[Senate Hearing 111-1103]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 111-1103
 
                          CYBER SECURITY--2010

=======================================================================


                                HEARINGS

                               before the

                              COMMITTEE ON

                         HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE


                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 15, 2010
 PROTECTING CYBERSPACE AS A NATIONAL ASSET: COMPREHENSIVE LEGISLATION 
                          FOR THE 21ST CENTURY

                               __________

                           NOVEMBER 17, 2010
         SECURING CRITICAL INFRASTRUCTURE IN THE AGE OF STUXNET

                               __________

        Available via the World Wide Web: http://www.fdsys.gov/

       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs



                  U.S. GOVERNMENT PRINTING OFFICE
58-034                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001





        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          GEORGE V. VOINOVICH, Ohio
CLAIRE McCASKILL, Missouri           JOHN ENSIGN, Nevada
JON TESTER, Montana                  LINDSEY GRAHAM, South Carolina
ROLAND W. BURRIS, Illinois
EDWARD E. KAUFMAN, Delaware *
CHRISTOPHER A. COONS, Delaware *

                  Michael L. Alexander, Staff Director
         Deborah P. Parkinson, Senior Professional Staff Member
              Adam R, Sedgewick, Professional Staff Member
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
   Robert L. Strayer, Minority Director of Homeland Security Affairs
          Devin F. O'Brien, Minority Professional Staff Member
                  Trina Driessnack Tyrer, Chief Clerk
         Patricia R. Hogan, Publications Clerk and GPO Detailee
                    Laura W. Kilbride, Hearing Clerk

 * Senator Coons replaced Senator Kaufman on the Committee on November 
                               15, 2010.

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Lieberman I60 1, 39..................................
    Senator Collins I60 3, 40....................................
    Senator Carper...............................................     5
    Senator McCain...............................................    15
    Senator Burris...............................................    17
    Senator Coons................................................    59
Prepared statements:
    Senator Lieberman I60 65, 124................................
    Senator Collins I60 67, 127..................................
    Senator Carper...............................................    70

                               WITNESSES
                         Tuesday, June 15, 2010

Philip Reitinger, Deputy Under Secretary, National Protection and 
  Programs Directorate, U.S. Department of Homeland Security.....     6
Frances Fragos Townsend, Chairwoman of the Board, Intelligence 
  and National Security Alliance.................................    19
Alan Paller, Director of Research, The SANS Institute............    22
Steven T. Naumann, Vice President, Wholesale Market Development, 
  Exelon Corporation, on behalf of the Edison Electric Institute 
  and the Electric Power Supply Association......................    25
Sara C. Santarelli, Chief Network Security Officer, Verizon 
  Communications.................................................    27

                      Wednesday, November 17, 2010

Sean McGurk, Acting Director, National Cybersecurity and 
  Communications Integration Center, Office of Cybersecurity and 
  Communications, U.S. Department of Homeland Security...........    41
Michael J. Assante, President and Chief Executive Officer, 
  National Board of Information Security Examiners of the United 
  States Inc.....................................................    44
Dean Turner, Director, Global Intelligence Network, Symantec 
  Security Response, Symantec Corporation........................    48
Mark W. Gandy, Global Manager, Information Technology Security 
  and Information Asset Management, Dow Corning Corporation......    52

                     Alphabetical List of Witnesses

Assante, Michael J.:
    Testimony....................................................    44
    Prepared statement with an attachment........................   142
Gandy, Mark W.:
    Testimony....................................................    52
    Prepared statement...........................................   165
McGurk, Sean:
    Testimony....................................................    41
    Prepared statement...........................................   129
Naumann, Steven T.:
    Testimony....................................................    25
    Prepared statement...........................................   101
Paller, Alan:
    Testimony....................................................    22
    Prepared statement...........................................    84
Reitinger, Philip:
    Testimony....................................................     6
    Prepared statement...........................................    72
Santarelli, Sara C.:
    Testimony....................................................    27
    Prepared statement...........................................   109
Townsend, Frances Fragos:
    Testimony....................................................    19
    Prepared statement...........................................    80
Turner, Dean:
    Testimony....................................................    48
    Prepared statement...........................................   156

                                APPENDIX

Statement for the Record from Robert D. Jamison, Former Under 
  Secretary of Homeland Security for the National Protection and 
  Programs Directorate...........................................   116
Responses to post-hearing questions submitted for the Record 
  from:
    Mr. McGurk...................................................   170
    Mr. Assante..................................................   173
    Mr. Turner...................................................   176
    Mr. Gandy....................................................   177


                  PROTECTING CYBERSPACE AS A NATIONAL



                    ASSET: COMPREHENSIVE LEGISLATION



                          FOR THE 21ST CENTURY

                              ----------                              


                         TUESDAY, JUNE 15, 2010

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:59 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Carper, Pryor, Burris, 
Collins, and McCain.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. The hearing will come to order. Good 
afternoon and thanks for being here today. We are going to take 
a look at legislation Senators Collins, Carper, and I 
introduced last week, the Protecting Cyberspace as a National 
Asset Act. It provides a comprehensive framework to modernize, 
strengthen, and coordinate our cyber defenses across civilian 
Federal networks and the networks of the most vital privately 
owned critical infrastructure, including some real basics of 
American life: Our electric grid, financial systems, and our 
telecommunications networks.
    Today we are going to hear from the top cyber security 
official at the Department of Homeland Security (DHS), which, 
of course, has a critical role to play in protecting our cyber 
assets; and we are also going to hear from security and 
industry experts. We have, in preparing this legislation, 
consulted extensively with members of the Administration, 
people in the private sector, and privacy groups as well.
    In the 40 years since the Internet was created, it has 
developed into a necessity of modern life, a source of 
remarkable information and entertainment and commerce. But as 
we also have come to know, it is a target of constant attack 
and exploitation. We now have a responsibility to bring the 
public and private sectors together to secure the Internet, 
cyberspace, and to secure it well. And we believe that our bill 
would do just that.
    The idea of cyber crime is not really totally new to the 
American people. We all know about identity theft and about 
emails from a foreign prince, doctor, or government official 
who desperately needs more money, needs to move it out of his 
or her country, and who will reward you richly--if only you 
will give them your bank account number, which some people 
actually do.
    Identity theft and financial fraud are serious matters. 
But, of course, we need, and hope through this bill, to 
reorient our thinking about the risks inherent in the Internet 
and cyberspace because today we face much greater risks in 
cyberspace than crimes like identity theft. A sophisticated 
attacker could cripple most of our financial system, take down 
a lot of the electric grid, or cause physical devastation equal 
to or greater than conventional warfare. The fact is that the 
threat of cyber attack is among the most serious threats 
America faces today.
    President Obama I think has correctly described our 
sprawling government and private sector cyber networks as a 
``strategic national asset.'' But our efforts to secure those 
networks and that national asset have been disjointed, 
understaffed, and underfinanced. So what does our bill do?
    First, we need leadership, we need focused and clear 
leadership, and our bill provides it in the form of a White 
House Office of Cyberspace Policy that would lead all Federal 
efforts to defend cyberspace--that is, civilian, defense, and 
private. The office would be led by a Senate-confirmed 
director, accountable to the public. We have previously asked, 
for instance, White House cyber coordinator Howard Schmidt to 
testify before this Committee, but we have always been turned 
down, apparently on the grounds of executive privilege. Our 
legislation would change that by requiring Senate confirmation 
and thereby making Mr. Schmidt or whoever holds that position 
subject to the call of Congress and the public.
    We also need a stronger agency to defend the dot-gov 
networks and oversee the defenses of our most critical 
infrastructure. The Department of Homeland Security Inspector 
General will issue a report tomorrow critical of many 
operational elements of the Department's cyber security effort, 
citing a lack of clear authority as one of the issues that 
needs to be rectified. Our bill more than addresses these 
shortcomings by creating a National Center for Cybersecurity 
and Communications within the Department of Homeland Security 
which would have new, strong authorities to protect non-
defense, public sector, and private sector networks from cyber 
attack. DHS already has this responsibility through 
Presidential Directive but, in our opinion, insufficient 
authority to carry it out.
    The sound defense of our cyber networks will only be 
successful if industry and government work together, so our 
bill will set up a collaborative process where the best ideas 
of the private sector and the government would be used to meet 
a baseline set of security requirements that DHS would enforce 
for the Nation's most critical infrastructure.
    Thanks to some excellent work by our colleague, Senator 
Carper, our legislation reforms and updates the Federal 
Information Security Management Act to require continuous 
monitoring and protection of Federal networks, but do away with 
the paper-based reporting system that takes up time agencies 
really otherwise would be using and should be using to protect 
their networks.
    Our legislation also would require the Federal Government 
to develop and implement a strategy to ensure that the almost 
$80 billion of information technology products and services 
that the Federal Government purchases each year are secure and 
do not provide our adversaries with a back door into our 
networks. And, of course, if the Federal Government uses that 
$80 billion of purchasing power to drive security add-ons and 
innovations in information technology products, it will also be 
available and presumably bought by the private sector.
    Finally, we would give special authority to the President 
to act in the event of a catastrophic cyber attack that could 
seriously jeopardize public safety or have disastrous effects 
on our economy or national security. In those instances, 
clearly defined in our legislation, the President could direct 
the National Cybersecurity and Communications Center at DHS to 
impose emergency measures on a select group of critical 
infrastructure to preserve those assets and the networks they 
rely on and protect the American people. These emergency 
measures would automatically expire within 30 days unless the 
President ordered an extension. I know there has been some 
concern and controversy about that provision, and we can speak 
to it, I hope, in the question-and-answer period. But it is 
linked with a very important limitation on liability of private 
entities who take action in response to an order from the 
government and might otherwise incur liability. But we protect 
them from that because the action the government is ordering 
them to take is in the national security or economic interest.
    So freedom of expression and freedom to innovate are not 
inconsistent with greater security in cyberspace and that is 
exactly what we hope to combine and balance in this 
legislation.
    Senator Collins.

              OPENING STATEMENT OF SENATOR COLLINS

    Senator Collins. Thank you, Mr. Chairman.
    Mr. Chairman, I have a very lengthy statement which I would 
request be inserted in the record in full.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Collins appears in the 
Appendix on page 67.
---------------------------------------------------------------------------
    Chairman Lieberman. Without objection.
    Senator Collins. And I will just summarize my comments.
    As the Chairman has pointed out, cyberspace is under 
increasing assault on all fronts. The cyber threat is real, and 
the consequences of a major successful national cyber attack 
could be devastating. As former Director of National 
Intelligence Michael McConnell warned in February, ``If we went 
to war today, in a cyber war, we would lose.''
    We are already under fire. Just this past March, the 
Senate's Sergeant at Arms reported that the computer systems of 
Congress and Executive Branch agencies are now under cyber 
attack an average of 1.8 billion times a month. Cyber crime 
already costs our national economy an estimated $8 billion per 
year.
    So it is clear that we must move forward now with an 
aggressive and comprehensive approach to protect cyberspace as 
a national asset. The vital legislation that we introduced last 
week would do just that. It would fortify the government's 
efforts to safeguard America's cyber networks. And it would 
promote a true public/private partnership to work on national 
cyber security priorities.
    For far too long, our approach to cyber security has been 
disjointed and uncoordinated. This simply cannot continue. The 
stakes are too high.
    Our bill, as the Chairman has pointed out, would establish 
an essential point of interagency policy coordination within 
the White House. This would be the Office of Cyberspace Policy 
which would be run by a Senate-confirmed director who would 
advise the President and who would develop a national cyber 
security strategy.
    Let me be clear. We are not talking about creating an 
unaccountable cyber czar. The Cyber Director would have defined 
responsibilities and would be accountable to Congress as well 
as to the President. The Cyber Director would be an adviser, a 
strategist, not an implementer.
    That responsibility, for Federal civilian systems and for 
the private sector critical infrastructure, would fall to a 
strong operational and tactical partner at the Department of 
Homeland Security through a newly created National Center for 
Cybersecurity and Communications (NCCC). This new cyber center 
is patterned on the National Counterterrorism Center (NCTC). It 
would have representatives from various departments and would 
work on these issues day to day.
    The bill, as I mentioned, emphasizes the importance of 
working with the private sector to improve cyber security 
across private sector networks.
    In cases where owners and operators are responsible for 
assets whose disruption would cost thousands of lives in mere 
seconds or multiple billions of dollars, the bill would 
establish certain risk-based performance requirements to close 
security gaps.
    These requirements, for example, would apply to vital 
components of the electric grid, telecommunications networks, 
financial systems, or other critical infrastructure systems 
that could cause a national or regional catastrophe if 
disrupted.
    But I want to emphasize that the private sector would be 
able to choose which security measures are implemented to meet 
the risk-based performance requirements. That model would allow 
for the continued innovation that is fundamental to the success 
of the information technology (IT) sector. And as the Chairman 
has indicated, the bill would also provide limited liability 
protections to owners and operators of critical infrastructure 
that comply with the new risk-based performance requirements.
    If a cyber attack were imminent or occurring, the bill 
would authorize the President to undertake emergency measures. 
But as the Chairman has indicated, we have carefully 
circumscribed that authority. It is limited in duration and 
scope. The bill does not authorize any new surveillance 
authorities or permit the government to ``take over'' private 
networks.
    The legislation would also take full advantage of the 
government's massive purchasing power to help ensure that cyber 
security is baked into products when they are brought to the 
marketplace.
    And, finally, the bill would improve the recruitment and 
retention of a qualified Federal IT workforce.
    If hackers can bring the nation of Estonia to its knees 
through cyber attacks, infiltrate a major defense program, and 
hack into the computers owned and operated by some of the 
world's most sophisticated private sector experts, we must 
assume that even more spectacular and potentially devastating 
attacks lie ahead. We simply cannot wait for a cyber September 
11, 2001, before our government takes this threat seriously and 
acts to protect these critical assets.
    Thank you.
    Chairman Lieberman. Thank you very much, Senator Collins.
    It is the tradition of our Committee that the Chairman and 
the Ranking Member only make opening statements. It is a 
selfish system but one that Senator Collins and I both 
appreciate. [Laughter.]
    But on this occasion, since Senator Carper is a cosponsor 
of our legislation, I would welcome any opening statement that 
you would have Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thank you very much, Mr. Chairman. I want 
to salute you and Senator Collins for bringing this together in 
a bipartisan--even a tripartisan coalition--on an issue whose 
time has come. Look around this room. Standing room only. I 
would suggest that finally at long last we have a strong 
national focus here in the Senate and in the Administration on 
taking the steps that we need to take to make sure that our 
Internet, which has grown more complex by the day, is secure.
    For 3 years, I have called for some of the very same 
reforms that we will talk about today. In fact, I introduced 
cyber security legislation, I think, last spring in an effort 
to strengthen our Federal Government--and our Nation--against 
the kinds of attacks that we have seen seriously disrupt the 
nations of Estonia, as Senator Collins has mentioned, and 
Georgia.
    One reform that I am especially happy my colleagues have 
accepted is the creation of a White House office that would be 
responsible for coordinating the security and resiliency of our 
Nation's cyberspace. To date, Federal agencies' efforts have 
been ad hoc; they have been for the most part duplicative. 
There is an old saying that goes, ``the left hand does not know 
what the right hand is doing.'' And my hope is that this office 
will provide the needed strategic direction to more effectively 
deal with challenges in cyberspace before they become a crisis.
    Another reform that I am happy, when it made it into the 
bill, is the idea that agencies need to leverage their 
purchasing power to demand that private vendors sell more 
secure products and services at the front end. For too long 
agencies have needlessly spent money cleaning up after a cyber 
attack because the technology was full of security holes. Like 
a door with no lock, hackers have used security holes that 
never should have been there in the first place to gain access 
to our sensitive networks, and this bill changes that.
    I also want to commend my colleagues--and our staffs, and I 
especially want to commend Erik Hopkins, who is sitting right 
behind me, for the work that he has done on these issues for 
years. But I commend all who have been involved in reforming 
the Federal Information Security Management Act of 2002. As we 
all know, producing a plan that sounds good on paper is not the 
same as ensuring the plan is effectively implemented. That is 
why our legislation compels agencies to stop producing the 
reams of ineffective paperwork they currently do and instead 
focus their efforts on defending their systems in real time, 
much as we do in the nuclear power industry.
    Last, I want to thank my colleagues for accepting my 
language to create a nationwide network of cyber challenges to 
help reduce the gap between the number of so-called cyber 
warriors that are produced in America and those that are being 
trained in place like China, North Korea, and Russia. A little 
bit like a farm system in baseball, these cyber challenges will 
create a pipeline of talent that can be tapped by government 
agencies and by private sector companies. If we want America to 
continue to be dominant in the century to come--and we know we 
do--we have to invest in the skills of these young people.
    In closing, I look forward to working with our Chairman, 
with Ranking Member Collins, and other colleagues who have an 
interest in these issues, including Senator McCain to my left, 
and my colleague, Senator Burris from Illinois, who I know has 
a strong interest in these issues. My hope is we can bring 
together a diverse group of stakeholders on all sides of the 
issue to produce a bipartisan/tripartisan bill that will 
enhance our Nation's cyber security and be signed by the 
President before the end of this week--or maybe this month. How 
about this year? Thank you.
    Chairman Lieberman. Thanks, Senator Carper. Thanks to 
Senator McCain and Senator Burris for being here.
    We will go to our first witness, Philip Reitinger, Deputy 
Under Secretary of the National Protection and Programs 
Directorate, and Director of the National Cybersecurity Center 
at the Department of Homeland Security. Mr. Reitinger's coming 
to the Department is part, I think, of a really full open-
throttle attempt to dramatically upgrade the Department's 
capacity for cyber defense. He has a remarkably diverse 
background in both the private sector and government, which 
includes working at both Microsoft and the Department of 
Justice, though not at the same time.
    Mr. Reitinger. Thank you, sir. You left off the Department 
of Defense as well.
    Chairman Lieberman. Sure.
    Anyway, Mr. Reitinger, I am glad to see you again, and we 
welcome your testimony now.

   TESTIMONY OF PHILIP REITINGER,\1\ DEPUTY UNDER SECRETARY, 
 NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT 
                      OF HOMELAND SECURITY

    Mr. Reitinger. Chairman Lieberman, Ranking Member Collins, 
and Members of the Committee, it is indeed an honor to appear 
before you today to talk about the security of cyberspace and 
this Committee's Protecting Cyberspace as a National Asset Act.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Reitinger appears in the Appendix 
on page 72.
---------------------------------------------------------------------------
    As you point out Mr. Chairman, the President has described 
our networks as a strategic national asset. And as the Ranking 
Member pointed out, those networks are under an increasing 
threat and increasing risk of harm every day. The attackers 
range in skill from state-sponsored attackers down to low-level 
criminal hackers. And the fundamental insecurity of our 
ecosystem means not just our information is at risk, but the 
information infrastructure that provides us critical services 
is also at risk, as the Committee Members point out: Power, 
financial services, transportation, and other key parts of our 
infrastructure. That means it is incumbent upon all of us--
across the government, the State, local, tribal, and 
territorial governments, and the private sector--to treat this 
as a real national security and homeland security emergency. We 
must respond to deal with the increasing threat.
    The prior Administration began a good start in this space 
with the Comprehensive National Cybersecurity Initiative, which 
President Obama furthered with the Cyberspace Policy Review. 
We, in DHS, are similarly recognizing our responsibility. We 
are the lead for working to protect Federal civilian systems 
and working to protect private sector and State, local, tribal, 
and territorial government systems and helping them to bolster 
their cyber security.
    A key moment happened in February of this year which 
escaped a lot of people's notice. The Department of Homeland 
Security released, after interagency review, the first ever 
Quadrennial Homeland Security Review, which was released, 
interestingly, on the same day as the Quadrennial Defense 
Review. And I would urge everyone who has not to read the cyber 
sections of those two documents because they are parallel. The 
Department of Defense (DOD) recognizes its increasing need to 
be involved and treat cyber security as a growing mission set. 
And the entire homeland security enterprise--and that is 
broader than just the Department of Homeland Security. It 
includes the private sector. It includes multiple other 
government agencies and State, local, tribal, and territorial 
governments. It treated cyberspace and the security of 
cyberspace as a top five mission area of that enterprise, on a 
par with protecting the borders and ensuring domestic security. 
So we are well on the way towards treating this as a national 
and homeland security event.
    In that line, we have had significant outcomes over the 
course of the past year that demonstrate our intent to move 
forward. I am a firm believer that, in government or the 
private sector, organizations succeed or fail based on the 
people who are doing the work. If you have the right people, 
technology does not matter too much. And if you do not have the 
right people, then technology does not matter too much.
    There was a great core of people at the Department of 
Homeland Security when I arrived, and we have been expanding 
that as rapidly as possible. During the course of the last 
fiscal year, fiscal year 2009, we increased the people who do 
cyber security in the Office of Cybersecurity and 
Communications from 35 to 118. And in the course of this fiscal 
year, we are trying to more than double it again.
    We are rapidly deploying EINSTEIN 2 on the technical side. 
We are ahead of schedule. It is deployed and operational at 11 
of 19 agencies where it is to be deployed, and at four Internet 
service providers it is deployed, and in one it is operational. 
Through those deployments, we are already discovering, apropos 
of the comments that the Ranking Member made before, more than 
278,000 indicators on average of potentially malicious activity 
per month.
    Finally, with regard to FISMA, the Administration is moving 
rapidly to recognize the criticisms that have been made of that 
regime in the past. In particular, a key focus in the 
Administration is moving away from annual paper reports and 
more towards continuous monitoring. What is the real security 
situation we are in? And apropos of where this Committee is 
intending to go, providing the operational responsibility to 
manage that effort to the Department of Homeland Security.
    Turning finally to the bill, I regret I am not able at this 
time to state an Administration position on the bill which was 
introduced last week. That said, DHS looks forward greatly to 
continuing to work with the Committee on strengthening the 
Department's ability to accomplish its cyber security mission. 
I particularly welcome this Committee's and the sponsors' 
support for the DHS mission, its support for allowing DHS' 
effort to maximize its hiring flexibilities, and the continuing 
and clear support in the bill for privacy and civil liberties, 
which we believe are fundamental to cyber security.
    With regard to authorities, we believe the continued 
examination of authorities for both DHS and in emergencies is 
called for to see what can be done under existing authorities 
and what changes may be necessary.
    Finally, I would state that with regard to organization, it 
is the Department of Homeland Security's view that our 
preference is to keep physical and cyber security tightly co-
joined. We believe that it will enable us to work more 
effectively with the private sector to manage risk, give us--to 
the extent one wants to influence the private sector, which is 
important--more levers to pull, and allow us to continue to 
work with the private sector in an all-hazards way on instant 
response.
    Mr. Chairman, Ranking Member Collins, Members of the 
Committee, thank you again for the opportunity to testify, and 
I would be more than pleased to answer any questions you may 
have.
    Chairman Lieberman. Thanks, Mr. Reitinger. I appreciate the 
fact that though there is not an official position of the 
Administration on the bill, you are giving your own welcome and 
warm response, particularly of the role given to the 
Department. Is that right?
    Mr. Reitinger. We certainly welcome the support for the DHS 
mission space, sir, and the clear delineation of roles and 
responsibilities, absolutely.
    Chairman Lieberman. Fine. Let me just start out, and we 
will do 7-minute rounds. Let me ask first, if somebody comes up 
to you and says, ``Is all this business about cyber security 
for real? In other words, are we really under threat from non-
state actors, other states, or terrorist groups? Can they 
really do as much damage as a conventional attack?'' What do 
you say?
    Mr. Reitinger. Sir, the threat is clearly real. I often 
say--in fact, I said yesterday when I was in Miami at the Forum 
of Instant Response Teams event--that if you really want to 
secure your computer, it is best to turn it off, disconnect it 
from the Internet, and if you really want to be secure, do not 
allow any person to get near it, open up the cover, pull out 
the hard drive, and hit it with a hammer until it no longer can 
be read.
    The current state of the technology simply does not allow 
for foolproof security. Instead, we are in risk management. And 
right now we have a long way to go to be able to as effectively 
manage risk as we need to.
    We depend on these companies not just to see a silly video 
on the Internet or even to write a document to pass up the 
chain of command. We depend on them for power, for food, and 
for transportation. Those systems are insecure in many ways, 
and we simply do not live in a sustainable environment right 
now. The system is fundamentally insecure and needs to change.
    Chairman Lieberman. So the capacity to attack in cyberspace 
or intrude or exploit is, therefore, much greater than the 
capacity to defend against such attacks?
    Mr. Reitinger. Yes, sir.
    Chairman Lieberman. I do not want to carry you too far into 
a parade of horribles, but is it really possible that a cyber 
attack on, for instance, private infrastructure could cause 
damage comparable to a conventional military attack on our 
homeland?
    Mr. Reitinger. Sir, I think it is hard to know the full 
scope of damage. I think it is possible damage. It is certainly 
likely that significant economic damage could be undertaken. If 
a cyber attack, for example, destabilized people's trust in the 
financial system, one would see untold economic costs to this 
country. And physical attacks are possible, and we need to 
advance the state of science and the art of the possible to 
know what the full scope of risk is. In any event, we need to 
prepare now as if it were possible.
    Chairman Lieberman. Yes. Let us talk about what we can do 
to better defend, and let me ask you to compare or respond to 
some alternative suggestions to the one that we have included 
in our bill. There are proposals moving around different 
sections of Congress that would have the Department of Defense 
or the intelligence community take the lead on protecting the 
Federal civilian networks. Obviously, DOD is responsible for 
the defense networks now, and, of course, our bill respects 
that totally. But there are these proposals saying DOD or the 
intelligence community should take the lead in protecting 
Federal civilian networks as well as those of private critical 
infrastructure.
    From your point of view, what is the argument for why the 
Department of Homeland Security, as opposed to those other 
agencies, should have that responsibility?
    Mr. Reitinger. Sir, the Department of Homeland Security has 
been given the responsibility for helping to protect the dot-
gov, the civilian government systems, and working with the 
private sector under both the prior Administration and this 
Administration. It is what we do, it is our role, and that is 
appropriate.
    Every agency brings its own capabilities to bear, and I by 
no means wish to undercut the key role of the Department of 
Defense or the expertise it brings to bear. This Nation has 
spent significant dollars over a long period of time to develop 
technical capabilities in the Department of Defense, which the 
Department of Homeland Security can and does leverage in its 
role of working with the private sector and protecting civilian 
government systems. We leverage and synchronize the 
capabilities of the Department of Defense in significant 
amounts of the work that we do, and we coordinate with them 
fully and partner with them across the Federal Government 
enterprise.
    DHS has in its own space developed its own capabilities. We 
have built as a part of the National Infrastructure Protection 
Plan the partnership framework under which we work with the 
private sector. We have built the capability to deploy teams to 
work in particular private sector environments and provide 
support. We have built the ability to help control systems' 
vendors and those who deploy control systems to respond to 
cyber events and to help secure their systems.
    By working together and each playing our positions and 
bringing our capabilities to bear, one team, one fight, we can 
be most effective across government.
    Chairman Lieberman. Do you have particular concerns, for 
instance, about DOD or the intelligence community taking over 
nondefense civilian government networks or private 
infrastructure? I know some people have been concerned about 
privacy or civil liberties in that case.
    Mr. Reitinger. Sir, I believe both General Alexander, the 
Director of the National Security Agency (NSA), and now the 
head of Cyber Command, and other individuals from DOD have been 
clear over time that protection of the civilian government 
space and working with the private sector is the mission space 
of the Department of Homeland Security, that they are intent to 
support. And I believe they will do that, and we will work 
effectively together.
    Chairman Lieberman. Let me ask you one last question. I 
believe that DHS is the right place for this authority to be. I 
am also encouraged because I think you bring a lot to the 
position you are in now. Personnel are really key in this, and 
our bill respects that by creating flexibility in hiring for 
the new section that we are creating and beefing up in DHS. So 
I want to ask you to respond to those suggestions in our bill 
and whether you think they are important and whether you think 
they are adequate.
    Mr. Reitinger. Sir, I cannot comment on the specific 
provisions in the bill because the Administration is still 
reviewing it, but I can say that hiring flexibility is very 
important to the Department of Homeland Security, in particular 
in the cyber security area.
    Chairman Lieberman. And this really means being able to pay 
people more than the normal pay scale in Federal service 
because that is what you have to do to get the best people. Is 
that right?
    Mr. Reitinger. It means paying more in particular cases. It 
means having the flexibilities to be able to hire people 
rapidly. As you can imagine, there are far too few cyber 
security experts in our country. And, indeed, one of the long-
term things we need to accomplish is enhancing our educational 
system so that there are more such people available to go to 
the private sector and the government.
    But now we are in a space where we are competing 
substantially with private industry that can pay a lot more. We 
succeed by, first of all, giving those individuals a chance to 
really make a difference, to tell them that we have a critical 
mission, and you as a patriot can help your country; second, by 
giving them the ability and capability to actually make a 
difference; and, third, by asking them not to make too many 
sacrifices. We are very clear. If you come to work for the 
government, indeed, any part of the government, you are going 
to make a sacrifice if you are in cyber security because you 
are not going to make what you could in the private sector. But 
if we can bring them on more rapidly and pay them something 
comparable to what they would get in the private sector, they 
will do that to help protect their country.
    Chairman Lieberman. Thank you. Senator Collins.
    Senator Collins. Thank you.
    I was struck in your written testimony by the 
Administration's continued reliance on Section 706 of the 
Communications Act as the basis for emergency authority in the 
event of a cyber attack. In fact, while your testimony is a 
little bit unclear on this point, you seem to be opposing the 
attempt that we have in our bill to lay out the authorities of 
the President, and instead you are pointing back to this Act.
    I would point out that authority was passed in January 
1942. It was passed a month after the attack by the Japanese on 
Pearl Harbor--obviously, a very different time and long before 
the Internet was even conceived of.
    In light of the current nature of our communications 
infrastructure, the Communications Act grants very broad 
authority to the President, but it is authority that can only 
be exercised when a certain threshold is met, and that is the 
state of war or the threat of war. It is wholly lacking in the 
kinds of flexibility to respond to a serious attack targeting 
some of our most critical infrastructure that may fall below 
that threshold.
    Is it clear, based on legal research DHS has done, the 
opinions of the Federal Communications Commission, or some 
court decision, that the authority of Section 706 could be used 
to respond to an attack on our critical infrastructure that 
does not rise to the level of the state of war or the threat of 
war?
    Mr. Reitinger. So, ma'am, let me first begin by saying 
while Section 706 is one authority and, as you point out, a 
hoary one that inures to the President of the United States, 
there are other legal authorities the President could bring to 
bear. Your point I think is well taken, though, that those 
authorities, for the most part, are older or not specifically 
designed for this case.
    That said, the Administration's position is to prefer to 
see if those authorities could be aligned in a way that would 
allow the need to be met, and if movement goes forward, to do 
so in a way that would be minimally disruptive. I would say 
that there are a lot of legal questions that have not been 
answered. The Cyberspace Policy Review identified a significant 
number of them. We and the Administration, I think, would be 
happy to work with this Committee to make sure that the 
authorities that are necessary to meet the coming need are 
present to the Department of Homeland Security or the President 
of the United States in an appropriate emergency.
    Senator Collins. Well, shouldn't we be carefully defining 
what authority the President has? Our bill has far more 
targeted authority to respond to a cyber emergency, but that 
authority is limited both in duration and scope. It requires 
notice to Congress. It does not authorize the President to take 
over networks. It allows the private sector to propose 
alternative means of achieving the goal.
    Shouldn't we be spelling out exactly what the President's 
authority is short of a state of war?
    Mr. Reitinger. Ma'am, I apologize that I cannot take a 
position on the bill at this time, but I do appreciate the 
effort that the Committee made to tailor the authorities so 
they are focused on the expected need.
    Senator Collins. I will take that as a yes. [Laughter.]
    I would say--and I am not trying to put you in an 
uncomfortable spot, but as you know, we have been working with 
the Department on this issue for more than a year, and I just 
do not understand why the Department is not further along in 
its thinking on what should be done. And that is one reason why 
the three of us proceeded with a bill. We cannot wait. Those 
hackers are not waiting. The 1.8 billion attacks per month are 
occurring now.
    So I guess I would ask you to take a look at those 
provisions of the bill. They are carefully circumscribed and 
yet aggressive enough, and they reflect the reality. Relying on 
a law passed in World War II is just foolhardy. It is out of 
date.
    Let me switch to another issue. Tomorrow the DHS Inspector 
General will release a report that the Chairman referred to 
that will say that the U.S. Computer Emergency Readiness Team 
(US-CERT) program, which is charged with monitoring the 
security of civilian cyber networks, does not have the 
enforcement authority that it needs to ensure that agencies 
comply with its recommendations and mitigation guidance. It 
also notes that US-CERT does not have the authority to compel 
agencies to deploy technology for determining in real time if a 
cyber attack is taking place.
    Our bill would correct those problems. We would enhance the 
authorities of US-CERT and create a stronger cyber center 
within DHS, including providing the center with the authority 
to enforce compliance with its cyber security directives.
    Do you agree that the Department needs additional 
authorities to enforce security policies for civilian Federal 
networks?
    Mr. Reitinger. Ma'am, as your question points out, the 
Department does have broad authority within the civilian 
government space to set requirements for other agencies to 
meet. The Department does not have direct enforcement authority 
over those departments and agencies, which has raised issues in 
particular cases, for example, in Conficker, where we had 
difficulty in obtaining responses regarding the scope of the 
issue for different departments and agencies.
    So we have, I think, strong authorities right now in terms 
of setting requirements. In terms of enforcement, we have the 
commitment, I think, from both the cyber security coordinator 
at the White House and the Office of Management and Budget 
(OMB) to work with us when agencies have difficulty in 
responding to our requirements. And they may do so for a number 
of valid reasons, including they themselves have limited 
resources and ability to respond because they are, in fact, 
just barely able to keep the attackers at bay. We will work 
through the White House in order to make sure that there is as 
full compliance as possible.
    Senator Collins. Well, it is evident to me that the 
Department needs more teeth in its directives, or agencies are 
going to feel free to ignore them, and that is one of the 
problems we are trying to rectify. Thank you, Mr. Chairman.
    Chairman Lieberman. Thanks very much, Senator Collins.
    I just want to endorse both lines of the Senator's 
questioning, but particularly the first one about the need for 
a clear statement of the authority of the President in the case 
of a national emergency regarding cyber networks, because I 
think the old Telecommunications Act does not do it. It is at 
best unclear. And, of course, in a crisis I would hate to have 
lawyers arguing in front of the President about what the right 
thing to do is as we are about to be attacked in cyberspace. If 
there is an attack on our electric grid, I do not see in the 
old telecommunications law the power in the President, or 
anybody, for instance, to order that a patch be put on some 
part of the grid to protect it. So I hope you will take a good 
look at that and agree when you do that we need new clearly 
stated authority.
    Senator Carper.
    Senator Carper. Thanks, Mr. Chairman.
    Mr. Reitinger, welcome. Good to see you. Thank you for your 
testimony and for your service on many fronts.
    You may have said this and I missed it, but I can 
appreciate why the Administration may not have a position on 
this legislation today. Did you say when you expect to have 
that kind of position--or establish a position?
    You said later or tomorrow? Is that what you said?
    Mr. Reitinger. Predictions about the vagaries of the 
interagency process are beyond my cognitive skills. I would 
hesitate to venture a guess, but it is of importance to us and 
the Administration, and we will be focusing on the bill.
    Senator Carper. All right. The old saying goes something 
like this: ``The best defense is a good offense.'' And we are 
talking a lot here today and have been talking for several 
years about how to play good defense. Talk to us about how we 
might play better offense.
    Mr. Reitinger. Sir, offense is mostly outside my realm of 
responsibility now. I am in a part of the U.S. Government that 
plays defense.
    What I can say is that particularly with regard--if you 
count law enforcement investigations as part of offense, we do 
need to have the right deterrence structure, and so we partner 
very closely with our friends in the Federal Bureau of 
Investigation (FBI) and the Secret Service to make sure that we 
bring the necessary capabilities to bear, that we liaise with 
them so that they are able to work as a part of a cross-
government partnership. But we are, within the parts of DHS 
that report to me, very focused on playing defense, and that is 
our area of responsibility.
    Senator Carper. Whose job is it to play offense on our 
team?
    Mr. Reitinger. Well, generally it would depend on what the 
role would be, sir. I am not necessarily in a position to say 
who does what different pieces, but the overall 
responsibilities roll up to the White House.
    Senator Carper. All right. A month or so ago, I believe, we 
met with you and some of your colleagues to discuss the role of 
the Department in securing our Nation from cyber attacks. In 
addition, we discussed whether or not the Department needed to 
be internally reorganized to more effectively prevent and 
defend against both physical and against cyber attacks. In your 
written testimony today, you mentioned that you believe the 
Department should have an all-hazards approach to security. I 
have a couple of questions that flow from that.
    Do you believe our bill reorganizes the Department of 
Homeland Security in a way to better handle both cyber and 
physical attacks? And a second half to the question is: Do you 
think there will be any unintended consequences by splitting 
cyber and physical security responsibilities into two entities?
    Mr. Reitinger. Sir, I would say that I appreciate the 
effort the Committee made to ensure coordination between 
physical and cyber by including a deputy for physical 
infrastructure protection within the NCCC, if I could use that 
acronym. However, I do believe that DHS will be more effective 
if we keep physical infrastructure protection and cyber 
infrastructure protection co-joined.
    We are, as we move forward, increasingly finding ways that 
those sub-components, can work together even more effectively. 
For example, when we do assessment work for our critical 
infrastructure facilities, doing physical and cyber 
infrastructure assessments at the same time by working to build 
out our all-hazards response capability. We have already 
collocated our cyber watch centers in the National 
Cybersecurity and Communications Integration Center, and we are 
thinking through the extent to which we should better merge 
those with our National Infrastructure Coordinating Center, 
which coordinates a lot of physical response activities, 
because the private sector speaks the language of all hazards. 
They worry about risk, as a telecommunications company would 
say, whether it is from a cyber attack or a backhoe.
    We, in government, need to step to that and speak their 
same language. If we want to influence how they behave in an 
all-hazards way, in a risk-based way, and if something bad 
happens, physical or cyber, to be able to address it 
seamlessly.
    Senator Carper. All right. I have one more question. I 
chair a subcommittee of the Committee on Environment and Public 
Works that deals with nuclear safety. We have about 104 nuclear 
power plants, as you may know, and the nuclear industry and the 
Nuclear Regulatory Commission (NRC) which regulates that 
industry use force-on-force exercises where good guys act like 
bad guys and they test whether or not our 104 nuclear power 
plants are prepared for an assault from a force of truly bad 
guys. This is also known as offense informing the defense.
    It is widely recognized that the National Security Agency 
has developed the most sophisticated capabilities in the world 
to exploit other groups' sensitive networks. This knowledge and 
experience of the offense has allowed the NSA to develop better 
defenses to protect their own systems and networks. I included 
provisions in our cyber bill to help the Department of Homeland 
Security also to do this.
    What is the Department doing now to better enhance the 
defenses of the Federal Government using the NSA model?
    Mr. Reitinger. I guess I would answer that in two parts, 
sir. To begin with, we rely on NSA technical assistance and we 
leverage their capabilities. So we look strongly at the 
capabilities they have developed as we move forward with 
technical approaches to decide what the best approach to 
protecting dot-gov is. That is the general answer.
    The more specific answer is with regard to the activities 
you talk about, such as red teaming and blue teaming. I would 
say we have yet to fully develop the capability to be able to 
execute on that. The ability to do that sort of red teaming and 
blue teaming activity is included in our fiscal year 2011 
budget, and we will fully coordinate with and rely on the 
capabilities and the expertise that NSA has developed in doing 
that.
    I have specifically spoken to Tony Sager at NSA who is a 
nationwide expert in the cyber defense part of NSA, and we will 
fully rely on what they can bring to bear as we develop our own 
capabilities to execute a similar strategy within the dot-gov 
space.
    Senator Carper. My time has expired. Thank you very much.
    Mr. Reitinger. Thank you.
    Chairman Lieberman. Thank you, Senator Carper. Senator 
McCain.

              OPENING STATEMENT OF SENATOR MCCAIN

    Senator McCain. Thank you, Mr. Chairman, and I thank you 
and Senator Collins for your hard work on this comprehensive 
legislation.
    Mr. Reitinger, besides the fact that you work there, why 
should the Department of Homeland Security be the lead agency?
    Mr. Reitinger. For defending government and the private 
sector? Because we are ideally positioned to do it, sir, 
because it is a part of homeland security, because we can and 
will partner with the Department of Defense and other key 
government agencies to bring all national capabilities to bear, 
including leveraging the capabilities of the Department of 
Defense, and because we can provide the transparency and 
accountability that the American people expect in full 
partnership with other government agencies.
    Senator McCain. What does ``full partnership'' mean, Mr. 
Reitinger? Somebody has to lead. ``Full partnership'' means 
equality, so let us be careful with our verbiage here. Do you 
think that we have already been the victim of cyber attacks?
    Mr. Reitinger. Yes, sir.
    Senator McCain. Do you think we are basically in a cyber 
war right now?
    Mr. Reitinger. Sir, I hesitate to use----
    Senator McCain. Cyber conflict?
    Mr. Reitinger. Sir, we live in a very threatening cyber 
environment, yes.
    Senator McCain. Who is our greatest attacker, most 
significant attackers?
    Mr. Reitinger. Sir, I would prefer to address that more in 
closed session, but the scope of attackers runs the spectrum 
from low-level criminal hackers to the most significant 
adversaries.
    Senator McCain. Russia mobilized a very effective cyber 
attack against Georgia prior to their invasion by conventional 
forces. Isn't that correct?
    Mr. Reitinger. Sir, there was a significant attack against 
Georgia. Yes, sir.
    Senator McCain. And there has been one against Estonia?
    Mr. Reitinger. Estonia suffered a significant attack as 
well.
    Senator McCain. And do we know where that came from, from 
Russia?
    Mr. Reitinger. Sir, I am not prepared to attribute that 
activity on the record.
    Senator McCain. Every media in America is, but you cannot.
    Mr. Reitinger. Sir, from our perspective, if I could, sir--
and I do not mean to be flippant.
    Senator McCain. You are not flippant. You are just not 
forthcoming.
    Mr. Reitinger. I apologize, sir.
    Senator McCain. That is all right.
    Mr. Reitinger. For us in the Department of Homeland 
Security and for the people that work for me and with me, we 
approach these events to cover the spectrum of threats. 
Certainly the attackers run the gamut from Nation states down 
to criminal hackers and everything in between--organized 
criminal groups, organized hacker groups--and we need to bring 
the right protections to bear to enable us to protect against 
that full spectrum of threats.
    And ``full partnership,'' sir means that we are involved in 
helping to secure government systems. We do not secure the 
Department of Defense systems or the intelligence community 
systems. We do not engage in international cyber conflict. We 
instead work to fulfill our role and enable entities like the 
Department of Defense to fulfill theirs. And I think that the 
Department of Defense would say the same thing about us.
    Senator McCain. But obviously the Department of Defense 
would be probably the area we would most want to protect over 
any other if we had to prioritize.
    Mr. Reitinger. The Department of Defense is a key entity to 
protect, sir, as are other parts of government and key parts of 
the private sector that provide essential services, such as the 
power grid and our financial services system.
    Senator McCain. Well, Mr. Chairman, I notice that there are 
different bills going through different committees--the Senate 
Armed Services Committee, the House Armed Services Committee, 
the Commerce Committee, and the Foreign Relations Committee. At 
some point I would suggest we are going to have to consolidate 
or discuss or come to some kind of agreement rather than have a 
number of competing pieces of legislation here.
    I have to say, after the Department of Homeland Security's 
handling of the Christmas bomber and other activities, I am not 
confident that DHS, at this particular time, is the proper 
bureaucracy to work in partnership with the Department of 
Defense.
    I thank you, Mr. Chairman.
    Chairman Lieberman. Thanks, Senator McCain. We will 
continue to try to convince you that DHS can do it, and Senator 
Collins and I agree that--we hate to attribute blame, but the 
State Department made the more consequential errors, 
unfortunately, leading up to the Christmas Day bombing. So we 
will continue to work on that.
    Senator McCain. Thank you, and I thank the witness.
    Chairman Lieberman. Incidentally, you are absolutely right. 
There are bills on this subject that are moving through various 
committees. There is none quite--well, I should not say that. 
Senator Snowe and Senator Rockefeller have introduced a bill in 
the Commerce Committee that is comprehensive. We think ours is 
more comprehensive, but the other bills in the Armed Services 
and Judiciary Committees go to points of this. I know the 
Majority Leader intends for there to be a blending of these 
bills into one bill that comes to the floor.
    Senator Burris.

              OPENING STATEMENT OF SENATOR BURRIS

    Senator Burris. Thank you, Mr. Chairman.
    Mr. Reitinger, I understand that you cannot comment on the 
legislation, and some of the questions that Senator McCain just 
raised or some of the points that are going through my mind in 
terms of the current status. What is the current status of our 
protection of cyber piracy within our financial system, our 
military system,and our power grid? What is your current 
assessment of the cyber activity today?
    Mr. Reitinger. Sir, I would say, although this may be an 
unsatisfying answer, it varies greatly. Through all the 
infrastructures you mentioned and government agencies you 
mentioned, the level of defenses vary considerably. There are 
parts of the government, such as the Department of Defense and 
other agencies, that are very well protected. There are other 
agencies that have more areas of growth.
    There are sectors and components of sectors in places like 
the financial sector or the energy sector that do very well and 
others that have a lot of work to do. That is, I think, one of 
the concerns because sometimes cyber security is only as strong 
as its weakest link and the interdependencies are very great.
    Senator Burris. Do we currently have authority to protect 
our financial system? Can Homeland Security deal with the 
hundreds of billions of dollars that is being stolen from the 
financial arena today which they do not even report?
    Mr. Reitinger. Sir, there are certainly authorities in that 
space. There are a number of law enforcement authorities that 
would allow investigation and prosecution of those who commit--
--
    Senator Burris. Does Homeland Security have any input in 
that today?
    Mr. Reitinger. Yes, through the Secret Service, sir.
    Senator Burris. So the Secret Service has the cyber 
authority.
    Mr. Reitinger. The Secret Service has the investigative 
authority along with the FBI for those types of crimes, yes, 
sir.
    Senator Burris. So you do not have that authority?
    Mr. Reitinger. Not within the parts of Homeland Security 
that report up to me, no, sir.
    Senator Burris. OK.
    Mr. Reitinger. Our authority, sir, with regard to the 
private sector is that of coordination. We can raise awareness. 
We have capabilities that could help them.
    Senator Burris. I do not give too much credence to all our 
TV programs, but ``60 Minutes'' just the other day ran a 
segment on cyber terrorism. Are you familiar with that 
information that came out to the public recently?
    Mr. Reitinger. I am familiar with some of the things the 
program said, sir.
    Senator Burris. Sir, are you familiar with the ``60 
Minutes'' program? It is a simple yes or no answer.
    Mr. Reitinger. Yes, sir, I am familiar with ``60 Minutes'' 
generally.
    Senator Burris. No, the program.
    Mr. Reitinger. No, sir, I am not.
    Senator Burris. Thank you. It took us 2 seconds to say no. 
Do not be so defensive.
    What we have here, Mr. Reitinger, is a concern of public 
confidence in our system, and what I would assume is that there 
are entities out there that are seeking to enrich themselves, 
but also to break the confidence of the public. So there is a 
public factor to this if Americans feel that we are not secure. 
I want to ask you whether or not you think we can protect our 
systems?
    Mr. Reitinger. Completely, sir? No. Substantially, we can 
take action and respond to attacks when they occur, and we are 
continuing to enhance our ability to do that. But completely 
protect and prevent----
    Senator Burris. What is your timetable on that? Because as 
I understand the ``60 Minutes'' report, we are losing data 
every day. They are right now from this report sitting in the 
Pentagon on our military computers, little types of information 
that can now direct those systems that we might not even be 
able to control. Are we dealing with anything like that? Are 
you familiar?
    Mr. Reitinger. Sir, we are moving forward very rapidly. As 
I mentioned, we are rolling out the EINSTEIN 2 intrusion 
detection system. That is deployed to 12 of 19 departments and 
agencies where it will be deployed, and it will be deployed to 
all 19, we forecast, by the end of the fiscal year, so by the 
end of September.
    In terms of when compromises take place, pursuant to the 
President's Cyberspace Policy Review, we are developing a 
national cyber instant response plan process. That is nearing 
substantial completion. It will be vetted, and it is going to 
be tested in September of this year. There are other efforts on 
a longer timeline and other efforts on a short timeline. So we 
have significant efforts going across the ecosystem.
    For example, you talk about the financial services sector, 
sir. We are right now piloting an activity in partnership with 
the Department of Defense and the financial services sector 
through their Information Sharing and Analysis Center, a body 
they voluntarily formed, where we share threat information with 
them now on an unclassified level, going forward on a 
classified level, where they also share information through the 
financial services Information Sharing and Analysis Center back 
with us and each other. So that is building a much better 
understanding of the threat and what entities need to do to 
respond to it in that sector.
    So there are a number of different efforts we are moving, 
sir.
    Senator Burris. I just wonder what we are doing to other 
countries with our system. I just hope that we also have cyber 
piracy going on to counteract the cyber piracy that is coming 
against us. And in your layman's opinion--not your professional 
opinion--would you say that we have some going on?
    Mr. Reitinger. Sir, I cannot comment on that. I apologize.
    Senator Burris. Thank you, Mr. Chairman. I have to end my 
questioning.
    Chairman Lieberman. Thanks, Senator Burris.
    If I may offer an opinion, not being a member of the 
Administration, my own impression, let us put it that way, is 
that the U.S. Government has a very well developed cyber 
offensive capacity if it becomes necessary to use that to 
protect our security, and that should be comforting to the 
American people. But I do want to come back and underline 
something Secretary Reitinger said, which is the capacity of 
those who would attack us is much greater right now than our 
capacity to defend against those attacks. And we are closing 
that gap. But this legislation and the resources that the 
Administration is putting behind this are aimed at eliminating 
the gap. So it is with that intention that we go forward.
    I want to indicate--you may have heard this already--that 
Senator Collins and I are going to take this bill to a 
Committee markup next week, so we really want to move this out. 
And in that regard, I urge you to do everything you can--
although I know a lot of this ultimately will be in OMB--to 
have an Administration position developed on this legislation 
and the other legislation.
    Senator Harry Reid has been very clear, at least to me, 
that he really wants to pass a cyber security act this year, so 
I hope you will be authorized soon to get more explicitly into 
the debate.
    Mr. Reitinger. Thank you, sir.
    Chairman Lieberman. Thank you. Thanks for your testimony.
    We will call the second panel, beginning with Fran 
Townsend. It must give you real pleasure to be out of Federal 
service as you hear me talk about the need for approval from 
OMB.
    Ms. Townsend. Exactly.
    Chairman Lieberman. On the second panel, we are very 
pleased to begin with Fran Townsend while you are getting 
seated. She is now the Chairwoman of the Board of the 
Intelligence and National Security Alliance, a former Homeland 
Security Advisor to President George W. Bush, and a star of 
screen, if not yet stage. Welcome.

  TESTIMONY OF FRANCES FRAGOS TOWNSEND,\1\ CHAIRWOMAN OF THE 
       BOARD, INTELLIGENCE AND NATIONAL SECURITY ALLIANCE

    Ms. Townsend. Well, thank you, Mr. Chairman, for that 
introduction. It is really a privilege to be back with you and 
Ranking Member Senator Collins. Thank you very much for your 
invitation to testify at this hearing and to offer my thoughts 
on the Protecting Cyberspace as a National Asset Act of 2010.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Townsend appears in the Appendix 
on page 80.
---------------------------------------------------------------------------
    I am here today in my role, as you noted, as Chairwoman of 
the Board of the Intelligence and National Security Alliance 
(INSA). It is a premier not-for-profit private sector 
professional organization providing a structure and interactive 
forum for thought leadership, the sharing of ideas, and 
networking within the intelligence and national security 
communities. INSA has over 100 corporate members as well as 
several hundred individual members who are leaders within the 
government, private sector, and academia. And as I think you 
are aware, INSA prepared and submitted my statement for the 
record while I was out of the country. I arrived home 
yesterday. So I will also add a few of my personal observations 
before I close.
    Through its Cyber Security Council, INSA has emphasized the 
importance of creating a strong public-private partnerships 
that can provide meaningful recommendations to address the 
national and economic security threat today. I would like to 
specifically speak to the importance of establishing a public-
private partnership to promote national cyber security 
priorities, strengthen and clarify authorities regarding the 
protection of Federal civilian systems, and improve national 
cyber security defenses.
    Collective national cyber security can only be effectively 
addressed through a partnership approach between the government 
and private industry. While the government has the legal 
authority required to organize markets, enforce laws, and 
protect citizens' privacy and property, the vast majority of 
cyberspace infrastructure, as you all noted, is privately owned 
and operated. And as a result, industry is where most of the 
expertise in the fields of IT and cyber security reside. 
Because of this, a partnership is really the only way forward.
    INSA's Cyber Security Council studied several different 
models of public-private partnerships during the preparation 
and research for its November 2009 report entitled ``Addressing 
Cyber Security Through Public-Private Partnership.'' 
Historically, effective public-private partnerships have 
inclusive private sector membership, unified in the pursuit of 
common goals, a single responsible and accountable government 
partner organization, and clearly delineated roles for both 
public and private entities. We are very pleased to see these 
concerns and this organizational structure reflected in the 
legislation we are here discussing today. This bill not only 
establishes a clearly responsible center for the problem, but 
requires a private sector advisory council to advise the center 
on their actions' effects on industry.
    Assuring that private sector concerns are heard within 
government is an important first step to the creation of a 
public-private partnership, but this alone is not sufficient to 
guarantee success. INSA's Cyber Security Council has identified 
three additional components, specific to a public-private 
partnership on cyber security, which would be required for a 
successful effort: First, a flexible or incentivized approach 
to regulation; second, robust information sharing and 
cooperation; and, last, communication on standards and best 
practices.
    In the interest of time, I will not go through each of 
those and would ask that you refer to my statement for the 
record which we earlier submitted.
    In terms of my personal observations, all of which are 
addressed by the legislation, but I think based on my own 
experience, knowing that this will go to a negotiated process 
in the Senate, I think it is worth underscoring their 
importance.
    I support the creation of a National Center for 
Cybersecurity within DHS because of their abilities uniquely to 
address privacy and civil liberties concerns that affect all 
Americans. Because of their necessary reliance on the Internet 
for our personal lives, I think that their ability to address 
those concerns will be critically important in ensuring public 
support for such a center. But I want to be clear that in my 
judgment to be effective, wherever such a center is, in fact, 
housed, it must have several key ingredients to be successful. 
And, again, these are all contemplated by your bill.
    First, interagency and cross-government capability, both 
vertical down to the State and local level and up to the 
Federal Government, and across the Federal Government as well 
as including the private sector. As Senator Collins noted, 
NCTC, which is effectively in the Office of the Director of 
National Intelligence, is the best analogy, and the NCTC does 
report to the White House. And that is a model that ought to be 
preserved as stated in the bill.
    Second, budget and enforcement authority is really 
necessary. Money to implement any steps or affect Federal 
agency spending is a necessity, and authority to punish or call 
out across Federal agencies those departments that fail to meet 
basic standards is also a necessity.
    Personnel authority, adequate ability to hire and fire, is 
necessary to ensure a competent and experienced staff of 
professionals. While the current bill, as I noted, does 
contemplate these important steps, I worry about language such 
as develop a plan, coordinate, recommend, assess, and consult.
    I had the privilege of working with the Chairman and 
Ranking Member on the Intelligence Reform and Prevention of 
Terror Act, and while we were well intentioned and I believe 
that was a good and necessary bill, it is the bill which 
established the Director of National Intelligence. And while 
this was an important and necessary step, it has been referred 
to recently as ``organized to fail.'' I think what those 
critics would say is that the position lacks some of the 
necessary authorities that this bill contemplates and would 
most respectfully suggest that as this bill moves forward, it 
will be important for the people of the United States for our 
own national security to ensure that those sorts of authorities 
remain tied to the Director of the National Cyber Center.
    I believe that the private sector advisory council is very 
important and urge that, too, be implemented. I will say, 
however, since leaving government, I often hear from frustrated 
chief executive officers (CEOs) that the U.S. Government and 
DHS, in particular, have at times been both unresponsive and 
not engaged with them. We should look at existing mechanisms 
before creating new advisory councils. The President has the 
National Security Telecommunications Advisory Council (NSTAC), 
and the National Infrastructure Advisory Council (NIAC), which 
reports to the President through DHS. These exist now and must 
be used, but they need interaction and dialogue with the 
President of the United States, not just with the White House 
and agency staff.
    Third, as addressed in Section 251 of your bill, 
information sharing with the private sector must be a two-way 
street, and sensitive commercial data must be explicitly 
protected.
    Last, while the bill creates both the White House position 
and the DHS center, both positions are Senate-confirmed. And 
while I understand why that is so and I strongly support 
congressional oversight, I believe that the position in the 
White House must be left to the President's prerogative to 
decide how to adequately staff it and, thus, do not necessarily 
believe that the White House position should be Senate-
confirmed.
    I applaud the Committee's focus on this important issue and 
hope that this legislation as it proceeds will only be further 
strengthened and not diminished by compromise. The goal is to 
make a positive and meaningful contribution to the national 
security of the United States, and this bill goes a long way 
towards achieving that goal.
    I thank you and look forward to answering your questions.
    Chairman Lieberman. Thanks very much for that very helpful 
testimony.
    I do want to say at this point that we had intended to have 
Robert Jamison as a witness. He is President now of the Eline 
Group and former Under Secretary at the Department of Homeland 
Security during the Bush Administration, where he was the 
senior official on all cyber and communications operations. 
Unfortunately, he was not able to attend because of a family 
emergency, but his testimony, I think, is quite strong, and we 
have left copies of it on the tables for those who are 
interested.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Jamison appears in the Appendix 
on page 116.
---------------------------------------------------------------------------
    Next, we are pleased to have Alan Paller, Director of 
Research at the SANS Institute and former member of the 
National Infrastructure Assurance Council, widely recognized as 
an expert in cyber matters. We are glad to welcome you back to 
the Committee and look forward to your testimony now.

  TESTIMONY OF ALAN PALLER,\2\ DIRECTOR OF RESEARCH, THE SANS 
                           INSTITUTE

    Mr. Paller. Thank you, Mr. Chairman, Senator Collins, and 
Senator Carper. You made last Thursday a very good day for the 
people who had despaired the government would ever lead by 
example. So it was just a wonderful day that you made for us, 
and the bill that you put together actually solves sort of the 
main problems that had kept the government from doing the right 
thing. I will summarize a few of them.
---------------------------------------------------------------------------
    \2\ The prepared statement of Mr. Paller appears in the Appendix on 
page 84.
---------------------------------------------------------------------------
    Before I do that, part of the bill is this little thing 
called the cyber challenge, and Senator Carper has been just 
wonderful at helping it. But I wanted to come back to you, Mr. 
Chairman, because last August you met with a young man from 
Connecticut named Michael Coppola who, at 16 years old, beat 
all these adults in a major competition. He was moved by that. 
While he was in school, he was asked what were the courses that 
the high schools are not teaching that would have allowed the 
other students to do well. So we outlined the courses, and I 
said, ``That is good. Can you give us a syllabus?'' He said yes 
and he built a syllabus. And I said, ``That is good. Can you 
give us the exams that you would give to see if the people had 
learned it?'' And he did that with some friends.
    About that time, the State of California was getting ready 
for the California cyber camp. I heard your song on Thursday 
about the cyber camp. But they wanted to go to the high 
schools, and we went to the high schools, and none of the high 
school kids had ever seen cyber security. They did not know 
what to do with it. So they could not take the exam that the 
college kids were taking that was a real cyber security exam. 
So we took Mr. Coppala's exams, built a competition; 150 high 
school kids took it. They took hours and hours and hours out 
during the weeks they had AP exams, I mean, they were so 
excited about it. Governor Arnold Schwarzenegger personally 
came to give them--or he actually wrote the letters that 
recognized the winners of it. It was a very nice thing. So your 
16-year-old from the high school that does not even have a 
programming course did awfully well.
    Chairman Lieberman. That is great to hear. Thank you. I am 
proud of him. And he won a contest, as I recall.
    Mr. Paller. Yes, he beat a bunch of adults and other people 
in a King of the Hill cyber competition, a tough one.
    Chairman Lieberman. I am glad he is on our side.
    Mr. Paller. Exactly right.
    The most important parts of your bill are the ones that 
reduce our vulnerabilities because we have so much of our 
existence dependent on the Internet, we are much more 
vulnerable to an attack. Even if an attacker has lesser 
capabilities than we do, they could do much more damage to us 
because we are so dependent on it. We can take out other 
people's capabilities, but they are not hurt as much. So our 
ability to defend ourselves completely is actually the only 
first--and you do first things first. It is the only thing we 
have to do first. And what you did in the bill is you enabled 
that, and I want to tell you why--because I think there will be 
pushback, I would sort of like to give you why I think it 
worked.
    The White House office was controversial the last time, and 
I was so happy you went ahead and put it in the White House. 
And the reason has nothing to do with whether DHS can or if the 
White House is better. It has to do with this cross-agency 
action that nothing any one agency does ever moves another 
agency. It is not until somebody in the White House beats them 
about the head and face that they actually move. And so putting 
it back in the White House under a tough boss can actually make 
a difference. And you gave it the right authorities to do that.
    The reason is that we have this odd attitude about security 
where we get mad at people for not defending themselves well. 
So we talk about the government is not doing a good job of 
defending themselves. It is the wrong order.
    Remember, we train tens of thousands of people a year to 
defend things, so we know what they can and cannot do. You 
cannot defend yourself using the off-the-shelf tools that the 
vendors sell you. You cannot defend yourself using the networks 
that the internet service providers (ISPs) provide to you. You 
cannot. You can barely survive at that level.
    The only way to actually do the defense is a partnership 
between the users--think of them as automobile drivers--and the 
car manufacturers, the people who sell the IT services and 
software and the people who sell the IT online services, the 
ISPs. It is a partnership. They have to get better and the 
users have to get better. But it is cheaper for the vendors to 
say you users are bad drivers. We do not want to fix our cars 
because you guys do not drive well. It is the partnership. When 
the cars got safer and the people drove better, we actually had 
a lot fewer accidents on the road. That is what we have to do. 
But you cannot do that without procurement because none of 
those vendors will listen to any user except a very large user. 
So you need cross-agency buying, and the only way you are going 
to get cross-agency buying is with that White House office.
    So I am trying to put the pieces together. You cannot have 
procurement without that White House office because no one else 
has the power to pull the money together to make it spend 
together.
    The third one is the regulatory framework you put in. If we 
do not get that right, we have no defense on the civilian 
side--no recovery on the civilian side. I read this article 
about unintended consequences. The industry is saying there may 
be unintended consequences, and I had this immediate image of 
all the taxi drivers setting up a block so that the military 
could not get in to stop traffic because the taxi drivers 
needed to keep on making their money with tolls. And there is a 
nuclear bomb that the army was trying to stop, and the taxi 
drivers said, ``Look, there are unintended consequences of you 
coming. Could we have a meeting? Can we talk about it?'' I had 
this exact image of them. It might not be fair to share. But 
somebody is making money, and they really do not want to stop 
for anything. I guess that is all right.
    But I do want to go back to this procurement thing. There 
are actually two sides. We have this idea that we need to 
protect our systems. We keep talking about that. We will be 
able to do that well if we do all the things that you are 
talking about, and I am going to show you a cool thing that one 
of the agencies has done--that Senator Carper found, actually--
that will actually make a huge difference in that. But once we 
get the hygiene right--that is Bob Dix's old word. Once we get 
hygiene right, people will still make it through. There are 
organizations with enough money that they will, in fact, get 
through all the defenses when we have as perfect defenses as we 
can. So there is another half--and it is literally a half--
which are the people who the air force has given a wonderful 
name to--they are called the hunters, and they are the people 
who can unravel the data about an attack, figure out what it is 
and what they are doing and how they are doing it and stop 
them. So you helped set that up. The reason that DHS is having 
such trouble relative to DOD is they have none of those 
hunters. And all these people they are hiring are not hunters 
because you need seeds for the crystal, and they do not have 
any seeds there. The seeds are all at NSA, and when they are 
hiring 300 more people, when you go look at their skills, they 
are just not the hunters. They are not the people we have to 
have.
    In closing, I want to tell you about a wonderful positive 
story. There is a concept of reducing risk. This is a chart 
that shows every embassy around the world and every State 
Department office around the world over 12 months, a reliable 
measurement of cyber security risk, reliable as in the NSA has 
been there to say, yes, they are doing pretty good. And it is a 
90-percent reduction in cyber risk in all of the embassies and 
89 percent across all the State Department offices. This ended 
in August just this year. They are almost half again as good. 
This is the model that you will not find in any other agency 
around government. And it is a model that actually gives us 
response. When the Google hack happened at all agencies--it was 
an Internet Explorer vulnerability. We all had Internet 
Explorer. So every machine had this. Every agency sent out 
emails saying fix it, fix it, fix it. State did not say fix it. 
State actually changed the risk score on the vulnerability. It 
is called the Aurora Vulnerability. They changed it. So when 
you talk to DOD, they will tell you, ``We got 70 percent 
compliance in about 4 months.'' If you talk to other agencies, 
60 percent, 50 percent. State Department got 90 percent in 6 
days. So 4 months, 70, 60 percent versus 90 percent in 6 days. 
This is what continuous monitoring is all about.
    Maybe one last thing, or am I way over my time?
    Chairman Lieberman. You are way over, but one last quick 
thing.
    Mr. Paller. So the reason agencies could not do it is this: 
The last FISMA gave the power to set standards to the National 
Institute of Standards and Technology (NIST), and they had no 
adult supervision. So it wrote a standard that said that one of 
its guidance documents was mandatory, and that guidance 
document required all of these, 8,511 pages, that you have to 
do every day, and I am sure that all cyber security will. But, 
anyway, that is it.
    Chairman Lieberman. That was great. Thank you. You are the 
most mobile witness we have had before the Committee in a long 
time. [Laughter.]
    Thanks for your excellent testimony, and I appreciate your 
words of support for what we have proposed here.
    Next we have Steven Naumann, who is Vice President for 
Wholesale Market Development for Exelon Corporation and 
Chairman of the Member Representatives Committee of the North 
American Electric Reliability Corporation (NERC). Mr. Naumann 
is going to be testifying today on behalf of the Edison 
Electric Institute (EEI), which represents about 70 percent of 
our electric sector, and the Electric Power Supply Association 
(EPSA). Thanks very much for being here.

 TESTIMONY OF STEVEN T. NAUMANN,\1\ VICE PRESIDENT, WHOLESALE 
MARKET DEVELOPMENT, EXELON CORPORATION, ON BEHALF OF THE EDISON 
  ELECTRIC INSTITUTE AND THE ELECTRIC POWER SUPPLY ASSOCIATION

    Mr. Naumann. Thank you, Chairman Lieberman, Ranking Member 
Collins, and Senator Carper.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Naumann appears in the Appendix 
on page 101.
---------------------------------------------------------------------------
    Just quickly, Exelon serves more than 5.4 million customers 
in the Chicago and Philadelphia areas. We operate approximately 
30,000 megawatts of generation, including 17 nuclear units, 
just to give you an idea of our scope. And as you said, I am 
representing EEI and EPSA today. We are members of both trade 
organizations.
    At the outset, I would like to thank you, Chairman 
Lieberman, Ranking Member Collins, and Senator Carper, for your 
thoughtful approach to the bill and for your leadership on this 
issue. The owners, operators, and users of the electric power 
grid take cyber security very seriously. In fact, a broad 
coalition representing the full range of generation, 
transmission, and distribution interests in the United States 
as well as regulators, Canadian interests, and large industrial 
customers all agree on the need for government involvement in 
protecting critical infrastructure from cyber attack. While I 
am not testifying officially on behalf of the coalition, this 
cooperative relationship to address threats to the power grid 
is vital to improving cyber security.
    There are three principles in the bill that I would like to 
emphasize: First, leveraging public and private sector 
expertise, including information sharing between the two areas; 
second, concentrating on truly critical infrastructure; and, 
third, addressing cyber security in a comprehensive, multi-
sector way.
    First, both the government and the electric power sector 
have distinct areas of responsibility and expertise. With its 
intelligence-gathering and law enforcement capabilities, the 
government is able to detect threats, evaluate the likelihood 
of malicious attacks, and identify patterns of potential 
infiltration. Power companies, on the other hand, are 
experienced at operating their systems and engineering 
resiliency and recovery, depending on a threat.
    To best ensure the cyber security of the Nation's electric 
grid, we need to clearly define these roles and 
responsibilities while facilitating cooperation and information 
sharing between government agencies and the power sector. The 
government-wide coordinator your bill envisions is critical to 
ensuring that information does not fall through the cracks and 
that the right people have complete information to make sound 
operational decisions in times of crisis. This careful 
consultation with industry helps ensure that government actions 
in protecting the grid from a cyber attack do not have 
unintended or harmful consequences, and I will be glad to 
explain that I do not mean taxi drivers blocking the streets, 
but when you are operating a system, if you do not do the right 
thing, you might get things happening that you really do not 
want to.
    Second is the bill's narrow scope. It focuses appropriately 
on the need to protect truly critical assets and deal with 
cyber security emergencies. There is a security axiom that 
states, ``If you try to protect everything, you protect 
nothing.'' Therefore, the risk-based prioritization reflected 
in the proposed bill ensures that both government and private 
sector resources are allocated wisely.
    The industry believes your bill focuses on the more 
relevant question and urgent security gap. What additional 
authority is needed in order to promote clarity and focus in 
response to national cyber security emergencies?
    Third is the comprehensive approach to dealing with cyber 
security. While the electric power industry's focus is on 
operating and protecting the electric grid, the interconnected 
nature of our critical infrastructure requires a multi-sector 
approach. We in the power industry rely on telecommunications 
systems to operate the grid, pipelines and railroads to bring 
fuel to our generation, and wholesale markets to sell our 
product. Should any of these critical sectors be compromised, 
the reliability of the electric power system would be impacted. 
Likewise, each of these sectors depends on a reliable supply of 
electricity to operate. Your bill recognizes this truth, as did 
the President's ``60-Day Cyber Review'' completed last year. I 
would urge the Congress to follow your leadership and approach 
this issue holistically.
    Again, the industry's perspective on sound cyber policy 
includes promoting clearly defined roles and responsibilities, 
as well as ongoing consultation and sharing of information 
between government and the private sector. Using a risk-based 
model that secures truly critical assets against cyber security 
emergencies is the best use of the limited security resources 
and approaching the issue in a comprehensive, multi-sector way.
    Again, I appreciate the opportunity to appear today and 
would be happy to answer any questions. Thank you.
    Chairman Lieberman. Thank you very much, Mr. Naumann.
    Finally, we go to Sara Santarelli, Verizon's Chief Network 
Security Officer. I hope that you will be able to offer us a 
perspective on the type of intrusions and probes that Verizon 
is seeing on a regular basis, but thanks for being here.

  TESTIMONY OF SARA C. SANTARELLI,\1\ CHIEF NETWORK SECURITY 
                OFFICER, VERIZON COMMUNICATIONS

    Ms. Santarelli. Thank you for having me today. Mr. 
Chairman, Ranking Member Collins, and Members of the Committee, 
thank you for the opportunity to discuss this important topic 
of cyber security today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Santarelli appears in the 
Appendix on page 109.
---------------------------------------------------------------------------
    Your legislation represents a positive step forward. We 
feel that the majority of the legislation supports the common 
goal of creating a much safer online environment, even if we 
may not agree with every specific provision.
    Cyber security initiatives take place at many different 
layers at Verizon. We work closely with our suppliers to help 
ensure that their products meet our security requirements. We 
use technologies to identify and mitigate threats on our 
network. We have developed an internal dashboard to help manage 
security of our own corporate systems, and we offer a wide 
range of services to our customers to help them better protect 
their networks and their data.
    Security events are a constant reminder that our networks 
and our customers' networks are under steady assault. These 
threats are constantly changing and evolving as criminals 
develop new techniques to get around the latest defenses, and 
once launched, these attacks can escalate with an astonishing 
speed. Speed and flexibility are critical to the success of our 
response.
    The Slammer worm, launched in January 2003, was the fastest 
spreading computer worm in history. It doubled in size roughly 
every 8.5 seconds. Within 3 minutes, the worm had achieved its 
full potential with more than 55 million computers being 
scanned per second. Success in stopping the Slammer worm was 
predicated on the ability to take fast and decisive action 
without extraneous briefing, consultations, or declarations. 
Similarly, the experience in 2009 and 2008 as well with the 
Conficker worm illustrates how important it is to maintain a 
flexible approach in responding to cyber threats.
    In response to this threat, an international working group 
was actually formed consisting of 30 named members and many 
more partners and contributors from around the world, including 
Verizon. Information sharing by that working group proved very 
effective.
    Each incident we respond to teaches us different lessons, 
but the one common denominator is this: While government has a 
role to play in enhancing cyber security, it must not act in 
ways that diminish our flexibility, speed, and independence 
that network providers find essential in waging the war on 
cyber crime. Any government-directed information-sharing 
mechanism must not place restrictions or requirements on the 
free flow of information about the Internet and must not deter 
participation by knowledgeable entities.
    Network providers like Verizon are on the front lines of 
this war, but the fight cannot be left solely to the private 
sector. There is a role for government to play. We applaud the 
Committee's efforts to help bring clarity and definition to 
that role.
    The government can do things that the private sector simply 
cannot. My written statement identifies eight ways in which the 
government can be uniquely helpful. Let me summarize three.
    First, the government should lead by example, working to 
enhance the security of public networks, centralizing, 
clarifying agency roles and responsibilities; eliminating 
regulatory duplication; and purchasing technology solutions 
that raise the level of security technology in the marketplace 
generally. Proposals in this bill would help streamline public-
private interaction and ensure consistency in the security of 
the government's infrastructure. The bill also takes several 
positive steps towards eliminating duplication, enhancing the 
security of government networks, and using the government's 
budget power for targeted investment in cyber security 
technologies.
    Second, the government should promote enhanced security for 
private sector infrastructure but not at the expense of speed 
and flexibility of response. For those who are slow in adopting 
best practices in the areas of cyber security, it is 
appropriate for government to provide strong incentives for 
them to do so. However, given the wide range of networks and 
technologies, as well as the rapid pace with which cyber 
threats are evolving, we simply cannot lock ourselves into a 
single regulated approach. The most effective approach, which 
this bill does take, is a public-private partnership where 
government provides assistance and expertise to the private 
sector. Confidentiality and liability protection will encourage 
the private sector to implement desired activities.
    Finally, the government should eliminate legal barriers to 
the collection, use, and sharing of information by network 
operators, their customers, and the government. Striking an 
appropriate balance between privacy and the need for 
information sharing will directly support our shared goal of 
enhanced cyber security.
    We look forward to continuing to work with you and the 
Committee on cyber security legislation, and I look forward to 
answering your questions today.
    Chairman Lieberman. Very good. Thank you. We will do 7-
minute rounds of questions.
    Ms. Townsend, since you have been liberated from official 
Federal service, maybe you can respond more directly to some of 
the questions that were asked of Mr. Reitinger, which are, 
really, who would you say are the main sources of attack 
against American cyber systems?
    Ms. Townsend. Sure. I mean, I think if you look at the open 
source material that is available, it is commonly understood 
that our most capable adversaries, potential adversaries are 
both the Russian government and the Chinese government.
    Chairman Lieberman. Right.
    Ms. Townsend. We have capable allies, of course, in Western 
Europe in the British and the French, but, of course, once you 
know you have capability, how they use it is really dependent 
on their own agenda.
    Chairman Lieberman. Do we think that the non-state actors, 
both terrorist groups and organized crime syndicates, are 
developing the capacity to cyber attack us or others?
    Ms. Townsend. It is an interesting question, Senator, 
because I think our understanding as you watch terrorist 
organizations, in particular, is that their operational 
capability is often dependent on their ability to use the 
Internet. Whether that is to pass information, propaganda, 
recruit, or fundraise, they need the Internet just as we need 
the Internet. And so that sort of mutual need has been 
something of a protective measure in terms of their willingness 
to cyber attack. That is not a guarantee. And so, of course, I 
think the government watches quite closely how the capability 
of our terrorist adversaries increases and looks for the 
potential that they may turn and decide it is worth using it as 
an attack method.
    Chairman Lieberman. Thanks for those answers. They are very 
helpful.
    I appreciate very much that both Mr. Naumann and Ms. 
Santarelli are here because you represent major private sector 
entities that are affected. And I know that both the 
corporations that you work for and the sectors of the private 
economy that you are associated with are aware and sensitive to 
the threat in cyberspace, and that it represents a threat not 
just to your businesses but to our national security if a 
vulnerability is tapped.
    So I wanted to ask you--and then Mr. Paller and Ms. 
Townsend if they want to get in this question: Obviously, this 
legislation is premised on a conclusion that there is a need 
for governmental involvement. We try very hard to have a 
balanced, collaborative public-private sector approach in the 
bill. But there are some who might argue that there is actually 
little or no need for government involvement here because 
industry has the same incentive that the government has to 
secure its networks. And I wanted to ask you if you agree with 
that, and if you disagree, why. In other words, is there a 
necessary role for government here?
    Mr. Naumann. Chairman Lieberman, the electric power 
industry believes there is. As I said in my remarks, we all 
take protection of our networks very seriously, and for the 
reasons you state. But our capabilities do not go to 
intelligence gathering. They do not go to evaluation of some of 
these threats. We need to be able, first of all, to be notified 
of these threats. We need to be able, working with the 
intelligence agencies or those who have that information, to 
understand how those threats can affect our equipment and our 
service to our customers, and then to devise mitigation 
measures together with the government.
    We simply do not have that ability, nor, obviously, is that 
our expertise. Our expertise is running power systems. And so 
as I said, there is this gap. Could it be filled in some 
informal way? Yes, but the problem is when you get into a real 
emergency, there need to be lines of communication and 
procedures that are set up, practiced and drilled so that we 
know that information will get down to the people who need to 
actually put it into effect.
    Chairman Lieberman. Ms. Santarelli.
    Ms. Santarelli. Senator, when I look and I think about how 
can the government help the private sector, I think it is 
important to understand that the ecosystem of the Internet is 
actually made up of multiple layers. We have the suppliers of 
equipment and information systems. On top of that, that 
equipment and the systems are pulled together to make the 
infrastructure. On top of that, we have applications and 
systems that ride and the content that rides on the network. 
And then beyond that, connecting it all together, we have our 
end user population. I like to call it Grandma and Grandpa 
checking out the Internet at night or our kids that are on 
Facebook or whatever.
    So when we look at this as from a pure network provider 
perspective, we are just one part of the ecosystem, and I do 
not think any one part has the power or the ability to drive a 
solution in terms of security threat. All of those layers need 
to work together, and I think that government can help us with 
that.
    You note in the bill in particular the dispensation for 
security controls on your vendors. As one of the largest 
purchasers, we would like to see the government definitely 
drive that into our equipment providers so that as we take that 
equipment and build networks and applications with equipment 
that does have the security requirements.
    Chairman Lieberman. Very good. Would either of you like to 
add anything? Ms. Townsend.
    Ms. Townsend. Senator, just very quickly, of course, the 
government is the only entity capable of prosecution of crime, 
and so you are going to see acts that are crimes. But I would 
also note that in the intelligence and national security arena, 
we have seen instances in Estonia where one might rightly 
classify a cyber attack as an act of war. And so the government 
must play a role in working with the private sector. I 
absolutely believe the government cannot run it uniquely, and I 
have talked to the issue of the need for a public-private 
partnership. But we would be remiss if we did not believe that 
the government has a very substantial role.
    Chairman Lieberman. This is a most unusual area because we 
went for long periods of our history--after the initial 
chapters of our history--without being attacked here in our 
homeland, with the blessing of the protection that the oceans 
gave us. Then came Pearl Harbor, then another long period when 
we feared attack but there really were not any any during the 
Cold War. Now, unfortunately, we have been regularly the target 
of attack by the Islamist terrorist movement. But now in a way 
that is really totally unprecedented, through cyberspace, we 
can be attacked from far away here in our homeland. And it 
seems to me that perhaps the most attractive, if I can use a 
bad adjective, targets for an enemy will be private sector 
targets because of the extent to which our society depends on 
them, whether the electric grid or a dam that is holding back 
an enormous amount of water that is controlled over the 
Internet.
    I appreciate the answers that all of you gave, and to me it 
really cries out for the kind of public-private collaboration 
that we are talking about.
    My time is up in this round. Senator Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Ms. Townsend, I had a discussion with the previous witness 
about the existing emergency authorities of the President that 
were passed in the wake of the attack on Pearl Harbor in World 
War II. Let me get your opinion on this issue. Do you believe 
the existing emergency authorities, the authorities in current 
law, are sufficient for the President to deal with cyber 
attacks?
    Ms. Townsend. Senator Collins, thank you for the 
opportunity to address that question. I can say unequivocally 
my belief is that the existing authorities are not adequate, 
and they are ambiguous, as you noted.
    I would say in the Cyber Shockwave exercise that I had the 
privilege to participate in, Jamie Gorelick, the former Deputy 
Attorney General in the Clinton Administration, acted in the 
role as the Attorney General, and she said that existing 
authorities are not only inadequate, but that in the absence of 
adequate authorities, she made the point that a president in a 
crisis will act and look to right it later with the Congress 
and the American people.
    I do not think that is the way we want to behave. I think 
you quite rightly point out that we ought to tackle the tough 
problems up front and make sure that the President and the 
Executive Branch have the authorities they need to act and that 
we are comfortable balancing security versus privacy and civil 
liberties.
    Senator Collins. Thank you. That is excellent testimony, 
and your point is very well taken. A President is going to act, 
and that is, frankly, also where you see abuses, where there 
are problems when there is not clear authority. So since it is 
so evident that cyber attacks are happening every day and are 
only going to get worse, it just cries out for us to establish 
the rules now in a thoughtful way.
    Mr. Paller, I want to bring up a different issue with you 
which was prompted by your demonstrating your extraordinary 
knowledge of what is going on in the Federal Government. If 
government agencies, as required by our bill, coordinate to 
establish a government-wide security standard or set of 
standards for the purchase of IT products, do you believe there 
would be a favorable impact on price? In other words, if that 
happens, is there a potential of saving taxpayers some money in 
these purchases?
    Mr. Paller. Thank you for asking that question. It actually 
not only will save money for the government, it will actually 
make a lot of money for the vendors. The same vendors that say, 
no, you are a bad human being to ask for that are going to make 
a lot of money. Here is the example.
    Do you remember when the Department of Veterans Affairs 
(VA) lost 17 million pieces of information?
    Senator Collins. Yes.
    Mr. Paller. Everyone wanted to encrypt their laptops. There 
were millions of laptops in the government. The commercial 
price for a laptop encryption was $243. The General Services 
Administration (GSA) price was $97. It was not enough. I mean, 
they did not have enough money to buy that.
    They got together, the White House, DOD, the States 
actually got together, pooled their buying. They did not pick 
one, they picked several. So it was not we are going to define 
you are the winner, everybody else is the loser. But they 
picked several, and they negotiated prices in which that price 
went from $97 to $11 in the first buy. But the amount of money 
that the software--I built a software company. We in the 
software business want the revenue. It is not the price per 
package. Buying millions of copies at $11 still makes us a 
whole lot more money than your buying five at $100,000 apiece.
    So what you do when you do the buying together is you lower 
the price across government, but you also radically expand 
their market, and they make more money. And the ones who win 
that actually go on to take over markets all across the world 
because they were the ones that were selected for the 
government buy. It is a win-win kind of operation.
    Senator Collins. Thank you.
    Mr. Naumann, your company operates in more than one sector 
of the economy, and thus, you are regulated by various Federal 
agencies. For example, you operate nuclear plants, correct? So 
you are under the Nuclear Regulatory Commission. You also 
operate an electric transmission business that is regulated by 
the Federal Energy Regulatory Commission (FERC). So because you 
have experience in dealing with different regulatory agencies, 
I want to get your view on the need to have a Federal agency 
involved in addressing cyber security in a coordinated way 
across all the critical infrastructures.
    In other words, if we do not act to make clear who is doing 
what in cyber security, are you likely to be subject to 
different standards by different agencies?
    Mr. Naumann. Thank you, Senator Collins. That is correct. 
At present, I will tell you the agencies, for example, the NRC 
and the FERC through the North American Electric Reliability 
Corporation, are trying to coordinate their cyber security 
policies. Of course, that does not include, for example, in our 
case the Illinois Commerce Commission, which has authority over 
our distribution network, and the Pennsylvania Public Utility 
Commission, which has authority over the network in 
Pennsylvania.
    Having one set of best practices, including the feedback 
that the legislation contemplates of being able to go back and 
showing how we would solve a problem, I think would make it 
easier not only for us; it would make it easier for the various 
regulatory organizations and be more cost-effective. So we 
would support a single agency being the coordinator and then 
cascading down.
    Senator Collins. Ms. Santarelli, same question for you.
    Ms. Santarelli. Yes, Senator Collins. Thank you for the 
opportunity to comment on that. As a national infrastructure 
provider, we agree with Mr. Naumann that it would be beneficial 
to us to have a single one voice into the government entities 
rather than having to work through multiple entities. As I 
mentioned in my oral testimony and my written testimony, it is 
very important to us to continue to have the speed to respond 
to any threat in near real time, if not real time, and working 
across multiple agencies I think could complicate that ability.
    Senator Collins. Thank you. Thank you, Mr. Chairman.
    Chairman Lieberman. Thanks very much, Senator Collins. 
Senator Carper.
    Senator Carper. Thank you, Mr. Chairman. I just want to 
observe, if I could, to our Chairman and Ranking Member that 
the subject that is before us today can be pretty dense and 
pretty hard to understand. And I say that as a guy who, until 
just a couple years ago, could barely spell the word FISMA, and 
today I actually understand what it means. And you have taken 
some tough, complex subjects and made them really 
understandable, even for me, and I thank you for that. Really 
good presentations and answers.
    I have heard from Mr. Paller a number of times before, and 
I have always observed that your presentations are, I think, 
especially effective. Have you ever thought of writing a book 
on this subject?
    Mr. Paller. If you look at my written testimony, it is 
really long. [Laughter.]
    Senator Collins. He already has.
    Senator Carper. Fair enough. Sometimes I start off my 
questioning when we have a second panel, I ask the second panel 
to look back at the testimony of the first panel and ask if 
there was anything that you especially agreed with or disagreed 
with from our first witness. And then I just want to ask you to 
kind of play off of each other and ask you to think about some 
of the things that your colleagues said during their testimony, 
and say, ``Well, I really agreed with that,'' or, ``Boy, they 
are out to lunch on that one.'' But go back to the first panel 
with us. Anything that was said that you especially want to 
underline or emphasize for us. If you would just start off, Ms. 
Townsend, please.
    Ms. Townsend. Thank you, Senator. I do think I was struck 
by Senator McCain's question about partnership and Phil 
Reitinger's answer. A quick vignette, I led the Katrina lessons 
learned about how we could do things better, and I remember 
interviewing General Russ Honore, and we talked about the 
national incident commander's role to coordinate the response. 
And he had this great line that I never forgot. He said, ``You 
know, when you have a coordinator, a coordinator starts out to 
make a horse and ends up with a camel.'' And it was graphic 
enough and there is something to that.
    And so I do think we have to be careful. That is why I said 
if DHS is simply in the role of coordinating, somebody does 
need to lead. Senator McCain is quite right. I think DHS is 
right to lead, to understand where greater capability in the 
government may reside to protect defense systems, intelligence 
systems, but somebody must lead. I think that makes it 
especially important that you have a White House office. 
Everybody needs a Daddy, and if this is----
    Senator Carper. And a Mommy.
    Ms. Townsend [continuing]. Inside DHS, that person will 
need the gravitas of a White House office to break through the 
interagency process that can only be done there. And so I do 
think we have to be careful to make sure to give them the 
authority to actually get the job done and then the link to the 
White House to implement it.
    Senator Carper. All right. Mr. Paller.
    Mr. Paller. Only one. When Mr. Reitinger was talking about 
the people and how critical the people are, I think he was 
radically understating the problem. A man named Jim Gosler, who 
ran the Clandestine Information Technology Office (CITO), in 
the Central Intelligence Agency (CIA), said to a bunch of 
people in the Pentagon and NSA, ``We have only a thousand 
people that can fight at world-class levels right now.'' There 
was another person at the meeting who was a senior DOD official 
that was frowning, and I asked him why he was frowning, he 
said, ``Because I cannot get to a thousand.'' We need 20,000 to 
30,000 of those people.
    The problem with what Mr. Reitinger is doing, is he is 
trying to hire them away from other people. But if you only 
have a thousand, you are just going to grab them from a DOD 
contractor or a NSA contractor. He has to change his mood from 
we are going to go get these people to we are going to go build 
these people, and he has to really take that on. His legacy is 
the building of those people because until DHS has that core of 
excellent people who are not contractors but are inside the 
organization, they cannot compete with NSA and they cannot 
defend the Nation.
    Senator Carper. Good point. Thank you. Mr. Naumann.
    Mr. Naumann. Senator, actually it was something you said 
about----
    Senator Carper. Something I said?
    Mr. Naumann. Yes, sir. The difference between what is on 
paper and implementation. And for the electric power industry, 
when there is an immediate threat, having a single point of 
contact to cascade that down with communications protocols and 
channels that have been drilled and practiced is essential. 
When time is of the essence, there is no time for confusion. 
And so having the clear chain of command to get the information 
to us, to be able to work with us to devise mitigation, and get 
that information out to the right people becomes essential. And 
that involves the implementation and it involves drilling and 
it involves getting it right.
    Senator Carper. Thank you. Ms. Santarelli.
    Ms. Santarelli. Thank you, Senator Carper. When I was 
listening to Mr. Reitinger's testimony and he spoke of a recent 
worm, Conficker, he shared some of the difficulties in working 
through all of the different agencies and getting information, 
it struck me because in my oral comments I referenced the same 
worm. And in the private sector, it was a different experience. 
We very quickly pulled together a working group that stands 
over 30 entities strong with a lot of additional partners 
outside of that, a worldwide group of folks, technical folks 
coming together to share, ``Hey, what worked for you? What is 
the issue? What are you seeing?'' ``Hey, here is this IP 
address. Here are where the machines are that you need to avoid 
and not interact with them.''
    And so it struck me that partnership is important and that 
we should learn from each other, because on the one side it 
works so well in the private industry to be able to share that 
information live, and we would really look forward to working 
with the Committee to share some of those best practices that 
we have in our ability to communicate and interact with 
organizations like SANS and others to share that information. 
Thank you.
    Senator Carper. Thank you. One last quick question, if I 
could. My colleagues have heard me say from time to time that 
the role of government is to steer the boat, not row the boat. 
And another thing that has fascinated me for a long time is how 
do we use market forces to try to drive good public policy 
behavior?
    Let me just ask, for those two principles, for me cardinal 
principles, how well do we do in terms of measuring up to those 
principles in the legislation that we have introduced? Ms. 
Santarelli, do you want to go first?
    Ms. Santarelli. Yes. I think that there are some really 
positive aspects in the legislation that you have introduced. I 
do like the ability to continue to grow in terms of the public-
private partnership. I think that there is improvement in 
opportunities where we can work together to share information.
    I would like to see and continue to work with the Committee 
to address some of the legal barriers that we believe are there 
that restrict us a bit in terms of being able to share 
information. So we would like to see those barriers ironed out 
a bit to ensure more success in our ability to share 
information.
    Senator Carper. Thanks. Mr. Naumann.
    Mr. Naumann. What this bill does is it puts an overlay on 
the security and reliability processes the industry has now 
through the North American Electric Reliability Corporation 
setting mandatory standards. It acts or puts into place 
something that really the government is the one who has that 
capability on the intelligence gathering.
    There are processes now. What is contemplated here is 
better because, as I said earlier, you need certainty and also 
the feedback in providing industry solutions back to the 
government to get the best solutions. And so what it does is it 
lets us do what we do best, and we do set through NERC cyber 
security standards. But it puts an overlay on that for the part 
where the government has the real expertise, and that is simply 
not our--intelligence gathering is not our job.
    Senator Carper. All right. Mr. Chairman, could we hear just 
briefly from Mr. Paller and Ms. Townsend?
    Mr. Paller. I give you a 9.1. It is really well down.
    Senator Carper. Was that on a scale of 100?
    Mr. Paller. On a scale of 10--9.1.
    Senator Carper. Thanks. Ms. Townsend, last word.
    Ms. Townsend. Yes, I think the liability protection 
provided in the bill is incredibly important for the private 
sector. If there is something I would strengthen, we have to 
protect the information that we are encouraging be shared, and 
I think that is important whether it is traveling from the 
State and local level all the way up through the Federal 
Government to the private sector or the other way. We have to 
ensure that across the spectrum of shared information we are 
making sure that the information is protected, or the private 
sector will not share.
    Senator Carper. All right. Thank you all very much.
    Chairman Lieberman. Thank you, Senator Carper.
    Senator Carper. And, Mr. Chairman, thank you very much for 
allowing me to a be a part of this trio, and I think we are on 
to something good here, and we very much look forward to 
working with you.
    Chairman Lieberman. Thank you. Our pleasure to work with 
you, and you did say something, just in answer to your 
question.
    I want to just highlight--and then we will let everybody 
go--this last exchange because there is something I came to 
appreciate as we worked on this bill, and Senator Collins 
particularly made a very significant contribution on this 
point, which was that when we talk about the emergency 
authorities of the President with regard to the most critical 
parts of cyberspace, a lot of what we are talking about is the 
importance that the President has the capacity to say to an 
electric company or to say to Verizon in the national interest, 
``There is an attack about to come,'' or ``We are in the midst 
of an attack, and I hereby order you to put a patch on this or 
put your network down in this part or stop accepting anything 
incoming from Country A.''
    That might be the kind of thing that an individual company 
would want to do or know they should do, but the potential 
liability in doing that is enormous, because in the normal 
business sense, you might well be putting down operations with 
enormous financial consequences or losses. But it is in the 
national interest to do that at that moment to stop greater 
losses.
    So I wanted to explain that just in this last line of 
questioning and your answers to Senator Carper because that is 
really what we have in mind. There is no authority here, as 
Senator Collins said at the beginning, for the President to 
have the government take over cyberspace. It is really through 
the National Cyberspace and Communications Center at DHS to 
issue orders probably as a result of previous agreement and 
collaboration with the private sector, to do things that in a 
normal business sense you would be hesitant to do, but in terms 
of national security there is no question that you should do 
it, and we should protect you from liability.
    Do you want to add anything to that, Senator Collins? You 
made a very important contribution to that part of the bill.
    Senator Collins. Thank you. Mr. Chairman, I do think that 
we got that right, and I very much appreciate the strong 
testimony in support of it.
    I just wanted to make a couple of final comments. This is 
very complex legislation dealing with an extraordinarily 
important issue, and I want to thank our staffs and all the 
private sector partners that assisted us in drafting this bill. 
I think that is why I will say that I believe we have come up 
with the best approach of all the bills that are out there. It 
is because we did get a great deal of advice, insight, and 
input from the private sector partners, from former government 
officials, and from current government officials.
    So I just wanted to thank those individuals, many of whom 
are here or are represented here today, as well as our staffs 
for their hard work. This has been a long time coming, but I 
think we have produced a very good bill, and I thank you for 
your leadership as well.
    Chairman Lieberman. Thanks, Senator Collins. You are 
absolutely right. It took longer than we wanted, really. A lot 
of it was because there was a lot of consultation. We tried to 
do this in a collaborative way, and as a result I think it is a 
better bill.
    Incidentally, we took a long time in getting to this point, 
but now we have our foot on the gas, because this is really 
urgent. So we are going to report the bill out hopefully next 
week, and as I said earlier, I believe Senator Reid is going to 
try to bring the various bills together to reconcile 
differences and then schedule floor time this year to move this 
along.
    This has been an excellent panel. You have been helpful to 
us before today and today. I thank you very much for that.
    We will leave the record of the hearing open for 15 days 
for additional statements and questions, and with that, I thank 
you and adjourn the hearing.
    [Whereupon, at 5:08 p.m., the Committee was adjourned.]


         SECURING CRITICAL INFRASTRUCTURE IN THE AGE OF STUXNET

                              ----------                              


                      WEDNESDAY, NOVEMBER 17, 2010

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:07 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Coons, and Collins.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. Good morning. The hearing will come to 
order. I apologize for being a little late. I was set to 
introduce a nominee for a State Department position at the 
Foreign Relations Committee, and they started a 9:30 hearing at 
10 o'clock, so I will blame it on them. But they blamed it on 
Secretary Clinton, so the line of accountability continues.
    In a sense, this is a hearing to both remind us and educate 
those who are watching--hopefully, the public and Members of 
the Committee--about the reality of the cyber threat to the 
United States and how important it was that we work hard to 
develop cyber security reform legislation in this Congress, and 
how unfortunate it is that the clock is going to run out on us 
before we have a chance to complete negotiations with other 
committees and with the Administration, who I regret to say, I 
think did not engage as early and as fully in the process of 
developing this legislation as was necessary.
    But this Stuxnet story really takes the reality of the 
threat to a new level, I believe, and I think should awaken any 
skeptics. And there are some, of course, who think that we are 
overstating the threat and, therefore, overreacting in the 
public resources that we are devoting to the protection of our 
cyber systems here in America. Of course, I totally disagree 
with that argument.
    We have an extraordinary group of witnesses here today who 
will not only explain to us what Stuxnet is but will, I hope, 
talk more generally about the cyber threat to our country.
    I will say, in terms of our legislation, that it is 
certainly my intention--and I know it is Senator Collins'--to 
come back to this legislation really early in the next session 
of Congress and try to get it out as soon as possible. And, 
again, I want to say this will require more immediate and 
intense engagement by the Administration and by some of the 
other committees that claim jurisdiction here. We, of course, 
think we are the ultimate source of jurisdiction for cyber 
security matters that are non-defense, which is the Armed 
Services Committee. But this will be a real priority for the 
Committee when the session begins next year.
    Because I am late, I am going to put the rest of my 
statement in the record \1\ and call on Senator Collins.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Lieberman appears in the 
Appendix on page 124.
---------------------------------------------------------------------------

              OPENING STATEMENT OF SENATOR COLLINS

    Senator Collins. Thank you, Mr. Chairman. I know that we 
have votes starting at 11 o'clock this morning, so I am going 
to follow your lead. Let me just make a couple of comments.
    Much attention has been paid to cyber crimes, such as 
identity theft, and to cyber attacks that are intended to steal 
proprietary information or government secrets. But lurking 
beyond those serious threats are potentially devastating 
attacks that could disrupt, damage, or even destroy our 
critical infrastructure, such as the electric power grid, oil 
and gas pipelines, dams, or communication networks. These cyber 
threats could cause catastrophic damage in the physical world, 
and this threat is not theoretical. It is real and present, and 
the newest weapon in the cyber toolkit that was introduced to 
the world in June when cyber security experts detected the 
cyber worm called ``Stuxnet,'' which demonstrates to us the 
extraordinary capacity that a worm could have to disrupt 
absolutely critical infrastructure.
    It is evident that the development of this very 
sophisticated malware was likely the work of a well-financed 
team of experts with extensive knowledge of the targeted 
systems. It is my understanding that more than 100,000 
computers were infected and that the damage could have been 
catastrophic.
    Like Senator Lieberman, I believe that this problem is 
urgent. We have introduced bipartisan, comprehensive 
legislation to deal with this threat. I personally think it is 
an ideal issue for the lame duck session of Congress to take 
up. My fear is that we will wait until we have a successful 
cyber September 11, 2001, before acting, so I would like to see 
us be proactive on this issue, and I believe our bill points 
the way.
    In the meantime, I look forward to hearing the testimony of 
all the extraordinary experts that we have today to shine a 
spotlight on what the impact would be of an attack on critical 
infrastructure, an attack that this worm has made evident could 
happen at any time.
    Thank you, Mr. Chairman, and I would ask that my full 
statement be put in the record.\2\
---------------------------------------------------------------------------
    \2\ The prepared statement of Senator Collins appears in the 
Appendix on page 127.
---------------------------------------------------------------------------
    Chairman Lieberman. Without objection. Thanks, Senator 
Collins. Just listening to you reminded me of something I heard 
a businessman say a couple of days ago, which is that one of 
the problems with our government is that too often 
metaphorically it waits until there are four or five major car 
accidents at a cross-section before it decides to put up a 
stoplight. And we want to make sure that we put the stoplight 
and the protections up before we have not just an accident but 
suffer a major attack.
    When my staff presented the memo to me about this hearing, 
including the description of the witnesses, my reaction was we 
could not have a better group of witnesses. And I really 
appreciate both your work in this area and your presence here 
today.
    We are going to begin with Sean P. McGurk, Acting Director, 
National Cybersecurity and Communications Integration Center at 
the U.S. Department of Homeland Security. Good morning, Mr. 
McGurk.

    TESTIMONY OF SEAN MCGURK,\1\ ACTING DIRECTOR, NATIONAL 
CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER, OFFICE OF 
 CYBERSECURITY AND COMMUNICATIONS, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. McGurk. Good morning, Chairman Lieberman and Ranking 
Member Collins. My name is Sean McGurk. I am the Acting 
Director for the National Cybersecurity and Communications 
Integration Center, and up until recently I was the Director 
for the Control Systems Security Program and the Industrial 
Control Systems Cyber Emergency Response Team (ICS-CERT) also 
at the Department of Homeland Security (DHS). The Department 
greatly appreciates this Committee's support in our ongoing 
efforts to identify cyber threats and to combat cyber concerns 
in the critical infrastructure, and in addition, I appreciate 
the opportunity to appear before you today to provide some 
insight into the activities that we have analyzed and 
identified in relation to Stuxnet.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. McGurk appears in the Appendix on 
page 129.
---------------------------------------------------------------------------
    I would like to discuss the importance of securing these 
control systems and how they significantly differ from the 
information technology systems that we have been focusing on 
over the past few years, and to also discuss DHS' approach in 
addressing cyber threats and cyber risks as they apply to the 
control system. And, finally, I would like to spend a few 
minutes discussing Stuxnet itself and how Stuxnet has changed 
the landscape when it comes to critical infrastructure.
    Something as simple and innocuous as this becomes a 
challenge for all of us to maintain accountability and control 
of our critical infrastructure systems. This actually contains 
the Stuxnet virus.
    Chairman Lieberman. Mr. McGurk, take just a moment and 
define a control system.
    Mr. McGurk. Yes, sir. A control system in our common 
terminology is any of the automated or embedded systems that we 
use in our day-to-day activities. The National Infrastructure 
Protection Plan has identified 18 critical infrastructures in 
the United States. As you are all well aware, the foundational 
element between those 18 critical infrastructures are control 
systems. Energy is different than water which is different than 
nuclear, but the fundamental foundation is those control 
systems, those automated, digital-to-analog robotic systems 
that manufacture cars, purify water, generate electricity, or 
actually produce the goods and services that we rely on on a 
day-to-day basis.
    So recognizing the unique nature of those systems, the 
Department created the Control System Security Program back in 
2004 to address those challenges.
    Much of what we have learned from information technology 
practices are basic principles that we can apply, but just the 
nature of these operational systems requires us to take a 
different approach in protecting them. How we protect the 
systems that generate power, purify our control over traffic 
flow systems, or our rail and aviation transportation systems 
is fundamentally different than the way we protect our 
information technology infrastructure. That is why the 
Department takes this all-hazards, all-risk approach when 
identifying those challenges.
    In order to focus on that foundation, the Control System 
Security Program has established many activities in order to 
increase the level of awareness for the control systems 
community. One of those activities involves a Workforce 
Development Program. In partnership with the Idaho National 
Lab, we have built a very comprehensive and extensive hands-on 
training environment where, working with the private sector and 
with other Federal departments and agencies, we have been able 
to train over 16,000 individuals, both asset owners, operators, 
and vendors and other Federal agencies, in control systems 
security--again, focusing on the unique nature between 
information technology and control systems.
    We have also worked closely with the standards community to 
ensure that we are focusing on how to apply those principles 
and practices from information technology into a control 
systems environment. It is very important to recognize those 
unique requirements and the differences between the systems and 
not try to apply a one-size-fits-all.
    In order to support the asset owner and operator community 
in the private sector, we developed a series of tools that 
could be used in order to enable a self-assessment of the 
control systems security. There are many automated systems that 
enable the evaluation of information technology and enterprise 
networks, but we needed to focus on those unique 
characteristics of control systems. Subsequently, we worked 
with the Department of Energy laboratory community and 
developed these tools so that we could actually apply them in 
the general public.
    In addition to the 16,000 personnel that we have trained, 
we have also trained partners in 30 different countries to 
increase the level of awareness of industrial control security. 
We actually chair an international body focusing on increasing 
the level of awareness for industrial control, and we have also 
conducted more than 50 on-site assessments at facilities 
throughout the United States, in 15 different States and three 
territories. We plan on increasing that level of activity in 
the coming years.
    ICS-CERT also maintains fly-away teams. These fly-away 
teams are incident response teams that work with the private 
sector asset owners and operators upon request to do either 
remote maintenance and analysis or physical analysis. When 
requested, we will deploy a team. They will assist asset owners 
and operators in identifying restoration methods, digital media 
capture methods, and then we will conduct the analysis to 
determine what the extent of the vulnerability is and what the 
potential impacts are. We do this in order to understand the 
overall risk profile to an industrial control environment, 
looking at the threats, the vulnerabilities, and then 
potentially the consequences. And then we work closely with the 
community, the asset owners, operators, and the private sector 
to build those mitigation strategies.
    When the Department first identified a vulnerability back 
in 2007 that we termed ``Aurora''--which had to do with hacking 
into and modifying settings in digital protective networks, 
physically destroying electric generation capacity--we 
recognized the need to partner closely with industry so that we 
could develop mitigation strategies that were sector-specific. 
Fundamentally, what fixes the energy sector may not work in the 
water sector, so that is why it is important for the Department 
to continue to partner with those 18 sectors to identify proper 
mitigation strategies. We understand we need to work with the 
broad community in order to be effective in mitigating the 
risk.
    We also generated fly-away team checklists. Up until this 
point, the understanding of what data was necessary to identify 
risks to control systems was not well understood, so we worked 
with academia and with other researchers to identify those 
digital capture methods so that we could actually build a 
forensic path to enable us to actually identify variants of 
vulnerability such as Stuxnet.
    The Department operates a malware lab; this is a physical 
laboratory where we can actually install equipment and analyze 
how it operates. In the case of Stuxnet, we were able to 
configure the actual manufacturer's equipment in a live 
environment and not only dissect the code to determine what it 
is capable of doing, but actually analyze what it does once it 
gains access to the equipment. So that gives us a better 
understanding of not just the analytics behind the code itself, 
but also its impact in a physical infrastructure. So the 
Department still maintains that capability, and we share that 
with the general public.
    We also look at our responsibility to continue to partner 
with the Federal departments and agencies to ensure that we are 
sharing the information as we analyze it. It is important for 
us to recognize that the intelligence community and the law 
enforcement community have their responsibilities in these 
areas, and we provide the intellectual capability behind it 
from a very unique skill set of industrial control to forward 
their efforts as well. So as we analyze the data, we share that 
information with the intelligence community, the law 
enforcement community, and other departments and agencies at 
the State and local level so that they understand the impacts 
of something like Stuxnet.
    As I said, Stuxnet is a one-of-a-kind type of situation. We 
have not seen this coordinated effort of information technology 
vulnerabilities, industrial control exploitations, completely 
wrapped up in one unique package. For us, to use a very 
overused term, it is a game changer. Stuxnet actually modifies 
not only the physical settings of an information technology 
system, but it also modifies the physical settings of a process 
control environment.
    Essentially, if I wanted to find out what the process is 
doing, I have the capability of removing those files or 
exfiltrating the data, so I do not have to break into the front 
door and actually steal the formula or the intellectual 
property of what you are manufacturing. I can actually go to 
the devices themselves, read the settings, and reverse engineer 
the formula for whatever the process is that is being 
manufactured. In addition, I can make modifications to the 
physical environment so that you would be unaware of those 
changes being made, and subsequently it would have an adverse 
impact on the environment.
    So the products that you are producing may not be of the 
specifications that you originally analyzed because Stuxnet 
demonstrates the capability of bypassing the safety and 
security systems to go down to the root level to make those 
changes; so the operator may believe the indicators on the 
panel are accurate, but, in fact, there is malicious activity 
occurring at the base level. These are capabilities that we 
have seen demonstrated in Stuxnet that we have never seen 
before in any analysis of code that we have conducted.
    Now, as I mentioned, there is a significant amount of 
concern also. Stuxnet is a pathway that people can then 
exploit. It has basically been a road map, and it was written 
in a modular format so that people could actually remove the 
vendor-specific payload, that malicious code that attacked the 
control system, and substitute it with any other type of 
control system code that they desire. So it was written in such 
a way that it allows that flexibility and capability, and that 
really causes us concern as we move forward. And that is why we 
continue to partner with the departments and agencies and the 
private sector to analyze the capabilities and the risks 
associated with Stuxnet.
    Again, Chairman Lieberman, Ranking Member Collins, I 
appreciate this opportunity today to appear before you, and I 
am standing by and happy to answer any questions. Thank you.
    Chairman Lieberman. Thanks, Mr. McGurk. That was a very 
good beginning, both very informative and, frankly, chilling in 
terms of the effectiveness of Stuxnet. You could make a lot of 
comparisons to guided missiles and multiple independently 
targetable reentry vehicle (MIRVs) and all the rest, and from 
an earlier time of combat but quite something.
    Michael Assante, who has a long background in this area, is 
currently president and chief executive officer of the National 
Board of Information Security Examiners. Thanks for being here.

    TESTIMONY OF MICHAEL J. ASSANTE,\1\ PRESIDENT AND CHIEF 
   EXECUTIVE OFFICER, NATIONAL BOARD OF INFORMATION SECURITY 
              EXAMINERS OF THE UNITED STATES, INC.

    Mr. Assante. Thank you. Good morning, Chairman Lieberman 
and Senator Collins. I am coming here today in the capacity of 
the National Board of Information Security Examiners of the 
United States, Inc. (NBISE), but also a lot of work that I have 
done in the field of critical infrastructure protection with a 
focus on control system security. I am pleased that this 
hearing is taking place today to explore the implications of 
very advanced cyber threats on our Nation and our critical 
infrastructure. The Stuxnet code is a very worthy centerpiece 
for this discussion today. Even though it is, I believe, 
neither the first nor will it be the last attempt to compromise 
and use an operational system to effect physical outcomes, 
Stuxnet is, at the very least, an important wake-up call for 
digitally reliant nations; and at worst, it is a blueprint for 
future attackers.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Assante appears in the Appendix 
on page 142.
---------------------------------------------------------------------------
    My remarks today will paint a very difficult challenge, but 
it is important to note that I remain an optimist. This Nation, 
as it has done countless times in past contests, should turn to 
its men and women, both in and out of uniform, to muster an 
effective defense. Our obligation is to best organize, train, 
and equip these individuals to be successful in this very 
important task.
    Stuxnet is a highly disruptive innovation. Simply put, 
Pandora's box was opened years ago as the United States became 
reliant on digital technology to help operators complete and 
control complex processes. Stuxnet is an important harbinger of 
things that I believe may come if we do not use this 
opportunity to learn about the risks to our infrastructures. No 
one should be shocked by the cyber exploits that can be 
engineered to successfully compromise and impact control 
systems. Study after study has identified common 
vulnerabilities found across control system products and 
implementations.
    Stuxnet is the best example of a cyber threat that was 
thought to be hypothetically possible; that is, some would say 
the fantastic story line of those that are just spreading fear, 
uncertainty, and doubt. Well, in this all too real story, 
possible did not merely just become probable, but it snuck onto 
the world stage, undetected by defenders for months. Its 
features, capabilities, the targeted technology, and the 
purpose should shock security professionals, engineers, 
business leaders, and government leaders into action. And I say 
this very important statement for the following three reasons.
    First, it is important that we understand there is a very 
well resourced group possessing the necessary motivation, who 
have successfully acquired the knowledge, skills, and 
capabilities to systematically develop and launch a highly 
sophisticated attack against control system technology. The now 
public occurrence of such a cyber attack is very important 
because it dispels conventional thinking that it is just ``too 
hard'' for an attacker to assemble the necessary information, 
gain familiarity with the technology, and acquire the knowledge 
of specific implementations to devise an attack that could 
disrupt or damage the physical components of an industrial 
process. It is simply not true.
    What is shocking to control system security experts is not 
that it was done, but that it was done in such a manner as to 
rely upon pre-programmed code, one that had the ability to 
autonomously analyze the system that has been compromised and 
identify very specific conditions desired for the delivery of 
its ``digital warhead.''
    The lesson that we must not gloss over is that highly 
resourced actors can assemble people and the capability to plan 
and to deal with system variances, anticipated security 
controls, obscure and proprietary technology, and complex 
industrial processes.
    Second, we must understand that the attacks that we should 
be most concerned with are not designed to disable their 
digital targets, but to manipulate them in a very unintended 
fashion. Many professionals have limited their thinking to 
dealing with the loss of individual elements or components of 
their control systems and have failed to fully embrace the 
implications of calculated misuse.
    In modern control systems, most of the process safety 
depends on logic that is found in the controllers. By analyzing 
this code, one can not only determine what the engineer wants 
to happen but also what the engineer wants to avoid.
    Finally, our current defense and protection models are not 
sufficient against highly structured and resourced cyber 
adversaries capable of employing new and high-consequence 
attacks. Our defensive thinking has been shaped by the more 
frequent and more survivable threats of the past. This means 
that while current cyber defense tactics, security 
architectures, and tools are necessary and can be responsive to 
the most likely of threats, they are not sufficient to deal 
with emerging advanced threats. The optimist always points to a 
new type of security tool or practice as the solution to 
current protection inadequacies. But should we not believe that 
if it had been necessary to assure their success, the authors 
of the Stuxnet worm would have simply developed a way to 
counter any near measures that we would have fielded in force.
    This requires us to consider not only security but also how 
we can design and engineer survivability into our complex 
systems and achieve a level of resilience not only in our 
organizations but to our technology and our processes, and 
better prepared to respond and recover to these types of 
advanced threats. The susceptibility of our modern 
interconnected and digitally reliant infrastructures is well 
established.
    I would also like to spend a minute on the flaws of our 
current efforts to regulate cyber security. The National 
American Electric Reliability Corporation (NERC)-developed 
critical infrastructure protection (CIP) reliability standards 
represent a very early attempt to manage cyber security risks 
through mandatory standards with very significant penalties for 
noncompliance. It is clear to me that the standards as written 
and implemented are not materially contributing to the 
management of risk posed by very advanced cyber threats, such 
as the Stuxnet worm.
    The standards are comprised of 43 specific requirements 
designed to provide what I would call a minimum set of 
practices that, if properly implemented, should serve as a 
simple foundation to built from. Many of the requirements 
should have already been commonplace in the industry but were 
not.
    The standards also include significant gaps and exclusions, 
but their greatest weakness is in how they have been 
implemented. The result has been a conscious and inevitable 
retreat to a compliance- or checklist-focused approach to 
security. Unfortunately, the NERC CIP standards have become a 
glass ceiling for many utility security programs, which 
prevents the emergence of the very type of security programs we 
need to deal with Stuxnet-like attacks.
    Regulation, although necessary, should be re-evaluated and 
designed to emphasize learning, enable the development of 
greater technical capabilities, require qualified staffs, and 
discourage the creation of a very predictable and static 
defense.
    We must recognize that we are in the time of Stuxnet, and 
in turn, it is the time to be honest. We do not have immediate 
technical answers to better protect industrial control systems 
from Stuxnet-like attacks. We do not have an effective 
defenses, and we do not have adequate detection techniques. We 
lack a functioning information-sharing and learning framework 
and have limited abilities to apply new-found knowledge. The 
public-private partnership has failed to produce satisfactory 
results in these areas.
    We must develop and implement protection strategies that 
accept the unfortunate reality that many of our networks are 
already contested territory. Accepting this very important 
assumption will help stimulate industry and community efforts 
to develop new and improved approaches to addressing the most 
material of risks.
    Why did some not see this coming? Well, significant cause 
for concern is that much of the information about cyber 
security-related threats remains classified in the homeland 
security, defense, and intelligence communities, with 
restricted opportunities to share information with the cyber 
security researchers, technology providers, and possibly 
affected private asset owners.
    I would like to specifically emphasize one of the necessary 
investments to combat advanced cyber threats like Stuxnet. 
Through the years, working as the chief security officer at a 
major utility, or by supporting researchers in a national 
laboratory, and coordinating protection efforts while I was at 
NERC, I have gained an appreciation for the importance and the 
difference made by skilled and well-developed people. As in 
this case, you must have a human complement up to the task of 
optimally detecting and calling out the faint signals by which 
these attacks sometimes announce themselves.
    I have never understood why we have not embraced better 
training and development methods for our front-line security 
and operations staff. We train pilots using advanced simulators 
to deal with very difficult conditions and mechanical failures. 
Why do we not use simulators to allow security and operational 
staff to experience low-frequently but high-consequence attacks 
against systems and designs? Mr. McGurk's program that helps 
develop that is a great first step.
    Why do we not use performance-based examinations to qualify 
our professionals? We have allowed chance to be our schoolhouse 
where targeted organizations simply suffer in silence, not 
willing to pass along the tough lessons that they have learned 
to others.
    I commend this Committee for its exploration of the 
implications that advanced threats like Stuxnet pose to our 
critical infrastructure and to our Nation. We must waste no 
more time debating our susceptibility. We must accept that 
well-resourced adversaries are capable of causing damage to 
industrial processes in very difficult to anticipate ways. I 
believe the following steps are necessary.
    We must remove and remediate architectural weaknesses, 
known vulnerabilities, and poor security designs in industrial 
control system technology over time.
    We need to promote greater progress designing and 
integrating security and forensic tools into control system 
environments.
    We must prioritize our efforts by jointly studying the 
potential consequences that may result from directed and well-
resourced attacks of control systems and protection systems in 
high-risk segments of our critical infrastructure. In the cases 
where the consequences are absolutely unacceptable, we must 
assume that an attacker can successfully defeat our security 
and, therefore, direct our efforts to engineering away the risk 
that more survivable designs and practices might be able to 
obtain.
    We need to organize a well-funded, multi-year research 
program to design toward a more resilient infrastructure, 
especially in the area of industrial and digital control 
systems.
    We must establish new regulation in the form of performance 
requirements that value learning, promote innovation, and 
better equip and prepare control system environments and the 
teams that protect, operate, and maintain them. The current 
regulatory structure will not, in my view, be capable of 
achieving this end.
    We must require critical infrastructure asset owners and 
control system vendors to report industrial control system-
specific security incidents.
    We must task appropriate U.S. Government agencies to 
provide up-to-date information to asset owners and operators on 
observed adversary tactics and techniques, especially when 
investigations reveal attacker capabilities to side-step or 
exploit the very security technologies we rely upon.
    We must invest in the workforce that defends and operates 
our infrastructure systems. We need scalable, immersive, hands-
on training environments, and local simulator training 
technology should be used to optimize the development of this 
workforce. The same workforce should then be qualified through 
periodic rigorous performance-based assessments and, where 
appropriate, examinations.
    In conclusion, my greatest fear is that we are running out 
of time to learn these important lessons. Ultimately, we know 
that our conventional approach to more common security threats 
will be necessary but woefully insufficient to protect us from 
threats like the Stuxnet worm. We must act now to develop our 
greatest resources in this important contest. That would be the 
professionals that defend, operate, and protect the critical 
infrastructure and critical systems of this country. Thank you.
    Chairman Lieberman. Thanks, Mr. Assante. Very practical and 
constructive recommendations.
    Dean Turner is our next witness, Director of the Global 
Intelligence Network at Symantec Security Response, Symantec 
Corporation. Thank you for being here.

  TESTIMONY OF DEAN TURNER,\1\ DIRECTOR, GLOBAL INTELLIGENCE 
   NETWORK, SYMANTEC SECURITY RESPONSE, SYMANTEC CORPORATION

    Mr. Turner. Thank you, Mr. Chairman and Ranking Member 
Collins. I would like to thank you for, of course, allowing us 
the opportunity to appear here today and to discuss not only 
the Stuxnet worm but how we can better begin to secure the 
industrial control systems that underpin this country's 
national critical infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Turner appears in the Appendix on 
page 156.
---------------------------------------------------------------------------
    As you have pointed out, I am the Director of Symantec's 
Global Intelligence Network. As a leader in the security space, 
Symantec welcomes the opportunity to provide comments to the 
Committee as it continues its, arguably, important efforts to 
enhance the security of critical infrastructure systems from 
cyber attack. We believe that critical infrastructure 
protection is an essential element of a resilient and secure 
nation.
    Let me begin by providing Symantec's observations on 
Stuxnet and offering our insights on the threat that the worm 
poses to this Nation's industrial control systems.
    Symantec examined each of the Stuxnet components in order 
to better understand exactly how the threat worked in detail. 
We found Stuxnet to be an incredibly large and complex threat, 
and it is the first threat that Symantec has identified that 
targets critical industrial infrastructure and is written 
specifically to attack industrial control systems used in part 
to control and monitor industrial processes. Not only can 
Stuxnet successfully reprogram the programmable logic 
controllers (PLCs), that are part of these industrial control 
systems, but it also, as Mr. Assante and Mr. McGurk have 
pointed out, cleverly hides those modifications.
    Stuxnet is able to accomplish this task via a rootkit, 
which is a type of malicious software that keeps itself hidden 
from the computer's operating system. Computer source code 
contained in the PLC is the function that allows control 
systems to operate and to control machinery in a plant or a 
factory. The ability to reprogram this function allows for the 
potential to control or alter how the system operates.
    We speculate that the ultimate goal of Stuxnet is to 
reprogram and sabotage industrial control systems. The threat 
is targeting a specific industrial control system, and that is 
the one utilized by energy sectors, such as with a gas pipeline 
or power plant.
    Stuxnet demonstrates the vulnerability of our critical 
infrastructure industrial control systems to attack and, again, 
as other witnesses' testimonies today have pointed out, 
highlights a problem and should serve as a wake-up call for our 
critical infrastructure systems around the world.
    The potential for attackers to gain control of critical 
infrastructure assets, such as power plants, dams, and chemical 
facilities, is extremely serious. Whether Stuxnet ushers in a 
new generation of malicious code attacks toward critical 
infrastructure remains to be seen. Stuxnet is of such 
complexity--requiring significant resources to develop--that 
only a select few attackers are capable of producing such a 
threat. So we do not expect masses of similar sophisticated 
threats to suddenly appear.
    Stuxnet does, however, highlight that attacks to control 
critical infrastructure are possible and not just a plot in a 
spy novel. The real-world implications of Stuxnet are some of 
the most serious that we have ever seen in a threat.
    The intended target of Stuxnet is not known. We know even 
less about who could have written Stuxnet than the target 
itself. What we do know is that whoever was behind it has good 
knowledge of ICS systems, particularly those systems that were 
targeted. Without better knowledge of the persons behind these 
attacks, it is nearly impossible to say with any certainty who 
was ultimately responsible and what were the possible motives 
behind the attack. The combination of sophisticated attacker 
and their target means that any speculation as to who was 
behind that is just that: Speculation.
    Symantec believes that education and awareness is a key 
component to securing critical systems from cyber attack. From 
the classroom to the boardroom, from the management level to 
the security professional, education is needed to ensure 
security is part of an organization's ethos. Good security 
requires secure software and well-designed and maintained 
networks. In other words, security needs to be baked in from 
the outset, and part of this is ensuring that all of those 
involved continuously maintain their skill sets in what is 
arguably a fast-changing environment.
    The question being asked now of security professionals 
associated with U.S. critical infrastructure is what we should 
be doing in response to this particular discovery.
    The first obvious measures to protecting these types of 
systems from Stuxnet and similar threats is to deploy up-to-
date anti-malware solutions. Unfortunately, many industrial 
control systems today still need to be modernized in order to 
be able to do just that.
    The second most important element is to watch for vendor 
security notifications and alerts and apply patches as soon as 
possible.
    Last, but certainly not least, is know your assets, 
identify your perimeter of security operations, and maintain a 
high level of situational awareness to ensure you are aware of 
and can respond to these types of incidents in a timely manner.
    Keeping in mind that over 85 percent of the U.S. critical 
infrastructure is owned and/or operated by the private sector, 
Symantec commissioned a recent study on critical infrastructure 
protection. Our goal here was to find out how aware critical 
infrastructure companies were of government efforts in this 
area and to determine how engaged business was about working 
government. And we came up with four key findings from that 
particular survey.
    One, critical infrastructure providers are increasingly 
attacked.
    Two, attacks on critical infrastructure are effective and 
costly.
    Three, industry wants to partner with government on 
critical infrastructure protection.
    And finally, fourth, critical infrastructure providers feel 
more readiness is needed to counter these types of attacks.
    Most telling was that respondents cited security training, 
awareness by executive management of serious threats, endpoint 
security measures, security response, and security audits as 
the major safeguard areas in need of the most improvement.
    Since most of the Nation's cyber infrastructure is not 
government owned, a public-private partnership of government 
and private stakeholders is required to secure the Internet and 
ICS systems. Cooperation is needed now more than ever, given 
that industrial control systems face an ever-increasing risk 
due to cyber threats such as Stuxnet.
    Toward that end, Symantec commends the Department of 
Homeland Security for their engagement with the private sector 
on critical infrastructure protection. DHS has been a valuable 
partner to Symantec and others in the private sector, through 
the Sector Coordinating Councils as well as the IT Information 
Sharing and Analysis Center.
    Symantec has provided input to DHS on the Comprehensive 
National Cyber Initiative projects, and we have been engaged 
with the Department on the National Cyber Incident Response 
Plan. Additionally, we participated in the National Cyber 
Exercise, Cyber Storm III, which demonstrated the value of 
operational incident collaboration across the public and 
private sectors. Further, we have held several briefings with 
DHS to share our expertise on Stuxnet and how critical 
infrastructures can better secure their systems against these 
threats. We look forward to continuing to partner with DHS and 
other agencies on the many issues and preparedness activities 
related to the Nation's critical infrastructure protection.
    Stuxnet demonstrates the importance of public-private 
information-sharing partnerships across the entire critical 
infrastructure community. While DHS has made strides to partner 
with control system vendors through its ICS-CERT, it should 
build on its 2009 ``Strategy for Securing Control Systems'' and 
enhance its control systems partnerships by including the IT 
and IT security communities, who have traditionally worked with 
the DHS U.S. Computer Emergency Readiness Team (US-CERT). 
Cross-collaboration within DHS is the key to improved 
situational awareness and operational response, and DHS should 
continue its efforts to integrate these functions.
    Until there is greater coordination between IT and IT 
security vendors and the industrial control systems owners and 
operators, there is an increased risk that multiple 
organizations will conduct duplicative work and miss 
opportunities to learn from and collectively respond to 
threats. We recommend that DHS further enhance information 
sharing on control systems vulnerabilities with the IT and IT 
security communities and continue to work on integrating its 
information-sharing capabilities to improve situational 
awareness and operational response partnerships with industry.
    In closing, Symantec would like to convey our strong 
support for the Protecting Cyberspace as a National Asset Act. 
We believe that this important legislation will enhance and 
modernize the Nation's overall cyber security posture in order 
to safeguard the critical infrastructure from attack. The bill 
also importantly recognizes cyber security as a shared 
government and private sector responsibility, one which 
requires a coordinated strategy to detect, report, and mitigate 
cyber incidents. We look forward to working with the Committee 
to help advance this important legislation.
    Thank you for the opportunity to testify today. We remain 
committed to continuing to work in coordination with Congress, 
the administration, and our private sector partners to secure 
our Nation's critical infrastructure from cyber attack. And I 
will be happy to respond to any questions the Committee may 
have.
    Chairman Lieberman. Thanks very much, Mr. Turner. Thanks 
for your specific explicit endorsement of the legislation, 
which Senator Collins and I introduced and which the Committee 
reported out unanimously, obviously across party lines, and 
really thank you for the fact that your entire statement was 
really an explanation, in a sense a call to action for us to 
pass such legislation and to create a public-private alliance 
here to protect our country from this very serious threat.
    Mark Gandy is our last witness. He is the Global Manager of 
Information Technology Security and Information Asset 
Management at the Dow Corning Corporation. Thank you for being 
here.

  TESTIMONY OF MARK W. GANDY,\1\ GLOBAL MANAGER, INFORMATION 
   TECHNOLOGY SECURITY AND INFORMATION ASSET MANAGEMENT, DOW 
                      CORNING CORPORATION

    Mr. Gandy. Thank you. Good morning, Chairman Lieberman, 
Ranking Member Collins, and Members of the Senate Homeland 
Security Committee. My name is Mark Gandy, and I am the Global 
Manager of Cybersecurity for the Dow Corning Corporation. I am 
also Chairman of the American Chemistry Council's Cybersecurity 
Steering Committee.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Gandy appears in the Appendix on 
page 165.
---------------------------------------------------------------------------
    To begin, I would like to thank the Committee for holding 
this important hearing today on the critical issue of cyber 
security. While I realize this is not a legislative hearing, I 
would like to commend your efforts in crafting bipartisan 
legislation during this Congress that effectively balances the 
need for increased vigilance through the promotion of a risk-
based framework whereby the critical infrastructure sectors can 
appropriately address their cyber threats.
    The American Chemistry Council (ACC) and its members stand 
ready to support a continued momentum on this issue as we 
proceed into the next Congress. Today I will be making comments 
or statements on behalf of the American Chemistry Council.
    The ACC represents the leading chemical companies in the 
United States. The business of chemistry is a critical aspect 
of our Nation's economy, employing more than 800,000 Americans 
and producing more than 19 percent of the world's chemical 
products. In fact, more than 96 percent of all manufactured 
goods are directly touched by the business of chemistry.
    Cyber security is a top priority for ACC and the chemical 
sector. Because of our critical role in the economy and our 
commitments to our communities, security is a top priority for 
ACC members.
    In 2001, our members voluntarily adopted an aggressive 
security program--the Responsible Care Security Code (RCSC)--
which is mandatory for all members of the ACC. The RCSC is a 
comprehensive security management program that addresses both 
physical and cyber security and requires a comprehensive 
assessment of security vulnerabilities and risks and to 
implement protective measures across a company's entire value 
chain. Each company's security plan is then reviewed by an 
independent third-party auditor. The RCSC has been a model for 
State-level chemical security regulatory programs in New 
Jersey, New York, and Maryland and was deemed equivalent to the 
U.S. Coast Guard's Maritime Transportation Security Act.
    Public-private partnerships are vital to winning the war on 
cyber terrorism. The ACC and its members have been proactively 
engaged with the former and current administrations on 
improving cyber security. In June 2002, ACC members began 
implementation of the Chemical Sector Cybersecurity Strategy, 
which was referenced by the Bush Administration's National 
Strategy to Secure Cyber Space of 2003. ACC participated in the 
White House 60-day cyber policy review, and our cyber experts 
work closely with the DHS National Cybersecurity Division in 
many areas, including national Cyber Storm exercises, 
information-sharing programs, and development and 
implementation of the road map to securing control systems in 
the chemical sector.
    ACC was gratified that in 2009 the Obama Administration 
made cyber security a top priority. A 2009 program update can 
be found on the Obama Administration's Web site, ``Making 
Strides to Improve Cybersecurity in the Chemical Sector.''
    Since 2001, ACC members have invested more than $8 billion 
in your enhancements, including both physical and cyber 
security protections. Security in all its dimensions continues 
to be a top priority for ACC and the chemical industry, and our 
record of accomplishment and cooperation with Congress, DHS, 
and others is undisputed.
    Considering the industry's perspective on the increased 
threat, we have seen the threat landscape evolve from 
relatively unorganized, unsophisticated exploits of virus and 
worm activity with a notoriety objective--making a name for the 
hacker--to increasingly more sophisticated and economically 
disruptive attacks to network computing into today's relatively 
sophisticated and stealthy threats that target intellectual 
property for economic gain and are potentially disruptive to 
operational stability of critical infrastructure.
    However, while the threat landscape is evolving in 
sophistication and intent, many vulnerabilities exploited 
remain relatively unsophisticated, whereby well-known counter 
measures are possible. Cyber threats to control systems are 
evolving in complexity and sophistication as well-funded and 
highly motivated groups become more active. Specifically, 
Stuxnet is more advanced with respect to a targeted control 
system attack by a knowledgeable subject matter expert using 
typical technology exploits of common vulnerabilities inherent 
in any system. Stuxnet demonstrates that threats to process 
control systems are real and need to be a significant part of 
the cyber security risk management equation.
    The industry recognizes the vulnerabilities of industrial 
control systems as they have increasingly become enterprise 
network connected. The threat is serious and the industry is 
responding by increased preparation and response planning with 
significant resources.
    In response to the evolving threat landscape and the 
relatively commonly avoidable exploits, the industry is working 
proactively to improve information sharing among the industry 
and with government about threats, working with technology 
suppliers and the U.S. Government to enhance the robustness of 
control systems through the development of international 
standards for improved security of control systems, and 
developing and publishing risk management best practices and 
security guidance that help owner-operators better prepare and 
respond to cyber threats such as Stuxnet.
    The industry approach is a comprehensive risk management 
strategy that includes proactive steps through ACC and the U.S. 
Government, emphasizing the importance of effectiveness threat 
and best practice information sharing and robust technology 
solutions. Our sector is also leading the development of 
comprehensive international standards by the International 
Society for Automation. These standards will lead to the 
development of control systems that are more resilient to cyber 
attacks.
    ACC and its members are also actively engaged in the road 
map to secure control systems in the chemical sector along with 
our active partnerships with DHS and the Chemical Sector 
Coordinating Council. These and other activities make up a 
coordinated comprehensive sector program that was significantly 
informed through participation in exercises such as the 
recently completed Cyber Storm III.
    In summary, the ACC and its members remain committed to 
advancing cyber security practices and systems in the chemical 
industry by working in partnership with Congress, DHS, 
technology organizations, and developers. Working with the 
chemical sector at large, we are improving how we share 
information and striving for continuous improvement of critical 
control systems that are protected from the loss of critical 
function during a major cyber event.
    The Federal Government plays a crucial role in helping the 
sector to achieve this goal by creating and supporting programs 
and incentives that promote advances in new technologies and 
standards and upgrading of legacy systems across the sector.
    Sharing of timely and actionable threat information with 
the private sector and working together on risk-based solutions 
that focus on the resiliency of control systems should be an 
area of heightened attention and focus to mitigate the evolving 
threats.
    And, last, identifying and holding accountable those who 
attack our critical cyber infrastructure, whether it is for 
notoriety or for financial gain, must be a priority.
    That concludes my opening statement. We have submitted a 
written statement for the record. Thank you for this 
opportunity to present on behalf of the ACC, and I will be 
happy to take any questions that you have. Thank you.
    Chairman Lieberman. Thanks, Mr. Gandy. Encouraging to hear 
that private sector response to the growing threat, and your 
statement, along with others, will be entered into the record.
    I want to just formally welcome Senator Coons for the first 
time. He was sworn in 2 days ago as the new Senator from 
Delaware. There is a great tradition of Delaware Senators 
serving on this Committee. I know you bring extraordinary 
experience and ability, and we look forward to working with you 
on the Committee.
    Senator Coons. Thank you, Mr. Chairman.
    Senator Collins. Let me join the Chairman in also welcoming 
Senator Coons to our Committee. As he mentioned, I think there 
has been a Senator from Delaware on this Committee going back 
to Bill Roth's days for decades.
    Chairman Lieberman. Bill Roth, right.
    Senator Collins. And we are delighted to have you join us 
and hope it will be a permanent assignment. I know that is 
still up in the air. Thank you.
    Chairman Lieberman. Me, too. Thanks, Senator Collins.
    I think we will do 6-minute rounds here so we can try to 
give everybody an opportunity in case the vote actually goes 
off on time at 11 a.m.
    This has been excellent testimony, and what it reminds me 
of, obviously, as a lay person, if you will, here, is that 
cyberspace is a lot different from the normal space we occupy, 
even in terms of what we are describing as the threat. I think 
you, Mr. Turner, said something so interesting, which is we 
really do not know who the attacker was in the Stuxnet case. 
That I can understand because of all the difficulty. But what 
is fascinating is that--and I believe I understand this--we do 
not know what the target was either. But we know that there was 
a Stuxnet attack and that it is real.
    So, Mr. McGurk, maybe I will start with you on this to help 
our education because my understanding is--and I say this with 
pride--that the Department of Homeland Security's Industrial 
Control Systems Computer Emergency Response Team, which we call 
more simply ICS-CERT, played a critical role in unraveling 
Stuxnet. So help us understand a little more what this thing 
is, whose origin and destination we do not understand.
    Mr. McGurk. Yes, Senator. Thank you for that opportunity. 
As you had mentioned, the ICS-CERT took the initial focus of 
analyzing what the capabilities of Stuxnet were. In order to 
understand its code, we identified by reverse engineering the 
physical attributes of the code and how it actually exploited 
the information technology vulnerabilities. There were these 
undocumented capabilities in the operating system, which are 
often called ``zero day'' vulnerabilities. They are called 
``zero day'' because no one knows about them.
    In this particular case, this code utilized four zero day 
vulnerabilities to ensure that the malicious part that affects 
the industrial control system was delivered. So using a device 
such as the USB device, it actually migrated through the 
networks and then went into the physical process control 
environment. We were able to take the equipment at our 
laboratory out at Idaho National Labs and physically configure 
it with representatives from the vendor community themselves. 
The actual vendors of the products came out and helped 
configure the equipment, and then we actually allowed Stuxnet 
to go loose into the environment, if you will.
    Because it was written with such advanced cryptological and 
obfuscation technologies, Stuxnet actually used the equipment 
itself that it was attacking to encode itself. So we were able 
to actually give it that programmable logic controller that it 
was looking for because it focuses on a specific hardware and 
software combination, and actually it was able to dissect the 
code by accessing the programmable logic controller, and it 
started decrypting itself. That allowed us to speed our 
analysis along, and it did not take as much time to identify 
not how it was written but what it was capable of doing.
    Our focus was on developing and understanding its 
capabilities and then identifying those mitigation strategies. 
So our efforts allowed us to do that.
    Chairman Lieberman. So where was it found? I am thinking in 
conventional terms, but this thing that you analyzed, whose 
origin and destination was not clear, nonetheless had to exist 
somewhere so you could analyze it.
    Mr. McGurk. The first sample of code that we received was 
actually working in our partnership with various international 
CERTs. We received it from the German CERT, who in turn 
received it from the vendor themselves.
    Chairman Lieberman. The vendor was a Germany company?
    Mr. McGurk. It was a German company; yes, sir. So, 
subsequently, we were able to get a pure sample of the code 
that was in the wild, and that allowed us to conduct that 
reverse analysis.
    Chairman Lieberman. And the control system targeted here, 
as I think one of you said, was a control system that is 
usually used for the control of power plants? Is that right?
    Mr. McGurk. Essentially, these devices are ubiquitous. This 
particular vendor has a market share of about 7 percent here in 
the United States. There are other companies that have larger 
percentages. But these particular pieces of equipment are used 
in agriculture, manufacturing, power generation, water 
treatment, several sectors across the United States. Power 
generation and distribution is only one of those and not 
necessarily in this particular case the largest. Manufacturing 
is actually the larger infrastructure that uses these types of 
systems.
    Chairman Lieberman. In terms of the origin of it, although 
I understand we do not conclusively know, I presume--do we 
think that this was a Nation state actor and that there are a 
limited number of Nation states that have such advanced 
capability?
    Mr. McGurk. Nothing in the code really points to any 
specific sense of origin or where it was developed. Based on 
our analysis, we feel that it was probably developed over a set 
period of time. These individual blocks were put together by a 
team or a series of teams working in concert, because there are 
indicators that it was strung together in such a fashion. But 
we have also identified with other types of malicious code and 
botnets where they actually generate $30 million a month in 
revenue from operating as various botnets. So when you have 
that capability from a criminal intent standpoint, you have 
resources to be able to buy this type of capability.
    Chairman Lieberman. There has been some speculation in the 
media that the target here might have been the nuclear power 
systems within Iran. In fact, at one point--perhaps unrelated 
to Stuxnet--an Iranian official complained about the fact that 
their nuclear program was under cyber attack, not linking these 
two. What would you say in response to that?
    Mr. McGurk. Again, sir, attribution and intent are the 
fields for other departments and agencies. We are focusing 
primarily on capability. But I would also like to also 
acknowledge Mr. Turner's comments that there would be an 
incredible amount of knowledge necessary to be able to identify 
specifically what the target was, and there are no indicators 
in the code. We understand what it is capable of doing.
    Chairman Lieberman. Right.
    Mr. McGurk. But to specifically say it was designed to 
target a particular facility is very difficult for anyone to 
say with any assurance.
    Chairman Lieberman. Thank you. My time is up. Senator 
Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Mr. Turner reminded all of us that 85 percent of critical 
infrastructure is in the private sector, and that is why the 
bill that the Chairman and I drafted focuses on public-private 
partnerships and information sharing that is absolutely 
critical. I would like to ask each of you to comment on two 
issues related to that.
    First, how vulnerable is our Nation's critical 
infrastructure to cyber threats like Stuxnet? And then, second, 
how would you characterize the level of preparedness in the 
private sector to deal with a threat of this sophistication?
    We will start with you, Mr. McGurk, and just go down the 
table. Thank you.
    Mr. McGurk. Thank you, Senator. As far as how vulnerable, I 
think the issue was made clear earlier in many of the 
testimonies before the Committee that the advent and adoption 
of commercial off-the-shelf technology into a critical process 
environment has now opened each of those former legacy-based 
systems to the same types of vulnerabilities we have in 
information technology today. By connecting these systems and, 
if you will, systems of systems together, we have actually 
increased the risk profile associated with those networks and 
operating those networks.
    The private sector has been working diligently to identify 
those mitigation strategies and those steps as they integrate 
that technology. The Department has been working in our 
private-public partnership capacity to provide the services and 
the expertise that we have to help identify those processes in 
securing the critical infrastructure.
    It is an uphill battle, and when we see something like 
Stuxnet come into play that significantly alters the landscape, 
we need to reassess and re-evaluate our mitigation plans so 
that we can identify new methods of increasing that security, 
and the private sector working with the Department has been 
focusing on that for quite some time now.
    Senator Collins. Thank you. Mr. Assante.
    Mr. Assante. I think it is important to note that in my 
time at NERC and working with the industry, there were lots of 
incidents where we had non-directed and not very structured 
cyber threats that impacted or found their ways onto control 
systems. That was very concerning because it was not by design. 
It found its way because technology is very cross-cutting. That 
indicates to me that we are not only very susceptible, but not 
very well prepared since we had architectures that allowed for 
that to happen.
    When you look at the Stuxnet worm, you are talking about a 
very well resourced and very structured cyber adversary with 
advance planning capability. In that sense, I believe we are 
extremely susceptible. In fact, I believe our susceptibility 
grows every day. If you just look at the very trends within the 
technologies that we deploy, we are doing things that would 
allow an attacker more freedom of action within these 
environments.
    As an example, we are converging safety systems with 
control systems at the network layer. It is a very dangerous 
combination because you allow somebody to get free access to 
both the system that is designed to make sure a process stays 
safe and the system that controls what a process does. Those 
types of trends that our manufacturers, vendors, and even our 
asset owners have called for because there is great business 
efficiencies to do are very dangerous and troublesome. So I 
believe we are becoming more susceptible to these types of 
attacks every day.
    Senator Collins. Thank you. Mr. Turner.
    Mr. Turner. Senator Collins, I concur with Mr. McGurk and 
Mr. Assante, to the level of complexity in the issues that we 
are facing today. In my role within Symantec, I spent a good 
deal of time looking at vulnerabilities and talking about 
numbers and trends and threats and all the rest of it. And I 
think what I would like to do is maybe illustrate using Stuxnet 
just exactly where we stand.
    As of early last week, we saw approximately 44,000 unique 
Stuxnet infections worldwide. Now, that may not sound like a 
big number, but when we are talking about a highly 
sophisticated threat that requires an awful lot of knowledge 
and skills and people to pull together, that is a big number.
    In terms of the United States, we have seen a little over 
1,600 unique Stuxnet infections, 50 of which we have identified 
as having the WinCC/Step7 Stuxnet--the software that Stuxnet 
trojans installed. Sixty percent of the global infections of 
Stuxnet are in Iran. And we can talk about speculation and all 
those other things about where the evidence points, but the 
point here is that even if something like this is tied to one 
particular country or group of countries, the ability for these 
types of threats to have a global reach is enormous. We have 
gone from the days, in 2004, where we saw a little over 260,000 
new threats to where we saw 2.9 million last year. 
Vulnerabilities in software and hardware have become, 
unfortunately, in some ways a cost of doing business. There is 
an awful lot of issues here.
    Our level of preparedness, I think, is to some degree, 
certainly in the private sector, better than it ever has been, 
but still has a long way to go. It is a cliche, but 
unfortunately, we do not know what we do not know. And when we 
start talking about industrial control systems and some of the 
other things where the partnership is not quite as developed as 
it should be, it is a little more difficult to answer.
    So how vulnerable are the industrial control systems and 
supervisory control and data acquisition (SCADA) systems within 
the United States or anywhere else? That is a difficult 
question to answer until we know exactly the scope of the 
problem and how many vulnerabilities there are.
    Senator Collins. Thank you. Mr. Gandy.
    Mr. Gandy. Regarding the vulnerability question, the 
chemical sector understands this evolving threat, has been 
working proactively to ensure the resiliency of our control 
systems from both the physical and cyber approach through a 
risk-based framework that identifies these vulnerabilities and 
then works on implementing appropriate mitigating controls. As 
mentioned, the Responsible Care Security Code, the road map to 
securing control systems in the chemical sector, ongoing 
Chemical Facility Anti-Terrorism Standards (CFATS) compliance 
work, are all working to comprehensively provide a framework of 
assessment, design, engineering, implementation, and monitoring 
for these kinds of vulnerabilities.
    The level of preparedness in the sector, the ACC and its 
members have been working for years across the sector to 
prepare and share information about these issues, both from an 
industry peer-to-peer sharing and sharing with technology 
suppliers and DHS and national cyber information-sharing 
exercises. We continue to comprehensively improve control 
system security in the chemical sector.
    The road map to security in the control system in the 
chemical sector is further driving the resiliency of control 
systems through preparedness and awareness.
    Senator Collins. Thank you.
    Chairman Lieberman. Thanks, Senator Collins. Senator Coons.

               OPENING STATEMENT OF SENATOR COONS

    Senator Coons. Thank you, Mr. Chairman, for holding these 
interesting and important hearings.
    If I might, Mr. Gandy, I just want to commend the ACC for 
its model private sector initiative.
    For the whole panel, one of the things that made Stuxnet, I 
think, particularly concerning is its ability to both 
infiltrate and then exfiltrate data that are operational in 
nature and would allow an unknown observer to then map an 
industrial process. What sort of risks does this pose for trade 
secrets in the event that we have foreign nations who are 
competitors to this country interested in using this kind of 
capability to learn about detailed operational configuration of 
our manufacturing processes, our power grid, our chemical 
processes in a way that would allow them to then mimic them, 
map them, and expand them, or make them strong?
    So I would be interested, if I could, in brief answers from 
all the members of the panel to two questions. Does Stuxnet 
signal not just a risk in terms of infrastructure but also 
intellectual property and the potential loss of American trade 
secrets? And then, second, what could we be doing to strengthen 
the public-private partnership on both fronts, both the 
intellectual property and the operational control of critical 
infrastructure? If we could start with Mr. McGurk. Thank you.
    Mr. McGurk. Thank you, Senator. To answer the question 
succinctly, yes, it does demonstrate the very unique capability 
of exfiltrating or removing that data associated with critical 
process development. In addition, it has an advanced capability 
that we have seen demonstrated where it can actually remove the 
historical files associated with the process. That is a key 
element because it actually goes into development and 
refinement of your process, so I know not only what you are 
currently producing but what you have produced in the past and 
what changes you have made to refine that process. So, 
subsequently, from an intellectual property standpoint, it 
poses a very great risk.
    In order to strengthen that partnership, I think we are all 
discussing the very same topic of awareness and understanding 
and putting those mechanisms in place, whether it is through 
education, certification, or through information sharing, and 
actually collaborative development of information in order to 
address risks such as Stuxnet. Thank you, sir.
    Senator Coons. Thank you.
    Mr. Assante. I think the Stuxnet worm was very 
sophisticated and capable and that not only did it allow you to 
maintain a foothold in the environment that you compromise, 
which is what the attacker wants to do, through the exportation 
of information it allows them to conduct discovery. Discovery 
is a very important element to being able to plan follow-on 
attacks, if that is what the author would so choose to do. And 
so whether discovery is by pulling out information that has 
value or that has information that would support future 
planning processes or the ability to just recognize how you 
maintain a sustained foothold, that is a very significant issue 
for the industrial control system world, and certainly we have 
seen that play out in threats across financial services, 
defense industrial base, and other key sectors of our economy 
where we have trade secrets or proprietary information that is 
important to our economic stability.
    I do not want to gloss over the idea that the Stuxnet worm 
was so sophisticated that it was capable of acting 
autonomously. So whether they lost that communication link, 
that piece of code had quite a bit of intelligence to be able 
to act. So I think the concept of follow-on attack is 
important.
    I believe from the public-private partnership perspective, 
I have seen great progress. I have been involved in it over the 
years. I do believe that the proposed legislation that this 
Committee is looking at which be a significant step forward to 
further ingraining how we should go about what I think is a 
more productive partnership. I think that we need to not only 
hold the asset owner responsible for the management of risk as 
it relates to the systems that they manage, but also the 
technology providers. We will constantly be trying to be very 
reactive if we do not get the technology providers to take a 
serious part in being able to program these systems more 
securely, to help design the architectures, they will be better 
suited to deal with these types of advanced threats.
    Mr. Turner. Senator Coons, echoing the comments by Mr. 
Assante and Mr. McGurk, the short answer is yes, absolutely it 
is a risk. Ninety to 95 percent of all the threats we see today 
are risks to personally identifiable information. The fact that 
this is wrapped up into a threat that targets critical 
infrastructure is just as important as any other one, and more 
so in many ways.
    We know, for example, that there was the capability before 
the sink holes--the command-and-control (CnC) servers were 
taken over by Symantec--that this particular code had the 
ability to actually install a back door on those systems. So 
the systems that we did not know about between June 2009 and 
where we are today in 2010 could still be exfiltrating data. We 
know that part of the threat's purpose was to steal the design 
documents of the ICS systems. That particular information could 
still be leaked.
    We do need to take this seriously because it is all about 
information--the secondary component, of course, being what 
could you do not only with that information, but more 
importantly changing the frequency control that drives 
themselves and all the other things that could take place.
    I think in terms of what do we need to do to strengthen our 
partnerships, there is a fair amount of activity taking place 
in back channels where security experts are discussing the 
issues and the threats amongst themselves and also coordination 
among the organizations. Organizations like TechAmerica have 
undertaken industry working groups where we get together and we 
discuss better ways to share information, not only between 
ourselves but between government and the rest. And I think that 
is also a very important step forward, in addition to, 
obviously, the legislation that is proposed by the Committee.
    Senator Coons. Thank you.
    Mr. Gandy. Senator Coons, yes, we believe, the industry 
believes that intellectual property is a target of these 
malware writers. The intentions of Stuxnet, aside, we believe 
malware will be on our enterprise business networks and on our 
process control networks that will attempt to comprehensively 
steal our intellectual property, reverse engineering our 
processes, and stealing other sensitive business information.
    Regarding what can we be doing more from a public-private 
partnership, we continue to believe that continued working 
groups, such as the Industrial Control Systems Joint Working 
Group, are essential to the government, industry, and the 
suppliers working together to work on the resiliencies of 
control system security. We also continue to encourage 
participation in national exercises such as the Cyber Storms so 
that we can continue to work on information sharing, continue 
to practice information sharing, identify road blocks, improve 
the efficiency, effectiveness, and timeliness of the 
information that is shared.
    Senator Coons. Thank you very much to the panel, and thank 
you, Mr. Chairman, for the opportunity to ask questions.
    Chairman Lieberman. Thank you, Senator. I appreciate it.
    The votes have gone off. I think rather than holding you 
here and coming back, I will try to ask a few more questions 
and see if I can hustle over before the votes are done.
    I want to get clear--I think it was you, Mr. Turner, who 
said that 60 percent of computers infected with Stuxnet are in 
Iran.
    Mr. Turner. That is correct. Sixty percent of the 
infections that we have observed worldwide are coming from 
Internet Protocol (IP) addresses of machines identified as 
being in Iran.
    Chairman Lieberman. And have we identified any computers 
infected in the United States?
    Mr. Turner. We have.
    Chairman Lieberman. Just as a natural movement of the 
Stuxnet, or is it also a unique----
    Mr. Turner. Well, intent is one of the hardest things to 
determine, Mr. Chairman. This particular threat and the way it 
first propagated was via a USB device, taking advantage of a 
particular vulnerability in Microsoft, something known as 
``.lnk.'' So in order for something like that to propagate to 
get over to the United States, a USB drive would have to get on 
a plane. But that does not mean, of course, that the particular 
code could not be transferred from one person to another.
    Chairman Lieberman. Right.
    Mr. Turner. We think that most of the infections we see 
worldwide are anecdotal and antecedent to the originals.
    Chairman Lieberman. They have fed off the original.
    Mr. Turner. Correct.
    Chairman Lieberman. Understood. Mr. McGurk, we have heard 
you discuss the resources that DHS can provide for the private 
sector in this regard. These are resources that the private 
sector can choose to utilize or choose to ignore, correct?
    Mr. McGurk. Yes, that is correct, Senator. We only respond 
when requested by the private sector. We have no authorities to 
actually direct that activity.
    Chairman Lieberman. Right. So my question naturally is--and 
I would ask the others as well quickly--whether you believe 
that we can increase cyber security of our country's most 
critical infrastructure through voluntary measures alone. Or 
does the Department of Homeland Security in this case need some 
enhanced authority? Obviously, to state underneath that the 
whole premise of this hearing today and the focus on Stuxnet is 
both to educate the Committee, but also to say to us as the 
Homeland Security Committee, if this can be done to somebody 
else, obviously it now can be done to us, so we better raise 
our guard.
    So let me come back to the question. Can we do what we have 
to do by voluntary measures? Or does DHS need some kind of 
enhanced authority? Mr. McGurk.
    Mr. McGurk. Again, Senator, I appreciate the opportunity to 
reply to that. I am a simple sailor, 28 years in the Navy. I am 
used to executing and operating my orders under the authorities 
that are granted to me. The Department has policy 
decisionmakers in place that actually identify those 
requirements. My focus is on managing and leading the 
operational environment that I am entrusted with at the 
Department. And given those responsibilities, we have been 
operating within those guidelines. And for the most part, we 
have not been as successful as we could potentially be, but we 
are as successful as we can be within those guidelines.
    Chairman Lieberman. So you would accept enhanced authority 
if we gave it to you, but you are not appealing for it right 
now? [Laughter.]
    Mr. McGurk. Sir, I feel confident that I am still able to 
execute the current mission given the requirements.
    Chairman Lieberman. Mr. Assante.
    Mr. Assante. Well, as a fellow Navy shipmate, Mr. McGurk, I 
believe that DHS and the U.S. Government would benefit from 
additional authorities in this area. I believe it is critical 
that organizations cannot suffer in silence. If an advanced 
threat is on our shores impacting our systems, that should be a 
required thing to report. We should be able to muster the 
effective resources that we have, whether it is in government 
or within industry, to be able to tackle those and very rapidly 
share information so we can protect our systems. I think 
advance authority would allow us to do so.
    I believe participating in regulation in the electric power 
industry, you get to be very smart in how you design the 
regulation and the legislation. Performance requirements are 
very important in my book. I think there are some unsafe 
practices that we continue to use that we need to ensure that 
they are curtailed. And I think that we need to maximize our 
ability to learn and still be able to innovate. So I think 
authority is necessary.
    Chairman Lieberman. Thank you.
    Mr. Turner, my time is running out, but see if you can give 
a quick answer, the same to Mr. Gandy.
    Mr. Turner. I think that more time and effort needs to be 
spent in shoring up the current channels of communication 
between all parties involved in the discussion. There are, of 
course, very tricky legal and ethical issues around certain 
types of data that might be personally identifiable information 
(PII) and the rest of it, because it is not just data that 
occurs in the United States of America but data that occurs 
elsewhere in the world.
    Chairman Lieberman. Right.
    Mr. Turner. And if the goal is to get as much information 
as possible into the hands of the people who can do the most to 
take care of the issue, the best way to do that is to actually 
strengthen the channels of communication that currently exist.
    Chairman Lieberman. Mr. Gandy, the chemical industry, as 
you well know, is actually subject now under other legislation 
to risk-based performance requirements similar to those 
contemplated in our legislation. What do you think?
    Mr. Gandy. That is correct. My response would be that I 
believe there is evidence that the industry is already working 
voluntarily, very productively, and the CFATS work that is 
ongoing right now where DHS is out reviewing the registered 
most critical sites of the critical infrastructure in the 
chemical sector against those risk-based performance standards 
will help us continue to improve our security posture in the 
face of this threat.
    Chairman Lieberman. Thank you. We have covered a lot more 
ground, I might say, in this period of time than the Committee 
usually does, and it is because not only we were rushed, but 
because of the quality of the witnesses. I cannot thank you 
enough.
    I want to restate that this Committee is going to make our 
cyber security legislation or legislation like it a priority 
early in the next session, beginning in January.
    We are going to keep the record of this hearing open for 15 
days for additional questions and statements, but I thank you 
very much for what you have done today and for the work you are 
doing to protect our country every day.
    The hearing is adjourned.
    [Whereupon, at 11:22 a.m., the Committee was adjourned.]
                            A P P E N D I X

                              ----------                              

[GRAPHIC] [TIFF OMITTED] 58034.001

[GRAPHIC] [TIFF OMITTED] 58034.002

[GRAPHIC] [TIFF OMITTED] 58034.003

[GRAPHIC] [TIFF OMITTED] 58034.004

[GRAPHIC] [TIFF OMITTED] 58034.005

[GRAPHIC] [TIFF OMITTED] 58034.006

[GRAPHIC] [TIFF OMITTED] 58034.007

[GRAPHIC] [TIFF OMITTED] 58034.008

[GRAPHIC] [TIFF OMITTED] 58034.009

[GRAPHIC] [TIFF OMITTED] 58034.010

[GRAPHIC] [TIFF OMITTED] 58034.011

[GRAPHIC] [TIFF OMITTED] 58034.012

[GRAPHIC] [TIFF OMITTED] 58034.013

[GRAPHIC] [TIFF OMITTED] 58034.014

[GRAPHIC] [TIFF OMITTED] 58034.015

[GRAPHIC] [TIFF OMITTED] 58034.016

[GRAPHIC] [TIFF OMITTED] 58034.017

[GRAPHIC] [TIFF OMITTED] 58034.018

[GRAPHIC] [TIFF OMITTED] 58034.019

[GRAPHIC] [TIFF OMITTED] 58034.020

[GRAPHIC] [TIFF OMITTED] 58034.021

[GRAPHIC] [TIFF OMITTED] 58034.022

[GRAPHIC] [TIFF OMITTED] 58034.023

[GRAPHIC] [TIFF OMITTED] 58034.024

[GRAPHIC] [TIFF OMITTED] 58034.025

[GRAPHIC] [TIFF OMITTED] 58034.026

[GRAPHIC] [TIFF OMITTED] 58034.027

[GRAPHIC] [TIFF OMITTED] 58034.028

[GRAPHIC] [TIFF OMITTED] 58034.029

[GRAPHIC] [TIFF OMITTED] 58034.030

[GRAPHIC] [TIFF OMITTED] 58034.031

[GRAPHIC] [TIFF OMITTED] 58034.032

[GRAPHIC] [TIFF OMITTED] 58034.033

[GRAPHIC] [TIFF OMITTED] 58034.034

[GRAPHIC] [TIFF OMITTED] 58034.035

[GRAPHIC] [TIFF OMITTED] 58034.036

[GRAPHIC] [TIFF OMITTED] 58034.037

[GRAPHIC] [TIFF OMITTED] 58034.038

[GRAPHIC] [TIFF OMITTED] 58034.039

[GRAPHIC] [TIFF OMITTED] 58034.040

[GRAPHIC] [TIFF OMITTED] 58034.041

[GRAPHIC] [TIFF OMITTED] 58034.042

[GRAPHIC] [TIFF OMITTED] 58034.043

[GRAPHIC] [TIFF OMITTED] 58034.044

[GRAPHIC] [TIFF OMITTED] 58034.045

[GRAPHIC] [TIFF OMITTED] 58034.046

[GRAPHIC] [TIFF OMITTED] 58034.047

[GRAPHIC] [TIFF OMITTED] 58034.048

[GRAPHIC] [TIFF OMITTED] 58034.049

[GRAPHIC] [TIFF OMITTED] 58034.050

[GRAPHIC] [TIFF OMITTED] 58034.051

[GRAPHIC] [TIFF OMITTED] 58034.052

[GRAPHIC] [TIFF OMITTED] 58034.053

[GRAPHIC] [TIFF OMITTED] 58034.054

[GRAPHIC] [TIFF OMITTED] 58034.055

[GRAPHIC] [TIFF OMITTED] 58034.056

[GRAPHIC] [TIFF OMITTED] 58034.057

[GRAPHIC] [TIFF OMITTED] 58034.058

[GRAPHIC] [TIFF OMITTED] 58034.059

[GRAPHIC] [TIFF OMITTED] 58034.060

[GRAPHIC] [TIFF OMITTED] 58034.061

[GRAPHIC] [TIFF OMITTED] 58034.062

[GRAPHIC] [TIFF OMITTED] 58034.063

[GRAPHIC] [TIFF OMITTED] 58034.064

[GRAPHIC] [TIFF OMITTED] 58034.065

[GRAPHIC] [TIFF OMITTED] 58034.066

[GRAPHIC] [TIFF OMITTED] 58034.067

[GRAPHIC] [TIFF OMITTED] 58034.068

[GRAPHIC] [TIFF OMITTED] 58034.069

[GRAPHIC] [TIFF OMITTED] 58034.070

[GRAPHIC] [TIFF OMITTED] 58034.071

[GRAPHIC] [TIFF OMITTED] 58034.072

[GRAPHIC] [TIFF OMITTED] 58034.073

[GRAPHIC] [TIFF OMITTED] 58034.074

[GRAPHIC] [TIFF OMITTED] 58034.075

[GRAPHIC] [TIFF OMITTED] 58034.076

[GRAPHIC] [TIFF OMITTED] 58034.077

[GRAPHIC] [TIFF OMITTED] 58034.078

[GRAPHIC] [TIFF OMITTED] 58034.079

[GRAPHIC] [TIFF OMITTED] 58034.080

[GRAPHIC] [TIFF OMITTED] 58034.081

[GRAPHIC] [TIFF OMITTED] 58034.082

[GRAPHIC] [TIFF OMITTED] 58034.083

[GRAPHIC] [TIFF OMITTED] 58034.084

[GRAPHIC] [TIFF OMITTED] 58034.085

[GRAPHIC] [TIFF OMITTED] 58034.086

[GRAPHIC] [TIFF OMITTED] 58034.087

[GRAPHIC] [TIFF OMITTED] 58034.088

[GRAPHIC] [TIFF OMITTED] 58034.089

[GRAPHIC] [TIFF OMITTED] 58034.090

[GRAPHIC] [TIFF OMITTED] 58034.091

[GRAPHIC] [TIFF OMITTED] 58034.092

[GRAPHIC] [TIFF OMITTED] 58034.093

[GRAPHIC] [TIFF OMITTED] 58034.094

[GRAPHIC] [TIFF OMITTED] 58034.095

[GRAPHIC] [TIFF OMITTED] 58034.096

[GRAPHIC] [TIFF OMITTED] 58034.097

[GRAPHIC] [TIFF OMITTED] 58034.098

[GRAPHIC] [TIFF OMITTED] 58034.099

[GRAPHIC] [TIFF OMITTED] 58034.100

[GRAPHIC] [TIFF OMITTED] 58034.101

[GRAPHIC] [TIFF OMITTED] 58034.102

[GRAPHIC] [TIFF OMITTED] 58034.103

[GRAPHIC] [TIFF OMITTED] 58034.104

[GRAPHIC] [TIFF OMITTED] 58034.105

[GRAPHIC] [TIFF OMITTED] 58034.106

[GRAPHIC] [TIFF OMITTED] 58034.107

[GRAPHIC] [TIFF OMITTED] 58034.108

[GRAPHIC] [TIFF OMITTED] 58034.109

[GRAPHIC] [TIFF OMITTED] 58034.110

[GRAPHIC] [TIFF OMITTED] 58034.111

[GRAPHIC] [TIFF OMITTED] 58034.114

[GRAPHIC] [TIFF OMITTED] 58034.112

[GRAPHIC] [TIFF OMITTED] 58034.113

                                 
