b'<html>\n<title> - MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER DEFENSE</title>\n<body><pre>[Senate Hearing 111-662]\n[From the U.S. Government Publishing Office]\n\n\n\n                                                        S. Hrg. 111-662\n \n   MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER \n                                DEFENSE\n\n=======================================================================\n\n\n                                HEARING\n\n                               before the\n\n                FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT\n                   INFORMATION, FEDERAL SERVICES, AND\n                  INTERNATIONAL SECURITY SUBCOMMITTEE\n\n                                 of the\n\n                              COMMITTEE ON\n               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n                          UNITED STATES SENATE\n\n\n                                 of the\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 29, 2009\n\n                               __________\n\n       Available via http://www.gpoaccess.gov/congress/index.html\n\n                       Printed for the use of the\n        Committee on Homeland Security and Governmental Affairs\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n53-852                    WASHINGTON : 2010\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202\xef\xbf\xbd09512\xef\xbf\xbd091800, or 866\xef\xbf\xbd09512\xef\xbf\xbd091800 (toll-free). 
E-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="2443544b64475157504c4148540a474b490a">[email&#160;protected]</a>  \n\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine\nDANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma\nTHOMAS R. CARPER, Delaware           JOHN McCAIN, Arizona\nMARK PRYOR, Arkansas                 GEORGE V. VOINOVICH, Ohio\nMARY L. LANDRIEU, Louisiana          JOHN ENSIGN, Nevada\nCLAIRE McCASKILL, Missouri           LINDSEY GRAHAM, South Carolina\nJON TESTER, Montana                  ROBERT F. BENNETT, Utah\nROLAND W. BURRIS, Illinois\nPAUL G. KIRK, JR., Massachusetts\n\n                  Michael L. Alexander, Staff Director\n     Brandon L. Milhorn, Minority Staff Director and Chief Counsel\n                  Trina Driessnack Tyrer, Chief Clerk\n                                 ------                                \n\n SUBCOMMITTEE ON FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, \n              FEDERAL SERVICES, AND INTERNATIONAL SECURITY\n\n                  THOMAS R. CARPER, Delaware, Chairman\nCARL LEVIN, Michigan                 JOHN McCAIN, Arizona\nDANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma\nMARK L. PRYOR, Arkansas              GEORGE V. VOINOVICH, Ohio\nCLAIRE McCASKILL, Missouri           JOHN ENSIGN, Nevada\nROLAND W. BURRIS, Illinois\n\n                    John Kilvington, Staff Director\n                Erik Hopkins, Professional Staff Member\n    Bryan Parker, Staff Director and General Counsel to the Minority\n                   Deirdre G. 
Armstrong, Chief Clerk\n\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statement:\n                                                                   Page\n    Senator Carper...............................................     1\nPrepared statements:\n    Senator Carper...............................................    31\n    Senator McCain...............................................    34\n\n                               WITNESSES\n                       Thursday, October 29, 2009\n\nHon. Tom Davis, former U.S. Representative from the State of \n  Virginia.......................................................     4\nVivek Kundra, Federal Chief Information Officer, Administrator \n  for Electronic Government and Information Technology, U.S. \n  Office of Management and Budget................................    12\nGregory C. Wilshusen, Director, Information Technology Security \n  Issues, U.S. Government Accountability Office..................    14\nJohn Streufert, Chief Information Security Officer, and Deputy \n  Chief Information Officer for Information Security, Bureau of \n  Information Resource Management, U.S. Department of State......    16\n\n                     Alphabetical List of Witnesses\n\nDavis, Hon. Tom:\n    Testimony....................................................     4\n    Prepared statement...........................................    36\nKundra, Vivek:\n    Testimony....................................................    12\n    Prepared statement...........................................    39\nStreufert, John:\n    Testimony....................................................    16\n    Prepared statement...........................................    51\nWilshusen, Gregory C.:\n    Testimony....................................................    14\n    Prepared statement...........................................    
45\n\n                                APPENDIX\n\nQuestions and responses for the Record from:\n    Mr. Kundra with attachments..................................    58\n    Mr. Wilshusen................................................    84\n    Mr. Streufert................................................    92\nCharts (2) provided for the Record...............................    99\n\n\n   MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER \n                                DEFENSE\n\n                              ----------                              \n\n\n                       THURSDAY, OCTOBER 29, 2009\n\n                                 U.S. Senate,      \n        Subcommittee on Federal Financial Management,      \n              Government Information, Federal Services,    \n                               and International Security  \n                      of the Committee on Homeland Security\n                                        and Governmental Affairs,  \n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 2:33 p.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Thomas R. \nCarper, Chairman of the Subcommittee, presiding.\n    Present: Senator Carper.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Good afternoon, everyone, and especially \ngood afternoon, Congressman Tom Davis, whose sister, niece, and \nnephews live in the State of Delaware. We are grateful to you \nfor coming today and sharing with us your advice and counsel.\n    The issue du jour is cyber warfare. It isn\'t science \nfiction. It is reality. 
Over the past few years, we have heard \nalarming reports that criminals, hackers, even foreign nations \nhave deeply penetrated our government\'s most sensitive \nnetworks, including the offices of some of us right here in \nCongress.\n    In fact, just last week, the Congressionally-established \nU.S.-China Economic and Security Review Commission reported \nthat China is strategically developing offensive capabilities \nthat could be used against us in a future military conflict. \nFurther, there have been reports that some of the previously \nsuccessful cyber attacks against agency networks may have left \nbehind what is commonly known as a back door, essentially a \ntechnological means for the bad guys to get back into our \nnetworks without anyone ever knowing about it.\n    These vulnerabilities could be used against us by those who \nmight want to do us harm by stealing sensitive information \nstored on our military networks or by shutting down critical \nnetworks just when we need them the most. Imagine the \nterrifying scenario of a hacker creating uncertainty as to the \nvalidity of the data residing on the Federal Aviation \nAdministration\'s (FAA) air traffic control systems. That is \nexactly the kind of scenario I hope our hearing today prevents.\n    But the threat of a cyber attack isn\'t something new. In \nfact, in 2002, Congress passed what is known as the Federal \nInformation Security Management Act (FISMA), to help prevent \nmany of the problems that we are going to be discussing today. \nThat legislation brought greater attention to the issue of \ncyber security and it helped to establish greater \naccountability within agencies. 
Overall, I think we would agree \nthat it is a step in the right direction.\n    However, some 7 years after the passage of FISMA and \napproximately $40 billion later, I am troubled to learn that \nthe Office of Management and Budget (OMB) does not track how \nmuch agencies spend on cyber security, nor does the agency \nmeasure those expenditures and whether those expenditures \nactually resulted in improved security. Even more troubling, \nagencies may be constrained from implementing the most basic \ncyber security best practice because of inflexible \nrequirements.\n    Now, allow me to put this into perspective. Federal \nagencies have spent more on cyber security than the entire \ngross domestic product of North Korea, who some have speculated \nis maybe involved with some of those cyber attacks. That is \nunacceptable.\n    Some of the problems with FISMA implementation are a direct \nresult of OMB\'s decisions over the years, while others are due \nto agency neglect. Still other problems lay at the feet of \nthose of us here on Capitol Hill. In essence, there is blame \nenough to go around for all.\n    However, at today\'s hearing, we have an opportunity to \ndiscuss some concrete ways to correct some of those wrongs, and \nthat is what we are going to do.\n    For example, one wasteful and ineffective area that OMB and \nagencies can target is what is known as the ``certification and \naccreditation\'\' process. The certification and accreditation \nprocess is essentially a process whereby agencies evaluate \nevery 3 years what defense security protections are in place to \nprevent attacks on their systems. The process costs taxpayers \nabout $1.3 billion--that is billion with a ``b\'\'--every year, \nand it produces a good deal of paperwork that ends up stored in \nbinders in some clutter-filled rooms. In fact, those rooms look \na lot like this one. In fact, that is one of them. 
There are, I \nthink, others that look like it.\n    But we can see 3 years\' worth of reports from the \nDepartment of State, just one department, which cost them a \ntotal of $38 million. These reports would be worth the price \ntag if the tactics that hackers used were as static as the \nwords typed on a piece of paper. But hackers change how they \nattack us daily and their numbers, unfortunately, continue to \ngrow.\n    And yet it seems like OMB thinks that a snapshot of agency \npreparedness every 3 years will somehow defend our critical \nnetworks. But instead, billions of dollars are spent every year \non ineffective and useless reports, similar to the chart \npictured here.\\1\\ Meanwhile, we continue to get attacked.\n---------------------------------------------------------------------------\n    \\1\\ The chart referred to appears in the Appendix on page 99.\n---------------------------------------------------------------------------\n    However, testifying today will be a representative from the \nDepartment of State on our second panel who saw an opportunity \nto spend his agency\'s cyber security budget more wisely. \nInstead of spending money on ineffective paper-based reports, \nthe State Department decided to focus on developing a system \nthat monitored their global networks on a continuing basis.\n    If you take a look at the second chart that has just been \nput up,\\1\\ we can see the results of the hard work at the \nDepartment of State. According to that Department, they were \nable to reduce the amount of risk to their agency by 90 percent \nin a single year. I am told that this was achieved by \ndeveloping a system that makes sense, uses effective metrics, \nand holds people accountable. 
In essence, the Department of \nState can prove that they have better security at a fraction of \nthe cost that they were previously paying.\n---------------------------------------------------------------------------\n    \\1\\ The chart referred to appears in the Appendix on page 100.\n---------------------------------------------------------------------------\n    So as we progress through this hearing, I would like our \nwitnesses to keep in mind that moving to a model more like the \none at the Department of State requires no new legislation, \ncosts less than or the same as the current paperwork-laden \nmethod, and will better protect our country. That is the kind \nof cyber security that makes sense to me, and I suspect that is \nthe kind of cyber security that would make sense to most people \nin this country.\n    In fact, my colleagues and I introduced a bill last \nsession, and we have introduced it again this year, which would \nrequire all agencies to move to a proactive approach like the \none that the Department of State has taken.\n    In addition to requiring continuous monitoring of security \ncontrols and putting a strengthened Chief Information Security \nOfficer in each agency, our bill would enhance the role of the \nDepartment of Homeland Security in cyber security. The \nDepartment would share information with agencies on where cyber \nattacks have been successful so that they can better prioritize \ntheir security enhancements.\n    Further, our bill would require agencies to use their \nenormous purchasing power to persuade vendors to develop and \nsell more secure IT products and services in the first place.\n    Again, our thanks to each of our witnesses. 
We certainly \nlook forward to what you have to say, share with us, and to \nresponding to our questions.\n    We will be joined as the afternoon goes on by others on our \nSubcommittee, but rather than sit here waiting for them for \nhours, we are going to dive right in with our first panel. As I \ntelegraphed earlier, we will receive our testimony from former \nCongressman Tom Davis, who represented, I think, a \nCongressional district in the Northern part of Virginia, a \nState where I grew up. His service in the U.S. House of \nRepresentatives--how many terms did you serve there?\n    Mr. Davis. Seven.\n    Senator Carper. Seven terms. Did it seem like eight?\n    Mr. Davis. It seemed like 20 at the end. [Laughter.]\n    Senator Carper. Congressman Davis was the principal author \nof a number of pieces of legislation, but he was also the \nprincipal author of the Federal Information Security Management \nAct of 2002, lovingly called FISMA, which is the subject that \nwe are going to be discussing here today.\n    He also held numerous oversight hearings on the \nimplementation of FISMA and is considered an expert on the \nissue. I would like for the record to show that my name and the \nword ``expert\'\' have almost never been used in the same \nsentence. [Laughter.]\n    We are pleased to have Mr. Davis with us, who is certainly \nan expert on this issue and very knowledgeable about a bunch of \nother things. It is a real pleasure to work with him. We are \ntrying to make some progress on, among other issues, figuring \nout a path forward for the U.S. 
Postal Service.\n    But I understand that we will hear where you believe \nimprovements can be made with the agency implementation and \nperhaps with the language itself, so we thank you for your \nprevious service to our country and for your willingness to be \nof service again here today.\n    You are recognized to proceed for the next half hour--no, I \nwill ask you to keep it fairly close to 5 minutes, but if you \nrun a little over that, it is not going to trouble anybody too \nmuch. So thanks so much for coming, and your entire statement \nwill be made part of the record.\n\nTESTIMONY OF HON. TOM DAVIS,\\1\\ FORMER U.S. REPRESENTATIVE FROM \n                     THE STATE OF VIRGINIA\n\n    Mr. Davis. Thank you, Chairman Carper. I really appreciate \nyour efforts to improve information security and I am grateful \nfor the opportunity to testify here today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Davis appears in the Appendix on \npage 36.\n---------------------------------------------------------------------------\n    For 14 years, I represented the 11th District of Virginia, \nthe home of the Internet. I would note for the record that I \nretired undefeated and unindicted.\n    Senator Carper. That is quite an accomplishment. \n[Laughter.]\n    Mr. Davis. I was also honored to serve as a member of the \nHouse Committee on Oversight and Government Reform, first as \nthe chairman of the District of Columbia Subcommittee, the \nleast sought after Subcommittee chairmanship in the House, then \nas chairman of the Technology and Procurement Policy \nSubcommittee, then 4 years as chairman and my last 2 years as \nthe ranking member. 
My Congressional service coincided with the \nproliferation of the Internet and the explosion of new \ncapabilities that came along for both the public and the \nprivate sector.\n    It was clear the revolution in interconnectivity had the \npotential to fundamentally change governmental operations and \nservice delivery. However, it also created a new form of \nvulnerability, one in which traditional protections of \ngeographic distance and physical strength were irrelevant.\n    For these reasons, I made information technology management \nand security a focus of my work in Congress. Federal agencies \nneeded to take this threat seriously and ensure proper \nprocedures and tools were in place to protect information \nsystems. Similarly, Congress needed a clear picture of the \ninformation security posture of the Federal Government in order \nto conduct effective oversight.\n    FISMA, which I championed in 2000 and 2002 and which had \nthe concurrence from this Committee, was intended to help \nprovide such a framework. FISMA required Federal agencies under \nthe direction of the Office of Management and Budget to create \na comprehensive risk-based approach to information security \nmanagement. It further requires annual IT security reviews, \nreporting, and remediation planning at Federal agencies. These \nrequirements were based on best practices, and in addition to \nsafeguarding information were intended to make security \nmanagement an integral part of an agency\'s operation.\n    At the time FISMA was enacted, no coordinated priority \nexisted to address the threat of cyber attacks. Technology was \nevolving rapidly. 
Rather than taking a prescriptive approach, \nwe believed agencies needed to walk before they could run, and \nputting procedures and protocols in place was an important \nfirst step in protecting government\'s critical infrastructure.\n    Since its enactment, FISMA has undoubtedly served to \nelevate the importance of information management and \ninformation security in government, and I am proud of the \nprogress we have made. That said, there is room for updates and \nimprovement, and your legislation, I think, is a very positive \nstep in that direction. It is time to really take FISMA to the \nnext level.\n    While I believe the requirements listed in FISMA would be \ncomponents of any sound information security plan, the need at \npresent is to operationalize its implementation. This would \ninvolve tools such as Red Team penetration tests. It would also \nrequire appropriate performance measures and, as the time \nbetween a penetration and detection, the time to deploy a \nsecurity patch once it has been released, and the time to \ncomplete a root cause analysis when a security breach does \noccur, I am pleased your language references both penetration \ntests and performance measures.\n    Three other key ingredients: Responsibility, Authority, and \nAccountability.\n    Chief Information Security Officers (CISOs), may be \nresponsible for overall information security planning, but they \ncan\'t be just the bad men when things go wrong. Responsibility \nfor an information security program permeates an organization, \nfrom the head of the agency to every employee. Most of the \nsecurity breaches that have grabbed headlines in recent years \naren\'t the result of some evil cyber genius but Federal \nemployees failing to adhere to basic security protocols--a lost \nlaptop, a stolen Blackberry, computers never returned when an \nemployee leaves an agency. 
These can result in the personal \ninformation of untold thousands being put at risk.\n    CISOs might have to come up with the protocols, but the \nrank and file have to adhere to them. As Congress looks at \ninformation security issues, it might be wise to consider \nuniform procedures, training, and penalties to reduce theft, \nloss, or other adverse events. I might add, in the private \nsector, training is very critical in these areas and it is \ndrummed into employees at every level.\n    Your language gives CISOs authority to development, \nimplement, and enforce security measures. That is important. \nThere also have to be consequences, good and bad, for failures \nand successes. That is one aspect of the accountability \ncomponent. The private sector provides some models. For \nexample, the payment card industry mandates compliance with \nstandards set by the PCI Security Standards Council. Failure to \nadhere to these standards results in a business losing the \nability to conduct transactions with payment cards. Now, that \nexact example isn\'t going to fit the Federal system, but we \nneed carrots and we need sticks that promote compliance and \npunish negligence.\n    Another aspect of accountability deals with funding. \nFederal Government spending has risen sharply in recent years, \nbut to what end? We have to link performance in this specific \ninstance, performance of information security products and \nservices, with spending decisions. Simply asking for more or \nproviding more isn\'t going to fix the problem, nor is it going \nto serve the interest of the American people.\n    In closing, I would like to reiterate my appreciation for \nthe work you are doing on information security. The information \nage is indeed a strange new world in which a mischievous \nteenager could be just as dangerous as a terrorist organization \nor malevolent government. 
I am committed to helping however I \ncan to make sure our Federal systems are up to the task and \nthat our oversight mechanisms are commensurate to the need, and \nI think your legislation is a good step forward. Thank you.\n    Senator Carper. Thank you very much, Congressman.\n    I don\'t know if you have ever done this, but one of the \nthings I have done for a number of years as a new Senator here, \nwhenever it is one of my colleagues\' birthdays, I actually call \nthem on the phone if we are not in session and just wish them a \nhappy birthday, track them down wherever they are, around the \ncountry or really around the world. Those are calls that I \nenjoy, and I think my colleagues do. I do the same thing with \nmembers of my staff, former members of my staff and just family \nand friends.\n    I don\'t know if this is true, but it is in my briefing \nnotes so it must be true--but I am told that today happens to \nbe the birthday of the Internet, and I was thinking about maybe \njust sending an e-mail out and seeing how well it can get \naround and cover as much of the Internet as we could---- \n[Laughter.]\n    But I understand that 40 years ago, I\'m told, in 1969, the \nfirst message was sent out on the Internet, and I understand \nthat the message also ended up crashing the Internet. \n[Laughter.]\n    So today\'s hearing is timely.\n    I would just ask, Congressman Davis, as one of the \nprincipal authors and Congressional overseers of the FISMA \nlegislation, you know all too well that there have been some \nsuccesses and some challenges since its adoption. For example, \nit seems that OMB has historically focused on agency compliance \nrather than on agency outcomes. 
And I must say, we are real \ngood at focusing on process and compliance rather than \noutcomes.\n    Arne Duncan was just in Delaware, the Secretary of \nEducation, and he spent a fair amount of time at the University \nof Delaware 2 days ago talking about the need for us in \neducation to focus not on process, but on outcomes. It turns \nout that is not just in education, but it is in this regard, as \nwell.\n    Could you take a few minutes maybe and explain to us where \nyou think there are opportunities to improve agency cyber \nsecurity? It seems like the sophistication of the attacks \ndramatically evolves every year. We just met with an agency \nhead in the current Administration who shared with us just how \nmany cyber attacks are occurring every day on his agency, on \nthe agency that he leads. It is alarming. But this training has \nled to a huge increase in the number of reported breaches by \nagencies.\n    As you know, I have been trying to lead the effort to \nreform FISMA and really strengthen it to make it the \nlegislation that I think you, as its principal author, hoped it \nwould be so that agencies focus their limited resources on \nimproving security rather than just producing the kind of \npaperwork that we see over here to my right.\n    Some of the improvements that we have been suggesting, such \nas continuous monitoring, seem like they make a lot of sense, \nand the best part of this idea is that it doesn\'t require a \nbill to be passed by Congress. However, the previous \nAdministration didn\'t seem all that interested in making any \nchanges to the current reporting structure, at least not during \ntheir final year. 
I think they just said, we will let the new \nfolks take care of that.\n    So that is a big way of leading me to this question, and I \nwould just ask, Congressman Davis, what are your thoughts on \nthis idea, and are there other opportunities that either us on \nthis Committee, Subcommittee, or the Administration should be \nlooking into?\n    Mr. Davis. Well, thank you. That is a pretty broad range, \nbut let me take a stab. Let me note first that in your second \npanel, you look at the State Department and what they have \ndone. This is an agency that has paid careful attention to not \njust compliance, but also operationally what to do, and I think \nyou are going to get some glimpse of some of the things that \ncan be done across other agencies when they give it the \nappropriate attention.\n    You know, it is hard to legislate priorities. It has really \ngot to come from the Executive Branch, because our managers \nhave so many different things to do, so many boxes to check, \nthat at the end of the day, they make everything a priority and \nnothing becomes a priority. And that is one of the \ndifficulties. This legislation will help, but if an \nadministration or an agency head doesn\'t buy into this, it is \ndifficult to make it really as operational as we would like it. \nAnybody can check a box. That is not hard to do. But making \nthis a priority--and you will hear in the next panel, I think, \nsome good ideas on this.\n    You can\'t just involve the heads of the agencies or the \nCISOs, as I have noted before. You need to get a buy-in at all \nlevels. This has to be part of what every employee does. It has \nto be drilled into them through training. They have to \nunderstand, anybody that deals with any entry point, any secure \nnetwork, that they have to really be on top of that 24 hours a \nday.\n    A lot of our problems result from just plain negligence, \npeople that didn\'t take this seriously. 
It wasn\'t drilled into \nthem as part of their jobs. It means everybody has to be \ntrained, that really, our whole systems are vulnerable at our \nweakest point, and our weakest point is any entry point, and \nfrankly, any employee.\n    I like the certification process you talk about in this \nbill. I like the idea that using the purchasing power of the \ngovernment to not just drive down costs, but you can get a \ncongruity of products that way. One of the difficulties in \ngovernment is we are so stovepiped. We have agencies even \nwithin agencies that aren\'t talking with each other. I think \nusing that purchasing power, maybe allowing the Group 70 \nSchedule in GSA to be utilized by States and locals--well, not \njust Group 70, the schedules for any cyber products to be \nincluded in that could be helpful in getting the same kind of \nproducts that everybody is using appropriately certified. There \nis just a lot of room here if we will make it a priority, and I \nthink you have included some of those in the bill.\n    Finally, the carrots and sticks are tough in government. \nHow do you reward? How do you punish the people that aren\'t \ndoing this? You can always do it through bonuses and you can do \nit through promotions and those kind of things, but that has to \ncome from management. It has to come from a buy-in from the \ntop.\n    And you are right. We banged our head in the previous \nAdministration trying to take this to a different level and get \ntheir interest in it. But what so often happens with \nadministrations, they have so many different things to do and \ndifferent agency heads, that without a lot of additional money, \nthis doesn\'t become the priority. They want to make sure that \nthey are advancing their mission and they will take a chance of \na cyber attack hoping it doesn\'t occur on their watch and spend \nthe money in other areas.\n    Senator Carper. 
I appreciate the kind words you have had to \nsay about the legislation we have reintroduced this year. If \nyou were on this side of the dais, where you sat for many \nyears, and had an opportunity to contribute to the legislation, \nto amend it, to make better what we have introduced, any \nthoughts of what you would do, or what you would have us do, to \nstrengthen it further?\n    Mr. Davis. I alluded to one part in my testimony and that \nis the fact that we are losing a lot of information and a lot \nof secure information just by employees and contractors \nmishandling this information, taking computers home. In the \ncase of the Veterans Administration, the employee that took \nthis home that had his computer stolen, it wasn\'t even \nencrypted. We have now changed that through protocols.\n    But we are still--we have lost Census information, we have \nlost hand-helds. We have people leaving with their computers \nfrom government and sensitive information and nobody has \nbothered to get it back. I think writing that into law would be \nvery helpful in terms of those kind of protections and making \nsure that at least we are not being careless about this. If we \nare going to get penetrated and hit, make them earn it. Don\'t \nmake it easy. And I think sometimes, as I said, any careless \nemployee can lose confidential information if it is not handled \nright. I think that ought to be written into this.\n    Senator Carper. Alright. Thank you.\n    I suspect you have been following the current debate about \nwhether there ought to be a cyber coordinator, which is \nsupposed to help prioritizing and align agency efforts. As you \nknow, FISMA clearly gives the responsibility for coordinating \nthe Federal Government\'s cyber security to OMB\'s Administrator \nfor E-Government. 
However, I am concerned that the people who
work in that office may not have the cyber security
qualifications that are needed or necessary to make sure that
agencies are cost-effectively securing their networks. In fact,
I am even more troubled that OMB has never asked, apparently,
how much money they spend on cyber security.
    What are your thoughts on the role of the E-Government
office in the larger cyber security discussion, and what do you
believe should be the role of that office in overseeing agency
cyber security?
    Mr. Davis. Well, you are going to hear from Vivek Kundra,
who is very able. He will have a perspective on that now,
having come to the Federal Government. He used to be with the
Commonwealth of Virginia, where he did an outstanding job. I am
glad the Administration has recognized his capability. So he
may have a little bit different perspective.
    But coming from the legislative perspective on this, I
think you are spot on. The E-Government is the head of that
area. It may not have expertise in this particular area. Even
more important, I think, is navigating the land mines of
getting a consistency across government in terms of how this is
going to be implemented.
    OMB, Homeland Security, I don't know how you want to pick
this. A Cyber Czar, though, or someone who has that particular
expertise and can navigate this so the Administration can get
everybody kind of marching to the same protocols, using the
same systems, instead of having it so stovepiped and
factionalized as it is now, is just a very important part of
solving this problem.
    Senator Carper. Alright. Thanks.
    Let me just follow up on that with another question that
relates to this. I understand that you have been briefed on
some of the benefits that the State Department has been able to
achieve with their new system. I was just wondering if there
were any risks associated with following that model.
Sometimes,
as a recovering governor, we used to say that what would work
in Delaware may not work in Virginia. It may not work in
Missouri. It may work in Texas, but it works in Delaware. But
in some cases, there is one model that will serve in a variety
of different States, and in this case, agencies. But I wonder
if there are any risks with following the model that they have
pursued at the State Department? What do you see are some----
    Mr. Davis. Well, I am not sure--first, I think State has
done just an outstanding job, and what they have done is they
have paid attention. They have taken the legislation seriously
and you have a dedicated cadre up there at the top that have
driven this.
    What works at State may not work at Commerce. It may not
work in intelligence. I am not probably smart enough to know
that. But the one thing State has shown us is that when you get
agency officials that take this seriously, they can make a huge
difference. And, of course, State has been vulnerable to a
number of attacks, which I think has heightened their awareness
of this. I hope it doesn't take cyber attacks in some of these
other agencies to get them to up their awareness--but it is
just a good model of how you have people sitting around a room
thinking about what are their possible vulnerabilities and
coming up with a program to combat that.
    Again, I don't know if I am qualified to talk about what
would work at different agencies and what the vulnerabilities
are, but that is just a good example. Their FISMA grade has
been excellent, not just because they checked the right boxes,
but because they have been operational in what they have done,
as well.
    Senator Carper. OK. One of the things we are trying to
encourage agencies to do more of is this notion of continuous
monitoring, rather than just taking a snapshot every 3 years,
but to focus on this and monitor every day.
Are there any
pitfalls with that that come to mind?
    Mr. Davis. Well, the one pitfall when you are not just
monitoring it but when you are testing these is you run into
the Freedom of Information Act (FOIA) situation. You don't want
everybody to know what your vulnerabilities are. I think you
need to keep a cap on that so that you can make the appropriate
corrections.
    The other thing I would add is there is a lot we can learn
from the private sector. The private sector has had to deal
with these issues even more than government, the banking
system, in particular, with the kind of penetrations that they
are getting, the hits they are getting. Opening up that
dialogue with the private sector is important to understand
what they have gone through and some of the innovations that
they have made. The difficulty comes in the FOIA laws. It comes
with antitrust. It comes from tort law and their ability to
share that information with us, and that is a dialogue, I
think, that needs to continue. But they can be a part. There is
a lot of expertise out there in the private sector we want to
harness and bring into government.
    Senator Carper. Two more questions and I am all done. In
the Federal Information Security Management Act (FISMA) bill
that you helped to create, the Inspectors General are required,
I believe it is annually, to evaluate whether agencies are
doing the kind of security that they say they are doing in this
regard. For example, the Inspectors General use paperwork from
the certification and accreditation process to evaluate whether
agency security is really effective.
    I understand that if all the agencies moved to an approach
like the one they have over at State, not much paperwork is
going to be produced. In fact, it seems to me that an Inspector
General could come at any time during the year, see whether the
agency's security is actually effective.
I don't know if this
is a question you would be prepared to answer, but do you think
that is true, and what should be the role of the IGs in this?
    Mr. Davis. Well, the IGs are independent. I mean, that is
the one reason that I think they are equipped to do this as
opposed to someone else who could be under the thumb of the
agency. You really want an independent to look at that. Now,
the IGs operate differently in different departments. They have
different burdens that they have to meet. But they bring an
independence to this which I think is critically important.
    Senator Carper. And finally, you served on the House
Committee on Oversight and Government Reform for, I think you
said, maybe 14 years, as Chairman for 6 years, as Ranking
Member for another 2 years, and during that time, you and I
were able to work together to identify a couple of potentially
wasteful practices in the Federal Government, and I think in
one or two cases, we actually made some positive changes.
    What do you see as the greatest opportunity for improving
the efficiency of cyber security spending in the Federal
Government?
    Mr. Davis. Well, I think contracting. All this really comes
down to contracting, and when it is done ad hoc in stovepipes
by different agencies, not sharing information, not building it
together, you get a lot of systems that, at the end of the day,
some are better than others. They don't talk to each other. It
has to get coordinated.
    One of the things I like about this bill is you use our
purchasing power together to drive those products and I think
that will bring it together much better than we have today. We
spend a lot of money. We don't always get what we want in
government contracting across the board. But in this particular
case, I think--I like your concepts that you have in this bill,
government using its power.
I think that will drive a congruity
of products that is absolutely necessary in this case to get
this solved.
    Senator Carper. Alright. Well, those are my questions. Some
of my colleagues who are waiting back in the anteroom until you
leave--no, they are not, but when some of my colleagues show
up, whether they show up or not, some of them are going to have
some questions that they would like to send along----
    Mr. Davis. You can always get them to me. We are happy to
respond. You have a great second panel, as well, and thanks for
allowing me to share my views.
    Senator Carper. It is great to see you. Thanks so much for
your previous service to our country, and not just for the
folks in Virginia, but also in Delaware and the other 48
States.
    Mr. Davis. Thank you.
    Senator Carper. Good luck. Take care.
    The second panel is welcome to approach the table and take
your seats. Gentlemen, welcome. It is good to see you all, and
thank you for taking the time to be with us today.
    I understand from Erik Hopkins, who has worked on this
legislation for a couple of years now, that we have on a dolly
up here some of the paperwork that kind of flows from--is it
just one agency? Not just from one agency, but from one system,
is that right, one system within one agency, their paperwork
from their certification and accreditations. If that is just
one system and one agency, I hate to think what would be the
case for the whole government.
    Be careful, Mr. Streufert. You are not going to have a
place to sit here very soon. Well, that gives us some idea.
That is a fair amount of paperwork. And again, that is one
system and one agency. We wouldn't be able to see you guys--you
probably wouldn't be able to get in the room--if we had all of
them gathered here today.
    Let me make some introductions to kick off our second
panel.
We are going to hear from Vivek Kundra, who was
appointed Federal Chief Information Officer of the United
States by President Obama in March of this year. We are glad to
see you are still able to sit up and take nourishment and to be
here with us today. You look none the worse for wear.
    As Congressman Davis mentioned earlier, prior to his taking
his current position, Mr. Kundra served in Mayor Fenty's
cabinet as the Chief Technology Officer for the District of
Columbia and in Governor Kaine's cabinet as Assistant Secretary
of Commerce and Technology for the Commonwealth of Virginia.
You are great to be here and we appreciate your service and
thank you for your presence.
    Our next witness is no stranger before our Subcommittee.
Mr. Wilshusen. He is the Director of Information Security
Issues at the Government Accountability Office. We are told
today by our chaplain, Chaplain Barry Black, Chaplain for the
U.S. Senate, he said the words that people most enjoy hearing
in their lives is the sound of their own name. Among the words
that they least like to hear are their own name mispronounced,
so we will try to get your names right. But I will say, none of
your parents made this easy for a guy like me. [Laughter.]
    So please bear with me. But I am told you have over 28
years of auditing, financial management, information systems
experience starting at the age of 12, and you have been at it
for quite a while. Before joining GAO in 1997, Mr. Wilshusen
held a variety of public and private sector positions, so we
thank you for coming back today.
    Our last witness is John Streufert. Your name doesn't look
like ``Stroy-fert,'' but it is, isn't it? I bet it has been
mispronounced once or twice, hasn't it?
    Mr. Streufert. Yes. Every day.
    Senator Carper. You are the Chief Information Security
Officer at the Department of State.
You are like our hero here
today, and we are here to celebrate what you have done and to
try to find out if it is something we can replicate in other
agencies.
    I am told that since starting your current job, you have
been recognized for outstanding leadership and improving cyber
security at both the Department of State and the U.S. Agency
for International Development (USAID). In fact, Mr. Streufert
was a recipient of the Distinguished Presidential Rank Award in
2004 for his work at USAID, and I understand that you will show
us once again how we can improve cyber security, so good for
you.
    With that having been said, we will turn to Mr. Kundra as
our first witness and ask you to proceed. Your statements will
be made part of the record, so feel free to summarize as you
wish. But you are recognized. Thank you.

    TESTIMONY OF VIVEK KUNDRA,\1\ FEDERAL CHIEF INFORMATION
     OFFICER, ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND
  INFORMATION TECHNOLOGY, U.S. OFFICE OF MANAGEMENT AND BUDGET

    Mr. Kundra. Good afternoon, Chairman Carper. Thank you for
the opportunity to testify on the Federal Information Security
Management Act and information security posture of the U.S.
Government.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Kundra appears in the Appendix on
page 39.
---------------------------------------------------------------------------
    Our Nation's security and economic prosperity depend on our
digital infrastructure. The President's Cyberspace Policy
Review stated that cyber security threats are some of the most
significant economic and national security challenges of the
21st Century.
    The groups of State and non-State actors that target U.S.
citizens, businesses, and Federal agencies are growing
exponentially.
Daily, there are millions of attempts to attack
open ports and vulnerable applications across our government.
    The Federal Government's current security posture does not
adequately confront the real-time threat factors that we face
on a daily basis. Hiring challenges, a focus on compliance, and
cumbersome reporting have inhibited effective cyber security
management. The Federal Information Security Management Act of
2002 raised awareness across the Federal Government regarding
information security, yet significant progress is essential
when it comes to execution.
    To advance the Federal Government's security posture, the
Administration is taking steps in key areas, such as human
capital management, performance management, cost analysis, and
risk management. For example, in the area of human capital
management, we expedited the hiring authority for up to 1,000
cyber security professionals across the Department of Homeland
Security. This will enable DHS to recruit skilled cyber
analysts, developers, and engineers to secure our country by
securing our Nation against cyber attacks.
    To enhance the performance monitoring, last week, we
actually launched CyberScope, an online platform for agencies
to submit security information that will allow us to analyze
and monitor the Federal Government's security posture in a
comprehensive manner. Prior to 2009, it took three full-time
employees to compile hundreds of spreadsheets that were e-
mailed to OMB by agencies in response to FISMA reporting
requirements. This laborious, unsecure process inhibited
insight into the security posture of the government.
The
threats we face change daily, yet our legacy reporting
processes have been tied to manual, annual, and quarterly
processes to evaluate how secure we are.
    The CyberScope platform will be leveraged to develop a
cyber security dashboard that will unlock the value of
agencies' submissions when it comes to FISMA reporting and also
the real-time posture across the Federal Government. Just as
the IT dashboard took us from a static, paper-based environment
to a dynamic, digital environment, the new cyber security
dashboard will provide the government with a real-time view of
threats facing us and our vulnerabilities.
    For example, the State Department is supplementing its
FISMA reporting with a risk-scoring program that you alluded to
that scans every computer and server connected to its network
at least 36 hours on multiple security factors. Rather than
just conducting certifications and accreditations every 3
years, continued monitoring must be the norm across the
government.
    To enable effective security cost analysis, we are asking
agencies for detailed security cost information for the first
time. We recognize that the best security is baked into the
systems and the architecture and investments that agencies are
making. Therefore, we see this as the beginning of the process
of obtaining relevant data. In the coming years, detailed cost
data combined with performance-based metrics will allow OMB and
agencies to effectively manage and make informed decisions when
it comes to risk.
    To better manage risk, OMB has established a task force
that was launched last month to develop forward-leaning metrics
and making sure that those metrics are actually focused on
outcomes rather than process. To solicit the best ideas, we
have reached out across the Federal community as well as the
private sector.
OMB plans to release the metrics for fiscal
year 2010 along with a road map of how we are going to move
from a culture of compliance to a culture of outcomes in the
first quarter of 2010. What gets measured gets done.
    The threats we face are numerous, evolving faster than our
cyber defenses, and they have the potential to do great harm to
our cyber infrastructure. From the launch of CyberScope to the
hiring of up to 1,000 new DHS cyber security experts, the
Administration is committed to strengthening our cyber defense.
A secure, trusted computing environment in the Federal
Government is the responsibility of everyone involved, from
agency heads to those charged with oversight. It entails
employees, contractors, and the American people all working
together.
    This will not be easy, nor will it occur overnight. Our
current actions represent important steps toward a strong cyber
defense and begin the shift from a culture of compliance to one
focused on real security to protect the digital infrastructure
that is so vital to our economic prosperity and national
security.
    Thank you for the opportunity to testify. I look forward to
your questions.
    Senator Carper. You bet. It is I who thank you.
    Mr. Wilshusen, please proceed. Thank you, and welcome back.

  TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION
  TECHNOLOGY SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY
                             OFFICE

    Mr. Wilshusen. Mr. Chairman, thank you for the opportunity
to participate in today's hearing on how agencies can establish
cost effective cyber defense.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr.
Wilshusen appears in the Appendix
on page 45.
---------------------------------------------------------------------------
    FISMA, which was enacted in 2002, was intended to provide a
comprehensive framework for ensuring the effectiveness of
security controls over information resources that support
Federal operations and assets. It also requires agencies and
OMB to annually report on the adequacy and effectiveness of
agency information security programs and compliance with the
provisions of the Act. To help meet these requirements, OMB
established a uniform set of information security measures that
all Federal agencies report on annually.
    Mr. Chairman, in light of questions about whether agencies
are measuring the right things in securing their systems, you
requested that GAO examine how organizations develop and use
metrics to assess the performance and effectiveness of their
information security activities. In a report being released
today, we describe the key types and attributes of information
security performance measures and the practices of leading
organizations in developing and using them, and compare those
measures and practices with those used by 24 major Federal
agencies and OMB.
    Leading organizations and experts identified measures that
generally fell into three major types: Compliance, control
effectiveness, and program impact. They stressed the importance
of developing and using different types of measures to ensure
the measurement process is comprehensive and useful in
achieving their information security goals. They also reported
that all such measures generally have certain characteristics
or attributes.
These attributes include being measurable,
meaningful, repeatable, and actionable.
    Further, these organizations and experts indicated that the
successful development of measures depends on adherence to a
number of key practices, including focusing on risks, involving
stakeholders, assigning accountability for measures, and
linking them to business goals.
    Mr. Chairman, we have determined that Federal agencies have
not always followed these key practices. While agencies have
developed measures that generally fall into each of the three
major types, on balance, they rely primarily on compliance
measures, which have a limited ability to gauge program
effectiveness. Agencies stated that, for the most part, they
predominately collected measures on compliance because they
were focused on measures associated with OMB's FISMA reporting
requirements.
    In addition, while most agencies have developed some
measures that include the four key attributes identified by
leading organizations, these attributes were not always present
in all agency measures. Further, agencies have not consistently
followed key practices in developing measures, such as focusing
on risks.
    Last, the measures established by OMB for FISMA reporting
purposes are primarily compliance-based. They focus on whether
control activity was implemented, not how well or how
effectively that control was implemented. Consequently, OMB's
report to Congress provides limited information about the
effectiveness of agencies' information security programs and
the security posture of the Federal Government.
    In our report, we recommended that OMB provide direction
and guidance to agencies in developing and using measures that
better address the effectiveness of their information security
programs.
We also recommended that OMB revise its annual FISMA
reporting guidance to require reporting on a balanced set of
performance measures, including measures that focus on
effectiveness of control activities and program impact, and to
revise its annual report to Congress to better provide
information on the effectiveness of agency security programs,
the extent to which major risks are being addressed, and
progress that has been made in improving the security posture
of the Federal Government.
    OMB has generally agreed with our recommendations.
Implementing these recommendations will help to focus attention
on activities that will enhance the effectiveness of security
controls and improve the cyber defense of Federal computer
systems and information.
    Mr. Chairman, this concludes my statement. I would be happy
to respond to any questions that you may have.
    Senator Carper. Good. Thank you so much. Mr. Streufert, you
are number four.

  TESTIMONY OF JOHN STREUFERT,\1\ CHIEF INFORMATION SECURITY
 OFFICER AND DEPUTY CHIEF INFORMATION OFFICER FOR INFORMATION
   SECURITY, BUREAU OF INFORMATION RESOURCE MANAGEMENT, U.S.
                      DEPARTMENT OF STATE

    Mr. Streufert. Good afternoon, Chairman Carper. I am
pleased to have this opportunity to testify before the
Subcommittee regarding the Department of State's capabilities
for securing its global information and technology
infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Streufert appears in the Appendix
on page 51.
---------------------------------------------------------------------------
    The Department serves as the diplomatic front line in over
270 overseas posts by serving its 70,000 users with the
Worldwide Network and mission essential software applications.
The foreign policy mission makes an inviting target for attack
by highly-skilled cyber adversaries. However, the Department's
layered approach to risk management allows multiple levels of
protection.
    In my role as the Chief Information Security Officer, I
have become intimately familiar with the benefits,
shortcomings, and promising opportunities to build upon the
current Federal Information Security Management Act of 2002.
Our goal is to ensure system security for diplomacy while
continuously improving the return on investment for each dollar
spent.
    The passage of FISMA served as a game-changing event for
the Federal agency community. FISMA applies to all information
used on behalf of Federal departments and agencies on behalf of
American citizens. It established a holistic information
security program and also the responsibility of accounting to
oversight entities, including Congress. Together, these served
as valuable checks in determining the health of an agency's
information security program.
    However, the Federal cyber landscape has changed in the
past 5 years. The implementation of Federal cyber security has
been typically undertaken through manual processes and
compliance checks, like in conducting an annual inventory of
systems, testing security not less than annually, reporting
quarterly on weaknesses to OMB and performing certification and
accreditation studies every 3 years.
    Our cyber problems, though, have dramatically escalated in
severity and frequency. In a typical week, the Department of
State blocks 3.5 million spam e-mail and intercepts 4,500
viruses and detects over a million external probes to our
network. Of that number, in the past 2 years, the percentage of
malicious code attacks recorded at the Department of State on
trouble tickets has jumped from 38 percent in the year ending
August 2008 to 79 percent just 12 months later for that same
period.
The volatility of changes to security-sensitive changes
has been equally problematic.
    Ongoing demands for certification and accreditation studies
similar to this single system that I have shown the
documentation for here, amounted over 6 years to the
expenditure of $133 million, amassing a total of 50 shelf feet,
or 95,000 pages for just the 150 major information systems that
we were monitoring to this degree. This does not include the
databases for tracking system inventory or tracking the plans
of action and milestones to resolve the pending weaknesses.
This equates to the cost of the CSA report, not including the
related products, like the security plans, of roughly $1,400
per page.
    And indeed, if there is any particular problem with this,
it is not the content of the report, it is the fact that you
could get a false sense of security that these snapshots
produce results on paper that are extraordinarily accurate but
out of date within days of being published, in fact, perhaps
out of date even in the time that it took to print these 2,000
pages.
    In contrast, this month, the Office of Management and
Budget launched CyberScope, a secure streamlined interactive
data collection platform far more efficient in allowing and
also allowing research and analysis across Federal agencies.
The U.S. Chief Information Officer has similarly and in support
of this formed an interagency task force charged with
developing outcome-focused metrics for information security
performance by all Federal agencies and departments, including
the Department of State.
Final metrics based on this work are
expected to be released later this fiscal year.
    For its part, the Department began supplementing its FISMA
compliance reports and studies with a risk scoring program that
scanned every computer and server connected to its network not
less than every 36 hours on eight factors and twice a month for
safe configurations with software. This risk scoring program
utilizes best practices, such as the Consensus Audit
Guidelines, which was a collaborative effort between government
and industry.
    To assess the vulnerabilities, we use the Common
Vulnerability Scoring System of the National Institute of
Standards and Technology and the Department of Homeland
Security, where scanning tools tag specific risks with point
values between zero and 10, with 10 being the highest
vulnerability. When the problem is resolved in this method,
risk points are deducted and a better score comes to the
technical team and organizations. This computation occurs no
matter where they are located across the world.
    Since mid-July, overall risk on the Department's key
unclassified network, measured by the Risk Scoring Program, has
been reduced by 90 percent in overseas sites and 89 percent at
domestic sites, as the chart indicates.\1\ These methods have
allowed one critical piece of the Department's information
security program to move from snapshots in time to a program
that scans for weaknesses continually, identifies weak
configurations each 15 days, recalculates the most important
problems to fix in priority order on a daily basis, and issues
letter grades of A-plus through F monthly to managers so that
accountability for progress can be taken for every organization
as experience has indicated for them over the past 30 days.
The
various score reports tabulate risk scores by region, compare
progress overseas to our domestic sites, and create
enterprise-wide summaries for senior management.
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
    In short, these details empower administrators with
targeted daily attention to conduct remediation and offer
summaries to empower experts to our executives to oversee the
most serious problems.
    Mr. Chairman, I want to conclude by emphasizing that the
Department's policies, technologies, business processes, and
partnerships in place continue to evolve and continue to meet
the challenges as the threats change in the cyberspace
environment. I thank you and the Subcommittee for this
opportunity to speak before you today and would be pleased to
respond to any of your questions.
    Senator Carper. Thanks, Mr. Streufert, for that testimony.
Thanks for being a good role model over at the State Department
and USAID for the rest of us.
    I just want to start with this chart,\1\ and it looks like
a reduced risk of cyber vulnerabilities, about 89 percent at
the State Department headquarters from July 2008 to July 2009,
and 90 percent abroad. Did you anticipate this kind of progress
in a year when you were getting into this? Did you anticipate
this kind of a record of achievement?
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
    Mr. Streufert.
At the Agency for International Development
(AID), we had a similar progress, a two-thirds reduction in a
6-month period, so we had a feeling that it was possible but
had not yet tested this on the scale of an organization the
size of the State Department. We were certainly very pleased,
and at that point, we began discussing what had been found with
our colleagues.
    Senator Carper. You mentioned this in your testimony. I
want you to go back. Kind of walk us through again why were you
so successful at the State Department and at AID before that?
What were the key elements again, please?
    Mr. Streufert. This is an instance where support
beneficially comes from many parts of the organization. It
begins, as Congressman Davis indicated, with strong support at
the top, and I am pleased to say that the senior leadership of
the State Department has been very supportive at each step on
the way.
    Senator Carper. When you say senior, how senior? What are
we talking about?
    Mr. Streufert. Under Secretary for Management Patrick
Kennedy, and he has assembled an E-Government Oversight Board
for the Department of State. I have been able to speak on
progress before this group twice in the last year. So there has
been strong involvement from the top of the organization.
    The next beneficial thing that one needs is the
coordination and----
    Senator Carper. Why do you suppose the folks at the top
were so supportive?
    Mr. Streufert. Well, we understand that strong information
security is essential for our mission. We are spread in 24 time
zones. The ability to send and receive information in support
of American citizens services, and in support of the passport
and visa process are vital to our mission. We understand that
we depend on the information systems, and therefore the
security related to them.
    Senator Carper. OK.
Other than support at the top, what
were the other key elements in your success?
    Mr. Streufert. We brought together a coalition of 11
different organizations inside the State Department that worked
on technology matters, and that set the template where we could
begin our regular scanning. And after that point, when we
deployed the system, the fact that the individuals at each of
the embassies and consulates and headquarters organizations
could understand exactly what they needed to fix, it was of
substantial benefit to them to get some of the positive
reductions in risk points that the chart and our experience
indicate.
    Senator Carper. Now, talk to us about other agencies being
able to replicate the success that you enjoyed at the State
Department. Other than cloning you, moving the agency heads
from State over to--cloning them and moving them into the other
agencies, how transferable is this to other agencies? What do
you think might transfer and what might not?
    Mr. Streufert. One item that we always mention in
discussion with other cabinet departments is that we used
information that was already being collected in our
organization for other purposes, including producing the
certification and accreditation reports. Eighty percent of the
information, as an example, was an outgrowth of what we needed
to manage our servers and personal computers already. So it was
simply a question of lifting that data up and out of where it
was at the local level and then putting it in the security
warehouse.
Once there, our dashboard calculates grades and
shows the most serious problems that need to be worked on.
    Since many of the other parts of the Federal Government
have this software, the primary things to work on are assuring
that all of the networks are connected and that they have the
support structures in place in order to put the security
information out to the managers who want to make the changes.
And I should hasten to add, the progress at the State
Department came from thousands of individuals that were working
every day on their most serious problems, and that is where the
progress indeed came from.
    Senator Carper. Let me ask, first, Mr. Kundra, and then Mr.
Wilshusen about replicating this kind of success. How do we go
about doing that? In fact, it may be something you have already
begun. I don't know.
    Mr. Kundra. Yes. We started talking about this back in
April, and within the Federal CIO Council, Susan Swart, who is
the CIO at the State Department, has been sharing this approach
with our colleagues. But if you look at what we are doing
across the Federal Government, CyberScope is the first step in
that direction in terms of if you looked at the previous
approach, it was manual, it was based on a lot of paperwork and
didn't really produce meaningful insight where we could slice
and dice information across the Federal Government so we could
compare what was happening at Health and Human Services versus
State versus DOD versus Department of Energy. The first step is
to make sure that we are getting data and information so we
could get meaningful insight.
    The second part of that, which is the task force that we
are spending a lot of energy and we would love to share the
metrics with you and get feedback from the Congress at the end
of November, and these metrics are essentially going to be
focused on game changing ways where we can address real
security.
So not necessarily asking the question, do you have a
patch management program, but getting to the point which is how
long does it take you to actually patch those systems.
    And thinking about the Red Teams, it is not enough to just
say we have this file room that you pointed to. I talk about
how the files you see in that room are actually far more secure
than the very systems they are supposed to protect. So how do
we get Red Teams to validate that the information that is out
there, we are testing it against what we know in terms of
agencies and it makes it really difficult right now across the
Federal Government to spot patterns. So if we see a threat
vector that may start at the State Department, how do we know
we don't have the same threat vector at Health and Human
Services?
    So we are in the early phases in terms of deploying a
Federal Government-wide approach. But the key here, as
Congressman Davis said, is to move away from this culture of
compliance and really move towards execution. How do we get
these things done and how do we apply some of these
methodologies? And I know that DHS and the National Institute
of Standards and Technology (NIST) are actually working with
the State Department to think through how this can be scaled
across other Federal agencies.
    Senator Carper. Mr. Wilshusen, same question in terms of
replicability. What do you think we ought to be able to
replicate and why not?
    Mr. Wilshusen. Well, I had the privilege of Mr. Streufert
giving me a presentation of his system last week, and so I
can't really attest to the accuracy of the data that he
presents, but a couple of things----
    Senator Carper. Would you say that the accuracy is probably
pretty skeptical?
    Mr. Wilshusen. Well, I just don't have data or evidence to
show that it is accurate. I can't say one way or the other.
We
just haven't done the tests on that.
    But what his system shows is a lot of promise. With regard
to replicability, one of the key aspects that it relies upon is
the ability to have automated tools in place that have the
capability to reach, touch, and then scan each of the devices
that are covered under this particular system. Now, the
Department of State has, according to their system, about
30,000 devices that are covered by this particular system.
    It does at the present, as I understand it, cover Windows
workstations and servers. And so presumably, it might be able
to be replicated at other agencies to address those particular
servers if those other agencies allow a central point to be
able to go out and reach all those devices throughout the
entire organization, and that may or may not be the case. I
just don't know.
    Senator Carper. Erik Hopkins, sitting right behind me, just
handed me a note that says, ``Agencies are making the decision
right now to spend another $1.3 billion to produce the
paperwork we see here. Is there anything we can do about
that?'' It is a pretty good question.
    Mr. Wilshusen. It is, indeed. Certainly, as you know, FISMA
requires that agencies implement cost-effective solutions to
mitigate their risks, and one has to make the assessment, is
spending this amount of money on preparing presumably the
certification and accreditation documents appropriate?
    If it is just to prepare paperwork, that is not really
cost-effective--the agency would not be receiving the true
value of the execution of the underlying processes that are
represented by that paperwork. Primarily, are they assessing
the risks? Are they developing and documenting controls that
mitigate those risks? And then are they providing the training
to staff, to implement those controls, testing and evaluating
those controls to make sure that they are operating as intended
and are effective?
And then remediating deficiencies as those
become known?
    Those are all activities that are required under FISMA with
regard to agencies' information security programs and some of
the activities that are required in order to go through the
certification and accreditation process. So if the process is
just to check off boxes on paperwork, then that is not very
useful. The important part is that the agencies are effectively
performing these processes in order to implement controls that
effectively protect their systems.
    Senator Carper. Mr. Kundra.
    Mr. Kundra. If I can add to that, I want to make sure as we
look at the paperwork that we are seeing here in systems that
the State Department is talking about and other agencies, I
agree in terms of the fact that the pendulum has definitely
swung too much towards a paperwork exercise. But I also want to
caution that some of these systems have very sensitive
information regarding the personal information of the American
people, Social Security numbers, and the processes conducted on
these systems are also very sensitive.
    So although I recognize that there is a lot of paperwork
here, it is very important to make sure that this is also a
process that ensures accountability for the business owners in
terms of making sure that before a system goes online, have
they done a risk assessment? Have they thought about all the
risks? Do they have the right controls in place in terms of
running the system?
Have they made sure that they have back-ups
and thought through the processes required to connect this to
other systems?
    But what has happened, unfortunately, is a lot of agencies
are also treating this as a paperwork exercise rather than
saying, look, just like if an airplane were to take off, the
first flight, you would go through a number of checks, but
after it takes off, you need to make sure that you are
monitoring all the dials and the gauges to understand where you
are in the air. What has happened is, unfortunately, a lot of
agencies are substituting and are looking at these processes as
a 3-year exercise rather than saying, what do we do on an
ongoing basis after the system goes live? What do we do to make
sure that we are monitoring risk on a real-time basis?
    Senator Carper. Alright. Mr. Wilshusen, did you want to add
anything else?
    Mr. Wilshusen. Yes, I did. I would just echo what Mr.
Kundra mentioned is the fact that it is critical that agencies
provide a monitoring capability and test and evaluate the
effectiveness of their controls on a regular, current basis,
because the threats change, the vulnerabilities change daily.
Waiting every 3 years at specific points in time is not
adequately addressing those risks and threats. That is one of
the benefits of what Mr. Streufert has done at the Department
of State. As he mentioned, he is scanning his systems every 2
weeks to look for certain weaknesses and configuration changes
and that is an important control.
    Senator Carper. When there is a penetration, sometimes
whoever the penetrator is leaves a back door to allow somebody
to come back in later on and create mischief. In a case where
that has happened, they have left a back door open. How would
your continuous monitoring and updating at the State Department
solve that problem, Mr. Streufert?
    Mr. Streufert.
This is a very critical question in
Congressman Davis's testimony as well as your own. The problem
is that there are back doors and then the action step of
deploying the Red Teams that do penetration tests trying to
break into the systems. We believe this concern and the
practice of penetration tests is so good and worth continuing
all across the government and expanding it, as your bill
indicates, is that when we did this at the State Department, we
found that 80 percent of the successful attacks which were
modeled in the penetration test were ethical hacking, as it is
called. We invite people to break in, though a surprise to us,
but with our understanding that it would be done. Eighty
percent of the successful attacks were based on known
vulnerabilities.
    Senator Carper. Known to whom?
    Mr. Streufert. Known to the National Institute of Standards
in this National Vulnerability Database that we use for
scoring. And so we know those problems are there. I would liken
it unto a burglar that can kick through a screen door to get
into a system and cause mischief, and once inside, what the
penetration tests show is that known vulnerabilities and weak
configurations, both referenced by Mr. Wilshusen in his
remarks, can allow lateral movement inside the networks.
    So it is not that we will be able to prevent every attack.
It is that the higher that the risk score is by these methods
the National Institute of Standards and DHS have provided to
us, the more likely that we will be exposed to a very easy
attack. If it is within our control to change, and, in fact, we
prove that it is possible at the Department of State over a
period of just 12 months to have a significant effect, we
should do it as part of our responsibilities of protecting the
systems of the government.
    Senator Carper. Alright. Thank you.
    Mr. Wilshusen.
This is consistent with the results of our
audits that we conduct at various different Federal agencies in
that we often find deficiencies that are related to unpatched
systems and other known vulnerabilities that have not been
corrected by the agencies. There have been a number of other
reports by private organizations that have consistently
reported that many successful attacks are based upon known
vulnerabilities for which patches have been available, some for
6 months or more. And so it is imperative that agencies take
appropriate steps to immediately address those vulnerabilities
and mitigate them before they can be exploited.
    Senator Carper. Alright. Thank you.
    I should have asked this question sooner, but I didn't. I
will go back to it now. Something that you said, Mr. Streufert,
kind of triggered this for me. When you look back to
Congressman Davis's presentation, some of the comments that he
made, is there anything there that you would want to go back
and kind of underline as especially important and noteworthy,
or something maybe you disagreed with?
    Mr. Kundra. I think the approach of Red Teams, essentially
making sure that the government is focused on constantly trying
to find and penetrating our national infrastructure so that we
can get ahead of some of these threats, recognizing that if we
take an offense when it comes to our defense, we will be in a
much better situation than just having a strategy that focuses
on defense.
    Senator Carper. OK. Mr. Wilshusen.
    Mr. Wilshusen. I would agree with Mr. Kundra's remarks. I
would also agree with Mr. Davis's remarks related to having an
independent evaluation of agencies' information security
programs and that it is essential to have IGs be able to
examine and review the controls in the programs at their
particular agency.
Having an independent evaluation is
critical, and in my mind, there are opportunities to improve
the effectiveness of those evaluations by assuring that they
are being performed in accordance with Generally Accepted
Government Auditing Standards and that they do, in fact,
include testing of the systems on a regular, frequent basis.
    Senator Carper. OK. In other discussions we have had on the
issue of cyber security attacks and being ready for them and
being able to deter them or turn them back, some of the experts
we talk with have suggested that we simply need to do a better
job in contracting to make sure that the systems that we are
buying as a government, whether it is by agency or Federal
Government-wide, that they are better technology, just better
able by virtue of the way they are made and provided to the
agency to turn back attacks. I wonder to what extent did that
play a role in the State Department in terms of replicating, if
there are any lessons that we can take from that for the rest
of our government.
    Mr. Streufert. I think that there are many ways that the
acquisition process could support this effort, and as we are
just in the beginning of the continuous monitoring phase of our
security programs in the government, we would want to take note
and try to get it right the first time.
    One thing that the Department of State has already begun
implementing is the idea of associate contractor agreements
when we go out and compete our technical services work. This
idea was first employed in the Department of Defense with the
B-1B bomber, and the idea was that it was functionally
necessary for that airplane to hire many different contractors
that did the different parts of the airplane.
But the question
was, would they be invited to work together, and so a clause
with associate contractor agreements was placed in the overall
contract and all of the subcontractors that they would work
together. We believe that this is one of the factors at the
State Department that, over time, we will be able to improve by
making awards and asking the contractors to work together.
    The second element under acquisition, the 20 most important
controls or consensus audit guidelines, is a view that many key
government and industry professionals in the security field
believe that we need tools around each of the 15 of the 20
categories that are susceptible to automated verification at
the State Department. Our programs currently only implement
about four or five of the 15 areas that are under the
continuous evaluation and grading program. So if we awarded a
contract that had multiple providers for those 15 tools, then
the most compelling and innovative ways that industry would
give to the government would be regularly refreshed. So I think
a multiple-award contract would be very helpful.
    Senator Carper. Mr. Kundra.
    Mr. Kundra.
The other area I would like to add is as we
think about the public-private partnership, it is very
important to recognize that we need to approach cyber security
from an ecosystem perspective, thinking about what technologies
are we buying, how are we buying them, and what are the default
settings in a lot of the software and hardware that we procure.
    An example would be what we are doing with Microsoft in
terms of an operating system strategy, which is that if you
look at a Federal desktop core configuration, by fundamentally
changing the default settings, because most software companies
are going to design software and operating systems and have the
default settings so they are extremely easy to use, yet from a
public sector perspective, there are a lot of things that we
need to change to make sure that we are leaning towards greater
security to protect the privacy and security of the American
people.
    So through this strategy, we have partnered with Microsoft
and we actually create a model configuration that prevents a
majority of the attack vectors that are out there. And
especially as we move towards a new platform with Windows 7, we
are working closely with Microsoft through NIST and DOD to make
sure that their core configuration is a secure one before we
even deploy it across the Federal Government.
    Senator Carper. Alright. Thank you. Mr. Wilshusen.
    Mr. Wilshusen. I would just like to add that the U.S.
Government spends about $70 billion a year on IT products and
services. I think that is the correct number. So there is a
certain leverage that the Federal Government has when it
procures these products and services to require certain minimum
security requirements.
Certainly that will help potentially
enhance the security features on products that it buys and that
could also apply to other marketplaces, as well.
    Having standard settings and standard requirements can also
potentially lead to cost savings, as well. One of the benefits
that we looked at when we had our review on Federal encryption
efforts was the Smart Buy program over at GSA in which agencies
were able to buy cost-effective encryption technologies at
almost pennies on the dollar, not quite, but at a huge cost
savings because they were able to take advantage of volume
discounts. So there are advantages to leveraging the Federal
procurement dollar and its acquisition policies.
    Senator Carper. In a day and age when we have seen in the
first 8 years of this decade, we literally doubled our Nation's
debt, we ran it up by another $1.4 trillion last year, and
likely even more this year, every time we can save some pennies
on the dollar, that is good. It sounds like in this case it is
quarters on the dollar, which is even better.
    A couple more questions and then we will wrap it up. This
would be a question really for the entire panel. In the current
FISMA legislation that we have drafted, Inspectors General must
evaluate whether agencies are securing their systems like they
say that they are securing them. That means that agencies are
spending $1.3 billion to produce the paperwork that the IGs use
to evaluate agency effectiveness. IGs then must spend even more
time and more money, perhaps another $1 billion or so, to see
whether the paperwork was accurate. So the government ends up
spending maybe over $2 billion, maybe it is $2.3 billion or so,
on a process that is basically flawed. It doesn't make a lot of
sense to me, and I don't think to others, as well.
    Could each of you just take a couple of moments and tell us
what you think the role of the IG should be in cyber security?
And maybe better yet, how do we make the partnership between an
agency and that agency's IG more proactive, more collaborative,
so that we aren't wasting or they aren't wasting so much money?
Do you want to go first, Mr. Streufert?
    Mr. Streufert. Yes, Senator Carper. This is a key question.
The first thing we might say is that these products in the
three-ring binders here, a systems security plan, a contingency
plan, testing plans, test results, these are all important
things to do. What the finding of the State Department is, that
with the modern tools that are increasingly available since
FISMA was put into law, we can do that 72 times more frequently
than the 3-year standard of producing these binders.
    So the first thing to say is that as we look at the
possibility for continuous monitoring, the discussions between
the departments and the OIGs could be on data that was as fresh
as 15 days old, as opposed to what I will have to do unless
there is an adjustment. It will take me a full 8 months to
produce these 2,000 pages for the third time when I know that
many elements of that data I am already collecting every 2 to
15 days.
    I would say that our conversations with the OIG would be
stronger if we had common measuring sticks for security, not
just in the vulnerability area, which we have already done very
well, but many other parts of our security program. And if we
had an agreement between the parties that managed the security
program of what were the criteria for evaluation in advance,
not just within an individual cabinet department but across the
entire government, we would be able to compare the relative
security between one cabinet department or agency and another.
    I think the worst mistake of all we could make, even though
the dramatic nature of some of our expenditures of C&As, is to
make the mistake of doing less than we are currently doing.
So
notwithstanding, I would be the first person to say that we
should try to use automated means rather than paper. We want to
make sure before we set aside the paper methods that we would
do our very best to make sure we have a stronger system than
the one that we just left behind.
    Senator Carper. Mr. Wilshusen.
    Mr. Wilshusen. And I would also agree to a large extent
with what Mr. Streufert said, in that many of these documents
that are being prepared are not being prepared just for the
benefit of the auditor, but, in fact, are being prepared in
order to adequately protect the systems that are being covered
by those documents.
    Now, having said that, certainly auditors have a
responsibility to review the effectiveness of security
controls, and that includes testing a subset of systems. In our
examinations, while we do look at certain documents that are
the products or byproducts and artifacts of agency processes,
we are also looking at how systems are actually configured and
testing the effectiveness of those controls. So it is more than
just reviewing documents. It is actually doing a more in-depth
review, and that is what IGs are doing and should be doing, as
well, in addition to reviewing some of the artifacts that are
generated from agency security processes.
    Senator Carper. Alright. Mr. Kundra, you get the last word
on this question, and then I have one more separate question
for you and we will call it a day.
    Mr. Kundra. I think it is impossible to confront a real-time
threat, such as cyber warfare or adversaries and State
actors and organized crime that are actively trying to hack
into our systems, with a process that is built around annual
reporting, quarterly reporting, or whether you do it on a
monthly basis.
What needs to happen in terms of the
relationship between the IGs and the CIOs is that they need to
have greater transparency into the same data and moving toward
a real-time platform so they could both see what is happening
on a real-time basis and constructively move the security
posture of the U.S. Government rather than relying on reports
that are created.
    By the time that report is printed and handed over to the
IG, there is already a new threat factor that is created on a
real-time basis. The velocity at which these threats come and
the frequency cannot be addressed with a filing cabinet like
this.
    Senator Carper. Good point. Thank you.
    And the last question, I think I will direct it just to Mr.
Kundra unless other panelists think he mis-answers the
question, then you can correct him. In your current position,
how do you like what you are doing? Are you enjoying it? Is it
challenging? Do you ever get to go home at night?
    Mr. Kundra. It is great. Very little sleep, but it is an
enormous opportunity to serve the country and to advance the
President's technology agenda.
    Senator Carper. Alright. Good. In your current position, I
think you are maybe the person responsible for overseeing the
effectiveness of our Federal Government's cyber defense, and
that is a government, as we know, that is composed of hundreds,
maybe thousands of different systems. I am told that you have
relatively few, if any, cyber security experts that work for
you and I find that of concern, maybe even troubling.
    But I find it even more troubling that OMB, which is known
for their budget prowess, has never asked for a detailed
accounting of what an agency spends on cyber security. I don't
know if that is true, but if it is true, why do you think it
has been the case? Why hasn't OMB, as far as I know, ever said,
well, what are you all spending for cyber security?
And to
follow up, if that is true, are you going to do anything to
correct that situation?
    Mr. Kundra. Sure. So that was actually one of the most
shocking things when we tried to do analysis as far as cyber
security was concerned. One was that the information that was
being submitted to OMB was being submitted in these
spreadsheets, hundreds of spreadsheets that were being mailed
in.
    Two was, from a cost perspective, what was being collected
was aggregate security information. So what we did immediately
is for the 2009 report, we are getting to the detailed cost
allocation when it comes to information security, so we know
where is the government spending when it comes to products,
human capital, and specifically computer network attacks
(CNAs). And unfortunately, with a lack of that information,
what we aren't able to do is effective comparative analysis
between one agency and another, and more importantly, a deeper
understanding of how do our investments line up with our
vulnerabilities and where do we need to make those appropriate
investments.
    But we are working very closely with DHS and the U.S.
Computer Emergency Readiness Team (US-CERT) specifically, and
as part of the FISMA reporting requirements in CyberScope, we
are going to be collecting all that data.
    Senator Carper. If you will all just bear with me for one
moment, please.
    [Pause.]
    Senator Carper. I know I said the last question was the
last question. I am going to try to squeeze one more in here
before we let you go. Again, this is for Mr. Kundra, and if
others want to chime in, go ahead.
    I think OMB has the ability to ask agencies if they would
follow a model similar to that of the Department of State. Do
you think that conducting a pilot, or maybe having a number of
agencies basically say, we want you to follow something
similar, do you think that is a good idea?
Maybe it is
something you have given some thought to, or maybe you are
planning on doing it, or maybe you don't think it is a good
idea, but would you just think out loud for us on that?
    Mr. Kundra. Sure. I actually think it is a great idea. That
is one of the reasons the State Department is actually talking
to the Veterans Administration. It is making the tool, the
software actually available to NIST and DHS, also, to figure
out how can that be scaled, recognizing that across Federal
agencies, HHS is going to have a very different environment.
But what is going to be common is they all have desktops,
certain network infrastructure, from routers to switches, and
figuring out how can we make sure that we are not duplicatively
spending money and creating new tools if we can leverage best
practices across a Federal Government.
    From an OMB perspective, it is very important for us to get
the threat matrix across the entire Federal Government. So how
do we roll up this information at a DHS level so we get a real-time
posture from a security perspective?
    Senator Carper. OK. Do you all want to comment at all on
what Mr. Kundra said? You don't have to, but if you would like
to, you are welcome to do so. Did he do OK?
    Mr. Streufert. Yes. We very much appreciate the leadership
of Mr. Kundra and OMB on the issues of CyberScope to make our
reporting more efficient, and his very early willingness to
look at issues like dashboards. I think that our collective
commitment should be to one of continuous improvement. The
State Department has some ideas on this and we have worked on
it some. We want to share that with others.
But I believe what
will happen is Vivek invites, and he already has done so,
conversations more widely in government that good ideas will
come from all of the cabinet departments that we will be well
served to fold in and come up with the strongest possible
product as a government together.
    Senator Carper. OK. I think we will wrap it up at this
point. I have another hearing that started at 9:30 this morning
that is still going on on climate change legislation. It will
be a full day.
    A couple of thank yous. One to Mr. Streufert, to you and
your colleagues. I know you said it is not just you, there are
a lot of people involved at the State Department that are
responsible for the progress that is being made there and for
the example that you are able to provide for other Federal
agencies. But thank you for your leadership, and our
commendation is to you and to your colleagues. As we used to
say in the Navy, Bravo Zulu.
    I want to thank Mr. Wilshusen for the report that we
received from you and your colleagues on cyber security
metrics. It is one I requested, I believe last year, but thanks
for that report.
    And Mr. Kundra, thank you for taking on this responsibility
and giving it 110 percent, maybe more than that.
    We are going to stay on this. We are going to push forward
on the legislation and get it enacted if we can. I know the
Chairman and Ranking Member of the full Committee on Homeland
Security and Governmental Affairs are interested in passing
even more comprehensive legislation on cyber security, and
there is some discussion of folding our piece into that, or
maybe moving what we are doing on its own if we want to try to
get it out there and moving along.
    But thank you for helping inform our legislative path just
a little bit better today. I would encourage, Mr.
Kundra, for \nyou and our friends at OMB to use this model that works and \nother models that work and to replicate that success.\n    But maybe one or two points that I will make, and maybe I \nam being redundant, but I will go ahead and make them anyway. I \nthink repetition can be helpful.\n    But the first point is we are spending way too much money \non a process that is flawed from the beginning. That is not to \ntake anything away from Congressman Davis and others who were \ninvolved in the FISMA legislation from 2002, but it is a \nprocess that is flawed. Writing a report about security is not \nthe same as investing in security, and with so much at stake, \nwe should be doing a much better job.\n    The irony of it is, we had a luncheon speaker at our weekly \ncaucus luncheon today who runs a big Federal agency and he \nshared with us just some up-to-date information about the kind \nof attacks that are underway every day, every hour, every \nminute. It really puts this in real time and with a real sense \nof urgency.\n    My next point is the fact that OMB is, I think, the only \none who really can make this happen absent Congress passing a \nbill. I would again say, Mr. Kundra, actually take a hard look \nat what you can do, and I sense that you are already doing \nthat, to make sure that we don\'t waste another year, another $1 \nbillion, if not more, to do something that doesn\'t work very \nwell.\n    My last point is the fact that, obviously, that we all need \nto work together. I am pleased to see with the three of you \nhere before us, it is a pretty good model of how we can \ncooperate and I hope that we are part of that, as well. 
But
technology changes so fast that without a partnership between--
not just among agencies, but also between the Legislative
Branch and the Executive Branch, Americans, unfortunately, are
going to end up on the losing end, and we don't want that to
happen.
    I am going to ask, I think, for you all to come back to me,
I will put this in writing, but to come back to us in maybe 2
weeks with opportunities that you believe will lead to
efficiencies in defending our networks. If you do that, I would
be grateful. If you get any other questions from my colleagues,
then if you would respond to those within 2 weeks, that would
be terrific.
    Thank you all very much for coming today, for your
testimony, and for the work that you are doing. I would
encourage you to continue on and we will do our best to have
you back. Thank you.
    And with that having been said, this hearing is adjourned.
    [Whereupon, at 4:07 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------

[The appendix material, graphics T3852.001 through T3852.070 (TIFF),
is omitted from this text edition.]
</pre></body></html>