b"<html>\n<title> - CYBERSECURITY: NEXT STEPS TO PROTECT OUR CRITICAL INFRASTRUCTURE</title>\n<body><pre>[Senate Hearing 111-667]\n[From the U.S. Government Publishing Office]\n\n\n                                                        S. Hrg. 111-667\n \n                 CYBERSECURITY: NEXT STEPS TO PROTECT \n                      OUR CRITICAL INFRASTRUCTURE \n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                         COMMITTEE ON COMMERCE,\n                      SCIENCE, AND TRANSPORTATION\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                           FEBRUARY 23, 2010\n\n                               __________\n\n    Printed for the use of the Committee on Commerce, Science, and \n                             Transportation\n\n                               ----------\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n57-888 PDF                       WASHINGTON : 2010 \n\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \nDC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \nWashington, DC 20402-0001 \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             SECOND SESSION\n\n            JOHN D. ROCKEFELLER IV, West Virginia, Chairman\nDANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, \nJOHN F. KERRY, Massachusetts             Ranking\nBYRON L. DORGAN, North Dakota        OLYMPIA J. 
SNOWE, Maine\nBARBARA BOXER, California            JOHN ENSIGN, Nevada\nBILL NELSON, Florida                 JIM DeMINT, South Carolina\nMARIA CANTWELL, Washington           JOHN THUNE, South Dakota\nFRANK R. LAUTENBERG, New Jersey      ROGER F. WICKER, Mississippi\nMARK PRYOR, Arkansas                 GEORGE S. LeMIEUX, Florida\nCLAIRE McCASKILL, Missouri           JOHNNY ISAKSON, Georgia\nAMY KLOBUCHAR, Minnesota             DAVID VITTER, Louisiana\nTOM UDALL, New Mexico                SAM BROWNBACK, Kansas\nMARK WARNER, Virginia                MIKE JOHANNS, Nebraska\nMARK BEGICH, Alaska\n                    Ellen L. Doneski, Staff Director\n                   James Reid, Deputy Staff Director\n                   Bruce H. Andrews, General Counsel\n             Ann Begeman, Acting Republican Staff Director\n             Brian M. Hendricks, Republican General Counsel\n                  Nick Rossi, Republican Chief Counsel\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on February 23, 2010................................     1\nStatement of Senator Rockefeller.................................     1\nStatement of Senator Snowe.......................................     3\n    Prepared statement...........................................     5\nStatement of Senator Ensign......................................    36\nStatement of Senator Pryor.......................................    38\nStatement of Senator Begich......................................    41\nStatement of Senator Klobuchar...................................    43\nStatement of Senator Thune.......................................    47\n\n                               Witnesses\n\nVice Admiral Michael McConnell, USN (Retired), Executive Vice \n  President, National Security Business, Booz Allen Hamilton.....   
  7\n    Prepared statement...........................................    10\nJames A. Lewis, Director and Senior Fellow, Technology and Public \n  Policy Program, Center for Strategic and International Studies.    12\n    Prepared statement...........................................    14\nScott Borg, Director and Chief Economist, U.S. Cyber Consequences \n  Unit...........................................................    17\n    Prepared statement...........................................    19\nMary Ann Davidson, Chief Security Officer, Oracle Corporation....    21\n    Prepared statement...........................................    23\nJames Arden ``Jamie'' Barnett, Jr., Rear Admiral, USN (Retired), \n  Chief, Public Safety and Homeland Security Bureau, FCC.........    27\n    Prepared statement...........................................    29\n\n                                Appendix\n\nHon. Tom Udall, U.S. Senator from New Mexico, prepared statement.    55\nWritten questions submitted by Vice Admiral Michael McConnell to:\n    Hon. John D. Rockefeller IV..................................    55\n    Hon. Tom Udall...............................................    55\nResponse to written questions submitted by Dr. James A. Lewis to:\n    Hon. John D. Rockefeller IV..................................    56\n    Hon. Tom Udall...............................................    57\n    Hon. John Ensign.............................................    57\nResponse to written questions submitted by Hon. John D. \n  Rockefeller IV to Scott Borg...................................    58\nResponse to written questions submitted by Mary Ann Davidson to:\n    Hon. John D. Rockefeller IV..................................    60\n    Hon. Tom Udall...............................................    62\n    Hon. John Ensign.............................................    72\nResponse to written questions submitted by Rear Admiral James \n  Barnett, Jr. to:\n    Hon. John D. 
Rockefeller IV..................................    75\n    Hon. John Ensign.............................................    77\n\n\n    CYBERSECURITY: NEXT STEPS TO PROTECT OUR CRITICAL INFRASTRUCTURE\n\n                              ----------                              \n\n\n                       TUESDAY, FEBRUARY 23, 2010\n\n                                       U.S. Senate,\n        Committee on Commerce, Science, and Transportation,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 2:40 p.m. in room \nSR-253, Russell Senate Office Building, Hon. John D. \nRockefeller IV, Chairman of the Committee, presiding.\n\n       OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, \n                U.S. SENATOR FROM WEST VIRGINIA\n\n    The Chairman. Welcome, all. And this hearing will come to \norder. And members will be coming in.\n    Before I give my opening statement, I just want to make \nsure that everybody knows who is testifying. And Vice Admiral \nMichael McConnell, U.S. Navy, Retired, Executive Vice President \nof National Security Business, Booz Allen Hamilton. He and I \nhave done a lot of work together, including on FISA, other \nmatters. Dr. James Lewis, Director and Senior Fellow, \nTechnology and Public Policy Program Center for Strategic and \nInternational Studies. And Dr. Lewis is there, working on his \ncomputer, I think. Mr. Scott Borg, Director and Chief \nEconomist, U.S. Cyber Consequences Unit. And Rear Admiral James \nArden Barnett, Jr., Chief, Public Safety and Homeland Security \nBureau, Federal Communications Commission. I'm really glad \nabout that. And Ms. Mary Ann Davidson, Chief Security Officer, \nOracle Corporation. So, you're going to have some attention \nfocused on you today.\n    This Nation--is it OK if I proceed? OK. This Nation and its \ncitizens depend enormously on communication technologies in so \nincredibly many ways every single day. 
Vast network expansions \nhave transformed virtually every aspect of our lives: \neducation, healthcare, how businesses grow, don't grow, \nfunction, and the development of an interconnected, more \ndemocratic conversation. Our government, our economy, our very \nlives rely on technology that connects millions of people \naround the world in real time and all the time. And yet, these \npowerful networks also carry great risks which people, for the \nmost part, don't understand--understandably don't understand--\nbut are going to have to come to understand.\n    In recent years, hackers have attacked numerous Federal \nagencies, key media outlets, large companies across the private \nsector, targeting intellectual property, stealing valuable \ninformation vital to our national and economic security.\n    What was it? An article I read in the paper, somebody from \nDOD says, ``We're getting attacked every day, all day, 7 days a \nweek.'' And that's what they do. And these attacks are coming \nwith increasing regularity and increasing sophistication. A \nmajor cyber attack could shut down our Nation's most critical \ninfrastructure: our power grid, telecommunications, financial \nservices; you just think of it, and they can do it--the basic \nfoundations on which our communities and families have been \nbuilt, in terms of all of their lives and who are trying to \nhave a future.\n    So, this hearing is a next step in examining the important \naction we should be taking right now, as a government and as a \nnational economy, to harden our defenses and safeguard critical \ninfrastructure against a major cyber attack. Having said that \nthey're happening all the time, that would seem to be out of \norder, but, you know, it needs--both need to be said.\n    Now, I understand it's no secret that cybersecurity is one \nof my top securities; it isn't a secret, at least, to Olympia \nSnowe and myself. 
As the former Chair of the Intelligence \nCommittee, and now Commerce, I know that it's both national \nsecurity and our economic security at stake. But, obviously, \nI'm not alone. Many experts, business leaders, public \nofficials, including two of our former directors of national \nintelligence, have pointed, time and time again, to \ncybersecurity as this country's chief security problem.\n    President Obama called cyberspace a strategic national \nasset. However, this very important point, critical to the \nchallenge we're discussing here today, unlike the other \nstrategic national assets, cyberspace is 85-percent owned and \ncontrolled by private companies and individuals. That means \nthat no one--neither the Government nor the private sector--can \nkeep cyberspace secure on their own. Both must work together. \nAll must work together. And that is why the wonderful Senator \nSnowe, from Maine, and I have introduced comprehensive \nlegislation--the Cybersecurity Act 2009--to modernize the \nrelationship between the Government and the private sector on \ncybersecurity.\n    And I have to say that on--there's--it's such a sensitive \nsubject, particularly with the private sector, that I--we were \non our fourth draft, because we kept calling in the \nstakeholders. They kept saying, ``Well, this is wrong, this is \nwrong, this is wrong.'' And so, we would adjust, and do another \none. I mean, we did it the way legislation should be developed.\n    Our legislation calls for developing a cybersecurity \nstrategy and identifying the key roles and responsibilities of \nall the players, private and public, who will respond in a time \nof crisis.\n    I'm sure you've all heard about last week's Cyber ShockWave \nexercise. I watched. The process made it enormously clear; if \nwe are serious about responding effectively to real cyber \nemergencies, we need a very strong top-level coordination. 
Too \nmuch is at stake for us to pretend that today's outdated \ncybersecurity policies are up to the task of protecting our \nNation and/or our economic infrastructure.\n    We have heard the reassurances and seen the best efforts of \nthe many in the private sector working to secure their \nnetworks. But, it's clear that even the largest, most \nsophisticated companies are not immune from attack. So, we have \nto do better. And that means it will take a level of \ncoordination and sophistication to outmatch our adversaries and \nminimize, as much as possible, the threats. So, it's that \nsimple. We can't wait; we've got to get going on this. We've \ngot to get people educated on it. And it's a massive, massive \nundertaking.\n    I want to introduce, to speak first--one, because he has to \nleave at 4 o'clock and, second, because he's kind of senior \naround here--Admiral Mike McConnell, who, you know, was NSA, \nDNI, private sector, and we worked together very closely on \nFISA and other legislation.\n    So, I now call upon Admiral--I'm very aware that you have \nto go----\n    Admiral McConnell. Yes, sir.\n    The Chairman.--and we will work that, and make it work. \nBut, Senator Snowe ranks here today.\n    No, but I want you to make an opening statement, if you \nwant to.\n    Well, John, that's a quandary. I mean, you know, Olympia \nought to make a little bit of an opening statement. You could \ntake a 3-minute opening statement.\n\n              STATEMENT OF HON. OLYMPIA J. SNOWE, \n                    U.S. SENATOR FROM MAINE\n\n    Senator Snowe. OK. Thank you, Mr. Chairman, you're so \ngracious and generous.\n    I also want to take this opportunity to commend you for \nyour extraordinary leadership on this paramount issue for the \nsecurity of our Nation. 
And I also want to extend my sincere \nappreciation to our esteemed witnesses here today who represent \na combined depth and breadth of knowledge and experience to \nprovide invaluable insight into the multiple facets of this \nthreat posed by cyberintrusion and attack and how we should \nmobilize as a nation to leverage both the public and the \nprivate sector to confront this exceptional challenge.\n    As Senator Rockefeller indicated, we filed a comprehensive \ncybersecurity bill, just a year ago, to accomplish that. We \nhave since had multiple drafts. We are trying to bring new, \nhigh-level governmental attention to developing a fully \nintegrated, thoroughly coordinated public private partnership, \nas we see this as the only means to address our Nation's 21st-\ncentury vulnerability to cybercrime, global cyberespionage and \ncyber attacks.\n    As crossover members of both the Intelligence Committee and \nthe Commerce Committee, Senator Rockefeller and I, are keenly \naware of the gravity of these circumstances and the astonishing \ndimensions of this threat. Moreover, our legislation reflects \nthe recommendations of the Center for Strategic and \nInternational Studies' Blue Ribbon Report that was issued to \nthe President. And the bill has undergone a number of \nrevisions, following literally hundreds of meetings with \nindustry and government thought leaders on this vital subject.\n    We sought to carve a course for our country to embrace a \nnational security policy that will protect and preserve \nAmerican cyberspace, which the President has rightly deemed a \nstrategic national asset, because it is simply undeniable that \nthe interconnection and integration of global systems, the very \nbackbone of our functioning modern society, creates myriad \nopportunities for cyber attackers to disrupt communications, \nelectrical power, and other indisputably essential services. 
\nAnd over the past several years, let there be no mistake, \ncyberexploitation activity has grown more sophisticated, more \nserious, and more targeted.\n    According to the Director of National Intelligence, Dennis \nBlair, a burgeoning array of state and non-state adversaries \nare increasingly targeting the Internet, telecommunications \nnetworks, and computers. And we're being assaulted on an \nunprecedented scale by well-resourced and persistent \nadversaries seeking to gain a glimpse into America's mission-\ncritical vulnerabilities.\n    In an unclassified setting just 2 weeks ago, the Director \ntestified that the national security of the United States, our \neconomic prosperity, and the daily functioning of our \ngovernment are dependent on a dynamic public and private \ninformation infrastructure that is now severely threatened. As \nthe Director also noted, the recent intrusions reported by \nGoogle that appear to have originated in China should serve as \na wake-up call to those who have not taken this problem \nseriously. That's why Senator Rockefeller and I have said that \nour failure to implement effective policies and procedures to \nprevent unauthorized intrusions have proven extremely \nconsequential. And if we fail to take swift action, we risk a \ncybercalamity of epic proportions, with devastating \nimplications for our Nation.\n    We've already experienced breaches to our supply chains. \nAccording to the SANS Institute, there have been several \nincidents involving infected memory sticks sold in U.S. retail \nstores. Furthermore, the FBI has alerted the Administration \nthat malevolent actors have actually begun selling counterfeit \nnetworking equipment infected with viruses to consumers. \nIndeed, government agencies, as well as the private sector, are \nidentifying an increasing number of security incidents. 
\nAccording to Verizon, more electronic records were breached \nlast year than the previous 4 years combined, resulting in loss \nof privacy, identity theft, and financial crimes. Today, \nhijacked personal computers, known as ``botnets'' are used to \nsend spam or viruses. And all of this is done without the \nowner's knowledge.\n    And just this week, according to a recently released report \nfrom NetWitness, hackers gained access to data at close to \n2,500 companies and government agencies, from credit card \ntransactions to intellectual property over the last 18 months, \nin a coordinated global attack. In fact, it was described as \none of the largest and most sophisticated attacks, in the \nWashington Post this month.\n    Then, according to a report drafted by the chief \ninformation security officer of In-Q-Tel, the CIA's venture \ncapital arm, hackers currently charge about a penny for every \nthousand e-mails of spam, and only $1 for a credit card that \nincludes every piece of information necessary to compromise \none's credit.\n    I commend the President for deeming cybersecurity a top \npriority and recently naming Howard Schmidt, whom Senator \nRockefeller and I met with just a few weeks ago, as the \nAdministration's national cybersecurity coordinator. However, \nwe remain concerned that this position does not possess the \ninstitutional heft that it requires. We would prefer and \nrecommend, in our legislation, a Cabinet-level, Senate-\nconfirmed national cyberadviser that reports directly to the \nPresident and is directly accountable to the American people.\n    It is imperative that the public and private-sectors \nmarshal our collective forces in a collaborative and \ncomplementary manner to confront this urgent threat and reduce \nthe risk posed by cyberintrusion or catastrophic cyber attack. \nAs part of this effort, we must identify incentives for the \nprivate sector. 
Limiting liability for the companies that \nimprove their cybersecurity posture, improving threat \ninformation-sharing, providing a safe harbor for exchanging \nvulnerability data, as well as tax credits contingent on a \ncompany complying with certain security practices, should all \nbe considered.\n    It is equally urgent that government take proactive steps, \nalways mindful of privacy concerns. The Government should work \nwith the private sector to recognize and promote cybersecurity \nperformance measures and best practices and develop a robust \nworkforce of cybersecurity professionals, promote innovation \nand excellence in products and services, and institute a \ncampaign, as Senator Rockefeller has indicated, to educate the \npublic about cybersecurity risk, using the Government's \npurchasing power, as well, to raise standards through \nprocurement.\n    Ultimately, we must recognize that time is not on our side, \nand it's clear that our adversaries will continue to change \ntheir tactics as technology evolves. Congress must take action.\n    I look forward to hearing from our distinguished witnesses \nand working closely with the Chairman and all members of this \ncommittee and others, and throughout the Congress, in order to \naccomplish this goal this year.\n    Thank you.\n    [The prepared statement of Senator Snowe follows:]\n\n  Prepared Statement of Hon. Olympia J. Snowe, U.S. Senator from Maine\n    Thank you, Mr. Chairman, and I would like to take this opportunity \nto commend you for your extraordinary and visionary leadership on this \nparamount issue for the security of our Nation.\n    I also want to extend my sincere appreciation to our esteemed \nwitnesses for joining with us today. 
All of you bring to bear a \ncombined depth and breadth of knowledge and experience to provide \ninvaluable insight on the multiple facets of the threat posed by cyber \nintrusion and attack, and how we should mobilize as a nation to \nleverage both the private and public sector to confront this \nexceptional challenge.\n    Indeed, Senator Rockefeller and I filed a comprehensive \ncybersecurity bill almost a year ago to accomplish just that. We sought \nto bring new high-level governmental attention to developing a fully \nintegrated, thoroughly coordinated public-private partnership as that \nis the only way we can address our Nation's 21st century vulnerability \nto cyber crime, global cyber espionage, and cyber attacks.\n    As crossover members of both the Intelligence and Commerce \ncommittees, Senator Rockefeller and I are keenly aware of the gravity \nas well as the astonishing dimensions of the threat. Moreover, our \nlegislation reflects the recommendations of the CSIS report to \nPresident Obama, and the bill has undergone a number of revisions \nfollowing literally hundreds of meetings with industry and government \nthought-leaders on this vital subject.\n    Senator Rockefeller and I sought to carve a course for our country \nto embrace a national security policy that will protect and preserve \nAmerican cyberspace, which the President has rightly deemed a \n``strategic national asset.'' Because it is simply undeniable that the \ninterconnection and integration of global systems--the very backbone of \nour functioning modern society--creates myriad opportunities for cyber \nattackers to disrupt communications, electrical power, and other \nindisputably essential services. And over the past several years, let \nthere be no mistake--cyber exploitation activity has grown more \nsophisticated . . . more targeted . . . 
and more serious.\n    According to Director of National Intelligence Dennis Blair, a \nburgeoning array of state and non-state adversaries are increasingly \ntargeting the Internet . . . telecommunications networks . . . and \ncomputers . . . and we are being assaulted on an unprecedented scale by \nwell-resourced and persistent adversaries seeking to gain a glimpse \ninto America's mission-critical vulnerabilities.\n    In an unclassified setting just 2 weeks ago, the Director testified \nthat ``the national security of the United States, our economic \nprosperity, and the daily functioning of our government are dependent \non a dynamic public and private information infrastructure'' that is \nnow ``severely threatened.'' As the Director also noted, the recent \nintrusions reported by Google that appear to have originated in China \nshould ``serve as a wake-up call to those who have not taken this \nproblem seriously.''\n    That is why Senator Rockefeller and I have said that our failure to \nimplement effective policies and procedures to prevent unauthorized \nintrusion has proven extremely consequential, and if we fail to take \nswift action, we risk a cyber-calamity of epic proportions with \ndevastating implications for our Nation.\n    We have already experienced breaches to our supply chain. According \nto the SANS (Systems Admin, Audit, Network, and Security) Institute \nthere have been several incidents involving infected memory sticks sold \nin U.S. retail stores. Furthermore, the FBI has reportedly alerted the \nadministration that malevolent actors have actually begun selling \ncounterfeit networking equipment infected with viruses to consumers.\n    Indeed, government agencies as well as the private sector are \nidentifying an increasing number of security incidents. According to \nVerizon, more electronic records were breached last year than the \nprevious 4 years combined, resulting in loss of privacy, identity \ntheft, and financial crimes. 
Today, hijacked personal computers known \nas botnets are used to send spam or viruses. And all of this is done \nwithout the owner's knowledge.\n    Just this week, according to a recently released report from \nNetwitness, hackers gained access to a data at close to 2,500 companies \nand government agencies, from credit-card transactions to intellectual \nproperty, over the last 18 months in a coordinated global attack. Then, \naccording to a report drafted by the Chief Information Security Officer \nof In-Q-Tel, the CIA's venture capital arm, hackers currently charge \nabout a penny for every 1000 e-mails of spam and only about $1.00 for a \ncredit card that includes every piece of information necessary to \ncompromise one's credit!\n    As you all know, 85 percent of our vital infrastructure is owned \nand operated by the private sector, and, according to a 2009 Verizon \nreport which examined data breaches at 45 major U.S. firms in 15 \ndifferent industries, ``the average cost for a data breach reached an \neye-opening $6.75 million''--that's the cost to the average large \ncompany every single day. Cyber attacks represent both a potential \nnational security and economic catastrophe.\n    I commend President Obama for deeming cybersecurity ``a top \npriority'' and recently naming Howard Schmidt--whom Senator Rockefeller \nand I met with a few weeks ago--as the administration's national \ncybersecurity coordinator. However, we remain concerned that this \nposition still does not possess the institutional heft that it \nrequires, as the coordinator is not accountable to Congress and the \nAmerican people nor does he does report directly to the President--\nsignificantly more can and must be done. 
It is imperative that public \nand private sectors marshal our collective forces in a collaborative \nand complementary manner to confront this urgent threat and reduce the \nrisk posed by cyber intrusion or a catastrophic cyber attack.\n    As part of this effort, we must identify incentives for the private \nsector. Limiting liability for the companies that improve its \ncybersecurity posture, improving threat information sharing, providing \na ``safe harbor'' for exchanging vulnerability data, as well as tax \ncredits contingent on a company complying with certain security \npractices, should all be considered.\n    It is equally urgent that government takes proactive steps always \nmindful though of privacy concerns. The government should work with the \nprivate sector to recognize and promote cybersecurity performance \nmeasures and best practices, develop a robust workforce of \ncybersecurity professionals, promote innovation and excellence in \nproducts and services, institute a campaign to educate the public about \ncybersecurity risks, use the Government's purchasing power to raise \nstandards through procurement, and promote government and private \nsector teamwork in emergency preparedness and response in the event of \na catastrophic cyber attack.\n    Ultimately, we must recognize that time is not on our side and it \nis clear that our adversaries will continue to change their tactics as \ntechnology evolves. Congress must take action--I look forward to \nhearing from our distinguished witnesses and working closely with my \ncolleagues to implement a comprehensive cybersecurity strategy for our \nNation.\n\n    The Chairman. Thank you, Senator Snowe.\n    Admiral if you would present your testimony, please, and \nthen we'll go right on through.\n    I just want to point out that I--was it four years ago? \nFive years ago?\n    Admiral McConnell. Three years ago, sir.\n    The Chairman. Three years ago----\n    Admiral McConnell. 
Yes, sir.\n    The Chairman.--that you took the entire Intelligence \nCommittee to an offsite place and spent a whole day on \ncybersecurity.\n    Admiral McConnell. Right.\n    The Chairman. And you were so intense that day that I don't \nthink any of us were quite the same afterwards. And it was one \nof those things that, you know, was a wake-up call that we \nneeded. You gave us amounts of information, and now we have \npeople on the Intelligence Committee who are following this \nsubject very closely.\n    We welcome you, sir.\n\n          STATEMENT OF VICE ADMIRAL MICHAEL McCONNELL,\n\n            USN (RETIRED), EXECUTIVE VICE PRESIDENT,\n\n        NATIONAL SECURITY BUSINESS, BOOZ ALLEN HAMILTON\n\n    Admiral McConnell. Thank you, Mr. Chairman, Senator Snowe, \nmembers of the Committee. It's a pleasure to be here.\n    Let me first say I not only agree, I fully endorse and \nverify everything that the two of you said in your opening \nstatements. Based on what I know, at a classified level, my \nexperience since being the Director of NSA in 1992, I've been \nworrying about this issue and following it, and you're exactly \nright. And thank you for your leadership as a forcing function.\n    Now, what I will attempt to do in some very brief comments \nis put a sharper edge on it and then make some associations, on \na historical basis, about what we may need to do.\n    You asked me to talk to threat, actions to mitigate, and \npublic-private partnership. You mentioned that we're at \nsignificant risk; let me make it sharper. If the Nation went to \nwar today in a cyberwar, we would lose. We would lose. We're \nthe most vulnerable. We're the most connected. We have the most \nto lose. So, if we went to war today in a cyberwar, we would \nlose.\n    As an intelligence officer, I'm often asked to make \npredictions. I want to make three predictions for you:\n    The first is, we will not mitigate this risk. 
We'll talk \nabout it, we'll wave our arms, we'll have a bill, but we will \nnot mitigate this risk. And as a consequence of not mitigating \nthe risk, we're going to have a catastrophic event. In our \nwonderful democracy, it usually takes a forcing function to \nmove us to action. And it is my belief, having followed this \nfrom the early 1990s, it's going to take that catastrophic \nevent.\n    Now, my second prediction is, the Government's role is \ngoing to dramatically change. It is going to be a very active \nrole in the future of telecommunications in this country and, \nin fact, in global telecommunications.\n    My third prediction is, we're going to morph the Internet \nfrom something that's referred to, generally, as ``dot-com'' to \nsomething I would call ``dot-secure.'' It will be a new way of \ncommunicating. Because when transactions move billions of \ndollars, or when transactions route trains up and down the East \nCoast or control electric power or touch our lives in the way \nthey do at such a significant level, the basic attributes of \nsecurity must be endorsed. And the first attribute of security \nis not a scrambled text to protect a secret. The first \nattribute is authentication; who's doing this transaction. If \nit's a $10-billion transaction, don't you need to know for sure \nwho's conducting the transaction? The second attribute is data \nintegrity. You didn't move that decimal. The third is \nnonrepudiation.\n    Now, the reason I pick it up that way is because, as the \nDirector of NSA, everybody knows the mission is to break code; \nbreak the codes of potential adversaries, so we know their \nsecrets. The other mission of NSA is to make the code to \nprotect our secrets. And the attributes of security mostly are \nin focus when you talk about nuclear weapons. 
So, if you're--if
you ever contemplated using nuclear weapons--heaven forbid, we
never do--authentication--order from the President--becomes the
single most important feature. Data integrity is the second
most important. Nonrepudiation is the third. So, thinking about
it that way changes one's perspective.
    So, we're not going to do what we need to do. We're going
to have a catastrophic event. The Government's role is going to
change dramatically, and then we're going to go to a new
infrastructure.
    Now, let me speak to the Government's role. I wanted to get
historical perspective, so I asked some of my associates to do
some research. And the astounding thing that we discovered is,
there is a technology cycle that runs about every 50 years.
Could be closer to 60, or maybe 40, but it's about every 50
years. Every time there's new technology, there's a rush to
invest, there's a frenzy, there's a period when there's a bust,
then there's strong intervention by the Government, and then it
settles out, going forward.
    And the first example that I'll use is railroads. United
States has been the largest economy in the world since 1880.
Most people don't know that. We captured the Industrial
Revolution from the British. We laid rail coast-to-coast, and
our economy was off and running. What happened? The railroads
became so powerful they started to dictate to the Government.
So, what was the result? Antitrust legislation; break it up.
The Government's role changed very dramatically.
    You can extend that argument to automobiles. Same argument.
When I was a child, 60,000 people a year died on the highway;
the population of the Nation was 150 million. Today, it's
30,000; our population is 300 million. What changed? The
Government's role significantly changed.
Interstate highways,
for safety, guardrails, seatbelts, flashers, all the things
that industry was forced to do because it affected so many
people. So, in my view, the Internet--global communications,
moving money at the speed of light from Tokyo to New York, or
from New York to Singapore--billions of dollars--the
transportation systems of the world, the electric power grid of
the world--that is so significant that the Government's role is
going to change very dramatically. And I would predict we will
have a different Internet at some point in time.
    Now, what are the things we have to do? International
agreements with partners and with competitors. Because it's in
the interest of China, as an example, to have a Net that's
secure, for which there's authentication, for which there's
data integrity, for which there's nonrepudiation features built
in. You can achieve that with mathematical certainty. It's a
simple function of applying the right kind of tools and
techniques and encryption. I would argue it's not in China's
self-interest to destabilize the U.S. money--money supply.
    Now, what I really worry about today is, not a nation-
state. If we had a war with a nation-state, we would engage in
ground combat, maritime combat, air combat, space combat, and
cyberspace combat. That's not likely in our future. But, what
is likely in our future is a group that's not deterred, who
wishes to destroy the system, who has the technical
capability--because the cost of entry is pretty low--has the
technical capability to attack something. And I'll use the
money supply as an example.
    I majored in Economics 101, way back as an undergraduate,
and I was astounded to learn there's no gold backing up all
those dollars. We left that standard in the 1930s.
And then I
was astounded to learn that they're not even dollar bills
printed; there's--only about 6 percent of the value of the
country is actually in dollar bills. So, where's the value?
It's an accounting entry. And I believe the right kind of
talent could attack the global money supply.
    As an example, our gross domestic product, on a yearly
basis, is 14 trillion--just over 14 trillion. Two banks in New
York move 7 trillion a day. So, if an extremist group with the
right kind of tools could scramble that data, they could
destroy confidence in global banking. New York is the banking
center of the world.
    So, that's the risk. Will we be required to experience that
catastrophic event before we move to action?
    I'll finish with just an example. Nuclear weapons are easy
to imagine, because there's the mushroom cloud and the
shockwave. When nuclear weapons happened, this Nation took
action to put the government in charge. There was a joint
committee of Congress to oversee it and fund it, and the law
said only the government could own things that were nuclear.
Now, that's mitigated over time. That committee was determined
to be unconstitutional, and we created the Department of
Energy, and it has gone on. We've got commercial nuclear energy
and so on. So, we learned over time to adjust to that.
    If you take telecommunications and the Internet, it's
almost entirely in the private sector, and it's going in the
other direction. But, it has become so important and so
potentially significant, in my view, it rivals nuclear weapons,
in terms of potential damage to the country.
    So, the government was hands-off to start. And if you look
at the evolution of the 50-year cycles, whether it was building
canals or textile machinery or railroads or automobiles, that
cycle repeated, where the government had a greater role when it
affected more people. And we're reaching that point now.
So,
either we have a forcing function through a catastrophic event
or, hopefully, your bill will be law and we can have the
forcing function to deal with this in the way we must deal with
it. We must develop a deterrence policy, and we're probably
going to have to figure out how we engage in preemption, where
those that wish us harm cannot be deterred.
    Mr. Chairman, that's my warm-up. I look forward to your
questions. Thank you very much.
    [The prepared statement of Admiral McConnell follows:]

 Prepared Statement of Vice Admiral Michael McConnell, USN (Retired),
   Executive Vice President, National Security Business, Booz Allen
                                Hamilton
Introduction
    Mr. Chairman, members of the Committee, thank you for the
opportunity to speak to the Committee on Commerce, Science, and
Transportation today.
    First, I want to open with a simple statement:

        If we were in a cyberwar today, the United States would lose.

    This is not because we do not have talented people or cutting edge
technology; it is because we are simply the most dependent and the most
vulnerable. It is also because we have not made the national commitment
to understanding and securing cyberspace.
While we are making progress:

  <bullet> the President's cyberspace policy review completed last May,

  <bullet> the appointment of the Cybersecurity Coordinator in
        December, and

  <bullet> recent investments in the Comprehensive National
        Cybersecurity Initiative (CNCI) are moves in the right
        direction but

  <bullet> these moves are not enough.

    The Federal Government will spend more each year on missile defense
than it does on Cybersecurity, despite the fact that we are attacked
thousands of times each day in cyberspace and we are vulnerable to
attacks of strategic significance, i.e., attacks that could destroy the
global financial system and compromise the future and prosperity of our
Nation. Securing cyberspace will require a more robust commitment in
terms of leadership, policies, legislation, and resources than has been
evident in the past.
Seizing Opportunity . . .
    The cyber revolution has transformed our economy, enriched our
society, and enhanced our national security. The Information and
Communications Technology (ICT) sector contributes over $1 trillion to
our economy each year; ``smart'' electric grids promise to transform
our energy system; intelligent transportation systems are altering the
way we move and the way we manage commerce; electronic medical records
and telemedicine promise to reduce costs while improving quality. The
global financial sector relies on information technology to process and
clear transactions on the order of trillions of dollars each day. To put
that in perspective, while the U.S.
total GDP was just over $14T last
year, two banks in New York move over $7T per day in transactions.
    Meanwhile, major investments in broadband--by both the government
and private sector--empower small businesses and our citizens; digital
classrooms are changing the way our children are educated; and ``open
government'' initiatives make government data more accessible and
useable for business and individuals alike. Our military and security
services have benefited as well. The Department of Defense has
aggressively adopted network-centric operations, linking sensors,
commanders and operators in near-real time and providing the U.S. a
decisive advantage in the battlespace. The intelligence community and
homeland security have benefited from cyber technologies by improving
collaboration and information sharing across formerly impenetrable
organizational divides. In short, the microprocessor and Internet have
been as transformative as the steam engine and railroads in the 19th
century and as impactful as the internal combustion engine and
interstate highway system in the 20th century.
. . . Managing Risk
    The reach and impact of cyberspace will accelerate over the next 10
years, as another billion users in China, India, Brazil, Russia,
Indonesia and the Middle East gain access to the Internet. As a
consequence, cyberspace will be much more diverse, distributed, and
complex. As cyberspace becomes more critical to the day-to-day
functioning of business, society and government, the potential damage
from cyber attacks, system failures and data breaches will be more
severe.
    In the early stages of cyberspace, the threat largely originated
from ``hackers'' who wanted to test their skills and demonstrate their
technical prowess. Criminal elements followed, resulting in attacks
against financial institutions, credit card accounts, and ATMs for personal
gain.
More sophisticated actors emerged as state-based intelligence and
security organizations developed robust exploitation and attack
capabilities as part of a larger national security strategy.
    Recently, ``hacktivists''--non-state actors mobilized in support of
a particular issue or motivated by patriotic reasons--have entered the
fray. Generally speaking, we know and understand these threats--their
capabilities and intentions.
    However, of particular concern is the rise of non-state actors who
are motivated not by greed or a cause, but by those with a different
world view who wish to destroy the information infrastructure which
powers much of the modern world--the electric grid, the global
financial system, the electronic health care records, the
transportation networks.
    Of increasing concern is that the sophistication of cyber attack
tools continues to increase at cyber speed, while the barriers to entry
continue to fall as attack tools proliferate in chat rooms, homepages,
and websites. The challenges we face are significant and will only
grow; our response must be equally bold and decisive.
Recommendations for Cybersecurity
    Despite the complex and seemingly unprecedented nature of the
challenge, there are some immediate actions we can take to secure
cyberspace and the future of our Nation.
    Cyber Policy--The U.S. needs a long-term cyberspace strategy that
spells out specific goals and objectives and clarifies roles and
responsibilities across the Federal Government. This should be preceded
by a cyber equivalent to President Eisenhower's ``Project Solarium''
in the early 1950s in developing the Nation's nuclear deterrence
policy. Today, we need a full and open discourse with a diverse group--
business, civil society, and government--on the challenges we face in
cyberspace.
This dialogue should result in a strategic framework that
will guide our investments and shape our policies, both domestically
and internationally.
    We need a national strategy for cyber that matches our national
strategy that guided us during the cold war, when the Soviet Union and
nuclear weapons posed an existential threat to the United States and
its allies. Cyber has become so important to the lives of our citizens
and the functioning of our economy that gone are the days when Silicon
Valley could say ``hands off'' to a Government role. To offer historical
perspective on how the Government's role has increased in every case as
emerging technologies affect the Nation and greater numbers of our
citizens, I am attaching to this statement a review conducted by my
colleagues and me entitled ``The Road to Cyberpower.''
    Cyber Operations--The Cybersecurity challenge to the Nation today
mirrors our response to counter terrorism after 9/11--a host of Federal
and state and local agencies, each with their own authorities,
missions, operations centers and information systems. The risk is that
we fail to learn the lessons around counterterrorism information
sharing and operations and create more silos by individual agencies,
potentially creating an atmosphere of bureaucratic rivalry and
duplicative investments. To that end, the U.S. should establish a
National Cybersecurity Center, modeled on the interagency National
Counter Terrorism Center (NCTC), that integrates elements of DoD's
proposed Cyber Command, DHS's National Cybersecurity and Communications
Integration Center (NCCIC), FBI's cyber operations, state and local
government, and the private sector. This center should operate at the
highest levels of classification for all members and serve as the hub
of information sharing and integration, situational awareness and
analysis, coordination and collaboration.
Only by sharing information
across all sectors will we be able to provide incident response across
all domains of cyberspace--.gov, .mil, and .com.
    Such a center would utilize the legal authorities of each agency
while protecting privacy and civil liberties with appropriate oversight
by the Attorney General and the Congress. The center also could serve
as the information sharing and collaboration hub with our allies and
other Cybersecurity organizations, providing a single conduit for
outside entities.
    Cyber Technology--The U.S. risks being left behind in Cybersecurity
technology. Currently, multiple organizations within the government and
private sector are focused on developing new technologies to protect
our networks, computer systems, data and applications. However, most of
the efforts are fragmented and sub-scale. The U.S. should approach this
challenge as we successfully addressed the challenge to our
semiconductor industry in the 1980s through a public-private
partnership focused on Cybersecurity technologies.
    The U.S. should establish a Cybersecurity Collaborative Consortia,
modeled after SEMATECH, a public-private partnership that supports
basic research and development and develops foundational technologies
and techniques of common concern--identity and access management,
secure networks, intrusion detection, dynamic defense, etc. Such an
organization should work closely with the National Institute of
Standards and Technology (NIST) and with the National Security Agency
(NSA) to define standards for Cybersecurity that could be used for
government, business, and individuals in both the public and private
sectors because there are no effective boundaries in cyberspace.
    Cyber Human Capital--The U.S.
needs a Cyber Education and Training
Initiative (akin to the National Defense Education Act of 1958 after
the launch of Sputnik) to build our national human capital base in
math, science and technology, electrical engineering, computer science,
and cybersecurity. Recent initiatives by Congress in programs like the
Federal Cybersecurity Scholarship for Service and the Information
Assurance Scholarship Program are a start, but need to be more
aggressively funded to build the expertise we need in cyberspace. As a
country, our vulnerabilities will only grow without a highly trained
workforce that can respond to the daunting cyber challenges and
opportunities of the 21st century.
    Cyber Management--Current spending and oversight on Cyber is spread
among multiple accounts and dispersed over multiple committees in
Congress. It is difficult to understand the current level of investment
in cyber and evaluate the effectiveness of our investments given this
complexity and lack of transparency. OMB, working with Congress, should
identify Cybersecurity investments, develop performance criteria
aligned against a national cyber strategy, address the gaps and
eliminate duplicative or conflicting efforts, and improve
accountability for results. We cannot spend our way out of this
challenge; prioritization, accountability, management and oversight are
key.
Summary
    Cyber technologies offer unprecedented opportunities for the
nation; however, they also present significant risks to our
infrastructure, our financial systems, and our way of life. We
prevailed in the Cold War through strong leadership, clear policies,
strong alliances, and close integration of all elements of national
power--economic, military, and diplomatic--supported by a bi-partisan,
national consensus around containment and deterrence. We must do the
same with Cybersecurity.

    The Chairman. Thank you, Admiral.
    Dr.
Lewis.

       STATEMENT OF JAMES A. LEWIS, DIRECTOR AND SENIOR
         FELLOW, TECHNOLOGY AND PUBLIC POLICY PROGRAM,
         CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES

    Dr. Lewis. Thank you, Mr. Chairman, and I'd like to thank
the Committee for the opportunity to testify.
    And I want to congratulate you on the Cybersecurity Act of
2010. This is a very important bill, and if it was passed, it
would make an immense improvement to our national security and
our economic well-being. The bill provides a broad rethinking
of our approach to cybersecurity and the role of government.
And a lot of what I'm going to say is going to sound a lot like
Admiral McConnell, which may be good, or not.
    The people who pioneered cyberspace--the people who
originally designed it--they wanted governments to have a
limited role. They expected the Internet would be a self-
governing global commons. And they argued there were no borders
in cyberspace and that technology moved too fast for government
to intervene and that the old rules of business and national
security didn't apply. None of this was right.
    People thought we would get a peaceful global commons.
Instead, we've got the Wild West. The Internet was not designed
to be secure. The rules and contracts put in place when it was
commercialized were not written with security in mind. The
result is a very Hobbesian environment; cyberspace is not safe.
    So, the issue for me is, How do you bring law to the Wild
West? How to move from a do-it-yourself homebrew approach to
cybersecurity, and how to secure the digital global
infrastructure we now depend on. Legislation like the
Cybersecurity Act can play a crucial role in bringing needed
change.
    You will hear--I think you've already heard--a litany of
criticism. You will be told the bill is not perfect. But, I
note that the Constitution says our goal is ``more perfect,''
not perfection.
This bill would make cybersecurity more
perfect.
    People will say that we cannot measure or certify
cybersecurity. This might explain why we're in such a mess.
But, I think we're now at the point where we're beginning to
collect data that shows what works; and if we can determine
what works, we can teach it and we can certify people to it.
    Many will say that we should let the market fix
cybersecurity. I'm familiar with this one because I, myself,
wrote it in 1996, and I'm still waiting. The government needs
to give the market a kick.
    There's a desire to say that the President should not have
authorities, during a crisis, to respond to the kind of cyber
attack that Admiral McConnell was talking about. I call this
the Hurricane Katrina approach to cybersecurity. There will be
complaints that cybersecurity will get in the way of
innovation. But, to build on the car metaphor, requiring safer
cars did not kill innovation in the automobile industry, or we
would still all be driving 1956 DeSotos.
    Some claim the private sector can do a better job defending
networks than government. This is like saying we can rely on
the airlines to defend our airspace against enemy fighters.
Private companies will never be a match for foreign
intelligence service or foreign militaries.
    But, moving to the policies we need for cybersecurity will
not be easy. In the past, when a new technology has come along
and reshaped business and warfare in society, it has taken the
United States decades to develop the rules it needed; the laws,
the judicial precedents, and the regulations that would
safeguard society.
    The difference now is that we don't have decades to do
this. We're under attack every day, as you said. We're losing,
every day, vital secrets. We're at tremendous risk. If we had a
war, we would lose. So, we can't wait.
You know, when it was
steam engines or automobiles or telephones, we could take 20 or
30 or 40 years to come up with the rules we needed. But, we
don't have that luxury now, right? Prompt action is necessary.
    The prospects for growth and improvement in cyberspace
remain great, but to obtain these benefits, we need to close
the frontier, end the pioneer approach, say the Wild West is
over, and bring the rule of law to cyberspace. We need a new
framework for cybersecurity, and this bill helps provide it.
    The work of this committee has really helped force the
debate in this issue, and so I really applaud you for it.
People have had to think hard about real serious issues. And I
hope, with that, that we see passage of the bill sometime this
year.
    Thanks again for letting me testify, and I'll be happy to
take your questions.
    [The prepared statement of Dr. Lewis follows:]

   Prepared Statement of James A. Lewis, Director and Senior Fellow,
    Technology and Public Policy Program, Center for Strategic and
                         International Studies
    I would like to thank the Committee for this opportunity to testify
and I would like to congratulate it for its comprehensive
``Cybersecurity Act of 2009.''
    This bill is important because it is a broad step to rethinking our
approach to the Internet, to cyberspace, and to the role of government.
    The pioneers of cyberspace wanted governments to have a very
limited role. They expected a self-governing global commons to emerge,
and argued that there were no borders, that technology moved too fast,
that old rules of business and security did not apply. They expected a
global commons; instead they got the wild west. The Internet was not
designed to be secure; the rules and contracts put in place when it was
commercialized were not written with security in mind. The result is
Hobbesian, that is to say nasty and brutish, if not short.
So the issue
for the Nation is how to bring law to the Wild West, how to move from a
do-it-yourself homebrew approach to cybersecurity, and how to secure a
global digital infrastructure upon which we now depend. Legislation
like the Cybersecurity Act of 2010 can play a crucial role.
    Cybersecurity has become an important issue over the last decade as
the Internet changed to become a significant global infrastructure. The
U.S. in particular has woven computer networks into so many of its
economic activities that we are as reliant on the Internet as we are on
any other critical infrastructure. Networked activities can be cheaper
and more efficient, so companies large and small have migrated to the
Internet because it can provide competitive advantage. Our national
defense relies heavily upon networks. Networks reinforced existing
trends in the military: the realization that intangible factors--greater
knowledge, faster decisionmaking, increased certainty--would increase
effectiveness of our military force.
    That technologies designed in the early 1970s have worked so well
and have so cleanly scaled to support more than a billion users is an
amazing triumph, but anyone with malicious intent can easily exploit
these networks. The Internet was not designed to be a global
infrastructure upon which hundreds of millions of people would depend.
It was never designed to be secure. The early architects and thinkers
of cyberspace in the first flush of commercialization downplayed the
role of government. The vision was that cyberspace would be a global
commons led and shaped by private action, where a self-organizing
community could invent and create. This ideology of a self-organizing
global commons has shaped Internet policy and cybersecurity, but we
must now recognize that this pioneer approach is now inadequate.
    There are two reasons for this inadequacy.
First, private efforts
to secure networks will always be overwhelmed by professional
military and criminal action. The private sector does not have the
capability to defeat an advanced opponent like the SVR or the PLA,
organizations that invest hundreds of millions of dollars and employ
thousands of people to defeat any defense. We do not expect airlines to
defend our airspace against enemy fighter planes and we should not
expect private companies to defend cyberspace against foreign
governments.
    Second, absent government intervention, security may be
unachievable. Two ideas borrowed from economics help explain this--
public goods and market failure. Public goods are those that benefit
all of society but whose returns are difficult for any individual to
capture. Basic research is one public good that the market would not
adequately supply if government did not create incentives.
Cybersecurity is another such public good where market forces are
inadequate.
    We talk about cyber attack and cyber war when we really should be
saying cyber espionage and cybercrime. Espionage and crime are not acts
of war. They are, however, daily occurrences on the Internet, with the
U.S. being the chief victim, and they have become a major source of
harm to national security. The greatest damage to the U.S. comes from
espionage, including economic espionage. We have lost more as a nation
to espionage than at any time since the 1940s. The damage is usually
not visible, but of course, the whole purpose of espionage is not to be
detected.
    This is not cyberwar. Russia, China, and cybercriminals of all
types have no interest in disrupting Wall Street, the Internet, or the
American economy. There is too much to steal, so why would anyone close
off this gold mine?
As with any good espionage exploit or mafia racket,
the perpetrators want stability, a low profile, and smooth operations
going so they can continue to reap the benefits.
    There is a potential for cyber attack, but it is so far constrained
by political and technological barriers. Terrorists likely do not yet
have the advanced cyber capabilities needed to launch crippling
strikes. The alternative, that they have these capabilities but have
chosen for some reason not to use them, is ridiculous. There are
nations that could launch a crippling strike, but they are likely to do
so only as part of a larger armed conflict with the United States.
These nations do not love jihadis any more than we do, so they are
unlikely in the near future to transfer advanced cyber capabilities to
terrorists. Presumably, in the case of Russia and China their cyber
criminal proxies are also instructed not to take jihadi clients
(although there is one incident where it is alleged that Russian
hackers served as mercenaries for Hezbollah, against Israel). Should
any of these conditions change--the technological constraints that
limit terrorists and the political constraints that limit states and
advanced cyber criminals--the U.S. is in no position to defend itself
against cyber attack.
    Short of armed conflict (over Taiwan or Georgia), China or Russia
are unlikely to use cyber strikes against the U.S. The political risk
is too high--it would be like sending a bomber or a missile against a
power plant, and the U.S. response would be vigorous. Our opponents,
however, have reportedly conducted reconnaissance missions against
critical infrastructure--the electrical grid, for example--to allow
them to strike if necessary in the event of conflict. Cyber attack is
cheaper and faster than a missile or plane, and there is some chance that
the attacker can deny responsibility (because of the weak
authentication on the Internet).
Right now, our opponents have the
advantage but it is within our capabilities to change this.
    Getting this change requires a new approach. Many of the solutions
to the problem of cybersecurity our Nation has tried are well past
their sell-by date. Public-private partnerships, information sharing,
government-lead-by-example, self-regulation, and market-based solutions
are remedies we have tried for more than a decade without success. These
policies overestimate incentives for private action and misalign
government and private sector responsibilities.
    Like other new technologies in the past--airplanes, cars, steam
engines--the appeal and the benefits are so great that we have rushed
to adopt the Internet despite serious safety problems. These problems
are amplified by the global connectivity of the new infrastructure, as
the speed of Internet connections means that geographical distance
provides little in the way of protection. For those earlier
technologies, safety came about through innovation driven by government
mandates, and by agreements among nations. The same process of
development is necessary to secure cyberspace. The Cybersecurity Act of
2009 could play a vital role in this improvement.
    This will not be an easy task. The United States does not like to
deal with market failure. This has been true since the earliest days of
the republic. Steam engines, although notoriously unsafe, had to wait
forty years until a series of savage accidents costing hundreds of lives
led Congress to impose safety regulations. Automobile safety rules took
more than half a century and initially faced strong opposition from
manufacturers. The initial air safety regulations appeared only
twenty-three years after the first flight.
There is the recurring hope that
``intellect and practical science,'' as a 19th Century
Congressional report explaining why regulation was unnecessary for
steamboats put it, will lead to improvement via some automatic and
self-correcting market process and without government intervention.
    Just as cars were not built to be safe until government pressure
changed auto manufacturers' behavior, cyberspace will not be secure
until government forces improvement. Twelve years of reliance on
voluntary efforts and self-regulation have put us in an untenable
situation. Some may argue that a move away from the market or a greater
emphasis on security or a larger role for government will damage
innovation in cyberspace. This argument is in part a reflection of
competition among various bureaucracies, advanced to protect turf, but
it also reflects a misunderstanding of the nature of innovation. There
are grounds to be concerned about the ability of the U.S. to innovate
when compared to other nations, but the real obstacles are a weak
education system, poorly designed tax policies, damaging immigration
rules, and mis-investment that makes it hard to develop new
technologies and competitors. Removing these obstacles would be
politically difficult and face strong opposition. It is easier to
insist instead that keeping the Internet open and anonymous or bringing
broadband to underserved areas will somehow generate growth. Greater
security is more likely to increase innovation, by reducing the loss of
intellectual property and by increasing demand for more valuable
Internet services.
    Another reason put forward for not taking action is the supposedly
borderless nature of cyberspace. The pioneers of cyberspace wanted
their new creation to be a global commons, a shared space that no one
owns.
The designers of the Internet built the network to reflect their \nvalues, which were non-hierarchical and to a degree, anti-authoritarian \nand anti-government. One of the original cyberspace theorists was also \na songwriter for the Grateful Dead, and it was he who issued the famous \nDeclaration of Independence of cyberspace, saying there was no room or \nneed for governments. Cyberspace would be a global commons where a \nself-organizing community could invent and create.\n    This is an ill-conceived notion that continues to distort our \nthinking. Cyberspace is an artificial construct produced by machines. \nThose machines are all owned by individuals or organizations and all \nexist in some physical location that is subject to the sovereign \ncontrol of some nation.\n    Cyberspace is like the public space in a shopping mall, a ``pseudo \ncommons'' or a condominium.\n    In some instances, of course, such as the Internet Engineering Task \nForce or the Open Source Software Movement, this vision of an open, \nnonhierarchical community has worked exceptionally well. But to use a \nhistorical analogy, many of the pioneers of the Internet expected \nWoodstock and the ``Summer of Love,'' instead they got Altamont and the \nHells Angels. The combination of unplanned global access, porous \ntechnologies, and weak governance makes this newly critical \ninfrastructure exceptionally vulnerable. As our reliance as a nation \nincreases, so does our vulnerability to remote exploitation and perhaps \nattack.\n    Cyberspace is not a global commons. It is a shared global \ninfrastructure. There is rarely a moment when a collection of bits \nmoving from one computer to another is not actually on a network that \nsomeone owns and that is physically located in a sovereign state. The \nexceptions might be undersea cables or satellite transmissions, but the \naction still takes place on an owned facility where the owner is subject \nto some country and its laws. 
At best, this is a ``pseudo \ncommons.'' It looks like a commons but actually is not, as someone owns \nthe resources in question and that someone is subject to the laws of \nsome nation. Cyberspace is in fact more like a condominium, where \nthere are many contiguous owners.\n    Governance of this condominium is both weak and fragmented. There \nare no agreed rules, other than business contracts, and no \n``condominium board,'' no process to develop rules. Action in \ncyberspace takes place in a context defined by commercial law and \nbusiness contracts. When the United States commercialized the Internet, \nit chose this legal construct to accommodate business activity, but it is \ninadequate for security, particularly as the Internet spread to \ncountries around the world and to nations with very different values \nand laws.\n    The proposed legislation would go a long way to correct these \nproblems. To put the problem in a larger perspective, it is time to \nmove from the policies created in the pioneer phase of the Internet. It \nis time to close the Wild West. This will require a broad rethinking of \nAmerican law and policy, and will require adapting to the technologies \nwe now depend on. It will need new kinds of international agreements, \nnew standards and rules for industry, and new approaches to the \nprofessionalization of those who operate networks. This is no small \ntask but, judging from experience, it is inevitable. This process has \noccurred before, often with help from the government. The Commerce \nDepartment of the 1920s, for example, encouraged several major \nindustries, including the automotive and radio industries, to \nstandardize, to professionalize, and to create associations and rules \nthat serve the public interest.\n    A ``one size fits all'' strategy will not work. We will need to \nmanage international engagement, critical infrastructure regulation, \nand economic stability all at the same time. 
Progress faces significant \nobstacles. There are legitimate concerns over civil liberties. There \nare strong business interests in avoiding regulation. And there are the \ntattered remnants of a vision of cyberspace as some kind of utopian \nfrontier. Governance is a central issue for each of these. Governance \nis the process for creating rules, resolving disputes, and ensuring \ncompliance. Our beliefs about the nature of cyberspace have downplayed \nthe role of formal governance and now we are paying the price. Changing \nthis, as we did for steamboats, cars and airplanes, is part of the \nlong-term process to adjust to the new environment created by technological \nchange.\n    This bill contains many of the essential elements of the new \napproach we need. A comprehensive national strategy that considers all \naspects of national security and puts forward a long-term vision for \ncyberspace is an essential starting point for making this new \ninfrastructure secure. It will be essential, of course, to avoid merely \nrepeating the formulas of 1998 or 2003 in a new strategy. We've heard \nrepeatedly that there is a shortfall of individuals with the requisite \nskills for cybersecurity. The scholarships, competitions and workforce \nplans outlined in this bill would go a long way to repair this. The \nlegal review and the intelligence assessment are long overdue. The call \nfor the creation of a response and restoration developed with the \nprivate sector that the President could implement in a crisis is \ncrucial for national defense.\n    As with any major piece of legislation, there will be considerable \ncriticism. Some of this criticism is ideological, some reflects self-\ninterest, and some is the result of a healthy skepticism as to our \nability to carry out some of the ambitious measures contained in the \nbill. 
There was initially concern that emphasizing the authorities the \nPresident already has to intervene in network operations during a \ncrisis would somehow give the ability to shut off the Internet. This \nstemmed mainly from an inaccurate reading of the bill and perhaps from \nthe desire to preserve the notion of cyberspace as an untrammeled \ncommons where government has little or no role. Frankly, efforts to \ndeny the President adequate authority in a crisis are like expressing a \npreference for Katrina-like disaster management. I hope we can do \nbetter.\n    No one ever disagrees with the notion of more education, but the \nmore contentious aspect of the workforce development is the requirement \nfor certification and training. Being able to certify that someone has \nthe necessary skill and knowledge is a requisite part of \nprofessionalization. We do this for doctors, lawyers, pilots, barbers, \nplumbers and real estate agents. Some certification requirements are \nFederal, many are developed by states. Many in the IT industry believe \nthat they are not ready for this step. Certification requires knowing \nwhat is useful and necessary and being able to teach it and test it. It is \non the former that there is disagreement--that we do not know what is \nnecessary for security.\n    This may have been true at one time but I believe it is changing. \nIn the last few years, as people have been able to collect more data on \nsecurity problems, to develop metrics, and to identify steps that will \nreduce risk, it is possible to think of a training program for \ncybersecurity. This is part of a larger move from compliance-driven \nsecurity, which has largely failed, to performance-driven security. The \nconcept of a cybersecurity dashboard found in Section 203 reflects this \nshift to a data-driven approach to cybersecurity. 
The Act, if passed, \nwill accelerate the development and professionalization of those parts \nof cyberspace that provide critical services to the Nation.\n    These are all politically difficult issues, but this situation is \nnot new. Every time a new technology has reshaped business, warfare and \nsociety, there has been a lag in developing the rules--law, judicial \nprecedents, regulations--needed to safeguard society. Cyberspace is \ndifferent in its global scope and in the immediate nature of the damage \nAmerica suffers. Waiting for some natural process or perfect solution \nnot only puts our Nation at risk, it gives our opponents an advantage. \nWe would be well served if Congress passed this bill.\n\n    The Chairman. Thank you, sir.\n    Mr. Borg.\n\n  STATEMENT OF SCOTT BORG, DIRECTOR AND CHIEF ECONOMIST, U.S. \n                    CYBER CONSEQUENCES UNIT\n\n    Mr. Borg. Thank you for inviting me.\n    My name is Scott Borg. Oh, I should turn this on. I'm the \nDirector of the U.S. Cyber Consequences Unit. This is an \nindependent, nonprofit, research institute that investigates \nthe economic and strategic consequences of cyber attacks. We \nsupply our results only to the U.S. Government and to the \npublic.\n    At the USCCU, I've had the privilege of leading an \nextraordinary team of cybersecurity experts, economists, and \nother investigators, many of whom have national reputations. \nThis team has included Warren Axelrod, John Bumgarner, Joel \nGordes, Ben Mazzotta, Michael Mylrea, Ardith Spence, Paul \nThompson, Charles Wheeler, and a number of others.\n    Since 2004, we have been visiting facilities in critical \ninfrastructure industries, and interviewing employees, to \ndetermine what cyber attacks are actually possible and what \ntheir consequences would be. 
We have been given access to the \nbusiness records of large critical infrastructure corporations \nso that we could analyze their dependence on their suppliers \nand their customers' dependence on them. We've developed \npowerful conceptual frameworks and analytic tools for making \nsense of this information.\n    There are three points I would like to make today. First, \ncyber attacks are already damaging the American economy much \nmore than is generally recognized. Second, the biggest growth \nopportunities for the American economy all depend on better \ncybersecurity. Third, in order to get the improved \ncybersecurity we urgently need, we must fix a number of broken \nor missing markets.\n    The greatest damage to the American economy from cyber \nattacks is due to massive thefts of business information. This \ntype of loss is delayed and hard to measure, but it is much \ngreater than the losses due to personal identity theft and the \nassociated credit card fraud. The reason the loss from \ninformation theft is so great is that we really do operate in \nan information economy. The amount of value a company can \ncreate and capture is generally proportionate to the amount of \ninformation that it can utilize that its global competitors \ncan't.\n    Education is economically important because it allows us to \ncreate and apply more information. The greater portion of the \nvalue, even in most manufactured goods, is not in the materials \nfrom which things are made, but in the information they \ncontain. A modern automobile or airplane, from an economic \nstandpoint, is primarily an information product.\n    To understand what this means, think of how a company makes \nmoney. It introduces a new product or a new feature, and \ncollects a premium from it until its competitors start offering \nsomething comparable. Even after that, the company will \nprobably still be able to make a profit on that item because it \nwill know how to produce it for less. 
When a new production \nfacility opens, there will typically be a 5- to 15-percent drop \nin costs each year for the first 3 to 6 years. This is because \nthe company is learning how to do everything more efficiently; \nit's about information. The amount by which the company's costs \nare lower than the costs of its competitors is normally all \nprofit.\n    Now think what happens if the company's information is \nstolen. The period during which it can collect a premium will \nbe reduced to almost nothing, because the competitors will be \nable to offer a comparable product almost right away. The \nprofits due to lower costs will be gone, because the \ncompetitors will have all the detailed information that made \nthe greater efficiencies possible. The competitors' costs will \nactually be lower than those of the victimized company, because \nthe competitors won't have the expense of creating the \ninformation. Instead of collecting a healthy profit, the \nvictimized company might now be struggling to survive.\n    Most of the other factors allowing companies to prosper can \nalso be wiped out by information thefts. To get an idea of the \neffect of information thefts on the larger economy, imagine \nthis sort of example multiplied thousands of times.\n    The biggest large-scale growth opportunities for the \nAmerican economy also depend on better cybersecurity. This is \nbecause nearly all the more innovative ways of creating value \nneed information technology to be developed efficiently.\n    There are eight big growth opportunities that I've been \nable to identify. I think you've been given a list of them. \nThese include things like the flexible re-allocation of \ncapacity, which lies behind the Smart Grid and cloud computing; \nmobile information support, which boosts efficiency of tools \nlike electronic medical records; and smart products, which \nallow products, such as smart phones, to increasingly contain \nservices. 
Examining this list reveals that each of these \nopportunities requires networked computers, and is vulnerable \nto cyber attacks. Awareness of this is the main thing that is \nslowing down the implementation of many of these strategies. \nAnd most of them could be brought to a screeching halt by a \ngreater awareness of the vulnerabilities they're introducing.\n    The solutions to these problems are not something that the \ngovernment can directly legislate into existence. The reason is \nthat both the information technology and the techniques \nemployed in cyber attacks are developing so rapidly. If the \ngovernment tries to mandate standards, they will be out of \ndate, and an actual impediment to better security, before they \ncan be applied. This is not like fire codes for building \nconstruction, where the big changes take decades. We don't \nknow what the minimum code of cybersecurity should look like 4 \nyears from now.\n    If there's any area of the American economy that needs \ncreative entrepreneurial problem-solving, it is, therefore, \ncybersecurity. Yet, our markets are currently not delivering \nthe improvements in cybersecurity at anything like the \nnecessary rate. In some cases, they are not delivering \nimprovements at all.\n    When markets are not functioning properly, there are \nidentifiable reasons. I think you've got a list of these \nreasons; there happen to be six of them. Sometimes it's because \ncompanies are not being charged for all of their costs or paid \nfor all the benefits they produce. Other times, the individual \nagents are not adequately motivated to act in the long-term \nbest interests of their company. Still other times, there isn't \nenough information available for good market choices.\n    Each of these market problems, each of these market \nbreakdowns, has possible remedies. 
It's these remedies to the \nmarket failures that should be at the center of our discussion \nof how to improve our cybersecurity.\n    Thank you.\n    [The prepared statement of Mr. Borg follows:]\n\n    Prepared Statement of Scott Borg, Director and Chief Economist, \n                      U.S. Cyber Consequences Unit\n    Thank you for inviting me. My name is Scott Borg. I am the Director \nof the U.S. Cyber Consequences Unit. This is an independent, non-profit \nresearch institute that investigates the economic and strategic \nconsequences of cyber attacks. We supply our results only to the U.S. \nGovernment and to the public. At the US-CCU, I have had the privilege \nof leading an extraordinary team of cyber-security experts, economists, \nand other investigators, many of whom are nationally famous in their \nfields. This team has included Warren Axelrod, John Bumgarner, Joel \nGordes, Ben Mazzotta, Michael Mylrea, Ardith Spence, Paul Thompson, \nCharles Wheeler, and a number of others. Since 2004, we have been \nvisiting facilities in critical infrastructure industries and \ninterviewing employees to determine what cyber attacks are actually \npossible and what their effects would be. We have been given access to \nthe business records of large critical infrastructure corporations, so \nthat we could analyze their dependence on their suppliers and their \ncustomers' dependence on them. 
We have developed powerful conceptual \nframeworks and analytic tools for making sense of this information.\n    There are three points I would like to make today:\n\n        First, cyber attacks are already damaging the American economy \n        much more than is generally recognized.\n\n        Second, the biggest growth opportunities for the American \n        economy all depend on better cyber security.\n\n        Third, in order to get the improved cyber security we urgently \n        need, we must fix a number of broken or missing markets.\n\n    The greatest damage to the American economy from cyber attacks is \ndue to massive thefts of business information. This type of loss is \ndelayed and hard to measure, but it is much greater than the losses due \nto personal identity theft and the associated credit card fraud. The \nreason the loss from information theft is so great is that we really do \noperate in an information economy. The amount of value a company can \ncreate and capture is generally proportionate to the amount of \ninformation it can utilize that its global competitors can't. Education \nis economically important because it allows us to create and apply more \ninformation. The greater portion of the value, even in most \nmanufactured goods, is not in the materials from which things are made, \nbut in the information they contain. A modern automobile or airplane, \nfrom an economic standpoint, is primarily an information product.\n    To understand what this means, think of how a company makes money. \nIt introduces a new product or new feature and collects a premium for \nit until its competitors start offering something comparable. Even \nafter that, the company will probably still be able to make a profit on \nthat item, because it will know how to produce it for less. When a new \nproduction facility opens, there will typically be a five to fifteen \npercent drop in costs each year for the first three to six years. 
This is \nbecause the company is learning how to do everything more efficiently. \nThe amount by which the company's costs are lower than the costs of its \ncompetitors is normally all profit.\n    Now think of what happens if the company's information is stolen. \nThe period during which it can collect a premium will be reduced to \nalmost nothing, because the competitors will be able to offer an \nequivalent product right away. The profits due to lower costs will be \ngone, because the competitors will have all the detailed information \nthat made the greater efficiencies possible. The competitors' costs \nwill actually be lower than those of the victimized company, because \nthe competitors won't have the expense of creating the information. \nInstead of collecting a healthy profit, the victimized company might \nnow be struggling to survive.\n    Most of the other factors allowing companies to prosper can also be \nwiped out by information thefts. To get an idea of the effect of \ninformation thefts on the larger economy, imagine this sort of example \nmultiplied thousands of times.\n    The biggest large-scale growth opportunities for the American \neconomy also depend on better cyber security. This is because nearly \nall of the more innovative ways of creating value need information \ntechnology to be implemented efficiently.\n    There are eight big growth opportunities that I have been able to \nidentify. These include things like the Flexible Re-Allocation of \nCapacity, which is what lies behind the smart grid and cloud computing, \nMobile Information Support, which boosts efficiency with tools like \nelectronic medical records, and Smart Products, which will allow \nmaterial products, such as smart phones, to increasingly ``contain \nservices.''\n    Examining this list reveals that each of these opportunities \nrequires networked computers and is vulnerable to cyber attacks. 
An \nawareness of this is the main thing that has already been holding back \nthe adoption of practices like cloud computing. More important, nearly \nall of these economic initiatives, including the smart grid and \nelectronic medical records, could be brought to a screeching halt by a \ngreater awareness of the vulnerabilities that they are introducing.\n    The solutions to these problems are not something that the \ngovernment can directly legislate into existence. The reason is that \nboth the information technology and the techniques employed in cyber \nattacks are developing so rapidly. If the government tries to mandate \nstandards, they will be out of date--and an actual impediment to better \nsecurity--before they can be applied. This is not like fire codes in \nbuilding construction, where the big changes take decades. We don't \nknow what the minimum code for cyber security should look like 4 years \nfrom now.\n    If there is any area of the American economy that needs creative, \nentrepreneurial problem solving, it is therefore cyber security. Yet \nour markets are not currently delivering improvements in cyber security \nat anything like the necessary rate. In some cases, they are not \ndelivering improvements at all.\n    When markets are not functioning properly, there are identifiable \nreasons. Sometimes companies are not being charged for all of their \ncosts or paid for all of the benefits they produce. Other times, the \nindividual agents are not adequately motivated to act in the long term \nbest interests of their company. Still other times, there isn't enough \ninformation available for good market choices. There are six such \nreasons altogether, and each suggests possible remedies. It is these \nmarket remedies that should be at the center of our discussions on how \nto save our economy from the destructive effects of cyber attacks.\n    Thank you.\n\n    The Chairman. 
Thank you, sir, very much.\n    And now Mary Ann Davidson, from Oracle, please.\n\n                STATEMENT OF MARY ANN DAVIDSON, \n           CHIEF SECURITY OFFICER, ORACLE CORPORATION\n\n    Ms. Davidson. Chairman Rockefeller and members of the \nCommittee, I'm Mary Ann Davidson, the Chief Security Officer \nfor Oracle.\n    I appreciate the opportunity to appear before you today, \nand I want to commend the Committee for tackling the difficult \nissue of cybersecurity and for including industry in the \ndrafting process of cybersecurity legislation, since \npartnership between government and the private sector is \ncritical to secure our common infrastructure.\n    I have two specific recommendations to address the present \nand future challenges of securing critical infrastructure. \nFirst, we need to change the educational system so that we have \na cadre of people who know that critical cyberinfrastructure \nwill be attacked and to design and build accordingly and \ndefensively. Second, we need to stop upping the ante on \nexposing critical infrastructure to, in some cases, large \nsystemic risk.\n    Some have proposed that we certify cybersecurity \nprofessionals to improve the protection of critical \ninfrastructure. However, you can't secure something that was \nnot designed or built to be secure. Putting it differently, do \nwe certify interior decorators or the people who built the \nhouse? It's architects and engineers and contractors who are \nprofessionally licensed, not the people who move furniture \naround and pick out color schemes, as important as that is.\n    Those who build software used in critical infrastructure do \nnot, in general, design and code defensively, because they're \nnot educated to do it. And yet, too many universities fiddle \nwhile Rome burns, or at least fiddle while Rome is being \nhacked. 
Several years ago, Oracle sent letters to the top \nuniversities we recruit from, telling them that we spend \nmillions of dollars fixing avoidable, preventable coding errors \nin software that create security vulnerabilities. We have to \ntrain all computer science graduates in how to write secure \ncode, because they were not taught this at universities. \nUniversities need to change their curricula to address this \nclear and present deficiency. And the security of commercial \nsoftware has become a national security issue. Oracle received \nprecisely one response to this letter, and that was a request \nfor money. Is there a more tone-deaf response than that?\n    We must act now to change the educational system for all \ncomputer science and computer-related degree programs, \nincluding industrial control systems, so they include security \nthroughout the degree program. We should insist that \nuniversities submit a plan to alter their curricula, and we \nshould link government research funding to phased change. If \nparents can tell their toddlers that they don't get any dessert \nuntil they eat their peas, the U.S. Government can certainly \ntie monies to computer-related curricula change.\n    Something else we can do today is stop making cybersecurity \nworse by using technology in ways we know very well we cannot \nsecure and that creates huge systemic risk. We need look no \nfurther than the recent financial system meltdown in which \nmassive computer programs could quantify all kinds of risk \nexcept the most important one: systemic risk.\n    One such area is Smart Grid, the idea that powerplants can \nuse near-realtime measurements on usage--devices in your home--\nso we can price power better, be smarter about usage and build \nfewer plants. Nobody is opposed to doing more with less, \nunless, of course, the ``more'' includes a lot more risk.\n    And here's what we do know. 
We know we cannot secure \nmillions of IP-based clients; the millions of PCs that have \nbeen co-opted into botnets are proof of that. We know that the \nSCADA protocols used in control systems were not designed to be \nattack resistant; they were originally used in \nelectromechanical systems, where you had to physically access \nthe control, turn the knob, and so on. Now we are increasingly \nmoving to IP-based control systems and connecting them to \ncorporate networks that, in turn, are connected to the \nInternet.\n    We know that some Smart Grid devices are hackable. For \nexample, a prototype worm developed by a security research firm \nwas able, in a simulated attack--thank heavens--to spread from \nmeter to meter to take out power in more than 15,000 homes in \n24 hours. We know that terrorists are increasingly interested \nin targeting utility grids. We know that there are PDAs--\ndigital assistants--that talk SCADA, because it's just so \nexpensive to send a technician to the plant. Dare I say, move \nthe control rods in and out of the reactor? There's an app for \nthat. Will we one day scram a reactor when someone was merely \ntrying to answer the phone?\n    And last, we know that the people designing and building \nthese systems are not taught secure, defensive programming any \nmore than computer programmers are.\n    There are two things we can do now, and must do now. We \nshould insist on some standards, through existing standards \nbodies, of Smart Grid components. NIST, for example, has led a \ncybersecurity working group that recently released a second \ndraft of Smart Grid Cybersecurity Strategy and Requirements \ndocument. Good on them.\n    Second, we need better transparency on how Smart Grid \ncomponents are built and of what they are built. 
There are some \nmechanisms that can help establish this transparency, such as \nthe Common Criteria, which is ISO-standard, and the Department \nof Homeland Security materials on improving software assurance \nand acquisition.\n    Last, we do not think of the New Testament as a guide to \ncritical infrastructure protection, and yet, Jesus contrasted \nthe man who built his house on a rock with, quote, ``a foolish \nman who built his house on sand.'' The rain came down, the \nstreams rose, and the winds blew and beat against that house, \nand it fell with a great crash. The Gospel of Matthew.\n    This is an apt description of securing critical \ninfrastructure. If our infrastructure builders do not \nunderstand the difference between building on rock and building \non sand, our house will collapse in the first good rainstorm.\n    Thank you, and I'll be happy to take your questions.\n    The Chairman. Thank you.\n    [The prepared statement of Ms. Davidson follows:]\n\n   Prepared Statement of Mary Ann Davidson, Chief Security Officer, \n                           Oracle Corporation\n    Chairman Rockefeller, Ranking Member Hutchison, and members of the \nCommittee, I am Mary Ann Davidson, Chief Security Officer for Oracle. I \nappreciate the opportunity to appear before you today, and I also want \nto commend the committee for tackling the issue of cyber security--it's \na very tough and multi-faceted issue. I also want to thank the \ncommittee for including industry in the drafting process of cyber \nsecurity legislation, partnership between government and the private \nsector is critical for making our public infrastructure safe and \nsecure.\n    When many of us were young, we looked up to superheroes: Superman, \nBatman, Aquaman and Wonder Woman: the people who could do almost \nanything and were unstoppable (except--perhaps--by Kryptonite). 
When we \ngrew up, most of us realized that there are no superheroes: many \nproblems are very difficult to solve and require a lot of hard work by \na lot of smart people to fix. So it is with the security of critical \ninfrastructure: we cannot shine a signal in the sky and expect \nSuperNerd to come and save us.\n    Many intelligent people have proposed a number of ways we can help \ndefine the problem of critical infrastructure protection as it relates \nto cybersecurity, ``bound'' the problem space and improve it. There are \ntwo specific recommendations that may help stem the problems of the \npresent and change the dynamics of the future: both are necessary to \nhelp secure not only today's but tomorrow's critical \ncyberinfrastructure.\n    First, we need to change our collective mindset so that elements of \ncritical cyber infrastructure are designed, developed and delivered to \nbe secure. We do that in part by changing the educational system so \nthat we have a cadre of people who know that critical cyber \ninfrastructure will be attacked--and they build accordingly and \ndefensively. We do not generally think of the New Testament as a guide \nto critical infrastructure protection, yet consider the parable of the \nbuilders, in which Jesus contrasts the man who built his house on rock \nwith ``. . . a foolish man who built his house on sand. The rain came \ndown, the streams rose, and the winds blew and beat against that house, \nand it fell with a great crash'' (Matthew 7:24-27). 
This parable is an \napt description of the problems in securing critical infrastructure: if \nour infrastructure ``builders'' do not understand the difference \nbetween building on rock and building on sand, our house will collapse \nin the first good rainstorm.\n    The second recommendation is more straightforward: we need to stop \n``upping the ante'' on exposing critical infrastructure to--in some \ncases--unknowable risk--and we should walk away from the gambling \ntables until we both understand the odds and the odds are better. What \nwe know now is that we continue to expose critical infrastructure to \nthe Internet in the interests of saving money, which massively \nincreases our attack surface, we do not, in many cases, know how \nexposed we are, and we have determined enemies. ``Doubling down'' is \nnot a strategy--except a strategy for catastrophic loss.\nChanging the Educational System\n    One of many cybersecurity risks the Department of Defense is \nconcerned with involves the supply chain of software--more \nspecifically, the risk that someone, somewhere will put something both \nbad and undetectable in computer code that will allow enemies to attack \nus more easily. However, that is but one type of supply chain risk we \nshould worry about and perhaps not even the most critical one. In fact, \n``the software supply chain'' at a fundamental level includes the \npeople who design, code and build software. We should worry about the \nsupply chain of people as much or more than the supply chain of \nsoftware itself, because those who design, code and build software \ndon't know how to build it securely and the institutions--with some \nnotable exceptions--who educate them either don't know or do not care \nto know how woefully inadequate their educational programs are. (Some \nuniversities, of course, do care about security and have invested in \nimproving their computer science curricula accordingly. 
Kudos to them.)\n    If we were having a rash of bridge failures, and we discovered that \nuniversities were failing to teach structural engineering to civil \nengineers, we would not be discussing how to redesign tollbooths and \ntrain tollbooth operators, or teach people how to drive safely on \nbridges. Similarly, proposals to ``certify more cybersecurity \nprofessionals'' are only a remedy for the cyber threats to critical \ninfrastructure if we understand the problem certifications attempt to \nsolve and ensure that we focus on the right set of professionals to \ncertify. This is especially true since ``cybersecurity professionals'' \nthese days may well include Chad, the 12-year-old who installs anti-\nvirus on his technophobic grandparents' computer.\n    Several years ago Oracle sent letters to the top 10 or 12 \nuniversities we recruit from \\1\\--more specifically, to the chair of \nthe computer science (CS) (or equivalent) department and the dean of \nthe school in which the computer science department resided--telling \nthem that:\n---------------------------------------------------------------------------\n    \\1\\ A heavily redacted form of this letter is available at http://\nwww.oracle.com/security/docs/mary-annletter.pdf and a larger discussion \nof the supply chain ``personnel'' issue is available at http://\nblogs.oracle.com/maryanndavidson/2008/04/the_supply_chain_problem.html.\n---------------------------------------------------------------------------\n\n        a. We spent millions of dollars fixing avoidable, preventable \n        coding errors in software that lead to exploitable security \n        vulnerabilities;\n\n        b. We have to train CS graduates in how to write secure code \n        because they were not taught these skills in computer science \n        programs;\n\n        c. We need universities to change their curricula to address \n        this clear and present educational deficiency; and\n\n        d. 
The security of commercial software has become a national \n        security issue.\n\n    Oracle received precisely one response to these letters, and that \nwas a request for money to enable that university to create a ``secure \nprogramming class.'' In the last 6 months, a representative of that same \nuniversity--at a Department of Homeland Security Software Assurance \nForum no less--said publicly (and in apparent reference to the Oracle \nletter) that his institution's graduates were ``too good'' for vendors \nlike Oracle.\n    It's hard to imagine a more tone-deaf response to a ``customer'' \nrequest for a better ``product.''\n    Some have proposed that we certify ``cybersecurity professionals'' \nto improve the protection of our critical infrastructure. However, \ncertifying cybersecurity professionals--presuming we could define the \nterm precisely enough to avoid certifying absolutely everybody who \ntouches an information technology (IT)-based system--is too late in the \ngame. You can't secure something that was not designed to be secure or \nthat has holes big enough to drive the QEII through. Putting it \ndifferently, in the physical world, do we certify interior decorators \nor the people who build the house? It's architects, engineers and \ncontractors who are professionally licensed, not the people who move \nfurniture around and pick out color schemes. (No disrespect to security \nadministrators--or interior designers--is intended by this comparison; \nthe fact remains that cybersecurity professionals cannot necessarily \nsecure a system that was not designed to be secure.)\n    In the physical world, engineering degree programs are accredited \nand engineering is a profession. Engineering graduates take the \nengineer-in-training (EIT) exam--proof that they learned and absorbed \nbasic engineering principles in their degree program as part of their \ncareer progression. 
Most who choose to actually practice the \nengineering profession must become a licensed professional engineer \n(PE). While it is true--as many academics are quick to point out--that \nwe understand the physics of, say, bridge design, and there are--as \nyet--no ``physics'' of computer systems, that does not mean that we \nshould not expect people who are being educated in computer science to \nknow both what we know now, and what we do not know: specifically, how \nto think about complexity and risk. At any rate, the fact that Oracle \nand other large software vendors almost universally must teach the \nbasics of computer security to computer science graduates building IT-\nbased infrastructure should give all of us pause.\n    We know that embedding sound principles in curricula and \nreinforcing those principles throughout a degree program works: this is \nwhy physics is a ``core'' course for engineers and why civil engineers \ncannot conveniently ignore physics in upper level classes. We also know \nthat an increasing number of professions involve computers and thus the \nneed for ``security''--embedded and reinforced throughout a number of \ncurricula and a number of classes within those curricula--is critical. \nControl system design, for example, absolutely must include an \nawareness of sound security principles or we will merely repeat the \nmistakes we have already made. And yet, too many universities continue \nto fiddle while Rome burns, or at least, fiddle while Rome is hacked.\n    A modest proposal in pursuit of curricula change would be to link \ngovernment research funding to phased educational reform in computer \nand computer-related degree programs. That is, cutting off all money \nuntil the curricula is fixed is counterproductive (as it penalizes \ninstitutions that actually are making positive changes even if they are \nnot ``there'' yet). 
But we can certainly demand that universities \nsubmit a plan to alter their curricula that includes specific delivery \ndates for curricula change and insist that they make those changes as \ndelivered--or else. Currently, there is no forcing function to change \neducation. Many university professors are tenured and thus have no \nincentive to ``cure.'' One of the few market forces we can exert is \nmoney--such as grant money. If parents can tell their toddlers that \nthey don't get any dessert until they eat their peas, the U.S. \nGovernment can certainly tie research funds to phased curricula change.\n    There are two additional reasons to--immediately and with some \nurgency--forcefully impose curricula change on the universities that \ndeliver the pipeline of people building critical cyber-infrastructure. \nThe first is that we are already out of time: when the Soviet Union \nlaunched Sputnik, it lit up the skies and lit up our eyes. The U.S. \nrapidly moved to dramatically improve the science and technology focus \nof our educational system so that we, too, could conquer space. As \nregards cybersecurity, we have already had our Sputnik moment: in fact, \nwe in cybersecurity have such moments over and over, every single day. \nThe most damning comment one could make about the recent Google-China \nheadlines is that for those of us in industry, it was merely the \nexclamation point on a long narrative, not an opening soliloquy.\n    The second reason is that everybody is looking for expertise to \nsecure what we have today--not to mention, what we are building in our \nheadlong rush to site critical infrastructure upon technical ``sand.'' \nFor example, the Department of Homeland Security has stated that they \nwant to hire 1000 cybersecurity professionals.\\2\\ Where will they find \nthem? The military is standing up cyber commands \\3\\ and it seems \nincreasingly obvious that wars of the future will increasingly take \nplace in the cyber realm. 
Where are these future attackers and \ndefenders to come from?\n---------------------------------------------------------------------------\n    \\2\\ http://www.cnn.com/2009/POLITICS/10/02/dhs.cybersecurity.jobs/\nindex.html.\n    \\3\\ http://www.informationweek.com/news/government/security/\nshowArticle.jhtml?articleID\n=222600639.\n---------------------------------------------------------------------------\n    In particular, the military views technology as a force multiplier \nand their information systems increasingly form the background of their \nability to fight wars. What possible confidence can the military have \nthat the network elements on which they base their ability to prosecute \nwar can be trusted if the people who built them do not understand at a \nvery basic level that all software can and will be attacked? The people \ndesigning and building software do not, in general, think, design and \ncode defensively because they are not educated to do it. We might as \nwell be turning out Marines who don't know that they have enemies, or \nwhat a firefight is or what ``take the hill'' means. The results would \nbe and are predictable. Marines are lethal in no small part because \nthey know there are enemies, and they train to annihilate them.\nSlow Our Exposure to Systemic Risk\n    There is an old saying that goes, ``quit while you are behind, and \nwhen you are in a hole, don't dig.'' Nowhere is this truth more evident \nthan in our rush to increase the interconnectedness of critical \ninfrastructure and its exposure to the Internet--an exposure that \ncreates risks that we do not understand and thus cannot mitigate. We \nembrace the interconnectedness because the benefits--and cost savings--\nseem clear, but the risks are murky. No sensible person, of course, \nshould say that we cannot do anything that involves risk. 
Life is about \nassuming risk.\n    That said, and as a cautionary tale of assuming risks we do not \nunderstand, we need look no further than the recent financial system \nmeltdown in which massive computer programs could quantify all kinds of \nrisk except the most important one: systemic risk. The financial \nsuperheroes ``in charge'' and the brilliant ``quants'' that were their \nsuper-sidekicks got it wrong. Nobody really knew the degree to which \nentity A was exposed to entity B and what would happen if the thread \nbetween them was snipped. It turns out, systemic financial risk was the \nKryptonite that brought down Superman.\n    Alas, a lot of technophiles pushing new ``problems'' we need \nsophisticated IT-based solutions for, or those eagerly embracing new \nuses (and abuses) of technology, do not realize that everything--\nincluding technology--has limits. The ``limits'' are not necessarily \nthose of bandwidth, or protocols we haven't invented yet. The most \nimportant limitation is our inability to make rational, informed \ndecisions about risk because of complexities we simply cannot fathom.\n    In the many discussions on what the government can do to fix \ncybersecurity, including ``spend more money on research,'' and \n``certify cybersecurity professionals,'' it is worth noting that no \nsingle proposal will ``save us,'' and certainly not any time soon. \nThere is, however, one thing we can do today: stop making cybersecurity \nworse by rushing to use technology in ways we know very well we cannot \nsecure and that create huge systemic, unknown (and thus unmitigateable) \nrisk.\n    One such area is smart grid. The general idea, we are told, is to \nallow power plants to: (a) get lots of near-real time measurements on \npower consumption (e.g., from your house) to better price power \nconsumption accordingly and (b) do remote maintenance of grid elements \n(e.g., deployed in your house). 
If we can do better demand pricing we \ncan build fewer plants and be ``smarter'' about power usage. Nobody is \nnecessarily opposed to ``do more with less'' premises, with one big \ncaveat: what if the ``more'' is ``more risk''--a lot more? More, in \nfact, than we can fathom. What we know about smart grid should--if not \nscare us--at least induce a very large gulp:\n\n  <bullet> We already know we cannot secure millions of Internet \n        protocol (IP)-based clients: it's hard enough to secure \n        servers. The millions of PCs that have been co-opted into \n        botnets are proof enough of that.\n\n  <bullet> We know that the SCADA (Supervisory Control and Data \n        Acquisition) protocols used in control systems were not \n        designed to be attack resistant: they were originally used in \n        electro-mechanical systems where you had to physically access \n        the control to use it (i.e., turn the knob).\n\n  <bullet> We know people are increasingly moving to Internet protocol \n        (IP)-based control systems, and connecting them to corporate \n        networks that are, in turn, connected to the Internet. 
We thus \n        know that people can access controls for things they shouldn't \n        be able to from places they aren't supposed to be able to.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ http://www.c4-security.com/\nThe%20Dark%20Side%20of%20the%20Smart%20Grid%20-\n%20Smart%20Meters%20%28in%29Security.pdf.\n\n  <bullet> We know that many of the smart grid devices that have \n        already been deployed are hackable.\\5\\ For example, a prototype \n        worm developed by a security research firm was able--in a \n        simulated attack--to spread from meter to meter to take out \n        power in more than 15,000 homes in 24 hours.\\6\\\n---------------------------------------------------------------------------\n    \\5\\ http://rdist.root.org/2010/02/15/reverse-engineering-a-smart-\nmeter/.\n    \\6\\ http://www.wired.com/threatlevel/2009/10/smartgrid.\n\n  <bullet> We know that terrorists are increasingly interested in \n        targeting utility grids and in developing their hacking \n        expertise to be able to do so.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ http://www.scmagazineus.com/critical-condition-utility-\ninfrastructure/article/161689/.\n---------------------------------------------------------------------------\n\n  <bullet> We know that smart grid concepts are also starting to be \n        implemented in gas and water utilities.\n\n  <bullet> We know that people have built personal digital assistants \n        (PDAs) that ``talk SCADA'' because ``it's so expensive to send \n        a technician to the plant.'' (It won't be long before we hear: \n        ``Move the control rods in and out of the reactor? 
There's an \n        app for that!'' Some day we may have a power plant meltdown \n        when all someone was trying to do is answer the phone.)\n\n  <bullet> And, last, we know that the people designing and building \n        these systems were never taught ``secure/defensive \n        programming'' any more than computer programmers were.\n\n    What we can infer from all the above is that the rush to ``save \nmoney'' is being done by people who fundamentally do not understand \nthat they are vastly increasing the potential risk of a cyber attack \nthat can be launched from any home. Against the grid itself. In a way \nthat we do not know how to mitigate. In an increasingly hostile world. \nIf we think saving money on critical infrastructure is more important \nthan protecting it we might as well start sending the Marines into \ncombat with slingshots (so much cheaper than M16s) and expecting them \nto secure our Nation. Neither is acceptable, and both will involve \nneedless and senseless loss of life.\n    Before we keep trying to ``do more with less,'' let's take a deep \nbreath, step back and think seriously about worst cases and how we \navoid them in the first place. Hoping our enemies won't exploit a big \nshiny new attack vector once we've deployed is not a strategy. Actually \nminimizing the attack surface is.\n    There are a couple of things we can do to slow the lemming-like \nrush over the smart grid cliff. One of them is to insist on some \nstandards (through existing standard setting bodies)--if not actual \ncertification--of smart grid components. 
NIST, for example, has led a \nCyber Security Working Group that recently released a second draft of \nthe ``Smart Grid Cyber Security Strategy and Requirements'' document.\\8\\ \nIt's a start.\n---------------------------------------------------------------------------\n    \\8\\ http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/\nNISTIR7628Feb2010.\n---------------------------------------------------------------------------\n    Second, we need a better transparency around how ``smart grid'' \ncomponents are built, and of what they are built--given a lot of the \nunderlying components may be commercial software that was not \nnecessarily designed for the threat environment in which it will be \ndeployed. It will also help those building critical infrastructure to \nknow how robust the ``building materials'' are. There are existing \nmechanisms that can help establish that transparency, such as the \nCommon Criteria (International Standards Organization (ISO)-15408) and \nthe Department of Homeland Security (DHS) materials on improving \nsoftware assurance in acquisition.\\9\\\n---------------------------------------------------------------------------\n    \\9\\ https://buildsecurityin.us-cert.gov/swa/downloads/\nSwA_in_Acquisition_102208.pdf.\n---------------------------------------------------------------------------\n    Without knowing how software was built, and what care was and was \nnot taken in development--we are building a house from components we \nknow nothing about and hoping the resultant structure is sound. It \nisn't merely that a house built on sand cannot stand, it's that a house \nbuilt of ice won't survive in the tropics and a house built of some \ntypes of wood won't survive in a termite-friendly environment. Without \nknowing what components are being used in the house, how they were \ndesigned and built--and with what assumptions--we have no idea whether \neven a house built on rock is going to stick around for the long haul. 
\nThere are, after all, earthquake zones.\n    It may seem difficult to change the status quo, and yet we have to \nbelieve in the capacity for positive change--even if that embraces a \nclear and abrupt departure from the status quo. As the prophet Isaiah \nsaid, ``Whether you turn to the right or to the left, your ears will \nhear a voice behind you, saying, `This is the way; walk in it.' Then \nyou will defile your idols overlaid with silver and your images covered \nwith gold; you will throw them away . . . and say to them, `Away with \nyou!' '' So be it.\n\n    The Chairman. And, finally, Rear Admiral Barnett, Chief, \nPublic Safety and Homeland Security Bureau, Federal \nCommunications Commission.\n\nSTATEMENT OF JAMES ARDEN ``JAMIE'' BARNETT, JR., REAR ADMIRAL, \n   USN (RETIRED), CHIEF, PUBLIC SAFETY AND HOMELAND SECURITY \n                          BUREAU, FCC\n\n    Admiral Barnett. Thank you, Mr. Chairman and distinguished \nmembers of the Committee. Thank you for the opportunity to \ntestify on this important topic.\n    My remarks to you today are focused on the transformation \nof communications by the Internet and broadband technologies, \nthe cyberthreat that transformation has engendered, and how the \nrole of the FCC to ensure communications is being invigorated \nto meet the challenge of the cyberthreat.\n    Advanced broadband communication technologies have \ndramatically changed the lives of Americans by enriching the way \nthat we communicate, learn, work, and live. Virtually all major \ncommunication networks are now connected to the Internet; and, \nfor that reason, those communication networks are vulnerable to \ncyber attacks.\n    Most cyber attacks target information systems attached to \ncommunication networks--the edge or end-users--not the \ncommunications infrastructure itself. Nonetheless, \ncommunications infrastructures are not immune to cyber attacks, \nand they have vulnerabilities. We should not have a false sense \nof safety. 
A successful attack on communication networks could \nhave a severe or even catastrophic effect.\n    The FCC has an important role to play in securing broadband \ncommunications infrastructures in conjunction with our Federal \npartners. We are the congressionally mandated regulatory agency \nwith authority over communication providers and communication \nnetworks, and we must face the new reality that cyberthreats \nnow imperil our communication networks.\n    When I came to--came aboard as the Chief of the Public \nSafety and Homeland Security Bureau at the FCC, our Chairman, \nChairman Julius Genachowski, asked me to convene a working \ngroup to examine the Commission's cybersecurity posture and \nrecommend courses of action. This group delivered a report to \nthe Chairman, and many of its recommendations will be addressed \nin the National Broadband Plan that will be delivered to \nCongress next month, in March. In the report, and in the \nNational Broadband Plan, we developed a roadmap to fulfill our \ncybersecurity role and responsibilities. And I'd like to \naddress just a few points in that--from that roadmap.\n    First, the FCC can provide the Nation a much greater \nsituational awareness of the status and performance of the \nInternet, including attacks, than it currently possesses. Many \nof the owners and operators of the backbone of the Internet are \ncommunications companies who are licensees of the FCC. One of \nthe reasons why the communications in America are so reliable \nis that, under FCC rules, those licensees provide us with near-\nrealtime data on network outages and problems, so that we can \nanalyze that data and work on solutions. 
We also have a \nsuccessful voluntary program of reporting in times of disasters \nand emergencies.\n    If these near-realtime outage and incident reporting \nsystems were extended to the Internet, the FCC could provide \nthe Nation with an enhanced situational awareness of attacks \nand incidents and provide vital information for defense against \nattacks and restoration of communications.\n    Second, there are things that FCC can do to prevent or \nmitigate the effects of cyber attacks. For example, a previous \nFCC Federal Advisory Committee, the Network Reliability and \nInteroperability Council, or NRIC, developed a set of detailed \ncybersecurity best practices that are intended to be \nimplemented by communication providers on a voluntary basis. \nWe're exploring the creation of a voluntary certification \nprogram, possibly using these best practices as criteria to \nprovide network operators with additional incentives to improve \ntheir cybersecurity posture. And we're also looking to other \nvoluntary incentives.\n    In December 2009, the FCC launched a new expert advisory \npanel called the Communications Security Reliability and \nInteroperability Council, or CSRIC, to examine and recommend \nother cybersecurity solutions, such as how to stem the stream \nof malware that arrives at our networks.\n    We're increasing our contacts with communication regulators \nin other nations, since cyberspace and security are not local, \nbut are truly global. We're at the start of a long journey, \nworking with our Federal partners and with industry to secure \nour Nation's vital infrastructure against new and rapidly \nevolving threats. 
And, Chairman, we are determined to do so.\n    Thank you for your--the opportunity to testify.\n    [The prepared statement of Admiral Barnett follows:]\n\nPrepared Statement of James Arden ``Jamie'' Barnett, Jr., Rear Admiral, \n USN (Retired), Chief, Public Safety and Homeland Security Bureau, FCC\n    Senator Rockefeller, Ranking Member Hutchison and distinguished \nmembers of the Committee, thank you for the opportunity to testify on \nthe important topic of cyber security, and thank you for your \nleadership in holding this hearing to address this urgent problem.\n    My remarks to you today are focused on the transformation of \ncommunications by the Internet and broadband technologies, the cyber \nthreat that transformation has engendered, and how the traditional role \nof the Federal Communications Commission to ensure communications is \nbeing invigorated to meet the challenge of the cyber threat.\n    Advanced broadband communications technologies have dramatically \nchanged the lives of Americans and others around the globe by enriching \nthe way they communicate, learn, work and live. The Internet, which \nrelies on broadband communications infrastructure, is now a central \npart of American interaction of all types. However, the manner in which \nthe Internet developed has left it exposed to cyber attacks. \nSpecifically, the Internet, which started as a small research network, \nhas evolved into a global network connecting over a billion people who \nrely on it for social, economic, educational and political \napplications, among others. The Internet's core design philosophy was \ninitially based on easy connectivity. The underlying Internet protocols \nand architecture were not designed to be secure. 
As Internet usage has \nincreased and has become mainstreamed for everyday life, communications \nproviders have responded by adding features to improve the security of \ntheir infrastructure and the services that ride on it.\n    As the public and private sectors continue to move toward more \nonline usage, bad actors, including criminals, have begun to lurk in \nthe shadows of cyberspace where they can launch costly attacks on end-\nusers. In 2008, the FBI Internet Crime Complaint Center logged $265 \nmillion in reported losses for Internet users, the highest loss ever \nreported. No one is immune from attack, whether consumers, government \nusers or even our Nation's most sophisticated companies. Last year, it \nwas reported that ten to twenty terabytes of data were pilfered from \nU.S. Government networks by a foreign entity, and in January Google \nreported that it was subject to a sophisticated attack originating from \nChina. Reports show that at least ten other large companies, including \nfinance, media and chemical companies, have been the targets of similar \nattacks. As attacks become more persistent, breaching computer systems \nand establishing a foothold, these attackers are able to compromise \npersonal, confidential and classified information. We have seen the \neffects of dedicated cyber attacks on Estonia and the Republic of \nGeorgia. Critical infrastructure sectors, such as energy, finance and \ntransportation, can all fall victim to these attacks.\n    All major communications networks are now connected to the \nInternet, and for that reason, those communications networks are \nvulnerable to cyber attacks. Most cyber attacks target information \nsystems attached to communications networks, the edge or end-users, not \nthe communications infrastructure itself. Cyber attackers currently \ntend to view the communications infrastructure as the necessary \nsuperhighway that will carry them to their victim. 
Accordingly, they \nare reluctant to make it impassable.\n    Nonetheless, communications infrastructures are not immune to cyber \nattacks, and they have known vulnerabilities. Accordingly, we should \nnot have a false sense of satisfaction with regard to the survivability \nof our broadband infrastructure. A successful attack on communications \nnetworks can affect all end-users that rely on broadband \ninfrastructure. For example, as 9-1-1 networks migrate from today's \ntechnologies to Internet-based technologies, concerns about the \nvulnerability of these systems to cyber attacks have mounted. A \nsuccessful attack on such a network could severely obstruct the ability \nof our first responders to even know of emergencies.\n    We cannot allow the absence of a successful attack to make us \ncomplacent. The FCC has an important role to play in securing broadband \ncommunications infrastructures. We are the Congressionally-mandated \nregulatory agency with authority over communications providers and \ncommunications networks. We must face the new reality that cyber threat \nnow imperils our communications networks and therefore our wellbeing \nand even lives.\n    With the changing shape of the telecommunications infrastructure \nand usage patterns, it is incumbent on the FCC to reassess our role in \ncyber security. When I came aboard as Chief of the Public Safety and \nHomeland Security Bureau, FCC Chairman Genachowski asked me to convene \na ninety-day working group to examine the Commission's cyber security \nposture and recommend future courses of action. This group delivered \nits report to the Chairman on November 30, 2009, and many of its \nrecommendations will be addressed in the National Broadband Plan that \nwill be submitted to Congress in March. Our Working Group report \ndemonstrates the critical role that the FCC has in cyber security, in \nconjunction with its Federal partners. 
This report, in conjunction with \nthe National Broadband Plan, leads us to our plan to become further \nengaged in cyber security. To this end, we have developed a roadmap in \nwhich we plan to address cyber security utilizing our past experience, \ntechnical expertise and our regulatory relationship with the FCC's \nlicensees to protect the communications infrastructure. I would like to \nmention six major points from that roadmap.\n    First, we believe, based on past experience, that many cyber \nsecurity challenges can be met through public-private partnership \narrangements with industry. However, it would be ill-advised to assume \nthat intervention is not needed. In some cases, obligations may be \nnecessary. The Commission has a vital role to play in these situations, \nand we will be working to craft a regulatory approach to cyber security \nthat strikes the right balance.\n    Second, we believe there are things the FCC can do to prevent or \nmitigate the effects of cyber attacks. For example, recently, the \nNetwork Reliability and Interoperability Council, an FCC Federal \nadvisory committee consisting of leading industry executives and \npractitioners, developed a set of detailed cyber security best practices \nthat are intended to be implemented by communications providers on a \nvoluntary basis.\n    We believe the opportunity exists for us to build on these best \npractices to provide network operators additional ability to improve \ntheir cyber security and to increase the adoption of these best \npractices. A recent survey by PricewaterhouseCoopers found that \norganizations following best practices experienced significantly lower \nimpact from cyber attacks, something that commercial industry should \nfind attractive. 
We believe, based on this survey, that we should \nexplore methods, such as voluntary certification of compliance with \nbest practices, that would create market-based incentives to increase \ncyber security.\n    Third, we believe that a significant area for FCC involvement in \ncyber security is to secure and analyze additional data received from \nall broadband service providers concerning network and service \ndisruptions. However, our past experience in receiving data from \ncommunications providers concerning disruptions in their networks has \nproven effective at providing us early warning of potential \nproblems and attacks on the Nation's existing communications \ninfrastructure. This information allows us, working with our Federal \npartners and the communications industry, to expedite restoration of \nservice. Our work, which is based on a sector-wide view of \ncommunications outages, also allows us to spot industry-wide or \ncarrier-specific reliability and security matters. We use this \ninformation in conjunction with DHS and communications providers to \nproduce long-term improvements. For example, we recently observed a \nstatistically significant upward trend in the number of events \naffecting wireline carriers. We worked with industry to establish a \nteam of experts who examined the data in closer detail and developed a \nset of recommendations. In the intervening months we have measured a 28 \npercent decline in this category of outages. Obtaining similar \ninformation from broadband and Internet service providers would enable \nthe FCC and its Federal partners to work with industry on sustained \nimprovements to Internet-based infrastructure. 
We are currently \nexamining the best path forward to obtain this information.\n    A fourth way in which we are exploring more active involvement in \ncybersecurity is to increase our ability to prepare reports which contain \nsituational awareness on broadband communications infrastructure during \ndisasters for use by our Federal partners, such as the Department of \nHomeland Security (DHS). We currently gather such data for traditional \ncommunications, and it has proven invaluable in emergency management \nand communications restoration. Accordingly, we plan to coordinate with \nDHS and communications providers in the near future to plan and \nimplement a cyber attack situational awareness system.\n    Fifth, another avenue we are pursuing is how to best address the \nconstant stream of malware arriving at the network, frequently from \nend-users who are not aware that their systems are compromised. The \nCommission has recently established an advisory committee, the \nCommunications Security, Reliability and Interoperability Council, \nknown as CSRIC. An important function of the Council is to examine this \nproblem and to recommend methods that communications providers can \nimplement to protect their networks from malicious traffic. We expect \nto see reports from this Council in the near-term.\n    Sixth, and finally, cybersecurity is by nature international. The \nnetworks are global, the threats are worldwide, and the human component \nis universal. Through the State Department, the Commission participates \nin various international activities and fora such as the United Nations \nInternational Telecommunication Union (ITU) in which cyber security is \nan issue. Cyber security is increasingly raised as an issue in \ndiscussions with foreign regulators and at international meetings and \nconferences, and the international aspects of cyber security are also a \nmore prevalent topic in the domestic arena. 
Going forward, there will \nbe an increased need, and opportunities, for greater FCC participation in \nactivities involving international aspects of cybersecurity--both in \nthe United States and abroad.\n    My intention has been to describe to you our vision of the FCC's \nrole in cyberspace and what we are doing to secure our critical \ncommunications infrastructure in a broadband world. We are at the start \nof a long journey, working with our Federal partners and industry, to \nsecure our Nation's vital infrastructure against a new and rapidly \nevolving threat, and we are determined to do so.\n    Thank you for the opportunity to speak to you today.\n\n    The Chairman. Thank you very much, Admiral Barnett.\n    Let me ask the first question. The--this is directed to \nAdmiral McConnell and Mr. Borg and to Ms. Davidson.\n    You all talked, in various ways, about the need to have \npeople understand this at a very early age. You know, this--\nthey say, you know, kids are too fat these days, we ought to do \nmore exercise. Those things are--exercise is being cut out, \nsports are being cut out, and sort of crowding the curriculum \nis a really tough thing to do. On the other hand, if people \ndon't understand the threat of cybersecurity, it's all lose \nfrom now on.\n    I made the point, Ms. Davidson, that 85 percent of the \ncritical infrastructure in this country is owned and \ncontrolled by the private sector. And we found, as we were--at \nleast I found, as we were drafting this legislation, that \ncompanies--I'm not saying Oracle; I'm not necessarily saying \nbig telecommunications companies--but, companies tended to \nresist the idea of the government sort of getting in the way of \nwhat they were already doing, which they felt to be adequate. 
\nNow, my experience in general security with large companies, \nand particularly like powerplants and chemical plants backed up \nagainst rivers, and the rivers are patrolled by the Coast \nGuard, except, of course, that there aren't enough boats or \npeople, so they're really not controlled by the Coast Guard, so \nthey're all vulnerable, but they say they're doing the job, and \nthus, they--they're--you know, we had a lot of engagement with \nindustry. And so--and I look at your testimony here, Ms. \nDavidson, and it's interesting, because I'm not sure what \nyou're saying. Your second recommendation, we need to stop \nupping the ante, as you said, on exposing critical \ninfrastructure--in some cases, unknowable risk--and we should \nwalk away from the gambling tables until we both understand the \nodds, and the odds are better. Doubling down is not a strategy, \nexcept a strategy for catastrophic loss.\n    Now, what I'm--what I'd like the three of you to comment on \nis, in that I think we all agree there has to be this \ncoordination between government and the private sector, are \nyou, in a sense, walking away, saying, ``We have to let time \npass so that people understand this problem better and kids--\nit's part of their curriculum''? And--or are you not? And, \nAdmiral and Mr. Borg, if you could comment on this problem of \nhow--don't we have to take action really soon? But, then, \nyou've already said, whatever action--I think, Mr. Borg, you \ndid--whatever action we take is going to be outdated in 3 years \nanyway. So, talk to me a little bit about this business of \ncooperation, what we do. Is legislation any good? What do you \npropose?\n    Admiral.\n    Admiral McConnell. Sir, let me use an example that touched \nme personally. I'm old enough to remember Sputnik. And that \nhappened in 1957. And shortly after, the--an Act was passed. I \ndon't recall the exact name, something to the effect of the \nNational Defense Education Act. 
I went to college on that Act, \nand it's likely I would not have gone to college except for \nthat Act. So, when I talk about an education bill--you heard in \nmy opening comments, I think the Nation reacts to two things: \ncrisis and money. Crisis will move us to act, money will move \nus to act. So, if there is a bill that invests in the \nyoungsters of this Nation to make them smart about cyber and \ncyber issues, and safe code, and secure code, and so on, I \nthink we will start to mitigate this problem.\n    I'll use an example. One of my colleagues is Gene--Dr. Gene \nSpafford, at Purdue. Early mover, wonderful program, struggling \nto keep it alive, because there's no interest or funding in it. \nSo, I think, since we react to crisis or money, that it's going \nto take an investment, probably something on the order of the \nNational Security Education Act of 1958, for us to address this \nproblem. And if we do that, I think we'll make progress.\n    The Chairman. Will we make progress simply because people \ngrow up and go into business and go into government and, \ntherefore, work things out? Or----\n    Admiral McConnell. It's----\n    The Chairman.--it's a necessary starting point, no matter \nwhat happens.\n    Admiral McConnell.--it is a necessary starting point. And, \nfor me, the example is, we put a man on the moon in 10 years. \nSo, Sputnik happened, the bill was passed, lots of engineers \nand scientists and physicists, and so on, that were educated. \nAnd when President Kennedy set it as a goal, then, 10 years, we \nactually did it. So, for me, it's a necessary step to get us \nstarted so we have the skill sets.\n    Now, one of the things I'm worried about is, we are \nsignificantly outnumbered, in terms of population in China, in \nIndia, and other places. So, we don't have a birthright to \nintelligence. I mean, there are smart people all over the \nworld. It's an even distribution. And others are investing in \nthis in a major, major way. 
So, if we're going to compete and \nbe competitive and influence the world for a global standard in \ncooperation in this arena, in my view, we have to produce the \nelectrical engineers, computer scientists, and other technical \ntalents that will allow us to do this.\n    The Chairman. OK. So, we--that is stipulated. I think there \nwould be no argument on that at all.\n    In this matter of cooperation between government and \nbusiness, and the point I raised, Ms. Davidson, about ``How do \nI interpret what you said?''--I know that it was basically the \nbusiness community that came in and said, ``Look, we're fine. We \nknow what we're doing on this.'' I'm simplifying a little bit, \nobviously. But, ``We don't need the government involved in \nthis.'' The Admiral and others are saying that the government \nhas to be involved in this, or else nothing really is going to \nhappen. And so, I don't--when you say ``walking away,'' I want \nto know what you mean.\n    Ms. Davidson. What I meant by that was, there's an \nexpression, ``Quit while you're behind, and when you're in a \nhole, don't dig.'' And the reason I use Smart Grid--and I was \nvery careful there; I didn't say, ``Oh, let's not do anything \nthat's insecure.'' You know, everything in life is about \nassuming some risk. My concern is our failure to understand \nsystemic risk and going forward. And based on what we know \nnow--and all of those comments had footnotes to external \nreports--what we see here is--this looks like we're assuming an \nasymmetric risk we don't understand. I didn't say, ``Let's not \ndo more with less.''\n    The Chairman. But, you did say----\n    Ms. Davidson. ``Let's not make use of technology.''\n    The Chairman.--doubling down is not a strategy, except a \nstrategy for catastrophic loss.\n    Ms. Davidson. I did say that. And my comment was that we \ncontinue to look at more ways we can use an IP-based backbone, \nwhen we know, today, we cannot secure clients. 
And that's, on a \ntechnical level, saying, ``OK, if I have to physically go in a \nplant to turn a knob to do something bad, that's something I \ncan limit.'' If I'm now putting a device in everyone's home \nthat may or may not--that's the question mark--be appropriately \ndesigned for a threat environment, you know, then I'm basically \nsaying, ``OK, now I've got a million ways to get into \nsomething.'' Now----\n    The Chairman. Well, my----\n    Ms. Davidson. So, what I'm saying is----\n    The Chairman.--my time is----\n    Ms. Davidson.--is, let's understand--try to understand the \nsystemic risk. Let's look at how we actually impose enough \norder that we understand what kind of risk we're assuming. \nRight now, some of these devices have been hacked. We don't \nknow how they're built. We don't know whether--there is no \ncertification program for the devices. I have concerns about \nthat----\n    The Chairman. All right. Look----\n    Ms. Davidson.--based on just what I know.\n    The Chairman.--my time is out, OK? My time is out, and you \nhave to respect the rules of this committee.\n    I want to come back to you, because I don't think you've \nanswered the--my basic question. I think you've reaffirmed my \nconcern, ``Until people understand everything, or until \neverything is prepared, don't act.'' Now, you do say you're \ngoing to act in two ways, but I want to get back to that.\n    In the meantime, Senator Snowe.\n    Senator Snowe. Thank you, Mr. Chairman.\n    I guess it gets back to the question about, What will be \neffective incentives for the private sector? I mean, if the \nprivate sector owns and operates 85 percent of the \ninfrastructure, then obviously we have to concentrate on \nproviding the essential incentives for them to adapt.\n    What do you think would be effective private-market \nincentives, and is that the appropriate focus? Should we compel \nthem? 
Should we create incentives, in terms of adopting best \npractices versus mandating standards? What approach do you \nbelieve we should take that would be the most effective in that \nregard?\n    Admiral McConnell?\n    Admiral McConnell. What I attempted to do in my opening \nremarks--to make the analogy that in those historical cycles, \nwe go through this each time. So, if we were having this \ndiscussion about railroads and robber-barons, you know, way \nback in the 1880s, those that were in the railroad business \nwould argue very strongly, ``We don't want the government \ninvolved.'' So, what we did was have legislation to break it up \nand regulate it, and so on.\n    So, the way I would think about it is, the current system \nis not secure; and so, without prescribing exactly what the \nanswers are, it is a requirement to make it more secure. Now, \nthere is talent that exists to have that dialogue, and in a \nconstructive way. It will introduce tension in the system. \nThere will be those that argue that we shouldn't do this. There \nwill be those that say the Government's going to spy on its own \ncitizens, and so on. But, it is setting an objective to make it \nsecure, to achieve the basic elements of security--the basic \nelements of making something secure, which I tried to \nhighlight, with authentication and so on. Those things are \nessential when the transactions are of such significance they \naffect a broad portion of the population.\n    So, I think, properly framed, we could create such a \nframework that would cause us to move forward in that \ndirection. But, it would be required; it would be mandated. \nBecause industry is not going to embrace this unless they're \nforced to do it.\n    Senator Snowe. Yes. Dr. Lewis? Dr. Borg?\n    Dr. Lewis. Let me--I was a regulator for 3 years, right? 
\nAnd what I found is that most companies will try and do the \nright thing, and some companies will always do the right thing, \nand some companies will never do the right thing; and so, if \nyou don't compel them, you're not going to get the right thing. \nAnd since this is a network, and they're all connected, if 10 \npercent don't do the right thing, then 100 percent could be \nvulnerable.\n    So, incentives are great, but what I'd also say is, How do \nyou ensure compliance? And that leads me to a mandatory \napproach.\n    Senator Snowe. Yes. Dr. Borg?\n    Mr. Borg. Yes, I urgently would like to talk about this, \nbut I hardly know where to start.\n    I think the government urgently needs to do something. I \nthink most of the things in your bill, broadly speaking, need \nto be done. However, we have a lot of things here that aren't \nworking in the markets. Government intervention is needed to \nhelp those things to work.\n    The sheet that I waved--that I held up--lists 21 things \nthat you could consider doing to help markets function better. \nSome of those things you're already proposing to do; some of \nthem are already in your bill. But, there are many other ways \nin which these markets are not working.\n    There's a tendency, left over from the Cold War, to think \nthat we have two choices where markets are concerned. One is to \nbe the commissar and dictate from the government what everybody \nshould do, and the other is to go, ``Whoopee, let's hope the \nmarkets will do it on their own.''\n    In fact, markets are engineered into existence, and the way \nthey work is greatly shaped by government policy. 
Things that \nthe government decides about what kind of information should be \nmade available can hugely shape the way a market functions.\n    In this area, we have a number of markets where there's \ninsufficient information for any of the participants with the \nbest intention in the world to do the right thing; there is \njust no way they can make the right choices, where \ncybersecurity is concerned.\n    We have other situations where there are financial \nimpediments to them doing the right thing. I completely agree \nwith James Lewis, that we have a lot of people out there who \nwould do the right thing, but we shouldn't be penalizing them \nfor doing so.\n    We have other situations where people are ready to jump in \nand supply the kind of security that is needed--supply products \nthat will provide the right security, but there are economic \nimpediments for them doing that.\n    So, there's a whole area here that needs to be--opened up \nfor discussion, a whole area of possible government action \nthat's really not being addressed.\n    Senator Snowe. Ms. Davidson, would you care to comment, or \nAdmiral Barnett?\n    Ms. Davidson. So, there are lots of ways to correct \nmarkets--market imbalances. And, you know, we can talk, as a \npublic policy issue, about, Is this more effective or that more \neffective, or is it regulatory or something else? One of the \nthings I have pushed for, because I think it could be \neffective, is--and I believe I talked about this in the context \nof Smart Grid, but I talked about it in a much larger context--\nis a little more transparency around how people build their \nsoftware. Why is that important? Because at least the people \nwho are taking a piece of software that may not have been \ndesigned for some particular purpose, but is general-purpose \nsoftware, need to understand what was done and not done. 
You \nknow, we know more about used cars than you do about a lot of \npieces of software that are used in really large systems. So, \nat least forcing some transparency, which is what DHS was \ntrying to get at, would require someone to show, What did you \ndo, and not do, in development? My entire group--purpose in \nliving is to enforce compliance around our own organization \nwhich is that transparency. You know, which groups do, and do \nnot do, particular things. And how we build software goes to a \nsecurity oversight board and it goes to our chief executive \nofficer. So, we know, at any point in time, here's where we \nare, in terms of complying with our own development processes. \nWe state it is--what we believe are to be best practices.\n    Now, is that perfect? No. Does it mean that somebody, maybe \nin the Defense Department, who's buying a piece of software and \ngoing to deploy it in some system we have no knowledge of, \nunderstands what they're getting and not getting?\n    Forcing transparency, by the way--it's a strange analogy--\nit's the bathing-suit test. When someone puts on a bathing suit \naround March, and they know they're going to go out in the \nwater in June, by and large, they're going to look at \nthemselves and say, ``I look terrible. I need to get a trainer, \ncut out the carbs. I want to look good next to the three other \npeople at the beach.'' So, forcing more transparency actually \ndoes elevate people's performance, in that you're probably \ngoing to do no--more if you know that someone's looking over \nyour shoulder. It's not perfect; it won't cure everything, but \nI think that, as part of that correcting that market imbalance, \nis--people need to understand, ``You gave me a piece of \nsoftware. What does it do, and not do? How well does it do it? \nAnd what did you engineer into this? 
And what were your \nassumptions about how it was going to be used and who is going \nto attack it?'' That's not perfect, but it's a good start.\n    Senator Snowe. Thank you.\n    Ms. Davidson. And the government could enforce that, \nthrough procurement.\n    Admiral McConnell. Senator, could I offer one other----\n    Senator Snowe. Yes.\n    Admiral McConnell.--quick comment--example. In the late \n1960s, early 1970s, the United States dominated the \nsemiconductor industry. At a point in time, we went from 80 \npercent to 20 percent. So, we had to do something about that, \nbecause it was so vital to us. So, what we did was create a \npublic-private partnership. It goes by the name of Symantec. \nAnd Symantec--I think, it--I don't get the--remember the exact \nnumbers, about 250 million on the government side, about 250 \nmillion on the private-sector side. We recaptured the \nsemiconductor industry. That's the kind of thing that we could \ninvest in here, with regard to cybersecurity. It would create \nthe transparency that the case has been made well for. If----\n    So, there are a series of things that could be done to put \nus in a position to create the kind of infrastructure that we \nneed that's secure enough to do the Nation's business.\n    Senator Snowe. That's an interesting analogy.\n    Thank you.\n    The Chairman. Thank you, Senator Snowe.\n    Senator Ensign.\n\n                STATEMENT OF HON. JOHN ENSIGN, \n                    U.S. SENATOR FROM NEVADA\n\n    Senator Ensign. Thank you, Mr. Chairman.\n    I agree with you, in how important and how critical these \nissues are to our Nation's economy and our national security; \nit's very important that we have this hearing today and that we \nexplore it going forward into the future. 
And I appreciate the \ninput of our witnesses today on an incredibly complex issue.\n    Admiral McConnell, I have a great deal of respect for you, \nbut when you're talking about security in other industries, the \nInternet and technology today is changing so much more rapidly \nthan any of those other industries ever did. And also remember \nthat with railroads we came in much later. The airline \nindustry, as well. I mean, can you imagine if the government \nwould have come in too early, for instance, in the airline \nindustry, before it became a mature industry?\n    The question is somewhat about balance. We do want to make \nsure that innovation occurs, as well. But, cybersecurity is \nvery, very important for all of us; for all of our personal \nidentities; for our financial security, where somebody could \nsteal the money out of your bank account; for protecting some \nof these critical systems that we have, like Smart Grids; and \nfor all of the other things that you all have laid out today.\n    Getting to a question, I would ask each one of you to \nsuccinctly talk about what you believe is the single biggest \ncybersecurity vulnerability that we have today. If you could \ntell this committee just one thing, what would you say the \ngovernment should focus on?\n    Admiral McConnell. I'll go first, if that's all right.\n    Senator Ensign. Yes. Just right down the line.\n    Admiral McConnell. The area would be the financial system, \nbecause it--as the comments I made earlier about it being \nvulnerable. And the issue is, the authorities for dealing with \nit are divided by statute, and it's compartmentalized in \nboundaries. 
So, as a nation, cyber respects no boundaries; and \nso, it's going to take some action on the Hill for various \ncommittees who oversee pieces to address it more holistically \nfor the integration of the problem.\n    So, if you think about it as communications, exploitation \nof communications, attack of communications, or defense of \ncommunication, different statutes, different departments, \ndifferent committees, and it's, How would you put that together \nin a way that you can ensure the effect of successful \ncommunications while doing the things that would allow you to \ngain insight of a potential adversary and then mitigate the \nrisk at network speeds, which are milliseconds? So, that's the \nchallenge.\n    Senator Ensign. Dr. Lewis?\n    Dr. Lewis. We, in our report of December 2008, said that \nthe one thing you ought to focus on is securing cyberspace. And \nthere were three components to that: the financial grid, as \nyou've heard; the electrical grid; and the telecommunications \nnetworks.\n    And so, I would say you need to think about, What is it \nthat gives us this wonderful capability to do things over the \nInternet? And you need those three things. Focus on them.\n    Senator Ensign. OK.\n    Mr. Borg?\n    Mr. Borg. Three of us here were on the Cyber Commission and \nheartily endorse that report that Jim wrote.\n    It's--the center of all this has got to be, however, \ncritical infrastructure industries. That's what we mostly need \nto protect. That's what could do us the greatest damage. That's \nwhere the government needs to be focusing its attention.\n    Right now, if an electrical company wants to improve its \ncybersecurity, it can't get permission to pass on the minute \nrate increase that that requires; it can't get permission from \nthe local regulatory organizations.\n    With the best desire in the world to improve security, the \nimpediments to these companies doing the right thing are really \ngreat. 
So, one of the first things to do is to remove the \nimpediments and make sure that there is a positive incentive to \ntake care of these urgent issues.\n    Senator Ensign. OK.\n    Ms. Davidson?\n    Ms. Davidson. I would certainly echo what my colleagues \nhave said, but I also want to distinguish between something \nthat is important but not urgent. And that--it still gets back \nto this educational system, particularly college systems. We \ndon't send Marines out to take the hill who don't understand \nthat there are enemies--they will attack them--what weapons to \nuse and how to secure the perimeter. And yet, we are training--\nthe people who build IT systems are building infrastructure. \nThey don't understand that they're building infrastructure, \nwith all that that implies, and they particularly do not \nunderstand the difference between things--you know, good input, \nbad input, and evil input. Until we change the mindset of \npeople to understand their systems will be attacked, and to \nbuild and design accordingly, we're not going to change the \nstructure. We might address it today or next year, but the next \ngeneration coming forward will not understand that we're \ncontinuing to build infrastructure, and the responsibilities. \nWe have to invest, today, in changing the mindset, and that's \nthe educational system.\n    Senator Ensign. Admiral Barnett, before you answer--Ms. \nDavidson, you mentioned the government hanging carrots out \nthere. We give them a lot of money from the Federal Government \nto tie in certain things. Remember, however, the private sector \nalso has great influence. I know Oracle is trying to get the \nuniversities included. 
But, collectively, the private sector \ncould have greater influence, because there's a lot of money \nthat comes from private donors to the universities, as well, \nand I would encourage you all to get together, and especially \nwith some of the larger donors who understand the critical \nimportance of what you were just talking about, to encourage \nthe universities to change what they're doing. And so, maybe we \ncould hit it from both sides.\n    Ms. Davidson. Thank you.\n    Senator Ensign. Thank you.\n    Admiral Barnett?\n    Admiral Barnett. Senator Ensign, it may be somewhat a \nparochial answer, but, obviously, coming from the FCC, we see \nmaking the telecommunications networks and infrastructure \nsecure to be a primary focus. We--you know, of course, going \nback to Senator Snowe's question, as well, the front line, of \ncourse, are private companies--the commercial things. But, \nthere may be a role for regulation in such things as Admiral \nMcConnell mentioned earlier, such as authentication, identity \nmanagement, that could help secure--and you can't have \npiecemeal answers to that. A regulatory framework may be able \nto help bolster the private companies in protecting our \ntelecommunications infrastructure.\n    Senator Ensign. Thank you.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you very much, Senator Ensign.\n    Senator Pryor.\n\n                 STATEMENT OF HON. MARK PRYOR, \n                   U.S. SENATOR FROM ARKANSAS\n\n    Senator Pryor. Thank you, Mr. Chairman, and thank you for \nholding this hearing.\n    Admiral Barnett, I'd like to start with you, if possible.\n    And when I think of the FCC----\n    The Chairman. Incidentally, Senator--I mean, Admiral \nMcConnell has to leave in about 5 minutes, so if--particularly \nif anybody has questions for him.\n    Excuse me. Go ahead.\n    Senator Pryor. OK. 
Thank you.\n    When I think of the FCC, I think of, you know, your role of \nregulating, say, telecommunications, for example, and making \nsure there's competition and consumer protection, and all those \ntypes of things. But, are you saying that there--FCC does have \na role in protecting our communications and our Internet?\n    Admiral Barnett. Senator, what I would say is that we have \na role in making sure that we have the best policies and best \npractices to ensure. I mean, our traditional role in--under the \nCommunications Act is to ensure and promote that there is a \nvast, reliable, nationwide, global wire and radio \ncommunications system. To the degree that the Internet is now \nconnected to our communication networks, the FCC has a role in \ndoing that. And so, what we have to do as we go forward is make \nsure that we are continually looking at those policies and \nmaking sure that we are bolstering our networks. So, yes, sir, \nwe do have a role.\n    Senator Ensign. Ms. Davidson, let me ask, if I may. We've \nheard a lot today about the public sector and the private \nsector. I think, obviously, we all need to do a better job of \nworking together to come up with smart policies, in a lot of \ndifferent ways, to make all this happen like it should. But, \nright now, can the private sector talk amongst themselves about \nwhat's going on out there, and can you share information? Or \nwhen you start doing that, do you start to get into an \nantitrust problem or another environment that companies either \ncan't do legally or are just reluctant to do because of \ncompetition?\n    Ms. Davidson. You know, I think some of that's out of my \narea of expertise. I have been told that there are sometimes \nsome challenges. A lot of the--a lot of it has to do with--at \nsome point, it's knowing who you're dealing with. 
People talk a \nlot about information sharing, and I'm all for that, but we \nneed to remember, information sharing is a tactic, not a \nstrategy. So, it gets down to information sharing about what, \nfor what purpose, with whom, and how is that going to be used? \nSo, I'm sorry I can't give you a better answer. I'll be very \nhappy to research it and get back to you to make sure I'm \ngiving you a more precise one.\n    Senator Ensign. Admiral Barnett.\n    Admiral Barnett. Senator, if you don't mind me jumping in \non that. But, that is one of the things that I think the FCC \ncan help. Right now, we've had a very--a great deal of success \nin the traditional communications world by getting information \non outages and problems in the communications network. Because \ncompanies are not--competitors are not going to be willing, nor \nis it proper for them, to share that information with each \nother. And yet, at the FCC, it's confidential. We can look at \nit; we can analyze what's happening across the entire network--\nanalyze it and work on solutions. It's been very effective for \nour legacy communications systems.\n    One idea is to explore, Could that be extended to the \nInternet, and could we obtain the same success in getting \nsituational awareness of what's happening?\n    Senator Pryor. Good. Thank you.\n    Admiral McConnell, let me ask you--I know you need to leave \nin just 5 minutes or so. You gave a very strong opening \nstatement, and your insights have been very interesting to the \nCommittee members. But, you know, you focus pretty much solely \non U.S. policy. Is there a need for an international policy \nhere that, you know, the U.S. either leads or the U.S. plugs \ninto? I don't know that we've talked a lot about international \npolicy.\n    Admiral McConnell. And, sir, my view is, it can't be solved \nwithout an international approach. 
And I don't--I apologize for \nbeing the history buff here today, but I go back to think about \nthe face-off between the United States and its allies and the \nSoviet Union in the cold war. So, it was an international \ndimension of NATO and the other allies that brought that to a \nsuccessful conclusion, from our point of view.\n    So, I think this is a global problem, and it will require \ninteraction and agreement at an international level, probably \nstarting with the nations that already have alliances, and so \non. But, at some point, it's going to have to--in my view--it \nwill have to migrate to nations that we currently see as, if \nnot adversaries, certainly competitors.\n    Senator Pryor. Dr. Lewis, let me ask you--and this may be \nmy last question, because I may be out of time--but, just for \nthe media and for laymen, like myself, can you describe--can \nyou give us two or three scenarios of what a cyber attack might \nlook like? I mean, we talk about this, but what does that mean \nto the--you know, the average Joe out there in this country? \nTell us what a cyber attack might look like.\n    Dr. Lewis. Sure. And I think we need to divide it--it's a \ngreat question--need to divide it into two parts. The first is, \nthen, as you've heard from Scott and from Admiral McConnell and \nfrom everyone else on the panel, we're attacked every day, and \nwe're successfully attacked, and it's the economic damage that \nwe have to worry about.\n    So, what would a cyber attack look like? It would look like \nbeing bled to death and not noticing it. And that's kind of \nwhat's happening now. All right? So, the cyber attack is mainly \nespionage, some crime. We've seen a good one. I don't know if \nyou saw it, but a couple months ago a bank, over a 3-day \nweekend, had $9.8 million extracted from its ATMs. That was a \ngood cyber attack. Caught some of the guys who did it. 
The \nmastermind probably lives in Russia, not under attack.\n    I don't worry too much about terrorists, and I'll tell you \nwhy. Because terrorists are nuts. If they had the ability to \nattack us, they would have used it, right? So, the notion that \nthey're waiting for Christmas or something--they know how to do \nit. Eventually, they will get it, right? Eventually. And they \nwill not be constrained.\n    There are people who could attack us now: Russia, China, \nsome others. Our military--potential military opponents. Sorry. \nAnd we know they've done reconnaissance on the electrical grid. \nSo, could they turn off the electrical grid in the event of a \nconflict over Taiwan or Georgia? Sure. That's what it would \nlook like. Could they disrupt the financial system? They might, \nif they thought that they were either in really desperate \nstraits or if they thought it wouldn't hurt their own bank \naccounts, right? But, I think that's what you want to look for.\n    Right now, huge losses through espionage, growing losses \nthrough crimes, and the potential of tremendous damage to \ncritical infrastructure if we get into a fight.\n    Senator Pryor. Thank you, Mr. Chairman.\n    The Chairman. Thank you, Senator Pryor.\n    Senator Begich.\n\n                STATEMENT OF HON. MARK BEGICH, \n                    U.S. SENATOR FROM ALASKA\n\n    Senator Begich. Thank you very much, Mr. Chairman.\n    And I'll try to be quick with these, because I have to be \nsomewhere at 4 o'clock.\n    But, let me ask Admiral Barnett, if I can. I was listening \nto your response to Senator Pryor in regards to, kind of, the \nrole the FCC is now playing or will play in the future. I sit \non the Armed Services Committee, and we've gotten briefings on \nDOD issues around cybersecurity. 
Can you, from your \nperspective--who do you think, within the general government--I \nknow Homeland Security, to some extent--but, who has the full \nauthority--for example, if you have recommendations of things \nthat should be done, who pulls the trigger?\n    Admiral Barnett. Well, I don't know that we have any \ntriggers to pull. We're a regulatory agency.\n    Senator Begich. Right. I understand that.\n    Admiral Barnett. But, we work very closely with the \nNational Communications Systems, with DHS, and that's where we \nhave most of our conversations, our information sharing. The \ninformation that we do get is applied to the National \nCommunications System, on outages and network problems. We \nwould see that being extended to other types of problems that \nwe're talking about today.\n    So, primarily focused on DHS, although we work with a lot \nof our Federal partners, including DOJ. We're a part of the \nJoint Telecommunications Resource Board that advises OSTP.\n    Senator Begich. Do you think, just--in your experience at \nthis point, do you think they're well coordinated among the \nagencies?\n    Admiral Barnett. Well, as far as I can tell, we have good \ncommunications, we have good relationships and good information \nflows. We have--I'm not positive, while I've been in office, \nwe've been tested on that. And for that reason, we participate \nin exercises to make sure that there are good information \nflows. Our most recent one was back in January, a tabletop \nconducted with----\n    Senator Begich. Right.\n    Admiral Barnett.--OSTP and Joint Telecommunications \nResources Board.\n    Senator Begich. What's the--do you think the agencies that \nyou're working with have the resources they need to do the work \nto make sure--or are there gaps that have been identified, or \nyou can identify?\n    Admiral Barnett. You know, Senator, I'm not positive I \ncould speak for those agencies. 
I can say that, after Chairman \nGenachowski asked us to do our own review, part of the things \nthat we came up with is that we needed to increase our talent \npool with regard to cybersecurity, and consequently, we \nlaunched a program to do that, to make sure that we have the \ntalent that we need.\n    It goes back to the question that the Chairman was talking \nabout earlier, is that we need to make sure that there's an \neducational pool out there. One of the things that I've been, \neven before coming to the FCC, concerned about is the \nprecipitous drop in computer science majors that this country \nhas been producing since 2000. I mean, I think it's like a drop \nof almost 40 percent. It may have ticked up in the last year, \nbecause I haven't looked at it, but it's very concerning.\n    Senator Begich. Do you have--and let me, if I can, kind of \nmove into that arena. And anyone can answer this after I make \nthis question--and that--or ask this question--and that is, Do \nyou think our ability to buy that talent--pay, compete against \ncompanies like Oracle--do you think we have that capacity?\n    Admiral Barnett. Once again, I can only speak for the FCC. \nOne of the amazing things--it's just like when I was Active \nDuty in the military--it's amazing to me that Americans are \nwilling to come forward, because of their belief in the country \nand what we're doing. I'm positive that we'll be able to find \nthose folks, if we can educate them.\n    Senator Begich. Anyone else want to comment on that?\n    Admiral McConnell. There--I'm familiar with the current \ntalent pool, particularly in this area, particularly around \nFort Meade, over in Maryland, and there's just not enough \nresources. So, my comments about educational bases--we're going \nto have to do that. If I could offer another, sort of, \nhistorical context, what was referred to a moment ago, the \nNCS--the National Communications System--resulted from the \nCuban Missile Crisis. 
The President couldn't communicate with \nthe Cabinet officer. We had a single carrier--AT&T--so, a--an \narrangement was made. We had guaranteed communications for all \nCabinet officers, under any circumstances. That held until \nJudge Greene's famous decision, which broke it up.\n    At that point--the question was--asked by Senator Pryor, \nwas exactly the key issue: Can the industry members come \ntogether and have a discussion out of fear of the antitrust \nlegislation? And they couldn't do that. So, a secondary \norganization was created, called NSTAC--National Security \nTelecommunications Advisory Council. But, it's only focused on \ntelecommunications. That served the Nation well for 30 years. \nIt resided in Defense. It now is over in the Department of \nHomeland Security. But, it's a public sector--U.S. Government--\nand a private sector, and they collaborate, coordinate for \nkeeping communications working.\n    What--DHS, who under law has the authority for this \nmission--defense--has proposed a construct patterned after NCS \nNSTAC. It's called CPAC--Critical Infrastructure Protection \nAdvisory Council. Three chairs: Secretary of Defense, the DNI, \nand the Secretary of Homeland Security. Three co-chairs. You \npick the largest segments of industry--critical \ninfrastructures--to come together. You have to have public \nmeetings, with government participation, with minutes that are \npublished to the public----\n    Senator Begich. Sure.\n    Admiral McConnell.--and you talk about the issues, like \ntechnology or policy or operations, to address these issues. \nNow, that has been proposed. My sense, that it hasn't gotten \nthe traction that it needs. Perhaps that would--may be \nsomething that you could consider, in your bill, to put some \nenergy behind it.\n    Senator Begich. Yes, that's a good question.\n    My time is up, but, Dr. Lewis, I saw you--maybe you could \ndo a quick response.\n    Dr. Lewis. Sure. 
Just--I wanted to come back to the \neducational point. And it's not a fluke that we have two \nadmirals sitting here, because the Navy's paid a lot of \nattention to that--to cybersecurity and to cryptology. They're \ncoming up with a scholarship program. There's something called \nU.S. Cyber Challenge, which CSIS has been a little involved in, \nand it's an effort to get kids interested in cybersecurity, in \nhacking contests. It's really good.\n    There's a chance to rebuild the university programs. And \nAdmiral McConnell mentioned the National Defense Education Act \nof 1958. And what that did is, we said, ``Hey, the Russians are \nahead of us. We need a lot of engineers and mathematicians and \nforeign language specialists.'' Five years later, we had them. \nSo, yes, you can fix this, with the right sort of investment.\n    Senator Begich. Thank you very much, Dr. Lewis.\n    I--my time is up, Mr. Chairman. Thank you for the \nopportunity.\n    The Chairman. I've got to stick with that, Admiral.\n    Senator Klobuchar.\n\n               STATEMENT OF HON. AMY KLOBUCHAR, \n                  U.S. SENATOR FROM MINNESOTA\n\n    Senator Klobuchar. Thank you very much.\n    And do you have to leave, Admiral McConnell? Is that \ncorrect?\n    Admiral McConnell. I do, and I want to offer a last \ncomment. But, I----\n    The Chairman. Please.\n    Admiral McConnell.--a little over time--just offer my last \ncomment.\n    The Chairman. Yup.\n    Admiral McConnell. Something that hasn't been mentioned; I \nwant to make it harder. We've talked about cybercrime and \ncyberwar, and on and on. I'm thinking about a new idea, and I \nwill call it ``Insidia.'' Insidia means that an adversary \nbuilds into our infrastructure. They do what they're doing now, \nin terms of taking our intellectual capital, and now they harm \nthe infrastructure for competitive advantage, if and when they \nchoose to do so. 
That is possible today.\n    So, let's say that a--you pick it--country X is going to \nintroduce a new product, and they want to achieve dominance in a \nmarket. They could cause things to happen in our \ninfrastructure, that we don't even recognize, that would \ndisadvantage us in a competitive way.\n    So, it's early in my thinking, but I'll just leave the \nthought with you. Insidia. Just something I made up, but it \ncould happen today. And the reason I know it could happen today \nis, I know we could do it, if we chose to do so.\n    The Chairman. The great question, ``If we chose to do so.''\n    Voice. We've been investigating that for the last several \nyears, so I can give you background, if you'd like.\n    The Chairman. Great.\n    Senator Klobuchar. You know, just following up on some of \nthe issues raised about the lack of expertise and not enough \ncomputer science majors. I'm a former prosecutor, and I always \nremember how difficult it was when we even had simple computer \ncrimes and the police would show up, we didn't--and they'd \npress a button, and then all the porn would vanish from the \nscreen, and we'd lose the computer evidence. And that's a \nreally tiny example, compared to what we're dealing with here.\n    What do you think about the ability--just as you're \nconcerned about computer science degrees--of law enforcement \nright now? Because I've always said we need to be as \nsophisticated as the crooks we're trying to pursue, whether \nit's internationally or whether it's domestically. What do you \nthink needs to be done there? I'm a member of the Judiciary \nCommittee, as well.\n    Mr. Borg?\n    Mr. Borg. When we were looking at it, we discovered that \nactually the law enforcement is getting increasingly \nsophisticated about handling their evidence, but, they're not \nvery sophisticated about their own vulnerabilities. 
We looked \nat the crime labs and discovered that we could, or somebody \ncould, hack into most of the crime labs that we've looked at, \nalter evidence, if they chose, do all kinds of mischief. So, \nwe've got some huge issues there.\n    Senator Klobuchar. OK.\n    Mr. Borg. Think if somebody for hire could tamper with just \nthe chain of evidence for any prosecution that depended on \nphysical evidence. That's the situation we're in right now.\n    Senator Klobuchar. Right. Well, and part of what I think is \njust the training, again, and being able to hire people who \nhave that kind of computer forensics experience.\n    Yesterday, the Federal Trade Commission issued a report \nthat revealed widespread data breaches by companies, schools, \nand local governments whose employees are engaged in peer-to-\npeer file sharing. The software was also implicated in a \nsecurity breach involving the President's helicopter, and other \ncases. I'm actually working on some legislation along these \nlines, that we're going to be introducing soon. But, could you \ntalk a little bit about how this could be a national security \nthreat, and what can be done about the human element in all \nthis, about employees even inadvertently sharing confidential \nfiles?\n    You want to talk about peer-to-peer?\n    Dr. Lewis. Well, you know, we're coming to a--sort of a--\nwe're at the early days of, I think, new thinking about \ncybersecurity, and that's where the work of this committee's \nbeen really valuable.\n    I talk to a lot of companies. What they've--what I've \nlearned is that some of them have fabulous best practices, \nright? Now, usually they've been companies that have already \nbeen hit, right? So, I talk to a giant oil company, they had \na--they were hacked, and lost millions of dollars, and now they \ndo everything right. One of the things they do is, they \nseverely limit the ability of employees to use this kind of \nsoftware.\n    We can think of many examples. 
It's fun, if you think about \nsome of them, you can type in ``tax return'' and it will, for \nsystems that are not set up, show you people's tax returns. \nBut, we now are beginning to identify practices that work in \nimproving network security, and this is one of them.\n    So, the question is, How do we populate industry with those \nbest practices? How do we tell them what they are? How do we \nget them all to do the right thing, when it comes to file \nsharing?\n    Senator Klobuchar. Very good.\n    On February 16, the Bipartisan Policy Center sponsored the \nCyber ShockWave exercise, which brought together former high-\nranking national security officials to evaluate how they acted \nwhen there was a realtime cybersecurity emergency. And one of \nthe problems the simulation exposed was the lack of clarity \nregarding government authority to regulate private-sector-\ncontrolled infrastructure systems, such as telecommunication \nnetworks and the electrical power grid, during such an \nemergency. Do you have any views on what steps should be taken \nto clarify the ability of government to assume temporary \ncontrol of infrastructure during a cybercrisis?\n    Dr. Lewis. Well, I think, I'm--I don't want to talk too \nmuch; I'll let somebody else jump in, too, but--there's a \nprovision in the bill that I think could be very helpful. And \none of the things that we need to think about is, In an \nemergency, do we want the President to have the things he needs \nto do to protect the American people? And I'm not sure the \nscenario got it right. I'm not sure that the President wouldn't \nscrounge around--they have some very smart lawyers over there--\nand maybe under the International Economic Powers Act or--\npardon me--International Economic Emergency Powers Act, or some \nother act, we could come up with a solution. 
But, I think the \nability to intervene in a crisis is essential, and giving the \nPresident that authority clearly is going to be essential for \nnational defense in what's become a new kind of warfare.\n    So, in that sense, the provision in the bill, which I \nunderstand has gone through many changes, really could be quite \nhelpful in making the Nation more secure.\n    Senator Klobuchar. Mr. Borg, in your testimony, you stated \nthat cyber attacks have already done damage to the American \neconomy, much more than is generally recognized, due to massive \nthefts of business information. Could you talk about some of \nthe examples of what you most see with business information \nthefts, and what was, or not, done by individual corporations, \nwhat you think they could do better?\n    Mr. Borg. It's very tricky to talk about this, because \nwe've been warned by lawyers that if we even hint about an \nactual example, we will be sued by everybody involved--the \ncompany----\n    The Chairman. Could you say that again?\n    Mr. Borg. Is that--what?\n    The Chairman. Could you say that again?\n    Mr. Borg. We've been warned by lawyers that if we even hint \nat a real example, so that somebody could begin to identify it, \nwe will be sued by everybody involved, because the business \nleaders who let this happen will face shareholder lawsuits, \nthey will--their companies will feel obligated to sue the \nbeneficiaries, who will countersue, claiming libel, and so on. \nSo, the whole thing is, legally, a mess. As a consequence, \nnobody wants to talk about this. This is huge.\n    Senator Klobuchar. Right.\n    Mr. Borg. This is just gigantic.\n    Senator Klobuchar. Well, but there's--sometimes there are \npublicly known examples that maybe you could----\n    Mr. Borg. There aren't for this one.\n    Senator Klobuchar. OK.\n    Mr. Borg. 
We do have companies that had very, very \nextensive intrusions that coincided with similar facilities \nbeing built in Southeast Asia. The facilities in Southeast Asia \nare ones that nobody is allowed to visit--we think, because \nthey would look suspiciously like the facilities here that they are \nreplicating. They were, when they opened, able to function very \nefficiently, offer very low prices, with no particular strain \non the corporation that was running them. So, we think whole \nfactories are being replicated in other parts of the world.\n    Senator Klobuchar. Wow.\n    Mr. Borg. The economic consequence is that whole industries \nare potentially going to be stolen over time. It happens \ngradually. It's being slowed down by certain obstacles right \nnow, the chief one of which is, there aren't enough people in \nsome of the countries and areas of the world that are receiving \nthis information to sort it all out; there isn't enough \nexpertise in American ways of doing business to utilize all the \ninformation they've got. But, potentially, we're looking at the \nviability of entire industries being undermined over time. And \nthe thing is just going abroad.\n    Senator Klobuchar. And so, if they had the appropriate \npeople, they would just be able to basically replicate a \ncompany, is what you're saying?\n    Mr. Borg. Yes, that's right. Except without the expenses of \nhaving to do the R&D, to go through the learning curve, to do \nall the other things. You can open a facility, and, on the day \nyou open, have a level of efficiency that it took the American \nmarket leaders 6 years to get to.\n    Senator Klobuchar. Anyone else?\n    Dr. Lewis. Let me give you a real quick example. I don't \ncare if anybody sues me, but--I heard an example I thought was \nastounding. It was about a small furniture company, right? A \ncouple hundred employees, you know, not a big revenue--they \nmake wooden furniture. 
They got hacked, and somebody stole all \nthe designs for the wooden furniture. Now, you all know that \nthere are countries in the world that are good at making low-\ncost furniture, right? And now they have the designs, the \nintellectual property. They have the newest styles, and they \ncan get it on the market faster--as Scott said, on the market \nfaster, at a lower price. That American company has really been \nhurt, right? And that's what we're looking at.\n    But, the notion, to me, that it's worth this--how pervasive \nis this, if you're going to be hacking small furniture \ncompanies that make wooden furniture? It's amazing. We don't \nrealize what's happening to our country.\n    Senator Klobuchar. OK.\n    Mr. Borg. Something else here that's very important, that's \nnot understood, is that all of the information for all the \npressures, temperatures, switches for an entire factory, and \nall the schematic diagrams, can be stolen. We're not talking \nabout stealing the formula for Coca-Cola. We're talking about \nsucking all of the information out of a company.\n    Senator Klobuchar. Well, thank you very much. It sounds \nlike we have a lot of work to do here.\n    The Chairman. Kind of, yes.\n    Senator Thune.\n\n                 STATEMENT OF HON. JOHN THUNE, \n                 U.S. SENATOR FROM SOUTH DAKOTA\n\n    Senator Thune. Thank you, Mr. Chairman. And I want to thank \nyou and the Ranking Member for holding today's hearing on a \nvery important and oftentimes overlooked subject, \ncybersecurity, which, as we've heard, has great consequence for \nour security and our economy. And I think we have to remember \nthat we're under constant attack. Our critical infrastructure \nand the Internet backbone of our economy remain extremely \nvulnerable to these cyber attacks. And there was a recent GAO \nreport that states that cyber attacks could cost our economy \n$100 billion annually in the near future. 
And so, I think it's \nimportant that this committee give the appropriate, sufficient \nattention to this important subject.\n    I know some--the questions have been posed--Senator \nKlobuchar and I are working on the peer-to-peer issue, and some \nlegislation with regard to that. But, I--what I'd like to do is \njust ask a couple of questions to the panel and whoever would \nlike to respond to these.\n    The Wall Street Journal recently reported that hackers in \nEurope and China hacked into computers in over 2,500 companies \nand government agencies. And what's probably even more shocking \nis that they infiltrated these systems for several months \nbefore they were detected. How do we improve the \nidentification of these attacks, to stop the activity before \nthey do additional damage?\n    Mr. Borg. One of the problems is that we focus so \nexclusively on perimeter defense that once somebody has \npenetrated the system, we don't have adequate devices to spot \nwhat's going on. One of the things that we urgently need to \ndevelop is industry-specific, sometimes even business-specific, \nmonitoring capabilities that will set off alarms when these \nsystems are being misused and when information is being \nimproperly moved about.\n    Dr. Lewis. You know, the Journal article was interesting. I \nthink it's the third or fourth time I've heard of something \nlike this--massive penetrations; hundreds, if not thousands of \ncompanies. It's an ongoing program. It's a nice program, \nbecause you're not going to get caught. And even if you do get \ncaught, there are no consequences.\n    So, one of the things we want to think about is, When we \nsee people committing a crime, what are the consequences? 
And \nright now, if there's zero consequence, there's almost zero \nrisk.\n    I've talked to a few of the big financial companies and \nsaid, ``Do you have trouble telling who is doing bad things to \nyou?'' And what they usually say is, ``No.'' They can follow \nthe money, they see where it goes, they know who's doing it to \nthem. But, right now, we don't have any way to go to these \nother countries and say, ``Hey, some of your citizens are \ncommitting crimes in our country. Would you do something about \nit?'' And so, whether this is something for the World Trade \nOrganization, whether it's for the World Intellectual Property \nOrganization, whether it's for INTERPOL, we need to start going \nafter people who do these things. And right now, they've gotten \na free ride.\n    Senator Thune. I'm just trying to think about what our role \nis, in terms of a worldwide problem. And if you don't have the \ncapability of enforcing or imposing some sort of penalty or \npunishment on people who do this, you're right, there's no \nconsequence to it. I don't know what would keep them from \ncontinuing to do it.\n    The question I have, dealing with the first response, which \nsaid coming up with some industry-specific or even company-\nspecific mechanisms of dealing with that, Do you see some role \nfor the Congress in that process? I mean, it seems to me that \nthe companies that are impacted by this are, maybe, better \npositioned to do that.\n    Mr. Borg. When I've talked about the need for this kind of \ntool, this kind of software, to people in the security \nindustry, they have regularly said, ``Oh, yes, we're really \neager to jump into that market as soon as it's pioneered. We \ndon't want to be the first mover, we want to be ready to--once \nthe market is formed.'' So, there's a huge opportunity here for \nthe government to seed that market, to be a guaranteed \ncustomer, to, in some cases, be an initial supplier, providing \nsome prototype tools. 
And then, I think, once that is set up, \nthe security industry will be ready to move into it. But, it's \nanother example of a market that's not working properly, that \ncould be fixed by government intervention.\n    Ms. Davidson. If I can echo that--and I'm sorry Admiral \nMcConnell is no longer here, because he was using the railroad \nindustry as an example. There is a role for the government in \npromoting the use of standards. And why do we care about that \nin this context? Part of what would make it easier for people \nto not only have better situational awareness, but to be able \nto connect these types of dots, is having standards around what \ntype of records or sensor records you need to keep in a system, \nand the way in which that is expressed. And the reason for \nthat--why do the railroads tie into that? Because, a long time \nago, the railroads didn't have a standard train gauge. And the \nreason it's--I think, 4 feet, 8-and-a-half inches, is because \nthe government stepped in and said, ``We want to build a \ntranscontinental railroad--that's a public good--and we're \ngoing to tell you what the train gauge is going to be, so we \ncan put the pieces together, and you can get on a plane on the \nEast Coast and go all the way across the West Coast.'' The \ngovernment could actually promote the use of standards around \naudit records in such a way that would be not only how the--the \nnerdy bits and bytes of how they're described, but also what \nkind of record you have to keep. And by doing that, and \npromoting it through procurement, you could effectively tell \nyour suppliers, ``We're going to change--we're going to tell \nyou what kind of train you're going to build and what the train \ngauge is going to be.''\n    NIST is very good at getting industry to participate in \nthat, and that could actually help make--create the \ninfrastructure of security which can help secure critical \ncyberinfrastructure.\n    Senator Thune. 
And there are multiple government agencies \nthat deal with, and have some role in preventing, cyber \nattacks. You've got Defense, Homeland Security, Commerce, FCC, \nFBI. And this was actually going to be a question more for \nAdmiral McConnell, but I'm interested in knowing, from your \nobservation, how the coordination--level of coordination is \nbetween those various agencies, and is there anything that this \ncommittee could do to ensure that they're working in a more \nefficient and coordinated manner to prevent cyber attacks?\n    Admiral Barnett. Senator, from the FCC's perspective, we--\nChairman Genachowski is focused on making sure that we have \ngood communications with our Federal partners. And that's not \njust for cybersecurity, but emergency management and other \nresponsibilities that we have. So, there's certainly a focus on \nthis. I mean, I think there's a desire to make sure that we do \nthe best. And for that, there's a lot of communication, I would \nsay, with regard to the exercises that you're seeing. I can't \nsay that there may need to be some more, and I can't speak to \nall agencies, but there certainly is communication going on \nabout the threat.\n    Dr. Lewis. You know, we want to recognize that progress has \nbeen made in the last year, or even a bit longer. So, there is \nmore cooperation than there used to be, and more coordination. \nAnd hopefully the appointment of a new cybercoordinator at the \nWhite House will help that.\n    But, you're all familiar with what happened on December \n25th in Detroit. And that was a--in some ways, a problem with \ncoordination among Federal agencies. Again, on the \ncounterterrorism side, we're much better off than we were 9 \nyears ago. But, you can still see problems, and I'd say, in \ncyberspace, the coordination is not as good as it is in the \nintelligence community and the counterterrorism community.\n    So, good progress, but still a long ways to go. 
And that's \nwhere congressional attention, measures like this bill, can \nhelp encourage the Federal Government to move in the right \ndirection.\n    The Chairman. Thank you, Senator Thune.\n    Senator Snowe.\n    Senator Snowe. Thank you, Mr. Chairman.\n    Dr. Lewis, I wanted to ask you about the cybercoordinator \nposition and the appointment of Howard Schmidt, as you \nmentioned, being a coordinator, rather than a Senate-confirmed \nposition. And, for example, he is not able to testify before \nthis committee on this issue. So, how important is it to have a \nSenate-confirmed position on this question?\n    Dr. Lewis. Well, I think, in the long run--and hopefully \nthe long run won't be more than a few years--we're going to \nneed something like USTR, right? Or maybe some of the other \nagencies that exist. We're going to need a specific agency that \nwill be appropriately staffed and have the right authorities to \ndo this. And that position, just as the USTR positions are \nconfirmable, would make sense. So, I think, good first step \nthere, appointing a coordinator. We're on the right path, but \nwe've got a long ways to go.\n    Senator Snowe. Yes.\n    Dr. Lewis. And, you know, when you think about it, this is \na new infrastructure--you've heard that from everyone--that we \ndepend on. But, we haven't adjusted the government to that. And \nmoving toward that Senate-confirmable position would probably \nbe a good idea.\n    Senator Snowe. Does anybody else have an opinion on that \nquestion?\n    Ms. Davidson. Well, I can't comment on the structure, but I \ncan certainly comment on the individual. I think Howard Schmidt \nis probably the very best possible person who could have been \nchosen for that position, who commands tremendous respect in \nindustry, and his sole agenda is to make things better. And \nbecause of his--because of who he is, there will--people who \nwill line up to do things for him because it's Howard asking. 
I \nthink it was an outstanding appointment. You just could not \nhave found anybody better. It will be a very difficult job, \nbut if anyone is up to it, it is--he is absolutely the right \nperson for that.\n    Senator Snowe. Well, I just think it's--given everything \nthat we've discussed here today and, obviously, the \nsignificance of this issue and the fact that, as the President \ndescribed, it's a strategic national asset, I think it should \nbe elevated so we have that conversation, and that--more \nimportantly, that he reports directly to the President of the \nUnited States. I mean, I think that that sends a very critical \nmessage, frankly. And that relationship should be developed at \nthe outset, as we're beginning this process and, hopefully, \ngetting legislation in place. That's going to be absolutely \ncritical in that regard; otherwise, we're not going to have the \nbenefit, other than in private meetings, to have those kind of \ndiscussions, when, in fact, they should be part of the public \narena.\n    I would just like to ask you, Are you familiar with the \nNetWitness report, by any chance? And how would you \ncharacterize the extent of that attack?\n    Dr. Lewis. Interesting company. The fellow who runs it is a \nguy named Amit Yoran. Like Howard, he has tremendous respect, \nlong experience. And so, it's good that they came out with \nthis.\n    Interesting report, but, for me, it wasn't a big surprise. \nI mean, this is sort of the normal business, here. How many \ntimes have we seen this in the past: ``Somewhere in Eurasia, \nthere's a group of hackers, and they've penetrated hundreds or \nthousands of American companies.'' You know, it's just--this \none wasn't particularly sophisticated.\n    One of the things to bear in mind is that we have more \nsophisticated opponents than the fellows we stumbled across \nhere. The NetWitness report just helps reinforce the kind of \npressure we're facing.\n    Senator Snowe. Dr. Borg?\n    Mr. 
Borg. There were a couple of things about it that were \na little bit interesting. One is just the scale of it, and the \nother is that it used two botnets in conjunction. Each time we \nhave one of these, they're a little more sophisticated, they \nhave another little new twist, something here or there. So, \nit's a sign of an ongoing process of attackers just getting \nbetter and better, more talented.\n    Senator Snowe. Getting increasingly sophisticated? Yes. And \nhow do we keep pace with that sophistication?\n    Mr. Borg. Well, one of the ways we're not keeping pace is \nby having departments of cybersecurity where, in the graduate \nprograms, there are no Americans. A lot of our leading programs \nliterally have no American students at the Ph.D. level, or \nsometimes even the master's level. We're training a lot of the \nworld in cybersecurity better than we are our own people.\n    Senator Snowe. What accounts for that? Is there any reason \nfor that, or does it just happen to be the way it is?\n    Mr. Borg. If you're Indian----\n    Senator Snowe. By----\n    Mr. Borg.--or Chinese----\n    Senator Snowe. Yes.\n    Mr. Borg.--or from some other part of the world, there is \ngreater motivation and a bigger gain from getting a degree in \ncybersecurity than if you're American.\n    Ms. Davidson. Well, and to that point, a lot of the--you \nknow, how do we keep up with it? I actually have a team of \nhackers who work for me. They're ethical hackers; their job is \nto break our software before someone else does. They are also \nthe ones who author our coding standards: How do you write \nsecure code? And those are in a constant state of revision, not \nonly for new things that are publicly known, but new, nefarious \nways they find to break our software. And we train all our \ndevelopers on that. So, it is constant revision, because there \nis always something else malicious coming down the pike.\n    Admiral Barnett. 
Senator, of course, I have a son who's in \ncomputer security, so I'm not going to complain about the \nAmerican education system; I think we do have the ability to \ntrain the people we need. But, there needs to be an emphasis \non--it has been a concern of mine--I mentioned the precipitous \ndrop in the number of computer science degrees that we are \nproducing. I might mention the number of women that we are \nproducing, and that has dropped even further. There's a good \ndeal of research of the reasons for that. We need to attack \nthose directly and reemphasize getting American kids ready to \ngo into computer science programs--so, we have to start earlier \nthan college--and then making sure that they're incentivized to \ndo that, and attack all the various reasons, some of which are \ncultural--there are various reasons, too, that we can provide \nto you.\n    Senator Snowe. Well, that's interesting. And that's \nsomething that is part of our legislation that we're focusing \non, on the training and the certification of cybersecurity \npersonnel. But, that's clearly an emphasis that we have to \nmake.\n    So, then would it be very difficult for the Department of \nHomeland Security to, you know, hire up to 1,000 cybersecurity \npersonnel over the next 3 years? Is that ambitious, or is that \ndoable?\n    Dr. Lewis. It's probably doable. They came in with only \nabout a third of their positions filled. They had 1,000 slots, \nand I think they had about 300 filled. And in the intervening \nyear, I think they've moved that up to about 50 or 60 percent; \nthey've done a good job.\n    There are three problems. First, the shortfall of trained \npersonnel means DHS is competing with NSA and with DOD, with \nFBI. And, let's face it, it might be more fun to work at NSA or \nDOD than DHS, right? So, they've got a competition problem.\n    Second, a lot of the hiring processes that we have in the \nFederal Government don't help. 
And so, somebody gets hired by \nDHS, and then they're told--and this happens at other agencies, \ntoo--``We've hired you, and in another 6 to 8 months we'll be \nable to actually bring you on board.'' And, of course, people \ncan't wait 6 to 8 months for a job. So, a lot of people leave \nearly.\n    Finally, there's this--again, this shortfall problem, which \nis that somebody comes to DHS, they get good training, they get \nsome good experience, they get a clearance, and they're \nsuddenly a lot more attractive to the private sector. So, \nyou've got an outflow problem, too. And all these things are \nnot impossible to beat; we've beat them in other agencies. But, \nwhile there has been really good work done at DHS, I think they \ncould use some help on the recruitment side.\n    Senator Snowe. Thank you.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you, Senator Snowe.\n    Let me kind of close up here by saying, you've been a \nfabulous panel, all of you. And you, too, Admiral McConnell, \nwherever you are. I mean, you really know your stuff. You speak \nwith the kind of cold clarity which this subject deserves. \nSenator Snowe and I are very happy that we've introduced our \nbill. And when listening to you, you know, you just ask, Is \nit--was it done in time? Can it make a difference? And the \nanswer has to be yes.\n    And let me say the things that worry me. One is the whole \nquestion of starting kids out. Right now, there's this \nenormous--which was brought on point--emphasis on STEM--\nScience, Technology, Engineering, and Mathematics. We \ndesperately need that. Is there a way that--and the kids are so \ngood--my son was--two nights ago he called up, and he's really, \nreally good on computers, and he was doing--he was at war with \na hacker, trying to fight back, and, you know, very, very \nsophisticated stuff. He's 30, so that makes it a little easier. 
\nBut, the--trying to integrate this somehow--we don't have that \nchoice, do we?--into early education. We do not have that \nchoice. And if boards of education say they don't have that \nmoney, we still do not have that choice.\n    The second thing is that the problem is so pervasive, so \noverwhelming. We're talking about the public sector and the \nprivate sector and all the--your 6- to 8-month vetting, you \nknow, the horrors of the Federal Government and its vetting \nprocess, and people just say, ``You know, I can't wait.'' So, \nyou lose good people. The salaries involved. The budget \nrestrictions we're now going through for the next number of \nyears, because of our deficits. And yet, you know, put it in \ncomparison to the dangers of these massive cyber attacks, which \nare not, you know, unlike another terrorist attack, something \nof the future, you know, next week, next month, next year; \nthey're all day, every day, as I quoted at the beginning, from \na DOD person. I mean, it's just happening all the time, sucking \nthe blood. I think, forensically, it takes 4 minutes to drain \nthe blood out of a person, and, you know, that's not a \nparticularly attractive analysis, but it's a cogent one, that \nthis is a really serious, desperate problem and that bills at \nany--you know, any kind of effort is going to be important, and \nwe have to, all of us, decide how to do this.\n    You know, we talk about the Federal Government and the \nstovepipes that Olympia Snowe and I have dealt with on the \nIntelligence Committee, and the intelligence community has \ngotten a lot better since we had a DNI, but they are by no \nmeans cured. People tend to hold on to their territory, and \nthey don't give it up easily. And I--that has to be true in the \ncorporate world, for some, you know, very clear and \nunderstandable reasons.\n    So, how do we make it all work? How do we get people \ntogether? 
How do we create the sense of urgency, at a broader \nlevel, in which we do things we've just never done before as a \ncountry? Which I think is what it amounts to. Yes, we've got to \ngive the President the right to intervene. And that's \ncontroversial. That's all--that'll always be controversial. \nBut, Senator Snowe and I believe that needs to be done.\n    But, let me leave you with one happy thought, just for \npractice. Last year and this year and the year before, on the \ntwo sides, let's say, of American young people looking for \ncareers, one is in the intelligence--the world of \nintelligence--the CIA, NSA, et cetera--the applications for \nthose agencies, in number and in quality, have never been \nhigher. So, they're swamping these agencies with applications \nto work there. And incredible--and I've done this, and I'm sure \nthat Senator Snowe has, too--you go and meet some of these \nyoung people working for CIA or whatever--they're fantastic. \nAnd so, that's national security.\n    On the other end is the Peace Corps or Teach for America. \nBut, just take the Peace Corps for a moment. They have never \nhad so many applications, ever, and of such high quality.\n    So, to say, on the one hand, that we don't have enough \nAmericans doing this, that people from other countries--they \nused to get their degrees and stay here, because it was more \nprofitable. Now, they're being called home, and they're \npatriotic, and they're doing--I mean, I can't criticize them \nfor what they're doing. It's just that it makes our life more \ndifficult.\n    So, I think that, with the depth and desperation of the \nproblem, mixed with this sort of hopeful and positive attitude \nto be engaged in serious matters, cerebral matters, of young \npeople in this country, we've got to find our way out of this. 
\nAnd we won't do it quickly, but we sure have to do it.\n    So, thank you very, very much, all of you.\n    The hearing is adjourned.\n    [Whereupon, at 4:35 p.m., the hearing was adjourned.]\n                            A P P E N D I X\n\n   Prepared Statement of Hon. Tom Udall, U.S. Senator from New Mexico\n    Thank you, Chairman Rockefeller, for again focusing this \ncommittee's attention on cyber security.\n    Since this committee met last year to discuss this topic, we have \nwitnessed a number of alarming cyber attacks and data breaches.\n    In December, Google announced that they--and probably many other \nAmerican companies--had been infiltrated by cyber attacks that \noriginated in China. Apparently the hackers specifically targeted \nChinese activists who used Google services. However, many other users \nand companies could be harmed by this type of cyber attack.\n    In January, we learned that the National Archives apparently lost a \nhard drive that had over 100,000 Social Security numbers for workers \nand visitors to the White House.\n    This month, a cyber war game exercise also illustrated some of the \nNation's vulnerabilities to a sophisticated cyber attack and the need \nfor a nimble and coordinated response to protect our infrastructure.\n    So, I welcome the opportunity to ask a few questions today about \nhow we can do more to protect consumers, companies, and the Nation.\n                                 ______\n                                 \n     Written Questions Submitted by Hon. John D. Rockefeller IV to \n                     Vice Admiral Michael McConnell\n    Question 1. What are the key elements of public-private teamwork \nthat are not in place today that should be?\n    The witness did not respond.\n\n    Question 2. Would it make a difference if more senior executives in \nthe private sector were granted security clearances?\n    The witness did not respond.\n\n    Question 3. What about cybersecurity? 
Are you confident that the \neveryday American citizen knows the threat that we are under, and knows \nhow to make his or her own home or business safe?\n    The witness did not respond.\n\n    Question 4. Should there be basic cyber awareness and education as \npart of the normal curriculum in elementary and secondary school?\n    The witness did not respond.\n\n    Question 5. What can the government and private sector do together \nto solve this labor shortage problem?\n    The witness did not respond.\n\n    Question 6. What can we do to inspire young students to aspire to \nserve their country by being a cybersecurity professional?\n    The witness did not respond.\n\n    Question 7. What must the government do better? What must the \nprivate sector do better? What responsibilities do both have to the \npublic at large?\n    The witness did not respond.\n                                 ______\n                                 \n           Written Questions Submitted by Hon. Tom Udall to \n                         Vice Admiral McConnell\n    Question 1. Admiral McConnell, your statement sounds the alarm \nabout threats to our infrastructure. You note that the United States is \nnot doing enough to promote cybersecurity and that the country needs a \ncoordinated approach involving the public and private sectors. Our \nnational labs--which are the crown jewels of our Nation's research \nsystem--are active in efforts to promote cyber security. In my home \nstate of New Mexico, Sandia National Laboratories is engaged in efforts \nto secure the national electrical grid from cyber attack. Los Alamos \nNational Laboratories is a leader in quantum cryptography. What role \nshould our National Labs have in the efforts you describe to protect \nour Nation from cyber attack?\n    The witness did not respond.\n\n    Question 2. Some experts say the arrival of ``Cloud computing'' \ncould be as important and as disruptive as the advent of the World Wide \nWeb. 
Eric Schmidt, the CEO of Google, has written that, ``We're moving \ninto the era of `cloud' computing, with information and applications \nhosted in the diffuse atmosphere of cyberspace rather than on specific \nprocessors and silicon racks. The network will truly be the computer.'' \nHow can we be sure to realize the benefits of cloud computing given \nvery real cyber security threats?\n    The witness did not respond.\n\n    Question 3. What is the role of government and private industry in \nprotecting sensitive data as it increasingly moves from desktop devices \nto the ``cloud''?\n    The witness did not respond.\n                                 ______\n                                 \nResponse to Written Questions Submitted by Hon. John D. Rockefeller IV \n                         to Dr. James A. Lewis\n    Question 1. What are the key elements of public-private teamwork \nthat are not in place today that should be?\n    Answer. The most effective partnership models are based on small \npermanent groups of senior business leaders from the corporate \nheadquarters who regularly interact with senior government officials. \nOnly two or three groups (DOD's ESF, DHS's CIPAC and perhaps NSTAC) now \nfollow this model. The key elements are trust and authority--trust \ncomes from regular meetings among the same people and authority comes \nfrom the ability to make binding decisions. Many existing groups are \nnot designed to provide trust or authority.\n\n    Question 2. Would it make a difference if more senior executives in \nthe private sector were granted security clearances?\n    Answer. Classified briefings on the nature and extent of the threat \nare very effective in alerting corporate CEO's to the problem they \nface. Classified briefings have been one of the most effective parts of \nthe DOD's Defense Intelligence Bases initiative.\n\n    Question 3. What about cybersecurity? 
Are you confident that the \neveryday American citizen knows the threat that we are under, and knows \nhow to make his or her own home or business safe?\n    Answer. I do not believe we should make citizens responsible for \nthe national defense. There are some minimal activities (keeping anti-\nvirus software updated) that citizens now need to perform but we would \nbe better served by shifting security to service providers. Nobody has \nto program their land-line phone or install anti-virus software on it. \nThe same model should apply to the Internet.\n\n    Question 4. Should there be basic cyber awareness and education as \npart of the normal curriculum in elementary and secondary school?\n    Answer. Wouldn't hurt, although we shouldn't expect too much from \nit.\n\n    Question 5. How can the Federal Government bolster market-based \nprivate sector incentives to drive innovation in cybersecurity and \nraise the bar on cybersecurity standards and best practices?\n    Answer. The same way it drove innovation in automobile safety: by \nsetting goals and requirements and then letting the companies figure \nout how to implement them.\n\n    Question 6. Does the American public have the right to expect that \nU.S. private sector critical infrastructure companies are looking out \nfor the safety and security of the American people? Should this \ninterest in public safety be an integral aspect of the private market for \nIT products and services?\n    Answer. In most other areas of public safety we expect critical \ninfrastructure companies to meet minimal standards. It is time to \nextend this to cybersecurity. In many cases, regulatory authorities \nalso allow companies to impose a small surcharge to cover the \nadditional cost of safety measures. This too must become part of a \nnational effort to secure networks.\n\n    Question 7. What must the government do better? What must the \nprivate sector do better? 
What responsibilities do both have to the \npublic at large? With this in mind, how can we fashion a public-private \npartnership, based on trust, that allows for sharing of confidential \nand/or classified threat and vulnerability information between the \ngovernment and critical private sector networks?\n    Answer. National security is the responsibility of the government. \nWe should not assign this function to citizens or companies if we wish \nto succeed. Government needs to be better organized and have a clear \nstrategy for defense. The best analogy might be to city policing: yes, \nwe want people to lock their cars and doors to buildings, and exercise \na little common sense, but at the end of the day it is the \nresponsibility of the city authorities to bring crime rates down. Our \ncurrent approach to cyber security is like the crime fighting approach \nin New York City in the 1970s. We need to change that.\n\n    Question 8. Would government and private cybersecurity efforts \nbenefit from ``vulnerability mapping'' of major U.S. networks, public \nand private?\n    Answer. Only if the mapping was then tied to some action to either \nimprove defenses or increase resiliency.\n\n    Question 9. What are the specific risks to such an activity?\n    Answer. Since our major opponents have probably already done this, \nany additional risk is likely to be small.\n                                 ______\n                                 \n     Response to Written Questions Submitted by Hon. Tom Udall to \n                           Dr. James A. Lewis\n    Question 1. The recent Bipartisan Policy Center cyber war game \nexercise examined a potential attack that first affected wireless cell \nphones. As computing and networking technology become integral to all \nmanner of consumer goods, it seems that new cyber attack \nvulnerabilities will only proliferate. 
In today's business landscape, \nsupply chains stretch across the globe and companies often acquire \nother firms to gain access to new software and technologies for their \nproducts. This makes it more difficult to know whether a product may \ncontain cybersecurity vulnerabilities from a single component or piece \nof software code from an outside supplier or other firm. How is \nsecurity of the final assembled product affected in an environment in \nwhich new links are so frequently added to the product's ``chain''?\n    Answer. Most companies have processes in place for quality control \nthat provide some level of protection. A skilled adversary could \nbypass these, but it would be expensive to do so. The larger problem is \nthat as manufacturing and invention shift from the U.S. to Asia, our \nvulnerability to supply chain corruption may grow.\n\n    Question 2. How are leading technology companies bringing the \nsecurity of acquired products in line with their own standards for \ncybersecurity?\n    Answer. The most advanced companies buy from trusted suppliers, \nengage in testing, and rely on their network defenses to identify \nanomalies (such as efforts to exfiltrate large amounts of data) after a \nnew device or program is installed.\n\n    Question 3. What is the role of Chief Security Officers or Chief \nTechnology Officers in assuring best security practices are implemented \nin such cases?\n    Answer. It varies from company to company. The best practice is for \nboth CSO and CTO to work together to build secure networks.\n                                 ______\n                                 \n    Response to Written Questions Submitted by Hon. John Ensign to \n                           Dr. James A. Lewis\n    Question 1. Are there any legal restrictions we should focus on \nthat make it more difficult for industry and government agencies to \nshare the information needed to protect our critical cyber \ninfrastructure? 
Are there any barriers that Congress needs to \neliminate, or any legal flexibility we can provide to foster the \nnecessary sharing while still protecting sensitive or proprietary \ninformation?\n    Answer. The main problems are the need to have personnel with \nsecurity clearance to receive some information and the perception that \nthe government does not share fully. It may be possible to streamline \nthe clearance process for lower classification levels (Secret, for \nexample).\n\n    Question 2. What mechanisms are in place for private companies to \nreport cyber intrusions (either originating domestically or overseas) \nto the Federal Government?\n    Answer. Different parts of the Federal Government receive reports \nof cyber intrusions. DHS, FBI, Secret Service and, in some instances, \nDOD, all get reporting from companies, but the information is not \nalways available to other agencies.\n\n    Question 3. What is being done to encourage private companies, \nparticularly those with government contracts, to report cyber \nintrusions (either originating domestically or overseas)?\n    Answer. DHS, FBI, Secret Service and DOD have outreach programs, \nsuch as FBI's Infragard program.\n\n    Question 4. Do government contractors have an ethical or statutory \nobligation to report cyber intrusions (either originating domestically \nor overseas)?\n    Answer. DOD has begun to require reporting from companies in the \nDefense industrial base and in some instances companies have reported \nbreaches in their SEC filings, but there is no consistent requirement.\n\n    Question 5. Do government contractors with classified information \non their servers and individuals with security clearances on their \npayrolls have a statutory or ethical obligation to report cyber \nintrusions (either originating domestically or overseas)?\n    Answer. This requirement may be part of their contract or part of \nDOD acquisitions regulations--the DFAR.\n\n    Question 6. 
When Requests for Proposals (RFPs) are put out for \ncontracts that involve sensitive or classified information do all of \nthese RFPs require that bids include the number of successful and \nunsuccessful cyber intrusions committed by domestic or foreign entities \n(either originating domestically or overseas)?\n    Answer. I do not know of any specific requirement.\n\n    Question 7. In your opinion, if a private company believes that it \nhas been the victim of a cyber intrusion (both originating domestically \nor overseas), which is the appropriate agency that it should report \nthis intrusion to?\n    Answer. The FBI.\n\n    Question 8. In your opinion, if a government contractor believes \nthat it has been the victim of a cyber intrusion (both originating \ndomestically or overseas), which is the appropriate agency that it \nshould report this intrusion to?\n    Answer. The FBI and the contracting agency.\n\n    Question 9. In your opinion, if a government contractor that is \nworking on a sensitive or classified project and believes that it has \nbeen a victim of a cyber intrusion (both originating domestically or \noverseas), which is the appropriate agency that it should report this \nintrusion to?\n    Answer. The FBI and the contracting agency.\n                                 ______\n                                 \nResponse to Written Questions Submitted by Hon. John D. Rockefeller IV \n                             to Scott Borg\n    Question 1. What are the key elements of public-private teamwork \nthat are not in place today that should be?\n    Answer. The public and private sectors should be discussing how to \nengender the sort of market environment that will allow the creative \npotential of American corporations to be turned loose on our collective \ncyber-security problems. 
This hasn't happened yet.\n    Instead, our ability to tackle the challenges of cyber security is \nbeing severely limited by established interests and obsolete ways of \nthinking. Even the threat of government regulation and the promise of \nbig profits from government contracts or subsidies are not solutions, \nbut serious impediments to real cooperation. Both get corporations \nthinking in terms of lobbyists and public relations, rather than \nproblem solving.\n\n    Question 2. Would it make a difference if more senior executives in \nthe private sector were granted security clearances?\n    Answer. Giving more senior executives security clearances would be \nof little help. The population that needs to be reached is much larger \nthan the group to whom it would be practical to grant clearances. What \nis needed, instead, is a set of better incentives for declassifying \ninformation and an improved system for circulating it, while respecting \nits sensitivity.\n    In general, the whole system of government security clearances is \nill-suited to protecting the sort of private-sector-based information \nrelevant to cyber defense. It has been a serious impediment to \ncommunication, yet does not offer sufficient security.\n    It is important to understand that the most sensitive and dangerous \ninformation regarding the possibilities of cyber attacks on critical \ninfrastructures is not possessed by the government. It is generated and \nowned by private sector corporations. Much of this information is far \ntoo sensitive to be entrusted to everyone with a given level of \nsecurity clearance. This information is seldom shared with the \ngovernment, in part, because there is a widespread belief that the \ngovernment can't be trusted with it.\n\n    Question 3. What about cybersecurity? Are you confident that the \neveryday American citizen knows the threat that we are under, and knows \nhow to make his or her own home or business safe?\n    Answer. 
It is obvious to virtually all cyber-security experts that \nmost Americans have no idea of the threat we are under and little idea \nof how to make their home and business computers safe.\n\n    Question 4. Should there be basic cyber awareness and education as \npart of the normal curriculum in elementary and secondary school?\n    Answer. Yes, cyber-security education is essential, but it should \nnot be used as an excuse for failing to create more secure information \nproducts and services. When systems are badly designed, there is a \ngreat temptation to blame the users. But systems that make great \ndemands on users are simply badly designed systems. In addition to \neducation, it is urgently important to address the question of why \ninformation systems are so badly designed from a security standpoint.\n\n    Question 5. How can the Federal Government bolster market-based \nprivate sector incentives to drive innovation in cybersecurity and \nraise the bar on cybersecurity standards and best practices?\n    Answer. I have offered a list of six basic reasons why markets are \nnot delivering the needed levels of cyber security: (1) Companies are \nnot being charged for the increased risks they cause or paid for the \nrisks they reduce; (2) Individual executives are not being motivated to \nact in the long term interests of their companies where cyber security \nis concerned; (3) People don't have adequate information to take \naccount of cyber security in their market choices; (4) Markets for many \nurgently needed cyber-security products and services haven't been \ncreated yet; (5) Switching costs are too great to allow companies to \nshift readily to more secure choices; and (6) Entry barriers have kept \nout alternative products and services that would be better from a \nsecurity standpoint.\n    For each of these six market problems, there are several market \nremedies that should be considered. 
One of the possibilities, for \nexample, for remedying the lack of information needed for market \nchoices is a government-facilitated system for rating the cyber \nsecurity of software products. If people don't have any reliable \ninformation on which software products are safer, they can't choose the \nsafer products. Putting rating labels on software, the way we already put \nrating labels on everything from cars to cookies, would make it \npossible for the markets to deliver safer software.\n    Talk of ``raising the bar'' and ``bolstering incentives'' misses \nthe point. The markets that determine cyber security are broken and \nneed to be fixed. Government mandates and subsidies won't do the job. \nThe government measures that are needed are actually less heavy-handed \nand less expensive, but they need to affect the mechanisms that allow \nmarkets to function.\n\n    Question 6. Does the American public have the right to expect that \nU.S. private sector critical infrastructure companies are looking out \nfor the safety and security of the American people? Should this \ninterest in public safety be an integral aspect of the private market for \nIT products and services?\n    Answer. The American public should be able to assume that its \ninterests are being safeguarded, especially where monopolies like \nelectric power are concerned. But government intervention in these \nareas needs to be handled very carefully, because the technology is \nchanging so rapidly. If the government tries to dictate security \nmeasures to the critical infrastructure industries, these measures will \nprobably be out of date and counter-productive before they are finished \nbeing officially formulated.\n\n    Question 7. What must the government do better? What must the \nprivate sector do better? What responsibilities do both have to the \npublic at large?\n    Answer. 
The government needs to get over the idea that its choices \nare to throw out the market and dictate what should be done or, \nalternatively, to do nothing and hope some market will somehow solve \nthings. Instead, the government needs to understand that properly \nfunctioning markets need attention and engagement.\n    For its part, the private sector needs to recognize that properly \nfunctioning markets provide better opportunities to make money for any \ncompanies that are delivering real value. They should work with the \ngovernment to make these markets happen.\n                                 ______\n                                 \nResponse to Written Questions Submitted by Hon. John D. Rockefeller IV \n                          to Mary Ann Davidson\n    Question 1. What are the key elements of public-private teamwork \nthat are not in place today that should be?\n    Answer. The information flow still seems to be one way. With the \nexception of the UK government (through CPNI, a part of MI5), industry \nalmost never hears of threats the government--or some in the \ngovernment--know about. In some cases, there may be legal restrictions \nthat prevent this information sharing. It is (obviously) not the case \nthat everyone should know everything, but if there is a material threat \nthat affects national security--where that definition also includes \neconomic security--then I think that some of that information should be \nshared more broadly.\n\n    Question 2. Would it make a difference if more senior executives in \nthe private sector were granted security clearances?\n    Answer. Generally, yes. I still think there is a general lack of \nawareness among some executives about the extent to which critical \nsystems are vulnerable and the degree to which their data--including \nintellectual property--is vulnerable. This affects not only national \nsecurity in the traditional sense but also our national economic \nsecurity.\n\n    Question 3. 
What about cybersecurity? Are you confident that the \neveryday American citizen knows the threat that we are under, and knows \nhow to make his or her own home or business safe?\n    Answer. Absolutely not; that is, I have no confidence that the \naverage person knows how severe the risks are and what they can do \nto protect themselves. I am a security professional, yet I still learn \nnew things every day about how technology can be broken, corrupted or \nused by bad guys against us.\n\n    Question 4. Should there be basic cyber awareness and education as \npart of the normal curriculum in elementary and secondary school?\n    Answer. It may sound strange to say Yes, but I am old enough to \nremember the cold war, and how elementary school children would do \n``duck and cover'' drills in schools. We accepted that at the time, \nbecause we lived under the threat of a nuclear war. We now live in a \nworld in which there are new threats and--especially given the degree \nto which schools seem hell bent on using computers at an early age as \n``educational tools''--they need to emphasize both ``responsible use'' \nand ``safe use'' of those tools.\n\n    Question 5. How can the Federal Government bolster market-based \nprivate sector incentives to drive innovation in cybersecurity and \nraise the bar on cybersecurity standards and best practices?\n    Answer. I do not think innovation is the problem--there are lots of \nsecurity startups and more all the time. (Of course, there are other \ndisincentives in the sense that Sarbanes-Oxley, for all that it was \nwell intended, has resulted in the curtailment of the market for \ninitial public offerings (IPOs) in the U.S. The ``compliance overhead'' \nfor becoming a public company is so high and so expensive that a lot of \ncompanies will not IPO anymore--their only exit strategy for investors \nis to be acquired. 
This was a (clearly) unintended consequence of the \nlegislation but it has nonetheless curtailed innovation.)\n    I note that there are ways to bolster innovation by helping small \ninnovative security startups tap into the larger market that the \nFederal Government represents, such as the IT Security Entrepreneur's \nForum which is sponsored, in part, by the Defense Department and the \nDepartment of Homeland Security. (See http://www.security-\ninnovation.org/).\n    As far as raising the bar on standards and best practices, I have \nbeen an advocate for a long time of using procurement power to do that. \nAnd the procurement power need not only be the Federal Government but \ncould include other sectors. For example, the multi-state information \nsharing and analysis center (MS-ISAC) has come up with common \nprocurement language on software development practice. Is it binding on \nthe states? No. Is it a common resource that they can use to \ncontractually ``signal'' their suppliers that they need to provide \nbetter security? Yes.\n    A no-brainer as far as I am concerned is that any piece of software \nsold to the government should: (a) provide a secure configuration guide \n(attorneys frown on the term ``best practice''), (b) enable the product \nto be installed in that configuration (make it easy and cheap for \ncustomers to be ``secure out of the gate'') and (c) either provide a \ntool to maintain the configuration or support a standard (such as those \nprovided via the Security Content Automation Protocol) that enables the \nconfiguration to be monitored automatically and re-configured \nautomatically.\n    The Air Force realized that something like 80 percent of their \nsecurity vulnerabilities were a result of weak/poor configuration \npractice. If vendors can do something once that helps secure all their \ncustomers, at a lower lifecycle cost, they ought to do it. Procurement \ncan force them to do it.\n\n    Question 6. 
Does the American public have the right to expect that \nU.S. private sector critical infrastructure companies are looking out \nfor the safety and security of the American people? Should this \ninterest in public safety be an integral aspect of the private market \nfor IT products and services?\n    Answer. The two items are different. Why are they different? \nBecause in the case of critical infrastructure companies, most know \nthey are ``critical'' and in fact are already regulated (financial \nservices and utilities, to name two). So, there is already awareness \nthat there is a ``duty of care'' to the public (or they wouldn't be \nregulated in the first place).\n    In the case of the private market for IT products and services, \nrealize that while some products are created for vertical markets that \nmay be regulated (e.g., a piece of software that is used in the \nutilities industry), a lot of software is general purpose (e.g., \naccounting software). Trying to impose a ``worst case'' duty of care on \nall purpose software would be like trying to ensure that, say, any \nlaptop would be required to comply with the battlefield ruggedness the \nmilitary demands. The Defense Science Board, in considering the foreign \ninfluence over the supply chain of software, realized that, while \nraising the overall assurance of commercial software was necessary, \nraising it to the level required for all national security applications \nwas unfeasible because the commercial marketplace will not support such \nhigh levels of assurance. I think it is a similar argument for general \npurpose software used in ``critical sectors''--it's not clear whether \nthe market will support high assurance to the extent that's what those \nsectors require.\n    Now what should happen is that critical sectors use their (perhaps \ncollective) purchasing demands to push their suppliers to higher levels \nof assurance. 
In fact, we are already seeing many regulated sectors or \ncustomers tied to those sectors (as suppliers) demanding more \ntransparency in development practice and higher accountability in \nsoftware development practice because their customers (e.g., \npharmaceuticals, defense) are demanding it. And I am all in favor of \nthat push since I think customers' being more demanding purchasers \n(within reason) absolutely is an effective agent of change.\n\n    Question 7. What can the government and private sector do together \nto solve this labor shortage problem?\n    Answer. Unfortunately, there isn't a simple solution for this. \nNobody can major in ``cybersecurity'' and in fact, security needs to be \nembedded in a lot of places if we want to change the dynamic. (E.g., we \ndon't use traffic cops to enforce secure driving--drivers all have to \ntake drivers' ed and be licensed to drive or we wouldn't have a prayer \nof having reasonably safe highways).\n    As I have noted in my testimony, I think curricula change in \nuniversities is a Must Do or we do not have a prayer of changing the \nbattlefield, so to speak. Perhaps the government can bring some \npressure on the accreditation bodies for computer and computer-related \ndegree programs? There is a group called ABET which accredits \nengineering, computer science and technology programs (see http://\nwww.abet.org/) and within that there is a group called Computing \nSciences Accreditation Board (see http://www.csab.org/) which appears \nto be the sub-group of ABET that accredits computer science, \ninformation systems, software engineering and information technology \ndegree programs. I do not know who accredits industrial control systems \ndegree programs (if it is not within one of the above groups).\n\n    Question 8. What can we do to inspire young students to aspire to \nserve their country by being a cybersecurity professional?\n    Answer. 
Making being a good guy more glamorous than being a bad \nguy, as trivial as that sounds. Currently, the press tends to \n``glamorize'' the hacking community. Vendors are almost universally \nportrayed as evil slugs that deliberately build crummy software because \nthey do not care about their customers (!). Hackers (including those \nwho release exploit code before a vendor can fix a problem) are often \ngiven a pass--regardless of the amount of damage they do. One well-\nknown hacker released ``proof of concept code'' that several months \nlater was the genesis of the Slammer worm, which did BILLIONS in \ndamages. He got a pass from the press for that and there were no legal \nrepercussions, either, since releasing proof of concept code is not \nillegal.\n    Finding a way to change the dynamic so kids use their technical \nskills as defenders and securers can be done (I suspect the Marines'--\nThe Few, the Proud, the Marines--is one of the more successful \n``service-oriented'' advertising campaigns there is).\n    We have a broader societal problem (in my opinion) in that we have \ngenerations raised to be very aware of their rights and what is due \nthem, but few are aware of or seem to care about their \nresponsibilities. Serving your country is a responsibility of \ncitizenship and I think diversifying that message to emphasize other \nkinds of service (than just using a rifle) could work (e.g., ``Uncle \nSam is looking for a few good geeks'').\n    I don't think appealing to the wallet is necessarily the first \nthing to pitch but quite honestly, there is a lot of demand for \ncybersecurity professionals--and not nearly the supply. This creates \nscarcity that increases wages, all things being equal. So yes, \ncybersecurity is also a good career move because the skills are \nmarketable.\n\n    Question 9. What must the government do better? What must the \nprivate sector do better? What responsibilities do both have to the \npublic at large?\n    Answer. 
I think the government can do a number of things better. \nFor one thing, while the military is busy standing up cyber commands, \nnot all the services actually have career paths for plain old \ninformation technology let alone cyber-expertise. I note that \ntraditionally, logistics, though not a war fighter discipline, is still \na valued career skill and in fact you can make flag rank (general or \nadmiral) in a logistics specialty. Why does it matter? Because Patton \nunderstood what would happen if his 3rd Army ran out of oil. Today's \ninformation centric armies run on bits and bytes, just as much as oil. \nWithout a clear, recognized and rewarded career path in both \n``defensive'' information technology and offensive cyber war, the \nmilitary is sending a signal that information smarts is not valued and \nis not important.\n    Obviously, the government also needs to lead by example by securing \ntheir own networks.\n    As far as the private sector goes, I do advocate greater emphasis \nand ``governance'' around security for private enterprises. Governance \nis not about being perfect, it is about understanding the threats to \nyour business, prioritizing them in terms of ``what do we, as a \ncompany, adhere to in terms of security practices to mitigate those \nrisks?'' and ensuring that you are doing those things broadly and \nconsistently. Where you are not doing them, you have a reasonably \naggressive remediation plan in place to, as they say, ``get with the \nprogram.'' If you do not manage risks appropriately, you are not \nrunning your business well.\n                                 ______\n                                 \n     Response to Written Questions Submitted by Hon. Tom Udall to \n                           Mary Ann Davidson\n    Question 1. Ms. 
Davidson, in your statement, you note that many of \nthe commercial software components used to build a new ``smart grid'' \nprobably are not designed for the level of cyber attack \nthreats that our Nation's electric grid may face. But ensuring that \ncommercial software, or even government computer systems, are safe from \ncyber attack is a real challenge. The National Institute of Standards \nand Technology (NIST) maintains a standard for data encryption, the \nFIPS 140 standard. What other government or industry standards exist \nfor cyber security?\n    Answer. There are lots of standards--some of them are technical \nstandards that ensure interoperability of components (e.g., public key \nencryption standards like PKCS (public key cryptography standards) 11, \nor standards created by consortia such as the payment card industry \n(PCI) data security standard (DSS) that addresses securing information \nrelated to payment transactions. There are some emerging standards that \nwould specifically facilitate higher ``situational awareness'' for \nnetworks, such as the security content automation protocol (SCAP), a \ncornucopia of standards that enable things like determining what \nproduct is running on a network (and what version), what its secure \nconfiguration is, and so on. These standards were developed by NIST or, \nin some cases, Mitre under contract to NIST.\n    There are also international software assurance standards (such as \nthe Common Criteria--International Standards Organization (ISO)-15408) \nto which the U.S. subscribes. The Common Criteria is focused on \ndescribing the nature of threats, what technical measures a product \nneeds to address those threats, and how well it does meet them. 
I note \nthat in many cases an international standard is really better than a \nmarket-specific one, because: (a) a lot of security needs are not \ncountry specific and (b) if each country (and in some cases if each \nindustry) starts specifying a similar but slightly different way to do \nX, companies will--ironically--potentially end up with worse security \nas they spend money not on actual improvement but on meeting hundreds \nof only slightly different regulatory requirements. For example, if \nlocal, city, county, state and Federal bodies all required separate \ntermite inspections for houses, you'd have to pay for four inspections. \nYour house would arguably not be four times as termite-free as if you \njust did one pretty good inspection.\n    In some cases (by industry) there might be legitimate differences. \nFor example, the Defense Department has (legitimately) different \nrequirements for, say, smart phones that are going to be used in \nsensitive environments than the average consumer does for his or her \nsmart phones.\n\n    Question 2. Should Congress encourage companies and government \nagencies to develop and use more cyber security standards?\n    Answer. I think technical interoperability-type security standards \nthe market will take care of--government tends to be too slow to drive \nthose and entities tend to cooperate when there is a common problem \n(or, where cooperation will actually increase the market size because \nthere can be more uptake of technology with a single standard than \nwould be the case if there are dueling standards).\n    But there are ``underserved'' markets or areas in which industry is \nunlikely to develop common standards where government--specifically, \nNIST--can have an important role. 
One such area has been SCAP--being \nable to determine, quickly, what products are on a network, what their \nconfigurations are, to what they might be susceptible, and to be able \nto reconfigure them automatically--is helping to automate defenses. \nConsidering attacks are automated, automating defenses is important.\n    Another such area (as unglamorous as it sounds) is auditing and \nauditability. There are a plethora of products in the sector called SIM \n(security information management) or SIEM (security information and \nevent management) that claim to be able to analyze ``events'' on \nnetworks (by data mining audit logs) and correlate them (e.g., to see \nattack patterns). However, that assumes a) that events are recorded at \nall--not all products have robust enough auditing to even record \ninteresting events--and that the events can be expressed in a common \nformat (so they can be more easily correlated). There is an emerging \nstandard (called CEE--Common Event Expression, see http://\ncee.mitre.org/) in this sector but quite honestly, the government could \nhelp create the capacity for better ``situational awareness on \nnetworks'' by fostering a standard adoption through procurement \npolicies. Any software product the government buys could be expected to \na) have basic auditability as defined by a standard (possibly CEE, \nassuming it is actually published by NIST and industry is allowed to \ncomment on it) and b) express their audit records in a common format.\n\n    Question 3. The recent Bipartisan Policy Center cyber war game \nexercise examined a potential attack that first affected wireless cell \nphones. 
As computing and networking technology become integral to all \nmanner of consumer goods, it seems that new cyber attack \nvulnerabilities will only proliferate.\n    In today's business landscape, supply chains stretch across the \nglobe and companies often acquire other firms to gain access to new \nsoftware and technologies for their products. This makes it more \ndifficult to know whether a product may contain cybersecurity \nvulnerabilities from a single component or piece of software code from \nan outside supplier or other firm. How is security of the final \nassembled product affected in an environment in which new links are so \nfrequently added to the product's ``chain''?\n    Answer. Keep in mind, there are many supply chain risks businesses \nneed to consider that directly affect their business. These are not \nnecessarily the same concerns that their customers have (but are \nnonetheless important). For example, some software carries so-called \n``viral licensing'' provisions in that, if the software is embedded \nwithin another product, the product comes under the same licensing \nterms (which in many cases, effectively makes it freeware). No vendor \nwants to embed such third party code that ``taints'' their code base in \nsuch a way that they can no longer sell the resulting product--their \nrevenue model is destroyed. Second, realize that it is impossible to \ndetect all vulnerabilities in software even using the best commercially \navailable tools and--in particular (emphasis added)--it is \nimpossible to absolutely prevent someone from putting something bad in \ncode that would be undetectable.\n    What is reasonable and feasible is that a company should have \nreasonable practices around their supply chain risk (because it is in \ntheir business interests to do that, anyway). Note again that many of \nthese risks will go directly to their ability to operate and will not \nnecessarily be the same risks that a purchaser worries about. 
A company \nshould also have a reasonable governance structure in place to ensure \nthat they are doing the same things across their lines of business. \nHaving done that, they could disclose their practices to interested \npurchasers--who were, for example, concerned over how a company takes \nreasonable measures to prevent someone from corrupting their code base. \nReasonable means that, for example, changes to code have attribution, \nand there are restrictions on access (e.g., not just anybody in the \ncompany can make a change to code--and certainly not in a way that \ncannot be attributed).\n    I have done a paper for the House Homeland Security Subcommittee on \nCybersecurity, Emerging Threats and Science and Technology on supply \nchain risk that speaks to the above in more detail and I would be happy \nto provide that, as well, if it is of interest and of use.\n\n    Question 4. How are leading technology companies bringing the \nsecurity of acquired products in line with their own standards for \ncybersecurity?\n    Answer. I cannot (obviously) speak for other companies, but Oracle \nhas a structured process for integrating acquired companies into Oracle \nbusiness practices. My team has the remit for integration of acquired \nentities into our secure development practices. As part of that, we \nrapidly ascertain their current practices, use the review to create a \ncompliance plan going forward, and--as with all lines of business--\nperiodically report progress against compliance requirements to \nexecutive management via a security oversight committee. The compliance \nmeasurement covers the entirety of our secure development practices. In \ncases where an entity struggles to make compliance we highlight them \nfor special attention and guidance (and the accountability that goes \nwith it). There are other groups that look after integration of our \nnetworks, the security policies that go with our business practices, \nand so forth.\n\n    Question 5. 
What is the role of Chief Security Officers or Chief \nTechnology Officers in assuring best security practices are implemented \nin such cases?\n    Answer. There can be several roles. One of them is that to the \nextent a CTO or CSO is an influencer or purchaser of technology, they \ncan enforce better procurement transparency on their suppliers. That \ncould include specific ``disclosure'' requirements on their suppliers \nrelated to development practice if not compliance with standards (like \nFIPS-140, or ISO 15408).\n    Second, to the extent a company develops their own software, they \nshould have internal standards for development practice that at least \nreflect or include consensus good practice. That can reference \n``standards''--I use the term loosely--such as BSIMM (Build Security In \nMaturity Model), or the Build Security In guidance issued by the \nDepartment of Homeland Security, or things like the SANS Top 25 coding \nerrors (i.e., to at least ensure that a developer has considered these \nissues and attempted to avoid them), and so forth. There actually is a \nlot of material out on what constitutes good, secure development \npractice, and what common vulnerabilities are (and how to avoid them). \nIt's unconscionable that universities do not educate people who design \nand build systems on these matters, but that does not mean people who \nbuild systems in industry should accept that ``educational deficiency'' \nwithout making every effort to rectify it in their own practice.\n                               Attachment\n                           Supply Chain Risk\n    The purpose of this document is to outline risk management concerns \npertaining to the supply chain of software and hardware. This document \nmay serve as a blueprint for suppliers seeking to ensure they've \nadequately addressed hardware- and software-related supply chain risk, \nand for purchasers in the procurement of software. 
That is, suppliers \nthat want to protect their supply chain should be able to address these \nquestions for their own risk management purposes. Secondarily, \nsuppliers should be able to disclose their supply chain risk management \npractices so that a purchaser can make better risk-based acquisition \ndecisions.\n    While supply chain transparency alone will not ameliorate risk, it \nwill level the playing field to the extent that supply chain assurance \n``disclosure'' becomes the norm, and thus customers have the ability to \nuse supply chain risk mitigation as a--but not necessarily the only--\npurchasing criterion. Furthermore, it is likely that disclosure will \nlead to some upleveling of security practices to the extent vendors are \nnot already addressing supply chain risk and more customers evaluate \nsupply chain risk prior to purchasing. That is, to the extent more \npurchasers demand transparency around supply chain risk mitigation, \nsuppliers not already addressing this risk will be compelled by market \nforces to do so.\nScope\n    The scope of this paper is supply chain risk for commercial off-\nthe-shelf (COTS) software and hardware, not custom code or government \noff-the-shelf (GOTS) software and hardware, which may be a combination \nof COTS components and either government-developed or third party \ncustom code. GOTS could include custom applications (built by cleared \nindividuals) that run on COTS components, for example. This document \ndoes not address supply chain risk related to industrial policy (i.e., \na country may wish to ensure that they have one or more domestic \nsuppliers of a critical component--such as microprocessors à la the \nTrusted Foundry Program--to avoid supply chain disruption caused by war \nor other geopolitical upheaval).\nConstraints\n    There are a number of practical constraints that bound the ``supply \nchain risk assessment'' problem as it pertains to COTS software and \nhardware. 
These constraints are important because they set the \nframework for what can reasonably and feasibly be asserted about the \nsupply chain of commercial software and hardware. Any such \n``reasonability'' discussion must of necessity bound efforts to reduce \nor mitigate supply chain risk for COTS. In particular, COTS is not \nGOTS: it is no more reasonable to purchase commercial, general purpose \nsoftware and hardware and expect it to have the assurance (e.g., \nextensive third party validation, ``cleared'' personnel, robustness in \nthreat environments it was not designed for) of custom, single purpose \nsoftware and hardware as it is to purchase a Gulfstream V and expect it \nto perform to the specifications of an F-22 Raptor.\n    Constraint 1: In the general case--and certainly for multi-purpose \ninfrastructure and applications software and hardware--there are no \nCOTS products without global development and manufacturing.\n    Discussion: The explosion in COTS software and hardware of the past \n20 years has occurred precisely because companies are able to gain \naccess to global talent by developing products around the world. For \nexample, a development effort may include personnel on a single \n``virtual team'' who work across the United States and in the United \nKingdom and India. COTS suppliers also need access to global resources \nto support their global customers. For example, COTS suppliers often \noffer 7x24 support in which responsibility for addressing a critical \ncustomer service request migrates around the globe, from support center \nto support center (often referred to as a ``follow the sun'' model). \nFurthermore, the more effective and available (that is, 7x24 and \nglobal) support is, the more likely problems will be reported and \nresolved more quickly for the benefit of all customers. 
Even smaller \nfirms that produce niche COTS products (e.g., cryptographic or security \nsoftware and hardware) may use global talent to produce it.\n    Note that global development may include outsourcing of development \nstaff resource (use of contracted third parties to develop code modules \nthat are sold separately, or integrated into larger product suites), as \nwell as in-house developers (employees) of a global enterprise that are \nlocated in development centers around the globe. For example, some \nenterprise software providers build some modules in-house while being \nan open source distributor for other modules. In addition to including \ndevelopment groups in multiple countries, global development may also \ninclude H1B visa holders or green card holders working in the United \nStates.\n    Hardware suppliers are typically no longer ``soup to nuts'' \nmanufacturers. That is, a hardware supplier may use a global supply \nnetwork in which components--sourced from multiple entities worldwide--\nare assembled by another entity. Software is loaded onto the finished \nhardware in yet another manufacturing step. Global manufacturing and \nassembly helps hardware suppliers focus on production of the elements \nfor which they can best add value and keeps overall manufacturing and \ndistribution costs low. We take it for granted that we can buy \nserviceable and powerful personal computers for under $1000, but it was \nnot that long ago that the computing power in the average PC was out of \nreach for all but highly capitalized entities and special purpose \napplications. Global manufacturing and distribution has helped make \nthis happen.\n    In summary, many organizations that would have deployed custom \nsoftware and hardware in the past have now ``bet the farm'' on the use \nof COTS products because they are cheaper, more feature rich, and more \nsupportable than custom software and hardware. 
As a result, COTS \nproducts are being embedded in many systems--or used in many deployment \nscenarios--that they were not necessarily designed for. Supply chain \nrisk is by no means the only risk of deploying commercial products in \nnon-commercial threat environments.\n    Constraint 2: It is not possible to prevent someone from putting \nsomething in code that is undetectable and potentially malicious, no \nmatter how much you tighten geographic parameters.\n    Discussion: One of the main expressions of concern over supply \nchain risk is the ``malware boogeyman,'' most often associated with the \nfear that a malicious employee with authorized access to code will put \na backdoor or malware in code that is eventually sold to a critical \ninfrastructure provider (e.g., financial services, utilities) or a \ndefense or intelligence agency. Such code, it is feared, could enable \nan adversary to alter (i.e., change) data or exfiltrate data (e.g., \nremove copies of data surreptitiously) or make use of a planted ``kill \nswitch'' to prevent the software or hardware from functioning. \nTypically, the fear is expressed as ``a foreigner'' could do this. \nHowever, it is unclear precisely what ``foreigner'' is in this context:\n\n  <bullet> There are many H1B visa holders (and green card holders) who \n        work for companies located in the United States. Are these \n        ``foreigners?''\n\n  <bullet> There are U.S. citizens who live in countries other than the \n        U.S. and work on code there. Are these ``foreigners?'' That is, \n        is the fear of code corruption based on geography or national \n        origin of the developer?\n\n  <bullet> There are developers who are naturalized U.S. citizens (or \n        dual passport holders). Are these ``foreigners?''\n\n    It is unclear whether the concern is geographic locale, national \norigin of a developer or overall development practice and the \nconsistency by which it is applied worldwide. 
For example, non-US staff \nworking outside the U.S. would appear by definition to be \n``foreigners,'' yet they are often subject to U.S. management oversight \nand their work on code may be peer and manager reviewed before it is \naccepted. In the sense that a U.S. manager ``accepts'' responsibility \nfor a ``foreigner's'' code work, is this still a concern?\n    Similarly, there are presumably different levels of concern for \ndifferent foreign countries. How is a COTS vendor expected to know \nwhich countries are of more concern than others? Should work by staff \nworking in or citizens of traditional U.S. allies be accepted as \nsimilar to that of U.S. staff?\n    COTS software, particularly infrastructure software (operating \nsystems, databases, middleware) or packaged applications (customer \nrelationship management (CRM), enterprise resource planning (ERP)) \ntypically has multiple millions of lines of code (e.g., the Oracle \ndatabase has about 70 million lines of code). Also typically, \ncommercial software is in a near-constant state of development: there is \nalways a new version under development or old versions undergoing \nmaintenance. While there are automated tools on the market that can \nscan source code for exploitable security defects (so-called static \nanalysis tools), such tools find only a portion of exploitable defects \nand these are typically of the ``coding error'' variety. They do not \nfind most design defects and they would be unlikely to find \ndeliberately introduced backdoors or malware.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ For example, a trivial way to introduce a backdoor in a way \nthat would be undetectable by automated tools would be to create a \npackage or function (that is, a piece of code that does something \nspecific) that is ``called'' within a piece of software but that does--\nnothing. 
Nothing that is, unless the package is called with a specific \nargument--that is, a piece of data (e.g., an input string) that \ntriggers the package to do something very specific and malevolent. \nWhile some automated tools scan for ``dead code''--code that is never \nexecuted--this package would be executed in the sense it is called by \nmany other pieces of code--but doesn't do anything, or doesn't do \nanything bad, except when called with a particular ``triggering'' \ninput. Manual code review might catch this, but as noted earlier, \nmanual code review is unlikely for every change to a large code base \nthat changes constantly.\n---------------------------------------------------------------------------\n    Given the size of COTS code bases, the fact they are in a near \nconstant state of flux, and the limits of automated tools, there is no \nway to absolutely prevent the insertion of bad code that would have \nunintended consequences and would not be detectable. (As a proof point, \na security expert in command and control systems once put ``bad code'' \nin a specific 100 lines of code and challenged code reviewers to find \nit within the specific 100 lines of code. They couldn't. In other \nwords, even if you know where to look, malware can be and often is \nundetectable.) \\2\\\n---------------------------------------------------------------------------\n    \\2\\ The expert related the story while serving on the Defense \nScience Board task force analyzing the mission impact of foreign \ninfluence on DOD software, referenced later in this paper.\n---------------------------------------------------------------------------\n    Constraint 3: Commercial assurance is not ``high assurance.''\n    Note that there are existing, internationally recognized assurance \nmeasures such as the Common Criteria (ISO-15408) that validate that \nsoftware meets specific (stated) threats it was designed to meet. 
The \nCommon Criteria supports a sliding scale of assurance (i.e., levels 1 \nthrough 7) with different levels of software development rigor required \nat each level: the higher the assurance level, the more development \nrigor required to substantiate the higher assurance level. Most \ncommercial software can be evaluated up to Evaluation Assurance Level \n(EAL) 4 (which, under the Common Criteria Recognition Arrangement \n(CCRA), is also accepted by other countries that subscribe to the \nCommon Criteria).\n    Regarding the supply chain issue at hand, what is achievable and \ncommercially feasible is for a supplier to have reasonable controls on \naccess to source code during its development cycle and reasonable use \nof commercial tools and processes that will find routine ``bad code'' \n(such as exploitable coding errors that lead to security \nvulnerabilities). Such a ``raise the bar'' exercise may have a \ndeterrent effect to the extent that it removes the plausible \ndeniability of a malefactor inserting a common coding error that leads \nto a security exploit. That is, in the absence of using these tools, a \nmalefactor could insert a back door implemented as a common coding \nerror. If the error is found, the malefactor has plausible deniability \nthat, after all, he made a coding error that many other developers \nmake, such as a buffer overflow. Using automated vulnerability finding \ntools, in addition to improving code hygiene, makes it harder for \nsomeone to deliberately insert a backdoor masquerading as a common \ncoding error because the tools find many such coding errors. Thus, a \nmalefactor may, at least, have to work harder. 
(A side benefit is the \noverall lower cost of ownership of software to the extent code quality \nimproves and customers do not have to apply so many after-the-fact \nsecurity patches.)\n    That said, and to Constraint 1, the COTS marketplace will not \nsupport significantly higher software assurance levels such as manual \ncode review of 70 million lines of code, or extensive third party \n``validation'' of large bodies of code beyond existing mechanisms \n(i.e., the Common Criteria) nor will it support a ``custom code'' \ndevelopment model where all developers are U.S. citizens, any more than \nthe marketplace will support U.S.-only components and U.S.-only \nassembly in hardware manufacturing. This was, in fact, a conclusion \nreached by the Defense Science Board in their report on foreign \ninfluence on the supply chain of software.\\3\\ And in fact, supply chain \nrisk is not about the citizenship of developers or their geographic \nlocale but about the lifecycle of software, how it can be corrupted, \nand taking reasonable and commercially feasible precautions to prevent \ncode corruption.\n---------------------------------------------------------------------------\n    \\3\\ Report of the Defense Science Board Task Force on the Mission \nImpact of Foreign Influence on DOD Software (http://www.acq.osd.mil/\ndsb/reports/2007-09-Mission_Impact_of_Foreign\n_Influence_on_DoD_Software.pdf).\n---------------------------------------------------------------------------\n    The lack of market support for ``higher assurance commercial \nsoftware'' is particularly ironic given the recent policy change \\4\\ by \nthe National Information Assurance Partnership (NIAP) that negates much \nof the value of existing assurance mechanisms (i.e., Common Criteria \nevaluations). 
While they are not perfect, Common Criteria evaluations \ndo establish the assurance of commercial software and--at commercial \nassurance levels--include an assessment of the security of the \nsoftware development environment. In other words, it is ironic that \nthere seems to be increased interest in software assurance (or, the \nsupply chain aspects of assurance) at the very time the U.S. government \nis undercutting the market for evaluated products.\n---------------------------------------------------------------------------\n    \\4\\ See http://www.niap-ccevs.org/ Prior to October 2009, \nprocurement policy as it related to software assurance was governed by \nDepartment of Defense (DOD) 8500, which stated that national security \nsystems must have an international Common Criteria (ISO 15408) \nevaluation or, for cryptographic modules, Federal Information \nProcessing Standard (FIPS) 140-2 cryptographic module validation. \n(Note: DoD 8500 and NSTISSP #11 are due to be modified to reflect the \nnew NIAP policy.) As of October 2009, the NIAP policy has been changed \nsuch that only products for which the U.S. government has an approved \n``protection profile'' (a description of the threats a specific class \nof product faces and the technical remedies for these threats) must be \nevaluated. (The only other ``exception'' is in the case where an agency \nindicates to NSA by letter that they need another class of product--\nwithout a protection profile--evaluated.) While the intent of the \npolicy is to make evaluation more ``relevant'' to the stated needs of \nthe U.S. Government, as a practical matter it has undercut the market \nfor evaluated products. 
Vendors are already reassigning their \nevaluation personnel in response to this ``market signaling.''\n---------------------------------------------------------------------------\n    Constraint 4: Any supply chain assurance exercise--whether improved \nassurance or improved disclosure--must be done under the auspices of a \nsingle global standard, such as the Common Criteria.\n    This document is proposed as a potential ``disclosure \nquestionnaire'' for both suppliers and purchasers of software and \nhardware. Any such disclosure requirement needs to ensure that the \nvalue of information--to purchasers--is greater than the cost to \nsuppliers of providing such information. That is, the information needs \nto result in significantly more ``informed'' purchasing behavior than \nwould otherwise be the case. To that end, disclosure should be \nsomething that is standardized, not customized. Even a large vendor \nwould not be able to complete per-customer or per-industry \nquestionnaires on supply chain risk for each release of each product \nthey produce. The cost of completing such ``per-customer, per-\nindustry'' questionnaires would be considerable, and far more so for \nsmall, niche vendors or innovative start-ups.\n    For example, a draft questionnaire by the Department of Homeland \nSecurity as part of their software assurance efforts asked, for each \ndevelopment project, for each phase of development (requirement, \ndesign, code, and test) how many ``foreigners'' worked on each project? \nA large product may have hundreds of projects, and collating how many \n``foreigners'' worked on each of them provides little value (and says \nnothing about the assurance of the software development process) while \nbeing extremely expensive to collect. 
(The question was dropped from \nthe final document.)\n    More specifically, given that the major supply chain concerns seem \nto be centered on assurance, we should use international assurance \nstandards (specifically the Common Criteria) to address them. Were \nsomeone to institute a separate, expensive, non-international ``supply \nchain assurance certification,'' not only would software assurance not \nimprove, it would likely get worse, because the same resources that \ncompanies today spend on improving their product would be spent on \nsecondary or tertiary ``certifications'' that are expensive, \ninconsistent and non-leverageable. A new ``regulatory regime''--\nparticularly one that largely overlaps with an existing scheme--would \nbe expensive and ``crowd out'' better uses of time, people, and money. \nTo the extent some supply chain issues are not already addressed in \nCommon Criteria evaluations, the Common Criteria could be modified to \naddress them, using an existing structure that already speaks to \nassurance in the international realm.\nTerms\n    Like the Indian fable of the six blind men and the elephant, each \nof whom described a totally different animal based on what part of it \nthey were touching, the definition of ``supply chain risk'' often \nvaries depending on who is describing it. The assurance that \nstakeholders may wish to have around supply chain risk may vary \ndepending on their perspectives. For example, vendor concerns may \ninclude a heavy emphasis on intellectual property (IP) protection since \nIP is typically one's ``corporate crown jewels'' and, should it be \ncompromised (e.g., stolen or tainted) the firm may be out of business \nor crippled in some markets. For customers, the concern tends to focus \non the aforementioned ``malware boogeyman'' which is a subset of a \nlarger discipline known as software assurance.\n    Counterfeiting is a risk that is perceptually greater for hardware \nthan for software. 
The concern from a supplier's side goes to both \ntheir brand and their intellectual property since a hardware component \nhas to both look like and perform like the genuine article but may not \nbe as good a quality as the genuine article. The customer concerns over \ncounterfeiting include getting what you pay for in terms of performance \ncharacteristics (i.e., not failing at a critical juncture) and the \ncustomer ability to service the product.\n    Software assurance (SwA) is defined by the Department of Homeland \nSecurity as ``the level of confidence that software is free from \nvulnerabilities, either intentionally designed into the software or \naccidentally inserted at anytime during its lifecycle, and that the \nsoftware functions in the intended manner.''\n    Source code is raw computer code in uncompiled form. Typically, \nvendors deliver compiled code (also known as binaries or executables) \nto customers, so that all the customer can do is execute--``run''--the \ncode. While much software is configurable, the executable typically \nlimits the amount of customization or configuration a customer can do \nto what is designed in (e.g., a customer of an ERP application can \ntypically configure approval hierarchies or the chart of accounts, but \ncannot change the basic logic of the application). Therefore, most \nthreats to the supply chain are threats to source code to the extent \nthat it is source code that must actually be modified (maliciously).\n    There is another risk to the extent that some code allows execution \nof other binaries that are ``linked in''--allowed to run with the \nexecutable. That is, a software developer that downloads or purchases \nbinaries to run with their code without an understanding or vetting of \nwhat that code does could be allowing ``bad code'' to execute with or \nwithin their product. 
Much software (such as browsers or wiki software) \nis explicitly designed to allow such third party ``plug-ins.'' Despite \nthe fact that the basic software usually ``warns'' users of the dangers \nof allowing unvalidated plug-ins to run, most users just ``click \nthrough'' such warnings because they want the features of the ``cool'' \nplug-in.\nSupply Chain/Source Code Questions\n    The following questions outline concerns that a software or \nhardware manufacturer should address in regard to protection of source \ncode throughout its lifecycle. It also includes questions related to \nhardware-related intellectual property and assembly. By addressing \nthese concerns, a software or hardware manufacturer should be able to:\n\n  <bullet> Identify the ways in which they are addressing risks (and \n        the ``owners'' for those areas).\n\n  <bullet> Document what is being done--and not done--to protect their \n        source code throughout its lifecycle.\n\n  <bullet> Identify remaining unmitigated risk and propose ways to \n        reduce that risk.\n\n  <bullet> Create a governance structure around the protection of \n        source code--and other intellectual property, such as hardware \n        designs--to ensure that policies are followed consistently \n        across lines of business, and consistently over time.\n\n    Note: many of the questions below that are geared toward intellectual \nproperty protection of source code may be equally applicable to the \nintellectual property associated with hardware designs (i.e., limiting \naccess to source code or hardware designs to ensure employees--with or \nwithout ``need to know''--do not commit IP theft).\nAcquisition\n    Many companies grow by acquisition and incorporate code sets from \nthose acquisitions into other products. 
Ultimately, the processes and \npolicies that a company implements around supply chain risk need to be \nreasonably consistent (that is, if there is an exception or a policy \n``difference,'' there should be a reason for it and an explicit \napproval of that difference).\n    A1. Do you do any pre-acquisition screening of source code prior to \nan acquisition (e.g., to ascertain what it does, the ``content'' or \nother characteristics of the code)? The general concern is, ``Do you \nknow what you are getting in an acquisition?'' \\5\\\n---------------------------------------------------------------------------\n    \\5\\ One reason to do such pre-acquisition screening is to identify \nso-called ``viral licenses'' wherein inclusion of the code in a larger \ncode base changes the licensing terms, potentially ``tainting'' the \nlarger code base and one's ability to generate revenue from it. There \nare automated tools (e.g., from Black Duck) that can scan code bases \nlooking for such ``viral license'' code.\n---------------------------------------------------------------------------\n    A2. Are you consistent across all acquisitions, or do you do \ndifferent ``source code due diligence'' depending on the acquisition?\n    A3. Are acquired code bases integrated into your other software \ndevelopment practices? How quickly, and how often is this progress \nmeasured?\nDevelopment\n    Software development encompasses much of the lifecycle of code. \nThis may include incorporation of third party code (e.g., open source, \nlicensed libraries), the core development of new code, the ability to \nmaintain it through its lifecycle, granting access to source code to \nthird parties (e.g., for a security assessment or for other reasons) \nand escrowing the code.\nPersonnel\n    D1. What screening or background check do you do of employees who \nget access to source code throughout its life cycle?\n    D2. 
Is the screening consistent (in terms of quality) across \nemployees, geographic areas and product divisions?\n    D3. Do you differentiate among some products or product areas that \nare deemed more critical (and thus do more stringent checks)? Which \nones?\nThird Party Code (not Open Source Code)\n    D4. What controls do you have around third party code incorporation \ninto the code base (to ensure, for example, that a random piece of code \nwithout approval, appropriate licensing and oversight is not introduced \ninto source code)?\n    D5. In cases where you do incorporate third party code, are you \nincorporating source code in all cases, or are there some object \nlibraries?\n    D6. What if any security checks do you do on third party code, and \nis it consistent across product lines and across ``homegrown'' and \n``third party'' libraries? (That is, any code shipped with a product \nshould in general comply with the same standards of quality, testing, \nand so on.)\n    D7. Are the security checks done via manual code review, static \nanalysis or other analytic tool, or via another means?\n    D8. Are the same checks done on patches and updates? That is, if a \nthird party provider gives you a ``patch'' to a problem in their \nlibraries, are there any security checks done on the patch?\n    D9. How consistently are the above checks done across third party \nlibraries and across lines of business?\nOpen Source Code\n    D10. What processes and policies do you have around incorporation \nof open source code into your product (to ensure, for example, that you \ndo not incorporate viral licenses, or ``back-doored code'' or an \notherwise ``tainted'' open source code into your code base)?\n    D11. Are the same checks done on patches and updates? That is, if a \nthird party provider gives you a ``patch'' to a problem in their \nlibraries, are there any security checks done on the patch?\n    D12. 
How consistently are the above checks done across open source \nlibraries and across lines of business?\nDevelopment Access Control\n    D13. Have you identified all employees who get access to source \ncode throughout its life cycle (e.g., developers, quality assurance \n(QA), support personnel) as apropos? (That is, access to source code \nshould be reasonably restricted to those with a need to access it, not \nopen to all. While the ability to modify code (write) is one concern, \nthe ability to read code (that is read but not modify) may also be a \nconcern for purposes of intellectual property protection.)\n    D14. Do you deploy source control systems to govern access to and \nmodification of source code?\n    D15. What is the granularity of access? (That is, can a developer \nget access to, say, an entire product's code base or a much smaller \nsubset?)\n    D16. How often is this access control reverified? For example, if \nan employee is transferred, how quickly is source code access modified \nor restricted accordingly?\n    D17. How consistent are your access controls? (That is, are these \ncontrols implemented consistently across all product areas, or is there \na lot of disparity on granularity depending on product access?)\n    D18. Are the servers on which source code is stored regularly \nmaintained (e.g., do you apply critical patches--especially security \npatches--in a timely manner?)\n    D19. Are there baseline secure configurations enforced on the \nservers on which source code is stored and how often are these checked? \n(The concern is whether someone can bypass source code controls by \nbreaking into the source code server through, say, a poor configuration \nor an unpatched system.)\n    D20. 
Do you have any special carve outs on source code access \nbeyond ``by product/by developer''--for example, are there greater \nrestrictions on accessing security functionality like encryption \ntechnologies (e.g., for Export Administration Regulations (EAR) \nreasons) or other geographic restrictions?\n    D21. Do you review, validate (or ``pen test'') your source code \naccess controls to ensure that your controls are adequate? How often?\n    D22. Do you do any proactive checking (e.g., through a data loss \nprevention tool) to look for source code leaving your corporate network \n(e.g., through someone e-mailing it)?\n    D23. What if any auditing do you have on who accesses source code \nin development and does anyone ever review those logs? How often?\n    D24. What if any native logs are there in the source control system \nitself and how far back can you attribute changes to code?\n    D25. Are code changes attributable to individual developers?\nSecurity Testing\n    T1. Do you use automated (or other) tools--such as static \nanalysis--to actively look for security vulnerabilities in code?\n    T2. How broadly is the tool deployed within a product? (E.g., is it \nrun against all libraries associated with a product, just a few, or \nsomething in between?)\n    T3. How broad is the code coverage of such tools across all \nproducts and lines of business?\n    T4. Are defects found via such tools logged and tracked?\n    T5. What policies do you have around fixing defects you find either \nduring development or afterwards? Do you keep metrics around how \nquickly issues are fixed?\n    T6. What kind of access control or restrictions do you have on \naccess to information about unfixed security vulnerabilities? (The \nconcern is that a malefactor could find information about exploitable \ndefects by accessing a record or database of such information if access \nis not suitably restricted to those with ``need to know.'')\nManufacturing and Distribution\n    M1. 
What processes do you have to ensure that your code is not \ncorrupted in between development and delivery to customers or external \nparties (e.g., escrow agents)? For example, do you use checksums or \nother mechanisms to ensure that the code ``as developed and released to \nmanufacturing'' is what is delivered to customers?\n    M2. Are these processes consistent across product divisions and \nproducts?\n    M3. What are your processes regarding backing up (that is, secure \nstorage) of source code, to include length of time for which you store \nit (e.g., escrowing), security controls around the secure storage \n(e.g., encryption) and any auditing or ``spot checking'' of these \ncontrols?\n    M4. Do you use a third party to escrow source code? If so, what \ncontrols are there on source code as it is transmitted to the firm \n(e.g., is it encrypted and/or sent by trusted courier, other?)\nThird Party Access to Source Code\n    P1. What policies do you have around providing access to source \ncode to third parties and how are they enforced? (There are many \nreasons an entity might provide such access: for example, a third party \nmight be doing a ``port'' of the code to an operating system that the \ncompany does not have in-house resources to do.) What kind of access is \nprovided and how is it provided? (Does the third party have access to \ncorporate networks for purposes of accessing code, or other?)\n    P2. Is there any ``master list'' of where such access has been \napproved and provided, to whom, for what products and so forth?\n    P3. What policies and processes do you have in place to ensure, for \nexample, that random third parties (to include customers and third \nparty research firms acting on their behalf) do not get access to \nsource code for purposes of security analysis? 
(While companies may \nwish to contract with third parties for such purposes, allowing a third \nparty to access source code for security analysis purposes allows that \nthird party to amass a database of unfixed security vulnerabilities \nwhich, if compromised or sold, could put all customers at risk.)\nHardware\n    The following section addresses hardware-specific supply chain \nrisks.\nManufacturing\n    HM1. To what degree is your manufacturing outsourced?\n    HM2. If all or part of your manufacturing is outsourced, what steps \nhave you taken to mitigate intellectual property theft (i.e., by not \nhaving a turnkey ``outsourcer'' that provides all components to \nspecifications and that also does final assembly, or by selecting \nlocales based on ``country risk?'') \\6\\\n---------------------------------------------------------------------------\n    \\6\\ The degree to which manufacturing can be outsourced in sections \nis a function of the amount of expertise one wants to retain in-house \nand also an assessment of risk of putting all one's eggs in one basket, \nin particular, country-specific risk. Some locales have not only a \nhigher reputation for intellectual property theft but much less legal \nprotection of IP.\n---------------------------------------------------------------------------\nTesting\n    HT1. What kind of testing do you conduct of a) components during \nmanufacturing and b) final component assembly?\n    HT2. Is testing done by the outsourcer or is there a ``check and \nbalance'' wherein testing is done by an entity other than the \nmanufacturer?\n    HT3. How broad and deep is the testing (Each component? Each final \nassembly?)\n    HT4. 
Does testing \\7\\ include verification that there are no \ncomponents or functions that should not be there?\n---------------------------------------------------------------------------\n    \\7\\ Note: as with software, hardware testing can establish that \nhardware performs to specifications but cannot necessarily establish \nwhat it does not do.\n---------------------------------------------------------------------------\nCounterfeiting/Fraud\n    HC1. What procedures do you have in place to ensure that components \nused in hardware manufacture are authentic (that is, not \ncounterfeited)? How broad (i.e., against the spectrum of components) \nand deep (i.e., frequency) is your verification?\n    HC2. What procedures do you have in place to provide component \nverification for customers (that is, to establish that hardware \nostensibly of your manufacture actually is authentic and not a \nknockoff?)\n    HC3. Do you actively look for fraudulent ``suppliers'' of your \nproduct?\nOther\n    HO1. Are any hardware components used and resold \\8\\ wiped to \nensure that no data--or non-standard programs--are installed when they \nare delivered to customers?\n---------------------------------------------------------------------------\n    \\8\\ Some companies use their own hardware components for testing or \ndevelopment purposes for a period of 90 days or less and then sell them \nto customers (tax laws allow this). It's critical to ensure that there \nis no data or non-standard programs on the hardware for the protection \nof both the supplier and customers. This is a different issue than \nwiping corporate data (or intellectual property) prior to disposition.\n---------------------------------------------------------------------------\n    HO2. Is this verified to ensure that data is truly non-recoverable?\n    HO3. 
Are hardware components used operationally wiped before being \nscrapped or resold to ensure that data is non-recoverable?\n                                 ______\n                                 \n    Response to Written Questions Submitted by Hon. John Ensign to \n                           Mary Ann Davidson\n    Question 1. Ms. Davidson, Mr. Lewis of the Center for Strategic and \nInternational Studies states in his testimony that public-private \npartnerships, information-sharing, self-regulation, and market-based \nsolutions in the cybersecurity space are ``well past their sell-by \ndate'' and have not been successful. He argues that strong government \nmandates are required to spur the cybersecurity innovation that our \ncountry needs. As the only witness on the panel who has any hands-on \ncybersecurity experience in the private sector, do you agree with Mr. \nLewis that we have exhausted the potential of market-based solutions to \nimprove cybersecurity? If not, what specific steps can we take to \nimprove cooperation and coordination between industry and the \ngovernment?\n    Answer. With all respect to my esteemed colleague, Mr. Lewis, I do \nnot agree with him on this issue. To take these points separately, I do \nnot think that market based solutions have been fully explored in areas \nwhere they could help harvest low hanging security fruit. To give one \nsuch example, the Air Force (under then-CIO John Gilligan) realized \nthat some 80 percent of their serious security vulnerabilities (as \nidentified by NSA) were the result of poor desktop configurations. They \nworked with one of their major suppliers (Microsoft) and NSA to craft a \nmore secure desktop configuration and then--as a condition of \nprocurement--required Microsoft to ship products to them in the secure \ndefault configuration. They estimated they saved millions of dollars \nover the life of their contract and dramatically improved their \nsecurity posture. 
That configuration became the basis of the Federal \nDesktop Core Configuration (FDCC), which the Office of Management and \nBudget (OMB) required all suppliers to be able to comply with (that is, \nsuppliers who ran on a Microsoft desktop needed to assert that they \nsupported/could run on an FDCC-compliant Windows desktop).\n    While the way the program was implemented can and should be \nimproved, as a general construct, it was an important and needed \neffort. The U.S. government could help itself--and other market \nsectors--by requiring any product sold to it to: (a) deliver a secure \nconfiguration guide, (b) allow the product to be installed by default \nin the secure configuration, and (c) provide either tools to maintain \nthe configuration OR make the security-specific configuration \nparameters machine readable in a standard format (such as Security \nContent Automation Protocol (SCAP)). It is a ``no brainer'' to require \nsuppliers to do something once that enables all customers to: (a) be \nmore secure out of the box, (b) maintain their security posture easily, \nand (c) lower their lifecycle security costs. Yet, it has never been \nbroadly adopted as a procurement requirement. There is a lot of low \nhanging fruit like that that has never been planted, let alone \nharvested. (Note: Oracle, like many large vendors, has instituted \n``secure by default'' as part of their development process. We do this \nbecause we, like many vendors, run our own company on our own software \nand thus it lowers our own IT security costs and improves our IT \nsecurity posture as a company, not to mention that of all other \ncustomers. Providing good security at an attractive price point is also \na competitive advantage for us. 
In short, we have market incentives \n(lower cost of operations) to deliver secure configurations.)\n    No vendor can or should argue that doing something once as a \nvendor, that improves security for all customers, and lowers their \nlifecycle costs, ``can't be done'' or ``shouldn't be done.'' It does \nwork, it can work, it must work. It makes too much economic sense not \nto work (and does, indeed, correct a market inefficiency).\n    I am leery of ``information sharing'' being thrown out as a \nsecurity cure-all, because information sharing is a technique, or a \ntactic; it is not a strategy. Specifically, it is not always easy to \nascertain what information is useful, with whom it should be shared, \nwhat the desired result would be of such information sharing, and so \non. Absent some concrete ``for instances,'' it's ineffective for \neveryone to share everything with everybody as a cure for cybersecurity \nproblems. Furthermore, information sharing (in the general sense) \ntypically imposes costs on those sharing the information that may \n``crowd out'' other--more useful--security activity. Not to mention, \nmany businesses are global entities, so it is difficult to share \ninformation with one entity (the U.S. government) and not others (e.g., \nother governments).\n    Back to the procurement idea, what would actually facilitate \ninformation sharing, and enable better situational awareness as well as \nmore automated defenses is continuing to push the elements of SCAP \nthrough the standards process (ideally, as an international standards \norganization (ISO) standard) and then requiring suppliers to support \nSCAP as a condition of Federal procurement. Why? Because currently, \nnobody can answer the following questions real time: what is on my \nnetwork? who is on my network? what is my state of (security) \nreadiness? and what is happening that I should be concerned about? 
SCAP \ndoes not speak to all of these, but absent being able to automate \ndiscovery of what's on the network--what products, what versions--what \nis the security configuration of those elements--what vulnerabilities \nare present? and so on, there is no way that defenses can be automated. \nAnd, being able to have a common language to express the above would \ntake the scarce resources we now employ in purchasing and deploying \nmultiple one-off tools--which cannot communicate with all networks \nelements, which cannot express ``readiness'' in any way that is \nactionable--and apply them to other areas of network defense. Better \nintelligence at a lower cost: voila!\n    Automated and actionable information sharing for which the \ninformation has a specific purpose and distinct benefit is more \neffective than ``give us all your information.''\n    In short, the government can and does change the market through \ntheir procurement policies. ``You don't ask; you don't get'' is not, \nperhaps, enshrined in the Federal Acquisition Regulations, but it \nshould be. And, working with industry in a public private partnership \nto talk about how rapidly those requirements can be implemented, what \nkind of timelines, and so on, could help make procurement an effective \ninstrument of change.\n    Another example: the Defense Department claims they want to do \nbetter risk based acquisitions. One way to accomplish this would be for \nthe U.S. Government to come up with a standard (i.e., ``single'' ) set \nof reasonable questions around software development practices that \nwould help a customer know what was and was not done in the area of \nsecurity. They should be questions for which the answers: (a) have \nvalue, (b) would materially affect the customers' decision to procure \nand (c) have a specific purpose in mind that (d) should be readily \nanswerable by both large and small suppliers. 
A vendor could answer \nthese questions once (per product) and the results could be reused by a \nnumber of procurement offices. Better information, at lower cost, and \nmore transparency. Transparency also reduces market inefficiencies \n(i.e., where the seller has more information than the purchaser). This \nis also a better approach than having multiple, agency-specific or \ncountry specific ``assessments'' that actually crowd out security \nimprovements (just as having 12 termite inspections will not result in \na house with \\1/12\\<SUP>th</SUP> the number of termites, but it will \nresult in a more expensive house). I already have had customers asking \nfor such transparency and, where a product group is not doing as well \nas I would like, I have used the ``transparency requirement'' to push \nthe problems to a senior level of management. (That is, if you don't \nwant to publicly say you don't do A, B, and C, because you think you \nwill look bad vis a vis your competitors, then the remedy is to start \ndoing A, B and C. This assumes A, B and C are worth doing and \nmaterially improve security which, in the case of our company and \nothers who have such software assurance programs, they are.) If it is \ntrue that everybody cannot do everything perfectly in security (and it \nis true), it is also true that most of us can do some things better \nthat are also economically feasible to do better.\n\n    Question 2. Ms. Davidson, in your testimony you discuss the need to \nchange our educational system and to slow our country's exposure to \nsystemic cybersecurity risk. You raise a lot of good points, but do you \nhave any other specific recommendations on what this committee can do \nto harden and protect our critical infrastructure?\n    Answer. What about starting to require self defending products as \npart of procurement? 
The Marine Corps ethos is ``every Marine a \nrifleman.'' That is, every Marine can fight, and they don't outsource \nindividual defense to the next Marine down the line. They do not assume \ntheir perimeters will not be breached, nor that they will never take \ncasualties.\n    Given the threat environment (and the fact that our perimeters are \nso porous), we should change our mindset away from ``build stronger \nfirewalls'' to realizing that: (a) perimeters will be breached and thus \n(b) we need both ``redoubts''--ideally dynamic redoubts--and for each \nproduct to be able to defend itself. That is, products already know \nwhat good input looks like, how to handle bad input gracefully. It \nought also to anticipate ``evil input'' and be able to share real time \ninformation (e.g., events of interest) via a common auditing protocol \nand format (something NIST could develop and, apparently, is developing \nvia a standard called CEE (Common Event Expression)). A fire team pinned \ndown by enemies will not last long if it cannot tell the command post \nthey are under fire in language the command post can understand. \nSystems under attack will not be able to survive if they cannot \ndigitally do the same thing.\n    Procurement could be used to start ``signaling'' the marketplace \nthat DOD expects products to natively defend themselves instead of \nassuming ``nobody would ever do that,'' and ``the firewall will save us \nall'' as is the case now.\n    Networks are--like it or not--battlefields now and we ought to take \nthe lessons we have learned from warfare and apply them to general \nnetwork defense (and by that I do not necessarily mean ``cyberwar''). \nBy way of example, the late Maj. John Boyd's theories on the importance \nof maneuverability to air combat (popularized as the so-called observe-\norient-decide-act (OODA) loop) found later application to ground combat \n(i.e., in the first Gulf War) and also in business strategy.\n\n    Question 3. Ms. 
Davidson, in his testimony, Admiral McConnell \nrecommends establishing a National Cybersecurity Center (modeled after \nthe National Counter Terrorism Center) that would integrate private \nsector participation with interagency cooperation. What are your \nthoughts about such a center? In your opinion, would the private sector \nview this as a positive development or just one more layer of \ngovernment bureaucracy?\n    Answer. Before undertaking such an activity, I'd want to consider \nwhat existing organizations do (and how well) and what the ``mission \nstatement'' is for such a new organization. We already have industry \nspecific information sharing and analysis centers (ISACs) which are \nnatural focal points for both industry sectors to share information \namong themselves and to serve as a focal point for interactions with \ngovernment (e.g., I have been told--but have no way to verify--that the \nHeartland Payment Systems data breach used techniques that were known \nand discussed in the financial services industry ISAC (of which \nHeartland was not a member at the time)).\n\n    Question 4. What mechanisms are in place for private companies to \nreport cyber intrusions (either originating domestically or overseas) \nto the Federal Government?\n    Answer. As a general comment, I think we need to choose words \ncarefully in terms of what constitutes an intrusion. That is, there may \nbe ``general patterns of traffic'' that could be of interest, that do \nnot constitute an intrusion. Also, there are ``incidents'' that, upon \ninvestigation, are found not to have merit. For example, if a company \nhas poor processes for terminating the accounts of employees who have \nleft, and a (former) employee accesses their network, should that be \nreported to the government? I would think ``no,'' in the general case. 
\nNow, if the company had evidence that their industrial designs for, \nsay, a new hardware encryption device being built for the Defense \nDepartment were exfiltrated by that employee, the answer would likely \nbe ``yes.''\n\n    Question 5. What is being done to encourage private companies, \nparticularly those with government contracts, to report cyber \nintrusions (either originating domestically or overseas)?\n    Answer. With all respect, this discussion, doubtless coming on the \nheels of the Google-China incident, reminds me of the discussions of 8 \nor 9 years ago, when the Federal Government wanted information about \nnon-public security vulnerabilities in software products (the \ndiscussion was typically, ``vendors, give us all your vulnerability \ninformation''). Leaving aside the fact that a) there is often no \nremediation for such issues until the vendor issues a patch, b) sharing \nthat information inevitably results in data leaks, which puts everyone \nat risk. Famously, CPNI (part of MI-5) ``shared'' such information on a \n``need to know'' basis only (with other UK intelligence or Ministry of \nDefence entities) and yet it leaked to U.S. COMMERCIAL customers, which \nled to the actual vulnerability being reported to the vendor who built \nthe software. The vendor, of course, was the only one actually able to \nremediate the defect. In the meantime, the risk to the vendors' \ncustomer base materially increased and the trust of the vendor \ncommunity toward this particular government materially decreased. (CPNI \nhave since implemented much better information sharing protocols.)\n    There is a difference between a cyber intrusion where the entity \nhas determined is limited and did no damage and one in which there was \nmaterial harm. The next question ought to be a consideration of the \nbenefit of sharing that information, the cost of obtaining it, and the \npositive results that would accrue from it. 
Just asking people to throw \naudit logs over the wall to a third party, for example, does not have a \nclear benefit (and could, if the information were not handled properly, \nrender the intruded upon entity MORE vulnerable in the future).\n\n    Question 6. Do government contractors have an ethical or statutory \nobligation to report cyber intrusions (either originating domestically \nor overseas)?\n    Answer. In my opinion, it depends upon the nature of the intrusion.\n\n    Question 7. Do government contractors with classified information \non their servers and individuals with security clearances on their \npayrolls have a statutory or ethical obligation to report cyber \nintrusions (either originating domestically or overseas)?\n    Answer. See earlier comments. Note that I am not arguing against \nreporting anything; my concern is that any organization on either the \noriginating or receiving end of information can drown in it if the \ninformation is not targeted for a specific purpose. And, if a system is \nvulnerable, and the vulnerability had not been remediated (which may \nrequire an architectural change or operational change), if the \ninformation about HOW the breach occurred is not protected, the company \nwill be more vulnerable.\n    Clearly, there are occasions in which an intrusion would have \nlarger ramifications than just the effect on the intruded upon entity. \nFor example, if a contractor is developing a new weapons program, and \nthe designs are exfiltrated to a hostile nation state, which renders \nthe value of the weaponry potentially much lower to the Defense \nDepartment. You can't have a technical advantage if the technology is \nused by everybody.\n    In short, I think ``incident reporting'' to be successful would \nneed some clear ground rules for both asker and askee to include what \ntypes of incidents or intrusions are material and germane.\n\n    Question 8. 
When Request For Proposals (RFPs) are put out for \ncontracts that involve sensitive or classified information do all of \nthese RFPs require that bids include the number of successful and \nunsuccessful cyber intrusions committed by domestic or foreign entities \n(either originating domestically or overseas)?\n    Answer. I am unaware of any such requirements in RFPs.\n    At the risk of stating the obvious, you can't count unsuccessful \nintrusions because there are a lot of attempts you cannot necessarily \ncapture. Also, you cannot count the successful intrusions you haven't \nfound yet, either. What would be unproductive is reporting something \nlike ``number of port scans'' as a proxy for ``unsuccessful \nintrusions.'' Firewalls get scanned all the time. Having to collect that \ndata and report it doesn't really accomplish anything besides taking a \nscarce resource (a good security person) and putting them on a \nreporting function.\n    By way of example, about 9 or 10 years ago, after Oracle started \nrunning an ad campaign entitled ``Unbreakable''--the port scans on our \nfirewall (that is, an attempt to look for open ports, perhaps through \nwhich to mount an attack) increased by an order of magnitude in just \none week. We can pretty confidently conclude that the increase in port \nscans was from hackers who wanted to be the first to break \n``Unbreakable.'' Now, there were no actual intrusions but, in the \nabsence of a precise definition, someone could require these port scans \nto be reported as an ``incident.'' That would not be a productive use \nof either a reporter's time or the time of an entity on the receiving \nend, either.\n\n    Question 9. In your opinion, if a private company believes that it \nhas been the victim of a cyber intrusion (both originating domestically \nor overseas), which is the appropriate agency that it should report \nthis intrusion to?\n    Answer. The FBI. 
And in fact the FBI does reach out to local \nbusinesses in Silicon Valley (and for all I know in other locations) to \nengage in dialogue. Doing this proactively is better than hoping a \ncompany knows to call the FBI.\n\n    Question 10. In your opinion, if a government contractor believes \nthat it has been the victim of a cyber intrusion (both origination \ndomestically or overseas), which is the appropriate agency that it \nshould report this intrusion to?\n    Answer. The FBI.\n\n    Question 11. In your opinion, if a government contractor that is \nworking on a sensitive or classified project and believes that it has \nbeen a victim of a cyber intrusion (both origination domestically or \noverseas), which is the appropriate agency that it should report this \nintrusion to?\n    Answer. I think the company ought to be doing an investigation on \ntheir own first and in fact, most organizations of size DO have (or \nshould have) an incident response protocol which includes a series of \ndecisions as to whether law enforcement should be contacted (regarding \nan incident) and under what conditions. For example, if a government \ncontractor experienced a website defacement (which is an ``incident'' \nunder most definitions), does any Federal Government entity really want \nthat reported to them? (Note that a web page for the company as a whole \nis likely a different area of the network than a classified program.)\n    This would actually be a good area for industry-government \ndialogue--under what circumstances would the government want to know of \n``incidents?''\n                                 ______\n                                 \nResponse to Written Questions Submitted by Hon. John D. Rockefeller IV \n                   to Rear Admiral James Barnett Jr.\n    Question 1. What about cybersecurity? 
Are you confident that the \neveryday American citizen knows the threat that we are under, and knows \nhow to make his or her own home or business safe?\n    Answer. I believe that the consumers, on the whole, are becoming \nmore aware of the threats that exist when they use the Internet, but \nthere continues to be room for improved education in this area. Polling \ndata, for example, indicates that citizen awareness is improving. A \nMarch 2009 poll conducted by Harris Interactive indicates that online \nsecurity awareness among adults 18 and over had ``grown tremendously in \nthe past 2 years. The study found that 62 percent are more concerned \nabout their online security.''\n    Nevertheless, earlier studies identified significant gaps between \nperceptions and the realities of America's cyber security and are cause \nfor continuing concern. For example, whereas 81 percent said they were \nusing a firewall, expert analysis indicated that in reality only 42 \npercent had a firewall installed on their computer.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ 2008 NCSA/Symantec Home User Study, October 2008, http://\nstaysafeonline.mediaroom\n.com/index.php?s=67&item=46.\n\n    Question 2. Should there be basic cyber awareness and education as \npart of the normal curriculum in elementary and secondary school?\n    Answer. Yes. Regardless of the environment in which it is taught, \nour youngest generation needs instruction at the appropriate time by \nresponsible adults who are knowledgeable on these subjects. According \nto a poll released February 25, ``more than 90 percent of technology \ncoordinators, school administrators and teachers support teaching \ncyberethics, cybersafety and cybersecurity in schools. 
However, only 35 \npercent of teachers and just over half of school administrators report \nthat their school districts require cyberethics, cybersafety, and \ncybersecurity in their curriculum.'' \\2\\ There are also differing \nopinions ``as to who is or should be responsible (parents vs. teachers) \nfor educating students about cyberethics, cybersafety, and \ncybersecurity. For example, while 72 percent of teachers indicated that \nparents bear the primary responsibility for teaching these topics, 51 \npercent of school administrators indicate that teachers are \nresponsible.'' \\3\\\n---------------------------------------------------------------------------\n    \\2\\ Cybersecurity, Safety and Ethics Education Falls Short in U.S. \nSchools, February 2010. http://staysafeonline.mediaroom.com/\nindex.php?s=43&item=57.\n    \\3\\ Ibid.\n\n    Question 3. What must the government do better? What must the \nprivate sector do better? What responsibilities do both have to the \npublic at large?\n    Answer. Concerning educating the everyday American citizen on \ncybersecurity issues, the government must speak with a single, clear \nvoice. Hence the FCC is committed to working with other Federal \nagencies to deliver a coordinated message. The Commission has a unique \nrole on the Federal team protecting the critical communications \ninfrastructure against cyber attacks. Thus, the Commission must \ncoordinate its own focus on the cybersecurity of the communications \ninfrastructure with the end-system and standardization cybersecurity \nresponsibilities that have been delegated to DHS, FTC, NIST, and other \nFederal agencies. Many broadband service providers are to be commended \nfor making ``anti-virus'' software and services available to their \nsubscribers, frequently free of charge. 
These providers should take \nsteps to ensure that their subscribers not only are aware of the \navailability of such software and services, but, through appropriate \ncommunications to them, also take steps to ensure that they understand \nthe perils of not taking advantage of these offerings or ones that \noffer similar protections.\n    The government and the private sector must also work together to \nensure the cyber security of our Nation's critical infrastructures. For \nexample, they must work together to identify and encourage the \nimplementation of standards and best practices that will enhance the \nsecurity of our systems. In this regard, the Commission's National \nBroadband Plan recommended that the Commission explore creation of a \nvoluntary cyber security certification program as a mechanism to \nencourage the implementation of cyber security best practices by \ncommunications service providers. The government and the private sector \nmust also develop a partnership that allows for sharing of threat and \nvulnerability information.\n\n    Question 4. With this in mind, how can we fashion a public-private \npartnership, based on trust, that allows for sharing of confidential \nand/or classified threat and vulnerability information between the \ngovernment and critical private sector networks?\n    Answer. Our experience working with telecommunications carriers on \ncommunications outage reporting and vulnerability analysis suggests \nthat this is possible. The recently released National Broadband Plan \nrecommended that the Commission and the Department of Homeland \nSecurity's Office of Cybersecurity and Communications should \ncollaboratively develop an IP network Cyber Information Reporting \nSystem (CIRS). 
As envisioned, CIRS would serve as a mechanism by which \nthe Commission could collect situational awareness information from \ncommunications service providers and ISPs, during cyber events as \nopposed to hurricanes and other types of emergencies. Under CIRS, the \nCommission would act as a trusted facilitator to ensure that any \ninformation sharing is reciprocated and structured in such a fashion \nthat ISP proprietary information remains confidential. CIRS filers may \nbe in a position to report about downstream attacks, i.e., attacks on \ncustomers. Accordingly, relevant privacy issues and other details would \nneed to be addressed.\n\n    Question 5. Would government and private cybersecurity efforts \nbenefit from ``vulnerability mapping'' of major U.S. networks, public \nand private?\n    Answer. Yes. Vulnerability mapping typically involves identifying \nweaknesses in the targeted network infrastructure components and their \ncommunications protocols. Many of these weaknesses are already well \nunderstood and a greater benefit would come from ubiquitous deployment \nof known fixes and best practices. Naturally, steps would have to be \ntaken to secure this sensitive information.\n\n    Question 6. What are the specific risks to such an activity?\n    Answer. The most obvious risk of vulnerability mapping is a breach \nin information security whereby an adversary obtains sensitive \ninformation about vulnerabilities in our critical communications \ninfrastructure. I believe this risk can be mitigated with proper \nsafeguards, and I further believe that the benefits of vulnerability \nmapping outweigh the risks. There's little real security to be achieved \nthrough obscurity. Any effort relying on security through obscurity--\nthe idea of not drawing attention to a security problem lessens the \npotential for a security event--assumes that if flaws are not known, \nthat attackers are unlikely to find them. 
While this notion may be \ntheoretically attractive as a defense in-depth measure, in the real \nworld where we are dealing with multiple vulnerabilities spread across \na substantial infrastructure, which is currently the case, this is not \na reasonable assumption. Rather, achieving security by design--where \nconcerted efforts are brought to bear on solving a set of vulnerability \nrisks--would make us more secure.\n                                 ______\n                                 \n    Response to Written Questions Submitted by Hon. John Ensign to \n                     Rear Admiral James Barnett Jr.\n    Question 1. Are there any legal restrictions we should focus on \nthat make it more difficult for industry and government agencies to \nshare the information needed to protect our critical cyber \ninfrastructure? Are there any barriers that Congress needs to eliminate, \nor any legal flexibility we can provide to foster the necessary sharing \nwhile still protecting sensitive or proprietary information?\n    Answer. I believe that the Administration's recent Cyberspace \nPolicy Review--Assuring a Trusted and Resilient Information and \nCommunications Infrastructure, to which the FCC contributed, captures \nwell the current state of information sharing between and among \nindustry and government agencies:\n    ``Some members of the private sector continue to express concern \nthat certain Federal laws might impede full collaborative partnerships \nand operational information sharing between the private sector and \ngovernment. For example, some in industry are concerned that the \ninformation sharing and collective planning that occurs among members \nof the same sector under existing partnership models might be viewed as \n``collusive'' or contrary to laws forbidding restraints on trade. [For \nexample, the Sherman Antitrust Act, 15 U.S.C. §§ 1-7 (2004)]. 
Industry \nhas also expressed reservations about disclosing to the Federal \nGovernment sensitive or proprietary business information, such as \nvulnerabilities and data or network breaches. This concern has \npersisted notwithstanding the protections afforded by statutes such as \nthe Trade Secrets Act and the Critical Infrastructure Information Act, \nwhich was enacted specifically to address industry concerns with \nrespect to the Freedom of Information Act (FOIA). Beyond these issues, \nindustry may still have concerns about reputational harm, liability, or \nregulatory consequences of sharing information. Conversely, the Federal \nGovernment sometimes limits the information it will share with the \nprivate sector because of the legitimate need to protect sensitive \nintelligence sources and methods or the privacy rights of individuals.\n    These concerns do not exist in isolation. Antitrust laws provide \nimportant safeguards against unfair competition, and FOIA helps ensure \ntransparency in government that is essential to maintain public \nconfidence. The civil liberties and privacy community has expressed \nconcern that extending protections would only serve as a legal shield \nagainst liability. In addition, the challenges of information sharing \ncan be further complicated by the global nature of the information and \ncommunications marketplace. When members of industry operating in the \nUnited States are foreign-owned, mandatory information sharing, or \nexclusion of such companies from information sharing regimes, can \npresent trade implications.''\n    [Obama Administration, Cyberspace Policy Review--Assuring a Trusted \nand Resilient Information and Communications Infrastructure, May 29, \n2009, p.18]\n\n    Question 2. What mechanisms are in place for private companies to \nreport cyber intrusions (either originating domestically or overseas) \nto the Federal Government?\n    Answer. 
The FCC currently has rules that require communications \nproviders to report disruptions to circuit-oriented infrastructure and \nwireline and wireless switched-voice services. Thus, if a cyber \nintrusion resulted in a circuit-oriented or switched-voice \ncommunications service outage that meets certain thresholds, the \ncommunications provider must report the outage and the root cause to \nthe FCC. These rules generally cover legacy communications systems and \ndo not cover Internet Protocol (IP)-based communications \ninfrastructure. To address this, the National Broadband Plan proposed \nthat the Commission initiate a proceeding to expand these outage \nreporting rules to broadband Internet service providers and to \ninterconnected voice over IP service providers.\n    In addition, the National Broadband Plan recommended that the \nCommission and the Department of Homeland Security's Office of \nCybersecurity and Communications collaboratively develop an IP network \nCyber Information Reporting System (CIRS) somewhat as an analog of the \nFCC's Disaster Information Reporting System (DIRS). Specifically, the \nNational Broadband Plan states that ``CIRS will be an invaluable tool \nfor monitoring cybersecurity and providing decisive responses to cyber \nattacks.\n    CIRS should be designed to disseminate information rapidly to \nparticipating providers during major cyber events. CIRS should be \ncrafted as a real-time voluntary monitoring system for cyber events \naffecting the communications infrastructure. The FCC should act as a \ntrusted facilitator to ensure any sharing is reciprocated and that the \nsystem is structured so ISP proprietary information remains \nconfidential.'' National Broadband Plan, Recommendation 16.8 (available \nat http://www.broad\nband.gov/plan/16-public-safetyntr16-1).\n\n    Question 3. 
What is being done to encourage private companies, \nparticularly those with government contracts, to report cyber \nintrusions (either originating domestically or overseas)?\n    Answer. The packet-oriented infrastructure and packet-switched \nservices such as Internet access are much more susceptible to outages \ncaused by cyber incidents. The FCC has engaged in collaborative efforts \nwith industry, including Internet Service Providers, to enhance \nindustry's own ability to prevent and respond to cyber events through \nFederal advisory committees, which include private sector \nrepresentatives. There are currently no requirements for reporting \npacket-switched service outages or their causes, which would include \ncyber incident causes.\n    The FCC's National Broadband Plan has recommended that the \nCommission's Part 4 outage reporting rules be expanded through a \nrulemaking proceeding to include ISPs and interconnected VoIP service \nproviders. The Commission would seek comment about reported ``causes'' \nand thresholds for reportable events. As with the data received \npursuant to the Commission's circuit-oriented outage reporting rules, \nISP and VoIP outage data would be analyzed and used to support \ncooperative efforts with industry to improve security and reliability.\n\n    Question 4. Do government contractors have an ethical or statutory \nobligation to report cyber intrusions (either originating domestically \nor overseas)?\n    Answer. We are not aware of any code of ethics or statutory \nobligation that requires government contractors to report cyber \nintrusions. Although the Federal Acquisition Regulation (FAR) requires \ncontracts over $5 million to include a clause requiring the contractor \nto establish a written code of business ethics and conduct, there is no \nFAR requirement that such codes address the subject of cyber \nintrusions. 
FCC Directive 1479.3 (mentioned in the response to question \n5), which is included in a small number of FCC IT contracts, requires \nreporting of ``security incidents'' regarding FCC IT systems.\n\n    Question 5. Do government contractors with classified information \non their servers and individuals with security clearances on their \npayrolls have a statutory or ethical obligation to report cyber \nintrusions (either originating domestically or overseas)?\n    Answer. Under the National Security Act, government contractors and \ntheir employees with security clearances have a statutory obligation to \nprotect the classified information that comes into their possession. \nThis requires the same reporting of cyber intrusions into systems that \ninvolve sensitive information as fall to government employees.\n\n    Question 6. When Request For Proposals (RFPs) are put out for \ncontracts that involve sensitive or classified information do all of \nthese RFPs require that bids include the number of successful and \nunsuccessful cyber intrusions committed by domestic or foreign entities \n(either originating domestically or overseas)?\n    Answer. The FCC's information technology contracting procedures \nrequire contractors to comply with the security matters addressed in \nFCC Directive 1479, which ``establishes policy and assigns \nresponsibilities for assuring that there are adequate levels of \nprotection for all FCC information systems, the FCC Network, \napplications and databases, and information created, stored, or \nprocessed therein.''\n    A requirement that the vendor report the number of successful and \nunsuccessful cyber intrusions is not a standard feature of FCC \ncontracts for information technology systems. However, under current \nprocedures this requirement could be included in the language for those \ncontracts for systems that involve sensitive information at the \ndiscretion of the Contracting Officer. 
The nature of Internet-based \ncyber attacks is such that careful attention would have to be given to \nspecifying definitions, thresholds and suspected origination of cyber \nintrusions.\n\n    Question 7. In your opinion, if a private company believes that it \nhas been the victim of a cyber intrusion (either originating domestically \nor overseas), which is the appropriate agency that it should report \nthis intrusion to?\n    Answer. If a cyber intrusion results in circuit-oriented or \nswitched-voice communications service outages that meet certain \nthresholds, then the communications provider must report the outage and \nthe root cause (i.e., the cyber incident) to the FCC in accordance with \nPart 4 of our regulations. As noted above, the FCC's National Broadband \nPlan has recommended that outage reporting rules be expanded to include \nISPs and interconnected VoIP services through a rulemaking proceeding.\n    More generally, as the GAO has noted, where criminal activity is \ninvolved ``the Departments of Justice (DOJ), Homeland Security (DHS), and \nDefense (DOD), and the Federal Trade Commission (FTC) have prominent \nroles in addressing cybercrime within the Federal Government. DOJ's FBI \nand DHS's U.S. Secret Service (Secret Service) are key Federal \norganizations with responsibility for investigating cybercrime. State \nand local law enforcement organizations also have key responsibilities \nin addressing cybercrime.''\n    [Cybercrime--Public and Private Entities Face Challenges in \nAddressing Cyber Threats, June 2007, GAO-07-705, p.1]\n\n    Question 8. In your opinion, if a government contractor believes \nthat it has been the victim of a cyber intrusion (either originating \ndomestically or overseas), which is the appropriate agency that it \nshould report this intrusion to?\n    Answer. 
In my opinion a government contractor should--unless the \napplicable contract otherwise provides--first report a cyber intrusion \nto the contracting agency; for example an FCC contractor should report \na cyber intrusion to the FCC. If criminal activity is suspected, then \nthe FCC will report the intrusion to the agency or agencies that \ninvestigate cyber crime within the Federal Government, such as the \nDepartments of Justice and Homeland Security.\n\n    Question 9. In your opinion, if a government contractor that is \nworking on a sensitive or classified project believes that it has \nbeen a victim of a cyber intrusion (either originating domestically or \noverseas), which is the appropriate agency that it should report this \nintrusion to?\n    Answer. Unless the governing contract otherwise provides, a \ngovernment contractor should first report a cyber intrusion involving \nsensitive or classified information to the contracting agency. If \ncriminal activity is suspected, then the agency should report the \nintrusion to the agency or agencies that investigate cyber crime within \nthe Federal Government, such as the Departments of Justice and Homeland \nSecurity.\n\n</pre></body></html>\n"
