b'<html>\n<title> - [H.A.S.C. No. 112-5]WHAT SHOULD THE DEPARTMENT OF DEFENSE\'S ROLE IN CYBER BE?</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n                                     \n\n                          [H.A.S.C. No. 112-5]\n \n       WHAT SHOULD THE DEPARTMENT OF DEFENSE\'S ROLE IN CYBER BE?\n\n                               __________\n\n                                HEARING\n\n                               BEFORE THE\n\n           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n\n                                 OF THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                           FEBRUARY 11, 2011\n\n\n                                     \n                  U.S. GOVERNMENT PRINTING OFFICE\n64-861                    WASHINGTON : 2011\n\n\n           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n\n                    MAC THORNBERRY, Texas, Chairman\nJEFF MILLER, Florida                 JAMES R. 
LANGEVIN, Rhode Island\nJOHN KLINE, Minnesota                LORETTA SANCHEZ, California\nBILL SHUSTER, Pennsylvania           ROBERT ANDREWS, New Jersey\nK. MICHAEL CONAWAY, Texas            SUSAN A. DAVIS, California\nCHRIS GIBSON, New York               TIM RYAN, Ohio\nBOBBY SCHILLING, Illinois            C.A. DUTCH RUPPERSBERGER, Maryland\nALLEN B. WEST, Florida               HANK JOHNSON, Georgia\nTRENT FRANKS, Arizona                KATHY CASTOR, Florida\nDUNCAN HUNTER, California\n                 Kevin Gates, Professional Staff Member\n                 Mark Lewis, Professional Staff Member\n                      Jeff Cullen, Staff Assistant\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n                                  2011\n\n                                                                   Page\n\nHearing:\n\nFriday, February 11, 2011, What Should the Department of \n  Defense\'s Role in Cyber Be?....................................     1\n\nAppendix:\n\nFriday, February 11, 2011........................................    29\n                              ----------                              \n\n                       FRIDAY, FEBRUARY 11, 2011\n       WHAT SHOULD THE DEPARTMENT OF DEFENSE\'S ROLE IN CYBER BE?\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Ranking Member, Subcommittee on Emerging Threats and \n  Capabilities...................................................     2\nThornberry, Hon. Mac, a Representative from Texas, Chairman, \n  Subcommittee on Emerging Threats and Capabilities..............     1\n\n                               WITNESSES\n\nCauley, Gerry, President and Chief Executive Officer, North \n  American Electric Reliability Corporation......................     
6\nNojeim, Gregory T., Senior Counsel and Director, Project on \n  Freedom, Security and Technology, Center for Democracy and \n  Technology.....................................................     8\nPfleeger, Shari L., Director of Research, Institute for \n  Information Infrastructure Protection at Dartmouth College.....     4\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Cauley, Gerry................................................    58\n    Langevin, Hon. James R.......................................    34\n    Nojeim, Gregory T............................................    67\n    Pfleeger, Shari L............................................    36\n    Thornberry, Hon. Mac.........................................    33\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    [There were no Questions submitted post hearing.]\n       WHAT SHOULD THE DEPARTMENT OF DEFENSE\'S ROLE IN CYBER BE?\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n         Subcommittee on Emerging Threats and Capabilities,\n                         Washington, DC, Friday, February 11, 2011.\n    The subcommittee met, pursuant to call, at 11:30 a.m., in \nroom 2118, Rayburn House Office Building, Hon. Mac Thornberry \n(chairman of the subcommittee) presiding.\n\nOPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM \n     TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND \n                          CAPABILITIES\n\n    Mr. Thornberry. 
Hearing will come to order.\n    Let me welcome the members and witnesses and guests to this \nfirst hearing in this Congress of the Emerging Threats and \nCapabilities Subcommittee.\n    I certainly appreciate all the members who have chosen to \njoin this subcommittee. And among other benefits, we will have \nthe former chair and former ranking member of the subcommittee, \nMs. Sanchez and Mr. Miller, as part of our body.\n    But I am really looking forward to the chance to work in \npartnership with the gentleman from Rhode Island, Mr. Langevin. \nHe and I started working together on cyber issues in 2003 as \npart of the Select Homeland Security Committee, on the Cyber \nSubcommittee of that body, and have worked together on this \ncommittee and on the Intelligence Committee basically ever \nsince. So I look forward to what we can accomplish together for \nthe country\'s security in the next two years.\n    One of the first things that one notices is the name of the \nsubcommittee has changed. And I think that is to better match \nwhat our charge is. We are to look out in the future and help \nsee that the United States is prepared to deal with those \nnational security challenges that are still emerging, that we \nare still learning about. Things such as terrorism and cyber \nwarfare.\n    We are also charged with nurturing emerging capability that \ncan meet those and other threats. And the jurisdiction of the \nsubcommittees has been changed to reflect so we can better \nfocus on cyber and these other challenges.\n    Of course, any emerging threat presents new challenges on \npolicy, legal authority, budgeting, such as we have witnessed, \nfor example, since 9/11. 
And today, in the field of cyber, we \nwant to start by asking really a fairly basic but I think \nimportant question, and that is, what is the role of the \nDepartment of Defense in defending the country in cyberspace?\n    If a formation of planes or some hostile-acting ships came \nbarreling towards a factory or refinery in the U.S., I think \nmost of us have a pretty good idea of what we would expect from \nthe Department of Defense. They may try to identify who it is, \ndivert them over to another area. They may even go so far as to \nshoot them down. But the bottom line is we expect our military \nto protect us from threats that we cannot handle on our own.\n    But what do we expect, or what should we expect, if a bunch \nof malicious packets, or potentially malicious packets, come \nbarreling at us--or come barreling at the same facilities in \ncyberspace? I am not sure we have a good answer to that. And if \nwe figure out what we expect, then the question is, can the \ngovernment do what we expect? Does it have the ability and the \nauthorization to do it?\n    I don\'t expect that we are going to get definitive answers \nto those questions today, but I do think we need to be serious \nand diligent about pursuing those answers because the threat is \nserious and it is growing in numbers and sophistication.\n    Yesterday, at the Intelligence Committee hearing, I asked \nDNI [Director of National Intelligence] Clapper, Director \nPanetta, FBI [Federal Bureau of Investigation] Director Mueller \nabout how serious the threats in cyberspace were as a matter of \nnational security. Each of them responded they thought it was \nin fact very serious. 
Clapper said, ``The threat is increasing \nin scope and scale, and its impact is difficult to overstate.\'\'\n    So we know that cyber is a new domain of vandalism, of \ncrime, of espionage, and, yes, even warfare, but I am afraid \nthe country is not very well equipped to deal with any of those \nchallenges.\n    As we look for solutions, we have to be smart and careful \nand true to our values, but I believe we need to act to improve \nour security.\n    And I appreciate the witnesses who are here today to help \nguide us on that path.\n    But first, I would yield to the distinguished gentleman \nfrom Rhode Island, the ranking member, for any comments he \nwould like to make.\n    [The prepared statement of Mr. Thornberry can be found in \nthe Appendix on page 33.]\n\n  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM \nRHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS \n                        AND CAPABILITIES\n\n    Mr. Langevin. Well, thank you, Mr. Chairman.\n    As this is our subcommittee\'s first hearing of the 112th \nCongress, I just wanted to take a moment to congratulate you on \nyour chairmanship and to say how much I am very much looking \nforward to working with you again. As you rightly pointed out, \nwe have worked on many of these issues together in our time on \nthe Homeland Security Committee, to our time as we have served \non this committee, and as well as the House Intelligence \nCommittee.\n    So our paths keep crossing in a very positive way and we \nhave enjoyed a very productive partnership in the past and I \nknow we will continue with our work on this subcommittee as \nwell. 
So congratulations to you.\n    In 2007, as chair of the Homeland Security Subcommittee on \nEmerging Threats, Cyber Security and Science and Technology, I \nconducted a detailed and thorough examination of cyber threats \nto our power grid after tests conducted at Idaho National Labs, \nknown as Aurora, became public.\n    At that time, industry representatives from NERC [the North \nAmerican Electric Reliability Corporation] misled or were \ninaccurate about their testimony to the Homeland Security \nCommittee about their efforts to address these threats in the \nprivate sector. Now, we called them on it and they retracted \ntheir statements. But the experience illustrates how difficult \nit can be to require and ensure security when it comes to \ncritical infrastructure.\n    Since then, threats to our critical infrastructure have \nonly grown, with news reports suggesting that there is interest \nby malicious actors in exploiting vulnerabilities in the U.S. \npower grid and other critical infrastructure. The federal \nagencies have taken steps to reduce these vulnerabilities. I \nhave to say, though, I am afraid that many in industry and in \ngovernment still fail to appreciate the urgency of this threat. \nSince I began working on this issue, I have been disappointed \nby the overall lack of serious response and commitment to this \nissue, and I still believe America is vulnerable to a cyber \nattack against the electric grid that would cause severe damage \nnot only to our critical infrastructure, but also to our \neconomy and the welfare of our citizens.\n    Because of this concern, last Congress I posed this \nquestion to the heads of all of our military services. If our \ncivilian power system is vulnerable, what is being done to \nprotect our numerous military bases that rely on them to \noperate?\n    Well, the answers were disturbing, but not surprising. 
Vice \nAdmiral Barry McCullough, head of the Navy\'s 10th Fleet, \ntestified that, ``These systems are very vulnerable to \nattack,\'\' noting that much of the power and water systems for \nour military bases are served by single sources and have only \nvery limited backup capabilities with an attack on a power \nstation potentially requiring weeks or even months to recover \nfrom, our bases could face serious problems maintaining \noperational status. A recent report from the Department of \nEnergy\'s Inspector General found that despite years of concern \nand hand-wringing by those who are aware of the threat, not \nmuch has been done to increase protection to these civilian \nsystems.\n    Their reports also fault federal regulators for not \nimplementing the adequate security standards--cyber security \nstandards. But if you ask industry, you will find out that \nthere is no actual requirement to do what the government wants. \nThe regulators don\'t have any actual ability to regulate when \nthey see a problem, despite being fully aware of the tremendous \nrisks that face our nation.\n    Now, if everyone is aware of the threat, both DOD [the \nDepartment of Defense] and our civilian power sector, it \nappears that the tragedy of the commons has ruled that no one \nhas been willing or able to address it.\n    At the House Intelligence Committee\'s annual open meeting \nyesterday, Director Panetta testified that cyber threats to our \ncritical infrastructure had the potential to be the next Pearl \nHarbor, and I agree and remain unconvinced that we have the \nabilities or the authorities to stop a large-scale cyber \nattack.\n    To this end, last year I introduced legislation to \ncoordinate our national cyber security policies for the \nprotection of our federal networks, as well as our critical \ninfrastructure. 
And while we had success with an amendment in \nthe House defense authorization measure, you may know that we \nwere forced to remove that language during conference.\n    Let me just say, Mr. Chairman, that I look forward to \nworking with you to move forward again this year and finally \nbegin to address these critical vulnerabilities.\n    Today, I am anxious to hear from our panel, especially Mr. \nCauley from NERC and ask what has changed since 2007. Are we \nstill as vulnerable today as we were then? And I, for one, \nbelieve that the answer is yes. I fear that little has changed \nother than the acceleration of the threat and the growth of our \nvulnerability.\n    With that, Mr. Chairman, I look forward to our witnesses\' \ntestimony. I want to thank our witnesses for being here, and I \nyield back.\n    Mr. Thornberry. I thank the gentleman.\n    And now we will turn to our witnesses. And let me say first \nof all, I appreciate each of you all\'s written statement. \nWithout objection, they will be made part of the full record. \nBut I thought each of you did a very good job in laying out a \nnumber of issues. I know I learned from each of them, so I \nappreciate the effort you put into that.\n    With us today is Dr. Shari Pfleeger, director of research \nfrom the Institute of Information Infrastructure Protection \nheadquartered at Dartmouth; Mr. Gerry Cauley, chief executive \nofficer of the North American Electric Reliability Corporation, \nNERC; and Mr. Gregory Nojeim, senior counsel, Center for \nDemocracy and Technology.\n    Pretty good? Okay, good.\n    Thank you all for being here. We will try to move out \nsmartly today. I don\'t think we will have votes for a little \nbit, and I would like to give everybody a chance to ask \nquestions before those votes. So as I say, your full statement \nwill be made part of the record, if you would like to summarize \nit, and then we will turn to questions.\n    Dr. 
Pfleeger, the floor is yours.\n\nSTATEMENT OF SHARI L. PFLEEGER, DIRECTOR OF RESEARCH, INSTITUTE \n FOR INFORMATION INFRASTRUCTURE PROTECTION AT DARTMOUTH COLLEGE\n\n    Ms. Pfleeger. Good morning, Chairman Thornberry, Ranking \nMember Langevin, members of the subcommittee and guests. Thank \nyou for inviting me here. I was asked to talk about the \neconomics of cyber security and I have organized my response \nbased on the three big questions that you asked me.\n    So the first one is: What are the significant challenges \nthat face us? And I see three big challenges. The first is the \ndiverse and distributed ownership of the cyber infrastructure, \nwhich makes it difficult to apply traditional approaches for \nsecurity because there are so many different pieces. And many \nof those pieces have been developed without security in mind. \nThey are not always the big--security is not always the biggest \nmotivator for making money for the providers of those pieces.\n    The second is appeal as a criminal tool. Criminals can use \nthe cyber infrastructure to perpetrate their crimes more \nbroadly, more quickly and more anonymously than they could \nbefore.\n    And the third is, and this perhaps has the most relevance \nto the Defense Department, the difficulty in reaction to \nemergent behavior. Many aberrant cyber-based behaviors are \nemergent in that it takes a long time to figure out exactly \nwhat is going on, understanding the cause and effect, and \nselecting an appropriate reaction. And when the cause is \nuncertain and the possible responses have life-threatening or \ndiplomatic implications, the decisionmakers have to reduce the \nuncertainty surrounding cause and effect.\n    So I have identified three policy, legal, economic and \ntechnical challenges. The first is misaligned incentives. Most \nof the providers are in business to make money, not necessarily \nto provide security. 
And so many organizations prefer just to \nwait for cyber attacks to happen and clean up the mess, or they \nrely on what is sometimes called ``free-riding\'\' or ``herd \nimmunity,\'\' where they let other people implement the security, \nand the people who don\'t implement the security still get some \nbenefit.\n    And in addition to that, the bad outcomes don\'t always \naffect the organization lacking security or don\'t affect them \nfor very long. So, for instance, their stock prices might go \ndown, but then they eventually pop back up again. So there is \nlittle incentive for them to take a long-term security view.\n    The second is the need for diversity. Technological \ndiversity leads to more secure networks and systems, but \nbecause of a variety of things, including economic reasons, \ntraining, access and even chance, the technology is actually \nquite uniform, more than we would expect.\n    And finally, security is often incompatible with \norganizational culture and goals, so many people who use our \nnetworks are paid to get their jobs done and they often see \nsecurity not as an enabler, but as an inhibitor. So you see \nlots of cases of people turning off the security in order to \nget their jobs done, or neglecting to do things like set the \nsecurity properly.\n    So what should the government do? I suggest five things. \nThe first is to address cyber attacks the way other unwelcome \nbehaviors are addressed. Our current reliance on convenience \nsurveys for information about cyber attack trends can be \nmisleading and we need more careful sampling and more \nconsistent solicitation of data.\n    The government should incentivize or require better breach, \nfraud and abuse reporting, and data about the nature and number \nof cyber attacks should be reported consistently each year so \nthat sensible trend data can form the basis for effective \nactions. 
It may be more useful to capture data in smaller ways, \nin various ways for various purposes, and then good economic \nmodels informed by these representative consistent data can \nimprove our general understanding not only of the cyber risk, \nbut of the cyber risk relative to other kinds of risk.\n    Second, I recommend that liability statutes cover cyber \ntechnology. When lack of car safety was made more visible in \nthe 1960s, the government responded by making automobile \ncompanies more liable for their unsafe practices and products. \nSimilarly, I think a combination of manufacturer liability and \neconomic constructs like insurance could encourage more secure \nproduct design and implementation.\n    The third is insist on good systems engineering. Use the \ngovernment\'s purchasing power in two important ways. First, \nrefuse to continue to deal with system providers whose products \nand services are demonstrably insecure, unsafe, or \nundependable. The data gathered in this process can inform \nsubsequent technology decisions so that errors made in earlier \nproducts are less likely to occur in later ones. Especially in \ncyber security we see the same problems appearing over and over \nagain.\n    Secondly, insist on five up-to-date formal arguments \ndescribing why the systems are secure and dependable. These \narguments are used in other domains like nuclear power plant \nsafety and could easily be applied to cyber security. And \nsuppliers\' formal arguments could be woven into the system \nintegrator security arguments to show that supply chain issues \nhave been addressed with appropriate levels of care and \nconfidence.\n    The fourth suggestion is to provide incentives to encourage \ngood security hygiene. 
Incentives like tax incentives and \ninsurance discounts can speed implementation of demonstrably \nmore security technology and the incentives should also include \nrewards for speedy correction of security problems and \npunishments for lax attention to such problems.\n    Finally, encourage multidisciplinary research. Many \nsecurity failures occur not because there is no solution but \nbecause the solution hasn\'t been applied or because designers \nfail to include the user\'s perspective when designing the \ntechnology.\n    Research involving behavioral science and behavioral \neconomics can improve the security and dependability of the \nnation\'s cyber infrastructure in two ways. In the short term, \nit can improve adoption rates for the security technology, \nthereby reducing the attack surface against which malicious \nactors aim. And in the longer term it can lead to a more \nresilient cyber infrastructure that users are eager to use \ncorrectly and safely.\n    Thank you.\n    [The prepared statement of Ms. Pfleeger can be found in the \nAppendix on page 34.]\n    Mr. Thornberry. Thank you.\n    Mr. Cauley.\n\n   STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EXECUTIVE \n    OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION\n\n    Mr. Cauley. Good morning, Chairman Thornberry, Ranking \nMember Langevin, members of the subcommittee and fellow \npanelists. My name is Gerry Cauley. And referring to Ranking \nMember Langevin\'s comments on the performance of NERC in the \npast, I would point out that I am the new President and CEO of \nthe North American Electric Reliability Corporation. And I also \nserve as the Chairman of the Electricity Subsector Coordinating \nCouncil.\n    I am a graduate of the U.S. Military Academy at West Point, \na former officer in the U.S. Army Corps of Engineers. I have a \nmaster\'s degree in nuclear engineering from the University of \nMaryland. 
And I have devoted over 30 years to working toward \nthe safety and reliability of our nuclear and electric \nindustries, including in 2003 serving as a lead investigator \nfor the 2003 Northeast blackout.\n    I have with me also today NERC\'s chief security officer, \nMark Weatherford, behind me, who until recently served as the \nchief information security officer for the state of California \nand previously served 26 years in the U.S. Navy as an \ninformation security officer.\n    NERC is a non-profit corporation that was founded in 1968 \nto develop voluntary operating and planning standards for the \nowners and operators of the North American bulk power system.\n    In 2007, the Federal Energy Regulatory Commission \ndesignated NERC as the electric reliability organization in the \nUnited States, in accordance with the Energy Policy Act of \n2005.\n    As a result, our standards, including cyber security \nstandards, became enforceable at that time. To my knowledge, \nthey are the only mandatory cyber standards among the various \ncritical infrastructures in North America.\n    As CEO of the organization charged with overseeing \nreliability and security of the North American grid, I am \ndeeply concerned about the changing risk landscape from \nconventional risks such as extreme weather and equipment \nfailures to emerging new risks where we are left to imagine \nscenarios that might occur and prepare to avoid or mitigate the \nconsequences, some of which could be more severe than we have \npreviously experienced.\n    I am most concerned about physical and cyber attacks \nintended to disable elements of the power grid or deny specific \nelectricity to specific targets such as government and business \ncenters, military installations, or other infrastructures. 
\nThese threats differ from conventional risks in that they \nresult from intentional actions by adversaries and are simply \nnot random failures or acts of nature.\n    It is difficult to address such rapidly evolving risks \nsolely with a traditional regulatory model that relies mainly \non mandatory standards, regulations and directives.\n    The defensive barriers mandated by our standards do make it \nmore difficult for those seeking to do harm to the grid, but \nalone they may not be completely sufficient in stopping the \ndetermined efforts of the adaptable adversaries supported by \nnation-states or organized terrorist groups.\n    The most effective approach against such adversaries is to \napply resiliency principles as outlined in the National \nInfrastructure Advisory Council report on the grid, delivered \nto the White House in October 2010.\n    I was fortunate to serve on that council with a number of \nindustry CEOs.\n    Resiliency requires proactive readiness for whatever may \ncome our way. It includes robustness, the ability to minimize \nconsequences in real time. The ability to restore essential \nservices. 
The ability to adapt and learn.\n    Examples of the NIAC [National Infrastructure Advisory \nCouncil] team\'s recommendations include: one, a national \nresponse plan that clarifies the roles and responsibilities \nbetween industry and government; two, improving the sharing of \nactionable information by government regarding threats and \nvulnerabilities; three, cost recovery for security investments \ndriven by national policy; and four, a strategy on spare \nequipment, with long lead times such as electric power \ntransformers.\n    NERC is moving forward with a number of our own actions to \ncomplement our mandatory CIP [critical infrastructure \nprotection] standards and provide enhanced resilience to the \ngrid, including partnering with the Department of Energy and \nthe National Institute of Standards and Technology to develop \ncomprehensive cyber security risk management guides for the \nentire electric system, from the meter to the bulk power \nsystem.\n    Making actionable information available to the industry is \na priority for NERC. We worked with DOD, DHS [the Department of \nHomeland Security] and other agencies in 2010 to issue high-\nquality alerts to the industry on the Aurora mitigation, the \nStuxnet malware and VPN [virtual private network] tunneling \nvulnerability.\n    We are developing a North American cyber security exercise \nto prepare for and test a national response plan. In recent \nmeetings at the USNORTHCOM [U.S. 
Northern Command] and the \nPentagon, we have begun collaborating with DOD on assessing \nworst-case scenarios and developing case studies at critical \nmilitary installations to ensure that essential requirements \nfor national security are being addressed.\n    We are engaged with the DOE National Laboratories in \nopportunities to apply the expertise of the federal government \nin enhancing the cyber security of our grid.\n    In 2010, we started conducting onsite security sufficiency \nreviews at utilities, and we will continue that program in \n2011. And we are working with vendors and industry to enhance--\nto demonstrate enhanced physical security of our systems.\n    The emerging challenges we face are difficult but not \nintractable. I believe we can and must take decisive actions \nthrough partnership between industry and government to meet \nthese challenges. And I thank you, and look forward to your \nquestions.\n    [The prepared statement of Mr. Cauley can be found in the \nAppendix on page 56.]\n    Mr. Thornberry. Thank you, sir. I appreciate it.\n    Mr. Nojeim.\n\n STATEMENT OF GREGORY T. NOJEIM, SENIOR COUNSEL AND DIRECTOR, \n    PROJECT ON FREEDOM, SECURITY AND TECHNOLOGY, CENTER FOR \n                    DEMOCRACY AND TECHNOLOGY\n\n    Mr. Nojeim. Thank you, Chairman Thornberry, Ranking Member \nLangevin, and members of the subcommittee.\n    Thanks for the opportunity to testify on behalf of the \nCenter for Democracy and Technology about cyber security and \nthe role of DOD.\n    CDT [the Center for Democracy and Technology] is a non-\nprofit, non-partisan civil liberties organization dedicated to \nkeeping the Internet open, innovative and free.\n    The United States faces significant cyber security threats. \nWhile the need to act is clear, it is essential that we take a \nnuanced incremental approach that recognizes distinct roles for \nDOD, the Department of Homeland Security, and the private \nsector. 
Generally speaking, DOD entities should be responsible \nfor military systems, DHS for civilian government systems, and \nthe private sector should monitor its own unclassified systems.\n    We ask that you keep a key distinction in mind: Policy \ntoward government systems can be much more prescriptive than \npolicy toward private systems. The characteristics that have \nmade the Internet successful--openness, decentralization and \nuser control--may be put at risk if heavy-handed cyber security \nmeasures are applied to all critical infrastructure. In the \ncase of critical infrastructures, one size does not fit all.\n    When DHS and private sector efforts to secure civilian, \ngovernment and private systems fall short, it is tempting to \nconclude that Cyber Command and NSA [the National Security \nAgency] should lead outside the dot-mil domain. But they \noperate in a culture of secrecy--for entirely legitimate \nreasons--that would hamper civilian cyber security efforts that \ndepend on public trust and corporate participation.\n    Instead, expertise and resources of Cyber Command and NSA \nmust be leveraged to help DHS with its cyber security mission.\n    More robust information sharing from the private sector to \nthe government and vice versa is one way to leverage resources. \nBut policymakers must proceed carefully to ensure that \ninformation sharing does not devolve into de facto surveillance \nthrough ongoing or routine disclosure of private communications \nto the government.\n    When he unveiled the White House Cyberspace Policy Review, \nPresident Obama correctly emphasized that the pursuit of cyber \nsecurity must not include governmental monitoring of private \nsector networks or Internet traffic. That is one of the \noverriding civil liberties priorities in the cyber security \narena.\n    Another is ensuring the free flow of information. 
Even in a \ncyber security emergency, empowering the government to shut \ndown or limit Internet traffic over private systems could have \nunintended effects, including discouraging network operators \nfrom sharing cyber security information that they ought to \nshare out of fear that that information would be used to shut \nthem down. They know better than the government when elements \nof their systems need to be isolated.\n    Despite the value of anonymity on the Internet, some have \nproposed sweeping identification mandates, even a passport for \nusing the Internet.\n    Identification and authentication will likely play a \nsignificant role in securing critical infrastructure. We don\'t \ndispute that. However, they should be applied judiciously to \nspecific high-value targets--like classified military \nnetworks--and to high-risk activities, and should allow for \nmultiple identification solutions. Finally, you should resist \nproposals that would damage cyber security by making \ncommunications less secure. We are concerned about proposals to \nextend communications assistance for law enforcement design \nmandates to communications applications to facilitate \nelectronic surveillance, as is being sought by the FBI, because \nit could weaken communication security.\n    Privacy and security cannot be viewed as a zero-sum game. \nMeasures intended to increase communication security need not \nthreaten privacy and indeed can enhance it.\n    We look forward to working with the subcommittee to \nidentify and promote these win-win measures.\n    [The prepared statement of Mr. Nojeim can be found in the \nAppendix on page 65.]\n    Mr. Thornberry. Great. Thank you.\n    I will look forward to the same thing.\n    I am going to reserve my questions and give other members \na chance.\n    And I would yield first five minutes to Mr. Conaway.\n    Mr. Conaway. Thank you, Mr. Chairman.\n    And panel, thank you.\n    It is interesting, we have Dr. 
Pfleeger on one end and Dr. \nNojeim on the other, because many of the things that Dr. \nPfleeger was proposing to do fly in the face of what Dr. Nojeim \nwas saying in terms of some of the prescriptive things that \nwould happen.\n    To follow up the Chairman\'s original comments about the \nanalogy between a physical attack on America and the response \nthat the federal government spoken, you know, it would have \nbeen the military, of course, but the federal government\'s \nresponse to that is pretty clear. Trying to look at those \nsolutions in cyber, given that the cyber attack happens in the \nblink of an eye or less and the warnings aren\'t nearly as easy \nto discern obviously captures the problem we have.\n    Who out there among the think tank groups are proposing \nsolutions to that? In other words each of you brought--maybe \nthat was your mandate--brought narrow, focused solutions to the \nissues, but is there a group out there that is looking at the \nbroader issue? How does it--you know, what is the federal \ngovernment\'s role--DOD and NSA--with respect to the dot-mil and \nhomeland security? And then nobody on everything else has Dr. \nNojeim concerned. Is that a rational way to continue down this \npath?\n    Mr. Nojeim. I don\'t think that anybody is out there \nproposing that there is a silver bullet. I think that most \npeople who are engaged in this endeavor all recognize that \nthere needs to be a number of incremental steps taken.\n    The thought that there is a silver bullet I think flies \nin the face of the kinds of risks that we are facing. We are \ngoing to have to have a situation where industry and the \ngovernment cooperate--and sometimes very closely--in order to \ndeal with these risks.\n    We have suggested not that industry has to stand alone when \nthose packets are coming toward them, but that there is a very \nstrong role that the government can play in helping out. It \nincludes information sharing. 
It includes the sharing of attack \nsignatures that will help the private industry identify the \nattack as it comes in.\n    Mr. Conaway. And that is the sharing of information that \nDr. Pfleeger was saying ought to be done on a real-time basis \nas opposed to ad hoc every once in a while. Am I understanding \nbetween those two comments?\n    Ms. Pfleeger. I don\'t think it necessarily has to be real \ntime, but it has to be regular. As the threats change----\n    Mr. Conaway. Okay.\n    Ms. Pfleeger [continuing]. We need to know what the changes \nlook like.\n    Mr. Conaway. Not trying to put words in your mouth, but is \nthat--do I understand what you just said in relation to what \nher comment was in terms of one of the solutions is to have a \nbetter way to gather the scope of the problem on a regular \nbasis as opposed to an ad hoc basis?\n    Mr. Nojeim. Oh, no. We agree that there has to be----\n    Mr. Conaway. Okay.\n    Mr. Nojeim [continuing]. A lot of information sharing and \nthat is----\n    Mr. Conaway. How you put that in place, that \n``requirement\'\' in place without terrifying folks about your \nother comments that we are taking over the Internet, you know, \nall the other things. That Internet nonsense is going out there \nright now as a result of some of the comments the President \nmade and misinterpretation of those. How do we bridge that gap?\n    Mr. Nojeim. I don\'t think you have to have a world where \ncommunications traffic that is private-to-private traffic and \nis coming over an Internet backbone has to be shared with the \ngovernment. I don\'t think that anybody\'s proposing that world.\n    I think what we do need is a world where if a private \nindustry sees anomalies, they can share information about those \nanomalies with government agencies that need to act on them and \nthat that can happen quickly, and it can happen in near real-\ntime.\n    Mr. Conaway. Let me--before my time runs out, Mr. 
Cauley, \nhelp me understand the scope of your national test on the \nsecurity exercise. Is that just with respect to the electricity \ngrid that you are talking about doing, or is that broader \ninfrastructure than just electricity?\n    Mr. Cauley. Congressman, this year the exercise will be \nfairly limited in scope. We are looking to pull in all the key \nplayers in the industry in terms of participating in the \nexercise and demonstrate the communications and emergency \nscenarios that we might see. We do have interfaces with \nHomeland Security, DOD and Department of Energy and others, who \nwill participate in that exercise.\n    One of the challenges that we are looking to try to resolve \nduring such an emergency is what are the relationships between \nindustry and government and how do we crystallize what those \nrelationships should be and who is in charge and how that \nworks. So we are hoping this exercise in the fall of this year \nwill help answer and maybe clarify what additional questions \nneed to be answered with that regard.\n    Mr. Conaway. Thank you, Mr. Chairman. Yield back.\n    Mr. Thornberry. Thank the gentleman.\n    The ranking member.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    Again, to the panel, thank you for your testimony today. \nAll this is, obviously, fascinating and very important work.\n    If I could, Mr. Cauley, I would like to start with you. \nFirst of all, thank you for refreshing my memory, just the \nrecord mentioning that you are new on the job at NERC as the \nchair. Thank you for the wealth of experience you bring to the \njob. And I certainly look forward to working with you in that \nrole.\n    Let me ask. 
You touched on some of the things in your \ntestimony about what has changed since 2007, but for the point \nabout conversation, would you highlight against some of those \nthings that have changed over the last few years?\n    And I still am of the opinion that NERC and FERC [the \nFederal Energy Regulatory Commission] really still lack the \nauthority to direct all power utilities to follow the cyber \nsecurity regulations, so I would like you to touch on that as \nwell. And actually, how do you know that the government\'s \nguidance is being followed or that we are actually secure?\n    Mr. Cauley. Thank you, Ranking Member Langevin.\n    The industry has evolved quite a bit. As you know, the \nissue of cyber and physical security is relatively new to the \nindustry compared to the 100-year history of the industry.\n    I have had the opportunity in the past year to go out and \nmeet a number of CEOs in most of the industry, and I believe \nthat the awareness and the commitment is there that perhaps may \nnot have been there before, but certainly has been elevated. \nAnd I feel we have the support of the industry.\n    The standards that we had have been in transition, so I \nthink we have evolved and improved standards. We just recently \napproved a new standard with a bright line criteria in terms of \nwhat are the critical assets that need to be covered by our \ncyber security standards. And we are in the process of adopting \nNIST [National Institute of Standards and Technology] controls \ninto our standards, and that work continues.\n    I believe at this point that the Federal Energy Regulatory \nCommission has full and adequate authority to direct us to do \nany additional standards or modifications to the standards that \nwould be required to protect the security of the grid. In terms \nof----\n    Mr. Langevin. 
Would you agree, though, that FERC doesn\'t \nhave the kind of robust authority that, say, the Nuclear \nRegulatory Commission has when dealing with threats or things \nthat need to be directed is done?\n    Mr. Cauley. Yes, sir. I was going to get to the point where \nI think there is--there may be a gap, I think, that does exist. \nSo in addition to the standards, we have the ability to put \nactionable information to the industry. We have improved that \nprocess.\n    So where I think we have a gap, a very narrow gap that has \nbeen narrowed with their activities over the last couple of \nyears, is in an emergency situation, if there is an imminent \nthreat to the grid, at this point we have the ability to put \nthat information out, but not to produce a mandatory \nrequirement in a short amount of time.\n    In that arena I do support expanded authorities for the \nfederal government. It could be FERC or it could be another \nagency, but I believe there is an opportunity as an authority I \nwould like to have. For an emergency imminent threat to the \ngrid, action must be taken.\n    I would caution, however, that the grid is a very complex \nmachine. Ordering certain actions can have adverse \nconsequences, even to the point of taking down the grid, so \nthat involving NERC in that process and putting the directive \nin the form of a conservative action, conservative position, \nbut not telling operators how to operate the system, would be \nmost effective.\n    Mr. Langevin. Thank you. And I would certainly look forward \nto working with you on closing that gap.\n    Mr. Chairman, if you could, would you--does NERC work right \nnow with DOD, identifying threats to the electric \ninfrastructure critical to our military readiness? I know you \ntalked--said that in your testimony, for the purpose of the \nrecord, would you expand on that?\n    Mr. Cauley. Yes, Ranking Member Langevin. 
We have just \nbegun that recently, and we are in the process of ramping that \nup.\n    The first thing we are going to do is look to develop a \ndesign basis scenario. I think the industry has a perspective \nof what are the worst-case scenarios that can happen from their \nown risk management perspective, but when we look at national \nthreats, obviously those risks tend to be more widespread and \npotentially more devastating.\n    So we are in the process of beginning to develop a national \ncyber and physical security attack on the grid and what is the \nworst-case scenario that we could work from. That will drive \nthings like the extent of our emergency plans, do we need spare \nequipment, and those kinds of questions.\n    The second piece, just to be brief, is working on an \ninstallation-by-installation basis in terms of, are there \nadequate redundancies and procedures in place to ensure that \neach critical installation will have power supply and, if it is \ntaken out, that we would have the capability to restore power \nvery quickly.\n    Mr. Langevin. Okay. Thank you.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Thornberry. Thank the gentleman.\n    Mr. Gibson.\n    Mr. Gibson. Thank you, Mr. Chairman.\n    And appreciate the panel today. Very informative testimony \nright across the board.\n    I actually want to pursue the experimentation question just \na little bit further. So I am understanding that this is the \nfirst time, sir, that your organization is participating in \nthis type of exercise in 2011. Yes, sir?\n    Mr. Cauley. If you are referring to the national exercise--\n--\n    Mr. Gibson. Yes, secure grid exercise.\n    Mr. Cauley. We have done training and exercises \nhistorically in preparations for hurricanes and earthquakes and \nknown types of risks. 
We have participated most recently in \nCyber Storm III and the previous versions of Cyber Storm, so we \nhave participated in exercises.\n    What we are proposing to do this year is to get--in our \nexercise is to get greater involvement by industry rather than \na sampling of industry, and gauge our entire communications \ninfrastructure. We have an ability to communicate with the \noperating companies directly, and rather than having a \ngovernment-driven exercise, where we bring a few of them in, I \nwant this to be industry-driven, where the government folks can \nparticipate with us.\n    Mr. Gibson. I am trying to--where I am driving is I am \ntrying to get an appreciation for just how secure our \nelectrical grid is, and I am trying to get an understanding of \nthe exercise that is going to try to draw conclusions about \nthat.\n    So you mentioned you are still drawing up the design for \nthe exercise. What principles are you using to ensure your \nsampling geographically and with enough depth that you are \ngoing to be able to draw significant conclusions from the \nexercise?\n    Mr. Cauley. Congressman Gibson, I think we are talking \nprobably several different things. So in terms of the actual \nevolving security of the grid, I believe we are enhancing that \ncontinuously. We have standards for firewalls and protections \nand access controls and those kinds of things.\n    So the actual security is progressing in terms of \ncontinuously improving. The challenge is, what is the worst \nthing that could happen? And we are in the process of working \nwith Department of Defense to postulate some potential extreme \nevents, like take down major cities, take down major oil \nrefineries or military installations.\n    Those scenarios, we have not run those in the past, and we \nare developing those as new this year.\n    We currently have the ability to communicate directly and \nhave robust communications with industry folks. 
But now with \nthis new scale of a scenario we have not seen before we will \ntest that and demonstrate our ability to meet that challenge.\n    Mr. Gibson. And one final question on this same topic. So \nas private sector, as research and development is done on the \npossibility of moving beyond copper for transmission, are you \ncomfortable that there is enough collaboration that you will be \nable to make assessments as far as security going forward?\n    Mr. Cauley. We have very open dialogue with national labs \nand other agencies in government, that we are trying to take \nadvantage of every technology that will be useful and practical \nand cost effective for implementing in the private sector.\n    Mr. Gibson. Okay. Thank you.\n    I yield back.\n    Mr. Thornberry. Mr. Johnson.\n    Mr. Johnson. Thank you, Mr. Chairman and Mr. Ranking \nMember. I commend you for holding this hearing and look forward \nto joining you in the hard work that will be necessary to \nsecure the cyber domain.\n    There is an emerging consensus that we need to clear \njurisdictional distinctions between military and civilian cyber \nsecurity efforts. Just as the military does not police our \nstreets, it should not police our civilian cyber \ninfrastructure.\n    But we must ensure that the armed forces will have the \nnecessary tools to prosecute and defend the country from cyber \nwarfare.\n    One note on private sector regulation. As we draw these \nfine jurisdictional distractions, Congress should establish \nhard regulatory requirements, not just soft suggestions of \nvoluntary security measures to ensure the security of our \nprivate sector technology infrastructure.\n    We do not merely recommend that airlines maintain the \nhighest standards of safety and reliability. Likewise, we must \nnot merely recommend that American industry implement state-of-\nthe-art best practices to ensure cyber security. 
We must \nrequire it, and there should be penalties when those \nrequirements are not heeded.\n    My first question I would ask each of our panelists, what \nis the first question, the essential question for determining \nwhether any given cyber threat should be the purview of \ncivilian or military cyber security authorities?\n    Ms. Pfleeger. That is a difficult question to answer \nbecause the military often uses private sector networks to \naccomplish things. And the threats to national security can be \neconomic, they could be espionage, they could be a variety of \nthings.\n    So I am not sure that--I think it would be a case-by-case \nanswer rather than a one-size-fits-all answer, which I think \nreinforces what Mr. Nojeim said, that there is no silver bullet \nfor security. And it is very difficult, I think, to--I think \nyou need to look at the threat models and use the threat models \nto decide when the military should step in and when it \nshouldn\'t.\n    Mr. Johnson. Thank you.\n    Mr. Cauley. Congressman, first I would agree that mandatory \nrequirements and enforceability are one element in establishing \nan adequate defense. And we have those standards and are \nlooking to continue to improve those for the electric grid.\n    I think to answer your question directly, it is the \nresponsibility of the asset and information owners to protect \ntheir assets and their information. And I think those are \ndivided into government and private sector assets and \ninformation.\n    However, the reality is we are very much intertwined. \nMilitary bases and systems depend on electricity. 
So we are \nbound together not only in the information world, but also in \nthe electric world.\n    So I think it is important to complement that clear line of \nresponsibility and accountability for securing our own systems \nto make sure that our actions are also complementary and \nhelpful to each other.\n    And so I think there are opportunities for the military to \nassist us in information awareness, and when we are under \nattack and maybe don\'t know it, and vice versa, for us to \nensure we have done everything we can to provide reliable \nelectric service.\n    Mr. Nojeim. I agree with both of the other panelists.\n    I think that one thing to keep in mind is that you often \nwon\'t know what precisely was the source of the threat, what \nwas the source of the problem. So then it becomes difficult to \nsay who is responsible to respond to that threat.\n    But you--I think it is easier to say that everybody should \nbe securing their own systems or the systems for which they are \nresponsible, and to add that, if I am securing my system and I \nlearn about information that would help Mr. Cauley secure his \nsystem, I need to have a way to share it. And that is, I think, \nwhere a lot of productive work can be done.\n    Mr. Johnson. Thank you.\n    Mr. Nojeim, in the physical world there are clear \ndifferences of capability and role between civilian law \nenforcement and the armed forces. The military wields superior \nfirepower, specializes in destruction instead of arrest or \ninvestigation, and is subject to less restrictive rules of \nengagement.\n    What are or should be the equivalent differences of role \nand capability between civilian and military cyber-security \nauthorities?\n    Mr. Nojeim. You know, some of the capabilities are going to \nhave to be similar. 
So, for example, say the National Security \nAgency has the ability to distinguish which--what is an attack \nsignature that could threaten--of malware that could threaten a \ncommunications system. That information is useful, not just to \nthe NSA, not just to Cyber Command, not just to the Department \nof Homeland Security, but to many people who are trying to \nsecure information systems.\n    The point that I am trying to get across is that while we \ntalk about and I have talked about having distinct roles for \neach of these entities, we can maintain that distinction by \nrelying on other activity that will help secure all networks \nbetter.\n    One of those activities is information sharing, which I \nhave talked about, and another is the sharing of expertise. \nThere may be expertise within the military and at the National \nSecurity Agency that would be helpful to the Department of \nDefense, and there is already a mechanism to allow for the \nsharing of some of that information.\n    Mr. Johnson. Thank you, Mr. Chairman.\n    Mr. Thornberry. I thank the gentleman.\n    Mr. West.\n    Mr. West. Thank you, Mr. Chairman, and thank you, Mr. \nRanking Member, for the panel being here today.\n    I think when we look at this 21st-century battlefield it is \ndefinitely different from what we encountered in the 20th \ncentury. And of course it is multi-dimensional, multi-spatial. 
\nAnd of course the cyber realm does bring some interesting \nchallenges.\n    So my question, going back to my time in the military, we \nalways had this thing called mission-essential vulnerable \nareas, and we always sat down and looked at what was our high-\nvalue target list, the things that we knew that we needed to \nprotect from our adversaries and our enemies.\n    So my question is, in your assessment, what systems should \nbe considered critical to national security, and under what \nframework should the government and the Department of Defense \nin particular provide for the security of private networks, \nboth to those deemed critical to national security and to a \nwider user base?\n    I will open that up to the panel. And subject to your \nresponse, I will yield back to the Chairman.\n    Mr. Cauley. Congressman, I would take this on from the \nperspective of the electric grid in relationship to military.\n    We have taken steps to identify what are the critical \nassets within the grid, and we have approved a standard \nrequiring companies to identify those. Obviously, nuclear \nplants are essential. Large-generation, high-voltage \ntransmission that serves as the backbone of the grid. \nBlackstart generation that allows us to reboot the system if it \nneeds to be done. And our larger control center.\n    So we are in the process. We have required that. What that \nmay not get to, however, is the relationship with security--the \nmilitary installations, which as I mentioned, the initiative \nthat we have started with DOD is to identify if there is, \nbesides our own electric priorities, what are the priorities of \nthe military that we need to take a look at as well.\n    And then at that point it becomes a decision between the \nelectric company servicing that facility and the military base \nin terms of what additional steps would be needed.\n    I would add one more aspect that I hadn\'t had a chance to \nmention. 
There are going to be some actions and threats that \nare beyond the capability of the industry to cope with.\n    And an example, much has been said about a nuclear blast \n400 kilometers in the sky creating an EMP [electromagnetic \npulse] event that takes down the grid. And--suggesting we need \nto understand the relationship between government and industry \nin resolving issues. That is a poster child for that, because I \nthink the industry would say that is a government issue, if we \nhave a nuclear blast going off over our skies in the homeland. \nObviously, we would be expected to take some actions in terms \nof protecting and hardening the grid. But those issues need to \nbe worked out further.\n    Mr. West. Then the follow-on question is, do you think we \nhave a clear line of delineation between the responsibilities \nof, you know, the government, DOD and the private sector?\n    Mr. Cauley. No, sir, not to the extent needed for clarity \nof responsibility facing these new threats. I think the \ncollaboration, consultation has been good, but I think it is \nbased on ad hoc relationships and not clear lines of \nresponsibility and authority.\n    Ms. Pfleeger. I would like to use two examples to address \nyour question. 
The first is there is a model that seems to be \nworking that the Defense Department is already using called the \n``defense industrial base,\'\' where collaboratively the major \ncontractors come together to share their cyber experiences and \nto share the things that they have done in order to address any \nkind of cyber problem.\n    That might be a good model for expanding in some way, and \nthe roles there I think are fluid because I think \ncollaboratively, the defense industrial base acts to help the \nDefense Department, but at the same time makes clear what their \nindividual goals are as private enterprises.\n    The other thing is that I would encourage the Defense \nDepartment to think more about prevention, rather than reaction \nto cyber attacks. And let me use an example. I was at a meeting \na couple of years ago where someone from DARPA [the Defense \nAdvanced Research Projects Agency] was talking about funding a \nsystem where the whole, for example, the whole communications \nsystem in the U.S. could be viewed on one screen and you could \nwatch as a cyber event unfolded that one part of the country \ngoes down, then another, then another.\n    The problem with that example is that it might not have \nbeen a cyber attack. It might have been that all the phone \ncompanies are buying their switches from the same vendor. There \nis a flaw in the switches and they all happen to be going down \nbecause some system problem was percolating through the system.\n    So that is what I meant in my testimony about the \ndifficulties of emergent behavior and the risks of making \nassumptions. 
And so it is very hard in those cases to decide \nnot only what is going on, but what is the appropriate thing to \ndo to react.\n    Therefore, I think it makes a lot more sense to look from a \npreventive point of view at things like our critical \ninfrastructure and look at more diversity, look at redundancy, \nlook at ways of making sure that if we do have some sort of \nattack, we can come back up quickly or at least in some manner \nthat enables the Defense Department, as well as private \nenterprise, to function while we figure out what is really \nhappening and apply fixes.\n    Mr. Nojeim. I would just add that there is a list of \ncritical infrastructure key resources, tier one, tier two \nlists. DHS has prepared it. It is based on assessments as to \nwhat would happen if these were destroyed or rendered \ninoperative; in terms of casualties, whether people would have \nto evacuate areas; what would be the damage to national \nsecurity.\n    So there has already been a lot of thinking about what \nneeds to be protected. We don\'t have to recreate the wheel on \nthat score.\n    Mr. Thornberry. Mrs. Davis.\n    Mrs. Davis. Thank you, Mr. Chairman.\n    Thank you all for being here. You provide a broad range, \nand that is appreciated.\n    I don\'t know whether you would feel prepared to answer this \nquestion specifically, but I am wondering about interagency \ncollaboration, coordination. One of the things that we \nexperienced here on the Armed Services Committee a number of \nyears ago was sort of our shock that in fact, you know I guess \nI would say the Pentagon and the State Department didn\'t really \ntalk to each other to the extent that they should, and that we \nreally weren\'t looking at a whole-of-government approach, if \nyou will.\n    Can you apply that to the issues that we are addressing \nhere in terms of cyber security? 
How would you assess the \nextent to which that is kind of a working--I guess it is a work \nin progress in many ways--but where are we in that issue, to \nlook upon how we best deal in an interagency way on this issue?\n    Ms. Pfleeger. Well, there are some formal and some informal \nthings going on. There was for a while an Infosec Research \nCouncil where different agencies funding cyber security \nresearch had representatives get together periodically and \nshare what they were doing and coordinate.\n    There are more formal things like the Department of \nCommerce now has an Internet Policy Task Force that is looking \nacross the government. But you are absolutely right that a lot \nmore needs to be done. There needs to be a lot more regular \ninteraction at high levels across the different----\n    Mrs. Davis. Any area particularly that you would seek to \nimprove, specifically if we could focus on that?\n    Ms. Pfleeger. Well, certainly discussions between Defense \nand Commerce and between Defense and State. Those are probably \nthe two I would pick.\n    Mr. Cauley. Congresswoman, with respect to the electric \nsystem, we have had very collegial consultation with a variety \nof agencies, and they are very helpful. I think if we are \nchallenged it is just a confusion over leadership and the \nrelationships between the different organizations, and the \nrelationships between government and private sector.\n    So they are collegial. We are getting worked on. We are \nlearning. They are learning from us. We are learning from them, \nbut it is not clear what the delineation of responsibilities, \nwho is in charge, those kinds of questions. We are making do \nwith what we have today.\n    Mrs. Davis. Who is in charge, that is a big question. We \ngot that, yes. Thank you.\n    Mr. Nojeim, do you want to comment on that as well----\n    Mr. Nojeim. 
I would just say that there is some \ncooperation, some communication, and that it is starting to get \nbetter and it needs to go further.\n    Mrs. Davis. Can I just ask you a little bit about the labor \nforce as it relates to this highly complex STEM [science, \ntechnology, engineering, and mathematics] area of education and \nscience and technology. Clearly, we are not where we want to be \ngenerally in the country as it is in terms of encouraging young \npeople to go into the field.\n    Can you assess sort of the labor force and those people who \nare migrating to these careers and to this area? And what we--\nwhat else--what should we be doing, even in terms of preparing \nour youngest children, I think, in having the ability to work \nin this area since we know that, as I know as I am just getting \nintroduced to this topic and our concern that state actors make \nus very vulnerable. And we obviously need to be providing that \nexpertise to our young people as well.\n    Any thoughts, ideas as far as the labor force?\n    Mr. Cauley. Well, in the electric industry, we are seeing \nan influx of talent. I mean, I think it is pretty obvious that \nkids will go where the jobs are. We are seeing very high \ninflux. And we are also focused on training. I think we do have \na gap that we are working on which is to elevate the \ncredentials, the professional credentials of our security--\nphysical and cyber security folks.\n    So I think it\'s major improvements in the last couple of \nyears, lots of new talent coming in, but a long ways to go as \nwell.\n    Mrs. Davis. Yes?\n    Ms. Pfleeger. In many cases, the people who provide cyber \nsecurity expertise don\'t do only that, especially in small \nbusinesses. And so we are having a workshop at the end of April \nat Georgia Tech to look at the demand, to help inform what the \nsupply should look like. 
And we are inviting people from \ngovernment and industry together to tell us what their demand \nlooks like and what some of the problems are so that we can \nmake some recommendations about what the supply activities \nshould look like.\n    Mrs. Davis. Thank you.\n    Thank you, Mr. Chairman.\n    Mr. Thornberry. Thank you.\n    Mr. Ryan.\n    Mr. Ryan. Thank you, Mr. Chairman.\n    I just have one question. One of the issues we have not \njust with--I am going to ask if it fits into the cyber strategy \nthat we all should have as a country--is the issue of \ntranslating a lot of different languages. Is that an issue when \nwe are talking about cyber security, where we have, whether \nthey are state actors or a decentralized, you know, Al Qaeda-\ntype, where these folks are working from a different language \nthan the English language, and trying to attack our systems.\n    And, you know, is this an issue for us? Is this something \nthat we need to be aware of? Because clearly, I know as far as \nthe private sector goes, you are talking about Mandarin and \nFarsi and being able to have enough Americans able to speak \nthese languages, to write and read in these languages for our \ncorporate interests, as well as our governmental interests.\n    I just wondered as I am sitting here listening, is that \nsomething that we should be concerned about not having, on top \nof what Ms. Davis was just saying, the workforce capable of \nhelping us address this problem?\n    I will let you answer and yield back the balance of my time \nwhen you are done.\n    Mr. Cauley. Congressman, from an electric perspective, I \ndon\'t view that as a priority at this time. For North America, \nall of our information exchange is done in English, including \nin Quebec where French is the language. But the electric grid \noperations are purely English.\n    So we treat anything that is not in English as suspect to \nstart with. So it is not really an interpretation question for \nus. 
It hasn\'t come up to our attention at this point.\n    Mr. Nojeim. I think at one level, bad code is bad code and \nit is not really a question of whether it is English language \nor Spanish or another language. I think that the issue about \nneeding people to speak in multiple languages comes up mostly \nin terms of prosecuting wrongdoers and being able to understand \nwhat people are saying who are perpetrating the crimes.\n    Mr. Ryan. I know at one point we had an issue with a lot of \nthe intelligence we were getting. We weren\'t able to translate \na lot of the, you know, kind of prepared for attacks against \nus, we weren\'t able to do that. So I just want to throw that \nout there if that is something we need to continue to look at.\n    Mr. Thornberry. And that is still the case with a lot of \nintelligence we get. We don\'t have the resources to translate \nit, so I thank the gentleman. Dr. Pfleeger, you talked about \nincentives in your statement. It has been suggested to me that \nwith proper incentives, we can elevate general cyber security \nthat would take care of roughly 80 percent of the problems that \nare going through cyberspace. Do you think that is about right?\n    Ms. Pfleeger. Well, I don\'t know if it is 70 percent, 80 \npercent. What I--two days ago, Arbor Networks revealed the \nresults of a survey that they did of network engineers. And the \ntop problem that the network engineers talked about was non-\ntechnical factors being one of the most significant obstacles \nto reducing mitigation time.\n    A lot of that has to do with there being a lack of \nincentives for the people maintaining the networks to pay more \nattention to security; the lack of users to pay more attention \nto security. And so because a lot of these non-technical \nproblems loom large, that 80 percent number is probably close.\n    I mean, if you look at things like the causes of all a lot \nof typical problems, we see the same things over and over \nagain. 
People don\'t change things from the default settings. \nThey don\'t understand how to install security software.\n    If there were incentives to encourage people to do the \nright thing, what I called in my testimony good hygiene, won\'t \ncompletely solve the problem, but it could eliminate a lot of \nthese things that we see that recur that shouldn\'t be happening \nanymore. We should know better by now.\n    Mr. Thornberry. Do you know of any organization that has \nactually run the numbers, by which I mean to say this incentive \nfor this tax provision or this, you know, whatever it is, will \nhave this consequence in the real world, because businesses are \ncalculating cost-benefit every day. How much is it going to \ncost? What is the benefit I get? And that cost-benefit has to \nline up for them to take additional actions. Has anybody run \nthe numbers to kind of get more specifics on it?\n    Ms. Pfleeger. There are some researchers who have done some \neconomic models that suggest which incentives might be the most \neffective, but I haven\'t seen a lot that use real-world \nnumbers, in part because it is hard to get good data.\n    Mr. Thornberry. Yes.\n    Ms. Pfleeger. So there are some first steps, but it would \nbe really helpful if business would work with some of the \nmodelers to--so that the models reflect the realities of the \nbusiness trade-offs.\n    Mr. Thornberry. Okay.\n    Mr. Cauley, especially in your written statement, you made \nreference to the fact that private industry is always going to \nbe at least a step behind in identifying some of the most \nsophisticated threats that go through cyberspace.\n    I mean, just assume, if you will, that you can take care of \n80 percent by good hygiene, we still have 20 percent that are \nthe more sophisticated, difficult threats to deal with. 
And so \nfrom what you said earlier today, I take it in that area you \nthink there needs to be more government assistance of some sort \nfor that kind of upper tier.\n    Mr. Cauley. Yes, Mr. Chairman. That is why I think we need \na dual strategy. So the Ranking Member Langevin has suggested \nwe need firmer regulations and standards, and I agree with that \nbecause it provides a baseline of the expected mandatory \nrequirements.\n    But facing a dynamic, ever-evolving adversary, sitting \nstill with fixed barriers is going to be very difficult. So \nhaving a robust relationship with the government intelligence \nagencies, which we are beginning to develop to take quick \ninformation and be able to turn it into actions that the \nindustry can take, is essential.\n    So let\'s treat it like it is a dynamic, ongoing war, and it \nis not a fence put around the systems. And I think that is \nwhere we need the help from the federal government.\n    Mr. Thornberry. Let me ask you this. There has been lots of \ntalk about a smart grid. To me that indicates that there are \nmore access points on the grid to the Internet. Does that not \nincrease our vulnerability--potential vulnerability of the \nelectricity grid?\n    Mr. Cauley. Mr. Chairman, it does create--introduce \nadditional risks, additional entry points. And it is incumbent \nupon the industry and government, I think, in partnership to \nwork out a sufficient set of security requirements for a smart \ngrid and also for the vendors to deliver devices and systems \nthat build in the security as a major objective from the start, \nnot as an add-on later down the road.\n    Mr. Thornberry. Mr. Nojeim, I think Mr. 
Cauley a while ago \nkind of used the EMP example as a big, catastrophic sort of \nevent that would require government direct intervention.\n    And I guess what I am wondering with you is do you--set EMP \naside--what do you think there could be a situation where the \ncyber event is of such a magnitude as to overwhelm, perhaps, \nprivate ability to deal with it and that direct government \naction would be appropriate?\n    Or, as I think you have kind of indicated in your \ntestimony, is it always--as far as direct responsibility, it is \nDOD for DOD, DHS for dot-gov and all of dot-com is on its own?\n    Mr. Nojeim. So I just--if I gave the impression that all of \ndot-com is on its own, I didn\'t mean to do that, because what I \ndid say in the testimony at least a few times were some \nmeasures that ought to be taken to help dot-com defend itself.\n    As for a catastrophic event that the private person \ncouldn\'t deal with, I would need to just talk a little bit more \nand understand a little bit more about what that event would \nbe. So, for example, some people have said that maybe the \ngovernment ought to have authority to order the shutdown of \nInternet traffic to a critical infrastructure system.\n    Well, see, that authority, as you think that through, would \nonly be exercised when the person who owns or operates the \nsystem thinks that it ought not to be shut down. And they have \nstrong incentive to protect their system. They have a strong \nincentive to isolate their system when it is in danger, and \nthey do that right now.\n    I think the question we have to ask is whether the \ngovernment would have superior information that would inform \nthat decision. And if so, that kind of information ought to \nbe shared.\n    And we also ought to ask other questions about what \nincentives that kind of authority would create. 
Would the owner \noperator of that system be willing to share information that \nthey ought to share what they know that that information could \nbe used to shut them down? Would they be more hesitant to shut \ndown on their own when they think they ought to, because they \nare waiting to be ordered to shut down by the government, \nknowing that with the order will come a limitation of \nliability?\n    So I think we have to think these things through and maybe \ngame out some scenarios before we make blanket decisions.\n    Mr. Thornberry. Okay. Let me ask one other thing, and then \nI will yield to the ranking member and others who may have \nquestions.\n    But as I understand what you have said, you think there is \nan appropriate role for government to share with private \nindustry information it receives about signatures and malicious \nattacks going on in cyberspace as long as it is the private \nentity that deals with it, that takes direct action of some \nsort.\n    Mr. Nojeim. Yes. Yes.\n    Mr. Thornberry. And even though, obviously, if the \ngovernment were to share some information with, say, a \ntelecommunications carrier, the government will have to expect \nthat some information is kept classified, potentially.\n    Mr. Nojeim. And the government should expect and should \nhelp the telecommunications carrier have people on staff who \ncan handle classified information.\n    Mr. Thornberry. Certainly.\n    Mr. Nojeim. And if there is a gap there----\n    Mr. Thornberry. Absolutely.\n    Mr. Nojeim [continuing]. And the right ones don\'t have the \nright clear cleared people, that is a place where the committee \nought to pay particular----\n    Mr. Thornberry. Well, DOD deals with defense contractors--\n--\n    Mr. Nojeim. All the time.\n    Mr. Thornberry [continuing]. All the time in huge numbers, \nso, yes, I think that is a fair point.\n    Ranking member.\n    Mr. Langevin. Thank you, Mr. 
Chairman.\n    To continue to explore this role of proper balance of \nauthorities and such, particularly in time of crisis--and this \nis really for the entire panel--you know, do you think the \nDOD\'s role should be in specifically protecting not just our \npower systems, but other critical infrastructure, such as our \nfinancial institutions or communications sector?\n    Should there be any new structures set up to increase their \ncoordination with the Department of Homeland Security, for \nexample?\n    Mr. Nojeim. I think there are some structures already. And \nagain, when we think about role of DOD when it comes to \nsecuring private systems, it should be in a supportive role and \nthat, for example, it should be supporting the efforts of the \nDepartment of Homeland Security to work with those private \nentities to secure their systems.\n    And Cyber Command and NSA are going to have information and \nexpertise that will be useful. And the important thing is to \nloose it and to access it and together to DHS and to these \nother entities so they can do a better job.\n    Mr. Cauley. I would answer that question. I think there \nis--I have seen evidence of good coordination between the \nDepartment of Defense and Homeland Security, but I will repeat \nmy earlier comment that working to try to resolve electric \nindustry issues related to cyber, it is a community of \nagencies.\n    It is not clear, you know, where all the responsibilities \nlie or where the authorities are, but we try to work with \neverybody.\n    I think there is an interesting set of questions here in \nterms of what DOD should be authorized to do in the state of an \nemergency. And I really wouldn\'t rule out--I sympathize with my \nfellow panelist\'s comment that it becomes very, very scary if a \ngovernment agency can take an action that would alter the \ncontrols of the power grid, because it is just a scary thought. 
\nIt could have unintended consequences.\n    But I can conceive of extreme denial of service attacks on \nthe Internet or sort of a major cyber concurrent attack on the \nentire country, where intervention by DOD might be beneficial \njust to stop the bleeding in the initial minutes and hours. And \nI think that would merit some more dialogue in terms of what \nthat would look like, but overall I think the industry needs \nthe information to act under most circumstances.\n    Ms. Pfleeger. I suggest that the DOD consider again the \nthreat models and try to work collaboratively in advance with \nproviders of the key infrastructure, perhaps by giving them \nscenarios. So the DOD might suggest, for instance, that the \nelectric grid have the capability to do a handful of things \nthat would be useful to both the grid and the Defense \nDepartment, if there were an attack on the grid.\n    I think that kind of in--advance, preventive set of \nmeasures might be more effective than just having a blanket \nability to--for the DOD to take over something that it is not \nused to running.\n    Mr. Langevin. Let me turn to something else. You know, \nthere is a debate around, you know, what constitutes cyber \nwarfare, what constitutes a cyber attack, if you will, versus \ndefense. You know, and basically how involved should our \nmilitary be in cyber security when you look at, for example, \ncomputer network operations by DOD. Much of this debate focuses \naround--what constitutes ``warfare,\'\' you know.\n    Could you provide a definition to us about what cyber \nwarfare is and what it looks like, and what the appropriate \nresponse should be?\n    Mr. Cauley. 
Ranking Member Langevin, I have seen enough in \nthe last few months--just in my visits with NORTHCOM and the \nPentagon--to understand that the Department of Defense has a \nmuch richer understanding of the ongoing cyber warfare than we \nhave in the private sector.\n    So I think anything that can be done to not just keep that \ninformation internal as we know what is going on in the cyber \nwarfare arena, but how can we help industry understand the \ninformation they need to know to--to be aware of what is going \non.\n    I myself have a top secret clearance--been to some of the \nbriefings. I have understood more than I had in the past. And \nit is serious stuff going on. And I think we need to be able to \nshare that with industry in a timely fashion.\n    The tendency is, because it is a war, to keep it inside the \nmilitary and not share it. And I think we have to figure out \nhow we overcome that a bit.\n    Mr. Langevin. Well, I yield back.\n    Mr. Thornberry. Dr. Pfleeger, one of the challenges the \ngovernment always faces is how to have a role that does not \ndistort the market in some way. And I am thinking about \nespecially research in this area.\n    Obviously, the Microsoft and the Dells of the world are \ndoing lots of research about next phases of computing that can \nbe more secure. Do you have suggestions as to the government\'s \nrole in funding specific kinds of research that would be \ncomplementary but not displace the role that private industry \nplays?\n    Ms. Pfleeger. 
I think there are already a lot of activities \ncoordinating what the private sector is doing with what our \nuniversities should be doing and what the government should be \nsponsoring.\n    Both within the DOD and the Department of Homeland Security \nthey have lists of their key topics that they try to fund.\n    I think the place where there is room for improvement is \nthat often the focus is on the technology alone and not on how \npeople use the technology or perceive the technology. And so I \nthink that is an opportunity for improving not just the kinds \nof technology that we are producing to make things more secure, \nbut improving the technology transfer, improving the eagerness \nwith which users view the security. If they could view it more \nas an enabler than as an obstacle, I think that would make a \nhuge difference.\n    So it isn\'t always what the technologists like to get \nfunded to look at, but in fact, technology that isn\'t used \nproperly or isn\'t used at all is fairly worthless.\n    Mr. Thornberry. Let me also give you a chance to weigh in \nif you would like on this question about emergency powers. \nBecause I know it has been very controversial in some of the \nSenate bills about to what extent a government ought to have \nability to take emergency actions. And you have heard a little \nbit of it addressed here.\n    Do you have views on that?\n    Ms. Pfleeger. I don\'t really have a view. I have looked at \nsome of the issues. But I am not a lawyer. I am not a \nhistorian. I am not sure it would be appropriate for me to make \na judgment.\n    Mr. Thornberry. I appreciate it.\n    Yes, gentleman from Texas.\n    Mr. Conaway. 
It occurred to me, that as you are looking at \nthis new cloud concept where everything is out that--the things \nthat we are talking about today--before that--in other words, \nall of that innovation which creates greater accesses and from \nanywhere you want all your data is out there.\n    Does the stuff we talked about today really contemplate \nthat at all?\n    Ms. Pfleeger. Do you mean--if I understand you, you are \nasking whether the kinds of recommendations that we made in our \ntestimony----\n    Mr. Conaway [continuing]. Yes, just the state of play, is \nthe state of art for--does the users out there remotely \nunderstand the risks they take, that you are relying on private \nentities to protect all of that?\n    It just occurred to me that we fight this fight right now \nwhere most everybody\'s stuff was on a laptop and you had a \ndirect access line. But now with this--the new innovations and \nthe continued improvements and everything, do we really \ncontemplate--are these recommendations getting as far ahead as \nwhat that is ahead of the normal way people understand what is \ngoing on?\n    Ms. Pfleeger. Well, I think the cloud computing is a good \nexample of misaligned incentives. Because a lot of people--a \nlot of organizations are choosing to use the cloud because it \nis cheaper without being aware, as you point out, of the risks \nthat they are taking.\n    And so I think a lot of these questions are being raised. \nBut there aren\'t a lot of good answers yet.\n    Mr. Nojeim. I think that it is a double-edged sword. And \nyou could have cloud providers that are better at security than \nthe individual user is on his or her laptop. So maybe if more \nusers demand more security, we will get better security as a \nresult of migration to the cloud instead of worse security.\n    Mr. Conaway. 
But is the driver--is the free market system \nrobust enough to drive those kinds of things without the users \nknowing it and/or appreciating it----\n    Mr. Nojeim. I think it depends on the user. There are some \nusers that are large corporations that are moving to the cloud \nand they are asking these questions----\n    Mr. Conaway. They will drag along the protections for all \nthose folks----\n    Mr. Nojeim. They are going to drag along the protections \nfor--you know, obviously, they are interested in protecting \ntheir own data. I think the issue is whether the practices \nbecome such that they become more a standard at a higher level \nas a result of the demands of industry. As it moves toward the \ncloud it would filter down and help consumers.\n    Mr. Conaway. Okay.\n    Thank you, Mr. Chairman. Appreciate that.\n    Mr. Thornberry. Let me just--I have been trying to take \nnotes and see if I can summarize, at least, some areas where it \nseems to me you all are pretty well in agreement.\n    One is that the government does need to take some action. \nThat continuing to let things drift along as--that may be a \nlittle--continuing as we are without some additional action \nwould be a mistake.\n    Secondly, that there needs to be some further action in the \nform of incentives, regulations to encourage a general--or to \nmandate a general increase in cyber security.\n    Third, that at a minimum, the Department of Defense should \nensure that the appropriate entities in the private sector have \naccess to more of the information that the Department of \nDefense has in order to protect those private networks better.\n    So have I--does anybody disagree, I guess, with at least \nthat starting point?\n    Now, you all have to say something. They can\'t----\n    Mr. Nojeim. I think that is a good starting point. I think \nthat, you know, people are going to say, ``Well, I didn\'t call \nfor more regulation,\'\' or this or that.\n    But----\n    Mr. 
Thornberry. Yes, yes.\n    Mr. Nojeim [continuing]. I think that, you know, when we \nlook at incentives, we look at accessing information that the \ngovernment has and spreading that out, I think that there is a \ngeneral consensus about that.\n    Mr. Thornberry. And you are okay with increase incentives \nand considering, at least, looking at regulation of certain \nsectors that are already regulated, at least, as something----\n    Mr. Nojeim. Yes.\n    And as I said, we think that different sectors are going to \nbe subject to different rules.\n    Mr. Thornberry. Yes. Yes.\n    Mr. Cauley. Mr. Chairman, I would generally agree, as well \nwith a couple of nuances. I think there does need to be clarity \nwithin the various agencies in the government in terms of roles \nand responsibilities, and who do we work with as private \nsector.\n    I think in terms of the mandates to industry, my sense is \nwe have--in the electric side, we have addressed that mostly \nthrough existing structures through the Federal Energy \nRegulatory Commission and our ability to do mandatory \nstandards.\n    I did point out a gap, I thought, in emergency, in an \nimmediate threat--do we need a mandate and action?\n    I think there is a danger of further escalating the \nmandatory compliance directive aspect because we may drive the \nelectric industry to sort of a common plateau of mandated \nregulations. And I am trying to get them to fight the dynamic \nwarfare in cyber--so I think we can over-regulate when we have \na solid foundation. So I just want to make that distinction.\n    Mr. Thornberry. And that is a fair point and an important \namplification, I think.\n    Ms. Pfleeger. I also agree that it is a good summary.\n    I think, in addition, the government could--I think we \nwould probably all agree that the government could encourage \nprivate sector initiatives that already are good behavior. 
\nThere already are examples of private enterprise making data \npublic, collaborating in various ways. And so making that more \nvisible and providing incentives in that way might be helpful.\n    Mr. Thornberry. Okay.\n    We may want to pursue--I have some other questions on that \nline that we may want to pursue with you.\n    Anyway, thank you all very much for being here. I \nappreciate your testimony and the time it took to prepare it, \nand for your being here.\n    With that, the hearing stands adjourned.\n    [Whereupon, at 12:59 p.m., the subcommittee was adjourned.]\n\n=======================================================================\n\n\n                            A P P E N D I X\n\n                           February 11, 2011\n\n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                           February 11, 2011\n\n=======================================================================\n\n    [GRAPHIC] [TIFF OMITTED] T4861.001\n\n</pre></body></html>\n'