b"<html>\n<title> - CYBER SECURITY</title>\n<body><pre>[Senate Hearing 111-724]\n[From the U.S. Government Publishing Office]\n\n\n                                                        S. Hrg. 111-724\n \n                          CYBER SECURITY--2009 \n\n=======================================================================\n\n                                HEARINGS\n\n                               before the\n\n                              COMMITTEE ON\n               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n\n                                 of the\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             APRIL 28, 2009\n\n             CYBER SECURITY: DEVELOPING A NATIONAL STRATEGY\n\n                               __________\n\n                           SEPTEMBER 14, 2009\n\n      CYBER SECURITY: PROTECTING INDUSTRY AGAINST GROWING THREATS\n\n                               __________\n\n       Available via http://www.gpoaccess.gov/congress/index.html\n\n                       Printed for the use of the\n        Committee on Homeland Security and Governmental Affairs\n\n                               ----------\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n51-019 PDF                       WASHINGTON : 2010 \n\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \nDC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \nWashington, DC 20402-0001 \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine\nDANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma\nTHOMAS R. 
CARPER, Delaware           JOHN McCAIN, Arizona\nMARK PRYOR, Arkansas                 GEORGE V. VOINOVICH, Ohio\nMARY L. LANDRIEU, Louisiana          JOHN ENSIGN, Nevada\nCLAIRE McCASKILL, Missouri           LINDSEY GRAHAM, South Carolina\nJON TESTER, Montana                  ROBERT F. BENNETT, Utah\nROLAND W. BURRIS, Illinois\nMICHAEL F. BENNET, Colorado\n\n                  Michael L. Alexander, Staff Director\n            Deborah p. Parkinson, Professional Staff Member\n              Adam R. Sedgewick, Professional Staff Member\n     Brandon L. Milhorn, Minority Staff Director and Chief Counsel\n                Asha a. Mathew, Minority Senior Counsel\n                    John K. Grant, Minority Counsel\n                  Trina Driessnack Tyrer, Chief Clerk\n         Patricia R. Hogan, Publications Clerk and GPO Detailee\n                    Laura W. Kilbride, Hearing Clerk\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Lieberman............................................ 1, 35\n    Senator Collins.............................................. 3, 37\n    Senator Landrieu.............................................    21\n    Senator Burris...............................................    24\n    Senator Carper...............................................    27\nPrepared statements:\n    Senator Lieberman...........................................71, 148\n    Senator Collins.............................................73, 151\n\n                               WITNESSES\n                        Thursday, April 28, 2009\n\nHon. Stewart A. Baker, Former Assistant Secretary of Homeland \n  Security.......................................................     5\nJames A. 
Lewis, Director and Senior Fellow, Technology and Public \n  Policy Program, Center for Strategic and International Studies.     7\nAlan Paller, Director of Research, SANS Institute................    10\nTom Kellermann, Vice President of Security Awareness, Core \n  Security Technologies..........................................    14\n\n                       Monday, September 14, 2009\n\nRobert O. Carr, Chairman and Chief Executive Officer, Heartland \n  Payment Systems, Inc...........................................    39\nWilliam B. Nelson, President and Chief Executive Officer, \n  Financial Services Information Sharing and Analysis Center.....    42\nMichael P. Merritt, Assistant Director, Office of Investigations, \n  U.S. Secret Service, U.S. Department of Homeland Security......    47\nPhilip R. Reitinger, Deputy Under Secretary, National Protection \n  and Programs Directorate, U.S. Department of Homeland Security.    50\n\n                     Alphabetical List of Witnesses\n\nBaker, Hon. Stewart A.:\n    Testimony....................................................     5\n    Prepared statement...........................................    75\nCarr, Robert O.:\n    Testimony....................................................    39\n    Prepared statement...........................................   153\nKellermann, Tom:\n    Testimony....................................................    14\n    Prepared statement...........................................   100\nLewis, James A.:\n    Testimony....................................................     7\n    Prepared statement...........................................    86\nMerritt, Michael P.:\n    Testimony....................................................    47\n    Prepared statement...........................................   174\nNelson, William B.:\n    Testimony....................................................    42\n    Prepared statement...........................................   
160\nPaller, Alan:\n    Testimony....................................................    10\n    Prepared statement...........................................    90\nReitinger, Philip R.:\n    Testimony....................................................    50\n    Prepared statement...........................................   183\n\n                                APPENDIX\n           RESPONSES TO POST-HEARING QUESTIONS FOR THE RECORD\n\n    Mr. Baker....................................................   114\n    Mr. Lewis....................................................   120\n    Mr. Paller...................................................   129\n    Mr. Kellermann...............................................   135\n    Mr. Reitinger................................................   193\n\n                 ADDITIONAL INFORMATION FOR THE RECORD\n\nJosh Bourne, President, Coalition Against Domain Name Abuse \n  (CADNA), September 14, 2009, prepared statement................   194\n\n \n             CYBER SECURITY: DEVELOPING A NATIONAL STRATEGY\n\n                              ----------                              \n\n\n                        THURSDAY, APRIL 28, 2009\n\n                                     U.S. Senate,  \n                           Committee on Homeland Security  \n                                  and Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10:05 a.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Joseph I. \nLieberman, Chairman of the Committee, presiding.\n    Present: Senators Lieberman, Carper, Landrieu, Burris, and \nCollins.\n\n            OPENING STATEMENT OF CHAIRMAN LIEBERMAN\n\n    Chairman Lieberman. Good morning. The hearing will come to \norder. Thanks to the witnesses and others who are here.\n    The topic of this hearing is our national strategy for \ncyber security. 
I am going to put my statement in the record \nand just speak for a few moments.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator Lieberman appears in the \nAppendix on page 71.\n---------------------------------------------------------------------------\n    It is a series of facts that brings the Committee here and \nwhy we are grateful to a very distinguished and informed group \nof witnesses for helping us.\n    The first fact is that America's cyberspace is constantly \nunder attack. The second is, the best that I can determine, our \ndefenses to those attacks are inadequate. The third fact is \nthat the Obama Administration, building on work done by the \nBush Administration, has just completed a 60-day review of our \ncyber policy and structures, and we expect soon to see release \nof that report.\n    The fourth fact is that the Department of Homeland Security \n(DHS), which was created out of this Committee and over which \nwe maintain oversight and monitoring responsibility, has \nthe unique authorities given to it under the statute with \nregard to cyber security.\n    The fifth fact, may be a probability, I believe, as part of \nthe reaction to the report that Melissa Hathaway is doing for \nPresident Obama, that we will be asked to consider, and should \nconsider, some legislative changes or authorizations regarding \nthe role of the Homeland Security Department in its \nresponsibility to protect critical parts of America's \ncyberspace, particularly, the non-defense, governmental \ncyberspace and to be the main point of coordination with the \nprivate sector.\n    So this hearing is really an opportunity for us to learn \nfrom the four of you at this quite significant, potentially \ntransformational moment in the history of America's \nrelationship to cyber warfare, really. 
I want to just briefly \ndevelop a few of those realities.\n    First, it is very clear, if I can use a harsh word, but I \nwill use it because it is relevant, our enemies in cyberspace, \nwhether they are individual hackers, foreign governments, \nbusiness competitors, organized crime groups, or terrorists, \nseem too often to be one step ahead of our efforts to deter \nthem, and that gap must be closed.\n    From 2003's SQL Slammer to the most recent Conficker worm, \nthousands of worms, viruses, and so-called malware have \ninfected and disabled computers around the world and put \nsensitive data at risk of loss, theft, or improper disclosure. \nPrivacy breaches are a regular occurrence with identity thefts, \nstolen credit cards, or exposure of financial information. \nWithin the Federal Government, millions of dollars worth of \nequipment has been lost and the personal information of \nmillions of veterans, as one example, compromised.\n    In a speech last week, Melissa Hathaway, who is the Acting \nSenior Director for Cyberspace for both the National and \nHomeland Security Councils, told of an incident in which 130 \nautomatic teller machines (ATMs), in 49 cities around the \nworld, were illicitly emptied by cyber theft over a single 30-\nminute period. 
I mean, that is a stunning reality.\n    The Wall Street Journal reported last week that operational \ninformation for the Joint Strike Fighter, our advanced, \nstealth-capable, tactical air fighter was breached making it \neasier for enemies to defend against it if not to steal some of \nthe highly classified systems within it.\n    We know that there are severe vulnerabilities in our \nelectricity grid and that foreign governments seeking to map \nour infrastructures have intruded into our electricity systems \non a very large scale.\n    So there is all too much evidence that our cyber \ninfrastructure is insecure and, unfortunately, there is a lot \nof evidence that our security capabilities are inadequate to \nthe challenge. GAO and various inspectors general have been \nrepeatedly reporting on these weaknesses. Last December, the \nCenter for Strategic and International Studies (CSIS) issued a \nreport listing a vulnerability of cyber networks as one of our \nNation's major security vulnerabilities, risks.\n    Let me focus just for a moment, for the record, on the \nDepartment of Homeland Security.\n    The cyber security authorities of the Department of \nHomeland Security are not just general under the rubric of \nHomeland Security, but they are clearly outlined in statute and \npresidential directives. Title 2 of the Homeland Security Act \ndirects DHS to lead critical infrastructure protection efforts, \nwhich by definition includes cyber security. 
Critical \ninfrastructure was defined in that act as ``systems and assets, \nwhether physical or virtual, so vital to the United States that \nthe capacity or destruction of such systems and assets would \nhave a debilitating effect on security, national economic \nsecurity, national public health or safety, or any combination \nof these matters.''\n    In 2003, President Bush released a national strategy to \nsecure cyberspace, which stated that the Department of Homeland \nSecurity would be ``the focal point for the Federal Government \nto manage cyber security.'' Later that year, the White House \nissued Homeland Security Presidential Directive 7 (HSPD-7) to \nimplement the critical infrastructure responsibilities laid out \nin the Homeland Security Act. HSPD-7 reinforced the leadership \nrole of the Department of Homeland Security on cyber security, \nstating, ``The Secretary of Homeland Security will continue to \nmaintain an organization to serve as a focal point for the \nsecurity of cyberspace.''\n    In 2008, President Bush issued Homeland Security \nPresidential Directive 23 (HSPD-23) to implement the \nComprehensive National Cyber Security Initiative, which focused \non the protection of Federal networks. The exact language used \nin HSPD-23 is classified. However, I can say that the directive \naffirmed that the Department of Homeland Security serves as the \nlead Federal agency for the protection of Federal civilian \nnetworks, that is to say all unclassified networks, and for \ncoordinating private sector cyber security efforts.\n    So as we come to this transitional point, we on this \nCommittee feel strongly that the Department of Homeland \nSecurity has, under statute and presidential directive, a \ncentral and critically important role to play. 
And this \nCommittee, in a sense, is here to ask you how you think DHS has \ncarried out that responsibility--I know you will testify and \nmuch else--and also what we can do to help DHS do the better \njob that we all acknowledge we needed to do.\n    Thank you very much for being here. Senator Collins.\n\n              OPENING STATEMENT OF SENATOR COLLINS\n\n    Senator Collins. Thank you, Mr. Chairman.\n    The information and communication networks that we refer to \nas cyberspace have become critical to our economy, our national \ndefense, and our homeland security. Yet, every week, we learn \nof more threats to our cyber infrastructure. The specter of our \nadversaries disrupting our telecommunications systems, shutting \ndown our electric power, or freezing our financial markets is \nno longer the stuff of science fiction; rather, it is a very \nreal possibility as thousands of cyber attacks are launched \nevery day.\n    For example, intelligence officials tell us that China and \nRussia have attempted to map the American electrical grid and \nhave left behind software that could be activated later perhaps \nto disrupt or destroy components. The Washington Post has \nreported that hackers broke into the Pentagon's Joint Strike \nFighter project and stole information. And last year, as the \nChairman alluded to, cyber thieves secretly implanted circuitry \ninto keypads sold to British supermarkets, which were then used \nto steal account information and personal identification \nnumbers. As these numerous intrusions demonstrate, the cyber \nsecurity threat is real, dangerous, and accelerating.\n    Today, this Committee will examine the practical issues of \nhow the Federal Government should best be organized to counter \nthis threat. An effective response to cyber threats will \nrequire coordination among law enforcement, intelligence \nagencies, and private owners of critical infrastructure. 
The \nDepartment of Homeland Security is the crucial nexus of these \nrealms.\n    Bringing together these three worlds is precisely the \nreason that Congress created DHS following the terrorist \nattacks of September 11, 2001. The Comprehensive National Cyber \nSecurity Initiative, started last January--and the Chairman \nreferred to it--recognized the value of the Department's unique \nperspective by placing the National Cyber Security Center at \nDHS and charging the Department with the responsibility for \nadvancing coordination and consultation among the many Federal \nentities with cyber security missions. And following up on this \ndirective, last year, Senator Lieberman and I introduced a \nhomeland security reauthorization bill that included cyber \nsecurity provisions that would have increased the \nresponsibilities of the center at DHS.\n    We also need to determine what specific authorities are \nnecessary for DHS to undertake the mission of better securing \nFederal networks and our Nation's critical cyber infrastructure \nas the Department works with but does not supplant the \nimportant roles played by the Department of Defense, the \nintelligence community, Federal law enforcement officials, and \nother agencies.\n    These authorities must allow DHS to address many of the \nmost pressing cyber security issues, including how do you share \ncritical infrastructure on threats and vulnerabilities, \nparticularly with the private sector, since 85 percent of \ncritical infrastructure is privately owned?\n    How do you encourage the adoption of best practices and \nstandards not only across government but throughout our \nNation's critical infrastructure?\n    How do we best generate a strategy that deters terrorists \nand hostile nation states from executing cyber attacks that \npotentially could devastate our critical infrastructure?\n    How do we best go after cyber criminals, not necessarily \nfrom other countries, but within our own country? 
Sometimes \nthat part is overlooked as we discuss the threat.\n    How do we secure the supply chain to ensure that systems we \npurchase are free from malicious code?\n    And how do we best establish standards and performance \nmetrics that can guide government procurement to encourage \nmanufacturers to incorporate better security into their \nproducts for the benefit of both government and the public at \nlarge?\n    Finally, as we consider the reorganization of cyber \nsecurity activities, I would note that this new Administration \nhas shown a tendency to appoint special assistants and czars \nwithin the White House for virtually every important issue that \nwe are confronting. While I understand the need to shine a \nspotlight on critical problems, the creation of numerous czars \nor special assistants usually leads to conflict, turf battles, \nand confusing lines of authority.\n    Moreover, Congress' ability to effectively oversee \nactivities directed from the Executive Office of the President \nis severely limited. Typically, we cannot call upon those in \nthe White House to come testify before us, and their budget \nrequests are presented with very limited details. So the issue \nof reorganization of cyber security efforts necessarily \ninvolves the discussion of accountability and oversight by \nCongress as well. On an issue as pressing and as complex as \ncyber security, congressional oversight is critical to making \nreal progress.\n    I look forward to exploring these issues with our witnesses \ntoday.\n    Mr. Chairman, you have assembled the top experts, and it is \na pleasure to welcome back to the Committee, of course, Mr. \nBaker, who has been here many times. Thank you for holding this \nimportant hearing.\n    Chairman Lieberman. Thanks, Senator Collins. And thanks for \nthe very thoughtful statement. I appreciate it.\n    Stewart Baker, good to see you again. Welcome back. 
You \ngraduated from line authority to elder statesman, at an early \nage.\n\n    STATEMENT OF HON. STEWART A. BAKER,\\1\\ FORMER ASSISTANT \n                 SECRETARY OF HOMELAND SECURITY\n\n    Mr. Baker. It is a pleasure to be home again. Thank you, \nChairman Lieberman and Ranking Member Collins. It is also a \npleasure to have graduated from DHS. I served on a commission \nonce, and one of the old hands of the commission said, ``Yes, \nthey have brought back all the people who could not do the job \nto tell us why we should do the things they could not do.'' And \nin that spirit, I would like to talk a little bit about the \ncyberspace crisis that we face and what DHS should do about it.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Baker appears in the Appendix on \npage 75.\n---------------------------------------------------------------------------\n    You both have laid out the problem quite eloquently, and I \nwill not try to repeat that. I would like to explain why I \nthink this problem persists and continues to grow worse. And I \nwill use an example that I have laid out in my testimony.\n    There was a fellow named Howard Crank, a Vietnam vet \nsuffering from diabetes. At home, he got an Internet \nconnection, and the world opened up to him. He could interact \nwith the world. It was a wonderful thing for him, until, \nessentially, scam artists found him and induced him to mortgage \nhis house twice, to max out his credit cards and to go into \nbankruptcy trying to recover the lottery proceeds he was told \nhe had won.\n    Right up until that moment, I think he would have said the \nInternet had done a great thing for him, but interacting with \nthe world, and having the world interact with him, turned out \nto be a disaster because not all of the world intended him \nwell.\n    We are all in that position. 
We are all getting benefits \ntoday from hooking up to the Internet, from using Internet \nprotocols. They are making our lives easier and they are making \nthe delivery of services and goods cheaper. And yet, every time \nwe hook up to the Internet and expand the reach of those \nnetworks to other parts of our lives, we are creating greater \nrisks. And, at some point the ice could give way and we could \nbe dropped into the lake and lose everything.\n    That is the greatest concern, but today we are not seeing \nany obvious harm to our networks or to our way of life, and \nthat is what has led us to ignore the problem or to minimize \nthe problem.\n    I think it is a tribute to both this Administration and to \nthe last that we are finally beginning to look at the ways in \nwhich we can address this problem more seriously, and I would \nalso like to give credit to Jim Lewis for the Center for \nStrategic and International Studies report which I think very \nprofoundly raised all of the issues that have to be addressed \nif we are going to successfully defend ourselves in cyberspace.\n    That raises, then, as Senator Lieberman and Senator Collins \nboth suggested, the question of how to organize ourselves to \ndefend cyberspace. And here, I would like to draw on my \nexperience. I realized as I was preparing for this hearing, \nthat I have helped to start two of the last three cabinet \ndepartments created in the Federal Government. And I have \nserved on a commission that recommended extensive \norganizational changes in the Federal Government.\n    If I had to do it over again, I am not sure I would do any \nof that. That's because there is a predictable pattern in the \nreorganization of government. You start with a failure. You \nsay, this is not working. We should create another organization \nto solve the problem. And that organization, since you have \njust dreamed it up, does not have any flaws at all. 
It will do \neverything you want done, and much better than the obviously \nfailed institution that you are looking at today.\n    When comparing an existing institution, where we have real \nfailures, to an imaginary institution that has no flaws, the \nimaginary institution always looks better. Then, of course, \nonce you actually try to start the imaginary organization, the \nimaginary organization discovers that it does not have a \nbudget, it does not have staff, it does not have an executive \nsecretary, it does not have a human relations department to \nbegin hiring people. And pretty soon, that new institution is \ndeep into a cycle of failure of its own, which then leads \npeople to say, well, that is a failure. We should reorganize. \nMaybe we should have this new imaginary organization to do the \njob of the last imaginary organization.\n    I say that because I fear that the one recommendation of \nthe CSIS report that I disagree with most strongly is the one \nthat says, DHS is not doing everything it should. Consequently, \nwe should dream up a new organization, a national cyberspace \noffice that will perform all of the functions that DHS should \nbe performing perfectly and is not performing perfectly.\n    That recourse to an imaginary organization, in my view, is \nprecisely the problem with the CSIS report. We would be much \nbetter, in my view, fixing DHS, which, of course, was given \nmany of these authorities when it was an imaginary organization \nand now is deep into the second cycle, where people find that \nit is not doing the job perfectly. We would be much better off \nbuilding DHS's capability, something that has just begun, I \nthink, seriously for the first time in the last year or two.\n    DHS has now launched on the job of building a genuinely \nstrong cyber security office that can provide guidance across \nthe government, provide services and detailed capabilities to \nthe President. 
If they are given the opportunity to do that, \nthey will succeed. If they are kicked aside because they cannot \nperform and have not performed every job that they have been \ngiven in the last 5 years, I think that we will be making the \nmistake that we made with other organizations where we have \nsaid, since we do not have a perfect job being done by the \nexisting agencies, let's make up a new agency, and hand them \nthe responsibility.\n    I do not think we want to be in a position 2 years from now \nlooking at a new organization that has been created to carry \nout this mission in the Executive Office of the President and \nsay, ``Well, gee, they have just hired their staff. They have \njust begun to organize their budget. They have just determined \nwho their executive secretary should be. And, so for 2 years, \nwe have been treading water and there have been a lot of \nfailures since then.'' That is a recipe for treading water and \nnot for making improvements.\n    I think we would be better off if we took the capabilities \nthat DHS has and funded them, provided the resources and the \nstaff that DHS needs, and let DHS carry out its \nresponsibilities under guidance from a very strong National \nSecurity Council that can provide the muscle in the interagency \nthat is necessary to actually achieve coordination across the \ngovernment.\n    Very briefly, I will also talk about the question of \nregulation. I think it is clear that some form of regulation is \nnecessary in this area. No private sector agency can be \nexpected to fend off State actors who are bent on infiltrating \nits network. We do not expect Bank of America to fight our wars \nfor us, and if the bank finds itself on the front lines of a \nwar, we should be providing assistance to them at the Federal \nlevel.\n    In fact, there is regulatory authority in many of these \nareas. 
The Gramm-Leach-Bliley Act requires the financial \nregulators to have substantial authorities over cyber security. \nThe Federal Communications Commission (FCC) has provided, and \ncertainly has substantial authority over, cyber security \nstandards if they choose to use all of their authority. The \nFederal Energy Regulatory Commission (FERC) has some authority. \nWhat is probably missing is some coordination and what I would \ndescribe as nimbleness in responding to new threats. And that I \nthink is something that DHS can do if it is given clear \nauthority and clear--not authority; they have the authority. \nThey need a mandate from the Administration, from the \nPresident, and perhaps from this Committee.\n    Thank you very much.\n    Chairman Lieberman. Thanks, Mr. Baker. That was very \ninteresting testimony, very helpful, and has a certain healthy \ndegree of skepticism that comes with having had considerable \ngovernmental experience. It is a longer view, but it is one \nthat is very valuable to us.\n    Next, we are going to hear from the previously mentioned \nand saluted James Lewis, Director and Senior Fellow, Technology \nand Public Policy Program at the Center for Strategic and \nInternational Studies, which did the report to which both Mr. \nBaker and I referred. Thanks for being here.\n\n  STATEMENT OF JAMES A. LEWIS,\\1\\ DIRECTOR AND SENIOR FELLOW, \nTECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND \n                     INTERNATIONAL STUDIES\n\n    Mr. Lewis. Thanks very much. And I thank the Committee for \nthe opportunity to testify. And also, I applaud your efforts to \ntry and deal with the new security challenges we face. I am so \nglad to be here.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. 
Lewis appears in the Appendix on \npage 86.\n---------------------------------------------------------------------------\n    To summarize the state of cyber security, our networks are \nvulnerable, our opponents are inventive and energetic, and we \nare disorganized. Many people have worked hard in recent years, \nbut the United States is late and we are not doing enough.\n    As a Nation, we have been slow to realize how important \ncyberspace has become for economic and national security, and, \ntherefore, slow to give it the priority it requires. The United \nStates is being dragged down by weak cyber security, losing its \nedge in commerce, innovation, and defense. The problems we \nface, espionage, crime, and risk to critical infrastructure, \nwill never go away, but they can be reduced by coordinated \ngovernment action. Put bluntly, we need a comprehensive \nstrategy and somebody in charge of it.\n    To date, the United States has been unable to produce \neither leadership or a strategy. The 1998 Presidential \nDirective 63 still shapes policy, but it was overly fond of \nczars. The 2003 national strategy to secure cyberspace was \nneutered by ideology and internal conflict. The 2008 \nComprehensive National Cyber Security Initiative (CNCI) has \nsome valuable elements, but it was not comprehensive. It was \nalso hobbled by infighting, and it came far too late.\n    So in 2008, CSIS, as you have heard, put out a report that \nrecommended a comprehensive national approach. We called for \nthe creation of a strong White House cyber advisor with clear \nauthorities and a comprehensive national strategy that would \nuse all the tools of U.S. power, international engagement, \nmilitary activity, economic policy and regulation. 
Our report \ncontained other important recommendations that I am sure some \nof my fellow witnesses will mention, including the need for \nincreased education, modernization of outdated laws and other \nactivities.\n    While policy must be led from the White House, agencies \nmust carry out implementation and operation activities. \nOperational responsibility for cyber security falls on three \nagencies: The National Security Agency (NSA), the Federal \nBureau of Investigation (FBI) and DHS. The previous \nAdministration assigned DHS the lead role for cyber security, \nbut this was beyond its competencies. DHS is not the agency to \nlead intelligence, military, diplomatic, or law enforcement \nefforts. This does not mean that DHS does not have an important \nrole, and it is time for that agency to begin to perform it.\n    DHS is responsible for protecting critical infrastructure \nand for securing the civilian government networks. It is \nbeginning to build the capabilities needed to carry out these \nmissions, but this will require sustained investment in \nfacilities, technology, and DHS's cyber workforce.\n    To date, cyber security at DHS does not have the resources \nit needs. DHS needs better technologies to secure civilian and \ngovernment networks. The CNCI had a program named Einstein. \nEinstein is inadequate, whether it is Einstein 1, 2, or 3. Who \nknows? Maybe 4 will work. The real question is whether there is \na way for DHS to work with NSA to secure all government \nnetworks. This is, of course, a sensitive topic. NSA has the \ncapabilities. DHS has the responsibility. But there are \ncompelling constitutional reasons for restricting NSA's role. \nHowever, it would be a serious error not to take advantage of \nNSA at a time when our government networks are under sustained \nand successful attack.\n    DHS might also want to reconsider some reorganization \nwithin the National Cyber Security Division (NCSD). 
Perhaps a \nfirst step would be to merge the U.S. Computer Emergency \nReadiness Team (US-CERT) and the national communications \nsystems and its component into a single entity inside of NCSD.\n    DHS's cyber functions are part of its National Protection \nand Programs Directorate (NPPD). This directorate needs better \nplans to merge physical infrastructure and cyber infrastructure \nprotection. The National Infrastructure Protection Plan is more \nlike a dictionary than a plan. DHS needs short implementable \nplans on how to protect critical infrastructure and assure the \ndelivery of critical services in the face of cyber attack.\n    As part of its critical infrastructure responsibilities, \nDHS is the Federal interface with critical infrastructure \nowners and operators. This is an important role, but the \ncurrent partnerships are inadequate, and DHS might want to look \nat the Department of Defense (DOD) Defense Industrial Base \nInitiative as a model for partnership and information sharing.\n    DHS must be part of the larger regulatory effort to improve \ncyber security. To date, the United States has relied on market \nforces and voluntary action. But to quote the former chairman \nof the Securities and Exchange Commission, ``The last 6 months \nhave made it abundantly clear that voluntary regulation does \nnot work.'' Much of the opposition to regulation involves the \nreplay of warmed-over dot-com ideology and a strong desire by \nthe private sector to escape liability. I am very sympathetic \nto that.\n    As with any complex issue, there is no black or white \nanswer. Too much regulation will damage the economy. Too little \nregulation will damage the economy and also harm national \nsecurity. We need to find a middle course that balances \ncommercial and national security interests. 
A new Federal \napproach to cyber security must elicit action from the private \nsector that it will not otherwise perform.\n    DHS does not have the regulatory authority for most \ncritical infrastructure when it comes to cyberspace. One thing \nto consider is whether to give DHS new and expansive \nauthorities or whether to use existing authorities with current \nregulatory agencies, like the FCC, FERC, Nuclear Regulatory \nCommission (NRC), Federal Deposit Insurance Corporation (FDIC), \nand there are many others.\n    The Administration has recently concluded a 60-day review \nof cyber security policy. This was a spectacular effort. Most \nof us did not think they would be able to finish on time. And \nwhile few public details have been released, it appears that \nthe White House will play a greater role in organizing and \nleading cyber security policy. There will be greater attention \nto international engagement and to relations with the private \nsector, and there will be closer coordination among agencies.\n    My hope is that the 60-day review leads to a strong White \nHouse cyber advisor with clear authority to set policy and \nguide budgets. More fumbling among agencies will only lead to \ndisaster. But with so many different equities involved in cyber \nsecurity, we face gridlock. There is a regrettable debate over \nhow much authority the White House cyber advisor should have \nover policy and how strenuously the United States should \nprotect its cyber networks. There is a trade off, some say, \nbetween security and innovation. I say this debate is \nregrettable because our opponents are not waiting 60 days to \nattack us.\n    The United States is in a very unfortunate situation. We \nhave made better use of cyberspace than our competitors, and \nthis has provided real economic benefits. Our reliance on \ncyberspace holds the potential for innovation and future \ngrowth. 
However, the combination of greater reliance and \ninadequate attention to security has left us more vulnerable \nthan our opponents. If we cannot change this, the power and \ninfluence of the United States will shrink, and our prosperity \nand security will be damaged. Congress and the Executive Branch \nhave the opportunity to avert this damage if we can act \ndecisively.\n    I thank you for the opportunity to testify. I will be happy \nto take your questions. Let me say, it was more fun to testify \nagainst Mr. Baker when he was in the government because he was \na little more constrained, but I welcome the opportunity to \ntake your questions.\n    Chairman Lieberman. Thank you.\n    Well, we like Mr. Baker in both roles. He is more \nunpredictable in this one. Both of you, though, have portrayed \na crisis, which this is. And the question is what we can do \ntogether about it. Thanks for your testimony.\n    Next, we are going to hear from Alan Paller, Director of \nResearch at the SANS Institute.\n    Thanks so very much for being here.\n\n    STATEMENT OF ALAN PALLER,\\1\\ DIRECTOR OF RESEARCH, SANS \n                           INSTITUTE\n\n    Mr. Paller. Good morning, Senator Lieberman, Senator \nCollins, Senator Carper, and Senator Landrieu. Your taking on \nthis issue is really impressive. It is a complex issue. The \nlanguage is arcane. It is just a pain.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Paller appears in the Appendix on \npage 90.\n---------------------------------------------------------------------------\n    It turns out that you in your opening statement talked \nabout what is really the central problem, which is that there \nis a gap between the attackers and our defenses. What is \nproblematic is that the gap is growing at an increasing rate. 
\nSo all this discussion is important, but we are falling behind \nat an increasing rate.\n    Let me give you just one simple example. There is a young \nman named Tan Dailin, who is a graduate student at Sichuan \nUniversity. In 2005, the People's Liberation Army (PLA) noticed \nhe was hacking into a computer in Japan, so they picked him up \nand said, wouldn't you like to be a contestant in our annual \ncompetition for who the best hackers are in Chengdu province? \nThat is a southwest province of China.\n    He entered the competition. His team actually won 10,000 \nRenminbi. They put him through a 30-day, 16 hour a day, \nworkshop, where he learned to develop really high-end attacks \nand tuned his skills. And then they put him in competition with \nteams from all of the rest of the military sub-units in the \nSouthwest China, and his team won that. They won 20,000 \nRenminbi. He was famous and important.\n    He set up a little company. No one is exactly sure where \nall the money came from. But that company created the hacks \nthat were found inside--this was September 2005 when he won it. \nBy December, he was found well inside DOD computers. The summer \nof 2006 was a particularly bad summer for the United States \nbecause there were a lot of what are called zero-day attacks, \nwhich are attacks that happened using vulnerabilities that the \nvendor has not patched yet. So there is no defense. And his \nteam was found to have been the team that built six of those 30 \nor so zero-day vulnerabilities.\n    What I am trying to say is that other nations are investing \nheavily in creating massive new technologies, and our defenses \nare childlike. What we have done under the Federal Information \nSecurity Management Act (FISMA) regulations is just \nembarrassing. And the result is much more than the public \nknows. You have not, but the House has had testimony saying the \nCommerce Department and the State Department have been deeply \npenetrated. 
What has not been told is that every other major \ndepartment has been equally or more deeply penetrated, one so \ngreatly that NSA had to bring their blue teams in just to find \nall of the problems.\n    We do not tell the public that because it is embarrassing, \nbut it is just a symptom of what is happening. Eastern Europe \nhas organized crime groups that recruit developers. But the way \nthey recruit them is with lies and money. And then when they \nfind out that they are working for organized crime, and they do \nnot want to, crime groups use terror. They threaten their \nfamilies. They kill their families if they do not want to work.\n    You talked about the $10 million that was obtained in 30 \nminutes. What was interesting about that case is the reason it \nstopped was the ATMs ran out of money. That was the only \nreason--they were just empty.\n    Chairman Lieberman. Just take a moment and explain why the \n30 minutes. Was that thought to be a period of vulnerability in \nthe systems?\n    Mr. Paller. Well, I did not talk to them. The FBI thinks \nthey assumed they would not get caught doing it if it was short \nenough; that the triggers would not happen. What was \nfascinating is you might ask, how can they get that much money \nout?\n    The attackers actually had control of the computers inside \nthe bank and were raising the limits of how much each of the \ncards could take out of the ATM as the ATMs were being emptied. \nYou normally have a $300 or $500 limit. Those limits just kept \ngrowing, and it was because the attackers had control of the \ncomputers as well as they had made all these white plastic \ncards. But that $10 million is one of thousands of attacks.\n    You heard about the multi-city power outage that the \nhackers did. Why did they do that? Well, it is all extortion. 
\nIf I have control of your computers, and I say I am going to \ntake the power out, and you say, no, you will not, well, all I \nhave to do is take the power out for 2 days, and every other \nutility will pay. It is a massive money-making scheme, and that \nmoney can be used to buy extremely advanced technologies. Our \ndefenses, the way we have built them under the FISMA \nlegislation are just--they are antagonistic to improve \nsecurity. They are not just not improving security, they are \nactually working against it.\n    But there is a wonderful story I want to share with you. It \nis why I was happy to come today. It is one huge success. It is \na Federal success. It shows not only can the Federal Government \nradically improve security, but that the effect can spill over \ninto the defense industrial base and into the critical \ninfrastructure.\n    It started when NSA was briefing John Gilligan, who is the \nChief Information Officer (CIO) at the Air Force, and they told \nhim they could get into Air Force systems in 30 minutes. And he \nsaid to them, you are not helping us. Tony Sager was the \nbriefer from NSA. John said to Tony, ``You are just not helping \nus. You show us how you break in. We fix everything. A few \nmonths later you are going to come in and break in again.'' \nThis is the key statement. ``Can you get all your attackers \ntogether and tell us what the critical things are we should \nhave done that we should do to protect ourselves?''\n    You hear Melissa Hathaway talking about offense must inform \ndefense. The fundamental error under FISMA was that we asked \nthe people who did not know about offense to tell us how to do \ndefense. You cannot do that. You just cannot do that.\n    So Tony went back and got the attackers together, showed \nJohn how to configure the systems, and they implemented those \nbetter configurations on a half a million computers, but they \nhad to--this is from your opening statement, Senator Collins. 
\nYou talked about the key role that the private sector plays \nusing procurement. That is the one huge lever you have. There \nis nothing close to it. If you want to change security, the \nlever you have is procurement.\n    So what John did is he went to Microsoft. Microsoft said, \nno, we are not going to give you a different configuration than \nwhat we give everybody else. One size fits all. You have to \ntake the one we give you. And he went to Steve Ballmer and \ntalked him into giving them a more secure configuration. They \nimplemented across a half a million machines. Here are the \nresults.\n    One, it used to take 57 days on average to patch the \nmachines. That is a good number in the Federal Government, 57 \ndays, way too long. Now it is 72 hours and heading down toward \n24. So they were able to change the way they manage computers \nbecause they have these good configurations. They saved $100 \nmillion in procurement. They save more than $100 million every \nyear because they do not have to test the patches on every one \nof their different configurations. And they save $30 million on \nenergy costs because the settings actually were energy-saving \nsettings.\n    But most importantly, because all the experts said this \nwould not happen, the users were significantly happier. The \nhelp desk director at the Air Force reported that their help \ndesk calls were down by 50 percent because the users actually \nwere better off. So here you have much better security, much \nlower costs, and happier users. And Karen Evans, to her credit, \nactually took that initiative and said to the rest of the \ngovernment, let's do that as a government.\n    The challenge right now is that the attackers have gotten \nso far ahead, that is only one piece of what has to be done. 
So \nJohn went back to Tony and said, what are the rest of the \nthings that have to be done, and he has created a new list of \nthe critical things that must be done to secure Federal \nsystems.\n    The one most important thing in all of that lesson is, the \nFederal Government has the big lever. And it is the $70 billion \nin information technology (IT) procurement that you use each \nyear. When we talk about public-private partnerships, those \nare endless meetings. I am sure you have sat in on some of \nthem. They go completely differently, if you are about to spend a \nhalf a billion dollars, which is what John Gilligan did.\n    The great partnership is: Let's spend little pieces of that \nmoney--I am not saying increase the money. These commercial \norganizations are more than willing to deliver more secure \nsystems. They actually like it, if you will tell them what \nsecure is. That is where NSA comes in. You cannot ask the \nNational Institute of Standards and Technology (NIST) to do it. \nThey do not know what the attacks are. You have to get it from \nNSA and US-CERT.\n    But once you know what the defenses should be, you can use \nprocurement dollars to actually spend less money and have more \nsecure systems. And what I like most about that story is that \nit trickled down. Microsoft now sells that more secure \nconfiguration to the defense industrial base, to the utilities. \nSo you, using your procurement power, actually changed the \nnature of software and hardware so that it has been built more \nsecurely; there is nothing to stop the vendors from selling \nthat more secure version to everyone.\n    So the idea of leadership to me is not whether it is a \nWhite House or DHS leadership, it is whether you use the $70 \nbillion a year that you spend on information technology to make \nthe Nation safer. Thanks.\n    Chairman Lieberman. Thanks very much, Mr. Paller. That was \nreally riveting testimony. 
And it is very important to tell \nthese stories to help laypeople, if you will, get into this.\n    We will enter your statement, along with everybody else's \nstatement, into the record. Also, please take a moment to tell \nus what the SANS Institute is and, therefore, what credibility \nyou bring to this task.\n    Mr. Paller. We are the main teachers. We have about 100,000 \nalumni in 60 countries. We train the FBI, the NSA, the British, \nthe Japanese, and the Indonesians. We teach the very advanced \ncyber security courses, forensics, and intrusion detection. And \nwe also run the Internet Storm Center, which is an early \nwarning system.\n    Chairman Lieberman. That is great. Thank you.\n    Tom Kellermann is the Vice President of Security Awareness, \na pretty good title, for Core Security Technologies. He brings \nanother unique perspective to assist the Committee as we \nundertake this responsibility. So we thank you for being here \nand welcome your testimony now.\n\n  STATEMENT OF TOM KELLERMANN,\\1\\ VICE PRESIDENT OF SECURITY \n             AWARENESS, CORE SECURITY TECHNOLOGIES\n\n    Mr. Kellermann. Thank you, Senator. I greatly appreciate \nthe opportunity to debrief this Committee on serious economic \nand national security risks that we are facing today from a \ncyber perspective. Much of my experience comes from my days at \nthe World Bank Treasury on the security team there. And I will \ncaveat that with the need for all of us to appreciate the Art \nof War by Sun Tzu. We need to really appreciate how offense \ninforms defense, but not only that, how we can better layer \nsecurity and implement policies and programs to create defense \nin depth across not just the Federal Government but critical \ninfrastructures.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. 
Kellermann appears in the \nAppendix on page 100.\n---------------------------------------------------------------------------\n    The horrible events of September 11, 2001, should have \ntaught us a fundamental lesson, which was that non-state actors \nwill use technology against our critical infrastructures. More \nimportantly, it is obvious since September 11, 2001, that \nterrorists' financing has been directly related to the proceeds \nof cyber crime, and the modern day silk road directly relates \nto those bank accounts that were pilfered in that case that \nMelissa Hathaway spoke of at RSA Security.\n    The DHS has done a successful job, I think, regarding \nincreasing the Federal standing per cyber attacks, however, \nthere are some challenges that do detract from these efforts. \nFirst of all, the lack of management continuity. Many of DHS's \nsenior cyber security leadership positions are political \nappointments by nature, and they result in frequent turnover of \nmanagement personnel and changes in priorities and focus of an \norganization's mission. There is an insufficient support \nstructure within DHS to provide fundamental functions to \nsupport cyber security needs, particularly the needs of what I \nconsider the four most functional aspects of the National Cyber \nSecurity Division, which are the Electronic Crimes Task Force, \nthe Secret Service, the US-CERT, and the Federal Network \nSecurity Branch.\n    Specifically, as I relate to this, the Federal Network \nSecurity Branch is no longer the lead when it comes to \nestablishing the standards of cyber security and computing \nacross civilian agencies, and many times it has to defer to the \nOffice of Management and Budget (OMB). So that leadership \nposition should be increased. 
I think that they should have the \ncapacity to conduct red-teaming exercises against civilian \nagencies to determine where these vulnerabilities are, to \ndetermine where the priorities should be for IT spending.\n    This is a common problem across the Federal Government, \nwhere you have CIOs and Chief Technology Officers (CTOs) \nleading the way vis-a-vis what should be spent on IT and IT \nsecurity. And CIOs' mind-sets are much about productivity, \nefficiency, access to services, and culturally differ from the \ndefensive perspective of Chief Information Security Officer \n(CISO) community. And I think that it is important from a \ngovernance perspective that the perspective be raised to the \ntop, particularly vis-a-vis the allocation of budgets and the \nexpenditures of funds necessary to secure systems.\n    To this point, as evidenced by specific campaigns carried \nout against Federal agencies in recent years and further \nillustrated by recent trends emerging in the larger cyber crime \nlandscape, a true lack of situational awareness and an \ninability to predict the specific methods being utilized by \nelectronic assailants is pervasive throughout the Federal \nGovernment, particularly as it relates to the recognition that \nthe enemy no longer wants to disrupt service; the enemy wants \nto remain persistent and clandestine. The enemy in fact wants \nto launch a cyber insurgency or a cyber infiltration against \nyour systems. 
And in the end, if they are given command and \ncontrol, they want to remain on mission but also be able to \ncontrol the integrity of your data to manipulate you in any \nwhich way they should feel necessary.\n    To address this dire reality, which has been highlighted \nmost recently by the public incidence of energy hacking \nacross the grid, not only in the U.S. but overseas, and the \nHeartland Payment Systems breach, which was one of the most \nmassive financial breaches in the past 50 years--to that note, \nover 200 banks were impacted by the Heartland breach, not just \nthe cards themselves, but those bank systems that were \nconnected to those systems--we need to represent the reality \nhere that cyberspace is an aquatic environment. And if you can \nattack one segment of the water, you can infect the entire \nenvironment.\n    It is important that because of this reality, the Federal \nInformation Security Management Act compels agencies to undergo \nmore frequent, internal assessments to gauge their risk to \ncyber attacks, and not just check-the-box exercises for \ncompliance, but really using the dynamic guidance given that is \nbeing sponsored by Tony Sager and John Gilligan, vis-a-vis the \nCommon Audit Guidelines (CAG). And, specifically, agencies \nshould be required to conduct regularly extensive security \naudits of their IT systems using the red team mentality and \nbest practice identified by folks like Tony Sager, John \nGilligan, and the CAG.\n    In addition, I would ask this Committee to consider the \ncreation of systems of accountability, including penalties for \nthose organizations and civilian agencies who are not properly \naddressing those critical vulnerabilities, and tailoring their \nIT budgets to addressing those critical vulnerabilities. 
There \nis too much plausible deniability in the system right now, and \npeople do not actually undergo this type of red teaming or \npenetration testing because they want to maintain plausible \ndeniability to insulate themselves from not only the clean up \nbut also the criminal negligence that would come had they not \naddressed or remediated the problems that were found.\n    In addition, we must use these benchmarks to extrapolate \nthis phenomenon to third-party outsourcing. The infamous breach \nof DHS 3 years ago was based on a lack of a standard of care in \ndue diligence enforced by a third-party managed service \nprovider. The previously noted Verizon Data Breach report noted \nthat 39 percent of breaches were directly related to strategic \npartners. This was not cases of strategic partners attacking \nsystems, but those systems of the strategic partners being \ncompromised and used as island hops to transit and attack those \nprimary systems.\n    It is imperative that we grapple with this systemic risk \nimposed by the outsourcing and offshoring of not only American \njobs but the digital ecosystem on which we are heavily \ndependent. In order to promote and create a secure U.S. cyber \necosystem, this Committee should consider mandating that all \nentities who provide managed information security services, of \nany sort to the U.S. 
Government, or providers of such services \nto critical infrastructures as defined by the National \nInfrastructure Protection Plan (NIPP), at the very least enter \ninto information security service level agreements, which go \nbeyond the service level agreements today, which are \nessentially contracts that have mediocre terms of liability and \nrecourse and are far too much focused on resiliency and up time \nof the data versus the integrity and confidentiality of said \ndata.\n    The agreements must require that these service providers, \nat a minimum, have the same standards of legal and layered \nsecurity as defined by NIST-800-53, but also move forward and \nallow that entity, the primary consumer of those services, to \nconduct audits based on things like the CAG of those systems, \nand mandate remediation timetables of those systems.\n    We must use Federal acquisitions policy to require that \nthese service providers comply with all these individual \nrequirements. Those organizations who already are compliant \nwith FISMA, who are being proactive, should inherently receive \ntax credits or some sort of benefit from the system for being \ngood Samaritans in the cyber landscape.\n    In summary, while the national and worldwide cyber pandemic \nis currently scaling in an exponential manner, I would submit \nthat the significant gains can be realized through the Federal \nGovernment today by the political obligation of more aggressive \nattention to these issues. In this dark hour, we need strong \nbipartisan leadership. The dramatic increase in cyber attacks \nnecessitates action. 
The recent 60-day cyber review developed \nby Melissa Hathaway represents a great starting point for real \npolicy and strategic leadership, but it cannot be operational \nwithout the good work of DHS and this Committee.\n    It is paramount that this Committee understand that it too \ncan serve a fundamental role of change in defending our \nNation's critical infrastructures from this pervasive \nphenomenon, and I appreciate your consideration of my statement \nand, of course, your public service.\n    Chairman Lieberman. Thanks so much, Mr. Kellermann.\n    That sets it right up for the question period. We will do \n7-minute rounds of questions.\n    Let me make a statement based on what you have said and \nwhat I have learned here on this Committee, but also in the \nArmed Services Committee. We have a lot of overlap between the \ntwo committees.\n    For a number of years, we have been warned in the Armed \nServices Committee of the threat of asymmetrical warfare, which \nis to say the United States has become so strong in what might \nbe called conventional warfare that it would be natural for \nsomebody wanting to do us ill to not try to compete with us on \nthat level, but to look for the weakness, the vulnerability, \nand to attack us in that sense, asymmetrically.\n    The second reality that we are dealing with, of course, is \nthat after September 11, 2001, we are involved with Islamist \nterrorists in a global conflict, in which some of the old, \ntraditional rules of warfare are gone, which is to say, this is \nnot planes against planes, ships against ships, armies against \narmies in conventional battlefields. 
People strike it as from \nthe dark and have no hesitancy to strike civilian populations, \nas we saw here, painfully, on September 11, 2001.\n    So you put both those together, the warnings that we got \nabout asymmetrical warfare and the new rules of the conflict we \nare in, particularly in which civilian targets are open \ntargets, cyber attacks just jumps right out at you, doesn't it, \nas a major threat to the security of the United States; and \nmakes relevant not just the defense that the Department of \nDefense must provide to defend cyber systems, but all of the \nprivately controlled cyber systems in our country that really \nare in control of our financial system, our power generating \nsystem. You could go on and on; our healthcare system could be \nincapacitated.\n    So I want to invite a reaction. To me, this is a real \ncrisis, but I invite you, if you think I am overstating it, to \nsay that. But here is my concern. If I were an enemy, either a \nstate enemy or a non-state enemy, like a terrorist group \nwanting to do us harm, it seems to me one of the first most \nattractive ways to attack us would be a cyber attack, both \nbecause of the difficulty of finding me, the enemy, but also of \nthe tremendous damage I could do at this point in the status of \nour cyber defenses.\n    Is this true, Mr. Paller?\n    Mr. Paller. I think you are absolutely right, but I do not \nthink the time is yet, meaning I think right now it is easier \nto bring a bomb across the border and blow somebody up. And if \nyou are going to do terror right now, that simply works.\n    As we strengthen the borders, as we make it harder and \nharder to do kinetic attacks, this kind of cyber attack will \nbecome the attack of choice. And the reason that it is such a \nchallenge, that you have to act right now, is that asymmetric \nwarfare means pre-establish and control. 
So when the Chinese or
another Nation gets into a Senate committee computer, they do
not get in to steal the data, they get in to steal the data and
to leave something so that they can change information at
critical moments.
    Chairman Lieberman. Correct.
    Mr. Paller. So it is now that we have to fix cyber security
in government and the commercial sector because the war will
come later that will be fought in cyberspace. But I do not
think we are sitting here waiting for a new attack against the
power plants of America in the next 6 months.
    Chairman Lieberman. OK. You in your testimony, Mr.
Kellermann, made some references as to how these both come
together. Organized criminal groups see an opportunity to hold
up private entities for money by threatening cyber attack or
actually carrying them out. You raised the question of whether
that clearing of the $10 million from the ATMs, some of that
money may have ended up or may have started with organized
crime, maybe not, and terrorism usage. But in your written
testimony, you used the example of the Bali bombings in 2002 as
an example of a terrorist attack that was funded by cyber
crime.
    Just take a quick moment and tell us about that.
    Mr. Kellermann. What is interesting about the Bali bomber,
Imam Samudra, was that he not only financed the attack through
credit card fraud and precipitated through cyber crime, but he
wrote a manifesto of sorts while in an Indonesian prison,
stressing that Jihad could best be waged by using the money of
the infidels to finance the physical acts of terror against the
infidels. And you will see actually a spike--and I am sure Mr.
Paller can speak to this with Internet Storm Center. You have
seen a spike since in the number of hacker attacks emanating
out of Indonesia. There is a realization of sorts that this
Robin Hood mentality, that the lack of resources that these
communities traditionally have, can be acquired through cyber
means because the financial sector is so porous and too over-
reliant on perimeter defenses.
    But more importantly, vis-a-vis the different types of non-
state actors, you have a dark ages mentality now in the
underground, where you literally have communities that are
assisting other communities without ever meeting them, in a
very ephemeral sense, and acquiring the weapons grade
technologies to attack systems, whether or not they have
computer skill sets, as well as the sale of systems that have
already been compromised is widespread, as well as financial
details in bank accounts and credit card numbers can be sold
for $40 a pop in this system, to any actor, so long as they are
not considered a ripper, which is someone who is untrustworthy,
that they do not follow through with deals.
    Chairman Lieberman. I have very little time left, but I
want to just draw out, Mr. Baker and Mr. Lewis, on the debate
you have about how we should best organize to respond to this.
    Am I right that both of you agree that the Department of
Homeland Security should have primary responsibility for non-
defense Federal Government computers and for the interaction
between the Federal Government and the private sector in regard
to cyber defenses? Is that right?
    I want to say for the record that both are nodding
affirmatively.
    So let me understand. Mr. Lewis, you have been very clear.
You think there ought to be an office in the White House to
coordinate everybody involved, DHS, NSA, DOD, and others.
    But, Mr. Baker, let me understand what you are suggesting.
Do you think the Department of Homeland Security should play
the overall governmental coordination role or that there is not
really a need for one?
    Mr. Baker. Let me address that. There is a need for more
coordination; there is no doubt about it. It would be my
suggestion that what is needed is not just a coordinator. This
is something that the National Security Council does all the
time. They coordinate and resolve disputes between agencies,
and they can lead agencies.
    What they will need is support in actually identifying the
precise steps that ought to be taken on an urgent basis, if
necessary, the kind of day-to-day research into the problem and
the response to the problem, the development of standards and
regulatory approaches and procurement standards that we have
been talking about here. Everyone recognizes there needs to be
greater detail in the Administration of the actual cyber
security enterprise, and the question is, should that be done
at DHS or by some new agency that will be created in the
Executive Office of the President. I would suggest that it
ought to be done at DHS.
    Chairman Lieberman. You would prefer DHS. And insofar as
the overall coordination, you would have that be done by
someone working at the NSC or the HSC.
    Mr. Baker. There is no doubt there needs to be very strong
presidential leadership, probably through the NSC on this. It
is really a question of how you staff that leadership.
    Chairman Lieberman. Right. Thank you. Senator Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Mr. Baker, let me resume where the Chairman left off.
    When Senator Lieberman and I sat down to implement the
recommendations of the 9/11 Commission back in 2006, we quickly
realized that one of the Commission's recommendations having to
do with the placement of the National Counterterrorism Center
(NCTC), within the Executive Office of the President was not a
good idea.
And our concern is that it would have placed the
NCTC largely beyond the reach of congressional oversight, and
it also would have limited the personnel and budget that the
center could have. And it also had implications for privacy
concerns as well.
    When I hear this debate today, it is very reminiscent of
the debate over the placement of the NCTC. One of the issues
that we want to avoid is stovepiping again, of having agencies
that are not coordinated, that are also beyond the reach of
congressional oversight.
    I know that you followed that debate very closely. Do you
see any lessons for us as we decide where the appropriate
entity is to do this coordination in the decisions that were
made back in 2006 with regard to the placement of the National
Counterterrorism Center?
    Mr. Baker. I do, actually. And I did follow NCTC's
implementation closely, both because of the Commission on the
Prevention of Weapons of Mass Destruction Proliferation and
Terrorism and because I knew the first two heads of the NCTC
and worked with them closely at DHS.
    I think that the NCTC is a success, and a success in part
because it is not in the Executive Office of the President. It
is not buffeted by whatever is on the President's plate that
day. It can actually build institutions, take the long view,
and approach problems with a bit more discipline than you can
afford when you are trying to follow the ball in the Executive
Office of the President.
    It also has been able to develop a privacy agenda that I
think has worked. The responsibility to report to Congress has
worked out well for NCTC and I think for the insight of the
Nation into its activities. And I would envision a similar role
for DHS. That is to say, when I was at DHS, I saw NCTC in some
respects as an extension of the NSC. They worked for the NSC.
They were particularly responsive to the President's
priorities, but because they were outside of the immediate
battle rhythm, they could do it on a more disciplined, long-
term planning basis. And that is something that I think DHS can
do if the President and NSC choose to use them in that way.
    Senator Collins. Thank you.
    Mr. Lewis, I want to ask you a more fundamental question
that came up in a discussion that the Chairman and I had last
week on this issue.
    If a hostile nation were to shoot missiles at our country's
power plants and, thus, disabled our electrical grid, we would
immediately recognize that as an act of war. And the United
States would marshal all of its resources to counter that
action. Yet, if a hostile nation used computers to achieve
exactly the same result, a complete disruption of our
electrical grid, it is not at all clear that our government
would view that as an act of war, assuming we could identify
who was behind the attack, which is a whole other issue and
challenge in and of itself.
    It is my understanding that the CSIS report has some
specific recommendations to the President on identifying
cyberspace as a vital asset, and sending a message to those who
would attack us, using computers rather than missiles, that we
would consider that to be an act of war.
    Could you talk about that issue for us?
    Mr. Lewis. Sure, I would be happy to. And let me say that
we approached this as a national security problem, and we
thought cyber security should be treated the way we treat other
national security problems, which is that many agencies have a
role. No agency has the lead. And so, when you look at our
foreign policy or our national security policy, it is Defense,
State, and the intelligence community. And all of them are
coordinated by the NSC. And we thought the same sort of
approach is the only way you can fix cyber security.
    So, for me, when I listen to Mr. Baker, NCTC is not a good
model. Its mission is too narrow. DHS does not have the
capabilities. We do not want DHS making the decision when
something is an act of war or when it is not. That is properly
given to the President. And that is the real issue, when is it
an act of war?
    This gets back to some of your earlier statements. The
Chinese have missiles. They are pointed at our power plants or
at Los Angeles, but they are not going to launch them. They are
not going to launch them until they need to. The Chinese right
now have an intelligence advantage that exploits all of our
networks, including yours. And they probably have left
something behind that when there is a crisis, they can launch,
just like they can launch their missiles. So this is not
something that we should be surprised at. People have always
been targeting electrical systems. It is just now they have a
new weapon to attack it.
    Two issues, though. How do you determine who the attacker
is? My guess right now is we only know perhaps in a quarter of
the cases at best who is actually launching the attack. The
other issue is when you decide to respond and how you respond.
    A response does not necessarily have to be keyboard versus
keyboard, and we usually think of it that way. There is some
geek over in China and there is some geek over in the United
States. We have to get away from that. We have to say, from the
White House, cyberspace is a vital national asset and we will
use all means to protect it. A simple statement like that would
be very helpful in putting our enemies on notice.
    We then have to follow it up with some actions. Again, for
me that points to who should the lead role be.
If you are going
to expel an attache from an embassy because of a cyber
incident, this is what you would normally do in espionage, it
is not a decision that would be made by any one agency. It
would be made by a couple of agencies working through the White
House. So we have to start treating this like a grown-up
national security problem and getting the real national
security system involved.
    Senator Collins. Thank you.
    Chairman Lieberman. Thanks very much, Senator Collins.
Senator Landrieu, welcome.

             OPENING STATEMENT OF SENATOR LANDRIEU

    Senator Landrieu. Thank you. And I appreciate the
leadership of this Committee in an area that I feel very
strongly about as well. And our State has made some initial
steps working with the Air Force, in particular, to establish
some benchmarks on this effort, which is why I am here today
and want to continue to be involved.
    Before I ask my questions, Mr. Paller, let me ask what
happened to the $10 million? Did they actually get it? Do we
know where it is, and was it returned?
    Mr. Paller. The $10 million is in the hands of the
organized crime group.
    Senator Landrieu. And that is----
    Mr. Paller. It is gone.
    Senator Landrieu. It is gone.
    Mr. Paller. And there are several more similar things
happening as we speak, like that.
    Senator Landrieu. I know the primary debate, and it is an
important debate, is how this is coordinated between agencies
and who might take the lead role, but you have been very clear
that there will be many agencies involved.
    Looking at the sectors that warrant the most protection,
from the financial sector to the utilities sector, other
sectors, and given, I think, Mr. Kellermann's comments about
terrorists using our own financial sector and access to it to
actually fund their operations, how would each of you rank
those sectors in terms of importance, since we are behind?
    If we had to rank in order of efforts to protect, what
order of sectors do you think is most important?
    Mr. Kellermann, why don't you go first?
    Mr. Kellermann. I would say financial sector is actually
most important because, right now, for the last 10 years,
organized crime and non-state actor community in general has
been feasting on financial fraud, whether it is personally
identifying information or funds transfer out of systems, which
is why there has been an 80 percent increase in wire transfer
fraud this past year.
    Senator Landrieu. And what would the second area or third
area be?
    Mr. Kellermann. I would think there needs to be much more
attention, actually, being paid to the healthcare sector,
considering that we are trying to digitize health records,
which can all be used to establish lines of credit in the same
fashion that financial data could, in order to have revenue
streams, per se, coming from the developed world into the
developing world. The energy sector is obviously very
important, the Smart Grid. It is going to create a huge
systemic and operational risk that needs to be dealt with, and
security must not be retrofitted on that.
    But realistically, the non-state actor community is using
financial information and health information to establish lines
of credit to finance physical acts of violence against U.S.
interest. But more than likely, the state actors who have
already penetrated these systems, they are not going to
actually turn off the systems or change the integrity of the
systems until there is actually an international conflict with
the United States. So we can wait a little bit vis-a-vis those
actors due to diplomacy and the need for the DOD to get their
act together when it comes to cyber security and cyberspace.
    Senator Landrieu. Would any of you like to add something
about--go ahead, Mr. Paller.
    Mr. Paller. Two completely industrial sectors. I think the
greatest losses we could have, the place we have to act most
quickly is in the defense industrial base. When you hear about
the military losing things, it was not the military; it was the
contractors. Those firms advise government on how to secure our
systems, and then, like shoemakers' children without shoes,
they give up all of the data. It needs a lot of attention, and
DOD, as Mr. Lewis discussed, is already trying to focus on
that.
    The second one for me is the power system. But I think the
fact that he has two and I have two different ones means that
you will find that the only way to fix those is through Federal
procurement. If you do not enable them to buy more secure
systems baked in, they are not going to be able to do it. You
cannot fix the security of a system after you have bought it.
If the people sell you a broken system, it is broken.
    Mr. Lewis. Just really quickly, we went through this in the
commission, and we identified four sectors. The reason we
identified them is we wanted to be able to take punches and
keep moving, right? And those were the energy system,
particularly, the electrical grid, telecommunications, finance,
and government services, particularly at the Federal level.
    If those four can keep operating in the face of attack, we
will be able to continue to perform as a nation.
    Senator Landrieu. Let me ask you, has the Pentagon
identified which branch of the Armed Services should take the
lead on this effort? Is it more natural to the Air Force or to
the Army or to the Navy?
If anyone would take 30 or 45 seconds
to briefly describe your views on that.
    Mr. Lewis. The services all have different capabilities. I
hear Navy is the best. Do not know that, but that is what I
hear. DOD has decided to set up a new joint command with all
the services, located at Fort Meade.
    There is a question about where it will be. Right now, it
is under Strategic Command (STRATCOM). It might become an
independent one. But the decision appears to be no one service;
create a joint command, and that is probably the right
decision.
    Senator Landrieu. Is there any role for the National Guard
that any of you could foresee in this? And if you would like to
describe or have you thought about that at all?
    Mr. Paller.
    Mr. Paller. Definitely. The key is you need practitioner
knowledge. I train the National Guard guys who go over to Iraq
each summer. They are wonderful. They have a lot of experience
there. They have the skills. So the merger of that skill set of
technology-literate people with the military is one of the
great assets we have.
    Senator Landrieu. And it seems to me--and Mr. Chairman and
Senator Collins, I want to particularly stress the idea of the
National Guard taking a leadership role, and the idea that the
kind of people that we need, Mr. Chairman, to man this command
would be people that could be recruited from high levels of the
private sector that might not be engaged 20 or 25 years in the
Armed Services, but would be at very high levels that could be
recruited to come into the National Guard, specifically
committed to this mission.
    So I would urge this Committee to look carefully into the
role that they might play, being located in all the States,
very close, of course, to the governors and to the State
government, and a good nexus between the Federal and State
government. That might be an opportunity.
    I have many other questions I will ask. I only have 14
seconds. So in closing, in terms of education and training in
either our colleges, universities, or other levels, could you
maybe, Mr. Paller, since you are involved with the SANS
Institute, give a quick response to what some of our education
committees could be doing in terms of investing in the
workforce necessary to create the kind of intellectual strength
we need in the coming decade or two for this in our country,
given that so many international students are here and then
leave with these prerequisite degrees and go back to other
countries, some of which are not friendly?
    Mr. Paller. Big question. I will just give you one quick
answer, and I will give you more if you want it later. But the
quick answer is the most important thing you can do is change
the way computer science and computer programming is taught in
America, because programmers are not taught to write secure
code. Every single one of these attacks happens because of a
programmer error, and we are not teaching the kids who write
software to write software securely. The faculty does not want
to do it. So if you want to fix something, that is a wonderful
one to fix.
    Mr. Lewis. Just quickly on that one, the President's speech
yesterday got it right when he said we have to re-focus on
science, technology, engineering, and math; that we have
underinvested since the end of the Cold War, and now we are
behind. And so it was great to hear yesterday. That will help
create the environment where Mr. Paller's sort of training can
really flourish.
    Mr. Kellermann. If I may, also I think that MBA students
and MBA programs are very short-sighted because they teach that
technology increases efficiencies and accessibility services,
and productivity. They do not teach the risk management side of
implementing widespread technology or the implications of
systemic risk, whether it is outsourcing or offshoring. It is
just looked at as a win-win and a panacea for fraud actually.
    Chairman Lieberman. Thanks, Senator Landrieu.
    Senator Carper is next on the list, but he is in the
anteroom in a meeting. So I am going to call on Senator Burris
in a minute.
    I want to express regret, apologies, to the four witnesses
that I have to go off to another meeting. I believe Senator
Landrieu and I are heading in the same direction. But we are
going to leave you in the able hands of Senator Collins and
Senator Burris, who will carry the hearing to the conclusion.
    You have been an excellent panel of witnesses. The reward
for this behavior is that we will undoubtedly call you back.
Senator Collins and I both were briefed by Melissa Hathaway
last Friday. And her report is with the President, so we expect
some public announcement of this soon. The President has built
on the increases that President Bush asked for some of the
cyber defense initiatives, in the fiscal year 2010 budget. And
I expect that we are going to want to take a very active role
here, probably including a legislative role. So I thank you
very much for a really helpful testimony.
    With that, Acting Chairman Burris.
    Senator Burris. Thank you.
    Chairman Lieberman. You have come a long way very quickly.

              OPENING STATEMENT OF SENATOR BURRIS

    Senator Burris [presiding]. Thank you, Mr. Chairman, and
Ranking Member Collins, and for an excellent testimony from our
distinguished panel.
    One thing that is going through my mind, gentlemen, is a
simple question. Mostly, it seems like we are on the defensive
in all of this. We are doing all the planning to try to protect
every aspect of our data from the would be hackers or skilled
intruders.
    Are we in this country doing anything on the offense?
I
mean, are we seeking to reach out to some of these would be
entities and also trying to hack into them to figure out what
is going on on their side?
    Mr. Lewis, would you like to take a shot at that?
    Mr. Lewis. Sure. Let me start, and my colleagues can join
in.
    We have offensive capabilities. They are among the best in
the world. The problem is what I would call asymmetric
vulnerabilities. We are a target-rich environment. So even
though we are as good as our opponents, they have more stuff to
shoot at. So, yes, we have offensive capabilities, but we are
not in a position where that really is enough to protect us
right now.
    Mr. Baker. I would add to that. It is true. I once said
that, in contrast to my experience at NSA in the early 1990s
and my current experience in government, we have gone from a
situation in the early 1990s where the score in the game might
be one to nothing, sort of like a soccer game, today when it
might be 187 to 149. The offense has just taken over the field.
    Worse from our point of view, we are playing the rest of
the world. We are on everybody's top five list as intelligence
targets and they are all trying to get into our systems. And so
for us to play defense, we really have to play defense against
everybody else and that is a very demanding requirement.
    Senator Burris. Now, you mean some of our friendly
countries also or where they are so-called friendly----
    Mr. Baker. As Charles de Gaulle said, nations do not have
friends; nations have interests.
    Senator Burris. Well, the permanent interest arrangement,
yes.
    Mr. Lewis. We have some good relations with some treaty
allies, and then there is the rest of the world. That is a good
way to think of it.
    Senator Burris. And we have to try to protect our system
from all of those entities that are trying to get in because we
are the biggest person on the block, I assume.
    Mr. Lewis. We are the richest and the easiest.
    Senator Burris. Which leads to the other question.
    But to what extent are there turf problems that are being
resolved in the various entities in these various systems that
we are having? And I assume that you, Mr. Lewis, are saying that
this should really be controlled by the White House and not by
DHS.
    Is turf a problem here in our security interests?
    Mr. Lewis. There are some really big elephants in the room.
You have the Justice Department. You have the Department of
Defense. You have the State Department. You have the
intelligence community. These are hard agencies to control, and
it is very difficult to get them all moving in the same
direction unless you have somebody like the National Security
Council kicking on them. And those of us who have been in the
government know that you do not just tell the Attorney General
or the Secretary of Defense and he does it. Someone has to have
a reporting relationship, and the only place that exists is the
President.
    So, yes, there are huge turf battles. Those are not
necessarily bad. It would be better if we had fewer turf
battles, but the only way we will get there is by establishing
clear White House leadership.
    Senator Burris. I am pretty sure we do not put all our eggs
in one basket, in terms of that would be a security problem if
that were to happen.
    Mr. Lewis. That is right.
    Senator Burris. But there is a concern of coordinating all
of this various defensive mechanism, which seems to be a major
problem for us to do.
    Mr. Lewis. I think the place where we have had a little
confusion is the distinction between direction and an
operational role. Nobody wants an operational White House,
meaning in a battle, the general does not drive the tank, but
the tank driver does not set the policies. We need somebody in
charge, but the people who actually implement the policies, who
carry them out, who have the day-to-day missions, that should
clearly be at the agencies, particularly DHS, which has a very
major set of roles here. But none of the individual agencies
are going to be able to coordinate all the other players on the
team, and we have to think of this as a team effort.
    Senator Burris. Are you saying, Mr. Lewis, that DHS is
probably the one that could look at setting the possible policy
rules for the other agencies, and there would be some type of
oversight on those policy rules?
    Mr. Lewis. Not as it is currently configured. And Mr. Baker
might disagree with me. But if you are looking for strategic
thinking, if you are looking for international engagement, if
you are looking for intelligence activities, all of those are
in other agencies outside of DHS. In fact, the most active
agency has been the Department of Defense. They have the
National Defense University. It has done a great deal of work
on defining things like when is it an act of war, what is
deterrence in cyberspace. The intellectual capital is not
located in any one agency, and that is why we need to
coordinate.
    Mr. Baker. I do not disagree with much of that. NSA, in
particular, is a source of enormous expertise and anyone who
wants to make policy in this area is going to have to rely very
heavily on them. Because they are the attackers, they know what
works and they can, therefore, inform the defenders. And there
is no doubt there has to be leadership from the White House and
someone within the White House who is clearly responsible and
able to make decisions and to drive consensus on the part of
the departments.
    Where I think we may diverge is, I believe that DHS really
should be staffing that person with respect to civilian agency
and private sector coordination.
I recognize that DHS has had
growing pains for sure, and a lot of people would like to give
up on it, but there is no other logical place to do this. In
the last year, DHS has made real strides. They have great
leadership now. And I think they are in a position to do much
more than they have done over the last 3 or 4 years.
    Senator Burris. My time has run out on this round. But one
question I hope that each one of you can respond to very
quickly, what can we in Congress do in reference to this?
    Mr. Kellermann, you want to give it a----
    Mr. Kellermann. I think it is very important that we
empower DHS to conduct red-teaming exercises across civilian
agencies and critical infrastructures so they can identify what
is most vulnerable; to allocate IT resources to fix these
problems, so we at least have a benchmark of where we are and
where we need to go beyond the compliance exercises that
currently exist today. As well, I think through acquisitions
policy, we need to mandate and require that those who provide
managed services that create the systemic risks, the aquatic
risks in the system, should be contractually bound to a
standard of care, which has not been established yet.
    Senator Burris. Mr. Paller.
    Mr. Paller. The key lever you have is forcing the agencies
to spend their money to buy security baked in. If you keep
telling them to do security after they have bought technology
that is broken, they are just not going to be able to do it. So
you are a great weapon, and this is the one committee that can
both set what needs to be done because you have wonderful
people at DHS now working with NSA.
    Senator Burris. Are you saying put the authority in DHS to
deal with the other agencies?
    Mr. Paller. Yes. The authority that was missing in DHS is
what everybody calls the red button. At DOD, when Defense
Information Systems Agency (DISA) says you are doing a bad job
of security, if the other group says tough, DISA can pull the
plug.
    Mr. Paller. So if you want DHS to have the authority you
are talking about, you have to be able to pull the plug on
their computers. And that is something that Congress has not
yet been willing to do.
    Senator Burris. Mr. Lewis, any thought on that as well?
    Mr. Lewis. Sure. The three things that I think that only
Congress can do, it can set priorities, it can modernize
authorities, and it can provide the resources.
    Let me talk just for a second on the first authority.
    If some of us were in a classified briefing from DOD and
they said, we are having an attack--this gets to your missile
point--how do we respond? Is it Title 10, a military activity?
Is it Title 50, an intelligence community activity? Or is it
Title 3 or some other law enforcement activity?
    Right now, it is not clear. There is a whole set of
problems as to how you could make it clear. But when you look
at the authorities for response or for defense, they were
mainly written in the 1980s, and they are out of date.
    Mr. Baker. I agree with everything that has been said up to
now and I would offer this perspective as well. No one is going
to come to you and say ``I have a turf fight; I would like you
to take my side.'' Instead, every time changes in policy are
made, someone's ox is going to be gored. And you are going to
have business groups come to you, contractors who say ``I lost
the contract because I had too many breaches, but that was not
fair''; or ``My product was deemed insufficiently secure, so I
did not get the contract and that is not fair''; or ``they are
regulating me too hard.''
    All of those things are complaints that you will hear, and
I ask that you take them with a grain of salt and ask, how are
we going to solve the problem if we listen to all those
complaints?
    Senator Burris. Again, I am way over my time. Senator
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you.
    Welcome. Thank you each for joining us today. And thank you
for your testimony today and your responses to our questions.
Also thank you for helping to guide me, my staff, and others
here in this Committee and the Subcommittee as we attempt to
develop legislation that we hope is going to be helpful in
addressing the concerns you all have been raising.
    My staff tells me that each of you has had a chance to take
a look at the bill that we will be introducing later today. As
you may recall, it revamps the way that the Federal Government
handles cyber security. We do so by creating a new office for
cyberspace. We focus on actual security instead of paper
compliance and strengthen security officers within agencies.
    You just, in an indirect way, provided some answers to a
question I have. What Senator Burris had just mentioned are
some things we can do in the Congress to respond to these
concerns. So some ideas of what we can do are embodied in the
draft legislation that we expect to introduce later today.
    Could we just go down the row, and start with Mr.
Kellermann, and just share with us what do you think is good
about the bill that we have prepared for introduction and what
is not so good? And are there some areas in the legislation
that need to be added?
Is there something that is missing of
which we should be mindful?
    Mr. Kellermann. As you stated earlier, I think that
elevation of the office is critical. Moving away from paper-
based compliance exercises to more dynamic benchmarking is
fundamental. And increasing accountability is also highly
important and paramount to the success of this.
    I would like to see, actually, an expansion of it to bring
to bear the four critical infrastructures that we have
identified in the commission report because of the systemic
nature of this risk, because all of these players, even
private, can contribute through a lack of layered security to
the economic and national insecurity of the government of the
United States and the American citizens.
    Senator Carper. Thank you. Mr. Paller, before you answer,
let me just say, in our business, as Senator Collins and
Senator Burris know, we are always reminded to be on message.
And I just want to say you were really on message. You were as
good as anybody I have seen and always brought us back to
procurement.
    Mr. Paller. You have three elements of the bill that are
wonderful. I happen to be up on them because one of the press
people called me at 11 o'clock last night----
    Senator Carper. How convenient.
    Mr. Paller. How convenient; exactly.
    But one is you have attack-based metrics in there,
monitoring the things that actually block real attacks. What
people have been doing in the name of FISMA is looking at
everything in the world that might possibly be interesting in
security, and they have not focused on the things that will
actually block the known attacks. You also have continuous
monitoring.
    Under FISMA, the government has been looking every 3 years.
How long do you think that look lasts after the guy leaves? So
there is a continuous monitoring of the critical ones. And the
third one you have is procurement, gently, but it is in there.
    The challenge with the bill is that it also has a bunch of
other nice things that people who do not want to do those three
things will rely on. The bill is great. Whether OMB focuses on
those three, and whether you help OMB focus on those three, is
a big issue, but it is a wonderful bill.
    Senator Carper. Good. Thanks so much. And thanks for your
help in crafting it. Mr. Lewis.
    Mr. Lewis. You can tell who the guru is because I did not
get called by the press until this morning.
    Senator Carper. Well, they called me. I gave him Mr.
Paller's number [Laughter.]
    I asked him to wait to a little later in the evening. I
said I think he is out, so maybe around 11 or 12 o'clock.
    Mr. Lewis. I think the bill is exactly right. It creates
leadership. It moves to better metrics. It gets away from the
paper-based approach. We desperately need to fix FISMA, so I
really hope this bill goes through.
    Senator Carper. Thanks so much. Mr. Baker.
    Mr. Baker. I agree, FISMA is not working very well now, and
any steps along the lines of the legislation that can focus the
effort to improve security on real threats rather than moving
paper would be useful.
    Senator Carper. Thank you.
    Let me stick with this a little bit if we could. I
recognize that cyberspace is not an issue that is strictly the
responsibility of the private sector. It is not the
responsibility of civilian agencies. It is not the
responsibility of just the Department of Defense or the
intelligence community.
    Given that acknowledgment, what office should be
responsible for ensuring that information is not only secure
but free flowing and ensuring our expectations for privacy and
civil liberties?
    Mr. Baker. In my view, there are really two agencies at the
heart of this effort, the National Security Agency for the
security of Defense Department systems and for bringing to bear
the sophistication of attackers on the defensive effort, and
the Department of Homeland Security which has defensive
responsibilities, both for civilian and private sector
networks.
    There are plenty of other agencies that have enormously
important roles to play, but we do not have enough experts to
spread them evenly among those agencies. We need to begin
building a cadre of real cyber security experts on the civilian
side that can match what NSA can bring to bear in the defense
side. And I think DHS is where that critical cadre of expertise
should be.
    Senator Carper. All right. Thank you. Mr. Lewis.
    Mr. Lewis. This has to be a team effort, so I think there
are many agencies, as Mr. Baker said. I would have added FBI as
the third critical agency in your mix. But right now, as one of
my colleagues says, it is like a kid's soccer team, a bunch of
7 year olds, here is the ball, they are all after it. The team
needs a coach or a captain, and that is where I would say that
your bill gets it exactly right.
    Senator Carper. All right. Thanks. Mr. Paller.
    Mr. Paller. I think Mr. Lewis said it fine.
    Senator Carper. All right. But you did not say it. No, I
was just kidding.
    Everyone has said what needs to be said, except for me, so
I am going to say it again. But I appreciate your brevity.
    Mr. Kellermann.
    Mr. Kellermann. I would concur with those comments, but I
would stress one important fact that I think has been lost, and
that is the privacy debate. We cannot achieve privacy without
cyber security. The privacy advocates for a long time now have
stressed that cyber security somehow impacts privacy. Physical
security and the use of technology does impact privacy.
But, \nrealistically, the government does not have a monopoly on Big \nBrother anymore, and that is anyone who can hack. So I think it \nis important that the population respects your efforts in \ntrying to preserve their privacy with these efforts to improve \ncyber security.\n    Senator Carper. I am intrigued by other nations that are \nhacking into our system. I understand the motivation for kids, \nthey do it for fun, the challenge. I can understand the \nmotivation for criminal groups for the monetary gain. There is \na lot of money at stake here and they have the ability to do it \nwithout going into a bank and robbing the bank, but still \ncapture even more money. And I can understand the motivation of \nnations that are hostile to us, like terrorist groups that \nwould like to bring us to our knees. I can see plenty of \nmotivation there.\n    It is less obvious to me when I see a nation with whom we \nhave diplomatic relations, have had for some time, a nation \nwith whom we have a robust trade relationship, a nation that \nbuys enormous amounts of our Treasury securities. For that \nnation to be so anxious to be able to infiltrate our systems \nand, potentially, to undermine our systems, talk to us about \nthat motivation, if you would.\n    Mr. Baker. I think there are two things that are worth \nsaying about this. First, we should not assume that all of the \nattacks on our systems are on behalf of a nation-state. There \nis a kind of shadowy world here that is closer to Sir Francis \nDrake than to an official naval force. That is to say, people \nmay be protected by their government, encouraged by their \ngovernment, rewarded by their government, but they are also \nfree actors. 
And there is plenty of that going on in this \nworld--digital privateers, if you will.\n    But it is also true that many nations that we would \nconsider friendly want the best possible intelligence about \nwhat we plan to do because it has a direct effect on their \nnational security. And so they consider it only prudent to try \nto extract as much information from our networks as they can \nget. That does not mean they intend to shut them down, but the \ndifference between extracting information and shutting down the \nnetwork is just a question of what you leave behind when you \nget out. So, we do see nations that we would consider friends \nin our networks for precisely that reason.\n    Senator Carper. All right. Mr. Lewis.\n    Mr. Lewis. We are moving to a more competitive \ninternational environment. And that means, in the Cold War, it \nwas us versus them. Now it is a multi-player game. It is more \nlike baseball where you have many teams, and these teams want \nto get that intelligence benefit.\n    For me, this is basically a spy story. Now, in particular, \nthe Chinese and the Russians, they have been spying on us for \ndecades. They found a new way. It is really cool. They are \ntaking advantage of it. Does that mean they are not also \nplanning to use this as a weapon in the event of a crisis? \nWell, of course, they are planning that. But their primary \nactivity, the primary risk to national security now, lies in \nthe espionage losses that we are suffering.\n    Senator Carper. All right. Thank you. Mr. Paller.\n    Mr. Paller. There is one more dimension of it, the economic \ndimension. They may be military friends, but they may be \neconomic competitors. 
The head of the British Security Service \n(MI5) sent a letter to the presidents of the 300 largest \ncompanies in the United Kingdom, saying, if you are doing \nbusiness with China, China is using exactly the same techniques \nto break into your computers, and your lawyers' computers, to \ntake the data they need so they can negotiate from a position \nwhere they know more than you do.\n    I know it is true in the United States because the managing \npartner of one of the largest law firms was the first visitor \nin my new house, telling me the FBI had been in to say every \nsingle document of every one of the clients has been taken from \nthe law firm's computers. So there is a massive economic \ndimension to this, in addition to the military intelligence \ndimension.\n    Senator Carper. Thank you. Mr. Kellermann.\n    Mr. Kellermann. To that point, why even focus on research \nand development anymore when you can steal competitors' ideas \nand have competitor advantage in the marketplace? And \nrealistically, why bother actually conducting espionage in the \ntraditional sense, as Mr. Lewis stated, when one can remotely \naccess systems and compromise systems?\n    Senator Carper. All right. That is a lot to chew on, isn't \nit, colleagues? It is a lot to chew on. Thank you so much for \nbeing here today.\n    Senator Burris. Thank you, Senator. We are going to call on \nour Ranking Member, Senator Collins, to see if she has any \nquestions or comments.\n    Senator Collins.\n    Senator Collins. Thank you, Senator. I do have a couple \nmore questions and one comment.\n    Mr. Paller, you and I agree that the Federal Government has \npotentially enormous leverage to improve the security of IT \npurchases just using its purchasing power. 
I found very \ncompelling the story that you told of a Federal official \nessentially begging the head of Microsoft to provide a more \nsecure configuration.\n    Do you have any specific recommendations for us on how we \ncan use the Federal purchasing power to require the \nincorporation of better computer security in the software and \nhardware that we are purchasing?\n    Mr. Paller. There are two levels you can do it. One is the \nsame level the Air Force is doing, which is to persuade the \nvendors to sell more secure versions of what they now sell. And \nthe way you do that is by setting up a partnership between the \nvendor and DHS and NSA to agree on what that more secure \nconfiguration is.\n    Senator Collins. So to agree on standards?\n    Mr. Paller. On standard configurations.\n    Senator Collins. Standard, yes.\n    Mr. Paller. So that we can all buy a safer version. They \nwill push back, saying ``One size does not fit all.'' And the \nreality is, Microsoft sells one size of Windows to 100 million \npeople. Oracle sells one size of its database to 100,000 \npeople. They all sell one size. So the line ``one size does not \nfit all'' is just a lie.\n    But the more important opportunity for immediate action is \nevery contract--so this is not just the contracts to buy the \nbig stuff. But every contract should have three clauses, and I \nactually put them in my written testimony. I think Ms. Evans \nactually pushed them when she was at OMB. One is you have to \nmake your software work on the secure configuration because if \nyou sell me software that does not work on a secure \nconfiguration of Windows, I have to change Windows or not use \nyour software.\n    Two is, you have to make sure that the 25 most critical \nprogramming errors are not in your software. And I do not \nremember the third one, but it is in the written statement.\n    Senator Collins. Thank you. Those are very helpful \nsuggestions and ones that we should adopt.\n    Mr. 
Kellermann, you have done a lot of work and research in \nthis area, so I want to bring up an issue we have not talked \nabout today. And that is trafficking in counterfeit information \ntechnology products. That is a global and growing problem. And, \nof course, it is unfair, because it costs legitimate patent and \ncopyright holders millions of dollars of losses each year. But \nalso, it is a security issue because these inferior products \nare far more likely to contain security vulnerabilities, either \ninadvertently because they are sloppily done, or by design.\n    Do we need some sort of concerted global crack down on \ncounterfeiting of IT products to help improve our security?\n    Mr. Kellermann. Yes, I believe we do. And I think the \nmessaging behind that should be focused on the security aspects \nof that software. Even if it is pirated Microsoft operating \nsystem software, it will not be able to receive updates. And so \nit will persistently have vulnerabilities and holes in code. \nAnd be able to message that through the corporations and/or \ngovernments that are purchasing this type of software will be \nimportant for their understanding of the operational risks that \nthey are taking by taking the short cut through the woods in \nthis aspect.\n    Senator Collins. Thank you.\n    Mr. Lewis, I want to end my comments today by disagreeing \nwith you on the record in your description of the National \nCounterterrorism Center (NCTC). Along with Senator Lieberman, I \nam the author of the law that created that center, so I know \nvery well what the NCTC's responsibilities are. And as the law \nsays, not only does the NCTC serve as the primary organization \nwithin the U.S. 
Government for analyzing and integrating all \nintelligence information, with the exception of domestic \nterrorists, but also it is specifically assigned the role of \nconducting strategic operational planning for counterterrorism \nactivities with all the instruments of international power, \nincluding diplomatic, financial, military, intelligence, \nhomeland security, and law enforcement activities within and \namong the various agencies.\n    Senator Lieberman and I were talking that we remember this \ndebate very well because it was extremely contentious to give \nNCTC the lead role in strategic operational planning. And on \nthis issue, the NCTC reports directly to the President so that \nthe agency has the credibility needed to do the job.\n    Furthermore, I had my staff check this morning, after you \nresponded that NCTC had a very narrow mission, to see whether \nin the new Administration the NCTC is still acting as the lead \nfor all agencies on strategic operational planning. And, \nindeed, it is. In fact, more so in this new Administration.\n    So I just wanted to correct that for the record.\n    Mr. Lewis. Could I add one thing?\n    Senator Collins. You certainly can.\n    Mr. Lewis. You all have done great work, and now I want you \nto do it for cyber security.\n    Senator Collins. As do we. But my point is an entirely \ndifferent point, which is looked at putting NCTC in the office \nof the President. That was the recommendation of the 9/11 \nCommission. And it was one of the few areas--I can only think \nof three of the dozens of recommendations--where we disagreed \nwith the 9/11 Commission and made an informed and considered \nchoice to put this center in the Office of the Director of \nNational Intelligence (ODNI).\n    It was the right decision. It has been judged a success by \nvirtually everyone. 
And I think we have to be really careful \nabout creating a new office, as Senator Carper had suggested, \nwithin the office of the President for fear that we are going \nto diminish our ability to exercise congressional oversight. We \ncannot call the czars or the heads of offices within the \nExecutive Office of the President before this Committee. We \ncannot. We have very little say over their budget.\n    So I think we have to proceed carefully. That is not to say \nthat we are looking at DHS, as you implied, to make decisions \non declaring war. Obviously, that is not the case. That, \nobviously, is something that the President would do with \ncongressional input, of course. But I think we have to proceed \ncarefully here to make sure that we do not create a whole new \nround of turf battles, inadequate congressional oversight, and \nunclear lines of authority.\n    So I think we need, definitely, to strengthen cyber \nsecurity, and the question before this Committee is how best to \ndo that. And I believe that DHS is the logical agency, given \nhow much of cyber security is in the private sector, to \ncoordinate that role. That does not mean diminishing the role \nof NSA or the Department of Defense. Those have vital roles, \nand the FBI, as well. But this is something that I think is \ngoing to be the subject of a lot of debate.\n    So, Mr. Chairman, I thank you for allowing me to have some \nfinal comments on this important issue. And congratulations on \nbeing the acting Chairman.\n    Senator Burris. Thank you, Madam Ranking Member.\n    Just before we adjourn this hearing, I just want to throw \nout something to this distinguished panel, because I am an old \nbank examiner, I am an old auditor. And I wondered if we could \nnot come up with the old system of having two sets of books.\n    Remember that? I am just wondering if we could not have two \nsets of computer systems. 
We will let them hack into one system \nand get all the information they want.\n    Has that been processed or brought up?\n    Mr. Lewis. It is an interesting question, and it has come \nup several times in the past. Physically, it is probably not \npossible.\n    Senator Burris. It is not possible. OK.\n    Mr. Lewis. No. But, virtually, meaning you could have two \ndifferent systems running on the same infrastructure, people \nare looking at that. It may not be possible, but it is \ncertainly an idea that is in discussion now.\n    Senator Burris. Well, at least I am on time.\n    Senator Collins. Thank you.\n    Senator Burris. Thank you, Madam Chairman.\n    We want to thank the panel. And as you heard Chairman \nLieberman say, I am pretty sure with your expertise, you will \nbe back.\n    So we will let the witnesses know that the record will be \nopen for 15 days in case witnesses or senators have additional \nquestions or statements.\n    Last, I would like to say, at this time, the hearing is \nadjourned.\n    [Whereupon, at 11:55 a.m., the Committee was adjourned.]\n\n \n       CYBER ATTACKS: PROTECTING INDUSTRY AGAINST GROWING THREATS\n\n                              ----------                              \n\n\n                       MONDAY, SEPTEMBER 14, 2009\n\n                                     U.S. Senate,  \n                       Committee on Homeland Security and  \n                                      Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10:04 a.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Joseph I. \nLieberman, Chairman of the Committee, presiding.\n    Present: Senators Lieberman and Collins.\n\n            OPENING STATEMENT OF CHAIRMAN LIEBERMAN\n\n    Chairman Lieberman. 
Good morning, and welcome to this \nhearing, and thanks to our distinguished panel of witnesses and \nto all who are here this morning.\n    There is an old familiar saying that, ``No good deed goes \nunpunished.'' The modern technological corollary of that could \nbe, ``No good invention goes unexploited for bad purposes.''\n    And so, as we will discuss this morning, it is in the world \nof cyberspace, as enemies and criminals have used its \nincreasingly dominant role in our lives to attack our \nbusinesses and our Federal, State, and local governments--\nindeed, in some senses to threaten the continuity of our \nsociety, at its worst.\n    It was only 40 years ago that the first two computers were \nconnected into what is now the Internet. Now nearly the entire \nworld is online. The Internet has led to a wonderful revolution \nin commerce, communications, entertainment, and finance that \nhas added greater efficiency, productivity, convenience, and \neven pleasure to our lives and our enterprises.\n    But, again, it seems that no good invention goes \nunexploited for bad purposes. 
And that successful computer \nexperiment 40 years ago that gave us this remarkably \ninterconnected world has also given us a global wave of cyber \ncrime that threatens our national security, our economic \nsecurity, and in some direct senses the well-being of \nindividual companies and individual Americans.\n    In a hearing last April, this Committee examined in detail \nthe threats to national security brought on by terrorists, \nnation-states, common hackers, and cyber criminals.\n    We learned a lot at that hearing, for instance, that \ncomputers containing information on the joint strike fighter \nplane and on our electrical grid have been compromised, \npossibly giving our enemies information that could make our \nfighter planes more vulnerable and, at worst, plunge large \nsections of our society into darkness.\n    Today, we are going to focus on a new wave of cyber crime \nin the private sector that is hitting businesses of all sizes \nacross our country and ask the question: What can be done by \nthe public and private sectors to make commercial cyberspace \nmore secure, especially for organizations that cannot afford to \nhave large information technology (IT) staffs on the job 24/7? \nAnd this is where I am grateful to the witnesses for being \nhere.\n    We will hear first from two witnesses from the private \nsector who will describe how real a problem cyber crime is and \nwhat the private sector is doing and can do about it, and then \ntwo witnesses from the Federal Government who will testify to \nwhat the public sector is doing and what more it can do about \nthis problem.\n    Just to validate the reality of it, in one particular \nexample that now is familiar to those who follow this issue, \ncyber criminals operating out of Eastern Europe stole millions \nof dollars from businesses and local governments by first \nsending a seemingly innocuous e-mail to an unsuspecting company \ncomptroller or treasurer. 
The message contained either a virus \nor an Internet link that installs a tiny piece of computer code \ndesigned to steal passwords.\n    Then, using those passwords to gain entry to accounts, the \ncrooks patiently siphon off amounts of money, and they are \nclever enough, often, to take them in amounts of less than \n$10,000, thus avoiding triggering a bank report under Federal \nanti-money-laundering requirements. Their methods are so \nsophisticated that the traffic often seems to be coming from an \nauthorized computer--which could be a legitimate computer that \nhas been commandeered by the cyber criminal--so the bank or the \nother financial institution does not really know that anything \nis amiss.\n    The money is then transferred to ``money mules.'' It is \namazing how that term ``mules'' turns up in a lot of our \ninvestigatory work here, including people who carry drugs or \nweapons across the border in different directions between the \nU.S. and Mexico. But these money mules are people recruited \nto set up bank accounts the stolen money can be transferred to \nand who then forward the money to the cyber criminals. Some of \nthese people may not even be aware that they are taking part in \na crime. They are often recruited to become ``local agents'' \nhandling cash transfers for what they believe to be a \nlegitimate company.\n    The cyber gangs find these people over Internet job boards \nby advertising the chance to ``make money from home'' or by \ncontacting people directly who have posted resumes on a \nlegitimate job service. 
Once the money shows up in the accounts \nthe mules have set up, they are given instructions on how to \nwire it to other accounts which are controlled by the cyber \ncriminals.\n    Using this basic approach, we know that cyber criminals \nhave stolen an awful lot of money, in cases we know $700,000 \nfrom a school district near Pittsburgh; at least $100,000 from \na bank account of an electronics testing firm in Baton Rouge, \nLouisiana; and approximately $1.2 million from a Texas \nmanufacturer. These, of course, are only a few examples of what \nI think can now accurately be described as a cyber crime wave.\n    In 2007, TJX Corporation--the parent company of T.J. Maxx \nand Marshall's--experienced a breach in its wireless networks \nduring which up to 94 million credit and debit card numbers \nwere put at risk of being used illegally.\n    In 2008, the Heartland Payment Systems--whose CEO, Robert \nCarr--is before us today--was targeted by hackers in an attack \nthat compromised at least 130 million credit card accounts.\n    These are just the large intrusions we know about. A lot of \nthese cyber attacks, from what I have learned, go undetected or \nunreported because the victims are frightened to report them, \neither for reasons of security or because they have been \nthreatened, or, frankly, because they do not want it known that \nit happened.\n    This is a real problem that we have to work together to \nstop. 
Forty years ago, as I said at the outset of my statement, \nthe Internet was a tiny island of interconnected university \ncomputers that was still just an interesting academic \nexperiment.\n    Today the Internet is a vast global system--a kind of new \nstrategic high ground that we call ``cyberspace''--that we \nreally must work together to secure just as any military \ncommander would seize and attempt to secure the high ground of \nany battlefield on which they were engaged.\n    But securing cyberspace is in some senses more complicated, \nthough not, at this moment at least, as physically dangerous to \ndo since the Internet is so, by definition, limitless, \ncertainly in space, and thus, security cannot be achieved by \nthe government or the private sector acting alone, and in some \nsenses it cannot be achieved easily by either or both acting \ntogether. But we have to figure out how to do better at this.\n    A public-private partnership to defend the integrity of \ncyberspace is now urgently essential. Together, business, \ngovernment, and law enforcement throughout the world must come \ntogether to deter these attacks and bring these criminals to \njustice.\n    Our Committee is working on legislation to help to make \nthis so, particularly to further define and strengthen the role \nof the Department of Homeland Security (DHS)--which, of course, \nis the central jurisdiction of the homeland security part of \nour Committee--to strengthen the role of DHS in protecting all \nof us in cyberspace. That is why I look forward to this hearing \nthis morning as a way to help educate the Committee on how best \nwe can produce legislation that will really have the desired \neffect.\n    As always, it has been a pleasure to work with the Ranking \nMember of this Committee, Senator Susan Collins of Maine, and I \ncall on her now.\n\n              OPENING STATEMENT OF SENATOR COLLINS\n\n    Senator Collins. Thank you, Mr. Chairman.\n    Mr. 
Chairman, as you indicated, we are living in a wondrous \nnew age of global information, an era that is being shaped by \ndigital technology, consumer demand, and amazing innovation.\n    It truly is a remarkable time. Today, without thinking much \nabout it, we send pictures, words, and video over the Web in a \nmatter of seconds. We have immediate, 24/7 access to each \nother, texting and talking over affordable wireless devices. \nTechnology is transforming our culture, our economy, and our \nworld.\n    While we enjoy its many benefits, and most people cannot \nimagine life without computer technology, we must also be aware \nof the risks and dangers posed by this new world.\n    As the Chairman has pointed out, for every communications \nadvance, there is also the risk--indeed, almost the \ninevitability--that the technology will be misused and \nexploited. Indeed, experts estimate that cyber crime has cost \nour national economy nearly $8 billion in losses.\n    Protecting our cyberspace has become critically important. \nIn the past 18 months, this Committee has held three hearings \non the topic of cyber security. Each time, we confronted a new \nline of cyber crime or cyber attacks.\n    Newspaper headlines paint a troubling picture of the state \nof information technology security in this country. This past \nFriday, computer hacker Albert Gonzalez pleaded guilty to \ncharges stemming from the theft of tens of millions of credit \nand debit card numbers from the computers of several major \nretailers, including T.J. Maxx, Marshall's, and Barnes & Noble.\n    According to authorities, this may not have been his only \nmajor cyber crime. In August, he was indicted for his alleged \ninvolvement in the largest credit and debit card data breach \never in our country. 
Data relating to more than 130 million \ncredit and debit cards were stolen from a number of \ncorporations, including Hannaford Brothers--a Maine-based \nsupermarket chain--and Heartland Payment Systems, whose CEO is \ntestifying before us today.\n    In July, the U.S. and South Korea endured a sizable denial \nof service attack against both government and privately owned \nsystems. The attack--launched by an unknown attacker--used a \nmassive ``bot-net'' of hijacked computers to disrupt six \nFederal agencies, the Washington Post, Nasdaq, and other \ntargets.\n    Most recently, there has been a significant increase in \norganized cyber gangs stealing money from small and mid-sized \ncompanies. The Financial Crimes Enforcement Network reports \nthat wire transfer fraud rose 58 percent in 2008, with \nbusinesses generally forced to swallow substantial losses that \nthey can ill afford in the current economy.\n    Like the Chairman, I am particularly concerned about the \nimpact of cyber crime on our small businesses that do not have \nthe armies of technology security experts available to them \nthat a large corporation may have.\n    These incidents--coupled with the attacks and crimes that \nwe have discussed in our past hearings--should prompt the \nFederal Government to get organized and to make cyber security \na high priority. Thankfully, there has not yet been a ``cyber \n9/11,'' but information technology vulnerabilities are \nregularly exploited to steal billions of dollars, disrupt \ngovernment and business operations, and engage in acts of \nespionage, including the theft of business, personal, and \ngovernment data. These incidents can be devastating to our \nnational security, erode our economic foundations, and ruin \npersonal lives.\n    We are awash in recommendations on how to better secure our \ninformation infrastructure. 
The Center for Strategic and \nInternational Studies (CSIS), the 60-Day White House Cyberspace \nPolicy Review, and numerous academics and industry stakeholders \nhave suggested numerous ways to improve cyber security. As \nthese latest incidents underscore, however, the time has come \nfor the government to move from simply planning and studying \nreports to taking effective action.\n    Comprehensive cyber security legislation must be a high \npriority for this Congress, and I know that it is a high \npriority for the Chairman and for me. The Department of \nHomeland Security is designated as the lead agency for cyber \nsecurity, but we must ensure that it has more authority to \neffectively carry out its mission, and the Chairman and I are \nworking on legislation that will do just that.\n    A couple of important points that we should be undertaking \nright now: We need to improve information sharing between the \nFederal Government and the private sector. After all, 85 \npercent of critical infrastructure is privately owned.\n    Second, if we encourage the adoption of best practices and \nstandards across the government, and if we encourage, through \nusing our procurement power, computer manufacturers to build \nbetter security into their products, that will benefit the \nprivate sector as well, because the government is such a large \nbuyer.\n    I look forward to discussing how we can strengthen that \npublic-private partnership to ensure the security of this vital \nengine of our economy. Thank you, Mr. Chairman.\n    Chairman Lieberman. Thank you, Senator Collins, for that \nexcellent statement. Again, thanks to the witnesses. Normally, \nMr. Carr, we begin hearings of this kind with the governmental \nwitnesses. I appreciate the cooperation of the governmental \nwitnesses. 
We thought in telling this story it would be a good \nidea to start with a particular case--Heartland Payment \nSystems--and what the private sector is doing now, and then \ninvite Mr. Merritt and Mr. Reitinger to respond.\n    So our first witness is Robert Carr, Chairman and Chief \nExecutive Officer of Heartland Payment Systems, Inc. Thanks for \nbeing here, and please proceed with your statement.\n\n TESTIMONY OF ROBERT O. CARR,\\1\\ CHAIRMAN AND CHIEF EXECUTIVE \n            OFFICER, HEARTLAND PAYMENT SYSTEMS, INC.\n\n    Mr. Carr. Thank you, Senator. Good morning, Chairman \nLieberman and Ranking Member Collins. My name is Bob Carr, and \nI am the Chairman and CEO of Heartland.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Carr appears in the Appendix on \npage 153.\n---------------------------------------------------------------------------\n    Let me begin by thanking the Committee for this opportunity \nto appear today to share our lessons learned. I will talk about \nthe steps we have taken and what more can and should be done to \nbetter protect our customers and the public from criminal \nhackers.\n    Our primary business is to provide payment card processing \nservices to merchants. This involves facilitating the exchange \nof information and funding between merchants and cardholders' \nissuing banks. Heartland provides full-service electronic \npayment processing services for merchants, including clearing \nand settlement, merchant accounting, and support and risk \nmanagement.\n    When a consumer's card is swiped at one of our merchants, \nwe forward the authorization request through the card brand, \nsuch as Visa or MasterCard, to the issuing bank. We then send \napproval back to the merchant, allowing the purchase to be \nmade. We receive payment from the issuer, pass it on to the \nmerchant, and provide statements and accounting to the \nmerchant. 
It is important to note that in the course of our \npayment processing business we do not receive cardholder Social \nSecurity numbers, addresses, or unencrypted personal \nidentification number data.\n    We were founded in 1997, and have since grown from 25 \nemployees to over 3,100 employees. As of December 31, 2008, we \nprovided our bank card processing services to approximately \n230,000 merchant locations in America. Our total bank card \nvolume last year was almost $67 billion.\n    On January 20, 2009, we announced the discovery of a \ncriminal breach of our payment systems environment. This attack \ninvolved malicious software. The malware appears to have \nallowed criminal access to in-transit payment card data during \nthe transaction authorization process. This data is not \nrequired to be encrypted while in transit under current payment \ncard industry guidelines.\n    We were pleased to hear the recent news about law \nenforcement's efforts to investigate and prosecute the \nindividuals who make up the criminal syndicate that law \nenforcement believes is responsible for the Heartland breach \nand others like it. Albert Gonzalez, the alleged mastermind of \nattacks on TJX and other retailers, including Barnes & Noble, \nOffice Max, and Dave & Buster's, has pled guilty to charges in \na 19-count indictment. The charges include conspiracy, wire \nfraud, and aggravated identity theft. Mr. Gonzalez is also \naccused of having hacked into our system, as well as that of \nHannaford Brothers, ATMs stationed at 7-Elevens, and two other \nnational retailers. It is reported that he was part of a team \nwith Eastern European criminals who have attacked a variety of \nU.S. companies. We appreciate the efforts law enforcement is \nmaking to stop these attacks and bring these criminals to \njustice.\n    This has been a difficult experience for me and the \ncompany. 
We have taken a financial charge of approximately $32 \nmillion just in the first 6 months of the year on forensics, \nlegal work, and other related efforts. Unfortunately, the \ncompany is involved in inquiries, investigations, and \nlitigation so I cannot address in more detail the specifics of \nthe intrusion. But I now know that this industry needs to, and \ncan, do more to be better protected against the ever more \nsophisticated methods used by these cyber criminals. I want to \nprovide the Committee with some additional information about \nwhat Heartland is working on to try and prevent such intrusions \nin the future.\n    Let me note two key areas where Heartland is hard at work \nto enhance payment industry security.\n    First, industry and government can be better coordinated. \nThe Financial Services Information Sharing Council and Analysis \nCenter (FS-ISAC), led by Mr. Nelson, has been a great resource \nto a broad range of financial services companies facing cyber \nthreats. However, we could benefit from greater focus on the \npayment processing industry. To address the needs of payment \nprocessors, we recently formed, within the FS-ISAC, the \nPayments Processing Information Sharing Council (PPISC). The \nPPISC provides a forum for sharing information about fraud, \nthreats, vulnerabilities, risk mitigation, and best practices.\n    At the PPISC, we shared with the payment industry members \nthe malware that we discovered had been used to victimize our \ncompany. We did this once I learned that criminals were using \nthis malware to attack the entire industry. I believe that by \nsharing this with others, including our industry competitors, \nwe can better respond to very organized attackers.\n    Second, as reflected in the indictments of Mr. Gonzalez, a \nmodus operandi frequently used by these attackers is to attempt \nto steal payment card data while it is being transferred in the \nclear--meaning it was not encrypted at the time. 
It is clear to \nme that we can address this vulnerability, and our internal \ntechnology team is now developing a possible solution we call \nE3, or ``end-to-end encryption.'' I believe it is critical we \nimplement new technology, not just at Heartland but industry-\nwide. We, at Heartland, believe we are taking the necessary \nsteps to do that.\n    Heartland is working to deploy E3 to render data unreadable \nto outsiders from the point of card swipe. We plan to use \nspecial point-of-sale terminals, with tamper-resistant security \nmodules to protect cryptographic secrets. We also plan to use \nspecial tools in our processing network, hardware security \nmodules, to protect the cryptography associated with the card \ndata.\n    Our goal is to completely remove payment account numbers of \ncredit and debit cards and magnetic stripe data so that they \nare never accessible in a usable format in the merchant or \nprocessor systems. This includes expiration date, service code, \nand other data. We are taking the necessary steps to implement \nthis E3 solution, and I want to let the Committee know where \nour efforts stand.\n    First, we are working with various suppliers on the \ntechnology to make E3 a reality and more ubiquitous. We are \nhopeful these efforts will minimize the costs to merchants \nwhile not inconveniencing cardholders. This is critical to a \nmore secure payment processing system. We are seeking partners \nwho will not use encryption as an opportunity to unduly profit \nat our expense or the expense of our merchant customers.\n    Second, we believe this potential solution needs to be \nimplemented on an industry-wide basis. We have been working \nwith the Accredited Standards Committee X9 to seek adoption of \na new standard to protect cardholder data in the electronic \npayments industry so all users can benefit from it. 
Ultimately, \nthe Payment Card Industry Security Council must approve this \nstandard, and we are hopeful it will do so.\n    Third, once the standards are established, we will need the \ncard brands and other financial institutions to cooperate and \nbe willing to implement on their side the encryption system our \nmerchants are willing to use. We have been meeting with the \ncard brands, and we hope we will be able to make progress on \nadoption by the card brands. However, without the cooperation \nof all of the card brands, some of the encrypted data would \nhave to be decrypted--and thereby rendered less secure--prior \nto transmission to the card brands and their issuing banks. I \nam hopeful that each of the card brands will ultimately accept \nencrypted transactions from all payment processors.\n    We are working on these solutions, both technological and \ncooperative, because I don't want any one else in our industry \nor our customers or their customers--the consumers--to fall \nvictim to these cyber criminals. The attacks we face in this \ncountry potentially can have substantial consequences, and we \ncan learn from our experience. While we cannot eliminate the \nrisk, we can make cyber theft more difficult. I look forward to \ncontinuing to work to beat these criminals and appreciate your \nhelp as we continue this battle.\n    I welcome any questions Members have about my testimony \ntoday.\n    Chairman Lieberman. Thank you, Mr. Carr, for that opening \nstatement.\n    Now we will hear from William Nelson, who is President and \nChief Executive Officer of the Financial Services Information \nSharing and Analysis Center, which I have learned is known \ncommonly as FS-ISAC. Thanks, Mr. Nelson. I presume you will \ntell us a little bit about the history of the organization.\n    Mr. Nelson. Yes, I will start with that.\n    Chairman Lieberman. Go right ahead.\n\n    TESTIMONY OF WILLIAM B. 
NELSON,\\1\\ PRESIDENT AND CHIEF \n EXECUTIVE OFFICER, FINANCIAL SERVICES INFORMATION SHARING AND \n                        ANALYSIS CENTER\n\n    Mr. Nelson. Chairman Lieberman, Ranking Member Collins, my \nname is Bill Nelson, and I am the President and CEO of the FS-\nISAC. I want to thank you for this opportunity to address the \nU.S. Senate Homeland Security and Governmental Affairs \nCommittee on this very important issue.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Nelson appears in the Appendix on \npage 160.\n---------------------------------------------------------------------------\n    The FS-ISAC was formed in 1999 in response to the 1998 \nPresidential Decision Directive 63 that called for the public \nand private sector to work together to address cyber threats to \nthe Nation's critical infrastructures. After September 11, \n2001, and in response to Homeland Security Presidential \nDirective 7 and the Homeland Security Act, the FS-ISAC expanded \nits role to encompass physical threats to our sector.\n    The FS-ISAC is a 501(c)6 nonprofit organization and is \nfunded entirely by its membership firms through dues and by \nsponsors. In 2004, there were only 68 members of the FS-ISAC, \nmostly larger financial services organizations. Since that time \nthe membership has expanded to over 4,100 organizations, \nincluding commercial banks and credit unions of all sizes, \nbrokerage firms, insurance companies, payments processors, and \nover 40 trade associations representing the majority of the \nU.S. financial services sector.\n    The FS-ISAC works closely with various government agencies, \nincluding the U.S. Department of Treasury, the Department of \nHomeland Security, the Federal Reserve; our biggest partner in \nlaw enforcement, the U.S. 
Secret Service; the Federal Bureau of \nInvestigation (FBI); the National Security Agency (NSA); \nCentral Intelligence Agency (CIA); State and local governments; \nand other government organizations.\n    The overall objective of the FS-ISAC is to protect the \nfinancial services sector against cyber and physical threats. \nIt acts as a trusted third party that allows members to submit \nthreat, vulnerability, and incident information in a trusted \nmanner for the good of the financial services sector. I have \nprovided a complete list of the FS-ISAC information-sharing \nservices and activities in the written testimony. I would, \nhowever, like to mention six of them to give you an idea of how \nthe FS-ISAC meets the information-sharing needs of its members.\n    First and foremost, we provide delivery of timely, \nrelevant, and actionable cyber and physical e-mail alerts from \nvarious sources through our Security Operations Center (SOC). \nThis SOC operation is staffed 24/7 in order to keep our \nmembership apprised of the latest threats, incidents, and \nvulnerabilities. Obviously, the cyber criminal does not work on \na 9 to 5 schedule, and we must be constantly vigilant to \nrespond to their attacks.\n    Second, we have Subject Matter Expert committees consisting \nof volunteers of our member firms. They serve on committees \nthat provide in-depth analyses of the risks to the sector and \nrecommend mitigation and remediation strategies and tactics.\n    Third, member surveys allow members to request information \nregarding security best practices at other organizations. The \nresults of these surveys are then shared with the entire \nmembership.\n    Fourth, we hold regular bi-weekly threat information calls \nfor members to discuss the latest threats, vulnerabilities, and \nincidents. And we frequently have guest speakers from \ngovernment, law enforcement--like the U.S. 
Secret Service--and \nfrom other sectors that discuss risk-related subjects on these \ncalls.\n    And, five, we conduct emergency conference calls to share \ninformation with the membership and solicit input and \ncollaboration. Last year, we had three emergency calls related \nto cyber threats and two pertaining to physical incidents.\n    And, six, we routinely conduct online presentations and \nhave a regional outreach program to educate small to medium-\nsized regional financial services firms on threats, risks, and \nbest practices.\n    A key factor in all of these activities is trust, and the \nFS-ISAC works to facilitate development of trust between its \nmembers, with other organizations in our sector and with other \nsectors, and with government organizations, particularly the \nlaw enforcement and intelligence communities.\n    Next I would like to briefly mention some of the public-\nprivate sector response to the cyber crime issue. We have been \nworking with law enforcement, financial regulators, and our \nmembers, and we do recognize the criminal threat to both \naffected institutions and to consumer confidence, in \nparticular, posed by these activities, and we are taking steps \nto address areas of concern.\n    I think the U.S. Secret Service commitment to the financial \nservices sector has been tremendous. They provide classified \nbriefings for us, and they actually have an assigned full-time \nemployee to our sector.\n    Another example of a successful instance of government-\nfinancial services sector information sharing occurred on \nOctober 24 of this year when the FBI, FS-ISAC, and the National \nAutomated Clearinghouse Association (NACHA)--a rulemaking body \nfor the Automated Clearinghouse Network--in case you do not \nknow what that is, if you have direct deposit, you participate \nin the Automated Clearinghouse Network (ACH). 
We released a \njoint bulletin concerning account takeover activities targeting \nbusiness and corporate customers. And, Senator Lieberman, you \ngot a lot of your information, I think, from that bulletin or \nfrom the Washington Post that got a hold of it.\n    The bulletin described the methods and tools employed in \nrecent fraud activities against small to medium-sized \nbusinesses that have been reported to the FBI. FS-ISAC and \nNACHA subject matter expertise was applied to that FBI case \ninformation to identify the detailed threat detection and risk \nmitigation strategies for financial institutions and their \nbusiness customers. At the same time, we preserved the ongoing \nintegrity of those investigations.\n    The bulletin was distributed to the FS-ISAC, to its over \n4,100 members and its 40 member associations, so we think we \nwere able to reach tens of thousands of financial institutions. \nSo we are pretty sure that the bulletin ultimately reached \nnearly every financial institution in the United States.\n    The FS-ISAC and NACHA developed a comprehensive list of \nrecommendations to financial institutions to educate their \nbusiness customers on the need to use online banking services \nin a secure manner. As a result of this bulletin, financial \nservices firms and their business and corporate customers have \nbecome more aware of some of the online risks facing them and \nhow to detect malicious and criminal activities.\n    The FS-ISAC also works closely with other key financial \nservices industry groups to protect the industry and its \ncustomers against cyber threats. My written testimony details \nsome of these efforts, but I would like to mention one in \nparticular. 
This year, the American Bankers Association, the \nFS-ISAC, and the Financial Services Roundtable worked with the \nFederal Government's General Services Administration (GSA), the \nInternal Revenue Service (IRS), and the Social Security \nAdministration (SSA) to develop a proposal for better ID \nassurance for online e-Government applications. The goal of \nthis effort is to leverage the ``Know Your Customer'' \nrequirements that banks, credit unions, and other financial \nservices firms employ for ID proofing and turn that into a \nhigher level of assurance for access to online government \napplications. The project is right now in its proposal phase at \npresent and still requires a funding commitment and more \ndefinition around the business model and system architecture. \nHowever, it is a great example of how the public and private \nsector cooperation is beginning to progress in this important \narea of online ID assurance.\n    From a regulatory perspective, financial regulators are \nactively involved in developing regulations and supervisory \nguidance and conducting focused examinations of information \nsecurity, vendor management, and business continuity controls \nat financial institutions and major service providers. There \nare nearly a dozen booklets covering these key cyber security \nand business continuity issues in the Federal Financial \nInstitutions Examination Council (FFIEC) handbook.\n    For the last part of my testimony, I would like to cover \nsix broad recommendations. One is the need to improve cyber \ncrime law enforcement. I think our partners in the United \nStates are doing a great job--the U.S. Secret Service, FBI, and \nothers--but there needs to be better international \ncollaboration in particular regarding investigations and \nprosecutions. 
Law enforcement in many cases knows the threat \nactors, but in some countries, the governments and law \nenforcement in those countries often protect the cyber \ncriminal.\n    Another area is that private sector firms report that some \nlocal law enforcement agencies require minimum thresholds \nbefore they will take the case. However, evidence indicates \nthat most of these types of attacks are directed at many firms \nand their customers so the cumulative dollar value of the crime \ncommitted may be many times the threshold that has been \nestablished. I think there needs to be improved communication \nat the local level between financial services firms and their \ncyber crime law enforcement contacts and an understanding of \nhow to report these crimes so that action can be taken.\n    I would support Mr. Carr's recommendation also that there \nneeds to be stronger authentication and encryption. Financial \nservices firms, processors and regulators need to encourage \nsmart use of encryption and stronger authentication.\n    We also need to improve financial institution information \nsecurity programs through a flexible and dynamic approach to \ncyber security.\n    And the fourth recommendation I came up with in the \ntestimony is to improve the public-private sector \ncollaboration. We need to expand information sharing between \ngovernment agencies and the financial services industry. As \npart of that, we also need to improve the Internet \ninfrastructure and use Federal procurement power to improve the \nsecurity of software and hardware and services. We would \nsupport the recommendation that Ranking Member Collins and \nSenator Lieberman have come up with.\n    And last is education. 
There needs to be more public-\nprivate sector collaboration to support educational efforts to \nincrease consumer and business awareness of cyber threats and \nrisk mitigation best practices.\n    In conclusion, industry, law enforcement, regulators, and \nDHS have responded to cyber crime threats against financial \nservices firms and businesses and consumers, but more work \nneeds to be done, and we look forward to making continued \nprogress against cyber threats to our Nation. Thank you.\n    Chairman Lieberman. Thanks, Mr. Nelson. Just a point of \nclarification. When you referred through your statement to \nphysical threats as well as cyber threats as a focus of your \norganization, I think I know what you meant, but why don't you \nclarify it for us?\n    Mr. Nelson. Yes. During Hurricanes Ike and Katrina, we \nstood up operations to be responsive to our sector to make sure \nthey were aware of what was happening. We got really good \nreports from DHS about where power outages were likely to \noccur. In fact, they have a great predictive model for that.\n    We were able to provide information through some of the \ncredit card processors of where merchants were actually \nprocessing transactions, so we knew where food transactions, \nmedicine, building supplies, and other types of key critical \ninformation, where those transactions were processed. We \ndirected that to DHS and to other sources so they could \nallocate resources and send people in the right place to get \nwhat they needed.\n    Chairman Lieberman. That is physical threat from a natural \ndisaster. Do you also include in the category of physical \nthreat protection of physical financial services information \nfrom physical terrorist attacks, not cyber attacks?\n    Mr. Nelson. Yes, we also prepare for physical terrorism. We \nhave services that were actually purchased for that, too. 
If \nthere is a physical attack, let us say, in London--the \nunderground bombings from a few years ago, we did report that. \nThe Mumbai attacks, we reported that within 15 minutes of them \noccurring. We did not know exactly what was happening, but we \ndid push that information out immediately. So we did report on \nthat.\n    Chairman Lieberman. I will leave this in a minute, but what \nabout actually working with the financial institution? A while \nago there was a lot of concern post-September 11, 2001, that \nthere might be an actual physical attack on Wall Street to \ncreate the obvious disruption that would exist. Is that \nsomething you get involved in? For instance, with an explosive, \na suicide bomb, something of that kind.\n    Mr. Nelson. Yes, we would. If there is any intelligence \nabout that potentially occurring, we may get that from the \nintelligence community. We have over 150 people in our sector \ncleared for secret clearance, and, actually we are looking at \nadding more for top secret clearance. So if there is some \nthreat intelligence about a potential physical threat, we do \npass that on. And if the attack does occur, we report that. And \nwe have a Business Resilience Committee that works on that.\n    Chairman Lieberman. How about preventively or proactively? \nAre you working with member organizations to encourage them or \nassist them in protecting themselves from physical attack of \nthat kind?\n    Mr. Nelson. Yes, we do. We get reports, for instance, some \nof these--the protester threat, for instance, recently. There \nis a G-20 meeting coming up in Pittsburgh. We have put out a \nnumber of reports on that from a source that we have, an \ninternational source that we got information on it, the type of \nthreat actors that may appear at it--some of them actually \nfairly dangerous. They are not all sitting there with non-\nviolent type protests.\n    Chairman Lieberman. Right.\n    Mr. Nelson. 
There have been violent attacks in some of \nthese cases. So we have been able to report on that and provide \nbest practices on how to deal with it.\n    Chairman Lieberman. OK. Thanks. We will come back to that.\n    Michael Merritt is next, Assistant Director, Office of \nInvestigations, U.S. Secret Service, which is now part of the \nDepartment of Homeland Security. Again, thanks for being here, \nMr. Merritt. Thanks for what you do every day. I hope you will \nbegin by explaining to anybody who is watching this why the \nSecret Service is involved in this field since generally the \npublic sees you almost exclusively as protecting presidents, \nvice presidents, and other public officials.\n\nTESTIMONY OF MICHAEL P. MERRITT,\\1\\ ASSISTANT DIRECTOR, OFFICE \n  OF INVESTIGATIONS, U.S. SECRET SERVICE, U.S. DEPARTMENT OF \n                       HOMELAND SECURITY\n\n    Mr. Merritt. I would be happy to. Good morning. Chairman \nLieberman, Ranking Member Collins. Thank you for the \nopportunity to address this Committee on the Secret Service's \nrole in investigating cyber and computer-related crimes.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Merritt appears in the Appendix \non page 174.\n---------------------------------------------------------------------------\n    While the Secret Service is perhaps best known for \nprotecting our Nation's leaders, we were established in 1865 to \ninvestigate and prevent the counterfeiting of U.S. currency. As \nthe original guardian of the Nation's financial payment system, \nthe Secret Service has established a long history of protecting \nAmerican consumers, industries, and financial institutions from \nfraud. 
Over the last 144 years, our investigative mission and \nstatutory authority have expanded, and today the Secret Service \nis recognized worldwide for our expertise and innovative \napproaches to detecting, investigating, and preventing \nfinancial fraud.\n    In recent years, we have observed a significant increase in \nthe quality, quantity, and complexity of cyber cases targeting \nfinancial institutions in the United States. With the advent of \ntechnology and the Internet, a transnational ``cyber criminal'' \nhas emerged, resulting in a marked increase in cyber and \ncomputer-related crimes targeting private industry and other \ncritical infrastructures. Current trends show an increase in \nnetwork intrusions, hacking attacks, malicious software, and \naccount takeovers resulting in data breaches affecting every \nsector of the American economy.\n    As the well-trained, well-equipped, and sophisticated cyber \ncriminals continue to target the large corporations who have \nhistorically had more resources and assets in place to protect \ntheir networks, the less sophisticated cyber criminals continue \ntheir attacks against the small and medium-sized businesses \nthat do not have the expertise in place to protect their data.\n    For example, in October 2007, the Secret Service identified \na complex fraud scheme in which servers owned by a payroll \ncompany were compromised by a network intrusion. Subsequently, \nfour debit card accounts belonging to a small Midwestern bank \nwere compromised, distributed via the Internet, and used in a \ncoordinated attack resulting in ATM withdrawals in excess of $5 \nmillion. 
The withdrawals involved 9,000 worldwide transactions \nin less than 2 days, and the small bank had to file for Chapter \n11 bankruptcy protection.\n    Following the investigative leads generated in this case, \nwe were able to prevent additional losses by notifying victim \ncompanies of the intrusion and compromise, often before the \ncompanies became aware of the illicit activity. For example, \nwhen we discovered that the computer network of a U.S. bank had \nbeen compromised, our prompt notification enabled the bank to \nsignificantly reduce its exposure and avoid potential losses \nexceeding $15 million. Based on these investigative efforts, \nthe Secret Service identified 15 compromised financial \ninstitutions, $3 million in losses, 5,000 compromised accounts, \nand prevented more than $20 million in potential losses to U.S. \nfinancial institutions and consumers.\n    While cyber criminals operate in a world without borders, \nthe law enforcement community does not. The multi-national, \nmulti-jurisdictional nature of these cyber crime cases has \nincreased in complexity and, accordingly, increased the time \nand resources needed for successful investigation and \nadjudication. The anonymity, level of collaboration among cyber \ncriminals, and transnational nature of these crimes have raised \nboth the intricacy of these cases and the level of potential \nharm.\n    To face the emerging threats posed by cyber criminals, we \nhave adopted an innovative, multi-faceted approach. A central \ncomponent of our capabilities for investigating cyber crime is \nthe Electronic Crimes Special Agent Program. Today this program \nis comprised of 1,148 special agents deployed in 98 offices \nthroughout the world who have received training in forensic \nidentification and the preservation and retrieval of \nelectronically stored evidence. They are among the most highly \ntrained experts in law enforcement. 
Additionally, in \npartnership with the Department, the State of Alabama, and the \nAlabama District Attorneys Association, we have established the \nNational Computer Forensics Institute. The goal of this \nfacility is to provide State and local law enforcement, \nprosecutors, and judges with the necessary training, not only \nto understand cyber crime, but to respond to network intrusion \nincidents and to conduct electronic crime investigations. This \nprogram has been extremely successful, and since opening in May \n2008, we have provided training to 564 State and local law \nenforcement officials representing over 300 agencies from 49 \nStates and two U.S. territories.\n    As cyber cases continue to increase in size, scope, and \ndepth, as an agency we are committed to sharing information and \nresources with our law enforcement partners, academia, and the \nprivate sector. To accomplish this, we have established 28 \nElectronic Crimes Task Forces (ECTFs), including the first \ninternational task force based in Rome, Italy. Currently, \nmembership in our Electronic Crimes Task Forces includes nearly \n300 academic partners, over 2,100 international, domestic, \nFederal, State, and local law enforcement partners, and over \n3,100 private sector partners. These partners, who range in \nscope from companies with less than 20 employees to Fortune 500 \ncompanies, enjoy the resources, expertise, and advanced \nresearch provided by the Electronic Crimes Task Forces \ninternational network.\n    In addition, the network that has been established by our \nECTFs was instrumental in making the Secret Service's first \nGlobal Cyber Security Conference last month a resounding \nsuccess. This 3-day conference was designed to share the latest \ninformation in investigative techniques used to combat cyber \ncrime. 
The conference was attended by personnel from over 370 \nentities representing 11 countries.\n    In addition, to coordinate these investigations at the \nheadquarters level, we have established the Cyber Intelligence \nSection to collect, analyze, and disseminate data in support of \nour cyber investigations and to generate new leads. The Cyber \nIntelligence Section has been instrumental in our success in \ninfiltrating online cyber criminal networks.\n    One such infiltration allowed us to initiate and conduct a \n3-year investigation that eventually led to the identification \nand indictment of 11 perpetrators from the United States, \nEastern Europe, and Asia. This case involved the hacking of \nnine major U.S. retailers and the subsequent theft and sale of \nmore than 40 million credit and debit card numbers, commonly \nreferred to, as it has been in this forum, as the TJX \ninvestigation. The total account loss associated with this \ninvestigation is still being assessed. However, one of the \ncorporate victims has already reported expenses of nearly $200 \nmillion resulting from the intrusion.\n    As I have highlighted in my statement, the Secret Service \nhas implemented a number of initiatives pertaining to cyber and \ncomputer-related crimes. Responding to the growth in these \ntypes of crimes and the level of sophistication these criminals \nemploy demands an increasing amount of resources and greater \ncollaboration. It is not a threat of the future. It is a \nchallenge being faced by law enforcement today. Accordingly, we \ndedicate significant resources to increase awareness, educate \nthe public, provide training for law enforcement partners, and \nimprove investigative techniques. The Secret Service is \ncommitted to our mission of safeguarding the Nation's critical \ninfrastructure and financial payment systems. 
We will continue \nto aggressively investigate cyber and computer-related crimes \nto protect consumers.\n    Chairman Lieberman and Ranking Member Collins, this \nconcludes my prepared statement. Thank you again for this \nopportunity to testify on behalf of the U.S. Secret Service, \nand I will be pleased to answer any questions you might have \nduring this session.\n    Chairman Lieberman. Thanks, Mr. Merritt. I must say I am \nencouraged and impressed by what you have told us about all \nthat the Secret Service is doing. It is very good, both the \noutreach here within the country to the private sector and law \nenforcement, but also based on your very accurate statement \nthat cyber criminals do not know boundaries but law enforcement \nauthorities do; and, therefore, we have to create places and \nperhaps institutions where the good guys can figure out how to \nwork across boundaries with the same speed and effect that the \ncyber criminals do. So I look forward to the question period.\n    Our final witness on the panel is Philip Reitinger, Deputy \nUnder Secretary, National Protection and Programs Directorate \n(NPPD) of the Department of Homeland Security. Mr. Reitinger, \nwe welcome you here, and really welcome you to the Department \ngenerally, with a lot of enthusiasm and high expectations. The \nDepartment was created out of legislation from this Committee. \nWe follow it closely. We feel good about a lot of the progress \nbeing made in the Department. I personally give the Department \nsome good share of the credit for the fact that we have not \nsuffered another major terrorist attack since September 11, \n2001.\n    But it is my conclusion also--and I am not alone--that in \nthis particular area of cyber security, the Department has not \nmoved as quickly and as effectively as it should have. So your \ncoming to this position is very important to a lot of us. 
\nEverything we know about you says you have the credentials and \nexperience to do the job. So do not screw up. [Laughter.]\n    Chairman Lieberman. Go ahead, Mr. Reitinger.\n\n TESTIMONY OF PHILIP R. REITINGER,\\1\\ DEPUTY UNDER SECRETARY, \n NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT \n                      OF HOMELAND SECURITY\n\n    Mr. Reitinger. Thank you, Chairman Lieberman, Ranking \nMember Collins. It is indeed my commitment not to screw up.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Reitinger appears in the Appendix \non page 183.\n---------------------------------------------------------------------------\n    It is an honor to be here today to talk with the Committee. \nThis is my first opportunity to appear before Congress to \ntestify specifically on cyber-related issues, and I am very \npleased to be here today to do so.\n    I would like to start with the threat, if I might. I think \nthe Committee, the panel, and the audience know that we are \ndealing with an increasingly dynamic and threatening \nenvironment in many ways. Hacker skill is rising across the \nboard. Not only are the best hackers becoming better and \nbetter; ``script kiddies,'' as we used to call them during my \nlaw enforcement days, increasingly have more and more \nsophisticated tools so that they can wreak a high degree of \ndamage without even knowing too much about what they are doing. \nAnd relevant to the topic of information sharing, hackers in \nsome ways remain better at information sharing than we, in \ngovernment, have been. So that is an area of growth for us.\n    There is the general movement toward targeted attacks. 
Back \nwhen I first got involved in this game, if you will, back in \nthe 1990s, as a line cyber prosecutor in the Computer Crime and \nIntellectual Property Section at the Department of Justice \n(DOJ), hackers mostly were doing things like tearing down Web \npages and putting up pictures on the DOJ Web page of a Nazi \nsymbol and those sorts of things that were annoying, but more \nannoying than anything else. And then we went through the \nperiod of worms where mass disruption took place, but perhaps \nlittle lasting damage.\n    That is not the world we are in anymore. Hackers are after \ninformation of value and actual money, as today's panel \nindicates, and they are increasingly targeting attacks for the \nplaces where they can get value. And that makes things more \nrisky.\n    There are other elements of our risk profile that are \ncontinuing to go up and over which we have little control. I \ncall them connectivity, complexity, and criticality.\n    Connectivity: We are increasingly connecting all of our \nsystems in more and more different ways, so everybody has \nalways-on, high-bandwidth connections, and there are \nincreasingly international connections, and we are building up \nthis vast network that makes us all able to do more but, as the \nChairman indicated in his opening remarks, also makes us more \nvulnerable.\n    Complexity: We are connecting more and more devices, from \nsmart phones to embedded devices; TVs are connected to the \nInternet now. And as we put all of these different devices \ntogether, running many different types of software, the mere \ncomplexity of the ecosystem makes it harder and harder to \nsecure.\n    Last, criticality: We depend on this network of networks \nand the machines that are connected to it every day, not only \nto play, to do things like social networking, but for the basic \nfunctions of our government and economy. 
And that imposes upon \nus a need not to stand still.\n    I do believe over the last 10 years we have made progress, \nbut we have not made enough. We have to make more. And as the \nCyberspace Policy Review indicated, the status quo is simply \nnot sufficient. We all need to work together in even stronger \npartnership to address the growing threats that we face and, to \necho another of the Chairman's comments, to do so at Internet \nspeed, not just in law enforcement, although working at \nInternet speed in law enforcement is a significant problem.\n    When I was at the Computer Crime and Intellectual Property \nSection, one of the things we did was work on negotiating the \nCouncil of Europe Cyber Crime Convention. That was a first \nstep, but we need to go further to build the law enforcement \nand specifically the operational relationships that are \ninternational and will allow us to respond effectively.\n    I would like to highlight a couple of the things that we \nare doing specifically around partnerships within DHS to \naddress this.\n    First, it is critically important that we continue to build \npartnership across government. This is another area where I \nthink we have been effective but can grow more effective. I \nwell remember the very first hacker case that I did when I \nfirst joined the Computer Crime Section back in the 1990s. I \nwas a DOJ prosecutor, and it was investigated by the Secret \nService. So that was then a Department of Treasury-Department \nof Justice collaboration. We started there. We have continued \nto grow, and we are in a place now where people have come into \npositions across the Federal Government. I think we have put a \nstrong team together not only in DHS but in multiple government \nagencies so that we can work very effectively together.\n    In DHS, we are working very hard to continue to up our game \nand build our capabilities. 
I am perhaps most focused on the \npeople part of this because I am a big believer that \norganizations fail or succeed based on the people that they \nhave. I have some great people and an awesome team, but I do \nnot have enough of them. I am in the process of trying to grow \nthe National Cyber Security Division. It now has about 111 \npeople on board as of last week, and we want to grow it to 260 \npeople next year. So that is a heavy lift in government, but we \nare committed to doing our best to fulfill it.\n    We also need to continue to work better and faster and more \neffectively with the private sector. I have seen this from both \nsides. I started in the Department of Justice. I worked for the \nDepartment of Defense. I spent about 6 years in the private \nsector where I had the honor of being the President of the \nInformation Technology Information Sharing and Analysis Center \n(IT-ISAC), a companion organization to the FS-ISAC, before I \njoined DHS again earlier this year. And I have seen incredible \ncommitment from people in both the private sector and public \nsector. I believe we have a real opportunity here. And we have \nbuilt partnerships, but there is a lot more to do.\n    In particular, we have built the ways to work together. We \nhave built the framework to work together. Now we need to drive \ntoward outcomes. We need to worry less about having a \npartnership and more about what we can achieve with the \npartnership. So let me highlight a few quick examples of some \nof the things that I think we need to focus on for the coming \nfew months.\n    The first is the National Cyber Incident Response Plan. \nThis was called for in the President's Cyberspace Policy \nReview. It may sound kind of highfalutin' and sort of meta, but \nit is actually not. 
The idea is that we need, if something bad \nhappens, a mechanism, a very actionable way for all of the \nrelevant government agencies and all of the different entities \nacross the private sector to come together as one Nation--not \none government, not one sector, but one Nation to respond to \nthe incident. And we kicked off that process as called for in \nthe Cyberspace Policy Review. It is a broad process, and we are \ndoing this differently than is the traditional government \nprocess.\n    The traditional process is you get together, you talk and \ntalk and talk, and when it is 99 percent done, you go to the \nprivate sector, and you say, ``What do you think about it?'' Or \nmaybe when it is 100 percent done, you ask them for comments. \nWe are not doing that. We have invited the private sector to \nthe table at the very start so that they can help build the \nfoundations of that plan.\n    Associated with it is the second thing. The private sector \nhas recommended to us for some time that we need to integrate \nour cyber and communications watch capabilities so we can work \ntogether effectively. We are doing that. We are moving towards \nan integrated watch floor that will combine DHS's different \ncyber watch centers, like the National Coordinating Center \n(NCC), which is focused on telecommunications; U.S. Computer \nEmergency Readiness Team (US-CERT), which is focused on IT; and \nthe National Cyber Security Center, which is focused across \ngovernment, will be collocated at the same site and able to \nwork together effectively across government and with the \nprivate sector, growing our relationship with the private \nsector and with State, local, tribal, and territorial \ngovernments, so we have the organizational mechanisms, \npartnerships, and trusted relationships to let us implement \nthat Cyber Incident Response Plan process and also work \ntogether more actively to mitigate incidents before they become \nfull-blown incidents. 
We are going to test those processes next \nyear as they get developed in the Cyber Storm II exercise \ncurrently scheduled for September 2010.\n    We will also be in the process over the next year of \nlaunching a new and more significant national awareness \ncampaign. We know mostly how to protect systems. Technology is \nnot the barrier. What we need is to get the word out there and \nto raise the awareness, among other things, of end users and \nsome of these small and local businesses, of how they can \nprotect themselves, the simple steps that they can take, and \nwhat the threat looks like. So we are committed to doing that.\n    I am going to drop a quick footnote that the two private \nsector members of the panel early on noted the importance of \nauthentication. I would emphasize that we need to do that. The \nPresident's Cyberspace Policy Review called for the creation of \na Cyber Identity Management Strategy. There is little that we \ncould do that would be more effective to help people protect \nthemselves than to implement strong authentication mechanisms \nthat are available for people's use with privacy built in from \nthe very start. That would enable much better self-protection.\n    In conclusion, I would say that I think we are at a moment \nin time when we can really make a difference. We have the right \nfocus across government and with the private sector. We have \nleadership commitment from the President, and certainly from my \nsecretary and deputy secretary, and the right people coming \ninto key positions in the private sector. I think we can make a \nreal difference as a community.\n    With that, I look forward to your questions. Thank you.\n    Chairman Lieberman. Thanks very much, Mr. Reitinger. I \nappreciate both the substance and the spirit of your opening \nstatement.\n    Let us start with 7-minute rounds for Senator Collins and \nmyself.\n    I am fascinated by the global nature of cyber crime. 
I am \ncurious if we know, in this case of Mr. Gonzalez, how did he \nconnect with the Eastern European gangs that he presumably was \nworking with in the cyber crimes? Mr. Merritt, do you have that \nanswer?\n    Mr. Merritt. Yes, sir. Let me put it in perspective. We \nhave talked about compromise today and the exfiltration of \nproprietary information, such as credit and debit card \ninformation from financial and banking institutions. Here is \nwhere they end up. They end up in what we call ``carding \nportals,'' or ``carding websites.'' The best description, in \nthe short time we have today, is that the carding portals are \nto the criminals what Craigslist and eBay are to law-abiding \ncitizens.\n    On these carding portals, you can find anything you need. \nPeople that, in fact, have intruded in these companies and \nexfiltrated credit and debit card information are posting the \ninformation there for sale.\n    Chairman Lieberman. In other words, it is a Web site, \nbasically.\n    Mr. Merritt. It is a Web site. What happens in these \nloosely held criminal hierarchies is that, through reputation, \nyou have people who, in fact, successfully hack into companies \nand then sell their wares on these Web sites. They do not know \neach other personally, Mr. Chairman. They know each other by \ntheir nicknames on these Web sites, and they conduct business \nwithout knowing who they are. You might have some that are \ninvolved in recruiting, some that are selling his or her own \nservices, or specialty services, such as hacking or phishing. \nThat is where they meet each other.\n    So when you say, do they meet each other in a physical \ncomplex of the traditional type crime, no, sir. They are known \nto each other through these various nicknames on carding \nportals. 
In these cases, which are transnational in nature, \nthat is how they are able to effectively communicate via the \nInternet without actually knowing who they are or even where \nthey reside.\n    Chairman Lieberman. That is really astounding, but also \nabsolutely predictable when you think about it. I will leave it \nto you how much you want to say since we know they are meeting \nin these portals for criminal purposes--law enforcement \nattempts to find its way into those portals, just as if you \nknew that organized crime figures were meeting at a particular \nrestaurant regularly, or using a particular pay phone, you \nwould find a way to tap that phone or be present in that \nrestaurant.\n    Mr. Merritt. I would like to comment at some point in time \nabout what Mr. Nelson said about the involvement of foreign law \nenforcement because it is an integral component of our success \nin being able to investigate these types of cases. I will give \nyou a good example of a success story that we had in 2005 about \none such carding portal. It was called ShadowCrew.com. It had \nover 4,400 members. And what we were able to do----\n    Chairman Lieberman. Let me just stop you a minute. Do you \nhave to pay a fee or have a password to get into the portal?\n    Mr. Merritt. You have to have your standing in the criminal \ncommunity authenticated by other criminals. You cannot just log \non. They have to verify that either you have successfully \nhacked into a company and you have an authorized access code to \nbuy or sell. But, just like in the old criminal scheme that you \nmentioned at a restaurant, somebody has to vouch for your \nauthenticity as far as being part of the criminal world. We, in \nhere, could not access--and I hope no one here is going to try. 
\nWe would not access these Web sites since they are only for \ncriminals who are known to each other.\n    However, in 2005, we successfully conducted an online \nundercover operation for about 2 years, and were the first \nFederal law enforcement agency in the United States to actually \ninitiate a Title III on a network. We gained control of this \nnetwork.\n    Chairman Lieberman. Just define a Title III for a moment.\n    Mr. Merritt. Yes, sir. A Title III, in other words--without \nthe criminals knowing--we were eavesdropping, for lack of a \nbetter word, on this criminal server, collecting criminal \nintelligence, and trying to identify the main players on this \nparticular Web site.\n    We were fortunate. We effected 28 arrests, with six of \nthose arrests being overseas. Essentially, we shut down that \nWeb site, and shut down that server. We learned a lot of \nlessons: One, just as Mr. Carr mentioned that he encrypts his \ninformation, criminals are now encrypting their information, \nand hard drives, which makes it more difficult for law \nenforcement to, in fact, obtain that electronic or digital \nevidence.\n    They have also come up with a technology that, at the push \nof a button or even remotely, they are able to destroy the \nevidence on their hard drives. So I think a grand kudo for the \ninvestigation is that we effected 28 arrests simultaneously \nbecause all it would have taken would have been for one \ncriminal member in the organization to send out an e-mail to \nnotify the rest and that digital evidence would have been \ndestroyed. This is a critical component of our ability to \ninvestigate and prosecute these types of cases.\n    There are about 10 or 12 major carding portals in the world \nnow, and we have shown that we do have success. Despite the \nanonymity that one presumably has on the Internet, we have \ndispelled that myth. But it is mind-blowing, so to speak, that \nthese carding portals exist.\n    Chairman Lieberman. 
Yes, it really is--so mind-blowing that \nI forgot my next question. [Laughter.]\n    Mr. Merritt. Well, you know what? If you do not mind, Mr. \nNelson mentioned that one of the challenges we face is the \nanonymity of these criminals, Mr. Chairman. It is cumbersome \nand laborious to identify who they are. More often than not, \nwhat we experience here in the United States is that many of \nthe intrusions targeting our banking and financial \ninfrastructures, our retailers, and our databases originate \noverseas. That is where the level of interaction with foreign \nlaw enforcement sometimes varies. Different countries have \ndifferent levels of ability to investigate these types of \ncrimes. Some countries, quite frankly, lack legislation which \nallows their investigators to prosecute these types of crimes. \nHe mentioned the corruption level. That is true. In different \ncountries, one can have a very loose or, in some cases, direct \naffiliation between the government and some of these hackers.\n    Chairman Lieberman. Yes, I was going to ask Mr. Nelson \nabout that. But I am regaining my balance. I remember, and the \nquestion was this: Is there evidence the traditional organized \ncrime syndicates, families, whatever, are involved now in cyber \ncrime?\n    Mr. Merritt. When you say ``traditional,'' it has been our \nexperience that, unlike the traditional Cosa Nostras that we \nhad years ago, there is organized crime, but it is a loosely \nheld hierarchy because they do not know each other personally.\n    Chairman Lieberman. And it is a different operation. It is \nnot out of an existing organized crime family here in the \nUnited States that had a territory that it controlled for \ngambling and drug----\n    Mr. Merritt. No, sir. You are correct.\n    Chairman Lieberman. This is new. In a sense, these are new \norganized cyber crime operations.\n    Mr. Merritt. Absolutely. 
You might have a hacker who is \nrenowned for his or her specialty in the Ukraine. You might \nhave a carder who sits in the Baltics and somebody that \norganizes these people, who sits in Russia. So it is a loosely \nheld hierarchy within the criminal underworld. But they do not \nnecessarily know each other's identity, if that helps, sir.\n    Chairman Lieberman. Well, it does, and it obviously \ncomplicates the job of law enforcement in trying to find them \nand break it up.\n    Mr. Merritt. Yes, sir.\n    Chairman Lieberman. My time is up. Senator Collins.\n    Senator Collins. Thank you.\n    Mr. Carr, in looking at the indictment of the individual \nwho was involved in the computer theft from Heartland, 7-\nEleven, and Hannaford, I was astounded at what a long period \nelapsed where these hackers were able to steal the credit card \nnumbers and debit card numbers. According to the indictment, \nthey operated from between October 2006 to May 2008. That is \nmore than a year and a half.\n    So explain to me how a breach of that magnitude could go \nundetected for so long.\n    Mr. Carr. The way breaches are normally detected is that \nfraudulent use of cards is determined, and there was no hint of \nfraudulent use of cards that came to our attention until \ntowards the end of 2008.\n    Senator Collins. But are there no computer programs that \none can use to check to see if an intrusion has occurred?\n    Mr. Carr. There are, but the cyber criminals are very good \nat masking themselves, and we formed the Payment Processors \nInformation Sharing Council with Mr. Nelson primarily so that \nthe payment processors could share that information. And, in \nfact, at our May meeting, we did distribute the actual malware \nthat was used at Heartland and we believe other businesses. 
And \nat our meeting last week we updated that, and there were three \nadditional malware attacks that had been found since May that \none of our constituents had passed out to the membership as \nwell.\n    So being able to scan systems to know what the malware is, \nyou have to know something about the attack vector, and you \nhave to know something about the malware to find it. All of us \nin this, we go through annual assessments, but the bad guys are \nworking together to try to get around all those assessments.\n    Senator Collins. But it is my understanding that in this \ncase all of the players met the current standards for cyber \nsecurity. Is that correct? The voluntary industry-based \nstandards?\n    Mr. Carr. We passed, we were certified to be compliant with \nthe standards on April 30, 2008.\n    Senator Collins. So what does that tell us about the \nstandards?\n    Mr. Carr. Well, the standards are good standards. They are \nnecessary. But some of us believe that an enhanced security is \npossible. A number of years ago, the U.S. Mint decided that it \nwas too easy to counterfeit the old bills and upgraded the \ntechnology of the currency. And 30 years ago, when the magnetic \nstripe was invented, it was invented with the card number in \nthe clear on the stripe. And the systems were all developed to \nprocess that magnetic stripe in the clear.\n    We think it is time for that data to be encrypted so that \nmerchants never have those card numbers in their system and the \nprocessors never have that card number in their system either.\n    Senator Collins. Because it would be encrypted from the \npoint of sale to the processor before going to the credit card \ncompany?\n    Mr. Carr. Correct, and throughout the entire system.\n    Senator Collins. Is it typical when a consumer uses a \ncredit card at a retailer that it goes first to an entity like \nHeartland? 
I was under the impression that it went directly to \nVisa or MasterCard or to the bank.\n    Mr. Carr. Yes, when the card is swiped, it goes either into \na gateway that goes to a processor, or it goes directly to the \nprocessor, and the banks hire companies like Heartland to be \nthe gateways and the processing entities for the authorizations \nand the capture and settlement of that information.\n    Senator Collins. So is the problem in this case the lack of \nencryption between the retailer and the processing entity or \nthe processing entity and the ultimate credit card company?\n    Mr. Carr. There are actually five--without getting too \ntechnical, we think there are five zones of encryption. The \nfirst zone is from the moment that card is swiped until it gets \ninto the gateway or into the processing system. And merchants \nwould like to have those card numbers encrypted during that \nzone because then they would not have that data that could be \ntaken.\n    Zone two is in the processing network. Zone three is in the \ncomputer systems of the processing network. Zone four is data \nat rest, which is part of the requirements today that all that \ndata be encrypted. And I think the industry has done a good job \nof implementing that. And then zone five is to the card brands \nand the issuing institutions as well.\n    So it is good to have each one of those zones encrypted, \nbut the best is to have them all done, and that is what we are \ntrying to adopt through the various work that we are doing.\n    Senator Collins. Mr. Nelson, when a retailer is the victim \nof a computer theft scheme like this, do retailers know whom to \ngo to in the government?\n    Mr. Nelson. I am actually going to defer that to Mr. Carr.\n    Senator Collins. Maybe I will go back to Mr. Carr.\n    Mr. Nelson. That is more his bailiwick.\n    Mr. Carr. Do the retailers know what law enforcement to go \nto?\n    Senator Collins. Yes.\n    Mr. Carr. 
I think the larger the merchant is, the more \nlikely it is that they know. But I think we could do a better \njob of educating all of our merchants about what process they \nshould go through once they are hacked. And, fortunately, Mr. \nNelson has agreed to--we have set up a new classification of \nmembership in our organization that will allow members to learn \nthat kind of information.\n    Mr. Nelson. Yes, I met with the National Retail Federation \nin June to discuss how we could do more together, and I think \nthere really is not a 24/7 operation in the retail community, \nwhich is an important part of this. We need to make sure they \nare a part of this group and maybe have a link to them, even \nthrough our organization.\n    Senator Collins. To whom do they go?\n    Mr. Nelson. The National Retail Federation has a risk \ncommittee, but it is more a 9 to 5 staff that shares some e-\nmails.\n    Senator Collins. Exactly my point. I mean, Mr. Merritt has \ntold us of the Secret Service's success in carrying off this \nsimultaneous arrest of 20 individuals and the fact that the \noperation could have been blown with just one e-mail being sent \nout.\n    Well, similarly, when a retailer learns that it has been \nthe subject of a computer breach, time is of the essence. I was \nshocked to learn that in the Hannaford case, which involved \nother retailers as well, a year and a half went by when these \nbreaches were occurring. So part of the problem here is that \nonce a breach is discovered, I do not think there is an \nunderstanding of to whom you go. Do you call the local police? \nDo you call the Secret Service? Do you call your trade \nassociation? Do you call the local district attorney? What do \nyou do? To whom do you go?\n    Mr. Nelson. We have done a pretty good job in our sector \ngetting the banks to call us, but I think we really need to do \na better job reaching out to the retailer community. Again, \nthey are not part of our FS-ISAC. 
Can we make them part of it? \nAnd that is what Mr. Carr has been pushing for, and my Chairman \nhas actually been pushing for that, too. So I think we are \ngoing to start looking at that.\n    Some of the attack signatures that were shared last week, \nwe need to get that out to the retailers, too.\n    Senator Collins. Just the answers here--and I appreciate \nvery much the hard work that all of you on this panel are \ndoing, but the lack of clarity to answer that basic question is \ntroubling to me because if a large retailer is uncertain who to \ngo to, think what it is like for a small business. I think we \nneed far more clarity in answering that question because it is \ngoing to be a lot easier for the business community if there is \na single source to go to, and also if it is clear who could \nhelp you prevent a breach in the first place.\n    Mr. Nelson. I think Mr. Reitinger's suggestion for a joint \noperations center where you have private sector and public \nsector people collocated and that is the source you go to, I \nthink we need to get moving on that.\n    Mr. Reitinger. If I might, ma'am.\n    Senator Collins. I know I have exceeded my time, and I \napologize, Mr. Chairman.\n    Chairman Lieberman. Go right ahead. No problem.\n    Senator Collins. Mr. Reitinger.\n    Mr. Reitinger. Thank you, ma'am. There are a lot of \nresources out there to help businesses to know to whom to \nreport cyber crime. My recollection is both the FBI and the \nSecret Service list that on their Web pages. We have \ninformation on our Web pages on to whom to report, as does the \nDepartment of Justice.\n    I am not so sure that it is bad that there is a diversity \nof places to report as long as the resources are available to \nfollow up and investigate. There is also the Internet Crime \nComplaint Center, which is, I think, driven by the FBI.\n    So there are many resources that can be brought to bear. 
\nOne of the things that we definitely need to do is do a better \njob on awareness: Get the word out there and then make sure we \nhave the mechanisms for exchanging data and for law enforcement \nto work together so the case can be most appropriately \naddressed and followed up.\n    Senator Collins. Thank you. I still think there is a lack \nof clarity here. After all, the Federal Trade Commission (FTC) \nis involved to some extent; the Secret Service is involved; the \nFBI is involved; the Department of Homeland Security's \nInfrastructure Protection Division is involved; and State and \nlocal law enforcement are involved.\n    Mr. Nelson. Just to support your argument a little bit \nmore, I think if you go to local law enforcement, sometimes \nthey will not take the case because it does not meet a certain \nthreshold. Let us say it is $100,000. But that particular \nattack might have been coming from the same entity in some \nEastern European country, and they are attacking hundreds of \ndifferent companies. So, cumulatively, it might be a multi-\nmillion-dollar attack. That is the issue.\n    Senator Collins. That is exactly the issue because what may \nseem to be an isolated attack affecting one business in one \nState may, in fact, be part of a network of attacks on several \ndifferent businesses. And we need to have a way to look for \nthose patterns.\n    Mr. Carr. Senator, I think the stakeholders in the industry \nwould all agree with you. How can that be done?\n    Senator Collins. Right.\n    Mr. Carr. How can that be communicated and so on? And I \nthink that is a challenge we have to resolve.\n    Senator Collins. Thank you. My apologies.\n    Chairman Lieberman. Oh, not at all. I appreciate the line \nof questioning.\n    Mr. Nelson, in your statement you mentioned the alert sent \nout by FS-ISAC on August 24 that listed several best practices \nand recommended controls for companies. 
I think it is important \nto note the public-private collaboration that went into issuing \nthat August 24 alert.\n    As I understand it, it was the first time that the FBI \nactually brought private sector representatives into their \noffices and showed you raw intelligence on a threat impacting \nyour sector and asked for your assistance in determining \nprotective recommendations for industry.\n    I want to follow up on that first by asking you, Mr. \nReitinger, this question: Does DHS issue best practices for the \nvarious sectors at this point? And if not, do you intend to? If \nso, are there ways to measure the success of those \nrecommendations, that is, the degree of implementation or \nfollow-up by people receiving those notices?\n    Mr. Reitinger. I would not say, sir, that it is a set of \nspecific practices that are issued sector by sector. We issue \nbroad guidance from the general how to protect yourself down to \nthe very specific technical alerts that US-CERT regularly \nproduces. So far this year, we have produced over 40 specific \nproducts, and our products are available--at least our general \nproducts are available on our Web page, including cyber \nsecurity tips for businesses, how to protect the workplace, \nthose sorts of items.\n    We also work very closely with the private sector to \nproduce specific incident-related guidance. For example, when \nthe distributed denial-of-service attacks were launched around \nJuly 4 of this year, US-CERT worked very closely with our \npartners in government and industry and produced two distinct \nproducts: A Federal information notice that provided \ninformation on the attacks and advice on mitigations to the \ngovernment; and a critical infrastructure information notice \nthat similarly went in a non-public way to key private sector \nentities throughout the infrastructure, including all of the \nISACs.\n    So, in general, we do produce the products. 
We also work \nbroadly with the sectors and broadly across the sectors in the \ncyber security cross-sector working group, which is one way \nunder the National Infrastructure Protection framework that we \naddress cyber security horizontally across all the sectors.\n    With regard to measuring implementation, as I think both of \nthe Senators' comments indicated early on, metrics are an area \nof growth, I think, for us, generally. By ``us,'' I mean not \njust DHS, although I include DHS in that. But in cyber \nsecurity, judging what works and what does not work is very \ndifficult to do.\n    So, for example, Senator Collins spoke about the fact that \nwe need to use the procurement power to increase the security \nof hardware and software that is bought. I could not agree \nmore. But we also need better ways to judge what software is \nsecure so that we can have an effective regime because good \nmetrics drive good behavior and bad metrics drive bad behavior. \nSimilarly, we need better metrics about what security practices \nwork effectively and do not work effectively.\n    I think our ability in DHS, to return to your question, \nSenator, to judge how broadly our recommendations are \nimplemented is an area that we need to grow, but have not fully \ndeveloped yet.\n    Chairman Lieberman. So that is a priority for you as you go \nforward.\n    Mr. Reitinger. Yes, sir.\n    Chairman Lieberman. In your testimony, Mr. Reitinger, you \nstated that DHS is building an integrated cyber security and \ncommunications watch floor that you expect to be operational \nbefore the end of this year, and I think that is a very good \ndevelopment, and I thank you for it and I hope you will push it \nforward.\n    I wanted to ask you two things about that, if you could \nprovide, to the extent that you are able, more information \nabout the Department's plans in that regard. 
But also, building \non this line of questioning, do you expect robust private \nsector participation on the cyber side when this watch floor is \ncompleted?\n    Mr. Reitinger. Yes, sir. The watch floor is in development \nright now. If you were to travel to our Glebe Road facility, \nyou would see a lot of people doing demolition and building, \nand I would welcome your presence there. We believe it will \nopen substantially before the end of the year, and the \nprocesses for how it will work are under development right now.\n    With regard to your second question about private sector \nparticipation, we already have private sector participation, \nparticularly through the National Coordinating Center, which \nhas a number of telecommunications representatives that are \nphysically present within DHS space and others who are \nvirtually present on a regular basis. We intend to grow from \nthat core broader private sector participation and State and \nlocal participation.\n    Chairman Lieberman. Good.\n    Mr. Reitinger. Because it is absolutely essential that we \nbe able in certain cases to work together, as I like to say, \nbreathing the same air to build the trusted relationships, and \nbe able to work together virtually so we have a full, one-\nnation incident response organization.\n    Chairman Lieberman. That is great to hear. I think one of \nthe most significant recommendations of the 9/11 Commission, \nwhich I am proud that our Committee played an active role in \nimplementing, was the creation of the National Counterterrorism \nCenter, and it is really--appropriately, I suppose--one of the \nunsung heroes of defense of our homeland security. Even in the \ncyber age, there is something to be said for having people \nworking on the same problem trying to defend the country from \nthe same kinds of threats, breathing the same air, because \nthere is natural interaction that goes on. 
So I am pleased to \nhear about that.\n    Will the watch floor be under the National Cyber Security \nDivision?\n    Mr. Reitinger. It will be in the spaces of cyber security \nand communications, but it will include US-CERT, which is part \nof the National Cyber Security Division (NCSD)----\n    Chairman Lieberman. Right.\n    Mr. Reitinger [continuing]. And the National Coordinating \nCenter, which is a part of the National Communications System, \nbut also a part of the Office of Cyber Security and \nCommunications (CSC), and it will also include the National \nCyber Security Center. I am also the Director of that. It is \nnot a part of CSC or the National Protection and Programs \nDirectorate. In my capacity as the Director, I report directly \nto the Secretary of Homeland Security. The National Cyber \nSecurity Center has the mission to coordinate and drive common \nsituational awareness across all of the high-value watch \ncenters for cyber across the Federal Government, and all of \nthose pieces will be collocated.\n    Chairman Lieberman. That is the key. I mean, as you were \ndescribing the acronyms and what they stand for, it began to \nsound like a very complicated organizational chart. And maybe \nthere is a good reason for every one of those organizations, \nbut the key, as we have found, is to make sure they are all \nworking together and they are not getting stovepiped.\n    Let me ask a final question along this line going back to \nthe August 24 alert sent out by FS-ISAC. There were some real \ninteresting recommendations in there, I thought, among other \nthings one that recommended that people never access bank, \nbrokerage, or financial services information at Internet cafes \nor public libraries.\n    Mr. Nelson, or anyone else on the panel, but we will start \nwith you, is this advice that every American should be \nfollowing? And if so, why?\n    Mr. Nelson. 
Yes, because the information that you key into \nthat computer in a public library or Internet cafe can be kept \nthere. So when you are keying in your user ID and password, a \nuser could subsequently steal it, or they may have put some \nmalware on that computer that you are not aware of, and then \nthey have access to your banking account.\n    Chairman Lieberman. I hope people are listening. Senator \nCollins.\n    Senator Collins. Thank you, Mr. Chairman.\n    Mr. Reitinger, you brought up the issue of using the \nFederal Government's procurement power to persuade vendors to \ndeliver safer IT systems, and we had testimony at our April \nhearing on just this issue from the Director of Research for \nthe SANS Institute. He pointed out that when that is done, the \ncost of the security software falls dramatically. He cited an \nexample of some encryption software that costs $243 on the \nretail level, and the Department of Agriculture was able to \npurchase it for $12, and DOD for less than $6 per copy because \nof the large volume.\n    More to the point, however, is this expert's assertion \nthat, despite Federal acquisition rules that require security \nto be baked into procurements at the beginning, most times it \nis not, that there are no penalties or even checks to ensure \nthat security is part of the acquisition process.\n    What is DHS doing to ensure that security is part of the \ncomputer acquisition process?\n    Mr. Reitinger. Yes, ma'am, I would be glad to talk about \nthat. 
We have a special software assurance effort that is being \ndriven out of the National Cyber Security Division which \nincludes both a Software Assurance Forum where best practices \nare developed, industry talks to industry and industry talks to \ngovernment, work is done around building the business case to \nhelp companies understand what they need to do or ought to do \nfor secure development, and work is done on things such as \nacquisitions.\n    We also have a Web site called the ``Build Security In'' \nWeb site that helps to disseminate those best practices more \nbroadly and explain how secure development can be done.\n    I think in the long term this is an area for growth. It is \nstill too difficult, despite everyone's best work, to know \nwhether software is developed securely or not. So one could say \nin an acquisition, ``Thou shalt only buy securely developed \nsoftware,'' but actually specifying that is hard. A lot of work \nhas been done, including recently some private sector groups \nhave developed guidelines for what that might mean, but the \nevaluation regimes that we have for software remain somewhat \nrudimentary in terms of their ability to judge that, including \nthe common criteria, which is an international standard which \ngives a thumbs up or thumbs down for software, which focuses \nmore on the implementation of security features in the \nsoftware, as opposed to whether the software was developed \nsecurely and its overall security.\n    So there is a lot of work to be done here, both in terms of \nraising awareness with companies, in terms of figuring out what \nis securely developed or not securely developed and how to \nspecify that in acquisitions, and then the research and \ndevelopment around how one could develop software more securely \nwhich could benefit the entire ecosystem.\n    Senator Collins. 
And, of course, it never ends because the \ncriminals become more innovative and defeat the security \nsoftware, which is why it is difficult to mandate specific \nstandards. You have to constantly share best practices, but the \ntechnology is going to continually evolve and the criminals are \ngoing to continually try to defeat it.\n    Let me in my final question just ask you about a specific \nexample that was brought to my attention recently by the CEO of \na technology company, who was very concerned that there is a \nlack of a coherent cyber security policy at the Federal \nGovernment, particularly in the civilian agencies. DOD is a \nwhole different animal in this case, as is so frequently the \ncase. He cited a recent Request for Proposal (RFP) from the \nSocial Security Administration as an example of his concern \nabout the current inadequacy of the Federal Government related \nto cyber security.\n    The Social Security Administration had issued an RFP for a \nplatform that would allow Social Security beneficiaries to \naccess their accounts online and to make adjustments online, \nsuch as address changes. He believes that, as drafted, the RFP \nis highly likely to produce a platform that would make the \nusers vulnerable to spoofing--that is, directing users \nunknowingly to false Web sites--and that the Social Security \nAdministration would lose millions in just the first month as \nhackers direct payments elsewhere.\n    Now, I do not know if this individual's assessment is \ncorrect, but it really concerns me that this individual, who is \na technology expert, has reviewed this RFP and concluded that \nthe systems to be procured will be highly vulnerable. So what \ndo we do in a situation like this? And how can we get civilian \nagencies within the government to recognize that they are the \ncontainer of personal data that, if it is breached, will cause \ngreat harm? 
We have seen example after example--such as the \nsizeable breach of the Department of Veterans Affairs records a \ncouple years ago.\n    Mr. Reitinger. So let me answer this in two parts, if I \ncould, ma'am. First, obviously--and I cannot speak to that RFP. \nI apologize. I have not read it.\n    Senator Collins. Right. I did not expect you to be able to.\n    Mr. Reitinger. But we do need generally to continue to \nraise awareness not just with the private sector but with our \npartners across government, because we are in sort of a \ngenerational hump, if you will--we did not all grow up working \nwith computers and understanding computer security, much like \nwe all grew up understanding cars and how to drive cars. So we \nhave to get through this period and make sure that we raise \nawareness broadly throughout the Federal Government, including \namong those doing acquisitions.\n    I do believe we have a Federal Government cyber security \nstrategy. We have the 2003 National Strategy, and then the \nComprehensive National Cybersecurity Initiative (CNCI), as \nrecently expanded upon and developed by the Cyberspace Policy \nReview, which is going to lead to a revised new national \nstrategy. But we have focus and we have a way that we are \nmoving forward.\n    Specifically around the question that you raise in terms of \naccess to personal data, it is a difficult problem because \nright now people are accessing whether private or government \nsystems, with a set of computers that they find very difficult \nto secure, and using a set of methods to authenticate \nthemselves, that are subject to theft.\n    In the mid- to long-term, we need to move to an environment \nwhere no one uses user names and passwords to access sensitive \ndata like personally identifiable information, where one has \nreadily available stronger authentication means, like \ncertificates or tokens or whatever is used, to access data \nwhere it is much harder to steal that credential. 
That will \nenable great protection in the ecosystem. It will make it \nharder to steal people's personally identifiable information. \nAnd it will make theft of personally identifiable information \nless valuable because you will not be able to actually take a \nperson's user name and password, or phish it, and then use it \nagainst them. You would actually have to take something else.\n    That is called for in the Cyberspace Policy Review, and it \nis related to some of the comments that my private sector \ncolleagues made earlier.\n    Senator Collins. Thank you. Thank you, Mr. Chairman.\n    Chairman Lieberman. Senator Collins, thank you. Just a few \nmore questions.\n    Mr. Carr, going back to the case that you unfortunately \nwent through, we know that your system was compromised in the \nsense that, you might say, the front door was knocked down, the \ncyber criminals got inside the system. There were 130 million \naccounts that were vulnerable. I presume that a certain number \nof people involved complained to their credit card companies or \nthe merchants and said, ``Hey, I did not buy this, and it is on \nmy bill.'' Do you have any idea at this point of the scope of \nthe loss, either in dollar terms or how many people were \naffected? Or is it too soon to say?\n    Mr. Carr. It is too soon to say. We know that we have \ncharged off on our profit and loss statement $32 million.\n    Chairman Lieberman. Say that again? I am sorry.\n    Mr. Carr. $32 million.\n    Chairman Lieberman. That you charged off?\n    Mr. Carr. That we have had to expend to deal with this \nbreach.\n    Chairman Lieberman. In other words, to reimburse people?\n    Mr. Carr. No--well, part of that could be deemed to be part \nof that. We do not know the extent of the fraud that was \ninvolved at this point. We do not know how many card numbers \nexactly were compromised.\n    Chairman Lieberman. Right. What was the $32 million for?\n    Mr. Carr. 
That was for forensics work, for legal work, and \nfor potential settlements of some of the claims.\n    Chairman Lieberman. People complaining about what they take \nto be unwarranted charges on their cards, would that \ninformation come to you? Or is it more likely to come to the \ncredit card company?\n    Mr. Carr. It comes to the issuing bank and----\n    Chairman Lieberman. Yes, because most people do not know \nabout you.\n    Mr. Carr. Correct.\n    Chairman Lieberman. And then they get back to you, I take \nit?\n    Mr. Carr. Right. We are in that process today.\n    Chairman Lieberman. So at this point, would you say that \nthe number of accounts compromised was small or medium or \nlarge? I know you cannot say exactly.\n    Mr. Carr. It is a significant compromise, but we do not \nknow to what extent.\n    Chairman Lieberman. In your testimony, you also say that \nFederal law enforcement was very helpful to Heartland in this \nprocess, and I just wanted to ask you to expand on that \ncomment. What kind of assistance did you receive from which \nagencies?\n    Mr. Carr. Well, the Secret Service was at our meeting last \nweek and provided some really good information to the members, \nand we have met with DHS people who have offered to help \nprovide us and our industry some monitoring tools for the \nsecurity of our computers through some technology that was paid \nfor by the government that is being made available to private \nindustry.\n    Chairman Lieberman. I appreciate hearing that. As you look \nback--and I know you have done some work on this and have been \nspreading the story throughout your business area--what are \nsome of the things you wish you had done, having seen this \nattack?\n    Mr. Carr. Well, I wish we had gotten together with our \nindustry and shared information more quickly because by \nlearning how these bad guys attack others, we would have \nlearned a lot at that point. I wish we had done that earlier.\n    Chairman Lieberman. 
Mr. Merritt, let me ask you, and then \nif anyone else wants to get into this, do you think there is a \nneed for amendment of existing criminal laws or adoption of new \ncriminal laws to facilitate the charging or even investigation, \nbut particularly the charging of cyber criminals? Or are you \nable to operate in this new area within the general parameters \nof existing criminal law?\n    Mr. Merritt. No, sir. In my opinion, we have the necessary \nstatutory authority given to us by Congress to investigate \nthese types of crimes and in my written statement, Title 18 of \nthe U.S. Code, Sections 1028, 1029, 1030----\n    Chairman Lieberman. Right.\n    Mr. Merritt. Those are all sufficient to allow us to carry \nout our responsibility.\n    Chairman Lieberman. The other part of my question goes a \nbit beyond your role in the process, and we should and will be \ntalking to the Department of Justice about this. But just from \nyour experience, is it your sense that once you turn cases \nover, as it were, to the prosecutors, they have enough within \nexisting criminal law to proceed to prosecute these cases?\n    Mr. Merritt. We have been fully supported by U.S. Attorneys \nacross the Nation, sir, and specifically Mr. Reitinger \nmentioned he was a part of them before the Computer Crimes and \nIntellectual Property Section (CCIPS). We have been very \nsatisfied. I think they have been, too. I would defer to them \nto see if they are having some issues as far as their authority \nto prosecute these types of cases. But we have had very good \nluck, sir. Thank you.\n    Chairman Lieberman. Thank you.\n    Mr. Reitinger, as part of your quite remarkable background \nin preparation for this job, you have had this prosecutorial \nexperience. What is your sense of whether the criminal laws \nneed updating to meet this challenge or whether they are \nadequate in their current status?\n    Mr. Reitinger. 
With apologies, sir, I have been out of that \npart of the job since I left the Justice Department and went to \nthe Department of Defense back in 2001. So I would defer to my \nexpert colleagues at the Secret Service and the Department of \nJustice.\n    Chairman Lieberman. We will talk to them.\n    Let me ask you a question that I want you all to think \nabout, and we will be in touch with you as we proceed to \nlegislation. I will start with you, Mr. Reitinger, if you have \nany thoughts now about what are some of the constructive--if \nyou think there are any--things we can do by way of legislation \nto help you better do your job or carry out your responsibility \nwith regard to cyber security.\n    Mr. Reitinger. Sir, I do not have any specific requests to \nmake at this time. Obviously, as I gain my experience in this \njob, I am learning more about what is required and where the \nshortfalls, if any, may be. I look forward to continuing to \nwork with you and your staff and the Committee staff on those \nissues.\n    Chairman Lieberman. Good. Mr. Merritt, any thoughts there?\n    Mr. Merritt. Sir, we are aware of several pending pieces of \ndata privacy legislation that Congress is considering in the \ndifferent committees, that would encourage private industry, \nwhen they have been intruded upon, to report those intrusions. \nWe have been very supportive when committees have asked us for \nany advice, and we will continue to do so.\n    Chairman Lieberman. Good. Any legislation or other action \nby Congress that might facilitate this process we talked about \nearlier of moving ahead with international cooperation in the \ninvestigation and prosecution of cyber crime?\n    Mr. Merritt. Mr. Chairman, it is very hard for Congress to \nimplement that type of legislation or law overseas. 
I think one \nmust rely on personal and professional relationships that we \nand other law enforcement entities are able to establish with \nour foreign counterparts.\n    Chairman Lieberman. Are you working with the State \nDepartment--or, Mr. Reitinger, let me ask you--in regard to \nthis? In other words, has the development of international \nconventions, treaties, or working groups to deal with cyber \ncrime become now an element of our foreign policy?\n    Mr. Reitinger. Well, sir, I think it has been for some \ntime. The Council of Europe Cyber Crime Convention was \ngroundbreaking when it was first developed as the first major \nconvention dealing specifically with cyber in that sense, and I \nthink all of us were greatly pleased when the Senate chose to \nratify it. And that has, I think, enabled a much greater degree \nin terms of international collaboration.\n    We are actively involved in the Department of Homeland \nSecurity in building relationships with our international \npartners and are hosting a conference, the Meridian Conference \nin October of this year, where a number of key players will be \ncoming in, as well as working to develop non-law enforcement \noperational relationships.\n    Finally, I would say that the Cyberspace Policy Review \nspecifically talked about the need to build international \nframeworks, and the National Security Telecommunications \nAdvisory Committee produced a report, I believe last year, on \nthe need for a broader international framework around cyber.\n    And so I think it is a subject of focus. There is a lot of \nwork that remains to be done under the overall leadership of \nthe Department of State.\n    Chairman Lieberman. While I have the two of you here, I \nwill say, as I said after Mr. Merritt's testimony, that I am \nimpressed and I did not know about all that the Secret Service \nwas doing in regard to cyber crime. 
Of course, the Secret \nService comes into the Department of Homeland Security with a \nvery strong, unique independent history, but the question I \nwant to ask is whether the Secret Service and the other cyber \nsecurity divisions are adequately integrated--in other words, \nwhether there is, certainly, sharing of information going on. \nMr. Merritt mentioned the Electronic Crimes Task Force and the \nsharing of information going on with State and local law \nenforcers. But is it also going on within the building, as it \nwere, or within what will be the building?\n    Mr. Reitinger. I think the answer is yes, sir. I think we \ncan continue to strengthen the relationships, but there is \nsomeone from the Secret Service on the NPPD staff. There is a \nSecret Service liaison specifically at US-CERT. They have a \nregular working relationship and an ability to collaborate.\n    I, specifically, on more than one occasion, when I have \nreceived a report from US-CERT, have spoken to them about \nmaking sure that we were working both with the Secret Service \nand the FBI to ensure there was appropriate law enforcement \nfollow-up. And there are collaboration mechanisms that the \nSecret Service and the Bureau use to work broadly within law \nenforcement.\n    So I believe the connections are there, and I think as we \nmove forward and build out the US-CERT capabilities, they are \ngoing to continue to be enhanced and be more effective.\n    Chairman Lieberman. Obviously, that is very important.\n    Mr. Nelson, any thoughts about additional law, Federal law, \nthat could assist FS-ISAC in the work that you are doing?\n    Mr. Nelson. We did not really specify in our testimony \nrecommendations in that regard, but we do think that there are \nsome things. We could require support of some funding for, for \ninstance, better education, particularly getting the word out \non that you do not open that phish that you get, that type \nphishing campaign. 
And one of our members, a small member, a \nfinancial institution in southern Virginia, came up with the \nidea of a logo, an anti-phishing logo almost like the no-\nsmoking logo, or ``Don't Pollute, Give a Hoot.'' Remember those \nold campaigns? But just kind of get the national mind or kind \nof the national consciousness around the need not to click on \nthese suspicious e-mails. So I think that is one area that I \nthink we could work on.\n    Chairman Lieberman. One suggestion that has been made to \nthe Committee for legislation is to require in law or encourage \nor facilitate the creation of some certification process for \nthe private sector--in other words, either administered by a \ngroup like yours in your area of our economy, financial \nservices, and in others; or perhaps with some governmental \nregulatory board which would set minimum standards that we \nwould require private sector entities to follow to defend \nthemselves--and, in the larger sense, all of us--against cyber \nattack either for purposes of money or terrorism.\n    Maybe I should start with you, Mr. Reitinger, and ask you \nwhether you have thought about that and if you have any opinion \non it.\n    Mr. Reitinger. I cannot testify to that in particular, sir. \nI would have to see the details of the proposal. What I would \nsay is I think it is not true that cyber is completely \nunregulated. Obviously, there are financial regulations. In the \nchemical sector, for example, there are elements to chemical \ncyber security regulation embedded in the current Chemical \nFacility Anti-Terrorism Standards (CFATS) regime. So there is a \nmixture of degree of regulation, and sometimes when people talk \nabout the proposal you are talking about, they point to what is \ncalled the North American Electric Reliability Corporation \n(NERC) and Federal Energy Regulatory Commission (FERC) model.\n    Obviously, there is a lot to be explored. 
I think it is \nbeyond dispute that the status quo is not sufficient. We are \ncommitted to working within the model we have right now and \nenabling our private sector partners to succeed. And in terms \nof whether additional authority is necessary or appropriate, I \nthink we need to continue to examine that, because it is clear \nthat cyber security is a national security and homeland \nsecurity issue that needs to be fully addressed.\n    Chairman Lieberman. Yes, I agree. We have not reached a \nconclusion on this, but it is very important, I think, for the \nCommittee to consider it because the Federal Government clearly \ncannot do all this on our own. Too much of our critical \ninfrastructure is owned by the private sector, which, of \ncourse, is quite appropriate and positive. What responsibility \ndoes the society through the government put on the private \nsector to take at least the minimal set of actions to protect \nthemselves and the larger society from cyber attack?\n    So I would welcome a first response, Mr. Nelson, and say to \nyou that we would like to keep in touch, and with you, Mr. \nCarr, as well. Go right ahead.\n    Mr. Nelson. The one thing I would say, we have, of course, \nin the financial services industry, a number of regulators. I \nhear some of our firms complain that regulators are coming in \nevery week, a different set. FDIC comes in, the Federal Reserve \ncomes in the next week, and then you have the Office of the \nComptroller of the Currency (OCC), etc.\n    Chairman Lieberman. Tell them to get ready for the National \nCyber Security---- [Laughter.]\n    Mr. Nelson. I will do that. But I think on the other side, \nwe do have a number of cyber security areas that the examiners \nare looking at that they are examining on today. 
One was, a \ncouple years ago, the implementation of a guidance, and a \nguidance sounds like a loose term, but it was actually a \nrequirement for financial institutions to look at all of their \napplications to see if multi-factor authentication should be \napplied, and you have to do that evaluation. Most of the \nfinancial institutions, at least for business accounts, do \nrequire multi-factor authentication, for instance. Even on the \nconsumer side, there is knowledge-based authentication, for \ninstance, knowing that if I am on my computer, this is the \ncorrect IP address for who I normally do business with. So \nthose types of authentication and multi-factor authentication \ntools are more or less looked at by the examiners today to see \nif the banks are complying with that.\n    Could they be stronger? And some of the things that Mr. \nCarr recommended about strong encryption, that we have \nrecommended, and actually the whole panel has recommended, I \nthink that is something at which we ought to look. But, again, \nwe have stayed away from being too prescriptive with that and \nwanted to really look at, as technologies change and as the \nattacking vectors change, how do we respond to that. And I \nthink we really try to make that part of our regulatory regimen \ntoday.\n    Chairman Lieberman. Mr. Carr, do you want to respond at all \nto that?\n    Mr. Carr. I would just like to say that at our meeting last \nweek, there was a frustration expressed by law enforcement that \nthey would know some of these bad guys and these criminal rings \nand go to countries to arrest them, and they were not able to \narrest them because of non-cooperation with that country. That \nwould be helpful. I am not sure that legislation can solve that \nproblem, but that is a problem that needs to be solved.\n    Chairman Lieberman. 
Yes, but that is the kind of problem \nthat can be solved either at a diplomatic level, through the \nState Department, or perhaps through the development of more \nand more international cooperative law enforcement efforts.\n    Well, that is a topic we are going to consider as we go on \nto develop the legislation, whether we want to create kind of a \ngood certification seal if you will, whether as some have \nsuggested we go beyond and actually require, for instance, \nencryption or some other steps to be taken. Those are big steps \nto take, and we are not going to take them lightly or without \nadequate consideration.\n    I want to thank the four of you. It has been a very \nproductive hearing from our point of view, both from the real-\nlife experiences--the nightmarish experience that you have had \nto go through, Mr. Carr, and, Mr. Nelson, the work that your \ngroup is doing--and then, Mr. Merritt and Mr. Reitinger, thanks \nfor what you are doing in response. This is a problem that is \nnot going to go away. It is going to get worse unless we can \nwork together to diminish the threat, which this Committee \nwants to do everything it can to make it possible by those of \nyou who are out in the field every day.\n    So we are going to hold the record of this hearing open for \n15 days for additional statements or questions. I thank you \nagain for your testimony. The hearing is adjourned.\n    [Whereupon, at 12:04 p.m., the Committee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n"