[Senate Hearing 111-664]
[From the U.S. Government Publishing Office]

S. Hrg. 111-664

CYBERSECURITY: PREVENTING TERRORIST ATTACKS AND PROTECTING PRIVACY IN CYBERSPACE

=======================================================================

HEARING

before the

SUBCOMMITTEE ON TERRORISM AND HOMELAND SECURITY

of the

COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE

ONE HUNDRED ELEVENTH CONGRESS

SECOND

__________

NOVEMBER 17, 2009

__________

Serial No. J-111-62

__________

Printed for the use of the Committee on the Judiciary

----------

U.S. GOVERNMENT PRINTING OFFICE
61-662 PDF                       WASHINGTON : 2010

----------

PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 JEFF SESSIONS, Alabama
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
RUSSELL D. FEINGOLD, Wisconsin       CHARLES E. GRASSLEY, Iowa
CHARLES E. SCHUMER, New York         JON KYL, Arizona
RICHARD J. DURBIN, Illinois          LINDSEY GRAHAM, South Carolina
BENJAMIN L. CARDIN, Maryland         JOHN CORNYN, Texas
SHELDON WHITEHOUSE, Rhode Island     TOM COBURN, Oklahoma
AMY KLOBUCHAR, Minnesota
EDWARD E. KAUFMAN, Delaware
ARLEN SPECTER, Pennsylvania
AL FRANKEN, Minnesota
Bruce A. Cohen, Chief Counsel and Staff Director
Matt Miner, Republican Chief Counsel

------

Subcommittee on Terrorism and Homeland Security

BENJAMIN L. CARDIN, Maryland, Chairman
HERB KOHL, Wisconsin                 JON KYL, Arizona
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHARLES E. SCHUMER, New York         JEFF SESSIONS, Alabama
RICHARD J. DURBIN, Illinois          JOHN CORNYN, Texas
AL FRANKEN, Minnesota                TOM COBURN, Oklahoma
EDWARD E. KAUFMAN, Delaware
Bill Van Horne, Democratic Chief Counsel
Stephen Higgins, Republican Chief Counsel

C O N T E N T S

----------

STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page
Cardin, Hon. Benjamin, a U.S. Senator from the State of Maryland .......  1
    prepared statement .................................................. 85
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona ................  3
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, prepared statement ... 114

WITNESSES

Baker, James A., Associate Deputy Attorney General, Office of the Deputy Attorney General, U.S. Department of Justice, Washington, DC ...  4
Chabinsky, Steven R., Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, U.S. Department of Justice, Washington, DC ... 10
Clinton, Larry, President, Internet Security Alliance, Arlington, Virginia ... 26
Nojeim, Gregory T., Senior Counsel and Director, Project on Freedom, Security & Technology, Center for Democracy & Technology, Washington, DC ... 25
Reitinger, Philip, Deputy Under Secretary, National Protection and Programs Directorate, Director, National Cyber Security Center, U.S. Department of Homeland Security, Washington, DC ...  6
Schaeffer, Richard C., Jr., Director, Information Assurance Directorate, National Security Agency, U.S. Department of Defense, Fort Meade, Maryland ...  8
Wortzel, Larry M., Ph.D., Vice Chairman, U.S.-China Economic and Security Review Commission, Washington, DC ... 28

QUESTIONS AND ANSWERS

Responses of James Baker to questions submitted by Senators Whitehouse, Feingold, Hatch and Kyl ... 34
Responses of Steven R. Chabinsky to questions submitted by Senators Whitehouse, Hatch and Kyl ... 44
Responses of Gregory T. Nojeim to questions submitted by Senator Whitehouse ... 52
Responses of Philip Reitinger to questions submitted by Senators Whitehouse, Hatch and Kyl ... 56
Responses of Richard C. Schaeffer to questions submitted by Senators Kyl, Hatch and Whitehouse ... 68

SUBMISSIONS FOR THE RECORD

Baker, James A., Associate Deputy Attorney General, Office of the Deputy Attorney General, U.S. Department of Justice, Washington, DC, statement ... 76
Chabinsky, Steven R., Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, U.S. Department of Justice, Washington, DC, statement ... 88
Clinton, Larry, President, Internet Security Alliance, Arlington, Virginia, statement ... 94
Nojeim, Gregory T., Senior Counsel and Director, Project on Freedom, Security & Technology, Center for Democracy & Technology, Washington, DC, statement ... 115
Reitinger, Philip, Deputy Under Secretary, National Protection and Programs Directorate, Director, National Cyber Security Center, U.S. Department of Homeland Security, Washington, DC, statement ... 129
Schaeffer, Richard C., Jr., Director, Information Assurance Directorate, National Security Agency, U.S. Department of Defense, Fort Meade, Maryland, statement ... 141
Wilshusen, Gregory C., Director, Information Security Issues, GAO, and David A. Powner, Director, Information Technology Management, GAO, Washington, DC, joint statement ... 145
Wortzel, Larry M., Ph.D., Vice Chairman, U.S.-China Economic and Security Review Commission, Washington, DC, statement ... 168


CYBERSECURITY: PREVENTING TERRORIST ATTACKS AND PROTECTING PRIVACY IN CYBERSPACE

----------

TUESDAY, NOVEMBER 17, 2009

U.S. Senate,
Subcommittee on Terrorism and Homeland Security,
Committee on the Judiciary,
Washington, DC.

The Subcommittee met, pursuant to notice, at 10 a.m., in room SD-226, Dirksen Senate Office Building, Hon. Benjamin L. Cardin, Chairman of the Subcommittee, presiding.

Present: Senators Cardin, Kohl, Feinstein, Schumer, Durbin, Kaufman, Kyl, Hatch, Sessions, Cornyn, and Coburn.

OPENING STATEMENT OF HON. BENJAMIN L. CARDIN, A U.S. SENATOR FROM THE STATE OF MARYLAND

Chairman Cardin. The Subcommittee will come to order, the Subcommittee on Terrorism and Homeland Security. Our topic today is "Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace."

I must tell you I think this is a very sobering subject. As we have seen the advancement of technology, we have also seen the enhanced risks against our homeland security.

On November the 8th, "60 Minutes" did an exposé on what many of us have feared in the development of cyberspace. It showed that the technology advancement has indeed made our Nation at greater risk. We are vulnerable. We are vulnerable from terrorist attacks against our country using cyberspace. They can steal sensitive information which can compromise our national security. They can, more frighteningly, alter data which is used to run critical infrastructure for this country, information systems, attacking our infrastructure, whether it is our energy grid or whether it is our financial institutions, all causing significant damage to the United States. It can compromise our military assets which are used to defend our Nation.

And it is not just Government that is at risk. It is the private sector also at risk. Financial information can be used to obtain illegal funds. It is the modern-day bank robbers, but they do not have to use hoods and masks and guns and go into banks. They can invade our financial institutions and steal money from the depositors. Identity theft is much more at risk because of technology advancements.

It is not only financial information. It is sensitive information such as health records, and it can be used to extort funds from people in our country.

The Government has a responsibility to protect our Government and its citizens from these attacks, from those who might misuse cyberspace. Also, Government has a responsibility that in its countermeasures it also strikes the right balance between getting the information necessary to protect us from cyber attacks, but also protect the privacy of Americans as well.

President Obama, shortly after taking office, undertook a comprehensive clean-slate review to assess U.S. policies and structures for cybersecurity. Now, some of the conclusions are of interest to this Committee, and I think some are disturbing. One of the conclusions of that review showed that the Federal Government is not organized to address the growing problems of cybersecurity; that there are overlapping agencies' responsibilities; this Nation is at a crossroads; the status quo is no longer acceptable; and that the national dialog on cybersecurity must begin today. I agree with that conclusion.

The study also pointed out the need to appoint a cybersecurity policy officer responsible for coordination of the national cybersecurity policies and activities. In other words, we need a point person that has that responsibility. I know a lot of agencies have this responsibility, but they are at cross-purposes and at times conflicting. The report also indicated we need to designate a privacy and civil liberties official to the National Security Council Cyber Security Directorate.

A point that we certainly will be taking up in this hearing is how do we enhance and protect the civil liberties of the people of this Nation.

The bottom line is that we need to coordinate Government efforts also using the private sector to make sure we are as effective as possible to protect our Nation against this vulnerability.

Well, I am pleased that at today's hearing we have two panels. First we have a panel of Government experts who are responsible for cybersecurity in this country and developing the policies for cybersecurity in this country. And then in the second panel we will hear from the private sector as to how we can coordinate both the private and public sector.

Senator Kyl will be joining us shortly. I notified his staff that I would start immediately at 10 o'clock because there are scheduled votes on the floor of the Senate at around 11:15 to 11:30. Now, in the Senate we do not always adhere to when the scheduled votes are scheduled, but in an effort to try to make sure that we have the maximum time available for asking questions, we started promptly at 10 o'clock.

Our first panel consists of four Government witnesses: James Baker, who was sworn in as the Assistant Deputy Attorney General at the United States Department of Justice in July of 2009. He has worked on numerous national security matters during his career. As a former Federal prosecutor, he worked on all aspects of national security investigations and prosecutions, including particularly the Foreign Intelligence Surveillance Act, FISA, during his 17-year career as an official at the United States Department of Justice from 1990 to 2007.

Phil Reitinger was appointed to serve as Deputy Under Secretary for the National Protection and Programs Directorate on March 11, 2009. In this role, Mr. Reitinger leads the Homeland Security Department's integrated efforts to reduce risks across physical and cyber infrastructure. On June 1, 2009, he also became the Director of the National Cyber Security Center, which is charged with enhancing the security of Federal networks and systems by collecting, analyzing, integrating, and sharing information among interagency partners.

Richard Schaeffer is the Information Assurance Director at the National Security Agency. He is responsible for the availability of products, services, technologies, and standards for protecting and defending our Nation's critical infrastructure systems from adversaries in cyberspace.

And then Steven Chabinsky serves as the Deputy Assistant Director within the FBI's Cyber Division. Mr. Chabinsky recently returned to the FBI after completing a joint duty assignment with the Office of the Director of National Intelligence, where he served as Assistant Director of National Intelligence for Cyber, the Chair of the National Cyber Study Group, and the Director of the Joint Interagency Cyber Task Force.

Before calling on the witnesses, let me yield to Senator Kyl, the Ranking Republican on the Subcommittee.

STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF ARIZONA

Senator Kyl. Mr. Chairman, thank you. I am sorry I missed most of your opening statement, the most important part of the hearing, but I am sure I will get a copy of that and review it. I want to thank the witnesses as well. We have been talking about this hearing for some time. I really applaud you for being able to put together a great panel for us today.

The Federal Government increasingly relies on interconnected information systems for its crucial day-to-day operations, and these systems are ever more subject to cyber crime as well as cyber espionage.

I am concerned in particular about China, a growing threat to U.S. cybersecurity. In a report published last month by the U.S.-China Economic and Security Review Commission, here is what was said: "Increasingly, Chinese military strategists have come to view information dominance as the precursor for overall success in a conflict. China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. Government."

And then the report goes on to say, "In a conflict with the U.S., China will likely use its computer network operations capabilities to attack unclassified DOD and civilian contractor logistics networks in the continental United States and allied countries in the Asia-Pacific Region. The stated goal in targeting these systems is to delay U.S. deployments and impact combat effectiveness of troops already in theater." Just one example of the way that an attack could occur.

Obviously, we do not think the Chinese forces could defeat ours head on head, so they seek another method to gain advantage. And in my view, the U.S. is not adequately countering this serious and growing threat.

During a recent interview on a news program, "60 Minutes," the Director of Technology and Public Policy Program at the Center for Strategic and International Studies said that the U.S. faced a so-called electronic Pearl Harbor in 2007 when an unknown foreign power broke into the computer systems at the Departments of Defense, State, Commerce, and Energy, and probably NASA, and downloaded the equivalent of a Library of Congress worth of information.

During the same news segment, when asked about the possibility that penetrations into U.S. systems had left behind malicious software that could enable future attacks, former Director of National Intelligence Mike McConnell responded, "I would be shocked if we were in a situation where the tools and capabilities and techniques had not been left in U.S. computer and information systems." So, obviously, he is concerned as well.

As with the threat from terrorism, our Government must use all tools available to address this threat and protect our citizens and way of life. A key challenge in this regard is balancing the privacy of U.S. citizens.

Representatives of the departments that are in charge of addressing cybersecurity vulnerabilities are assembled before us today, and I look forward to hearing how they are planning to get ahead of this growing cyber threat. Again, thank you for your considerable interest in the subject.

Chairman Cardin. Thank you, Senator Kyl. It has been a pleasure working with you on this issue. This is an area of great interest to every Member of the Senate, and it is given a high priority by both you and me and this Subcommittee.

With that, I would ask our witnesses first to stand in order to administer the oath, and then we will start with their testimony. Do you affirm that the testimony you are about to give before the Committee will be the truth, the whole truth, and nothing but the truth, so help you God?

Mr. Baker. I do.

Mr. Reitinger. I do.

Mr. Schaeffer. I do.

Mr. Chabinsky. I do.

Chairman Cardin. Thank you. Mr. Baker, we are pleased to hear from you. And, by the way, all of your full statements will be made part of the record, and you may proceed as you wish.

STATEMENT OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL, OFFICE OF THE DEPUTY ATTORNEY GENERAL, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

Mr. Baker. Thank you, Mr. Chairman, members of the Subcommittee, and members of the Committee. I appreciate this opportunity to discuss the critical issue of protecting the Nation from cybersecurity threats while ensuring the protection of civil liberties and privacy, as has been mentioned already. I have submitted a lengthy statement for the record, and I will not repeat that here, but I would just like to make a few brief points.

First of all, the Department of Justice is a key player in the cybersecurity arena. Among other things, we provide legal advice and guidance on a range of cybersecurity activities to other Federal entities. Our objective is to ensure full use of available legal authorities and strict adherence to the law, including civil liberties and privacy protections. In addition, we assist in the development of cybersecurity policy. DOJ is a full participant in the interagency policy process.

Further, we collect information and conduct investigations regarding cybersecurity threats in partnership with law enforcement and intelligence agencies. Importantly, obviously, we prosecute cyber criminals in Federal court. We use the full range of available criminal statutes to seek the maximum penalties against cyber criminals.

Further, we train investigators and prosecutors around the country to make sure that we have knowledgeable officials ready to respond to the cyber threats of today. We engage with our foreign law enforcement partners to deny safe havens to cyber criminals and to bring them to justice wherever it may be most advantageous.

If I could just quickly highlight one of the functions of the Department of Justice in the FBI, which will be talked about later, the NCIJTF, which is the National Cyber Investigative Joint Task Force. NCIJTF is in my experience a very forward-looking organization that engages in robust information sharing and coordination across Federal agencies. At the same time, they have a strong awareness of the need to adhere to applicable laws that govern the collection and use of information. They certainly recognize that they have a long way to go, but in my view, they embody the significant changes that the FBI has made over the past 5 years.

Now, if I could turn briefly to the legal regime that governs cyber activities. There is a complex set of legal authorities that governs in this area. The Constitution, Federal statutes, State law, foreign law, international law--all have an impact in this area. These laws were developed over time in response to legal, policy, and technological developments.

The legal regime currently enables law enforcement and intelligence officials to obtain authorizations to collect vital information through electronic surveillance and other collection means. The legal authorities require strict adherence to a variety of civil liberties and privacy protections that are well understood by investigative agents.

However, the evolution of technology, our dependence on technology, and our adversaries' exploitation of vulnerabilities in that technology raise the question of whether our statutes are adequate to address the cyber threats of today and at the same time protect privacy and civil liberties. The administration is prepared to partner with Congress to ensure that adequate laws, policies, and resources are available to support the U.S. cybersecurity-related missions.

Further, because most of the cyber infrastructure is in private hands, we must also consult with industry in this important effort. As we move forward, it is critical that we proceed carefully so that we do not modify applicable law in a way that inadvertently harms important collection efforts or undermines existing requirements that are critical to the protection of civil liberties and legitimate privacy interests.

I would like to thank the Chairman and the Subcommittee for your leadership on this issue, and I look forward to your questions.

[The prepared statement of Mr. Baker appears as a submission for the record.]

Chairman Cardin. Thank you very much for your testimony.

Mr. Reitinger.

STATEMENT OF PHILIP REITINGER, DEPUTY UNDER SECRETARY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, DIRECTOR, NATIONAL CYBER SECURITY CENTER, U.S. DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, DC

Mr. Reitinger. Thank you, sir. Chairman Cardin, Ranking Member Kyl, and members of the Committee and Subcommittee, thank you for the opportunity to be here today to talk to you about the growing threats that we face in cyberspace.

As I think the Committee and Subcommittee are aware, the threats are increasing. Your comments, Chairman, clearly indicate that. The skill level of attackers is rising across the spectrum from the most sophisticated attackers to the least sophisticated attackers. And, in fact, the most sophisticated attackers increasingly write high-quality tools that enable the least sophisticated attackers to launch very directed attacks without necessarily knowing that much.

At the same time, also as your comments point out, sir, we are depending more on these systems day to day, not just for communicating and doing work, but for operating our infrastructure and for the basic functions of our life.

As a result, as you point out, the status quo is simply not sufficient. We all need to up our game in Government and the private sector to increase the security and resiliency of our systems, but that is not our only goal. At the same time, we need to increase the competitiveness of our country so that we can maintain our lead going forward and we need to protect privacy by design. I would like to talk about some of our efforts in each of those areas.

To begin with, security. There is no silver-bullet solution here, sir. We are all working very hard across Government, but as Mr. Baker's comments indicate, this is going to take a broad set of efforts from the Government and the private sector. So we in the Department of Homeland Security and with our partners in Government and industry are working very hard to develop the right relationships to be able to be effective.

A recent announcement we have made in this space is the announcement of the National Cyber Security and Communications Integration Center, where we for the first time in the Department of Homeland Security, in direct response to advice we received from the private sector and from Congress through the Government Accountability Office, collocated the various operational watch centers we have for cybersecurity and communications in the same place. So our telecommunications watch capability, the National Coordinating Center, our IT security-based coordinating capability, US-CERT, and our cross-Government coordinating capability, the National Cyber Security Center, their watch components are all now located in the same space with appropriate liaisons from other Government agencies like the FBI so that they can breathe the same air, build trust, and collaborate effectively to respond to significant incidents that call for that level of cooperation.

Second, competitiveness. One of the things we need to do as a Nation is make sure that we are not only addressing the security issues we face now but are prepared to address them going forward. That means we need a bigger pool of cybersecurity experts to hire. I am trying in the Department of Homeland Security, in the National Cyber Security Division, to go from roughly 115 people on board at the end of the last fiscal year to about 260 by the end of the upcoming fiscal year. As I think those of you who know, that is a growth of over 50 percent, and it is a pretty heavy lift. In doing so, we will be competing with some of the other agencies you see up here and the people in the private sector. And unless we can grow that pool of people, that is going to be a zero-sum game. So, also with our partners in Government, we are working very hard to build the relationships, to build the techniques, and to build the programs that will build a pool of cybersecurity experts coming from our own universities that we will be able to be successful in the future, and I believe Mr. Schaeffer may talk a little bit more about that.

Let me then turn to privacy briefly. Privacy is absolutely essential. We are working very hard in this space, including building the processes, training, oversight mechanisms, and transparency, that we need to assure that our computer security efforts, our information assurance efforts, are compliant with and actually advance privacy rather than impair it. And we are working to support other administration efforts such as enhancing identity management strategies that are sensitive to privacy so that, going forward, we will be even more successful.

The one thing I would call out here as a key area for us is raising awareness because unless we can continue to raise the awareness of the American people and business interests, they are not going to be able to protect themselves. So during October, Cybersecurity Awareness Month, we made significant efforts to do that. I would be happy to talk more about that in the question-and-answer period if it is of interest to the Committee.

In conclusion, I would say that it is clear, I think, to all of us that cybersecurity is a team sport. We are collaborating very effectively across Government, and I look forward to the Committee's questions to explore more of these questions in detail. Thank you, sir.

[The prepared statement of Mr. Reitinger appears as a submission for the record.]

Chairman Cardin. Thank you.

Mr. Schaeffer.

STATEMENT OF RICHARD C. SCHAEFFER, JR., DIRECTOR, INFORMATION ASSURANCE DIRECTORATE, NATIONAL SECURITY AGENCY, U.S. DEPARTMENT OF DEFENSE, FORT MEADE, MARYLAND

Mr. Schaeffer. Thank you, sir. Good morning, Chairman Cardin, Ranking Member Kyl, and distinguished members of the Subcommittee. I appreciate the opportunity to be here today to talk briefly about the NSA's information assurance mission and its relationship to the work of the Department of Homeland Security and others concerned with helping operators of crucial information systems protect and defend their data systems and networks from hostile acts and other disruptive events.

Each day, ever more data and functions that are vital to the Nation are consigned to digital systems and complex interdependent networks. As Mr. Reitinger said, there are no silver bullets when it comes to cybersecurity. But, over time, increased awareness of cybersecurity issues, new standards, better education, expanding information sharing, more uniform practices, and improved technology can and will make a meaningful difference.

Many people who discuss this issue see only the challenges and, quite frankly, discuss them in ways in which the situation seems to be hopeless. I believe that that glass is half-full, and there are a number of steps that individuals and system owners and users can take to mitigate many of the threats of operating in cyberspace.

The NSA's information assurance mission focuses on protecting what National Security Directive 42 defines as national security systems. Those are systems that process, store, and transmit classified information or are otherwise critical to military or intelligence activities. Historically, much of our work has been sponsored by and tailored for the Department of Defense. Today, national security systems are heavily dependent on commercial products and infrastructure or interconnect with systems that are. This creates new and significant common ground between defense and broader U.S. Government and homeland security needs. More and more we find that protecting national security systems demands teaming with public and private institutions to raise the information assurance level of products and services more broadly. If done correctly, this is a win-win situation that benefits the whole spectrum of information technology users, from warfighters and policymakers to Federal, State, local, and tribal governments, to the operators of critical infrastructure, and the Nation's most sensitive arteries of commerce.

In my statement for the record, which I submitted in advance, I used several recent specific examples of NSA's close and continued collaboration with Government organizations as well as our partners from industry and academia. For instance, the NSA and the National Institute of Standards and Technology have been working together for several years to characterize cyber vulnerabilities, threats, and countermeasures to provide practical cryptographic and cybersecurity guidance to both IT suppliers and consumers. Among other things, we have compiled and published security checklists for hardening computers and networks against a variety of threats. We have shaped and promoted standards that enable information about computer vulnerabilities to be more easily catalogued and exchanged and ultimately the vulnerabilities themselves to be automatically patched. And we have begun studying how to extend our joint vulnerability management efforts to directly support compliance programs such as those associated with the Federal Information Security Management Act. All of this is unclassified and advances cybersecurity in general, from national security and other Government networks to critical infrastructure and other commercial or private systems.

The NSA partners similarly with the Department of Homeland Security. Earlier this year, we proudly announced the designation of 29 additional U.S. colleges and universities as National Centers of Academic Excellence in Information Assurance Education and/or Information Assurance Research. This brings the number of institutions participating in this highly regarded program to 106 located in 37 States, the District of Columbia, and the Commonwealth of Puerto Rico.

NSA and DHS collaborate daily, cooperating on investigations and forensic analysis of cyber incidents and malicious software, and together we look for and mitigate the vulnerabilities in various technologies that would render them susceptible to similar attacks. We each bring to these efforts complementary experience, insight, and expertise based on the different problem sets and user communities on which we concentrate, and we each then carry back to those communities the dividends of our combined wisdom and resources.

Key to the Nation's cybersecurity efforts is a public-private partnership which has been actively embraced by the Federal Government, industry, and academia. This trusting relationship includes and is based upon the common goal of improving cybersecurity, the sharing of information, and collaborative research development and innovation. A recent example of this collaboration is last month's fifth annual Security Automation Conference at the Baltimore Convention Center, co-hosted by NSA, NIST, DHS, and the Defense Information Systems Agency. This conference brought together nearly 1,000 representatives from the public and private sectors and demonstrated the benefits of automation and standardization of vulnerability management, security management, and security compliance.

As Lieutenant General Alexander, NSA's Director, stated clearly in his address to the RSA Security Conference this past April, "Cybersecurity is a big job, and it is going to take a team to do it." We will bring our technical expertise, and working with many others in the public and private sector, we will comprise the team the Nation needs to address this challenge.

This concludes my remarks. I would be pleased to answer any questions from you and other members of the Subcommittee.

[The prepared statement of Mr. Schaeffer appears as a submission for the record.]

Chairman Cardin. Again, thank you for your testimony.

Mr. Chabinsky.

STATEMENT OF STEVEN R. CHABINSKY, DEPUTY ASSISTANT DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

Mr. Chabinsky. Good morning, Chairman Cardin, Ranking Member Kyl, members of the Committee and Subcommittee.

The FBI considers the cyber threat against our Nation to be one of the greatest concerns of the 21st century. The most sophisticated of our adversaries, which includes a number of nation states and likely some organized crime groups, have the ability to alter our hardware and software along the global supply chain, to conduct remote intrusions into our networks, to establish the physical and technical presence necessary to reroute and monitor our wireless communications, and position employees within our private sector and Government organizations as insider threats awaiting further instruction.

The FBI has not yet seen a high level of end-to-end cyber sophistication within terrorist organizations.
Still, the FBI \nis aware of and investigating individuals who are affiliated \nwith or sympathetic to al Qaeda who have recognized and \ndiscussed the vulnerabilities of the United States \ninfrastructure to cyber attack, who have demonstrated an \ninterest in elevating their computer hacking skills, and who \nare seeking more sophisticated capabilities from outside of \ntheir close-knit circles.\n    To meet these challenges, today's FBI has the largest cadre \nof cyber trained law enforcement officers in the United States, \nnumbering over 2,000. Internationally, the FBI operates 75 \nlegal attache offices and sub-offices around the world.\n    To be sure, while protecting the United States against \ncyber-based attacks is one of the FBI's highest priorities, we \nare always mindful that doing so must be achieved while \nsafeguarding civil liberties and privacy rights. In that \nregard, the FBI complies with the Attorney General guidelines \nfor FBI domestic investigations and receives invaluable support \nfrom the Department of Justice's Computer Crime and \nIntellectual Property Section, the Department's National \nSecurity Division, and U.S. Attorney's Offices throughout the \ncountry.\n    Although an unclassified forum is not suitable for \ndiscussing the FBI's counterterrorism and counterintelligence \ncyber efforts, our investigative success on the criminal side \nprovides a glimpse into our capabilities and strategic \npartnerships that can be used against any adversary. For today, \nlet me focus on the FBI's strong leadership and expertise in \ninvestigating financial cyber crime.\n    You may have read last year about the transnational \norganization that used sophisticated hacking techniques to \nwithdraw over $9 million from 2,100 ATM machines located in 280 \ncities around the world, all in under 12 hours. I would not be \nsurprised if Hollywood makes this one into a movie. From my \nperspective, the best part is the ending. 
Based on a successful \nFBI-led investigation with especially strong support from the \nreporting victim and Estonian law enforcement, just last week a \nFederal grand jury returned a 16-count indictment against key \nmembers of the group, and arrests already have been made \ninternationally.\n    Only a few weeks earlier, the FBI's Operation Phish Phry \nbrought down a transnational crime ring that engaged in \ncomputer intrusions, identity theft, and money laundering. The \ncase resulted in a 51-count Federal indictment, charging 53 \nU.S. citizens, while the FBI, in coordination with Egyptian law \nenforcement, identified 47 Egyptian suspects directly involved \nin the criminal conspiracy. This year, the FBI and the \nFinancial Services Information Sharing and Analysis Center, the \nFS-ISAC, also forged a best practice for Government-private \nsector information sharing. We co-authored an advisory based on \nongoing FBI investigations that was then distributed to the \n4,100 members of the FS-ISAC, over 40 of which are themselves \nassociations, and shared with bank customers to prevent further \nvictimization.\n    At the consumer level, the FBI established and leads the \nInternet Crime Complaint Center in partnership with the \nNational White Collar Crime Center. www.ic3.gov is the leading \ncyber crime incident-reporting portal, having received over a \nquarter of a million complaints just last year.\n    We are also proud of the FBI's cooperative efforts with the \nUnited States Secret Service. In order to support the Secret \nService's cyber crime authorities, the FBI provided the Secret \nService with over 1,800 cyber intelligence reports and analytic \nproducts in fiscal year 2009 alone. The Secret Service also is \na full-time member of the FBI's National Cyber Investigative \nJoint Task Force, and the FBI has invited the Secret Service to \npartner with us at the Internet Crime Complaint Center and the \nNational Cyber Forensics and Training Alliance. 
Operationally, \nwe are providing the Secret Service with the opportunity to \nparticipate in FBI-led investigations, which most recently \nprovided the Secret Service with information relevant to their \nsuccessful investigations of intrusions into Heartland Payment \nSystems and TJX Companies.\n    Each of the above examples demonstrates that taking \nadvantage of all of our country's skills and knowledge, \nleveraging our Nation's resolve and common cause, provides \nsignificant advantages that are leading to increased and \nrepeatable successes.\n    In conclusion, I am grateful to the Subcommittee for this \nchance to highlight the FBI's strengths in combating cyber \nterror, cyber espionage, and cyber crime in a manner that \nprotects privacy rights and civil liberties, and to recognize \nthe partnerships that allow us to meet this ever growing \neconomic and national security problem.\n    In that regard, I would also like to particularly thank the \nmembers of this panel with whom the FBI partners every day.\n    I am happy to answer any questions you may have. Thank you.\n    [The prepared statement of Mr. Chabinsky appears as a \nsubmission for the record.]\n    Chairman Cardin. Let me thank all of our witnesses from the \nDepartment of Justice, from Homeland Security, NSA, and from \nthe FBI. I do not know if we feel any better after listening to \nyour testimony, but I think we understand the risk, and the \nrisk is that we can have spies, soldiers, and criminals \nanyplace in this country placed overnight, and, Mr. Reitinger, \nyou mentioned that we need to be more aware. But I am not so \nsure we know when, in fact, we have been invaded. Certainly \nthat is true with the less sophisticated users who do not have \nthe same type of security systems that perhaps the Government \nhas. But it is unclear that we really even know when we have \nbeen attacked. 
And it is very possible today that major \ninformation systems have been compromised, and we are not clear \nwhether there is an operational plan to use that at this point \nor not.\n    Which brings me, I guess, to the risk factors. We are \nconcerned that other governments are, in fact, actively \ninvolved in trying to compromise our cybersecurity. We know \nthat terrorists are interested in invading us. We know that \ncriminals have game plans to try to advance their particular \ncauses. And then you have the lone-wolf hackers who just want, \nfor whatever reasons, to compromise cyberspace.\n    Is there a common strategy here that we can use to protect \nus against other countries, against terrorists, against \ncriminals, against hackers? What is the common strategy that \nthe United States needs to employ in order to make us less \nvulnerable to these types of attacks? Who wants to start?\n    Mr. Reitinger.\n    Mr. Reitinger. I will start with that, sir, and then look \nfor additional contributions from the other people on the \npanel.\n    There is a common strategy, but it is not a one-prong \nstrategy. As a number of us said, there is no silver bullet \nhere, sir. In some cases, there will be different strategies. \nFor example, one might use different strategies with regard to \nsingle hackers or organized criminal groups as opposed to \nterrorists or nation states. But broadly across all of them, we \ndo need to up our defensive game, and that is essentially our \nrole in the Department of Homeland Security, at least the \ncomponents that report up to me.\n    We need to make sure that we are, as you suggested, raising \nawareness across the spectrum.\n    Chairman Cardin. How do you raise awareness when you do not \nknow, in fact, that you have been compromised or that there is \nsomething in your software or hardware that can be used against \nyou? 
As I understand it, the technology is not at the point \nwhere, particularly in the private sector, they know \nwhether their software program has been compromised.\n    Mr. Reitinger. Sir, it gets complicated, but I think there \nare three responses to that. The first is that, obviously, \nsupply chain attacks are of concern, and we are not where we \nneed to be as a Nation yet in terms of ability to prevent and \ndeter supply chain attacks. It can be very difficult to \ndetermine if software has vulnerabilities or does not, and that \nis both--we need to work on practices and procedures in that \nregard and on technology.\n    With regard to end users knowing whether they have been \ncompromised or not, I think there are a couple of pieces. The \nfirst is that we need to make sure that they know about the \nthreat and they are at least aware of the simple things that \nthey can do to protect themselves. That was actually the \nmessage, one of the key messages of Cybersecurity Awareness \nMonth, to make sure that we were trying to communicate as \nbroadly as possible that there are very simple things that end \nusers can do to cut off broad avenues of attack--you know, keep \ntheir software up to date, run antivirus, some fairly simple \nsteps.\n    With regard to knowing whether they have been compromised \nor not, we have provided tips to end users, things they should \nwatch for that might indicate, for example, that their computer \nhad been compromised as a botnet. But there is a broad \ntechnology agenda there, too, sir. It remains the case that it \nis too hard for individual users and even small and medium \nbusinesses to secure their systems. We need to as a Nation and \nas an IT ecosystem continue to make it more simple for people \nto institute protections, to determine if they have been \ncompromised, and to make sure they stay secure.\n    Chairman Cardin. Mr. 
Chabinsky, you said the good news is \nthat we brought indictments against those who robbed us. The \nbad news is they were able to rob us, they were able to get \nmoney. And every day, as I understand it, there is money being \nstolen through cyberspace.\n    So there is clearly a vulnerability here. Clearly, we want \nto bring criminal charges to those who violate our criminal \nstatutes. But I think our first objective is to prevent this \nfrom happening.\n    Mr. Chabinsky. Yes, Senator. The case that you are \nreferring to actually has an interesting component that I did \nnot mention in my oral testimony in which, while we were \ninvestigating that case, we received information from our \nforeign law enforcement partners that showed a targeting list \nof other banks that were going to become victims. And we were \nable actually to notify each of those banks. We actually went \nin person with FBI agents to notify each bank so that they \nwould be prepared and they were able to prevent further crime. \nSo in that example, the bad news part of the story, Senator, as \nyou mentioned, is that we already had victims. The good news \npart is we were able within that case to prevent further \nvictimhood.\n    The same would go for our relationship with the Financial \nServices ISAC in which, by seeing a growing trend which \namounted to 200 cases, that is the bad news part of the story. \nThere were 200 cases that we had in which we saw victims.\n    Nationwide, we probably prevented thousands more by getting \nthe information out to each of the banks and for them to then \nprovide with their customers to show them how they could avoid \nfuture schemes.\n    The FBI is trying to have better preventive efforts by \nundercover operations, by way of example, so that we could \npenetrate some of the organizations that are planning attacks \nand in that way know their intent before they have the ability \nto act upon it. 
But it is a difficult problem, sir.\n    Chairman Cardin. Mr. Schaeffer, first of all, I have been \nto NSA many times, and I am always impressed by the quality of \nwork that is done there. I think our first line of attack is to \ntry to get the right intelligence information and develop the \ntechnologies in order to counter what those who want to attack \nus want to do. At NSA, you are very much involved in both of \nthose areas, although your intelligence collection, of course, \nis international.\n    How do you stay ahead of the curve? It seems to me normally \nyou would want to get experienced people on staff that are \nexpert in this area, but in cyber issues it seems like the \nyoung people--it is more people coming out of college \ndeveloping new technologies. How do you stay ahead of the curve \nhere?\n    Mr. Schaeffer. Well, sir, we do exactly what you said. We \nrecruit, we hire, we train those bright young minds that are \ncoming out of the colleges and universities today. I started at \nNSA as an engineer, and I am certainly glad I am not competing \nwith the intellect and the capabilities that are coming out of \nthe colleges and universities today. They have got tremendous \ncapabilities.\n    So we take experienced personnel who are deeply steeped in \nvulnerability discovery and understanding how systems break and \nhow they can be broken, and use the technology knowledge that \nthe young workforce brings into our environment, and it is a \ncollaboration. It is a mentorship. 
It is a partnering between \nmore experienced employees and the younger folks who do bring \nthe latest technology knowledge into the space.\n    We, of course, have a research organization that tries to \nstay ahead, helping us understand what breakthrough \ntechnologies or what significant technologies may be \ncoming down the road at a later point in time, that we need to \nbe prepared to help understand how to protect and defend those \ntechnologies in the information space.\n    So it is a combination. It is bright young people coming \ninto the organization. It is experienced people. It is great \ntools and technology that the Nation gives us to help work this \nproblem.\n    Chairman Cardin. And we would invite you to share with us \nif there are additional tools you need in regards to this \nissue. We understand the politics of OMB and all the other \nareas that you have to deal with. But I think we want to hear \nindependently from you as to what tools are necessary for you \nto be able to effectively deal with this threat against our \ncountry. So we would appreciate that.\n    And for Mr. Baker, you also indicated that there may be \nneeds for changes in our law as it relates to the ability to \nproperly protect this country, but also protect the civil \nliberties of the people who live in America. And we would \ninvite you to be open in that process working with us to help \ndevelop the legal framework that you need. We know what we went \nthrough with FISA. We know what we went through on some of the \nissues. We want to work collectively here. We do not want to \nwork in an adversarial role as to what is necessary to give you \nthe tools you need, but also to protect the civil liberties of \npeople in this country.\n    Mr. Baker. Yes, Senator. Thank you very much. We recognize \nthat, and we appreciate the opportunity to work with you on \nthese very complex and important issues.\n    Chairman Cardin. 
Thank you.\n    Senator Kyl.\n    Senator Kyl. Well, let me begin by reiterating the point \nthat the Chairman just made. These hearings give us the \nopportunity to hear some things from you, but we just get a \nsketch. We just touch the surface. And we are also looking for \nwhat we can do to help, both in terms of resources that might \nbe available or needed or legislative authority. And so that \ninvitation really is extended to each of you and the others \nwith whom you work.\n    And I think the Chairman put his finger on it by inquiring \nabout a common strategy. Let me see if I can bore down into \nthat just a little bit. And I do not want to get into \norganizational charts because they make my head spin, but to \ntry to understand just in a very basic way how our Government--\nwho is in charge, if anyone is, and how we structure the \nmechanisms that can be useful to protect across broad spectrums \nof society, including Government agencies, contractors, private \nbusinesses, utilities, and universities and others that are all \nsubject to the same kinds of attacks and, therefore, about \nwhich some commonality would seem to be in order.\n    And maybe, Mr. Schaeffer, let me begin by asking you since, \nas I understand it, NSA has been given some kind of overall \nlead in this, but I am not sure that the authority is nailed \ndown. And I know that there are some conflicting views as to \nwho all should have what authority and whether there should be \nsomebody in charge. Maybe you could give us your understanding, \nand then I invite each of the rest of you to comment on that as \nwell.\n    Mr. Schaeffer. Well, sir, I think I would first point to \nthe comment that General Alexander made back at the RSA \nConference, and that is, this is a team sport. You are \nabsolutely correct, there are various authorities that exist in \ndepartments and agencies across the Government. 
Within NSA, our \nresponsibility for national security systems is just a portion \nof the overall set of networks. We work collaboratively with \nthe Department of Homeland Security, the National Institute of \nStandards and Technology, and others to help other elements of \nthe Government.\n    I think the great benefit is that what we do for U.S. \nGovernment systems, whether that is in the development of \nconfiguration information, whether it is standards, all that is \ndirectly extensible into the private sector. The kinds of \npolicies and procedures that we outline for U.S. Government \nsystems can, in fact, be adopted by critical infrastructure \nelements and others across the community. We think in terms of \nthe things that we can do to protect the network environment, \nindividuals can adopt those mechanisms as well.\n    I cannot underscore enough a comment that Mr. Reitinger \nmade about just the basics. How do you harden systems? It is \ngood configuration management. It is good patch management. It \nis good access control. All the kinds of principles and \npractices that we as individuals and we as organizations need \nto put in place such that the policies that exist, disparate \nand varied though they are, can, in fact, have an effect on the \noverall assurance of the operating environment in which we \nconduct our business today, whether that is warfighting, \nwhether that is Government, or otherwise.\n    Senator Kyl. Let me just bore down a bit. Mr. Reitinger, \nlet me put that question to you, because I gather that there is \nsome connection between the Government on the one hand and all \nof the private sector on the other hand, through Homeland \nSecurity, but I am not exactly sure. I do not know if what I \nsaid is correct or not. But if anybody does it, I presume you \nwould. 
How do those mechanisms that you appreciate the need \nfor, because you are at the highest level of development, get \ntranslated down into all the different sectors of our society \nwhere they are really needed?\n    Mr. Reitinger. Absolutely, sir. As Mr. Schaeffer indicated, \nthis is a team sport, but it is not even football or baseball, \nif I could perhaps unduly extend the analogy. It is more like \nsoccer. We are all playing positions, and we need to execute in \nour individual roles. This is going to remain a horizontal \nactivity across Government.\n    One of the roles that we have in the Department of Homeland \nSecurity is serving as the bridge into the private sector, sort \nof the broader dot-com and the infrastructures that are out \nthere that we need to protect. So we built a structure, the \nNational Infrastructure Protection Plan, and a set of sector \ncoordinating councils that bring people from all of those \ndifferent sectors together to collaborate with Government.\n    There is also an additional structure next to that that \nworks specifically on operational issues, the set of \ninformation-sharing and analysis centers that work both through \nthat structure and with the United States CERT, but also more \nparticularly with their sector-specific agencies. So, for \nexample, Mr. Chabinsky talked about the Financial Services \nISAC. 
That is an operational body working clearly in the \nfinancial services sector that would partner with US-CERT on \nsome of the defensive measures, on some law enforcement \nmaterial, and some of the work coming out of the Bureau's \ninfrastructure protection capabilities would partner with the \nBureau.\n    So we have built a structure where there are multiple ways \nto work together, and we are continuing as a Government and \nmore broadly in the private sector to refine the roles and \nresponsibilities we have all got.\n    So, for example, one of the outcomes of the Cyberspace \nPolicy Review is that we need, in the event of a significant \nincident, to be able to respond as one Nation. So there is an \neffort going forward called the National Cyber Incident Response \nPlan to devise a highly actionable set of policies and \nprocedures that will enable all of the different Government \nagencies to work effectively with the private sector in the \nevent of a significant incident. And we are driving toward \nhaving a draft ready at the end of this year or the start of \nnext year that we are actually going to test at the start of \nnext year and that will even more affirmatively exercise in the \nCyber Storm III exercise that will take place in September of \nnext year.\n    Senator Kyl. Great. I have just another minute or so. Would \neither of the two Department of Justice and FBI \nwitnesses like to comment as well, please?\n    Mr. Baker. Well, just briefly, Senator. Thank you.\n    I guess in response to your question about who is in \ncharge, from the executive branch it is the President who is in \ncharge, and there is a very active effort run out of the White \nHouse. We meet weekly. There is a big group that meets weekly \nor almost weekly. There are sub-groups that meet continually on \na variety of different topics.\n    Senator Kyl. Excuse me, but who convenes that meeting or \nnominally sets the agenda?\n    Mr. Baker. 
It is the National Security Council, a director-\nlevel person, I believe, in there who is running those \nmeetings. And so there is a very active--I made a brief \nreference to it in my opening remarks--a very active policy, \noperational, technology review that is going on continually to \ntry to address some of these very, very difficult legal, \ntechnical questions that we are facing.\n    Chairman Cardin. Would the Senator yield just for one \nmoment?\n    Senator Kyl. Sure.\n    Chairman Cardin. Is that structure by just de facto or has \nthe President requested this, the National Security Council \ncoordinating this activity? Or is it just taken up because of \nits----\n    Mr. Baker. The accurate answer is I do not know the exact \norigin of that, Senator. We can find that out and get back to \nyou. But it is very structured, so it is not just de facto, it \nhas not just emerged on the back of an envelope.\n    Chairman Cardin. We would appreciate that. Thanks.\n    [The information referred to appears as a submission for \nthe record.]\n    Senator Kyl. Mr. Chabinsky, anything you want to add to \nthat?\n    Mr. Chabinsky. I would like to support and add a little bit \nmore to Mr. Baker's comments. The National Security Council has \nbeen working through the Interagency Policy Committee to \ncoordinate the cyber security. The President immediately upon \nentering office asked for a Cybersecurity Policy Review. After \nthat review was completed, the President adopted the \nComprehensive National Cybersecurity Initiative and provided \nadditional short-, mid-, and long-term recommendations for \nmoving the community forward. And the community has stayed on \ntop of that through the leadership of the Office of the \nDirector of National Intelligence. 
The Joint Interagency Cyber \nTask Force continues to monitor and coordinate the 12 \ninterdependent initiatives within the Comprehensive National \nCybersecurity Initiative working with each of the agencies on \nperformance measures and letting the President know on a \nquarterly basis how the community has organized to respond.\n    Part of that Comprehensive National Cybersecurity \nInitiative involves very strong partnership with the private \nsector and academia, led by the Department of Homeland \nSecurity.\n    In addition, part of that partnership includes gathering \nthe intelligence agencies, law enforcement agencies, homeland \nsecurity agencies in common cause both for shared situational \nawareness, as provided by the National Cybersecurity Center \nwhich Mr. Reitinger directs, and US-CERT at the Department of \nHomeland Security, and the FBI takes a leadership role for \ndomestic investigative coordination at the National Cyber \nInvestigative Joint Task Force.\n    For its part, the FBI has additional partnerships not only \nwith the critical infrastructures, but within its InfraGard \nProgram that started in 1996. We have expanded that program to \ninclude over 33,000 members of the private sector located \nthroughout 87 cities in the country. In fact, InfraGard now has \nall but eclipsed the size of the Federal Bureau of \nInvestigation showing that partnerships are both required and \nlooked for by industry. So that has been enormously successful, \nas have our partnerships with the National Cyber Forensics and \nTraining Alliance and the National White Collar Crime Center.\n    So we are working together, and I think that there is more \noccurring than what might otherwise meet the eye, and we are \nmoving forward in collaboration both as a Government and with \nthe private sector and industry, and with our international \npartners.\n    Senator Kyl. Thank you.\n    Chairman Cardin. Senator Kaufman.\n    Senator Kaufman. Thank you, Mr. 
Chairman.\n    I would like to follow up on Chairman Cardin's question. He \nsaid, if you do not know you are under attack, how do you \nproceed? I would just like to talk a little bit, Mr. \nReitinger--and others can chime in--about when you are under \nattack. I was involved with an agency of the Federal Government \nthat was under a massive attack. They knew they were under \nattack, and the consultants told them afterwards not to \npublicize it because they were pretty sure it was a hacker and \nthat the hacker was looking for attention.\n    Now, when you are in a situation when you do not know \nwhether it is a hacker, you do not know if it is a foreign \ngovernment, you do not know if it is a terrorist, you do not \nknow if it is a criminal, how do you proceed to deal with a \ncyber attack that you have already taken?\n    Mr. Reitinger. Generally, the defensive measures that you \nwould use would depend less on the source of the attacker and \nmore on what the attack looked like and how you would defend \nagainst it. So there might be a set of defensive protections \nyou would use for a denial-of-service attack, a separate set \nfor intrusions, and a separate set for something like an \nInternet fraud activity.\n    So in all of those cases, we in the Department of Homeland \nSecurity, the United States Computer Emergency Readiness Team \nor Cyber Emergency Readiness Team, would be responsible for \nworking with the department or agency to help them defend their \nnetworks and to respond to the attack. We in DHS worry less \nabout attribution and more about defense.\n    In terms of responding to the attack and attribution, that \nsort of activity would be pursued by an entity like the Secret \nService or the Federal Bureau of Investigation, and so that \nwould be an area within their area of responsibility, and \neither we or the Department or the affected department or \nagency would work effectively with them.\n    Senator Kaufman. 
And under no circumstance will you \npublicize the attack or let the public know that there had been \nan attack on the agency?\n    Mr. Reitinger. That is not generally our role. That would \nbe the department or agency's role. In point of fact, there are \noften reasons not to publicize attacks because it could \ninterfere with an ongoing criminal investigation.\n    Senator Kaufman. And then if you were an agency, just a \ngeneral agency out there, to kind of follow up on Senator Kyl's \ncomment, who would be there to advise you how to proceed?\n    Mr. Reitinger. Lots of people could be there to provide \nadvice to you on how to proceed. US-CERT could provide and \nwould provide advice as part of its overall responsibility to \nhelp coordinate the security of civilian Government agencies. \nAnd with regard to law enforcement activity, the FBI or the \nSecret Service, depending upon the particular type of activity, \ncould provide advice. So depending upon what had happened, \ndifferent people could provide advice.\n    In addition, advice from the private sector can be \navailable directly to the agency because they will have \npartnerships and vendors that they work with, and advice from \nthe private sector is also available through US-CERT and the \ndifferent partnerships that both DHS has created and the \nsector-specific agencies have created in each of the different \ncritical infrastructure sectors.\n    Senator Kaufman. Mr. Schaeffer, in your testimony you \ntalked about publicizing and the meetings you had and the \nforums and the rest of it. Is there conflict between \npublicizing how people should proceed in order to be prepared \nfor cybersecurity and the fact that when you do that, you kind \nof let the bad guys know exactly what you are doing in order to \nstop them?\n    Mr. Schaeffer. Well, sir, I think the challenge is how do \nwe get everyone up to a certain level of assurance. 
There is a \nlot that we can state publicly, it is unclassified, a lot that \nwe can do to help individuals and system owners harden the \nnetwork environment in which they operate. That is good. That \nis common sense. That is good network hygiene. There are common \nprinciples that people ought to be using anyway that are quite \npublic. And so it does not disclose anything that would help an \nadversary know how to attack a system or intrude upon a system. \nIt actually makes that job harder for the individual, raising \nthe ante somewhat, causing them to have to resort to more \nsophisticated means to gain entry into a system.\n    So the harder we can make the general network environment, \nthe easier it is going to be to detect when, in fact, something \ndoes go wrong, a system has been intruded upon.\n    Senator Kaufman. You said in your testimony, you talked \nabout the use of proper operating system configurations to \nhelp. What portion of the problem could be solved if people \nused proper operating system configurations, do you think?\n    Mr. Schaeffer. Well, that is a wonderful question. We \nbelieve that if one institutes best practices, proper \nconfigurations, good network monitoring, a system ought to be \nable to withstand about 80 percent of the commonly known \nattacks, mechanisms against systems today. But you can actually \nharden your network environment to raise the bar such that the \nadversary has to resort to much, much more sophisticated means, \nthereby raising the risk of detection and so forth.\n    Just an example. We are much more in sync now with the \nrelease of new technology. It was just a couple of weeks ago \nthat Microsoft released Windows 7. 
We have had a longstanding \nrelationship in working with Microsoft to help improve the \nsecurity of that operating system, and it was almost coincident \nwith the release of Windows 7 that Microsoft also released the \nSecurity Configuration Guide, thereby enabling users to, out of \nthe box, activate about 1,500 security settings that otherwise \nwould be turned off.\n    And so there is a tremendous amount of capability that is \nenabled through configuring software applications more \neffectively from a security standpoint. Of course, then they \nhave to be maintained, and that is the kind of constant \nvigilance that goes along with maintaining a good security \nposture.\n    Senator Kaufman. OK. Just one short question, Mr. \nReitinger. Is there anybody in your Department involved with \nthe security of electronic voting machines?\n    Mr. Reitinger. I believe we have had some involvement, but \nI need to get back to you.\n    Senator Kaufman. Could you get back to me on that?\n    Mr. Reitinger. Yes.\n    [The information referred to appears as a submission for \nthe record.]\n    Senator Kaufman. Thank you very much.\n    Thank you, Mr. Chairman.\n    Chairman Cardin. I would just comment, 80 percent against \nan attack on our country would be, I think, unacceptable. But I \nunderstand the challenges that we are facing, but leaving a 20-\npercent risk factor is still a high risk factor.\n    Senator Kaufman. I wonder what it is right now.\n    Chairman Cardin. I am sure it is much higher.\n    Senator Kaufman. The point is if we get to 80 percent they \nhave to expose themselves more. It is not just that it is 80 \npercent--obviously, we want to be 100 percent. But if they are \n80 percent, what you are basically saying, Mr. Schaeffer, if I \nam right, is that in order to pierce a wall that is 80 percent, \nthey have to expose themselves more, and it makes it easier to \ncatch them. 
So that 80 percent is more than just like our \nnormal getting 80 out of 100. It presents them with a bigger \nproblem, and then they have to show more what they are about in \norder to----\n    Chairman Cardin. I think that is a very good point. I guess \nmy point is that we would never prepare a defense budget based \nupon an 80-percent effectiveness. So it is----\n    Senator Kaufman. I totally agree with you. I totally agree \nwith that.\n    Chairman Cardin. Senator Whitehouse.\n    Senator Whitehouse. Thank you, Chairman Cardin.\n    Are all of you or any of you satisfied with the existing \nlegal structure within which you are presently operating?\n    Mr. Baker. Senator, that is complicated question. I think \nthe answer to it is no.\n    Senator Whitehouse. Does anybody disagree? Are there any \nyeses on the panel?\n    [No response.]\n    Senator Whitehouse. OK. Nobody is satisfied. That said, can \nwe expect administration legislative proposals at some point?\n    Mr. Baker. As I mentioned in my opening remarks, we are \nvery eager to work with Congress----\n    Senator Whitehouse. Being eager to work with us and having \na proposal are two different things.\n    Mr. Baker. We do not have a proposal today. We are \ndefinitely debating these kinds of issues inside the \nadministration. But as I mentioned in my opening remarks----\n    Senator Whitehouse. With a view----\n    Mr. Baker. I beg your pardon?\n    Senator Whitehouse. With a view toward preparing proposals?\n    Mr. Baker. With a view to deciding whether we should \npropose changes and, if so, how, because we do not want to mess \nup, to put it bluntly, the existing authorities that we have \nthat provide a huge amount of capability to collect both law \nenforcement information and foreign intelligence information \nand, importantly, protect civil liberties and privacy. 
So we do \nnot want to make mistakes because this area is so complicated, \nas you know from your debates about the FISA amendments that \nthe Chairman referenced earlier that is a very complicated \narea. This area is equally as complicated. There are many \nstatutes you have to consider, and not only Federal statutes \nbut also you have to consider State law, foreign law, and \ninternational law, because these are things that impact this \narea as well with respect to the private sector in particular.\n    So it is a complicated area, and we are very cognizant of \nthe need to review these authorities closely and make sure that \nwe are doing the best that we can today.\n    Senator Whitehouse. By what process will that analysis be \nundertaken?\n    Mr. Baker. Well, there is this interagency process that I \nmentioned before with all of the different agencies that have \nequities in this area, and it will proceed, I believe, in the \nnormal--you know, once proposals are developed, it will proceed \nin the normal interagency process. Everybody gets a chance to \nlook at what the proposals are and make sure that we are not \ndoing anything one way or the other that is not effective or \nwill not be effective.\n    Senator Whitehouse. But the original development of those \nproposals would be through the interagency process led by the \nNational Security Council that you have looked at?\n    Mr. Baker. I think that is fair to say, Senator, yes. DOJ \nplays an active role in that process. We have got all the \ndifferent--I mean, every one of these agencies has a General \nCounsel's office that are reviewing these things. So I think \nthat is fair to say, yes.\n    Senator Whitehouse. Would you be the lead agency for that \neffort?\n    Mr. Baker. 
DOJ is always the lead agency when it comes to--\nwe obviously play a key role in reviewing the legal authorities \nwith the legal advisers from the National Security Council, \nHomeland Security Council, all the different General Counsel's \noffices representing the agencies that are here today, plus \nmore.\n    Senator Whitehouse. Everybody else agreed? I think your \nmicrophone may not be on.\n    Mr. Reitinger. Sorry. It seems to be a problem I have got \ntoday. As Mr. Baker indicated, the Cyberspace Policy Review, \nthe work that led to that, identified a number of legal issues, \nand those are all under examination, including the various \nauthorities that agencies have and whether or not we--whether \nthe administration would want to propose things. I believe the \nprocess would be essentially as he says, with agencies looking \nat their own needs and working through the interagency process \nto propose things, if called for, to Congress.\n    Senator Whitehouse. On a separate aspect of this topic, the \nproblem of attribution is one that I think every witness has \nmentioned during the course of this hearing, which, of course, \non the flip side is the problem of deniability by the sponsor \nof the attack, which inhibits deterrence as a countermeasure by \nour country.\n    However, even where attribution through the maze of servers \nand electronic connections out there cannot be specifically \nestablished, the fact that a fighter plane's systems have been \nhacked and are particularly useful to one particular country or \nthat very significant code developed by the American private \nsector appears verbatim in the code of competitors in another \ncountry and you can sort of connect the dots at that point. 
And \nit is a little bit beyond a pure law enforcement matter because \nyou may not be able to actually prove all the way through, and \nif it is a Government act, it is a little hard to get the \nGovernment in a court of law.\n    What are you all doing to--what is being done to build a \nfoundation for diplomatic dialogue with the nations that are \nmost responsible for the massive, persistent, and aggressive \nwaves of cyber attack that we are experiencing in a more \ngeneral way? There is a point where you can say, ``Look, OK, \nyou are not doing it. Sure. If it continues to happen, here are \nthe consequences.'' That is something that can really only be \ndone at a diplomatic nation-to-nation level. I know the \nPresident is in China now. Where are we in terms of trying to \npush back diplomatically against foreign sovereign-sponsored \ncyber attack?\n    Mr. Reitinger. Let me briefly answer that question, sir, \nand then turn to the question of attribution, if I might, \nbecause you raised a number of points there that I think it \nwould be important to touch on.\n    One of the action items coming out of the Cyberspace Policy \nReview, another one of them, was specifically to develop more \nfocus on what the right international framework is here, and, \nclearly, we need both closer relationships with allies and \noverall an approach to how we are going to have a secure global \necosystem going forward. So that is an area of focus, and work \nis going on interagency right now about the right international \napproach.\n    The other thing, I wanted to turn briefly to attribution, \nbecause you talked a little bit about that at the start. \nObviously, actually attributing conduct is not clearly a role \nof the entities that report up to me, like the United States \nCyber Emergency Readiness Team, US-CERT. 
That is more a role \nfor, for example, the Department of Justice and the FBI.\n    But there is another side to attribution which I think does \ngo to what you are talking about, sort of the positive \nattribution, not where you want to say, ``I have been attacked. \nWho did it? '' but, ``I only want to let in people into my \nsystems when they have proven who they are.'' So that is more \nabout authorization and authentication.\n    Another action item coming out of the policy review--and if \nyou talk about broadly cutting out avenues of attack, there is \nlittle that we could do that would be more effective than \nenabling broad, voluntary, interoperable authentication with \nprivacy protections built in at the start so it is much easier \nto defend your systems and your perimeter and only let in the \npeople, the software, or the devices that you want to.\n    Senator Whitehouse. My time has expired. Thank you, \nChairman.\n    Chairman Cardin. Thank you.\n    Just following up on Senator Whitehouse's point on the \nprotection of privacy in our current laws, there has been the \nimplementation of the EINSTEIN I, II, and now III, which is \nbeing used by our agencies to protect against cyber attacks. As \nI understand it, it has the capacity of obtaining personal \ninformation from innocent Americans. And I guess my question to \nyou, Mr. Baker, is: Are you satisfied that the current \nimplementation of these countermeasures is consistent with our \nprivacy laws and that minimization is being used to prevent the \ndissemination of information that is otherwise protected?\n    Mr. Baker. Thank you, Senator. As the Committee knows, we \nhave done an extensive legal analysis of the EINSTEIN II \ninitiative and made available the OLC opinions regarding--two \nOLC opinions regarding that matter which are publicly available \non OLC's website. 
So our analysis of that program is that it \ndoes comply with the Fourth Amendment and with the various \nstatutory requirements. It meets the various statutory \nrequirements that are out there.\n    In terms of minimization and use of the information and so \non, I mean, there are procedures in place, as reflected, I \nthink, in the Department of Homeland Security's privacy impact \nstatement or assessment with respect to EINSTEIN II, that \ndescribe the kinds of procedures and policies that they \nimplement to ensure that information regarding--personally \nidentifiable information or other information generated from \nthat program are handled appropriately. And so I believe that \nwe are satisfied with that to date.\n    Chairman Cardin. And EINSTEIN III, as I understand it, is \nnow in the process of being developed and implemented?\n    Mr. Baker. I will defer to Mr. Reitinger on the description \nof EINSTEIN III, but----\n    Chairman Cardin. The Department of Justice has not had any \nimpact on III?\n    Mr. Baker. The Department of Justice has conducted a legal \nanalysis of EINSTEIN III. I am not able to describe that or \ndiscuss that in this setting today, but we have conducted such \nan analysis and, I believe, made that available to committees \nof the Congress.\n    Chairman Cardin. Mr. Reitinger.\n    Mr. Reitinger. Thank you, Mr. Chairman. Obviously, EINSTEIN \nI and EINSTEIN II are in deployment. EINSTEIN III is still in \ndevelopment. We are working closely with our partners in \nGovernment, including the Department of Justice, on what that \nought to look like and how we can best protect privacy. I can \nspend more time describing the protections for privacy in \nEINSTEIN II. Mr. Baker touched on them, but they are fairly \nbroad. They include policy and procedure. As our Privacy Impact \nAssessment described, how we collect information, when we \nretain and how we retain information, and how it is disclosed.\n    It includes training. 
We provide training to those \nresponsible in US-CERT for operating the EINSTEIN system. There \nare three levels of training in the Department of Homeland \nSecurity: general privacy training, specific training for those \nwho conduct the EINSTEIN system, and going forward, there will \nbe specific training on EINSTEIN III.\n    Oversight mechanisms, both the Office of Privacy and the \nOffice of Civil Rights and Civil Liberties and other components \nof the Department of Homeland Security can provide oversight \ninto the mechanisms that are used. And, in addition, within the \nOffice of Cybersecurity and Communications, there is an \nidentified compliance and oversight officer whose job it is to \nensure compliance with the rules.\n    And, last, there is transparency. I think we have received \nsome praise for the fact that we have gone forward and been \nforward leaning with our Privacy Impact Assessments for \nEINSTEIN I and II, and it is our intention to be as transparent \nas possible consistent with the need for secrecy in some areas.\n    Chairman Cardin. Let me go back to Senator Whitehouse \nagain. On EINSTEIN III, the Department of Justice, is that one \nof your concerns about the current legal structure being \nadequate? Or are you able to work through EINSTEIN III within \nthe current legal framework?\n    Mr. Baker. I think, Senator, I am not able to describe the \nlegal analysis with respect to EINSTEIN III in detail today, \nbut what I will just--I will say that, as I describe, there is \na range of statutes--the Fourth Amendment, obviously, and then \nthe range of statutes that apply in this area. So anytime you \nare doing anything with electronic communications, storage, \ntransit, however it--I am not speaking about EINSTEIN III in \nparticular, but any type of program, you have to go through a \nwhole range of different issues that you have to analyze. So it \nis complex in that sense. The statutes are complex. The legal \nregime is complex. 
And, therefore, the analysis is complex.\n    If I could just amend my comments from before, with respect \nto EINSTEIN II, there are still discussions that are going on \nwith respect to the procedures of handling some of the data, in \nparticular data that comes into the Department of Justice, for \nexample, from a variety of different sources. So not all of the \nprivacy issues with respect to EINSTEIN II have been resolved. \nThere is still work going on in that regard, so I just wanted \nto note that.\n    Chairman Cardin. And just following up on Senator \nWhitehouse, this Committee is very interested in understanding \nthe legal challenges, both in obtaining the information you \nneed and protecting the privacies. And if this is not the right \nforum to talk about it, we invite an opportunity to review it.\n    Now, Senator Whitehouse also serves on the Intelligence \nCommittee, so he is in a position where he can obtain \ninformation both through the Intelligence Committee and the \nJudiciary Committee.\n    Senator Whitehouse. Usually a day or so after the New York \nTimes gets it.\n    [Laughter.]\n    Chairman Cardin. Senator Kyl.\n    [Pause.]\n    Chairman Cardin. If our colleagues are agreeable, we are \ngoing to dismiss this panel and go to the second panel because \nwe are told it is likely to be votes starting soon. Thank you \nall very much for your testimony.\n    Chairman Cardin. Our second panel consists of Gregory \nNojeim, who is the senior counsel at the Center for Democracy & \nTechnology and the director of its project on freedom, \nsecurity, and technology. In this capacity, he conducts much of \nCDT's work in the area of national security, terrorism, and \nFourth Amendment protections. 
He is also co-chair of the \nCoordinating Committee on the National Security and Civil \nLiberties of the Individual Rights and Responsibilities Section \nof the American Bar Association.\n    Larry Clinton is president and CEO of the Internet Security \nAlliance. He is a member of the experts panel created by the \nGeneral Accounting Office at the request of the House Committee \non Homeland Security to assess and make recommendations to the \nObama administration on cybersecurity.\n    Larry Wortzel is Vice Chairman of the U.S.-China Economic \nand Security Review Commission. He is a retired Army colonel \nwho served two tours of duty as a military attache in China. \nFor 25 years of his 32-year military career, Dr. Wortzel was an \nintelligence officer.\n    If you all would please rise so I can swear you in. Do you \naffirm that the testimony you are about to give before the \nCommittee will be the truth, the whole truth, and nothing but \nthe truth, so help you God?\n    Mr. Nojeim. I do.\n    Mr. Clinton. I do.\n    Mr. Wortzel. I do.\n    Chairman Cardin. Thank you all very much. Without \nobjection, your entire statements will be made a part of the \nCommittee record. You may proceed as you see fit, starting with \nMr. Nojeim.\n\n STATEMENT OF GREGORY T. NOJEIM, SENIOR COUNSEL AND DIRECTOR, \nPROJECT ON FREEDOM, SECURITY & TECHNOLOGY, CENTER FOR DEMOCRACY \n                  & TECHNOLOGY, WASHINGTON, DC\n\n    Mr. Nojeim. Thank you, Chairman Cardin, Ranking Member Kyl, \nmembers of the Subcommittee. Thanks for the opportunity to \ntestify about cybersecurity and civil liberties on behalf of \nthe Center for Democracy & Technology. CDT is a nonprofit, non-\npartisan organization dedicated to keeping the Internet open, \ninnovative, and free.\n    The United States faces significant cybersecurity threats. \nComputer hackers have penetrated Government systems and have \nstolen massive amounts of sensitive information. 
They have \npenetrated financial networks and have stolen millions of \ndollars. While the need to act is clear, it is essential that \nwe take a nuanced and incremental approach. We ask that you \nkeep a key distinction in mind as you go forward. Policy toward \nGovernment systems can be much more prescriptive than policy \ntoward private systems.\n    The characteristics that have made the Internet \nsuccessful--openness, decentralization, user control--they may \nbe put at risk if heavy-handed cybersecurity mandates are \napplied to all critical infrastructure.\n    When he unveiled the White House Cyberspace Policy Review \non May 29, President Obama correctly emphasized that the \npursuit of cybersecurity must not include governmental \nmonitoring of private networks. Monitoring these systems is the \njob of private sector communications providers. They already do \nit today pursuant to self-defense provisions in current law. \nThe Wiretap Act allows communications providers to intercept, \nuse, and disclose--to both their peers and to the Government--\ncommunications passing over their networks while they are \nengaged in activity necessary to protect their own rights and \nproperty. ECPA provides similar authorities for disclosure of \nstored communications. Furthermore, the Wiretap Act allows \nservice providers to invite in the Government to intercept the \ncommunications of computer trespassers. These provisions do not \nauthorize ongoing or routine disclosure of traffic by the \nprivate sector to the Government, nor should they. The \nSubcommittee should consider whether it is necessary to clarify \nthese provisions and to require public statistical reporting on \ntheir use.\n    While current law authorizes providers to make disclosures \nto protect themselves, what about disclosures to protect \nothers? 
There might be a need for a very narrow exception to \nthe Wiretap Act and to ECPA to permit providers to make \nvoluntary disclosures about specific attacks and malicious code \nto protect other providers. We urge the Subcommittee to \napproach this issue very cautiously, for exceptions intended to \npromote information sharing could end up harming privacy.\n    While the private sector protects its systems, the Federal \nGovernment clearly has responsibility to monitor and protect \nits own systems. Caution and transparency are both required to \navoid chilling communications that Americans have with their \nGovernment. The DHS EINSTEIN system is being deployed by \nGovernment agencies to protect Government computers against \nattack. CDT does not object to this in principle. However, \nindependent audits should be required to ensure that EINSTEIN \ndoes not inadvertently access private-to-private \ncommunications. Audits could also ensure compliance with strict \nlimits on how much information is collected, with whom it is \nshared, and for what purposes.\n    We do, however, object to the secrecy that has shrouded the \nEINSTEIN Program. Notwithstanding the OLC opinions and the \nPrivacy Impact Assessment that have been released, much more \nneeds to be known about the program. Excessive secrecy \nundermines public trust and communications carrier \nparticipation, both of which are essential to the success of \nthis and other cybersecurity initiatives.\n    On the question of identity and authentication, some have \nproposed sweeping identification mandates, including even a \npassport for using the Internet. Identification and \nauthentication will likely play a significant role in securing \ncritical infrastructure. They should be applied judiciously, to \nspecific high-value targets, and to high-risk activities and \nallow for multiple identification solutions.\n    Privacy and security cannot be viewed as a zero-sum game. 
\nMeasures intended to increase communications security need not \nthreaten privacy and, indeed, they can enhance it. CDT looks \nforward to working with the Subcommittee to identify and \npromote these win-win solutions.\n    Thank you.\n    [The prepared statement of Mr. Nojeim appears as a \nsubmission for the record.]\n    Chairman Cardin. Thank you very much for your testimony.\n    Mr. Clinton.\n\n   STATEMENT OF LARRY CLINTON, PRESIDENT, INTERNET SECURITY \n                 ALLIANCE, ARLINGTON, VIRGINIA\n\n    Mr. Clinton. Thank you, Mr. Chairman, Mr. Kyl, Senator \nWhitehouse. The Internet Security Alliance is a trade \nassociation of major business users of Internet security \nservices, so we represent banks, defense companies, IT, \ntelecom, traditional manufacturers, pretty much anybody who \nuses the Internet. ISA's mission is to integrate advanced \ntechnology with the pragmatic business imperatives of the \nowners and operators of the system, which is primarily the \nprivate sector, and coordinate that with what we hope will be \nenlightened public policy to create a sustained system of \ncybersecurity.\n    In November of 2008, ISA published its policy \nrecommendations for the 111th Congress, the social contract \ndocument, which we hope to provide that sort of overarching \nstrategy that I think the Chairman was asking about initially. \nWe were delighted when President Obama came out with his \nCyberspace Policy Review in May of 2008 because the first thing \nhe quoted was our social contract document, and they cited \nabout a dozen other documents of ours in terms of their report. \nNaturally, the ISA supports the President's position for three \nreasons.\n    First, the administration recognizes that cybersecurity is \nas much an economic issue as it is a technical issue. 
That is, \nby the way, we are not reaching that 80 percent we discussed \nduring the first panel.\n    Second, the administration advocates the development of \nmarket incentives to improve private sector behavior with \nregard to cybersecurity.\n    Third, the President himself said that he will not be \nsupporting mandated cybersecurity standards for the private \nsector. This last point is important because, as we argue in \ndetail in our written testimony, federally mandated \ncybersecurity standards not only would not work, but they will \nbe seriously counterproductive to our National economic \ninterests and our National security interests.\n    On December 3rd, we are going to be releasing a new \npublication detailing specific steps to move from broad \nprinciples of agreement to implementation. However, given the \nshort amount of time I have with the Committee today, I want to \nfocus on the one issue that I believe is most important for the \nCommittee to appreciate if it is going to legislate in the \ncybersecurity space, and that is, in order for us to achieve a \nsustainable system, we must fundamentally change the economic \nequation with regard to cybersecurity.\n    The dispiriting realization with regard to cybersecurity \neconomics is that all of the current incentives favor the \nattackers. Cyber attacks are comparatively cheap and easy to \nexecute. The profits that can be generated from cyber attacks \nare enormous. Cyber defense perimeter is nearly limitless. \nCosts are difficult to calculate. Defense is expensive. It \noften does not generate return on investment.\n    Now, most of us in this room today are what demographers \nare now calling digital immigrants, meaning that unlike my \nteenaged children, we were not born into the digital world that \nwe now inhabit. 
Perhaps it is because cybersecurity economics \nis so foreign to us and is poorly understood at the consumer, \nnational, and corporate levels.\n    For example, many consumers have a false sense of security \ndue to their belief that most of the financial impact resulting \nfrom a loss of personal data will be fully covered by corporate \nentities, like the banks. In fact, much of these losses are \ntransferred back to consumers in the form of higher interest \nrates and consumer fees. During the first panel, we talked \nabout the prospect of a potential cyber hurricane, and the \nFederal Government does not seem to realize that you are the de \nfacto insurer of last resort. All of financial risk management \nis laid at the Federal Government steps right now because there \nis virtually no private cyber insurance market to help you.\n    Meanwhile, most of our corporate and Government structures \nare built on outdated models wherein the owners of the data do \nnot understand themselves to be responsible for the defense of \nthe data. The marketing department has data, the finance \ndepartment has data, et cetera, et cetera, but they think the \nsecurity of the data is the responsibility of the IT guys at \nthe end of the hall. As a result, the financial risk management \nof cyber events across enterprise settings is not properly \nanalyzed, not properly appreciated, and cyber defense is not \nadequately budgeted. The interaction of these factors may be at \nthe root of the finding of the 2009 PricewaterhouseCoopers \nGlobal Information Security Study, which pointed out that, \ndespite the increasing publicity about the dangers of cyber \nincursions, nearly half--47 percent--of all enterprises are \nactually reducing or deferring budgets for information security \ninitiatives. 
The ISA Social Contract, like the administration's \nCyberspace Policy Review, argues that what will be required to \naddress this issue is for the public sector to deploy market \nincentives to motivate private investment for the purposes of \nprotecting the public interest.\n    Now, the good news, as we discussed during the first panel, \nis that the research shows that between 80 to 90 percent of \ncyber breaches could be prevented if we simply adopted the \nstandards, practices, and technologies that we already have. \nThe problem is we are not doing it.\n    The Government is charged with the responsibility to \nprovide for the common defense, but in the cyber world, \nGovernment cannot do this alone. They will require the private \nsector cooperation and investment. While some of that \ninvestment will come from corporations serving their own \nprivate security needs, the extent of investment required to \nserve the broader public needs due to some of the unique \naspects of cyber economics I just described will not be done.\n    In our written testimony, we provide a fairly comprehensive \nproposal how we can create a modern, sustainable, effective \nsystem of cybersecurity. However, to do this, we digital \nimmigrants, including Members of Congress, may have to learn \nsome new rules and some new language to manage this new world. \nWe believe we can do it together.\n    Thank you, sir.\n    [The prepared statement of Mr. Clinton appears as a \nsubmission for the record.]\n    Chairman Cardin. That gives us another reason for \nimmigration reform.\n    Dr. Wortzel.\n\nSTATEMENT OF LARRY M. WORTZEL, PH.D., VICE CHAIRMAN, U.S.-CHINA \n    ECONOMIC AND SECURITY REVIEW COMMISSION, WASHINGTON, DC\n\n    Mr. Wortzel. 
Chairman Cardin, Ranking Member Kyl, thanks \nfor giving me the opportunity to testify today.\n    Our Nation's critical infrastructure, economy, defense \ninformation, and citizens are threatened by hackers, \nterrorists, and hostile foreign intelligence services. \nPreventing computer network penetration and pursuing those who \nattack us while preserving privacy is a challenge. But I have \nto say our intelligence and law enforcement agencies have been \nrecently successful in preventing terrorist attacks and \ndetecting espionage because of the Foreign Intelligence \nSurveillance Act and the PATRIOT Act. I think with good \nlegislation, vigorous oversight by Congress, and attention from \nthe White House, our intelligence and law enforcement \nauthorities can accomplish much in protecting America's \ncomputer networks.\n    In my remarks, I will make reference to the report Senator \nKyl mentioned by the U.S.-China Economic and Security Review \nCommission on China's capability to conduct cyber warfare and \npenetrate and exploit computer networks. The report's findings \nare relevant to securing critical infrastructure and preventing \ncyber attacks. And the lessons learned by preventing intrusions \nfrom China apply to all other forms of intrusions.\n    In addition to discussing the Commission's findings about \ncybersecurity, I am going to provide my personal views, \ninformed by my experience as an Army intelligence officer and \nmy own research on the subject at The Heritage Foundation.\n    I think we can do better in some areas. I do not believe \nthat the Computer Fraud and Abuse Act, even as amended by the \nPATRIOT Act, is sufficient to address some critical issues. 
One \nof these is the right of private response by individuals or \ncorporations that may choose to retaliate against cyber \nintruders.\n    As our Commission's report documents, there have been \nsignificant penetrations of critical infrastructure, defense \ncontractors, and Government cyber networks, including those of \nthe Department of Defense and Congress. The Commission \nrecommended that Congress respond by evaluating the \neffectiveness and the resources available for law enforcement \nand the intelligence community. Among the most important \nobjectives should be developing reliable attribution techniques \nto determine the origin of computer intrusions. The Commission \nalso recommended that Congress urge the Obama administration to \ndevelop measures to deter malicious Chinese cyber activity.\n    In a recent editorial, I pointed out that Government and \nprivate industry are still in a reactive posture to cyber \nintrusions and cyber espionage. And as yet, there is no fully \ncoordinated Government and industry response. I think President \nObama made a good start with the 60-day cyber review, but there \nstill is no permanent cybersecurity coordinator at the White \nHouse, as recommended in its own review. Efforts to coordinate \nstandards and policies across Government and in the private \nsector appear stalled without senior leadership in the National \nSecurity Council.\n    That said, I think President Obama was wise to incorporate \nthe Homeland Security Council staff into the National Security \nCouncil. I think the National Security Act of 1947 is a fine \nmodel for the executive branch to address these things. 
I think \nwith proper staffing in the White House, attention from the \nNational Security Adviser, and the leadership in NSC meetings \nof the cabinet Secretary of the lead Department in the \nExecutive branch, a unified, well-led effort can bring together \nthe agencies of the Government and coordinate cybersecurity \nwith allies and private industry. Also, creating the U.S. Cyber \nCommand is an outstanding initiative within the Department of \nDefense.\n    Now, there is still debate about what agency should lead \ncyber efforts and set standards. I think the Department of \nHomeland Security can help coordinate these with state and \nlocal governments as well as private industry.\n    I believe the lead agency for the government response, \nhowever, should be the National Security Agency. NSA has a \nstrong institutional culture of adherence to the Foreign \nIntelligence Surveillance Act. Its personnel are trained to \nprotect the privacy and rights of American persons. No agency \nhas the decades of experience the National Security Agency has \nin conducting operations in the electronic and cyber realms; \nits personnel are skilled and superbly trained; it has broad \ninternational contacts with allies and friendly governments; \nand it has wide contacts in the private sector. Also, it has \ngot a cadre of highly skilled linguists who are able to work in \nthe languages associated with foreign intrusions.\n    In closing, I think the Government should be able to set \nstandards for private industry associated with the National \nIndustrial Security Program. And with respect to our critical \ninfrastructure, I think it would behoove us to insist on \ncertain standards, particularly on things like utilities.\n    Thank you, gentlemen.\n    [The prepared statement of Mr. Wortzel appears as a \nsubmission for the record.]\n    Chairman Cardin. Thank you for your testimonies. We will \nstart with Senator Kyl.\n    Senator Kyl. Thank you. 
Why don't I just take a couple of \nminutes here, because our first vote has started, and I want to \napologize to all three of you. I found all of your testimony \nvery important and useful, and it may be that we will want to \nfollow up with some questions, if that is all right with you, \nbecause in about 10 minutes we will have to go to the vote.\n    I am still fixated a little bit on this question of who \nshould lead the effort, and let me start, because you raised \nthe question right at the end, Mr. Wortzel. You indicated you \nthought NSA would be the best to lead the overall effort, and \nif you could just give me about one more minute on that.\n    And then, Mr. Clinton, given that the interface with a lot \nof business is through the Department of Homeland Security, as \nyou mentioned, how would that fit into an NSA with an overall \nlead?\n    And maybe, Mr. Nojeim, are there any concerns that you have \nwith that kind of a structure, especially since another \nalternative would be military? But it seems to me that the \nDefense Department has its own kind of separate thing to do, \nbut correct me if I am wrong.\n    Dr. Wortzel.\n    Mr. Wortzel. Senator, I think you are absolutely right. \nWith respect to the National Security Council, I tend to ask a \ncouple of questions with which to assess what the NSC might be doing.\n    First of all, there is no permanent senior director for \ncyber matters on the NSC. It looks like the acting senior \ndirector is pretty well qualified for what he is doing. He \ncomes out of the Department of Justice. But the White House \nneeds to finalize this selection.\n    Now, the question looking at the NSC structure and \neffectiveness ought to focus on what happens if a deputies \nCommittee meeting is held to make the highest-level \nrecommendations to the President on cyber issues. What \nexecutive and department cabinet agency's deputy chairs it? 
I \ndo not have the answer to that.\n    And I think the second question we should be asking is: \nRight now what is the highest level of executive out of the \nexecutive branch that has attended or chaired an NSC meeting on \ncyber issues? I am not even certain it is getting the right \nattention.\n    Now, I think no agency has better expertise maybe in the \nworld than the National Security Agency broadly on electronic \noperations and operations in the electromagnetic spectrum. But \nat the NSC, the cabinet deputy chairing meetings should probably \nbe the Deputy Attorney General. This puts the proper focus on \nprivacy issues. I do not know if that is happening.\n    My own experience was as a very junior person with the \nsenior interagency groups in the Reagan NSC. When we worked on \ncounterintelligence matters, the Attorney General led it. When \nwe worked on intelligence matters at the time, it was the CIA \nDirector.\n    So I do not know what is happening on the NSC now. I do not \nsee anything publicized about the processes. But those are the \nquestions that have to be asked of the executive branch. I just \ndo not think it is getting the right attention.\n    Mr. Clinton. Senator, let me first start by commenting that \nI spend a lot of time suggesting that Members of Congress \nshould not be telling the private sector how it should organize \nitself, so I am reluctant to tell the Federal Government how it \nshould be organizing itself.\n    I think that the overall question, I would agree with Mr. \nWortzel, about the need for attention is very important, and we \nthink that the overall approach that the President articulated \nin May is correct in that the new cyber coordinator is supposed \nto have a dual-hatted responsibility both to the National \nSecurity Council and to the National Economic Council.\n    We think that this notion that cybersecurity is both a \nnational security and a national economic security issue is \ncritical. 
And so I would worry about turning over to NSA the \nleadership of this because I do not think that they take that \nsort of perspective. They have a very legitimate perspective, \nbut I do not think it is that perspective.\n    I would also point out, as we indicated, we quote I think \nthree different sources in our written testimony, and then NSA \nactually said in the previous panel that the vast majority of \nthis stuff we already know how to do. He was saying 80 percent. \nOur research indicates up to 90 percent. So we do not need \nnecessarily people to come up with in the main new programs and \nnew--we know how to do a lot of this. We are just not doing it. \nVirtually everybody agrees on that.\n    Now, the other 10 to 20 percent of the problem, that is, \nlike, really hard stuff, you know, and we definitely need a lot \nof work with the NSA on that. The supply chain issues are \nenormous. There is a lot of work that needs to be done over \nthere.\n    But in terms of creating the overall system, which is what \nwe need, we need, as digital immigrants, as I say, we guys of \nour age quartile need to rethink how we are doing this. We \ncannot do this through cold war-era structures. And that is \nwhat we have now. We have the Department of Commerce, we have \nthe Department of Justice. We are in these old structures. This \ndoes not make sense in the Internet age. We need to rethink \nthis, and we need to rethink the approach.\n    So in the short term, I am happy with NSA doing a great \ndeal of work on that other 10 percent. I would be reluctant to \nsee them from their perspective take the leadership on the \noverall effort. My sense is that that should be run in a dual-\nhatted capacity out of the White House with a lot of work from \nDHS as well as, frankly, the Department of Commerce.\n    Chairman Cardin. Thank you.\n    Mr. Nojeim. May I add to those comments? Senator Kyl, I do \nnot think NSA wants that role. 
The head of the NSA already said \nthat it does not want to be in charge of cybersecurity. NSA \nmight have particular expertise in finding attacks and \nidentifying attacks. It can share that expertise with other \nagencies, civilian agencies, such as DHS. DHS has a lot of \nhistory in this area. It is not all good history. But it has \ngot some new leadership, and I think you can have a lot of \nconfidence in Phil Reitinger and his team. They seem to be \ntackling issues that had been left open for a while.\n    And I should add--I would be remiss if I did not--that NSA \nhas certain baggage that it would bring to a leading role in \nthe effort to secure civilian systems that other agencies do \nnot have, including the warrantless wiretapping program.\n    Thank you.\n    Chairman Cardin. Senator Whitehouse.\n    Senator Whitehouse. Thank you. Given the status of the \nvote, I would probably make this a question for the record so \nthat I do not keep us late. But I would like you, Mr. Nojeim, \nto get back to me on the boundary that you suggest between the \nprovider-driven security measures in the private sector versus \nthe Government-run national security protection measures. In \nlight of what I would consider to be three--well, let us not \ncall them ``facts''--observations.\n    One, if, in fact, NSA has technical capabilities beyond \nthose of the providers, why should you be relying on the \nproviders in areas where NSA actually has greater capability?\n    Why should it be satisfactory to have NSA only brought in \nby the providers on an invite-in basis in circumstances in \nwhich the providers might not even know that a particularly \nsophisticated attack is underway through their systems, but NSA \nmight?\n    And, finally, how can the relationship between the \nproviders and NSA be anything but ongoing and routine when \ncyber attack is constant and unremitting? 
It is not like, OK, \nwe are having some cyber attacks today and we will call in NSA, \nbut today is a good day, we are not having cyber attacks today, \nso we do not need them.\n    We are under a constant, massive, unremitting barrage of \ncyber attack, and I do not see how you get out of ongoing and \nroutine in that context.\n    Mr. Nojeim. I will be happy to respond for the----\n    Senator Whitehouse. I do not think we have time because of \nthe vote.\n    Chairman Cardin. If you could do it for the record, I think \nwe would appreciate that. Unfortunately, there are a series of \nvotes on the floor of the Senate; otherwise, we would try to \nkeep the hearing moving forward. I think the point that Senator \nWhitehouse has raised, though, is of interest to all of us, so \nwe would appreciate not just you, Mr. Nojeim, but if all of you \nwould respond, we would appreciate it.\n    [The information referred to appears as a submission for \nthe record.]\n    Chairman Cardin. Mr. Clinton, I think your point about the \neconomic issues is a very important point. I am curious as to \nhow we can try to adjust that in the private sector and would \nwelcome, I guess, more thoughts as to how we can adjust that. \nAnd, Dr. Wortzel, I think your comments about how we try to \ncoordinate this is vitally important to our country.\n    We will keep the record open for additional questions by \nmembers of the Committee, and we thank all three of you for \nyour testimony. It is a continuing effort, so we will look \nforward to your continued involvement as we try to get this \nright for our Nation.\n    With that, the Subcommittee will stand adjourned.\n    [Whereupon, at 11:45 a.m., the Subcommittee was adjourned.]\n    [Questions and answers and submissions for the record.]\n</pre></body></html>\n"