<html>
<title> - CYBERSECURITY: INNOVATIVE SOLUTIONS TO CHALLENGING PROBLEMS</title>
<body><pre>[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


      CYBERSECURITY: INNOVATIVE SOLUTIONS TO CHALLENGING PROBLEMS 

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INTELLECTUAL PROPERTY,
                     COMPETITION, AND THE INTERNET

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 25, 2011

                               __________

                           Serial No. 112-38

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov


                               __________

                       U.S. GOVERNMENT PRINTING OFFICE 

66-541 PDF                     WASHINGTON : 2011 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


                       COMMITTEE ON THE JUDICIARY

                      LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina         JERROLD NADLER, New York
ELTON GALLEGLY, California           ROBERT C. ``BOBBY'' SCOTT, 
BOB GOODLATTE, Virginia                  Virginia
DANIEL E. LUNGREN, California        MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio                   ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana                  MAXINE WATERS, California
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     MIKE QUIGLEY, Illinois
TED POE, Texas                       JUDY CHU, California
JASON CHAFFETZ, Utah                 TED DEUTCH, Florida
TIM GRIFFIN, Arkansas                LINDA T. SANCHEZ, California
TOM MARINO, Pennsylvania             [Vacant]
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona
[Vacant]

      Sean McLaughlin, Majority Chief of Staff and General Counsel
       Perry Apelbaum, Minority Staff Director and Chief Counsel
                                 ------                                

  Subcommittee on Intellectual Property, Competition, and the Internet

                   BOB GOODLATTE, Virginia, Chairman

                   BEN QUAYLE, Arizona, Vice-Chairman

F. JAMES SENSENBRENNER, Jr.,         MELVIN L. WATT, North Carolina
Wisconsin                            JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
STEVE CHABOT, Ohio                   JUDY CHU, California
DARRELL E. ISSA, California          TED DEUTCH, Florida
MIKE PENCE, Indiana                  LINDA T. SANCHEZ, California
JIM JORDAN, Ohio                     JERROLD NADLER, New York
TED POE, Texas                       ZOE LOFGREN, California
JASON CHAFFETZ, Utah                 SHEILA JACKSON LEE, Texas
TIM GRIFFIN, Arkansas                MAXINE WATERS, California
TOM MARINO, Pennsylvania             [Vacant]
SANDY ADAMS, Florida
[Vacant]

                     Blaine Merritt, Chief Counsel

                   Stephanie Moore, Minority Counsel


                            C O N T E N T S

                              ----------                              

                              MAY 25, 2011

                                                                   Page

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Subcommittee on 
  Intellectual Property, Competition, and the Internet...........     1
The Honorable Melvin L. Watt, a Representative in Congress from 
  the State of North Carolina, and Ranking Member, Subcommittee 
  on Intellectual Property, Competition, and the Internet........     3
The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, Ranking Member, Committee on the 
  Judiciary, and Member, Subcommittee on Intellectual Property, 
  Competition, and the Internet..................................     4

                               WITNESSES

James A. Baker, Associate Deputy Attorney General, U.S. 
  Department of Justice
  Oral Testimony.................................................     6
  Joint Prepared Statement.......................................     8
Greg Schaffer, Assistant Secretary for Cybersecurity and 
  Communications (CS&C), National Protection and Programs 
  Directorate, Department of Homeland Security
  Oral Testimony.................................................    14
  Joint Prepared Statement.......................................     8
Ari Schwartz, Senior Internet Policy Advisor, National Institute 
  of Standards and Technology, U.S. Department of Commerce
  Oral Testimony.................................................    15
  Joint Prepared Statement.......................................     8
Robert W. Holleyman, II, President and CEO, Business Software 
  Alliance (BSA)
  Oral Testimony.................................................    31
  Prepared Statement.............................................    33
Leigh Williams, BITS President, The Financial Services Roundtable 
  (FSR)
  Oral Testimony.................................................    44
  Prepared Statement.............................................    47
Leslie Harris, President and CEO, Center for Democracy and 
  Technology (CDT)
  Oral Testimony.................................................    56
  Prepared Statement.............................................    58


      CYBERSECURITY: INNOVATIVE SOLUTIONS TO CHALLENGING PROBLEMS

                              ----------                              


                        WEDNESDAY, MAY 25, 2011

              House of Representatives,    
         Subcommittee on Intellectual Property,    
                     Competition, and the Internet,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 10:03 a.m., in 
room 2141, Rayburn Office Building, the Honorable Bob Goodlatte 
(Chairman of the Subcommittee) presiding.
    Present: Representatives Goodlatte, Quayle, Coble, Issa, 
Chaffetz, Griffin, Marino, Adams, Watt, Conyers, Lofgren, and 
Jackson Lee.
    Staff present: (Majority) Vishal Amin, Counsel; Olivia Lee, 
Clerk; and (Minority) Stephanie Moore, Subcommittee Chief 
Counsel.
    Mr. Goodlatte. Good morning. 
The Subcommittee on 
Intellectual Property, Competition, and the Internet will come 
to order.
    And I will recognize myself for an opening statement.
    Today we are holding a hearing on cybersecurity. This is a 
complex issue that cuts across several Federal agencies and 
connects a multitude of stakeholders. The issue may be complex, 
but the consequences of failure are fairly direct.
    The Federal Government's computers are attacked by hackers, 
many from abroad, on a regular basis. Though most of these 
attacks are thwarted, some end up breaking through. And not all 
of these attacks are sophisticated. Sometimes it is the low-
tech attack that wreaks the most damage as demonstrated by the 
WikiLeaks case where thousands of classified State Department 
documents were released online. Had basic cybersecurity 
practices been followed, it would not have been possible for 
someone to remove such a large volume of data from those 
classified computers.
    Despite the fact that the Federal sector grabs the 
headlines, in many respects it really is the private sector 
that stands on the front lines of cybersecurity. More than 90 
percent of our Nation's critical infrastructure is operated by 
the private sector. Even though the Federal Government has an 
important role to play, we need to make sure we hear from the 
private sector and ensure that their hands are not tied due to 
obtuse regulations and increased bureaucracy.
    In 2004, worldwide economic damage from digital attacks was 
between $46 billion and $56 billion, according to a 
Congressional Research Service estimate. In 2009, the 
Administration's cyberspace policy review estimated that losses 
from data theft in 2008 were as high as $1 trillion. 
It is 
clear that the stakes are high and we must take steps to 
bolster our cybersecurity now.
    Again, while the Government has a crucial role to play, any 
policy to improve private-sector cybersecurity should not run 
against or impede our economic prosperity. Regulatory mandates 
are unlikely to lead to private-sector cybersecurity 
improvements and will likely hinder economic growth.
    The regulatory process is a slow one, whereas the 
escalating cyber threats our country faces are extremely 
dynamic problems. Cybersecurity threats and online technologies 
change quickly, so quickly that any regulations for 
cybersecurity could be outdated by the time they are finalized.
    Further, a burdensome regulatory framework that increases 
costs for U.S. businesses puts them at a distinct competitive 
disadvantage to their foreign competitors. Likewise, any 
efforts by the Government to take control of the Internet 
through a kill switch should be strongly resisted. The idea of 
a kill switch harkens to the type of control abused by 
dictators, as we most recently saw in Egypt.
    I believe that Congress and the Administration need to set 
general parameters and then look for ways to encourage the 
private sector to do more to protect its infrastructure from 
cyber attacks. However, in doing so, we need to ensure that a 
one-size-fits-all mandate from the Federal Government is 
avoided. Entangling companies in a morass of red tape will not 
solve the problem and will actually stifle innovation. 
Companies are on the front lines in this fight, and the private 
sector is the best equipped to match the increasingly 
sophisticated threats to our cybersecurity with sophisticated 
counter-efforts. 
To be successful, any solutions in this area 
must unleash the creativity and resourcefulness of the private 
sector to combat the problem.
    One way to accomplish this would be to provide limited 
liability protection to companies that take steps to improve 
their cybersecurity capabilities. Providing civil liability 
safe harbors to businesses that demonstrate compliance with 
cybersecurity best practices would encourage the private sector 
to adopt effective measures.
    Additionally, I believe that Government has a role to play 
in public engagement, working with companies to help them 
understand and appreciate the potential losses that can occur 
through a cyber intrusion. When folks better understand the 
potential ramifications, it becomes clearer that it is in their 
best economic interest to improve their cybersecurity 
capabilities. Part of this public/private engagement means that 
companies will need to share experiences and best practices to 
help identify vulnerabilities and solutions.
    As we look at these innovative solutions, I think that we 
also need to examine the criminal code to ensure that our laws 
track with the threats posed by hackers and other cyber 
criminals. Our Nation's law enforcement agencies should have 
the necessary tools to investigate, apprehend, and prosecute 
cyber criminals.
    Though these ideas are not exhaustive, I think this 
framework will help us steer the debate toward solutions that 
address the complex and challenging problems posed in the 
cybersecurity sphere. 
I am currently working on legislation 
along these lines and look forward to continuing to work with 
Members of this Committee and industry on that effort.
    I look forward to hearing from all of our witnesses today 
and hope that we can have a spirited discussion on the 
Administration's cybersecurity proposal and the best steps 
Congress can take to ensure that our security in the digital 
era is strong and effective.
    And now it is my pleasure to recognize the Ranking Member 
of the Subcommittee, the gentleman from North Carolina, Mr. 
Watt.
    Mr. Watt. Thank you, Mr. Chairman. I appreciate the 
Chairman convening this hearing. I am a little disappointed that 
we don't have our colleagues here from the Crime Subcommittee, 
especially in light of the Chairman's last few paragraphs 
suggesting that this may be more readily addressed by dealing 
with the issue on the criminal side. But I am sure there are 
other implications here and I am happy to try to explore them 
hopefully without being as firm in my opinions yet since I am 
not an expert in this area as the Chairman seems to be. I am 
not sure that I think the private sector can solve every public 
problem we have, but that is a subject of a long debate in 
many, many different contexts.
    The protection and security of our Nation's digital 
information infrastructure is among the highest priorities we 
face as the transformation of global communications networks to 
cyberspace continues. As the Administration noted over 2 years 
ago in its cyberspace policy review, quote, cyberspace touches 
practically everything and everyone. It provides a platform for 
innovation and prosperity and the means to improve general 
welfare around the globe. But with the broad reach of a loose 
and likely regulated digital infrastructure, great risks 
threaten nations, private enterprises, and individual rights. 
Closed quote.
    The Administration's answer to these challenges was 
released last week, and I commend the Chairman for scheduling 
this hearing promptly so that we can begin to debate these 
issues in earnest.
    Over the past few years, news reports of breaches in the 
digital security of our businesses, for example, Google, Sony, 
and PlayStation, or breaches of the digital security of the 
Government have increased at an alarming rate. Although 
WikiLeaks has become the face of security breaches within the 
Government, the more significant breaches are those where 
Government computers are attacked and infected with malicious 
code, as was the case last fall when a foreign intelligence 
agency using a flash drive spread a rogue program through a 
military computer network of classified and unclassified data.
    Various officials and commentators have sounded a clarion 
call for Congress to address this threat or risk a 
sophisticated cyber attack that could cripple the U.S. computer 
networks, including our financial institutions, energy, and 
electricity systems and transportation networks.
    Others have rightly highlighted the fact that we must 
continue to value individual privacy as we develop effective 
protocols to secure our digital infrastructure from attack.
    The Administration's proposal has been met with mixed 
reviews. On the one hand, the proposal seems to have received a 
generally positive reception in the Senate, but at least one 
critic and former Bush administration official has dubbed the 
proposal as less than ``weak tea,'' saying ``I would call this 
weak tea except the teabag doesn't seem to have actually 
touched the water. 
The privacy and business groups that don't 
want to do anything serious about the cybersecurity crisis have 
captured yet another White House.''
    I am hopeful that both panels today can provide us with a 
response to that criticism.
    In closing, let me say I look forward to learning more 
about the aims of the Administration's proposal but must note 
one concern that I am sure Ranking Member Bobby Scott of the 
Crime Subcommittee and I would share: the inclusion in the 
proposal of mandatory minimums. Particularly in an area rife 
with adolescent mischief, it seems to me that there may be 
missed opportunities if there is no flexibility to educate and 
take advantage of the genius, albeit sometimes misguided or 
manipulated, of our youth who may not know that they are 
committing a cyber crime.
    We have two impressive panels today, so I will yield back 
and look forward to their testimony. Thank you, Mr. Chairman.
    Mr. Goodlatte. I thank the gentleman.
    And the Chair is pleased to recognize the Ranking Member of 
the full Committee, the gentleman from Michigan, Mr. Conyers.
    Mr. Conyers. Thank you, Chairman Goodlatte and our Ranking 
minority Member, Mel Watt.
    I want to join in the request that the Subcommittee on 
Crime have hearings on this subject since we are not doing it 
together, and I think it is better that we do it separately 
anyway, but especially with this mandatory minimum in here.
    Now, there may be a mandatory minimum that I like, but I 
have never met one yet. And to be putting this in, rushing this 
in without ever clarifying what it is we are putting a 
mandatory minimum on is not a good way for a Committee on the 
Judiciary to proceed. 
And so I think we ought to take that out, 
and I think that ought to belong to the Subcommittee on Crime 
to help us get to that.
    Now, I am going to be drafting a national law that doesn't 
have that in it but that will be a lot more particular, and I 
am hoping that we can get to this. California has the strongest 
laws on the subject, and I think it is very important. But I 
don't think that we can do this without taking into 
consideration some of the other State laws. And I think there 
has to be one law that supersedes all the State laws unless we 
have some particular kinds of carve-out that would allow some 
of them to exist. That is the question I am interested in 
today. Should we have a national law or should we have 
exceptions within the national law?
    And I will yield back the balance of my time, Chairman 
Goodlatte. Thank you.
    Mr. Goodlatte. I thank the gentleman.
    And I want to assure both the gentleman from North Carolina 
and the gentleman from Michigan that while the Administration's 
proposals are deserving of very careful consideration, there 
will be, I want to assure you, no rush to judgment on them with 
or without mandatory minimums.
    We have two very distinguished panels of witnesses today, 
and each of the witnesses' written statements will be entered 
into the record in its entirety. I ask that each witness 
summarize his testimony in 5 minutes or less, and to help you 
stay within that time, there is a timing light on your table. 
When the light switches from green to yellow, you have 1 minute 
to conclude your testimony. When the light turns red, it 
signals that your time has expired.
    Before I introduce our witnesses, I would like them to 
stand and be sworn.
    [Witnesses sworn.]
    Mr. Goodlatte. Thank you. You can be seated.
    Our first witness is Mr. James Baker. Mr. Baker serves as 
Associate Deputy Attorney General in the Department of Justice. 
Mr. 
Baker is responsible for a range of national security, 
cybersecurity, and other matters. He previously served as 
counsel for intelligence policy at the Department from 2001 to 
2007 where, among other things, he was in charge of 
representing the United States before the Foreign Intelligence 
Surveillance Court. In addition, he served as a Federal 
prosecutor with the Department's Criminal Division from 2008 to 
2009. Mr. Baker was Assistant General Counsel for National 
Security at Verizon Business. He has also taught national 
security at Harvard Law School and was a fellow at the 
Institute of Politics at Harvard's Kennedy School of 
Government. He is a graduate of the University of Notre Dame 
and the University of Michigan Law School.
    Our second witness is Mr. Greg Schaffer. Mr. Schaffer 
serves as Assistant Secretary for Cyber Security and 
Communications at the Department of Homeland Security. Mr. 
Schaffer works within the National Protection and Programs 
Directorate to lead the Department's cybersecurity efforts. He 
works with public and private sectors as well as international 
partners to prepare for, prevent, and respond to catastrophic 
incidents that could degrade or overwhelm the Nation's 
strategic cyber and communications infrastructure. Mr. Schaffer 
previously served as Senior Vice President and Chief Risk 
Officer for Alltel Communications. Before joining Alltel, Mr. 
Schaffer worked at PricewaterhouseCoopers and served as a 
prosecutor at the Department of Justice. He received his B.A. 
from George Washington University and his J.D. from the 
University of Southern California Law Center.
    Our third witness is Mr. Ari Schwartz. Mr. Schwartz serves 
as Senior Internet Policy Advisor for the National Institute of 
Standards and Technology, NIST, at the Department of Commerce. 
As part of the Commerce Department's Internet Policy Task 
Force, he provides input on areas such as cybersecurity, 
privacy, and identity management. He also works on IT-related 
issues for the White House Office of Science and Technology 
Policy Cross Agency Working Groups. Mr. Schwartz came to NIST 
on August 30, 2010 after serving over 12 years as Vice 
President and Chief Operating Officer of the Center for 
Democracy and Technology. At CDT, Mr. Schwartz worked to 
improve privacy protections in the digital age and expand 
access to Government information via the Internet. He also led 
the Anti-Spyware Coalition, anti-spyware software companies, 
academics and public interest groups dedicated to defeating 
spyware. He was also named one of the top five influential IT 
security thinkers of 2007 by Secure Computing magazine.
    Welcome to you all and we will begin with you, Mr. Baker.

TESTIMONY OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL, 
                   U.S. DEPARTMENT OF JUSTICE

    Mr. Baker. Good morning, Mr. Chairman, Ranking Member Watt, 
and Members of the Committee. Thank you for the opportunity to 
testify today on behalf of the Department of Justice regarding 
the Administration's cyber legislation proposals.
    As the President has stated and as this Committee well 
knows, the United States confronts serious and complex 
cybersecurity threats. Our critical infrastructure is 
vulnerable to cyber intrusions that could damage vital national 
resources and put lives at risk. Intruders have stolen 
confidential information, intellectual property, and 
substantial amounts of funds.
    Cyber crime is on the rise and criminal syndicates are 
operating with increasing sophistication to steal from innocent 
Americans. 
Even more alarming, these intrusions might be 
creating future access points through which criminal actors and 
others can compromise critical systems during times of crisis 
or for other nefarious purposes.
    Over the past few years, the Government has made real 
progress in confronting these threats. At the Justice 
Department, our investigators and prosecutors have established 
new units such as the National Cyber Investigative Joint Task 
Force, or NCIJTF, to pull together the resources of many 
different agencies to investigate and address cyber threats.
    Despite the good work that has been going on in this area, 
the problem is far from resolved. It is clear that new 
legislation can improve cybersecurity in a number of critical 
respects as described in the Administration's legislative 
proposal. I would like to take a moment to highlight two parts 
of the Administration's legislative package that are aimed at 
protecting Americans from cyber crime.
    First, data breach notification. Data breaches frequently 
involve the compromise of sensitive, personal information and 
expose consumers to identity theft and other crimes. Right now, 
there are 47 different State laws requiring companies to report 
data breaches in different situations and through different 
mechanisms.
    The Administration's data breach proposal would replace 
those 47 State laws with a single national standard applicable 
to all entities that meet the minimum threshold set forth in 
the proposal. If enacted into law, this proposal, we believe, 
would better ensure that companies notify consumers promptly 
when sensitive personally identifiable information is 
compromised and that they inform consumers about what they can 
do to protect themselves. The proposal would empower the 
Federal Trade Commission to enforce the reporting requirements. 
It would also establish rules for what must be reported to law 
enforcement agencies when there is a significant intrusion so 
that, for example, the FBI and the U.S. Secret Service can work 
quickly to identify the culprit and protect others from being 
victimized. The national standard would also make compliance 
easier for industry, we believe, which currently has the burden 
of operating under the patchwork of all these different State 
laws that I mentioned.
    Second, the Administration's proposal includes a handful of 
changes to a variety of criminal laws aimed at ensuring that 
computer crimes and cyber intrusions can be investigated and 
punished in the same way and to the same extent as other 
similar or analogous criminal activity. Of particular note, the 
Administration's proposal would make it clearly unlawful to 
damage or shut down a computer system that manages or controls 
a critical infrastructure, and it would establish minimum 
sentence requirements for such activities. This narrow, focused 
proposal is intended to provide strong deterrence to this class 
of very serious, potentially life-threatening crimes. Moreover, 
because cyber crime has become a big business for organized 
crime groups, the Administration's proposal would make it clear 
that the Racketeer Influenced and Corrupt Organizations Act, or 
RICO, applies to computer crimes.
    Also, the proposal would harmonize the sentences and 
penalties in the Computer Fraud and Abuse Act with other 
similar laws. For example, acts of wire fraud in the United 
States currently carry a maximum penalty of 20 years in prison, 
but violations of the Computer Fraud and Abuse Act involving 
very similar behavior carry a maximum of only 5 years.
    Mr. Chairman and Members of the Committee, this is an 
important topic and thank you for holding this hearing today. 
The country is at risk and there is much work to be done to 
better protect critical infrastructure and stop computer 
criminals from victimizing and threatening Americans.
    I look forward to answering your questions today, and thank 
you, Mr. Chairman.
    [The joint prepared statement of Mr. Baker, Mr. Schaffer, 
and Mr. Schwartz follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                               __________

    Mr. Goodlatte. Thank you, Mr. Baker.
    Mr. Schaffer, welcome.

      TESTIMONY OF GREG SCHAFFER, ASSISTANT SECRETARY FOR 
 CYBERSECURITY AND COMMUNICATIONS (CS&C), NATIONAL PROTECTION 
   AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY

    Mr. Schaffer. Thank you, Mr. Chairman, Ranking Member Watt, 
and Members of the Subcommittee. It is a pleasure to be here 
this morning and an honor to be able to testify on this 
important topic.
    No security issue is more pressing to the Nation than 
cybersecurity today. We face known and unknown vulnerabilities 
that are being exploited by an expanding set of threat actors 
with strong and rapidly expanding threat capabilities. They are 
acting in an environment where we have limited awareness of 
what they are exploiting on our networks, but through the 
limited visibility we do have, we know one fact, which is that 
in cyberspace, offense wins and defense tends to lose. As a 
consequence, personal privacy is routinely invaded, 
intellectual property of American companies is continuously 
siphoned off to points unknown, and as we attach more and more 
of our critical infrastructure to the networks for the 
efficiency that they can bring, the power grid, the financial 
sector, transportation networks, we put more and more of our 
systems at risk to attacks that can literally impact our way of 
life. This is a national security issue. 
It is an economic 
security issue, and it is a homeland security issue.
    We believe that government, industry, and individuals 
working together will be necessary in order to reform our 
practices in order to execute a solution to these problems, and 
the Administration's proposal recently submitted to Congress is 
designed to do that.
    I will focus my comments on two parts of the proposal, one 
focused on protecting the Federal Government and the other on 
protecting critical infrastructure.
    Under the heading of protecting the Federal Government, the 
proposal would solidify DHS's responsibilities with respect to 
leading protection for Federal civilian networks. It would 
establish protection service capabilities like intrusion 
detection and intrusion prevention, red teams, and risk 
assessments for Federal Departments and agencies. It is some of 
the work that we are already doing today, but it clarifies our 
authority and it removes the necessity to enter into 
complicated legal agreements and arrangements in order to 
execute in our mission space.
    It also would modernize the Federal Information Security 
Management Act, or FISMA. It is similar to many bills that have 
been presented over the last couple of years to go away from 
paper-based compliance exercises and move in the direction of 
real risk reduction through continuous monitoring and 
operational improvements.
    We would also be ensuring that DHS has the cybersecurity 
hiring authorities in order to get the best people in order to 
execute in this mission space. As you know, it is extremely 
competitive to hire people in this space. DOD had some 
authorities that allow them to move more quickly to do the 
hiring and pay arrangements that the private sector often can 
pay more and hire faster. 
This would simply expand DOD's 
existing capabilities and apply them to DHS.
    Under the heading of protecting critical infrastructure, we 
believe that the proposal enhances collaboration with the 
private sector through both voluntary and mandatory programs as 
well as improving the opportunities for information sharing.
    Under the heading of voluntary assistance, it enables DHS 
to quickly work with the private sector, State, local, tribal, 
and territorial governments by clarifying our legal authority 
to provide certain kinds of assistance, including alerts and 
warnings, risk assessments, onsite technical support, and 
incident response.
    For information sharing, it again clarifies the authority 
of businesses, State, local, tribal, and territorial 
governments to provide information that they learn about 
through operating their own networks which can be useful to 
help cybersecurity for the Nation. That would be done with 
immunity when the sharing is done, but it would also be done 
under mandates for a robust privacy oversight and controls.
    Mandatory parts of the provision in the bill would really 
focus on critical infrastructure mitigation of risk. In this 
space, the plan is to work with the private sector to develop 
the kinds of entities that would need to be covered as critical 
infrastructure to develop frameworks to identify risks, 
mitigate those risks, and then have the individual companies 
come up with plans to apply those frameworks to their 
infrastructure. We would then be able to make that information 
available to the marketplace. 
We would also be in a position to \nget notices of breaches when they happen so that we can have \nsituational awareness across the ecosystem, as well as being \nable to provide assistance to those companies when breaches do \noccur.\n    We believe that these provisions will help improve security \nacross the entire ecosystem, and I thank you again for the \nopportunity to testify and I stand ready to answer your \nquestions.\n    Mr. Goodlatte. Thank you, Mr. Schaffer.\n    Mr. Schwartz, welcome.\n                               __________\n\n  TESTIMONY OF ARI SCHWARTZ, SENIOR INTERNET POLICY ADVISOR, \nNATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT \n                          OF COMMERCE\n\n    Mr. Schwartz. Thank you, Chairman Goodlatte, Ranking Member \nWatt, Representative Conyers. Thank you for inviting me to \ntestify on behalf of the Department of Commerce on the \nAdministration's cybersecurity legislative proposal.\n    The main goal of this proposal is to maximize the country's \neffectiveness in protecting the security of key critical \ninfrastructure networks and systems that rely on the Internet \nwhile also minimizing regulatory burden on the entities that it \nseeks to protect and while also protecting the privacy and \ncivil liberties of the public.\n    I will briefly address five parts of the proposal: first, \ncreating secure plans for covered critical infrastructure; \nsecond, promoting secure data centers; third, protecting \nFederal systems; fourth, data breach reporting; and fifth, \nprivacy protections.\n    One of the most important themes of the proposal is \naccountability through disclosure. 
In requiring creation of \nsecurity plans, the Administration is promoting the use of \nprivate sector expertise and innovation over top-down \nGovernment regulation.\n    The covered critical infrastructure entities will take the \nlead in developing frameworks of performance standards under \nthe proposal and, therefore, will look to create these \nframeworks working together with industry and can also ask NIST \nto work with them to help create these frameworks. There will \nbe strong incentive for both industry to build effective \nframeworks and for DHS to approve those created by industry. \nThe entities involved will want the certainty of knowing that \ntheir approach has been approved and DHS will benefit from \nknowing that they will not need to invest the resources of \ntaking an intensive approach through developing a Government-\nmandated framework unless the industry fails to act.\n    Rather than substituting the Government's judgment for \nprivate firms, the plan holds the covered entities accountable \nto the consumers and the marketplace. This encourages \ninnovation in mitigation strategies, improving adherence to \nbest practice by facilitating greater transparency, \nunderstanding, and collaboration.\n    In that same spirit, the Administration also seeks to \npromote cloud services that can provide more efficient service \nand better security to Government agencies and to small \nbusinesses and a wide range of other businesses. To do so, the \ndraft legislation proposes to prevent States from requiring \ncompanies to build their data center within that State except \nwhere expressly authorized by Federal law.\n    The proposal also clarifies roles and responsibilities for \nsetting Federal information security standards. 
Importantly, \nthe Secretary of Commerce will maintain the responsibility for \npromulgating standards and guidelines which will continue to be \ndeveloped by NIST in cooperation with the private sector.\n    My colleague from the Justice Department, Mr. Baker, went \ninto great detail about the data breach reporting standard. On \nthat I will just highlight a few pieces.\n    First of all, we have learned quite a bit from the States, \nselecting and augmenting those strategies and practices we felt \nmost effective in protecting security and privacy. The \nlegislation will help build certainty and trust in the \nmarketplace by making it easier for consumers to understand the \ndata breach notices that they receive, why they are receiving \nthem, and to take action upon them once they receive them.\n    Also, the Department of Commerce last year held a notice of \ninquiry under the Internet Policy Task Force set up by \nSecretary Locke, and through that notice of inquiry, we \nreceived many, many comments from a wide range of businesses. \nThey were unified in their stance that a nationwide standard \nfor data breach will make compliance much easier for all those \nbusinesses that must follow the 47 different legal standards \ntoday.\n    Finally, I would like to point out that many of the new and \naugmented authorities in this package are governed by a new \nprivacy framework for Government that we believe would enhance \nthe privacy protections for information collected by and shared \nwith the Government for cybersecurity purposes. The framework \nwould be created in consultation with privacy and civil \nliberties experts and the Attorney General, subject to regular \nreports by the Department of Justice Privacy Office working \nwith the Department of Homeland Security Privacy Office, and \noverseen by The Independent Privacy and Civil Liberties \nOversight Board. 
Government violations of this framework would \nbe subject to both criminal and financial penalties.\n    Thank you again for holding this important hearing and I do \nlook forward to answering your questions.\n                               __________\n\n    Mr. Goodlatte. Thank you, Mr. Schwartz.\n    I will recognize myself for a few questions, and I will \ndirect this first one to all of you. What new tools will law \nenforcement get in the Administration's proposal to investigate \nand prosecute cyber intrusions and other cyber crimes? I will \nstart with you, Mr. Baker.\n    Mr. Baker. Thank you, Mr. Chairman.\n    So the first thing, as I mentioned in my opening, was a \nproposal to create and make a clear crime with respect to \nefforts, either completed efforts or attempted efforts, to \ndamage critical infrastructure systems, and in situations where \nthe damage causes substantial impairment of the systems. So \nthat is one. That is the one that would have the mandatory \nminimum provision in it, and I can come back to that if you \nwish.\n    The other thing is our experience has shown that \nincreasingly cyber crimes are committed by groups of people \nthat are organized. So they are organized criminal activity. \nAnd we think, under those circumstances, it is appropriate to \nmake clear that we can use the tools available to us under the \nRacketeer Influenced and Corrupt Organizations Act, or RICO, to \ngo after those people. They pose a significant threat to the \ncountry. They are well organized, and they are effective in \nterms of being able to steal lots of money and compromise \ninformation from lots of people.\n    The other thing we believe is this will harmonize and bring \nmore, I guess, uniformity to parts of the criminal code with \nrespect to the penalty provisions.\n    So those are some of the key things that we are looking at \nhere. 
If I can just come back to the first one that I \nmentioned, the damage to critical infrastructure systems.\n    Our objective there is deterrence. What we are focused on \nis trying to prevent people--encourage people to not engage in \nthose types of activities. That is what we are really after in \nthat situation because when you have damage to a critical \ninfrastructure system, people are going to be harmed, and that \nis what we want to avoid through these tools.\n    Mr. Goodlatte. Thank you.\n    Mr. Schaffer?\n    Mr. Schaffer. Yes, Mr. Chairman. I won't speak to the \nparticular provisions that Mr. Baker mentioned, but I will say \nfrom a Department of Homeland Security perspective, the \nimproved situational awareness that we would expect through the \nclarity of the voluntary provisions to ask for and get \nassistance, to have information sharing from the private \nsector, and the clarity around what the Federal Departments and \nagencies can disclose and report will, I think, improve the \nsituation for law enforcement across the board. We work \ncooperatively today with law enforcement agencies within the \nDepartment of Justice, within DHS, and otherwise, and that \ngrowing interagency cooperation to know what is happening in \nthe ecosystem I think benefits law enforcement. It benefits \nnetwork defense. It is good across the entire ecosystem.\n    Mr. Goodlatte. Thank you.\n    Mr. Schwartz?\n    Mr. Schwartz. I will just briefly add. My two colleagues \ncovered the main areas, but briefly just to give kind of more \nof a general overview, really the goal is to get the incentives \nright. We have to make sure that we have a deterrence for those \nthat are doing wrong, that criminals do pay for their crimes, \nand that companies and entities that need to do the right thing \nin the space have incentive to do so as well. We think that \nthis package moves us further in that direction. 
We are happy \nto work with you further to make sure that we have those \nincentives right.\n    Mr. Goodlatte. Thank you.\n    The Administration's proposal appears to mandate technical \nstandards for almost any aspect of the private sector. Should \nthe American people feel comfortable with giving the Homeland \nSecurity Department the ability to designate any enterprise as \ncovered critical infrastructure? And subject to DHS mandates, \nare there any avenues for an enterprise to appeal their \nclassification? Mr. Schaffer?\n    Mr. Schaffer. Yes, Mr. Chairman. Thank you for the \nquestion.\n    I think that the way that the statute is set up, that \nprocess of identifying critical infrastructure would be done \nthrough a rulemaking, and because it would be done through a \nrulemaking, the private sector would have an opportunity to \nparticipate in the process, to comment on the criteria that \nwould be established in order to identify which entities should \nbe a part of critical infrastructure, and then would be in a \nposition to participate in the process of identifying both the \nrisks that needed to be mitigated, the frameworks for \nmitigation of those risks, and then develop plans to execute on \nthat risk mitigation. So they have got significant roles in the \nprivate sector. This is not DHS going out and doing it on its \nown.\n    Mr. Goodlatte. Right, but if they want out, can they get \nout?\n    Mr. Schaffer. Again, I think that would be part of the \nrulemaking process to get to the ultimate rules that would make \na determination.\n    Mr. Goodlatte. Well, let me just add to that. I am not \naware of any modern system that isn't reliant on some form of \ninformation infrastructure to operate, and if the Secretary \ndecides for any reason that a particular system could weaken \nour economy, security, or safety, then he or she has unfettered \nauthority to regulate them. 
Quite frankly, a lot of that seems \nlike regulation for regulation's sake.\n    My question--I will address it to all of you since it is \nthe Secretary of Homeland Security who seems to have the \nprimary authority here. But do you think that Congress and the \nAmerican people want to have their cabinet agencies turned into \nquasi-fiefdoms with absolute authority over the private sector? \nMr. Schwartz?\n    Mr. Schwartz. I want to take issue with this point that you \nraise about technical mandates. The frameworks that are being \ndesigned here are not at all technical mandates. These are \nperformance measures. These are performance standards that \nindustry will come together to design for themselves. That is \nthe goal. There are no technical mandates and no technical \nstandards within that framework whatsoever. Once industry has \nbuilt those performance measures, they then create their own \nsecurity plans to meet those performance measures. So they come \nup with what technology is needed, what standards they need to \nfollow in order to meet those performance plans. It is \npurposely, specifically set up to avoid the kind of technology \nmandates in other bills.\n    Mr. Goodlatte. Each company can have a separate standard?\n    Mr. Schwartz. Each company could build their own--decide \nwhat technology they need to meet those performance measures. \nThey could have completely separate technologies if they want \nto. It would obviously make sense----\n    Mr. Goodlatte. Maybe we are engaged in semantics here, \nthough. You call them ``performance measures.'' I call them \n``technical standards.''\n    Mr. Schwartz. No. Those are two completely--coming from the \nNational Institute of Standards and Technology, we focus on \nstandards in terms of measurements. The goal is to come to a \nperformance measure or a technical standard. Those are two \nseparate things. 
A performance measure is to say that we need \nto make sure that we cut down on the number of breaches, that \nwe act in a certain way when breaches happen, and that is tied \nto something that can be measured as opposed to a technical \nstandard which is we take information in a certain way, we use \na certain kind of technology, we are trying to get at a certain \nproblem in a very specific way. We see those as two different \nthings. And we have separated the framework that needs to be \nbuilt, which is the higher performance standard framework, from \nthe technical security plan. The security plan is built by the \ncompany not by the industry at large, not by DHS. And that is \nwhere we think the separation is.\n    It is exactly that reason that we think that innovation in \nthe marketplace can grow in this space through this plan as \nopposed to the other bills that we have seen out there in this \nspace that have DHS make the decisions. So we completely agree \nwith you. DHS should not be making the decisions.\n    Mr. Goodlatte. Let me give you an example, a real-time \nexample. You have the recent Sony PlayStation attack. It could \ncost the company hundreds of millions of dollars. We don't know \nwhat the outcome is going to be there yet. With that type of \nimpact on the economy, would Sony's PlayStation network fall \nunder the ``covered critical infrastructure''?\n    Mr. Schaffer. I think as conceived, there would be a \nprocess to make determinations as to what would fall under. 
I \nwouldn't, as I sit here today, think that that would have been \nidentified as critical infrastructure, but again, those \nregulations haven't been written.\n    I do think, as a former CISO and CSO, a chief information \nsecurity officer and chief security officer, for a Fortune 260 \ncompany, this kind of arrangement where the companies get to \nparticipate in identifying the risks, designing the frameworks, \nand then writing their plans to meet those frameworks is \nflexible enough and allows for innovation. It doesn't tell a \nCISO, chief information security officer, what to do to solve \nthe problem. It simply identifies the problems that need to be \naddressed and then gives them significant flexibility in coming \nup with a solution.\n    Mr. Goodlatte. Well, you are asking for a lot of trust from \nthe Congress and from the American people on this. So I guess \nwhat we will have to decide is will we want to trust the \nbureaucracy or are we going to try to write that much detail \ninto legislation that clearly defines what is and what is not \ncovered by so-called critical infrastructure.\n    At this time, it is my pleasure to yield to the gentleman \nfrom North Carolina, Mr. Watt.\n    Mr. Watt. Thank you, Mr. Chairman.\n    Let me address the circumstance under which we are here \ntoday because it is a little unusual. We have three Government \nwitnesses here. You have submitted joint testimony, and it \nleads me to raise the question who is really in charge of this. \nI mean, most of the time, when we are doing this stuff, we have \none person who is the go-to person. My understanding is that \nyou all kind of insisted that you had to have three witnesses \nfrom the Government side. I know there are different aspects to \nthis, but who is in charge of coming up with where you all got \nto? Where does the buck stop? I know it stops at the \nPresident's desk. Don't tell me that. Who is running the show?\n    Mr. Baker. 
If I could, I will start with that, Congressman.\n    Mr. Watt. I don't need three answers to it. I just need one \nanswer to it.\n    Mr. Baker. At the end of the day, you are right. The \nPresident and the White House are in charge.\n    The proposal that we have put forward reflects a whole-of-\ngovernment approach. Many aspects of the Government participate \nin the development of this proposal and have various \n``equities,'' if I can use that word. The Attorney General \nplays a certain role. The Secretary of Homeland Security plays \na certain role. Different officials play different roles \nthroughout the proposal, and what we are trying to do is bring \nforward something that does reflect a whole-of-government \napproach because the whole of government is responsible----\n    Mr. Watt. So every time we want some information about \nanything here, we are going to have to have three of you all \ncome talk to us?\n    Mr. Baker. The Department of Justice has a longstanding \nrelationship with this Committee. If you let us know what you \nneed, we will work to make sure we get the right people here \nfor you.\n    Mr. Watt. All right.\n    You talked about, Mr. Baker, the Federal preemption issue. \nI am always a little leery of Federal preemption. We have dealt \nwith it in a number of contexts, and generally I am leery of it \nbecause the Federal law waters down what some States have done \nand waters up what some States have done. So you get to some \nfairly vanilla middle ground.\n    Does your proposal provide an exemption from Federal \npreemption for stronger State laws?\n    Mr. Baker. I think the answer is no, Mr. Chairman. The idea \nis that we are establishing----\n    Mr. Watt. Have you adopted the strongest State standard \nthat is out there?\n    Mr. Baker. 
The answer is I am not sure that I could tell \nyou what all 47 statutes require, but I believe that we have \nlooked at all the statutes and other proposals, because there \nhave been a number of different proposals in this area both \nfrom----\n    Mr. Watt. Well, what is the compelling Federal interest in \nhaving a Federal standard for protecting all data, private \ncitizen data? There are a number of things that the States have \nauthority to do, and we are operating in a Federal system here. \nWhy should we be preempting a State law on my personal \ninformation, breach of my personal information that is stronger \nthan what you think the law should be?\n    Mr. Baker. The compelling interest is the cybersecurity of \nthe Nation. This is----\n    Mr. Watt. No. This is about my personal--this is about the \npersonal part of my information now. I understand when it comes \nto national defense and homeland security, you have got a \nnational, Federal compelling interest.\n    But you know, this is like consumer law, it seems to me. \nYou know, we have gone through this debate in the financial \nservices context. They tried to preempt every State law. The \nState laws in a lot of cases were a lot more robust and \naggressive than the Federal law that we were trying to impose. \nWhy would I want to do that?\n    Mr. Baker. Well, again, as I said, we are trying to make \nthis a uniform standard that makes it easier and faster that \nconsumers find out what is going on and are aware of what has \nhappened and makes it easier for companies to comply. So we are \ntrying to get the balance right here.\n    I would say, with respect to this proposal in its entirety, \nwe are here and we are happy to work with you.\n    Mr. Watt. Okay. This is the first time I am seeing this. I \nmean, it is a fairly new statute. But these are some of the \nthings that I think we have got to work through.\n    Let me draw another parallel, if I have a little time, Mr. \nChairman. 
You have got an immunity from liability for private \nindustry people that seems to me to be as broad as it would be \nas if the Government itself were acting. This is under section \n246 of this proposed legislation. And it basically says, okay, \nif you do what we tell you to do under section 244(e), then you \nare given immunity from any kind of liability. 244(e) says that \nit authorizes the Secretary to request and obtain the \nassistance of private entities that provide electronic \ncommunications or cybersecurity services in order to implement \nthis program. That is pretty damn broad.\n    And it reminds me, to some extent, of the same thing that \nthe Federal Government was asking us to do under the PATRIOT \nAct. The Government told you to do something. Therefore, it \nmust be good. Therefore, you are exempt from liability. So are \nwe setting up the same framework here?\n    Mr. Baker. I will defer to----\n    Mr. Watt. I didn't support it there either.\n    I am assuming this is a legal issue.\n    Mr. Baker. It is a combination, sir, and so it is liability \nprotection, but it is if they act consistent with this \nsubtitle, the subtitle that includes the sections you \nreferenced. So they need to act in conformance with the law or \nhave a good faith belief that they are doing so. Then they get \nliability. If they go off the reservation and do something that \nis not authorized, they don't get liability protection.\n    I will defer to Mr. Schaffer.\n    Mr. Watt. Okay, Mr. Schaffer. Help me.\n    Mr. Schaffer. Yes, Congressman. The provision really goes \nto the disclosure of any communication record or other \ninformation or assistance provided to the Department pursuant \nto 244(e). So what really this is trying to do is to allow the \nDepartment to work with a private sector entity that has \nidentified an issue and wants to bring that forward for the \nbenefit of all to protect the ecosystem.\n    Mr. Watt. 
Well, how is that different--you know, the \nJustice Department or somebody went out and told all the \ntelecoms to tap anybody's phone, even though we thought it was \nunconstitutional to do that. And then you came back and said, \nwell, give them immunity for doing that because we told them to \ndo it. I mean, how is this different than that?\n    Mr. Schaffer. The statute doesn't authorize them to \ndisclose anything that was not obtained legally. It doesn't \nauthorize them to----\n    Mr. Watt. But once you tell them it is legal to obtain it, \ndoesn't that give them complete immunity? That was the argument \nyou were using the last time under the PATRIOT Act.\n    Mr. Schaffer. Sir, I cannot speak to what argument was made \nwith respect to the PATRIOT Act, but I know that here the \nintent is to address a problem that is ongoing which is we \nroutinely interact with a company like Sony or other companies \nwho have had breaches, know that there is an ongoing matter of \nconcern, and want to provide information to the Government that \ncan be used to help that company and can be used to help a \nwhole range of other players who are potentially at risk. In \nthose moments, we sometimes are delayed by days or weeks in \nnegotiation with those entities around what they can or cannot \nprovide to the Government in that moment.\n    Mr. Watt. It sounds like exactly the situation you all were \nin. Those companies said I am not going to tap these phones \nbecause we think it is unconstitutional. You said, oh, no, it is \nconstitutional. We will give you immunity for it. So the \ncompany then is able to do something that they believe is \nunconstitutional just because you told them it was \nconstitutional. And they had some ambiguous Justice Department \nmemo that said that.\n    I am having trouble differentiating this. I mean, these are \nissues that I think we are going to have to address here. 
I am \nway over my time.\n    This is a little bit more than a teabag I think. This has \nsome implications that go well beyond, I think, what has been \nwell thought out. So I guess that is why we are here.\n    Mr. Chairman, I yield back. I appreciate the Chairman being \ngenerous with----\n    Mr. Goodlatte. I thank the gentleman.\n    The gentleman from California, Mr. Issa, is recognized for \n5 minutes.\n    Mr. Issa. I doubt that I will be as spellbinding as the \nprevious inquisitor, but I will agree with him.\n    I have got a deep concern here. Mr. Baker, why is it that \nthis draft legislation doesn't envision the third branch of \nGovernment having a significant role? Why is it you believe \nthat you have to essentially grant immunity without court \ninteraction?\n    Mr. Baker. Well, I guess I would have to think through--I \nmean, various parts of the proposal do involve the third branch \nof Government, for example, the critical infrastructure \nprohibition that----\n    Mr. Issa. No, but I am talking specifically here. Look, if \nyou go to Sony or you go to Facebook or you go to anybody, they \nhave vast pools of information that are personal. And the \nRanking Member and I share this. The tradition in this country \nhas been you want to see it. I want you to have to make a good \nfaith test to the third branch who stands there prepared to \ndoubt your good intentions. It has what has kept 1984 from not \nhappening in this country, is that you have got to go to that \nthird branch, and they are just a little more cynical about \nyour power grabs as a branch. 
We are supposed to be your \nbalance, but without their interplay, you are going to be doing \nthis for years to come, and all it will take is--well, you \ndon't have two-thirds in both houses to stop a President from \ndoing it in his Administration.\n    So tell me why specifically if you feel that you need to \ngrant immunity to anybody for their cooperation, the third \nbranch of Government should not be included?\n    Mr. Baker. First of all, the provision I think you are \ntalking about is a voluntary provision. So it only allows \nsharing of information in a voluntary----\n    Mr. Issa. Look, I know what voluntary is. I did vote for \nthe PATRIOT Act. I did sit on the Select Intelligence \nCommittee. I did participate in that broad granting of immunity \nand pushed to get it into the bill retroactively to make it \nclear that we needed to put September 11th emergencies behind \nus.\n    But having said that, look, let's get back to it. You are \nasking for cooperation with the force of your ability to make \nlife miserable on private sector companies behind closed doors \nis not a voluntary act. You can be very, very convincing. \nWouldn't you agree?\n    Mr. Baker. The Government can be very convincing, \ncertainly.\n    What I would say is what we are trying to do and what we \nreally tried to do in this whole proposal is get the balance \nright between the need to provide security, the need to allow \nfor innovation and foster innovation, and the need to protect \nprivacy.\n    Mr. Issa. My only question to you is, as we go through this \nlegislation, wouldn't you agree that adding in--even if it is a \nspecial court, if it is judges that are ready and quickly able \nto understand a comparatively complex new area of security, \nwouldn't you say that having that third party is a protection \nthat this side of the dais should be interested in seeing that \nyour side of the dais has?\n    Mr. Baker. Congressman, we are happy to work with you on \nthat. 
We have never said that this is a perfect proposal in all \nrespects, and we are happy to work with you and the other \nMembers of Congress because, on a bipartisan basis, we want to \nmake sure that we get this legislation right.\n    Mr. Issa. Mr. Schaffer, he got the easy question. You are \ngetting a little tougher.\n    The Department of Homeland Security has politicized FOIA. \nIt has actually taken FOIA requests by the press and others, \nhanded them over to political appointees to create an enemies \nlist to know who was asking for what, to deny it or to spin it \nbefore it is ever released. Why is it, you think, the \nDepartment of Homeland Security is the primary place to get \ncommercial information, not firewall to the bad guys outside \nour country, not terrorists within? Why do you think that you \nare the best place to put Facebook and Google and Microsoft and \nall the other providers and Sony, obviously--why is it you \nthink you should have anything to do with it? Where do you have \nthe standing under Homeland Security?\n    And by the way, why is it Mr. Schwartz wouldn't be more \nappropriate? Why is it that that portion isn't as much Commerce \nas it is this new and sometimes dysfunctional Department of \nHomeland Security?\n    Mr. Schaffer. Thank you, Congressman.\n    I think that DHS has spent a considerable amount of effort \nover the course of the last several years building its \nrelationships with the private sector in this particular \nsubject-matter area. Under the National Infrastructure \nProtection Plan, DHS has a major role in working with the \nsectors, the 18 critical infrastructure sectors, on a wide \nrange of protection and security-related issues. 
With respect \nto cybersecurity, DHS, in particular my organization at Cyber \nSecurity and Communications, has responsibility with respect to \nthe IT sector, the communications sector, and the Cross Sector \nCybersecurity Working Group.\n    We work through those structures and several others to \nbuild an ongoing relationship where we actually have private \nsector participation on the watch floor that we use to handle \ncyber incidents under the National Cyber Incident Response \nPlan. And that relationship has been growing. We have been \nadding the information security analysis centers from the \ndifferent sectors, participating also on the watch floor, \nsending representatives because they want to participate.\n    Mr. Issa. Okay, I get it. I am going to be a little short \nonly because my time has actually expired.\n    Mr. Schwartz, obviously, Commerce and State really have a \npresence overseas, and a lot of what we need to do is to reach \nout at all levels.\n    What role do you think that you should be included in a \nmore robust way than you are under this proposal?\n    Mr. Schwartz. Well, I think this proposal does lay out ways \nthat NIST and Commerce can be deeply involved, but it involves \nthe private sector bringing us in for those cases. So, for \nexample, in the critical infrastructure plans piece, if they \nwant to invite NIST to help work with them to plan \ninternational standards to help them build the framework so it \ncan lead to security plans and figure out how that can work \nbetter together and they want NIST to participate in that, the \nprivate sector can bring us in to do so. Obviously, we have \nlimited resources to be able to get involved in every different \ncritical infrastructure area, but that is one place----\n    Mr. Issa. So you currently see you are going to be \nreactive, not proactive because of the nature of it. Wouldn't \nit be better for you to have a mandate to be proactive?\n    Mr. Schwartz. 
There are some places working with the \nFederal Government agencies, for example, where we are setting \nstandards for the Federal Government, where we are being very \nproactive. And some of those are then ending up being used by the \nprivate sector. So in terms of the question of protecting the \ncritical infrastructure as it relates to the private sector, we \nneed to be brought in for that. For the Federal Government, we \nare much more proactive. And I think we want it that way. We \ndon't want to be setting technical standards for the private \nsector, as I said to the Chairman earlier. I think that is very \nimportant that we are working with the private sector \ncooperatively and we are setting standards that can work for \nGovernment, and then we can figure out how those can be used \ntogether.\n    Mr. Issa. Thank you.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Goodlatte. I thank the gentleman.\n    The Chair recognizes the gentleman from Michigan, Mr. \nConyers.\n    Mr. Conyers. Thank you, Mr. Chairman.\n    Mr. Schaffer, the notice would have to be given to an \nentity of the Department of Homeland Security. That is a \nnational standard requirement for reporting breaches of private \nconsumer data. What entity of the Department of Homeland \nSecurity?\n    Mr. Schaffer. I think, as we are currently constructed, it \nis the NCIC and U.S. CERT entity. I think that the drafting \nrecognizes that names of entities can change over time, but the \nnotion is that that portion of my organization at Cyber \nSecurity and Communications would be where those central \nreports would flow.\n    Mr. Conyers. So everybody has got to come back and read \nthis transcript to find out what the answer to my question is.\n    Mr. Schaffer. I apologize, sir. 
The United States Computer
Emergency Response Team is part of the Cyber Security and
Communications organization, and there is a watch floor called
the National Cyber Security and Communications Integration
Center that works with U.S. CERT to be a collection point for
information aggregation and dissemination.
    Mr. Conyers. So we just go to some entity and that is what
it is. So now we know.
    All right. Who is going to have primary responsibility to
investigate criminal violations as between the FBI and the
Secret Service?
    Mr. Baker. As it is today, it is a variety--the two of them
work it out. They coordinate their activities to determine who
is going to investigate a particular offense. They have
overlapping jurisdiction. They have to coordinate their
activities, and so that is how it is done with those agencies.
It is common to do that with a variety of different law
enforcement agencies that exist in the Federal Government.
    Mr. Conyers. Well, they have enough differences of opinion
often enough as it is.
    Mr. Baker. They may have differences of opinion. At the end
of the day, they don't get to go to court unless they come
through the Department of Justice. The Department of Justice is
in control of what cases get indicted and what cases are
brought forward and how appeals are handled and so on and so
forth. So at the end of the day, it is the Attorney General.
    Mr. Conyers. Thanks, Mr. Chairman.
    Mr. Goodlatte. I thank the gentleman.
    And the Chair now recognizes the gentleman from Arizona,
Mr. Quayle.
    Mr. Quayle. Thank you, Mr. Chairman, and thanks to all the
witnesses for being here.
    One thing I want to know--it is for all of you and whoever
best can answer this just pipe in. Can you explain exactly how
you plan to address some of the duplicative regulation work
that might be happening here?
Because NIST has historically
been the lead agency in setting standards, especially working
with industry to create those standards. But the
Administration's proposal seems to shift that responsibility to
DHS.
    For example, will DHS first assess the cybersecurity
requirements of the various Federal agencies to determine if
they are adequate before creating their own regulations, or do
you intend that DHS just creates their own regulations and then
waits for the request from various agencies for exceptions?
    Mr. Schwartz. Let me just briefly talk about NIST's role
because I think there is a misunderstanding there about what
NIST's role currently is. NIST today sets the standards for the
Federal Government. Then OMB takes that and approves them for
the agencies.
    Under this proposal--and there has recently been a memo
that also passed some of that authority to DHS. So this would
codify the ways that things are actually currently being run,
which is that NIST would still write the standards. In fact,
the Secretary of Commerce publishes those standards. It is very
clearly in the proposal. Then DHS can draw on those to decide
what the agencies should do specifically.
    So NIST is still writing the standards the way that we have
and we will continue to write the standards in that way and, in
fact, gain slightly more independence in that because OMB has
traditionally just passed on exactly what we have said to the
other agencies. This will allow DHS to tailor better to
different agencies and hopefully create better technical
standards that can be tied to performance standards as well so
that we can react better more quickly over time inside of the
Federal Government.
    Mr. Quayle.
But so then is DHS then going to take the
various standards that NIST comes up with and then implement
them through the other various Federal agency, or is the
Federal agency going to be able to use NIST standards to create
their own cybersecurity framework within that agency and then
have to get approval from DHS?
    Mr. Schaffer. As Mr. Schwartz said, this really codifies
the way things are operating now through delegations of
authority. So NIST would continue to draft the standards. DHS
would take those standards and would be applying them to the
Departments and agencies. If Departments and agencies had
specific issues that needed to be addressed in some special
way--the standards are not written for each individual agency,
they are written holistically--then we would be in a position
to work with an agency and come up with a set of requirements
that made sense specifically for the set of threats or risks.
But ideally we would be working starting from the NIST
standards just as we are today, and as Mr. Schwartz said, that
was being done by OMB recently delegated through a memorandum
to DHS. But the statute would just codify that oversight
authority moving to DHS.
    Mr. Quayle. And, Mr. Schwartz, when you are talking about
the standards that are being developed by NIST, that kind of
does conjure up a very static procedural way that we are not
going to be able to have the flexibility to respond to various
cyber threats which evolve very quickly in the future. How is
NIST going to develop those standards and do them in a way that
allows for the flexibility to have best practices from various
areas to come in and make sure that, instead of just being
reactive, we are being proactive to make sure that we are still
using the best standards to address cybersecurity threats?
    Mr. Schwartz.
One of the problems we have today under FISMA
is that the focus has been on trying to cover all of the
different controls that NIST puts out, so the IG, the Inspector
General, has said you have to make sure that you cover all of
these controls rather than saying we need to focus the controls
that work best for each agency, which is what NIST really says
in our guidance on the subject. So this structure helps to get
that point across better, that we are really aiming at
performance here and not at you have to follow every single
standard that NIST puts out.
    As NIST puts these out, we do think that we have
flexibility and we spend a lot of time with some more technical
standards. Encryption is a good example of that, which we try
to think very far ahead in trying to make sure that things are
done, and the world depends on the NIST encryption standards
for that reason because it is so thought out, et cetera. There
are others that we try to act much more quickly, try to be
reactive, et cetera, and get things out very quickly. So we try
to have that kind of flexibility so we can do both.
    But we need the independence also of not having to answer
every agency question that comes in on every topic. We need
someone to be able to do that. We work with the agencies as
clients, et cetera, and work with them on the standards, but
there is a different piece of it in terms of performance and
getting the performance measures out. It is good to have
another body do that. OMB was doing that role before. Now that
is moving more to DHS.
    Mr. Quayle. Thank you very much.
    I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The gentlewoman from Florida, Ms. Adams, is recognized for
5 minutes.
    Ms. Adams. Thank you, Mr. Chair.
    Earlier I heard you, Mr. Schwartz, say ``performance
measures.'' Can you give me your definition for performance
measures?
    Mr. Schwartz.
What we are aiming at is trying to figure out
exactly how to improve the actual way that the Internet is
protected so that we can come up with measures that show when
we have been successful in protecting cybersecurity as opposed
to ``technical standard,'' which is to say that you must follow
a certain set of controls in order to come up and make sure
that you are interoperable with other types of controls.
    Ms. Adams. So that is your explanation of performance
measure.
    Mr. Schwartz. Again, performance measure is something that
can be measured that shows that you are continually improving
the cybersecurity as we know it, that we can show continued
positive performance over time.
    Ms. Adams. Well, I have to tell you that your description
kind of concerns me because you had to grapple at what it was.
So it concerns me when an agency is going to decide what the
performance standards are when they are still grappling with
what are the performance standards, how do you define
performance standards.
    Mr. Schwartz. Again, I am not the technical person that is
going and writing these technical standards, and I am not the
person that is writing the performance standards. What a
performance standard will be will be a particular number or a
particular set of--particular targets.
    Ms. Adams. So that is not static.
    Mr. Schwartz. It is not static, exactly. It is something
that is not static. It is something that can change over time,
something that can be revisited, whereas a technical standard
is something that is written, people need to be able to follow
it and be able to interoperate.
    Ms. Adams. And following along what--Mr. Watt I believe was
the one that brought it up on the Federal preemption with Mr.
Baker. You said that you had not reviewed all 47--that they had
been reviewed, but you had not reviewed them.
So you don't know
if the Federal preemption would preempt a State that actually
might have a better system than what the Federal Government
would come up with. Is that correct?
    Mr. Baker. That is correct.
    Ms. Adams. So you still advocate for Federal preemption
even though you could actually do more harm than good?
    Mr. Baker. Well, our folks have looked at it carefully and
we believe that this is the right balance. If there are State
standards that Members of Congress feel should be included in
the Federal legislation, we are happy to work with you on that.
We have tried to get the balance right. If you think we should
add things, we are happy to work with you and look forward to
that because we want to make sure that----
    Ms. Adams. Well, I am happy to hear that agencies want to
work with us on legislation that we would be drafting. That is
a good thing. I would hate to think that you would think you
could draft the legislation.
    Let's see. Mr. Schaffer, I believe. You are from DHS? Do
you believe that there should be limits to the power that the
Secretary of Homeland Security can exert on private industry?
    Mr. Schaffer. I am sorry. I missed the last phrase.
    Ms. Adams. Do you believe that there should be limits to
the power that the Secretary of Homeland Security can exert on
private industry?
    Mr. Schaffer. I am sorry, ma'am. I believe----
    Ms. Adams. That is a yes or a no?
    Mr. Schaffer. Yes, and I think they are in the statute.
    Ms. Adams. Would the Administration's plan give the
Secretary unfettered authority over any business?
    Mr. Schaffer. No, it certainly wouldn't give unfettered
authority.
    Ms. Adams. Maximum authority?
    What large industries would be excluded?
    Mr. Schaffer.
Ma'am, the way the statute is configured--and
I assume that we are talking about the critical infrastructure
portion of the statute because other portions have a different
scope.
    Ms. Adams. Are there any that have been excluded so far?
    Mr. Schaffer. I certainly don't think that every large
enterprise would be part of critical infrastructure under this
construct.
    Ms. Adams. How about under cybersecurity as a whole that
would be monitored under this?
    Mr. Schaffer. Certainly the statute is designed to improve
cybersecurity across the entire ecosystem, but the critical
infrastructure piece is, indeed, intended to be focused on
critical infrastructure, those infrastructures which, if
disrupted through a cyber attack, would have cascading and
devastating effects across a significant portion of our
day-to-day lives.
    Ms. Adams. Mr. Baker, do you know any that would be
excluded?
    Mr. Baker. I am sorry.
    Ms. Adams. Any industries that would be excluded outside
the critical infrastructure? Large corporations.
    Mr. Baker. Categories of industries. I mean, I guess it
depends on the facts and circumstances and how they
interrelate, but I think I----
    Ms. Adams. How would you define that? Would that be clearly
defined in what you were doing?
    Mr. Baker. In the proposal that I was talking about earlier
on the critical infrastructure, we have got a fairly
specific----
    Ms. Adams. I am sorry, Mr. Chair. I guess I have overrun my
time.
    But I am just curious. If you are outside the critical
infrastructure, you are on the cybersecurity issue, is there
any of that that falls into the exclusion?
    Mr. Baker. Any that would fall into the exclusion in terms
of the--well, with respect to the proposal I was referring to,
we couldn't use it if it didn't meet the test that was set
forth in the statute, and that would be determined at the end
of the day by a court.
We would have to make the case to the
court that it was part of the----
    Ms. Adams. You think it might end up in court.
    Mr. Baker. Well, this one, the one I am referring to,
absolutely would, yes, because it would be a criminal offense
and we would have to show that it was vital to the country.
    Ms. Adams. I was actually talking about the statute if we
were to pass it.
    Mr. Baker. The statute what? I am sorry.
    Ms. Adams. The law, if we were to pass it. I thought you
meant you thought it would be in court.
    Mr. Baker. I am sorry. I couldn't hear, Congresswoman. I am
sorry.
    Mr. Goodlatte. I thank the gentlewoman.
    And the gentleman from Pennsylvania, Mr. Marino, is
recognized for 5 minutes. The gentleman has no questions.
    We will thank our panel then. This has been very
interesting, and I think it is just the beginning of a lot of
discussion about the Administration's proposal and potential
legislation that I and others are working on here in the
Congress. So we very much appreciate your contribution, and we
will thank all of you and excuse you and move to the second
panel.
    We will now move to our second distinguished panel of
witnesses today, and as I advised earlier, each of the
witnesses' written statements will be entered into the record
in its entirety. And I ask that each witness summarize his or
her testimony in 5 minutes or less, and to help stay within
that time, there is a timing light on your table. When the
light switches from green to yellow, you have 1 minute to
conclude your testimony. When the light turns red, that is it.
    Before I introduce our witnesses, I would like them to
stand and be sworn, and we would ask you to do that at this
time. It is the custom of the Committee to swear in our
witnesses.
    [Witnesses sworn.]
    Mr. Goodlatte. Thank you very much.
    Our first witness is Mr. Robert Holleyman. Mr.
Holleyman
serves as the President and CEO of the Business Software
Alliance. He has headed BSA since 1990, expanding their
operations to more than 80 countries and launched 13 foreign
offices, in addition to their D.C. headquarters. Mr. Holleyman
has been named one of the 50 most influential people in the
intellectual property world by the international magazine,
Managing IP. He was also named by the Washington Post as one of
the key players in the U.S. Government's cybersecurity efforts
for his work on behalf of industry on national cybersecurity
policy.
    Before joining BSA, Mr. Holleyman served as counsel in the
U.S. Senate and was an attorney with a leading law firm in
Houston, Texas.
    He earned his bachelor of arts degree at Trinity University
in San Antonio, Texas and his juris doctor from Louisiana State
University Law Center in Baton Rouge. He also completed the
executive management program at the Stanford Graduate School of
Business.
    Our second witness is Mr. Leigh Williams. Mr. Williams
serves as BITS President for the Financial Services Roundtable.
Since 2007, Leigh Williams has served as President of BITS, the
technology policy division of The Financial Services
Roundtable, focusing on improving operational practices and
public policy in the financial sector. Previously Mr. Williams
was a senior fellow at Harvard's Kennedy School of Government
researching public and private sector collaboration in the
governance of privacy and security.
    Mr. Williams worked for many years at Fidelity Investments
in various risk, security, privacy, and policy roles, including
chief risk officer, chief privacy officer, and senior vice
president for public policy.
    Mr.
Williams earned a bachelor of arts in economics from
Rice University and a master of public and private management
from Yale University where he currently serves as the Yale
School of Management Alumni Association President.
    Our third witness is Ms. Leslie Harris. Ms. Harris serves
as the President and CEO of the Center for Democracy and
Technology. Ms. Harris is responsible for the overall direction
of the organization and serves as its chief strategist and
spokesperson. Ms. Harris has worked extensively in policy
issues related to civil liberties, new technologies,
cybersecurity, and global Internet freedom. In 2009, she was
named one of Washington's ``tech titans'' by Washingtonian
Magazine.
    Prior to joining CDT, Ms. Harris founded Leslie Harris and
Associates, a public policy firm. She has also worked for the
People for the American Way and the American Civil Liberties
Union.
    Ms. Harris received her B.A. from the University of North
Carolina at Chapel Hill and her law degree from the Georgetown
University Law Center.
    I want to welcome all of you and we will begin with Mr.
Holleyman.

        TESTIMONY OF ROBERT W. HOLLEYMAN, II, PRESIDENT
           AND CEO, BUSINESS SOFTWARE ALLIANCE (BSA)

    Mr. Holleyman. Thank you. Chairman Goodlatte, Ranking
Member Watt, BSA appreciates the opportunity to work with this
Committee on a variety of challenges that we face in the area
of cyberspace. These include the continuing problem of software
piracy and threats to cybersecurity.
Indeed, the two issues are
connected because pirated software, which cost our industry
nearly $60 billion last year, is increasingly used to
distribute malicious computer code, and this puts companies,
governments, and consumers at risk.
    Today I would like to address three issues: first, the
evolving nature of security threats; second, the link between
piracy and the spread of those threats; and third, specific
actions this Committee should take to address these problems.
    Just 10 years ago, the primary threats to security online
were hackers and vandals, and they primarily chased notoriety
and the opportunity to take down systems through
denial-of-service attacks against entities like eBay and CNN.
    But the stakes are now much higher. Organized criminals
have entered this arena and they are using the Internet to
distribute malware so that they can make big money. And today's
scams build off both fears and social trends, and they take
advantage of worms, viruses, adware, links to fake websites,
and other fraudulent activity, and they steal valuable data
from consumers and enterprises. It has been estimated that for
U.S. businesses alone, the costs of this are approximately $45
billion annually.
    The link to software piracy is also evolving. The research
firm IDC estimates that fully one-third of illegally installed
software contains some form of malware, and organizations using
pirated software have a 73 percent greater chance of serious
security problems than companies that use licensed software.
    Before turning to specific legislative recommendations, I
would like to note, and importantly for this Subcommittee and
Committee, that the U.S. Government does not yet have in place
a policy to require Federal contractors to use licensed
software, even though Federal agencies must.
And, indeed, I
find it astonishing, given the security threats associated with
illegal software, that this action has not been taken. The
Administration is now considering an executive order that would
require Federal contractors to use licensed technologies, and I
urge this Committee to express its support for that order and
push the Administration to act in this area.
    We believe this Committee can also bolster America's
cybersecurity in at least three additional ways.
    First, by strengthening the hand of law enforcement and
prosecutors. As cyber criminals adapt, so must our cyber crime
laws, and BSA supports legislation to strengthen penalties and
expand the scope of offenses. We need new causes of action that
toughen the hand of prosecutors while, at the same time,
preventing opportunistic private litigation.
    Second, we need clear, uniform Federal data protection and
data breach rules. Today more than 40 States have enacted such
laws. This patchwork is confusing for consumers and inefficient
for businesses. The Federal Government should require
notification of breaches that pose a genuine risk of harm. It
should preempt State laws, and it should prevent excessive
notification which can overwhelm and confuse consumers.
Importantly, notification should not be required when the
stolen data is worthless to the thief because it has been
rendered unusable through deployment of security technologies
such as encryption.
    And finally, the law should provide specific incentives for
sharing information about cyber threats with Government
agencies. Companies should be able to share records and other
information with DHS about the specific nature of the threat
without the risk that sharing that information will lead to
suits against the company.
Similarly, critical infrastructure
companies that comply with the security requirements of DHS or
act to mitigate risks identified by DHS should also be
protected from liability.
    Lastly, Mr. Chairman, Mr. Ranking Member, Mr. Quayle, this
Committee is looking at the consequences of cybersecurity as
they affect the Nation's economy. The economic consequences of
this are greater for this Nation than any other because of the
way in which we deploy this technology throughout our society.
And by acting to deter cyber threats and to take more actions,
we can believe that the economy will be healthier by deploying
new resources to creating new jobs and overall strengthening
economic security.
    So I look forward to working with this Committee as always
on these important issues. Thank you.
    [The prepared statement of Mr. Holleyman follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                               __________

    Mr. Goodlatte. Thank you, Mr. Holleyman.
    Mr. Williams, welcome.

         TESTIMONY OF LEIGH WILLIAMS, BITS PRESIDENT,
            THE FINANCIAL SERVICES ROUNDTABLE (FSR)

    Mr. Williams. Thank you, Mr. Chairman, Representative
Quayle, Ranking Member Watt, for the opportunity to testify on
the financial community's cybersecurity efforts, on the case
for new legislation and in support of the Administration's
proposal.
    My name is Leigh Williams and I am President of BITS, the
technology policy division of the Financial Services
Roundtable.
BITS addresses security, fraud, and public policy
issues on behalf of 100 of the Nation's largest financial
institutions, their hundreds of millions of customers, and all
of the stakeholders in the financial infrastructure.
    From this perspective, I can assure you that cybersecurity
matters a great deal to financial institutions not because
regulations require it, although they do, but because good
business practices and customers require it.
    At the industry level, BITS' 2011 agenda--set by chief
information security officers, by CIOs and CEOs--addresses
secure software, protection from malicious software, security
in social media, cloud computing, and mobile computing, secure
email, and security education and awareness. While some of this
work can be done within the industry, more and more requires
cross-sector collaboration. For example, our sector council is
working with the Treasury Department and with our financial
regulators on cybersecurity exercises. We are working with law
enforcement in an account takeover task force led by our
Information Sharing and Analysis Center. And I thank you, Mr.
Baker.
    Beyond our traditional circle, with DHS, we are developing
a pilot to offer expert assistance to institutions in the Cyber
Operational Risk review program. Thank you, Mr. Schaffer.
    And broader still, we are working with NIST to implement
the National Strategy for Trusted Identities in Cyberspace.
Thank you, Mr. Schwartz.
    As the Committee considers legislative options, I urge
Members to leverage this existing body of work and the existing
controls, but also to strengthen our connections with our
Federal partners and our peers in other sectors.
Talking this
through with my colleagues, I hear words like ``integrate'' and
``harmonize,'' ``align,'' and ``reconcile.'' I don't hear
``replace'' or ``substitute.'' And as I am sure you appreciate,
I don't generally hear ``add on'' or ``layer on.''
    Even given this head start and our substantial momentum, we
think that cybersecurity legislation is warranted. We believe
that a comprehensive bill could improve security throughout the
ecosystem, including in the networks on which our institutions
depend. It could strengthen the security of Federal systems and
mobilize law enforcement and other Federal resources. It could
spur voluntary action through safe harbors and outcome-based
metrics.
    Attached to my written testimony is a list of 13 policy
approaches that our sector council endorsed, along with three
that it found more problematic. I urge the Committee to
consider these consensus recommendations of the financial
community.
    OMB recently transmitted to Congress the Administration's
proposal to improve cybersecurity. The Financial Services
Roundtable supports this legislation and we look forward to
working for its passage. We support many of the provisions on
their own merits, and we see the overall proposal as an
important step toward building a more integrated approach.
    I will structure the remainder of my testimony around the
key provisions of the proposal.
    We support the strengthening of criminal penalties for
damage to critical computers, for committing computer fraud,
and for trafficking in passwords.
We also urge escalated
treatment for the theft of proprietary business information.
    We support the adoption of a uniform national standard for
breach notification.
    We strongly recommend full Federal preemption and
reconciliation with the existing banking regulations.
    We support exemptions, as you have heard from BSA, for data
rendered unreadable and for situations in which there is no
reasonable risk of harm.
    We support strengthening cybersecurity authorities within
DHS and codifying DHS's collaboration with the sector-specific
agencies such as the Treasury Department and with sector
regulators such as our banking, securities, and insurance
supervisors.
    We support each of the seven purposes articulated in the
regulatory framework, including especially: enhancing
infrastructure security, complementing currently available
measures, and balancing efficiency, innovation, security, and
privacy.
    We think this evenhanded approach will help calibrate the
effort, capitalize on existing oversight, and prevent the
release of public information.
    In closing, let me just underscore how much we appreciate
your attention in this matter and commit that for our part we
will continue to work on cybersecurity with our members and
partners. We will support legislation that leverages existing
protections, and we will support and help to implement the
Administration's proposal.
    Thank you for your time.
    [The prepared statement of Mr. Williams follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                               __________

    Mr. Goodlatte. Thank you, Mr. Williams.
    Ms. Harris, welcome.

   TESTIMONY OF LESLIE HARRIS, PRESIDENT AND CEO, CENTER FOR
                 DEMOCRACY AND TECHNOLOGY (CDT)

    Ms. Harris.
Chairman Goodlatte, Ranking Member Watt,
Members of the Subcommittee, thank you for the opportunity to
testify today.
    Charting a path forward on cybersecurity policy that makes
meaningful improvements in security and at the same time
protects privacy and innovation requires a very nuanced
approach that encourages collaboration between Government and
industry. One size does not fit all. Policies for
Government-owned systems should be distinct from those aimed at
the private sector. Government regulation needs to be limited
very narrowly to critical infrastructure, and importantly
particular caution has to be applied to systems like the
Internet that support Americans' rights to free speech. That
means as a first principle network providers--and not the
Government--need to be in the business of monitoring their own
networks for intrusions.
    Here the Administration's bill rightly honors this
principle. No Government entity needs to be involved in
monitoring private communications networks as part of
cybersecurity. There is no evidence that the Government can do
this better and no need to move toward middle-of-the-network
solutions that would put civil liberties at risk.
    Second, information sharing needs to be enhanced without
putting privacy at risk. There is a general agreement that more
sharing is good between Government and the private sector and
within industry. The White House proposal anticipates a very
sweeping, albeit voluntary, information sharing regime that
encourages sharing of information, including communications
traffic to DHS, regardless of whether the use or disclosure of
that information is otherwise restricted by law. And that means
that it effectively sweeps away protections of the Wiretap Act,
ECPA, FISA, FOIA--all statutes within the jurisdiction of this
Committee--and many, many more.
We appreciate the bill's
promise of yet-to-be-articulated privacy rules, but we don't
see how they can adequately police such a vast sharing regime
in contrast to well understood statutory protections.
    Third, the designation of critical infrastructure needs to
be very narrowly tailored. Getting the government role in
private cybersecurity efforts right first requires getting the
designation of critical infrastructure right. Here we believe
that the definition provided in the Administration's bill is
overbroad and that the ``debilitating impact'' standard is
simply too ambiguous and could sweep vast swaths of U.S.
industry into the critical infrastructure fold.
    Fourth, Congress should not give the President shut-off
authority in cybersecurity emergencies. We certainly appreciate
the White House's implicit rejection of this power in its
proposal and hope that this puts this dangerous idea to rest.
After the Egyptian cutoff earlier this year, it should be clear
that a grant of presidential shut-down authority would set a
very dangerous precedent for the world.
    Fifth, the Computer Fraud and Abuse Act law needs to be
tightened before we consider any new or enhanced penalties. It
is a very, very important component of our online trust
framework and it has given the Federal Government authority to
pursue cyber crime, hacking, and identity theft. But its vague
terms have led to troubling civil and more recently criminal
actions that have stretched the law far beyond what Congress
intended. Indeed, some courts have interpreted unauthorized
access so broadly that companies, when setting terms of service
that few users will ever read, are in effect getting to
determine what user conduct is criminal. So before there is any
expansion of the law or increase in penalties, we need to look
at those questions.
    We also caution about ratcheting up penalties.
The \nmandatory minimums in CFAA were actually repealed in the \nPATRIOT Act, and I think we have to know why before we put them \nback in. And while we have no opposition to the law being a \nRICO predicate, we are concerned about the consequences for \ncivil actions where triple damages may encourage civil \nlitigants to further pursue what we see as novel uses of this \nstatute.\n    Finally, we believe the White House proposal on data breach \nprovides a very good starting point for consideration of the \nFederal law. The notification trigger we think is right. The \nstandards in the bill we think are right. But we will caution \nthat we are talking about preempting 46 State laws, and there \nare some areas--for example, California has very specific \nprotections for health information--that are not reflected. So \nwhen we are talking about the definitions in the law and when \nwe are talking about the extent of preemption, we would urge \nyou to be very careful.\n    We appreciate the opportunity to testify here today and \nlook forward to working with this Committee on this important \nissue.\n    [The prepared statement of Ms. Harris follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n        \n                               __________\n\n    Mr. Goodlatte. Thank you, Ms. Harris.\n    I will begin the questioning, and my first question is \ndirected to you, Mr. Holleyman.\n    To what extent has the Administration worked with the \ntechnology sector and incorporated their best practices into \nthe cybersecurity legislative proposal?\n    Mr. Holleyman. We have worked closely with the \nAdministration throughout this process, have particularly \nworked closely with NIST over a period of time. I think, in \nlarge part, the Administration's proposals reflect ones that we \nwould endorse. There are other issues where we have proposed \nrecommended changes, as we submitted in our testimony and a few \nissues that have not been resolved. 
So I think that the \ninclusion of this effort from the Administration has been \nhelpful and it is good to see them come forward with a concrete \nproposal.\n    Mr. Goodlatte. How can Congress encourage innovative \nsolutions to combat this dynamic problem and avoid the one-\nsize-fits-all regulation that Ms. Harris and others have \nexpressed concern about?\n    Mr. Holleyman. By making sure that there are technology \nneutrality provisions that are always taken into place. There \nis no one-size-fits-all technology that will work for every \nsolution, every customer, every government. We need to have the \nflexibility to adapt and use new technologies as the nature of \nthe crimes adapt. So maintaining that principle is important.\n    And I think, secondly, by ensuring that the level of \nFederal resources against cyber crime can be escalated in a way \nthat there is a greater deterrent, because we are all at risk, \nand the Federal Government has a unique role in fighting cyber \ncrime.\n    Mr. Goodlatte. Mr. Williams, what are banks proactively \ndoing to ensure that critical data is protected from hackers \nand economic espionage by foreign competitors?\n    Mr. Williams. Individual institutions are doing a great \ndeal. They each have programs that are embedded within their \noperational risk and their general risk management programs, \nsome of which are subject to review by regulators of the \nbanking securities or the insurance industries, others of which \nexist solely on the basis of it being good practice. They also \nconduct, through BITS and many other coalitions, a great deal \nof industry-level work to ensure some consistency throughout \nthe industry and to help connect the industry--the sector with \nother sectors.\n    Mr. Goodlatte. When there are data breaches, how are they \ngenerally handled? Is it standard practice to provide public \nnotification or inform Federal authorities or both?\n    Mr. Williams. 
There are actually already, within the banking subsector of financial services, uniform national standards for preparing for, responding to, and notifying of breaches, and over the last several years, as the industry has gravitated toward that uniform approach, we have found it to be very effective.

Mr. Goodlatte. Ms. Harris, do you think it should be Government or the private sector to take the lead in determining best practices for cybersecurity?

Ms. Harris. I think it should be the private sector, and I think in this regard, the Administration's bill does a very good job of putting the private sector in the lead for developing these sectoral risk plans and then allowing the companies to develop their own individual plans. Our only concern is making sure that the definitions in this bill are sufficiently precise so that as we go down the road to deciding which sectors are cybersecurity infrastructure, critical infrastructure, we don't come up with a definition that is overbroad.

I think on the second part, whether they have gotten a good balance between public and private, I think they have done a pretty good job, but that is once you have been designated "critical infrastructure." Our concern is not to have too many industries swept into that basket.

Mr. Goodlatte. You are all saying that there is a good deal of collaboration in writing this legislation, and that is good to hear.

What can the Congress do to strengthen the ongoing cooperation between private enterprise and the Federal Government on cybersecurity? Does anybody want to tackle that first? Mr. Holleyman?

Mr. Holleyman. Two things. One is to enable the private sector to share more information about the specific nature of threats, but we also very much feel that there needs to be mechanisms by which the Federal Government shares information with companies, particularly in the security space, about the nature of the threats so that we can work in closer partnership. Generally our companies do share a lot of information. We think this proposed legislation would help foster a better climate for more, but we would like to see more from the Federal Government in appropriate circumstances that could be shared with industry.

Mr. Goodlatte. Thank you.

Mr. Williams?

Mr. Williams. Mr. Chairman, I would offer two responses.

First, I was very encouraged in the first panel to hear the phrase "providing opportunities for voluntary information sharing." We think that they should be voluntary but enabling those opportunities we think is very important.

The second thing I might say is that we already have very strong information sharing within the financial services sphere. Part of the reason, a great deal of the motivation, for our supporting this comprehensive legislation is to extend beyond our sphere, to extend to our service providers, to our customers, to agencies other than our banking regulators to ensure that the overall ecosystem is protected.

Mr. Goodlatte. Thank you.

Ms. Harris?

Ms. Harris. So I agree that data sharing is important. We have some very specific concerns, and those concerns are in the way this law is constructed. Rather than trying to figure out what aspects of the law, particularly ECPA, may not be adequate to allow more sharing to occur, it simply sweeps away all of these laws in favor of this broad voluntary mechanism.

So I think that this Committee is the right Committee to try to figure out whether we can pinpoint in a serious way what is the legal barrier that exists right now in our Government information sharing laws and how do we narrowly fix that without basically throwing out all those laws and other Federal and State laws that touch on privacy. I just think this is the right Committee to do that and that this is a big challenge. It is, I think, not the right approach to simply say, "notwithstanding any other provision," and sweep everything away. It is this Committee's laws. It is health laws. It is Gramm-Leach-Bliley. It goes on and on, and I don't think anybody can tell us what the implications of that might be.

And second, this is a law enforcement Committee. I guess, no, it is not because we switched Committees here. And getting a law enforcement piece right is important. And I think I have mentioned some of the changes that I think are necessary in the CFAA before we start to take a look at penalties and other changes.

Mr. Goodlatte. Thank you.

The gentleman from North Carolina, Mr. Watt, is recognized.

Mr. Watt. Thank you, Mr. Chairman.

I am trying to get to this question that Ms. Harris has touched upon here, the definition. And I think that is what is troubling me here and probably what is troubling the Chairman is where the divide is between what the Government should be doing and taking control of and what is outside what the Government should be doing.

So I am looking here closely at the legislation, and there is section 242 which defines "critical infrastructure" that refers us back to the emergency preparedness statute which defines the word "critical infrastructure." And then there is a separate section which defines something new, I take it, which is called "critical information infrastructure," which goes beyond the emergency preparedness thing.

I think we have probably all gotten comfortable with the emergency preparedness part of this. That is the Government's role clearly. I am not even second-guessing that. That has been in the statute.

But this definition of "critical information infrastructure," a new term in this statute, seems to be very, very broad. And I think we have got probably some very serious work to do.

Can you help me, Mr. Holleyman, kind of understand what you perceive to be critical information infrastructure? I mean, you are familiar with these two things that I just talked about. Right? Have you looked at the statute?

Mr. Holleyman. I am familiar with what you are talking about, but I can't offer today a recommendation. I would like to get back to you with some thoughts.

Mr. Watt. And I am going to tell you the one thing that is troubling here--and I raised it with the first panel because once you start defining "critical information infrastructure," if it is defined too broadly, it has a lot of implications. And then you start talking about preempting State laws with respect to any critical information infrastructure, then you get into a whole other segment of things.
Then when you start saying the Government can demand or request certain information and provide legal immunity for providing that information, you get into a whole different set. And that is very delicate territory.

Is my personal information, if it is breached in a corporate computer--is that critical information infrastructure or is it outside? Mr. Williams? Let's put it in the financial services context. I serve on the Financial Services Committee too. So I am very familiar with this. We have been debating this for a long time. Is a breach of my personal information by--somebody craps into Bank of America or Mechanics and Farmers Bank, which is where I bank, and breaches their--and they get my personal--does that make that critical information infrastructure?

Mr. Williams. If I might answer your direct question and maybe extend it a little bit. I think the direct answer is yes. If your personal information--collected, aggregated with the personal information of a lot of the other customers of a particular bank--is breached, it absolutely constitutes what I think the legislation calls a risk to critical economic security of the United States. If it is any one person, perhaps not, but in the aggregate absolutely.

In extension, I would say that within financial services, we have begun to think about what is and is not critical. As you know, institutions now are subject to a designation by the Treasury and the Financial Services Oversight Council of being systemically important which we could think of as financially systemically important or operationally systemically important.

We also, outside of our industry, have begun----

Mr. Watt. Okay. Well, let me just take this one step further. My personal information, aggregated with other people's personal information, can bring down the whole system. I acknowledge that. But does that give the Federal Government the right to preempt a State law that says it will protect my personal information? Where does that fall?

Mr. Williams. I think in the narrowest sense, our banking regulators have already said that we need to have notification requirements and security requirements that protect single individuals' information at the Federal level.

Mr. Watt. Yes. We are fighting that battle. I was involved in drawing the preemption language in Dodd-Frank. It was an absolute nightmare. I had consumer groups in the room. I had bankers in the room. The Senate took it and referred it to some case law, some case that had been decided by the Supreme Court, and they are still fighting about what is preempted and what is not preempted.

This is much, much, much broader than that, and we couldn't even agree on what the Federal preemption standards should be for the financial services bill. This is so much broader than what we were talking about in the financial services bill. I mean, something that is so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on national security, that is fine.

But when you talk about national economic security or national public health or safety, this is a very, very broad definition of how you are defining that. And I think it is that discomfort with the Federal Government being too much in that space that people start to say are we setting up a Big Brother system here where the tail is wagging the dog basically.

I am sure people have been working on this, but we have got a lot of work to do, I think, on this definition before we can get the public comfortable with having Homeland Security call up a company and demand that it give--well, they say they are not demanding. They are just requesting it. But you heard Mr. Baker say when the Government requests and you couple that with giving immunity to the companies for providing the information to the Government, then you are right back to where we were under the PATRIOT Act. And people get very uncomfortable with the Government being so powerful that it can then call up and demand certain information and then provide immunity for somebody when they provide that information because they don't necessarily even want the Government to have immunity in that case if they violate the standard that is applicable.

It is a very difficult line that we are walking here. We can't define it today. I am way over my time, but I think that is the most troubling aspect of what we have got to deal with here, and it is providing discomfort on the left and it will provide discomfort on the far right. That is when I used to jokingly say I would quite often back around the circle into Jesse Helms. I would be backing from the left and he would be backing from the right, and all of a sudden, we would be standing in the same place because both of us were suspicious of too powerful a Government. And that is where we could get if we are not careful.

Mr. Chairman, I am on a soapbox, so I am going to yield back.

Mr. Goodlatte. Well, I have enjoyed standing here listening to you.

The gentleman from Arizona, Mr. Quayle, is recognized for 5 minutes.

Mr. Quayle. Thank you, Mr. Chairman.

Mr. Williams and Mr. Holleyman, I am kind of going along the same lines. My concern is that with the broad definition for the covered critical infrastructure and how it is going to apply to various small business, medium-sized businesses that are starting to grow and then their inability to be able to cover those expenses or at least they might be eating into their margins because they don't have the ability like some of the other large financial institutions that have the capital to be able to comply with these various regulations.

How will this, because it is so broad--and I know that we are talking about having to tighten up the language and all, but my concern is how are we going to be able to make it so that we are not going to be inhibiting growth in the private sector. Because if the regulations are overly burdensome, we are going to have a situation where companies are going to look to see their cost-benefit analysis of whether they are going to grow and then fall under that critical infrastructure or stay the same size and not have to comply. That is one of my biggest concerns, because this is overbroad and how that is going to affect growth in the private sector.

Mr. Williams. I absolutely share your interest in setting those criteria. I will leave it to the judgment of the Congress how much of the specificity belongs in the legislation, in regulation, or in judicial reviews as we heard earlier on this point and on several other points.

What I will say is at least in financial services, we have begun to set a fairly high threshold. So the systemically important financial institutions are really the largest and the most interconnected. The operationally significant financial utilities are a small number of highly connected organizations that I don't think would qualify in the small business category that you----

Mr. Quayle.
Kind of running on the same lines, if the private sector is already addressing the situation, if like you were saying, large financial institutions--you know, a lot of their business is made at lightning speed transactions and they make or don't make money based on that. And so having that cybersecurity infrastructure within that framework is important to them, but they are doing it on their own initiative.

So if you are saying that you are already having a lot of these critical pieces of infrastructure doing it without the regulatory framework in place, why don't we just leave it to the people to do best practices and then be able to make their own determination on what level? Because quite frankly, I think that somebody who is banking with a Bank of America or a Chase or whatever--they will be looking to those that have the cybersecurity framework in place as a way to make a decision in the private sector and let the market kind of take that approach.

Mr. Williams. It does happen, we think, with a lot of companies in a lot of sectors, many of whom are business partners to financial providers, but we think it happens unevenly. So we depend on electric utilities. We depend on the telecom networks. We depend on software providers, many of whom are strong and responsible but not all of whom operate with the same level of resilience. We think raising that general bar makes a lot of sense.

Mr. Quayle. Okay.

And Mr. Holleyman, you were mentioning a lot of the trademark infringement that happens in the Internet and elsewhere. That is rampant. Anytime you do a search, you can find copyright infringed products out there.

But is this the right piece of legislation to be going for that? Wouldn't it be a lot more effective to have independent legislation that is outside of this larger regulatory framework to address that situation? Because it doesn't seem like it goes really hand in hand.

Mr. Holleyman. Well, I think that is a great question. We do think that this is a piece of legislation that should address the cyber framework. I was drawing into that, however, one other area that this Committee has responsibility for which is the area around intellectual property protection but specifically the nature of software because fully a third of the software that is used illegally and downloaded off the Internet contains malware. And malware is providing a penetration in the systems that has a pervasive impact well beyond the intellectual property or the software industry.

And I was encouraging this Committee to encourage the Administration to issue the executive order that requires Federal contractors to use only legal software in the same way that is required of Federal agencies, not only because it is important for intellectual property protection, but because the same type of vulnerabilities are being introduced into the Federal network when Federal contractors are using illegal software which oftentimes contains the type of malware that poses a cybersecurity risk. So I am linking the two issues.

Mr. Quayle. Thank you very much.

I yield back.

Mr. Goodlatte. I thank the gentleman.

The Chair recognizes the gentlewoman from California, Ms. Lofgren.

Ms. Lofgren. Thank you, Mr. Chairman.

First, my apologies for not being here for this whole hearing. We had a markup in the House Administration Committee that I had to go to, but I have read all the testimony and it is very, very helpful.

Ms. Harris, your testimony relative to the standards is very, very useful.

And Bob--I mean, Mr. Holleyman--your preemption issue is an important one. It is difficult, as the Ranking Member has discussed, but I think we are going to have to address it in terms of data breaches because the current situation is chaotic. And that is going to be hard to do since all of us--States have been aggressive about privacy. We are not going to be able to go home if we don't maintain some similar types of standards.

I credit the Administration for working with the technology sector, but we are a long ways from where we are going to need to be on this. The idea that we would waive all other law, provide immunity. I mean, when the Government goes to the private sector and asks for something, it is more than just asking. I mean, there is an obligation. We have seen that in many other contexts. There is no liability. Even with liability, companies respond. If there is no liability and the standards are as vague as this, we have created a big Government nightmare, and we just can't go there.

On the other hand, cybersecurity and the threat to our cyber infrastructure is very real. And I am wondering, as we move forward, if we can make some distinctions not just on the nature of the activity but the origin of the threats because there are different levels based on where the threat is coming from.

I am not an anti-government person, but I am mindful that the Department of Homeland Security for over a year and a half maintained a miniature golf site on its list of critical infrastructure and wouldn't take it off. So let's not be believing that the Department knows everything there is to know about the critical infrastructure threat that we face. We tend to over-categorize things in Government, and if we do that in this case, we will see Government encroaching on really what should be the private sector's primary responsibility and certainly that of free Americans to be able to communicate without fear of intrusion or monitoring by their own Government.

So those are big-deal defects in what has been presented so far, and I am hearing some bipartisan concern along those lines. And I am confident that the Administration will want to work with us to fix those items.

I am just wondering. Maybe all of you can comment on this. To some extent, the Administration's proposal seems to put the Government at sort of the center of the cybersecurity information sharing. And I think it is true that the private sector has given up more than they have gotten back, and that has to change. But I am wondering whether that is really optimal, whether we want the Federal Government to have that man-in-the-middle centrality role or whether there is some other way to structure it that might be more nimble.

Do you have any comment on that, the three of you?

Ms. Harris. So that is a question that we have been asking as well, as to whether or not all information in and all information out, which has been the model, really is the most nimble way to share information and there are a variety of private sector sharing groups going on. But I think it is worth exploring whether or not that is--I mean, we have information sharing already set up in the Federal Government, and in fact, in the last couple of years, that has improved, I think, quite a bit.

But, obviously, the civil liberties issues are ratcheted up when all sharing has to go through the Government or is encouraged to go through the Government. I need a better understanding of sort of the value added.
Obviously, the \nGovernment needs that information for its own purposes, but the \nquestion is whether or not everybody has to go to ``go'' first \nbefore they deal with each other.\n    I know there is sectoral sharing. I find this very \ndifficult.\n    Ms. Lofgren. If I can just add in one other element, which \nis some sectors that are, in fact, critical that an attack \nwould deal with systems and create cascading failures have \ntaken significant steps to protect themselves, the financial \nsector among them. Other sectors, not so much. The ISACs--you \nknow, some have worked well, some not so well.\n    And so maybe one thing that we could do--I don't really see \na robust section here--is really even the assessment of--you \nknow, maybe it is the liability that ought to be imposed on \ncertain sectors--and they tend not to be the technology \nsector--where they have not taken the minimal steps necessary \nto protect themselves, and their lack of doing so puts the \nNation at risk. Maybe we ought to be doing some incentives in \nthe negative way for some of those sectors where the \ncatastrophe awaits us.\n    Mr. Williams. I certainly agree, ma'am, that the private \nsector should be the primary locus of all of this work. We \nwithin financial services, and I suspect in many other sectors, \nhave utilities that are entirely private and we have the ISACs \nthat are semi-private. And a great deal of the work occurs in \nall of those places. There should be incentives and \ndisincentives that strengthen all of that private sector work.\n    I suspect that if we create more resources on the Federal \nside and strengthen a hub of information sharing on the Federal \nside, it will still allow for that rich private work to take \nplace. I would never support substituting all of the dispersed \nprivate effort for a centralized Government effort, but I \nsuspect that there is room for both.\n    Mr. Holleyman. Ms. 
Lofgren, if I can mention two ideas.\n    One is we think that the most important role for the \nFederal Government is to serve as a convener by bringing in the \ninterested parties together. We think in particular NIST and \nothers have done a great job in taking on that role.\n    Secondly, where critical infrastructure may ultimately be \ndefined, we think there are two hallmarks to it. One, it needs \nto be a narrow definition, and second, there needs to be \nflexibility around how entities in critical infrastructure use \nsecurity products to create the kind of security and deal with \nthe evolving nature of the threats.\n    Ms. Lofgren. I know my time is up, but in some cases that \nincludes--our own Government has failed to do even the minimal \nthing. I remember a hearing on US-VISIT in the Homeland \nSecurity Committee where we learned for the first time that \nthey hadn't even deployed intrusion detection software. I mean, \nit was stunning.\n    So we have a long way to go, but this bill also has a long \nway to go.\n    And I thank the Chairman for indulging me over my 5 minutes \nand yield back.\n    Mr. Goodlatte. I thank the gentlewoman.\n    And I am pleased to recognize the gentlewoman from Texas, \nMs. Jackson Lee, for 5 minutes.\n    Ms. Jackson Lee. Mr. Chairman, thank you very much.\n    To the witnesses, I was detained. We held, Mr. Chairman, a \nhearing in Homeland Security that actually overlapped some of \nthe very questions that are being raised here from a different \nperspective, and that is the in-depth use of cyber sites by \nindividuals intending to do us harm. So I think it is a two-\nedged sword or focus in terms of the protection of data, but as \nwell as protection of the American homeland. And I raise my \nquestions accordingly.\n    And I would just like to put the President's remarks in the \nrecord by reading them in part. 
His statement was: ``We count \non computer networks to deliver our oil and gas, our power, and \nour water, rely on them for public transportation, air traffic \ncontrol. But just as we failed in the past to invest in our \nphysical infrastructure, our roads, our bridges, and rails, we \nhave failed to invest in the security of our digital \ninfrastructure and the status quo is not acceptable.'' And I \njoin him in that, which is I guess the basis of his plan and \ninitiative.\n    I want to start with Mr. Williams because I might not have \nheard you correctly when you seemed to have been arguing \nagainst a central Government plan which I took to be focused on \nhow to structure our security and data protection versus the \nprivate sector involvement. Can you just expand on what you \nwere saying there, please?\n    Mr. Williams. Yes, ma'am. We certainly believe that \nexpanded authorities in the Department of Homeland Security and \nan expanded role of the Government are appropriate. We think \nthat this is important, as we go through this arc that Mr. \nHolleyman described where we have gone from very simple, \nunsophisticated hackers to much more sophisticated attacks. \nThis warrants a more collective approach to protecting the \noverall ecosystem.\n    What I would say--and maybe this is where that has softened \na bit--is that even if we build up that center, even if we \nbuild those resources and improve our ability to take advantage \nof that hub and that convening authority, we will still very \nmuch have a widely dispersed expertise and set of resources \nthat are at the disposal of companies. Individual companies, \ntheir utilities, their service providers, their nonprofits, \ntheir coalitions I think probably will still be the primary \ngravitational center of the work.\n    Ms. Jackson Lee. So it is important for the private sector \nto develop cutting edge technology simply to provide \nprotection. Is that what you are saying? 
You should continue to \ndo research and develop that next level of software that \nprovides that protection.\n    Mr. Williams. Absolutely, absolutely.\n    Ms. Jackson Lee. Let me follow up on some of the materials \nthat we received in the previous hearing that spoke about some \nof the either unknown or unattended to sites where the Taliban \nin Afghanistan can, without hindrance, have friendly \nconversations that may even intrude into the United States.\n    Let me ask all of you. Do you have an intensity with your \nparticular companies, those you represent where you are aware \nof that usage of sites seemingly unimpeded? Do you cooperate \nwith, for example, the FBI? Do you believe the FBI has \nsufficient tools on this? And I am saying this in the backdrop \nof a very sensitive concern about civil liberties and civil \nrights. So I am particularly concerned about sites that are \ninternational that are able to pierce the cyberspace that we \nhave. Do you want to start, Mr. Holleyman?\n    Mr. Holleyman. Ms. Jackson Lee, I don't have any \ninformation about the specific narrow question you posed. \nCertainly in a variety of cyber crime activities, companies in \nthe software industry do cooperate with law enforcement, but I \ncan't comment on your specific question.\n    Ms. Jackson Lee. So you are not aware----\n    Mr. Holleyman. I am personally not in my role as the \npresident of our association.\n    Ms. Jackson Lee. Mr. Williams?\n    Mr. Williams. We do work very actively with law enforcement \nat every level with both the U.S. authorities and with non-U.S. \nauthorities to ensure that our systems--financial services \nsystems--are not used for malicious purposes, to protect the \nintellectual property that lives in those systems, to protect \nthe personally sensitive information that is in those systems. 
\nWe have a lot of good motivations for working actively with \npeople in the private sector and the public sector to protect \nthe financial infrastructure.\n    Ms. Jackson Lee. Do you have any comment, Ms. Harris?\n    Ms. Harris. Well, I represent a civil liberties \norganization.\n    Ms. Jackson Lee. Right. That is why I asked if you had a \ncomment.\n    Ms. Harris. Beyond that----\n    Ms. Jackson Lee. I will move to my next question. Thank \nyou.\n    Ms. Harris. Okay.\n    Ms. Jackson Lee. The next question is the current trend of \ntechnology is to place information onto the cloud of third \nparty operating systems and allows phones and computers to \naccess this information. How does this rapidly growing \ndependence on storing information remotely in the cloud impact \nthe steps individuals, businesses, and the Government should \ntake to enhance cybersecurity? And how will the Government \naddress jurisdictional issues? I don't want to ask about the \nGovernment, but what are you all doing with respect to that \nconcept?\n    Mr. Holleyman. Well, from a software industry perspective, \nthere are several things we are doing. One is companies that \nare providing cloud services or hosting very much realize that \nthe security associated with their cloud offerings is going to \nbe critical not only to comply with a variety of laws, but also \nto gain customer confidence. It is probably one of the most \nimportant things that you can do, and they are very active at \nthe top of the list.\n    Second is that we are building awareness of the fact that \ncustomers should be asking questions about where their data is \nhosted and the level of security that that cloud service \nprovides.\n    And finally, if a cloud offering is, in fact, secure, we \nbelieve it could provide a higher level of security than the \nvery dispersed nature of servers and networks that exist today. 
\nSo we are trying to make it clear that there is nothing \ninherently problematic about storing information in the cloud. \nIn fact, it could be better in many circumstances, but you have \nto ask the questions about how providers are securing \ninformation and what steps they are taking.\n    Mr. Williams. We have specialists in a lot of different \ndisciplines active in our program, and people from every one of \nthose disciplines have asked about and worked on cloud. So we \nhave security specialists thinking about what the marginal \nsecurity requirements would be and what the security \nimprovements might be coming from a cloud-based infrastructure.\n    We have people who work with service providers who are \nasking what contractual provisions can help protect information \nand systems in the cloud in a way that might not have been \ncontemplated when servers were all in one location.\n    And we have people who work on public policy thinking about \nwhat the right regulatory framework would be for looking at \ncloud where geological boundaries make a little bit less sense.\n    Everyone has an interest in it and many of those interests, \nwe hope, will lead to cloud being not something that would ever \ndegrade security or degrade resiliency but would improve it.\n    Ms. Jackson Lee. So you are not running away from that. The \nbusiness community is actively engaged.\n    Mr. Williams. We are absolutely engaged. I can tell you \nthat within financial services, firms are very reluctant to \nmove their information to a public cloud where the resiliency \nstandards are set on the basis of what is publicly appropriate \nfor relatively nonsensitive information. They are much more \nlikely to use proprietary clouds or industry-specific or \nregional clouds where they can have elevated controls in place.\n    Mr. Goodlatte. The time of the gentlewoman has expired.\n    Ms. Jackson Lee. Ms. Harris was trying to answer. Could \nshe----\n    Mr. Goodlatte. 
Without objection, the gentlewoman will be \ngranted an additional minute.\n    Ms. Jackson Lee. I thank the gentleman.\n    Ms. Harris. I think that security in the cloud certainly \nwith companies that are providing applications and storage and \nother services, cloud services, to business, security is good \nand getting better.\n    I think that the unanswered question here is security and \nprivacy and other rights for consumers in the cloud, and that \nis certainly beyond the scope of this hearing. But it is far \nless clear to me that as consumers are encouraged to move their \ninformation to the cloud, that they can be guaranteed the same \nlevel of security protections, nor can they be guaranteed the \nsame level of privacy protections. Our constitutional \nprotections, our Fourth Amendment protections, our ECPA \nprotections have been outstripped by technology. We don't have \nconsumer privacy laws in this country that broadly apply to \ndata. So there are a lot of issues for consumers in the cloud \nthat go sort of beyond what business has to face.\n    Ms. Jackson Lee. I thank the Chairman very much. Mr. \nChairman, I just want to make this one comment, and I know that \nwe are speaking of software, but I really appreciate this \nhearing. I am sorry I was not here for its entirety. But there \nreally is--besides the constitutional issues--Ms. Harris, I am \nnot ignoring that and the civil liberties. There really are \nreal challenges for cybersecurity and particularly unhosted \nsites, and I would imagine that there would be overlap between \nJudiciary and Homeland Security on these issues that have to do \nwith terrorism.\n    Mr. Goodlatte. Undoubtedly there is.\n    Ms. Jackson Lee. I yield back.\n    Mr. Goodlatte. I have one additional question. I direct it \nto Mr. Holleyman and Mr. Williams.\n    How worried is the tech industry about state-sponsored \nhacking and theft?\n    Mr. Holleyman. The tech industry is certainly very worried. 
\nIt is probably one of the fastest growing forms of risk. I \ncan't quantify the extent today, but it is certainly something \nthat we work closely with Government in trying to identify \nwhere those risks may be occurring.\n    Mr. Goodlatte. Mr. Williams?\n    Mr. Williams. The financial services industry is very \nfocused on the most sophisticated threats with or without \nattribution, whether they happen to be state-sponsored or \nsponsored by some other malicious actor. We are very focused on \nensuring that the simplest, most unsophisticated threats are \nabsolutely taken care of, but we are more and more focused on \nthis more sophisticated tier.\n    Mr. Goodlatte. Thank you.\n    Mr. Watt?\n    Mr. Watt. I think I might pass except to observe that \nhaving dealt with the systemic risk issue, it seems to me that \nthat is in the financial services sector. This bill seems to me \nto be putting Homeland Security in a much, much, much more \npowerful position on a much, much broader range of issues than \nwe dealt with with just financial services' systemic risk.\n    And one might wonder at some point whether the director of \nHomeland Security is a lot more powerful than the chairman of \nthe Federal Reserve. I don't ask that. I was just wondering \naloud. Just wondering aloud. We will talk off the record.\n    Thank you, Mr. Chairman.\n    Mr. Goodlatte. I thank the gentleman.\n    And I want to thank all of our witnesses. It has been a \nvery helpful contribution to this hearing. In fact, the entire \nhearing has been very useful. It is very clear that this is a \nwide-ranging subject that, in terms of the Congress tackling \nit, is going to involve a lot of input from a lot of \nCommittees. 
But I think this Committee has a critical role to \nplay both the Intellectual Property, Competition and the \nInternet Subcommittee, as well as the Crime Subcommittee, and \nwe look forward to working together to accomplish some good \nlegislation that would buttress the work of the Administration \nand certainly give guidance to the private sector.\n    So without objection, all Members will have 5 legislative \ndays to submit to the Chair additional written questions for \nthe witnesses, which we will forward and ask the witnesses to \nrespond to as promptly as they can so that their answers may be \nmade a part of the record.\n    Without objection, all Members will have 5 legislative days \nto submit any additional materials for inclusion in the record.\n    With that, I would again like to thank our witnesses and \ndeclare the hearing adjourned.\n    [Whereupon, at 12:27 p.m., the Subcommittee was adjourned.]\n\n</pre></body></html>\n"