[Senate Hearing 111-724]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 111-724
 
                          CYBER SECURITY--2009 

=======================================================================

                                HEARINGS

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                                 of the

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 28, 2009

             CYBER SECURITY: DEVELOPING A NATIONAL STRATEGY

                               __________

                           SEPTEMBER 14, 2009

      CYBER SECURITY: PROTECTING INDUSTRY AGAINST GROWING THREATS

                               __________

       Available via http://www.gpoaccess.gov/congress/index.html

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

51-019 PDF                       WASHINGTON : 2010 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


























        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           JOHN McCAIN, Arizona
MARK PRYOR, Arkansas                 GEORGE V. VOINOVICH, Ohio
MARY L. LANDRIEU, Louisiana          JOHN ENSIGN, Nevada
CLAIRE McCASKILL, Missouri           LINDSEY GRAHAM, South Carolina
JON TESTER, Montana                  ROBERT F. BENNETT, Utah
ROLAND W. BURRIS, Illinois
MICHAEL F. BENNET, Colorado

                  Michael L. Alexander, Staff Director
            Deborah P. Parkinson, Professional Staff Member
              Adam R. Sedgewick, Professional Staff Member
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
                Asha A. Mathew, Minority Senior Counsel
                    John K. Grant, Minority Counsel
                  Trina Driessnack Tyrer, Chief Clerk
         Patricia R. Hogan, Publications Clerk and GPO Detailee
                    Laura W. Kilbride, Hearing Clerk
























                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Lieberman............................................ 1, 35
    Senator Collins.............................................. 3, 37
    Senator Landrieu.............................................    21
    Senator Burris...............................................    24
    Senator Carper...............................................    27
Prepared statements:
    Senator Lieberman...........................................71, 148
    Senator Collins.............................................73, 151

                               WITNESSES
                        Thursday, April 28, 2009

Hon. Stewart A. Baker, Former Assistant Secretary of Homeland 
  Security.......................................................     5
James A. Lewis, Director and Senior Fellow, Technology and Public 
  Policy Program, Center for Strategic and International Studies.     7
Alan Paller, Director of Research, SANS Institute................    10
Tom Kellermann, Vice President of Security Awareness, Core 
  Security Technologies..........................................    14

                       Monday, September 14, 2009

Robert O. Carr, Chairman and Chief Executive Officer, Heartland 
  Payment Systems, Inc...........................................    39
William B. Nelson, President and Chief Executive Officer, 
  Financial Services Information Sharing and Analysis Center.....    42
Michael P. Merritt, Assistant Director, Office of Investigations, 
  U.S. Secret Service, U.S. Department of Homeland Security......    47
Philip R. Reitinger, Deputy Under Secretary, National Protection 
  and Programs Directorate, U.S. Department of Homeland Security.    50

                     Alphabetical List of Witnesses

Baker, Hon. Stewart A.:
    Testimony....................................................     5
    Prepared statement...........................................    75
Carr, Robert O.:
    Testimony....................................................    39
    Prepared statement...........................................   153
Kellermann, Tom:
    Testimony....................................................    14
    Prepared statement...........................................   100
Lewis, James A.:
    Testimony....................................................     7
    Prepared statement...........................................    86
Merritt, Michael P.:
    Testimony....................................................    47
    Prepared statement...........................................   174
Nelson, William B.:
    Testimony....................................................    42
    Prepared statement...........................................   160
Paller, Alan:
    Testimony....................................................    10
    Prepared statement...........................................    90
Reitinger, Philip R.:
    Testimony....................................................    50
    Prepared statement...........................................   183

                                APPENDIX
           RESPONSES TO POST-HEARING QUESTIONS FOR THE RECORD

    Mr. Baker....................................................   114
    Mr. Lewis....................................................   120
    Mr. Paller...................................................   129
    Mr. Kellermann...............................................   135
    Mr. Reitinger................................................   193

                 ADDITIONAL INFORMATION FOR THE RECORD

Josh Bourne, President, Coalition Against Domain Name Abuse 
  (CADNA), September 14, 2009, prepared statement................   194

 
             CYBER SECURITY: DEVELOPING A NATIONAL STRATEGY

                              ----------                              


                        THURSDAY, APRIL 28, 2009

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:05 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Carper, Landrieu, Burris, and 
Collins.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. Good morning. The hearing will come to 
order. Thanks to the witnesses and others who are here.
    The topic of this hearing is our national strategy for 
cyber security. I am going to put my statement in the record 
and just speak for a few moments.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Lieberman appears in the 
Appendix on page 71.
---------------------------------------------------------------------------
    It is a series of facts that brings the Committee here and 
why we are grateful to a very distinguished and informed group 
of witnesses for helping us.
    The first fact is that America's cyberspace is constantly 
under attack. The second is, the best that I can determine, our 
defenses to those attacks are inadequate. The third fact is 
that the Obama Administration, building on work done by the 
Bush Administration, has just completed a 60-day review of our 
cyber policy and structures, and we expect soon to see release 
of that report.
    The fourth fact is that the Department of Homeland Security 
(DHS), which was created out of this Committee and over which 
we maintain oversight and monitoring our responsibility, has 
the unique authorities given to it under the statute with 
regard to cyber security.
    The fifth fact, may be a probability, I believe, as part of 
the reaction to the report that Melissa Hathaway is doing for 
President Obama, that we will be asked to consider, and should 
consider, some legislative changes or authorizations regarding 
the role of the Homeland Security Department in its 
responsibility to protect critical parts of America's 
cyberspace, particularly, the non-defense, governmental 
cyberspace and to be the main point of coordination with the 
private sector.
    So this hearing is really an opportunity for us to learn 
from the four of you at this quite significant, potentially 
transformational moment in the history of America's 
relationship to cyber warfare, really. I want to just briefly 
develop a few of those realities.
    First, it is very clear, if I can use a harsh word, but I 
will use it because it is relevant, our enemies in cyberspace, 
whether they are individual hackers, foreign governments, 
business competitors, organized crime groups, or terrorists, 
seem too often to be one step ahead of our efforts to deter 
them, and that gap must be closed.
    From 2003's SQL Slammer to the most recent Conficker worm, 
thousands of worms, viruses, and so-called malware have 
infected and disabled computers around the world and put 
sensitive data at risk of loss, theft, or improper disclosure. 
Privacy breaches are a regular occurrence with identity thefts, 
stolen credit cards, or exposure of financial information. 
Within the Federal Government, millions of dollars worth of 
equipment has been lost and the personal information of 
millions of veterans, as one example, compromised.
    In a speech last week, Melissa Hathaway, who is the Acting 
Senior Director for Cyberspace for both the National and 
Homeland Security Councils, told of an incident in which 130 
automatic teller machines (ATMs), in 49 cities around the 
world, were illicitly emptied by cyber theft over a single 30-
minute period. I mean, that is a stunning reality.
    The Wall Street Journal reported last week that operational 
information for the Joint Strike Fighter, our advanced, 
stealth-capable, tactical air fighter was breached making it 
easier for enemies to defend against it if not to steal some of 
the highly classified systems within it.
    We know that there are severe vulnerabilities in our 
electricity grid and that foreign governments seeking to map 
our infrastructures have intruded into our electricity systems 
on a very large scale.
    So there is all too much evidence that our cyber 
infrastructure is insecure and, unfortunately, there is a lot 
of evidence that our security capabilities are inadequate to 
the challenge. GAO and various inspectors general have been 
repeatedly reporting on these weaknesses. Last December, the 
Center for Strategic and International Studies (CSIS) issued a 
report listing a vulnerability of cyber networks as one of our 
Nation's major security vulnerabilities, risks.
    Let me focus just for a moment, for the record, on the 
Department of Homeland Security.
    The cyber security authorities of the Department of 
Homeland Security are not just general under the rubric of 
Homeland Security, but they are clearly outlined in statute and 
presidential directives. Title 2 of the Homeland Security Act 
directs DHS to lead critical infrastructure protection efforts, 
which by definition includes cyber security. Critical 
infrastructure was defined in that act as ``systems and assets, 
whether physical or virtual, so vital to the United States that 
the capacity or destruction of such systems and assets would 
have a debilitating effect on security, national economic 
security, national public health or safety, or any combination 
of these matters.''
    In 2003, President Bush released a national strategy to 
secure cyberspace, which stated that the Department of Homeland 
Security would be ``the focal point for the Federal Government 
to manage cyber security.'' Later that year, the White House 
issued Homeland Security Presidential Directive 7 (HSPD-7) to 
implement the critical infrastructure responsibilities laid out 
in the Homeland Security Act. HSPD-7 reinforced the leadership 
role of the Department of Homeland Security on cyber security, 
stating, ``The Secretary of Homeland Security will continue to 
maintain an organization to serve as a focal point for the 
security of cyberspace.''
    In 2008, President Bush issued Homeland Security 
Presidential Directive 23 (HSPD-23) to implement the 
Comprehensive National Cyber Security Initiative, which focused 
on the protection of Federal networks. The exact language used 
in HSPD-23 is classified. However, I can say that the directive 
affirmed that the Department of Homeland Security serves as the 
lead Federal agency for the protection of Federal civilian 
networks, that is to say all unclassified networks, and for 
coordinating private sector cyber security efforts.
    So as we come to this transitional point, we on this 
Committee feel strongly that the Department of Homeland 
Security has, under statute and presidential directive, a 
central and critically important role to play. And this 
Committee, in a sense, is here to ask you how you think DHS has 
carried out that responsibility--I know you will testify and 
much else--and also what we can do to help DHS do the better 
job that we all acknowledge we needed to do.
    Thank you very much for being here. Senator Collins.

              OPENING STATEMENT OF SENATOR COLLINS

    Senator Collins. Thank you, Mr. Chairman.
    The information and communication networks that we refer to 
as cyberspace have become critical to our economy, our national 
defense, and our homeland security. Yet, every week, we learn 
of more threats to our cyber infrastructure. The specter of our 
adversaries disrupting our telecommunications systems, shutting 
down our electric power, or freezing our financial markets is 
no longer the stuff of science fiction; rather, it is a very 
real possibility as thousands of cyber attacks are launched 
every day.
    For example, intelligence officials tell us that China and 
Russia have attempted to map the American electrical grid and 
have left behind software that could be activated later perhaps 
to disrupt or destroy components. The Washington Post has 
reported that hackers broke into the Pentagon's Joint Strike 
Fighter project and stole information. And last year, as the 
Chairman alluded to, cyber thieves secretly implanted circuitry 
into keypads sold to British supermarkets, which were then used 
to steal account information and personal identification 
numbers. As these numerous intrusions demonstrate, the cyber 
security threat is real, dangerous, and accelerating.
    Today, this Committee will examine the practical issues of 
how the Federal Government should best be organized to counter 
this threat. An effective response to cyber threats will 
require coordination among law enforcement, intelligence 
agencies, and private owners of critical infrastructure. The 
Department of Homeland Security is the crucial nexus of these 
realms.
    Bringing together these three worlds is precisely the 
reason that Congress created DHS following the terrorist 
attacks of September 11, 2001. The Comprehensive National Cyber 
Security Initiative, started last January--and the Chairman 
referred to it--recognized the value of the Department's unique 
perspective by placing the National Cyber Security Center at 
DHS and charging the Department with the responsibility for 
advancing coordination and consultation among the many Federal 
entities with cyber security missions. And following up on this 
directive, last year, Senator Lieberman and I introduced a 
homeland security reauthorization bill that included cyber 
security provisions that would have increased the 
responsibilities of the center at DHS.
    We also need to determine what specific authorities are 
necessary for DHS to undertake the mission of better securing 
Federal networks and our Nation's critical cyber infrastructure 
as the Department works with but does not supplant the 
important roles played by the Department of Defense, the 
intelligence community, Federal law enforcement officials, and 
other agencies.
    These authorities must allow DHS to address many of the 
most pressing cyber security issues, including how do you share 
critical infrastructure on threats and vulnerabilities, 
particularly with the private sector, since 85 percent of 
critical infrastructure is privately owned?
    How do you encourage the adoption of best practices and 
standards not only across government but throughout our 
Nation's critical infrastructure?
    How do we best generate a strategy that deters terrorists 
and hostile nation states from executing cyber attacks that 
potentially could devastate our critical infrastructure?
    How do we best go after cyber criminals, not necessarily 
from other countries, but within our own country? Sometimes 
that part is overlooked as we discuss the threat.
    How do we secure the supply chain to ensure that systems we 
purchase are free from malicious code?
    And how do we best establish standards and performance 
metrics that can guide government procurement to encourage 
manufacturers to incorporate better security into their 
products for the benefit of both government and the public at 
large?
    Finally, as we consider the reorganization of cyber 
security activities, I would note that this new Administration 
has shown a tendency to appoint special assistants and czars 
within the White House for virtually every important issue that 
we are confronting. While I understand the need to shine a 
spotlight on critical problems, the creation of numerous czars 
or special assistants usually leads to conflict, turf battles, 
and confusing lines of authority.
    Moreover, Congress' ability to effectively oversee 
activities directed from the Executive Office of the President 
is severely limited. Typically, we cannot call upon those in 
the White House to come testify before us, and their budget 
requests are presented with very limited details. So the issue 
of reorganization of cyber security efforts necessarily 
involves the discussion of accountability and oversight by 
Congress as well. On an issue as pressing and as complex as 
cyber security, congressional oversight is critical to making 
real progress.
    I look forward to exploring these issues with our witnesses 
today.
    Mr. Chairman, you have assembled the top experts, and it is 
a pleasure to welcome back to the Committee, of course, Mr. 
Baker, who has been here many times. Thank you for holding this 
important hearing.
    Chairman Lieberman. Thanks, Senator Collins. And thanks for 
the very thoughtful statement. I appreciate it.
    Stewart Baker, good to see you again. Welcome back. You 
graduated from line authority to elder statesman, at an early 
age.

    STATEMENT OF HON. STEWART A. BAKER,\1\ FORMER ASSISTANT 
                 SECRETARY OF HOMELAND SECURITY

    Mr. Baker. It is a pleasure to be home again. Thank you, 
Chairman Lieberman and Ranking Member Collins. It is also a 
pleasure to have graduated from DHS. I served on a commission 
once, and one of the old hands of the commission said, ``Yes, 
they have brought back all the people who could not do the job 
to tell us why we should do the things they could not do.'' And 
in that spirit, I would like to talk a little bit about the 
cyberspace crisis that we face and what DHS should do about it.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Baker appears in the Appendix on 
page 75.
---------------------------------------------------------------------------
    You both have laid out the problem quite eloquently, and I 
will not try to repeat that. I would like to explain why I 
think this problem persists and continues to grow worse. And I 
will use an example that I have laid out in my testimony.
    There was a fellow named Howard Crank, a Vietnam vet 
suffering from diabetes. At home, he got an Internet 
connection, and the world opened up to him. He could interact 
with the world. It was a wonderful thing for him, until, 
essentially, scam artists found him and induced him to mortgage 
his house twice, to max out his credit cards and to go into 
bankruptcy trying to recover the lottery proceeds he was told 
he had won.
    Right up until that moment, I think he would have said the 
Internet had done a great thing for him, but interacting with 
the world, and having the world interact with him, turned out 
to be a disaster because not all of the world intended him 
well.
    We are all in that position. We are all getting benefits 
today from hooking up to the Internet, from using Internet 
protocols. They are making our lives easier and they are making 
the delivery of services and goods cheaper. And yet, every time 
we hook up to the Internet and expand the reach of those 
networks to other parts of our lives, we are creating greater 
risks. And, at some point the ice could give way and we could 
be dropped into the lake and lose everything.
    That is the greatest concern, but today we are not seeing 
any obvious harm to our networks or to our way of life, and 
that is what has led us to ignore the problem or to minimize 
the problem.
    I think it is a tribute to both this Administration and to 
the last that we are finally beginning to look at the ways in 
which we can address this problem more seriously, and I would 
also like to give credit to Jim Lewis for the Center for 
Strategic and International Studies report which I think very 
profoundly raised all of the issues that have to be addressed 
if we are going to successfully defend ourselves in cyberspace.
    That raises, then, as Senator Lieberman and Senator Collins 
both suggested, the question of how to organize ourselves to 
defend cyberspace. And here, I would like to draw on my 
experience. I realized as I was preparing for this hearing, 
that I have helped to start two of the last three cabinet 
departments created in the Federal Government. And I have 
served on a commission that recommended extensive 
organizational changes in the Federal Government.
    If I had to do it over again, I am not sure I would do any 
of that. That's because there is a predictable pattern in the 
reorganization of government. You start with a failure. You 
say, this is not working. We should create another organization 
to solve the problem. And that organization, since you have 
just dreamed it up, does not have any flaws at all. It will do 
everything you want done, and much better than the obviously 
failed institution that you are looking at today.
    When comparing an existing institution, where we have real 
failures, to an imaginary institution that has no flaws, the 
imaginary institution always looks better. Then, of course, 
once you actually try to start the imaginary organization, the 
imaginary organization discovers that it does not have a 
budget, it does not have staff, it does not have an executive 
secretary, it does not have a human relations department to 
begin hiring people. And pretty soon, that new institution is 
deep into a cycle of failure of its own, which then leads 
people to say, well, that is a failure. We should reorganize. 
Maybe we should have this new imaginary organization to do the 
job of the last imaginary organization.
    I say that because I fear that the one recommendation of 
the CSIS report that I disagree with most strongly is the one 
that says, DHS is not doing everything it should. Consequently, 
we should dream up a new organization, a national cyberspace 
office that will perform all of the functions that DHS should 
be performing perfectly and is not performing perfectly.
    That recourse to an imaginary organization, in my view, is 
precisely the problem with the CSIS report. We would be much 
better, in my view, fixing DHS, which, of course, was given 
many of these authorities when it was an imaginary organization 
and now is deep into the second cycle, where people find that 
it is not doing the job perfectly. We would be much better off 
building DHS's capability, something that has just begun, I 
think, seriously for the first time in the last year or two.
    DHS has now launched on the job of building a genuinely 
strong cyber security office that can provide guidance across 
the government, provide services and detailed capabilities to 
the President. If they are given the opportunity to do that, 
they will succeed. If they are kicked aside because they cannot 
perform and have not performed every job that they have been 
given in the last 5 years, I think that we will be making the 
mistake that we made with other organizations where we have 
said, since we do not have a perfect job being done by the 
existing agencies, let's make up a new agency, and hand them 
the responsibility.
    I do not think we want to be in a position 2 years from now 
looking at a new organization that has been created to carry 
out this mission in the Executive Office of the President and 
say, ``Well, gee, they have just hired their staff. They have 
just begun to organize their budget. They have just determined 
who their executive secretary should be. And, so for 2 years, 
we have been treading water and there have been a lot of 
failures since then.'' That is a recipe for treading water and 
not for making improvements.
    I think we would be better off if we took the capabilities 
that DHS has and funded them, provided the resources and the 
staff that DHS needs, and let DHS carry out its 
responsibilities under guidance from a very strong National 
Security Council that can provide the muscle in the interagency 
that is necessary to actually achieve coordination across the 
government.
    Very briefly, I will also talk about the question of 
regulation. I think it is clear that some form of regulation is 
necessary in this area. No private sector agency can be 
expected to fend off State actors who are bent on infiltrating 
its network. We do not expect Bank of America to fight our wars 
for us, and if the bank finds itself on the front lines of a 
war, we should be providing assistance to them at the Federal 
level.
    In fact, there is regulatory authority in many of these 
areas. The Gramm-Leach-Bliley Act requires the financial 
regulators to have substantial authorities over cyber security. 
The Federal Communications Commission (FCC) has provided, and 
certainly has substantial authority over, cyber security 
standards if they choose to use all of their authority. The 
Federal Energy Regulatory Commission (FERC) has some authority. 
What is probably missing is some coordination and what I would 
describe as nimbleness in responding to new threats. And that I 
think is something that DHS can do if it is given clear 
authority and clear--not authority; they have the authority. 
They need a mandate from the Administration, from the 
President, and perhaps from this Committee.
    Thank you very much.
    Chairman Lieberman. Thanks, Mr. Baker. That was very 
interesting testimony, very helpful, and has a certain healthy 
degree of skepticism that comes with having had considerable 
governmental experience. It is a longer view, but it is one 
that is very valuable to us.
    Next, we are going to hear from the previously mentioned 
and saluted James Lewis, Director and Senior Fellow, Technology 
and Public Policy Program at the Center for Strategic and 
International Studies, which did the report to which both Mr. 
Baker and I referred. Thanks for being here.

  STATEMENT OF JAMES A. LEWIS,\1\ DIRECTOR AND SENIOR FELLOW, 
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND 
                     INTERNATIONAL STUDIES

    Mr. Lewis. Thanks very much. And I thank the Committee for 
the opportunity to testify. And also, I applaud your efforts to 
try and deal with the new security challenges we face. I am so 
glad to be here.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Lewis appears in the Appendix on 
page 86.
---------------------------------------------------------------------------
    To summarize the state of cyber security, our networks are 
vulnerable, our opponents are inventive and energetic, and we 
are disorganized. Many people have worked hard in recent years, 
but the United States is late and we are not doing enough.
    As a Nation, we have been slow to realize how important 
cyberspace has become for economic and national security, and, 
therefore, slow to give it the priority it requires. The United 
States is being dragged down by weak cyber security, losing its 
edge in commerce, innovation, and defense. The problems we 
face, espionage, crime, and risk to critical infrastructure, 
will never go away, but they can be reduced by coordinated 
government action. Put bluntly, we need a comprehensive 
strategy and somebody in charge of it.
    To date, the United States has been unable to produce 
either leadership or a strategy. The 1998 Presidential 
Directive 63 still shapes policy, but it was overly fond of 
czars. The 2003 national strategy to secure cyberspace was 
neutered by ideology and internal conflict. The 2008 
Comprehensive National Cyber Security Initiative (CNCI) has 
some valuable elements, but it was not comprehensive. It was 
also hobbled by infighting, and it came far too late.
    So in 2008, CSIS, as you have heard, put out a report that 
recommended a comprehensive national approach. We called for 
the creation of a strong White House cyber advisor with clear 
authorities and a comprehensive national strategy that would 
use all the tools of U.S. power, international engagement, 
military activity, economic policy and regulation. Our report 
contained other important recommendations that I am sure some 
of my fellow witnesses will mention, including the need for 
increased education, modernization of outdated laws and other 
activities.
    While policy must be led from the White House, agencies 
must carry out implementation and operation activities. 
Operational responsibility for cyber security falls on three 
agencies: The National Security Agency (NSA), the Federal 
Bureau of Investigation (FBI) and DHS. The previous 
Administration assigned DHS the lead role for cyber security, 
but this was beyond its competencies. DHS is not the agency to 
lead intelligence, military, diplomatic, or law enforcement 
efforts. This does not mean that DHS does not have an important 
role, and it is time for that agency to begin to perform it.
    DHS is responsible for protecting critical infrastructure 
and for securing the civilian government networks. It is 
beginning to build the capabilities needed to carry out these 
missions, but this will require sustained investment in 
facilities, technology, and DHS's cyber workforce.
    To date, cyber security at DHS does not have the resources 
it needs. DHS needs better technologies to secure civilian and 
government networks. The CNCI had a program named Einstein. 
Einstein is inadequate, whether it is Einstein 1, 2, or 3. Who 
knows? Maybe 4 will work. The real question is whether there is 
a way for DHS to work with NSA to secure all government 
networks. This is, of course, a sensitive topic. NSA has the 
capabilities. DHS has the responsibility. But there are 
compelling constitutional reasons for restricting NSA's role. 
However, it would be a serious error not to take advantage of 
NSA at a time when our government networks are under sustained 
and successful attack.
    DHS might also want to reconsider some reorganization 
within the National Cyber Security Division (NCSD). Perhaps a 
first step would be to merge the U.S. Computer Emergency 
Readiness Team (US-CERT) and the national communications 
systems and its component into a single entity inside of NCSD.
    DHS's cyber functions are part of its National Protection 
and Programs Directorate (NPPD). This directorate needs better 
plans to merge physical infrastructure and cyber infrastructure 
protection. The National Infrastructure Protection Plan is more 
like a dictionary than a plan. DHS needs short implementable 
plans on how to protect critical infrastructure and assure the 
delivery of critical services in the face of cyber attack.
    As part of its critical infrastructure responsibilities, 
DHS is the Federal interface with critical infrastructure 
owners and operators. This is an important role, but the 
current partnerships are inadequate, and DHS might want to look 
at the Department of Defense (DOD) Defense Industrial Base 
Initiative as a model for partnership and information sharing.
    DHS must be part of the larger regulatory effort to improve 
cyber security. To date, the United States has relied on market 
forces and voluntary action. But to quote the former chairman 
of the Securities and Exchange Commission, ``The last 6 months 
have made it abundantly clear that voluntary regulation does 
not work.'' Much of the opposition to regulation involves the 
replay of warmed-over dot-com ideology and a strong desire by 
the private sector to escape liability. I am very sympathetic 
to that.
    As with any complex issue, there is no black or white 
answer. Too much regulation will damage the economy. Too little 
regulation will damage the economy and also harm national 
security. We need to find a middle course that balances 
commercial and national security interests. A new Federal 
approach to cyber security must elicit action from the private 
sector that it will not otherwise perform.
    DHS does not have the regulatory authority for most 
critical infrastructure when it comes to cyberspace. One thing 
to consider is whether to give DHS new and expansive 
authorities or whether to use existing authorities with current 
regulatory agencies, like the FCC, FERC, Nuclear Regulatory 
Commission (NRC), Federal Deposit Insurance Corporation (FDIC), 
and there are many others.
    The Administration has recently concluded a 60-day review 
of cyber security policy. This was a spectacular effort. Most 
of us did not think they would be able to finish on time. And 
while few public details have been released, it appears that 
the White House will play a greater role in organizing and 
leading cyber security policy. There will be greater attention 
to international engagement and to relations with the private 
sector, and there will be closer coordination among agencies.
    My hope is that the 60-day review leads to a strong White 
House cyber advisor with clear authority to set policy and 
guide budgets. More fumbling among agencies will only lead to 
disaster. But with so many different equities involved in cyber 
security, we face gridlock. There is a regrettable debate over 
how much authority the White House cyber advisor should have 
over policy and how strenuously the United States should 
protect its cyber networks. There is a trade off, some say, 
between security and innovation. I say this debate is 
regrettable because our opponents are not waiting 60 days to 
attack us.
    The United States is in a very unfortunate situation. We 
have made better use of cyberspace than our competitors, and 
this has provided real economic benefits. Our reliance on 
cyberspace holds the potential for innovation and future 
growth. However, the combination of greater reliance and 
inadequate attention to security has left us more vulnerable 
than our opponents. If we cannot change this, the power and 
influence of the United States will shrink, and our prosperity 
and security will be damaged. Congress and the Executive Branch 
have the opportunity to avert this damage if we can act 
decisively.
    I thank you for the opportunity to testify. I will be happy 
to take your questions. Let me say, it was more fun to testify 
against Mr. Baker when he was in the government because he was 
a little more constrained, but I welcome the opportunity to 
take your questions.
    Chairman Lieberman. Thank you.
    Well, we like Mr. Baker in both roles. He is more 
unpredictable in this one. Both of you, though, have portrayed 
a crisis, which this is. And the question is what we can do 
together about it. Thanks for your testimony.
    Next, we are going to hear from Alan Paller, Director of 
Research at the SANS Institute.
    Thanks so very much for being here.

    STATEMENT OF ALAN PALLER,\1\ DIRECTOR OF RESEARCH, SANS 
                           INSTITUTE

    Mr. Paller. Good morning, Senator Lieberman, Senator 
Collins, Senator Carper, and Senator Landrieu. Your taking on 
this issue is really impressive. It is a complex issue. The 
language is arcane. It is just a pain.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Paller appears in the Appendix on 
page 90.
---------------------------------------------------------------------------
    It turns out that you in your opening statement talked 
about what is really the central problem, which is that there 
is a gap between the attackers and our defenses. What is 
problematic is that the gap is growing at an increasing rate. 
So all this discussion is important, but we are falling behind 
at an increasing rate.
    Let me give you just one simple example. There is a young 
man named Tan Dailin, who is a graduate student at Sichuan 
University. In 2005, the People's Liberation Army (PLA) noticed 
he was hacking into a computer in Japan, so they picked him up 
and said, wouldn't you like to be a contestant in our annual 
competition for who the best hackers are in Chengdu province? 
That is a southwest province of China.
    He entered the competition. His team actually won 10,000 
Renminbi. They put him through a 30-day, 16 hour a day, 
workshop, where he learned to develop really high-end attacks 
and tuned his skills. And then they put him in competition with 
teams from all of the rest of the military sub-units in the 
Southwest China, and his team won that. They won 20,000 
Renminbi. He was famous and important.
    He set up a little company. No one is exactly sure where 
all the money came from. But that company created the hacks 
that were found inside--this was September 2005 when he won it. 
By December, he was found well inside DOD computers. The summer 
of 2006 was a particularly bad summer for the United States 
because there were a lot of what are called zero-day attacks, 
which are attacks that happened using vulnerabilities that the 
vendor has not patched yet. So there is no defense. And his 
team was found to have been the team that built six of those 30 
or so zero-day vulnerabilities.
    What I am trying to say is that other nations are investing 
heavily in creating massive new technologies, and our defenses 
are childlike. What we have done under the Federal Information 
Security Management Act (FISMA) regulations is just 
embarrassing. And the result is much more than the public 
knows. You have not, but the House has had testimony saying the 
Commerce Department and the State Department have been deeply 
penetrated. What has not been told is that every other major 
department has been equally or more deeply penetrated, one so 
greatly that NSA had to bring their blue teams in just to find 
all of the problems.
    We do not tell the public that because it is embarrassing, 
but it is just a symptom of what is happening. Eastern Europe 
has organized crime groups that recruit developers. But the way 
they recruit them is with lies and money. And then when they 
find out that they are working for organized crime, and they do 
not want to, crime groups use terror. They threaten their 
families. They kill their families if they do not want to work.
    You talked about the $10 million that was obtained in 30 
minutes. What was interesting about that case is the reason it 
stopped was the ATMs ran out of money. That was the only 
reason--they were just empty.
    Chairman Lieberman. Just take a moment and explain why the 
30 minutes. Was that thought to be a period of vulnerability in 
the systems?
    Mr. Paller. Well, I did not talk to them. The FBI thinks 
they assumed they would not get caught doing it if it was short 
enough; that the triggers would not happen. What was 
fascinating is you might ask, how can they get that much money 
out?
    The attackers actually had control of the computers inside 
the bank and were raising the limits of how much each of the 
cards could take out of the ATM as the ATMs were being emptied. 
You normally have a $300 or $500 limit. Those limits just kept 
growing, and it was because the attackers had control of the 
computers as well as they had made all these white plastic 
cards. But that $10 million is one of thousands of attacks.
    You heard about the multi-city power outage that the 
hackers did. Why did they do that? Well, it is all extortion. 
If I have control of your computers, and I say I am going to 
take the power out, and you say, no, you will not, well, all I 
have to do is take the power out for 2 days, and every other 
utility will pay. It is a massive money-making scheme, and that 
money can be used to buy extremely advanced technologies. Our 
defenses, the way we have built them under the FISMA 
legislation are just--they are antagonistic to improve 
security. They are not just not improving security, they are 
actually working against it.
    But there is a wonderful story I want to share with you. It 
is why I was happy to come today. It is one huge success. It is 
a Federal success. It shows not only can the Federal Government 
radically improve security, but that the effect can spill over 
into the defense industrial base and into the critical 
infrastructure.
    It started when NSA was briefing John Gilligan, who is the 
Chief Information Officer (CIO) at the Air Force, and they told 
him they could get into Air Force systems in 30 minutes. And he 
said to them, you are not helping us. Tony Sager was the 
briefer from NSA. John said to Tony, ``You are just not helping 
us. You show us how you break in. We fix everything. A few 
months later you are going to come in and break in again.'' 
This is the key statement. ``Can you get all your attackers 
together and tell us what the critical things are we should 
have done that we should do to protect ourselves?''
    You hear Melissa Hathaway talking about offense must inform 
defense. The fundamental error under FISMA was that we asked 
the people who did not know about offense to tell us how to do 
defense. You cannot do that. You just cannot do that.
    So Tony went back and got the attackers together, showed 
John how to configure the systems, and they implemented those 
better configurations on a half a million computers, but they 
had to--this is from your opening statement, Senator Collins. 
You talked about the key role that the private sector plays 
using procurement. That is the one huge lever you have. There 
is nothing close to it. If you want to change security, the 
lever you have is procurement.
    So what John did is he went to Microsoft. Microsoft said, 
no, we are not going to give you a different configuration than 
what we give everybody else. One size fits all. You have to 
take the one we give you. And he went to Steve Ballmer and 
talked him into giving them a more secure configuration. They 
implemented across a half a million machines. Here are the 
results.
    One, it used to take 57 days on average to patch the 
machines. That is a good number in the Federal Government, 57 
days, way too long. Now it is 72 hours and heading down toward 
24. So they were able to change the way they manage computers 
because they have these good configurations. They saved $100 
million in procurement. They save more than $100 million every 
year because they do not have to test the patches on every one 
of their different configurations. And they save $30 million on 
energy costs because the settings actually were energy-saving 
settings.
    But most importantly, because all the experts said this 
would not happen, the users were significantly happier. The 
help desk director at the Air Force reported that their help 
desk calls were down by 50 percent because the users actually 
were better off. So here you have much better security, much 
lower costs, and happier users. And Karen Evans, to her credit, 
actually took that initiative and said to the rest of the 
government, let's do that as a government.
    The challenge right now is that the attackers have gotten 
so far ahead, that is only one piece of what has to be done. So 
John went back to Tony and said, what are the rest of the 
things that have to be done, and he has created a new list of 
the critical things that must be done to secure Federal 
systems.
    The one most important thing in all of that lesson is, the 
Federal Government has the big lever. And it is the $70 billion 
in information technology (IT) procurement that you use each 
year. When we talk about public-private partnerships, those 
are endless meetings. I am sure you have sat in on some of 
them. They go completely different, if you are about to spend a 
half a billion dollars, which is what John Gilligan did.
    The great partnership is: Let's spend little pieces of that 
money--I am not saying increase the money. These commercial 
organizations are more than willing to deliver more secure 
systems. They actually like it, if you will tell them what 
secure is. That is where NSA comes in. You cannot ask the 
National Institute of Standards and Technology (NIST) to do it. 
They do not know what the attacks are. You have to get it from 
NSA and US-CERT.
    But once you know what the defenses should be, you can use 
procurement dollars to actually spend less money and have more 
secure systems. And what I like most about that story is that 
it trickled down. Microsoft now sells that more secure 
configuration to the defense industrial base, to the utilities. 
So you, using your procurement power, actually changed the 
nature of software and hardware so that it has been built more 
securely, there is nothing to stop the vendors from selling 
that more secure version to everyone.
    So the idea of leadership to me is not whether it is a 
White House or DHS leadership, it is whether you use the $70 
billion a year that you spend on information technology to make 
the Nation safer. Thanks.
    Chairman Lieberman. Thanks very much, Mr. Paller. That was 
really riveting testimony. And it is very important to tell 
these stories to help laypeople, if you will, get into this.
    We will enter your statement, along with everybody else's 
statement, into the record. Also, please take a moment to tell 
us what the SANS Institute is and, therefore, what credibility 
you bring to this task.
    Mr. Paller. We are the main teachers. We have about 100,000 
alumni in 60 countries. We train the FBI, the NSA, the British, 
the Japanese, and the Indonesians. We teach the very advanced 
cyber security courses, forensics, and intrusion detection. And 
we also run the Internet Storm Center, which is an early 
warning system.
    Chairman Lieberman. That is great. Thank you.
    Tom Kellermann is the Vice President of Security Awareness, 
a pretty good title, for Core Security Technologies. He brings 
another unique perspective to assist the Committee as we 
undertake this responsibility. So we thank you for being here 
and welcome your testimony now.

  STATEMENT OF TOM KELLERMANN,\1\ VICE PRESIDENT OF SECURITY 
             AWARENESS, CORE SECURITY TECHNOLOGIES

    Mr. Kellermann. Thank you, Senator. I greatly appreciate 
the opportunity to debrief this Committee on serious economic 
and national security risks that we are facing today from a 
cyber perspective. Much of my experience comes from my days at 
the World Bank Treasury on the security team there. And I will 
caveat that with the need for all of us to appreciate the Art 
of War by Sun Tzu. We need to really appreciate how offense 
informs defense, but not only that, how we can better layer 
security and implement policies and programs to create defense 
in depth across not just the Federal Government but critical 
infrastructures.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Kellermann appears in the 
Appendix on page 100.
---------------------------------------------------------------------------
    The horrible events of September 11, 2001, should have 
taught us a fundamental lesson, which was that non-state actors 
will use technology against our critical infrastructures. More 
importantly, it is obvious since September 11, 2001, that 
terrorists' financing has been directly related to the proceeds 
of cyber crime, and the modern day silk road directly relates 
to those bank accounts that were pilfered in that case that 
Melissa Hathaway spoke of at RSA Security.
    The DHS has done a successful job, I think, regarding 
increasing the Federal standing per cyber attacks, however, 
there are some challenges that do detract from these efforts. 
First of all, the lack of management continuity. Many of DHS's 
senior cyber security leadership positions are political 
appointments by nature, and they result in frequent turnover of 
management personnel and changes in priorities and focus of an 
organization's mission. There is an insufficient support 
structure within DHS to provide fundamental functions to 
support cyber security needs, particularly the needs of what I 
consider the four most functional aspects of the National Cyber 
Security Division, which are the Electronic Crimes Task Force, 
the Secret Service, the US-CERT, and the Federal Network 
Security Branch.
    Specifically, as I relate to this, the Federal Network 
Security Branch is no longer the lead when it comes to 
establishing the standards of cyber security and computing 
across civilian agencies, and many times it has to defer to the 
Office of Management and Budget (OMB). So that leadership 
position should be increased. I think that they should have the 
capacity to conduct red-teaming exercises against civilian 
agencies to determine where these vulnerabilities are, to 
determine where the priorities should be for IT spending.
    This is a common problem across the Federal Government, 
where you have CIOs and Chief Technology Officers (CTOs) 
leading the way vis-a-vis what should be spent on IT and IT 
security. And CIOs' mind-sets are much about productivity, 
efficiency, access to services, and culturally differ from the 
defensive perspective of Chief Information Security Officer 
(CISO) community. And I think that it is important from a 
governance perspective that the perspective be raised to the 
top, particularly vis-a-vis the allocation of budgets and the 
expenditures of funds necessary to secure systems.
    To this point, as evidenced by specific campaigns carried 
out against Federal agencies in recent years and further 
illustrated by recent trends emerging in the larger cyber crime 
landscape, a true lack of situational awareness and an 
inability to predict the specific methods being utilized by 
electronic assailants is pervasive throughout the Federal 
Government, particularly as it relates to the recognition that 
the enemy no longer wants to disrupt service; the enemy wants 
to remain persistent and clandestine. The enemy in fact wants 
to launch a cyber insurgency or a cyber infiltration against 
your systems. And in the end, if they are given command and 
control, they want to remain on mission but also be able to 
control the integrity of your data to manipulate you in any 
which way they should feel necessary.
    To address this dire reality, which has been highlighted 
most recently by the public incidence of energy hacking 
across the grid, not only in the U.S. but overseas, and the 
Heartland payment systems breach, which was one of the most 
massive financial breaches in the past 50 years--to that note, 
over 200 banks were impacted by the Heartland breach, not just 
the cards themselves, but those bank systems that were 
connected to those systems--we need to represent the reality 
here that cyberspace is an aquatic environment. And if you can 
attack one segment of the water, you can infect the entire 
environment.
    It is important that because of this reality, the Federal 
Information Security Management Act compels agencies to undergo 
more frequent, internal assessments to gauge their risk to 
cyber attacks, and not just check-the-box exercises for 
compliance, but really using the dynamic guidance given that is 
being sponsored by Tony Sager and John Gilligan, vis-a-vis the 
Common Audit Guidelines (CAG). And, specifically, agencies 
should be required to conduct regularly extensive security 
audits of their IT systems using the red team mentality and 
best practice identified by folks like Tony Sager, John 
Gilligan, and the CAG.
    In addition, I would ask this Committee to consider the 
creation of systems of accountability, including penalties for 
those organizations and civilian agencies who are not properly 
addressing those critical vulnerabilities, and tailoring their 
IT budgets to addressing those critical vulnerabilities. There 
is too much plausible deniability in the system right now, and 
people do not actually undergo this type of red teaming or 
penetration testing because they want to maintain plausible 
deniability to insulate themselves from not only the clean up 
but also the criminal negligence that would come had they not 
addressed or remediated the problems that were found.
    In addition, we must use these benchmarks to extrapolate 
this phenomenon to third-party outsourcing. The infamous breach 
of DHS 3 years ago was based on a lack of a standard of care in 
due diligence enforced by a third-party managed service 
provider. The previously noted Verizon Data Breach report noted 
that 39 percent of breaches were directly related to strategic 
partners. This was not cases of strategic partners attacking 
systems, but those systems of the strategic partners being 
compromised and used as island hops to transit and attack those 
primary systems.
    It is imperative that we grapple with this systemic risk 
imposed by the outsourcing and offshoring of not only American 
jobs but the digital ecosystem on which we are heavily 
dependent. In order to promote and create a secure U.S. cyber 
ecosystem, this Committee should consider mandating that all 
entities who provide managed information security services, of 
any sort to the U.S. Government, or providers of such services 
to critical infrastructures as defined by the National 
Infrastructure Protection Plan (NIPP), at the very least enter 
into information security service level agreements, which go 
beyond the service level agreements today, which are 
essentially contracts that have mediocre terms of liability and 
recourse and are far too much focused on resiliency and up time 
of the data versus the integrity and confidentiality of said 
data.
    The agreements must require that these service providers, 
at a minimum, have the same standards of legal and layered 
security as defined by NIST-800-53, but also move forward and 
allow that entity, the primary consumer of those services, to 
conduct audits based on things like the CAG of those systems, 
and mandate remediation timetables of those systems.
    We must use Federal acquisitions policy to require that 
these service providers comply with all these individual 
requirements. Those organizations who already are compliant 
with FISMA, who are being proactive, should inherently receive 
tax credits or some sort of benefit from the system for being 
good Samaritans in the cyber landscape.
    In summary, while the national and worldwide cyber pandemic 
is currently scaling in an exponential manner, I would submit 
that the significant gains can be realized through the Federal 
Government today by the political obligation of more aggressive 
attention to these issues. In this dark hour, we need strong 
bipartisan leadership. The dramatic increase in cyber attacks 
necessitates action. The recent 60-day cyber review developed 
by Melissa Hathaway represents a great starting point for real 
policy and strategic leadership, but it cannot be operational 
without the good work of DHS and this Committee.
    It is paramount that this Committee understand that it too 
can serve a fundamental role of change in defending our 
Nation's critical infrastructures from this pervasive 
phenomenon, and I appreciate your consideration of my statement 
and, of course, your public service.
    Chairman Lieberman. Thanks so much, Mr. Kellermann.
    That sets it right up for the question period. We will do 
7-minute rounds of questions.
    Let me make a statement based on what you have said and 
what I have learned here on this Committee, but also in the 
Armed Services Committee. We have a lot of overlap between the 
two committees.
    For a number of years, we have been warned in the Armed 
Services Committee of the threat of asymmetrical warfare, which 
is to say the United States has become so strong in what might 
be called conventional warfare that it would be natural for 
somebody wanting to do us ill to not try to compete with us on 
that level, but to look for the weakness, the vulnerability, 
and to attack us in that sense, asymmetrically.
    The second reality that we are dealing with, of course, is 
that after September 11, 2001, we are involved with Islamist 
terrorists in a global conflict, in which some of the old, 
traditional rules of warfare are gone, which is to say, this is 
not planes against planes, ships against ships, armies against 
armies in conventional battlefields. People strike at us from 
the dark and have no hesitancy to strike civilian populations, 
as we saw here, painfully, on September 11, 2001.
    So you put both those together, the warnings that we got 
about asymmetrical warfare and the new rules of the conflict we 
are in, particularly in which civilian targets are open 
targets, cyber attack just jumps right out at you, doesn't it, 
as a major threat to the security of the United States; and 
makes relevant not just the defense that the Department of 
Defense must provide to defend cyber systems, but all of the 
privately controlled cyber systems in our country that really 
are in control of our financial system, our power generating 
system. You could go on and on; our healthcare system could be 
incapacitated.
    So I want to invite a reaction. To me, this is a real 
crisis, but I invite you, if you think I am overstating it, to 
say that. But here is my concern. If I were an enemy, either a 
state enemy or a non-state enemy, like a terrorist group 
wanting to do us harm, it seems to me one of the first most 
attractive ways to attack us would be a cyber attack, both 
because of the difficulty of finding me, the enemy, but also of 
the tremendous damage I could do at this point in the status of 
our cyber defenses.
    Is this true, Mr. Paller?
    Mr. Paller. I think you are absolutely right, but I do not 
think the time is yet, meaning I think right now it is easier 
to bring a bomb across the border and blow somebody up. And if 
you are going to do terror right now, that simply works.
    As we strengthen the borders, as we make it harder and 
harder to do kinetic attacks, this kind of cyber attack will 
become the attack of choice. And the reason that it is such a 
challenge, that you have to act right now, is that asymmetric 
warfare means pre-establish and control. So when the Chinese or 
another Nation gets into a Senate committee computer, they do 
not get in to steal the data, they get in to steal the data and 
to leave something so that they can change information at 
critical moments.
    Chairman Lieberman. Correct.
    Mr. Paller. So it is now that we have to fix cyber security 
in government and the commercial sector because the war will 
come later that will be fought in cyberspace. But I do not 
think we are sitting here waiting for a new attack against the 
power plants of America in the next 6 months.
    Chairman Lieberman. OK. You in your testimony, Mr. 
Kellermann, made some references as to how these both come 
together. Organized criminal groups see an opportunity to hold 
up private entities for money by threatening cyber attack or 
actually carrying them out. You raised the question of whether 
that clearing of the $10 million from the ATMs, some of that 
money may have ended up or may have started with organized 
crime, maybe not, and terrorism usage. But in your written 
testimony, you used the example of the Bali bombings in 2002 as 
an example of a terrorist attack that was funded by cyber 
crime.
    Just take a quick moment and tell us about that.
    Mr. Kellermann. What is interesting about the Bali bomber, 
Imam Samudra, was that he not only financed the attack through 
credit card fraud and precipitated through cyber crime, but he 
wrote a manifesto of sorts while in an Indonesian prison, 
stressing that Jihad could best be waged by using the money of 
the infidels to finance the physical acts of terror against the 
infidels. And you will see actually a spike--and I am sure Mr. 
Paller can speak to this with Internet Storm Center. You have 
seen a spike since in the number of hacker attacks emanating 
out of Indonesia. There is a realization of sorts that this 
Robin Hood mentality, that the lack of resources that these 
communities traditionally have, can be acquired through cyber 
means because the financial sector is so porous and too over-
reliant on perimeter defenses.
    But more importantly, vis-a-vis the different types of non-
state actors, you have a dark ages mentality now in the 
underground, where you literally have communities that are 
assisting other communities without ever meeting them, in a 
very ephemeral sense, and acquiring the weapons grade 
technologies to attack systems, whether or not they have 
computer skill sets, as well as the sale of systems that have 
already been compromised is widespread, as well as financial 
details in bank accounts and credit card numbers can be sold 
for $40 a pop in this system, to any actor, so long as they are 
not considered a ripper, which is someone who is untrustworthy, 
that they do not follow through with deals.
    Chairman Lieberman. I have very little time left, but I 
want to just draw out, Mr. Baker and Mr. Lewis, on the debate 
you have about how we should best organize to respond to this.
    Am I right that both of you agree that the Department of 
Homeland Security should have primary responsibility for non-
defense Federal Government computers and for the interaction 
between the Federal Government and the private sector in regard 
to cyber defenses? Is that right?
    I want to say for the record that both are nodding 
affirmatively.
    So let me understand. Mr. Lewis, you have been very clear. 
You think there ought to be an office in the White House to 
coordinate everybody involved, DHS, NSA, DOD, and others.
    But, Mr. Baker, let me understand what you are suggesting. 
Do you think the Department of Homeland Security should play 
the overall governmental coordination role or that there is not 
really a need for one?
    Mr. Baker. Let me address that. There is a need for more 
coordination; there is no doubt about it. It would be my 
suggestion that what is needed is not just a coordinator. This 
is something that the National Security Council does all the 
time. They coordinate and resolve disputes between agencies, 
and they can lead agencies.
    What they will need is support in actually identifying the 
precise steps that ought to be taken on an urgent basis, if 
necessary, the kind of day-to-day research into the problem and 
the response to the problem, the development of standards and 
regulatory approaches and procurement standards that we have 
been talking about here. Everyone recognizes there needs to be 
greater detail in the administration of the actual cyber 
security enterprise, and the question is, should that be done 
at DHS or by some new agency that will be created in the 
Executive Office of the President. I would suggest that it 
ought to be done at DHS.
    Chairman Lieberman. You would prefer DHS. And insofar as 
the overall coordination, you would have that be done by 
someone working at the NSC or the HSC.
    Mr. Baker. There is no doubt there needs to be very strong 
presidential leadership, probably through the NSC on this. It 
is really a question of how you staff that leadership.
    Chairman Lieberman. Right. Thank you. Senator Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Mr. Baker, let me resume where the Chairman left off.
    When Senator Lieberman and I sat down to implement the 
recommendations of the 9/11 Commission back in 2006, we quickly 
realized that one of the Commission's recommendations having to 
do with the placement of the National Counterterrorism Center 
(NCTC), within the Executive Office of the President was not a 
good idea. And our concern is that it would have placed the 
NCTC largely beyond the reach of congressional oversight, and 
it also would have limited the personnel and budget that the 
center could have. And it also had implications for privacy 
concerns as well.
    When I hear this debate today, it is very reminiscent of 
the debate over the placement of the NCTC. One of the issues 
that we want to avoid is stovepiping again, of having agencies 
that are not coordinated, that are also beyond the reach of 
congressional oversight.
    I know that you followed that debate very closely. Do you 
see any lessons for us as we decide where the appropriate 
entity is to do this coordination in the decisions that were 
made back in 2006 with regard to the placement of the National 
Counterterrorism Center?
    Mr. Baker. I do, actually. And I did follow NCTC's 
implementation closely, both because of the Commission on the 
Prevention of Weapons of Mass Destruction Proliferation and 
Terrorism and because I knew the first two heads of the NCTC 
and worked with them closely at DHS.
    I think that the NCTC is a success, and a success in part 
because it is not in the Executive Office of the President. It 
is not buffeted by whatever is on the President's plate that 
day. It can actually build institutions, take the long view, 
and approach problems with a bit more discipline than you can 
afford when you are trying to follow the ball in the Executive 
Office of the President.
    It also has been able to develop a privacy agenda that I 
think has worked. The responsibility to report to Congress has 
worked out well for NCTC and I think for the insight of the 
Nation into its activities. And I would envision a similar role 
for DHS. That is to say, when I was at DHS, I saw NCTC in some 
respects as an extension of the NSC. They worked for the NSC. 
They were particularly responsive to the President's 
priorities, but because they were outside of the immediate 
battle rhythm, they could do it on a more disciplined, long-
term planning basis. And that is something that I think DHS can 
do if the President and NSC choose to use them in that way.
    Senator Collins. Thank you.
    Mr. Lewis, I want to ask you a more fundamental question 
that came up in a discussion that the Chairman and I had last 
week on this issue.
    If a hostile nation were to shoot missiles at our country's 
power plants and, thus, disabled our electrical grid, we would 
immediately recognize that as an act of war. And the United 
States would marshal all of its resources to counter that 
action. Yet, if a hostile nation used computers to achieve 
exactly the same result, a complete disruption of our 
electrical grid, it is not at all clear that our government 
would view that as an act of war, assuming we could identify 
who was behind the attack, which is a whole other issue and 
challenge in and of itself.
    It is my understanding that the CSIS report has some 
specific recommendations to the President on identifying 
cyberspace as a vital asset, and sending a message to those who 
would attack us, using computers rather than missiles, that we 
would consider that to be an act of war.
    Could you talk about that issue for us?
    Mr. Lewis. Sure, I would be happy to. And let me say that 
we approached this as a national security problem, and we 
thought cyber security should be treated the way we treat other 
national security problems, which is that many agencies have a 
role. No agency has the lead. And so, when you look at our 
foreign policy or our national security policy, it is Defense, 
State, and the intelligence community. And all of them are 
coordinated by the NSC. And we thought the same sort of 
approach is the only way you can fix cyber security.
    So, for me, when I listen to Mr. Baker, NCTC is not a good 
model. Its mission is too narrow. DHS does not have the 
capabilities. We do not want DHS making the decision when 
something is an act of war or when it is not. That is properly 
given to the President. And that is the real issue, when is it 
an act of war?
    This gets back to some of your earlier statements. The 
Chinese have missiles. They are pointed at our power plants or 
at Los Angeles, but they are not going to launch them. They are 
not going to launch them until they need to. The Chinese right 
now have an intelligence advantage that exploit all of our 
networks, including yours. And they probably have left 
something behind that when there is a crisis, they can launch, 
just like they can launch their missiles. So this is not 
something that we should be surprised at. People have always 
been targeting electrical systems. It is just now they have a 
new weapon to attack it.
    Two issues, though. How do you determine who the attacker 
is? My guess right now is we only know perhaps in a quarter of 
the cases at best who is actually launching the attack. The 
other issue is when you decide to respond and how you respond.
    A response does not necessarily have to be keyboard versus 
keyboard, and we usually think of it that way. There is some 
geek over in China and there is some geek over in the United 
States. We have to get away from that. We have to say, from the 
White House, cyberspace is a vital national asset and we will 
use all means to protect it. A simple statement like that would 
be very helpful in putting our enemies on notice.
    We then have to follow it up with some actions. Again, for 
me that points to who should the lead role be. If you are going 
to expel an attache from an embassy because of a cyber 
incident, this is what you would normally do in espionage, it 
is not a decision that would be made by any one agency. It 
would be made by a couple of agencies working through the White 
House. So we have to start treating this like a grown-up 
national security problem and getting the real national 
security system involved.
    Senator Collins. Thank you.
    Chairman Lieberman. Thanks very much, Senator Collins. 
Senator Landrieu, welcome.

             OPENING STATEMENT OF SENATOR LANDRIEU

    Senator Landrieu. Thank you. And I appreciate the 
leadership of this Committee in an area that I feel very 
strongly about as well. And our State has made some initial 
steps working with the Air Force, in particular, to establish 
some benchmarks on this effort, which is why I am here today 
and want to continue to be involved.
    Before I ask my questions, Mr. Paller, let me ask what 
happened to the $10 million? Did they actually get it? Do we 
know where it is, and was it returned?
    Mr. Paller. The $10 million is in the hands of the 
organized crime group.
    Senator Landrieu. And that is----
    Mr. Paller. It is gone.
    Senator Landrieu. It is gone.
    Mr. Paller. And there are several more similar things 
happening as we speak, like that.
    Senator Landrieu. I know the primary debate, and it is an 
important debate, is how this is coordinated between agencies 
and who might take the lead role, but you have been very clear 
that there will be many agencies involved.
    Looking at the sectors that warrant the most protection, 
from the financial sector to the utilities sector, other 
sectors, and given, I think, Mr. Kellermann's comments about 
terrorists using our own financial sector and access to it to 
actually fund their operations, how would each of you rank 
those sectors in terms of importance, since we are behind?
    If we had to rank in order of efforts to protect, what 
order of sectors do you think is most important?
    Mr. Kellermann, why don't you go first?
    Mr. Kellermann. I would say financial sector is actually 
most important because, right now, for the last 10 years, 
organized crime and non-state actor community in general has 
been feasting on financial fraud, whether it is personally 
identifying information or funds transfer out of systems, which 
is why there has been an 80 percent increase in wire transfer 
fraud this past year.
    Senator Landrieu. And what would the second area or third 
area be?
    Mr. Kellermann. I would think there needs to be much more 
attention, actually, being paid to the healthcare sector, 
considering that we are trying to digitize health records, 
which can all be used to establish lines of credit in the same 
fashion that financial data could, in order to have revenue 
streams, per se, coming from the developed world into the 
developing world. The energy sector is obviously very 
important, the Smart Grid. It is going to create a huge 
systemic and operational risk that needs to be dealt with, and 
security must not be retrofitted on that.
    But realistically, the non-state actor community is using 
financial information and health information to establish lines 
of credit to finance physical acts of violence against U.S. 
interest. But more than likely, the state actors who have 
already penetrated these systems, they are not going to 
actually turn off the systems or change the integrity of the 
systems until there is actually an international conflict with 
the United States. So we can wait a little bit vis-a-vis those 
actors due to diplomacy and the need for the DOD to get their 
act together when it comes to cyber security and cyberspace.
    Senator Landrieu. Would any of you like to add something 
about--go ahead, Mr. Paller.
    Mr. Paller. Two completely industrial sectors. I think the 
greatest losses we could have, the place we have to act most 
quickly is in the defense industrial base. When you hear about 
the military losing things, it was not the military; it was the 
contractors. Those firms advise government on how to secure our 
systems, and then, like shoemakers' children without shoes, 
they give up all of the data. It needs a lot of attention, and 
DOD, as Mr. Lewis discussed, is already trying to focus on 
that.
    The second one for me is the power system. But I think the 
fact that he has two and I have two different ones means that 
you will find that the only way to fix those is through Federal 
procurement. If you do not enable them to buy more secure 
systems baked in, they are not going to be able to do it. You 
cannot fix the security of a system after you have bought it. 
If the people sell you a broken system, it is broken.
    Mr. Lewis. Just really quickly, we went through this in the 
commission, and we identified four sectors. The reason we 
identified them is we wanted to be able to take punches and 
keep moving, right? And those were the energy system, 
particularly, the electrical grid, telecommunications, finance, 
and government services, particularly at the Federal level.
    If those four can keep operating in the face of attack, we 
will be able to continue to perform as a nation.
    Senator Landrieu. Let me ask you, has the Pentagon 
identified which branch of the Armed Services should take the 
lead on this effort? Is it more natural to the Air Force or to 
the Army or to the Navy? If anyone would take 30 or 45 seconds 
to briefly describe your views on that.
    Mr. Lewis. The services all have different capabilities. I 
hear Navy is the best. Do not know that, but that is what I 
hear. DOD has decided to set up a new joint command with all 
the services, located at Fort Meade.
    There is a question about where it will be. Right now, it 
is under Strategic Command (STRATCOM). It might become an 
independent one. But the decision appears to be no one service; 
create a joint command, and that is probably the right 
decision.
    Senator Landrieu. Is there any role for the National Guard 
that any of you could foresee in this? And if you would like to 
describe or have you thought about that at all?
    Mr. Paller.
    Mr. Paller. Definitely. The key is you need practitioner 
knowledge. I train the National Guard guys who go over to Iraq 
each summer. They are wonderful. They have a lot of experience 
there. They have the skills. So the merger of that skill set of 
technology-literate people with the military is one of the 
great assets we have.
    Senator Landrieu. And it seems to me--and Mr. Chairman and 
Senator Collins, I want to particularly stress the idea of the 
National Guard taking a leadership role, and the idea that the 
kind of people that we need, Mr. Chairman, to man this command 
would be people that could be recruited from high levels of the 
private sector that might not be engaged 20 or 25 years in the 
Armed Services, but would be at very high levels that could be 
recruited to come into the National Guard, specifically 
committed to this mission.
    So I would urge this Committee to look carefully into the 
role that they might play, being located in all the States, 
very close, of course, to the governors and to the State 
government, and a good nexus between the Federal and State 
government. That might be an opportunity.
    I have many other questions I will ask. I only have 14 
seconds. So in closing, in terms of education and training in 
either our colleges, universities, or other levels, could you 
maybe, Mr. Paller, since you are involved with the SANS 
Institute, give a quick response to what some of our education 
committees could be doing in terms of investing in the 
workforce necessary to create the kind of intellectual strength 
we need in the coming decade or two for this in our country, 
given that so many international students are here and then 
leave with these prerequisite degrees and go back to other 
countries, some of which are not friendly?
    Mr. Paller. Big question. I will just give you one quick 
answer, and I will give you more if you want it later. But the 
quick answer is the most important thing you can do is change 
the way computer science and computer programming is taught in 
America, because programmers are not taught to write secure 
code. Every single one of these attacks happens because of a 
programmer error, and we are not teaching the kids who write 
software to write software securely. The faculty does not want 
to do it. So if you want to fix something, that is a wonderful 
one to fix.
    Mr. Lewis. Just quickly on that one, the President's speech 
yesterday got it right when he said we have to re-focus on 
science, technology, engineering, and math; that we have 
underinvested since the end of the Cold War, and now we are 
behind. And so it was great to hear yesterday. That will help 
create the environment where Mr. Paller's sort of training can 
really flourish.
    Mr. Kellermann. If I may, also I think that MBA students 
and MBA programs are very short-sighted because they teach that 
technology increases efficiencies and accessibility services, 
and productivity. They do not teach the risk management side of 
implementing widespread technology or the implications of 
systemic risk, whether it is outsourcing or offshoring. It is 
just looked at as a win-win and a panacea for fraud actually.
    Chairman Lieberman. Thanks, Senator Landrieu.
    Senator Carper is next on the list, but he is in the 
anteroom in a meeting. So I am going to call on Senator Burris 
in a minute.
    I want to express regret, apologies, to the four witnesses 
that I have to go off to another meeting. I believe Senator 
Landrieu and I are heading in the same direction. But we are 
going to leave you in the able hands of Senator Collins and 
Senator Burris, who will carry the hearing to the conclusion.
    You have been an excellent panel of witnesses. The reward 
for this behavior is that we will undoubtedly call you back. 
Senator Collins and I both were briefed by Melissa Hathaway 
last Friday. And her report is with the President, so we expect 
some public announcement of this soon. The President has built 
on the increases that President Bush asked for some of the 
cyber defense initiatives, in the fiscal year 2010 budget. And 
I expect that we are going to want to take a very active role 
here, probably including a legislative role. So I thank you 
very much for a really helpful testimony.
    With that, Acting Chairman Burris.
    Senator Burris. Thank you.
    Chairman Lieberman. You have come a long way very quickly.

              OPENING STATEMENT OF SENATOR BURRIS

    Senator Burris [presiding]. Thank you, Mr. Chairman, and 
Ranking Member Collins, and for an excellent testimony from our 
distinguished panel.
    One thing that is going through my mind, gentlemen, is a 
simple question. Mostly, it seems like we are on the defensive 
in all of this. We are doing all the planning to try to protect 
every aspect of our data from the would-be hackers or skilled 
intruders.
    Are we in this country doing anything on the offense? I 
mean, are we seeking to reach out to some of these would-be 
entities and also trying to hack into them to figure out what 
is going on on their side?
    Mr. Lewis, would you like to take a shot at that?
    Mr. Lewis. Sure. Let me start, and my colleagues can join 
in.
    We have offensive capabilities. They are among the best in 
the world. The problem is what I would call asymmetric 
vulnerabilities. We are a target-rich environment. So even 
though we are as good as our opponents, they have more stuff to 
shoot at. So, yes, we have offensive capabilities, but we are 
not in a position where that really is enough to protect us 
right now.
    Mr. Baker. I would add to that. It is true. I once said 
that, in contrast to my experience at NSA in the early 1990s 
and my current experience in government, we have gone from a 
situation in the early 1990s where the score in the game might 
be one to nothing, sort of like a soccer game, today when it 
might be 187 to 149. The offense has just taken over the field.
    Worse from our point of view, we are playing the rest of 
the world. We are on everybody's top five list as intelligence 
targets and they are all trying to get into our systems. And so 
for us to play defense, we really have to play defense against 
everybody else and that is a very demanding requirement.
    Senator Burris. Now, you mean some of our friendly 
countries also or where they are so-called friendly----
    Mr. Baker. As Charles de Gaulle said, nations do not have 
friends; nations have interests.
    Senator Burris. Well, the permanent interest arrangement, 
yes.
    Mr. Lewis. We have some good relations with some treaty 
allies, and then there is the rest of the world. That is a good 
way to think of it.
    Senator Burris. And we have to try to protect our system 
from all of those entities that are trying to get in because we 
are the biggest person on the block, I assume.
    Mr. Lewis. We are the richest and the easiest.
    Senator Burris. Which leads to the other question.
    But to what extent are there turf problems that are being 
resolved in the various entities in these various systems that 
we are having? And I assume that you, Mr. Lewis, are saying that 
this should really be controlled by the White House and not by 
DHS.
    Is turf a problem here in our security interests?
    Mr. Lewis. There are some really big elephants in the room. 
You have the Justice Department. You have the Department of 
Defense. You have the State Department. You have the 
intelligence community. These are hard agencies to control, and 
it is very difficult to get them all moving in the same 
direction unless you have somebody like the National Security 
Council kicking on them. And those of us who have been in the 
government know that you do not just tell the Attorney General 
or the Secretary of Defense and he does it. Someone has to have 
a reporting relationship, and the only place that exists is the 
President.
    So, yes, there are huge turf battles. Those are not 
necessarily bad. It would be better if we had fewer turf 
battles, but the only way we will get there is by establishing 
clear White House leadership.
    Senator Burris. I am pretty sure we do not put all our eggs 
in one basket, in terms of that would be a security problem if 
that were to happen.
    Mr. Lewis. That is right.
    Senator Burris. But there is a concern of coordinating all 
of this various defensive mechanism, which seems to be a major 
problem for us to do.
    Mr. Lewis. I think the place where we have had a little 
confusion is the distinction between direction and an 
operational role. Nobody wants an operational White House, 
meaning in a battle, the general does not drive the tank, but 
the tank driver does not set the policies. We need somebody in 
charge, but the people who actually implement the policies, who 
carry them out, who have the day-to-day missions, that should 
clearly be at the agencies, particularly DHS, which has a very 
major set of roles here. But none of the individual agencies 
are going to be able to coordinate all the other players on the 
team, and we have to think of this as a team effort.
    Senator Burris. Are you saying, Mr. Lewis, that DHS is 
probably the one that could look at setting the possibly policy 
rules for the other agencies, and there would be some type of 
oversight on those policy rules?
    Mr. Lewis. Not as it is currently configured. And Mr. Baker 
might disagree with me. But if you are looking for strategic 
thinking, if you are looking for international engagement, if 
you are looking for intelligence activities, all of those are 
in other agencies outside of DHS. In fact, the most active 
agency has been the Department of Defense. They have the 
National Defense University. It has done a great deal of work 
on defining things like when is it an act of war, what is 
deterrence in cyberspace. The intellectual capital is not 
located in any one agency, and that is why we need to 
coordinate.
    Mr. Baker. I do not disagree with much of that. NSA, in 
particular, is a source of enormous expertise and anyone who 
wants to make policy in this area is going to have to rely very 
heavily on them. Because they are the attackers, they know what 
works and they can, therefore, inform the defenders. And there 
is no doubt there has to be leadership from the White House and 
someone within the White House who is clearly responsible and 
able to make decisions and to drive consensus on the part of 
the departments.
    Where I think we may diverge is, I believe that DHS really 
should be staffing that person with respect to civilian agency 
and private sector coordination. I recognize that DHS has had 
growing pains for sure, and a lot of people would like to give 
up on it, but there is no other logical place to do this. In 
the last year, DHS has made real strides. They have great 
leadership now. And I think they are in a position to do much 
more than they have done over the last 3 or 4 years.
    Senator Burris. My time has run out on this round. But one 
question I hope that each one of you can respond to very 
quickly, what can we in Congress do in reference to this?
    Mr. Kellermann, you want to give it a----
    Mr. Kellermann. I think it is very important that we 
empower DHS to conduct red-teaming exercises across civilian 
agencies and critical infrastructures so they can identify what 
is most vulnerable; to allocate IT resources to fix these 
problems, so we at least have a benchmark of where we are and 
where we need to go beyond the compliance exercises that 
currently exist today. As well, I think through acquisitions 
policy, we need to mandate and require that those who provide 
managed services that create the systemic risks, the aquatic 
risks in the system, should be contractually bound to a 
standard of care, which has not been established yet.
    Senator Burris. Mr. Paller.
    Mr. Paller. The key lever you have is forcing the agencies 
to spend their money to buy security baked in. If you keep 
telling them to do security after they have bought technology 
that is broken, they are just not going to be able to do it. So 
you are a great weapon, and this is the one committee that can 
both set what needs to be done because you have wonderful 
people at DHS now working with NSA.
    Senator Burris. Are you saying put the authority in DHS to 
deal with the other agencies?
    Mr. Paller. Yes. The authority that was missing in DHS is 
what everybody calls the red button. At DOD, when Defense 
Information Systems Agency (DISA) says you are doing a bad job 
of security, if the other group says tough, DISA can pull the 
plug.
    Mr. Paller. So if you want DHS to have the authority you 
are talking about, you have to be able to pull the plug on 
their computers. And that is something that Congress has not 
yet been willing to do.
    Senator Burris. Mr. Lewis, any thought on that as well?
    Mr. Lewis. Sure. The three things that I think that only 
Congress can do, it can set priorities, it can modernize 
authorities, and it can provide the resources.
    Let me talk just for a second on the first authority.
    If some of us were in a classified briefing from DOD and 
they said, we are having an attack--this gets to your missile 
point--how do we respond? Is it Title 10, a military activity? 
Is it Title 50, an intelligence community activity? Or is it 
Title 3 or some other law enforcement activity?
    Right now, it is not clear. There is a whole set of 
problems as to how you could make it clear. But when you look 
at the authorities for response or for defense, they were 
mainly written in the 1980s, and they are out of date.
    Mr. Baker. I agree with everything that has been said up to 
now and I would offer this perspective as well. No one is going 
to come to you and say ``I have a turf fight; I would like you 
to take my side.'' Instead, every time changes in policy are 
made, someone's ox is going to be gored. And you are going to 
have business groups come to you, contractors who say ``I lost 
the contract because I had too many breaches, but that was not 
fair''; or ``My product was deemed insufficiently secure, so I 
did not get the contract and that is not fair''; or ``they are 
regulating me too hard.''
    All of those things are complaints that you will hear, and 
I ask that you take them with a grain of salt and ask, how are 
we going to solve the problem if we listen to all those 
complaints?
    Senator Burris. Again, I am way over my time. Senator 
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you.
    Welcome. Thank you each for joining us today. And thank you 
for your testimony today and your responses to our questions. 
Also thank you for helping to guide me, my staff, and others 
here in this Committee and the Subcommittee as we attempt to 
develop legislation that we hope is going to be helpful in 
addressing the concerns you all have been raising.
    My staff tells me that each of you has had a chance to take 
a look at the bill that we will be introducing later today. As 
you may recall, it revamps the way that the Federal Government 
handles cyber security. We do so by creating a new office for 
cyberspace. We focus on actual security instead of paper 
compliance and strengthen security officers within agencies.
    You just, in an indirect way, provided some answers to a 
question I have. What Senator Burris had just mentioned are 
some things we can do in the Congress to respond to these 
concerns. So some ideas of what we can do are embodied in the 
draft legislation that we expect to introduce later today.
    Could we just go down the row, and start with Mr. 
Kellermann, and just share with us what do you think is good 
about the bill that we have prepared for introduction and what 
is not so good? And are there some areas in the legislation 
that need to be added? Is there something that is missing that 
of which we should be mindful?
    Mr. Kellermann. As you stated earlier, I think that 
elevation of the office is critical. Moving away from paper-
based compliance exercises to more dynamic benchmarking is 
fundamental. And increasing accountability is also highly 
important and paramount to the success of this.
    I would like to see, actually, an expansion of it to bring 
to bear the four critical infrastructures that we have 
identified in the commission report because of the systemic 
nature of this risk, because all of these players, even 
private, can contribute through a lack of layered security to 
the economic and national insecurity of the government of the 
United States and the American citizens.
    Senator Carper. Thank you. Mr. Paller, before you answer, 
let me just say, in our business, as Senator Collins and 
Senator Burris know, we are always reminded to be on message. 
And I just want to say you were really on message. You were as 
good as anybody I have seen and always brought us back to 
procurement.
    Mr. Paller. You have three elements of the bill that are 
wonderful. I happen to be up on them because one of the press 
people called me at 11 o'clock last night----
    Senator Carper. How convenient.
    Mr. Paller. How convenient; exactly.
    But one is you have attack-based metrics in there, 
monitoring the things that actually block real attacks. What 
people have been doing in the name of FISMA is looking at 
everything in the world that might possibly be interesting in 
security, and they have not focused on the things that will 
actually block the known attacks. You also have continuous 
monitoring.
    Under FISMA, the government has been looking every 3 years. 
How long do you think that look lasts after the guy leaves? So 
there is a continuous monitoring of the critical ones. And the 
third one you have is procurement, gently, but it is in there.
    The challenge with the bill is that it also has a bunch of 
other nice things that people who do not want to do those three 
things will rely on. The bill is great. Whether OMB focuses on 
those three, and whether you help OMB focus on those three, is 
a big issue, but it is a wonderful bill.
    Senator Carper. Good. Thanks so much. And thanks for your 
help in crafting it. Mr. Lewis.
    Mr. Lewis. You can tell who the guru is because I did not 
get called by the press until this morning.
    Senator Carper. Well, they called me. I gave him Mr. 
Paller's number. [Laughter.]
    I asked him to wait to a little later in the evening. I 
said I think he is out, so maybe around 11 or 12 o'clock.
    Mr. Lewis. I think the bill is exactly right. It creates 
leadership. It moves to better metrics. It gets away from the 
paper-based approach. We desperately need to fix FISMA, so I 
really hope this bill goes through.
    Senator Carper. Thanks so much. Mr. Baker.
    Mr. Baker. I agree, FISMA is not working very well now, and 
any steps along the lines of the legislation that can focus the 
effort to improve security on real threats rather than moving 
paper would be useful.
    Senator Carper. Thank you.
    Let me stick with this a little bit if we could. I 
recognize that cyberspace is not an issue that is strictly the 
responsibility of the private sector. It is not the 
responsibility of civilian agencies. It is not the 
responsibility of just the Department of Defense or the 
intelligence community.
    Given that acknowledgment, what office should be 
responsible for ensuring that information is not only secure 
but free flowing and ensuring our expectations for privacy and 
civil liberties?
    Mr. Baker. In my view, there are really two agencies at the 
heart of this effort, the National Security Agency for the 
security of Defense Department systems and for bringing to bear 
the sophistication of attackers on the defensive effort, and 
the Department of Homeland Security which has defensive 
responsibilities, both for civilian and private sector 
networks.
    There are plenty of other agencies that have enormously 
important roles to play, but we do not have enough experts to 
spread them evenly among those agencies. We need to begin 
building a cadre of real cyber security experts on the civilian 
side that can match what NSA can bring to bear in the defense 
side. And I think DHS is where that critical cadre of expertise 
should be.
    Senator Carper. All right. Thank you. Mr. Lewis.
    Mr. Lewis. This has to be a team effort, so I think there 
are many agencies, as Mr. Baker said. I would have added FBI as 
the third critical agency in your mix. But right now, as one of 
my colleagues says, it is like a kid's soccer team, a bunch of 
7 year olds, here is the ball, they are all after it. The team 
needs a coach or a captain, and that is where I would say that 
your bill gets it exactly right.
    Senator Carper. All right. Thanks. Mr. Paller.
    Mr. Paller. I think Mr. Lewis said it fine.
    Senator Carper. All right. But you did not say it. No, I 
was just kidding.
    Everyone has said what needs to be said, except for me, so 
I am going to say it again. But I appreciate your brevity.
    Mr. Kellermann.
    Mr. Kellermann. I would concur with those comments, but I 
would stress one important fact that I think has been lost, and 
that is the privacy debate. We cannot achieve privacy without 
cyber security. The privacy advocates for a long time now have 
stressed that cyber security somehow impacts privacy. Physical 
security and the use of technology does impact privacy. But, 
realistically, the government does not have a monopoly on Big 
Brother anymore, and that is anyone who can hack. So I think it 
is important that the population respects your efforts in 
trying to preserve their privacy with these efforts to improve 
cyber security.
    Senator Carper. I am intrigued by other nations that are 
hacking into our system. I understand the motivation for kids, 
they do it for fun, the challenge. I can understand the 
motivation for criminal groups for the monetary gain. There is 
a lot of money at stake here and they have the ability to do it 
without going into a bank and robbing the bank, but still 
capture even more money. And I can understand the motivation of 
nations that are hostile to us, like terrorist groups that 
would like to bring us to our knees. I can see plenty of 
motivation there.
    It is less obvious to me when I see a nation with whom we 
have diplomatic relations, have had for some time, a nation 
with whom we have a robust trade relationship, a nation that 
buys enormous amounts of our Treasury securities. For that 
nation to be so anxious to be able to infiltrate our systems 
and, potentially, to undermine our systems, talk to us about 
that motivation, if you would.
    Mr. Baker. I think there are two things that are worth 
saying about this. First, we should not assume that all of the 
attacks on our systems are on behalf of a nation-state. There 
is a kind of shadowy world here that is closer to Sir Francis 
Drake than to an official naval force. That is to say, people 
may be protected by their government, encouraged by their 
government, rewarded by their government, but they are also 
free actors. And there is plenty of that going on in this 
world--digital privateers, if you will.
    But it is also true that many nations that we would 
consider friendly want the best possible intelligence about 
what we plan to do because it has a direct effect on their 
national security. And so they consider it only prudent to try 
to extract as much information from our networks as they can 
get. That does not mean they intend to shut them down, but the 
difference between extracting information and shutting down the 
network is just a question of what you leave behind when you 
get out. So, we do see nations that we would consider friends 
in our networks for precisely that reason.
    Senator Carper. All right. Mr. Lewis.
    Mr. Lewis. We are moving to a more competitive 
international environment. And that means, in the Cold War, it 
was us versus them. Now it is a multi-player game. It is more 
like baseball where you have many teams, and these teams want 
to get that intelligence benefit.
    For me, this is basically a spy story. Now, in particular, 
the Chinese and the Russians, they have been spying on us for 
decades. They found a new way. It is really cool. They are 
taking advantage of it. Does that mean they are not also 
planning to use this as a weapon in the event of a crisis? 
Well, of course, they are planning that. But their primary 
activity, the primary risk to national security now, lies in 
the espionage losses that we are suffering.
    Senator Carper. All right. Thank you. Mr. Paller.
    Mr. Paller. There is one more dimension of it, the economic 
dimension. They may be military friends, but they may be 
economic competitors. The head of the British Security Service 
(MI5) sent a letter to the presidents of the 300 largest 
companies in the United Kingdom, saying, if you are doing 
business with China, China is using exactly the same techniques 
to break into your computers, and your lawyers' computers, to 
take the data they need so they can negotiate from a position 
where they know more than you do.
    I know it is true in the United States because the managing 
partner of one of the largest law firms was the first visitor 
in my new house, telling me the FBI had been in to say every 
single document of every one of the clients has been taken from 
the law firm's computers. So there is a massive economic 
dimension to this, in addition to the military intelligence 
dimension.
    Senator Carper. Thank you. Mr. Kellermann.
    Mr. Kellermann. To that point, why even focus on research 
and development anymore when you can steal competitors' ideas 
and have competitor advantage in the marketplace? And 
realistically, why bother actually conducting espionage in the 
traditional sense, as Mr. Lewis stated, when one can remotely 
access systems and compromise systems?
    Senator Carper. All right. That is a lot to chew on, isn't 
it, colleagues? It is a lot to chew on. Thank you so much for 
being here today.
    Senator Burris. Thank you, Senator. We are going to call on 
our Ranking Member, Senator Collins, to see if she has any 
questions or comments.
    Senator Collins.
    Senator Collins. Thank you, Senator. I do have a couple 
more questions and one comment.
    Mr. Paller, you and I agree that the Federal Government has 
potentially enormous leverage to improve the security of IT 
purchases just using its purchasing power. I found very 
compelling the story that you told of a Federal official 
essentially begging the head of Microsoft to provide a more 
secure configuration.
    Do you have any specific recommendations for us on how we 
can use the Federal purchasing power to require the 
incorporation of better computer security in the software and 
hardware that we are purchasing?
    Mr. Paller. There are two levels you can do it. One is the 
same level the Air Force is doing, which is to persuade the 
vendors to sell more secure versions of what they now sell. And 
the way you do that is by setting up a partnership between the 
vendor and DHS and NSA to agree on what that more secure 
configuration is.
    Senator Collins. So to agree on standards?
    Mr. Paller. On standard configurations.
    Senator Collins. Standard, yes.
    Mr. Paller. So that we can all buy a safer version. They 
will push back, saying ``One size does not fit all.'' And the 
reality is, Microsoft sells one size of Windows to 100 million 
people. Oracle sells one size of its database to 100,000 
people. They all sell one size. So the line ``one size does not 
fit all'' is just a lie.
    But the more important opportunity for immediate action is 
every contract--so this is not just the contracts to buy the 
big stuff. But every contract should have three clauses, and I 
actually put them in my written testimony. I think Ms. Evans 
actually pushed them when she was at OMB. One is you have to 
make your software work on the secure configuration because if 
you sell me software that does not work on a secure 
configuration of Windows, I have to change Windows or not use 
your software.
    Two is, you have to make sure that the 25 most critical 
programming errors are not in your software. And I do not 
remember the third one, but it is in the written statement.
    Senator Collins. Thank you. Those are very helpful 
suggestions and ones that we should adopt.
    Mr. Kellermann, you have done a lot of work and research in 
this area, so I want to bring up an issue we have not talked 
about today. And that is trafficking in counterfeit information 
technology products. That is a global and growing problem. And, 
of course, it is unfair, because it costs legitimate patent and 
copyright holders millions of dollars of losses each year. But 
also, it is a security issue because these inferior products 
are far more likely to contain security vulnerabilities, either 
inadvertently because they are sloppily done, or by design.
    Do we need some sort of concerted global crackdown on 
counterfeiting of IT products to help improve our security?
    Mr. Kellermann. Yes, I believe we do. And I think the 
messaging behind that should be focused on the security aspects 
of that software. Even if it is pirated Microsoft operating 
system software, it will not be able to receive updates. And so 
it will persistently have vulnerabilities and holes in code. 
And be able to message that through the corporations and/or 
governments that are purchasing this type of software will be 
important for their understanding of the operational risks that 
they are taking by taking the short cut through the woods in 
this aspect.
    Senator Collins. Thank you.
    Mr. Lewis, I want to end my comments today by disagreeing 
with you on the record in your description of the National 
Counterterrorism Center (NCTC). Along with Senator Lieberman, I 
am the author of the law that created that center, so I know 
very well what the NCTC's responsibilities are. And as the law 
says, not only does the NCTC serve as the primary organization 
within the U.S. Government for analyzing and integrating all 
intelligence information, with the exception of domestic 
terrorists, but also it is specifically assigned the role of 
conducting strategic operational planning for counterterrorism 
activities with all the instruments of international power, 
including diplomatic, financial, military, intelligence, 
homeland security, and law enforcement activities within and 
among the various agencies.
    Senator Lieberman and I were talking that we remember this 
debate very well because it was extremely contentious to give 
NCTC the lead role in strategic operational planning. And on 
this issue, the NCTC reports directly to the President so that 
the agency has the credibility needed to do the job.
    Furthermore, I had my staff check this morning, after you 
responded that NCTC had a very narrow mission, to see whether 
in the new Administration the NCTC is still acting as the lead 
for all agencies on strategic operational planning. And, 
indeed, it is. In fact, more so in this new Administration.
    So I just wanted to correct that for the record.
    Mr. Lewis. Could I add one thing?
    Senator Collins. You certainly can.
    Mr. Lewis. You all have done great work, and now I want you 
to do it for cyber security.
    Senator Collins. As do we. But my point is an entirely 
different point, which is looked at putting NCTC in the office 
of the President. That was the recommendation of the 9/11 
Commission. And it was one of the few areas--I can only think 
of three of the dozens of recommendations--where we disagreed 
with the 9/11 Commission and made an informed and considered 
choice to put this center in the Office of the Director of 
National Intelligence (ODNI).
    It was the right decision. It has been judged as a success by 
virtually everyone. And I think we have to be really careful 
about creating a new office, as Senator Carper had suggested, 
within the office of the President for fear that we are going 
to diminish our ability to exercise congressional oversight. We 
cannot call the czars or the heads of offices within the 
Executive Office of the President before this Committee. We 
cannot. We have very little say over their budget.
    So I think we have to proceed carefully. That is not to say 
that we are looking at DHS, as you implied, to make decisions 
on declaring war. Obviously, that is not the case. That, 
obviously, is something that the President would do with 
congressional input, of course. But I think we have to proceed 
carefully here to make sure that we do not create a whole new 
round of turf battles, inadequate congressional oversight, and 
unclear lines of authority.
    So I think we need, definitely, to strengthen cyber 
security, and the question before this Committee is how best to 
do that. And I believe that DHS is the logical agency, given 
how much of cyber security is in the private sector, to 
coordinate that role. That does not mean diminishing the role 
of NSA or the Department of Defense. Those have vital roles, 
and the FBI, as well. But this is something that I think is 
going to be the subject of a lot of debate.
    So, Mr. Chairman, I thank you for allowing me to have some 
final comments on this important issue. And congratulations on 
being the acting Chairman.
    Senator Burris. Thank you, Madam Ranking Member.
    Just before we adjourn this hearing, I just want to throw 
out something to this distinguished panel, because I am an old 
bank examiner, I am an old auditor. And I wondered if we could 
not come up with the old system of having two sets of books.
    Remember that? I am just wondering if we could not have two 
sets of computer systems. We will let them hack into one system 
and get all the information they want.
    Has that been processed or brought up?
    Mr. Lewis. It is an interesting question, and it has come 
up several times in the past. Physically, it is probably not 
possible.
    Senator Burris. It is not possible. OK.
    Mr. Lewis. No. But, virtually, meaning you could have two 
different systems running on the same infrastructure, people 
are looking at that. It may not be possible, but it is 
certainly an idea that is in discussion now.
    Senator Burris. Well, at least I am on time.
    Senator Collins. Thank you.
    Senator Burris. Thank you, Madam Chairman.
    We want to thank the panel. And as you heard Chairman 
Lieberman say, I am pretty sure with your expertise, you will 
be back.
    So we will let the witnesses know that the record will be 
open for 15 days in case witnesses or senators have additional 
questions or statements.
    Last, I would like to say, at this time, the hearing is 
adjourned.
    [Whereupon, at 11:55 a.m., the Committee was adjourned.]

 
       CYBER ATTACKS: PROTECTING INDUSTRY AGAINST GROWING THREATS

                              ----------                              


                       MONDAY, SEPTEMBER 14, 2009

                                     U.S. Senate,  
                       Committee on Homeland Security and  
                                      Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:04 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman and Collins.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. Good morning, and welcome to this 
hearing, and thanks to our distinguished panel of witnesses and 
to all who are here this morning.
    There is an old familiar saying that, ``No good deed goes 
unpunished.'' The modern technological corollary of that could 
be, ``No good invention goes unexploited for bad purposes.''
    And so, as we will discuss this morning, it is in the world 
of cyberspace, as enemies and criminals have used its 
increasingly dominant role in our lives to attack our 
businesses and our Federal, State, and local governments--
indeed, in some senses to threaten the continuity of our 
society, at its worst.
    It was only 40 years ago that the first two computers were 
connected into what is now the Internet. Now nearly the entire 
world is online. The Internet has led to a wonderful revolution 
in commerce, communications, entertainment, and finance that 
has added greater efficiency, productivity, convenience, and 
even pleasure to our lives and our enterprises.
    But, again, it seems that no good invention goes 
unexploited for bad purposes. And that successful computer 
experiment 40 years ago that gave us this remarkably 
interconnected world has also given us a global wave of cyber 
crime that threatens our national security, our economic 
security, and in some direct senses the well-being of 
individual companies and individual Americans.
    In a hearing last April, this Committee examined in detail 
the threats to national security brought on by terrorists, 
nation-states, common hackers, and cyber criminals.
    We learned a lot at that hearing, for instance, that 
computers containing information on the joint strike fighter 
plane and on our electrical grid have been compromised, 
possibly giving our enemies information that could make our 
fighter planes more vulnerable and, at worst, plunge large 
sections of our society into darkness.
    Today, we are going to focus on a new wave of cyber crime 
in the private sector that is hitting businesses of all sizes 
across our country and ask the question: What can be done by 
the public and private sectors to make commercial cyberspace 
more secure, especially for organizations that cannot afford to 
have large information technology (IT) staffs on the job 24/7? 
And this is where I am grateful to the witnesses for being 
here.
    We will hear first from two witnesses from the private 
sector who will describe how real a problem cyber crime is and 
what the private sector is doing and can do about it, and then 
two witnesses from the Federal Government who will testify to 
what the public sector is doing and what more it can do about 
this problem.
    Just to validate the reality of it, in one particular 
example that now is familiar to those who follow this issue, 
cyber criminals operating out of Eastern Europe stole millions 
of dollars from businesses and local governments by first 
sending a seemingly innocuous e-mail to an unsuspecting company 
comptroller or treasurer. The message contained either a virus 
or an Internet link that installs a tiny piece of computer code 
designed to steal passwords.
    Then, using those passwords to gain entry to accounts, the 
crooks patiently siphon off amounts of money, and they are 
clever enough, often, to take them in amounts of less than 
$10,000, thus avoiding triggering a bank report under Federal 
anti-money-laundering requirements. Their methods are so 
sophisticated that the traffic often seems to be coming from an 
authorized computer--which could be a legitimate computer that 
has been commandeered by the cyber criminal--so the bank or the 
other financial institution does not really know that anything 
is amiss.
    The money is then transferred to ``money mules.'' It is 
amazing how that term ``mules'' turns up in a lot of our 
investigatory work here, including people who carry drugs or 
weapons across the border in different directions between the 
U.S. and Mexico. But these money mules are people recruited 
to set up bank accounts the stolen money can be transferred to 
and who then forward the money to the cyber criminals. Some of 
these people may not even be aware that they are taking part in 
a crime. They are often recruited to become ``local agents'' 
handling cash transfers for what they believe to be a 
legitimate company.
    The cyber gangs find these people over Internet job boards 
by advertising the chance to ``make money from home'' or by 
contacting people directly who have posted resumes on a 
legitimate job service. Once the money shows up in the accounts 
the mules have set up, they are given instructions on how to 
wire it to other accounts which are controlled by the cyber 
criminals.
    Using this basic approach, we know that cyber criminals 
have stolen an awful lot of money, in cases we know $700,000 
from a school district near Pittsburgh; at least $100,000 from 
a bank account of an electronics testing firm in Baton Rouge, 
Louisiana; and approximately $1.2 million from a Texas 
manufacturer. These, of course, are only a few examples of what 
I think can now accurately be described as a cyber crime wave.
    In 2007, TJX Corporation--the parent company of T.J. Maxx 
and Marshall's--experienced a breach in its wireless networks 
during which up to 94 million credit and debit card numbers 
were put at risk of being used illegally.
    In 2008, the Heartland Payment Systems--whose CEO, Robert 
Carr, is before us today--was targeted by hackers in an attack 
that compromised at least 130 million credit card accounts.
    These are just the large intrusions we know about. A lot of 
these cyber attacks, from what I have learned, go undetected or 
unreported because the victims are frightened to report them, 
either for reasons of security or because they have been 
threatened, or, frankly, because they do not want it known that 
it happened.
    This is a real problem that we have to work together to 
stop. Forty years ago, as I said at the outset of my statement, 
the Internet was a tiny island of interconnected university 
computers that was still just an interesting academic 
experiment.
    Today the Internet is a vast global system--a kind of new 
strategic high ground that we call ``cyberspace''--that we 
really must work together to secure just as any military 
commander would seize and attempt to secure the high ground of 
any battlefield on which they were engaged.
    But securing cyberspace is in some senses more complicated, 
though not, at this moment at least, as physically dangerous to 
do since the Internet is so, by definition, limitless, 
certainly in space, and thus, security cannot be achieved by 
the government or the private sector acting alone, and in some 
senses it cannot be achieved easily by either or both acting 
together. But we have to figure out how to do better at this.
    A public-private partnership to defend the integrity of 
cyberspace is now urgently essential. Together, business, 
government, and law enforcement throughout the world must come 
together to deter these attacks and bring these criminals to 
justice.
    Our Committee is working on legislation to help to make 
this so, particularly to further define and strengthen the role 
of the Department of Homeland Security (DHS)--which, of course, 
is the central jurisdiction of the homeland security part of 
our Committee--to strengthen the role of DHS in protecting all 
of us in cyberspace. That is why I look forward to this hearing 
this morning as a way to help educate the Committee on how best 
we can produce legislation that will really have the desired 
effect.
    As always, it has been a pleasure to work with the Ranking 
Member of this Committee, Senator Susan Collins of Maine, and I 
call on her now.

              OPENING STATEMENT OF SENATOR COLLINS

    Senator Collins. Thank you, Mr. Chairman.
    Mr. Chairman, as you indicated, we are living in a wondrous 
new age of global information, an era that is being shaped by 
digital technology, consumer demand, and amazing innovation.
    It truly is a remarkable time. Today, without thinking much 
about it, we send pictures, words, and video over the Web in a 
matter of seconds. We have immediate, 24/7 access to each 
other, texting and talking over affordable wireless devices. 
Technology is transforming our culture, our economy, and our 
world.
    While we enjoy its many benefits, and most people cannot 
imagine life without computer technology, we must also be aware 
of the risks and dangers posed by this new world.
    As the Chairman has pointed out, for every communications 
advance, there is also the risk--indeed, almost the 
inevitability--that the technology will be misused and 
exploited. Indeed, experts estimate that cyber crime has cost 
our national economy nearly $8 billion in losses.
    Protecting our cyberspace has become critically important. 
In the past 18 months, this Committee has held three hearings 
on the topic of cyber security. Each time, we confronted a new 
line of cyber crime or cyber attacks.
    Newspaper headlines paint a troubling picture of the state 
of information technology security in this country. This past 
Friday, computer hacker Albert Gonzalez pleaded guilty to 
charges stemming from the theft of tens of millions of credit 
and debit card numbers from the computers of several major 
retailers, including T.J. Maxx, Marshall's, and Barnes & Noble.
    According to authorities, this may not have been his only 
major cyber crime. In August, he was indicted for his alleged 
involvement in the largest credit and debit card data breach 
ever in our country. Data relating to more than 130 million 
credit and debit cards were stolen from a number of 
corporations, including Hannaford Brothers--a Maine-based 
supermarket chain--and Heartland Payment Systems, whose CEO is 
testifying before us today.
    In July, the U.S. and South Korea endured a sizable denial 
of service attack against both government and privately owned 
systems. The attack--launched by an unknown attacker--used a 
massive ``bot-net'' of hijacked computers to disrupt six 
Federal agencies, the Washington Post, Nasdaq, and other 
targets.
    Most recently, there has been a significant increase in 
organized cyber gangs stealing money from small and mid-sized 
companies. The Financial Crimes Enforcement Network reports 
that wire transfer fraud rose 58 percent in 2008, with 
businesses generally forced to swallow substantial losses that 
they can ill afford in the current economy.
    Like the Chairman, I am particularly concerned about the 
impact of cyber crime on our small businesses that do not have 
the armies of technology security experts available to them 
that a large corporation may have.
    These incidents--coupled with the attacks and crimes that 
we have discussed in our past hearings--should prompt the 
Federal Government to get organized and to make cyber security 
a high priority. Thankfully, there has not yet been a ``cyber 
9/11,'' but information technology vulnerabilities are 
regularly exploited to steal billions of dollars, disrupt 
government and business operations, and engage in acts of 
espionage, including the theft of business, personal, and 
government data. These incidents can be devastating to our 
national security, erode our economic foundations, and ruin 
personal lives.
    We are awash in recommendations on how to better secure our 
information infrastructure. The Center for Strategic and 
International Studies (CSIS), the 60-Day White House Cyberspace 
Policy Review, and numerous academics and industry stakeholders 
have suggested numerous ways to improve cyber security. As 
these latest incidents underscore, however, the time has come 
for the government to move from simply planning and studying 
reports to taking effective action.
    Comprehensive cyber security legislation must be a high 
priority for this Congress, and I know that it is a high 
priority for the Chairman and for me. The Department of 
Homeland Security is designated as the lead agency for cyber 
security, but we must ensure that it has more authority to 
effectively carry out its mission, and the Chairman and I are 
working on legislation that will do just that.
    A couple of important points that we should be undertaking 
right now: We need to improve information sharing between the 
Federal Government and the private sector. After all, 85 
percent of critical infrastructure is privately owned.
    Second, if we encourage the adoption of best practices and 
standards across the government, and if we encourage, through 
using our procurement power, computer manufacturers to build 
better security into their products, that will benefit the 
private sector as well, because the government is such a large 
buyer.
    I look forward to discussing how we can strengthen that 
public-private partnership to ensure the security of this vital 
engine of our economy. Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Collins, for that 
excellent statement. Again, thanks to the witnesses. Normally, 
Mr. Carr, we begin hearings of this kind with the governmental 
witnesses. I appreciate the cooperation of the governmental 
witnesses. We thought in telling this story it would be a good 
idea to start with a particular case--Heartland Payment 
Systems--and what the private sector is doing now, and then 
invite Mr. Merritt and Mr. Reitinger to respond.
    So our first witness is Robert Carr, Chairman and Chief 
Executive Officer of Heartland Payment Systems, Inc. Thanks for 
being here, and please proceed with your statement.

 TESTIMONY OF ROBERT O. CARR,\1\ CHAIRMAN AND CHIEF EXECUTIVE 
            OFFICER, HEARTLAND PAYMENT SYSTEMS, INC.

    Mr. Carr. Thank you, Senator. Good morning, Chairman 
Lieberman and Ranking Member Collins. My name is Bob Carr, and 
I am the Chairman and CEO of Heartland.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Carr appears in the Appendix on 
page 153.
---------------------------------------------------------------------------
    Let me begin by thanking the Committee for this opportunity 
to appear today to share our lessons learned. I will talk about 
the steps we have taken and what more can and should be done to 
better protect our customers and the public from criminal 
hackers.
    Our primary business is to provide payment card processing 
services to merchants. This involves facilitating the exchange 
of information and funding between merchants and cardholders' 
issuing banks. Heartland provides full-service electronic 
payment processing services for merchants, including clearing 
and settlement, merchant accounting, and support and risk 
management.
    When a consumer's card is swiped at one of our merchants, 
we forward the authorization request through the card brand, 
such as Visa or MasterCard, to the issuing bank. We then send 
approval back to the merchant, allowing the purchase to be 
made. We receive payment from the issuer, pass it on to the 
merchant, and provide statements and accounting to the 
merchant. It is important to note that in the course of our 
payment processing business we do not receive cardholder Social 
Security numbers, addresses, or unencrypted personal 
identification number data.
    We were founded in 1997, and have since grown from 25 
employees to over 3,100 employees. As of December 31, 2008, we 
provided our bank card processing services to approximately 
230,000 merchant locations in America. Our total bank card 
volume last year was almost $67 billion.
    On January 20, 2009, we announced the discovery of a 
criminal breach of our payment systems environment. This attack 
involved malicious software. The malware appears to have 
allowed criminal access to in-transit payment card data during 
the transaction authorization process. This data is not 
required to be encrypted while in transit under current payment 
card industry guidelines.
    We were pleased to hear the recent news about law 
enforcement's efforts to investigate and prosecute the 
individuals who make up the criminal syndicate that law 
enforcement believes is responsible for the Heartland breach 
and others like it. Albert Gonzalez, the alleged mastermind of 
attacks on TJX and other retailers, including Barnes & Noble, 
Office Max, and Dave & Buster's, has pled guilty to charges in 
a 19-count indictment. The charges include conspiracy, wire 
fraud, and aggravated identity theft. Mr. Gonzalez is also 
accused of having hacked into our system, as well as that of 
Hannaford Brothers, ATMs stationed at 7-Elevens, and two other 
national retailers. It is reported that he was part of a team 
with Eastern European criminals who have attacked a variety of 
U.S. companies. We appreciate the efforts law enforcement is 
making to stop these attacks and bring these criminals to 
justice.
    This has been a difficult experience for me and the 
company. We have taken a financial charge of approximately $32 
million just in the first 6 months of the year on forensics, 
legal work, and other related efforts. Unfortunately, the 
company is involved in inquiries, investigations, and 
litigation so I cannot address in more detail the specifics of 
the intrusion. But I now know that this industry needs to, and 
can, do more to be better protected against the ever more 
sophisticated methods used by these cyber criminals. I want to 
provide the Committee with some additional information about 
what Heartland is working on to try and prevent such intrusions 
in the future.
    Let me note two key areas where Heartland is hard at work 
to enhance payment industry security.
    First, industry and government can be better coordinated. 
The Financial Services Information Sharing Council and Analysis 
Center (FS-ISAC), led by Mr. Nelson, has been a great resource 
to a broad range of financial services companies facing cyber 
threats. However, we could benefit from greater focus on the 
payment processing industry. To address the needs of payment 
processors, we recently formed, within the FS-ISAC, the 
Payments Processing Information Sharing Council (PPISC). The 
PPISC provides a forum for sharing information about fraud, 
threats, vulnerabilities, risk mitigation, and best practices.
    At the PPISC, we shared with the payment industry members 
the malware that we discovered had been used to victimize our 
company. We did this once I learned that criminals were using 
this malware to attack the entire industry. I believe that by 
sharing this with others, including our industry competitors, 
we can better respond to very organized attackers.
    Second, as reflected in the indictments of Mr. Gonzalez, a 
modus operandi frequently used by these attackers is to attempt 
to steal payment card data while it is being transferred in the 
clear--meaning it was not encrypted at the time. It is clear to 
me that we can address this vulnerability, and our internal 
technology team is now developing a possible solution we call 
E3, or ``end-to-end encryption.'' I believe it is critical we 
implement new technology, not just at Heartland but industry-
wide. We, at Heartland, believe we are taking the necessary 
steps to do that.
    Heartland is working to deploy E3 to render data unreadable 
to outsiders from the point of card swipe. We plan to use 
special point-of-sale terminals, with tamper-resistant security 
modules to protect cryptographic secrets. We also plan to use 
special tools in our processing network, hardware security 
modules, to protect the cryptography associated with the card 
data.
    Our goal is to completely remove payment account numbers of 
credit and debit cards and magnetic stripe data so that they 
are never accessible in a usable format in the merchant or 
processor systems. This includes expiration date, service code, 
and other data. We are taking the necessary steps to implement 
this E3 solution, and I want to let the Committee know where 
our efforts stand.
    First, we are working with various suppliers on the 
technology to make E3 a reality and more ubiquitous. We are 
hopeful these efforts will minimize the costs to merchants 
while not inconveniencing cardholders. This is critical to a 
more secure payment processing system. We are seeking partners 
who will not use encryption as an opportunity to unduly profit 
at our expense or the expense of our merchant customers.
    Second, we believe this potential solution needs to be 
implemented on an industry-wide basis. We have been working 
with the Accredited Standards Committee X9 to seek adoption of 
a new standard to protect cardholder data in the electronic 
payments industry so all users can benefit from it. Ultimately, 
the Payment Card Industry Security Council must approve this 
standard, and we are hopeful it will do so.
    Third, once the standards are established, we will need the 
card brands and other financial institutions to cooperate and 
be willing to implement on their side the encryption system our 
merchants are willing to use. We have been meeting with the 
card brands, and we hope we will be able to make progress on 
adoption by the card brands. However, without the cooperation 
of all of the card brands, some of the encrypted data would 
have to be decrypted--and thereby rendered less secure--prior 
to transmission to the card brands and their issuing banks. I 
am hopeful that each of the card brands will ultimately accept 
encrypted transactions from all payment processors.
    We are working on these solutions, both technological and 
cooperative, because I don't want anyone else in our industry 
or our customers or their customers--the consumers--to fall 
victim to these cyber criminals. The attacks we face in this 
country potentially can have substantial consequences, and we 
can learn from our experience. While we cannot eliminate the 
risk, we can make cyber theft more difficult. I look forward to 
continuing to work to beat these criminals and appreciate your 
help as we continue this battle.
    I welcome any questions Members have about my testimony 
today.
    Chairman Lieberman. Thank you, Mr. Carr, for that opening 
statement.
    Now we will hear from William Nelson, who is President and 
Chief Executive Officer of the Financial Services Information 
Sharing and Analysis Center, which I have learned is known 
commonly as FS-ISAC. Thanks, Mr. Nelson. I presume you will 
tell us a little bit about the history of the organization.
    Mr. Nelson. Yes, I will start with that.
    Chairman Lieberman. Go right ahead.

    TESTIMONY OF WILLIAM B. NELSON,\1\ PRESIDENT AND CHIEF 
 EXECUTIVE OFFICER, FINANCIAL SERVICES INFORMATION SHARING AND 
                        ANALYSIS CENTER

    Mr. Nelson. Chairman Lieberman, Ranking Member Collins, my 
name is Bill Nelson, and I am the President and CEO of the FS-
ISAC. I want to thank you for this opportunity to address the 
U.S. Senate Homeland Security and Governmental Affairs 
Committee on this very important issue.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Nelson appears in the Appendix on 
page 160.
---------------------------------------------------------------------------
    The FS-ISAC was formed in 1999 in response to the 1998 
Presidential Decision Directive 63 that called for the public 
and private sector to work together to address cyber threats to 
the Nation's critical infrastructures. After September 11, 
2001, and in response to Homeland Security Presidential 
Directive 7 and the Homeland Security Act, the FS-ISAC expanded 
its role to encompass physical threats to our sector.
    The FS-ISAC is a 501(c)6 nonprofit organization and is 
funded entirely by its membership firms through dues and by 
sponsors. In 2004, there were only 68 members of the FS-ISAC, 
mostly larger financial services organizations. Since that time 
the membership has expanded to over 4,100 organizations, 
including commercial banks and credit unions of all sizes, 
brokerage firms, insurance companies, payments processors, and 
over 40 trade associations representing the majority of the 
U.S. financial services sector.
    The FS-ISAC works closely with various government agencies, 
including the U.S. Department of Treasury, the Department of 
Homeland Security, the Federal Reserve; our biggest partner in 
law enforcement, the U.S. Secret Service; the Federal Bureau of 
Investigation (FBI); the National Security Agency (NSA); 
Central Intelligence Agency (CIA); State and local governments; 
and other government organizations.
    The overall objective of the FS-ISAC is to protect the 
financial services sector against cyber and physical threats. 
It acts as a trusted third party that allows members to submit 
threat, vulnerability, and incident information in a trusted 
manner for the good of the financial services sector. I have 
provided a complete list of the FS-ISAC information-sharing 
services and activities in the written testimony. I would, 
however, like to mention six of them to give you an idea of how 
the FS-ISAC meets the information-sharing needs of its members.
    First and foremost, we provide delivery of timely, 
relevant, and actionable cyber and physical e-mail alerts from 
various sources through our Security Operations Center (SOC). 
This SOC operation is staffed 24/7 in order to keep our 
membership apprised of the latest threats, incidents, and 
vulnerabilities. Obviously, the cyber criminal does not work on 
a 9 to 5 schedule, and we must be constantly vigilant to 
respond to their attacks.
    Second, we have Subject Matter Expert committees consisting 
of volunteers of our member firms. They serve on committees 
that provide in-depth analyses of the risks to the sector and 
recommend mitigation and remediation strategies and tactics.
    Third, member surveys allow members to request information 
regarding security best practices at other organizations. The 
results of these surveys are then shared with the entire 
membership.
    Fourth, we hold regular bi-weekly threat information calls 
for members to discuss the latest threats, vulnerabilities, and 
incidents. And we frequently have guest speakers from 
government, law enforcement--like the U.S. Secret Service--and 
from other sectors that discuss risk-related subjects on these 
calls.
    And, five, we conduct emergency conference calls to share 
information with the membership and solicit input and 
collaboration. Last year, we had three emergency calls related 
to cyber threats and two pertaining to physical incidents.
    And, six, we routinely conduct online presentations and 
have a regional outreach program to educate small to medium-
sized regional financial services firms on threats, risks, and 
best practices.
    A key factor in all of these activities is trust, and the 
FS-ISAC works to facilitate development of trust between its 
members, with other organizations in our sector and with other 
sectors, and with government organizations, particularly the 
law enforcement and intelligence communities.
    Next I would like to briefly mention some of the public-
private sector response to the cyber crime issue. We have been 
working with law enforcement, financial regulators, and our 
members, and we do recognize the criminal threat to both 
affected institutions and to consumer confidence, in 
particular, posed by these activities, and we are taking steps 
to address areas of concern.
    I think the U.S. Secret Service commitment to the financial 
services sector has been tremendous. They provide classified 
briefings for us, and they actually have an assigned full-time 
employee to our sector.
    Another example of a successful instance of government-
financial services sector information sharing occurred on 
October 24 of this year when the FBI, FS-ISAC, and the National 
Automated Clearinghouse Association (NACHA)--a rulemaking body 
for the Automated Clearinghouse Network--in case you do not 
know what that is, if you have direct deposit, you participate 
in the Automated Clearinghouse Network (ACH). We released a 
joint bulletin concerning account takeover activities targeting 
business and corporate customers. And, Senator Lieberman, you 
got a lot of your information, I think, from that bulletin or 
from the Washington Post that got a hold of it.
    The bulletin described the methods and tools employed in 
recent fraud activities against small to medium-sized 
businesses that have been reported to the FBI. FS-ISAC and 
NACHA subject matter expertise was applied to that FBI case 
information to identify the detailed threat detection and risk 
mitigation strategies for financial institutions and their 
business customers. At the same time, we preserved the ongoing 
integrity of those investigations.
    The bulletin was distributed to the FS-ISAC, to its over 
4,100 members and its 40 member associations, so we think we 
were able to reach tens of thousands of financial institutions. 
So we are pretty sure that the bulletin ultimately reached 
nearly every financial institution in the United States.
    The FS-ISAC and NACHA developed a comprehensive list of 
recommendations to financial institutions to educate their 
business customers on the need to use online banking services 
in a secure manner. As a result of this bulletin, financial 
services firms and their business and corporate customers have 
become more aware of some of the online risks facing them and 
how to detect malicious and criminal activities.
    The FS-ISAC also works closely with other key financial 
services industry groups to protect the industry and its 
customers against cyber threats. My written testimony details 
some of these efforts, but I would like to mention one in 
particular. This year, the American Bankers Association, the 
FS-ISAC, and the Financial Services Roundtable worked with the 
Federal Government's General Services Administration (GSA), the 
Internal Revenue Service (IRS), and the Social Security 
Administration (SSA) to develop a proposal for better ID 
assurance for online e-Government applications. The goal of 
this effort is to leverage the ``Know Your Customer'' 
requirements that banks, credit unions, and other financial 
services firms employ for ID proofing and turn that into a 
higher level of assurance for access to online government 
applications. The project is right now in its proposal phase at 
present and still requires a funding commitment and more 
definition around the business model and system architecture. 
However, it is a great example of how the public and private 
sector cooperation is beginning to progress in this important 
area of online ID assurance.
    From a regulatory perspective, financial regulators are 
actively involved in developing regulations and supervisory 
guidance and conducting focused examinations of information 
security, vendor management, and business continuity controls 
at financial institutions and major service providers. There 
are nearly a dozen booklets covering these key cyber security 
and business continuity issues in the Federal Financial 
Institutions Examination Council (FFIEC) handbook.
    For the last part of my testimony, I would like to cover 
six broad recommendations. One is the need to improve cyber 
crime law enforcement. I think our partners in the United 
States are doing a great job--the U.S. Secret Service, FBI, and 
others--but there needs to be better international 
collaboration in particular regarding investigations and 
prosecutions. Law enforcement in many cases knows the threat 
actors, but in some countries, the governments and law 
enforcement in those countries often protect the cyber 
criminal.
    Another area is that private sector firms report that some 
local law enforcement agencies require minimum thresholds 
before they will take the case. However, evidence indicates 
that most of these types of attacks are directed at many firms 
and their customers so the cumulative dollar value of the crime 
committed may be many times the threshold that has been 
established. I think there needs to be improved communication 
at the local level between financial services firms and their 
cyber crime law enforcement contacts and an understanding of 
how to report these crimes so that action can be taken.
    I would support Mr. Carr's recommendation also that there 
needs to be stronger authentication and encryption. Financial 
services firms, processors and regulators need to encourage 
smart use of encryption and stronger authentication.
    We also need to improve financial institution information 
security programs through a flexible and dynamic approach to 
cyber security.
    And the fourth recommendation I came up with in the 
testimony is to improve the public-private sector 
collaboration. We need to expand information sharing between 
government agencies and the financial services industry. As 
part of that, we also need to improve the Internet 
infrastructure and use Federal procurement power to improve the 
security of software and hardware and services. We would 
support the recommendation that Ranking Member Collins and 
Senator Lieberman have come up with.
    And last is education. There needs to be more public-
private sector collaboration to support educational efforts to 
increase consumer and business awareness of cyber threats and 
risk mitigation best practices.
    In conclusion, industry, law enforcement, regulators, and 
DHS have responded to cyber crime threats against financial 
services firms and businesses and consumers, but more work 
needs to be done, and we look forward to making continued 
progress against cyber threats to our Nation. Thank you.
    Chairman Lieberman. Thanks, Mr. Nelson. Just a point of 
clarification. When you referred through your statement to 
physical threats as well as cyber threats as a focus of your 
organization, I think I know what you meant, but why don't you 
clarify it for us?
    Mr. Nelson. Yes. During Hurricanes Ike and Katrina, we 
stood up operations to be responsive to our sector to make sure 
they were aware of what was happening. We got really good 
reports from DHS about where power outages were likely to 
occur. In fact, they have a great predictive model for that.
    We were able to provide information through some of the 
credit card processors of where merchants were actually 
processing transactions, so we knew where food transactions, 
medicine, building supplies, and other types of key critical 
information, where those transactions were processed. We 
directed that to DHS and to other sources so they could 
allocate resources and send people in the right place to get 
what they needed.
    Chairman Lieberman. That is physical threat from a natural 
disaster. Do you also include in the category of physical 
threat protection of physical financial services information 
from physical terrorist attacks, not cyber attacks?
    Mr. Nelson. Yes, we also prepare for physical terrorism. We 
have services that were actually purchased for that, too. If 
there is a physical attack, let us say, in London--the 
underground bombings from a few years ago, we did report that. 
The Mumbai attacks, we reported that within 15 minutes of them 
occurring. We did not know exactly what was happening, but we 
did push that information out immediately. So we did report on 
that.
    Chairman Lieberman. I will leave this in a minute, but what 
about actually working with the financial institution? A while 
ago there was a lot of concern post-September 11, 2001, that 
there might be an actual physical attack on Wall Street to 
create the obvious disruption that would exist. Is that 
something you get involved in? For instance, with an explosive, 
a suicide bomb, something of that kind.
    Mr. Nelson. Yes, we would. If there is any intelligence 
about that potentially occurring, we may get that from the 
intelligence community. We have over 150 people in our sector 
cleared for secret clearance, and, actually, we are looking at 
adding more for top secret clearance. So if there is some 
threat intelligence about a potential physical threat, we do 
pass that on. And if the attack does occur, we report that. And 
we have a Business Resilience Committee that works on that.
    Chairman Lieberman. How about preventively or proactively? 
Are you working with member organizations to encourage them or 
assist them in protecting themselves from physical attack of 
that kind?
    Mr. Nelson. Yes, we do. We get reports, for instance, some 
of these--the protester threat, for instance, recently. There 
is a G-20 meeting coming up in Pittsburgh. We have put out a 
number of reports on that from a source that we have, an 
international source that we got information on it, the type of 
threat actors that may appear at it--some of them actually 
fairly dangerous. They are not all sitting there with non-
violent type protests.
    Chairman Lieberman. Right.
    Mr. Nelson. There have been violent attacks in some of 
these cases. So we have been able to report on that and provide 
best practices on how to deal with it.
    Chairman Lieberman. OK. Thanks. We will come back to that.
    Michael Merritt is next, Assistant Director, Office of 
Investigations, U.S. Secret Service, which is now part of the 
Department of Homeland Security. Again, thanks for being here, 
Mr. Merritt. Thanks for what you do every day. I hope you will 
begin by explaining to anybody who is watching this why the 
Secret Service is involved in this field since generally the 
public sees you almost exclusively as protecting presidents, 
vice presidents, and other public officials.

TESTIMONY OF MICHAEL P. MERRITT,\1\ ASSISTANT DIRECTOR, OFFICE 
  OF INVESTIGATIONS, U.S. SECRET SERVICE, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Merritt. I would be happy to. Good morning. Chairman 
Lieberman, Ranking Member Collins. Thank you for the 
opportunity to address this Committee on the Secret Service's 
role in investigating cyber and computer-related crimes.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Merritt appears in the Appendix 
on page 174.
---------------------------------------------------------------------------
    While the Secret Service is perhaps best known for 
protecting our Nation's leaders, we were established in 1865 to 
investigate and prevent the counterfeiting of U.S. currency. As 
the original guardian of the Nation's financial payment system, 
the Secret Service has established a long history of protecting 
American consumers, industries, and financial institutions from 
fraud. Over the last 144 years, our investigative mission and 
statutory authority have expanded, and today the Secret Service 
is recognized worldwide for our expertise and innovative 
approaches to detecting, investigating, and preventing 
financial fraud.
    In recent years, we have observed a significant increase in 
the quality, quantity, and complexity of cyber cases targeting 
financial institutions in the United States. With the advent of 
technology and the Internet, a transnational ``cyber criminal'' 
has emerged, resulting in a marked increase in cyber and 
computer-related crimes targeting private industry and other 
critical infrastructures. Current trends show an increase in 
network intrusions, hacking attacks, malicious software, and 
account takeovers resulting in data breaches affecting every 
sector of the American economy.
    As the well-trained, well-equipped, and sophisticated cyber 
criminals continue to target the large corporations who have 
historically had more resources and assets in place to protect 
their networks, the less sophisticated cyber criminals continue 
their attacks against the small and medium-sized businesses 
that do not have the expertise in place to protect their data.
    For example, in October 2007, the Secret Service identified 
a complex fraud scheme in which servers owned by a payroll 
company were compromised by a network intrusion. Subsequently, 
four debit card accounts belonging to a small Midwestern bank 
were compromised, distributed via the Internet, and used in a 
coordinated attack resulting in ATM withdrawals in excess of $5 
million. The withdrawals involved 9,000 worldwide transactions 
in less than 2 days, and the small bank had to file for Chapter 
11 bankruptcy protection.
    Following the investigative leads generated in this case, 
we were able to prevent additional losses by notifying victim 
companies of the intrusion and compromise, often before the 
companies became aware of the illicit activity. For example, 
when we discovered that the computer network of a U.S. bank had 
been compromised, our prompt notification enabled the bank to 
significantly reduce its exposure and avoid potential losses 
exceeding $15 million. Based on these investigative efforts, 
the Secret Service identified 15 compromised financial 
institutions, $3 million in losses, 5,000 compromised accounts, 
and prevented more than $20 million in potential losses to U.S. 
financial institutions and consumers.
    While cyber criminals operate in a world without borders, 
the law enforcement community does not. The multi-national, 
multi-jurisdictional nature of these cyber crime cases has 
increased in complexity and, accordingly, increased the time 
and resources needed for successful investigation and 
adjudication. The anonymity, level of collaboration among cyber 
criminals, and transnational nature of these crimes have raised 
both the intricacy of these cases and the level of potential 
harm.
    To face the emerging threats posed by cyber criminals, we 
have adopted an innovative, multi-faceted approach. A central 
component of our capabilities for investigating cyber crime is 
the Electronic Crimes Special Agent Program. Today this program 
is comprised of 1,148 special agents deployed in 98 offices 
throughout the world who have received training in forensic 
identification and the preservation and retrieval of 
electronically stored evidence. They are among the most highly 
trained experts in law enforcement. Additionally, in 
partnership with the Department, the State of Alabama, and the 
Alabama District Attorneys Association, we have established the 
National Computer Forensics Institute. The goal of this 
facility is to provide State and local law enforcement, 
prosecutors, and judges with the necessary training, not only 
to understand cyber crime, but to respond to network intrusion 
incidents and to conduct electronic crime investigations. This 
program has been extremely successful, and since opening in May 
2008, we have provided training to 564 State and local law 
enforcement officials representing over 300 agencies from 49 
States and two U.S. territories.
    As cyber cases continue to increase in size, scope, and 
depth, as an agency we are committed to sharing information and 
resources with our law enforcement partners, academia, and the 
private sector. To accomplish this, we have established 28 
Electronic Crimes Task Forces (ECTFs), including the first 
international task force based in Rome, Italy. Currently, 
membership in our Electronic Crimes Task Forces includes nearly 
300 academic partners, over 2,100 international, domestic, 
Federal, State, and local law enforcement partners, and over 
3,100 private sector partners. These partners, who range in 
scope from companies with less than 20 employees to Fortune 500 
companies, enjoy the resources, expertise, and advanced 
research provided by the Electronic Crimes Task Forces 
international network.
    In addition, the network that has been established by our 
ECTFs was instrumental in making the Secret Service's first 
Global Cyber Security Conference last month a resounding 
success. This 3-day conference was designed to share the latest 
information in investigative techniques used to combat cyber 
crime. The conference was attended by personnel from over 370 
entities representing 11 countries.
    In addition, to coordinate these investigations at the 
headquarters level, we have established the Cyber Intelligence 
Section to collect, analyze, and disseminate data in support of 
our cyber investigations and to generate new leads. The Cyber 
Intelligence Section has been instrumental in our success in 
infiltrating online cyber criminal networks.
    One such infiltration allowed us to initiate and conduct a 
3-year investigation that eventually led to the identification 
and indictment of 11 perpetrators from the United States, 
Eastern Europe, and Asia. This case involved the hacking of 
nine major U.S. retailers and the subsequent theft and sale of 
more than 40 million credit and debit card numbers, commonly 
referred to, as it has been in this forum, as the TJX 
investigation. The total account loss associated with this 
investigation is still being assessed. However, one of the 
corporate victims has already reported expenses of nearly $200 
million resulting from the intrusion.
    As I have highlighted in my statement, the Secret Service 
has implemented a number of initiatives pertaining to cyber and 
computer-related crimes. Responding to the growth in these 
types of crimes and the level of sophistication these criminals 
employ demands an increasing amount of resources and greater 
collaboration. It is not a threat of the future. It is a 
challenge being faced by law enforcement today. Accordingly, we 
dedicate significant resources to increase awareness, educate 
the public, provide training for law enforcement partners, and 
improve investigative techniques. The Secret Service is 
committed to our mission of safeguarding the Nation's critical 
infrastructure and financial payment systems. We will continue 
to aggressively investigate cyber and computer-related crimes 
to protect consumers.
    Chairman Lieberman and Ranking Member Collins, this 
concludes my prepared statement. Thank you again for this 
opportunity to testify on behalf of the U.S. Secret Service, 
and I will be pleased to answer any questions you might have 
during this session.
    Chairman Lieberman. Thanks, Mr. Merritt. I must say I am 
encouraged and impressed by what you have told us about all 
that the Secret Service is doing. It is very good, both the 
outreach here within the country to the private sector and law 
enforcement, but also based on your very accurate statement 
that cyber criminals do not know boundaries but law enforcement 
authorities do; and, therefore, we have to create places and 
perhaps institutions where the good guys can figure out how to 
work across boundaries with the same speed and effect that the 
cyber criminals do. So I look forward to the question period.
    Our final witness on the panel is Philip Reitinger, Deputy 
Under Secretary, National Protection and Programs Directorate 
(NPPD) of the Department of Homeland Security. Mr. Reitinger, 
we welcome you here, and really welcome you to the Department 
generally, with a lot of enthusiasm and high expectations. The 
Department was created out of legislation from this Committee. 
We follow it closely. We feel good about a lot of the progress 
being made in the Department. I personally give the Department 
some good share of the credit for the fact that we have not 
suffered another major terrorist attack since September 11, 
2001.
    But it is my conclusion also--and I am not alone--that in 
this particular area of cyber security, the Department has not 
moved as quickly and as effectively as it should have. So your 
coming to this position is very important to a lot of us. 
Everything we know about you says you have the credentials and 
experience to do the job. So do not screw up. [Laughter.]
    Chairman Lieberman. Go ahead, Mr. Reitinger.

 TESTIMONY OF PHILIP R. REITINGER,\1\ DEPUTY UNDER SECRETARY, 
 NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT 
                      OF HOMELAND SECURITY

    Mr. Reitinger. Thank you, Chairman Lieberman, Ranking 
Member Collins. It is indeed my commitment not to screw up.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Reitinger appears in the Appendix 
on page 183.
---------------------------------------------------------------------------
    It is an honor to be here today to talk with the Committee. 
This is my first opportunity to appear before Congress to 
testify specifically on cyber-related issues, and I am very 
pleased to be here today to do so.
    I would like to start with the threat, if I might. I think 
the Committee, the panel, and the audience know that we are 
dealing with an increasingly dynamic and threatening 
environment in many ways. Hacker skill is rising across the 
board. Not only are the best hackers becoming better and 
better; ``script kiddies,'' as we used to call them during my 
law enforcement days, increasingly have more and more 
sophisticated tools so that they can wreak a high degree of 
damage without even knowing too much about what they are doing. 
And relevant to the topic of information sharing, hackers in 
some ways remain better at information sharing than we, in 
government, have been. So that is an area of growth for us.
    There is the general movement toward targeted attacks. Back 
when I first got involved in this game, if you will, back in 
the 1990s, as a line cyber prosecutor in the Computer Crime and 
Intellectual Property Section at the Department of Justice 
(DOJ), hackers mostly were doing things like tearing down Web 
pages and putting up pictures on the DOJ Web page of a Nazi 
symbol and those sorts of things that were annoying, but more 
annoying than anything else. And then we went through the 
period of worms where mass disruption took place, but perhaps 
little lasting damage.
    That is not the world we are in anymore. Hackers are after 
information of value and actual money, as today's panel 
indicates, and they are increasingly targeting attacks for the 
places where they can get value. And that makes things more 
risky.
    There are other elements of our risk profile that are 
continuing to go up and over which we have little control. I 
call them connectivity, complexity, and criticality.
    Connectivity: We are increasingly connecting all of our 
systems in more and more different ways, so everybody has 
always-on, high-bandwidth connections, and there are 
increasingly international connections, and we are building up 
this vast network that makes us all able to do more but, as the 
Chairman indicated in his opening remarks, also makes us more 
vulnerable.
    Complexity: We are connecting more and more devices, from 
smart phones to embedded devices; TVs are connected to the 
Internet now. And as we put all of these different devices 
together, running many different types of software, the mere 
complexity of the ecosystem makes it harder and harder to 
secure.
    Last, criticality: We depend on this network of networks 
and the machines that are connected to it every day, not only 
to play, to do things like social networking, but for the basic 
functions of our government and economy. And that imposes upon 
us a need not to stand still.
    I do believe over the last 10 years we have made progress, 
but we have not made enough. We have to make more. And as the 
Cyberspace Policy Review indicated, the status quo is simply 
not sufficient. We all need to work together in even stronger 
partnership to address the growing threats that we face and, to 
echo another of the Chairman's comments, to do so at Internet 
speed, not just in law enforcement, although working at 
Internet speed in law enforcement is a significant problem.
    When I was at the Computer Crime and Intellectual Property 
Section, one of the things we did was work on negotiating the 
Council of Europe Cyber Crime Convention. That was a first 
step, but we need to go further to build the law enforcement 
and specifically the operational relationships that are 
international and will allow us to respond effectively.
    I would like to highlight a couple of the things that we 
are doing specifically around partnerships within DHS to 
address this.
    First, it is critically important that we continue to build 
partnership across government. This is another area where I 
think we have been effective but can grow more effective. I 
well remember the very first hacker case that I did when I 
first joined the Computer Crime Section back in the 1990s. I 
was a DOJ prosecutor, and it was investigated by the Secret 
Service. So that was then a Department of Treasury-Department 
of Justice collaboration. We started there. We have continued 
to grow, and we are in a place now where people have come into 
positions across the Federal Government. I think we have put a 
strong team together not only in DHS but in multiple government 
agencies so that we can work very effectively together.
    In DHS, we are working very hard to continue to up our game 
and build our capabilities. I am perhaps most focused on the 
people part of this because I am a big believer that 
organizations fail or succeed based on the people that they 
have. I have some great people and an awesome team, but I do 
not have enough of them. I am in the process of trying to grow 
the National Cyber Security Division. It now has about 111 
people on board as of last week, and we want to grow it to 260 
people next year. So that is a heavy lift in government, but we 
are committed to doing our best to fulfill it.
    We also need to continue to work better and faster and more 
effectively with the private sector. I have seen this from both 
sides. I started in the Department of Justice. I worked for the 
Department of Defense. I spent about 6 years in the private 
sector where I had the honor of being the President of the 
Information Technology Information Sharing and Analysis Center 
(IT-ISAC), a companion organization to the FS-ISAC, before I 
joined DHS again earlier this year. And I have seen incredible 
commitment from people in both the private sector and public 
sector. I believe we have a real opportunity here. And we have 
built partnerships, but there is a lot more to do.
    In particular, we have built the ways to work together. We 
have built the framework to work together. Now we need to drive 
toward outcomes. We need to worry less about having a 
partnership and more about what we can achieve with the 
partnership. So let me highlight a few quick examples of some 
of the things that I think we need to focus on for the coming 
few months.
    The first is the National Cyber Incident Response Plan. 
This was called for in the President's Cyberspace Policy 
Review. It may sound kind of highfalutin' and sort of meta, but 
it is actually not. The idea is that we need, if something bad 
happens, a mechanism, a very actionable way for all of the 
relevant government agencies and all of the different entities 
across the private sector to come together as one Nation--not 
one government, not one sector, but one Nation to respond to 
the incident. And we kicked off that process as called for in 
the Cyberspace Policy Review. It is a broad process, and we are 
doing this differently than is the traditional government 
process.
    The traditional process is you get together, you talk and 
talk and talk, and when it is 99 percent done, you go to the 
private sector, and you say, ``What do you think about it?'' Or 
maybe when it is 100 percent done, you ask them for comments. 
We are not doing that. We have invited the private sector to 
the table at the very start so that they can help build the 
foundations of that plan.
    Associated with it is the second thing. The private sector 
has recommended to us for some time that we need to integrate 
our cyber and communications watch capabilities so we can work 
together effectively. We are doing that. We are moving towards 
an integrated watch floor that will combine DHS's different 
cyber watch centers, like the National Coordinating Center 
(NCC), which is focused on telecommunications; U.S. Computer 
Emergency Readiness Team (US-CERT), which is focused on IT; and 
the National Cyber Security Center, which is focused across 
government, will be collocated at the same site and able to 
work together effectively across government and with the 
private sector, growing our relationship with the private 
sector and with State, local, tribal, and territorial 
governments, so we have the organizational mechanisms, 
partnerships, and trusted relationships to let us implement 
that Cyber Incident Response Plan process and also work 
together more actively to mitigate incidents before they become 
full-blown incidents. We are going to test those processes next 
year as they get developed in the Cyber Storm II exercise 
currently scheduled for September 2010.
    We will also be in the process over the next year of 
launching a new and more significant national awareness 
campaign. We know mostly how to protect systems. Technology is 
not the barrier. What we need is to get the word out there and 
to raise the awareness, among other things, of end users and 
some of these small and local businesses, of how they can 
protect themselves, the simple steps that they can take, and 
what the threat looks like. So we are committed to doing that.
    I am going to drop a quick footnote that the two private 
sector members of the panel early on noted the importance of 
authentication. I would emphasize that we need to do that. The 
President's Cyberspace Policy Review called for the creation of 
a Cyber Identity Management Strategy. There is little that we 
could do that would be more effective to help people protect 
themselves than to implement strong authentication mechanisms 
that are available for people's use with privacy built in from 
the very start. That would enable much better self-protection.
    In conclusion, I would say that I think we are at a moment 
in time when we can really make a difference. We have the right 
focus across government and with the private sector. We have 
leadership commitment from the President, and certainly from my 
secretary and deputy secretary, and the right people coming 
into key positions in the private sector. I think we can make a 
real difference as a community.
    With that, I look forward to your questions. Thank you.
    Chairman Lieberman. Thanks very much, Mr. Reitinger. I 
appreciate both the substance and the spirit of your opening 
statement.
    Let us start with 7-minute rounds for Senator Collins and 
myself.
    I am fascinated by the global nature of cyber crime. I am 
curious if we know, in this case of Mr. Gonzalez, how did he 
connect with the Eastern European gangs that he presumably was 
working with in the cyber crimes? Mr. Merritt, do you have that 
answer?
    Mr. Merritt. Yes, sir. Let me put it in perspective. We 
have talked about compromise today and the exfiltration of 
proprietary information, such as credit and debit card 
information from financial and banking institutions. Here is 
where they end up. They end up in what we call ``carding 
portals,'' or ``carding websites.'' The best description, in 
the short time we have today, is that the carding portals are 
to the criminals what Craigslist and eBay are to law-abiding 
citizens.
    On these carding portals, you can find anything you need. 
People that, in fact, have intruded in these companies and 
exfiltrated credit and debit card information are posting the 
information there for sale.
    Chairman Lieberman. In other words, it is a Web site, 
basically.
    Mr. Merritt. It is a Web site. What happens in these 
loosely held criminal hierarchies is that, through reputation, 
you have people who, in fact, successfully hack into companies 
and then sell their wares on these Web sites. They do not know 
each other personally, Mr. Chairman. They know each other by 
their nicknames on these Web sites, and they conduct business 
without knowing who they are. You might have some that are 
involved in recruiting, some that are selling his or her own 
services, or specialty services, such as hacking or phishing. 
That is where they meet each other.
    So when you say, do they meet each other in a physical 
complex of the traditional type crime, no, sir. They are known 
to each other through these various nicknames on carding 
portals. In these cases, which are transnational in nature, 
that is how they are able to effectively communicate via the 
Internet without actually knowing who they are or even where 
they reside.
    Chairman Lieberman. That is really astounding, but also 
absolutely predictable when you think about it. I will leave it 
to you how much you want to say since we know they are meeting 
in these portals for criminal purposes--law enforcement 
attempts to find its way into those portals, just as if you 
knew that organized crime figures were meeting at a particular 
restaurant regularly, or using a particular pay phone, you 
would find a way to tap that phone or be present in that 
restaurant.
    Mr. Merritt. I would like to comment at some point in time 
about what Mr. Nelson said about the involvement of foreign law 
enforcement because it is an integral component of our success 
in being able to investigate these types of cases. I will give 
you a good example of a success story that we had in 2005 about 
one such carding portal. It was called ShadowCrew.com. It had 
over 4,400 members. And what we were able to do----
    Chairman Lieberman. Let me just stop you a minute. Do you 
have to pay a fee or have a password to get into the portal?
    Mr. Merritt. You have to have your standing in the criminal 
community authenticated by other criminals. You cannot just log 
on. They have to verify that either you have successfully 
hacked into a company and you have an authorized access code to 
buy or sell. But, just like in the old criminal scheme that you 
mentioned at a restaurant, somebody has to vouch for your 
authenticity as far as being part of the criminal world. We, in 
here, could not access--and I hope no one here is going to try. 
We would not access these Web sites since they are only for 
criminals who are known to each other.
    However, in 2005, we successfully conducted an online 
undercover operation for about 2 years, and were the first 
Federal law enforcement agency in the United States to actually 
initiate a Title III on a network. We gained control of this 
network.
    Chairman Lieberman. Just define a Title III for a moment.
    Mr. Merritt. Yes, sir. A Title III, in other words--without 
the criminals knowing--we were eavesdropping, for lack of a 
better word, on this criminal server, collecting criminal 
intelligence, and trying to identify the main players on this 
particular Web site.
    We were fortunate. We effected 28 arrests, with six of 
those arrests being overseas. Essentially, we shut down that 
Web site, and shut down that server. We learned a lot of 
lessons: One, just as Mr. Carr mentioned that he encrypts his 
information, criminals are now encrypting their information, 
and hard drives, which makes it more difficult for law 
enforcement to, in fact, obtain that electronic or digital 
evidence.
    They have also come up with a technology, that at the push 
of a button or even remotely, they are able to destroy the 
evidence on their hard drives. So I think a grand kudo for the 
investigation, is that we effected 28 arrests simultaneously 
because all it would have taken would have been for one 
criminal member in the organization to send out an e-mail to 
notify the rest and that digital evidence would have been 
destroyed. This is a critical component of our ability to 
investigate and prosecute these types of cases.
    There are about 10 or 12 major carding portals in the world 
now, and we have shown that we do have success. Despite the 
anonymity that one presumably has on the Internet, we have 
dispelled that myth. But it is mind-blowing, so to speak, that 
these carding portals exist.
    Chairman Lieberman. Yes, it really is--so mind-blowing that 
I forgot my next question. [Laughter.]
    Mr. Merritt. Well, you know what? If you do not mind, Mr. 
Nelson mentioned that one of the challenges we face is the 
anonymity of these criminals, Mr. Chairman. It is cumbersome 
and laborious to identify who they are. More often than not, 
what we experience here in the United States is that many of 
the intrusions targeting our banking and financial 
infrastructures, our retailers, and our databases originate 
overseas. That is where the level of interaction with foreign 
law enforcement sometimes varies. Different countries have 
different levels of ability to investigate these types of 
crimes. Some countries, quite frankly, lack legislation which 
allows their investigators to prosecute these types of crimes. 
He mentioned the corruption level. That is true. In different 
countries, one can have a very loose or, in some cases, direct 
affiliation between the government and some of these hackers.
    Chairman Lieberman. Yes, I was going to ask Mr. Nelson 
about that. But I am regaining my balance. I remember, and the 
question was this: Is there evidence the traditional organized 
crime syndicates, families, whatever, are involved now in cyber 
crime?
    Mr. Merritt. When you say ``traditional,'' it has been our 
experience that, unlike the traditional Cosa Nostras that we 
had years ago, there is organized crime, but it is a loosely 
held hierarchy because they do not know each other personally.
    Chairman Lieberman. And it is a different operation. It is 
not out of an existing organized crime family here in the 
United States that had a territory that it controlled for 
gambling and drug----
    Mr. Merritt. No, sir. You are correct.
    Chairman Lieberman. This is new. In a sense, these are new 
organized cyber crime operations.
    Mr. Merritt. Absolutely. You might have a hacker who is 
renowned for his or her specialty in the Ukraine. You might 
have a carder who sits in the Baltics and somebody that 
organizes these people, who sits in Russia. So it is a loosely 
held hierarchy within the criminal underworld. But they do not 
necessarily know each other's identity, if that helps, sir.
    Chairman Lieberman. Well, it does, and it obviously 
complicates the job of law enforcement in trying to find them 
and break it up.
    Mr. Merritt. Yes, sir.
    Chairman Lieberman. My time is up. Senator Collins.
    Senator Collins. Thank you.
    Mr. Carr, in looking at the indictment of the individual 
who was involved in the computer theft from Heartland, 
7-Eleven, and Hannaford, I was astounded at what a long period 
elapsed where these hackers were able to steal the credit card 
numbers and debit card numbers. According to the indictment, 
they operated from between October 2006 to May 2008. That is 
more than a year and a half.
    So explain to me how a breach of that magnitude could go 
undetected for so long.
    Mr. Carr. The way breaches are normally detected is that 
fraudulent use of cards is determined, and there was no hint of 
fraudulent use of cards that came to our attention until 
towards the end of 2008.
    Senator Collins. But are there no computer programs that 
one can use to check to see if an intrusion has occurred?
    Mr. Carr. There are, but the cyber criminals are very good 
at masking themselves, and we formed the Payment Processors 
Information Sharing Council with Mr. Nelson primarily so that 
the payment processors could share that information. And, in 
fact, at our May meeting, we did distribute the actual malware 
that was used at Heartland and we believe other businesses. And 
at our meeting last week we updated that, and there were three 
additional malware attacks that had been found since May that 
one of our constituents had passed out to the membership as 
well.
    So being able to scan systems to know what the malware is, 
you have to know something about the attack vector, and you 
have to know something about the malware to find it. All of us 
in this, we go through annual assessments, but the bad guys are 
working together to try to get around all those assessments.
    Senator Collins. But it is my understanding that in this 
case all of the players met the current standards for cyber 
security. Is that correct? The voluntary industry-based 
standards?
    Mr. Carr. We passed, we were certified to be compliant with 
the standards on April 30, 2008.
    Senator Collins. So what does that tell us about the 
standards?
    Mr. Carr. Well, the standards are good standards. They are 
necessary. But some of us believe that an enhanced security is 
possible. A number of years ago, the U.S. Mint decided that it 
was too easy to counterfeit the old bills and upgraded the 
technology of the currency. And 30 years ago, when the magnetic 
stripe was invented, it was invented with the card number in 
the clear on the stripe. And the systems were all developed to 
process that magnetic stripe in the clear.
    We think it is time for that data to be encrypted so that 
merchants never have those card numbers in their system and the 
processors never have that card number in their system either.
    Senator Collins. Because it would be encrypted from the 
point of sale to the processor before going to the credit card 
company?
    Mr. Carr. Correct, and throughout the entire system.
    Senator Collins. Is it typical when a consumer uses a 
credit card at a retailer that it goes first to an entity like 
Heartland? I was under the impression that it went directly to 
Visa or MasterCard or to the bank.
    Mr. Carr. Yes, when the card is swiped, it goes either into 
a gateway that goes to a processor, or it goes directly to the 
processor, and the banks hire companies like Heartland to be 
the gateways and the processing entities for the authorizations 
and the capture and settlement of that information.
    Senator Collins. So is the problem in this case the lack of 
encryption between the retailer and the processing entity or 
the processing entity and the ultimate credit card company?
    Mr. Carr. There are actually five--without getting too 
technical, we think there are five zones of encryption. The 
first zone is from the moment that card is swiped until it gets 
into the gateway or into the processing system. And merchants 
would like to have those card numbers encrypted during that 
zone because then they would not have that data that could be 
taken.
    Zone two is in the processing network. Zone three is in the 
computer systems of the processing network. Zone four is data 
at rest, which is part of the requirements today that all that 
data be encrypted. And I think the industry has done a good job 
of implementing that. And then zone five is to the card brands 
and the issuing institutions as well.
    So it is good to have each one of those zones encrypted, 
but the best is to have them all done, and that is what we are 
trying to adopt through the various work that we are doing.
    Senator Collins. Mr. Nelson, when a retailer is the victim 
of a computer theft scheme like this, do retailers know whom to 
go to in the government?
    Mr. Nelson. I am actually going to defer that to Mr. Carr.
    Senator Collins. Maybe I will go back to Mr. Carr.
    Mr. Nelson. That is more his bailiwick.
    Mr. Carr. Do the retailers know what law enforcement to go 
to?
    Senator Collins. Yes.
    Mr. Carr. I think the larger the merchant is, the more 
likely it is that they know. But I think we could do a better 
job of educating all of our merchants about what process they 
should go through once they are hacked. And, fortunately, Mr. 
Nelson has agreed to--we have set up a new classification of 
membership in our organization that will allow members to learn 
that kind of information.
    Mr. Nelson. Yes, I met with the National Retail Federation 
in June to discuss how we could do more together, and I think 
there really is not a 24/7 operation in the retail community, 
which is an important part of this. We need to make sure they 
are a part of this group and maybe have a link to them, even 
through our organization.
    Senator Collins. To whom do they go?
    Mr. Nelson. The National Retail Federation has a risk 
committee, but it is more a 9 to 5 staff that shares some 
e-mails.
    Senator Collins. Exactly my point. I mean, Mr. Merritt has 
told us of the Secret Service's success in carrying off this 
simultaneous arrest of 20 individuals and the fact that the 
operation could have been blown with just one e-mail being sent 
out.
    Well, similarly, when a retailer learns that it has been 
the subject of a computer breach, time is of the essence. I was 
shocked to learn that in the Hannaford case, which involved 
other retailers as well, a year and a half went by when these 
breaches were occurring. So part of the problem here is that 
once a breach is discovered, I do not think there is an 
understanding of to whom you go. Do you call the local police? 
Do you call the Secret Service? Do you call your trade 
association? Do you call the local district attorney? What do 
you do? To whom do you go?
    Mr. Nelson. We have done a pretty good job in our sector 
getting the banks to call us, but I think we really need to do 
a better job reaching out to the retailer community. Again, 
they are not part of our FS-ISAC. Can we make them part of it? 
And that is what Mr. Carr has been pushing for, and my Chairman 
has actually been pushing for that, too. So I think we are 
going to start looking at that.
    Some of the attack signatures that were shared last week, 
we need to get that out to the retailers, too.
    Senator Collins. Just the answers here--and I appreciate 
very much the hard work that all of you on this panel are 
doing, but the lack of clarity to answer that basic question is 
troubling to me because if a large retailer is uncertain who to 
go to, think what it is like for a small business. I think we 
need far more clarity in answering that question because it is 
going to be a lot easier for the business community if there is 
a single source to go to, and also if it is clear who could 
help you prevent a breach in the first place.
    Mr. Nelson. I think Mr. Reitinger's suggestion for a joint 
operations center where you have private sector and public 
sector people collocated and that is the source you go to, I 
think we need to get moving on that.
    Mr. Reitinger. If I might, ma'am.
    Senator Collins. I know I have exceeded my time, and I 
apologize, Mr. Chairman.
    Chairman Lieberman. Go right ahead. No problem.
    Senator Collins. Mr. Reitinger.
    Mr. Reitinger. Thank you, ma'am. There are a lot of 
resources out there to help businesses to know to whom to 
report cyber crime. My recollection is both the FBI and the 
Secret Service list that on their Web pages. We have 
information on our Web pages on to whom to report, as does the 
Department of Justice.
    I am not so sure that it is bad that there is a diversity 
of places to report as long as the resources are available to 
follow up and investigate. There is also the Internet Crime 
Complaint Center, which is, I think, driven by the FBI.
    So there are many resources that can be brought to bear. 
One of the things that we definitely need to do is do a better 
job on awareness: Get the word out there and then make sure we 
have the mechanisms for exchanging data and for law enforcement 
to work together so the case can be most appropriately 
addressed and followed up.
    Senator Collins. Thank you. I still think there is a lack 
of clarity here. After all, the Federal Trade Commission (FTC) 
is involved to some extent; the Secret Service is involved; the 
FBI is involved; the Department of Homeland Security's 
Infrastructure Protection Division is involved; and State and 
local law enforcement are involved.
    Mr. Nelson. Just to support your argument a little bit 
more, I think if you go to local law enforcement, sometimes 
they will not take the case because it does not meet a certain 
threshold. Let us say it is $100,000. But that particular 
attack might have been coming from the same entity in some 
Eastern European country, and they are attacking hundreds of 
different companies. So, cumulatively, it might be a 
multi-million-dollar attack. That is the issue.
    Senator Collins. That is exactly the issue because what may 
seem to be an isolated attack affecting one business in one 
State may, in fact, be part of a network of attacks on several 
different businesses. And we need to have a way to look for 
those patterns.
    Mr. Carr. Senator, I think the stakeholders in the industry 
would all agree with you. How can that be done?
    Senator Collins. Right.
    Mr. Carr. How can that be communicated and so on? And I 
think that is a challenge we have to resolve.
    Senator Collins. Thank you. My apologies.
    Chairman Lieberman. Oh, not at all. I appreciate the line 
of questioning.
    Mr. Nelson, in your statement you mentioned the alert sent 
out by FS-ISAC on August 24 that listed several best practices 
and recommended controls for companies. I think it is important 
to note the public-private collaboration that went into issuing 
that August 24 alert.
    As I understand it, it was the first time that the FBI 
actually brought private sector representatives into their 
offices and showed you raw intelligence on a threat impacting 
your sector and asked for your assistance in determining 
protective recommendations for industry.
    I want to follow up on that first by asking you, Mr. 
Reitinger, this question: Does DHS issue best practices for the 
various sectors at this point? And if not, do you intend to? If 
so, are there ways to measure the success of those 
recommendations, that is, the degree of implementation or 
follow-up by people receiving those notices?
    Mr. Reitinger. I would not say, sir, that it is a set of 
specific practices that are issued sector by sector. We issue 
broad guidance from the general how to protect yourself down to 
the very specific technical alerts that US-CERT regularly 
produces. So far this year, we have produced over 40 specific 
products, and our products are available--at least our general 
products are available on our Web page, including cyber 
security tips for businesses, how to protect the workplace, 
those sorts of items.
    We also work very closely with the private sector to 
produce specific incident-related guidance. For example, when 
the distributed denial-of-service attacks were launched around 
July 4 of this year, US-CERT worked very closely with our 
partners in government and industry and produced two distinct 
products: A Federal information notice that provided 
information on the attacks and advice on mitigations to the 
government; and a critical infrastructure information notice 
that similarly went in a non-public way to key private sector 
entities throughout the infrastructure, including all of the 
ISACs.
    So, in general, we do produce the products. We also work 
broadly with the sectors and broadly across the sectors in the 
cyber security cross-sector working group, which is one way 
under the National Infrastructure Protection framework that we 
address cyber security horizontally across all the sectors.
    With regard to measuring implementation, as I think both of 
the Senators' comments indicated early on, metrics are an area 
of growth, I think, for us, generally. By ``us,'' I mean not 
just DHS, although I include DHS in that. But in cyber 
security, judging what works and what does not work is very 
difficult to do.
    So, for example, Senator Collins spoke about the fact that 
we need to use the procurement power to increase the security 
of hardware and software that is bought. I could not agree 
more. But we also need better ways to judge what software is 
secure so that we can have an effective regime because good 
metrics drive good behavior and bad metrics drive bad behavior. 
Similarly, we need better metrics about what security practices 
work effectively and do not work effectively.
    I think our ability in DHS, to return to your question, 
Senator, to judge how broadly our recommendations are 
implemented is an area that we need to grow, but have not fully 
developed yet.
    Chairman Lieberman. So that is a priority for you as you go 
forward.
    Mr. Reitinger. Yes, sir.
    Chairman Lieberman. In your testimony, Mr. Reitinger, you 
stated that DHS is building an integrated cyber security and 
communications watch floor that you expect to be operational 
before the end of this year, and I think that is a very good 
development, and I thank you for it and I hope you will push it 
forward.
    I wanted to ask you two things about that, if you could 
provide, to the extent that you are able, more information 
about the Department's plans in that regard. But also, building 
on this line of questioning, do you expect robust private 
sector participation on the cyber side when this watch floor is 
completed?
    Mr. Reitinger. Yes, sir. The watch floor is in development 
right now. If you were to travel to our Glebe Road facility, 
you would see a lot of people doing demolition and building, 
and I would welcome your presence there. We believe it will 
open substantially before the end of the year, and the 
processes for how it will work are under development right now.
    With regard to your second question about private sector 
participation, we already have private sector participation, 
particularly through the National Coordinating Center, which 
has a number of telecommunications representatives that are 
physically present within DHS space and others who are 
virtually present on a regular basis. We intend to grow from 
that core broader private sector participation and State and 
local participation.
    Chairman Lieberman. Good.
    Mr. Reitinger. Because it is absolutely essential that we 
be able in certain cases to work together, as I like to say, 
breathing the same air to build the trusted relationships, and 
be able to work together virtually so we have a full, one-
nation incident response organization.
    Chairman Lieberman. That is great to hear. I think one of 
the most significant recommendations of the 9/11 Commission, 
which I am proud that our Committee played an active role in 
implementing, was the creation of the National Counterterrorism 
Center, and it is really--appropriately, I suppose--one of the 
unsung heroes of defense of our homeland security. Even in the 
cyber age, there is something to be said for having people 
working on the same problem trying to defend the country from 
the same kinds of threats, breathing the same air, because 
there is natural interaction that goes on. So I am pleased to 
hear about that.
    Will the watch floor be under the National Cyber Security 
Division?
    Mr. Reitinger. It will be in the spaces of cyber security 
and communications, but it will include US-CERT, which is part 
of the National Cyber Security Division (NCSD)----
    Chairman Lieberman. Right.
    Mr. Reitinger [continuing]. And the National Coordinating 
Center, which is a part of the National Communications System, 
but also a part of the Office of Cyber Security and 
Communications (CSC), and it will also include the National 
Cyber Security Center. I am also the Director of that. It is 
not a part of CSC or the National Protection and Programs 
Directorate. In my capacity as the Director, I report directly 
to the Secretary of Homeland Security. The National Cyber 
Security Center has the mission to coordinate and drive common 
situational awareness across all of the high-value watch 
centers for cyber across the Federal Government, and all of 
those pieces will be collocated.
    Chairman Lieberman. That is the key. I mean, as you were 
describing the acronyms and what they stand for, it began to 
sound like a very complicated organizational chart. And maybe 
there is a good reason for every one of those organizations, 
but the key, as we have found, is to make sure they are all 
working together and they are not getting stovepiped.
    Let me ask a final question along this line going back to 
the August 24 alert sent out by FS-ISAC. There were some real 
interesting recommendations in there, I thought, among other 
things one that recommended that people never access bank, 
brokerage, or financial services information at Internet cafes 
or public libraries.
    Mr. Nelson, or anyone else on the panel, but we will start 
with you, is this advice that every American should be 
following? And if so, why?
    Mr. Nelson. Yes, because the information that you key into 
that computer in a public library or Internet cafe can be kept 
there. So when you are keying in your user ID and password, a 
user could subsequently steal it, or they may have put some 
malware on that computer that you are not aware of, and then 
they have access to your banking account.
    Chairman Lieberman. I hope people are listening. Senator 
Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Mr. Reitinger, you brought up the issue of using the 
Federal Government's procurement power to persuade vendors to 
deliver safer IT systems, and we had testimony at our April 
hearing on just this issue from the Director of Research for 
the SANS Institute. He pointed out that when that is done, the 
cost of the security software falls dramatically. He cited an 
example of some encryption software that costs $243 on the 
retail level, and the Department of Agriculture was able to 
purchase it for $12, and DOD for less than $6 per copy because 
of the large volume.
    More to the point, however, is this expert's assertion 
that, despite Federal acquisition rules that require security 
to be baked into procurements at the beginning, most times it 
is not, that there are no penalties or even checks to ensure 
that security is part of the acquisition process.
    What is DHS doing to ensure that security is part of the 
computer acquisition process?
    Mr. Reitinger. Yes, ma'am, I would be glad to talk about 
that. We have a special software assurance effort that is being 
driven out of the National Cyber Security Division which 
includes both a Software Assurance Forum where best practices 
are developed, industry talks to industry and industry talks to 
government, work is done around building the business case to 
help companies understand what they need to do or ought to do 
for secure development, and work is done on things such as 
acquisitions.
    We also have a Web site called the ``Build Security In'' 
Web site that helps to disseminate those best practices more 
broadly and explain how secure development can be done.
    I think in the long term this is an area for growth. It is 
still too difficult, despite everyone's best work, to know 
whether software is developed securely or not. So one could say 
in an acquisition, ``Thou shalt only buy securely developed 
software,'' but actually specifying that is hard. A lot of work 
has been done, including recently some private sector groups 
have developed guidelines for what that might mean, but the 
evaluation regimes that we have for software remain somewhat 
rudimentary in terms of their ability to judge that, including 
the common criteria, which is an international standard which 
gives a thumbs up or thumbs down for software, which focuses 
more on the implementation of security features in the 
software, as opposed to whether the software was developed 
securely and its overall security.
    So there is a lot of work to be done here, both in terms of 
raising awareness with companies, in terms of figuring out what 
is securely developed or not securely developed and how to 
specify that in acquisitions, and then the research and 
development around how one could develop software more securely 
which could benefit the entire ecosystem.
    Senator Collins. And, of course, it never ends because the 
criminals become more innovative and defeat the security 
software, which is why it is difficult to mandate specific 
standards. You have to constantly share best practices, but the 
technology is going to continually evolve and the criminals are 
going to continually try to defeat it.
    Let me in my final question just ask you about a specific 
example that was brought to my attention recently by the CEO of 
a technology company, who was very concerned that there is a 
lack of a coherent cyber security policy at the Federal 
Government, particularly in the civilian agencies. DOD is a 
whole different animal in this case, as is so frequently the 
case. He cited a recent Request for Proposal (RFP) from the 
Social Security Administration as an example of his concern 
about the current inadequacy of the Federal Government related 
to cyber security.
    The Social Security Administration had issued a RFP for a 
platform that would allow Social Security beneficiaries to 
access their accounts online and to make adjustments online, 
such as address changes. He believes that, as drafted, the RFP 
is highly likely to produce a platform that would make the 
users vulnerable to spoofing--that is, directing users 
unknowingly to false Web sites--and that the Social Security 
Administration would lose millions in just the first month as 
hackers direct payments elsewhere.
    Now, I do not know if this individual's assessment is 
correct, but it really concerns me that this individual, who is 
a technology expert, has reviewed this RFP and concluded that 
the systems to be procured will be highly vulnerable. So what 
do we do in a situation like this? And how can we get civilian 
agencies within the government to recognize that they are the 
container of personal data that, if it is breached, will cause 
great harm? We have seen example after example--such as the 
sizeable breach of the Department of Veterans Affairs records a 
couple years ago.
    Mr. Reitinger. So let me answer this in two parts, if I 
could, ma'am. First, obviously--and I cannot speak to that RFP. 
I apologize. I have not read it.
    Senator Collins. Right. I did not expect you to be able to.
    Mr. Reitinger. But we do need generally to continue to 
raise awareness not just with the private sector but with our 
partners across government, because we are in sort of a 
generational hump, if you will--we did not all grow up working 
with computers and understanding computer security, much like 
we all grew up understanding cars and how to drive cars. So we 
have to get through this period and make sure that we raise 
awareness broadly throughout the Federal Government, including 
among those doing acquisitions.
    I do believe we have a Federal Government cyber security 
strategy. We have the 2003 National Strategy, and then the 
Comprehensive National Cybersecurity Initiative (CNCI), as 
recently expanded upon and developed by the Cyberspace Policy 
Review, which is going to lead to a revised new national 
strategy. But we have focus and we have a way that we are 
moving forward.
    Specifically around the question that you raise in terms of 
access to personal data, it is a difficult problem because 
right now people are accessing whether private or government 
systems, with a set of computers that they find very difficult 
to secure, and using a set of methods to authenticate 
themselves, that are subject to theft.
    In the mid- to long-term, we need to move to an environment 
where no one uses user names and passwords to access sensitive 
data like personally identifiable information, where one has 
readily available stronger authentication means, like 
certificates or tokens or whatever is used, to access data 
where it is much harder to steal that credential. That will 
enable great protection in the ecosystem. It will make it 
harder to steal people's personally identifiable information. 
And it will make theft of personally identifiable information 
less valuable because you will not be able to actually take a 
person's user name and password, or phish it, and then use it 
against them. You would actually have to take something else.
    That is called for in the Cyberspace Policy Review, and it 
is related to some of the comments that my private sector 
colleagues made earlier.
    Senator Collins. Thank you. Thank you, Mr. Chairman.
    Chairman Lieberman. Senator Collins, thank you. Just a few 
more questions.
    Mr. Carr, going back to the case that you unfortunately 
went through, we know that your system was compromised in the 
sense that, you might say, the front door was knocked down, the 
cyber criminals got inside the system. There were 130 million 
accounts that were vulnerable. I presume that a certain number 
of people involved complained to their credit card companies or 
the merchants and said, ``Hey, I did not buy this, and it is on 
my bill.'' Do you have any idea at this point of the scope of 
the loss, either in dollar terms or how many people were 
affected? Or is it too soon to say?
    Mr. Carr. It is too soon to say. We know that we have 
charged off on our profit and loss statement $32 million.
    Chairman Lieberman. Say that again? I am sorry.
    Mr. Carr. $32 million.
    Chairman Lieberman. That you charged off?
    Mr. Carr. That we have had to expend to deal with this 
breach.
    Chairman Lieberman. In other words, to reimburse people?
    Mr. Carr. No--well, part of that could be deemed to be part 
of that. We do not know the extent of the fraud that was 
involved at this point. We do not know how many card numbers 
exactly were compromised.
    Chairman Lieberman. Right. What was the $32 million for?
    Mr. Carr. That was for forensics work, for legal work, and 
for potential settlements of some of the claims.
    Chairman Lieberman. People complaining about what they take 
to be unwarranted charges on their cards, would that 
information come to you? Or is it more likely to come to the 
credit card company?
    Mr. Carr. It comes to the issuing bank and----
    Chairman Lieberman. Yes, because most people do not know 
about you.
    Mr. Carr. Correct.
    Chairman Lieberman. And then they get back to you, I take 
it?
    Mr. Carr. Right. We are in that process today.
    Chairman Lieberman. So at this point, would you say that 
the number of accounts compromised was small or medium or 
large? I know you cannot say exactly.
    Mr. Carr. It is a significant compromise, but we do not 
know to what extent.
    Chairman Lieberman. In your testimony, you also say that 
Federal law enforcement was very helpful to Heartland in this 
process, and I just wanted to ask you to expand on that 
comment. What kind of assistance did you receive from which 
agencies?
    Mr. Carr. Well, the Secret Service was at our meeting last 
week and provided some really good information to the members, 
and we have met with DHS people who have offered to help 
provide us and our industry some monitoring tools for the 
security of our computers through some technology that was paid 
for by the government that is being made available to private 
industry.
    Chairman Lieberman. I appreciate hearing that. As you look 
back--and I know you have done some work on this and have been 
spreading the story throughout your business area--what are 
some of the things you wish you had done, having seen this 
attack?
    Mr. Carr. Well, I wish we had gotten together with our 
industry and shared information more quickly because by 
learning how these bad guys attack others, we would have 
learned a lot at that point. I wish we had done that earlier.
    Chairman Lieberman. Mr. Merritt, let me ask you, and then 
if anyone else wants to get into this, do you think there is a 
need for amendment of existing criminal laws or adoption of new 
criminal laws to facilitate the charging or even investigation, 
but particularly the charging of cyber criminals? Or are you 
able to operate in this new area within the general parameters 
of existing criminal law?
    Mr. Merritt. No, sir. In my opinion, we have the necessary 
statutory authority given to us by Congress to investigate 
these types of crimes and in my written statement, Title 18 of 
the U.S. Code, Sections 1028, 1029, 1030----
    Chairman Lieberman. Right.
    Mr. Merritt. Those are all sufficient to allow us to carry 
out our responsibility.
    Chairman Lieberman. The other part of my question goes a 
bit beyond your role in the process, and we should and will be 
talking to the Department of Justice about this. But just from 
your experience, is it your sense that once you turn cases 
over, as it were, to the prosecutors, they have enough within 
existing criminal law to proceed to prosecute these cases?
    Mr. Merritt. We have been fully supported by U.S. Attorneys 
across the Nation, sir, and specifically Mr. Reitinger 
mentioned he was a part of them before the Computer Crimes and 
Intellectual Property Section (CCIPS). We have been very 
satisfied. I think they have been, too. I would defer to them 
to see if they are having some issues as far as their authority 
to prosecute these types of cases. But we have had very good 
luck, sir. Thank you.
    Chairman Lieberman. Thank you.
    Mr. Reitinger, as part of your quite remarkable background 
in preparation for this job, you have had this prosecutorial 
experience. What is your sense of whether the criminal laws 
need updating to meet this challenge or whether they are 
adequate in their current status?
    Mr. Reitinger. With apologies, sir, I have been out of that 
part of the job since I left the Justice Department and went to 
the Department of Defense back in 2001. So I would defer to my 
expert colleagues at the Secret Service and the Department of 
Justice.
    Chairman Lieberman. We will talk to them.
    Let me ask you a question that I want you all to think 
about, and we will be in touch with you as we proceed to 
legislation. I will start with you, Mr. Reitinger, if you have 
any thoughts now about what are some of the constructive--if 
you think there are any--things we can do by way of legislation 
to help you better do your job or carry out your responsibility 
with regard to cyber security.
    Mr. Reitinger. Sir, I do not have any specific requests to 
make at this time. Obviously, as I gain my experience in this 
job, I am learning more about what is required and where the 
shortfalls, if any, may be. I look forward to continuing to 
work with you and your staff and the Committee staff on those 
issues.
    Chairman Lieberman. Good. Mr. Merritt, any thoughts there?
    Mr. Merritt. Sir, we are aware of several pending pieces of 
data privacy legislation that Congress is considering in the 
different committees, that would encourage private industry, 
when they have been intruded upon, to report those intrusions. 
We have been very supportive when committees have asked us for 
any advice, and we will continue to do so.
    Chairman Lieberman. Good. Any legislation or other action 
by Congress that might facilitate this process we talked about 
earlier of moving ahead with international cooperation in the 
investigation and prosecution of cyber crime?
    Mr. Merritt. Mr. Chairman, it is very hard for Congress to 
implement that type of legislation or law overseas. I think one 
must rely on personal and professional relationships that we 
and other law enforcement entities are able to establish with 
our foreign counterparts.
    Chairman Lieberman. Are you working with the State 
Department--or, Mr. Reitinger, let me ask you--in regard to 
this? In other words, has the development of international 
conventions, treaties, or working groups to deal with cyber 
crime become now an element of our foreign policy?
    Mr. Reitinger. Well, sir, I think it has been for some 
time. The Council of Europe Cyber Crime Convention was 
groundbreaking when it was first developed as the first major 
convention dealing specifically with cyber in that sense, and I 
think all of us were greatly pleased when the Senate chose to 
ratify it. And that has, I think, enabled a much greater degree 
in terms of international collaboration.
    We are actively involved in the Department of Homeland 
Security in building relationships with our international 
partners and are hosting a conference, the Meridian Conference 
in October of this year, where a number of key players will be 
coming in, as well as working to develop non-law enforcement 
operational relationships.
    Finally, I would say that the Cyberspace Policy Review 
specifically talked about the need to build international 
frameworks, and the National Security Telecommunications 
Advisory Committee produced a report, I believe last year, on 
the need for a broader international framework around cyber.
    And so I think it is a subject of focus. There is a lot of 
work that remains to be done under the overall leadership of 
the Department of State.
    Chairman Lieberman. While I have the two of you here, I 
will say, as I said after Mr. Merritt's testimony, that I am 
impressed and I did not know about all that the Secret Service 
was doing in regard to cyber crime. Of course, the Secret 
Service comes into the Department of Homeland Security with a 
very strong, unique independent history, but the question I 
want to ask is whether the Secret Service and the other cyber 
security divisions are adequately integrated--in other words, 
whether there is, certainly, sharing of information going on. 
Mr. Merritt mentioned the Electronic Crimes Task Force and the 
sharing of information going on with State and local law 
enforcers. But is it also going on within the building, as it 
were, or within what will be the building?
    Mr. Reitinger. I think the answer is yes, sir. I think we 
can continue to strengthen the relationships, but there is 
someone from the Secret Service on the NPPD staff. There is a 
Secret Service liaison specifically at US-CERT. They have a 
regular working relationship and an ability to collaborate.
    I, specifically, on more than one occasion, when I have 
received a report from US-CERT, have spoken to them about 
making sure that we were working both with the Secret Service 
and the FBI to ensure there was appropriate law enforcement 
follow-up. And there are collaboration mechanisms that the 
Secret Service and the Bureau use to work broadly within law 
enforcement.
    So I believe the connections are there, and I think as we 
move forward and build out the US-CERT capabilities, they are 
going to continue to be enhanced and be more effective.
    Chairman Lieberman. Obviously, that is very important.
    Mr. Nelson, any thoughts about additional law, Federal law, 
that could assist FS-ISAC in the work that you are doing?
    Mr. Nelson. We did not really specify in our testimony 
recommendations in that regard, but we do think that there are 
some things. We could require support of some funding for, for 
instance, better education, particularly getting the word out 
on that you do not open that phish that you get, that type 
phishing campaign. And one of our members, a small member, a 
financial institution in southern Virginia, came up with the 
idea of a logo, an anti-phishing logo almost like the no-
smoking logo, or ``Don't Pollute, Give a Hoot.'' Remember those 
old campaigns? But just kind of get the national mind or kind 
of the national consciousness around the need not to click on 
these suspicious e-mails. So I think that is one area that I 
think we could work on.
    Chairman Lieberman. One suggestion that has been made to 
the Committee for legislation is to require in law or encourage 
or facilitate the creation of some certification process for 
the private sector--in other words, either administered by a 
group like yours in your area of our economy, financial 
services, and in others; or perhaps with some governmental 
regulatory board which would set minimum standards that we 
would require private sector entities to follow to defend 
themselves--and, in the larger sense, all of us--against cyber 
attack either for purposes of money or terrorism.
    Maybe I should start with you, Mr. Reitinger, and ask you 
whether you have thought about that and if you have any opinion 
on it.
    Mr. Reitinger. I cannot testify to that in particular, sir. 
I would have to see the details of the proposal. What I would 
say is I think it is not true that cyber is completely 
unregulated. Obviously, there are financial regulations. In the 
chemical sector, for example, there are elements to chemical 
cyber security regulation embedded in the current Chemical 
Facility Anti-Terrorism Standards (CFATS) regime. So there is a 
mixture of degree of regulation, and sometimes when people talk 
about the proposal you are talking about, they point to what is 
called the North American Electric Reliability Corporation 
(NERC) and Federal Energy Regulatory Commission (FERC) model.
    Obviously, there is a lot to be explored. I think it is 
beyond dispute that the status quo is not sufficient. We are 
committed to working within the model we have right now and 
enabling our private sector partners to succeed. And in terms 
of whether additional authority is necessary or appropriate, I 
think we need to continue to examine that, because it is clear 
that cyber security is a national security and homeland 
security issue that needs to be fully addressed.
    Chairman Lieberman. Yes, I agree. We have not reached a 
conclusion on this, but it is very important, I think, for the 
Committee to consider it because the Federal Government clearly 
cannot do all this on our own. Too much of our critical 
infrastructure is owned by the private sector, which, of 
course, is quite appropriate and positive. What responsibility 
does the society through the government put on the private 
sector to take at least the minimal set of actions to protect 
themselves and the larger society from cyber attack?
    So I would welcome a first response, Mr. Nelson, and say to 
you that we would like to keep in touch, and with you, Mr. 
Carr, as well. Go right ahead.
    Mr. Nelson. The one thing I would say, we have, of course, 
in the financial services industry, a number of regulators. I 
hear some of our firms complain that regulators are coming in 
every week, a different set. FDIC comes in, the Federal Reserve 
comes in the next week, and then you have the Office of the 
Comptroller of the Currency (OCC), etc.
    Chairman Lieberman. Tell them to get ready for the National 
Cyber Security---- [Laughter.]
    Mr. Nelson. I will do that. But I think on the other side, 
we do have a number of cyber security areas that the examiners 
are looking at that they are examining on today. One was, a 
couple years ago, the implementation of a guidance, and a 
guidance sounds like a loose term, but it was actually a 
requirement for financial institutions to look at all of their 
applications to see if multi-factor authentication should be 
applied, and you have to do that evaluation. Most of the 
financial institutions, at least for business accounts, do 
require multi-factor authentication, for instance. Even on the 
consumer side, there is knowledge-based authentication, for 
instance, knowing that if I am on my computer, this is the 
correct IP address for who I normally do business with. So 
those types of authentication and multi-factor authentication 
tools are more or less looked at by the examiners today to see 
if the banks are complying with that.
    Could they be stronger? And some of the things that Mr. 
Carr recommended about strong encryption, that we have 
recommended, and actually the whole panel has recommended, I 
think that is something at which we ought to look. But, again, 
we have stayed away from being too prescriptive with that and 
wanted to really look at, as technologies change and as the 
attacking vectors change, how do we respond to that. And I 
think we really try to make that part of our regulatory regimen 
today.
    Chairman Lieberman. Mr. Carr, do you want to respond at all 
to that?
    Mr. Carr. I would just like to say that at our meeting last 
week, there was a frustration expressed by law enforcement that 
they would know some of these bad guys and these criminal rings 
and go to countries to arrest them, and they were not able to 
arrest them because of non-cooperation with that country. That 
would be helpful. I am not sure that legislation can solve that 
problem, but that is a problem that needs to be solved.
    Chairman Lieberman. Yes, but that is the kind of problem 
that can be solved either at a diplomatic level, through the 
State Department, or perhaps through the development of more 
and more international cooperative law enforcement efforts.
    Well, that is a topic we are going to consider as we go on 
to develop the legislation, whether we want to create kind of a 
good certification seal if you will, whether as some have 
suggested we go beyond and actually require, for instance, 
encryption or some other steps to be taken. Those are big steps 
to take, and we are not going to take them lightly or without 
adequate consideration.
    I want to thank the four of you. It has been a very 
productive hearing from our point of view, both from the real-
life experiences--the nightmarish experience that you have had 
to go through, Mr. Carr, and, Mr. Nelson, the work that your 
group is doing--and then, Mr. Merritt and Mr. Reitinger, thanks 
for what you are doing in response. This is a problem that is 
not going to go away. It is going to get worse unless we can 
work together to diminish the threat, which this Committee 
wants to do everything it can to make it possible by those of 
you who are out in the field every day.
    So we are going to hold the record of this hearing open for 
15 days for additional statements or questions. I thank you 
again for your testimony. The hearing is adjourned.
    [Whereupon, at 12:04 p.m., the Committee was adjourned.]















                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
