b"<html>\n<title> - CYBER SECURITY</title>\n<body><pre>[Senate Hearing 111-1103]\n[From the U.S. Government Publishing Office]\n\n\n\n                                                       S. Hrg. 111-1103\n \n                          CYBER SECURITY--2010\n\n=======================================================================\n\n\n                                HEARINGS\n\n                               before the\n\n                              COMMITTEE ON\n\n                         HOMELAND SECURITY AND\n\n                          GOVERNMENTAL AFFAIRS\n\n                          UNITED STATES SENATE\n\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JUNE 15, 2010\n PROTECTING CYBERSPACE AS A NATIONAL ASSET: COMPREHENSIVE LEGISLATION \n                          FOR THE 21ST CENTURY\n\n                               __________\n\n                           NOVEMBER 17, 2010\n         SECURING CRITICAL INFRASTRUCTURE IN THE AGE OF STUXNET\n\n                               __________\n\n        Available via the World Wide Web: http://www.fdsys.gov/\n\n       Printed for the use of the Committee on Homeland Security\n                        and Governmental Affairs\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n58-034                    WASHINGTON : 2011\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS\n\n               JOSEPH I. LIEBERMAN, Connecticut, Chairman\nCARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine\nDANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma\nTHOMAS R. 
CARPER, Delaware           SCOTT P. BROWN, Massachusetts\nMARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona\nMARY L. LANDRIEU, Louisiana          GEORGE V. VOINOVICH, Ohio\nCLAIRE McCASKILL, Missouri           JOHN ENSIGN, Nevada\nJON TESTER, Montana                  LINDSEY GRAHAM, South Carolina\nROLAND W. BURRIS, Illinois\nEDWARD E. KAUFMAN, Delaware *\nCHRISTOPHER A. COONS, Delaware *\n\n                  Michael L. Alexander, Staff Director\n         Deborah P. Parkinson, Senior Professional Staff Member\n              Adam R, Sedgewick, Professional Staff Member\n     Brandon L. Milhorn, Minority Staff Director and Chief Counsel\n   Robert L. Strayer, Minority Director of Homeland Security Affairs\n          Devin F. O'Brien, Minority Professional Staff Member\n                  Trina Driessnack Tyrer, Chief Clerk\n         Patricia R. Hogan, Publications Clerk and GPO Detailee\n                    Laura W. Kilbride, Hearing Clerk\n\n * Senator Coons replaced Senator Kaufman on the Committee on November \n                               15, 2010.\n\n                            C O N T E N T S\n\n                                 ------                                \nOpening statements:\n                                                                   Page\n    Senator Lieberman I60 1, 39..................................\n    Senator Collins I60 3, 40....................................\n    Senator Carper...............................................     5\n    Senator McCain...............................................    15\n    Senator Burris...............................................    17\n    Senator Coons................................................    59\nPrepared statements:\n    Senator Lieberman I60 65, 124................................\n    Senator Collins I60 67, 127..................................\n    Senator Carper...............................................    
70\n\n                               WITNESSES\n                         Tuesday, June 15, 2010\n\nPhilip Reitinger, Deputy Under Secretary, National Protection and \n  Programs Directorate, U.S. Department of Homeland Security.....     6\nFrances Fragos Townsend, Chairwoman of the Board, Intelligence \n  and National Security Alliance.................................    19\nAlan Paller, Director of Research, The SANS Institute............    22\nSteven T. Naumann, Vice President, Wholesale Market Development, \n  Exelon Corporation, on behalf of the Edison Electric Institute \n  and the Electric Power Supply Association......................    25\nSara C. Santarelli, Chief Network Security Officer, Verizon \n  Communications.................................................    27\n\n                      Wednesday, November 17, 2010\n\nSean McGurk, Acting Director, National Cybersecurity and \n  Communications Integration Center, Office of Cybersecurity and \n  Communications, U.S. Department of Homeland Security...........    41\nMichael J. Assante, President and Chief Executive Officer, \n  National Board of Information Security Examiners of the United \n  States Inc.....................................................    44\nDean Turner, Director, Global Intelligence Network, Symantec \n  Security Response, Symantec Corporation........................    48\nMark W. Gandy, Global Manager, Information Technology Security \n  and Information Asset Management, Dow Corning Corporation......    52\n\n                     Alphabetical List of Witnesses\n\nAssante, Michael J.:\n    Testimony....................................................    44\n    Prepared statement with an attachment........................   142\nGandy, Mark W.:\n    Testimony....................................................    52\n    Prepared statement...........................................   165\nMcGurk, Sean:\n    Testimony....................................................    
41\n    Prepared statement...........................................   129\nNaumann, Steven T.:\n    Testimony....................................................    25\n    Prepared statement...........................................   101\nPaller, Alan:\n    Testimony....................................................    22\n    Prepared statement...........................................    84\nReitinger, Philip:\n    Testimony....................................................     6\n    Prepared statement...........................................    72\nSantarelli, Sara C.:\n    Testimony....................................................    27\n    Prepared statement...........................................   109\nTownsend, Frances Fragos:\n    Testimony....................................................    19\n    Prepared statement...........................................    80\nTurner, Dean:\n    Testimony....................................................    48\n    Prepared statement...........................................   156\n\n                                APPENDIX\n\nStatement for the Record from Robert D. Jamison, Former Under \n  Secretary of Homeland Security for the National Protection and \n  Programs Directorate...........................................   116\nResponses to post-hearing questions submitted for the Record \n  from:\n    Mr. McGurk...................................................   170\n    Mr. Assante..................................................   173\n    Mr. Turner...................................................   176\n    Mr. Gandy....................................................   
177\n\n\n                  PROTECTING CYBERSPACE AS A NATIONAL\n\n\n\n                    ASSET: COMPREHENSIVE LEGISLATION\n\n\n\n                          FOR THE 21ST CENTURY\n\n                              ----------                              \n\n\n                         TUESDAY, JUNE 15, 2010\n\n                                     U.S. Senate,  \n                           Committee on Homeland Security  \n                                  and Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 2:59 p.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Joseph I. \nLieberman, Chairman of the Committee, presiding.\n    Present: Senators Lieberman, Carper, Pryor, Burris, \nCollins, and McCain.\n\n            OPENING STATEMENT OF CHAIRMAN LIEBERMAN\n\n    Chairman Lieberman. The hearing will come to order. Good \nafternoon and thanks for being here today. We are going to take \na look at legislation Senators Collins, Carper, and I \nintroduced last week, the Protecting Cyberspace as a National \nAsset Act. It provides a comprehensive framework to modernize, \nstrengthen, and coordinate our cyber defenses across civilian \nFederal networks and the networks of the most vital privately \nowned critical infrastructure, including some real basics of \nAmerican life: Our electric grid, financial systems, and our \ntelecommunications networks.\n    Today we are going to hear from the top cyber security \nofficial at the Department of Homeland Security (DHS), which, \nof course, has a critical role to play in protecting our cyber \nassets; and we are also going to hear from security and \nindustry experts. 
We have, in preparing this legislation, \nconsulted extensively with members of the Administration, \npeople in the private sector, and privacy groups as well.\n    In the 40 years since the Internet was created, it has \ndeveloped into a necessity of modern life, a source of \nremarkable information and entertainment and commerce. But as \nwe also have come to know, it is a target of constant attack \nand exploitation. We now have a responsibility to bring the \npublic and private sectors together to secure the Internet, \ncyberspace, and to secure it well. And we believe that our bill \nwould do just that.\n    The idea of cyber crime is not really totally new to the \nAmerican people. We all know about identity theft and about \nemails from a foreign prince, doctor, or government official \nwho desperately needs more money, needs to move it out of his \nor her country, and who will reward you richly--if only you \nwill give them your bank account number, which some people \nactually do.\n    Identity theft and financial fraud are serious matters. \nBut, of course, we need, and hope through this bill, to \nreorient our thinking about the risks inherent in the Internet \nand cyberspace because today we face much greater risks in \ncyberspace than crimes like identity theft. A sophisticated \nattacker could cripple most of our financial system, take down \na lot of the electric grid, or cause physical devastation equal \nto or greater than conventional warfare. The fact is that the \nthreat of cyber attack is among the most serious threats \nAmerica faces today.\n    President Obama I think has correctly described our \nsprawling government and private sector cyber networks as a \n``strategic national asset.'' But our efforts to secure those \nnetworks and that national asset have been disjointed, \nunderstaffed, and underfinanced. 
So what does our bill do?\n    First, we need leadership, we need focused and clear \nleadership, and our bill provides it in the form of a White \nHouse Office of Cyberspace Policy that would lead all Federal \nefforts to defend cyberspace--that is, civilian, defense, and \nprivate. The office would be led by a Senate-confirmed \ndirector, accountable to the public. We have previously asked, \nfor instance, White House cyber coordinator Howard Schmidt to \ntestify before this Committee, but we have always been turned \ndown, apparently on the grounds of executive privilege. Our \nlegislation would change that by requiring Senate confirmation \nand thereby making Mr. Schmidt or whoever holds that position \nsubject to the call of Congress and the public.\n    We also need a stronger agency to defend the dot-gov \nnetworks and oversee the defenses of our most critical \ninfrastructure. The Department of Homeland Security Inspector \nGeneral will issue a report tomorrow critical of many \noperational elements of the Department's cyber security effort, \nciting a lack of clear authority as one of the issues that \nneeds to be rectified. Our bill more than addresses these \nshortcomings by creating a National Center for Cybersecurity \nand Communications within the Department of Homeland Security \nwhich would have new, strong authorities to protect non-\ndefense, public sector, and private sector networks from cyber \nattack. 
DHS already has this responsibility through \nPresidential Directive but, in our opinion, insufficient \nauthority to carry it out.\n    The sound defense of our cyber networks will only be \nsuccessful if industry and government work together, so our \nbill will set up a collaborative process where the best ideas \nof the private sector and the government would be used to meet \na baseline set of security requirements that DHS would enforce \nfor the Nation's most critical infrastructure.\n    Thanks to some excellent work by our colleague, Senator \nCarper, our legislation reforms and updates the Federal \nInformation Security Management Act to require continuous \nmonitoring and protection of Federal networks, but do away with \nthe paper-based reporting system that takes up time agencies \nreally otherwise would be using and should be using to protect \ntheir networks.\n    Our legislation also would require the Federal Government \nto develop and implement a strategy to ensure that the almost \n$80 billion of information technology products and services \nthat the Federal Government purchases each year are secure and \ndo not provide our adversaries with a back door into our \nnetworks. And, of course, if the Federal Government uses that \n$80 billion of purchasing power to drive security add-ons and \ninnovations in information technology products, it will also be \navailable and presumably bought by the private sector.\n    Finally, we would give special authority to the President \nto act in the event of a catastrophic cyber attack that could \nseriously jeopardize public safety or have disastrous effects \non our economy or national security. In those instances, \nclearly defined in our legislation, the President could direct \nthe National Cybersecurity and Communications Center at DHS to \nimpose emergency measures on a select group of critical \ninfrastructure to preserve those assets and the networks they \nrely on and protect the American people. 
These emergency \nmeasures would automatically expire within 30 days unless the \nPresident ordered an extension. I know there has been some \nconcern and controversy about that provision, and we can speak \nto it, I hope, in the question-and-answer period. But it is \nlinked with a very important limitation on liability of private \nentities who take action in response to an order from the \ngovernment and might otherwise incur liability. But we protect \nthem from that because the action the government is ordering \nthem to take is in the national security or economic interest.\n    So freedom of expression and freedom to innovate are not \ninconsistent with greater security in cyberspace and that is \nexactly what we hope to combine and balance in this \nlegislation.\n    Senator Collins.\n\n              OPENING STATEMENT OF SENATOR COLLINS\n\n    Senator Collins. Thank you, Mr. Chairman.\n    Mr. Chairman, I have a very lengthy statement which I would \nrequest be inserted in the record in full.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator Collins appears in the \nAppendix on page 67.\n---------------------------------------------------------------------------\n    Chairman Lieberman. Without objection.\n    Senator Collins. And I will just summarize my comments.\n    As the Chairman has pointed out, cyberspace is under \nincreasing assault on all fronts. The cyber threat is real, and \nthe consequences of a major successful national cyber attack \ncould be devastating. As former Director of National \nIntelligence Michael McConnell warned in February, ``If we went \nto war today, in a cyber war, we would lose.''\n    We are already under fire. Just this past March, the \nSenate's Sergeant at Arms reported that the computer systems of \nCongress and Executive Branch agencies are now under cyber \nattack an average of 1.8 billion times a month. 
Cyber crime \nalready costs our national economy an estimated $8 billion per \nyear.\n    So it is clear that we must move forward now with an \naggressive and comprehensive approach to protect cyberspace as \na national asset. The vital legislation that we introduced last \nweek would do just that. It would fortify the government's \nefforts to safeguard America's cyber networks. And it would \npromote a true public/private partnership to work on national \ncyber security priorities.\n    For far too long, our approach to cyber security has been \ndisjointed and uncoordinated. This simply cannot continue. The \nstakes are too high.\n    Our bill, as the Chairman has pointed out, would establish \nan essential point of interagency policy coordination within \nthe White House. This would be the Office of Cyberspace Policy \nwhich would be run by a Senate-confirmed director who would \nadvise the President and who would develop a national cyber \nsecurity strategy.\n    Let me be clear. We are not talking about creating an \nunaccountable cyber czar. The Cyber Director would have defined \nresponsibilities and would be accountable to Congress as well \nas to the President. The Cyber Director would be an adviser, a \nstrategist, not an implementer.\n    That responsibility, for Federal civilian systems and for \nthe private sector critical infrastructure, would fall to a \nstrong operational and tactical partner at the Department of \nHomeland Security through a newly created National Center for \nCybersecurity and Communications (NCCC). This new cyber center \nis patterned on the National Counterterrorism Center (NCTC). 
It \nwould have representatives from various departments and would \nwork on these issues day to day.\n    The bill, as I mentioned, emphasizes the importance of \nworking with the private sector to improve cyber security \nacross private sector networks.\n    In cases where owners and operators are responsible for \nassets whose disruption would cost thousands of lives in mere \nseconds or multiple billions of dollars, the bill would \nestablish certain risk-based performance requirements to close \nsecurity gaps.\n    These requirements, for example, would apply to vital \ncomponents of the electric grid, telecommunications networks, \nfinancial systems, or other critical infrastructure systems \nthat could cause a national or regional catastrophe if \ndisrupted.\n    But I want to emphasize that the private sector would be \nable to choose which security measures are implemented to meet \nthe risk-based performance requirements. That model would allow \nfor the continued innovation that is fundamental to the success \nof the information technology (IT) sector. And as the Chairman \nhas indicated, the bill would also provide limited liability \nprotections to owners and operators of critical infrastructure \nthat comply with the new risk-based performance requirements.\n    If a cyber attack were imminent or occurring, the bill \nwould authorize the President to undertake emergency measures. \nBut as the Chairman has indicated, we have carefully \ncircumscribed that authority. It is limited in duration and \nscope. 
The bill does not authorize any new surveillance \nauthorities or permit the government to ``take over'' private \nnetworks.\n    The legislation would also take full advantage of the \ngovernment's massive purchasing power to help ensure that cyber \nsecurity is baked into products when they are brought to the \nmarketplace.\n    And, finally, the bill would improve the recruitment and \nretention of a qualified Federal IT workforce.\n    If hackers can bring the nation of Estonia to its knees \nthrough cyber attacks, infiltrate a major defense program, and \nhack into the computers owned and operated by some of the \nworld's most sophisticated private sector experts, we must \nassume that even more spectacular and potentially devastating \nattacks lie ahead. We simply cannot wait for a cyber September \n11, 2001, before our government takes this threat seriously and \nacts to protect these critical assets.\n    Thank you.\n    Chairman Lieberman. Thank you very much, Senator Collins.\n    It is the tradition of our Committee that the Chairman and \nthe Ranking Member only make opening statements. It is a \nselfish system but one that Senator Collins and I both \nappreciate. [Laughter.]\n    But on this occasion, since Senator Carper is a cosponsor \nof our legislation, I would welcome any opening statement that \nyou would have Senator Carper.\n\n              OPENING STATEMENT OF SENATOR CARPER\n\n    Senator Carper. Thank you very much, Mr. Chairman. I want \nto salute you and Senator Collins for bringing this together in \na bipartisan--even a tripartisan coalition--on an issue whose \ntime has come. Look around this room. Standing room only. 
I \nwould suggest that finally at long last we have a strong \nnational focus here in the Senate and in the Administration on \ntaking the steps that we need to take to make sure that our \nInternet, which has grown more complex by the day, is secure.\n    For 3 years, I have called for some of the very same \nreforms that we will talk about today. In fact, I introduced \ncyber security legislation, I think, last spring in an effort \nto strengthen our Federal Government--and our Nation--against \nthe kinds of attacks that we have seen seriously disrupt the \nnations of Estonia, as Senator Collins has mentioned, and \nGeorgia.\n    One reform that I am especially happy my colleagues have \naccepted is the creation of a White House office that would be \nresponsible for coordinating the security and resiliency of our \nNation's cyberspace. To date, Federal agencies' efforts have \nbeen ad hoc; they have been for the most part duplicative. \nThere is an old saying that goes, ``the left hand does not know \nwhat the right hand is doing.'' And my hope is that this office \nwill provide the needed strategic direction to more effectively \ndeal with challenges in cyberspace before they become a crisis.\n    Another reform that I am happy, when it made it into the \nbill, is the idea that agencies need to leverage their \npurchasing power to demand that private vendors sell more \nsecure products and services at the front end. For too long \nagencies have needlessly spent money cleaning up after a cyber \nattack because the technology was full of security holes. Like \na door with no lock, hackers have used security holes that \nnever should have been there in the first place to gain access \nto our sensitive networks, and this bill changes that.\n    I also want to commend my colleagues--and our staffs, and I \nespecially want to commend Erik Hopkins, who is sitting right \nbehind me, for the work that he has done on these issues for \nyears. 
But I commend all who have been involved in reforming \nthe Federal Information Security Management Act of 2002. As we \nall know, producing a plan that sounds good on paper is not the \nsame as ensuring the plan is effectively implemented. That is \nwhy our legislation compels agencies to stop producing the \nreams of ineffective paperwork they currently do and instead \nfocus their efforts on defending their systems in real time, \nmuch as we do in the nuclear power industry.\n    Last, I want to thank my colleagues for accepting my \nlanguage to create a nationwide network of cyber challenges to \nhelp reduce the gap between the number of so-called cyber \nwarriors that are produced in America and those that are being \ntrained in place like China, North Korea, and Russia. A little \nbit like a farm system in baseball, these cyber challenges will \ncreate a pipeline of talent that can be tapped by government \nagencies and by private sector companies. If we want America to \ncontinue to be dominant in the century to come--and we know we \ndo--we have to invest in the skills of these young people.\n    In closing, I look forward to working with our Chairman, \nwith Ranking Member Collins, and other colleagues who have an \ninterest in these issues, including Senator McCain to my left, \nand my colleague, Senator Burris from Illinois, who I know has \na strong interest in these issues. My hope is we can bring \ntogether a diverse group of stakeholders on all sides of the \nissue to produce a bipartisan/tripartisan bill that will \nenhance our Nation's cyber security and be signed by the \nPresident before the end of this week--or maybe this month. How \nabout this year? Thank you.\n    Chairman Lieberman. Thanks, Senator Carper. 
Thanks to \nSenator McCain and Senator Burris for being here.\n    We will go to our first witness, Philip Reitinger, Deputy \nUnder Secretary of the National Protection and Programs \nDirectorate, and Director of the National Cybersecurity Center \nat the Department of Homeland Security. Mr. Reitinger's coming \nto the Department is part, I think, of a really full open-\nthrottle attempt to dramatically upgrade the Department's \ncapacity for cyber defense. He has a remarkably diverse \nbackground in both the private sector and government, which \nincludes working at both Microsoft and the Department of \nJustice, though not at the same time.\n    Mr. Reitinger. Thank you, sir. You left off the Department \nof Defense as well.\n    Chairman Lieberman. Sure.\n    Anyway, Mr. Reitinger, I am glad to see you again, and we \nwelcome your testimony now.\n\n   TESTIMONY OF PHILIP REITINGER,\\1\\ DEPUTY UNDER SECRETARY, \n NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT \n                      OF HOMELAND SECURITY\n\n    Mr. Reitinger. Chairman Lieberman, Ranking Member Collins, \nand Members of the Committee, it is indeed an honor to appear \nbefore you today to talk about the security of cyberspace and \nthis Committee's Protecting Cyberspace as a National Asset Act.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Reitinger appears in the Appendix \non page 72.\n---------------------------------------------------------------------------\n    As you point out Mr. Chairman, the President has described \nour networks as a strategic national asset. And as the Ranking \nMember pointed out, those networks are under an increasing \nthreat and increasing risk of harm every day. The attackers \nrange in skill from state-sponsored attackers down to low-level \ncriminal hackers. 
And the fundamental insecurity of our \necosystem means not just our information is at risk, but the \ninformation infrastructure that provides us critical services \nis also at risk, as the Committee Members point out: Power, \nfinancial services, transportation, and other key parts of our \ninfrastructure. That means it is incumbent upon all of us--\nacross the government, the State, local, tribal, and \nterritorial governments, and the private sector--to treat this \nas a real national security and homeland security emergency. We \nmust respond to deal with the increasing threat.\n    The prior Administration began a good start in this space \nwith the Comprehensive National Cybersecurity Initiative, which \nPresident Obama furthered with the Cyberspace Policy Review. \nWe, in DHS, are similarly recognizing our responsibility. We \nare the lead for working to protect Federal civilian systems \nand working to protect private sector and State, local, tribal, \nand territorial government systems and helping them to bolster \ntheir cyber security.\n    A key moment happened in February of this year which \nescaped a lot of people's notice. The Department of Homeland \nSecurity released, after interagency review, the first ever \nQuadrennial Homeland Security Review, which was released, \ninterestingly, on the same day as the Quadrennial Defense \nReview. And I would urge everyone who has not to read the cyber \nsections of those two documents because they are parallel. The \nDepartment of Defense (DOD) recognizes its increasing need to \nbe involved and treat cyber security as a growing mission set. \nAnd the entire homeland security enterprise--and that is \nbroader than just the Department of Homeland Security. It \nincludes the private sector. It includes multiple other \ngovernment agencies and State, local, tribal, and territorial \ngovernments. 
It treated cyberspace and the security of \ncyberspace as a top five mission area of that enterprise, on a \npar with protecting the borders and ensuring domestic security. \nSo we are well on the way towards treating this as a national \nand homeland security event.\n    In that line, we have had significant outcomes over the \ncourse of the past year that demonstrate our intent to move \nforward. I am a firm believer that, in government or the \nprivate sector, organizations succeed or fail based on the \npeople who are doing the work. If you have the right people, \ntechnology does not matter too much. And if you do not have the \nright people, then technology does not matter too much.\n    There was a great core of people at the Department of \nHomeland Security when I arrived, and we have been expanding \nthat as rapidly as possible. During the course of the last \nfiscal year, fiscal year 2009, we increased the people who do \ncyber security in the Office of Cybersecurity and \nCommunications from 35 to 118. And in the course of this fiscal \nyear, we are trying to more than double it again.\n    We are rapidly deploying EINSTEIN 2 on the technical side. \nWe are ahead of schedule. It is deployed and operational at 11 \nof 19 agencies where it is to be deployed, and at four Internet \nservice providers it is deployed, and in one it is operational. \nThrough those deployments, we are already discovering, apropos \nof the comments that the Ranking Member made before, more than \n278,000 indicators on average of potentially malicious activity \nper month.\n    Finally, with regard to FISMA, the Administration is moving \nrapidly to recognize the criticisms that have been made of that \nregime in the past. In particular, a key focus in the \nAdministration is moving away from annual paper reports and \nmore towards continuous monitoring. What is the real security \nsituation we are in? 
And apropos of where this Committee is \nintending to go, providing the operational responsibility to \nmanage that effort to the Department of Homeland Security.\n    Turning finally to the bill, I regret I am not able at this \ntime to state an Administration position on the bill which was \nintroduced last week. That said, DHS looks forward greatly to \ncontinuing to work with the Committee on strengthening the \nDepartment's ability to accomplish its cyber security mission. \nI particularly welcome this Committee's and the sponsors' \nsupport for the DHS mission, its support for allowing DHS' \neffort to maximize its hiring flexibilities, and the continuing \nand clear support in the bill for privacy and civil liberties, \nwhich we believe are fundamental to cyber security.\n    With regard to authorities, we believe the continued \nexamination of authorities for both DHS and in emergencies is \ncalled for to see what can be done under existing authorities \nand what changes may be necessary.\n    Finally, I would state that with regard to organization, it \nis the Department of Homeland Security's view that our \npreference is to keep physical and cyber security tightly co-\njoined. We believe that it will enable us to work more \neffectively with the private sector to manage risk, give us--to \nthe extent one wants to influence the private sector, which is \nimportant--more levers to pull, and allow us to continue to \nwork with the private sector in an all-hazards way on instant \nresponse.\n    Mr. Chairman, Ranking Member Collins, Members of the \nCommittee, thank you again for the opportunity to testify, and \nI would be more than pleased to answer any questions you may \nhave.\n    Chairman Lieberman. Thanks, Mr. Reitinger. I appreciate the \nfact that though there is not an official position of the \nAdministration on the bill, you are giving your own welcome and \nwarm response, particularly of the role given to the \nDepartment. 
Is that right?
    Mr. Reitinger. We certainly welcome the support for the DHS
mission space, sir, and the clear delineation of roles and
responsibilities, absolutely.
    Chairman Lieberman. Fine. Let me just start out, and we
will do 7-minute rounds. Let me ask first, if somebody comes up
to you and says, ``Is all this business about cyber security
for real? In other words, are we really under threat from
non-state actors, other states, or terrorist groups? Can they
really do as much damage as a conventional attack?'' What do
you say?
    Mr. Reitinger. Sir, the threat is clearly real. I often
say--in fact, I said yesterday when I was in Miami at the Forum
of Instant Response Teams event--that if you really want to
secure your computer, it is best to turn it off, disconnect it
from the Internet, and if you really want to be secure, do not
allow any person to get near it, open up the cover, pull out
the hard drive, and hit it with a hammer until it no longer can
be read.
    The current state of the technology simply does not allow
for foolproof security. Instead, we are in risk management. And
right now we have a long way to go to be able to as effectively
manage risk as we need to.
    We depend on these companies not just to see a silly video
on the Internet or even to write a document to pass up the
chain of command. We depend on them for power, for food, and
for transportation. Those systems are insecure in many ways,
and we simply do not live in a sustainable environment right
now. The system is fundamentally insecure and needs to change.
    Chairman Lieberman. So the capacity to attack in cyberspace
or intrude or exploit is, therefore, much greater than the
capacity to defend against such attacks?
    Mr. Reitinger. Yes, sir.
    Chairman Lieberman.
I do not want to carry you too far into
a parade of horribles, but is it really possible that a cyber
attack on, for instance, private infrastructure could cause
damage comparable to a conventional military attack on our
homeland?
    Mr. Reitinger. Sir, I think it is hard to know the full
scope of damage. I think it is possible damage. It is certainly
likely that significant economic damage could be undertaken. If
a cyber attack, for example, destabilized people's trust in the
financial system, one would see untold economic costs to this
country. And physical attacks are possible, and we need to
advance the state of science and the art of the possible to
know what the full scope of risk is. In any event, we need to
prepare now as if it were possible.
    Chairman Lieberman. Yes. Let us talk about what we can do
to better defend, and let me ask you to compare or respond to
some alternative suggestions to the one that we have included
in our bill. There are proposals moving around different
sections of Congress that would have the Department of Defense
or the intelligence community take the lead on protecting the
Federal civilian networks. Obviously, DOD is responsible for
the defense networks now, and, of course, our bill respects
that totally. But there are these proposals saying DOD or the
intelligence community should take the lead in protecting
Federal civilian networks as well as those of private critical
infrastructure.
    From your point of view, what is the argument for why the
Department of Homeland Security, as opposed to those other
agencies, should have that responsibility?
    Mr. Reitinger. Sir, the Department of Homeland Security has
been given the responsibility for helping to protect the
dot-gov, the civilian government systems, and working with the
private sector under both the prior Administration and this
Administration.
It is what we do, it is our role, and that is
appropriate.
    Every agency brings its own capabilities to bear, and I by
no means wish to undercut the key role of the Department of
Defense or the expertise it brings to bear. This Nation has
spent significant dollars over a long period of time to develop
technical capabilities in the Department of Defense, which the
Department of Homeland Security can and does leverage in its
role of working with the private sector and protecting civilian
government systems. We leverage and synchronize the
capabilities of the Department of Defense in significant
amounts of the work that we do, and we coordinate with them
fully and partner with them across the Federal Government
enterprise.
    DHS has in its own space developed its own capabilities. We
have built as a part of the National Infrastructure Protection
Plan the partnership framework under which we work with the
private sector. We have built the capability to deploy teams to
work in particular private sector environments and provide
support. We have built the ability to help control systems'
vendors and those who deploy control systems to respond to
cyber events and to help secure their systems.
    By working together and each playing our positions and
bringing our capabilities to bear, one team, one fight, we can
be most effective across government.
    Chairman Lieberman. Do you have particular concerns, for
instance, about DOD or the intelligence community taking over
nondefense civilian government networks or private
infrastructure? I know some people have been concerned about
privacy or civil liberties in that case.
    Mr. Reitinger.
Sir, I believe both General Alexander, the
Director of the National Security Agency (NSA), and now the
head of Cyber Command, and other individuals from DOD have been
clear over time that protection of the civilian government
space and working with the private sector is the mission space
of the Department of Homeland Security, that they are intent to
support. And I believe they will do that, and we will work
effectively together.
    Chairman Lieberman. Let me ask you one last question. I
believe that DHS is the right place for this authority to be. I
am also encouraged because I think you bring a lot to the
position you are in now. Personnel are really key in this, and
our bill respects that by creating flexibility in hiring for
the new section that we are creating and beefing up in DHS. So
I want to ask you to respond to those suggestions in our bill
and whether you think they are important and whether you think
they are adequate.
    Mr. Reitinger. Sir, I cannot comment on the specific
provisions in the bill because the Administration is still
reviewing it, but I can say that hiring flexibility is very
important to the Department of Homeland Security, in particular
in the cyber security area.
    Chairman Lieberman. And this really means being able to pay
people more than the normal pay scale in Federal service
because that is what you have to do to get the best people. Is
that right?
    Mr. Reitinger. It means paying more in particular cases. It
means having the flexibilities to be able to hire people
rapidly. As you can imagine, there are far too few cyber
security experts in our country. And, indeed, one of the
long-term things we need to accomplish is enhancing our educational
system so that there are more such people available to go to
the private sector and the government.
    But now we are in a space where we are competing
substantially with private industry that can pay a lot more.
We
succeed by, first of all, giving those individuals a chance to
really make a difference, to tell them that we have a critical
mission, and you as a patriot can help your country; second, by
giving them the ability and capability to actually make a
difference; and, third, by asking them not to make too many
sacrifices. We are very clear. If you come to work for the
government, indeed, any part of the government, you are going
to make a sacrifice if you are in cyber security because you
are not going to make what you could in the private sector. But
if we can bring them on more rapidly and pay them something
comparable to what they would get in the private sector, they
will do that to help protect their country.
    Chairman Lieberman. Thank you. Senator Collins.
    Senator Collins. Thank you.
    I was struck in your written testimony by the
Administration's continued reliance on Section 706 of the
Communications Act as the basis for emergency authority in the
event of a cyber attack. In fact, while your testimony is a
little bit unclear on this point, you seem to be opposing the
attempt that we have in our bill to lay out the authorities of
the President, and instead you are pointing back to this Act.
    I would point out that authority was passed in January
1942. It was passed a month after the attack by the Japanese on
Pearl Harbor--obviously, a very different time and long before
the Internet was even conceived of.
    In light of the current nature of our communications
infrastructure, the Communications Act grants very broad
authority to the President, but it is authority that can only
be exercised when a certain threshold is met, and that is the
state of war or the threat of war.
It is wholly lacking in the
kinds of flexibility to respond to a serious attack targeting
some of our most critical infrastructure that may fall below
that threshold.
    Is it clear, based on legal research DHS has done, the
opinions of the Federal Communications Commission, or some
court decision, that the authority of Section 706 could be used
to respond to an attack on our critical infrastructure that
does not rise to the level of the state of war or the threat of
war?
    Mr. Reitinger. So, ma'am, let me first begin by saying
while Section 706 is one authority and, as you point out, a
hoary one that inures to the President of the United States,
there are other legal authorities the President could bring to
bear. Your point I think is well taken, though, that those
authorities, for the most part, are older or not specifically
designed for this case.
    That said, the Administration's position is to prefer to
see if those authorities could be aligned in a way that would
allow the need to be met, and if movement goes forward, to do
so in a way that would be minimally disruptive. I would say
that there are a lot of legal questions that have not been
answered. The Cyberspace Policy Review identified a significant
number of them. We and the Administration, I think, would be
happy to work with this Committee to make sure that the
authorities that are necessary to meet the coming need are
present to the Department of Homeland Security or the President
of the United States in an appropriate emergency.
    Senator Collins. Well, shouldn't we be carefully defining
what authority the President has? Our bill has far more
targeted authority to respond to a cyber emergency, but that
authority is limited both in duration and scope. It requires
notice to Congress. It does not authorize the President to take
over networks.
It allows the private sector to propose
alternative means of achieving the goal.
    Shouldn't we be spelling out exactly what the President's
authority is short of a state of war?
    Mr. Reitinger. Ma'am, I apologize that I cannot take a
position on the bill at this time, but I do appreciate the
effort that the Committee made to tailor the authorities so
they are focused on the expected need.
    Senator Collins. I will take that as a yes. [Laughter.]
    I would say--and I am not trying to put you in an
uncomfortable spot, but as you know, we have been working with
the Department on this issue for more than a year, and I just
do not understand why the Department is not further along in
its thinking on what should be done. And that is one reason why
the three of us proceeded with a bill. We cannot wait. Those
hackers are not waiting. The 1.8 billion attacks per month are
occurring now.
    So I guess I would ask you to take a look at those
provisions of the bill. They are carefully circumscribed and
yet aggressive enough, and they reflect the reality. Relying on
a law passed in World War II is just foolhardy. It is out of
date.
    Let me switch to another issue. Tomorrow the DHS Inspector
General will release a report that the Chairman referred to
that will say that the U.S. Computer Emergency Readiness Team
(US-CERT) program, which is charged with monitoring the
security of civilian cyber networks, does not have the
enforcement authority that it needs to ensure that agencies
comply with its recommendations and mitigation guidance. It
also notes that US-CERT does not have the authority to compel
agencies to deploy technology for determining in real time if a
cyber attack is taking place.
    Our bill would correct those problems.
We would enhance the
authorities of US-CERT and create a stronger cyber center
within DHS, including providing the center with the authority
to enforce compliance with its cyber security directives.
    Do you agree that the Department needs additional
authorities to enforce security policies for civilian Federal
networks?
    Mr. Reitinger. Ma'am, as your question points out, the
Department does have broad authority within the civilian
government space to set requirements for other agencies to
meet. The Department does not have direct enforcement authority
over those departments and agencies, which has raised issues in
particular cases, for example, in Conficker, where we had
difficulty in obtaining responses regarding the scope of the
issue for different departments and agencies.
    So we have, I think, strong authorities right now in terms
of setting requirements. In terms of enforcement, we have the
commitment, I think, from both the cyber security coordinator
at the White House and the Office of Management and Budget
(OMB) to work with us when agencies have difficulty in
responding to our requirements. And they may do so for a number
of valid reasons, including they themselves have limited
resources and ability to respond because they are, in fact,
just barely able to keep the attackers at bay. We will work
through the White House in order to make sure that there is as
full compliance as possible.
    Senator Collins. Well, it is evident to me that the
Department needs more teeth in its directives, or agencies are
going to feel free to ignore them, and that is one of the
problems we are trying to rectify. Thank you, Mr. Chairman.
    Chairman Lieberman.
Thanks very much, Senator Collins.
    I just want to endorse both lines of the Senator's
questioning, but particularly the first one about the need for
a clear statement of the authority of the President in the case
of a national emergency regarding cyber networks, because I
think the old Telecommunications Act does not do it. It is at
best unclear. And, of course, in a crisis I would hate to have
lawyers arguing in front of the President about what the right
thing to do is as we are about to be attacked in cyberspace. If
there is an attack on our electric grid, I do not see in the
old telecommunications law the power in the President, or
anybody, for instance, to order that a patch be put on some
part of the grid to protect it. So I hope you will take a good
look at that and agree when you do that we need new clearly
stated authority.
    Senator Carper.
    Senator Carper. Thanks, Mr. Chairman.
    Mr. Reitinger, welcome. Good to see you. Thank you for your
testimony and for your service on many fronts.
    You may have said this and I missed it, but I can
appreciate why the Administration may not have a position on
this legislation today. Did you say when you expect to have
that kind of position--or establish a position?
    You said later or tomorrow? Is that what you said?
    Mr. Reitinger. Predictions about the vagaries of the
interagency process are beyond my cognitive skills. I would
hesitate to venture a guess, but it is of importance to us and
the Administration, and we will be focusing on the bill.
    Senator Carper. All right. The old saying goes something
like this: ``The best defense is a good offense.'' And we are
talking a lot here today and have been talking for several
years about how to play good defense. Talk to us about how we
might play better offense.
    Mr. Reitinger. Sir, offense is mostly outside my realm of
responsibility now. I am in a part of the U.S.
Government that
plays defense.
    What I can say is that particularly with regard--if you
count law enforcement investigations as part of offense, we do
need to have the right deterrence structure, and so we partner
very closely with our friends in the Federal Bureau of
Investigation (FBI) and the Secret Service to make sure that we
bring the necessary capabilities to bear, that we liaise with
them so that they are able to work as a part of a
cross-government partnership. But we are, within the parts of DHS
that report to me, very focused on playing defense, and that is
our area of responsibility.
    Senator Carper. Whose job is it to play offense on our
team?
    Mr. Reitinger. Well, generally it would depend on what the
role would be, sir. I am not necessarily in a position to say
who does what different pieces, but the overall
responsibilities roll up to the White House.
    Senator Carper. All right. A month or so ago, I believe, we
met with you and some of your colleagues to discuss the role of
the Department in securing our Nation from cyber attacks. In
addition, we discussed whether or not the Department needed to
be internally reorganized to more effectively prevent and
defend against both physical and against cyber attacks. In your
written testimony today, you mentioned that you believe the
Department should have an all-hazards approach to security. I
have a couple of questions that flow from that.
    Do you believe our bill reorganizes the Department of
Homeland Security in a way to better handle both cyber and
physical attacks? And a second half to the question is: Do you
think there will be any unintended consequences by splitting
cyber and physical security responsibilities into two entities?
    Mr. Reitinger.
Sir, I would say that I appreciate the
effort the Committee made to ensure coordination between
physical and cyber by including a deputy for physical
infrastructure protection within the NCCC, if I could use that
acronym. However, I do believe that DHS will be more effective
if we keep physical infrastructure protection and cyber
infrastructure protection co-joined.
    We are, as we move forward, increasingly finding ways that
those sub-components can work together even more effectively.
For example, when we do assessment work for our critical
infrastructure facilities, doing physical and cyber
infrastructure assessments at the same time by working to build
out our all-hazards response capability. We have already
collocated our cyber watch centers in the National
Cybersecurity and Communications Integration Center, and we are
thinking through the extent to which we should better merge
those with our National Infrastructure Coordinating Center,
which coordinates a lot of physical response activities,
because the private sector speaks the language of all hazards.
They worry about risk, as a telecommunications company would
say, whether it is from a cyber attack or a backhoe.
    We, in government, need to step to that and speak their
same language. If we want to influence how they behave in an
all-hazards way, in a risk-based way, and if something bad
happens, physical or cyber, to be able to address it
seamlessly.
    Senator Carper. All right. I have one more question. I
chair a subcommittee of the Committee on Environment and Public
Works that deals with nuclear safety.
We have about 104 nuclear
power plants, as you may know, and the nuclear industry and the
Nuclear Regulatory Commission (NRC) which regulates that
industry use force-on-force exercises where good guys act like
bad guys and they test whether or not our 104 nuclear power
plants are prepared for an assault from a force of truly bad
guys. This is also known as offense informing the defense.
    It is widely recognized that the National Security Agency
has developed the most sophisticated capabilities in the world
to exploit other groups' sensitive networks. This knowledge and
experience of the offense has allowed the NSA to develop better
defenses to protect their own systems and networks. I included
provisions in our cyber bill to help the Department of Homeland
Security also to do this.
    What is the Department doing now to better enhance the
defenses of the Federal Government using the NSA model?
    Mr. Reitinger. I guess I would answer that in two parts,
sir. To begin with, we rely on NSA technical assistance and we
leverage their capabilities. So we look strongly at the
capabilities they have developed as we move forward with
technical approaches to decide what the best approach to
protecting dot-gov is. That is the general answer.
    The more specific answer is with regard to the activities
you talk about, such as red teaming and blue teaming. I would
say we have yet to fully develop the capability to be able to
execute on that.
The ability to do that sort of red teaming and
blue teaming activity is included in our fiscal year 2011
budget, and we will fully coordinate with and rely on the
capabilities and the expertise that NSA has developed in doing
that.
    I have specifically spoken to Tony Sager at NSA who is a
nationwide expert in the cyber defense part of NSA, and we will
fully rely on what they can bring to bear as we develop our own
capabilities to execute a similar strategy within the dot-gov
space.
    Senator Carper. My time has expired. Thank you very much.
    Mr. Reitinger. Thank you.
    Chairman Lieberman. Thank you, Senator Carper. Senator
McCain.

              OPENING STATEMENT OF SENATOR MCCAIN

    Senator McCain. Thank you, Mr. Chairman, and I thank you
and Senator Collins for your hard work on this comprehensive
legislation.
    Mr. Reitinger, besides the fact that you work there, why
should the Department of Homeland Security be the lead agency?
    Mr. Reitinger. For defending government and the private
sector? Because we are ideally positioned to do it, sir,
because it is a part of homeland security, because we can and
will partner with the Department of Defense and other key
government agencies to bring all national capabilities to bear,
including leveraging the capabilities of the Department of
Defense, and because we can provide the transparency and
accountability that the American people expect in full
partnership with other government agencies.
    Senator McCain. What does ``full partnership'' mean, Mr.
Reitinger? Somebody has to lead. ``Full partnership'' means
equality, so let us be careful with our verbiage here. Do you
think that we have already been the victim of cyber attacks?
    Mr. Reitinger. Yes, sir.
    Senator McCain. Do you think we are basically in a cyber
war right now?
    Mr. Reitinger. Sir, I hesitate to use----
    Senator McCain. Cyber conflict?
    Mr. Reitinger.
Sir, we live in a very threatening cyber
environment, yes.
    Senator McCain. Who is our greatest attacker, most
significant attackers?
    Mr. Reitinger. Sir, I would prefer to address that more in
closed session, but the scope of attackers runs the spectrum
from low-level criminal hackers to the most significant
adversaries.
    Senator McCain. Russia mobilized a very effective cyber
attack against Georgia prior to their invasion by conventional
forces. Isn't that correct?
    Mr. Reitinger. Sir, there was a significant attack against
Georgia. Yes, sir.
    Senator McCain. And there has been one against Estonia?
    Mr. Reitinger. Estonia suffered a significant attack as
well.
    Senator McCain. And do we know where that came from, from
Russia?
    Mr. Reitinger. Sir, I am not prepared to attribute that
activity on the record.
    Senator McCain. Every media in America is, but you cannot.
    Mr. Reitinger. Sir, from our perspective, if I could, sir--
and I do not mean to be flippant.
    Senator McCain. You are not flippant. You are just not
forthcoming.
    Mr. Reitinger. I apologize, sir.
    Senator McCain. That is all right.
    Mr. Reitinger. For us in the Department of Homeland
Security and for the people that work for me and with me, we
approach these events to cover the spectrum of threats.
Certainly the attackers run the gamut from Nation states down
to criminal hackers and everything in between--organized
criminal groups, organized hacker groups--and we need to bring
the right protections to bear to enable us to protect against
that full spectrum of threats.
    And ``full partnership,'' sir, means that we are involved in
helping to secure government systems. We do not secure the
Department of Defense systems or the intelligence community
systems. We do not engage in international cyber conflict.
We
instead work to fulfill our role and enable entities like the
Department of Defense to fulfill theirs. And I think that the
Department of Defense would say the same thing about us.
    Senator McCain. But obviously the Department of Defense
would be probably the area we would most want to protect over
any other if we had to prioritize.
    Mr. Reitinger. The Department of Defense is a key entity to
protect, sir, as are other parts of government and key parts of
the private sector that provide essential services, such as the
power grid and our financial services system.
    Senator McCain. Well, Mr. Chairman, I notice that there are
different bills going through different committees--the Senate
Armed Services Committee, the House Armed Services Committee,
the Commerce Committee, and the Foreign Relations Committee. At
some point I would suggest we are going to have to consolidate
or discuss or come to some kind of agreement rather than have a
number of competing pieces of legislation here.
    I have to say, after the Department of Homeland Security's
handling of the Christmas bomber and other activities, I am not
confident that DHS, at this particular time, is the proper
bureaucracy to work in partnership with the Department of
Defense.
    I thank you, Mr. Chairman.
    Chairman Lieberman. Thanks, Senator McCain. We will
continue to try to convince you that DHS can do it, and Senator
Collins and I agree that--we hate to attribute blame, but the
State Department made the more consequential errors,
unfortunately, leading up to the Christmas Day bombing. So we
will continue to work on that.
    Senator McCain. Thank you, and I thank the witness.
    Chairman Lieberman. Incidentally, you are absolutely right.
There are bills on this subject that are moving through various
committees. There is none quite--well, I should not say that.
Senator Snowe and Senator Rockefeller have introduced a bill in
the Commerce Committee that is comprehensive. We think ours is
more comprehensive, but the other bills in the Armed Services
and Judiciary Committees go to points of this. I know the
Majority Leader intends for there to be a blending of these
bills into one bill that comes to the floor.
    Senator Burris.

              OPENING STATEMENT OF SENATOR BURRIS

    Senator Burris. Thank you, Mr. Chairman.
    Mr. Reitinger, I understand that you cannot comment on the
legislation, and some of the questions that Senator McCain just
raised or some of the points that are going through my mind in
terms of the current status. What is the current status of our
protection of cyber piracy within our financial system, our
military system, and our power grid? What is your current
assessment of the cyber activity today?
    Mr. Reitinger. Sir, I would say, although this may be an
unsatisfying answer, it varies greatly. Through all the
infrastructures you mentioned and government agencies you
mentioned, the level of defenses vary considerably. There are
parts of the government, such as the Department of Defense and
other agencies, that are very well protected. There are other
agencies that have more areas of growth.
    There are sectors and components of sectors in places like
the financial sector or the energy sector that do very well and
others that have a lot of work to do. That is, I think, one of
the concerns because sometimes cyber security is only as strong
as its weakest link and the interdependencies are very great.
    Senator Burris. Do we currently have authority to protect
our financial system? Can Homeland Security deal with the
hundreds of billions of dollars that is being stolen from the
financial arena today which they do not even report?
    Mr. Reitinger. Sir, there are certainly authorities in that
space.
There are a number of law enforcement authorities that
would allow investigation and prosecution of those who
commit----
    Senator Burris. Does Homeland Security have any input in
that today?
    Mr. Reitinger. Yes, through the Secret Service, sir.
    Senator Burris. So the Secret Service has the cyber
authority.
    Mr. Reitinger. The Secret Service has the investigative
authority along with the FBI for those types of crimes, yes,
sir.
    Senator Burris. So you do not have that authority?
    Mr. Reitinger. Not within the parts of Homeland Security
that report up to me, no, sir.
    Senator Burris. OK.
    Mr. Reitinger. Our authority, sir, with regard to the
private sector is that of coordination. We can raise awareness.
We have capabilities that could help them.
    Senator Burris. I do not give too much credence to all our
TV programs, but ``60 Minutes'' just the other day ran a
segment on cyber terrorism. Are you familiar with that
information that came out to the public recently?
    Mr. Reitinger. I am familiar with some of the things the
program said, sir.
    Senator Burris. Sir, are you familiar with the ``60
Minutes'' program? It is a simple yes or no answer.
    Mr. Reitinger. Yes, sir, I am familiar with ``60 Minutes''
generally.
    Senator Burris. No, the program.
    Mr. Reitinger. No, sir, I am not.
    Senator Burris. Thank you. It took us 2 seconds to say no.
Do not be so defensive.
    What we have here, Mr. Reitinger, is a concern of public
confidence in our system, and what I would assume is that there
are entities out there that are seeking to enrich themselves,
but also to break the confidence of the public. So there is a
public factor to this if Americans feel that we are not secure.
I want to ask you whether or not you think we can protect our
systems?
    Mr. Reitinger. Completely, sir? No.
Substantially, we can
take action and respond to attacks when they occur, and we are
continuing to enhance our ability to do that. But completely
protect and prevent----
    Senator Burris. What is your timetable on that? Because as
I understand the ``60 Minutes'' report, we are losing data
every day. They are right now from this report sitting in the
Pentagon on our military computers, little types of information
that can now direct those systems that we might not even be
able to control. Are we dealing with anything like that? Are
you familiar?
    Mr. Reitinger. Sir, we are moving forward very rapidly. As
I mentioned, we are rolling out the EINSTEIN 2 intrusion
detection system. That is deployed to 12 of 19 departments and
agencies where it will be deployed, and it will be deployed to
all 19, we forecast, by the end of the fiscal year, so by the
end of September.
    In terms of when compromises take place, pursuant to the
President's Cyberspace Policy Review, we are developing a
national cyber instant response plan process. That is nearing
substantial completion. It will be vetted, and it is going to
be tested in September of this year. There are other efforts on
a longer timeline and other efforts on a short timeline. So we
have significant efforts going across the ecosystem.
    For example, you talk about the financial services sector,
sir. We are right now piloting an activity in partnership with
the Department of Defense and the financial services sector
through their Information Sharing and Analysis Center, a body
they voluntarily formed, where we share threat information with
them now on an unclassified level, going forward on a
classified level, where they also share information through the
financial services Information Sharing and Analysis Center back
with us and each other.
So that is building a much better \nunderstanding of the threat and what entities need to do to \nrespond to it in that sector.\n    So there are a number of different efforts we are moving, \nsir.\n    Senator Burris. I just wonder what we are doing to other \ncountries with our system. I just hope that we also have cyber \npiracy going on to counteract the cyber piracy that is coming \nagainst us. And in your layman's opinion--not your professional \nopinion--would you say that we have some going on?\n    Mr. Reitinger. Sir, I cannot comment on that. I apologize.\n    Senator Burris. Thank you, Mr. Chairman. I have to end my \nquestioning.\n    Chairman Lieberman. Thanks, Senator Burris.\n    If I may offer an opinion, not being a member of the \nAdministration, my own impression, let us put it that way, is \nthat the U.S. Government has a very well developed cyber \noffensive capacity if it becomes necessary to use that to \nprotect our security, and that should be comforting to the \nAmerican people. But I do want to come back and underline \nsomething Secretary Reitinger said, which is the capacity of \nthose who would attack us is much greater right now than our \ncapacity to defend against those attacks. And we are closing \nthat gap. But this legislation and the resources that the \nAdministration is putting behind this are aimed at eliminating \nthe gap. So it is with that intention that we go forward.\n    I want to indicate--you may have heard this already--that \nSenator Collins and I are going to take this bill to a \nCommittee markup next week, so we really want to move this out. 
\nAnd in that regard, I urge you to do everything you can--\nalthough I know a lot of this ultimately will be in OMB--to \nhave an Administration position developed on this legislation \nand the other legislation.\n    Senator Harry Reid has been very clear, at least to me, \nthat he really wants to pass a cyber security act this year, so \nI hope you will be authorized soon to get more explicitly into \nthe debate.\n    Mr. Reitinger. Thank you, sir.\n    Chairman Lieberman. Thank you. Thanks for your testimony.\n    We will call the second panel, beginning with Fran \nTownsend. It must give you real pleasure to be out of Federal \nservice as you hear me talk about the need for approval from \nOMB.\n    Ms. Townsend. Exactly.\n    Chairman Lieberman. On the second panel, we are very \npleased to begin with Fran Townsend while you are getting \nseated. She is now the Chairwoman of the Board of the \nIntelligence and National Security Alliance, a former Homeland \nSecurity Advisor to President George W. Bush, and a star of \nscreen, if not yet stage. Welcome.\n\n  TESTIMONY OF FRANCES FRAGOS TOWNSEND,\\1\\ CHAIRWOMAN OF THE \n       BOARD, INTELLIGENCE AND NATIONAL SECURITY ALLIANCE\n\n    Ms. Townsend. Well, thank you, Mr. Chairman, for that \nintroduction. It is really a privilege to be back with you and \nRanking Member Senator Collins. Thank you very much for your \ninvitation to testify at this hearing and to offer my thoughts \non the Protecting Cyberspace as a National Asset Act of 2010.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Townsend appears in the Appendix \non page 80.\n---------------------------------------------------------------------------\n    I am here today in my role, as you noted, as Chairwoman of \nthe Board of the Intelligence and National Security Alliance \n(INSA). 
It is a premier not-for-profit private sector \nprofessional organization providing a structure and interactive \nforum for thought leadership, the sharing of ideas, and \nnetworking within the intelligence and national security \ncommunities. INSA has over 100 corporate members as well as \nseveral hundred individual members who are leaders within the \ngovernment, private sector, and academia. And as I think you \nare aware, INSA prepared and submitted my statement for the \nrecord while I was out of the country. I arrived home \nyesterday. So I will also add a few of my personal observations \nbefore I close.\n    Through its Cyber Security Council, INSA has emphasized the \nimportance of creating a strong public-private partnership \nthat can provide meaningful recommendations to address the \nnational and economic security threat today. I would like to \nspecifically speak to the importance of establishing a public-\nprivate partnership to promote national cyber security \npriorities, strengthen and clarify authorities regarding the \nprotection of Federal civilian systems, and improve national \ncyber security defenses.\n    Collective national cyber security can only be effectively \naddressed through a partnership approach between the government \nand private industry. While the government has the legal \nauthority required to organize markets, enforce laws, and \nprotect citizens' privacy and property, the vast majority of \ncyberspace infrastructure, as you all noted, is privately owned \nand operated. And as a result, industry is where most of the \nexpertise in the fields of IT and cyber security resides. 
\nBecause of this, a partnership is really the only way forward.\n    INSA's Cyber Security Council studied several different \nmodels of public-private partnerships during the preparation \nand research for its November 2009 report entitled ``Addressing \nCyber Security Through Public-Private Partnership.'' \nHistorically, effective public-private partnerships have \ninclusive private sector membership, unified in the pursuit of \ncommon goals, a single responsible and accountable government \npartner organization, and clearly delineated roles for both \npublic and private entities. We are very pleased to see these \nconcerns and this organizational structure reflected in the \nlegislation we are here discussing today. This bill not only \nestablishes a clearly responsible center for the problem, but \nrequires a private sector advisory council to advise the center \non their actions' effects on industry.\n    Assuring that private sector concerns are heard within \ngovernment is an important first step to the creation of a \npublic-private partnership, but this alone is not sufficient to \nguarantee success. 
INSA's Cyber Security Council has identified \nthree additional components, specific to a public-private \npartnership on cyber security, which would be required for a \nsuccessful effort: First, a flexible or incentivized approach \nto regulation; second, robust information sharing and \ncooperation; and, last, communication on standards and best \npractices.\n    In the interest of time, I will not go through each of \nthose and would ask that you refer to my statement for the \nrecord which we earlier submitted.\n    In terms of my personal observations, all of which are \naddressed by the legislation, but I think based on my own \nexperience, knowing that this will go to a negotiated process \nin the Senate, I think it is worth underscoring their \nimportance.\n    I support the creation of a National Center for \nCybersecurity within DHS because of their abilities uniquely to \naddress privacy and civil liberties concerns that affect all \nAmericans. Because of their necessary reliance on the Internet \nfor our personal lives, I think that their ability to address \nthose concerns will be critically important in ensuring public \nsupport for such a center. But I want to be clear that in my \njudgment to be effective, wherever such a center is, in fact, \nhoused, it must have several key ingredients to be successful. \nAnd, again, these are all contemplated by your bill.\n    First, interagency and cross-government capability, both \nvertical down to the State and local level and up to the \nFederal Government, and across the Federal Government as well \nas including the private sector. As Senator Collins noted, \nNCTC, which is effectively in the Office of the Director of \nNational Intelligence, is the best analogy, and the NCTC does \nreport to the White House. And that is a model that ought to be \npreserved as stated in the bill.\n    Second, budget and enforcement authority is really \nnecessary. 
Money to implement any steps or affect Federal \nagency spending is a necessity, and authority to punish or call \nout across Federal agencies those departments that fail to meet \nbasic standards is also a necessity.\n    Personnel authority, adequate ability to hire and fire, is \nnecessary to ensure a competent and experienced staff of \nprofessionals. While the current bill, as I noted, does \ncontemplate these important steps, I worry about language such \nas develop a plan, coordinate, recommend, assess, and consult.\n    I had the privilege of working with the Chairman and \nRanking Member on the Intelligence Reform and Prevention of \nTerror Act, and while we were well intentioned and I believe \nthat was a good and necessary bill, it is the bill which \nestablished the Director of National Intelligence. And while \nthis was an important and necessary step, it has been referred \nto recently as ``organized to fail.'' I think what those \ncritics would say is that the position lacks some of the \nnecessary authorities that this bill contemplates and would \nmost respectfully suggest that as this bill moves forward, it \nwill be important for the people of the United States for our \nown national security to ensure that those sorts of authorities \nremain tied to the Director of the National Cyber Center.\n    I believe that the private sector advisory council is very \nimportant and urge that, too, be implemented. I will say, \nhowever, since leaving government, I often hear from frustrated \nchief executive officers (CEOs) that the U.S. Government and \nDHS, in particular, have at times been both unresponsive and \nnot engaged with them. We should look at existing mechanisms \nbefore creating new advisory councils. The President has the \nNational Security Telecommunications Advisory Council (NSTAC), \nand the National Infrastructure Advisory Council (NIAC), which \nreports to the President through DHS. 
These exist now and must \nbe used, but they need interaction and dialogue with the \nPresident of the United States, not just with the White House \nand agency staff.\n    Third, as addressed in Section 251 of your bill, \ninformation sharing with the private sector must be a two-way \nstreet, and sensitive commercial data must be explicitly \nprotected.\n    Last, while the bill creates both the White House position \nand the DHS center, both positions are Senate-confirmed. And \nwhile I understand why that is so and I strongly support \ncongressional oversight, I believe that the position in the \nWhite House must be left to the President's prerogative to \ndecide how to adequately staff it and, thus, do not necessarily \nbelieve that the White House position should be Senate-\nconfirmed.\n    I applaud the Committee's focus on this important issue and \nhope that this legislation as it proceeds will only be further \nstrengthened and not diminished by compromise. The goal is to \nmake a positive and meaningful contribution to the national \nsecurity of the United States, and this bill goes a long way \ntowards achieving that goal.\n    I thank you and look forward to answering your questions.\n    Chairman Lieberman. Thanks very much for that very helpful \ntestimony.\n    I do want to say at this point that we had intended to have \nRobert Jamison as a witness. He is President now of the Eline \nGroup and former Under Secretary at the Department of Homeland \nSecurity during the Bush Administration, where he was the \nsenior official on all cyber and communications operations. \nUnfortunately, he was not able to attend because of a family \nemergency, but his testimony, I think, is quite strong, and we \nhave left copies of it on the tables for those who are \ninterested.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. 
Jamison appears in the Appendix \non page 116.\n---------------------------------------------------------------------------\n    Next, we are pleased to have Alan Paller, Director of \nResearch at the SANS Institute and former member of the \nNational Infrastructure Assurance Council, widely recognized as \nan expert in cyber matters. We are glad to welcome you back to \nthe Committee and look forward to your testimony now.\n\n  TESTIMONY OF ALAN PALLER,\\2\\ DIRECTOR OF RESEARCH, THE SANS \n                           INSTITUTE\n\n    Mr. Paller. Thank you, Mr. Chairman, Senator Collins, and \nSenator Carper. You made last Thursday a very good day for the \npeople who had despaired the government would ever lead by \nexample. So it was just a wonderful day that you made for us, \nand the bill that you put together actually solves sort of the \nmain problems that had kept the government from doing the right \nthing. I will summarize a few of them.\n---------------------------------------------------------------------------\n    \\2\\ The prepared statement of Mr. Paller appears in the Appendix on \npage 84.\n---------------------------------------------------------------------------\n    Before I do that, part of the bill is this little thing \ncalled the cyber challenge, and Senator Carper has been just \nwonderful at helping it. But I wanted to come back to you, Mr. \nChairman, because last August you met with a young man from \nConnecticut named Michael Coppola who, at 16 years old, beat \nall these adults in a major competition. He was moved by that. \nWhile he was in school, he was asked what were the courses that \nthe high schools are not teaching that would have allowed the \nother students to do well. So we outlined the courses, and I \nsaid, ``That is good. Can you give us a syllabus?'' He said yes \nand he built a syllabus. And I said, ``That is good. 
Can you \ngive us the exams that you would give to see if the people had \nlearned it?'' And he did that with some friends.\n    About that time, the State of California was getting ready \nfor the California cyber camp. I heard your song on Thursday \nabout the cyber camp. But they wanted to go to the high \nschools, and we went to the high schools, and none of the high \nschool kids had ever seen cyber security. They did not know \nwhat to do with it. So they could not take the exam that the \ncollege kids were taking that was a real cyber security exam. \nSo we took Mr. Coppola's exams, built a competition; 150 high \nschool kids took it. They took hours and hours and hours out \nduring the weeks they had AP exams, I mean, they were so \nexcited about it. Governor Arnold Schwarzenegger personally \ncame to give them--or he actually wrote the letters that \nrecognized the winners of it. It was a very nice thing. So your \n16-year-old from the high school that does not even have a \nprogramming course did awfully well.\n    Chairman Lieberman. That is great to hear. Thank you. I am \nproud of him. And he won a contest, as I recall.\n    Mr. Paller. Yes, he beat a bunch of adults and other people \nin a King of the Hill cyber competition, a tough one.\n    Chairman Lieberman. I am glad he is on our side.\n    Mr. Paller. Exactly right.\n    The most important parts of your bill are the ones that \nreduce our vulnerabilities because we have so much of our \nexistence dependent on the Internet, we are much more \nvulnerable to an attack. Even if an attacker has lesser \ncapabilities than we do, they could do much more damage to us \nbecause we are so dependent on it. We can take out other \npeople's capabilities, but they are not hurt as much. So our \nability to defend ourselves completely is actually the only \nfirst--and you do first things first. It is the only thing we \nhave to do first. 
And what you did in the bill is you enabled \nthat, and I want to tell you why--because I think there will be \npushback, I would sort of like to give you why I think it \nworked.\n    The White House office was controversial the last time, and \nI was so happy you went ahead and put it in the White House. \nAnd the reason has nothing to do with whether DHS can or if the \nWhite House is better. It has to do with this cross-agency \naction that nothing any one agency does ever moves another \nagency. It is not until somebody in the White House beats them \nabout the head and face that they actually move. And so putting \nit back in the White House under a tough boss can actually make \na difference. And you gave it the right authorities to do that.\n    The reason is that we have this odd attitude about security \nwhere we get mad at people for not defending themselves well. \nSo we talk about the government is not doing a good job of \ndefending themselves. It is the wrong order.\n    Remember, we train tens of thousands of people a year to \ndefend things, so we know what they can and cannot do. You \ncannot defend yourself using the off-the-shelf tools that the \nvendors sell you. You cannot defend yourself using the networks \nthat the Internet service providers (ISPs) provide to you. You \ncannot. You can barely survive at that level.\n    The only way to actually do the defense is a partnership \nbetween the users--think of them as automobile drivers--and the \ncar manufacturers, the people who sell the IT services and \nsoftware and the people who sell the IT online services, the \nISPs. It is a partnership. They have to get better and the \nusers have to get better. But it is cheaper for the vendors to \nsay you users are bad drivers. We do not want to fix our cars \nbecause you guys do not drive well. It is the partnership. When \nthe cars got safer and the people drove better, we actually had \na lot fewer accidents on the road. 
That is what we have to do. \nBut you cannot do that without procurement because none of \nthose vendors will listen to any user except a very large user. \nSo you need cross-agency buying, and the only way you are going \nto get cross-agency buying is with that White House office.\n    So I am trying to put the pieces together. You cannot have \nprocurement without that White House office because no one else \nhas the power to pull the money together to make it spend \ntogether.\n    The third one is the regulatory framework you put in. If we \ndo not get that right, we have no defense on the civilian \nside--no recovery on the civilian side. I read this article \nabout unintended consequences. The industry is saying there may \nbe unintended consequences, and I had this immediate image of \nall the taxi drivers setting up a block so that the military \ncould not get in to stop traffic because the taxi drivers \nneeded to keep on making their money with tolls. And there is a \nnuclear bomb that the army was trying to stop, and the taxi \ndrivers said, ``Look, there are unintended consequences of you \ncoming. Could we have a meeting? Can we talk about it?'' I had \nthis exact image of them. It might not be fair to share. But \nsomebody is making money, and they really do not want to stop \nfor anything. I guess that is all right.\n    But I do want to go back to this procurement thing. There \nare actually two sides. We have this idea that we need to \nprotect our systems. We keep talking about that. We will be \nable to do that well if we do all the things that you are \ntalking about, and I am going to show you a cool thing that one \nof the agencies has done--that Senator Carper found, actually--\nthat will actually make a huge difference in that. But once we \nget the hygiene right--that is Bob Dix's old word. Once we get \nhygiene right, people will still make it through. 
There are \norganizations with enough money that they will, in fact, get \nthrough all the defenses when we have as perfect defenses as we \ncan. So there is another half--and it is literally a half--\nwhich are the people who the Air Force has given a wonderful \nname to--they are called the hunters, and they are the people \nwho can unravel the data about an attack, figure out what it is \nand what they are doing and how they are doing it and stop \nthem. So you helped set that up. The reason that DHS is having \nsuch trouble relative to DOD is they have none of those \nhunters. And all these people they are hiring are not hunters \nbecause you need seeds for the crystal, and they do not have \nany seeds there. The seeds are all at NSA, and when they are \nhiring 300 more people, when you go look at their skills, they \nare just not the hunters. They are not the people we have to \nhave.\n    In closing, I want to tell you about a wonderful positive \nstory. There is a concept of reducing risk. This is a chart \nthat shows every embassy around the world and every State \nDepartment office around the world over 12 months, a reliable \nmeasurement of cyber security risk, reliable as in the NSA has \nbeen there to say, yes, they are doing pretty good. And it is a \n90-percent reduction in cyber risk in all of the embassies and \n89 percent across all the State Department offices. This ended \nin August just this year. They are almost half again as good. \nThis is the model that you will not find in any other agency \naround government. And it is a model that actually gives us \nresponse. When the Google hack happened at all agencies--it was \nan Internet Explorer vulnerability. We all had Internet \nExplorer. So every machine had this. Every agency sent out \nemails saying fix it, fix it, fix it. State did not say fix it. \nState actually changed the risk score on the vulnerability. It \nis called the Aurora Vulnerability. They changed it. 
So when \nyou talk to DOD, they will tell you, ``We got 70 percent \ncompliance in about 4 months.'' If you talk to other agencies, \n60 percent, 50 percent. State Department got 90 percent in 6 \ndays. So 4 months, 70, 60 percent versus 90 percent in 6 days. \nThis is what continuous monitoring is all about.\n    Maybe one last thing, or am I way over my time?\n    Chairman Lieberman. You are way over, but one last quick \nthing.\n    Mr. Paller. So the reason agencies could not do it is this: \nThe last FISMA gave the power to set standards to the National \nInstitute of Standards and Technology (NIST), and they had no \nadult supervision. So it wrote a standard that said that one of \nits guidance documents was mandatory, and that guidance \ndocument required all of these, 8,511 pages, that you have to \ndo every day, and I am sure that all cyber security will. But, \nanyway, that is it.\n    Chairman Lieberman. That was great. Thank you. You are the \nmost mobile witness we have had before the Committee in a long \ntime. [Laughter.]\n    Thanks for your excellent testimony, and I appreciate your \nwords of support for what we have proposed here.\n    Next we have Steven Naumann, who is Vice President for \nWholesale Market Development for Exelon Corporation and \nChairman of the Member Representatives Committee of the North \nAmerican Electric Reliability Corporation (NERC). Mr. Naumann \nis going to be testifying today on behalf of the Edison \nElectric Institute (EEI), which represents about 70 percent of \nour electric sector, and the Electric Power Supply Association \n(EPSA). Thanks very much for being here.\n\n TESTIMONY OF STEVEN T. NAUMANN,\\1\\ VICE PRESIDENT, WHOLESALE \nMARKET DEVELOPMENT, EXELON CORPORATION, ON BEHALF OF THE EDISON \n  ELECTRIC INSTITUTE AND THE ELECTRIC POWER SUPPLY ASSOCIATION\n\n    Mr. Naumann. 
Thank you, Chairman Lieberman, Ranking Member \nCollins, and Senator Carper.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Naumann appears in the Appendix \non page 101.\n---------------------------------------------------------------------------\n    Just quickly, Exelon serves more than 5.4 million customers \nin the Chicago and Philadelphia areas. We operate approximately \n30,000 megawatts of generation, including 17 nuclear units, \njust to give you an idea of our scope. And as you said, I am \nrepresenting EEI and EPSA today. We are members of both trade \norganizations.\n    At the outset, I would like to thank you, Chairman \nLieberman, Ranking Member Collins, and Senator Carper, for your \nthoughtful approach to the bill and for your leadership on this \nissue. The owners, operators, and users of the electric power \ngrid take cyber security very seriously. In fact, a broad \ncoalition representing the full range of generation, \ntransmission, and distribution interests in the United States \nas well as regulators, Canadian interests, and large industrial \ncustomers all agree on the need for government involvement in \nprotecting critical infrastructure from cyber attack. While I \nam not testifying officially on behalf of the coalition, this \ncooperative relationship to address threats to the power grid \nis vital to improving cyber security.\n    There are three principles in the bill that I would like to \nemphasize: First, leveraging public and private sector \nexpertise, including information sharing between the two areas; \nsecond, concentrating on truly critical infrastructure; and, \nthird, addressing cyber security in a comprehensive, multi-\nsector way.\n    First, both the government and the electric power sector \nhave distinct areas of responsibility and expertise. 
With its \nintelligence-gathering and law enforcement capabilities, the \ngovernment is able to detect threats, evaluate the likelihood \nof malicious attacks, and identify patterns of potential \ninfiltration. Power companies, on the other hand, are \nexperienced at operating their systems and engineering \nresiliency and recovery, depending on a threat.\n    To best ensure the cyber security of the Nation's electric \ngrid, we need to clearly define these roles and \nresponsibilities while facilitating cooperation and information \nsharing between government agencies and the power sector. The \ngovernment-wide coordinator your bill envisions is critical to \nensuring that information does not fall through the cracks and \nthat the right people have complete information to make sound \noperational decisions in times of crisis. This careful \nconsultation with industry helps ensure that government actions \nin protecting the grid from a cyber attack do not have \nunintended or harmful consequences, and I will be glad to \nexplain that I do not mean taxi drivers blocking the streets, \nbut when you are operating a system, if you do not do the right \nthing, you might get things happening that you really do not \nwant to.\n    Second is the bill's narrow scope. It focuses appropriately \non the need to protect truly critical assets and deal with \ncyber security emergencies. There is a security axiom that \nstates, ``If you try to protect everything, you protect \nnothing.'' Therefore, the risk-based prioritization reflected \nin the proposed bill ensures that both government and private \nsector resources are allocated wisely.\n    The industry believes your bill focuses on the more \nrelevant question and urgent security gap. What additional \nauthority is needed in order to promote clarity and focus in \nresponse to national cyber security emergencies?\n    Third is the comprehensive approach to dealing with cyber \nsecurity. 
While the electric power industry's focus is on \noperating and protecting the electric grid, the interconnected \nnature of our critical infrastructure requires a multi-sector \napproach. We in the power industry rely on telecommunications \nsystems to operate the grid, pipelines and railroads to bring \nfuel to our generation, and wholesale markets to sell our \nproduct. Should any of these critical sectors be compromised, \nthe reliability of the electric power system would be impacted. \nLikewise, each of these sectors depends on a reliable supply of \nelectricity to operate. Your bill recognizes this truth, as did \nthe President's ``60-Day Cyber Review'' completed last year. I \nwould urge the Congress to follow your leadership and approach \nthis issue holistically.\n    Again, the industry's perspective on sound cyber policy \nincludes promoting clearly defined roles and responsibilities, \nas well as ongoing consultation and sharing of information \nbetween government and the private sector. Using a risk-based \nmodel that secures truly critical assets against cyber security \nemergencies is the best use of the limited security resources \nand approaching the issue in a comprehensive, multi-sector way.\n    Again, I appreciate the opportunity to appear today and \nwould be happy to answer any questions. Thank you.\n    Chairman Lieberman. Thank you very much, Mr. Naumann.\n    Finally, we go to Sara Santarelli, Verizon's Chief Network \nSecurity Officer. I hope that you will be able to offer us a \nperspective on the type of intrusions and probes that Verizon \nis seeing on a regular basis, but thanks for being here.\n\n  TESTIMONY OF SARA C. SANTARELLI,\\1\\ CHIEF NETWORK SECURITY \n                OFFICER, VERIZON COMMUNICATIONS\n\n    Ms. Santarelli. Thank you for having me today. Mr. 
\nChairman, Ranking Member Collins, and Members of the Committee, \nthank you for the opportunity to discuss this important topic \nof cyber security today.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Ms. Santarelli appears in the \nAppendix on page 109.\n---------------------------------------------------------------------------\n    Your legislation represents a positive step forward. We \nfeel that the majority of the legislation supports the common \ngoal of creating a much safer online environment, even if we \nmay not agree with every specific provision.\n    Cyber security initiatives take place at many different \nlayers at Verizon. We work closely with our suppliers to help \nensure that their products meet our security requirements. We \nuse technologies to identify and mitigate threats on our \nnetwork. We have developed an internal dashboard to help manage \nsecurity of our own corporate systems, and we offer a wide \nrange of services to our customers to help them better protect \ntheir networks and their data.\n    Security events are a constant reminder that our networks \nand our customers' networks are under steady assault. These \nthreats are constantly changing and evolving as criminals \ndevelop new techniques to get around the latest defenses, and \nonce launched, these attacks can escalate with an astonishing \nspeed. Speed and flexibility are critical to the success of our \nresponse.\n    The Slammer worm, launched in January 2003, was the fastest \nspreading computer worm in history. It doubled in size roughly \nevery 8.5 seconds. Within 3 minutes, the worm had achieved its \nfull potential with more than 55 million computers being \nscanned per second. Success in stopping the Slammer worm was \npredicated on the ability to take fast and decisive action \nwithout extraneous briefing, consultations, or declarations. 
\nSimilarly, the experience in 2009 and 2008 as well with the \nConficker worm illustrates how important it is to maintain a \nflexible approach in responding to cyber threats.\n    In response to this threat, an international working group \nwas actually formed consisting of 30 named members and many \nmore partners and contributors from around the world, including \nVerizon. Information sharing by that working group proved very \neffective.\n    Each incident we respond to teaches us different lessons, \nbut the one common denominator is this: While government has a \nrole to play in enhancing cyber security, it must not act in \nways that diminish our flexibility, speed, and independence \nthat network providers find essential in waging the war on \ncyber crime. Any government-directed information-sharing \nmechanism must not place restrictions or requirements on the \nfree flow of information about the Internet and must not deter \nparticipation by knowledgeable entities.\n    Network providers like Verizon are on the front lines of \nthis war, but the fight cannot be left solely to the private \nsector. There is a role for government to play. We applaud the \nCommittee's efforts to help bring clarity and definition to \nthat role.\n    The government can do things that the private sector simply \ncannot. My written statement identifies eight ways in which the \ngovernment can be uniquely helpful. Let me summarize three.\n    First, the government should lead by example, working to \nenhance the security of public networks, centralizing, \nclarifying agency roles and responsibilities; eliminating \nregulatory duplication; and purchasing technology solutions \nthat raise the level of security technology in the marketplace \ngenerally. Proposals in this bill would help streamline public-\nprivate interaction and ensure consistency in the security of \nthe government's infrastructure. 
The bill also takes several \npositive steps towards eliminating duplication, enhancing the \nsecurity of government networks, and using the government's \nbudget power for targeted investment in cyber security \ntechnologies.\n    Second, the government should promote enhanced security for \nprivate sector infrastructure but not at the expense of speed \nand flexibility of response. For those who are slow in adopting \nbest practices in the areas of cyber security, it is \nappropriate for government to provide strong incentives for \nthem to do so. However, given the wide range of networks and \ntechnologies, as well as the rapid pace with which cyber \nthreats are evolving, we simply cannot lock ourselves into a \nsingle regulated approach. The most effective approach, which \nthis bill does take, is a public-private partnership where \ngovernment provides assistance and expertise to the private \nsector. Confidentiality and liability protection will encourage \nthe private sector to implement desired activities.\n    Finally, the government should eliminate legal barriers to \nthe collection, use, and sharing of information by network \noperators, their customers, and the government. Striking an \nappropriate balance between privacy and the need for \ninformation sharing will directly support our shared goal of \nenhanced cyber security.\n    We look forward to continuing to work with you and the \nCommittee on cyber security legislation, and I look forward to \nanswering your questions today.\n    Chairman Lieberman. Very good. Thank you. We will do 7-\nminute rounds of questions.\n    Ms. Townsend, since you have been liberated from official \nFederal service, maybe you can respond more directly to some of \nthe questions that were asked of Mr. Reitinger, which are, \nreally, who would you say are the main sources of attack \nagainst American cyber systems?\n    Ms. Townsend. Sure. 
I mean, I think if you look at the open \nsource material that is available, it is commonly understood \nthat our most capable adversaries, potential adversaries are \nboth the Russian government and the Chinese government.\n    Chairman Lieberman. Right.\n    Ms. Townsend. We have capable allies, of course, in Western \nEurope in the British and the French, but, of course, once you \nknow you have capability, how they use it is really dependent \non their own agenda.\n    Chairman Lieberman. Do we think that the non-state actors, \nboth terrorist groups and organized crime syndicates, are \ndeveloping the capacity to cyber attack us or others?\n    Ms. Townsend. It is an interesting question, Senator, \nbecause I think our understanding as you watch terrorist \norganizations, in particular, is that their operational \ncapability is often dependent on their ability to use the \nInternet. Whether that is to pass information, propaganda, \nrecruit, or fundraise, they need the Internet just as we need \nthe Internet. And so that sort of mutual need has been \nsomething of a protective measure in terms of their willingness \nto cyber attack. That is not a guarantee. And so, of course, I \nthink the government watches quite closely how the capability \nof our terrorist adversaries increases and looks for the \npotential that they may turn and decide it is worth using it as \nan attack method.\n    Chairman Lieberman. Thanks for those answers. They are very \nhelpful.\n    I appreciate very much that both Mr. Naumann and Ms. \nSantarelli are here because you represent major private sector \nentities that are affected. And I know that both the \ncorporations that you work for and the sectors of the private \neconomy that you are associated with are aware and sensitive to \nthe threat in cyberspace, and that it represents a threat not \njust to your businesses but to our national security if a \nvulnerability is tapped.\n    So I wanted to ask you--and then Mr. 
Paller and Ms. \nTownsend if they want to get in this question: Obviously, this \nlegislation is premised on a conclusion that there is a need \nfor governmental involvement. We try very hard to have a \nbalanced, collaborative public-private sector approach in the \nbill. But there are some who might argue that there is actually \nlittle or no need for government involvement here because \nindustry has the same incentive that the government has to \nsecure its networks. And I wanted to ask you if you agree with \nthat, and if you disagree, why. In other words, is there a \nnecessary role for government here?\n    Mr. Naumann. Chairman Lieberman, the electric power \nindustry believes there is. As I said in my remarks, we all \ntake protection of our networks very seriously, and for the \nreasons you state. But our capabilities do not go to \nintelligence gathering. They do not go to evaluation of some of \nthese threats. We need to be able, first of all, to be notified \nof these threats. We need to be able, working with the \nintelligence agencies or those who have that information, to \nunderstand how those threats can affect our equipment and our \nservice to our customers, and then to devise mitigation \nmeasures together with the government.\n    We simply do not have that ability, nor, obviously, is that \nour expertise. Our expertise is running power systems. And so \nas I said, there is this gap. Could it be filled in some \ninformal way? Yes, but the problem is when you get into a real \nemergency, there need to be lines of communication and \nprocedures that are set up, practiced and drilled so that we \nknow that information will get down to the people who need to \nactually put it into effect.\n    Chairman Lieberman. Ms. Santarelli.\n    Ms. Santarelli. 
Senator, when I look and I think about how \ncan the government help the private sector, I think it is \nimportant to understand that the ecosystem of the Internet is \nactually made up of multiple layers. We have the suppliers of \nequipment and information systems. On top of that, that \nequipment and the systems are pulled together to make the \ninfrastructure. On top of that, we have applications and \nsystems that ride and the content that rides on the network. \nAnd then beyond that, connecting it all together, we have our \nend user population. I like to call it Grandma and Grandpa \nchecking out the Internet at night or our kids that are on \nFacebook or whatever.\n    So when we look at this as from a pure network provider \nperspective, we are just one part of the ecosystem, and I do \nnot think any one part has the power or the ability to drive a \nsolution in terms of security threat. All of those layers need \nto work together, and I think that government can help us with \nthat.\n    You note in the bill in particular the dispensation for \nsecurity controls on your vendors. As one of the largest \npurchasers, we would like to see the government definitely \ndrive that into our equipment providers so that as we take that \nequipment and build networks and applications with equipment \nthat does have the security requirements.\n    Chairman Lieberman. Very good. Would either of you like to \nadd anything? Ms. Townsend.\n    Ms. Townsend. Senator, just very quickly, of course, the \ngovernment is the only entity capable of prosecution of crime, \nand so you are going to see acts that are crimes. But I would \nalso note that in the intelligence and national security arena, \nwe have seen instances in Estonia where one might rightly \nclassify a cyber attack as an act of war. And so the government \nmust play a role in working with the private sector. 
I \nabsolutely believe the government cannot run it uniquely, and I \nhave talked to the issue of the need for a public-private \npartnership. But we would be remiss if we did not believe that \nthe government has a very substantial role.\n    Chairman Lieberman. This is a most unusual area because we \nwent for long periods of our history--after the initial \nchapters of our history--without being attacked here in our \nhomeland, with the blessing of the protection that the oceans \ngave us. Then came Pearl Harbor, then another long period when \nwe feared attack but there really were not any during the \nCold War. Now, unfortunately, we have been regularly the target \nof attack by the Islamist terrorist movement. But now in a way \nthat is really totally unprecedented, through cyberspace, we \ncan be attacked from far away here in our homeland. And it \nseems to me that perhaps the most attractive, if I can use a \nbad adjective, targets for an enemy will be private sector \ntargets because of the extent to which our society depends on \nthem, whether the electric grid or a dam that is holding back \nan enormous amount of water that is controlled over the \nInternet.\n    I appreciate the answers that all of you gave, and to me it \nreally cries out for the kind of public-private collaboration \nthat we are talking about.\n    My time is up in this round. Senator Collins.\n    Senator Collins. Thank you, Mr. Chairman.\n    Ms. Townsend, I had a discussion with the previous witness \nabout the existing emergency authorities of the President that \nwere passed in the wake of the attack on Pearl Harbor in World \nWar II. Let me get your opinion on this issue. Do you believe \nthe existing emergency authorities, the authorities in current \nlaw, are sufficient for the President to deal with cyber \nattacks?\n    Ms. Townsend. Senator Collins, thank you for the \nopportunity to address that question. 
I can say unequivocally \nmy belief is that the existing authorities are not adequate, \nand they are ambiguous, as you noted.\n    I would say in the Cyber Shockwave exercise that I had the \nprivilege to participate in, Jamie Gorelick, the former Deputy \nAttorney General in the Clinton Administration, acted in the \nrole as the Attorney General, and she said that existing \nauthorities are not only inadequate, but that in the absence of \nadequate authorities, she made the point that a president in a \ncrisis will act and look to right it later with the Congress \nand the American people.\n    I do not think that is the way we want to behave. I think \nyou quite rightly point out that we ought to tackle the tough \nproblems up front and make sure that the President and the \nExecutive Branch have the authorities they need to act and that \nwe are comfortable balancing security versus privacy and civil \nliberties.\n    Senator Collins. Thank you. That is excellent testimony, \nand your point is very well taken. A President is going to act, \nand that is, frankly, also where you see abuses, where there \nare problems when there is not clear authority. So since it is \nso evident that cyber attacks are happening every day and are \nonly going to get worse, it just cries out for us to establish \nthe rules now in a thoughtful way.\n    Mr. Paller, I want to bring up a different issue with you \nwhich was prompted by your demonstrating your extraordinary \nknowledge of what is going on in the Federal Government. If \ngovernment agencies, as required by our bill, coordinate to \nestablish a government-wide security standard or set of \nstandards for the purchase of IT products, do you believe there \nwould be a favorable impact on price? In other words, if that \nhappens, is there a potential of saving taxpayers some money in \nthese purchases?\n    Mr. Paller. Thank you for asking that question. 
It actually \nnot only will save money for the government, it will actually \nmake a lot of money for the vendors. The same vendors that say, \nno, you are a bad human being to ask for that are going to make \na lot of money. Here is the example.\n    Do you remember when the Department of Veterans Affairs \n(VA) lost 17 million pieces of information?\n    Senator Collins. Yes.\n    Mr. Paller. Everyone wanted to encrypt their laptops. There \nwere millions of laptops in the government. The commercial \nprice for a laptop encryption was $243. The General Services \nAdministration (GSA) price was $97. It was not enough. I mean, \nthey did not have enough money to buy that.\n    They got together, the White House, DOD, the States \nactually got together, pooled their buying. They did not pick \none, they picked several. So it was not we are going to define \nyou are the winner, everybody else is the loser. But they \npicked several, and they negotiated prices in which that price \nwent from $97 to $11 in the first buy. But the amount of money \nthat the software--I built a software company. We in the \nsoftware business want the revenue. It is not the price per \npackage. Buying millions of copies at $11 still makes us a \nwhole lot more money than your buying five at $100,000 apiece.\n    So what you do when you do the buying together is you lower \nthe price across government, but you also radically expand \ntheir market, and they make more money. And the ones who win \nthat actually go on to take over markets all across the world \nbecause they were the ones that were selected for the \ngovernment buy. It is a win-win kind of operation.\n    Senator Collins. Thank you.\n    Mr. Naumann, your company operates in more than one sector \nof the economy, and thus, you are regulated by various Federal \nagencies. For example, you operate nuclear plants, correct? So \nyou are under the Nuclear Regulatory Commission. 
You also \noperate an electric transmission business that is regulated by \nthe Federal Energy Regulatory Commission (FERC). So because you \nhave experience in dealing with different regulatory agencies, \nI want to get your view on the need to have a Federal agency \ninvolved in addressing cyber security in a coordinated way \nacross all the critical infrastructures.\n    In other words, if we do not act to make clear who is doing \nwhat in cyber security, are you likely to be subject to \ndifferent standards by different agencies?\n    Mr. Naumann. Thank you, Senator Collins. That is correct. \nAt present, I will tell you the agencies, for example, the NRC \nand the FERC through the North American Electric Reliability \nCorporation, are trying to coordinate their cyber security \npolicies. Of course, that does not include, for example, in our \ncase the Illinois Commerce Commission, which has authority over \nour distribution network, and the Pennsylvania Public Utility \nCommission, which has authority over the network in \nPennsylvania.\n    Having one set of best practices, including the feedback \nthat the legislation contemplates of being able to go back and \nshowing how we would solve a problem, I think would make it \neasier not only for us; it would make it easier for the various \nregulatory organizations and be more cost-effective. So we \nwould support a single agency being the coordinator and then \ncascading down.\n    Senator Collins. Ms. Santarelli, same question for you.\n    Ms. Santarelli. Yes, Senator Collins. Thank you for the \nopportunity to comment on that. As a national infrastructure \nprovider, we agree with Mr. Naumann that it would be beneficial \nto us to have a single one voice into the government entities \nrather than having to work through multiple entities. 
As I \nmentioned in my oral testimony and my written testimony, it is \nvery important to us to continue to have the speed to respond \nto any threat in near real time, if not real time, and working \nacross multiple agencies I think could complicate that ability.\n    Senator Collins. Thank you. Thank you, Mr. Chairman.\n    Chairman Lieberman. Thanks very much, Senator Collins. \nSenator Carper.\n    Senator Carper. Thank you, Mr. Chairman. I just want to \nobserve, if I could, to our Chairman and Ranking Member that \nthe subject that is before us today can be pretty dense and \npretty hard to understand. And I say that as a guy who, until \njust a couple years ago, could barely spell the word FISMA, and \ntoday I actually understand what it means. And you have taken \nsome tough, complex subjects and made them really \nunderstandable, even for me, and I thank you for that. Really \ngood presentations and answers.\n    I have heard from Mr. Paller a number of times before, and \nI have always observed that your presentations are, I think, \nespecially effective. Have you ever thought of writing a book \non this subject?\n    Mr. Paller. If you look at my written testimony, it is \nreally long. [Laughter.]\n    Senator Collins. He already has.\n    Senator Carper. Fair enough. Sometimes I start off my \nquestioning when we have a second panel, I ask the second panel \nto look back at the testimony of the first panel and ask if \nthere was anything that you especially agreed with or disagreed \nwith from our first witness. And then I just want to ask you to \nkind of play off of each other and ask you to think about some \nof the things that your colleagues said during their testimony, \nand say, ``Well, I really agreed with that,'' or, ``Boy, they \nare out to lunch on that one.'' But go back to the first panel \nwith us. Anything that was said that you especially want to \nunderline or emphasize for us. If you would just start off, Ms. 
\nTownsend, please.\n    Ms. Townsend. Thank you, Senator. I do think I was struck \nby Senator McCain's question about partnership and Phil \nReitinger's answer. A quick vignette, I led the Katrina lessons \nlearned about how we could do things better, and I remember \ninterviewing General Russ Honore, and we talked about the \nnational incident commander's role to coordinate the response. \nAnd he had this great line that I never forgot. He said, ``You \nknow, when you have a coordinator, a coordinator starts out to \nmake a horse and ends up with a camel.'' And it was graphic \nenough and there is something to that.\n    And so I do think we have to be careful. That is why I said \nif DHS is simply in the role of coordinating, somebody does \nneed to lead. Senator McCain is quite right. I think DHS is \nright to lead, to understand where greater capability in the \ngovernment may reside to protect defense systems, intelligence \nsystems, but somebody must lead. I think that makes it \nespecially important that you have a White House office. \nEverybody needs a Daddy, and if this is----\n    Senator Carper. And a Mommy.\n    Ms. Townsend [continuing]. Inside DHS, that person will \nneed the gravitas of a White House office to break through the \ninteragency process that can only be done there. And so I do \nthink we have to be careful to make sure to give them the \nauthority to actually get the job done and then the link to the \nWhite House to implement it.\n    Senator Carper. All right. Mr. Paller.\n    Mr. Paller. Only one. When Mr. Reitinger was talking about \nthe people and how critical the people are, I think he was \nradically understating the problem. 
A man named Jim Gosler, who \nran the Clandestine Information Technology Office (CITO), in \nthe Central Intelligence Agency (CIA), said to a bunch of \npeople in the Pentagon and NSA, ``We have only a thousand \npeople that can fight at world-class levels right now.'' There \nwas another person at the meeting who was a senior DOD official \nthat was frowning, and I asked him why he was frowning, he \nsaid, ``Because I cannot get to a thousand.'' We need 20,000 to \n30,000 of those people.\n    The problem with what Mr. Reitinger is doing, is he is \ntrying to hire them away from other people. But if you only \nhave a thousand, you are just going to grab them from a DOD \ncontractor or a NSA contractor. He has to change his mood from \nwe are going to go get these people to we are going to go build \nthese people, and he has to really take that on. His legacy is \nthe building of those people because until DHS has that core of \nexcellent people who are not contractors but are inside the \norganization, they cannot compete with NSA and they cannot \ndefend the Nation.\n    Senator Carper. Good point. Thank you. Mr. Naumann.\n    Mr. Naumann. Senator, actually it was something you said \nabout----\n    Senator Carper. Something I said?\n    Mr. Naumann. Yes, sir. The difference between what is on \npaper and implementation. And for the electric power industry, \nwhen there is an immediate threat, having a single point of \ncontact to cascade that down with communications protocols and \nchannels that have been drilled and practiced is essential. \nWhen time is of the essence, there is no time for confusion. \nAnd so having the clear chain of command to get the information \nto us, to be able to work with us to devise mitigation, and get \nthat information out to the right people becomes essential. And \nthat involves the implementation and it involves drilling and \nit involves getting it right.\n    Senator Carper. Thank you. Ms. Santarelli.\n    Ms. Santarelli. 
Thank you, Senator Carper. When I was \nlistening to Mr. Reitinger's testimony and he spoke of a recent \nworm, Conficker, he shared some of the difficulties in working \nthrough all of the different agencies and getting information, \nit struck me because in my oral comments I referenced the same \nworm. And in the private sector, it was a different experience. \nWe very quickly pulled together a working group that stands \nover 30 entities strong with a lot of additional partners \noutside of that, a worldwide group of folks, technical folks \ncoming together to share, ``Hey, what worked for you? What is \nthe issue? What are you seeing?'' ``Hey, here is this IP \naddress. Here are where the machines are that you need to avoid \nand not interact with them.''\n    And so it struck me that partnership is important and that \nwe should learn from each other, because on the one side it \nworks so well in the private industry to be able to share that \ninformation live, and we would really look forward to working \nwith the Committee to share some of those best practices that \nwe have in our ability to communicate and interact with \norganizations like SANS and others to share that information. \nThank you.\n    Senator Carper. Thank you. One last quick question, if I \ncould. My colleagues have heard me say from time to time that \nthe role of government is to steer the boat, not row the boat. \nAnd another thing that has fascinated me for a long time is how \ndo we use market forces to try to drive good public policy \nbehavior?\n    Let me just ask, for those two principles, for me cardinal \nprinciples, how well do we do in terms of measuring up to those \nprinciples in the legislation that we have introduced? Ms. \nSantarelli, do you want to go first?\n    Ms. Santarelli. Yes. I think that there are some really \npositive aspects in the legislation that you have introduced. I \ndo like the ability to continue to grow in terms of the public-\nprivate partnership. 
I think that there is improvement in \nopportunities where we can work together to share information.\n    I would like to see and continue to work with the Committee \nto address some of the legal barriers that we believe are there \nthat restrict us a bit in terms of being able to share \ninformation. So we would like to see those barriers ironed out \na bit to ensure more success in our ability to share \ninformation.\n    Senator Carper. Thanks. Mr. Naumann.\n    Mr. Naumann. What this bill does is it puts an overlay on \nthe security and reliability processes the industry has now \nthrough the North American Electric Reliability Corporation \nsetting mandatory standards. It acts or puts into place \nsomething that really the government is the one who has that \ncapability on the intelligence gathering.\n    There are processes now. What is contemplated here is \nbetter because, as I said earlier, you need certainty and also \nthe feedback in providing industry solutions back to the \ngovernment to get the best solutions. And so what it does is it \nlets us do what we do best, and we do set through NERC cyber \nsecurity standards. But it puts an overlay on that for the part \nwhere the government has the real expertise, and that is simply \nnot our--intelligence gathering is not our job.\n    Senator Carper. All right. Mr. Chairman, could we hear just \nbriefly from Mr. Paller and Ms. Townsend?\n    Mr. Paller. I give you a 9.1. It is really well down.\n    Senator Carper. Was that on a scale of 100?\n    Mr. Paller. On a scale of 10--9.1.\n    Senator Carper. Thanks. Ms. Townsend, last word.\n    Ms. Townsend. Yes, I think the liability protection \nprovided in the bill is incredibly important for the private \nsector. 
If there is something I would strengthen, we have to \nprotect the information that we are encouraging be shared, and \nI think that is important whether it is traveling from the \nState and local level all the way up through the Federal \nGovernment to the private sector or the other way. We have to \nensure that across the spectrum of shared information we are \nmaking sure that the information is protected, or the private \nsector will not share.\n    Senator Carper. All right. Thank you all very much.\n    Chairman Lieberman. Thank you, Senator Carper.\n    Senator Carper. And, Mr. Chairman, thank you very much for \nallowing me to be a part of this trio, and I think we are on \nto something good here, and we very much look forward to \nworking with you.\n    Chairman Lieberman. Thank you. Our pleasure to work with \nyou, and you did say something, just in answer to your \nquestion.\n    I want to just highlight--and then we will let everybody \ngo--this last exchange because there is something I came to \nappreciate as we worked on this bill, and Senator Collins \nparticularly made a very significant contribution on this \npoint, which was that when we talk about the emergency \nauthorities of the President with regard to the most critical \nparts of cyberspace, a lot of what we are talking about is the \nimportance that the President has the capacity to say to an \nelectric company or to say to Verizon in the national interest, \n``There is an attack about to come,'' or ``We are in the midst \nof an attack, and I hereby order you to put a patch on this or \nput your network down in this part or stop accepting anything \nincoming from Country A.''\n    That might be the kind of thing that an individual company \nwould want to do or know they should do, but the potential \nliability in doing that is enormous, because in the normal \nbusiness sense, you might well be putting down operations with \nenormous financial consequences or losses. 
But it is in the \nnational interest to do that at that moment to stop greater \nlosses.\n    So I wanted to explain that just in this last line of \nquestioning and your answers to Senator Carper because that is \nreally what we have in mind. There is no authority here, as \nSenator Collins said at the beginning, for the President to \nhave the government take over cyberspace. It is really through \nthe National Cyberspace and Communications Center at DHS to \nissue orders probably as a result of previous agreement and \ncollaboration with the private sector, to do things that in a \nnormal business sense you would be hesitant to do, but in terms \nof national security there is no question that you should do \nit, and we should protect you from liability.\n    Do you want to add anything to that, Senator Collins? You \nmade a very important contribution to that part of the bill.\n    Senator Collins. Thank you. Mr. Chairman, I do think that \nwe got that right, and I very much appreciate the strong \ntestimony in support of it.\n    I just wanted to make a couple of final comments. This is \nvery complex legislation dealing with an extraordinarily \nimportant issue, and I want to thank our staffs and all the \nprivate sector partners that assisted us in drafting this bill. \nI think that is why I will say that I believe we have come up \nwith the best approach of all the bills that are out there. It \nis because we did get a great deal of advice, insight, and \ninput from the private sector partners, from former government \nofficials, and from current government officials.\n    So I just wanted to thank those individuals, many of whom \nare here or are represented here today, as well as our staffs \nfor their hard work. This has been a long time coming, but I \nthink we have produced a very good bill, and I thank you for \nyour leadership as well.\n    Chairman Lieberman. Thanks, Senator Collins. You are \nabsolutely right. It took longer than we wanted, really. 
A lot \nof it was because there was a lot of consultation. We tried to \ndo this in a collaborative way, and as a result I think it is a \nbetter bill.\n    Incidentally, we took a long time in getting to this point, \nbut now we have our foot on the gas, because this is really \nurgent. So we are going to report the bill out hopefully next \nweek, and as I said earlier, I believe Senator Reid is going to \ntry to bring the various bills together to reconcile \ndifferences and then schedule floor time this year to move this \nalong.\n    This has been an excellent panel. You have been helpful to \nus before today and today. I thank you very much for that.\n    We will leave the record of the hearing open for 15 days \nfor additional statements and questions, and with that, I thank \nyou and adjourn the hearing.\n    [Whereupon, at 5:08 p.m., the Committee was adjourned.]\n\n\n         SECURING CRITICAL INFRASTRUCTURE IN THE AGE OF STUXNET\n\n                              ----------                              \n\n\n                      WEDNESDAY, NOVEMBER 17, 2010\n\n                                     U.S. Senate,  \n                           Committee on Homeland Security  \n                                  and Governmental Affairs,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10:07 a.m., in \nroom SD-342, Dirksen Senate Office Building, Hon. Joseph I. \nLieberman, Chairman of the Committee, presiding.\n    Present: Senators Lieberman, Coons, and Collins.\n\n            OPENING STATEMENT OF CHAIRMAN LIEBERMAN\n\n    Chairman Lieberman. Good morning. The hearing will come to \norder. I apologize for being a little late. I was set to \nintroduce a nominee for a State Department position at the \nForeign Relations Committee, and they started a 9:30 hearing at \n10 o'clock, so I will blame it on them. 
But they blamed it on \nSecretary Clinton, so the line of accountability continues.\n    In a sense, this is a hearing to both remind us and educate \nthose who are watching--hopefully, the public and Members of \nthe Committee--about the reality of the cyber threat to the \nUnited States and how important it was that we work hard to \ndevelop cyber security reform legislation in this Congress, and \nhow unfortunate it is that the clock is going to run out on us \nbefore we have a chance to complete negotiations with other \ncommittees and with the Administration, who I regret to say, I \nthink did not engage as early and as fully in the process of \ndeveloping this legislation as was necessary.\n    But this Stuxnet story really takes the reality of the \nthreat to a new level, I believe, and I think should awaken any \nskeptics. And there are some, of course, who think that we are \noverstating the threat and, therefore, overreacting in the \npublic resources that we are devoting to the protection of our \ncyber systems here in America. Of course, I totally disagree \nwith that argument.\n    We have an extraordinary group of witnesses here today who \nwill not only explain to us what Stuxnet is but will, I hope, \ntalk more generally about the cyber threat to our country.\n    I will say, in terms of our legislation, that it is \ncertainly my intention--and I know it is Senator Collins'--to \ncome back to this legislation really early in the next session \nof Congress and try to get it out as soon as possible. And, \nagain, I want to say this will require more immediate and \nintense engagement by the Administration and by some of the \nother committees that claim jurisdiction here. We, of course, \nthink we are the ultimate source of jurisdiction for cyber \nsecurity matters that are non-defense, which is the Armed \nServices Committee. 
But this will be a real priority for the \nCommittee when the session begins next year.\n    Because I am late, I am going to put the rest of my \nstatement in the record \\1\\ and call on Senator Collins.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Senator Lieberman appears in the \nAppendix on page 124.\n---------------------------------------------------------------------------\n\n              OPENING STATEMENT OF SENATOR COLLINS\n\n    Senator Collins. Thank you, Mr. Chairman. I know that we \nhave votes starting at 11 o'clock this morning, so I am going \nto follow your lead. Let me just make a couple of comments.\n    Much attention has been paid to cyber crimes, such as \nidentity theft, and to cyber attacks that are intended to steal \nproprietary information or government secrets. But lurking \nbeyond those serious threats are potentially devastating \nattacks that could disrupt, damage, or even destroy our \ncritical infrastructure, such as the electric power grid, oil \nand gas pipelines, dams, or communication networks. These cyber \nthreats could cause catastrophic damage in the physical world, \nand this threat is not theoretical. It is real and present, and \nthe newest weapon in the cyber toolkit that was introduced to \nthe world in June when cyber security experts detected the \ncyber worm called ``Stuxnet,'' which demonstrates to us the \nextraordinary capacity that a worm could have to disrupt \nabsolutely critical infrastructure.\n    It is evident that the development of this very \nsophisticated malware was likely the work of a well-financed \nteam of experts with extensive knowledge of the targeted \nsystems. It is my understanding that more than 100,000 \ncomputers were infected and that the damage could have been \ncatastrophic.\n    Like Senator Lieberman, I believe that this problem is \nurgent. 
We have introduced bipartisan, comprehensive \nlegislation to deal with this threat. I personally think it is \nan ideal issue for the lame duck session of Congress to take \nup. My fear is that we will wait until we have a successful \ncyber September 11, 2001, before acting, so I would like to see \nus be proactive on this issue, and I believe our bill points \nthe way.\n    In the meantime, I look forward to hearing the testimony of \nall the extraordinary experts that we have today to shine a \nspotlight on what the impact would be of an attack on critical \ninfrastructure, an attack that this worm has made evident could \nhappen at any time.\n    Thank you, Mr. Chairman, and I would ask that my full \nstatement be put in the record.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ The prepared statement of Senator Collins appears in the \nAppendix on page 127.\n---------------------------------------------------------------------------\n    Chairman Lieberman. Without objection. Thanks, Senator \nCollins. Just listening to you reminded me of something I heard \na businessman say a couple of days ago, which is that one of \nthe problems with our government is that too often \nmetaphorically it waits until there are four or five major car \naccidents at a cross-section before it decides to put up a \nstoplight. And we want to make sure that we put the stoplight \nand the protections up before we have not just an accident but \nsuffer a major attack.\n    When my staff presented the memo to me about this hearing, \nincluding the description of the witnesses, my reaction was we \ncould not have a better group of witnesses. And I really \nappreciate both your work in this area and your presence here \ntoday.\n    We are going to begin with Sean P. McGurk, Acting Director, \nNational Cybersecurity and Communications Integration Center at \nthe U.S. Department of Homeland Security. Good morning, Mr. 
\nMcGurk.\n\n    TESTIMONY OF SEAN MCGURK,\\1\\ ACTING DIRECTOR, NATIONAL \nCYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER, OFFICE OF \n CYBERSECURITY AND COMMUNICATIONS, U.S. DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Mr. McGurk. Good morning, Chairman Lieberman and Ranking \nMember Collins. My name is Sean McGurk. I am the Acting \nDirector for the National Cybersecurity and Communications \nIntegration Center, and up until recently I was the Director \nfor the Control Systems Security Program and the Industrial \nControl Systems Cyber Emergency Response Team (ICS-CERT) also \nat the Department of Homeland Security (DHS). The Department \ngreatly appreciates this Committee's support in our ongoing \nefforts to identify cyber threats and to combat cyber concerns \nin the critical infrastructure, and in addition, I appreciate \nthe opportunity to appear before you today to provide some \ninsight into the activities that we have analyzed and \nidentified in relation to Stuxnet.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. McGurk appears in the Appendix on \npage 129.\n---------------------------------------------------------------------------\n    I would like to discuss the importance of securing these \ncontrol systems and how they significantly differ from the \ninformation technology systems that we have been focusing on \nover the past few years, and to also discuss DHS' approach in \naddressing cyber threats and cyber risks as they apply to the \ncontrol system. And, finally, I would like to spend a few \nminutes discussing Stuxnet itself and how Stuxnet has changed \nthe landscape when it comes to critical infrastructure.\n    Something as simple and innocuous as this becomes a \nchallenge for all of us to maintain accountability and control \nof our critical infrastructure systems. This actually contains \nthe Stuxnet virus.\n    Chairman Lieberman. Mr. 
McGurk, take just a moment and \ndefine a control system.\n    Mr. McGurk. Yes, sir. A control system in our common \nterminology is any of the automated or embedded systems that we \nuse in our day-to-day activities. The National Infrastructure \nProtection Plan has identified 18 critical infrastructures in \nthe United States. As you are all well aware, the foundational \nelement between those 18 critical infrastructures are control \nsystems. Energy is different than water which is different than \nnuclear, but the fundamental foundation is those control \nsystems, those automated, digital-to-analog robotic systems \nthat manufacture cars, purify water, generate electricity, or \nactually produce the goods and services that we rely on on a \nday-to-day basis.\n    So recognizing the unique nature of those systems, the \nDepartment created the Control System Security Program back in \n2004 to address those challenges.\n    Much of what we have learned from information technology \npractices are basic principles that we can apply, but just the \nnature of these operational systems requires us to take a \ndifferent approach in protecting them. How we protect the \nsystems that generate power, purify our control over traffic \nflow systems, or our rail and aviation transportation systems \nis fundamentally different than the way we protect our \ninformation technology infrastructure. That is why the \nDepartment takes this all-hazards, all-risk approach when \nidentifying those challenges.\n    In order to focus on that foundation, the Control System \nSecurity Program has established many activities in order to \nincrease the level of awareness for the control systems \ncommunity. One of those activities involves a Workforce \nDevelopment Program. 
In partnership with the Idaho National \nLab, we have built a very comprehensive and extensive hands-on \ntraining environment where, working with the private sector and \nwith other Federal departments and agencies, we have been able \nto train over 16,000 individuals, both asset owners, operators, \nand vendors and other Federal agencies, in control systems \nsecurity--again, focusing on the unique nature between \ninformation technology and control systems.\n    We have also worked closely with the standards community to \nensure that we are focusing on how to apply those principles \nand practices from information technology into a control \nsystems environment. It is very important to recognize those \nunique requirements and the differences between the systems and \nnot try to apply a one-size-fits-all.\n    In order to support the asset owner and operator community \nin the private sector, we developed a series of tools that \ncould be used in order to enable a self-assessment of the \ncontrol systems security. There are many automated systems that \nenable the evaluation of information technology and enterprise \nnetworks, but we needed to focus on those unique \ncharacteristics of control systems. Subsequently, we worked \nwith the Department of Energy laboratory community and \ndeveloped these tools so that we could actually apply them in \nthe general public.\n    In addition to the 16,000 personnel that we have trained, \nwe have also trained partners in 30 different countries to \nincrease the level of awareness of industrial control security. \nWe actually chair an international body focusing on increasing \nthe level of awareness for industrial control, and we have also \nconducted more than 50 on-site assessments at facilities \nthroughout the United States, in 15 different States and three \nterritories. We plan on increasing that level of activity in \nthe coming years.\n    ICS-CERT also maintains fly-away teams. 
These fly-away \nteams are incident response teams that work with the private \nsector asset owners and operators upon request to do either \nremote maintenance and analysis or physical analysis. When \nrequested, we will deploy a team. They will assist asset owners \nand operators in identifying restoration methods, digital media \ncapture methods, and then we will conduct the analysis to \ndetermine what the extent of the vulnerability is and what the \npotential impacts are. We do this in order to understand the \noverall risk profile to an industrial control environment, \nlooking at the threats, the vulnerabilities, and then \npotentially the consequences. And then we work closely with the \ncommunity, the asset owners, operators, and the private sector \nto build those mitigation strategies.\n    When the Department first identified a vulnerability back \nin 2007 that we termed ``Aurora''--which had to do with hacking \ninto and modifying settings in digital protective networks, \nphysically destroying electric generation capacity--we \nrecognized the need to partner closely with industry so that we \ncould develop mitigation strategies that were sector-specific. \nFundamentally, what fixes the energy sector may not work in the \nwater sector, so that is why it is important for the Department \nto continue to partner with those 18 sectors to identify proper \nmitigation strategies. We understand we need to work with the \nbroad community in order to be effective in mitigating the \nrisk.\n    We also generated fly-away team checklists. 
Up until this \npoint, the understanding of what data was necessary to identify \nrisks to control systems was not well understood, so we worked \nwith academia and with other researchers to identify those \ndigital capture methods so that we could actually build a \nforensic path to enable us to actually identify variants of \nvulnerability such as Stuxnet.\n    The Department operates a malware lab; this is a physical \nlaboratory where we can actually install equipment and analyze \nhow it operates. In the case of Stuxnet, we were able to \nconfigure the actual manufacturer's equipment in a live \nenvironment and not only dissect the code to determine what it \nis capable of doing, but actually analyze what it does once it \ngains access to the equipment. So that gives us a better \nunderstanding of not just the analytics behind the code itself, \nbut also its impact in a physical infrastructure. So the \nDepartment still maintains that capability, and we share that \nwith the general public.\n    We also look at our responsibility to continue to partner \nwith the Federal departments and agencies to ensure that we are \nsharing the information as we analyze it. It is important for \nus to recognize that the intelligence community and the law \nenforcement community have their responsibilities in these \nareas, and we provide the intellectual capability behind it \nfrom a very unique skill set of industrial control to forward \ntheir efforts as well. So as we analyze the data, we share that \ninformation with the intelligence community, the law \nenforcement community, and other departments and agencies at \nthe State and local level so that they understand the impacts \nof something like Stuxnet.\n    As I said, Stuxnet is a one-of-a-kind type of situation. We \nhave not seen this coordinated effort of information technology \nvulnerabilities, industrial control exploitations, completely \nwrapped up in one unique package. 
For us, to use a very \noverused term, it is a game changer. Stuxnet actually modifies \nnot only the physical settings of an information technology \nsystem, but it also modifies the physical settings of a process \ncontrol environment.\n    Essentially, if I wanted to find out what the process is \ndoing, I have the capability of removing those files or \nexfiltrating the data, so I do not have to break into the front \ndoor and actually steal the formula or the intellectual \nproperty of what you are manufacturing. I can actually go to \nthe devices themselves, read the settings, and reverse engineer \nthe formula for whatever the process is that is being \nmanufactured. In addition, I can make modifications to the \nphysical environment so that you would be unaware of those \nchanges being made, and subsequently it would have an adverse \nimpact on the environment.\n    So the products that you are producing may not be of the \nspecifications that you originally analyzed because Stuxnet \ndemonstrates the capability of bypassing the safety and \nsecurity systems to go down to the root level to make those \nchanges; so the operator may believe the indicators on the \npanel are accurate, but, in fact, there is malicious activity \noccurring at the base level. These are capabilities that we \nhave seen demonstrated in Stuxnet that we have never seen \nbefore in any analysis of code that we have conducted.\n    Now, as I mentioned, there is a significant amount of \nconcern also. Stuxnet is a pathway that people can then \nexploit. It has basically been a road map, and it was written \nin a modular format so that people could actually remove the \nvendor-specific payload, that malicious code that attacked the \ncontrol system, and substitute it with any other type of \ncontrol system code that they desire. So it was written in such \na way that it allows that flexibility and capability, and that \nreally causes us concern as we move forward. 
And that is why we \ncontinue to partner with the departments and agencies and the \nprivate sector to analyze the capabilities and the risks \nassociated with Stuxnet.\n    Again, Chairman Lieberman, Ranking Member Collins, I \nappreciate this opportunity today to appear before you, and I \nam standing by and happy to answer any questions. Thank you.\n    Chairman Lieberman. Thanks, Mr. McGurk. That was a very \ngood beginning, both very informative and, frankly, chilling in \nterms of the effectiveness of Stuxnet. You could make a lot of \ncomparisons to guided missiles and multiple independently \ntargetable reentry vehicles (MIRVs) and all the rest, and from \nan earlier time of combat but quite something.\n    Michael Assante, who has a long background in this area, is \ncurrently president and chief executive officer of the National \nBoard of Information Security Examiners. Thanks for being here.\n\n    TESTIMONY OF MICHAEL J. ASSANTE,\\1\\ PRESIDENT AND CHIEF \n   EXECUTIVE OFFICER, NATIONAL BOARD OF INFORMATION SECURITY \n              EXAMINERS OF THE UNITED STATES, INC.\n\n    Mr. Assante. Thank you. Good morning, Chairman Lieberman \nand Senator Collins. I am coming here today in the capacity of \nthe National Board of Information Security Examiners of the \nUnited States, Inc. (NBISE), but also a lot of work that I have \ndone in the field of critical infrastructure protection with a \nfocus on control system security. I am pleased that this \nhearing is taking place today to explore the implications of \nvery advanced cyber threats on our Nation and our critical \ninfrastructure. The Stuxnet code is a very worthy centerpiece \nfor this discussion today. 
Even though it is, I believe, \nneither the first nor will it be the last attempt to compromise \nand use an operational system to effect physical outcomes, \nStuxnet is, at the very least, an important wake-up call for \ndigitally reliant nations; and at worst, it is a blueprint for \nfuture attackers.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Assante appears in the Appendix \non page 142.\n---------------------------------------------------------------------------\n    My remarks today will paint a very difficult challenge, but \nit is important to note that I remain an optimist. This Nation, \nas it has done countless times in past contests, should turn to \nits men and women, both in and out of uniform, to muster an \neffective defense. Our obligation is to best organize, train, \nand equip these individuals to be successful in this very \nimportant task.\n    Stuxnet is a highly disruptive innovation. Simply put, \nPandora's box was opened years ago as the United States became \nreliant on digital technology to help operators complete and \ncontrol complex processes. Stuxnet is an important harbinger of \nthings that I believe may come if we do not use this \nopportunity to learn about the risks to our infrastructures. No \none should be shocked by the cyber exploits that can be \nengineered to successfully compromise and impact control \nsystems. Study after study has identified common \nvulnerabilities found across control system products and \nimplementations.\n    Stuxnet is the best example of a cyber threat that was \nthought to be hypothetically possible; that is, some would say \nthe fantastic story line of those that are just spreading fear, \nuncertainty, and doubt. Well, in this all too real story, \npossible did not merely just become probable, but it snuck onto \nthe world stage, undetected by defenders for months. 
Its \nfeatures, capabilities, the targeted technology, and the \npurpose should shock security professionals, engineers, \nbusiness leaders, and government leaders into action. And I say \nthis very important statement for the following three reasons.\n    First, it is important that we understand there is a very \nwell resourced group possessing the necessary motivation, who \nhave successfully acquired the knowledge, skills, and \ncapabilities to systematically develop and launch a highly \nsophisticated attack against control system technology. The now \npublic occurrence of such a cyber attack is very important \nbecause it dispels conventional thinking that it is just ``too \nhard'' for an attacker to assemble the necessary information, \ngain familiarity with the technology, and acquire the knowledge \nof specific implementations to devise an attack that could \ndisrupt or damage the physical components of an industrial \nprocess. It is simply not true.\n    What is shocking to control system security experts is not \nthat it was done, but that it was done in such a manner as to \nrely upon pre-programmed code, one that had the ability to \nautonomously analyze the system that has been compromised and \nidentify very specific conditions desired for the delivery of \nits ``digital warhead.''\n    The lesson that we must not gloss over is that highly \nresourced actors can assemble people and the capability to plan \nand to deal with system variances, anticipated security \ncontrols, obscure and proprietary technology, and complex \nindustrial processes.\n    Second, we must understand that the attacks that we should \nbe most concerned with are not designed to disable their \ndigital targets, but to manipulate them in a very unintended \nfashion. 
Many professionals have limited their thinking to \ndealing with the loss of individual elements or components of \ntheir control systems and have failed to fully embrace the \nimplications of calculated misuse.\n    In modern control systems, most of the process safety \ndepends on logic that is found in the controllers. By analyzing \nthis code, one can not only determine what the engineer wants \nto happen but also what the engineer wants to avoid.\n    Finally, our current defense and protection models are not \nsufficient against highly structured and resourced cyber \nadversaries capable of employing new and high-consequence \nattacks. Our defensive thinking has been shaped by the more \nfrequent and more survivable threats of the past. This means \nthat while current cyber defense tactics, security \narchitectures, and tools are necessary and can be responsive to \nthe most likely of threats, they are not sufficient to deal \nwith emerging advanced threats. The optimist always points to a \nnew type of security tool or practice as the solution to \ncurrent protection inadequacies. But should we not believe that \nif it had been necessary to assure their success, the authors \nof the Stuxnet worm would have simply developed a way to \ncounter any near measures that we would have fielded in force.\n    This requires us to consider not only security but also how \nwe can design and engineer survivability into our complex \nsystems and achieve a level of resilience not only in our \norganizations but to our technology and our processes, and \nbetter prepared to respond and recover to these types of \nadvanced threats. The susceptibility of our modern \ninterconnected and digitally reliant infrastructures is well \nestablished.\n    I would also like to spend a minute on the flaws of our \ncurrent efforts to regulate cyber security. 
The North \nAmerican Electric Reliability Corporation (NERC)-developed \ncritical infrastructure protection (CIP) reliability standards \nrepresent a very early attempt to manage cyber security risks \nthrough mandatory standards with very significant penalties for \nnoncompliance. It is clear to me that the standards as written \nand implemented are not materially contributing to the \nmanagement of risk posed by very advanced cyber threats, such \nas the Stuxnet worm.\n    The standards are comprised of 43 specific requirements \ndesigned to provide what I would call a minimum set of \npractices that, if properly implemented, should serve as a \nsimple foundation to build from. Many of the requirements \nshould have already been commonplace in the industry but were \nnot.\n    The standards also include significant gaps and exclusions, \nbut their greatest weakness is in how they have been \nimplemented. The result has been a conscious and inevitable \nretreat to a compliance- or checklist-focused approach to \nsecurity. Unfortunately, the NERC CIP standards have become a \nglass ceiling for many utility security programs, which \nprevents the emergence of the very type of security programs we \nneed to deal with Stuxnet-like attacks.\n    Regulation, although necessary, should be re-evaluated and \ndesigned to emphasize learning, enable the development of \ngreater technical capabilities, require qualified staffs, and \ndiscourage the creation of a very predictable and static \ndefense.\n    We must recognize that we are in the time of Stuxnet, and \nin turn, it is the time to be honest. We do not have immediate \ntechnical answers to better protect industrial control systems \nfrom Stuxnet-like attacks. We do not have effective \ndefenses, and we do not have adequate detection techniques. We \nlack a functioning information-sharing and learning framework \nand have limited abilities to apply new-found knowledge. 
The \npublic-private partnership has failed to produce satisfactory \nresults in these areas.\n    We must develop and implement protection strategies that \naccept the unfortunate reality that many of our networks are \nalready contested territory. Accepting this very important \nassumption will help stimulate industry and community efforts \nto develop new and improved approaches to addressing the most \nmaterial of risks.\n    Why did some not see this coming? Well, significant cause \nfor concern is that much of the information about cyber \nsecurity-related threats remains classified in the homeland \nsecurity, defense, and intelligence communities, with \nrestricted opportunities to share information with the cyber \nsecurity researchers, technology providers, and possibly \naffected private asset owners.\n    I would like to specifically emphasize one of the necessary \ninvestments to combat advanced cyber threats like Stuxnet. \nThrough the years, working as the chief security officer at a \nmajor utility, or by supporting researchers in a national \nlaboratory, and coordinating protection efforts while I was at \nNERC, I have gained an appreciation for the importance and the \ndifference made by skilled and well-developed people. As in \nthis case, you must have a human complement up to the task of \noptimally detecting and calling out the faint signals by which \nthese attacks sometimes announce themselves.\n    I have never understood why we have not embraced better \ntraining and development methods for our front-line security \nand operations staff. We train pilots using advanced simulators \nto deal with very difficult conditions and mechanical failures. \nWhy do we not use simulators to allow security and operational \nstaff to experience low-frequency but high-consequence attacks \nagainst systems and designs? Mr. 
McGurk's program that helps \ndevelop that is a great first step.\n    Why do we not use performance-based examinations to qualify \nour professionals? We have allowed chance to be our schoolhouse \nwhere targeted organizations simply suffer in silence, not \nwilling to pass along the tough lessons that they have learned \nto others.\n    I commend this Committee for its exploration of the \nimplications that advanced threats like Stuxnet pose to our \ncritical infrastructure and to our Nation. We must waste no \nmore time debating our susceptibility. We must accept that \nwell-resourced adversaries are capable of causing damage to \nindustrial processes in very difficult to anticipate ways. I \nbelieve the following steps are necessary.\n    We must remove and remediate architectural weaknesses, \nknown vulnerabilities, and poor security designs in industrial \ncontrol system technology over time.\n    We need to promote greater progress designing and \nintegrating security and forensic tools into control system \nenvironments.\n    We must prioritize our efforts by jointly studying the \npotential consequences that may result from directed and well-\nresourced attacks of control systems and protection systems in \nhigh-risk segments of our critical infrastructure. In the cases \nwhere the consequences are absolutely unacceptable, we must \nassume that an attacker can successfully defeat our security \nand, therefore, direct our efforts to engineering away the risk \nthat more survivable designs and practices might be able to \nobtain.\n    We need to organize a well-funded, multi-year research \nprogram to design toward a more resilient infrastructure, \nespecially in the area of industrial and digital control \nsystems.\n    We must establish new regulation in the form of performance \nrequirements that value learning, promote innovation, and \nbetter equip and prepare control system environments and the \nteams that protect, operate, and maintain them. 
The current \nregulatory structure will not, in my view, be capable of \nachieving this end.\n    We must require critical infrastructure asset owners and \ncontrol system vendors to report industrial control system-\nspecific security incidents.\n    We must task appropriate U.S. Government agencies to \nprovide up-to-date information to asset owners and operators on \nobserved adversary tactics and techniques, especially when \ninvestigations reveal attacker capabilities to side-step or \nexploit the very security technologies we rely upon.\n    We must invest in the workforce that defends and operates \nour infrastructure systems. We need scalable, immersive, hands-\non training environments, and local simulator training \ntechnology should be used to optimize the development of this \nworkforce. The same workforce should then be qualified through \nperiodic rigorous performance-based assessments and, where \nappropriate, examinations.\n    In conclusion, my greatest fear is that we are running out \nof time to learn these important lessons. Ultimately, we know \nthat our conventional approach to more common security threats \nwill be necessary but woefully insufficient to protect us from \nthreats like the Stuxnet worm. We must act now to develop our \ngreatest resources in this important contest. That would be the \nprofessionals that defend, operate, and protect the critical \ninfrastructure and critical systems of this country. Thank you.\n    Chairman Lieberman. Thanks, Mr. Assante. Very practical and \nconstructive recommendations.\n    Dean Turner is our next witness, Director of the Global \nIntelligence Network at Symantec Security Response, Symantec \nCorporation. Thank you for being here.\n\n  TESTIMONY OF DEAN TURNER,\\1\\ DIRECTOR, GLOBAL INTELLIGENCE \n   NETWORK, SYMANTEC SECURITY RESPONSE, SYMANTEC CORPORATION\n\n    Mr. Turner. Thank you, Mr. Chairman and Ranking Member \nCollins. 
I would like to thank you for, of course, allowing us \nthe opportunity to appear here today and to discuss not only \nthe Stuxnet worm but how we can better begin to secure the \nindustrial control systems that underpin this country's \nnational critical infrastructure.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. Turner appears in the Appendix on \npage 156.\n---------------------------------------------------------------------------\n    As you have pointed out, I am the Director of Symantec's \nGlobal Intelligence Network. As a leader in the security space, \nSymantec welcomes the opportunity to provide comments to the \nCommittee as it continues its, arguably, important efforts to \nenhance the security of critical infrastructure systems from \ncyber attack. We believe that critical infrastructure \nprotection is an essential element of a resilient and secure \nnation.\n    Let me begin by providing Symantec's observations on \nStuxnet and offering our insights on the threat that the worm \nposes to this Nation's industrial control systems.\n    Symantec examined each of the Stuxnet components in order \nto better understand exactly how the threat worked in detail. \nWe found Stuxnet to be an incredibly large and complex threat, \nand it is the first threat that Symantec has identified that \ntargets critical industrial infrastructure and is written \nspecifically to attack industrial control systems used in part \nto control and monitor industrial processes. Not only can \nStuxnet successfully reprogram the programmable logic \ncontrollers (PLCs) that are part of these industrial control \nsystems, but it also, as Mr. Assante and Mr. McGurk have \npointed out, cleverly hides those modifications.\n    Stuxnet is able to accomplish this task via a rootkit, \nwhich is a type of malicious software that keeps itself hidden \nfrom the computer's operating system. 
Computer source code \ncontained in the PLC is the function that allows control \nsystems to operate and to control machinery in a plant or a \nfactory. The ability to reprogram this function allows for the \npotential to control or alter how the system operates.\n    We speculate that the ultimate goal of Stuxnet is to \nreprogram and sabotage industrial control systems. The threat \nis targeting a specific industrial control system, and that is \nthe one utilized by energy sectors, such as with a gas pipeline \nor power plant.\n    Stuxnet demonstrates the vulnerability of our critical \ninfrastructure industrial control systems to attack and, again, \nas other witnesses' testimonies today have pointed out, \nhighlights a problem and should serve as a wake-up call for our \ncritical infrastructure systems around the world.\n    The potential for attackers to gain control of critical \ninfrastructure assets, such as power plants, dams, and chemical \nfacilities, is extremely serious. Whether Stuxnet ushers in a \nnew generation of malicious code attacks toward critical \ninfrastructure remains to be seen. Stuxnet is of such \ncomplexity--requiring significant resources to develop--that \nonly a select few attackers are capable of producing such a \nthreat. So we do not expect masses of similar sophisticated \nthreats to suddenly appear.\n    Stuxnet does, however, highlight that attacks to control \ncritical infrastructure are possible and not just a plot in a \nspy novel. The real-world implications of Stuxnet are some of \nthe most serious that we have ever seen in a threat.\n    The intended target of Stuxnet is not known. We know even \nless about who could have written Stuxnet than the target \nitself. What we do know is that whoever was behind it has good \nknowledge of ICS systems, particularly those systems that were \ntargeted. 
Without better knowledge of the persons behind these \nattacks, it is nearly impossible to say with any certainty who \nwas ultimately responsible and what were the possible motives \nbehind the attack. The combination of sophisticated attacker \nand their target means that any speculation as to who was \nbehind that is just that: Speculation.\n    Symantec believes that education and awareness is a key \ncomponent to securing critical systems from cyber attack. From \nthe classroom to the boardroom, from the management level to \nthe security professional, education is needed to ensure \nsecurity is part of an organization's ethos. Good security \nrequires secure software and well-designed and maintained \nnetworks. In other words, security needs to be baked in from \nthe outset, and part of this is ensuring that all of those \ninvolved continuously maintain their skill sets in what is \narguably a fast-changing environment.\n    The question being asked now of security professionals \nassociated with U.S. critical infrastructure is what we should \nbe doing in response to this particular discovery.\n    The first obvious measure for protecting these types of \nsystems from Stuxnet and similar threats is to deploy up-to-\ndate anti-malware solutions. Unfortunately, many industrial \ncontrol systems today still need to be modernized in order to \nbe able to do just that.\n    The second most important element is to watch for vendor \nsecurity notifications and alerts and apply patches as soon as \npossible.\n    Last, but certainly not least, is to know your assets, \nidentify your perimeter of security operations, and maintain a \nhigh level of situational awareness to ensure you are aware of \nand can respond to these types of incidents in a timely manner.\n    Keeping in mind that over 85 percent of the U.S. critical \ninfrastructure is owned and/or operated by the private sector, \nSymantec commissioned a recent study on critical infrastructure \nprotection. 
Our goal here was to find out how aware critical \ninfrastructure companies were of government efforts in this \narea and to determine how engaged business was about working \nwith government. And we came up with four key findings from that \nparticular survey.\n    One, critical infrastructure providers are increasingly \nattacked.\n    Two, attacks on critical infrastructure are effective and \ncostly.\n    Three, industry wants to partner with government on \ncritical infrastructure protection.\n    And finally, fourth, critical infrastructure providers feel \nmore readiness is needed to counter these types of attacks.\n    Most telling was that respondents cited security training, \nawareness by executive management of serious threats, endpoint \nsecurity measures, security response, and security audits as \nthe major safeguard areas in need of the most improvement.\n    Since most of the Nation's cyber infrastructure is not \ngovernment owned, a public-private partnership of government \nand private stakeholders is required to secure the Internet and \nICS systems. Cooperation is needed now more than ever, given \nthat industrial control systems face an ever-increasing risk \ndue to cyber threats such as Stuxnet.\n    Toward that end, Symantec commends the Department of \nHomeland Security for their engagement with the private sector \non critical infrastructure protection. DHS has been a valuable \npartner to Symantec and others in the private sector, through \nthe Sector Coordinating Councils as well as the IT Information \nSharing and Analysis Center.\n    Symantec has provided input to DHS on the Comprehensive \nNational Cyber Initiative projects, and we have been engaged \nwith the Department on the National Cyber Incident Response \nPlan. Additionally, we participated in the National Cyber \nExercise, Cyber Storm III, which demonstrated the value of \noperational incident collaboration across the public and \nprivate sectors. 
Further, we have held several briefings with \nDHS to share our expertise on Stuxnet and how critical \ninfrastructures can better secure their systems against these \nthreats. We look forward to continuing to partner with DHS and \nother agencies on the many issues and preparedness activities \nrelated to the Nation's critical infrastructure protection.\n    Stuxnet demonstrates the importance of public-private \ninformation-sharing partnerships across the entire critical \ninfrastructure community. While DHS has made strides to partner \nwith control system vendors through its ICS-CERT, it should \nbuild on its 2009 ``Strategy for Securing Control Systems'' and \nenhance its control systems partnerships by including the IT \nand IT security communities, who have traditionally worked with \nthe DHS U.S. Computer Emergency Readiness Team (US-CERT). \nCross-collaboration within DHS is the key to improved \nsituational awareness and operational response, and DHS should \ncontinue its efforts to integrate these functions.\n    Until there is greater coordination between IT and IT \nsecurity vendors and the industrial control systems owners and \noperators, there is an increased risk that multiple \norganizations will conduct duplicative work and miss \nopportunities to learn from and collectively respond to \nthreats. We recommend that DHS further enhance information \nsharing on control systems vulnerabilities with the IT and IT \nsecurity communities and continue to work on integrating its \ninformation-sharing capabilities to improve situational \nawareness and operational response partnerships with industry.\n    In closing, Symantec would like to convey our strong \nsupport for the Protecting Cyberspace as a National Asset Act. \nWe believe that this important legislation will enhance and \nmodernize the Nation's overall cyber security posture in order \nto safeguard the critical infrastructure from attack. 
The bill \nalso importantly recognizes cyber security as a shared \ngovernment and private sector responsibility, one which \nrequires a coordinated strategy to detect, report, and mitigate \ncyber incidents. We look forward to working with the Committee \nto help advance this important legislation.\n    Thank you for the opportunity to testify today. We remain \ncommitted to continuing to work in coordination with Congress, \nthe administration, and our private sector partners to secure \nour Nation's critical infrastructure from cyber attack. And I \nwill be happy to respond to any questions the Committee may \nhave.\n    Chairman Lieberman. Thanks very much, Mr. Turner. Thanks \nfor your specific explicit endorsement of the legislation, \nwhich Senator Collins and I introduced and which the Committee \nreported out unanimously, obviously across party lines, and \nreally thank you for the fact that your entire statement was \nreally an explanation, in a sense a call to action for us to \npass such legislation and to create a public-private alliance \nhere to protect our country from this very serious threat.\n    Mark Gandy is our last witness. He is the Global Manager of \nInformation Technology Security and Information Asset \nManagement at the Dow Corning Corporation. Thank you for being \nhere.\n\n  TESTIMONY OF MARK W. GANDY,\\1\\ GLOBAL MANAGER, INFORMATION \n   TECHNOLOGY SECURITY AND INFORMATION ASSET MANAGEMENT, DOW \n                      CORNING CORPORATION\n\n    Mr. Gandy. Thank you. Good morning, Chairman Lieberman, \nRanking Member Collins, and Members of the Senate Homeland \nSecurity Committee. My name is Mark Gandy, and I am the Global \nManager of Cybersecurity for the Dow Corning Corporation. I am \nalso Chairman of the American Chemistry Council's Cybersecurity \nSteering Committee.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statement of Mr. 
Gandy appears in the Appendix on \npage 165.\n---------------------------------------------------------------------------\n    To begin, I would like to thank the Committee for holding \nthis important hearing today on the critical issue of cyber \nsecurity. While I realize this is not a legislative hearing, I \nwould like to commend your efforts in crafting bipartisan \nlegislation during this Congress that effectively balances the \nneed for increased vigilance through the promotion of a risk-\nbased framework whereby the critical infrastructure sectors can \nappropriately address their cyber threats.\n    The American Chemistry Council (ACC) and its members stand \nready to support a continued momentum on this issue as we \nproceed into the next Congress. Today I will be making comments \nor statements on behalf of the American Chemistry Council.\n    The ACC represents the leading chemical companies in the \nUnited States. The business of chemistry is a critical aspect \nof our Nation's economy, employing more than 800,000 Americans \nand producing more than 19 percent of the world's chemical \nproducts. In fact, more than 96 percent of all manufactured \ngoods are directly touched by the business of chemistry.\n    Cyber security is a top priority for ACC and the chemical \nsector. Because of our critical role in the economy and our \ncommitments to our communities, security is a top priority for \nACC members.\n    In 2001, our members voluntarily adopted an aggressive \nsecurity program--the Responsible Care Security Code (RCSC)--\nwhich is mandatory for all members of the ACC. The RCSC is a \ncomprehensive security management program that addresses both \nphysical and cyber security and requires a comprehensive \nassessment of security vulnerabilities and risks and the \nimplementation of protective measures across a company's entire value \nchain. Each company's security plan is then reviewed by an \nindependent third-party auditor. 
The RCSC has been a model for \nState-level chemical security regulatory programs in New \nJersey, New York, and Maryland and was deemed equivalent to the \nU.S. Coast Guard's Maritime Transportation Security Act.\n    Public-private partnerships are vital to winning the war on \ncyber terrorism. The ACC and its members have been proactively \nengaged with the former and current administrations on \nimproving cyber security. In June 2002, ACC members began \nimplementation of the Chemical Sector Cybersecurity Strategy, \nwhich was referenced by the Bush Administration's National \nStrategy to Secure Cyber Space of 2003. ACC participated in the \nWhite House 60-day cyber policy review, and our cyber experts \nwork closely with the DHS National Cybersecurity Division in \nmany areas, including national Cyber Storm exercises, \ninformation-sharing programs, and development and \nimplementation of the road map to securing control systems in \nthe chemical sector.\n    ACC was gratified that in 2009 the Obama Administration \nmade cyber security a top priority. A 2009 program update can \nbe found on the Obama Administration's Web site, ``Making \nStrides to Improve Cybersecurity in the Chemical Sector.''\n    Since 2001, ACC members have invested more than $8 billion \nin security enhancements, including both physical and cyber \nsecurity protections. 
Security in all its dimensions continues \nto be a top priority for ACC and the chemical industry, and our \nrecord of accomplishment and cooperation with Congress, DHS, \nand others is undisputed.\n    Considering the industry's perspective on the increased \nthreat, we have seen the threat landscape evolve from \nrelatively unorganized, unsophisticated exploits of virus and \nworm activity with a notoriety objective--making a name for the \nhacker--to increasingly more sophisticated and economically \ndisruptive attacks to network computing into today's relatively \nsophisticated and stealthy threats that target intellectual \nproperty for economic gain and are potentially disruptive to \noperational stability of critical infrastructure.\n    However, while the threat landscape is evolving in \nsophistication and intent, many vulnerabilities exploited \nremain relatively unsophisticated, whereby well-known counter \nmeasures are possible. Cyber threats to control systems are \nevolving in complexity and sophistication as well-funded and \nhighly motivated groups become more active. Specifically, \nStuxnet is more advanced with respect to a targeted control \nsystem attack by a knowledgeable subject matter expert using \ntypical technology exploits of common vulnerabilities inherent \nin any system. Stuxnet demonstrates that threats to process \ncontrol systems are real and need to be a significant part of \nthe cyber security risk management equation.\n    The industry recognizes the vulnerabilities of industrial \ncontrol systems as they have increasingly become enterprise \nnetwork connected. 
The threat is serious and the industry is \nresponding by increased preparation and response planning with \nsignificant resources.\n    In response to the evolving threat landscape and the \nrelatively commonly avoidable exploits, the industry is working \nproactively to improve information sharing among the industry \nand with government about threats, working with technology \nsuppliers and the U.S. Government to enhance the robustness of \ncontrol systems through the development of international \nstandards for improved security of control systems, and \ndeveloping and publishing risk management best practices and \nsecurity guidance that help owner-operators better prepare and \nrespond to cyber threats such as Stuxnet.\n    The industry approach is a comprehensive risk management \nstrategy that includes proactive steps through ACC and the U.S. \nGovernment, emphasizing the importance of effective threat \nand best practice information sharing and robust technology \nsolutions. Our sector is also leading the development of \ncomprehensive international standards by the International \nSociety for Automation. These standards will lead to the \ndevelopment of control systems that are more resilient to cyber \nattacks.\n    ACC and its members are also actively engaged in the road \nmap to secure control systems in the chemical sector along with \nour active partnerships with DHS and the Chemical Sector \nCoordinating Council. These and other activities make up a \ncoordinated comprehensive sector program that was significantly \ninformed through participation in exercises such as the \nrecently completed Cyber Storm III.\n    In summary, the ACC and its members remain committed to \nadvancing cyber security practices and systems in the chemical \nindustry by working in partnership with Congress, DHS, \ntechnology organizations, and developers. 
Working with the \nchemical sector at large, we are improving how we share \ninformation and striving for continuous improvement of critical \ncontrol systems that are protected from the loss of critical \nfunction during a major cyber event.\n    The Federal Government plays a crucial role in helping the \nsector to achieve this goal by creating and supporting programs \nand incentives that promote advances in new technologies and \nstandards and upgrading of legacy systems across the sector.\n    Sharing of timely and actionable threat information with \nthe private sector and working together on risk-based solutions \nthat focus on the resiliency of control systems should be an \narea of heightened attention and focus to mitigate the evolving \nthreats.\n    And, last, identifying and holding accountable those who \nattack our critical cyber infrastructure, whether it is for \nnotoriety or for financial gain, must be a priority.\n    That concludes my opening statement. We have submitted a \nwritten statement for the record. Thank you for this \nopportunity to present on behalf of the ACC, and I will be \nhappy to take any questions that you have. Thank you.\n    Chairman Lieberman. Thanks, Mr. Gandy. Encouraging to hear \nthat private sector response to the growing threat, and your \nstatement, along with others, will be entered into the record.\n    I want to just formally welcome Senator Coons for the first \ntime. He was sworn in 2 days ago as the new Senator from \nDelaware. There is a great tradition of Delaware Senators \nserving on this Committee. I know you bring extraordinary \nexperience and ability, and we look forward to working with you \non the Committee.\n    Senator Coons. Thank you, Mr. Chairman.\n    Senator Collins. Let me join the Chairman in also welcoming \nSenator Coons to our Committee. 
As he mentioned, I think there \nhas been a Senator from Delaware on this Committee going back \nto Bill Roth's days for decades.\n    Chairman Lieberman. Bill Roth, right.\n    Senator Collins. And we are delighted to have you join us \nand hope it will be a permanent assignment. I know that is \nstill up in the air. Thank you.\n    Chairman Lieberman. Me, too. Thanks, Senator Collins.\n    I think we will do 6-minute rounds here so we can try to \ngive everybody an opportunity in case the vote actually goes \noff on time at 11 a.m.\n    This has been excellent testimony, and what it reminds me \nof, obviously, as a lay person, if you will, here, is that \ncyberspace is a lot different from the normal space we occupy, \neven in terms of what we are describing as the threat. I think \nyou, Mr. Turner, said something so interesting, which is we \nreally do not know who the attacker was in the Stuxnet case. \nThat I can understand because of all the difficulty. But what \nis fascinating is that--and I believe I understand this--we do \nnot know what the target was either. But we know that there was \na Stuxnet attack and that it is real.\n    So, Mr. McGurk, maybe I will start with you on this to help \nour education because my understanding is--and I say this with \npride--that the Department of Homeland Security's Industrial \nControl Systems Computer Emergency Response Team, which we call \nmore simply ICS-CERT, played a critical role in unraveling \nStuxnet. So help us understand a little more what this thing \nis, whose origin and destination we do not understand.\n    Mr. McGurk. Yes, Senator. Thank you for that opportunity. \nAs you had mentioned, the ICS-CERT took the initial focus of \nanalyzing what the capabilities of Stuxnet were. In order to \nunderstand its code, we identified by reverse engineering the \nphysical attributes of the code and how it actually exploited \nthe information technology vulnerabilities. 
There were these \nundocumented capabilities in the operating system, which are \noften called ``zero day'' vulnerabilities. They are called \n``zero day'' because no one knows about them.\n    In this particular case, this code utilized four zero day \nvulnerabilities to ensure that the malicious part that affects \nthe industrial control system was delivered. So using a device \nsuch as the USB device, it actually migrated through the \nnetworks and then went into the physical process control \nenvironment. We were able to take the equipment at our \nlaboratory out at Idaho National Labs and physically configure \nit with representatives from the vendor community themselves. \nThe actual vendors of the products came out and helped \nconfigure the equipment, and then we actually allowed Stuxnet \nto go loose into the environment, if you will.\n    Because it was written with such advanced cryptological and \nobfuscation technologies, Stuxnet actually used the equipment \nitself that it was attacking to encode itself. So we were able \nto actually give it that programmable logic controller that it \nwas looking for because it focuses on a specific hardware and \nsoftware combination, and actually it was able to dissect the \ncode by accessing the programmable logic controller, and it \nstarted decrypting itself. That allowed us to speed our \nanalysis along, and it did not take as much time to identify \nnot how it was written but what it was capable of doing.\n    Our focus was on developing and understanding its \ncapabilities and then identifying those mitigation strategies. \nSo our efforts allowed us to do that.\n    Chairman Lieberman. So where was it found? I am thinking in \nconventional terms, but this thing that you analyzed, whose \norigin and destination was not clear, nonetheless had to exist \nsomewhere so you could analyze it.\n    Mr. McGurk. 
The first sample of code that we received was \nactually working in our partnership with various international \nCERTs. We received it from the German CERT, who in turn \nreceived it from the vendor themselves.\n    Chairman Lieberman. The vendor was a German company?\n    Mr. McGurk. It was a German company; yes, sir. So, \nsubsequently, we were able to get a pure sample of the code \nthat was in the wild, and that allowed us to conduct that \nreverse analysis.\n    Chairman Lieberman. And the control system targeted here, \nas I think one of you said, was a control system that is \nusually used for the control of power plants? Is that right?\n    Mr. McGurk. Essentially, these devices are ubiquitous. This \nparticular vendor has a market share of about 7 percent here in \nthe United States. There are other companies that have larger \npercentages. But these particular pieces of equipment are used \nin agriculture, manufacturing, power generation, water \ntreatment, several sectors across the United States. Power \ngeneration and distribution is only one of those and not \nnecessarily in this particular case the largest. Manufacturing \nis actually the larger infrastructure that uses these types of \nsystems.\n    Chairman Lieberman. In terms of the origin of it, although \nI understand we do not conclusively know, I presume--do we \nthink that this was a Nation state actor and that there are a \nlimited number of Nation states that have such advanced \ncapability?\n    Mr. McGurk. Nothing in the code really points to any \nspecific sense of origin or where it was developed. Based on \nour analysis, we feel that it was probably developed over a set \nperiod of time. These individual blocks were put together by a \nteam or a series of teams working in concert, because there are \nindicators that it was strung together in such a fashion. 
But \nwe have also identified with other types of malicious code and \nbotnets where they actually generate $30 million a month in \nrevenue from operating as various botnets. So when you have \nthat capability from a criminal intent standpoint, you have \nresources to be able to buy this type of capability.\n    Chairman Lieberman. There has been some speculation in the \nmedia that the target here might have been the nuclear power \nsystems within Iran. In fact, at one point--perhaps unrelated \nto Stuxnet--an Iranian official complained about the fact that \ntheir nuclear program was under cyber attack, not linking these \ntwo. What would you say in response to that?\n    Mr. McGurk. Again, sir, attribution and intent are the \nfields for other departments and agencies. We are focusing \nprimarily on capability. But I would also like to \nacknowledge Mr. Turner's comments that there would be an \nincredible amount of knowledge necessary to be able to identify \nspecifically what the target was, and there are no indicators \nin the code. We understand what it is capable of doing.\n    Chairman Lieberman. Right.\n    Mr. McGurk. But to specifically say it was designed to \ntarget a particular facility is very difficult for anyone to \nsay with any assurance.\n    Chairman Lieberman. Thank you. My time is up. Senator \nCollins.\n    Senator Collins. Thank you, Mr. Chairman.\n    Mr. Turner reminded all of us that 85 percent of critical \ninfrastructure is in the private sector, and that is why the \nbill that the Chairman and I drafted focuses on public-private \npartnerships and information sharing that is absolutely \ncritical. I would like to ask each of you to comment on two \nissues related to that.\n    First, how vulnerable is our Nation's critical \ninfrastructure to cyber threats like Stuxnet? 
And then, second, \nhow would you characterize the level of preparedness in the \nprivate sector to deal with a threat of this sophistication?\n    We will start with you, Mr. McGurk, and just go down the \ntable. Thank you.\n    Mr. McGurk. Thank you, Senator. As far as how vulnerable, I \nthink the issue was made clear earlier in many of the \ntestimonies before the Committee that the advent and adoption \nof commercial off-the-shelf technology into a critical process \nenvironment has now opened each of those former legacy-based \nsystems to the same types of vulnerabilities we have in \ninformation technology today. By connecting these systems and, \nif you will, systems of systems together, we have actually \nincreased the risk profile associated with those networks and \noperating those networks.\n    The private sector has been working diligently to identify \nthose mitigation strategies and those steps as they integrate \nthat technology. The Department has been working in our \nprivate-public partnership capacity to provide the services and \nthe expertise that we have to help identify those processes in \nsecuring the critical infrastructure.\n    It is an uphill battle, and when we see something like \nStuxnet come into play that significantly alters the landscape, \nwe need to reassess and re-evaluate our mitigation plans so \nthat we can identify new methods of increasing that security, \nand the private sector working with the Department has been \nfocusing on that for quite some time now.\n    Senator Collins. Thank you. Mr. Assante.\n    Mr. Assante. I think it is important to note that in my \ntime at NERC and working with the industry, there were lots of \nincidents where we had non-directed and not very structured \ncyber threats that impacted or found their ways onto control \nsystems. That was very concerning because it was not by design. \nIt found its way because technology is very cross-cutting. 
That \nindicates to me that we are not only very susceptible, but not \nvery well prepared since we had architectures that allowed for \nthat to happen.\n    When you look at the Stuxnet worm, you are talking about a \nvery well resourced and very structured cyber adversary with \nadvance planning capability. In that sense, I believe we are \nextremely susceptible. In fact, I believe our susceptibility \ngrows every day. If you just look at the very trends within the \ntechnologies that we deploy, we are doing things that would \nallow an attacker more freedom of action within these \nenvironments.\n    As an example, we are converging safety systems with \ncontrol systems at the network layer. It is a very dangerous \ncombination because you allow somebody to get free access to \nboth the system that is designed to make sure a process stays \nsafe and the system that controls what a process does. Those \ntypes of trends that our manufacturers, vendors, and even our \nasset owners have called for because there are great business \nefficiencies to do are very dangerous and troublesome. So I \nbelieve we are becoming more susceptible to these types of \nattacks every day.\n    Senator Collins. Thank you. Mr. Turner.\n    Mr. Turner. Senator Collins, I concur with Mr. McGurk and \nMr. Assante, to the level of complexity in the issues that we \nare facing today. In my role within Symantec, I spent a good \ndeal of time looking at vulnerabilities and talking about \nnumbers and trends and threats and all the rest of it. And I \nthink what I would like to do is maybe illustrate using Stuxnet \njust exactly where we stand.\n    As of early last week, we saw approximately 44,000 unique \nStuxnet infections worldwide. 
Now, that may not sound like a \nbig number, but when we are talking about a highly \nsophisticated threat that requires an awful lot of knowledge \nand skills and people to pull together, that is a big number.\n    In terms of the United States, we have seen a little over \n1,600 unique Stuxnet infections, 50 of which we have identified \nas having WinCC/Step7--the software that Stuxnet \ntrojans--installed. Sixty percent of the global infections of \nStuxnet are in Iran. And we can talk about speculation and all \nthose other things about where the evidence points, but the \npoint here is that even if something like this is tied to one \nparticular country or group of countries, the ability for these \ntypes of threats to have a global reach is enormous. We have \ngone from the days, in 2004, where we saw a little over 260,000 \nnew threats to where we saw 2.9 million last year. \nVulnerabilities in software and hardware have become, \nunfortunately, in some ways a cost of doing business. There are \nan awful lot of issues here.\n    Our level of preparedness, I think, is to some degree, \ncertainly in the private sector, better than it ever has been, \nbut still has a long way to go. It is a cliche, but \nunfortunately, we do not know what we do not know. And when we \nstart talking about industrial control systems and some of the \nother things where the partnership is not quite as developed as \nit should be, it is a little more difficult to answer.\n    So how vulnerable are the industrial control systems and \nsupervisory control and data acquisition (SCADA) systems within \nthe United States or anywhere else? That is a difficult \nquestion to answer until we know exactly the scope of the \nproblem and how many vulnerabilities there are.\n    Senator Collins. Thank you. Mr. Gandy.\n    Mr. Gandy. 
Regarding the vulnerability question, the \nchemical sector understands this evolving threat and has been \nworking proactively to ensure the resiliency of our control \nsystems from both the physical and cyber approach through a \nrisk-based framework that identifies these vulnerabilities and \nthen works on implementing appropriate mitigating controls. As \nmentioned, the Responsible Care Security Code, the road map to \nsecuring control systems in the chemical sector, ongoing \nChemical Facility Anti-Terrorism Standards (CFATS) compliance \nwork, are all working to comprehensively provide a framework of \nassessment, design, engineering, implementation, and monitoring \nfor these kinds of vulnerabilities.\n    Regarding the level of preparedness in the sector, the ACC and its \nmembers have been working for years across the sector to \nprepare and share information about these issues, both from an \nindustry peer-to-peer sharing and sharing with technology \nsuppliers and DHS and national cyber information-sharing \nexercises. We continue to comprehensively improve control \nsystem security in the chemical sector.\n    The road map to security in the control system in the \nchemical sector is further driving the resiliency of control \nsystems through preparedness and awareness.\n    Senator Collins. Thank you.\n    Chairman Lieberman. Thanks, Senator Collins. Senator Coons.\n\n               OPENING STATEMENT OF SENATOR COONS\n\n    Senator Coons. Thank you, Mr. Chairman, for holding these \ninteresting and important hearings.\n    If I might, Mr. Gandy, I just want to commend the ACC for \nits model private sector initiative.\n    For the whole panel, one of the things that made Stuxnet, I \nthink, particularly concerning is its ability to both \ninfiltrate and then exfiltrate data that are operational in \nnature and would allow an unknown observer to then map an \nindustrial process. 
What sort of risks does this pose for trade \nsecrets in the event that we have foreign nations who are \ncompetitors to this country interested in using this kind of \ncapability to learn about detailed operational configuration of \nour manufacturing processes, our power grid, our chemical \nprocesses in a way that would allow them to then mimic them, \nmap them, and expand them, or make them strong?\n    So I would be interested, if I could, in brief answers from \nall the members of the panel to two questions. Does Stuxnet \nsignal not just a risk in terms of infrastructure but also \nintellectual property and the potential loss of American trade \nsecrets? And then, second, what could we be doing to strengthen \nthe public-private partnership on both fronts, both the \nintellectual property and the operational control of critical \ninfrastructure? If we could start with Mr. McGurk. Thank you.\n    Mr. McGurk. Thank you, Senator. To answer the question \nsuccinctly, yes, it does demonstrate the very unique capability \nof exfiltrating or removing that data associated with critical \nprocess development. In addition, it has an advanced capability \nthat we have seen demonstrated where it can actually remove the \nhistorical files associated with the process. That is a key \nelement because it actually goes into development and \nrefinement of your process, so I know not only what you are \ncurrently producing but what you have produced in the past and \nwhat changes you have made to refine that process. So, \nsubsequently, from an intellectual property standpoint, it \nposes a very great risk.\n    In order to strengthen that partnership, I think we are all \ndiscussing the very same topic of awareness and understanding \nand putting those mechanisms in place, whether it is through \neducation, certification, or through information sharing, and \nactually collaborative development of information in order to \naddress risks such as Stuxnet. 
Thank you, sir.\n    Senator Coons. Thank you.\n    Mr. Assante. I think the Stuxnet worm was very \nsophisticated and capable and that not only did it allow you to \nmaintain a foothold in the environment that you compromise, \nwhich is what the attacker wants to do, but also, through the \nexportation of information, it allows them to conduct discovery. \nDiscovery is a very important element to being able to plan \nfollow-on attacks, if that is what the author would so choose \nto do. And so whether discovery is by pulling out information \nthat has value or that has information that would support \nfuture planning processes or the ability to just recognize how \nyou maintain a sustained foothold, that is a very significant \nissue for the industrial control system world, and certainly we \nhave seen that play out in threats across financial services, \nthe defense industrial base, and other key sectors of our \neconomy where we have trade secrets or proprietary information \nthat is important to our economic stability.\n    I do not want to gloss over the idea that the Stuxnet worm \nwas so sophisticated that it was capable of acting \nautonomously. So whether they lost that communication link, \nthat piece of code had quite a bit of intelligence to be able \nto act. So I think the concept of follow-on attack is \nimportant.\n    I believe from the public-private partnership perspective, \nI have seen great progress. I have been involved in it over the \nyears. I do believe that the proposed legislation that this \nCommittee is looking at would be a significant step forward to \nfurther ingraining how we should go about what I think is a \nmore productive partnership. I think that we need to not only \nhold the asset owner responsible for the management of risk as \nit relates to the systems that they manage, but also the \ntechnology providers. 
We will constantly be trying to be very \nreactive if we do not get the technology providers to take a \nserious part in being able to program these systems more \nsecurely and to help design the architectures so that they will \nbe better suited to deal with these types of advanced threats.\n    Mr. Turner. Senator Coons, echoing the comments by Mr. \nAssante and Mr. McGurk, the short answer is yes, absolutely it \nis a risk. Ninety to 95 percent of all the threats we see today \nare risks to personally identifiable information. The fact that \nthis is wrapped up into a threat that targets critical \ninfrastructure is just as important as any other one, and more \nso in many ways.\n    We know, for example, that there was the capability before \nthe sinkholes--the command-and-control (CnC) servers were \ntaken over by Symantec--that this particular code had the \nability to actually install a back door on those systems. So \nthe systems that we did not know about between June 2009 and \nwhere we are today in 2010 could still be exfiltrating data. We \nknow that part of the threat's purpose was to steal the design \ndocuments of the ICS systems. That particular information could \nstill be leaked.\n    We do need to take this seriously because it is all about \ninformation--the secondary component, of course, being what \ncould you do not only with that information, but more \nimportantly changing the frequency control of the drives \nthemselves and all the other things that could take place.\n    I think in terms of what we need to do to strengthen our \npartnerships, there is a fair amount of activity taking place \nin back channels where security experts are discussing the \nissues and the threats amongst themselves and also coordination \namong the organizations. 
Organizations like TechAmerica have \nundertaken industry working groups where we get together and we \ndiscuss better ways to share information, not only between \nourselves but between government and the rest. And I think that \nis also a very important step forward, in addition to, \nobviously, the legislation that is proposed by the Committee.\n    Senator Coons. Thank you.\n    Mr. Gandy. Senator Coons, yes, we believe--the industry \nbelieves--that intellectual property is a target of these \nmalware writers. The intentions of Stuxnet aside, we believe \nmalware will be on our enterprise business networks and on our \nprocess control networks that will attempt to comprehensively \nsteal our intellectual property, reverse engineer our \nprocesses, and steal other sensitive business information.\n    Regarding what we can be doing more from a public-private \npartnership, we continue to believe that continued working \ngroups, such as the Industrial Control Systems Joint Working \nGroup, are essential to the government, industry, and the \nsuppliers working together to work on the resiliencies of \ncontrol system security. We also continue to encourage \nparticipation in national exercises such as the Cyber Storms so \nthat we can continue to work on information sharing, continue \nto practice information sharing, identify roadblocks, improve \nthe efficiency, effectiveness, and timeliness of the \ninformation that is shared.\n    Senator Coons. Thank you very much to the panel, and thank \nyou, Mr. Chairman, for the opportunity to ask questions.\n    Chairman Lieberman. Thank you, Senator. I appreciate it.\n    The votes have gone off. I think rather than holding you \nhere and coming back, I will try to ask a few more questions \nand see if I can hustle over before the votes are done.\n    I want to get clear--I think it was you, Mr. Turner, who \nsaid that 60 percent of computers infected with Stuxnet are in \nIran.\n    Mr. Turner. That is correct. 
Sixty percent of the \ninfections that we have observed worldwide are coming from \nInternet Protocol (IP) addresses of machines identified as \nbeing in Iran.\n    Chairman Lieberman. And have we identified any computers \ninfected in the United States?\n    Mr. Turner. We have.\n    Chairman Lieberman. Just as a natural movement of the \nStuxnet, or is it also a unique----\n    Mr. Turner. Well, intent is one of the hardest things to \ndetermine, Mr. Chairman. This particular threat and the way it \nfirst propagated was via a USB device, taking advantage of a \nparticular vulnerability in Microsoft, something known as \n``.lnk.'' So in order for something like that to propagate to \nget over to the United States, a USB drive would have to get on \na plane. But that does not mean, of course, that the particular \ncode could not be transferred from one person to another.\n    Chairman Lieberman. Right.\n    Mr. Turner. We think that most of the infections we see \nworldwide are anecdotal and antecedent to the originals.\n    Chairman Lieberman. They have fed off the original.\n    Mr. Turner. Correct.\n    Chairman Lieberman. Understood. Mr. McGurk, we have heard \nyou discuss the resources that DHS can provide for the private \nsector in this regard. These are resources that the private \nsector can choose to utilize or choose to ignore, correct?\n    Mr. McGurk. Yes, that is correct, Senator. We only respond \nwhen requested by the private sector. We have no authorities to \nactually direct that activity.\n    Chairman Lieberman. Right. So my question naturally is--and \nI would ask the others as well quickly--whether you believe \nthat we can increase cyber security of our country's most \ncritical infrastructure through voluntary measures alone. Or \ndoes the Department of Homeland Security in this case need some \nenhanced authority? 
Obviously, to state underneath that the \nwhole premise of this hearing today and the focus on Stuxnet is \nboth to educate the Committee, but also to say to us as the \nHomeland Security Committee, if this can be done to somebody \nelse, obviously it now can be done to us, so we better raise \nour guard.\n    So let me come back to the question. Can we do what we have \nto do by voluntary measures? Or does DHS need some kind of \nenhanced authority? Mr. McGurk.\n    Mr. McGurk. Again, Senator, I appreciate the opportunity to \nreply to that. I am a simple sailor, 28 years in the Navy. I am \nused to executing and operating my orders under the authorities \nthat are granted to me. The Department has policy \ndecisionmakers in place that actually identify those \nrequirements. My focus is on managing and leading the \noperational environment that I am entrusted with at the \nDepartment. And given those responsibilities, we have been \noperating within those guidelines. And for the most part, we \nhave not been as successful as we could potentially be, but we \nare as successful as we can be within those guidelines.\n    Chairman Lieberman. So you would accept enhanced authority \nif we gave it to you, but you are not appealing for it right \nnow? [Laughter.]\n    Mr. McGurk. Sir, I feel confident that I am still able to \nexecute the current mission given the requirements.\n    Chairman Lieberman. Mr. Assante.\n    Mr. Assante. Well, as a fellow Navy shipmate, Mr. McGurk, I \nbelieve that DHS and the U.S. Government would benefit from \nadditional authorities in this area. I believe it is critical \nthat organizations cannot suffer in silence. If an advanced \nthreat is on our shores impacting our systems, that should be a \nrequired thing to report. We should be able to muster the \neffective resources that we have, whether it is in government \nor within industry, to be able to tackle those and very rapidly \nshare information so we can protect our systems. 
I think \nadvance authority would allow us to do so.\n    I believe participating in regulation in the electric power \nindustry, you get to be very smart in how you design the \nregulation and the legislation. Performance requirements are \nvery important in my book. I think there are some unsafe \npractices that we continue to use that we need to ensure that \nthey are curtailed. And I think that we need to maximize our \nability to learn and still be able to innovate. So I think \nauthority is necessary.\n    Chairman Lieberman. Thank you.\n    Mr. Turner, my time is running out, but see if you can give \na quick answer, the same to Mr. Gandy.\n    Mr. Turner. I think that more time and effort needs to be \nspent in shoring up the current channels of communication \nbetween all parties involved in the discussion. There are, of \ncourse, very tricky legal and ethical issues around certain \ntypes of data that might be personally identifiable information \n(PII) and the rest of it, because it is not just data that \noccurs in the United States of America but data that occurs \nelsewhere in the world.\n    Chairman Lieberman. Right.\n    Mr. Turner. And if the goal is to get as much information \nas possible into the hands of the people who can do the most to \ntake care of the issue, the best way to do that is to actually \nstrengthen the channels of communication that currently exist.\n    Chairman Lieberman. Mr. Gandy, the chemical industry, as \nyou well know, is actually subject now under other legislation \nto risk-based performance requirements similar to those \ncontemplated in our legislation. What do you think?\n    Mr. Gandy. That is correct. 
My response would be that I \nbelieve there is evidence that the industry is already working \nvoluntarily, very productively, and the CFATS work that is \nongoing right now where DHS is out reviewing the registered \nmost critical sites of the critical infrastructure in the \nchemical sector against those risk-based performance standards \nwill help us continue to improve our security posture in the \nface of this threat.\n    Chairman Lieberman. Thank you. We have covered a lot more \nground, I might say, in this period of time than the Committee \nusually does, and it is not only because we were rushed, but \nbecause of the quality of the witnesses. I cannot thank you \nenough.\n    I want to restate that this Committee is going to make our \ncyber security legislation or legislation like it a priority \nearly in the next session, beginning in January.\n    We are going to keep the record of this hearing open for 15 \ndays for additional questions and statements, but I thank you \nvery much for what you have done today and for the work you are \ndoing to protect our country every day.\n    The hearing is adjourned.\n    [Whereupon, at 11:22 a.m., the Committee was adjourned.]\n                            A P P E N D I X\n\n                              ----------                              \n\n[GRAPHIC] [TIFF OMITTED] 58034.001 through 58034.114 (appendix \ngraphics not reproduced in this text version)\n\n                                 <all>\n</pre></body></html>\n