[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


 
      CYBERSECURITY: INNOVATIVE SOLUTIONS TO CHALLENGING PROBLEMS 

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INTELLECTUAL PROPERTY,
                     COMPETITION, AND THE INTERNET

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 25, 2011

                               __________

                           Serial No. 112-38

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov


                               __________

                       U.S. GOVERNMENT PRINTING OFFICE 

66-541 PDF                     WASHINGTON : 2011 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 

                       COMMITTEE ON THE JUDICIARY

                      LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina         JERROLD NADLER, New York
ELTON GALLEGLY, California           ROBERT C. "BOBBY" SCOTT, 
BOB GOODLATTE, Virginia                  Virginia
DANIEL E. LUNGREN, California        MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio                   ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana                  MAXINE WATERS, California
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. "HANK" JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     MIKE QUIGLEY, Illinois
TED POE, Texas                       JUDY CHU, California
JASON CHAFFETZ, Utah                 TED DEUTCH, Florida
TIM GRIFFIN, Arkansas                LINDA T. SANCHEZ, California
TOM MARINO, Pennsylvania             [Vacant]
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona
[Vacant]

      Sean McLaughlin, Majority Chief of Staff and General Counsel
       Perry Apelbaum, Minority Staff Director and Chief Counsel
                                 ------                                

  Subcommittee on Intellectual Property, Competition, and the Internet

                   BOB GOODLATTE, Virginia, Chairman

                   BEN QUAYLE, Arizona, Vice-Chairman

F. JAMES SENSENBRENNER, Jr.,         MELVIN L. WATT, North Carolina
Wisconsin                            JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
STEVE CHABOT, Ohio                   JUDY CHU, California
DARRELL E. ISSA, California          TED DEUTCH, Florida
MIKE PENCE, Indiana                  LINDA T. SANCHEZ, California
JIM JORDAN, Ohio                     JERROLD NADLER, New York
TED POE, Texas                       ZOE LOFGREN, California
JASON CHAFFETZ, Utah                 SHEILA JACKSON LEE, Texas
TIM GRIFFIN, Arkansas                MAXINE WATERS, California
TOM MARINO, Pennsylvania             [Vacant]
SANDY ADAMS, Florida
[Vacant]

                     Blaine Merritt, Chief Counsel

                   Stephanie Moore, Minority Counsel

                            C O N T E N T S

                              ----------                              

                              MAY 25, 2011

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Subcommittee on 
  Intellectual Property, Competition, and the Internet
The Honorable Melvin L. Watt, a Representative in Congress from 
  the State of North Carolina, and Ranking Member, Subcommittee 
  on Intellectual Property, Competition, and the Internet
The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, Ranking Member, Committee on the 
  Judiciary, and Member, Subcommittee on Intellectual Property, 
  Competition, and the Internet

                               WITNESSES

James A. Baker, Associate Deputy Attorney General, U.S. 
  Department of Justice
  Oral Testimony
  Joint Prepared Statement (with Mr. Schaffer and Mr. Schwartz)
Greg Schaffer, Assistant Secretary for Cybersecurity and 
  Communications (CS&C), National Protection and Programs 
  Directorate, Department of Homeland Security
  Oral Testimony
  Joint Prepared Statement (with Mr. Baker and Mr. Schwartz)
Ari Schwartz, Senior Internet Policy Advisor, National Institute 
  of Standards and Technology, U.S. Department of Commerce
  Oral Testimony
  Joint Prepared Statement (with Mr. Baker and Mr. Schaffer)
Robert W. Holleyman, II, President and CEO, Business Software 
  Alliance (BSA)
  Oral Testimony
  Prepared Statement
Leigh Williams, BITS President, The Financial Services Roundtable 
  (FSR)
  Oral Testimony
  Prepared Statement
Leslie Harris, President and CEO, Center for Democracy and 
  Technology (CDT)
  Oral Testimony
  Prepared Statement


      CYBERSECURITY: INNOVATIVE SOLUTIONS TO CHALLENGING PROBLEMS

                              ----------                              


                        WEDNESDAY, MAY 25, 2011

              House of Representatives,    
         Subcommittee on Intellectual Property,    
                     Competition, and the Internet,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 10:03 a.m., in 
room 2141, Rayburn Office Building, the Honorable Bob Goodlatte 
(Chairman of the Subcommittee) presiding.
    Present: Representatives Goodlatte, Quayle, Coble, Issa, 
Chaffetz, Griffin, Marino, Adams, Watt, Conyers, Lofgren, and 
Jackson Lee.
    Staff present: (Majority) Vishal Amin, Counsel; Olivia Lee, 
Clerk; and (Minority) Stephanie Moore, Subcommittee Chief 
Counsel.
    Mr. Goodlatte. Good morning. The Subcommittee on 
Intellectual Property, Competition, and the Internet will come 
to order.
    And I will recognize myself for an opening statement.
    Today we are holding a hearing on cybersecurity. This is a 
complex issue that cuts across several Federal agencies and 
connects a multitude of stakeholders. The issue may be complex, 
but the consequences of failure are fairly direct.
    The Federal Government's computers are attacked by hackers, 
many from abroad, on a regular basis. Though most of these 
attacks are thwarted, some end up breaking through. And not all 
of these attacks are sophisticated. Sometimes it is the low-
tech attack that wreaks the most damage as demonstrated by the 
WikiLeaks case where thousands of classified State Department 
documents were released online. Had basic cybersecurity 
practices been followed, it would not have been possible for 
someone to remove such a large volume of data from those 
classified computers.
    Despite the fact that the Federal sector grabs the 
headlines, in many respects it really is the private sector 
that stands on the front lines of cybersecurity. More than 90 
percent of our Nation's critical infrastructure is operated by 
the private sector. Even though the Federal Government has an 
important role to play, we need to make sure we hear from the 
private sector and ensure that their hands are not tied due to 
obtuse regulations and increased bureaucracy.
    In 2004, worldwide economic damage from digital attacks was 
between $46 billion and $56 billion, according to a 
Congressional Research Service estimate. In 2009, the 
Administration's cyberspace policy review estimated that losses 
from data theft in 2008 were as high as $1 trillion. It is 
clear that the stakes are high and we must take steps to 
bolster our cybersecurity now.
    Again, while the Government has a crucial role to play, any 
policy to improve private-sector cybersecurity should not run 
against or impede our economic prosperity. Regulatory mandates 
are unlikely to lead to private-sector cybersecurity 
improvements and will likely hinder economic growth.
    The regulatory process is a slow one, whereas the 
escalating cyber threats our country faces are extremely 
dynamic problems. Cybersecurity threats and online technologies 
change quickly, so quickly that any regulations for 
cybersecurity could be outdated by the time they are finalized.
    Further, a burdensome regulatory framework that increases 
costs for U.S. businesses puts them at a distinct competitive 
disadvantage to their foreign competitors. Likewise, any 
efforts by the Government to take control of the Internet 
through a kill switch should be strongly resisted. The idea of 
a kill switch harkens to the type of control abused by 
dictators, as we most recently saw in Egypt.
    I believe that Congress and the Administration need to set 
general parameters and then look for ways to encourage the 
private sector to do more to protect its infrastructure from 
cyber attacks. However, in doing so, we need to ensure that a 
one-size-fits-all mandate from the Federal Government is 
avoided. Entangling companies in a morass of red tape will not 
solve the problem and will actually stifle innovation. 
Companies are on the front lines in this fight, and the private 
sector is the best equipped to match the increasingly 
sophisticated threats to our cybersecurity with sophisticated 
counter-efforts. To be successful, any solutions in this area 
must unleash the creativity and resourcefulness of the private 
sector to combat the problem.
    One way to accomplish this would be to provide limited 
liability protection to companies that take steps to improve 
their cybersecurity capabilities. Providing civil liability 
safe harbors to businesses that demonstrate compliance with 
cybersecurity best practices would encourage the private sector 
to adopt effective measures.
    Additionally, I believe that Government has a role to play 
in public engagement, working with companies to help them 
understand and appreciate the potential losses that can occur 
through a cyber intrusion. When folks better understand the 
potential ramifications, it becomes clearer that it is in their 
best economic interest to improve their cybersecurity 
capabilities. Part of this public/private engagement means that 
companies will need to share experiences and best practices to 
help identify vulnerabilities and solutions.
    As we look at these innovative solutions, I think that we 
also need to examine the criminal code to ensure that our laws 
track with the threats posed by hackers and other cyber 
criminals. Our Nation's law enforcement agencies should have 
the necessary tools to investigate, apprehend, and prosecute 
cyber criminals.
    Though these ideas are not exhaustive, I think this 
framework will help us steer the debate toward solutions that 
address the complex and challenging problems posed in the 
cybersecurity sphere. I am currently working on legislation 
along these lines and look forward to continuing to work with 
Members of this Committee and industry on that effort.
    I look forward to hearing from all of our witnesses today 
and hope that we can have a spirited discussion on the 
Administration's cybersecurity proposal and the best steps 
Congress can take to ensure that our security in the digital 
era is strong and effective.
    And now it is my pleasure to recognize the Ranking Member 
of the Subcommittee, the gentleman from North Carolina, Mr. 
Watt.
    Mr. Watt. Thank you, Mr. Chairman. I appreciate the 
Chairman convening this hearing. I am a little disappointed that 
we don't have our colleagues here from the Crime Subcommittee, 
especially in light of the Chairman's last few paragraphs 
suggesting that this may be more readily addressed by dealing 
with the issue on the criminal side. But I am sure there are 
other implications here and I am happy to try to explore them 
hopefully without being as firm in my opinions yet since I am 
not an expert in this area as the Chairman seems to be. I am 
not sure that I think the private sector can solve every public 
problem we have, but that is a subject of a long debate in 
many, many different contexts.
    The protection and security of our Nation's digital 
information infrastructure is among the highest priorities we 
face as the transformation of global communications networks to 
cyberspace continues. As the Administration noted over 2 years 
ago in its cyberspace policy review, quote, cyberspace touches 
practically everything and everyone. It provides a platform for 
innovation and prosperity and the means to improve general 
welfare around the globe. But with the broad reach of a loose 
and lightly regulated digital infrastructure, great risks 
threaten nations, private enterprises, and individual rights. 
Closed quote.
    The Administration's answer to these challenges was 
released last week, and I commend the Chairman for scheduling 
this hearing promptly so that we can begin to debate these 
issues in earnest.
    Over the past few years, news reports of breaches in the 
digital security of our businesses, for example, Google, Sony, 
and PlayStation, or breaches of the digital security of the 
Government have increased at an alarming rate. Although 
WikiLeaks has become the face of security breaches within the 
Government, the more significant breaches are those where 
Government computers are attacked and infected with malicious 
code, as was the case last fall when a foreign intelligence 
agency using a flash drive spread a rogue program through a 
military computer network of classified and unclassified data.
    Various officials and commentators have sounded a clarion 
call for Congress to address this threat or risk a 
sophisticated cyber attack that could cripple the U.S. computer 
networks, including our financial institutions, energy, and 
electricity systems and transportation networks.
    Others have rightly highlighted the fact that we must 
continue to value individual privacy as we develop effective 
protocols to secure our digital infrastructure from attack.
    The Administration's proposal has been met with mixed 
reviews. On the one hand, the proposal seems to have received a 
generally positive reception in the Senate, but at least one 
critic and former Bush administration official has dubbed the 
proposal as less than "weak tea," saying "I would call this 
weak tea except the teabag doesn't seem to have actually 
touched the water. The privacy and business groups that don't 
want to do anything serious about the cybersecurity crisis have 
captured yet another White House."
    I am hopeful that both panels today can provide us with a 
response to that criticism.
    In closing, let me say I look forward to learning more 
about the aims of the Administration's proposal but must note 
one concern that I am sure Ranking Member Bobby Scott of the 
Crime Subcommittee and I would share: the inclusion in the 
proposal of mandatory minimums. Particularly in an area rife 
with adolescent mischief, it seems to me that there may be 
missed opportunities if there is no flexibility to educate and 
take advantage of the genius, albeit sometimes misguided or 
manipulated, of our youth who may not know that they are 
committing a cyber crime.
    We have two impressive panels today, so I will yield back 
and look forward to their testimony. Thank you, Mr. Chairman.
    Mr. Goodlatte. I thank the gentleman.
    And the Chair is pleased to recognize the Ranking Member of 
the full Committee, the gentleman from Michigan, Mr. Conyers.
    Mr. Conyers. Thank you, Chairman Goodlatte and our Ranking 
minority Member, Mel Watt.
    I want to join in the request that the Subcommittee on 
Crime have hearings on this subject since we are not doing it 
together, and I think it is better that we do it separately 
anyway, but especially with this mandatory minimum in here.
    Now, there may be a mandatory minimum that I like, but I 
have never met one yet. And to be putting this in, rushing this 
in without ever clarifying what it is we are putting a 
mandatory minimum on is not a good way for a Committee on the 
Judiciary to proceed. And so I think we ought to take that out, 
and I think that ought to belong to the Subcommittee on Crime 
to help us get to that.
    Now, I am going to be drafting a national law that doesn't 
have that in it but that will be a lot more particular, and I 
am hoping that we can get to this. California has the strongest 
laws on the subject, and I think it is very important. But I 
don't think that we can do this without taking into 
consideration some of the other State laws. And I think there 
has to be one law that supersedes all the State laws unless we 
have some particular kinds of carve-out that would allow some 
of them to exist. That is the question I am interested in 
today. Should we have a national law or should we have 
exceptions within the national law?
    And I will yield back the balance of my time, Chairman 
Goodlatte. Thank you.
    Mr. Goodlatte. I thank the gentleman.
    And I want to assure both the gentleman from North Carolina 
and the gentleman from Michigan that while the Administration's 
proposals are deserving of very careful consideration, there 
will be, I want to assure you, no rush to judgment on them with 
or without mandatory minimums.
    We have two very distinguished panels of witnesses today, 
and each of the witnesses' written statements will be entered 
into the record in its entirety. I ask that each witness 
summarize his testimony in 5 minutes or less, and to help you 
stay within that time, there is a timing light on your table. 
When the light switches from green to yellow, you have 1 minute 
to conclude your testimony. When the light turns red, it 
signals that your time has expired.
    Before I introduce our witnesses, I would like them to 
stand and be sworn.
    [Witnesses sworn.]
    Mr. Goodlatte. Thank you. You can be seated.
    Our first witness is Mr. James Baker. Mr. Baker serves as 
Associate Deputy Attorney General in the Department of Justice. 
Mr. Baker is responsible for a range of national security, 
cybersecurity, and other matters. He previously served as 
counsel for intelligence policy at the Department from 2001 to 
2007 where, among other things, he was in charge of 
representing the United States before the Foreign Intelligence 
Surveillance Court. In addition, he served as a Federal 
prosecutor with the Department's Criminal Division from 2008 to 
2009. Mr. Baker was Assistant General Counsel for National 
Security at Verizon Business. He has also taught national 
security at Harvard Law School and was a fellow at the 
Institute of Politics at Harvard's Kennedy School of 
Government. He is a graduate of the University of Notre Dame 
and the University of Michigan Law School.
    Our second witness is Mr. Greg Schaffer. Mr. Schaffer 
serves as Assistant Secretary for Cyber Security and 
Communications at the Department of Homeland Security. Mr. 
Schaffer works within the National Protection and Programs 
Directorate to lead the Department's cybersecurity efforts. He 
works with public and private sectors as well as international 
partners to prepare for, prevent, and respond to catastrophic 
incidents that could degrade or overwhelm the Nation's 
strategic cyber and communications infrastructure. Mr. Schaffer 
previously served as Senior Vice President and Chief Risk 
Officer for Alltel Communications. Before joining Alltel, Mr. 
Schaffer worked at PricewaterhouseCoopers and served as a 
prosecutor at the Department of Justice. He received his B.A. 
from George Washington University and his J.D. from the 
University of Southern California Law Center.
    Our third witness is Mr. Ari Schwartz. Mr. Schwartz serves 
as Senior Internet Policy Advisor for the National Institute of 
Standards and Technology, NIST, at the Department of Commerce. 
As part of the Commerce Department's Internet Policy Task 
Force, he provides input on areas such as cybersecurity, 
privacy, and identity management. He also works on IT-related 
issues for the White House Office of Science and Technology 
Policy Cross Agency Working Groups. Mr. Schwartz came to NIST 
on August 30, 2010 after serving over 12 years as Vice 
President and Chief Operating Officer of the Center for 
Democracy and Technology. At CDT, Mr. Schwartz worked to 
improve privacy protections in the digital age and expand 
access to Government information via the Internet. He also led 
the Anti-Spyware Coalition, anti-spyware software companies, 
academics and public interest groups dedicated to defeating 
spyware. He was also named one of the top five influential IT 
security thinkers of 2007 by Secure Computing magazine.
    Welcome to you all and we will begin with you, Mr. Baker.

TESTIMONY OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL, 
                   U.S. DEPARTMENT OF JUSTICE

    Mr. Baker. Good morning, Mr. Chairman, Ranking Member Watt, 
and Members of the Committee. Thank you for the opportunity to 
testify today on behalf of the Department of Justice regarding 
the Administration's cyber legislation proposals.
    As the President has stated and as this Committee well 
knows, the United States confronts serious and complex 
cybersecurity threats. Our critical infrastructure is 
vulnerable to cyber intrusions that could damage vital national 
resources and put lives at risk. Intruders have stolen 
confidential information, intellectual property, and 
substantial amounts of funds.
    Cyber crime is on the rise and criminal syndicates are 
operating with increasing sophistication to steal from innocent 
Americans. Even more alarming, these intrusions might be 
creating future access points through which criminal actors and 
others can compromise critical systems during times of crisis 
or for other nefarious purposes.
    Over the past few years, the Government has made real 
progress in confronting these threats. At the Justice 
Department, our investigators and prosecutors have established 
new units such as the National Cyber Investigative Joint Task 
Force, or NCIJTF, to pull together the resources of many 
different agencies to investigate and address cyber threats.
    Despite the good work that has been going on in this area, 
the problem is far from resolved. It is clear that new 
legislation can improve cybersecurity in a number of critical 
respects as described in the Administration's legislative 
proposal. I would like to take a moment to highlight two parts 
of the Administration's legislative package that are aimed at 
protecting Americans from cyber crime.
    First, data breach notification. Data breaches frequently 
involve the compromise of sensitive, personal information and 
expose consumers to identity theft and other crimes. Right now, 
there are 47 different State laws requiring companies to report 
data breaches in different situations and through different 
mechanisms.
    The Administration's data breach proposal would replace 
those 47 State laws with a single national standard applicable 
to all entities that meet the minimum threshold set forth in 
the proposal. If enacted into law, this proposal, we believe, 
would better ensure that companies notify consumers promptly 
when sensitive personally identifiable information is 
compromised and that they inform consumers about what they can 
do to protect themselves. The proposal would empower the 
Federal Trade Commission to enforce the reporting requirements. 
It would also establish rules for what must be reported to law 
enforcement agencies when there is a significant intrusion so 
that, for example, the FBI and the U.S. Secret Service can work 
quickly to identify the culprit and protect others from being 
victimized. The national standard would also make compliance 
easier for industry, we believe, which currently has the burden 
of operating under the patchwork of all these different State 
laws that I mentioned.
    Second, the Administration's proposal includes a handful of 
changes to a variety of criminal laws aimed at ensuring that 
computer crimes and cyber intrusions can be investigated and 
punished in the same way and to the same extent as other 
similar or analogous criminal activity. Of particular note, the 
Administration's proposal would make it clearly unlawful to 
damage or shut down a computer system that manages or controls 
a critical infrastructure, and it would establish minimum 
sentence requirements for such activities. This narrow, focused 
proposal is intended to provide strong deterrence to this class 
of very serious, potentially life-threatening crimes. Moreover, 
because cyber crime has become a big business for organized 
crime groups, the Administration's proposal would make it clear 
that the Racketeer Influenced and Corrupt Organizations Act, or 
RICO, applies to computer crimes.
    Also, the proposal would harmonize the sentences and 
penalties in the Computer Fraud and Abuse Act with other 
similar laws. For example, acts of wire fraud in the United 
States currently carry a maximum penalty of 20 years in prison, 
but violations of the Computer Fraud and Abuse Act involving 
very similar behavior carry a maximum of only 5 years.
    Mr. Chairman and Members of the Committee, this is an 
important topic and thank you for holding this hearing today. 
The country is at risk and there is much work to be done to 
better protect critical infrastructure and stop computer 
criminals from victimizing and threatening Americans.
    I look forward to answering your questions today, and thank 
you, Mr. Chairman.
    [The joint prepared statement of Mr. Baker, Mr. Schaffer, 
and Mr. Schwartz follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                               __________

    Mr. Goodlatte. Thank you, Mr. Baker.
    Mr. Schaffer, welcome.

      TESTIMONY OF GREG SCHAFFER, ASSISTANT SECRETARY FOR 
 CYBERSECURITY AND COMMUNICATIONS (CS&C), NATIONAL PROTECTION 
   AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY

    Mr. Schaffer. Thank you, Mr. Chairman, Ranking Member Watt, 
and Members of the Subcommittee. It is a pleasure to be here 
this morning and an honor to be able to testify on this 
important topic.
    No security issue is more pressing to the Nation than 
cybersecurity today. We face known and unknown vulnerabilities 
that are being exploited by an expanding set of threat actors 
with strong and rapidly expanding threat capabilities. They are 
acting in an environment where we have limited awareness of 
what they are exploiting on our networks, but through the 
limited visibility we do have, we know one fact, which is that 
in cyberspace, offense wins and defense tends to lose. As a 
consequence, personal privacy is routinely invaded, 
intellectual property of American companies is continuously 
siphoned off to points unknown, and as we attach more and more 
of our critical infrastructure to the networks for the 
efficiency that they can bring, the power grid, the financial 
sector, transportation networks, we put more and more of our 
systems at risk to attacks that can literally impact our way of 
life. This is a national security issue. It is an economic 
security issue, and it is a homeland security issue.
    We believe that government, industry, and individuals 
working together will be necessary in order to reform our 
practices in order to execute a solution to these problems, and 
the Administration's proposal recently submitted to Congress is 
designed to do that.
    I will focus my comments on two parts of the proposal, one 
focused on protecting the Federal Government and the other on 
protecting critical infrastructure.
    Under the heading of protecting the Federal Government, the 
proposal would solidify DHS's responsibilities with respect to 
leading protection for Federal civilian networks. It would 
establish protection service capabilities like intrusion 
detection and intrusion prevention, red teams, and risk 
assessments for Federal Departments and agencies. It is some of 
the work that we are already doing today, but it clarifies our 
authority and it removes the necessity to enter into 
complicated legal agreements and arrangements in order to 
execute in our mission space.
    It also would modernize the Federal Information Security 
Management Act, or FISMA. It is similar to many bills that have 
been presented over the last couple of years to go away from 
paper-based compliance exercises and move in the direction of 
real risk reduction through continuous monitoring and 
operational improvements.
    We would also be ensuring that DHS has the cybersecurity 
hiring authorities in order to get the best people in order to 
execute in this mission space. As you know, it is extremely 
competitive to hire people in this space. DOD had some 
authorities that allow them to move more quickly to do the 
hiring and pay arrangements that the private sector often can 
pay more and hire faster. This would simply expand DOD's 
existing capabilities and apply them to DHS.
    Under the heading of protecting critical infrastructure, we 
believe that the proposal enhances collaboration with the 
private sector through both voluntary and mandatory programs as 
well as improving the opportunities for information sharing.
    Under the heading of voluntary assistance, it enables DHS 
to quickly work with the private sector, State, local, tribal, 
and territorial governments by clarifying our legal authority 
to provide certain kinds of assistance, including alerts and 
warnings, risk assessments, onsite technical support, and 
incident response.
    For information sharing, it again clarifies the authority 
of businesses, State, local, tribal, and territorial 
governments to provide information that they learn about 
through operating their own networks which can be useful to 
help cybersecurity for the Nation. That would be done with 
immunity when the sharing is done, but it would also be done 
under mandates for a robust privacy oversight and controls.
    Mandatory parts of the provision in the bill would really 
focus on critical infrastructure mitigation of risk. In this 
space, the plan is to work with the private sector to develop 
the kinds of entities that would need to be covered as critical 
infrastructure to develop frameworks to identify risks, 
mitigate those risks, and then have the individual companies 
come up with plans to apply those frameworks to their 
infrastructure. We would then be able to make that information 
available to the marketplace. We would also be in a position to 
get notices of breaches when they happen so that we can have 
situational awareness across the ecosystem, as well as being 
able to provide assistance to those companies when breaches do 
occur.
    We believe that these provisions will help improve security 
across the entire ecosystem, and I thank you again for the 
opportunity to testify and I stand ready to answer your 
questions.
    Mr. Goodlatte. Thank you, Mr. Schaffer.
    Mr. Schwartz, welcome.
                               __________

  TESTIMONY OF ARI SCHWARTZ, SENIOR INTERNET POLICY ADVISOR, 
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT 
                          OF COMMERCE

    Mr. Schwartz. Thank you, Chairman Goodlatte, Ranking Member 
Watt, Representative Conyers. Thank you for inviting me to 
testify on behalf of the Department of Commerce on the 
Administration's cybersecurity legislative proposal.
    The main goal of this proposal is to maximize the country's 
effectiveness in protecting the security of key critical 
infrastructure networks and systems that rely on the Internet 
while also minimizing regulatory burden on the entities that it 
seeks to protect and while also protecting the privacy and 
civil liberties of the public.
    I will briefly address five parts of the proposal: first, 
creating secure plans for covered critical infrastructure; 
second, promoting secure data centers; third, protecting 
Federal systems; fourth, data breach reporting; and fifth, 
privacy protections.
    One of the most important themes of the proposal is 
accountability through disclosure. In requiring creation of 
security plans, the Administration is promoting the use of 
private sector expertise and innovation over top-down 
Government regulation.
    The covered critical infrastructure entities will take the 
lead in developing frameworks of performance standards under 
the proposal and, therefore, will look to create these 
frameworks working together with industry and can also ask NIST 
to work with them to help create these frameworks. There will 
be strong incentive for both industry to build effective 
frameworks and for DHS to approve those created by industry. 
The entities involved will want the certainty of knowing that 
their approach has been approved and DHS will benefit from 
knowing that they will not need to invest the resources of 
taking an intensive approach through developing a Government-
mandated framework unless the industry fails to act.
    Rather than substituting the Government's judgment for 
private firms, the plan holds the covered entities accountable 
to the consumers and the marketplace. This encourages 
innovation in mitigation strategies, improving adherence to 
best practice by facilitating greater transparency, 
understanding, and collaboration.
    In that same spirit, the Administration also seeks to 
promote cloud services that can provide more efficient service 
and better security to Government agencies and to small 
businesses and a wide range of other businesses. To do so, the 
draft legislation proposes to prevent States from requiring 
companies to build their data center within that State except 
where expressly authorized by Federal law.
    The proposal also clarifies roles and responsibilities for 
setting Federal information security standards. Importantly, 
the Secretary of Commerce will maintain the responsibility for 
promulgating standards and guidelines which will continue to be 
developed by NIST in cooperation with the private sector.
    My colleague from the Justice Department, Mr. Baker, went 
into great detail about the data breach reporting standard. On 
that I will just highlight a few pieces.
    First of all, we have learned quite a bit from the States, 
selecting and augmenting those strategies and practices we felt 
most effective in protecting security and privacy. The 
legislation will help build certainty and trust in the 
marketplace by making it easier for consumers to understand the 
data breach notices that they receive, why they are receiving 
them, and to take action upon them once they receive them.
    Also, the Department of Commerce last year held a notice of 
inquiry under the Internet Policy Task Force set up by 
Secretary Locke, and through that notice of inquiry, we 
received many, many comments from a wide range of businesses. 
They were unified in their stance that a nationwide standard 
for data breach will make compliance much easier for all those 
businesses that must follow the 47 different legal standards 
today.
    Finally, I would like to point out that many of the new and 
augmented authorities in this package are governed by a new 
privacy framework for Government that we believe would enhance 
the privacy protections for information collected by and shared 
with the Government for cybersecurity purposes. The framework 
would be created in consultation with privacy and civil 
liberties experts and the Attorney General, subject to regular 
reports by the Department of Justice Privacy Office working 
with the Department of Homeland Security Privacy Office, and 
overseen by The Independent Privacy and Civil Liberties 
Oversight Board. Government violations of this framework would 
be subject to both criminal and financial penalties.
    Thank you again for holding this important hearing and I do 
look forward to answering your questions.
                               __________

    Mr. Goodlatte. Thank you, Mr. Schwartz.
    I will recognize myself for a few questions, and I will 
direct this first one to all of you. What new tools will law 
enforcement get in the Administration's proposal to investigate 
and prosecute cyber intrusions and other cyber crimes? I will 
start with you, Mr. Baker.
    Mr. Baker. Thank you, Mr. Chairman.
    So the first thing, as I mentioned in my opening, was a 
proposal to create and make a clear crime with respect to 
efforts, either completed efforts or attempted efforts, to 
damage critical infrastructure systems, and in situations where 
the damage causes substantial impairment of the systems. So 
that is one. That is the one that would have the mandatory 
minimum provision in it, and I can come back to that if you 
wish.
    The other thing is our experience has shown that 
increasingly cyber crimes are committed by groups of people 
that are organized. So they are organized criminal activity. 
And we think, under those circumstances, it is appropriate to 
make clear that we can use the tools available to us under the 
Racketeer Influenced and Corrupt Organizations Act, or RICO, to 
go after those people. They pose a significant threat to the 
country. They are well organized, and they are effective in 
terms of being able to steal lots of money and compromise 
information from lots of people.
    The other thing we believe is this will harmonize and bring 
more, I guess, uniformity to parts of the criminal code with 
respect to the penalty provisions.
    So those are some of the key things that we are looking at 
here. If I can just come back to the first one that I 
mentioned, the damage to critical infrastructure systems.
    Our objective there is deterrence. What we are focused on 
is trying to prevent people--encourage people to not engage in 
those types of activities. That is what we are really after in 
that situation because when you have damage to a critical 
infrastructure system, people are going to be harmed, and that 
is what we want to avoid through these tools.
    Mr. Goodlatte. Thank you.
    Mr. Schaffer?
    Mr. Schaffer. Yes, Mr. Chairman. I won't speak to the 
particular provisions that Mr. Baker mentioned, but I will say 
from a Department of Homeland Security perspective, the 
improved situational awareness that we would expect through the 
clarity of the voluntary provisions to ask for and get 
assistance, to have information sharing from the private 
sector, and the clarity around what the Federal Departments and 
agencies can disclose and report will, I think, improve the 
situation for law enforcement across the board. We work 
cooperatively today with law enforcement agencies within the 
Department of Justice, within DHS, and otherwise, and that 
growing interagency cooperation to know what is happening in 
the ecosystem I think benefits law enforcement. It benefits 
network defense. It is good across the entire ecosystem.
    Mr. Goodlatte. Thank you.
    Mr. Schwartz?
    Mr. Schwartz. I will just briefly add. My two colleagues 
covered the main areas, but briefly just to give kind of more 
of a general overview, really the goal is to get the incentives 
right. We have to make sure that we have a deterrence for those 
that are doing wrong, that criminals do pay for their crimes, 
and that companies and entities that need to do the right thing 
in the space have incentive to do so as well. We think that 
this package moves us further in that direction. We are happy 
to work with you further to make sure that we have those 
incentives right.
    Mr. Goodlatte. Thank you.
    The Administration's proposal appears to mandate technical 
standards for almost any aspect of the private sector. Should 
the American people feel comfortable with giving the Homeland 
Security Department the ability to designate any enterprise as 
covered critical infrastructure? And subject to DHS mandates, 
are there any avenues for an enterprise to appeal their 
classification? Mr. Schaffer?
    Mr. Schaffer. Yes, Mr. Chairman. Thank you for the 
question.
    I think that the way that the statute is set up, that 
process of identifying critical infrastructure would be done 
through a rulemaking, and because it would be done through a 
rulemaking, the private sector would have an opportunity to 
participate in the process, to comment on the criteria that 
would be established in order to identify which entities should 
be a part of critical infrastructure, and then would be in a 
position to participate in the process of identifying both the 
risks that needed to be mitigated, the frameworks for 
mitigation of those risks, and then develop plans to execute on 
that risk mitigation. So they have got significant roles in the 
private sector. This is not DHS going out and doing it on its 
own.
    Mr. Goodlatte. Right, but if they want out, can they get 
out?
    Mr. Schaffer. Again, I think that would be part of the 
rulemaking process to get to the ultimate rules that would make 
a determination.
    Mr. Goodlatte. Well, let me just add to that. I am not 
aware of any modern system that isn't reliant on some form of 
information infrastructure to operate, and if the Secretary 
decides for any reason that a particular system could weaken 
our economy, security, or safety, then he or she has unfettered 
authority to regulate them. Quite frankly, a lot of that seems 
like regulation for regulation's sake.
    My question--I will address it to all of you since it is 
the Secretary of Homeland Security who seems to have the 
primary authority here. But do you think that Congress and the 
American people want to have their cabinet agencies turned into 
quasi-fiefdoms with absolute authority over the private sector? 
Mr. Schwartz?
    Mr. Schwartz. I want to take issue with this point that you 
raise about technical mandates. The frameworks that are being 
designed here are not at all technical mandates. These are 
performance measures. These are performance standards that 
industry will come together to design for themselves. That is 
the goal. There are no technical mandates and no technical 
standards within that framework whatsoever. Once industry has 
built those performance measures, they then create their own 
security plans to meet those performance measures. So they come 
up with what technology is needed, what standards they need to 
follow in order to meet those performance plans. It is 
purposely, specifically set up to avoid the kind of technology 
mandates in other bills.
    Mr. Goodlatte. Each company can have a separate standard?
    Mr. Schwartz. Each company could build their own--decide 
what technology they need to meet those performance measures. 
They could have completely separate technologies if they want 
to. It would obviously make sense----
    Mr. Goodlatte. Maybe we are engaged in semantics here, 
though. You call them ``performance measures.'' I call them 
``technical standards.''
    Mr. Schwartz. No. Those are two completely--coming from the 
National Institution for Standards and Technology, we focus on 
standards in terms of measurements. The goal is to come to a 
performance measure or a technical standard. Those are two 
separate things. A performance measure is to say that we need 
to make sure that we cut down on the number of breaches, that 
we act in a certain way when breaches happen, and that is tied 
to something that can be measured as opposed to a technical 
standard which is we take information in a certain way, we use 
a certain kind of technology, we are trying to get at a certain 
problem in a very specific way. We see those as two different 
things. And we have separated the framework that needs to be 
built, which is the higher performance standard framework, from 
the technical security plan. The security plan is built by the 
company not by the industry at large, not by DHS. And that is 
where we think the separation is.
    It is exactly that reason that we think that innovation in 
the marketplace can grow in this space through this plan as 
opposed to the other bills that we have seen out there in this 
space that have DHS make the decisions. So we completely agree 
with you. DHS should not be making the decisions.
    Mr. Goodlatte. Let me give you an example, a real-time 
example. You have the recent Sony PlayStation attack. It could 
cost the company hundreds of millions of dollars. We don't know 
what the outcome is going to be there yet. With that type of 
impact on the economy, would Sony's PlayStation network fall 
under the ``covered critical infrastructure''?
    Mr. Schaffer. I think as conceived, there would be a 
process to make determinations as to what would fall under. I 
wouldn't, as I sit here today, think that that would have been 
identified as critical infrastructure, but again, those 
regulations haven't been written.
    I do think, as a former CISO and CSO, a chief information 
security officer and chief security officer, for a Fortune 260 
company, this kind of arrangement where the companies get to 
participate in identifying the risks, designing the frameworks, 
and then writing their plans to meet those frameworks is 
flexible enough and allows for innovation. It doesn't tell a 
CISO, chief information security officer, what to do to solve 
the problem. It simply identifies the problems that need to be 
addressed and then gives them significant flexibility in coming 
up with a solution.
    Mr. Goodlatte. Well, you are asking for a lot of trust from 
the Congress and from the American people on this. So I guess 
what we will have to decide is will we want to trust the 
bureaucracy or are we going to try to write that much detail 
into legislation that clearly defines what is and what is not 
covered by so-called critical infrastructure.
    At this time, it is my pleasure to yield to the gentleman 
from North Carolina, Mr. Watt.
    Mr. Watt. Thank you, Mr. Chairman.
    Let me address the circumstance under which we are here 
today because it is a little unusual. We have three Government 
witnesses here. You have submitted joint testimony, and it 
leads me to raise the question who is really in charge of this. 
I mean, most of the time, when we are doing this stuff, we have 
one person who is the go-to person. My understanding is that 
you all kind of insisted that you had to have three witnesses 
from the Government side. I know there are different aspects to 
this, but who is in charge of coming up with where you all got 
to? Where does the buck stop? I know it stops at the 
President's desk. Don't tell me that. Who is running the show?
    Mr. Baker. If I could, I will start with that, Congressman.
    Mr. Watt. I don't need three answers to it. I just need one 
answer to it.
    Mr. Baker. At the end of the day, you are right. The 
President and the White House are in charge.
    The proposal that we have put forward reflects a whole-of-
government approach. Many aspects of the Government participate 
in the development of this proposal and have various 
``equities,'' if I can use that word. The Attorney General 
plays a certain role. The Secretary of Homeland Security plays 
a certain role. Different officials play different roles 
throughout the proposal, and what we are trying to do is bring 
forward something that does reflect a whole-of-government 
approach because the whole of government is responsible----
    Mr. Watt. So every time we want some information about 
anything here, we are going to have to have three of you all 
come talk to us?
    Mr. Baker. The Department of Justice has a longstanding 
relationship with this Committee. If you let us know what you 
need, we will work to make sure we get the right people here 
for you.
    Mr. Watt. All right.
    You talked about, Mr. Baker, the Federal preemption issue. 
I am always a little leery of Federal preemption. We have dealt 
with it in a number of contexts, and generally I am leery of it 
because the Federal law waters down what some States have done 
and waters up what some States have done. So you get to some 
fairly vanilla middle ground.
    Does your proposal provide an exemption from Federal 
preemption for stronger State laws?
    Mr. Baker. I think the answer is no, Mr. Chairman. The idea 
is that we are establishing----
    Mr. Watt. Have you adopted the strongest State standard 
that is out there?
    Mr. Baker. The answer is I am not sure that I could tell 
you what all 47 statutes require, but I believe that we have 
looked at all the statutes and other proposals, because there 
have been a number of different proposals in this area both 
from----
    Mr. Watt. Well, what is the compelling Federal interest in 
having a Federal standard for protecting all data, private 
citizen data? There are a number of things that the States have 
authority to do, and we are operating in a Federal system here. 
Why should we be preempting a State law on my personal 
information, breach of my personal information that is stronger 
than what you think the law should be?
    Mr. Baker. The compelling interest is the cybersecurity of 
the Nation. This is----
    Mr. Watt. No. This is about my personal--this is about the 
personal part of my information now. I understand when it comes 
to national defense and homeland security, you have got a 
national, Federal compelling interest.
    But you know, this is like consumer law, it seems to me. 
You know, we have gone through this debate in the financial 
services context. They tried to preempt every State law. The 
State laws in a lot of cases were a lot more robust and 
aggressive than the Federal law that we were trying to impose. 
Why would I want to do that?
    Mr. Baker. Well, again, as I said, we are trying to make 
this a uniform standard that makes it easier and faster that 
consumers find out what is going on and are aware of what has 
happened and makes it easier for companies to comply. So we are 
trying to get the balance right here.
    I would say, with respect to this proposal in its entirety, 
we are here and we are happy to work with you.
    Mr. Watt. Okay. This is the first time I am seeing this. I 
mean, it is a fairly new statute. But these are some of the 
things that I think we have got to work through.
    Let me draw another parallel, if I have a little time, Mr. 
Chairman. You have got an immunity from liability for private 
industry people that seems to me to be as broad as it would be 
as if the Government itself were acting. This is under section 
246 of this proposed legislation. And it basically says, okay, 
if you do what we tell you to do under section 244(e), then you 
are given immunity from any kind of liability. 244(e) says that 
it authorizes the Secretary to request and obtain the 
assistance of private entities that provide electronic 
communications or cybersecurity services in order to implement 
this program. That is pretty damn broad.
    And it reminds me, to some extent, of the same thing that 
the Federal Government was asking us to do under the PATRIOT 
Act. The Government told you to do something. Therefore, it 
must be good. Therefore, you are exempt from liability. So are 
we setting up the same framework here?
    Mr. Baker. I will defer to----
    Mr. Watt. I didn't support it there either.
    I am assuming this is a legal issue.
    Mr. Baker. It is a combination, sir, and so it is liability 
protection, but it is if they act consistent with this 
subtitle, the subtitle that includes the sections you 
referenced. So they need to act in conformance with the law or 
have a good faith belief that they are doing so. Then they get 
liability. If they go off the reservation and do something that 
is not authorized, they don't get liability protection.
    I will defer to Mr. Schaffer.
    Mr. Watt. Okay, Mr. Schaffer. Help me.
    Mr. Schaffer. Yes, Congressman. The provision really goes 
to the disclosure of any communication record or other 
information or assistance provided to the Department pursuant 
to 244(e). So what really this is trying to do is to allow the 
Department to work with a private sector entity that has 
identified an issue and wants to bring that forward for the 
benefit of all to protect the ecosystem.
    Mr. Watt. Well, how is that different--you know, the 
Justice Department or somebody went out and told all the 
telecoms to tap anybody's phone, even though we thought it was 
unconstitutional to do that. And then you came back and said, 
well, give them immunity for doing that because we told them to 
do it. I mean, how is this different than that?
    Mr. Schaffer. The statute doesn't authorize them to 
disclose anything that was not obtained legally. It doesn't 
authorize them to----
    Mr. Watt. But once you tell them it is legal to obtain it, 
doesn't that give them complete immunity? That was the argument 
you were using the last time under the PATRIOT Act.
    Mr. Schaffer. Sir, I cannot speak to what argument was made 
with respect to the PATRIOT Act, but I know that here the 
intent is to address a problem that is ongoing which is we 
routinely interact with a company like Sony or other companies 
who have had breaches, know that there is an ongoing matter of 
concern, and want to provide information to the Government that 
can be used to help that company and can be used to help a 
whole range of other players who are potentially at risk. In 
those moments, we sometimes are delayed by days or weeks in 
negotiation with those entities around what they can or cannot 
provide to the Government in that moment.
    Mr. Watt. It sounds like exactly the situation you all were 
in. Those companies said I am not going to tap these phones 
because we think it is unconstitutional. You said, oh, no, it 
is constitutional. We will give you immunity for it. So the 
company then is able to do something that they believe is 
unconstitutional just because you told them it was 
constitutional. And they had some ambiguous Justice Department 
memo that said that.
    I am having trouble differentiating this. I mean, these are 
issues that I think we are going to have to address here. I am 
way over my time.
    This is a little bit more than a teabag I think. This has 
some implications that go well beyond, I think, what has been 
well thought out. So I guess that is why we are here.
    Mr. Chairman, I yield back. I appreciate the Chairman being 
generous with----
    Mr. Goodlatte. I thank the gentleman.
    The gentleman from California, Mr. Issa, is recognized for 
5 minutes.
    Mr. Issa. I doubt that I will be as spellbinding as the 
previous inquisitor, but I will agree with him.
    I have got a deep concern here. Mr. Baker, why is it that 
this draft legislation doesn't envision the third branch of 
Government having a significant role? Why is it you believe 
that you have to essentially grant immunity without court 
interaction?
    Mr. Baker. Well, I guess I would have to think through--I 
mean, various parts of the proposal do involve the third branch 
of Government, for example, the critical infrastructure 
prohibition that----
    Mr. Issa. No, but I am talking specifically here. Look, if 
you go to Sony or you go to Facebook or you go to anybody, they 
have vast pools of information that are personal. And the 
Ranking Member and I share this. The tradition in this country 
has been you want to see it. I want you to have to make a good 
faith test to the third branch who stands there prepared to 
doubt your good intentions. It is what has kept 1984 from 
happening in this country, is that you have got to go to that 
third branch, and they are just a little more cynical about 
your power grabs as a branch. We are supposed to be your 
balance, but without their interplay, you are going to be doing 
this for years to come, and all it will take is--well, you 
don't have two-thirds in both houses to stop a President from 
doing it in his Administration.
    So tell me why specifically if you feel that you need to 
grant immunity to anybody for their cooperation, the third 
branch of Government should not be included?
    Mr. Baker. First of all, the provision I think you are 
talking about is a voluntary provision. So it only allows 
sharing of information in a voluntary----
    Mr. Issa. Look, I know what voluntary is. I did vote for 
the PATRIOT Act. I did sit on the Select Intelligence 
Committee. I did participate in that broad granting of immunity 
and pushed to get it into the bill retroactively to make it 
clear that we needed to put September 11th emergencies behind 
us.
    But having said that, look, let's get back to it. You are 
asking for cooperation with the force of your ability to make 
life miserable on private sector companies behind closed doors 
is not a voluntary act. You can be very, very convincing. 
Wouldn't you agree?
    Mr. Baker. The Government can be very convincing, 
certainly.
    What I would say is what we are trying to do and what we 
really tried to do in this whole proposal is get the balance 
right between the need to provide security, the need to allow 
for innovation and foster innovation, and the need to protect 
privacy.
    Mr. Issa. My only question to you is, as we go through this 
legislation, wouldn't you agree that adding in--even if it is a 
special court, if it is judges that are ready and quickly able 
to understand a comparatively complex new area of security, 
wouldn't you say that having that third party is a protection 
that this side of the dais should be interested in seeing that 
your side of the dais has?
    Mr. Baker. Congressman, we are happy to work with you on 
that. We have never said that this is a perfect proposal in all 
respects, and we are happy to work with you and the other 
Members of Congress because, on a bipartisan basis, we want to 
make sure that we get this legislation right.
    Mr. Issa. Mr. Schaffer, he got the easy question. You are 
getting a little tougher.
    The Department of Homeland Security has politicized FOIA. 
It has actually taken FOIA requests by the press and others, 
handed them over to political appointees to create an enemies 
list to know who was asking for what, to deny it or to spin it 
before it is ever released. Why is it, you think, the 
Department of Homeland Security is the primary place to get 
commercial information, not firewall to the bad guys outside 
our country, not terrorists within? Why do you think that you 
are the best place to put Facebook and Google and Microsoft and 
all the other providers and Sony, obviously--why is it you 
think you should have anything to do with it? Where do you have 
the standing under Homeland Security?
    And by the way, why is it Mr. Schwartz wouldn't be more 
appropriate? Why is it that that portion isn't as much Commerce 
as it is this new and sometimes dysfunctional Department of 
Homeland Security?
    Mr. Schaffer. Thank you, Congressman.
    I think that DHS has spent a considerable amount of effort 
over the course of the last several years building its 
relationships with the private sector in this particular 
subject-matter area. Under the National Infrastructure 
Protection Plan, DHS has a major role in working with the 
sectors, the 18 critical infrastructure sectors, on a wide 
range of protection and security-related issues. With respect 
to cybersecurity, DHS, in particular my organization at Cyber 
Security and Communications, has responsibility with respect to 
the IT sector, the communications sector, and the Cross Sector 
Cybersecurity Working Group.
    We work through those structures and several others to 
build an ongoing relationship where we actually have private 
sector participation on the watch floor that we use to handle 
cyber incidents under the National Cyber Incident Response 
Plan. And that relationship has been growing. We have been 
adding the information security analysis centers from the 
different sectors, participating also on the watch floor, 
sending representatives because they want to participate.
    Mr. Issa. Okay, I get it. I am going to be a little short 
only because my time has actually expired.
    Mr. Schwartz, obviously, Commerce and State really have a 
presence overseas, and a lot of what we need to do is to reach 
out at all levels.
    What role do you think that you should be included in a 
more robust way than you are under this proposal?
    Mr. Schwartz. Well, I think this proposal does lay out ways 
that NIST and Commerce can be deeply involved, but it involves 
the private sector bringing us in for those cases. So, for 
example, in the critical infrastructure plans piece, if they 
want to invite NIST to help work with them to plan 
international standards to help them build the framework so it 
can lead to security plans and figure out how that can work 
better together and they want NIST to participate in that, the 
private sector can bring us in to do so. Obviously, we have 
limited resources to be able to get involved in every different 
critical infrastructure area, but that is one place----
    Mr. Issa. So you currently see you are going to be 
reactive, not proactive because of the nature of it. Wouldn't 
it be better for you to have a mandate to be proactive?
    Mr. Schwartz. There are some places working with the 
Federal Government agencies, for example, where we are setting 
standards for the Federal Government, where we are being very 
proactive. And some of those are then ending up being used by the 
private sector. So in terms of the question of protecting the 
critical infrastructure as it relates to the private sector, we 
need to be brought in for that. For the Federal Government, we 
are much more proactive. And I think we want it that way. We 
don't want to be setting technical standards for the private 
sector, as I said to the Chairman earlier. I think that is very 
important that we are working with the private sector 
cooperatively and we are setting standards that can work for 
Government, and then we can figure out how those can be used 
together.
    Mr. Issa. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The Chair recognizes the gentleman from Michigan, Mr. 
Conyers.
    Mr. Conyers. Thank you, Mr. Chairman.
    Mr. Schaffer, the notice would have to be given to an 
entity of the Department of Homeland Security. That is a 
national standard requirement for reporting breaches of private 
consumer data. What entity of the Department of Homeland 
Security?
    Mr. Schaffer. I think, as we are currently constructed, it 
is the NCIC and U.S. CERT entity. I think that the drafting 
recognizes that names of entities can change over time, but the 
notion is that that portion of my organization at Cyber 
Security and Communications would be where those central 
reports would flow.
    Mr. Conyers. So everybody has got to come back and read 
this transcript to find out what the answer to my question is.
    Mr. Schaffer. I apologize, sir. The United States Computer 
Emergency Response Team is part of the Cyber Security and 
Communications organization, and there is a watch floor called 
the National Cyber Security and Communications Integration 
Center that works with U.S. CERT to be a collection point for 
information aggregation and dissemination.
    Mr. Conyers. So we just go to some entity and that is what 
it is. So now we know.
    All right. Who is going to have primary responsibility to 
investigate criminal violations as between the FBI and the 
Secret Service?
    Mr. Baker. As it is today, it is a variety--the two of them 
work it out. They coordinate their activities to determine who 
is going to investigate a particular offense. They have 
overlapping jurisdiction. They have to coordinate their 
activities, and so that is how it is done with those agencies. 
It is common to do that with a variety of different law 
enforcement agencies that exist in the Federal Government.
    Mr. Conyers. Well, they have enough differences of opinion 
often enough as it is.
    Mr. Baker. They may have differences of opinion. At the end 
of the day, they don't get to go to court unless they come 
through the Department of Justice. The Department of Justice is 
in control of what cases get indicted and what cases are 
brought forward and how appeals are handled and so on and so 
forth. So at the end of the day, it is the Attorney General.
    Mr. Conyers. Thanks, Mr. Chairman.
    Mr. Goodlatte. I thank the gentleman.
    And the Chair now recognizes the gentleman from Arizona, 
Mr. Quayle.
    Mr. Quayle. Thank you, Mr. Chairman, and thanks to all the 
witnesses for being here.
    One thing I want to know--it is for all of you and whoever 
best can answer this just pipe in. Can you explain exactly how 
you plan to address some of the duplicative regulation work 
that might be happening here? Because NIST has historically 
been the lead agency in setting standards, especially working 
with industry to create those standards. But the 
Administration's proposal seems to shift that responsibility to 
DHS.
    For example, will DHS first assess the cybersecurity 
requirements of the various Federal agencies to determine if 
they are adequate before creating their own regulations, or do 
you intend that DHS just creates their own regulations and then 
waits for the request from various agencies for exceptions?
    Mr. Schwartz. Let me just briefly talk about NIST's role 
because I think there is a misunderstanding there about what 
NIST's role currently is. NIST today sets the standards for the 
Federal Government. Then OMB takes that and approves them for 
the agencies.
    Under this proposal--and there has recently been a memo 
that also passed some of that authority to DHS. So this would 
codify the ways that things are actually currently being run, 
which is that NIST would still write the standards. In fact, 
the Secretary of Commerce publishes those standards. It is very 
clearly in the proposal. Then DHS can draw on those to decide 
what the agencies should do specifically.
    So NIST is still writing the standards the way that we have 
and we will continue to write the standards in that way and, in 
fact, gain slightly more independence in that because OMB has 
traditionally just passed on exactly what we have said to the 
other agencies. This will allow DHS to tailor better to 
different agencies and hopefully create better technical 
standards that can be tied to performance standards as well so 
that we can react better more quickly over time inside of the 
Federal Government.
    Mr. Quayle. But so then is DHS then going to take the 
various standards that NIST comes up with and then implement 
them through the other various Federal agency, or is the 
Federal agency going to be able to use NIST standards to create 
their own cybersecurity framework within that agency and then 
have to get approval from DHS?
    Mr. Schaffer. As Mr. Schwartz said, this really codifies 
the way things are operating now through delegations of 
authority. So NIST would continue to draft the standards. DHS 
would take those standards and would be applying them to the 
Departments and agencies. If Departments and agencies had 
specific issues that needed to be addressed in some special 
way--the standards are not written for each individual agency, 
they are written holistically--then we would be in a position 
to work with an agency and come up with a set of requirements 
that made sense specifically for the set of threats or risks. 
But ideally we would be working starting from the NIST 
standards just as we are today, and as Mr. Schwartz said, that 
was being done by OMB recently delegated through a memorandum 
to DHS. But the statute would just codify that oversight 
authority moving to DHS.
    Mr. Quayle. And, Mr. Schwartz, when you are talking about 
the standards that are being developed by NIST, that kind of 
does conjure up a very static procedural way that we are not 
going to be able to have the flexibility to respond to various 
cyber threats which evolve very quickly in the future. How is 
NIST going to develop those standards and do them in a way that 
allows for the flexibility to have best practices from various 
areas to come in and make sure that, instead of just being 
reactive, we are being proactive to make sure that we are still 
using the best standards to address cybersecurity threats?
    Mr. Schwartz. One of the problems we have today under FISMA 
is that the focus has been on trying to cover all of the 
different controls that NIST puts out, so the IG, the Inspector 
General, has said you have to make sure that you cover all of 
these controls rather than saying we need to focus the controls 
that work best for each agency, which is what NIST really says 
in our guidance on the subject. So this structure helps to get 
that point across better, that we are really aiming at 
performance here and not at you have to follow every single 
standard that NIST puts out.
    As NIST puts these out, we do think that we have 
flexibility and we spend a lot of time with some more technical 
standards. Encryption is a good example of that, which we try 
to think very far ahead in trying to make sure that things are 
done, and the world depends on the NIST encryption standards 
for that reason because it is so thought out, et cetera. There 
are others that we try to act much more quickly, try to be 
reactive, et cetera, and get things out very quickly. So we try 
to have that kind of flexibility so we can do both.
    But we need the independence also of not having to answer 
every agency question that comes in on every topic. We need 
someone to be able to do that. We work with the agencies as 
clients, et cetera, and work with them on the standards, but 
there is a different piece of it in terms of performance and 
getting the performance measures out. It is good to have 
another body do that. OMB was doing that role before. Now that 
is moving more to DHS.
    Mr. Quayle. Thank you very much.
    I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The gentlewoman from Florida, Ms. Adams, is recognized for 
5 minutes.
    Ms. Adams. Thank you, Mr. Chair.
    Earlier I heard you, Mr. Schwartz, say ``performance 
measures.'' Can you give me your definition for performance 
measures?
    Mr. Schwartz. What we are aiming at is trying to figure out 
exactly how to improve the actual way that the Internet is 
protected so that we can come up with measures that show when 
we have been successful in protecting cybersecurity as opposed 
to ``technical standard,'' which is to say that you must follow 
a certain set of controls in order to come up and make sure 
that you are interoperable with other types of controls.
    Ms. Adams. So that is your explanation of performance 
measure.
    Mr. Schwartz. Again, performance measure is something that 
can be measured that shows that you are continually improving 
the cybersecurity as we know it, that we can show continued 
positive performance over time.
    Ms. Adams. Well, I have to tell you that your description 
kind of concerns me because you had to grapple at what it was. 
So it concerns me when an agency is going to decide what the 
performance standards are when they are still grappling with 
what are the performance standards, how do you define 
performance standards.
    Mr. Schwartz. Again, I am not the technical person that is 
going and writing these technical standards, and I am not the 
person that is writing the performance standards. What a 
performance standard will be will be a particular number or a 
particular set of--particular targets.
    Ms. Adams. So that is not static.
    Mr. Schwartz. It is not static, exactly. It is something 
that is not static. It is something that can change over time, 
something that can be revisited, whereas a technical standard 
is something that is written, people need to be able to follow 
it and be able to interoperate.
    Ms. Adams. And following along what--Mr. Watt I believe was 
the one that brought it up on the Federal preemption with Mr. 
Baker. You said that you had not reviewed all 47--that they had 
been reviewed, but you had not reviewed them. So you don't know 
if the Federal preemption would preempt a State that actually 
might have a better system than what the Federal Government 
would come up with. Is that correct?
    Mr. Baker. That is correct.
    Ms. Adams. So you still advocate for Federal preemption 
even though you could actually do more harm than good?
    Mr. Baker. Well, our folks have looked at it carefully and 
we believe that this is the right balance. If there are State 
standards that Members of Congress feel should be included in 
the Federal legislation, we are happy to work with you on that. 
We have tried to get the balance right. If you think we should 
add things, we are happy to work with you and look forward to 
that because we want to make sure that----
    Ms. Adams. Well, I am happy to hear that agencies want to 
work with us on legislation that we would be drafting. That is 
a good thing. I would hate to think that you would think you 
could draft the legislation.
    Let's see. Mr. Schaffer, I believe. You are from DHS? Do 
you believe that there should be limits to the power that the 
Secretary of Homeland Security can exert on private industry?
    Mr. Schaffer. I am sorry. I missed the last phrase.
    Ms. Adams. Do you believe that there should be limits to 
the power that the Secretary of Homeland Security can exert on 
private industry?
    Mr. Schaffer. I am sorry, ma'am. I believe----
    Ms. Adams. That is a yes or a no?
    Mr. Schaffer. Yes, and I think they are in the statute.
    Ms. Adams. Would the Administration's plan give the 
Secretary unfettered authority over any business?
    Mr. Schaffer. No, it certainly wouldn't give unfettered 
authority.
    Ms. Adams. Maximum authority?
    What large industries would be excluded?
    Mr. Schaffer. Ma'am, the way the statute is configured--and 
I assume that we are talking about the critical infrastructure 
portion of the statute because other portions have a different 
scope.
    Ms. Adams. Are there any that have been excluded so far?
    Mr. Schaffer. I certainly don't think that every large 
enterprise would be part of critical infrastructure under this 
construct.
    Ms. Adams. How about under cybersecurity as a whole that 
would be monitored under this?
    Mr. Schaffer. Certainly the statute is designed to improve 
cybersecurity across the entire ecosystem, but the critical 
infrastructure piece is, indeed, intended to be focused on 
critical infrastructure, those infrastructures which, if 
disrupted through a cyber attack, would have cascading and 
devastating effects across a significant portion of our day-to-
day lives.
    Ms. Adams. Mr. Baker, do you know any that would be 
excluded?
    Mr. Baker. I am sorry.
    Ms. Adams. Any industries that would be excluded outside 
the critical infrastructure? Large corporations.
    Mr. Baker. Categories of industries. I mean, I guess it 
depends on the facts and circumstances and how they 
interrelate, but I think I----
    Ms. Adams. How would you define that? Would that be clearly 
defined in what you were doing?
    Mr. Baker. In the proposal that I was talking about earlier 
on the critical infrastructure, we have got a fairly specific----
    Ms. Adams. I am sorry, Mr. Chair. I guess I have overrun my 
time.
    But I am just curious. If you are outside the critical 
infrastructure, you are on the cybersecurity issue, is there 
any of that that falls into the exclusion?
    Mr. Baker. Any that would fall into the exclusion in terms 
of the--well, with respect to the proposal I was referring to, 
we couldn't use it if it didn't meet the test that was set 
forth in the statute, and that would be determined at the end 
of the day by a court. We would have to make the case to the 
court that it was part of the----
    Ms. Adams. You think it might end up in court.
    Mr. Baker. Well, this one, the one I am referring to, 
absolutely would, yes, because it would be a criminal offense 
and we would have to show that it was vital to the country.
    Ms. Adams. I was actually talking about the statute if we 
were to pass it.
    Mr. Baker. The statute what? I am sorry.
    Ms. Adams. The law, if we were to pass it. I thought you 
meant you thought it would be in court.
    Mr. Baker. I am sorry. I couldn't hear, Congresswoman. I am 
sorry.
    Mr. Goodlatte. I thank the gentlewoman.
    And the gentleman from Pennsylvania, Mr. Marino, is 
recognized for 5 minutes. The gentleman has no questions.
    We will thank our panel then. This has been very 
interesting, and I think it is just the beginning of a lot of 
discussion about the Administration's proposal and potential 
legislation that I and others are working on here in the 
Congress. So we very much appreciate your contribution, and we 
will thank all of you and excuse you and move to the second 
panel.
    We will now move to our second distinguished panel of 
witnesses today, and as I advised earlier, each of the 
witnesses' written statements will be entered into the record 
in its entirety. And I ask that each witness summarize his or 
her testimony in 5 minutes or less, and to help stay within 
that time, there is a timing light on your table. When the 
light switches from green to yellow, you have 1 minute to 
conclude your testimony. When the light turns red, that is it.
    Before I introduce our witnesses, I would like them to 
stand and be sworn, and we would ask you to do that at this 
time. It is the custom of the Committee to swear in our 
witnesses.
    [Witnesses sworn.]
    Mr. Goodlatte. Thank you very much.
    Our first witness is Mr. Robert Holleyman. Mr. Holleyman 
serves as the President and CEO of the Business Software 
Alliance. He has headed BSA since 1990, expanding their 
operations to more than 80 countries and launched 13 foreign 
offices, in addition to their D.C. headquarters. Mr. Holleyman 
has been named one of the 50 most influential people in the 
intellectual property world by the international magazine, 
Managing IP. He was also named by the Washington Post as one of 
the key players in the U.S. Government's cybersecurity efforts 
for his work on behalf of industry on national cybersecurity 
policy.
    Before joining BSA, Mr. Holleyman served as counsel in the 
U.S. Senate and was an attorney with a leading law firm in 
Houston, Texas.
    He earned his bachelor of arts degree at Trinity University 
in San Antonio, Texas and his juris doctor from Louisiana State 
University Law Center in Baton Rouge. He also completed the 
executive management program at the Stanford Graduate School of 
Business.
    Our second witness is Mr. Leigh Williams. Mr. Williams 
serves as BITS President for the Financial Services Roundtable. 
Since 2007, Leigh Williams has served as President of BITS, the 
technology policy division of The Financial Services 
Roundtable, focusing on improving operational practices and 
public policy in the financial sector. Previously Mr. Williams 
was a senior fellow at Harvard's Kennedy School of Government 
researching public and private sector collaboration in the 
governance of privacy and security.
    Mr. Williams worked for many years at Fidelity Investments 
in various risk, security, privacy, and policy roles, including 
chief risk officer, chief privacy officer, and senior vice 
president for public policy.
    Mr. Williams earned a bachelor of arts in economics from 
Rice University and a master of public and private management 
from Yale University where he currently serves as the Yale 
School of Management Alumni Association President.
    Our third witness is Ms. Leslie Harris. Ms. Harris serves 
as the President and CEO of the Center for Democracy and 
Technology. Ms. Harris is responsible for the overall direction 
of the organization and serves as its chief strategist and 
spokesperson. Ms. Harris has worked extensively in policy 
issues related to civil liberties, new technologies, 
cybersecurity, and global Internet freedom. In 2009, she was 
named one of Washington's ``tech titans'' by Washingtonian 
Magazine.
    Prior to joining CDT, Ms. Harris founded Leslie Harris and 
Associates, a public policy firm. She has also worked for the 
People for the American Way and the American Civil Liberties 
Union.
    Ms. Harris received her B.A. from the University of North 
Carolina at Chapel Hill and her law degree from the Georgetown 
University Law Center.
    I want to welcome all of you and we will begin with Mr. 
Holleyman.

        TESTIMONY OF ROBERT W. HOLLEYMAN, II, PRESIDENT 
           AND CEO, BUSINESS SOFTWARE ALLIANCE (BSA)

    Mr. Holleyman. Thank you. Chairman Goodlatte, Ranking 
Member Watt, BSA appreciates the opportunity to work with this 
Committee on a variety of challenges that we face in the area 
of cyberspace. These include the continuing problem of software 
piracy and threats to cybersecurity. Indeed, the two issues are 
connected because pirated software, which cost our industry 
nearly $60 billion last year, is increasingly used to 
distribute malicious computer code, and this puts companies, 
governments, and consumers at risk.
    Today I would like to address three issues: first, the 
evolving nature of security threats; second, the link between 
piracy and the spread of those threats; and third, specific 
actions this Committee should take to address these problems.
    Just 10 years ago, the primary threats to security online 
were hackers and vandals, and they primarily chased notoriety 
and the opportunity to take down systems through denial-of-
service attacks against entities like eBay and CNN.
    But the stakes are now much higher. Organized criminals 
have entered this arena and they are using the Internet to 
distribute malware so that they can make big money. And today's 
scams build off both fears and social trends, and they take 
advantage of worms, viruses, adware, links to fake websites, 
and other fraudulent activity, and they steal valuable data 
from consumers and enterprises. It has been estimated that for 
U.S. businesses alone, the costs of this are approximately $45 
billion annually.
    The link to software piracy is also evolving. The research 
firm IDC estimates that fully one-third of illegally installed 
software contains some form of malware, and organizations using 
pirated software have a 73 percent greater chance of serious 
security problems than companies that use licensed software.
    Before turning to specific legislative recommendations, I 
would like to note, and importantly for this Subcommittee and 
Committee, that the U.S. Government does not yet have in place 
a policy to require Federal contractors to use licensed 
software, even though Federal agencies must. And, indeed, I 
find it astonishing, given the security threats associated with 
illegal software, that this action has not been taken. The 
Administration is now considering an executive order that would 
require Federal contractors to use licensed technologies, and I 
urge this Committee to express its support for that order and 
push the Administration to act in this area.
    We believe this Committee can also bolster America's 
cybersecurity in at least three additional ways.
    First, by strengthening the hand of law enforcement and 
prosecutors. As cyber criminals adapt, so must our cyber crime 
laws, and BSA supports legislation to strengthen penalties and 
expand the scope of offenses. We need new causes of action that 
toughen the hand of prosecutors while, at the same time, 
preventing opportunistic private litigation.
    Second, we need clear, uniform Federal data protection and 
data breach rules. Today more than 40 States have enacted such 
laws. This patchwork is confusing for consumers and inefficient 
for businesses. The Federal Government should require 
notification of breaches that pose a genuine risk of harm. It 
should preempt State laws, and it should prevent excessive 
notification which can overwhelm and confuse consumers. 
Importantly, notification should not be required when the 
stolen data is worthless to the thief because it has been 
rendered unusable through deployment of security technologies 
such as encryption.
    And finally, the law should provide specific incentives for 
sharing information about cyber threats with Government 
agencies. Companies should be able to share records and other 
information with DHS about the specific nature of the threat 
without the risk that sharing that information will lead to 
suits against the company. Similarly, critical infrastructure 
companies that comply with the security requirements of DHS or 
act to mitigate risks identified by DHS should also be 
protected from liability.
    Lastly, Mr. Chairman, Mr. Ranking Member, Mr. Quayle, this 
Committee is looking at the consequences of cybersecurity as 
they affect the Nation's economy. The economic consequences of 
this are greater for this Nation than any other because of the 
way in which we deploy this technology throughout our society. 
And by acting to deter cyber threats and to take more actions, 
we can believe that the economy will be healthier by deploying 
new resources to creating new jobs and overall strengthening 
economic security.
    So I look forward to working with this Committee as always 
on these important issues. Thank you.
    [The prepared statement of Mr. Holleyman follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                               __________

    Mr. Goodlatte. Thank you, Mr. Holleyman.
    Mr. Williams, welcome.

         TESTIMONY OF LEIGH WILLIAMS, BITS PRESIDENT, 
            THE FINANCIAL SERVICES ROUNDTABLE (FSR)

    Mr. Williams. Thank you, Mr. Chairman, Representative 
Quayle, Ranking Member Watt, for the opportunity to testify on 
the financial community's cybersecurity efforts, on the case 
for new legislation and in support of the Administration's 
proposal.
    My name is Leigh Williams and I am President of BITS, the 
technology policy division of the Financial Services 
Roundtable. BITS addresses security, fraud, and public policy 
issues on behalf of 100 of the Nation's largest financial 
institutions, their hundreds of millions of customers, and all 
of the stakeholders in the financial infrastructure.
    From this perspective, I can assure you that cybersecurity 
matters a great deal to financial institutions not because 
regulations require it, although they do, but because good 
business practices and customers require it.
    At the industry level, BITS' 2011 agenda--set by chief 
information security officers, by CIOs and CEOs--addresses 
secure software, protection from malicious software, security 
in social media, cloud computing, and mobile computing, secure 
email, and security education and awareness. While some of this 
work can be done within the industry, more and more requires 
cross-sector collaboration. For example, our sector council is 
working with the Treasury Department and with our financial 
regulators on cybersecurity exercises. We are working with law 
enforcement in an account takeover task force led by our 
Information Sharing and Analysis Center. And I thank you, Mr. 
Baker.
    Beyond our traditional circle, with DHS, we are developing 
a pilot to offer expert assistance to institutions in the Cyber 
Operational Risk review program. Thank you, Mr. Schaffer.
    And broader still, we are working with NIST to implement 
the National Strategy for Trusted Identities in Cyberspace. 
Thank you, Mr. Schwartz.
    As the Committee considers legislative options, I urge 
Members to leverage this existing body of work and the existing 
controls, but also to strengthen our connections with our 
Federal partners and our peers in other sectors. Talking this 
through with my colleagues, I hear words like ``integrate'' and 
``harmonize,'' ``align,'' and ``reconcile.'' I don't hear 
``replace'' or ``substitute.'' And as I am sure you appreciate, 
I don't generally hear ``add on'' or ``layer on.''
    Even given this head start and our substantial momentum, we 
think that cybersecurity legislation is warranted. We believe 
that a comprehensive bill could improve security throughout the 
ecosystem, including in the networks on which our institutions 
depend. It could strengthen the security of Federal systems and 
mobilize law enforcement and other Federal resources. It could 
spur voluntary action through safe harbors and outcome-based 
metrics.
    Attached to my written testimony is a list of 13 policy 
approaches that our sector council endorsed, along with three 
that it found more problematic. I urge the Committee to 
consider these consensus recommendations of the financial 
community.
    OMB recently transmitted to Congress the Administration's 
proposal to improve cybersecurity. The Financial Services 
Roundtable supports this legislation and we look forward to 
working for its passage. We support many of the provisions on 
their own merits, and we see the overall proposal as an 
important step toward building a more integrated approach.
    I will structure the remainder of my testimony around the 
key provisions of the proposal.
    We support the strengthening of criminal penalties for 
damage to critical computers, for committing computer fraud, 
and for trafficking in passwords. We also urge escalated 
treatment for the theft of proprietary business information.
    We support the adoption of a uniform national standard for 
breach notification.
    We strongly recommend full Federal preemption and 
reconciliation with the existing banking regulations.
    We support exemptions, as you have heard from BSA, for data 
rendered unreadable and for situations in which there is no 
reasonable risk of harm.
    We support strengthening cybersecurity authorities within 
DHS and codifying DHS's collaboration with the sector-specific 
agencies such as the Treasury Department and with sector 
regulators such as our banking, securities, and insurance 
supervisors.
    We support each of the seven purposes articulated in the 
regulatory framework, including especially: enhancing 
infrastructure security, complementing currently available 
measures, and balancing efficiency, innovation, security, and 
privacy.
    We think this evenhanded approach will help calibrate the 
effort, capitalize on existing oversight, and prevent the 
release of public information.
    In closing, let me just underscore how much we appreciate 
your attention in this matter and commit that for our part we 
will continue to work on cybersecurity with our members and 
partners. We will support legislation that leverages existing 
protections, and we will support and help to implement the 
Administration's proposal.
    Thank you for your time.
    [The prepared statement of Mr. Williams follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                               __________

    Mr. Goodlatte. Thank you, Mr. Williams.
    Ms. Harris, welcome.

   TESTIMONY OF LESLIE HARRIS, PRESIDENT AND CEO, CENTER FOR 
                 DEMOCRACY AND TECHNOLOGY (CDT)

    Ms. Harris. Chairman Goodlatte, Ranking Member Watt, 
Members of the Subcommittee, thank you for the opportunity to 
testify today.
    Charting a path forward on cybersecurity policy that makes 
meaningful improvements in security and at the same time 
protects privacy and innovation requires a very nuanced 
approach that encourages collaboration between Government and 
industry. One size does not fit all. Policies for Government-
owned systems should be distinct from those aimed at the 
private sector. Government regulation needs to be limited very 
narrowly to critical infrastructure, and importantly particular 
caution has to be applied to systems like the Internet that 
support Americans' rights to free speech. That means as a first 
principle network providers--and not the Government--need to be 
in the business of monitoring their own networks for 
intrusions.
    Here the Administration's bill rightly honors this 
principle. No Government entity needs to be involved in 
monitoring private communications networks as part of 
cybersecurity. There is no evidence that the Government can do 
this better and no need to move toward middle-of-the-network 
solutions that would put civil liberties at risk.
    Second, information sharing needs to be enhanced without 
putting privacy at risk. There is a general agreement that more 
sharing is good between Government and the private sector and 
within industry. The White House proposal anticipates a very 
sweeping, albeit voluntary, information sharing regime that 
encourages sharing of information, including communications 
traffic to DHS, regardless of whether the use or disclosure of 
that information is otherwise restricted by law. And that means 
that it effectively sweeps away protections of the Wiretap Act, 
ECPA, FISA, FOIA--all statutes within the jurisdiction of this 
Committee--and many, many more. We appreciate the bill's 
promise of yet-to-be-articulated privacy rules, but we don't 
see how they can adequately police such a vast sharing regime 
in contrast to well understood statutory protections.
    Third, the designation of critical infrastructure needs to 
be very narrowly tailored. Getting the government role in 
private cybersecurity efforts right first requires getting the 
designation of critical infrastructure right. Here we believe 
that the definition provided in the Administration's bill is 
overbroad and that the ``debilitating impact'' standard is 
simply too ambiguous and could sweep vast swaths of U.S. 
industry into the critical infrastructure fold.
    Fourth, Congress should not give the President shut-off 
authority in cybersecurity emergencies. We certainly appreciate 
the White House's implicit rejection of this power in its 
proposal and hope that this puts this dangerous idea to rest. 
After the Egyptian cutoff earlier this year, it should be clear 
that a grant of presidential shut-down authority would set a 
very dangerous precedent for the world.
    Fifth, the Computer Fraud and Abuse Act law needs to be 
tightened before we consider any new or enhanced penalties. It 
is a very, very important component of our online trust 
framework and it has given the Federal Government authority to 
pursue cyber crime, hacking, and identity theft. But its vague 
terms have led to troubling civil and more recently criminal 
actions that have stretched the law far beyond what Congress 
intended. Indeed, some courts have interpreted unauthorized 
access so broadly that companies, when setting terms of service 
that few users will ever read, are in effect getting to 
determine what user conduct is criminal. So before there is any 
expansion of the law or increase in penalties, we need to look 
at those questions.
    We also caution about ratcheting up penalties. The 
mandatory minimums in CFAA were actually repealed in the 
PATRIOT Act, and I think we have to know why before we put them 
back in. And while we have no opposition to the law being a 
RICO predicate, we are concerned about the consequences for 
civil actions where triple damages may encourage civil 
litigants to further pursue what we see as novel uses of this 
statute.
    Finally, we believe the White House proposal on data breach 
provides a very good starting point for consideration of the 
Federal law. The notification trigger we think is right. The 
standards in the bill we think are right. But we will caution 
that we are talking about preempting 46 State laws, and there 
are some areas--for example, California has very specific 
protections for health information--that are not reflected. So 
when we are talking about the definitions in the law and when 
we are talking about the extent of preemption, we would urge 
you to be very careful.
    We appreciate the opportunity to testify here today and 
look forward to working with this Committee on this important 
issue.
    [The prepared statement of Ms. Harris follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
        
                               __________

    Mr. Goodlatte. Thank you, Ms. Harris.
    I will begin the questioning, and my first question is 
directed to you, Mr. Holleyman.
    To what extent has the Administration worked with the 
technology sector and incorporated their best practices into 
the cybersecurity legislative proposal?
    Mr. Holleyman. We have worked closely with the 
Administration throughout this process, have particularly 
worked closely with NIST over a period of time. I think, in 
large part, the Administration's proposals reflect ones that we 
would endorse. There are other issues where we have proposed 
recommended changes, as we submitted in our testimony and a few 
issues that have not been resolved. So I think that the 
inclusion of this effort from the Administration has been 
helpful and it is good to see them come forward with a concrete 
proposal.
    Mr. Goodlatte. How can Congress encourage innovative 
solutions to combat this dynamic problem and avoid the one-
size-fits-all regulation that Ms. Harris and others have 
expressed concern about?
    Mr. Holleyman. By making sure that there are technology 
neutrality provisions that are always taken into place. There 
is no one-size-fits-all technology that will work for every 
solution, every customer, every government. We need to have the 
flexibility to adapt and use new technologies as the nature of 
the crimes adapt. So maintaining that principle is important.
    And I think, secondly, by ensuring that the level of 
Federal resources against cyber crime can be escalated in a way 
that there is a greater deterrent, because we are all at risk, 
and the Federal Government has a unique role in fighting cyber 
crime.
    Mr. Goodlatte. Mr. Williams, what are banks proactively 
doing to ensure that critical data is protected from hackers 
and economic espionage by foreign competitors?
    Mr. Williams. Individual institutions are doing a great 
deal. They each have programs that are embedded within their 
operational risk and their general risk management programs, 
some of which are subject to review by regulators of the 
banking securities or the insurance industries, others of which 
exist solely on the basis of it being good practice. They also 
conduct, through BITS and many other coalitions, a great deal 
of industry-level work to ensure some consistency throughout 
the industry and to help connect the industry--the sector with 
other sectors.
    Mr. Goodlatte. When there are data breaches, how are they 
generally handled? Is it standard practice to provide public 
notification or inform Federal authorities or both?
    Mr. Williams. There are actually already, within the 
banking subsector of financial services, uniform national 
standards for preparing for, responding to, and notifying of 
breaches, and over the last several years, as the industry has 
gravitated toward that uniform approach, we have found it to be 
very effective.
    Mr. Goodlatte. Ms. Harris, do you think it should be 
Government or the private sector to take the lead in 
determining best practices for cybersecurity?
    Ms. Harris. I think it should be the private sector, and I 
think in this regard, the Administration's bill does a very 
good job of putting the private sector in the lead for 
developing these sectoral risk plans and then allowing the 
companies to develop their own individual plans. Our only 
concern is making sure that the definitions in this bill are 
sufficiently precise so that as we go down the road to deciding 
which sectors are cybersecurity infrastructure, critical 
infrastructure, we don't come up with a definition that is 
overbroad.
    I think on the second part, whether they have gotten a good 
balance between public and private, I think they have done a 
pretty good job, but that is once you have been designated 
``critical infrastructure.'' Our concern is not to have too 
many industries swept into that basket.
    Mr. Goodlatte. You are all saying that there is a good deal 
of collaboration in writing this legislation, and that is good 
to hear.
    What can the Congress do to strengthen the ongoing 
cooperation between private enterprise and the Federal 
Government on cybersecurity? Does anybody want to tackle that 
first? Mr. Holleyman?
    Mr. Holleyman. Two things. One is to enable the private 
sector to share more information about the specific nature of 
threats, but we also very much feel that there needs to be 
mechanisms by which the Federal Government shares information 
with companies, particularly in the security space, about the 
nature of the threats so that we can work in closer 
partnership. Generally our companies do share a lot of 
information. We think this proposed legislation would help 
foster a better climate for more, but we would like to see more 
from the Federal Government in appropriate circumstances that 
could be shared with industry.
    Mr. Goodlatte. Thank you.
    Mr. Williams?
    Mr. Williams. Mr. Chairman, I would offer two responses.
    First, I was very encouraged in the first panel to hear the 
phrase ``providing opportunities for voluntary information 
sharing.'' We think that they should be voluntary but enabling 
those opportunities we think is very important.
    The second thing I might say is that we already have very 
strong information sharing within the financial services 
sphere. Part of the reason, a great deal of the motivation, for 
our supporting this comprehensive legislation is to extend 
beyond our sphere, to extend to our service providers, to our 
customers, to agencies other than our banking regulators to 
ensure that the overall ecosystem is protected.
    Mr. Goodlatte. Thank you.
    Ms. Harris?
    Ms. Harris. So I agree that data sharing is important. We 
have some very specific concerns, and those concerns are in the 
way this law is constructed. Rather than trying to figure out 
what aspects of the law, particularly ECPA, may not be adequate 
to allow more sharing to occur, it simply sweeps away all of 
these laws in favor of this broad voluntary mechanism.
    So I think that this Committee is the right Committee to 
try to figure out whether we can pinpoint in a serious way what 
is the legal barrier that exists right now in our Government 
information sharing laws and how do we narrowly fix that 
without basically throwing out all those laws and other Federal 
and State laws that touch on privacy. I just think this is the 
right Committee to do that and that this is a big challenge. It 
is, I think, not the right approach to simply say, 
``notwithstanding any other provision,'' and sweep everything 
away. It is this Committee's laws. It is health laws. It is 
Gramm-Leach-Bliley. It goes on and on, and I don't think 
anybody can tell us what the implications of that might be.
    And second, this is a law enforcement Committee. I guess, 
no, it is not because we switched Committees here. And getting 
a law enforcement piece right is important. And I think I have 
mentioned some of the changes that I think are necessary in the 
CFAA before we start to take a look at penalties and other 
changes.
    Mr. Goodlatte. Thank you.
    The gentleman from North Carolina, Mr. Watt, is recognized.
    Mr. Watt. Thank you, Mr. Chairman.
    I am trying to get to this question that Ms. Harris has 
touched upon here, the definition. And I think that is what is 
troubling me here and probably what is troubling the Chairman 
is where the divide is between what the Government should be 
doing and taking control of and what is outside what the 
Government should be doing.
    So I am looking here closely at the legislation, and there 
is section 242 which defines ``critical infrastructure'' that 
refers us back to the emergency preparedness statute which 
defines the word ``critical infrastructure.'' And then there is 
a separate section which defines something new, I take it, 
which is called ``critical information infrastructure,'' which 
goes beyond the emergency preparedness thing.
    I think we have probably all gotten comfortable with the 
emergency preparedness part of this. That is the Government's 
role clearly. I am not even second-guessing that. That has been 
in the statute.
    But this definition of ``critical information 
infrastructure,'' a new term in this statute, seems to be very, 
very broad. And I think we have got probably some very serious 
work to do.
    Can you help me, Mr. Holleyman, kind of understand what you 
perceive to be critical information infrastructure? I mean, you 
are familiar with these two things that I just talked about. 
Right? Have you looked at the statute?
    Mr. Holleyman. I am familiar with what you are talking 
about, but I can't offer today a recommendation. I would like 
to get back to you with some thoughts.
    Mr. Watt. And I am going to tell you the one thing that is 
troubling here--and I raised it with the first panel because 
once you start defining ``critical information 
infrastructure,'' if it is defined too broadly, it has a lot of 
implications. And then you start talking about preempting State 
laws with respect to any critical information infrastructure, 
then you get into a whole other segment of things. Then when 
you start saying the Government can demand or request certain 
information and provide legal immunity for providing that 
information, you get into a whole different set. And that is 
very delicate territory.
    Is my personal information, if it is breached in a 
corporate computer--is that critical information infrastructure 
or is it outside? Mr. Williams? Let's put it in the financial 
services context. I serve on the Financial Services Committee 
too. So I am very familiar with this. We have been debating this 
for a long time. Is a breach of my personal information by--
somebody craps into Bank of America or Mechanics and Farmers 
Bank, which is where I bank, and breaches their--and they get 
my personal--does that make that critical information 
infrastructure?
    Mr. Williams. If I might answer your direct question and 
maybe extend it a little bit. I think the direct answer is yes. 
If your personal information--collected, aggregated with the 
personal information of a lot of the other customers of a 
particular bank--is breached, it absolutely constitutes what I 
think the legislation calls a risk to critical economic 
security of the United States. If it is any one person, perhaps 
not, but in the aggregate absolutely.
    In extension, I would say that within financial services, 
we have begun to think about what is and is not critical. As 
you know, institutions now are subject to a designation by the 
Treasury and the Financial Services Oversight Council of being 
systemically important which we could think of as financially 
systemically important or operationally systemically important.
    We also, outside of our industry, have begun----
    Mr. Watt. Okay. Well, let me just take this one step 
further. My personal information, aggregated with other 
people's personal information, can bring down the whole system. 
I acknowledge that. But does that give the Federal Government 
the right to preempt a State law that says it will protect my 
personal information? Where does that fall?
    Mr. Williams. I think in the narrowest sense, our banking 
regulators have already said that we need to have notification 
requirements and security requirements that protect single 
individuals' information at the Federal level.
    Mr. Watt. Yes. We are fighting that battle. I was involved 
in drawing the preemption language in Dodd-Frank. It was an 
absolute nightmare. I had consumer groups in the room. I had 
bankers in the room. The Senate took it and referred it to some 
case law, some case that had been decided by the Supreme Court, 
and they are still fighting about what is preempted and what is 
not preempted.
    This is much, much, much broader than that, and we couldn't 
even agree on what the Federal preemption standards should be 
for the financial services bill. This is so much broader than 
what we were talking about in the financial services bill. I 
mean, something that is so vital to the United States that the 
incapacity or destruction of such systems would have a 
debilitating impact on national security, that is fine.
    But when you talk about national economic security or 
national public health or safety, this is a very, very broad 
definition of how you are defining that. And I think it is that 
discomfort with the Federal Government being too much in that 
space that people start to say are we setting up a Big Brother 
system here where the tail is wagging the dog basically.
    I am sure people have been working on this, but we have got 
a lot of work to do, I think, on this definition before we can 
get the public comfortable with having Homeland Security call 
up a company and demand that it give--well, they say they are 
not demanding. They are just requesting it. But you heard Mr. 
Baker say when the Government requests and you couple that with 
giving immunity to the companies for providing the information 
to the Government, then you are right back to where we were 
under the PATRIOT Act. And people get very uncomfortable with 
the Government being so powerful that it can then call up and 
demand certain information and then provide immunity for 
somebody when they provide that information because they don't 
necessarily even want the Government to have immunity in that 
case if they violate the standard that is applicable.
    It is a very difficult line that we are walking here. We 
can't define it today. I am way over my time, but I think that 
is the most troubling aspect of what we have got to deal with 
here, and it is providing discomfort on the left and it will 
provide discomfort on the far right. That is when I used to 
jokingly say I would quite often back around the circle into 
Jesse Helms. I would be backing from the left and he would be 
backing from the right, and all of a sudden, we would be 
standing in the same place because both of us were suspicious 
of too powerful a Government. And that is where we could get if 
we are not careful.
    Mr. Chairman, I am on a soapbox, so I am going to yield 
back.
    Mr. Goodlatte. Well, I have enjoyed standing here listening 
to you.
    The gentleman from Arizona, Mr. Quayle, is recognized for 5 
minutes.
    Mr. Quayle. Thank you, Mr. Chairman.
    Mr. Williams and Mr. Holleyman, I am kind of going along 
the same lines. My concern is that with the broad definition 
for the covered critical infrastructure and how it is going to 
apply to various small businesses, medium-sized businesses that 
are starting to grow and then their inability to be able to 
cover those expenses or at least they might be eating into 
their margins because they don't have the ability like some of 
the other large financial institutions that have the capital to 
be able to comply with these various regulations.
    How will this, because it is so broad--and I know that we 
are talking about having to tighten up the language and all, 
but my concern is how are we going to be able to make it so 
that we are not going to be inhibiting growth in the private 
sector. Because if the regulations are overly burdensome, we 
are going to have a situation where companies are going to look 
to see their cost-benefit analysis of whether they are going to 
grow and then fall under that critical infrastructure or stay 
the same size and not have to comply. That is one of my biggest 
concerns, because this is overbroad and how that is going to 
affect growth in the private sector.
    Mr. Williams. I absolutely share your interest in setting 
those criteria. I will leave it to the judgment of the Congress 
how much of the specificity belongs in the legislation, in 
regulation, or in judicial reviews as we heard earlier on this 
point and on several other points.
    What I will say is at least in financial services, we have 
begun to set a fairly high threshold. So the systemically 
important financial institutions are really the largest and the 
most interconnected. The operationally significant financial 
utilities are a small number of highly connected organizations 
that I don't think would qualify in the small business category 
that you----
    Mr. Quayle. Kind of running on the same lines, if the 
private sector is already addressing the situation, if like you 
were saying, large financial institutions--you know, a lot of 
their business is made at lightning speed transactions and they 
make or don't make money based on that. And so having that 
cybersecurity infrastructure within that framework is important 
to them, but they are doing it on their own initiative.
    So if you are saying that you are already having a lot of 
these critical pieces of infrastructure doing it without the 
regulatory framework in place, why don't we just leave it to 
the people to do best practices and then be able to make their 
own determination on what level? Because quite frankly, I think 
that somebody who is banking with a Bank of America or a Chase 
or whatever--they will be looking to those that have the 
cybersecurity framework in place as a way to make a decision in 
the private sector and let the market kind of take that 
approach.
    Mr. Williams. It does happen, we think, with a lot of 
companies in a lot of sectors, many of whom are business 
partners to financial providers, but we think it happens 
unevenly. So we depend on electric utilities. We depend on the 
telecom networks. We depend on software providers, many of whom 
are strong and responsible but not all of whom operate with the 
same level of resilience. We think raising that general bar 
makes a lot of sense.
    Mr. Quayle. Okay.
    And Mr. Holleyman, you were mentioning a lot of the 
trademark infringement that happens in the Internet and 
elsewhere. That is rampant. Anytime you do a search, you can 
find copyright infringed products out there.
    But is this the right piece of legislation to be going for 
that? Wouldn't it be a lot more effective to have independent 
legislation that is outside of this larger regulatory framework 
to address that situation? Because it doesn't seem like it goes 
really hand in hand.
    Mr. Holleyman. Well, I think that is a great question. We 
do think that this is a piece of legislation that should 
address the cyber framework. I was drawing into that, however, 
one other area that this Committee has responsibility for which 
is the area around intellectual property protection but 
specifically the nature of software because fully a third of 
the software that is used illegally and downloaded off the 
Internet contains malware. And malware is providing a 
penetration in the systems that has a pervasive impact well 
beyond the intellectual property or the software industry.
    And I was encouraging this Committee to encourage the 
Administration to issue the executive order that requires 
Federal contractors to use only legal software in the same way 
that is required of Federal agencies, not only because it is 
important for intellectual property protection, but because the 
same type of vulnerabilities are being introduced into the 
Federal network when Federal contractors are using illegal 
software which oftentimes contains the type of malware that 
poses a cybersecurity risk. So I am linking the two issues.
    Mr. Quayle. Thank you very much.
    I yield back.
    Mr. Goodlatte. I thank the gentleman.
    The Chair recognizes the gentlewoman from California, Ms. 
Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman.
    First, my apologies for not being here for this whole 
hearing. We had a markup in the House Administration Committee 
that I had to go to, but I have read all the testimony and it 
is very, very helpful.
    Ms. Harris, your testimony relative to the standards is 
very, very useful.
    And Bob--I mean, Mr. Holleyman--your preemption issue is an 
important one. It is difficult, as the Ranking Member has 
discussed, but I think we are going to have to address it in 
terms of data breaches because the current situation is 
chaotic. And that is going to be hard to do since all of us--
States have been aggressive about privacy. We are not going to 
be able to go home if we don't maintain some similar types of 
standards.
    I credit the Administration for working with the technology 
sector, but we are a long ways from where we are going to need 
to be on this. The idea that we would waive all other law, 
provide immunity. I mean, when the Government goes to the 
private sector and asks for something, it is more than just 
asking. I mean, there is an obligation. We have seen that in 
many other contexts. There is no liability. Even with 
liability, companies respond. If there is no liability and the 
standards are as vague as this, we have created a big 
Government nightmare, and we just can't go there.
    On the other hand, cybersecurity and the threat to our 
cyber infrastructure is very real. And I am wondering, as we 
move forward, if we can make some distinctions not just on the 
nature of the activity but the origin of the threats because 
there are different levels based on where the threat is coming 
from.
    I am not an anti-government person, but I am mindful that 
the Department of Homeland Security for over a year and a half 
maintained a miniature golf site on its list of critical 
infrastructure and wouldn't take it off. So let's not be 
believing that the Department knows everything there is to know 
about the critical infrastructure threat that we face. We tend 
to over-categorize things in Government, and if we do that in 
this case, we will see Government encroaching on really what 
should be the private sector's primary responsibility and 
certainly that of free Americans to be able to communicate 
without fear of intrusion or monitoring by their own 
Government.
    So those are big-deal defects in what has been presented so 
far, and I am hearing some bipartisan concern along those 
lines. And I am confident that the Administration will want to 
work with us to fix those items.
    I am just wondering. Maybe all of you can comment on this. 
To some extent, the Administration's proposal seems to put the 
Government at sort of the center of the cybersecurity 
information sharing. And I think it is true that the private 
sector has given up more than they have gotten back, and that 
has to change. But I am wondering whether that is really 
optimal, whether we want the Federal Government to have that 
man-in-the-middle centrality role or whether there is some 
other way to structure it that might be more nimble.
    Do you have any comment on that, the three of you?
    Ms. Harris. So that is a question that we have been asking 
as well, as to whether or not all information in and all 
information out, which has been the model, really is the most 
nimble way to share information and there are a variety of 
private sector sharing groups going on. But I think it is worth 
exploring whether or not that is--I mean, we have information 
sharing already set up in the Federal Government, and in fact, 
in the last couple of years, that has improved, I think, quite 
a bit.
    But, obviously, the civil liberties issues are ratcheted up 
when all sharing has to go through the Government or is 
encouraged to go through the Government. I need a better 
understanding of sort of the value added. Obviously, the 
Government needs that information for its own purposes, but the 
question is whether or not everybody has to go to ``go'' first 
before they deal with each other.
    I know there is sectoral sharing. I find this very 
difficult.
    Ms. Lofgren. If I can just add in one other element, which 
is some sectors that are, in fact, critical that an attack 
would deal with systems and create cascading failures have 
taken significant steps to protect themselves, the financial 
sector among them. Other sectors, not so much. The ISACs--you 
know, some have worked well, some not so well.
    And so maybe one thing that we could do--I don't really see 
a robust section here--is really even the assessment of--you 
know, maybe it is the liability that ought to be imposed on 
certain sectors--and they tend not to be the technology 
sector--where they have not taken the minimal steps necessary 
to protect themselves, and their lack of doing so puts the 
Nation at risk. Maybe we ought to be doing some incentives in 
the negative way for some of those sectors where the 
catastrophe awaits us.
    Mr. Williams. I certainly agree, ma'am, that the private 
sector should be the primary locus of all of this work. We 
within financial services, and I suspect in many other sectors, 
have utilities that are entirely private and we have the ISACs 
that are semi-private. And a great deal of the work occurs in 
all of those places. There should be incentives and 
disincentives that strengthen all of that private sector work.
    I suspect that if we create more resources on the Federal 
side and strengthen a hub of information sharing on the Federal 
side, it will still allow for that rich private work to take 
place. I would never support substituting all of the dispersed 
private effort for a centralized Government effort, but I 
suspect that there is room for both.
    Mr. Holleyman. Ms. Lofgren, if I can mention two ideas.
    One is we think that the most important role for the 
Federal Government is to serve as a convener by bringing in the 
interested parties together. We think in particular NIST and 
others have done a great job in taking on that role.
    Secondly, where critical infrastructure may ultimately be 
defined, we think there are two hallmarks to it. One, it needs 
to be a narrow definition, and second, there needs to be 
flexibility around how entities in critical infrastructure use 
security products to create the kind of security and deal with 
the evolving nature of the threats.
    Ms. Lofgren. I know my time is up, but in some cases that 
includes--our own Government has failed to do even the minimal 
thing. I remember a hearing on US-VISIT in the Homeland 
Security Committee where we learned for the first time that 
they hadn't even deployed intrusion detection software. I mean, 
it was stunning.
    So we have a long way to go, but this bill also has a long 
way to go.
    And I thank the Chairman for indulging me over my 5 minutes 
and yield back.
    Mr. Goodlatte. I thank the gentlewoman.
    And I am pleased to recognize the gentlewoman from Texas, 
Ms. Jackson Lee, for 5 minutes.
    Ms. Jackson Lee. Mr. Chairman, thank you very much.
    To the witnesses, I was detained. We held, Mr. Chairman, a 
hearing in Homeland Security that actually overlapped some of 
the very questions that are being raised here from a different 
perspective, and that is the in-depth use of cyber sites by 
individuals intending to do us harm. So I think it is a two-
edged sword or focus in terms of the protection of data, but as 
well as protection of the American homeland. And I raise my 
questions accordingly.
    And I would just like to put the President's remarks in the 
record by reading them in part. His statement was: ``We count 
on computer networks to deliver our oil and gas, our power, and 
our water, rely on them for public transportation, air traffic 
control. But just as we failed in the past to invest in our 
physical infrastructure, our roads, our bridges, and rails, we 
have failed to invest in the security of our digital 
infrastructure and the status quo is not acceptable.'' And I 
join him in that, which is I guess the basis of his plan and 
initiative.
    I want to start with Mr. Williams because I might not have 
heard you correctly when you seemed to have been arguing 
against a central Government plan which I took to be focused on 
how to structure our security and data protection versus the 
private sector involvement. Can you just expand on what you 
were saying there, please?
    Mr. Williams. Yes, ma'am. We certainly believe that 
expanded authorities in the Department of Homeland Security and 
an expanded role of the Government are appropriate. We think 
that this is important, as we go through this arc that Mr. 
Holleyman described where we have gone from very simple, 
unsophisticated hackers to much more sophisticated attacks. 
This warrants a more collective approach to protecting the 
overall ecosystem.
    What I would say--and maybe this is where that has softened 
a bit--is that even if we build up that center, even if we 
build those resources and improve our ability to take advantage 
of that hub and that convening authority, we will still very 
much have a widely dispersed expertise and set of resources 
that are at the disposal of companies. Individual companies, 
their utilities, their service providers, their nonprofits, 
their coalitions I think probably will still be the primary 
gravitational center of the work.
    Ms. Jackson Lee. So it is important for the private sector 
to develop cutting edge technology simply to provide 
protection. Is that what you are saying? You should continue to 
do research and develop that next level of software that 
provides that protection.
    Mr. Williams. Absolutely, absolutely.
    Ms. Jackson Lee. Let me follow up on some of the materials 
that we received in the previous hearing that spoke about some 
of the either unknown or unattended to sites where the Taliban 
in Afghanistan can, without hindrance, have friendly 
conversations that may even intrude into the United States.
    Let me ask all of you. Do you have an intensity with your 
particular companies, those you represent where you are aware 
of that usage of sites seemingly unimpeded? Do you cooperate 
with, for example, the FBI? Do you believe the FBI has 
sufficient tools on this? And I am saying this in the backdrop 
of a very sensitive concern about civil liberties and civil 
rights. So I am particularly concerned about sites that are 
international that are able to pierce the cyberspace that we 
have. Do you want to start, Mr. Holleyman?
    Mr. Holleyman. Ms. Jackson Lee, I don't have any 
information about the specific narrow question you posed. 
Certainly in a variety of cyber crime activities, companies in 
the software industry do cooperate with law enforcement, but I 
can't comment on your specific question.
    Ms. Jackson Lee. So you are not aware----
    Mr. Holleyman. I am personally not in my role as the 
president of our association.
    Ms. Jackson Lee. Mr. Williams?
    Mr. Williams. We do work very actively with law enforcement 
at every level with both the U.S. authorities and with non-U.S. 
authorities to ensure that our systems--financial services 
systems--are not used for malicious purposes, to protect the 
intellectual property that lives in those systems, to protect 
the personally sensitive information that is in those systems. 
We have a lot of good motivations for working actively with 
people in the private sector and the public sector to protect 
the financial infrastructure.
    Ms. Jackson Lee. Do you have any comment, Ms. Harris?
    Ms. Harris. Well, I represent a civil liberties 
organization.
    Ms. Jackson Lee. Right. That is why I asked if you had a 
comment.
    Ms. Harris. Beyond that----
    Ms. Jackson Lee. I will move to my next question. Thank 
you.
    Ms. Harris. Okay.
    Ms. Jackson Lee. The next question is the current trend of 
technology is to place information onto the cloud of third 
party operating systems and allows phones and computers to 
access this information. How does this rapidly growing 
dependence on storing information remotely in the cloud impact 
the steps individuals, businesses, and the Government should 
take to enhance cybersecurity? And how will the Government 
address jurisdictional issues? I don't want to ask about the 
Government, but what are you all doing with respect to that 
concept?
    Mr. Holleyman. Well, from a software industry perspective, 
there are several things we are doing. One is companies that 
are providing cloud services or hosting very much realize that 
the security associated with their cloud offerings is going to 
be critical not only to comply with a variety of laws, but also 
to gain customer confidence. It is probably one of the most 
important things that you can do, and they are very active at 
the top of the list.
    Second is that we are building awareness of the fact that 
customers should be asking questions about where their data is 
hosted and the level of security that that cloud service 
provides.
    And finally, if a cloud offering is, in fact, secure, we 
believe it could provide a higher level of security than the 
very dispersed nature of servers and networks that exist today. 
So we are trying to make it clear that there is nothing 
inherently problematic about storing information in the cloud. 
In fact, it could be better in many circumstances, but you have 
to ask the questions about how providers are securing 
information and what steps are they taking.
    Mr. Williams. We have specialists in a lot of different 
disciplines active in our program, and people from every one of 
those disciplines have asked about and worked on cloud. So we 
have security specialists thinking about what the marginal 
security requirements would be and what the security 
improvements might be coming from a cloud-based infrastructure.
    We have people who work with service providers who are 
asking what contractual provisions can help protect information 
and systems in the cloud in a way that might not have been 
contemplated when servers were all in one location.
    And we have people who work on public policy thinking about 
what the right regulatory framework would be for looking at 
cloud where geological boundaries make a little bit less sense.
    Everyone has an interest in it and many of those interests, 
we hope, will lead to cloud being not something that would ever 
degrade security or degrade resiliency but would improve it.
    Ms. Jackson Lee. So you are not running away from that. The 
business community is actively engaged.
    Mr. Williams. We are absolutely engaged. I can tell you 
that within financial services, firms are very reluctant to 
move their information to a public cloud where the resiliency 
standards are set on the basis of what is publicly appropriate 
for relatively nonsensitive information. They are much more 
likely to use proprietary clouds or industry-specific or 
regional clouds where they can have elevated controls in place.
    Mr. Goodlatte. The time of the gentlewoman has expired.
    Ms. Jackson Lee. Ms. Harris was trying to answer. Could 
she----
    Mr. Goodlatte. Without objection, the gentlewoman will be 
granted an additional minute.
    Ms. Jackson Lee. I thank the gentleman.
    Ms. Harris. I think that security in the cloud certainly 
with companies that are providing applications and storage and 
other services, cloud services, to business, security is good 
and getting better.
    I think that the unanswered question here is security and 
privacy and other rights for consumers in the cloud, and that 
is certainly beyond the scope of this hearing. But it is far 
less clear to me that as consumers are encouraged to move their 
information to the cloud, that they can be guaranteed the same 
level of security protections, nor can they be guaranteed the 
same level of privacy protections. Our constitutional 
protections, our Fourth Amendment protections, our ECPA 
protections have been outstripped by technology. We don't have 
consumer privacy laws in this country that broadly apply to 
data. So there are a lot of issues for consumers in the cloud 
that go sort of beyond what business has to face.
    Ms. Jackson Lee. I thank the Chairman very much. Mr. 
Chairman, I just want to make this one comment, and I know that 
we are speaking of software, but I really appreciate this 
hearing. I am sorry I was not here for its entirety. But there 
really is--besides the constitutional issues--Ms. Harris, I am 
not ignoring that and the civil liberties. There really are 
real challenges for cybersecurity and particularly unhosted 
sites, and I would imagine that there would be overlap between 
Judiciary and Homeland Security on these issues that have to do 
with terrorism.
    Mr. Goodlatte. Undoubtedly there is.
    Ms. Jackson Lee. I yield back.
    Mr. Goodlatte. I have one additional question. I direct it 
to Mr. Holleyman and Mr. Williams.
    How worried is the tech industry about state-sponsored 
hacking and theft?
    Mr. Holleyman. The tech industry is certainly very worried. 
It is probably one of the fastest growing forms of risk. I 
can't quantify the extent today, but it is certainly something 
that we work closely with Government in trying to identify 
where those risks may be occurring.
    Mr. Goodlatte. Mr. Williams?
    Mr. Williams. The financial services industry is very 
focused on the most sophisticated threats with or without 
attribution, whether they happen to be state-sponsored or 
sponsored by some other malicious actor. We are very focused on 
ensuring that the simplest, most unsophisticated threats are 
absolutely taken care of, but we are more and more focused on 
this more sophisticated tier.
    Mr. Goodlatte. Thank you.
    Mr. Watt?
    Mr. Watt. I think I might pass except to observe that 
having dealt with the systemic risk issue, it seems to me that 
that is in the financial services sector. This bill seems to me 
to be putting Homeland Security in a much, much, much more 
powerful position on a much, much broader range of issues than 
we dealt with with just financial services' systemic risk.
    And one might wonder at some point whether the director of 
Homeland Security is a lot more powerful than the chairman of 
the Federal Reserve. I don't ask that. I was just wondering 
aloud. Just wondering aloud. We will talk off the record.
    Thank you, Mr. Chairman.
    Mr. Goodlatte. I thank the gentleman.
    And I want to thank all of our witnesses. It has been a 
very helpful contribution to this hearing. In fact, the entire 
hearing has been very useful. It is very clear that this is a 
wide-ranging subject that, in terms of the Congress tackling 
it, is going to involve a lot of input from a lot of 
Committees. But I think this Committee has a critical role to 
play both the Intellectual Property, Competition and the 
Internet Subcommittee, as well as the Crime Subcommittee, and 
we look forward to working together to accomplish some good 
legislation that would buttress the work of the Administration 
and certainly give guidance to the private sector.
    So without objection, all Members will have 5 legislative 
days to submit to the Chair additional written questions for 
the witnesses, which we will forward and ask the witnesses to 
respond to as promptly as they can so that their answers may be 
made a part of the record.
    Without objection, all Members will have 5 legislative days 
to submit any additional materials for inclusion in the record.
    With that, I would again like to thank our witnesses and 
declare the hearing adjourned.
    [Whereupon, at 12:27 p.m., the Subcommittee was adjourned.]