[Senate Hearing 111-664]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 111-664
 
 CYBERSECURITY: PREVENTING TERRORIST ATTACKS AND PROTECTING PRIVACY IN 
                               CYBERSPACE 

=======================================================================

                                HEARING

                               before the

                       SUBCOMMITTEE ON TERRORISM
                         AND HOMELAND SECURITY

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                     ONE HUNDRED ELEVENTH CONGRESS

                                 SECOND

                               __________

                           NOVEMBER 17, 2009

                               __________

                          Serial No. J-111-62

                               __________

         Printed for the use of the Committee on the Judiciary

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

61-662 PDF                       WASHINGTON : 2010 

                            C O N T E N T S

                              ----------                              

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 JEFF SESSIONS, Alabama
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
RUSSELL D. FEINGOLD, Wisconsin       CHARLES E. GRASSLEY, Iowa
CHARLES E. SCHUMER, New York         JON KYL, Arizona
RICHARD J. DURBIN, Illinois          LINDSEY GRAHAM, South Carolina
BENJAMIN L. CARDIN, Maryland         JOHN CORNYN, Texas
SHELDON WHITEHOUSE, Rhode Island     TOM COBURN, Oklahoma
AMY KLOBUCHAR, Minnesota
EDWARD E. KAUFMAN, Delaware
ARLEN SPECTER, Pennsylvania
AL FRANKEN, Minnesota
            Bruce A. Cohen, Chief Counsel and Staff Director
                  Matt Miner, Republican Chief Counsel
                                 ------                                

            Subcommittee on Terrorism and Homeland Security

                 BENJAMIN L. CARDIN, Maryland, Chairman
HERB KOHL, Wisconsin                 JON KYL, Arizona
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHARLES E. SCHUMER, New York         JEFF SESSIONS, Alabama
RICHARD J. DURBIN, Illinois          JOHN CORNYN, Texas
AL FRANKEN, Minnesota                TOM COBURN, Oklahoma
EDWARD E. KAUFMAN, Delaware
                Bill Van Horne, Democratic Chief Counsel
               Stephen Higgins, Republican Chief Counsel
                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Cardin, Hon. Benjamin, a U.S. Senator from the State of Maryland.     1
    prepared statement...........................................    85
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona..........     3
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, 
  prepared statement.............................................   114

                               WITNESSES

Baker, James A., Associate Deputy Attorney General, Office of the 
  Deputy Attorney General, U.S. Department of Justice, 
  Washington, DC.................................................     4
Chabinsky, Steven R., Deputy Assistant Director, Cyber Division, 
  Federal Bureau of Investigation, U.S. Department of Justice, 
  Washington, DC.................................................    10
Clinton, Larry, President, Internet Security Alliance, Arlington, 
  Virginia.......................................................    26
Nojeim, Gregory T., Senior Counsel and Director, Project on 
  Freedom, Security & Technology, Center for Democracy & 
  Technology, Washington, DC.....................................    25
Reitinger, Philip, Deputy Under Secretary, National Protection 
  and Programs Directorate, Director, National Cyber Security 
  Center, U.S. Department of Homeland Security, Washington, DC...     6
Schaeffer, Richard C., Jr., Director, Information Assurance 
  Directorate, National Security Agency, U.S. Department of 
  Defense, Fort Meade, Maryland..................................     8
Wortzel, Larry M., Ph.D., Vice Chairman, U.S.-China Economic and 
  Security Review Commission, Washington, DC.....................    28

                         QUESTIONS AND ANSWERS

Responses of James Baker to questions submitted by Senators 
  Whitehouse, Feingold, Hatch and Kyl............................    34
Responses of Steven R. Chabinsky to questions submitted by 
  Senators Whitehouse, Hatch and Kyl.............................    44
Responses of Gregory T. Nojeim to questions submitted by Senator 
  Whitehouse.....................................................    52
Responses of Philip Reitinger to questions submitted by Senators 
  Whitehouse, Hatch and Kyl......................................    56
Responses of Richard C. Schaeffer to questions submitted by 
  Senators Kyl, Hatch and Whitehouse.............................    68

                       SUBMISSIONS FOR THE RECORD

Baker, James A., Associate Deputy Attorney General, Office of the 
  Deputy Attorney General, U.S. Department of Justice, 
  Washington, DC, statement......................................    76
Chabinsky, Steven R., Deputy Assistant Director, Cyber Division, 
  Federal Bureau of Investigation, U.S. Department of Justice, 
  Washington, DC, statement......................................    88
Clinton, Larry, President, Internet Security Alliance, Arlington, 
  Virginia, statement............................................    94
Nojeim, Gregory T., Senior Counsel and Director, Project on 
  Freedom, Security & Technology, Center for Democracy & 
  Technology, Washington, DC, statement..........................   115
Reitinger, Philip, Deputy Under Secretary, National Protection 
  and Programs Directorate, Director, National Cyber Security 
  Center, U.S. Department of Homeland Security, Washington, DC, 
  statement......................................................   129
Schaeffer, Richard C., Jr., Director, Information Assurance 
  Directorate, National Security Agency, U.S. Department of 
  Defense, Fort Meade, Maryland, statement.......................   141
Wilshusen, Gregory C., Director, Information Security Issues, GAO, 
  and David A. Powner, Director, Information Technology Management, 
  GAO, Washington, DC, joint statement...........................   145
Wortzel, Larry M., Ph.D., Vice Chairman, U.S.-China Economic and 
  Security Review Commission, Washington, DC, statement..........   168


 CYBERSECURITY: PREVENTING TERRORIST ATTACKS AND PROTECTING PRIVACY IN 
                               CYBERSPACE

                              ----------                              


                       TUESDAY, NOVEMBER 17, 2009

                                       U.S. Senate,
           Subcommittee on Terrorism and Homeland Security,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Benjamin L. 
Cardin, Chairman of the Subcommittee, presiding.
    Present: Senators Cardin, Kohl, Feinstein, Schumer, Durbin, 
Kaufman, Kyl, Hatch, Sessions, Cornyn, and Coburn.

 OPENING STATEMENT OF HON. BENJAMIN L. CARDIN, A U.S. SENATOR 
                   FROM THE STATE OF MARYLAND

    Chairman Cardin. The Subcommittee will come to order, the 
Subcommittee on Terrorism and Homeland Security. Our topic 
today is ``Cybersecurity: Preventing Terrorist Attacks and 
Protecting Privacy in Cyberspace.''
    I must tell you I think this is a very sobering subject. As 
we have seen the advancement of technology, we have also seen 
the enhanced risks against our homeland security.
    On November the 8th, ``60 Minutes'' did an expose on what 
many of us have feared in the development of cyberspace. It 
showed that the technology advancement has indeed made our 
Nation at greater risk. We are vulnerable. We are vulnerable 
from terrorist attacks against our country using cyberspace. 
They can steal sensitive information which can compromise our 
national security. They can, more frighteningly, alter data 
which is used to run critical infrastructure for this country, 
information systems, attacking our infrastructure, whether it 
is our energy grid or whether it is our financial institutions, 
all causing significant damage to the United States. It can 
compromise our military assets which are used to defend our 
Nation.
    And it is not just Government that is at risk. It is the 
private sector also at risk. Financial information can be used 
to obtain illegal funds. It is the modern-day bank robbers, but 
they do not have to use hoods and masks and guns and go into 
banks. They can invade our financial institutions and steal 
money from the depositors. Identity theft is much more at risk 
because of technology advancements.
    It is not only financial information. It is sensitive 
information such as health records, and it can be used to 
extort funds from people in our country.
    The Government has a responsibility to protect our 
Government and its citizens from these attacks, from those who 
might misuse cyberspace. Also, Government has a responsibility 
that in its countermeasures it also strikes the right balance 
between getting the information necessary to protect us from 
cyber attacks, but also protect the privacy of Americans as 
well.
    President Obama, shortly after taking office, undertook a 
comprehensive clean-slate review to assess U.S. policies and 
structures for cybersecurity. Now, some of the conclusions are 
of interest to this Committee, and I think some are disturbing. 
One of the conclusions of that review showed that the Federal 
Government is not organized to address the growing problems of 
cybersecurity; that there are overlapping agencies' 
responsibilities; this Nation is at a crossroads; the status 
quo is no longer acceptable; and that the national dialog on 
cybersecurity must begin today. I agree with that conclusion.
    The study also pointed out the need to appoint a 
cybersecurity policy officer responsible for coordination of 
the national cybersecurity policies and activities. In other 
words, we need a point person that has that responsibility. I 
know a lot of agencies have this responsibility, but they are 
at cross-purposes and at times conflicting. The report also 
indicated we need to designate a privacy and civil liberties 
official to the National Security Council Cyber Security 
Directorate.
    A point that we certainly will be taking up in this hearing 
is how do we enhance and protect the civil liberties of the 
people of this Nation.
    The bottom line is that we need to coordinate Government 
efforts also using the private sector to make sure we are as 
effective as possible to protect our Nation against this 
vulnerability.
    Well, I am pleased that at today's hearing we have two 
panels. First we have a panel of Government experts who are 
responsible for cybersecurity in this country and developing 
the policies for cybersecurity in this country. And then in the 
second panel we will hear from the private sector as to how we 
can coordinate both the private and public sector.
    Senator Kyl will be joining us shortly. I notified his 
staff that I would start immediately at 10 o'clock because 
there are scheduled votes on the floor of the Senate at around 
11:15 to 11:30. Now, in the Senate we do not always adhere to 
when the scheduled votes are scheduled, but in an effort to try 
to make sure that we have the maximum time available for asking 
questions, we started promptly at 10 o'clock.
    Our first panel consists of four Government witnesses: 
James Baker, who was sworn in as the Assistant Deputy Attorney 
General at the United States Department of Justice in July of 
2009. He has worked on numerous national security matters 
during his career. As a former Federal prosecutor, he worked on 
all aspects of national security investigations and 
prosecutions, including particularly the Foreign Intelligence 
Surveillance Act, FISA, during his 17-year career as an 
official at the United States Department of Justice from 1990 
to 2007.
    Phil Reitinger was appointed to serve as Deputy Under 
Secretary for the National Protection and Programs Directorate 
on March 11, 2009. In this role, Mr. Reitinger leads the 
Homeland Security Department's integrated efforts to reduce 
risks across physical and cyber infrastructure. On June 1, 
2009, he also became the Director of the National Cyber 
Security Center, which is charged with enhancing the security 
of Federal networks and systems by collecting, analyzing, 
integrating, and sharing information among interagency 
partners.
    Richard Schaeffer is the Information Assurance Director at 
the National Security Agency. He is responsible for the 
availability of products, services, technologies, and standards 
for protecting and defending our Nation's critical 
infrastructure systems from adversaries in cyberspace.
    And then Steven Chabinsky serves as the Deputy Assistant 
Director within the FBI's Cyber Division. Mr. Chabinsky 
recently returned to the FBI after completing a joint duty 
assignment with the Office of the Director of National 
Intelligence, where he served as Assistant Director of National 
Intelligence for Cyber, the Chair of the National Cyber Study 
Group, and the Director of the Joint Interagency Cyber Task 
Force.
    Before calling on the witnesses, let me yield to Senator 
Kyl, the Ranking Republican on the Subcommittee.

  STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF 
                            ARIZONA

    Senator Kyl. Mr. Chairman, thank you. I am sorry I missed 
most of your opening statement, the most important part of the 
hearing, but I am sure I will get a copy of that and review it. 
I want to thank the witnesses as well. We have been talking 
about this hearing for some time. I really applaud you for 
being able to put together a great panel for us today.
    The Federal Government increasingly relies on 
interconnected information systems for its crucial day-to-day 
operations, and these systems are ever more subject to cyber 
crime as well as cyber espionage.
    I am concerned in particular about China, a growing threat 
to U.S. cybersecurity. In a report published last month by the 
U.S.-China Economic and Security Review Commission, here is 
what was said: ``Increasingly, Chinese military strategists 
have come to view information dominance as the precursor for 
overall success in a conflict. China is likely using its 
maturing computer network exploitation capability to support 
intelligence collection against the U.S. Government.''
    And then the report goes on to say, ``In a conflict with 
the U.S., China will likely use its computer network operations 
capabilities to attack unclassified DOD and civilian contractor 
logistics networks in the continental United States and allied 
countries in the Asia-Pacific Region. The stated goal in 
targeting these systems is to delay U.S. deployments and impact 
combat effectiveness of troops already in theater.'' Just one 
example of the way that an attack could occur.
    Obviously, we do not think the Chinese forces could defeat 
ours head on head, so they seek another method to gain 
advantage. And in my view, the U.S. is not adequately 
countering this serious and growing threat.
    During a recent interview on a news program, ``60 
Minutes,'' the Director of Technology and Public Policy Program 
at the Center for Strategic and International Studies said that 
the U.S. faced a so-called electronic Pearl Harbor in 2007 when 
an unknown foreign power broke into the computer systems at the 
Departments of Defense, State, Commerce, and Energy, and 
probably NASA, and downloaded the equivalent of a Library of 
Congress worth of information.
    During the same news segment, when asked about the 
possibility that penetrations into U.S. systems had left behind 
malicious software that could enable future attacks, former 
Director of National Intelligence Mike McConnell responded, ``I 
would be shocked if we were in a situation where the tools and 
capabilities and techniques had not been left in U.S. computer 
and information systems.'' So, obviously, he is concerned as 
well.
    As with the threat from terrorism, our Government must use 
all tools available to address this threat and protect our 
citizens and way of life. A key challenge in this regard is 
balancing the privacy of U.S. citizens.
    Representatives of the departments that are in charge of 
addressing cybersecurity vulnerabilities are assembled before 
us today, and I look forward to hearing how they are planning 
to get ahead of this growing cyber threat. Again, thank you for 
your considerable interest in the subject.
    Chairman Cardin. Thank you, Senator Kyl. It has been a 
pleasure working with you on this issue. This is an area of 
great interest to every Member of the Senate, and it is given a 
high priority by both you and me and this Subcommittee.
    With that, I would ask our witnesses first to stand in 
order to administer the oath, and then we will start with their 
testimony. Do you affirm that the testimony you are about to 
give before the Committee will be the truth, the whole truth, 
and nothing but the truth, so help you God?
    Mr. Baker. I do.
    Mr. Reitinger. I do.
    Mr. Schaeffer. I do.
    Mr. Chabinsky. I do.
    Chairman Cardin. Thank you. Mr. Baker, we are pleased to 
hear from you. And, by the way, all of your full statements 
will be made part of the record, and you may proceed as you 
wish.

STATEMENT OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL, 
   OFFICE OF THE DEPUTY ATTORNEY GENERAL, U.S. DEPARTMENT OF 
                    JUSTICE, WASHINGTON, DC

    Mr. Baker. Thank you, Mr. Chairman, members of the 
Subcommittee, and members of the Committee. I appreciate this 
opportunity to discuss the critical issue of protecting the 
Nation from cybersecurity threats while ensuring the protection 
of civil liberties and privacy, as has been mentioned already. 
I have submitted a lengthy statement for the record, and I will 
not repeat that here, but I would just like to make a few brief 
points.
    First of all, the Department of Justice is a key player in 
the cybersecurity arena. Among other things, we provide legal 
advice and guidance on a range of cybersecurity activities to 
other Federal entities. Our objective is to ensure full use of 
available legal authorities and strict adherence to the law, 
including civil liberties and privacy protections. In addition, 
we assist in the development of cybersecurity policy. DOJ is a 
full participant in the interagency policy process.
    Further, we collect information and conduct investigations 
regarding cybersecurity threats in partnership with law 
enforcement and intelligence agencies. Importantly, obviously, 
we prosecute cyber criminals in Federal court. We use the full 
range of available criminal statutes to seek the maximum 
penalties against cyber criminals.
    Further, we train investigators and prosecutors around the 
country to make sure that we have knowledgeable officials ready 
to respond to the cyber threats of today. We engage with our 
foreign law enforcement partners to deny safe havens to cyber 
criminals and to bring them to justice wherever it may be most 
advantageous.
    If I could just quickly highlight one of the functions of 
the Department of Justice in the FBI, which will be talked 
about later, the NCIJTF, which is the National Cyber 
Investigative Joint Task Force. NCIJTF is in my experience a 
very forward-looking organization that engages in robust 
information sharing and coordination across Federal agencies. 
At the same time, they have a strong awareness of the need to 
adhere to applicable laws that govern the collection and use of 
information. They certainly recognize that they have a long way 
to go, but in my view, they embody the significant changes that 
the FBI has made over the past 5 years.
    Now, if I could turn briefly to the legal regime that 
governs cyber activities. There is a complex set of legal 
authorities that governs in this area. The Constitution, 
Federal statutes, State law, foreign law, international law--
all have an impact in this area. These laws were developed over 
time in response to legal, policy, and technological 
developments.
    The legal regime currently enables law enforcement and 
intelligence officials to obtain authorizations to collect 
vital information through electronic surveillance and other 
collection means. The legal authorities require strict 
adherence to a variety of civil liberties and privacy 
protections that are well understood by investigative agents.
    However, the evolution of technology, our dependence on 
technology, and our adversaries' exploitation of 
vulnerabilities in that technology raises the question of 
whether our statutes are adequate to address the cyber threats 
of today and at the same time protect privacy and civil 
liberties. The administration is prepared to partner with 
Congress to ensure that adequate laws, policies, and resources 
are available to support the U.S. cybersecurity-related 
missions.
    Further, because most of the cyber infrastructure is in 
private hands, we must also consult with industry in this 
important effort. As we move forward, it is critical that we 
proceed carefully so that we do not modify applicable law in a 
way that inadvertently harms important collection efforts or 
undermines existing requirements that are critical to the 
protection of civil liberties and legitimate privacy interests.
    I would like to thank the Chairman and the Subcommittee for 
your leadership on this issue, and I look forward to your 
questions.
    [The prepared statement of Mr. Baker appears as a 
submission for the record.]
    Chairman Cardin. Thank you very much for your testimony.
    Mr. Reitinger.

STATEMENT OF PHILIP REITINGER, DEPUTY UNDER SECRETARY, NATIONAL 
 PROTECTION AND PROGRAMS DIRECTORATE, DIRECTOR, NATIONAL CYBER 
    SECURITY CENTER, U.S. DEPARTMENT OF HOMELAND SECURITY, 
                         WASHINGTON, DC

    Mr. Reitinger. Thank you, sir. Chairman Cardin, Ranking 
Member Kyl, and members of the Committee and Subcommittee, 
thank you for the opportunity to be here today to talk to you 
about the growing threats that we face in cyberspace.
    As I think the Committee and Subcommittee are aware, the 
threats are increasing. Your comments, Chairman, clearly 
indicate that. The skill level of attackers is rising across 
the spectrum from the most sophisticated attackers to the least 
sophisticated attackers. And, in fact, the most sophisticated 
attackers increasingly write high-quality tools that enable the 
least sophisticated attackers to launch very directed attacks 
without necessarily knowing that much.
    At the same time, also as your comments point out, sir, we 
are depending more on these systems day to day, not just for 
communicating and doing work, but for operating our 
infrastructure and for the basic functions of our life.
    As a result, as you point out, the status quo is simply not 
sufficient. We all need to up our game in Government and the 
private sector to increase the security and resiliency of our 
systems, but that is not our only goal. At the same time, we 
need to increase the competitiveness of our country so that we 
can maintain our lead going forward and we need to protect 
privacy by design. I would like to talk about some of our 
efforts in each of those areas.
    To begin with, security. There is no silver-bullet solution 
here, sir. We are all working very hard across Government, but 
as Mr. Baker's comments indicate, this is going to take a broad 
set of efforts from the Government and the private sector. So 
we in the Department of Homeland Security and with our partners 
in Government and industry are working very hard to develop the 
right relationships to be able to be effective.
    A recent announcement we have made in this space is the 
announcement of the National Cyber Security and Communications 
Integration Center, where we for the first time in the 
Department of Homeland Security, in direct response to advice 
we received from the private sector and from Congress through 
the Government Accountability Office, collocated the various 
operational watch centers we have for cybersecurity and 
communications in the same place. So our telecommunications 
watch capability, the National Coordinating Center, our IT 
security-based coordinating capability, US-CERT, and our cross-
Government coordinating capability, the National Cyber Security 
Center, their watch components are all now located in the same 
space with appropriate liaisons from other Government agencies 
like the FBI so that they can breathe the same air, build 
trust, and collaborate effectively to respond to significant 
incidents that call for that level of cooperation.
    Second, competitiveness. One of the things we need to do as 
a Nation is make sure that we are not only addressing the 
security issues we face now but are prepared to address them 
going forward. That means we need a bigger pool of 
cybersecurity experts to hire. I am trying in the Department of 
Homeland Security, in the National Cyber Security Division, to 
go from roughly 115 people on board at the end of the last 
fiscal year to about 260 by the end of the upcoming fiscal 
year. As I think those of you who know, that is a growth of 
over 50 percent, and it is a pretty heavy lift. In doing so, we 
will be competing with some of the other agencies you see up 
here and the people in the private sector. And unless we can 
grow that pool of people, that is going to be a zero-sum game. 
So, also with our partners in Government, we are working very 
hard to build the relationships, to build the techniques, and 
to build the programs that will build a pool of cybersecurity 
experts coming from our own universities that we will be able 
to be successful in the future, and I believe Mr. Schaeffer may 
talk a little bit more about that.
    Let me then turn to privacy briefly. Privacy is absolutely 
essential. We are working very hard in this space, including 
building the processes, training, oversight mechanisms, and 
transparency, that we need to assure that our computer security 
efforts, our information assurance efforts, are compliant with 
and actually advance privacy rather than impair it. And we are 
working to support other administration efforts such as 
enhancing identity management strategies that are sensitive to 
privacy so that, going forward, we will be even more 
successful.
    The one thing I would call out here as a key area for us is 
raising awareness because unless we can continue to raise the 
awareness of the American people and business interests, they 
are not going to be able to protect themselves. So during 
October, Cybersecurity Awareness Month, we made significant 
efforts to do that. I would be happy to talk more about that in 
the question-and-answer period if it is of interest to the 
Committee.
    In conclusion, I would say that it is clear, I think, to 
all of us that cybersecurity is a team sport. We are 
collaborating very effectively across Government, and I look 
forward to the Committee's questions to explore more of these 
questions in detail. Thank you, sir.
    [The prepared statement of Mr. Reitinger appears as a 
submission for the record.]
    Chairman Cardin. Thank you.
    Mr. Schaeffer.

 STATEMENT OF RICHARD C. SCHAEFFER, JR., DIRECTOR, INFORMATION 
     ASSURANCE DIRECTORATE, NATIONAL SECURITY AGENCY, U.S. 
          DEPARTMENT OF DEFENSE, FORT MEADE, MARYLAND

    Mr. Schaeffer. Thank you, sir. Good morning, Chairman 
Cardin, Ranking Member Kyl, and distinguished members of the 
Subcommittee. I appreciate the opportunity to be here today to 
talk briefly about the NSA's information assurance mission and 
its relationship to the work of the Department of Homeland 
Security and others concerned with helping operators of crucial 
information systems protect and defend their data systems and 
networks from hostile acts and other disruptive events.
    Each day, ever more data and functions that are vital to 
the Nation are consigned to digital systems and complex 
interdependent networks. As Mr. Reitinger said, there are no 
silver bullets when it comes to cybersecurity. But, over time, 
increased awareness of cybersecurity issues, new standards, 
better education, expanding information sharing, more uniform 
practices, and improved technology can and will make a 
meaningful difference.
    Many people who discuss this issue see only the challenges 
and, quite frankly, discuss them in ways in which the situation 
seems to be hopeless. I believe that that glass is half-full, 
and there are a number of steps that individuals and system 
owners and users can take to mitigate many of the threats of 
operating in cyberspace.
    The NSA's information assurance mission focuses on 
protecting what National Security Directive 42 defines as 
national security systems. Those are systems that process, 
store, and transmit classified information or otherwise 
critical to military or intelligence activities. Historically, 
much of our work has been sponsored by and tailored for the 
Department of Defense. Today, national security systems are 
heavily dependent on commercial products and infrastructure or 
interconnect with systems that are. This creates new and 
significant common ground between defense and broader U.S. 
Government and homeland security needs. More and more we find 
that protecting national security systems demands teaming with 
public and private institutions to raise the information 
assurance level of products and services more broadly. If done 
correctly, this is a win-win situation that benefits the whole 
spectrum of information technology users, from warfighters and 
policymakers to Federal, State, local, and tribal governments, 
to the operators of critical infrastructure, and the Nation's 
most sensitive arteries of commerce.
    In my statement for the record, which I submitted in 
advance, I used several recent specific examples of NSA's close 
and continued collaboration with Government organizations as 
well as our partners from industry and academia. For instance, 
the NSA and the National Institute of Standards and Technology 
have been working together for several years to characterize 
cyber vulnerabilities, threats, and countermeasures to provide 
practical cryptographic and cybersecurity guidance to both IT 
suppliers and consumers. Among other things, we have compiled 
and published security checklists for hardening computers and 
networks against a variety of threats. We have shaped and 
promoted standards that enable information about computer 
vulnerabilities to be more easily catalogued and exchanged and 
ultimately the vulnerabilities themselves to be automatically 
patched. And we have begun studying how to extend our joint 
vulnerability management efforts to directly support compliance 
programs such as those associated with the Federal Information 
Security Management Act. All of this is unclassified and 
advances cybersecurity in general, from national security and 
other Government networks to critical infrastructure and other 
commercial or private systems.
    The NSA partners similarly with the Department of Homeland 
Security. Earlier this year, we proudly announced the 
designation of 29 additional U.S. colleges and universities as 
National Centers of Academic Excellence in Information 
Assurance Education and/or Information Assurance Research. This 
brings the number of institutions participating in this highly 
regarded program to 106 located in 37 States, the District of 
Columbia, and the Commonwealth of Puerto Rico.
    NSA and DHS collaborate daily, cooperating on 
investigations and forensic analysis of cyber incidents and 
malicious software, and together we look for and mitigate the 
vulnerabilities in various technologies that would render them 
susceptible to similar attacks. We each bring to these efforts 
complementary experience, insight, and expertise based on the 
different problem sets and user communities on which we 
concentrate, and we each then carry back to those communities 
the dividends of our combined wisdom and resources.
    Key to the Nation's cybersecurity efforts is a public-
private partnership which has been actively embraced by the 
Federal Government, industry, and academia. This trusting 
relationship includes and is based upon the common goal of 
improving cybersecurity, the sharing of information, and 
collaborative research development and innovation. A recent 
example of this collaboration is last month's fifth annual 
Security Automation Conference at the Baltimore Convention 
Center, co-hosted by NSA, NIST, DHS, and the Defense 
Information Systems Agency. This conference brought together 
nearly 1,000 representatives from the public and private 
sectors and demonstrated the benefits of automation and 
standardization of vulnerability management, security 
management, and security compliance.
    As Lieutenant General Alexander, NSA's Director, stated 
clearly in his address to the RSA Security Conference this past 
April, ``Cybersecurity is a big job, and it is going to take a 
team to do it.'' We will bring our technical expertise, and 
working with many others in the public and private sector, we 
will comprise the team the Nation needs to address this 
challenge.
    This concludes my remarks. I would be pleased to answer any 
questions from you and other members of the Subcommittee.
    [The prepared statement of Mr. Schaeffer appears as a 
submission for the record.]
    Chairman Cardin. Again, thank you for your testimony.
    Mr. Chabinsky.

 STATEMENT OF STEVEN R. CHABINSKY, DEPUTY ASSISTANT DIRECTOR, 
     CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION, U.S. 
             DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Chabinsky. Good morning, Chairman Cardin, Ranking 
Member Kyl, members of the Committee and Subcommittee.
    The FBI considers the cyber threat against our Nation to be 
one of the greatest concerns of the 21st century. The most 
sophisticated of our adversaries, which includes a number of 
nation states and likely some organized crime groups, have the 
ability to alter our hardware and software along the global 
supply chain, to conduct remote intrusions into our networks, 
to establish the physical and technical presence necessary to 
reroute and monitor our wireless communications, and position 
employees within our private sector and Government 
organizations as insider threats awaiting further instruction.
    The FBI has not yet seen a high level of end-to-end cyber 
sophistication within terrorist organizations. Still, the FBI 
is aware of and investigating individuals who are affiliated 
with or sympathetic to al Qaeda who have recognized and 
discussed the vulnerabilities of the United States 
infrastructure to cyber attack, who have demonstrated an 
interest in elevating their computer hacking skills, and who 
are seeking more sophisticated capabilities from outside of 
their close-knit circles.
    To meet these challenges, today's FBI has the largest cadre 
of cyber trained law enforcement officers in the United States, 
numbering over 2,000. Internationally, the FBI operates 75 
legal attache offices and sub-offices around the world.
    To be sure, while protecting the United States against 
cyber-based attacks is one of the FBI's highest priorities, we 
are always mindful that doing so must be achieved while 
safeguarding civil liberties and privacy rights. In that 
regard, the FBI complies with the Attorney General guidelines 
for FBI domestic investigations and receives invaluable support 
from the Department of Justice's Computer Crime and 
Intellectual Property Section, the Department's National 
Security Division, and U.S. Attorney's Offices throughout the 
country.
    Although an unclassified forum is not suitable for 
discussing the FBI's counterterrorism and counterintelligence 
cyber efforts, our investigative success on the criminal side 
provides a glimpse into our capabilities and strategic 
partnerships that can be used against any adversary. For today, 
let me focus on the FBI's strong leadership and expertise in 
investigating financial cyber crime.
    You may have read last year about the transnational 
organization that used sophisticated hacking techniques to 
withdraw over $9 million from 2,100 ATM machines located in 280 
cities around the world, all in under 12 hours. I would not be 
surprised if Hollywood makes this one into a movie. From my 
perspective, the best part is the ending. Based on a successful 
FBI-led investigation with especially strong support from the 
reporting victim and Estonian law enforcement, just last week a 
Federal grand jury returned a 16-count indictment against key 
members of the group, and arrests already have been made 
internationally.
    Only a few weeks earlier, the FBI's Operation Phish Phry 
brought down a transnational crime ring that engaged in 
computer intrusions, identity theft, and money laundering. The 
case resulted in a 51-count Federal indictment, charging 53 
U.S. citizens, while the FBI, in coordination with Egyptian law 
enforcement identified 47 Egyptian suspects directly involved 
in the criminal conspiracy. This year, the FBI and the 
Financial Services Information Sharing and Analysis Center, the 
FS-ISAC, also forged a best practice for Government-private 
sector information sharing. We co-authored an advisory based on 
ongoing FBI investigations that was then distributed to the 
4,100 members of the FS-ISAC, over 40 of which are themselves 
associations, and shared with bank customers to prevent further 
victimization.
    At the consumer level, the FBI established and leads the 
Internet Crime Complaint Center in partnership with the 
National White Collar Crime Center. www.ic3.gov is the leading 
cyber crime incident-reporting portal, having received over a 
quarter of a million complaints just last year.
    We are also proud of the FBI's cooperative efforts with the 
United States Secret Service. In order to support the Secret 
Service's cyber crime authorities, the FBI provided the Secret 
Service with over 1,800 cyber intelligence reports and analytic 
products in fiscal year 2009 alone. The Secret Service also is 
a full-time member of the FBI's National Cyber Investigative 
Joint Task Force, and the FBI has invited the Secret Service to 
partner with us at the Internet Crime Complaint Center and the 
National Cyber Forensics and Training Alliance. Operationally, 
we are providing the Secret Service with the opportunity to 
participate in FBI-led investigations, which most recently 
provided the Secret Service with information relevant to their 
successful investigations of intrusions into Heartland Payment 
Systems and TJX Companies.
    Each of the above examples demonstrates that taking 
advantage of all of our country's skills and knowledge, 
leveraging our Nation's resolve and common cause, provides 
significant advantages that are leading to increased and 
repeatable successes.
    In conclusion, I am grateful to the Subcommittee for this 
chance to highlight the FBI's strengths in combating cyber 
terror, cyber espionage, and cyber crime in a manner that 
protects privacy rights and civil liberties, and to recognize 
the partnerships that allow us to meet this ever growing 
economic and national security problem.
    In that regard, I would also like to particularly thank the 
members of this panel with whom the FBI partners every day.
    I am happy to answer any questions you may have. Thank you.
    [The prepared statement of Mr. Chabinsky appears as a 
submission for the record.]
    Chairman Cardin. Let me thank all of our witnesses from the 
Department of Justice, from Homeland Security, NSA, and from 
the FBI. I do not know if we feel any better after listening to 
your testimony, but I think we understand the risk, and the 
risk is that we can have spies, soldiers, and criminals 
anyplace in this country placed overnight, and, Mr. Reitinger, 
you mentioned that we need to be more aware. But I am not so 
sure we know when, in fact, we have been invaded. Certainly 
that is true with the less sophisticated users who do not have 
the same type of security systems that perhaps the Government 
has. But it is unclear that we really even know when we have 
been attacked. And it is very possible today that major 
information systems have been compromised, and we are not clear 
whether there is an operational plan to use that at this point 
or not.
    Which brings me, I guess, to the risk factors. We are 
concerned that other governments are, in fact, actively 
involved in trying to compromise our cybersecurity. We know 
that terrorists are interested in invading us. We know that 
criminals have game plans to try to advance their particular 
causes. And then you have the lone-wolf hackers who just want, 
for whatever reasons, to compromise cyberspace.
    Is there a common strategy here that we can use to protect 
us against other countries, against terrorists, against 
criminals, against hackers? What is the common strategy that 
the United States needs to employ in order to make us less 
vulnerable to these types of attacks? Who wants to start?
    Mr. Reitinger.
    Mr. Reitinger. I will start with that, sir, and then look 
for additional contributions from the other people on the 
panel.
    There is a common strategy, but it is not a one-prong 
strategy. As a number of us said, there is no silver bullet 
here, sir. In some cases, there will be different strategies. 
For example, one might use different strategies with regard to 
single hackers or organized criminal groups as opposed to 
terrorists or nation states. But broadly across all of them, we 
do need to up our defensive game, and that is essentially our 
role in the Department of Homeland Security, at least the 
components that report up to me.
    We need to make sure that we are, as you suggested, raising 
awareness across the spectrum.
    Chairman Cardin. How do you raise awareness when you do not 
know, in fact, that you have been compromised or that there is 
something in your software or hardware that can be used against 
you? As I understand it, the technology is not at that point 
where particularly in the private sector they do not know 
whether their software program has been compromised, as I 
understand it.
    Mr. Reitinger. Sir, it gets complicated, but I think there 
are three responses to that. The first is that, obviously, 
supply chain attacks are of concern, and we are not where we 
need to be as a Nation yet in terms of ability to prevent and 
deter supply chain attacks. It can be very difficult to 
determine if software has vulnerabilities or does not, and that 
is both--we need to work on practices and procedures in that 
regard and on technology.
    With regard to end users knowing whether they have been 
compromised or not, I think there are a couple of pieces. The 
first is that we need to make sure that they know about the 
threat and they are at least aware of the simple things that 
they can do to protect themselves. That was actually the 
message, one of the key messages of Cybersecurity Awareness 
Month, to make sure that we were trying to communicate as 
broadly as possible that there are very simple things that end 
users can do to cut off broad avenues of attack--you know, keep 
their software up to date, run antivirus, some fairly simple 
steps.
    With regard to knowing whether they have been compromised 
or not, we have provided tips to end users, things they should 
watch for that might indicate, for example, that their computer 
had been compromised as a botnet. But there is a broad 
technology agenda there, too, sir. It remains the case that it 
is too hard for individual users and even small and medium 
businesses to secure their systems. We need to as a Nation and 
as an IT ecosystem continue to make it more simple for people 
to institute protections, to determine if they have been 
compromised, and to make sure they stay secure.
    Chairman Cardin. Mr. Chabinsky, you said the good news is 
that we brought indictments against those who robbed us. The 
bad news is they were able to rob us, they were able to get 
money. And every day, as I understand it, there is money being 
stolen through cyberspace.
    So there is clearly a vulnerability here. Clearly, we want 
to bring criminal charges to those who violate our criminal 
statutes. But I think our first objective is to prevent this 
from happening.
    Mr. Chabinsky. Yes, Senator. The case that you are 
referring to actually has an interesting component that I did 
not mention in my oral testimony in which, while we were 
investigating that case, we received information from our 
foreign law enforcement partners that showed a targeting list 
of other banks that were going to become victims. And we were 
able actually to notify each of those banks. We actually went 
in person with FBI agents to notify each bank so that they 
would be prepared and they were able to prevent further crime. 
So in that example, the bad news part of the story, Senator, as 
you mentioned, is that we already had victims. The good news 
part is we were able within that case to prevent further 
victimhood.
    The same would go for our relationship with the Financial 
Services ISAC in which, by seeing a growing trend which 
amounted to 200 cases, that is the bad news part of the story. 
There were 200 cases that we had in which we saw victims.
    Nationwide, we probably prevented thousands more by getting 
the information out to each of the banks and for them to then 
provide with their customers to show them how they could avoid 
future schemes.
    The FBI is trying to have better preventive efforts by 
undercover operations, by way of example, so that we could 
penetrate some of the organizations that are planning attacks 
and in that way know their intent before they have the ability 
to act upon it. But it is a difficult problem, sir.
    Chairman Cardin. Mr. Schaeffer, first of all, I have been 
to NSA many times, and I am always impressed by the quality of 
work that is done there. I think our first line of attack is to 
try to get the right intelligence information and develop the 
technologies in order to counter what those who want to attack 
us want to do. At NSA, you are very much involved in both of 
those areas, although your intelligence collection, of course, 
is international.
    How do you stay ahead of the curve? It seems to me normally 
you would want to get experienced people on staff that are 
expert in this area, but in cyber issues it seems like the 
young people--it is more people coming out of college 
developing new technologies. How do you stay ahead of the curve 
here?
    Mr. Schaeffer. Well, sir, we do exactly what you said. We 
recruit, we hire, we train those bright young minds that are 
coming out of the colleges and universities today. I started at 
NSA as an engineer, and I am certainly glad I am not competing 
with the intellect and the capabilities that are coming out of 
the colleges and universities today. They have got tremendous 
capabilities.
    So we take experienced personnel who are deeply steeped in 
vulnerability discovery and understanding how systems break and 
how they can be broken, and use the technology knowledge that 
the young workforce brings into our environment, and it is a 
collaboration. It is a mentorship. It is a partnering between 
more experienced employees and the younger folks who do bring 
the latest technology knowledge into the space.
    We, of course, have a research organization that tries to 
stay ahead, helping us understand what breakthrough 
technologies or what significant technologies that may be 
coming down the road at a later point in time, that we need to 
be prepared to help understand how to protect and defend those 
technologies in the information space.
    So it is a combination. It is bright young people coming 
into the organization. It is experienced people. It is great 
tools and technology that the Nation gives us to help work this 
problem.
    Chairman Cardin. And we would invite you to share with us 
if there are additional tools you need in regards to this 
issue. We understand the politics of OMB and all the other 
areas that you have to deal with. But I think we want to hear 
independently from you as to what tools are necessary for you 
to be able to effectively deal with this threat against our 
country. So we would appreciate that.
    And for Mr. Baker, you also indicated that there may be 
needs for changes in our law as it relates to the ability to 
properly protect this country, but also protect the civil 
liberties of the people who live in America. And we would 
invite you to be open in that process working with us to help 
develop the legal framework that you need. We know what we went 
through with FISA. We know what we went through on some of the 
issues. We want to work collectively here. We do not want to 
work in an adversarial role as to what is necessary to give you 
the tools you need, but also to protect the civil liberties of 
people in this country.
    Mr. Baker. Yes, Senator. Thank you very much. We recognize 
that, and we appreciate the opportunity to work with you on 
these very complex and important issues.
    Chairman Cardin. Thank you.
    Senator Kyl.
    Senator Kyl. Well, let me begin by reiterating the point 
that the Chairman just made. These hearings give us the 
opportunity to hear some things from you, but we just get a 
sketch. We just touch the surface. And we are also looking for 
what we can do to help, both in terms of resources that might 
be available or needed or legislative authority. And so that 
invitation really is extended to each of you and the others 
with whom you work.
    And I think the Chairman put his finger on it by inquiring 
about a common strategy. Let me see if I can bore down into 
that just a little bit. And I do not want to get into 
organizational charts because they make my head spin, but to 
try to understand just in a very basic way how our Government--
who is in charge, if anyone is, and how we structure the 
mechanisms that can be useful to protect across broad spectrums 
of society, including Government agencies, contractors, private 
businesses, utilities, and universities and others that are all 
subject to the same kinds of attacks and, therefore, about 
which some commonality would seem to be in order.
    And maybe, Mr. Schaeffer, let me begin by asking you since, 
as I understand it, NSA has been given some kind of overall 
lead in this, but I am not sure that the authority is nailed 
down. And I know that there are some conflicting views as to 
who all should have what authority and whether there should be 
somebody in charge. Maybe you could give us your understanding, 
and then I invite each of the rest of you to comment on that as 
well.
    Mr. Schaeffer. Well, sir, I think I would first point to 
the comment that General Alexander made back at the RSA 
Conference, and that is, this is a team sport. You are 
absolutely correct, there are various authorities that exist in 
departments and agencies across the Government. Within NSA, our 
responsibility for national security systems is just a portion 
of the overall set of networks. We work collaboratively with 
the Department of Homeland Security, the National Institute of 
Standards and Technology, and others to help other elements of 
the Government.
    I think the great benefit is that what we do for U.S. 
Government systems, whether that is in the development of 
configuration information, whether it is standards, all that is 
directly extensible into the private sector. The kinds of 
policies and procedures that we outline for U.S. Government 
systems can, in fact, be adopted by critical infrastructure 
elements and others across the community. We think in terms of 
the things that we can do to protect the network environment, 
individuals can adopt those mechanisms as well.
    I cannot underscore enough a comment that Mr. Reitinger 
made about just the basics. How do you harden systems? It is 
good configuration management. It is good patch management. It 
is good access control. All the kinds of principles and 
practices that we as individuals and we as organizations need 
to put in place such that the policies that exist, disparate 
and varied though they are, can, in fact, have an effect on the 
overall assurance of the operating environment in which we 
conduct our business today, whether that is warfighting, 
whether that is Government, or otherwise.
    Senator Kyl. Let me just bore down a bit. Mr. Reitinger, 
let me put that question to you, because I gather that there is 
some connection between the Government on the one hand and all 
of the private sector on the other hand, through Homeland 
Security, but I am not exactly sure. I do not know if what I 
said is correct or not. But if anybody does it, I presume you 
would. How do those mechanisms that you appreciate the need 
for, because you are at the highest level of development, get 
translated down into all the different sectors of our society 
where they are really needed?
    Mr. Reitinger. Absolutely, sir. As Mr. Schaeffer indicated, 
this is a team sport, but it is not even football or baseball, 
if I could perhaps unduly extend the analogy. It is more like 
soccer. We are all playing positions, and we need to execute in 
our individual roles. This is going to remain a horizontal 
activity across Government.
    One of the roles that we have in the Department of Homeland 
Security is serving as the bridge into the private sector, sort 
of the broader dot-com and the infrastructures that are out 
there that we need to protect. So we built a structure, the 
National Infrastructure Protection Plan, and a set of sector 
coordinating councils that bring people from all of those 
different sectors together to collaborate with Government.
    There is also an additional structure next to that that 
works specifically on operational issues, the set of 
information-sharing and analysis centers that work both through 
that structure and with the United States CERT, but also more 
particularly with their sector-specific agencies. So, for 
example, Mr. Chabinsky talked about the Financial Services 
ISAC. That is an operational body working clearly in the 
financial services sector that would partner with US-CERT on 
some of the defensive measures, on some law enforcement 
material, and some of the work coming out of the Bureau's 
infrastructure protection capabilities would partner with the 
Bureau.
    So we have built a structure where there are multiple ways 
to work together, and we are continuing as a Government and 
more broadly in the private sector to refine the roles and 
responsibilities we have all got.
    So, for example, one of the outcomes of the Cyberspace 
Policy Review is that we need, in the event of a significant 
incident, to be able to respond as one Nation. So there is an 
effort going forward called the National Cyber Instant Response 
Plan to devise a highly actionable set of policies and 
procedures that will enable all of the different Government 
agencies to work effectively with the private sector in the 
event of a significant incident. And we are driving toward 
having a draft ready at the end of this year or the start of 
next year that we are actually going to test at the start of 
next year and that will even more affirmatively exercise in the 
Cyber Storm III exercise that will take place in September of 
next year.
    Senator Kyl. Great. I have just another minute or so. Would 
either of the two of the Department of Justice and the FBI 
witnesses like to comment as well, please?
    Mr. Baker. Well, just briefly, Senator. Thank you.
    I guess in response to your question about who is in 
charge, from the executive branch it is the President who is in 
charge, and there is a very active effort run out of the White 
House. We meet weekly. There is a big group that meets weekly 
or almost weekly. There are sub-groups that meet continually on 
a variety of different topics.
    Senator Kyl. Excuse me, but who convenes that meeting or 
nominally sets the agenda?
    Mr. Baker. It is the National Security Council, a director-
level person, I believe, in there who is running those 
meetings. And so there is a very active--I made a brief 
reference to it in my opening remarks--a very active policy, 
operational, technology review that is going on continually to 
try to address some of these very, very difficult legal, 
technical questions that we are facing.
    Chairman Cardin. Would the Senator yield just for one 
moment?
    Senator Kyl. Sure.
    Chairman Cardin. Is that structure by just de facto or has 
the President requested this, the National Security Council 
coordinating this activity? Or is it just taken up because of 
its----
    Mr. Baker. The accurate answer is I do not know the exact 
origin of that, Senator. We can find that out and get back to 
you. But it is very structured, so it is not just de facto, it 
has not just emerged on the back of an envelope.
    Chairman Cardin. We would appreciate that. Thanks.
    [The information referred to appears as a submission for 
the record.]
    Senator Kyl. Mr. Chabinsky, anything you want to add to 
that?
    Mr. Chabinsky. I would like to support and add a little bit 
more to Mr. Baker's comments. The National Security Council has 
been working through the Interagency Policy Committee to 
coordinate the cyber security. The President immediately upon 
entering office asked for a Cybersecurity Policy Review. After 
that review was completed, the President adopted the 
Comprehensive National Cybersecurity Initiative and provided 
additional short-, mid-, and long-term recommendations for 
moving the community forward. And the community has stayed on 
top of that through the leadership of the Office of the 
Director of National Intelligence. The Joint Interagency Cyber 
Task Force continues to monitor and coordinate the 12 
interdependent initiatives within the Comprehensive National 
Cybersecurity Initiative working with each of the agencies on 
performance measures and letting the President know on a 
quarterly basis how the community has organized to respond.
    Part of that Comprehensive National Cybersecurity 
Initiative involves very strong partnership with the private 
sector and academia, led by the Department of Homeland 
Security.
    In addition, part of that partnership includes gathering 
the intelligence agencies, law enforcement agencies, homeland 
security agencies in common cause both for shared situational 
awareness, as provided by the National Cybersecurity Center 
which Mr. Reitinger directs, and US-CERT at the Department of 
Homeland Security, and the FBI takes a leadership role for 
domestic investigative coordination at the National Cyber 
Investigative Joint Task Force.
    For its part, the FBI has additional partnerships not only 
with the critical infrastructures, but within its InfraGard 
Program that started in 1996. We have expanded that program to 
include over 33,000 members of the private sector located 
throughout 87 cities in the country. In fact, InfraGard now has 
all but eclipsed the size of the Federal Bureau of 
Investigation showing that partnerships are both required and 
looked for by industry. So that has been enormously successful, 
as have our partnerships with the National Cyber Forensics and 
Training Alliance and the National White Collar Crime Center.
    So we are working together, and I think that there is more 
occurring than what might otherwise meet the eye, and we are 
moving forward in collaboration both as a Government and with 
the private sector and industry, and with our international 
partners.
    Senator Kyl. Thank you.
    Chairman Cardin. Senator Kaufman.
    Senator Kaufman. Thank you, Mr. Chairman.
    I would like to follow up on Chairman Cardin's question. He 
said, if you do not know you are under attack, how do you 
proceed? I would just like to talk a little bit, Mr. 
Reitinger--and others can chime in--about when you are under 
attack. I was involved with an agency of the Federal Government 
that was under a massive attack. They knew they were under 
attack, and the consultants told them afterwards not to 
publicize it because they were pretty sure it was a hacker and 
that the hacker was looking for attention.
    Now, when you are in a situation when you do not know 
whether it is a hacker, you do not know if it is a foreign 
government, you do not know if it is a terrorist, you do not 
know if it is a criminal, how do you proceed to deal with a 
cyber attack that you have already taken?
    Mr. Reitinger. Generally, the defensive measures that you 
would use would depend less on the source of the attacker and 
more on what the attack looked like and how you would defend 
against it. So there might be a set of defensive protections 
you would use for a denial-of-service attack, a separate set 
for intrusions, and a separate set for something like an 
Internet fraud activity.
    So in all of those cases, we in the Department of Homeland 
Security, the United States Computer Emergency Readiness Team 
or Cyber Emergency Readiness Team, would be responsible for 
working with the department or agency to help them defend their 
networks and to respond to the attack. We in DHS worry less 
about attribution and more about defense.
    In terms of responding to the attack and attribution, that 
sort of activity would be pursued by an entity like the Secret 
Service or the Federal Bureau of Investigation, and so that 
would be an area within their area of responsibility, and 
either we or the Department or the affected department or 
agency would work effectively with them.
    Senator Kaufman. And under no circumstance will you 
publicize the attack or let the public know that there had been 
an attack on the agency?
    Mr. Reitinger. That is not generally our role. That would 
be the department or agency's role. In point of fact, there are 
often reasons not to publicize attacks because it could 
interfere with an ongoing criminal investigation.
    Senator Kaufman. And then if you were an agency, just a 
general agency out there, to kind of follow up on Senator Kyl's 
comment, who would be there to advise you how to proceed?
    Mr. Reitinger. Lots of people could be there to provide 
advice to you on how to proceed. US-CERT could provide and 
would provide advice as part of its overall responsibility to 
help coordinate the security of civilian Government agencies. 
And with regard to law enforcement activity, the FBI or the 
Secret Service, depending upon the particular type of activity, 
could provide advice. So depending upon what had happened, 
different people could provide advice.
    In addition, advice from the private sector can be 
available directly to the agency because they will have 
partnerships and vendors that they work with, and advice from 
the private sector is also available through US-CERT and the 
different partnerships that both DHS has created and the 
sector-specific agencies have created in each of the different 
critical infrastructure sectors.
    Senator Kaufman. Mr. Schaeffer, in your testimony you 
talked about publicizing and the meetings you had and the 
forums and the rest of it. Is there conflict between 
publicizing how people should proceed in order to be prepared 
for cybersecurity and the fact that when you do that, you kind 
of let the bad guys know exactly what you are doing in order to 
stop them?
    Mr. Schaeffer. Well, sir, I think the challenge is how do 
we get everyone up to a certain level of assurance. There is a 
lot that we can state publicly, it is unclassified, a lot that 
we can do to help individuals and system owners harden the 
network environment in which they operate. That is good. That 
is common sense. That is good network hygiene. There are common 
principles that people ought to be using anyway that are quite 
public. And so it does not disclose anything that would help an 
adversary know how to attack a system or intrude upon a system. 
It actually makes that job harder for the individual, raising 
the ante somewhat, causing them to have to resort to more 
sophisticated means to gain entry into a system.
    So the harder we can make the general network environment, 
the easier it is going to be to detect when, in fact, something 
does go wrong, a system has been intruded upon.
    Senator Kaufman. You said in your testimony, you talked 
about the use of proper operating system configurations to 
help. What portion of the problem could be solved if people 
used proper operating system configurations, do you think?
    Mr. Schaeffer. Well, that is a wonderful question. We 
believe that if one institutes best practices, proper 
configurations, good network monitoring, a system ought to be 
able to withstand about 80 percent of the commonly known 
attacks, mechanisms against systems today. But you can actually 
harden your network environment to raise the bar such that the 
adversary has to resort to much, much more sophisticated means, 
thereby raising the risk of detection and so forth.
    Just an example. We are much more in sync now with the 
release of new technology. It was just a couple of weeks ago 
that Microsoft released Windows 7. We have had a longstanding 
relationship in working with Microsoft to help improve the 
security of that operating system, and it was almost coincident 
with the release of Windows 7 that Microsoft also released the 
Security Configuration Guide, thereby enabling users to, out of 
the box, activate about 1,500 security settings that otherwise 
would be turned off.
    And so there is a tremendous amount of capability that is 
enabled through configuring software applications more 
effectively from a security standpoint. Of course, then they 
have to be maintained, and that is the kind of constant 
vigilance that goes along with maintaining a good security 
posture.
    Senator Kaufman. OK. Just one short question, Mr. 
Reitinger. Is there anybody in your Department involved with 
the security of electronic voting machines?
    Mr. Reitinger. I believe we have had some involvement, but 
I need to get back to you.
    Senator Kaufman. Could you get back to me on that?
    Mr. Reitinger. Yes.
    [The information referred to appears as a submission for 
the record.]
    Senator Kaufman. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Cardin. I would just comment, 80 percent against 
an attack on our country would be, I think, unacceptable. But I 
understand the challenges that we are facing, but leaving a 20-
percent risk factor is still a high risk factor.
    Senator Kaufman. I wonder what it is right now.
    Chairman Cardin. I am sure it is much higher.
    Senator Kaufman. The point is if we get to 80 percent they 
have to expose themselves more. It is not just that it is 80 
percent--obviously, we want to be 100 percent. But if they are 
80 percent, what you are basically saying, Mr. Schaeffer, if I 
am right, is that in order to pierce a wall that is 80 percent, 
they have to expose themselves more, and it makes it easier to 
catch them. So that 80 percent is more than just like our 
normal getting 80 out of 100. It presents them with a bigger 
problem, and then they have to show more what they are about in 
order to----
    Chairman Cardin. I think that is a very good point. I guess 
my point is that we would never prepare a defense budget based 
upon an 80-percent effectiveness. So it is----
    Senator Kaufman. I totally agree with you. I totally agree 
with that.
    Chairman Cardin. Senator Whitehouse.
    Senator Whitehouse. Thank you, Chairman Cardin.
    Are all of you or any of you satisfied with the existing 
legal structure within which you are presently operating?
    Mr. Baker. Senator, that is a complicated question. I think 
the answer to it is no.
    Senator Whitehouse. Does anybody disagree? Are there any 
yeses on the panel?
    [No response.]
    Senator Whitehouse. OK. Nobody is satisfied. That said, can 
we expect administration legislative proposals at some point?
    Mr. Baker. As I mentioned in my opening remarks, we are 
very eager to work with Congress----
    Senator Whitehouse. Being eager to work with us and having 
a proposal are two different things.
    Mr. Baker. We do not have a proposal today. We are 
definitely debating these kinds of issues inside the 
administration. But as I mentioned in my opening remarks----
    Senator Whitehouse. With a view----
    Mr. Baker. I beg your pardon?
    Senator Whitehouse. With a view toward preparing proposals?
    Mr. Baker. With a view to deciding whether we should 
propose changes and, if so, how, because we do not want to mess 
up, to put it bluntly, the existing authorities that we have 
that provide a huge amount of capability to collect both law 
enforcement information and foreign intelligence information 
and, importantly, protect civil liberties and privacy. So we do 
not want to make mistakes because this area is so complicated, 
as you know from your debates about the FISA amendments that 
the Chairman referenced earlier, that is a very complicated 
area. This area is equally as complicated. There are many 
statutes you have to consider, and not only Federal statutes 
but also you have to consider State law, foreign law, and 
international law, because these are things that impact this 
area as well with respect to the private sector in particular.
    So it is a complicated area, and we are very cognizant of 
the need to review these authorities closely and make sure that 
we are doing the best that we can today.
    Senator Whitehouse. By what process will that analysis be 
undertaken?
    Mr. Baker. Well, there is this interagency process that I 
mentioned before with all of the different agencies that have 
equities in this area, and it will proceed, I believe, in the 
normal--you know, once proposals are developed, it will proceed 
in the normal interagency process. Everybody gets a chance to 
look at what the proposals are and make sure that we are not 
doing anything one way or the other that is not effective or 
will not be effective.
    Senator Whitehouse. But the original development of those 
proposals would be through the interagency process led by the 
National Security Council that you have looked at?
    Mr. Baker. I think that is fair to say, Senator, yes. DOJ 
plays an active role in that process. We have got all the 
different--I mean, every one of these agencies has a General 
Counsel's office that are reviewing these things. So I think 
that is fair to say, yes.
    Senator Whitehouse. Would you be the lead agency for that 
effort?
    Mr. Baker. DOJ is always the lead agency when it comes to--
we obviously play a key role in reviewing the legal authorities 
with the legal advisers from the National Security Council, 
Homeland Security Council, all the different General Counsel's 
offices representing the agencies that are here today, plus 
more.
    Senator Whitehouse. Everybody else agreed? I think your 
microphone may not be on.
    Mr. Reitinger. Sorry. It seems to be a problem I have got 
today. As Mr. Baker indicated, the Cyberspace Policy Review, 
the work that led to that, identified a number of legal issues, 
and those are all under examination, including the various 
authorities that agencies have and whether or not we--whether 
the administration would want to propose things. I believe the 
process would be essentially as he says, with agencies looking 
at their own needs and working through the interagency process 
to propose things, if called for, to Congress.
    Senator Whitehouse. On a separate aspect of this topic, the 
problem of attribution is one that I think every witness has 
mentioned during the course of this hearing, which, of course, 
on the flip side is the problem of deniability by the sponsor 
of the attack, which inhibits deterrence as a countermeasure by 
our country.
    However, even where attribution through the maze of servers 
and electronic connections out there cannot be specifically 
established, the fact that a fighter plane's systems have been 
hacked and are particularly useful to one particular country or 
that very significant code developed by the American private 
sector appears verbatim in the code of competitors in another 
country and you can sort of connect the dots at that point. And 
it is a little bit beyond a pure law enforcement matter because 
you may not be able to actually prove all the way through, and 
if it is a Government act, it is a little hard to get the 
Government in a court of law.
    What are you all doing to--what is being done to build a 
foundation for diplomatic dialogue with the nations that are 
most responsible for the massive, persistent, and aggressive 
waves of cyber attack that we are experiencing in a more 
general way? There is a point where you can say, ``Look, OK, 
you are not doing it. Sure. If it continues to happen, here are 
the consequences.'' That is something that can really only be 
done at a diplomatic nation-to-nation level. I know the 
President is in China now. Where are we in terms of trying to 
push back diplomatically against foreign sovereign-sponsored 
cyber attack?
    Mr. Reitinger. Let me briefly answer that question, sir, 
and then turn to the question of attribution, if I might, 
because you raised a number of points there that I think it 
would be important to touch on.
    One of the action items coming out of the Cyberspace Policy 
Review, another one of them, was specifically to develop more 
focus on what the right international framework is here, and, 
clearly, we need both closer relationships with allies and 
overall an approach to how we are going to have a secure global 
ecosystem going forward. So that is an area of focus, and work 
is going on interagency right now about the right international 
approach.
    The other thing, I wanted to turn briefly to attribution, 
because you talked a little bit about that at the start. 
Obviously, actually attributing conduct is not clearly a role 
of the entities that report up to me, like the United States 
Cyber Emergency Readiness Team, US-CERT. That is more a role 
for, for example, the Department of Justice and the FBI.
    But there is another side to attribution which I think does 
go to what you are talking about, sort of the positive 
attribution, not where you want to say, ``I have been attacked. 
Who did it?'' but, ``I only want to let in people into my 
systems when they have proven who they are.'' So that is more 
about authorization and authentication.
    Another action item coming out of the policy review--and if 
you talk about broadly cutting out avenues of attack, there is 
little that we could do that would be more effective than 
enabling broad, voluntary, interoperable authentication with 
privacy protections built in at the start so it is much easier 
to defend your systems and your perimeter and only let in the 
people, the software, or the devices that you want to.
    Senator Whitehouse. My time has expired. Thank you, 
Chairman.
    Chairman Cardin. Thank you.
    Just following up on Senator Whitehouse's point on the 
protection of privacy in our current laws, there has been the 
implementation of the EINSTEIN I, II, and now III, which is 
being used by our agencies to protect against cyber attacks. As 
I understand it, it has the capacity of obtaining personal 
information from innocent Americans. And I guess my question to 
you, Mr. Baker, is: Are you satisfied that the current 
implementation of these countermeasures is consistent with our 
privacy laws and that minimization is being used to prevent the 
dissemination of information that is otherwise protected?
    Mr. Baker. Thank you, Senator. As the Committee knows, we 
have done an extensive legal analysis of the EINSTEIN II 
initiative and made available the OLC opinions regarding--two 
OLC opinions regarding that matter which are publicly available 
on OLC's website. So our analysis of that program is that it 
does comply with the Fourth Amendment and with the various 
statutory requirements. It meets the various statutory 
requirements that are out there.
    In terms of minimization and use of the information and so 
on, I mean, there are procedures in place, as reflected, I 
think, in the Department of Homeland Security's privacy impact 
statement or assessment with respect to EINSTEIN II, that 
describe the kinds of procedures and policies that they 
implement to ensure that information regarding--personally 
identifiable information or other information generated from 
that program are handled appropriately. And so I believe that 
we are satisfied with that to date.
    Chairman Cardin. And EINSTEIN III, as I understand it, is 
now in the process of being developed and implemented?
    Mr. Baker. I will defer to Mr. Reitinger on the description 
of EINSTEIN III, but----
    Chairman Cardin. The Department of Justice has not had any 
impact on III?
    Mr. Baker. The Department of Justice has conducted a legal 
analysis of EINSTEIN III. I am not able to describe that or 
discuss that in this setting today, but we have conducted such 
an analysis and, I believe, made that available to committees 
of the Congress.
    Chairman Cardin. Mr. Reitinger.
    Mr. Reitinger. Thank you, Mr. Chairman. Obviously, EINSTEIN 
I and EINSTEIN II are in deployment. EINSTEIN III is still in 
development. We are working closely with our partners in 
Government, including the Department of Justice, on what that 
ought to look like and how we can best protect privacy. I can 
spend more time describing the protections for privacy in 
EINSTEIN II. Mr. Baker touched on them, but they are fairly 
broad. They include policy and procedure. As our Privacy Impact 
Assessment described, how we collect information, when we 
retain and how we retain information, and how it is disclosed.
    It includes training. We provide training to those 
responsible in US-CERT for operating the EINSTEIN system. There 
are three levels of training in the Department of Homeland 
Security: general privacy training, specific training for those 
who conduct the EINSTEIN system, and going forward, there will 
be specific training on EINSTEIN III.
    Oversight mechanisms, both the Office of Privacy and the 
Office of Civil Rights and Civil Liberties and other components 
of the Department of Homeland Security can provide oversight 
into the mechanisms that are used. And, in addition, within the 
Office of Cybersecurity and Communications, there is an 
identified compliance and oversight officer whose job it is to 
ensure compliance with the rules.
    And, last, there is transparency. I think we have received 
some praise for the fact that we have gone forward and been 
forward leaning with our Privacy Impact Assessments for 
EINSTEIN I and II, and it is our intention to be as transparent 
as possible consistent with the need for secrecy in some areas.
    Chairman Cardin. Let me go back to Senator Whitehouse 
again. On EINSTEIN III, the Department of Justice, is that one 
of your concerns about the current legal structure being 
adequate? Or are you able to work through EINSTEIN III within 
the current legal framework?
    Mr. Baker. I think, Senator, I am not able to describe the 
legal analysis with respect to EINSTEIN III in detail today, 
but what I will just--I will say that, as I describe, there is 
a range of statutes--the Fourth Amendment, obviously, and then 
the range of statutes that apply in this area. So anytime you 
are doing anything with electronic communications, storage, 
transit, however it--I am not speaking about EINSTEIN III in 
particular, but any type of program, you have to go through a 
whole range of different issues that you have to analyze. So it 
is complex in that sense. The statutes are complex. The legal 
regime is complex. And, therefore, the analysis is complex.
    If I could just amend my comments from before, with respect 
to EINSTEIN II, there are still discussions that are going on 
with respect to the procedures of handling some of the data, in 
particular data that comes into the Department of Justice, for 
example, from a variety of different sources. So not all of the 
privacy issues with respect to EINSTEIN II have been resolved. 
There is still work going on in that regard, so I just wanted 
to note that.
    Chairman Cardin. And just following up on Senator 
Whitehouse, this Committee is very interested in understanding 
the legal challenges, both in obtaining the information you 
need and protecting the privacies. And if this is not the right 
forum to talk about it, we invite an opportunity to review it.
    Now, Senator Whitehouse also serves on the Intelligence 
Committee, so he is in a position where he can obtain 
information both through the Intelligence Committee and the 
Judiciary Committee.
    Senator Whitehouse. Usually a day or so after the New York 
Times gets it.
    [Laughter.]
    Chairman Cardin. Senator Kyl.
    [Pause.]
    Chairman Cardin. If our colleagues are agreeable, we are 
going to dismiss this panel and go to the second panel because 
we are told it is likely to be votes starting soon. Thank you 
all very much for your testimony.
    Chairman Cardin. Our second panel consists of Gregory 
Nojeim, who is the senior counsel at the Center for Democracy & 
Technology and the director of its project on freedom, 
security, and technology. In this capacity, he conducts much of 
CDT's work in the area of national security, terrorism, and 
Fourth Amendment protections. He is also co-chair of the 
Coordinating Committee on the National Security and Civil 
Liberties of the Individual Rights and Responsibilities Section 
of the American Bar Association.
    Larry Clinton is president and CEO of the Internet Security 
Alliance. He is a member of the experts panel created by the 
General Accounting Office at the request of the House Committee 
on Homeland Security to assess and make recommendations to the 
Obama administration on cybersecurity.
    Larry Wortzel is Vice Chairman of the U.S.-China Economic 
and Security Review Commission. He is a retired Army colonel 
who served two tours of duty as a military attache in China. 
For 25 years of his 32-year military career, Dr. Wortzel was an 
intelligence officer.
    If you all would please rise so I can swear you in. Do you 
affirm that the testimony you are about to give before the 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you God?
    Mr. Nojeim. I do.
    Mr. Clinton. I do.
    Mr. Wortzel. I do.
    Chairman Cardin. Thank you all very much. Without 
objection, your entire statements will be made a part of the 
Committee record. You may proceed as you see fit, starting with 
Mr. Nojeim.

 STATEMENT OF GREGORY T. NOJEIM, SENIOR COUNSEL AND DIRECTOR, 
PROJECT ON FREEDOM, SECURITY & TECHNOLOGY, CENTER FOR DEMOCRACY 
                  & TECHNOLOGY, WASHINGTON, DC

    Mr. Nojeim. Thank you, Chairman Cardin, Ranking Member Kyl, 
members of the Subcommittee. Thanks for the opportunity to 
testify about cybersecurity and civil liberties on behalf of 
the Center for Democracy & Technology. CDT is a nonprofit, non-
partisan organization dedicated to keeping the Internet open, 
innovative, and free.
    The United States faces significant cybersecurity threats. 
Computer hackers have penetrated Government systems and have 
stolen massive amounts of sensitive information. They have 
penetrated financial networks and have stolen millions of 
dollars. While the need to act is clear, it is essential that 
we take a nuanced and incremental approach. We ask that you 
keep a key distinction in mind as you go forward. Policy toward 
Government systems can be much more prescriptive than policy 
toward private systems.
    The characteristics that have made the Internet 
successful--openness, decentralization, user control--they may 
be put at risk if heavy-handed cybersecurity mandates are 
applied to all critical infrastructure.
    When he unveiled the White House Cyberspace Policy Review 
on May 29, President Obama correctly emphasized that the 
pursuit of cybersecurity must not include governmental 
monitoring of private networks. Monitoring these systems is the 
job of private sector communications providers. They already do 
it today pursuant to self-defense provisions in current law. 
The Wiretap Act allows communications providers to intercept, 
use, and disclose--to both their peers and to the Government--
communications passing over their networks while they are 
engaged in activity necessary to protect their own rights and 
property. ECPA provides similar authorities for disclosure of 
stored communications. Furthermore, the Wiretap Act allows 
service providers to invite in the Government to intercept the 
communications of computer trespassers. These provisions do not 
authorize ongoing or routine disclosure of traffic by the 
private sector to the Government, nor should they. The 
Subcommittee should consider whether it is necessary to clarify 
these provisions and to require public statistical reporting on 
their use.
    While current law authorizes providers to make disclosures 
to protect themselves, what about disclosures to protect 
others? There might be a need for a very narrow exception to 
the Wiretap Act and to ECPA to permit providers to make 
voluntary disclosures about specific attacks and malicious code 
to protect other providers. We urge the Subcommittee to 
approach this issue very cautiously, for exceptions intended to 
promote information sharing could end up harming privacy.
    While the private sector protects its systems, the Federal 
Government clearly has responsibility to monitor and protect 
its own systems. Caution and transparency are both required to 
avoid chilling communications that Americans have with their 
Government. The DHS EINSTEIN system is being deployed by 
Government agencies to protect Government computers against 
attack. CDT does not object to this in principle. However, 
independent audits should be required to ensure that EINSTEIN 
does not inadvertently access private-to-private 
communications. Audits could also ensure compliance with strict 
limits on how much information is collected, with whom it is 
shared, and for what purposes.
    We do, however, object to the secrecy that has shrouded the 
EINSTEIN Program. Notwithstanding the OLC opinions and the 
Privacy Impact Assessment that have been released, much more 
needs to be known about the program. Excessive secrecy 
undermines public trust and communications carrier 
participation, both of which are essential to the success of 
this and other cybersecurity initiatives.
    On the question of identity and authentication, some have 
proposed sweeping identification mandates, including even a 
passport for using the Internet. Identification and 
authentication will likely play a significant role in securing 
critical infrastructure. They should be applied judiciously, to 
specific high-value targets, and to high-risk activities and 
allow for multiple identification solutions.
    Privacy and security cannot be viewed as a zero-sum game. 
Measures intended to increase communications security need not 
threaten privacy and, indeed, they can enhance it. CDT looks 
forward to working with the Subcommittee to identify and 
promote these win-win solutions.
    Thank you.
    [The prepared statement of Mr. Nojeim appears as a 
submission for the record.]
    Chairman Cardin. Thank you very much for your testimony.
    Mr. Clinton.

   STATEMENT OF LARRY CLINTON, PRESIDENT, INTERNET SECURITY 
                 ALLIANCE, ARLINGTON, VIRGINIA

    Mr. Clinton. Thank you, Mr. Chairman, Mr. Kyl, Senator 
Whitehouse. The Internet Security Alliance is a trade 
association of major business users of Internet security 
services, so we represent banks, defense companies, IT, 
telecom, traditional manufacturers, pretty much anybody who 
uses the Internet. ISA's mission is to integrate advanced 
technology with the pragmatic business imperatives of the 
owners and operators of the system, which is primarily the 
private sector, and coordinate that with what we hope will be 
enlightened public policy to create a sustained system of 
cybersecurity.
    In November of 2008, ISA published its policy 
recommendations for the 111th Congress, the social contract 
document, which we hope to provide that sort of overarching 
strategy that I think the Chairman was asking about initially. 
We were delighted when President Obama came out with his 
Cyberspace Policy Review in May of 2008 because the first thing 
he quoted was our social contract document, and they cited 
about a dozen other documents of ours in terms of their report. 
Naturally, the ISA supports the President's position for three 
reasons.
    First, the administration recognizes that cybersecurity is 
as much an economic issue as it is a technical issue. That is, 
by the way, we are not reaching that 80 percent we discussed 
during the first panel.
    Second, the administration advocates the development of 
market incentives to improve private sector behavior with 
regard to cybersecurity.
    Third, the President himself said that he will not be 
supporting mandated cybersecurity standards for the private 
sector. This last point is important because, as we argue in 
detail in our written testimony, federally mandated 
cybersecurity standards not only would not work, but they will 
be seriously counterproductive to our National economic 
interests and our National security interests.
    On December 3rd, we are going to be releasing a new 
publication detailing specific steps to move from broad 
principles of agreement to implementation. However, given the 
short amount of time I have with the Committee today, I want to 
focus on the one issue that I believe is most important for the 
Committee to appreciate if it is going to legislate in the 
cybersecurity space, and that is, in order for us to achieve a 
sustainable system, we must fundamentally change the economic 
equation with regard to cybersecurity.
    The dispiriting realization with regard to cybersecurity 
economics is that all of the current incentives favor the 
attackers. Cyber attacks are comparatively cheap and easy to 
execute. The profits that can be generated from cyber attacks 
are enormous. The cyber defense perimeter is nearly limitless. 
Costs are difficult to calculate. Defense is expensive. It 
often does not generate return on investment.
    Now, most of us in this room today are what demographers 
are now calling digital immigrants, meaning that unlike my 
teenaged children, we were not born into the digital world that 
we now inhabit. Perhaps it is because cybersecurity economics 
is so foreign to us and is poorly understood at the consumer, 
national, and corporate levels.
    For example, many consumers have a false sense of security 
due to their belief that most of the financial impact resulting 
from a loss of personal data will be fully covered by corporate 
entities, like the banks. In fact, much of these losses are 
transferred back to consumers in the form of higher interest 
rates and consumer fees. During the first panel, we talked 
about the prospect of a potential cyber hurricane, and the 
Federal Government does not seem to realize that you are the de 
facto insurer of last resort. All of financial risk management 
is laid at the Federal Government's steps right now because there 
is virtually no private cyber insurance market to help you.
    Meanwhile, most of our corporate and Government structures 
are built on outdated models wherein the owners of the data do 
not understand themselves to be responsible for the defense of 
the data. The marketing department has data, the finance 
department has data, et cetera, et cetera, but they think the 
security of the data is the responsibility of the IT guys at 
the end of the hall. As a result, the financial risk management 
of cyber events across enterprise settings is not properly 
analyzed, not properly appreciated, and cyber defense is not 
adequately budgeted. The interaction of these factors may be at 
the root of the finding of the 2009 PricewaterhouseCoopers 
Global Information Security Study, which pointed out that, 
despite the increasing publicity about the dangers of cyber 
incursions, nearly half--47 percent--of all enterprises are 
actually reducing or deferring budgets for information security 
initiatives. The ISA Social Contract, like the administration's 
Cyberspace Policy Review, argues that what will be required to 
address this issue is for the public sector to deploy market 
incentives to motivate private investment for the purposes of 
protecting the public interest.
    Now, the good news, as we discussed during the first panel, 
is that the research shows that between 80 to 90 percent of 
cyber breaches could be prevented if we simply adopted the 
standards, practices, and technologies that we already have. 
The problem is we are not doing it.
    The Government is charged with the responsibility to 
provide for the common defense, but in the cyber world, 
Government cannot do this alone. They will require the private 
sector cooperation and investment. While some of that 
investment will come from corporations serving their own 
private security needs, the extent of investment required to 
serve the broader public needs due to some of the unique 
aspects of cyber economics I just described will not be done.
    In our written testimony, we provide a fairly comprehensive 
proposal how we can create a modern, sustainable, effective 
system of cybersecurity. However, to do this, we digital 
immigrants, including Members of Congress, may have to learn 
some new rules and some new language to manage this new world. 
We believe we can do it together.
    Thank you, sir.
    [The prepared statement of Mr. Clinton appears as a 
submission for the record.]
    Chairman Cardin. That gives us another reason for 
immigration reform.
    Dr. Wortzel.

STATEMENT OF LARRY M. WORTZEL, PH.D., VICE CHAIRMAN, U.S.-CHINA 
    ECONOMIC AND SECURITY REVIEW COMMISSION, WASHINGTON, DC

    Mr. Wortzel. Chairman Cardin, Ranking Member Kyl, thanks 
for giving me the opportunity to testify today.
    Our Nation's critical infrastructure, economy, defense 
information, and citizens are threatened by hackers, 
terrorists, and hostile foreign intelligence services. 
Preventing computer network penetration and pursuing those who 
attack us while preserving privacy is a challenge. But I have 
to say our intelligence and law enforcement agencies have been 
recently successful in preventing terrorist attacks and 
detecting espionage because of the Foreign Intelligence 
Surveillance Act and the PATRIOT Act. I think with good 
legislation, vigorous oversight by Congress, and attention from 
the White House, our intelligence and law enforcement 
authorities can accomplish much in protecting America's 
computer networks.
    In my remarks, I will make reference to the report Senator 
Kyl mentioned by the U.S.-China Economic and Security Review 
Commission on China's capability to conduct cyber warfare and 
penetrate and exploit computer networks. The report's findings 
are relevant to securing critical infrastructure and preventing 
cyber attacks. And the lessons learned by preventing intrusions 
from China apply to all other forms of intrusions.
    In addition to discussing the Commission's findings about 
cybersecurity, I am going to provide my personal views, 
informed by my experience as an Army intelligence officer and 
my own research on the subject at The Heritage Foundation.
    I think we can do better in some areas. I do not believe 
that the Computer Fraud and Abuse Act, even as amended by the 
PATRIOT Act, is sufficient to address some critical issues. One 
of these is the right of private response by individuals or 
corporations that may choose to retaliate against cyber 
intruders.
    As our Commission's report documents, there have been 
significant penetrations of critical infrastructure, defense 
contractors, and Government cyber networks, including those of 
the Department of Defense and Congress. The Commission 
recommended that Congress respond by evaluating the 
effectiveness and the resources available for law enforcement 
and the intelligence community. Among the most important 
objectives should be developing reliable attribution techniques 
to determine the origin of computer intrusions. The Commission 
also recommended that Congress urge the Obama administration to 
develop measures to deter malicious Chinese cyber activity.
    In a recent editorial, I pointed out that Government and 
private industry are still in a reactive posture to cyber 
intrusions and cyber espionage. And as yet, there is no fully 
coordinated Government and industry response. I think President 
Obama made a good start with the 60-day cyber review, but there 
still is no permanent cybersecurity coordinator at the White 
House, as recommended in its own review. Efforts to coordinate 
standards and policies across Government and in the private 
sector appear stalled without senior leadership in the National 
Security Council.
    That said, I think President Obama was wise to incorporate 
the Homeland Security Council staff into the National Security 
Council. I think the National Security Act of 1947 is a fine 
model for the executive branch to address these things. I think 
with proper staffing in the White House, attention from the 
National Security Adviser, and the leadership in NSC meetings 
of the cabinet Secretary of the lead Department in the 
Executive branch, a unified, well-led effort can bring together 
the agencies of the Government and coordinate cybersecurity 
with allies and private industry. Also, creating the U.S. Cyber 
Command is an outstanding initiative within the Department of 
Defense.
    Now, there is still debate about what agency should lead 
cyber efforts and set standards. I think the Department of 
Homeland Security can help coordinate these with state and 
local governments as well as private industry.
    I believe the lead agency for the Government response, 
however, should be the National Security Agency. NSA has a 
strong institutional culture of adherence to the Foreign 
Intelligence Surveillance Act. Its personnel are trained to 
protect the privacy and rights of American persons. No agency 
has the decades of experience the National Security Agency has 
in conducting operations in the electronic and cyber realms; 
its personnel are skilled and superbly trained; it has broad 
international contacts with allies and friendly governments; 
and it has wide contacts in the private sector. Also, it has 
got a cadre of highly skilled linguists who are able to work in 
the languages associated with foreign intrusions.
    In closing, I think the Government should be able to set 
standards for private industry associated with the National 
Industrial Security Program. And with respect to our critical 
infrastructure, I think it would behoove us to insist on 
certain standards, particularly on things like utilities.
    Thank you, gentlemen.
    [The prepared statement of Mr. Wortzel appears as a 
submission for the record.]
    Chairman Cardin. Thank you for your testimonies. We will 
start with Senator Kyl.
    Senator Kyl. Thank you. Why don't I just take a couple of 
minutes here, because our first vote has started, and I want to 
apologize to all three of you. I found all of your testimony 
very important and useful, and it may be that we will want to 
follow up with some questions, if that is all right with you, 
because in about 10 minutes we will have to go to the vote.
    I am still fixated a little bit on this question of who 
should lead the effort, and let me start, because you raised 
the question right at the end, Mr. Wortzel. You indicated you 
thought NSA would be the best to lead the overall effort, and 
if you could just give me about one more minute on that.
    And then, Mr. Clinton, given that the interface with a lot 
of business is through the Department of Homeland Security, as 
you mentioned, how would that fit into an NSA with an overall 
lead?
    And maybe, Mr. Nojeim, are there any concerns that you have 
with that kind of a structure, especially since another 
alternative would be military? But it seems to me that the 
Defense Department has its own kind of separate thing to do, 
but correct me if I am wrong.
    Dr. Wortzel.
    Mr. Wortzel. Senator, I think you are absolutely right. 
With respect to the National Security Council, I tend to ask a 
couple of questions to assess what the NSC might be doing.
    First of all, there is no permanent senior director for 
cyber matters on the NSC. It looks like the acting senior 
director is pretty well qualified for what he is doing. He 
comes out of the Department of Justice. But the White House 
needs to finalize this selection.
    Now, the question looking at the NSC structure and 
effectiveness ought to focus on what happens if a deputies 
Committee meeting is held to make the highest-level 
recommendations to the President on cyber issues. What 
executive and department cabinet agency's deputy chairs it? I 
do not have the answer to that.
    And I think the second question we should be asking is: 
Right now what is the highest level of executive out of the 
executive branch that has attended or chaired an NSC meeting on 
cyber issues? I am not even certain it is getting the right 
attention.
    Now, I think no agency has better expertise maybe in the 
world than the National Security Agency broadly on electronic 
operations and operations in the electromagnetic spectrum. But 
at the NSC, the cabinet deputy chairing meetings should probably 
be the Deputy Attorney General. This puts the proper focus on 
privacy issues. I do not know if that is happening.
    My own experience was as a very junior person with the 
senior interagency groups in the Reagan NSC. When we worked on 
counterintelligence matters, the Attorney General led it. When 
we worked on intelligence matters at the time, it was the CIA 
Director.
    So I do not know what is happening on the NSC now. I do not 
see anything publicized about the processes. But those are the 
questions that have to be asked of the executive branch. I just 
do not think it is getting the right attention.
    Mr. Clinton. Senator, let me first start by commenting that 
I spend a lot of time suggesting that Members of Congress 
should not be telling the private sector how it should organize 
itself, so I am reluctant to tell the Federal Government how it 
should be organizing itself.
    I think that the overall question, I would agree with Mr. 
Wortzel, about the need for attention is very important, and we 
think that the overall approach that the President articulated 
in May is correct in that the new cyber coordinator is supposed 
to have a dual-hatted responsibility both to the National 
Security Council and to the National Economic Council.
    We think that this notion that cybersecurity is both a 
national security and a national economic security issue is 
critical. And so I would worry about turning over to NSA the 
leadership of this because I do not think that they take that 
sort of perspective. They have a very legitimate perspective, 
but I do not think it is that perspective.
    I would also point out, as we indicated, we quote I think 
three different sources in our written testimony, and then NSA 
actually said in the previous panel that the vast majority of 
this stuff we already know how to do. He was saying 80 percent. 
Our research indicates up to 90 percent. So we do not need 
necessarily people to come up with in the main new programs and 
new--we know how to do a lot of this. We are just not doing it. 
Virtually everybody agrees on that.
    Now, the other 10 to 20 percent of the problem, that is, 
like, really hard stuff, you know, and we definitely need a lot 
of work with the NSA on that. The supply chain issues are 
enormous. There is a lot of work that needs to be done over 
there.
    But in terms of creating the overall system, which is what 
we need, we need, as digital immigrants, as I say, we guys of 
our age quartile need to rethink how we are doing this. We 
cannot do this through cold war-era structures. And that is 
what we have now. We have the Department of Commerce, we have 
the Department of Justice. We are in these old structures. This 
does not make sense in the Internet age. We need to rethink 
this, and we need to rethink the approach.
    So in the short term, I am happy with NSA doing a great 
deal of work on that other 10 percent. I would be reluctant to 
see them from their perspective take the leadership on the 
overall effort. My sense is that that should be run in a dual-
hatted capacity out of the White House with a lot of work from 
DHS as well as, frankly, the Department of Commerce.
    Chairman Cardin. Thank you.
    Mr. Nojeim. May I add to those comments? Senator Kyl, I do 
not think NSA wants that role. The head of the NSA already said 
that it does not want to be in charge of cybersecurity. NSA 
might have particular expertise in finding attacks and 
identifying attacks. It can share that expertise with other 
agencies, civilian agencies, such as DHS. DHS has a lot of 
history in this area. It is not all good history. But it has 
got some new leadership, and I think you can have a lot of 
confidence in Phil Reitinger and his team. They seem to be 
tackling issues that had been left open for a while.
    And I should add--I would be remiss if I did not--that NSA 
has certain baggage that it would bring to a leading role in 
the effort to secure civilian systems that other agencies do 
not have, including the warrantless wiretapping program.
    Thank you.
    Chairman Cardin. Senator Whitehouse.
    Senator Whitehouse. Thank you. Given the status of the 
vote, I would probably make this a question for the record so 
that I do not keep us late. But I would like you, Mr. Nojeim, 
to get back to me on the boundary that you suggest between the 
provider-driven security measures in the private sector versus 
the Government-run national security protection measures. In 
light of what I would consider to be three--well, let us not 
call them ``facts''--observations.
    One, if, in fact, NSA has technical capabilities beyond 
those of the providers, why should you be relying on the 
providers in areas where NSA actually has greater capability?
    Why should it be satisfactory to have NSA only brought in 
by the providers on an invite-in basis in circumstances in 
which the providers might not even know that a particularly 
sophisticated attack is underway through their systems, but NSA 
might?
    And, finally, how can the relationship between the 
providers and NSA be anything but ongoing and routine when 
cyber attack is constant and unremitting? It is not like, OK, 
we are having some cyber attacks today and we will call in NSA, 
but today is a good day, we are not having cyber attacks today, 
so we do not need them.
    We are under a constant, massive, unremitting barrage of 
cyber attack, and I do not see how you get out of ongoing and 
routine in that context.
    Mr. Nojeim. I will be happy to respond for the----
    Senator Whitehouse. I do not think we have time because of 
the vote.
    Chairman Cardin. If you could do it for the record, I think 
we would appreciate that. Unfortunately, there are a series of 
votes on the floor of the Senate; otherwise, we would try to 
keep the hearing moving forward. I think the point that Senator 
Whitehouse has raised, though, is of interest to all of us, so 
we would appreciate not just you, Mr. Nojeim, but if all of you 
would respond, we would appreciate it.
    [The information referred to appears as a submission for 
the record.]
    Chairman Cardin. Mr. Clinton, I think your point about the 
economic issues is a very important point. I am curious as to 
how we can try to adjust that in the private sector and would 
welcome, I guess, more thoughts as to how we can adjust that. 
And, Dr. Wortzel, I think your comments about how we try to 
coordinate this is vitally important to our country.
    We will keep the record open for additional questions by 
members of the Committee, and we thank all three of you for 
your testimony. It is a continuing effort, so we will look 
forward to your continued involvement as we try to get this 
right for our Nation.
    With that, the Subcommittee will stand adjourned.
    [Whereupon, at 11:45 a.m., the Subcommittee was adjourned.]
    [Questions and answers and submissions for the record.]
