary attacker software. That is the most common \nimplementation flaw.\n    The other method is what I referred to earlier in my talk \nwhere I was talking about authentication techniques. According \nto the Verizon business report, 4 out of 10 of the times when \nthey saw an actual compromise occur, they actually found that \nthere was remote management--remote management there \nspecifically for third parties, for third-party vendors, using \npasswords that were either known or could be easily guessed. So \nwe don\'t have the exact details, or at least I certainly do not \nhave the exact details on how the joint strike fighter data was \nlost. But in terms of what was lost from server side, you will \nsee either compromises on the Web site or compromises on remote \nmanagement through default passwords.\n    One third case which should be brought up is that we do \nhave issues with actual desktops and browsers themselves, where \nan individual desktop inside of an organization will be \ncompromised through the Web browser through what is called a \ndrive-by download, and that drive-by download will cause that \nindividual host to be a jumping-off point for an attacker to \nthen attack other assets within the organization.\n    Mr. Weiner. So that then leads us to Mr. 
Clinton\'s \ntestimony that if you know these things, and these things \nthankfully keep you in business, Mr. Kaminsky, does the panel \nagree--maybe Mr. Kaminsky, you want to expand upon this--but if \nan overwhelming number of the attacks happen in a certain \nprescribed way and that if there are certain steps you can take \nto protect yourself, and I think Mr. Clinton\'s testimony was 80 \nto 90 percent if you follow certain protocols; is this a \nproblem people have, people being sloppy and what we are \nlooking at is we figuring out ways to make them less sloppy?\n    Mr. Clinton, is that a fair summary of at least that \nportion of your testimony?\n    Mr. Clinton. Thank you, Mr. Chairman.\n    In part. I wouldn\'t say that it is necessarily people being \nsloppy, but there is some sloppiness involved. I would go up a \nlevel.\n    First of all, I would never dream of getting into a \ntechnical discussion with my colleague on the right. I will \njust accept everything he says as true.\n    I would operate at a different level. He can tell you in \ngreat detail why a particular attack happened. But once we have \nplugged that hole, the attackers are going to move to another \nhole. So while we can, you know, patch various holes in the \nInternet, they are going to continue to find new holes.\n    What we have to do, in our opinion, is change the system. \nWe have to change the economics of it. The reason we don\'t have \nall of these things patched in the first place is because users \ndon\'t like security. It makes it harder to use, costs money; \nbusinesses the don\'t like it. What we have to do is change the \nsystem, so that instead of people trying to view cybersecurity \nas a cost center or a bother, they have got to view it as \nsomething they want to do so that we can change the economic \ndynamics of it. 
And that is what we are arguing for.\n    So it is certainly true that if we had the right \nincentives, people could fairly, quickly, and easily, according \nto the research and the CIA, could reasonably mitigate enormous \npercentages. I am not sure if it really is 90 percent, but that \nis what several studies say. If it was 80 percent, it would be \nan enormous advantage. And we would have to do this on a \ncontinuing basis. Once we put up a system of--once we \nimplemented all the best practices that the Verizon study \nsuggests and we were able to stop this 80 percent, we would \nhave to continue to work on that system because the attackers \nare going to say, okay, they have plugged all those holes; we \nare going to go after some others. So we have to do this on an \nongoing basis, so the system has to continually grow because \nthe system continually grows and changes.\n    Mr. Weiner. Doesn\'t this face the conflict, then, that it \nis in Google\'s interest to patch things that attack Google. It \nis in Verizon\'s interest, notwithstanding this industry-wide \nreport, to attack things that attack Verizon?\n    Mr. Clinton. Right.\n    Mr. Weiner. Where does the system-added conversation \nhappen?\n    Mr. Nojeim raises concerns about we the government entering \ninto that field, but where should that conversation happen \nwhere someone is thinking about the system-wide protection? \nWhat is the recommendation of the witnesses on that?\n    Mr. Kaminsky.\n    Mr. Kaminsky. Too much of this discussion happens in the \ncontext of, how can we apply more pressure to people? How can \nwe push them? How can we force them, or at least in the nicest \nway, how can we incentivize them? I don\'t think enough of the \ndiscussion happens around, how can we reduce the cost of \ndelivering a secure solution? Users don\'t like security because \nsecurity is too expensive and too difficult to deploy. 
Some of \nthe most expensive failed information-technology projects in \nthe world, we are talking in the $100 million scale and up, \nhave been in systems that have attempted to do \ncryptographically asserted authentication.\n    A major role that government can play here is in giving all \ncompanies, giving Google, giving Verizon, giving Microsoft, \ngiving us all one shared base that we can start building trust \non. The Department of Commerce is doing an enormous amount of \npainful and thankless work to get DNSSEC to be something that \ncan actually work with a central root of trust. The advantage \nto this is not just that we fix DNS. It is that we take so much \nof security technology, which has been a lot of promise and not \nas much user-opting-in as we might like, to make this stuff \ninexpensive enough so that it is actually something that can be \ndeployed. People want security, but they want their systems to \nwork after, and they don\'t want their costs to explode. DNSSEC \ncan help that.\n    Mr. Clinton. If I could just quickly, Mr. Chairman. And I \nwould agree with what he said, but to get to your broader issue \nof, how do we get everybody to do this, it is because everybody \nhas got to see some sort of benefit to doing it. I mean, the \nproblem that we have is, this is a joint system, and the \nvulnerability is distributed. And they may be trying to get \nto--China, for example, may be trying to get to the Pentagon. \nThey don\'t attack the Pentagon directly. They don\'t even attack \nRaytheon, that is linked to the Pentagon. They attack \nRaytheon\'s subcontractor, and by getting to Raytheon\'s \nsubcontractor, they get to Raytheon, and through that they get \nto--so we have to get out to that subcontractor. And the \nsubcontractor in the current system says, well--the Pentagon \nsays, we will give a contract to Raytheon, and they will \nenhance their security, which they do. They have very good \nsecurity. 
And we will tell them to enforce it on the \nsubcontractor. So Raytheon attempts to do that. So the \nsubcontractor says, I am sorry, it is just not worth it for me. \nI don\'t want the business. I mean, this is like 5 percent of my \nbusiness. I am not going to change over my entire information \nsecurity system. They walk away from the business, which is bad \nfrom everybody\'s point of view. What we are advocating is, we \nneed to have an incentive in place, a small business loan, an \ninsurance benefit, something--there are lots of them--so that \nthe subcontractor now wants to keep his or her security \ncompletely up to date. So that we have an incentive for \nRaytheon that is a procurement contract; we have an incentive \nfor the subcontractor, maybe you know, the ability to get an \nSBA loan or a lower insurance rate, and so that everybody has--\nwe need a system-wide set of incentives, and the incentives are \ngoing to be different for different people. This is not a one-\nsize-fits-all world. We have to stop thinking of it that way. \nWe need a network of incentives to address a network security \nissue.\n    Mr. Weiner. It is puzzling, though, it is puzzling though \nthat we need to offer incentives for a government contractor of \nRaytheon to do what is intuitive, which is to not share \nterabytes of information on the Internet with hackers. I am not \nquite sure that the--I mean, it strikes me that this gets back \nto the question and answer; how do you make sure that the silos \nof security extend--I mean are systematic?\n    Mr. Joffe.\n    Mr. Joffe. Thank you, Mr. Chairman.\n    There are a couple of fundamental things to think about \nhere. We talk about incentives. There are some fundamental \nissues. When it comes to incentives, one of the key things that \nI find when I talk to large corporations that have issues is, \nthey say, well, what is in it for me? And that is really the \nthing that should drive the incentives. 
The incentives will be \ndifferent, but as long as you can show someone what is in it \nfor them.\n    One of the problems we have now is that there are--the \nissues could affect so many parts of the world and so many \nparts of the commercial world that people say, why would I step \nup and fix my part of the problem if other people aren\'t fixing \ntheir part of the problem? Someone else will do it. It seems to \nbe a driving theme in most of the meetings I end up having.\n    And until I can point out how it affects someone \nspecifically, they really say, not our problem. People don\'t \nthink about it as being their problem.\n    The second thing is that the bad guys are as good as we \nare. One of the problems that we are facing and doesn\'t seem to \nbe sort of dealt with much is that the people behind most of \nthese attacks are as good as we are if not better. For some \nother reason, it almost seems like the bad guys are us. The \nlevel of sophistication, the things that we see, for example, \nin Conficker using, you know, certainly state-of-the-art and \nbest-of-breed techniques.\n    If I was a university professor, grading something like \nConficker.E, it would have a very, very high grade. They have \ndone everything right. We don\'t seem to be able to do it. Maybe \nit is because you go to the typical large government \ncontractor, and there are 50,000 or 60,000 people who are \ninvolved with software development in some way. It seems to be \nvery difficult for us to be able to control that, and there \ndoesn\'t seem to be enough of an incentive overall for the \ncompanies to take a holistic approach until you see the front \npage of the Wall Street Journal. Then, all of a sudden, \neveryone wakes up.\n    Finally, there are two different ways that this happens. \nOne of the ways--and I don\'t know--obviously, I know nothing \nabout the Joint Strike Fighter issue. 
But in many cases, this \nis determined breaches by humans where someone works away at \nfinding the problem. They have all the time in the world. They \nhave a lot of patience, and they work their way through \nbreaking into a system, including using social engineering. A \nlot of things that have been found have been as a result of \nsocial engineering. The issue with USB drives, for example, \nwhich not only was an issue for the Federal Government but is \nan issue with Conficker. One of the major reinfection vectors \nwe see now is people cleaning their machines off, but before \nthey do that, they copy their key documents onto a USB dongle. \nClean the system, rebuild it, go through all the effort and \nplug the dongle back in, in order to copy their key documents \nacross, and they are getting reinfected. That is what we are \nseeing with Conficker.\n    The first way is human breach. The second way is, a lot of \nthe attacks aren\'t as a result of conscious attacks. You get \nsomething like Conficker or Torpig or one of the large botnets. \nThey go out there and become like vacuum cleaners. They do \ntheir work in an automated process. We don\'t even know in many \ncases how systems got infected because they theoretically \naren\'t connected to the Internet. The mystery behind the \nbotnet, what they are able to do is sit and look at the net \nresult of the vacuum cleaner.\n    If you think about this, there are over 4 million machines \ncurrently infected, we think, with Conficker. We don\'t know \nwhere many of them are. We see a lot of them checking but not \nall of them. If someone behind that botnet wanted to, all they \nwould have to do is perhaps use it as a giant search engine, \nbasically say, show me any document or give me anything that \nhas somewhere on the hard drive the word "nuclear," the word \n"blueprint," the word "trigger"; come back and find it for me. \nAnd all they have to do is sit back and wait. 
And over the \ncourse of a short period of time, those 4 million machines will \nlook at their local drives and because, as we now know, many of \nthem are actually sitting behind corporate firewalls, they will \nthen examine all of the shared drives.\n    They are basically no different than the human sitting \nbehind the computer that is infected. They will look at all the \nshared drives and examine all of the documents looking for that \nword. Very little work. Somewhere or other, out of maybe a \ntoken Congress IP address that maybe is even connected to a \nhome modem, they will find the right set of documents, absorb \nthose, send them back to the miscreant. And before we know it, \nyou have the front page of the Wall Street Journal.\n    Mr. Weiner. Mr. Nojeim.\n    Mr. Nojeim. Just a couple of thoughts on this. One is that \nthe bad guys in the fighter jet incident didn\'t get the best \ninformation. They didn\'t get the most sensitive information. \nThat was on a separate system. And maybe one answer is that, at \nthe time of procurement, the government better describes what \nhas to be on a separate system that is not connected to the \nInternet. Procurement can be a very powerful tool in your war \nchest, if you will, for dealing with this problem.\n    Another thing to think about is that Raytheon is probably \nprotecting its systems in the way that it thinks is most \nappropriate. It has got people whose job is to do that, and \nthey are acting in the way they think is best. 
If the \ngovernment believes that they should be acting in a different \nway, that additional security measures should be in place, then \nit should be up to the government to pay for those additional \nmeasures and the compensation could be through credits, could \nbe through tax credits, or it could also be through a \nprocurement provision so that you get extra money if you take \nextra steps.\n    Raytheon may not have protected that subsidiary in the same \nway that it protected other more sensitive systems. If that \nsubsidiary needs to be protected, then maybe Raytheon doesn\'t \nget the contract. And if it does get the contract, maybe the \ncontract also pays for such protections.\n    Mr. Weiner. Well, let me use that as a jumping-off point to \nsome of the other threats; that some have been realized, some \nhave been unrealized. Can you talk a little bit about the \ndanger of expanding the use of smart metering on our electric \ngrid and the vulnerability that it extends to the notion that \nour electric grid might be vulnerable. Some of our colleagues \non the Energy and Commerce Committee talk about empowering FERC \nto regulate these things further. Let\'s think about, not the \nchallenges of the past, but let\'s think about some of the \nthings that we might be vulnerable to.\n    The electric grid, as I understand it, by and large is not \nsusceptible to a wide-scale attack because it is by and large \nnot attached to the Internet in a large measure. Is it a source \nof concern to any members of the panel that our energy \ninfrastructure might be susceptible to attack?\n    Mr. Kaminsky.\n    Mr. Kaminsky. There is an old joke from the NSA which is \nthat all networks are connected; it is just a matter of how \nfast.\n    The energy industry is, on the one hand, completely \ndifferent than the rest of technology and, on the other hand, \nno different at all. 
The 1990s saw a tremendous increase in our \nuse of personal computing technologies and information \ntechnologies to, quite frankly, make work more efficient. The \nenergy industry has not been immune from that.\n    One of the technologies that we have seen spreading, at \nleast in recent design, has been an ability for the actual \npower meters to communicate with one another, for them to \ncreate a peer-to-peer mesh as one meter speaks to another meter \nspeaks to another meter. This technology is being done by \npeople who, frankly, have not had to deal with the last 10 \nyears of attacks. And on analysis, we have seen these meters \nactually able to be compromised remotely.\n    Where we are today with the energy industry, which is there \nare a lot of information systems, there is a lot of \ncommunication going on, there is a lot of gear that has trouble \ndealing with attackers today, and the only thing preventing \npretty widespread attack is a lack of connectivity. With \nconnectivity growing more and more, that is a temporary solve. \nThe future, the future of widespread meter-to-meter \ncommunication based on the evidence that I have seen thus far \ndoes have me concerned. I would like to see more security for \nthose meters.\n    Mr. Weiner. And are there steps that can be taken? Or is \nthe technology of the smart grid too new to have best practices \nin this field?\n    Mr. Kaminsky. I think we know how to make secure devices. I \ndon\'t think that that is the problem. I think the problem is \nthat the devices, as they have been made, have not been made \nwith that knowledge. So this would be the sort of thing that \ncertification and independent evaluation would improve. We know \nhow to do it. It is just the devices that have been built thus \nfar, when we actually test them, they tend to fall over.\n    Mr. Weiner. Mr. Joffe.\n    Mr. Joffe. Thank you, Mr. 
Chairman.\n    One of the biggest problems that we face is that the \nInternet was never designed to do the things that it is doing \ntoday. There are control systems. There are systems that were \nnever designed to be on the open Internet. But the open \nInternet, one of the great values is the fact that it allows \nyou to communicate fairly cheaply and fairly easily with other \ncomputing devices.\n    Traditionally we used point-to-point connections. There are \nhome-monitoring devices for people who have medical conditions \nthat traditionally made use of a dial-up line and a dial-up \nmodem to communicate that to a doctor\'s office or a hospital. \nAnd people realized very rapidly that if you made use of the \nInternet, the existing cable connection or DSL connection, you \ncould have much faster, much more reliable connectivity. So the \ndevices were moved on to the open Internet without \nunderstanding from a design point of view that, at that point, \nthe security requirements were different.\n    The same thing is happening in the power industry. The \npower industry devices are being developed by not necessarily \npeople who are in the power industry but people who are in the \ncomputing industry. So they develop devices and the device is \nthen used by the power industry who are used to a closed \nnetwork. But by its very nature, those home devices, the smart \nmeters are going to have to rely on the open Internet. If they \nmade use of the technology that the power industry was used to, \nwhich was point-to-point secured connections, or in fact the \nsame techniques that existed in the phone industry, there \nwouldn\'t be an issue. But there is a disconnect between them. \nPerhaps it is an educational issue where you have the wrong \ngroups of people getting the right training.\n    As Dan had mentioned over there, we certainly know that \nsecurity is an issue. 
But the people that build the devices, \nwhen they first design them, don\'t think about security first; \nthey think about functionality first. And security is an \nafterthought, and it really shouldn\'t be. It should be embedded \nin the system.\n    Mr. Weiner. Mr. Clinton.\n    Mr. Clinton. I agree with Mr. Kaminsky and Mr. Joffe both \nwith regard to the fact that we can build more secure devices, \nthey will be more expensive. But the point I want to add is we \nalso have to operate these systems better.\n    The single biggest vulnerability that we have is not \ntechnical at all, it is the insider threat. Depending on which \nstudy you read, a third to half of the problems that we have \nare from people on the inside. These are people with keys to \nthe technology. You can have the best technology in the world \nand the best security in the world, but if you just fired your \nIT guy, and he has put in a back door and he wants to come into \nyour system, he will do it. That is 30 to 50 percent of the \nproblems.\n    So we not only need to have good technology, we need to \nhave incentives for people to use the technology. Again, this \nis a systemwide problem. It involves technology and human \nresources. It involves the economy and legal compliance. It \ninvolves a variety of things. It is not going to be fixed when \nsomebody comes up with a new device.\n    Mr. Weiner. I want to talk about a couple more emerging \nthreats, but before we do, I think we should touch on Conficker \nand what the state of play today is. It is exactly 1 month from \nApril 1st, the day Conficker was supposed to bite. There have \nbeen some things that have happened since then.\n    Who would be best to tell us what is the state of play with \nConficker right now, whether it is still something people \nshould be concerned about; and more troubling to a layman like \nmyself, why is it that we literally have the code right there \nin front of us and it is such a vexing issue? 
What does it say? \nWhat is it doing? It seems to me there has to be at least \nsomeone who can read it, who is at least as smart as the guy \nwho wrote it and say this thing is going to turn all microwaves \non.\n    Mr. Kaminsky, can you give us as best you can in English \nlanguage, and I know how difficult it is when you are dealing \nwith these technical matters, where does it stand? Are we going \nto get up to Conficker.P? Tell us whether we are learning \nanything. Just give us an update on where we are with that.\n    Mr. Kaminsky. Not a problem.\n    So it used to be that if someone wrote malicious software, \nthey wrote it, it was out there. You could analyze it and tear \nit apart and figure out exactly what it is and what it is going \nto do. That is how things used to be.\n    The new generation of attacks are not about it does what it \ndoes, and it can\'t do anything more. The new generation of \nattacks, as Mr. Joffe said, are all very much about go back to \nthe attacker and find out what would you like? Would you like \nme to search for documents? Would you like me to search for \nupdates? Would you like me to do anything you can possibly \nimagine?\n    That is what has made things difficult. Conficker is quite \npossibly the single most analyzed piece of software in the last \n10 years; but we can\'t tell you everything it is going to do \nbecause we don\'t know because the attackers have not issued the \ncommands or have not released the actual software in a general \nsense. It always goes and retrieves updates.\n    What made Conficker special, and what continues to make it \nspecial, is that it is actively being maintained and actively \ndefending against the security community\'s effort. That does \nnot mean that the security community has been lost and unable \nto do anything about it. We have had entire months of \nrestricting Conficker\'s ability to update itself and manage \nitself. 
Through the public-private partnership of the Conficker \nWorking Group, Conficker.B\'s entire update strategy was pretty \ntightly constrained. That is what ended up leading to their \nneed to do an April 1 date. On April 1 they moved from the \ndefenses that were successful in February and March to what we \nwere unable to defend against in April. Technical terms: They \nmoved from using 250 domain names a day, which we could \nregister, to 50,000 domain names a day, which would be too \ndifficult to block.\n    The state of play as it is today is we have very, very good \ntools for quickly scanning networks, identifying where \nConficker is so that it can be quickly cleaned.\n    In order to actually get rid of Conficker, it was never, at \nleast in my perspective, about how do we pressure people into \ndoing it, because pressure will only go so far. It was how do \nwe make it less expensive, less difficult, less time-intensive \nto actually find this on networks.\n    Since a little bit before April 1, we have had fantastic \ntools for sweeping networks to find this. Now it just is a \nmatter of people running those tools and cleaning it off their \nnetworks. There are still a few million nodes, but it is going \ndown every day.\n    Mr. Weiner. You said that Conficker had the ability to go \nfrom 250 to 50,000 with an order. Can it keep ahead of you, or \nare you closing more doors than it is opening as it goes day by \nday?\n    Mr. Kaminsky. I will yield time to Mr. Joffe in a second, \nbut I will say that I don\'t think that we will be able to stop \nthe Conficker authors from sending updates. I do, however, \nthink we will always be able to detect the Conficker-infected \nhosts. The Conficker authors are doing a lot to try to defend \nthemselves from being found and caught.\n    The place where I think we have a sustainable advantage is \nit appears no matter what they do, we can always find them so \nwe can determine we need to clear them.\n    Mr. 
Weiner. Let me ask you this: This being the new state \nof the art in these things, are other hackers and other \ntroublemakers able to look at the Conficker virus and say, huh, \nthat is a cool way or a vexing way or a troublesome way for us \nto do our business in the future? Is there now out in the world \nthis new model which is going to mean that the cat and mouse \ngame is going to extend to other hackers who are going to use \nthe same device?\n    Mr. Kaminsky. Honestly, I think that is a fair statement of \nthe situation. One person has gone ahead and taken a lot of the \nworst practices, as opposed to best practices. Someone has \nactually demonstrated the worst practices for how you make \nsomething that doesn\'t just compromise a network today, but has \na sustainable advantage, an update advantage. So I do think \nthat we will see more things of that type.\n    Mr. Joffe. Mr. Chairman, there is an interesting thing to \nnote about Conficker and April 1. Most of the press saw April 1 \nas the day when Conficker would suddenly erupt. It was going to \nbe like Y2K.\n    We knew already that we had been able to disassemble a fair \namount of the software. We knew that April 1 represented one \nthing only, which was a change in the mechanism that Conficker \nwas going to make use of.\n    Up until then, as Mr. Kaminsky mentioned, we had been able \nto control, or we thought we had been able to control, the \nspread of it. They changed the mechanism on April 1. But on \nApril 7 and April 8, as you pointed out, it went to \nConficker.E. Conficker.E did two things. The first thing it did \nwas it updated Conficker.D to a new mechanism for both \nspreading and communicating.\n    The second thing that it did was it enabled the download of \nanother piece of software called Waledac, which is another form \nof malicious software. It enabled the downloading and \ninstallation of that, with some very interesting pieces to it. 
\nWe don\'t know if the authors of Waledac are the same as the \nauthors of Conficker, but it is very clear these are \nbusinessmen.\n    What Conficker seems to have done is downloaded Waledac, \nbut done it for 2 weeks only. It is a very interesting process. \nIt is almost as if the authors of Conficker rented the use of \nConficker to the authors of Waledac to download Waledac, and \nafter 2 weeks to delete it.\n    What we have been able to see from disassembling some of \nit, I think it is on May 3 or May 5, any installations of \nWaledac done by Conficker will be deleted. These people are \nvery, very smart.\n    One of the things you asked: Don\'t we know who is behind \nit? Can\'t we interrupt it? The cryptography that is used in \nauthenticating between the controller and these machines is so \nsophisticated; in fact, it didn\'t exist in the public. The \nparticular thing that they are using, which is something called \nMD6, was actually submitted for the NIST competition for the \nnew cryptography that will be sort of authorized for the \ngovernment networks in 2013. They had used this 5 weeks after \nthe submission from Ron Rivest. They had this in place and were \nusing it. It uses a level of cryptography that, as far as we \nknow in the private world, there aren\'t enough computing cycles \nto be able to crack that in any way. It is being used to \nauthenticate the updates.\n    So we can see the software, and we know the machines are \ninfected. We can disinfect machines with a lot of effort. But \nwhat we cannot do is something people have asked: Isn\'t it \nsimple to just act as if you are the controller and tell the \nworm to disable itself? The worm doesn\'t listen to us because \nwe don\'t have the right signature. We don\'t have that crypto \ncapability. They are doing a much better job with cryptography \nthan we are.\n    Mr. Weiner. 
This is detective work, but is one of the \nemerging theories that what Conficker is is a delivery device \nfor or a distribution device for other spammers or hackers or \nmalware delivery? Like we will rent it to you. This is a great \nmoving vehicle. For 2 weeks we will let you use it, and we are \ngoing to rent it to someone else for the next 2 weeks, and this \nis just the way that it gets around.\n    Mr. Kaminsky. It is all about monetization. It is about \nwhat can they do to make money from their millions and millions \nof infected nodes. In this case, they have made money by \nrenting it to other people who have their own strategies.\n    The one thing I would really like the committee to be aware \nof is there is no reason what Conficker does to one company is \nthe same thing that it does to another company. There is no \nreason what Conficker does to one computer is going to be the \nsame as what it does to another.\n    Mr. Weiner. It is an operating system?\n    Mr. Kaminsky. It pretty much is. It is a remote-control \nmechanism, and you can make an individual host--one host do one \nthing and another do another. If that is the best way you can \nmake money, go right ahead.\n    Mr. Weiner. I want to touch on one or two more potential \nhorrors of the future, if not the present. One is the \nproliferation of mobile computing devices, cellular devices and \nwireless devices. Is there a reason why we haven\'t seen--and \nmaybe we have, but not in the same highly publicized way--the \nwide-scale hacking of those devices? More computing is now \ngoing there. More communications are now going to handheld \ndevices. Is this the next frontier of cyberwarfare? Have the \ncybersecurity threats already begun there? Are there reasons \nwhy it is less able to do because the technology is not as \nsophisticated as the network? Tell me if there is reason to \nbelieve that could be a vulnerability of the future.\n    Mr. Kaminsky. 
Mobile phones have become operating systems. \nThey are quite a bit more complex than the computers we were \nusing back in the 1990s.\n    The reason we have not seen attacks against them in \nsignificant count thus far is not because they are more secure. \nAny engineer who has actually taken a look I do not want to say \nhas run away screaming, but has certainly found themselves \nconcerned.\n    The bad guys figure things out, but not immediately. We are \nbasically enjoying something of a time lag in between when \nthere is awareness of being a problem and when the hackers have \nbuilt up the expertise to be able to exploit it. This will \nchange over the years, mainly because at the end of the day, \nall of the things that we have managed to really clean up in \noperating systems and really fix up there, not all of them have \nmade it into the mobile phones at this time. That is just the \nreality of things.\n    Mr. Weiner. Mr. Clinton, do you see the sense of the \ninfrastructure limitations and the infrastructure \nvulnerabilities have been addressed? And I guess one reason it \nwould be easier to protect is there is a finite number of \nwireless carriers with a finite number of technological pinch \npoints.\n    Does it seem like the industry on the wireless side has \ntaken these best practices and have done what you described as \nthe need that 80 or 90 percent of the attacks can be protected \nif you make best practices?\n    Mr. Clinton. I really don\'t know if I can say that about \nthe wireless industry; although generally, the major carriers \ndo a pretty good job.\n    The core problem, though, as I understand it, not to delve \ntoo much in areas that Mr. Joffe and Mr. Kaminsky can answer \nbetter, the Internet is really inherently insecure. The core \nprotocols that the Internet was built on were built 35 years \nago. Nobody was thinking about security. 
They are pretty much \ncompletely insecure at their core, which is why we have a patch \nsystem to solve these problems. As long as we are using these \ncore protocols, which are basically the same protocols we are \nusing on the mobile systems now, they are going to be insecure, \ntoo.\n    The only thing that I would add here is, I think we need to \nbe careful by focusing just on kind of the high-profile issues \nlike Conficker. I mean, I do a lot of speeches on this and \nsometimes go out and people say, I used to hear a lot about \nwhat you do. There was the Love Bug and Blaster; I don\'t hear \nabout those things, Conficker notwithstanding. I guess you guys \nsolved that.\n    Of course, that is not the case at all. We have simply \nmoved largely from an era--an era, 5, 10 years ago--5 years \nago, where the hackers were focused on large-scale public \ndemonstrations of their ability, to an era where we are really \nfocused on designer malware, and the goal is not to show what \nyou can do, it is to steal money.\n    So we are really not sure how much stuff is out there. A \nlot of the problem with extortion is people are simply buying \nsilence.\n    I would caution against just thinking, if we can solve \nConficker kinds of things, we have solved this. I think it is \nharder than that.\n    Mr. Kaminsky. I wanted to clarify. There is at least one \nmobile platform which has been paranoid for years and years, \nand I can say this because I know the years. The BlackBerry \nResearch in Motion guys have worked for as long as I have known \nthem to build a secure mobile platform. At least in that case, \nI can say people have looked at it, and their stuff is pretty \ngood.\n    In fact, a lot of people kind of shrugged their shoulders \nat the "ObamaBerry" controversy. It is not like President Obama \nis the first person to ever be putting sensitive information \ninto their BlackBerry.\n    Mr. Weiner. Mr. 
Kaminsky, you don\'t do any consulting work \nfor BlackBerry, do you?\n    Mr. Kaminsky. No.\n    Mr. Weiner. I just wanted to make sure that I didn\'t get \nsome Apple lobbyist complaining or anything.\n    Mr. Joffe.\n    Mr. Joffe. One thing to remember is that mobile devices \nused to be telephones, but they are now becoming much more of a \ncomputing platform. We go after Microsoft a lot in terms of \ntheir operating system. That is not necessarily where the \nproblem is. It is the applications that people download and use \non those devices.\n    We are beginning to see a move towards mobile payments, for \nexample. One of the things that you have to be very careful \nabout is when we look at the mobile payment applications, they \nsit on top of the operating system, on top of the phone. They \nhave to be looked at on their own because you can have the most \nsecure platform you want. If you have an application that \nenables problems, it doesn\'t matter how good the operating \nsystem, the application itself would be insecure. That is where \nthe problems, most of the problems that we have seen today, are \ncoming from.\n    Don\'t think of it as a wireless device. It is nothing more \nthan an existing computer, and it is just as vulnerable and has \nto be looked at very carefully in the same way we do on regular \ncomputing devices.\n    Mr. Weiner. Finally, on the challenges that we face, how do \nwe know that a router manufactured in China doesn\'t have some \nlistening ability built into it for Chinese Government \nofficials? Or some computer chip that is made doesn\'t have a \ncircuit switch that permits anything on that computer to be, \nwith the right command, listened to or going to the right \nWebsite? How do we know that hacking in is not the issue, that \nbuilding in might not be the issue?\n    Mr. Clinton, you are nodding the most, so why don\'t you \nstart.\n    Mr. Clinton. We are very concerned with this problem. 
My \norganization started 3 years ago in conjunction with our \npartners, Carnegie Mellon, to take a look at exactly this \nproblem. And basically, to put it in short form, I think we \nhave come to the opinion that we need to learn how to build \nsecure systems, understanding that some of the parts may be \ninsecure.\n    We do think, and we have amended our statement, a fairly \nextensive additional piece of work that we did with Carnegie \nMellon and Scott Borg at the Cyber Consequences Unit to move \ntowards developing a framework so that we can put in an \nextended system of protections so that we can secure the IT \nsupply chain, which is inherently globalized, is going to stay \ninherently globalized, and is going to be built in part by \npeople who we don\'t know. They don\'t have a Social Security \nsystem in India. But we can put in, we think, by using a fairly \nsystemic framework that we have tried to begin the articulation \nfrom in some of our additional comments, which we also supplied \nto Ms. Hathaway, a system where we can again change the \neconomics so that we can make it in our best interest and our \nsuppliers\' best interest to understand that it is in their best \ninterest to keep these systems truly supplied in a secure \nfashion, rather than allow them to be counterfeited or in some \nway hurt.\n    The one thing that I would say in addition to this is that \nwe try to take a risk-management approach to this. So while we \nare very secure, we are very worried about the supply chain. \nThis is a problem that is generally not a big problem, we \nthink, for industry. The reason is it is usually easier and \nless costly if you are going to attack Bank of America to \nattack it through software or one of these traditional hacks. 
\nIt is much harder and more difficult to do it through a supply-\nchain attack by putting something in the computer.\n    However, from the government\'s perspective, this is an \nextremely serious problem, because if a weapons system could be \ninfected through a manufactured attack, you can\'t detect it. \nYou don\'t get rid of it when the software is there. And the \nchances--it is absolutely possible to put in a back door or a \nTrojan horse, a logic bomb that will stay there and not be \nactivated until we launch a weapons system, and then the \nweapons system could either not work or turn around and go \nagainst us. So it is a very serious problem.\n    And if you are a nation state, and you are thinking of \nweapons of mass destruction, then a supply-chain attack could \nbecome very attractive to you, much more attractive to you than \nif you are just trying to steal credit card information.\n    Mr. Weiner. Let me pick up on something you said. It is \neasier not to do it on the supply chain. If you are a nation, \nif you are China, and you have a lot of manufacturing going on \nwithin your boundaries, and you have the ability to manipulate \nbranch managers, could it also be a source for our \ncounterefforts? One thing that we have that the rest of the \nworld envies, we have the technological expertise, and we have \na lot of the companies that manufacture these parts are within \nour walls. A lot of the chip manufacturers are U.S.-based \ncompanies. Why couldn\'t we install things on these chips to \nmake them--if we want to throw a switch, as we tiptoe into Mr. \nNojeim\'s area of expertise, why don\'t we install a switch that \ngoes into these routers that lets us shut them down if they \nfall into the hands of Iran or a foreign power? I mean, it \nseems to me that it might actually be in the interest of the \nChinese to be doing it to us and the interest of us to be doing \nit to the Chinese, no?\n    Mr. Clinton. 
On the weapons system, I think this is a big \nproblem. In terms of the economic sort of stuff that we have \nbeen discussing here, the personal identifiable information \nsort of thing, one of the things that is a good thing about the \nglobalized economy is that it is, frankly, not in China\'s \ninterest to have lack of confidence on the Internet or to \nundermine the American economy. They are big investors in the \nAmerican economy, so it is probably not so much in their \ninterest to do that.\n    But if you think of it in a military sense, I would not be \nshocked to hear that we have people who are thinking about \ndoing it offensively from our point of view. And certainly the \nexpectation is that some of our opponents are thinking about \ndoing it from their point of view, and that is why this kind of \nframework that we have suggested in our written testimony needs \nto be developed a lot more.\n    Mr. Weiner. Mr. Kaminsky, if I were to manufacture a router \nthat had a piece of code or something built into it, and you \nhad enough time to look at it, could you find it?\n    Mr. Kaminsky. It would be difficult. The reality is attacks \nat the level where the actual hardware has been corrupted in \nthe first place are very, very difficult to find. The \nresearchers that Mr. Clinton spoke about at Carnegie Mellon \nUniversity have done some preliminary work in attempting to \ndetect these actual back doors, but at the level where it is \nbaked into the circuitry, it is actually very difficult to \nfind.\n    What is not difficult, however, is if you are the one doing \nthe baking, you can pretty much make hardware that no matter \nwhat software is run on top, you can ultimately get an exploit \ninto that operating system. 
So whatever operating system, \nwhatever software, if you control the underlying hardware, you \ncontrol the underlying logic, you can make a back door, and you \nwill control that system.\n    Although it is true that we have a lot of very creative \ncompanies in the United States, the reality is a lot of the \ndevelopment of both hardware and indeed secure software happens \noutside the United States: China, India, Taiwan and so on. That \nis just the reality of the market as it is today.\n    Mr. Weiner. That sounds like a pretty frightening \nconclusion, so let\'s start to end the conversation today \ntalking about the conflict that is going on now within the \nObama administration about who should be in charge of this and \nwhat they should do.\n    It seems to me, Mr. Nojeim, that there does seem to be \nsufficient risk that we do want to give the tools to government \nto be able to--if the risk grows too big too fast to critical \ninfrastructure, to our country, to a weapons system that might \nbe used against us, there needs to be some check on the basic \nethos of the Internet being a completely democratized, fairly \nloose-knit organization. Some have taken that argument to the \nextension of saying, all right, the supervisory/governing \nagency that should be at the top of the organizational chart of \ncybersecurity should be an intelligence or defense agency. What \ndo you say?\n    Mr. Nojeim. We don\'t think that is the right approach, and \nthere are a few reasons for that. And the Agency we are talking \nabout is the National Security Agency, for the most part.\n    NSA has a role, I think, in protecting classified \ngovernment systems, military systems. But it is not necessarily \nthe case, and it probably isn\'t the case, that the NSA would be \nthe best entity to protect a private system that is not in the \nclassified realm, it is not in the defense realm.\n    Let me illustrate it this way. If I am Mr. 
Kaminsky, and I \nam working for Microsoft, I might know my systems better than \nanyone else would know them. The fact that the NSA has \nexperience in penetrating other systems of foreign countries \nabroad doesn\'t necessarily make it the best entity to protect \nsystems. Also, the NSA, it wears two hats. Those different \nroles tug in opposite directions in the cybersecurity area.\n    One, it is charged with breaking the codes of foreign \ngovernments and penetrating their systems, finding \nvulnerabilities. But if it was given a lead role in \ncybersecurity over private systems, that role would conflict \nwith the need to patch up systems that are being used in the \nUnited States. Sometimes it is exactly the same system.\n    So if NSA finds a vulnerability abroad--\n    Mr. Weiner. Meaning that you wouldn\'t want to tip off a \nforeign power that you have spotted this weakness because it \nmight exist in our own?\n    Mr. Nojeim. Because they wear these two hats of finding the \nvulnerabilities, and then wanting to plug vulnerabilities in \nthe same software that is on our systems, I think that is a \nvery difficult thing for them to handle, and it probably makes \nthem an inappropriate leader.\n    I should add that the head of the NSA at the RSA conference \njust a couple of weeks ago said, we don\'t want this lead role. \nWe don\'t want to be doing that.\n    Mr. Weiner. I think there was some element of kabuki dance \ngoing on there.\n    I think we now understand that one of the reasons that this \n60-day review has dragged on, and I don\'t think there has been \nan appointment of a chief technology officer, one of the \nreasons is that they are legitimately hung up on this. Any \nadvice? Is there a need to have all of these disparate agencies \nthat deal with cybersecurity? Is there a need to have them \nunder one umbrella? 
There does seem to be consensus among folks \nwho have looked at this that there is too much interagency back \nand forth, elbow throwing, and planning on who is responsible \nfor what that doesn\'t lend itself well to a true emergency \nresponse.\n    Do you have any advice to offer the President, Mr. Clinton?\n    Mr. Clinton. First of all, we generally stay away from this \nbecause, being a private-sector organization, we are always \ntelling government, don\'t micromanage us. So we generally try \nto stay away from offering advice.\n    One of my board members would answer this metaphorically by \nsaying if the cybersystem were a soldier on the battlefield \nwith an open wound, and the Intelligence Community were the \ndoctor, the Intelligence Community\'s approach to that would be \nto look into that wound and say, my, isn\'t that interesting, as \nopposed to, fix it. And we need people who are going to fix it, \nnot try to exploit the vulnerability.\n    The one piece of advice that we would offer to the \nadministration is regardless of whether you locate this person \nat the Department of Commerce, such as the Senate bill would \nsuggest, or DHS, where it is supposedly now, or NSA, the \nimportant thing is not where it sits, but that you do have an \nindividual or an organization, it could be a group of \nindividuals, who have actual control from the government\'s \nperspective. That individual needs to have budgetary authority \nand the ability to oversee the other organizations. It can\'t be \njust kind of a figurehead position.\n    So it is less important to us where that person sits, \nalthough we tend to think it should be somewhere within the \nWhite House structure, but that person actually have the \nability to do the coordination. 
And we also think that \ngovernment\'s first role here is to get government\'s house in \norder rather than try to figure out how they are going to deal \nwith the private sector, which is why I think the model we have \nsuggested, which is a collaborative model, is something that we \nwould ask the committee to take a look at.\n    Mr. Kaminsky. There is a scenario that I think has been \nuseful for explaining to people just the scale of problem that \nwe have.\n    Consider a situation where a major top 10 Website is broken \ninto, not directly but through their ad network. The \nadvertising network is made to deliver an exploit for the Adobe \nAcrobat document software. The documents are loaded. They cause \ncode execution on anyone who goes to that Web page. The code \nloads up a botnet. That botnet is used to do two things. First, \nit sends banking credentials from the infected host to the \nattacker. Second, it floods various Websites on the Internet \nwith malicious traffic in a desire to force an extortionary \nattempt to be successful.\n    Whose fault is this? Is this the fault of the top 10 \nWebsite? Is it the fault of the ad network? Is it the fault of \nAdobe? Or is it the fault of Microsoft for writing the \noperating system, or the user for using the operating system? \nIs it the fault of the bank for having credentials at all? Is \nit the fault of the people who pay extortionary prices?\n    The fault is the bad guy. The bad guy caused this, and \neverybody else has a natural alliance against that bad guy.\n    The problems that we are trying to solve are smeared across \ncompany boundaries, individual boundaries; and, indeed, are \nsmeared across the public-private boundary. I agree with what \nhas been said earlier. 
I don\'t think that I am qualified to \nknow who or where there should be authority, but there actually \ndoes need to be a coordinating authority across all of these \ndisparate actors to guide the public-private partnership \ntowards actually fixing the scale of problems that we face \ntoday.\n    Mr. Weiner. Mr. Joffe.\n    Mr. Joffe. Thank you, Mr. Chairman.\n    From my point of view, I, like Dan, come from the geek side \nof the house, and we don\'t play in politics and are down in the \ntrenches. The only way we are going to solve this is by, first \nof all, acknowledging there is an issue, which is exactly what \nthe White House has done with the 60-day review process, the \nother hearings that have been heard on the Hill, and this \nhearing. The fact that we are having this kind of hearing, this \nis remarkable to us in the technical world. Eight, nine years \nago, none of us would have been seen up here unless we were \ninvolved in something else. So it is really important that \nthere are hearings and we acknowledge there is a problem, and \nacknowledge that every one of us has a part to play in it: \nprivate industry, the government.\n    At the end of the day, someone has to make a decision when \nthere is a problem. But what we really have to do is make sure \nthat we get together and talk about the problems and recognize \nthem. As Dan said, we are all united against an enemy. The \nenemy may not be the bad guy who is trying to steal \ncredentials. Nation states also represent problems for us. \nNation state threats are just as large and just as damaging, if \nnot more damaging. There are some organizations that don\'t care \nabout the financial impact or being able to download plans for \nthe Joint Strike Fighter; they want to seek the complete \noverthrow and maybe the complete destruction of the United \nStates. 
And that matters as well.\n    We have to all work together with all of the stakeholders, \nfolks on the technical side, folks on the policy side, people \non the business side, to try and be able to recognize the \nproblems, be able to find solutions, fund the solutions and \nbuild the solutions. As long as we are doing that, I think on \nthe technical side we are happy. Who runs it doesn\'t really \nmatter as long as it works. If it doesn\'t work, I am sure in a \ncouple of years\' time, there will be a new leader.\n    Mr. Weiner. Mr. Nojeim, it does matter, doesn\'t it?\n    Mr. Nojeim. I think it does ultimately, because where the \nwork is located will have an impact on industry participation. \nAnd from our perspective, from what we have seen talking to key \nplayers in the industry is that one of the things that concerns \nthem is that the program hasn\'t been transparent enough. If \nthey share information, they don\'t know how it will be used and \nwhere it goes next. So there is this natural tendency to hold \nback and to think about what happens next.\n    Where the program is located, where the operations are \nlocated impacts on transparency. And so far transparency has \nbeen lacking.\n    From our view, our perspective, it makes sense to have a \ncoordinating body at the White House to do some policy work, to \nset budgets and do that kind of high-level thinking about this. \nBut operations, they need to be at a lower level, I think. And \nDHS is a natural place for a lot of this work.\n    Mr. Weiner. Perhaps. I think there is the concern that this \nis generally part of a larger conversation about how you foster \nall that comes from the Internet, good and bad; how you make \nsure. As I said in my opening remarks, we have resisted the \ntemptation to be heavy-handed plenty of times before. 
As the \nInternet emerged, and there were dirty pictures and hateful \nspeech, these other types of things, sometimes we have gotten \nit right, and I think we got it wrong with gambling. I think to \nsome degree we lurch back and forth, but we have basically \ndefaulted to a position where we have tried to keep our hands \noff to the greatest extent possible.\n    I think the vulnerability is that you want to keep hands \noff, and you don\'t want to create a situation where you give \ntoo much authority to an agency that is used to collecting \ninformation and not used to disseminating it, but you want to \nhave a situation where we acknowledge that this does represent \na bona fide national security threat. To whom do you give the \nauthority to do what? Do you give the President the authority \nto have an on/off switch?\n    You referred to this in your testimony.\n    Do you give the President or the NSA or the Commerce \nDepartment the authority to go ahead and start experimenting \nwith a second tier of the Internet? These are things that we \nare going to use to plug in important things like the electric \ngrid or our military secrets or the like.\n    I think one of the things that you four gentlemen have been \nhelpful in shedding light on is that we really are going to \nhave more of these headlines. We do need to be cautious. We go \nthrough our cycles in American civic life where we see a couple \npeople bitten by sharks, and suddenly there is an explosion of \nshark bites going on. There have been tens of thousands of \nattacks that go on. Recently the New York City Police \nDepartment said that they get attacked about 70,000 times a \nday. And we have to make sure that we don\'t allow the tail to \nwag the dog here. We want to be thoughtful about it. 
I think \nyour testimony has been instructive.\n    Also, I think it is pretty clear, whether it be the \nCommerce Department or some role for the FCC, we here on the \nCommerce Committee are committed and frankly have a history of \ndealing with these issues, looking at not only the security \nside, but the commerce side and the energy side. If you look at \nthe things that we have talked about today, the Internet \nitself, interstate commerce, energy issues, commerce issues and \nthe like, I think that this is probably going to be the \ncommittee where a lot of these things are going to get \ndiscussed even further.\n    Before I recess, I just want to offer some thanks to people \nwho have helped in addition to those of you who have testified. \nThe record will remain open. If there is anything you would \nlike to submit in written form, any questions and answers you \nwould like to submit for the record, we will certainly be happy \nto take it.\n    I just want to thank Tiffany Guarascio of my staff; Amy \nLevine, Tim Powderly, Roger Sherman and Greg Guice of the \ncommittee staff; our friends on the Minority side; and all of \nmy colleagues, as well as the Chairman Mr. Boucher, who has \nbeen very active and involved on many of these issues.\n    I thank you all for your testimony. This adjourns the \nhearing.\n    [Whereupon, at 2:41 p.m., the subcommittee was adjourned.]\n</pre></body></html>\n'
