[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]






                                     

                          [H.A.S.C. No. 112-5]
 
       WHAT SHOULD THE DEPARTMENT OF DEFENSE'S ROLE IN CYBER BE?

                               __________

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                           FEBRUARY 11, 2011


                                     

                                     

                  U.S. GOVERNMENT PRINTING OFFICE
64-861                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
  


           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                    MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida                 JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota                LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania           ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas            SUSAN A. DAVIS, California
CHRIS GIBSON, New York               TIM RYAN, Ohio
BOBBY SCHILLING, Illinois            C.A. DUTCH RUPPERSBERGER, Maryland
ALLEN B. WEST, Florida               HANK JOHNSON, Georgia
TRENT FRANKS, Arizona                KATHY CASTOR, Florida
DUNCAN HUNTER, California
                 Kevin Gates, Professional Staff Member
                 Mark Lewis, Professional Staff Member
                      Jeff Cullen, Staff Assistant


                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2011

                                                                   Page

Hearing:

Friday, February 11, 2011, What Should the Department of 
  Defense's Role in Cyber Be?....................................     1

Appendix:

Friday, February 11, 2011........................................    29
                              ----------                              

                       FRIDAY, FEBRUARY 11, 2011
       WHAT SHOULD THE DEPARTMENT OF DEFENSE'S ROLE IN CYBER BE?
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Emerging Threats and 
  Capabilities...................................................     2
Thornberry, Hon. Mac, a Representative from Texas, Chairman, 
  Subcommittee on Emerging Threats and Capabilities..............     1

                               WITNESSES

Cauley, Gerry, President and Chief Executive Officer, North 
  American Electric Reliability Corporation......................     6
Nojeim, Gregory T., Senior Counsel and Director, Project on 
  Freedom, Security and Technology, Center for Democracy and 
  Technology.....................................................     8
Pfleeger, Shari L., Director of Research, Institute for 
  Information Infrastructure Protection at Dartmouth College.....     4

                                APPENDIX

Prepared Statements:

    Cauley, Gerry................................................    58
    Langevin, Hon. James R.......................................    34
    Nojeim, Gregory T............................................    67
    Pfleeger, Shari L............................................    36
    Thornberry, Hon. Mac.........................................    33

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]
       WHAT SHOULD THE DEPARTMENT OF DEFENSE'S ROLE IN CYBER BE?

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                         Washington, DC, Friday, February 11, 2011.
    The subcommittee met, pursuant to call, at 11:30 a.m., in 
room 2118, Rayburn House Office Building, Hon. Mac Thornberry 
(chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM 
     TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND 
                          CAPABILITIES

    Mr. Thornberry. Hearing will come to order.
    Let me welcome the members and witnesses and guests to this 
first hearing in this Congress of the Emerging Threats and 
Capabilities Subcommittee.
    I certainly appreciate all the members who have chosen to 
join this subcommittee. And among other benefits, we will have 
the former chair and former ranking member of the subcommittee, 
Ms. Sanchez and Mr. Miller, as part of our body.
    But I am really looking forward to the chance to work in 
partnership with the gentleman from Rhode Island, Mr. Langevin. 
He and I started working together on cyber issues in 2003 as 
part of the Select Homeland Security Committee, on the Cyber 
Subcommittee of that body, and have worked together on this 
committee and on the Intelligence Committee basically ever 
since. So I look forward to what we can accomplish together for 
the country's security in the next two years.
    One of the first things that one notices is the name of the 
subcommittee has changed. And I think that is to better match 
what our charge is. We are to look out in the future and help 
see that the United States is prepared to deal with those 
national security challenges that are still emerging, that we 
are still learning about. Things such as terrorism and cyber 
warfare.
    We are also charged with nurturing emerging capability that 
can meet those and other threats. And the jurisdiction of the 
subcommittees has been changed to reflect so we can better 
focus on cyber and these other challenges.
    Of course, any emerging threat presents new challenges on 
policy, legal authority, budgeting, such as we have witnessed, 
for example, since 9/11. And today, in the field of cyber, we 
want to start by asking really a fairly basic but I think 
important question, and that is, what is the role of the 
Department of Defense in defending the country in cyberspace?
    If a formation of planes or some hostile-acting ships came 
barreling towards a factory or refinery in the U.S., I think 
most of us have a pretty good idea of what we would expect from 
the Department of Defense. They may try to identify who it is, 
divert them over to another area. They may even go so far as to 
shoot them down. But the bottom line is we expect our military 
to protect us from threats that we cannot handle on our own.
    But what do we expect, or what should we expect, if a bunch 
of malicious packets, or potentially malicious packets, come 
barreling at us--or come barreling at the same facilities in 
cyberspace? I am not sure we have a good answer to that. And if 
we figure out what we expect, then the question is, can the 
government do what we expect? Does it have the ability and the 
authorization to do it?
    I don't expect that we are going to get definitive answers 
to those questions today, but I do think we need to be serious 
and diligent about pursuing those answers because the threat is 
serious and it is growing in numbers and sophistication.
    Yesterday, at the Intelligence Committee hearing, I asked 
DNI [Director of National Intelligence] Clapper, Director 
Panetta, FBI [Federal Bureau of Investigation] Director Mueller 
about how serious the threats in cyberspace were as a matter of 
national security. Each of them responded they thought it was 
in fact very serious. Clapper said, ``The threat is increasing 
in scope and scale, and its impact is difficult to overstate.''
    So we know that cyber is a new domain of vandalism, of 
crime, of espionage, and, yes, even warfare, but I am afraid 
the country is not very well equipped to deal with any of those 
challenges.
    As we look for solutions, we have to be smart and careful 
and true to our values, but I believe we need to act to improve 
our security.
    And I appreciate the witnesses who are here today to help 
guide us on that path.
    But first, I would yield to the distinguished gentleman 
from Rhode Island, the ranking member, for any comments he 
would like to make.
    [The prepared statement of Mr. Thornberry can be found in 
the Appendix on page 33.]

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM 
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS 
                        AND CAPABILITIES

    Mr. Langevin. Well, thank you, Mr. Chairman.
    As this is our subcommittee's first hearing of the 112th 
Congress, I just wanted to take a moment to congratulate you on 
your chairmanship and to say how much I am looking forward to 
working with you again. As you rightly pointed out, 
we have worked on many of these issues together in our time on 
the Homeland Security Committee, to our time as we have served 
on this committee, and as well as the House Intelligence 
Committee.
    So our paths keep crossing in a very positive way and we 
have enjoyed a very productive partnership in the past and I 
know we will continue with our work on this subcommittee as 
well. So congratulations to you.
    In 2007, as chair of the Homeland Security Subcommittee on 
Emerging Threats, Cyber Security and Science and Technology, I 
conducted a detailed and thorough examination of cyber threats 
to our power grid after tests conducted at Idaho National Labs, 
known as Aurora, became public.
    At that time, industry representatives from NERC [the North 
American Electric Reliability Corporation] misled or were 
inaccurate about their testimony to the Homeland Security 
Committee about their efforts to address these threats in the 
private sector. Now, we called them on it and they retracted 
their statements. But the experience illustrates how difficult 
it can be to require and ensure security when it comes to 
critical infrastructure.
    Since then, threats to our critical infrastructure have 
only grown, with news reports suggesting that there is interest 
by malicious actors in exploiting vulnerabilities in the U.S. 
power grid and other critical infrastructure. The federal 
agencies have taken steps to reduce these vulnerabilities. I 
have to say, though, I am afraid that many in industry and in 
government still fail to appreciate the urgency of this threat. 
Since I began working on this issue, I have been disappointed 
by the overall lack of serious response and commitment to this 
issue, and I still believe America is vulnerable to a cyber 
attack against the electric grid that would cause severe damage 
not only to our critical infrastructure, but also to our 
economy and the welfare of our citizens.
    Because of this concern, last Congress I posed this 
question to the heads of all of our military services. If our 
civilian power system is vulnerable, what is being done to 
protect our numerous military bases that rely on them to 
operate?
    Well, the answers were disturbing, but not surprising. Vice 
Admiral Barry McCullough, head of the Navy's 10th Fleet, 
testified that, ``These systems are very vulnerable to 
attack,'' noting that much of the power and water systems for 
our military bases are served by single sources and have only 
very limited backup capabilities. With an attack on a power 
station potentially requiring weeks or even months to recover 
from, our bases could face serious problems maintaining 
operational status. A recent report from the Department of 
Energy's Inspector General found that despite years of concern 
and hand-wringing by those who are aware of the threat, not 
much has been done to increase protection to these civilian 
systems.
    Their reports also fault federal regulators for not 
implementing the adequate security standards--cyber security 
standards. But if you ask industry, you will find out that 
there is no actual requirement to do what the government wants. 
The regulators don't have any actual ability to regulate when 
they see a problem, despite being fully aware of the tremendous 
risks that face our nation.
    Now, if everyone is aware of the threat, both DOD [the 
Department of Defense] and our civilian power sector, it 
appears that the tragedy of the commons has ruled that no one 
has been willing or able to address it.
    At the House Intelligence Committee's annual open meeting 
yesterday, Director Panetta testified that cyber threats to our 
critical infrastructure had the potential to be the next Pearl 
Harbor, and I agree and remain unconvinced that we have the 
abilities or the authorities to stop a large-scale cyber 
attack.
    To this end, last year I introduced legislation to 
coordinate our national cyber security policies for the 
protection of our federal networks, as well as our critical 
infrastructure. And while we had success with an amendment in 
the House defense authorization measure, you may know that we 
were forced to remove that language during conference.
    Let me just say, Mr. Chairman, that I look forward to 
working with you to move forward again this year and finally 
begin to address these critical vulnerabilities.
    Today, I am anxious to hear from our panel, especially Mr. 
Cauley from NERC and ask what has changed since 2007. Are we 
still as vulnerable today as we were then? And I, for one, 
believe that the answer is yes. I fear that little has changed 
other than the acceleration of the threat and the growth of our 
vulnerability.
    With that, Mr. Chairman, I look forward to our witnesses' 
testimony. I want to thank our witnesses for being here, and I 
yield back.
    Mr. Thornberry. I thank the gentleman.
    And now we will turn to our witnesses. And let me say first 
of all, I appreciate each of you all's written statement. 
Without objection, they will be made part of the full record. 
But I thought each of you did a very good job in laying out a 
number of issues. I know I learned from each of them, so I 
appreciate the effort you put into that.
    With us today is Dr. Shari Pfleeger, director of research 
from the Institute of Information Infrastructure Protection 
headquartered at Dartmouth; Mr. Gerry Cauley, chief executive 
officer of the North American Electric Reliability Corporation, 
NERC; and Mr. Gregory Nojeim, senior counsel, Center for 
Democracy and Technology.
    Pretty good? Okay, good.
    Thank you all for being here. We will try to move out 
smartly today. I don't think we will have votes for a little 
bit, and I would like to give everybody a chance to ask 
questions before those votes. So as I say, your full statement 
will be made part of the record, if you would like to summarize 
it, and then we will turn to questions.
    Dr. Pfleeger, the floor is yours.

STATEMENT OF SHARI L. PFLEEGER, DIRECTOR OF RESEARCH, INSTITUTE 
 FOR INFORMATION INFRASTRUCTURE PROTECTION AT DARTMOUTH COLLEGE

    Ms. Pfleeger. Good morning, Chairman Thornberry, Ranking 
Member Langevin, members of the subcommittee and guests. Thank 
you for inviting me here. I was asked to talk about the 
economics of cyber security and I have organized my response 
based on the three big questions that you asked me.
    So the first one is: What are the significant challenges 
that face us? And I see three big challenges. The first is the 
diverse and distributed ownership of the cyber infrastructure, 
which makes it difficult to apply traditional approaches for 
security because there are so many different pieces. And many 
of those pieces have been developed without security in mind. 
They are not always the big--security is not always the biggest 
motivator for making money for the providers of those pieces.
    The second is appeal as a criminal tool. Criminals can use 
the cyber infrastructure to perpetrate their crimes more 
broadly, more quickly and more anonymously than they could 
before.
    And the third is, and this perhaps has the most relevance 
to the Defense Department, the difficulty in reaction to 
emergent behavior. Many aberrant cyber-based behaviors are 
emergent in that it takes a long time to figure out exactly 
what is going on, understanding the cause and effect, and 
selecting an appropriate reaction. And when the cause is 
uncertain and the possible responses have life-threatening or 
diplomatic implications, the decisionmakers have to reduce the 
uncertainty surrounding cause and effect.
    So I have identified three policy, legal, economic and 
technical challenges. The first is misaligned incentives. Most 
of the providers are in business to make money, not necessarily 
to provide security. And so many organizations prefer just to 
wait for cyber attacks to happen and clean up the mess, or they 
rely on what is sometimes called ``free-riding'' or ``herd 
immunity,'' where they let other people implement the security, 
and the people who don't implement the security still get some 
benefit.
    And in addition to that, the bad outcomes don't always 
affect the organization lacking security or don't affect them 
for very long. So, for instance, their stock prices might go 
down, but then they eventually pop back up again. So there is 
little incentive for them to take a long-term security view.
    The second is the need for diversity. Technological 
diversity leads to more secure networks and systems, but 
because of a variety of things, including economic reasons, 
training, access and even chance, the technology is actually 
quite uniform, more than we would expect.
    And finally, security is often incompatible with 
organizational culture and goals, so many people who use our 
networks are paid to get their jobs done and they often see 
security not as an enabler, but as an inhibitor. So you see 
lots of cases of people turning off the security in order to 
get their jobs done, or neglecting to do things like set the 
security properly.
    So what should the government do? I suggest five things. 
The first is to address cyber attacks the way other unwelcome 
behaviors are addressed. Our current reliance on convenience 
surveys for information about cyber attack trends can be 
misleading and we need more careful sampling and more 
consistent solicitation of data.
    The government should incentivize or require better breach, 
fraud and abuse reporting, and data about the nature and number 
of cyber attacks should be reported consistently each year so 
that sensible trend data can form the basis for effective 
actions. It may be more useful to capture data in smaller ways, 
in various ways for various purposes, and then good economic 
models informed by these representative consistent data can 
improve our general understanding not only of the cyber risk, 
but of the cyber risk relative to other kinds of risk.
    Second, I recommend that liability statutes cover cyber 
technology. When lack of car safety was made more visible in 
the 1960s, the government responded by making automobile 
companies more liable for their unsafe practices and products. 
Similarly, I think a combination of manufacturer liability and 
economic constructs like insurance could encourage more secure 
product design and implementation.
    The third is insist on good systems engineering. Use the 
government's purchasing power in two important ways. First, 
refuse to continue to deal with system providers whose products 
and services are demonstrably insecure, unsafe, or 
undependable. The data gathered in this process can inform 
subsequent technology decisions so that errors made in earlier 
products are less likely to occur in later ones. Especially in 
cyber security we see the same problems appearing over and over 
again.
    Secondly, insist on five up-to-date formal arguments 
describing why the systems are secure and dependable. These 
arguments are used in other domains like nuclear power plant 
safety and could easily be applied to cyber security. And 
suppliers' formal arguments could be woven into the system 
integrator security arguments to show that supply chain issues 
have been addressed with appropriate levels of care and 
confidence.
    The fourth suggestion is to provide incentives to encourage 
good security hygiene. Incentives like tax incentives and 
insurance discounts can speed implementation of demonstrably 
more security technology and the incentives should also include 
rewards for speedy correction of security problems and 
punishments for lax attention to such problems.
    Finally, encourage multidisciplinary research. Many 
security failures occur not because there is no solution but 
because the solution hasn't been applied or because designers 
fail to include the user's perspective when designing the 
technology.
    Research involving behavioral science and behavioral 
economics can improve the security and dependability of the 
nation's cyber infrastructure in two ways. In the short term, 
it can improve adoption rates for the security technology, 
thereby reducing the attack surface against which malicious 
actors aim. And in the longer term it can lead to a more 
resilient cyber infrastructure that users are eager to use 
correctly and safely.
    Thank you.
    [The prepared statement of Ms. Pfleeger can be found in the 
Appendix on page 34.]
    Mr. Thornberry. Thank you.
    Mr. Cauley.

   STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EXECUTIVE 
    OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

    Mr. Cauley. Good morning, Chairman Thornberry, Ranking 
Member Langevin, members of the subcommittee and fellow 
panelists. My name is Gerry Cauley. And referring to Ranking 
Member Langevin's comments on the performance of NERC in the 
past, I would point out that I am the new President and CEO of 
the North American Electric Reliability Corporation. And I also 
serve as the Chairman of the Electricity Subsector Coordinating 
Council.
    I am a graduate of the U.S. Military Academy at West Point, 
a former officer in the U.S. Army Corps of Engineers. I have a 
master's degree in nuclear engineering from the University of 
Maryland. And I have devoted over 30 years to working toward 
the safety and reliability of our nuclear and electric 
industries, including in 2003 serving as a lead investigator 
for the 2003 Northeast blackout.
    I have with me also today NERC's chief security officer, 
Mark Weatherford, behind me, who until recently served as the 
chief information security officer for the state of California 
and previously served 26 years in the U.S. Navy as an 
information security officer.
    NERC is a non-profit corporation that was founded in 1968 
to develop voluntary operating and planning standards for the 
owners and operators of the North American bulk power system.
    In 2007, the Federal Energy Regulatory Commission 
designated NERC as the electric reliability organization in the 
United States, in accordance with the Energy Policy Act of 
2005.
    As a result, our standards, including cyber security 
standards, became enforceable at that time. To my knowledge, 
they are the only mandatory cyber standards among the various 
critical infrastructures in North America.
    As CEO of the organization charged with overseeing 
reliability and security of the North American grid, I am 
deeply concerned about the changing risk landscape from 
conventional risks such as extreme weather and equipment 
failures to emerging new risks where we are left to imagine 
scenarios that might occur and prepare to avoid or mitigate the 
consequences, some of which could be more severe than we have 
previously experienced.
    I am most concerned about physical and cyber attacks 
intended to disable elements of the power grid or deny specific 
electricity to specific targets such as government and business 
centers, military installations, or other infrastructures. 
These threats differ from conventional risks in that they 
result from intentional actions by adversaries and are simply 
not random failures or acts of nature.
    It is difficult to address such rapidly evolving risks 
solely with a traditional regulatory model that relies mainly 
on mandatory standards, regulations and directives.
    The defensive barriers mandated by our standards do make it 
more difficult for those seeking to do harm to the grid, but 
alone they may not be completely sufficient in stopping the 
determined efforts of the adaptable adversaries supported by 
nation-states or organized terrorist groups.
    The most effective approach against such adversaries is to 
apply resiliency principles as outlined in the National 
Infrastructure Advisory Council report on the grid, delivered 
to the White House in October 2010.
    I was fortunate to serve on that council with a number of 
industry CEOs.
    Resiliency requires proactive readiness for whatever may 
come our way. It includes robustness, the ability to minimize 
consequences in real time. The ability to restore essential 
services. The ability to adapt and learn.
    Examples of the NIAC [National Infrastructure Advisory 
Council] team's recommendations include: one, a national 
response plan that clarifies the roles and responsibilities 
between industry and government; two, improving the sharing of 
actionable information by government regarding threats and 
vulnerabilities; three, cost recovery for security investments 
driven by national policy; and four, a strategy on spare 
equipment, with long lead times such as electric power 
transformers.
    NERC is moving forward with a number of our own actions to 
complement our mandatory CIP [critical infrastructure 
protection] standards and provide enhanced resilience to the 
grid, including partnering with the Department of Energy and 
the National Institute of Standards and Technology to develop 
comprehensive cyber security risk management guides for the 
entire electric system, from the meter to the bulk power 
system.
    Making actionable information available to the industry is 
a priority for NERC. We worked with DOD, DHS [the Department of 
Homeland Security] and other agencies in 2010 to issue high-
quality alerts to the industry on the Aurora mitigation, the 
Stuxnet malware and VPN [virtual private network] tunneling 
vulnerability.
    We are developing a North American cyber security exercise 
to prepare for and test a national response plan. In recent 
meetings at the USNORTHCOM [U.S. Northern Command] and the 
Pentagon, we have begun collaborating with DOD on assessing 
worst-case scenarios and developing case studies at critical 
military installations to ensure that essential requirements 
for national security are being addressed.
    We are engaged with the DOE National Laboratories in 
opportunities to apply the expertise of the federal government 
in enhancing the cyber security of our grid.
    In 2010, we started conducting onsite security sufficiency 
reviews at utilities, and we will continue that program in 
2011. And we are working with vendors and industry to enhance--
to demonstrate enhanced physical security of our systems.
    The emerging challenges we face are difficult but not 
intractable. I believe we can and must take decisive actions 
through partnership between industry and government to meet 
these challenges. And I thank you, and look forward to your 
questions.
    [The prepared statement of Mr. Cauley can be found in the 
Appendix on page 56.]
    Mr. Thornberry. Thank you, sir. I appreciate it.
    Mr. Nojeim.

 STATEMENT OF GREGORY T. NOJEIM, SENIOR COUNSEL AND DIRECTOR, 
    PROJECT ON FREEDOM, SECURITY AND TECHNOLOGY, CENTER FOR 
                    DEMOCRACY AND TECHNOLOGY

    Mr. Nojeim. Thank you, Chairman Thornberry, Ranking Member 
Langevin, and members of the subcommittee.
    Thanks for the opportunity to testify on behalf of the 
Center for Democracy and Technology about cyber security and 
the role of DOD.
    CDT [the Center for Democracy and Technology] is a non-
profit, non-partisan civil liberties organization dedicated to 
keeping the Internet open, innovative and free.
    The United States faces significant cyber security threats. 
While the need to act is clear, it is essential that we take a 
nuanced incremental approach that recognizes distinct roles for 
DOD, the Department of Homeland Security, and the private 
sector. Generally speaking, DOD entities should be responsible 
for military systems, DHS for civilian government systems, and 
the private sector should monitor its own unclassified systems.
    We ask that you keep a key distinction in mind: Policy 
toward government systems can be much more prescriptive than 
policy toward private systems. The characteristics that have 
made the Internet successful--openness, decentralization and 
user control--may be put at risk if heavy-handed cyber security 
measures are applied to all critical infrastructure. In the 
case of critical infrastructures, one size does not fit all.
    When DHS and private sector efforts to secure civilian, 
government and private systems fall short, it is tempting to 
conclude that Cyber Command and NSA [the National Security 
Agency] should lead outside the dot-mil domain. But they 
operate in a culture of secrecy--for entirely legitimate 
reasons--that would hamper civilian cyber security efforts that 
depend on public trust and corporate participation.
    Instead, expertise and resources of Cyber Command and NSA 
must be leveraged to help DHS with its cyber security mission.
    More robust information sharing from the private sector to 
the government and vice versa is one way to leverage resources. 
But policymakers must proceed carefully to ensure that 
information sharing does not devolve into de facto surveillance 
through ongoing or routine disclosure of private communications 
to the government.
    When he unveiled the White House Cyberspace Policy Review, 
President Obama correctly emphasized that the pursuit of cyber 
security must not include governmental monitoring of private 
sector networks or Internet traffic. That is one of the 
overriding civil liberties priorities in the cyber security 
arena.
    Another is ensuring the free flow of information. Even in a 
cyber security emergency, empowering the government to shut 
down or limit Internet traffic over private systems could have 
unintended effects, including discouraging network operators 
from sharing cyber security information that they ought to 
share out of fear that that information would be used to shut 
them down. They know better than the government when elements 
of their systems need to be isolated.
    Despite the value of anonymity on the Internet, some have 
proposed sweeping identification mandates, even a passport for 
using the Internet.
    Identification and authentication will likely play a 
significant role in securing critical infrastructure. We don't 
dispute that. However, they should be applied judiciously to 
specific high-value targets--like classified military 
networks--and to high-risk activities, and should allow for 
multiple identification solutions. Finally, you should resist 
proposals that would damage cyber security by making 
communications less secure. We are concerned about proposals to 
extend communications assistance for law enforcement design 
mandates to communications applications to facilitate 
electronic surveillance, as is being sought by the FBI. Because 
it could weaken communication security.
    Privacy and security cannot be viewed as a zero-sum game. 
Measures intended to increase communication security need not 
threaten privacy and indeed can enhance it.
    We look forward to working with the subcommittee to 
identify and promote these win-win measures.
    [The prepared statement of Mr. Nojeim can be found in the 
Appendix on page 65.]
    Mr. Thornberry. Great. Thank you.
    I will look forward to the same thing.
    I am going to reserve my questions and give other members 
a chance.
    And I would yield first five minutes to Mr. Conaway.
    Mr. Conaway. Thank you, Mr. Chairman.
    And panel, thank you.
    It is interesting, we have Dr. Pfleeger on one end and Dr. 
Nojeim on the other, because many of the things that Dr. 
Pfleeger was proposing to do fly in the face of what Dr. Nojeim 
was saying in terms of some of the prescriptive things that 
would happen.
    To follow up the Chairman's original comments about the 
analogy between a physical attack on America and the response 
that the federal government spoken, you know, it would have 
been the military, of course, but the federal government's 
response to that is pretty clear. Trying to look at those 
solutions in cyber, given that the cyber attack happens in the 
blink of an eye or less and the warnings aren't nearly as easy 
to discern obviously captures the problem we have.
    Who out there among the think tank groups are proposing 
solutions to that? In other words each of you brought--maybe 
that was your mandate--brought narrow, focused solutions to the 
issues, but is there a group out there that is looking at the 
broader issue? How does it--you know, what is the federal 
government's role--DOD and NSA--with respect to the dot-mil and 
homeland security? And then nobody on everything else has Dr. 
Nojeim concerned. Is that a rational way to continue down this 
path?
    Mr. Nojeim. I don't think that anybody is out there 
proposing that there is a silver bullet. I think that most 
people who are engaged in this endeavor all recognize that 
there needs to be a number of incremental steps taken.
    To the thought that there is a silver bullet I think flies 
in the face of the kinds of risks that we are facing. We are 
going to have to have a situation where industry and the 
government cooperate--and sometimes very closely--in order to 
deal with these risks.
    We have suggested not that industry has to stand alone when 
those packets are coming toward them, but that there is a very 
strong role that the government can play in helping out. It 
includes information sharing. It includes the sharing of attack 
signatures that will help the private industry identify the 
attack as it comes in.
    Mr. Conaway. And that is the sharing of information that 
Dr. Pfleeger was saying ought to be done on a real-time basis 
as opposed to ad hoc every once in a while. Am I understanding 
between those two comments?
    Ms. Pfleeger. I don't think it necessarily has to be real 
time, but it has to be regular. As the threats change----
    Mr. Conaway. Okay.
    Ms. Pfleeger [continuing]. We need to know what the changes 
look like.
    Mr. Conaway. Not trying to put words in your mouth, but is 
that--do I understand what you just said in relation to what 
her comment was in terms of one of the solutions is to have a 
better way to gather the scope of the problem on a regular 
basis as opposed to an ad hoc basis?
    Mr. Nojeim. Oh, no. We agree that there has to be----
    Mr. Conaway. Okay.
    Mr. Nojeim [continuing]. A lot of information sharing and 
that is----
    Mr. Conaway. How you put that in place, that 
``requirement'' in place without terrifying folks about your 
other comments that we are taking over the Internet, you know, 
all the other things. That Internet nonsense is going out there 
right now as a result of some of the comments the President 
made and misinterpretation of those. How do we bridge that gap?
    Mr. Nojeim. I don't think you have to have a world where 
communications traffic that is private-to-private traffic and 
is coming over an Internet backbone has to be shared with the 
government. I don't think that anybody's proposing that world.
    I think what we do need is a world where if a private 
industry sees anomalies, they can share information about those 
anomalies with government agencies that need to act on them and 
that that can happen quickly, and it can happen in near real-
time.
    Mr. Conaway. Let me--before my time runs out, Mr. Cauley, 
help me understand the scope of your national test on the 
security exercise. Is that just with respect to the electricity 
grid that you are talking about doing, or is that broader 
infrastructure than just electricity?
    Mr. Cauley. Congressman, this year the exercise will be 
fairly limited in scope. We are looking to pull in all the key 
players in the industry in terms of participating in the 
exercise and demonstrate the communications and emergency 
scenarios that we might see. We do have interfaces with 
Homeland Security, DOD and Department of Energy and others, who 
will participate in that exercise.
    One of the challenges that we are looking to try to resolve 
during such an emergency is what are the relationships between 
industry and government and how do we crystallize what those 
relationships should be and who is in charge and how that 
works. So we are hoping this exercise in the fall of this year 
will help answer and maybe clarify what additional questions 
need to be answered with that regard.
    Mr. Conaway. Thank you, Mr. Chairman. Yield back.
    Mr. Thornberry. Thank the gentleman.
    The ranking member.
    Mr. Langevin. Thank you, Mr. Chairman.
    Again, to the panel, thank you for your testimony today. 
All this is, obviously, fascinating and very important work.
    If I could, Mr. Cauley, I would like to start with you. 
First of all, thank you for refreshing my memory, just the 
record mentioning that you are new on the job at NERC as the 
chair. Thank you for the wealth of experience you bring to the 
job. And I certainly look forward to working with you in that 
role.
    Let me ask. You touched on some of the things in your 
testimony about what has changed since 2007, but for the point 
about conversation, would you highlight against some of those 
things that have changed over the last few years?
    And I still am of the opinion that NERC and FERC [the 
Federal Energy Regulatory Commission] really still lack the 
authority to direct all power utilities to follow the cyber 
security regulations, so I would like you to touch on that as 
well. And actually, how do you know that the government's 
guidance is being followed or that we are actually secure?
    Mr. Cauley. Thank you, Ranking Member Langevin.
    The industry has evolved quite a bit. As you know, the 
issue of cyber and physical security is relatively new to the 
industry compared to the 100-year history of the industry.
    I have had the opportunity in the past year to go out and 
meet a number of CEOs in most of the industry, and I believe 
that the awareness and the commitment is there that perhaps may 
not have been there before, but certainly has been elevated. 
And I feel we have the support of the industry.
    The standards that we had have been in transition, so I 
think we have evolved and improved standards. We just recently 
approved a new standard with a bright line criteria in terms of 
what are the critical assets that need to be covered by our 
cyber security standards. And we are in the process of adopting 
NIST [National Institute of Standards and Technology] controls 
into our standards, and that work continues.
    I believe at this point that the Federal Energy Regulatory 
Commission has full and adequate authority to direct us to do 
any additional standards or modifications to the standards that 
would be required to protect the security of the grid. In terms 
of----
    Mr. Langevin. Would you agree, though, that FERC doesn't 
have the kind of robust authority that, say, the Nuclear 
Regulatory Commission has when dealing with threats or things 
that need to be directed is done?
    Mr. Cauley. Yes, sir. I was going to get to the point where 
I think there is--there may be a gap, I think, that does exist. 
So in addition to the standards, we have the ability to put 
actionable information to the industry. We have improved that 
process.
    So where I think we have a gap, a very narrow gap that has 
been narrowed with their activities over the last couple of 
years, is in an emergency situation, if there is an imminent 
threat to the grid, at this point we have the ability to put 
that information out, but not to produce a mandatory 
requirement in a short amount of time.
    In that arena I do support expanded authorities for the 
federal government. It could be FERC or it could be another 
agency, but I believe there is an opportunity as an authority I 
would like to have. For an emergency imminent threat to the 
grid, action must be taken.
    I would caution, however, that the grid is a very complex 
machine. Ordering certain actions can have adverse 
consequences, even to the point of taking down the grid, so 
that involving NERC in that process and putting the directive 
in the form of a conservative action, conservative position, 
but not telling operators how to operate the system, would be 
most effective.
    Mr. Langevin. Thank you. And I would certainly look forward 
to working with you on closing that gap.
    Mr. Chairman, if you could, would you--does NERC work right 
now with DOD, identifying threats to the electric 
infrastructure critical to our military readiness? I know you 
talked--said that in your testimony, for the purpose of the 
record, would you expand on that?
    Mr. Cauley. Yes, Ranking Member Langevin. We have just 
begun that recently, and we are in the process of ramping that 
up.
    The first thing we are going to do is look to develop a 
design basis scenario. I think the industry has a perspective 
of what are the worst-case scenarios that can happen from their 
own risk management perspective, but when we look at national 
threats, obviously those risks tend to be more widespread and 
potentially more devastating.
    So we are in the process of beginning to develop a national 
cyber and physical security attack on the grid and what is the 
worst-case scenario that we could work from. That will drive 
things like the extent of our emergency plans, do we need spare 
equipment, and those kinds of questions.
    The second piece, just to be brief, is working on an 
installation-by-installation basis in terms of, are there 
adequate redundancies and procedures in place to ensure that 
each critical installation will have power supply and, if it is 
taken out, that we would have the capability to restore power 
very quickly.
    Mr. Langevin. Okay. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Mr. Thornberry. Thank the gentleman.
    Mr. Gibson.
    Mr. Gibson. Thank you, Mr. Chairman.
    And appreciate the panel today. Very informative testimony 
right across the board.
    I actually want to pursue the experimentation question just 
a little bit further. So I am understanding that this is the 
first time, sir, that your organization is participating in 
this type of exercise in 2011. Yes, sir?
    Mr. Cauley. If you are referring to the national exercise----
    Mr. Gibson. Yes, secure grid exercise.
    Mr. Cauley. We have done training and exercises 
historically in preparations for hurricanes and earthquakes and 
known types of risks. We have participated most recently in 
Cyber Storm III and the previous versions of Cyber Storm, so we 
have participated in exercises.
    What we are proposing to do this year is to get--in our 
exercise is to get greater involvement by industry rather than 
a sampling of industry, and gauge our entire communications 
infrastructure. We have an ability to communicate with the 
operating companies directly, and rather than having a 
government-driven exercise, where we bring a few of them in, I 
want this to be industry-driven, where the government folks can 
participate with us.
    Mr. Gibson. I am trying to--where I am driving is I am 
trying to get an appreciation for just how secure our 
electrical grid is, and I am trying to get an understanding of 
the exercise that is going to try to draw conclusions about 
that.
    So you mentioned you are still drawing up the design for 
the exercise. What principles are you using to ensure your 
sampling geographically and with enough depth that you are 
going to be able to draw significant conclusions from the 
exercise?
    Mr. Cauley. Congressman Gibson, I think we are talking 
probably several different things. So in terms of the actual 
evolving security of the grid, I believe we are enhancing that 
continuously. We have standards for firewalls and protections 
and access controls and those kinds of things.
    So the actual security is progressing in terms of 
continuously improving. The challenge is, what is the worst 
thing that could happen? And we are in the process of working 
with Department of Defense to postulate some potential extreme 
events, like take down major cities, take down major oil 
refineries or military installations.
    Those scenarios, we have not run those in the past, and we 
are developing those as new this year.
    We currently have the ability to communicate directly and 
have robust communications with industry folks. But now with 
this new scale of a scenario we have not seen before we will 
test that and demonstrate our ability to meet that challenge.
    Mr. Gibson. And one final question on this same topic. So 
as private sector, as research and development is done on the 
possibility of moving beyond copper for transmission, are you 
comfortable that there is enough collaboration that you will be 
able to make assessments as far as security going forward?
    Mr. Cauley. We have very open dialogue with national labs 
and other agencies in government, that we are trying to take 
advantage of every technology that will be useful and practical 
and cost effective for implementing in the private sector.
    Mr. Gibson. Okay. Thank you.
    I yield back.
    Mr. Thornberry. Mr. Johnson.
    Mr. Johnson. Thank you, Mr. Chairman and Mr. Ranking 
Member. I commend you for holding this hearing and look forward 
to joining you in the hard work that will be necessary to 
secure the cyber domain.
    There is an emerging consensus that we need to clear 
jurisdictional distinctions between military and civilian cyber 
security efforts. Just as the military does not police our 
streets, it should not police our civilian cyber 
infrastructure.
    But we must ensure that the armed forces will have the 
necessary tools to prosecute and defend the country from cyber 
warfare.
    One note on private sector regulation. As we draw these 
fine jurisdictional distractions, Congress should establish 
hard regulatory requirements, not just soft suggestions of 
voluntary security measures to ensure the security of our 
private sector technology infrastructure.
    We do not merely recommend that airlines maintain the 
highest standards of safety and reliability. Likewise, we must 
not merely recommend that American industry implement state-of-
the-art best practices to ensure cyber security. We must 
require it, and there should be penalties when those 
requirements are not heeded.
    My first question I would ask each of our panelists, what 
is the first question, the essential question for determining 
whether any given cyber threat should be the purview of 
civilian or military cyber security authorities?
    Ms. Pfleeger. That is a difficult question to answer 
because the military often uses private sector networks to 
accomplish things. And the threats to national security can be 
economic, they could be espionage, they could be a variety of 
things.
    So I am not sure that--I think it would be a case-by-case 
answer rather than a one-size-fits-all answer, which I think 
reinforces what Mr. Nojeim said, that there is no silver bullet 
for security. And it is very difficult, I think, to--I think 
you need to look at the threat models and use the threat models 
to decide when the military should step in and when it 
shouldn't.
    Mr. Johnson. Thank you.
    Mr. Cauley. Congressman, first I would agree that mandatory 
requirements and enforceability are one element in establishing 
an adequate defense. And we have those standards and are 
looking to continue to improve those for the electric grid.
    I think to answer your question directly, it is the 
responsibility of the asset and information owners to protect 
their assets and their information. And I think those are 
divided into government and private sector assets and 
information.
    However, the reality is we are very much intertwined. 
Military bases and systems depend on electricity. So we are 
bound together not only in the information world, but also in 
the electric world.
    So I think it is important to complement that clear line of 
responsibility and accountability for securing our own systems 
to make sure that our actions are also complementary and 
helpful to each other.
    And so I think there are opportunities for the military to 
assist us in information awareness, and when we are under 
attack and maybe don't know it, and vice versa, for us to 
ensure we have done everything we can to provide reliable 
electric service.
    Mr. Nojeim. I agree with both of the other panelists.
    I think that one thing to keep in mind is that you often 
won't know what precisely was the source of the threat, what 
was the source of the problem. So then it becomes difficult to 
say who is responsible to respond to that threat.
    But you--I think it is easier to say that everybody should 
be securing their own systems or the systems for which they are 
responsible, and to add that, if I am securing my system and I 
learn about information that would help Mr. Cauley secure his 
system, I need to have a way to share it. And that is, I think, 
where a lot of productive work can be done.
    Mr. Johnson. Thank you.
    Mr. Nojeim, in the physical world there are clear 
differences of capability and role between civilian law 
enforcement and the armed forces. The military wields superior 
firepower, specializes in destruction instead of arrest or 
investigation, and is subject to less restrictive rules of 
engagement.
    What are or should be the equivalent differences of role 
and capability between civilian and military cyber-security 
authorities?
    Mr. Nojeim. You know, some of the capabilities are going to 
have to be similar. So, for example, say the National Security 
Agency has the ability to distinguish which--what is an attack 
signature that could threaten--of malware that could threaten a 
communications system. That information is useful, not just to 
the NSA, not just to Cyber Command, not just to the Department 
of Homeland Security, but to many people who are trying to 
secure information systems.
    The point that I am trying to get across is that while we 
talk about and I have talked about having distinct roles for 
each of these entities, we can maintain that distinction by 
relying on other activity that will help secure all networks 
better.
    One of those activities is information sharing, which I 
have talked about, and another is the sharing of expertise. 
There may be expertise within the military and at the National 
Security Agency that would be helpful to the Department of 
Defense, and there is already a mechanism to allow for the 
sharing of some of that information.
    Mr. Johnson. Thank you, Mr. Chairman.
    Mr. Thornberry. I thank the gentleman.
    Mr. West.
    Mr. West. Thank you, Mr. Chairman, and thank you, Mr. 
Ranking Member, for the panel being here today.
    I think when we look at this 21st-century battlefield it is 
definitely different from what we encountered in the 20th 
century. And of course it is multi-dimensional, multi-spatial. 
And of course the cyber realm does bring some interesting 
challenges.
    So my question, going back to my time in the military, we 
always had this thing called mission-essential vulnerable 
areas, and we always sat down and looked at what was our high-
value target list, the things that we knew that we needed to 
protect from our adversaries and our enemies.
    So my question is, in your assessment, what systems should 
be considered critical to national security, and under what 
framework should the government and the Department of Defense 
in particular provide for the security of private networks, 
both to those deemed critical to national security and to a 
wider user base?
    I will open that up to the panel. And subject to your 
response, I will yield back to the Chairman.
    Mr. Cauley. Congressman, I would take this on from the 
perspective of the electric grid in relationship to military.
    We have taken steps to identify what are the critical 
assets within the grid, and we have approved a standard 
requiring companies to identify those. Obviously, nuclear 
plants are essential. Large-generation, high-voltage 
transmission that serves as the backbone of the grid. 
Blackstart generation that allows us to reboot the system if it 
needs to be done. And our larger control center.
    So we are in the process. We have required that. What that 
may not get to, however, is the relationship with security--the 
military installations, which as I mentioned, the initiative 
that we have started with DOD is to identify if there is, 
besides our own electric priorities, what are the priorities of 
the military that we need to take a look at as well.
    And then at that point it becomes a decision between the 
electric company servicing that facility and the military base 
in terms of what additional steps would be needed.
    I would add one more aspect that I hadn't had a chance to 
mention. There are going to be some actions and threats that 
are beyond the capability of the industry to cope with.
    And an example, much has been said about a nuclear blast 
400 kilometers in the sky creating an EMP [electromagnetic 
pulse] event that takes down the grid. And--suggesting we need 
to understand the relationship between government and industry 
in resolving issues. That is a poster child for that, because I 
think the industry would say that is a government issue, if we 
have a nuclear blast going off over our skies in the homeland. 
Obviously, we would be expected to take some actions in terms 
of protecting and hardening the grid. But those issues need to 
be worked out further.
    Mr. West. Then the follow-on question is, do you think we 
have a clear line of delineation between the responsibilities 
of, you know, the government, DOD and the private sector?
    Mr. Cauley. No, sir, not to the extent needed for clarity 
of responsibility facing these new threats. I think the 
collaboration, consultation has been good, but I think it is 
based on ad hoc relationships and not clear lines of 
responsibility and authority.
    Ms. Pfleeger. I would like to use two examples to address 
your question. The first is there is a model that seems to be 
working that the Defense Department is already using called the 
``defense industrial base,'' where collaboratively the major 
contractors come together to share their cyber experiences and 
to share the things that they have done in order to address any 
kind of cyber problem.
    That might be a good model for expanding in some way, and 
the roles there I think are fluid because I think 
collaboratively, the defense industrial base acts to help the 
Defense Department, but at the same time makes clear what their 
individual goals are as private enterprises.
    The other thing is that I would encourage the Defense 
Department to think more about prevention, rather than reaction 
to cyber attacks. And let me use an example. I was at a meeting 
a couple of years ago where someone from DARPA [the Defense 
Advanced Research Projects Agency] was talking about funding a 
system where the whole, for example, the whole communications 
system in the U.S. could be viewed on one screen and you could 
watch as a cyber event unfolded that one part of the country 
goes down, then another, then another.
    The problem with that example is that it might not have 
been a cyber attack. It might have been that all the phone 
companies are buying their switches from the same vendor. There 
is a flaw in the switches and they all happen to be going down 
because some system problem was percolating through the system.
    So that is what I meant in my testimony about the 
difficulties of emergent behavior and the risks of making 
assumptions. And so it is very hard in those cases to decide 
not only what is going on, but what is the appropriate thing to 
do to react.
    Therefore, I think it makes a lot more sense to look from a 
preventive point of view at things like our critical 
infrastructure and look at more diversity, look at redundancy, 
look at ways of making sure that if we do have some sort of 
attack, we can come back up quickly or at least in some manner 
that enables the Defense Department, as well as private 
enterprise, to function while we figure out what is really 
happening and apply fixes.
    Mr. Nojeim. I would just add that there is a list of 
critical infrastructure key resources, tier one, tier two 
lists. DHS has prepared it. It is based on assessments as to 
what would happen if these were destroyed or rendered 
inoperative; in terms of casualties, whether people would have 
to evacuate areas; what would be the damage to national 
security.
    So there has already been a lot of thinking about what 
needs to be protected. We don't have to recreate the wheel on 
that score.
    Mr. Thornberry. Mrs. Davis.
    Mrs. Davis. Thank you, Mr. Chairman.
    Thank you all for being here. You provide a broad range, 
and that is appreciated.
    I don't know whether you would feel prepared to answer this 
question specifically, but I am wondering about interagency 
collaboration, coordination. One of the things that we 
experienced here on the Armed Services Committee a number of 
years ago was sort of our shock that in fact, you know I guess 
I would say the Pentagon and the State Department didn't really 
talk to each other to the extent that they should, and that we 
really weren't looking at a whole-of-government approach, if 
you will.
    Can you apply that to the issues that we are addressing 
here in terms of cyber security? How would you assess the 
extent to which that is kind of a working--I guess it is a work 
in progress in many ways--but where are we in that issue, to 
look upon how we best deal in an interagency way on this issue?
    Ms. Pfleeger. Well, there are some formal and some informal 
things going on. There was for a while an Infosec Research 
Council where different agencies funding cyber security 
research had representatives get together periodically and 
share what they were doing and coordinate.
    There are more formal things like the Department of 
Commerce now has an Internet Policy Task Force that is looking 
across the government. But you are absolutely right that a lot 
more needs to be done. There needs to be a lot more regular 
interaction at high levels across the different----
    Mrs. Davis. Any area particularly that you would seek to 
improve, specifically if we could focus on that?
    Ms. Pfleeger. Well, certainly discussions between Defense 
and Commerce and between Defense and State. Those are probably 
the two I would pick.
    Mr. Cauley. Congresswoman, with respect to the electric 
system, we have had very collegial consultation with a variety 
of agencies, and they are very helpful. I think if we are 
challenged it is just a confusion over leadership and the 
relationships between the different organizations, and the 
relationships between government and private sector.
    So they are collegial. We are getting worked on. We are 
learning. They are learning from us. We are learning from them, 
but it is not clear what the delineation of responsibilities, 
who is in charge, those kinds of questions. We are making do 
with what we have today.
    Mrs. Davis. Who is in charge, that is a big question. We 
got that, yes. Thank you.
    Mr. Nojeim, do you want to comment on that as well----
    Mr. Nojeim. I would just say that there is some 
cooperation, some communication, and that it is starting to get 
better and it needs to go further.
    Mrs. Davis. Can I just ask you a little bit about the labor 
force as it relates to this highly complex STEM [science, 
technology, engineering, and mathematics] area of education and 
science and technology. Clearly, we are not where we want to be 
generally in the country as it is in terms of encouraging young 
people to go into the field.
    Can you assess sort of the labor force and those people who 
are migrating to these careers and to this area? And what we--
what else--what should we be doing, even in terms of preparing 
our youngest children, I think, in having the ability to work 
in this area since we know that, as I know as I am just getting 
introduced to this topic and our concern that state actors make 
us very vulnerable. And we obviously need to be providing that 
expertise to our young people as well.
    Any thoughts, ideas as far as the labor force?
    Mr. Cauley. Well, in the electric industry, we are seeing 
an influx of talent. I mean, I think it is pretty obvious that 
kids will go where the jobs are. We are seeing very high 
influx. And we are also focused on training. I think we do have 
a gap that we are working on which is to elevate the 
credentials, the professional credentials of our security--
physical and cyber security folks.
    So I think it's major improvements in the last couple of 
years, lots of new talent coming in, but a long ways to go as 
well.
    Mrs. Davis. Yes?
    Ms. Pfleeger. In many cases, the people who provide cyber 
security expertise don't do only that, especially in small 
businesses. And so we are having a workshop at the end of April 
at Georgia Tech to look at the demand, to help inform what the 
supply should look like. And we are inviting people from 
government and industry together to tell us what their demand 
looks like and what some of the problems are so that we can 
make some recommendations about what the supply activities 
should look like.
    Mrs. Davis. Thank you.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Mr. Ryan.
    Mr. Ryan. Thank you, Mr. Chairman.
    I just have one question. One of the issues we have not 
just with--I am going to ask if it fits into the cyber strategy 
that we all should have as a country--is the issue of 
translating a lot of different languages. Is that an issue when 
we are talking about cyber security, where we have, whether 
they are state actors or a decentralized, you know, Al Qaeda-
type, where these folks are working from a different language 
than the English language, and trying to attack our systems.
    And, you know, is this an issue for us? Is this something 
that we need to be aware of? Because clearly, I know as far as 
the private sector goes, you are talking about Mandarin and 
Farsi and being able to have enough Americans able to speak 
these languages, to write and read in these languages for our 
corporate interests, as well as our governmental interests.
    I just wondered as I am sitting here listening, is that 
something that we should be concerned about not having, on top 
of what Ms. Davis was just saying, the workforce capable of 
helping us address this problem?
    I will let you answer and yield back the balance of my time 
when you are done.
    Mr. Cauley. Congressman, from an electric perspective, I 
don't view that as a priority at this time. For North America, 
all of our information exchange is done in English, including 
in Quebec where French is the language. But the electric grid 
operations are purely English.
    So we treat anything that is not in English as suspect to 
start with. So it is not really an interpretation question for 
us. It hasn't come up to our attention at this point.
    Mr. Nojeim. I think at one level, bad code is bad code and 
it is not really a question of whether it is English language 
or Spanish or another language. I think that the issue about 
needing people to speak in multiple languages comes up mostly 
in terms of prosecuting wrongdoers and being able to understand 
what people are saying who are perpetrating the crimes.
    Mr. Ryan. I know at one point we had an issue with a lot of 
the intelligence we were getting. We weren't able to translate 
a lot of the, you know, kind of prepared for attacks against 
us, we weren't able to do that. So I just want to throw that 
out there if that is something we need to continue to look at.
    Mr. Thornberry. And that is still the case with a lot of 
intelligence we get. We don't have the resources to translate 
it, so I thank the gentleman. Dr. Pfleeger, you talked about 
incentives in your statement. It has been suggested to me that 
with proper incentives, we can elevate general cyber security 
that would take care of roughly 80 percent of the problems that 
are going through cyberspace. Do you think that is about right?
    Ms. Pfleeger. Well, I don't know if it is 70 percent, 80 
percent. What I--two days ago, Arbor Networks revealed the 
results of a survey that they did of network engineers. And the 
top problem that the network engineers talked about was non-
technical factors being one of the most significant obstacles 
to reducing mitigation time.
    A lot of that has to do with there being a lack of 
incentives for the people maintaining the networks to pay more 
attention to security; the lack of users to pay more attention 
to security. And so because a lot of these non-technical 
problems loom large, that 80 percent number is probably close.
    I mean, if you look at things like the causes of a lot of 
typical problems, we see the same things over and over again. 
People don't change things from the default settings. They 
don't understand how to install security software.
    If there were incentives to encourage people to do the 
right thing, what I called in my testimony good hygiene, it 
won't completely solve the problem, but it could eliminate a 
lot of these things that we see that recur that shouldn't be 
happening anymore. We should know better by now.
    Mr. Thornberry. Do you know of any organization that has 
actually run the numbers, by which I mean to say this incentive 
for this tax provision or this, you know, whatever it is, will 
have this consequence in the real world, because businesses are 
calculating cost-benefit every day. How much is it going to 
cost? What is the benefit I get? And that cost-benefit has to 
line up for them to take additional actions. Has anybody run 
the numbers to kind of get more specifics on it?
    Ms. Pfleeger. There are some researchers who have done some 
economic models that suggest which incentives might be the most 
effective, but I haven't seen a lot that use real-world 
numbers, in part because it is hard to get good data.
    Mr. Thornberry. Yes.
    Ms. Pfleeger. So there are some first steps, but it would 
be really helpful if business would work with some of the 
modelers to--so that the models reflect the realities of the 
business trade-offs.
    Mr. Thornberry. Okay.
    Mr. Cauley, especially in your written statement, you made 
reference to the fact that private industry is always going to 
be at least a step behind in identifying some of the most 
sophisticated threats that go through cyberspace.
    I mean, just assume, if you will, that you can take care of 
80 percent by good hygiene, we still have 20 percent that are 
the more sophisticated, difficult threats to deal with. And so 
from what you said earlier today, I take it in that area you 
think there needs to be more government assistance of some sort 
for that kind of upper tier.
    Mr. Cauley. Yes, Mr. Chairman. That is why I think we need 
a dual strategy. So the Ranking Member Langevin has suggested 
we need firmer regulations and standards, and I agree with that 
because it provides a baseline of the expected mandatory 
requirements.
    But facing a dynamic, ever-evolving adversary, sitting 
still with fixed barriers is going to be very difficult. So 
having a robust relationship with the government intelligence 
agencies, which we are beginning to develop to take quick 
information and be able to turn it into actions that the 
industry can take, is essential.
    So let's treat it like it is a dynamic, ongoing war, and it 
is not a fence put around the systems. And I think that is 
where we need the help from the federal government.
    Mr. Thornberry. Let me ask you this. There has been lots of 
talk about a smart grid. To me that indicates that there are 
more access points on the grid to the Internet. Does that not 
increase our vulnerability--potential vulnerability of the 
electricity grid?
    Mr. Cauley. Mr. Chairman, it does create--introduce 
additional risks, additional entry points. And it is incumbent 
upon the industry and government, I think, in partnership to 
work out a sufficient set of security requirements for a smart 
grid and also for the vendors to deliver devices and systems 
that build in the security as a major objective from the start, 
not as an add-on later down the road.
    Mr. Thornberry. Mr. Nojeim, I think Mr. Cauley a while ago 
kind of used the EMP example as a big, catastrophic sort of 
event that would require government direct intervention.
    And I guess what I am wondering with you is do you--set EMP 
aside--what do you think there could be a situation where the 
cyber event is of such a magnitude as to overwhelm, perhaps, 
private ability to deal with it and that direct government 
action would be appropriate?
    Or, as I think you have kind of indicated in your 
testimony, is it always--as far as direct responsibility, it is 
DOD for DOD, DHS for dot-gov and all of dot-com is on its own?
    Mr. Nojeim. So I just--if I gave the impression that all of 
dot-com is on its own, I didn't mean to do that, because what I 
did say in the testimony at least a few times were some 
measures that ought to be taken to help dot-com defend itself.
    As for a catastrophic event that the private person 
couldn't deal with, I would need to just talk a little bit more 
and understand a little bit more about what that event would 
be. So, for example, some people have said that maybe the 
government ought to have authority to order the shutdown of 
Internet traffic to a critical infrastructure system.
    Well, see, that authority, as you think that through, would 
only be exercised when the person who owns or operates the 
system thinks that it ought not to be shut down. And they have 
strong incentive to protect their system. They have a strong 
incentive to isolate their system when it is in danger, and 
they do that right now.
    I think the question we have to ask is whether the 
government would have superior information that would inform 
that decision. And if so, that kind of information ought to be 
shared.
    And we also ought to ask other questions about what 
incentives that kind of authority would create. Would the owner 
operator of that system be willing to share information that 
they ought to share when they know that that information could 
be used to shut them down? Would they be more hesitant to shut 
down on their own when they think they ought to, because they 
are waiting to be ordered to shut down by the government, 
knowing that with the order will come a limitation of 
liability?
    So I think we have to think these things through and maybe 
game out some scenarios before we make blanket decisions.
    Mr. Thornberry. Okay. Let me ask one other thing, and then 
I will yield to the ranking member and others who may have 
questions.
    But as I understand what you have said, you think there is 
an appropriate role for government to share with private 
industry information it receives about signatures and malicious 
attacks going on in cyberspace as long as it is the private 
entity that deals with it, that takes direct action of some 
sort.
    Mr. Nojeim. Yes. Yes.
    Mr. Thornberry. And even though, obviously, if the 
government were to share some information with, say, a 
telecommunications carrier, the government will have to expect 
that some information is kept classified, potentially.
    Mr. Nojeim. And the government should expect and should 
help the telecommunications carrier have people on staff who 
can handle classified information.
    Mr. Thornberry. Certainly.
    Mr. Nojeim. And if there is a gap there----
    Mr. Thornberry. Absolutely.
    Mr. Nojeim [continuing]. And the right ones don't have the 
right cleared people, that is a place where the committee 
ought to pay particular----
    Mr. Thornberry. Well, DOD deals with defense contractors----
    Mr. Nojeim. All the time.
    Mr. Thornberry [continuing]. All the time in huge numbers, 
so, yes, I think that is a fair point.
    Ranking member.
    Mr. Langevin. Thank you, Mr. Chairman.
    To continue to explore this role of proper balance of 
authorities and such, particularly in time of crisis--and this 
is really for the entire panel--you know, what do you think the 
DOD's role should be in specifically protecting not just our 
power systems, but other critical infrastructure, such as our 
financial institutions or communications sector?
    Should there be any new structures set up to increase their 
coordination with the Department of Homeland Security, for 
example?
    Mr. Nojeim. I think there are some structures already. And 
again, when we think about role of DOD when it comes to 
securing private systems, it should be in a supportive role and 
that, for example, it should be supporting the efforts of the 
Department of Homeland Security to work with those private 
entities to secure their systems.
    And Cyber Command and NSA are going to have information and 
expertise that will be useful. And the important thing is to 
loose it and to access it and together to DHS and to these 
other entities so they can do a better job.
    Mr. Cauley. I would answer that question. I think there 
is--I have seen evidence of good coordination between the 
Department of Defense and Homeland Security, but I will repeat 
my earlier comment that working to try to resolve electric 
industry issues related to cyber, it is a community of 
agencies.
    It is not clear, you know, where all the responsibilities 
lie or where the authorities are, but we try to work with 
everybody.
    I think there is an interesting set of questions here in 
terms of what DOD should be authorized to do in the state of an 
emergency. And I really wouldn't rule out--I sympathize with my 
fellow panelist's comment that it becomes very, very scary if a 
government agency can take an action that would alter the 
controls of the power grid, because it is just a scary thought. 
It could have unintended consequences.
    But I can conceive of extreme denial of service attacks on 
the Internet or sort of a major cyber concurrent attack on the 
entire country, where intervention by DOD might be beneficial 
just to stop the bleeding in the initial minutes and hours. And 
I think that would merit some more dialogue in terms of what 
that would look like, but overall I think the industry needs 
the information to act under most circumstances.
    Ms. Pfleeger. I suggest that the DOD consider again the 
threat models and try to work collaboratively in advance with 
providers of the key infrastructure, perhaps by giving them 
scenarios. So the DOD might suggest, for instance, that the 
electric grid have the capability to do a handful of things 
that would be useful to both the grid and the Defense 
Department, if there were an attack on the grid.
    I think that kind of in-advance, preventive set of 
measures might be more effective than just having a blanket 
ability to--for the DOD to take over something that it is not 
used to running.
    Mr. Langevin. Let me turn to something else. You know, 
there is a debate around, you know, what constitutes cyber 
warfare, what constitutes a cyber attack, if you will, versus 
defense. You know, and basically how involved should our 
military be in cyber security when you look at, for example, 
computer network operations by DOD. Much of this debate focuses 
around--what constitutes ``warfare,'' you know.
    Could you provide a definition to us about what cyber 
warfare is and what it looks like, and what the appropriate 
response should be?
    Mr. Cauley. Ranking Member Langevin, I have seen enough in 
the last few months--just in my visits with NORTHCOM and the 
Pentagon--to understand that the Department of Defense has a 
much richer understanding of the ongoing cyber warfare than we 
have in the private sector.
    So I think anything that can be done to not just keep that 
information internal as we know what is going on in the cyber 
warfare arena, but how can we help industry understand the 
information they need to know to--to be aware of what is going 
on.
    I myself have a top secret clearance--been to some of the 
briefings. I have understood more than I had in the past. And 
it is serious stuff going on. And I think we need to be able to 
share that with industry in a timely fashion.
    The tendency is, because it is a war, to keep it inside the 
military and not share it. And I think we have to figure out 
how we overcome that a bit.
    Mr. Langevin. Well, I yield back.
    Mr. Thornberry. Dr. Pfleeger, one of the challenges the 
government always faces is how to have a role that does not 
distort the market in some way. And I am thinking about 
especially research in this area.
    Obviously, the Microsoft and the Dells of the world are 
doing lots of research about next phases of computing that can 
be more secure. Do you have suggestions as to the government's 
role in funding specific kinds of research that would be 
complementary but not displace the role that private industry 
plays?
    Ms. Pfleeger. I think there are already a lot of activities 
coordinating what the private sector is doing with what our 
universities should be doing and what the government should be 
sponsoring.
    Both within the DOD and the Department of Homeland Security 
they have lists of their key topics that they try to fund.
    I think the place where there is room for improvement is 
that often the focus is on the technology alone and not on how 
people use the technology or perceive the technology. And so I 
think that is an opportunity for improving not just the kinds 
of technology that we are producing to make things more secure, 
but improving the technology transfer, improving the eagerness 
with which users view the security. If they could view it more 
as an enabler than as an obstacle, I think that would make a 
huge difference.
    So it isn't always what the technologists like to get 
funded to look at, but in fact, technology that isn't used 
properly or isn't used at all is fairly worthless.
    Mr. Thornberry. Let me also give you a chance to weigh in 
if you would like on this question about emergency powers. 
Because I know it has been very controversial in some of the 
Senate bills about to what extent a government ought to have 
ability to take emergency actions. And you have heard a little 
bit of it addressed here.
    Do you have views on that?
    Ms. Pfleeger. I don't really have a view. I have looked at 
some of the issues. But I am not a lawyer. I am not a 
historian. I am not sure it would be appropriate for me to make 
a judgment.
    Mr. Thornberry. I appreciate it.
    Yes, gentleman from Texas.
    Mr. Conaway. It occurred to me, that as you are looking at 
this new cloud concept where everything is out that--the things 
that we are talking about today--before that--in other words, 
all of that innovation which creates greater accesses and from 
anywhere you want all your data is out there.
    Does the stuff we talked about today really contemplate 
that at all?
    Ms. Pfleeger. Do you mean--if I understand you, you are 
asking whether the kinds of recommendations that we made in our 
testimony----
    Mr. Conaway [continuing]. Yes, just the state of play, is 
the state of art for--do the users out there remotely 
understand the risks they take, that you are relying on private 
entities to protect all of that?
    It just occurred to me that we fight this fight right now 
where most everybody's stuff was on a laptop and you had a 
direct access line. But now with this--the new innovations and 
the continued improvements and everything, do we really 
contemplate--are these recommendations getting as far ahead as 
what that is ahead of the normal way people understand what is 
going on?
    Ms. Pfleeger. Well, I think the cloud computing is a good 
example of misaligned incentives. Because a lot of people--a 
lot of organizations are choosing to use the cloud because it 
is cheaper without being aware, as you point out, of the risks 
that they are taking.
    And so I think a lot of these questions are being raised. 
But there aren't a lot of good answers yet.
    Mr. Nojeim. I think that it is a double-edged sword. And 
you could have cloud providers that are better at security than 
the individual user is on his or her laptop. So maybe if more 
users demand more security, we will get better security as a 
result of migration to the cloud instead of worse security.
    Mr. Conaway. But is the driver--is the free market system 
robust enough to drive those kinds of things without the users 
knowing it and/or appreciating it----
    Mr. Nojeim. I think it depends on the user. There are some 
users that are large corporations that are moving to the cloud 
and they are asking these questions----
    Mr. Conaway. They will drag along the protections for all 
those folks----
    Mr. Nojeim. They are going to drag along the protections 
for--you know, obviously, they are interested in protecting 
their own data. I think the issue is whether the practices 
become such that they become more a standard at a higher level 
as a result of the demands of industry. As it moves toward the 
cloud it would filter down and help consumers.
    Mr. Conaway. Okay.
    Thank you, Mr. Chairman. Appreciate that.
    Mr. Thornberry. Let me just--I have been trying to take 
notes and see if I can summarize, at least, some areas where it 
seems to me you all are pretty well in agreement.
    One is that the government does need to take some action. 
That continuing to let things drift along as--that may be a 
little--continuing as we are without some additional action 
would be a mistake.
    Secondly, that there needs to be some further action in the 
form of incentives, regulations to encourage a general--or to 
mandate a general increase in cyber security.
    Third, that at a minimum, the Department of Defense should 
ensure that the appropriate entities in the private sector have 
access to more of the information that the Department of 
Defense has in order to protect those private networks better.
    So have I--does anybody disagree, I guess, with at least 
that starting point?
    Now, you all have to say something. They can't----
    Mr. Nojeim. I think that is a good starting point. I think 
that, you know, people are going to say, ``Well, I didn't call 
for more regulation,'' or this or that.
    But----
    Mr. Thornberry. Yes, yes.
    Mr. Nojeim [continuing]. I think that, you know, when we 
look at incentives, we look at accessing information that the 
government has and spreading that out, I think that there is a 
general consensus about that.
    Mr. Thornberry. And you are okay with increased incentives 
and considering, at least, looking at regulation of certain 
sectors that are already regulated, at least, as something----
    Mr. Nojeim. Yes.
    And as I said, we think that different sectors are going to 
be subject to different rules.
    Mr. Thornberry. Yes. Yes.
    Mr. Cauley. Mr. Chairman, I would generally agree, as well, 
with a couple of nuances. I think there does need to be clarity 
within the various agencies in the government in terms of roles 
and responsibilities, and who do we work with as private 
sector.
    I think in terms of the mandates to industry, my sense is 
we have--in the electric side, we have addressed that mostly 
through existing structures through the Federal Energy 
Regulatory Commission and our ability to do mandatory 
standards.
    I did point out a gap, I thought, in emergency, in an 
immediate threat--do we need a mandate and action?
    I think there is a danger of further escalating the 
mandatory compliance directive aspect because we may drive the 
electric industry to sort of a common plateau of mandated 
regulations. And I am trying to get them to fight the dynamic 
warfare in cyber--so I think we can over-regulate when we have 
a solid foundation. So I just want to make that distinction.
    Mr. Thornberry. And that is a fair point and an important 
amplification, I think.
    Ms. Pfleeger. I also agree that it is a good summary.
    I think, in addition, the government could--I think we 
would probably all agree that the government could encourage 
private sector initiatives that already are good behavior. 
There already are examples of private enterprise making data 
public, collaborating in various ways. And so making that more 
visible and providing incentives in that way might be helpful.
    Mr. Thornberry. Okay.
    We may want to pursue--I have some other questions on that 
line that we may want to pursue with you.
    Anyway, thank you all very much for being here. I 
appreciate your testimony and the time it took to prepare it, 
and for your being here.
    With that, the hearing stands adjourned.
    [Whereupon, at 12:59 p.m., the subcommittee was adjourned.]
=======================================================================




                            A P P E N D I X

                           February 11, 2011

=======================================================================

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                           February 11, 2011

=======================================================================

    [The prepared statements were submitted as graphics (TIFF 
images T4861.001 through T4861.057) and are omitted from this 
text version.]
