[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON NATIONAL SECURITY,
HOMELAND DEFENSE AND FOREIGN OPERATIONS
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
MAY 25, 2011
__________
Serial No. 112-55
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
70-676 WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
Majority members:
DAN BURTON, Indiana
JOHN L. MICA, Florida
TODD RUSSELL PLATTS, Pennsylvania
MICHAEL R. TURNER, Ohio
PATRICK T. McHENRY, North Carolina
JIM JORDAN, Ohio
JASON CHAFFETZ, Utah
CONNIE MACK, Florida
TIM WALBERG, Michigan
JAMES LANKFORD, Oklahoma
JUSTIN AMASH, Michigan
ANN MARIE BUERKLE, New York
PAUL A. GOSAR, Arizona
RAUL R. LABRADOR, Idaho
PATRICK MEEHAN, Pennsylvania
SCOTT DesJARLAIS, Tennessee
JOE WALSH, Illinois
TREY GOWDY, South Carolina
DENNIS A. ROSS, Florida
FRANK C. GUINTA, New Hampshire
BLAKE FARENTHOLD, Texas
MIKE KELLY, Pennsylvania
Minority members:
ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
EDOLPHUS TOWNS, New York
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
DENNIS J. KUCINICH, Ohio
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MIKE QUIGLEY, Illinois
DANNY K. DAVIS, Illinois
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
JOHN A. YARMUTH, Kentucky
CHRISTOPHER S. MURPHY, Connecticut
JACKIE SPEIER, California
Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Robert Borden, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on National Security, Homeland Defense and Foreign
Operations
JASON CHAFFETZ, Utah, Chairman
Majority members:
RAUL R. LABRADOR, Idaho, Vice Chairman
DAN BURTON, Indiana
JOHN L. MICA, Florida
TODD RUSSELL PLATTS, Pennsylvania
MICHAEL R. TURNER, Ohio
PAUL A. GOSAR, Arizona
BLAKE FARENTHOLD, Texas
Minority members:
JOHN F. TIERNEY, Massachusetts, Ranking Minority Member
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
JOHN A. YARMUTH, Kentucky
STEPHEN F. LYNCH, Massachusetts
MIKE QUIGLEY, Illinois
C O N T E N T S
----------
Hearing held on May 25, 2011
Statement of:
McGurk, Sean, Director, National Cybersecurity & Communications
Integration Center, U.S. Department of Homeland Security; Phillip
Bond, president, TechAmerica; James A. Lewis, director, Technology
and Public Policy Program, Center for Strategic and International
Studies; and Dean Turner, director, Global Intelligence Network,
Symantec Corp.
Bond, Phillip
Lewis, James A.
McGurk, Sean
Turner, Dean
Letters, statements, etc., submitted for the record by:
Chaffetz, Hon. Jason, a Representative in Congress from the
State of Utah, prepared statement of
Lewis, James A., director, Technology and Public Policy
Program, Center for Strategic and International Studies,
prepared statement of
McGurk, Sean, Director, National Cybersecurity &
Communications Integration Center, U.S. Department of
Homeland Security, prepared statement of
Turner, Dean, director, Global Intelligence Network, Symantec
Corp., prepared statement of
CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES
----------
WEDNESDAY, MAY 25, 2011
House of Representatives,
Subcommittee on National Security, Homeland Defense
and Foreign Operations,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 3 p.m. in room
2157, Rayburn House Office Building, Hon. Jason Chaffetz
(chairman of the subcommittee) presiding.
Present: Representatives Chaffetz, Labrador, Tierney,
Quigley and Kucinich.
Staff present: Ali Ahmad, deputy press secretary; Thomas A.
Alexander, senior counsel; Molly Boyl, parliamentarian; Kate
Dunbar, staff assistant; Mitchell S. Kominsky, counsel; John
Ohly and Tim Lewis, professional staff members; Kevin Corbin,
minority staff assistant; Scott Lindsay and Carlos Uriarte,
minority counsels; and Amy Miller, minority professional staff
member.
Mr. Chaffetz. The subcommittee will come to order.
Good afternoon and welcome to today's hearing,
Cybersecurity: Assessing the Immediate Threat to the United
States.
We appreciate your patience and understanding as we had
votes earlier. I know we are getting off to a delayed start,
but I appreciate you all being here and participating.
Welcome, Ranking Member Tierney and members of the
subcommittee. I appreciate everybody being here today.
Today's hearing is designed to act as a prelude to the full
committee hearing which will be conducted a week later on June
1st, just a short time from now. It is entitled,
``Cybersecurity: Assessing the Nation's Ability to Address the
Growing Cyber Threat.''
During today's hearing, the subcommittee is scheduled to
receive testimony from the administration, industry and
civilian cyber threat experts, all of whom will likely state
that cyber-related intrusions pose one of the greatest threats
to our national security.
The intent is to obtain detailed information from various
sources and from various perspectives as to what the current
threat actually entails so the committee can later delve more
deeply into how effective the Nation has been in confronting
the immediate cyber threat as well as building defenses which
safeguard us from what appears to be a daunting future
cybersecurity environment.
Given the unusual nature of the cyber threat, it cannot be
addressed solely by using the traditional national security
apparatus. In short, the Federal Government is currently
incapable of securing the Nation against cyber threats on its
own and must embrace the broad, transparent involvement of non-
government entities.
Like other countries, approximately 85 percent of the
Nation's critical infrastructure is owned by the private
sector--many of which are small businesses. Because the Nation
relies so heavily on private industry to protect this
infrastructure, trusted partnerships between the government and
the private sector must also be a priority.
In the words of the President, ``Cybersecurity is a
challenge that we as a government or as a country are not
adequately prepared to counter.'' In addition, in a recent
interview, Howard Schmidt, the U.S. Cybersecurity Coordinator,
emphasized the critical nature of public-private partnerships
as it relates to cybersecurity.
Unfortunately, Mr. Schmidt refused to testify today. I
truly do find this unfortunate because I believe he should be
here in this important discussion. I am deeply concerned that
Mr. Schmidt, as the executive branch's Cybersecurity
Coordinator, charged with the responsibility for
``orchestrating the many important cybersecurity activities
across the government,'' believes that his management of this
critical issue is exempt from congressional oversight. That is
certainly inconsistent with what I have heard the
administration and this President say about the openness and
transparency of the administration.
In his absence, the administration sent to us an expert
from the Department of Homeland Security. There was quite a
debate whether the administration would allow him to sit on the
same panel as the industry experts sitting in front of us
today. I am glad the issue was resolved, in a matter of a few
hours ago and we will now be able to receive testimony from
both the public and private perspective together on one panel.
In the future, I hope this is not so difficult.
That said, I must stress my sincere disappointment in the
number of days wasted debating the need to hear testimony from
government and private witnesses alike at the same time on the
same panel in a manner that allows Members to most effectively
oversee this critical public/private partnership.
I believe it is critical that while we focus on the cyber
threat, we also keep in mind the need to develop well
coordinated, strategic cybersecurity partnerships with the
private sector in order to confront the threat. The
administration has made repeated public statements about the
importance of this partnership. Even the White House-directed
cyberspace policy review concluded that the United States
cannot succeed in securing cyberspace if it works in isolation
and should enhance its partnerships with the private sector.
Cybersecurity experts agree that given the likely national
security impact of cyber attacks on the economy, our critical
infrastructure such as transportation, energy and
communications, both private and public sectors must work
together closely and in a very transparent way. This would also
appear to be in line with the President's stated commitment to
``create an unprecedented level of openness in government'' and
``to establish a system of transparency, public participation
and collaboration.''
The ever changing face of the cyber threat means that the
authorities and capabilities needed to confront the threat will
likely need to be changed or updated on a regular basis. This
is the reason why Congress must be as attentive to the threat
as any other part of the government. I do not believe anybody
knowledgeable of cyber security would deny that cyber threat is
a major national security issue for the United States.
The National Security Strategy published in May 2010
highlights that cyber security threats represent one of the
most serious national security, public safety and economic
challenges we face as a Nation. Therefore, a national dialog in
securing the Nation's digital infrastructure must happen now
and continue indefinitely.
It is my sincere hope that this dialog can include many
segments of society and can be done in a nonpartisan way. It is
my hope that we as a Nation bring to bear against this threat
all expertise that resides within the country. Strangely, we
are faced with the critical national security threat to which
the expertise needed to confront it does not necessarily reside
solely in the Federal Government but also in the private
sector.
A recent research project conducted by McAfee and the
Center for Strategic and International Studies looked at the
threats to power grids, oil, gas and water across 14 countries.
It concluded that there had been dramatic increases in cyber
attacks against critical infrastructure with as much as 80
percent of the companies experiencing ``large scale attacks.''
According to the project report, nearly 30 percent of the
companies believed they were unprepared for the attack and more
than 40 percent expected a major cyber attack within the next
12 months. Also, according to an Office of Management and
Budget report, the number of reported cyber incidents affecting
U.S. Federal agencies shot up 39 percent in 2010, approximately
41,776 reported attacks, up from roughly 30,000 the year
before.
I am positive the witnesses will elaborate on the threat
and I look forward to hearing from the panel.
[The prepared statement of Hon. Jason Chaffetz follows:]
[Prepared statement printed as graphic images (T0676.001-003); not reproduced in this text.]
Mr. Chaffetz. I will now recognize the distinguished
ranking member, the gentleman from Massachusetts, Mr. Tierney,
for his opening statement.
Mr. Tierney. Thank you, Chairman Chaffetz, for convening
this hearing today. Thank you to our witnesses for agreeing to
testify.
I particularly want to thank the administration's witnesses
here today, Sean McGurk, the Director of the Control Systems
Security Program at the Department of Homeland Security's
National Cyber Security Division. Mr. McGurk has agreed to
testify before the subcommittee on very short notice and during
a week in which the Department of Homeland Security will
testify at five different cybersecurity hearings, including a
similar hearing held this morning.
Next week, the full committee is going to hold another
hearing on cybersecurity featuring four different senior-level
administration witnesses to discuss the administration's
comprehensive legislative proposal to improve cybersecurity
with a focus on our Nation's critical infrastructure and the
Federal Government's own networks and computers.
The proposal was drafted in response to numerous
legislative proposals introduced in the last Congress and
specific requests from congressional leadership. That White
House legislation won't be the focus of today's hearing, but is
still a much needed starting point for very important
conversation.
As someone who doesn't purport to be a techie at all, I can
tell you I have a great deal of concern about the exposure we
have in this area, particularly having served a number of years
on the Intelligence Committee and where that conversation goes
should cause some sleepless nights for a lot of people.
As computer technology has advanced, Federal agencies and
our Nation's critical infrastructure, such as power
distribution, water supply, telecommunications and emergency
services, have all become increasingly dependent on
computerized information systems to carry out their operations
and to process, maintain and report essential information.
Public and private organizations increasingly rely on
computer systems to transfer money and sensitive and
proprietary information, conduct operations and deliver
services. The interconnected nature of these systems creates
risks for our national security, economic security and public
safety.
Just last month, in Massachusetts, a virus called
``W32.QAKBOT'' was discovered on computers at the Executive
Office of Labor and Workforce Development. As a result, the
Labor Department said as many as 210,000 unemployed workers may
have had data compromised, including their names, social
security numbers, employer identification numbers, addresses
and email addresses.
Although the virus was originally discovered back in April,
it wasn't until last week that the Labor Department realized
the virus had survived its early eradication efforts and
resulted in a data breach. That specific example happened at a
State government agency, but highlights the potential threat to
Americans across the country if our Federal computer networks
are not adequately protected.
As many commentators have documented, cyber attacks on our
Federal IT systems are on the rise. The chairman just went
through the numbers on that. It is becoming increasingly clear
that current efforts to counteract the attacks are woefully
insufficient.
The connectivity between information systems, the Internet
and other infrastructures also creates opportunities for
attackers to disrupt telecommunications, electrical power and
other critical services. Some industry sectors are so vital to
the Nation that their incapacity or destruction would have a
debilitating impact on national security, national economic
security or public health and safety.
Federal law enforcement and intelligence agencies have
identified multiple sources of threats to our information
systems and our critical infrastructure. These threats include
foreign nations engaged in espionage and information warfare,
criminals, hackers, disgruntled employees and contractors. In
one recent example, it has been alleged that the Chinese
Government spread a virus that attacked Google and at least 80
other U.S. companies.
Not all threats to Federal cybersecurity are external. In
June 2010, Wikileaks released thousands of classified
Department of State and Department of Defense documents.
Immediately following the release of those documents, the
Secretary of Defense commissioned two internal Department of
Defense studies to evaluate any weaknesses in their systems.
The studies found that the Department's policies for
dealing with an internal security threat were inadequate and
that the Department had limited capability to detect and
monitor anomalous behavior on its classified computer networks.
These examples simply underline the need for a
comprehensive legislative approach that will protect our
national security and the health and safety of the American
people. We have an obligation to ensure that the government's
IT systems are secure and that any critical infrastructure is
protected from the threat of a cyber attack. The failure to
properly secure these networks could have dire consequences.
I look forward to this hearing and learning more about the
threat landscape and the challenges we face in addressing this
growing problem.
Again, I thank our witnesses and the chairman for bringing
this hearing.
Mr. Chaffetz. Thank you.
Members will have 7 days to submit opening statements for
the record.
We will now recognize the panel.
Mr. Sean McGurk is the Director of National Cybersecurity &
Communications Integration Center at the U.S. Department of
Homeland Security. Mr. Phillip Bond is the president of
TechAmerica. Mr. James A. Lewis is the director, Technology and
Public Policy Program at the Center for Strategic and
International Studies. Mr. Dean Turner is the director, Global
Intelligence Network Security Response at Symantec.
Again gentlemen, we appreciate your being here. I would
like to recognize each of you for 5 minutes for an opening
statement. If you will try to keep it to 5 minutes, any
additional information you want to provide we will submit to
the record.
Pursuant to committee rule, all witnesses must be sworn
before they testify. Please rise and raise your right hands.
[Witnesses sworn.]
Mr. Chaffetz. Let the record reflect that all witnesses
answered in the affirmative.
We will now recognize Mr. McGurk for 5 minutes.
STATEMENTS OF SEAN MCGURK, DIRECTOR, NATIONAL CYBERSECURITY &
COMMUNICATIONS INTEGRATION CENTER, U.S. DEPARTMENT OF HOMELAND
SECURITY; PHILLIP BOND, PRESIDENT, TECHAMERICA; JAMES A. LEWIS,
DIRECTOR, TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR
STRATEGIC AND INTERNATIONAL STUDIES; AND DEAN TURNER, DIRECTOR,
GLOBAL INTELLIGENCE NETWORK, SYMANTEC CORP.
STATEMENT OF SEAN MCGURK
Mr. McGurk. Thank you, Chairman Chaffetz, Ranking Member
Tierney and distinguished members of the committee. My name is
Sean McGurk. I am the Director for the National Cybersecurity &
Communications Integration Center [NCCIC]. Thank you for
inviting me today to discuss this important issue along with
this distinguished panel of experts on cyber threats and the
impact on critical infrastructure.
As both the chairman and ranking member have already
identified, sensitive information is routinely stolen from both
government and private sector networks. Last year, we saw an
increase in the threat as a result of not what was being taken
from networks but what was being left behind in the result of
what was known as Stuxnet.
Successful cyber attacks could potentially result in
physical damage and loss of life. There are many challenges in
the current landscape, strong and rapidly expanding
capabilities, lack of comprehensive threat and vulnerability
awareness and our information infrastructure is dependent upon
its continual availability for our way of life.
The cyber environment is not homogenous under a single
department or agency or the private sector. We recognize that
cybersecurity is a team sport. Government does not have all the
answers, so we must work closely with the private sector to
provide solutions. There is no one size fits all and there is
no magical line to protect the cyber domain. It is about
information sharing and it is about sharing knowledge
collectively. Knowledge is only power when it is shared. We
must leverage our expertise and our access to information along
with industry's specific needs, capabilities and timelines.
Each partner has a significant role to play and a unique
capability in this environment. In my 34 years of experience,
with over 28 years serving in the U.S. Navy, you learn that
everyone has an ability to contribute. The mission in cyber is
manifold and our goals are clear.
In the law enforcement environment, they work closely with
the other agencies to identify and prosecute cyber intrusions.
The intelligence and military community work to attribute, to
defend and to pursue those individuals. DHS, along with the
private sector, including the financial services sector, the
energy sector, communications and others, work to prepare,
prevent, respond, recover and restore. Coordinating the
national response to domestic emergencies is more of a matter
of what and how and not necessarily of who and why until much
later.
To that end, I would like to emphasize that my
responsibilities from an operational standpoint are focused on
preventing and resolving attacks, not attributing the source of
those threats.
I would be willing to take any questions in the future
regarding the cyber threats and the cyber capabilities of other
countries with the committee under an appropriately classified
setting with the available interagency representatives.
NCCIC or the National Cybersecurity & Communications
Integration Center, works closely with government and all
levels of the private sector to coordinate the integrated and
unified response to cyber communications incidents. Sponsoring
security clearances for the private sector enables us to have
our industry partners on the watch floor in a classified
environment looking at actionable intelligence and providing
information to asset owners and operators in near real time.
The DHS components have all been integrated into the NCCIC
along with representatives from other agencies such as the
National Security Agency, U.S. Cyber Command, the FBI, the U.S.
Secret Service, and representatives from the intelligence
community at large. In addition, we have private sector
representatives sitting on the watch floor from the
communications sector, the IT sector, the financial services
sector and the energy sector. Additionally, we have
representatives from State, local, tribal and territorial
governments represented by the Multistate Information Sharing
and Analysis Center.
In conclusion, within our current legal authorities, we
continue to engage, collaborate and provide analysis of
vulnerability and mitigation assistance to the private sector.
We have experience and expertise in dealing with the private
sector in planning steady state and crisis scenarios. We have
deployed numerous incident response teams and assessment teams
that enable us to prevent, respond, recover and restore from
cyber incidents.
Finally, we work closely with the private sector and our
interagency partners in law enforcement and in the intelligence
community to provide the full complement and capabilities of
the Federal Government for the private sector in response to a
cyber incident.
Chairman Chaffetz, Ranking Member Tierney and distinguished
members of the panel, let me conclude by reiterating that I
look forward to exploring opportunities to advance this mission
in collaboration with the subcommittee and my colleagues in the
public and private sector.
Also, if the committee has any questions regarding the
administration's legislative proposal, I will be happy to defer
those issues to the policy representatives testifying before
the full committee next week.
Thank you again for this opportunity to testify and I would
be happy to answer any of your questions.
[The prepared statement of Mr. McGurk follows:]
[Prepared statement printed as graphic images (T0676.004-014); not reproduced in this text.]
Mr. Chaffetz. Thank you.
Mr. Bond, you are now recognized for 5 minutes.
STATEMENT OF PHILLIP BOND
Mr. Bond. Thank you, Mr. Chairman, Ranking Member Tierney,
members of the committee. I am honored to be here on behalf of
TechAmerica, the largest industry trade association in the
United States with some 1,000 member companies. I will offer
just a few thoughts on the challenge in cyber and the policy
response we need.
First, I would observe that cyber criminals respond
rapidly; they are creative. In 2010, McAfee Labs identified
more than 20 million new pieces of malware globally. A 2011
online fraud report from RSA, the security division of EMC,
found that the U.S. has consistently hosted and been the target
of a majority of the worldwide cyber attacks.
Economic impact is serious. It is about $6 million a day
when a corporation's site is down, on average, and worldwide, the
economy loses some $86 billion a year due to cyber attacks.
Protecting our networks, is as the Chair has observed, a
public/private shared responsibility. Neither one of us can do
it alone.
The private sector's responsibility is to innovate and
operate its own infrastructure in a safe way. The government
has an obligation to share timely and accurate information so
that the private sector can secure itself and turn around and
help to secure the government.
I will defer to our witness from Symantec on a little bit
more technical descriptions of some of the threats. I would
just underscore this. The range of threat actors--especially
right now--including advanced, persistent threats, APTs--you
will hear more about that--are going directly after the end
user.
They attempt to trick them into downloading malware or
divulging sensitive information. Again, it is the actual user
being targeted, not the mechanical system, the software or
whatever. It is going after human error. As criminals probe for
a soft spot in a system, they are also probing now the
individuals who connect to that network.
With the increased reliance on all IT devices now, we see
the great shift to mobile devices and that too will be an
opportunity for cyber criminals. Applications many times are
downloaded by users and not always being properly vetted.
We would submit that the policymakers and the industry as
well and the government need to view security as an absolute
basic, not to be added on after but to be built-in from the
ground up. I would observe many companies are doing exactly
that. We need everybody to do that.
I want to spend a couple of my remaining minutes on some
thoughts for you to consider as you draft legislation, but let
me break here to underscore something that needs to be said.
Technology and innovation are a huge net positive for the U.S.
economy and for government, for government service as well.
They are our key to national security, the war fighter has an
advantage, the key to homeland security, the key to economic
security, high paying jobs, where we need to be as an economy,
but with those advantages there also have been some down sides.
That is what we are attempting to talk about today.
Please consider, first, in policy, Congress should do no
harm. Do not undermine innovation; it is our advantage. One
size fits all will not work. Second, government should promote
an outcome-based, layered security approach. Government should
develop processes to manage and measure performance associated
with real security. Third, government should adopt a risk-based
approach to our Nation's infrastructure. That means critical
infrastructure should be defined to include only that which is
of the utmost importance to national security and then truly
work to secure it.
Fourth, we believe government can provide incentives to
encourage industry to invest in best practices in security, for
example, safe harbor, from data breach notification, when an
organization does what it should in advance of a breach
incident.
Fifth, Congress should update our government's Federal
information security practices and laws to perform in a more
nimble environment, so we strongly support updating FISMA. I
know the committee knows about that.
Finally, if industry is to act at the behest of government,
it is necessary that there be clear liability protections, so
if you do what you should do or at the government's behest, you
should also be protected from unintended consequences or
liabilities.
Again, on behalf of the industry, thank you for holding
this hearing. We look forward to doing all that we can to be a
part of the public/private partnership to find a solution and
maintain our national advantage in innovation.
Mr. Chaffetz. Thank you.
Mr. Lewis, you are recognized for 5 minutes.
STATEMENT OF JAMES A. LEWIS
Mr. Lewis. Thank you, Mr. Chairman. I thank the committee
for the opportunity to testify. I am really impressed with the
energy that the committee is bringing to this issue. It is
something we need.
We depend, as a Nation, on the Internet, but it is not
secure and this gives criminals and foreign opponents real
opportunity to damage the United States. Cyber threats fall
into two categories: high end attacks that cause damage,
destruction or casualties and threats from cyber crime and
cyber espionage.
Five countries, including Russia and China, can launch high
end cyber attacks. Another 30 countries are developing these
capabilities. States use skilled proxies, cyber criminals and
hackers to help them. Cyber attacks could destroy critical
infrastructure or disrupt essential networks and services. At
the moment, however, no nation is likely to attack the United
States because they fear retaliation.
Terrorists do not yet have cyber attack capabilities, nor
do dangerous nations like Iran and North Korea. However, they
are eagerly pursuing these cyber capabilities. We do not know
how close they are to acquiring them, but the moment they
acquire them, we can expect to see damaging cyber attacks.
The immediate threat to the national interest comes from
crime and espionage. The Internet, with all its weaknesses,
created a golden age for espionage and the United States has
been the chief victim. We have lost military technology,
intellectual property for high tech companies, oil exploration
data and confidential business information. Banks suffer
million dollar losses almost every month.
None of this attracts much attention and some companies
prefer to conceal their losses and in some cases, companies may
not even know they have been hit. Our estimates of the damages,
as you heard, are in the billions of dollars. Weak cyber
security damages our economic competitiveness and technological
leadership.
What can we do about this? There is certainly a new energy
in Washington about approaching this problem, which is great.
First, we need to accept that we need a new approach that puts
cyber security as a major, national security problem. The most
dangerous threats in cyberspace come from foreign militaries
and foreign intelligence agencies.
Second, this new approach needs to combine trade policy,
law enforcement, military strategy and critical infrastructure
protection. For critical infrastructure, this means that DHS
must be able to mandate risk-based performance standards.
Public/private partnerships are an important part of this. It
would help, however, to differentiate where the private sector
is strongest in things like information sharing and innovation
and where government action is needed.
The immediate question is whether we can improve our
defenses before there is a damaging attack. Most of the experts
I know believe this is not possible, that America will only act
after a crisis. I believe that the work of this committee and
others can help us avoid that fate and let us do what is
necessary to improve public safety and national security in
cyber space.
Thank you for the opportunity to testify and I look forward
to your questions.
[The prepared statement of Mr. Lewis follows:]
[Prepared statement graphics T0676.015 through T0676.021 omitted.]
Mr. Chaffetz. Thank you.
Mr. Turner, you are recognized for 5 minutes.
STATEMENT OF DEAN TURNER
Mr. Turner. Chairman Chaffetz, Ranking Member Tierney and
members of the subcommittee, thank you for the opportunity to
testify today as the committee considers cybersecurity and the
current threat level to the United States.
Mr. Chairman, on behalf of the nearly 500 Symantec
employees based in your district in Linden, we certainly
appreciate your focus on cybersecurity issues.
My name is Dean Turner. I am director of Symantec's Global
Intelligence Network.
Symantec is the world's information security leader with
over 25 years' experience in developing Internet security
technology. Our best-in-class Global Intelligence Network
allows us to capture worldwide security intelligence data. We
maintain 11 security response centers globally and utilize over
240,000 attack sensors in more than 200 countries to track
malicious activity 24 hours a day, 365 days a year. In short,
if there is a class of threat on the Internet, Symantec knows
about it.
In my written testimony, I have provided the committee with
greater detail on the evolving threat landscape, as well as an
assessment of some of the real world impacts of cyber attacks
on businesses and individuals. I also touch on major challenges
and the vulnerabilities associated with securing new
technologies and how organizations can better secure their
important and critical systems.
In our April 2011 Symantec Internet Security Threat Report,
we observed several key threat landscape trends for the
calendar year 2010. The year was book-ended by two significant
targeted attacks, including Hydraq, otherwise known as Aurora,
and Stuxnet. Stuxnet was a game changer, exemplifying just how
sophisticated and targeted threats are becoming. It
demonstrated the vulnerability of critical national
infrastructure to attack and Stuxnet was the first publicly
known threat to target industrial control systems.
Social networks continue to be a security concern for
organizations as government agencies and companies struggle to
find a satisfactory compromise between leveraging the advantage
of social networking and limiting the dangers posed by the
increased exposure of potentially sensitive and exploitable
information.
Leveraging information from social networking sites as part
of a social engineering campaign is one of the simplest and
most effective ways an attacker can lure their target to a
malicious Web site. For example, an attacker can use
information gathered from a social networking site to create a
target email that then lures a victim to a Web site that hosts
malicious code. If the victim visits the Web site, a Trojan,
for example a key logger or a backdoor, can be installed and
that begins exfiltrating sensitive information back to the
attacker.
In 2010, attack tool kits continued to see widespread use.
A typical tool kit today is built to allow the cyber criminal
to monetize infected machines in every way possible. For
example, keystroke loggers are a simple way to capture any
password a user types in. Other Trojans can also steal email
addresses found on the machine as well as add additional
malware.
Attack tool kits and their ability to update over the Web
greatly increase the speed with which new vulnerabilities are
packaged, exploited and spread. One of the most significant
attack kits known at the moment is the Zeus Trojan, which is a
favorite of cyber criminals due to its ease of use and low
cost, about $400 in the underground economy. It takes little to
no technical knowledge to launch this type of attack and it can
be extremely profitable for cyber criminals.
With the proliferation of smart phones and mobile devices,
users are increasingly downloading third party applications
which is creating an opportunity for the installation of
malicious applications. In 2010, there was a 42 percent
increase in the number of reported new mobile operating system
vulnerabilities and most mobile malicious code is now designed
to generate revenue. Therefore, there are likely going to be
more threats created for these devices as people increasingly
use them for sensitive transactions such as on-line shopping
and banking.
We have learned many lessons from today's threat landscape
and while the sophistication level of attacks is increasing as
is the potential and real damage caused by such attacks, we
need to turn these lessons into action. In addition to the
recommendations contained in my written testimony, the
following steps must be taken in order to better protect
critical systems from cyber attack.
First, develop and enforce IT policies and automate
compliance processes. Second, authenticate identities by
leveraging solutions that allow businesses to ensure only
authorized personnel have access to those systems. Third,
secure end points, messaging and Web environments. In addition,
defending critical internal servers and implementing the
ability to back up and recover data need to be top priorities.
Members of the committee, cybersecurity faces a constantly
evolving threat and there is no single solution to prevent
attacks. Attackers are getting smarter and more resourceful
every day. Because of that, any solution must include the
private sector's expertise and innovation. We must continue to
be vigilant in protecting our economy, our national security
and our way of life.
Symantec applauds Congress for focusing much needed
attention on cybersecurity and we look forward to continuing
this important dialog. I will be happy to answer any questions
you might have.
[The prepared statement of Mr. Turner follows:]
[Prepared statement graphics T0676.022 through T0676.032 omitted.]
Mr. Chaffetz. Thank you.
We will now start the questioning. I am going to recognize
myself for 5 minutes--maybe even a little bit longer than that.
I appreciate all the expertise and routinely what we hear
is the threat, the threat, the threat, it is happening and we
are quantifying something at $86 billion and perhaps beyond. I
do think there are probably a number of companies that would be
embarrassed to allow it out there that there was some sort of
security breach.
We are constantly told that it is consumers and shoppers,
that it is safe and secure to type in our critical information,
our personal information just because it has that little lock
on there. What should the average person in Topeka, Kansas be
thinking about when they go type in, how do you really tell if
it is secure or not and can you ever? Do you want to take a
stab at that, Mr. Bond?
Mr. Bond. I will take a first stab at it, Mr. Chairman. I
think I would urge consumers to do what a national education
campaign has urged which is stop, think and connect. Many of
these newly designed threats that come in and pose as something
they are not, trying to get you to either give information or
simply click on a bogus connection which very often can be
understood, gleaned or perceived as a threat by simply stopping
and thinking through, wait a minute, is this really coming from
the company or an entity that it purports to be.
This links to issues about short address names and other
things that are part of the challenge right now, but I do think
that a public education campaign that tells people to stop and
think before they connect can have measurable impact. That is a
beginning point.
Mr. Chaffetz. Certainly the success of Twitter and Facebook
and particular networks has become immense globally. Mr. Lewis,
what sort of threat or danger to young people, old people,
people who participate on those types of social networks
exists? How secure, if at all, is the information that is
provided?
Mr. Bond. The intent with information is to be public, so
it is easily collected. We know there have been many problems
in the past. One of them, my favorite in some ways, is the fact
that people will often use their pet's name or birthplace as
their password and then they will list it on the Web site, so
we have seen many, many incidences where guessing the password
on these sites isn't that difficult.
We are a treasure trove for cyber criminals because you can
harvest all kinds of data that will give you hints on
passwords, employment, where your bank is, so they have become
kind of unmanageable problems. There is little the companies
can do about that. I don't want to blame Twitter or Facebook or
any of them. People choose to put their information up there
and they haven't thought enough, as you heard from Phil, about
what the implications are. If you are going to have a Facebook
account, don't use your dog's name as the password.
Mr. Chaffetz. Mr. McGurk, I would like to learn a bit more
about the differences or perhaps the similarities between cyber
attacks from domestic and international sources. Are there
distinguishable differences or motives between the domestic and
the international actors?
Mr. McGurk. In the Department, as I mentioned earlier
during my testimony, we are focused more on the risk mitigation
strategy, so when we look in the national infrastructure
protection plan, at the definition of risk, we identified as
threat, vulnerability and consequence. The Department takes an
all hazards approach.
The challenge there is identifying where the threat actors
are originating. That is a part of it but from our standpoint,
from the mitigation standpoint, in protecting the networks,
restoring services and recovery, the actual source is not as
important as the vulnerability and the consequence of those
vulnerabilities. That is really where the Department focuses
most of its attention and how to provide actionable
intelligence to the asset owners and operators to prevent
further escalation of the consequences of the breach.
Mr. Chaffetz. How far and wide are you doing that? You are
doing that, I would assume, with the national interest, the
Federal assets that we have. What about the private sector? How
involved do you get with them? There is obviously Microsoft,
Google and Yahoo in the world, but there are also your medium
level guys. How interactive are you, can you possibly be where
there will be virtually every single entity you could possibly
think of?
Mr. McGurk. One of the areas we focus on in NCCIC is our
assist and assess mission where we actually send incident
response teams and assessment teams out into the field. We have
gone to companies of only seven employees that were
experiencing cyber intrusion to Fortune 10 companies, working
with them to not only identify what the risk is but to mitigate
that risk in their cyber environments.
On average, a week does not go by where I do not have a
team in the field working with the private sector to address
those cyber vulnerabilities and to mitigate those risks.
Mr. Chaffetz. What percentage of the companies can you
possibly get to?
Mr. McGurk. Again, to date, we have been able to conduct 75
risk assessments over this past year. We have not had the
opportunity or the requirement to turn anyone away. It is
completely voluntary. Part of the challenge is when a risk,
threat or intrusion is identified to the Department, we will
respond in kind with a team of cybersecurity experts to assist
in restoring services. Again, that is a matter of the request
coming from industry.
Mr. Chaffetz. Yes, Mr. Bond?
Mr. Bond. I want to observe here that this is where the
power of the network can be tremendously valuable. DHS does not
need to physically go out and talk to every company. We do need
timely, actionable sharing of information so that the network,
led by great vendors like Symantec and others, can then
proliferate and spread that word to address whatever the
vulnerability is at the earliest possible stage as soon as we
know about the threat.
You will uncover, through the committee's efforts and
hearings, that there are information sharing challenges between
the government and private sector, between the private sector
and the private sector.
Mr. Chaffetz. Thank you. My time has expired. I will now
recognize Mr. Tierney for 5 minutes or whatever he would like.
Mr. Tierney. I am trying to work out something in my mind
that Mr. Bond got me thinking about as he was talking, about
who is responsible for what, liability protections, incentives
and all of that.
I understand with respect to our national security concerns
and homeland protection, being a part of that, that the
government systems, we have the responsibility, we have to take
care of it and move on from that, but in terms of the private
sector, when you are not doing business with the government,
why isn't that on you? Why isn't it on you to make sure that
your systems are protected?
I see Mr. McGurk has teams running all over the place doing
what I would have thought was your job, making sure you are
safe, making sure nobody can get into your system, making sure
consumer information is protected. If you don't do a good job
of that, I suspect people aren't going to buy your product or
utilize your services. I don't know why we have to give you
incentives and I don't know why you wouldn't be held liable if
you make a mess of it.
Mr. Bond. It is an important observation because we believe
market forces are primary to shaping good behavior and we see
that time and again. However, let me try to give you an
example.
If a small community is targeted, say the bank in that
community is targeted because they want to get personal
information or financial information because there may be a lot
of DOD workers in that community, the Federal Government says,
gee, that small community bank has somehow been breached and we
need you to go off line for a minute to help figure this out
and because it is a serious threat.
Mr. Tierney. Let me back up. The government didn't supply
that system to that bank?
Mr. Bond. No.
Mr. Tierney. If it is breached, let's say there aren't any
government workers in that area?
Mr. Bond. That is not the point of liability. For their
inability to provide a secure system, there are going to be
questions about a community bank in the future, but while they
are down because of a government request or demand and Farmer
McDonald doesn't get his loan or loses the farm, is the bank
liable because they went down at the government request?
Mr. Tierney. Forget the bank, the bank didn't put the
system in, they bought it from somebody and paid for the
service of installing it. If it goes down, whether it goes down
because somebody breached it, the government suggests they go
down or whatever, it is still their fault and their problem.
Why wouldn't all the responsibility and obligation lie with
them, not lie with the government in protecting national
security? We don't assess the government every time they come
in and protect us, but the people who go out and sell to a bank
in a community, that they are going to give them a system that
is safe and secure, why doesn't the buck stop there?
Mr. Bond. I am trying to make a distinction that I think is
legitimate. When the government says, based on what we know,
you should do this or we require you to do this and you do
that, any liability that stems from that step should be
protected because you are doing something in accord with policy
or government request.
Mr. Tierney. You wouldn't do it on your own is what you are
saying, look and see what happened, figure you have to put in
those safeguards of your own volition?
Mr. Bond. You would and I am failing to communicate.
Mr. Tierney. No, you are not. I am just failing to accept
your premise. It is not that you are failing to communicate.
For whatever reason you have to do something, it seems a
customer would want you to do and expect you to do, I don't
understand the shifting of responsibility and obligation.
Mr. Bond. If it is an action taken at government
requirement or policy, I don't think it is the government's
intent to make a company liable for obeying the law.
Mr. Tierney. Let us take your example, which I thought was
the most favorable position you could take for yourself. A lot
of people work in the government, Department of Defense or
something, living in a particular neighborhood doing business
with a credit union or a bank and the system someone in private
industry installed was secure, goes down and there is a breach,
you are telling me if the government tells you to shut it down,
or the government tells you how to bring it up safely, you
wouldn't come across that on your own and if you didn't come
across that, the government had to take action, therefore you
shouldn't be responsible for anything that results from you
taking those steps.
One of two things can happen. You are going to try to
resolve it yourself or somebody is going to have to suggest to
protect the consumers and the community that it is going to be
done, then you say if I do it the way they say do it, because I
wouldn't do it on my own, then I am going to be shielded from
the responsibility or liability. Is that your position?
Mr. Bond. No, but I appreciate your framing it for me. What
I am trying to underscore is that when there is a policy or
something in place that has a requirement to it that there not
be liability attached to it being the requirement. I could
think of a lot of different examples but if you are adhering to
the rules and best practices, and something about that policy
causes harm as a response, that is something you are obeying
policy on and you should not be liable.
Mr. Tierney. How do we ever get best policies to keep
getting better if you never have an incentive to do it because
you are covered--the threshold thing that is in place at a
given time?
Mr. Bond. I could reverse it and say why would you ever
obey the government rule if you are also not protected when
obeying that rule?
Mr. Tierney. Maybe we don't have a government rule. Maybe
we just leave you out there to the market, so when you go down
and that community goes down or whatever, then you are on your
own. Would that be something you want, no consumer protections,
no government regulations, would that make you happier?
Mr. Bond. I am taking your earlier point that market forces
really do matter, but I am trying to make the point that if we
pass rules and companies obey those rules, that should not
usher in some liability because you obeyed the rule.
Mr. Tierney. I am not trying to be contentious with you, I
am trying to get to the bottom. I think it is an interesting
question to ask, but there be no government regulations in this
area. Mr. Bond, go ahead.
Mr. Bond. I am not advocating that. I think there are
already some regulations in place, certainly around the
government systems and how they interact with private sector
systems, contractors and others.
Mr. Tierney. Other than that, should there be any
government regulations on your provision of systems to private
entities at all or should it just be totally unregulated?
Mr. Bond. I think that is a good question we should look
at, what is the use of standards, what is the use of industry
best practices and other things that government and the private
sector are coming up with together and that any regulatory
steps should be taken very carefully with all the expertise of
the different players in the room.
I am not here to draw any kind of line in the sand, I am
here to say that you need technical experts like Mr. Turner and
others in the room to understand what the implications are in
an interconnected world.
Mr. Turner. Just to add to that, I think it is important
when we are discussing liability, we acknowledge the fact that
it is incredibly difficult to pin where that liability sits.
There is no such thing as a 100 percent secure, fool proof
piece of software. It doesn't exist out there, I am sorry to
say. Vulnerabilities are a fact of life.
Mr. Tierney. But there was never a 100 percent secure train
either, but at some point liability went to the locomotive
company because technology had advanced to the point where they
were the ones to be held responsible for anything.
Mr. Turner. I understand but when you are asking to assess
liability on a particular focal point, whether that be the
Federal Government, the private sector or the vendor, we have
to deal with something called the law of unintended
consequences. It is virtually impossible for us, as an industry
or anybody, to be able to test with 100 percent certainty how
that particular product, software or service is going to be
used in that situation.
Mr. Tierney. A product liability system has never gone on
100 percent certainty, who is responsible and then people make
a decision about what is reasonable. I was trying to figure out
whether it is reasonable to leave it all to the industry to set
the standards and suffer whatever consequences or obligations
there might be or is there some advocacy here that the
government should, on behalf of the consumer, whoever that
might be, a business or an individual, set some standards for
compliance and I haven't figured out whether you are for or
against yet.
Mr. Turner. I suspect you will find that the answer lies
somewhere in the middle, that it is again the public/private
partnership.
Mr. Lewis. Can I add something, Mr. Chairman, because it is
an interesting line of questioning. There is a point we might
want to put out in the open and I think if you would use your
experience and the experience of other committee members with
the intelligence community, you would be able to confirm this,
but there is no such thing as a secure, unclassified system. I
have been told by senior intelligence officials that they have
never seen an unclassified system that has not been penetrated.
We are dealing with a problem where anyone can get in. The
solution to that is not a technological solution.
Yes, over time, our technologies will get better and that
will squeeze out the low end threat, so the high school kid who
used to be able to break in in a couple of hours now he might
have to spend a little more time. I think that is why a lot of
us are in favor of a comprehensive approach. You need to have
law enforcement cooperation with other countries. You need to
have strong military forces to deter potential opponents. You
need to work with the service providers to get them to help
consumers and you do need some kind of what we are calling now
risk-based standards run through the government that would
impose some requirements on at least critical infrastructure
companies.
If we can get a package together, we can deal with the
problem, but no single part will solve this very damaging
situation.
Mr. Tierney. I guess what I am taking from that is you
don't feel you can do your optimum job without the assistance
of the government in some respect, is that fair to say? You are
all talking about partnerships. I am guessing what the industry
is saying is we can't do this right without government
assistance at some level.
Mr. Bond. I think I would say that we absolutely need and
welcome government involvement around the critical
infrastructure and as they do that, we want to make sure
experts are in the room because these are very complicated and
interconnected issues. That is simply it.
Mr. Chaffetz. Mr. McGurk, as we talk about the threat,
where do you see the biggest threats outside of the domestic
United States? What are the biggest threats? Where do you see
them coming from?
Mr. McGurk. Again, focusing on the total consequence and
vulnerability aspect, the threat actors range in sophistication
and capability from nation state-sponsored through criminal
activity down to a hacktivist, entirely into what we call the
script kiddie environment.
Mr. Chaffetz. How many nations are attacking this country
on the cybersecurity front, how many nation actors?
Mr. McGurk. The challenge with that was the point made
earlier by some of the members of attribution. It is very
difficult to positively attribute known activity. Even if I
were to say an IP address or the source address originated in a
particular country or a particular area, that may not be the
actual actor, so the attribution piece is very difficult.
Mr. Chaffetz. I recognize that it is difficult, but you
have some number that you have assessed, at least I hope you
do. What is that number, how many countries?
Mr. McGurk. I would actually defer that to the intelligence
community representatives in another forum. I wouldn't be able
to comment on that here today.
Mr. Chaffetz. What is the consequence for somebody who is
attacking us on the cybersecurity front? Is there anything we
can do or have done? Is there any instance where we have
actually said, Country X, you have been doing this and this is
the consequence? Is there any consequence to that?
Mr. McGurk. To my knowledge, I am not familiar with any
official demarche that has ever been issued or ever been
delivered to a particular nation state associated with
malicious cyber activity.
Mr. Chaffetz. How often are we getting attacked from nation
states--daily, hourly?
Mr. McGurk. There are hourly cyber attacks. Whether they
originate and are state-sponsored or if they just originate
from IP addresses that are being spoofed as far as the
location, if they are criminal activity or if they are
independent activists that are operating under the protection
of a nation state.
Mr. Chaffetz. Let us pretend we have a nation state that
says yes, what is the consequence? What do we do?
Mr. McGurk. Not necessarily dealing in hypotheticals, but
looking at the consequence analysis that the Department
conducts associated with cyber physical systems, one of the
demonstrations we conducted in 2007 was known as the Aurora
Experiment where we demonstrated the capability of taking
digital protective circuits and physically destroying large
pieces of rotating equipment. This type of equipment has years
to repair or replace.
Mr. Chaffetz. That is cool, I like hearing that. What else
can we do?
Mr. McGurk. Subsequently, we recognize we have to apply a
defense-in-depth strategy.
Mr. Chaffetz. I hope we are doing that.
Mr. McGurk. Yes, sir. In many of these cases, these legacy-
based systems are 10, 20 or 30 years old, so subsequently we
can't bolt on a new application so we either need to enclave
these pieces of equipment in a secure environment or mitigate
the risk associated with operating those systems in a connected
world.
The comment was made earlier about separating networks and
never finding a secure network. In our experience, in
conducting hundreds of vulnerability assessments in the private
sector, in no case have we ever found the operations network,
the SCADA system or energy management system separated from the
Enterprise network. On average, we see 11 direct connections
between those networks and in some extreme cases, we have
identified up to 250 connections between the actual producing
network and the enterprise environment. That is one of the
challenges we have, as I mentioned earlier, in actually
securing these networks and understanding the consequences
associated with the vulnerabilities and not just the threat
actors.
Mr. Chaffetz. That doesn't give us much confidence, but it
is reality. That is what we are after here.
If I went down the row here, what do you all see as the
singlemost, significant weakness in the system right now? I
will start with you, Mr. Bond, and then we will loop around and
get to you, Mr. McGurk.
Mr. Bond. I would probably identify better information
sharing coming between the government and the private sector. I
don't think we are sometimes free to discuss the threats we see
so that we can respond quickly.
Mr. Chaffetz. Mr. Lewis.
Mr. Lewis. I would go back to your point about
consequences. If nobody is ever punished for doing something
bad or even chastised, they are just going to do more of it, so
I think our failure to have any consequence for any sort of
cyber action is really damaging.
Mr. Chaffetz. Mr. Turner.
Mr. Turner. I would have a tendency to agree with Mr. Bond
that information sharing is the key component, but I would also
add and rank just as highly that we need to start moving away
from the mindset in which we currently find ourselves which is
detection and remediation. This is the cycle we are in, we
detect and remediate, detect and remediate. We are always
behind the curve. We need to get a little more predictive and a
little more proactive in terms of reaching out which sort of
dovetails into Mr. Lewis' comment about the consequences for
actions.
Mr. Chaffetz. Mr. McGurk.
Mr. McGurk. Thank you for the opportunity to go last because
I would say all of the above.
Mr. Chaffetz. I agree with you.
Mr. McGurk. If I may add on the information sharing piece,
arguably we have been sharing information for years between the
government and the private sector. We need to focus on
collaboratively developing knowledge so that we can provide
actionable intelligence to mitigate the risk.
The great example of that was in November of last year,
there was a particularly malicious piece of code known as the
``Here You Have'' virus. It was actually identified through the
intelligence community as being a known malicious piece of
software and within hours, the Department was able to identify
that particular piece of code and provide actionable
intelligence to the community through a series of
declassification measures using the private sector's expertise
to provide information to the private sector so they could take
the necessary steps to mitigate the risk.
That is the step we need to do to actually have an effect
on cyber risk at that speed and not just simply put together
another information sharing body.
Mr. Chaffetz. I want to go quickly here to the cloud. There
is a lot of movement within the industry to encourage people to
store their information on the cloud which creates questions
about security and do I trust some major provider more than I
trust my own local server, do I think it is more safe than my
individual computer.
What are the vulnerabilities there? Should we feel more
secure, more safe with cloud and movement to the cloud or less?
Let us start with Mr. Lewis this time.
Mr. Lewis. You caught me off guard, Mr. Chairman. Right
now, I would say there is probably a slight advantage to having
your stuff in the cloud because some of the companies, some of
the service providers can devote more attention, particularly
for small and medium size enterprises. They may actually
benefit from having a big company--a Google or a Microsoft or
an IBM--manage their data. There are other drawbacks to it.
For large enterprises, I am not sure they benefit and a lot
depends on how well the cloud service providers actually do. On
the whole, small companies are better off. Big companies may be
a wash.
Mr. Chaffetz. Mr. Turner.
Mr. Turner. I agree with Mr. Lewis in a sense. I do think,
however, enterprises do benefit because a lot of what we are
seeing in the move to the cloud is driven by total cost of
ownership and reduction of costs, and so forth. From a security
perspective, it is going to be contextual because you are going
to have to ask yourself those very important questions about
with whom do I trust my data. That is going to come down to
reputation and past behavior.
It is not meant to be a pitch but that is certainly the
case in the questions that have to be asked. If they don't,
there will be a lot of people, as we move to the cloud, that will
be able to make these services available whether they be
onshore in the United States or offshore and these other
places. What is the track record going to be? We have to make a
very clear and very careful assessment of the information we
are willing to share because not all information could be
protected.
Mr. Chaffetz. Let me shift here a little, if I could. Mr.
McGurk, let us talk about data bases. The Federal Government
has over 2,000 data bases. On one hand, you can say maybe that
diversified portfolio provides a degree of safety and security,
so the Bureau of Indian Affairs is separate from the Department
of Justice. I can understand the security component at the
Department of Justice is probably a little bit higher than the
Bureau of Indian Affairs.
What are the weak links associated with that? Do we want to
consolidate those and have five really good data warehouses or
data bases or is this diversified portfolio advisable? I worry
that so many agencies are trying to create so many things, we
are duplicating efforts and consequently, they are all probably
not nearly as secure as we want them to be. What is your
perception of that?
Mr. McGurk. I believe it is actually a capabilities versus
a requirements discussion. When you talk about the dispersed
nature of the data base as in the infrastructure, it goes to
the cloud discussion we were just having.
One of the benefits of that secure environment is that you
can have a disparate approach to data storage so that not all
the keys to the kingdom are in one location. That provides an
obscurity model for data in motion and data at rest. By being
able to do that, we can better allow for a distributed approach
for data security.
That being said, one of the initiatives the Department has
been executing for quite some time now is a trusted Internet
connection program. That was part of the Comprehensive National
Cybersecurity Initiative. Instead of trying to instrument or
monitor each of the separate departments and agencies, we
roll that up to an aggregation point so that we can understand
flow and control the information access points at an aggregated
standpoint and still allow for the diversity of the independent
departments and agencies.
Mr. Bond. Just quickly, I want to make sure to offer to
brief the committee and its members. Our TechAmerica Foundation
actually has 73 companies and academics involved in commission
right now to advise the government on the cloud and the
leadership opportunity for the U.S. and the cloud. One of the
questions they are going to be addressing is the security
profile of the cloud. There are leading thinkers who would
challenge Jim's assertion and maybe even say the cloud would be
more secure for all enterprises.
Mr. Chaffetz. Mr. Tierney.
Mr. Tierney. Mr. Bond, in your testimony you emphasized the
public/private relationship, particularly with respect to
education and information sharing. Do you think education and
information sharing are sufficient to protect the critical
infrastructure from cyber attacks? Do you think that is where
we should leave it?
Mr. Bond. No, I think we presume there are going to be
special rules, regulations and requirements around the critical
infrastructure. We think education jointly identifying where
the government should invest R&D dollars in cybersecurity, all
will be a part of that ultimate solution. We certainly advocate
for clear distinction of what the critical infrastructure, a
good definition of it and special requirements for it.
Mr. Tierney. In that vein--and I ask this of all of you--
the present CEO of the North American Electrical Reliability
Corp., a fellow named Gerry Cauley, that you are all probably
familiar with, testified before the Armed Services Committee on
this topic. He said he didn't think there was clarity of
responsibility. He thinks collaboration and consultation have
been good but should be based on an ad hoc relationship with
clear lines of responsibility and authority. Are you all pretty
much in agreement with that or do you disagree?
Mr. Lewis. In some ways, the electrical grid is the most
attractive target we have for some of our opponents. It is not
secure, so if the statement he made was that we have been
relying on an ad hoc process, I think that is right and there
is a lot of room for improvement.
Mr. Tierney. Do you know why there isn't a clear line of
responsibility? What is the impediment to deciding who will be
in charge of this overall, overriding plan we have?
Mr. Turner. I think part of the issue too is the
responsibility in sharing the data itself. What data can you
share? There are a whole host of impediments and barriers to
sharing what is arguably confidential information in some
areas. That is part of the issue I think gets in the way of
trying to formalize relationships and put them in a
hierarchical order to say this is who is doing this and this is
who is doing that. I think that has primarily been holding back
even the larger information sharing relationship that goes on
between the public and private sector, not limited to that
particular sector itself.
Mr. Tierney. Can I assume that some countries share this
problem and some countries don't depending on the nature of the
government in a given country?
Mr. Turner. I am not so sure it actually comes down to a
country by country level, to be perfectly honest with you. I
think it is the nature of the issue itself that you are talking
about the sharing of that information. This is merely to
illustrate a problem with the information sharing network that
sometimes when information goes from the private sector to the
public sector, it is a one way street. Part of the whole
education thing is we have to come to agreement on how we share
that information to ensure that there is valuable information
that can come back the other way as well.
Mr. Lewis. On that note, I talked with one of the larger
European countries. They have set up something like our Cyber
Command. They were telling me what they had done with their
electrical grid and requiring their grid operators to be more
secure. I said, that is amazing, how did you guys get away with
that? We could never do that. They said, when they privatize,
they made sure to keep two board seats.
Where you are seeing a difference emerge is in the
countries that still have a small number of service providers,
where the government has a more directive role, they are
pulling ahead a little bit. Right now, I would say we are all
sort of in equally bad shape and one of the trends to watch is
whether that changes in a way that disadvantages us.
Mr. Tierney. Let me ask one last question of each of you.
What do each of you as individuals think the government role
ought to be in protecting the infrastructure for private
companies? Mr. McGurk.
Mr. McGurk. I believe the current role we are executing as
a coordinator and integrator to provide understanding and
awareness across the 18 critical infrastructures is a key role
and a service that we provide. As many of my distinguished
panel members have said, information may come from one sector
and may be germane to another but there is no direct connection
to share that information.
By aggregating that at the Department, we are able to take
alerts, warnings or indications coming from the electric
sector, anonymize that information or identify the
vulnerability and provide that to the water sector, the
chemical sector or the petroleum sectors. That is a service and
capability we provide because we do have broad exposure into
each of those 18 critical infrastructures.
Mr. Tierney. Mr. Bond.
Mr. Bond. Certainly I would underscore the notion that
there needs to be a key role in defining the critical
infrastructure and having special requirements for that. The
farther out you move on the network and the closer to consumer
applications and so forth, I think we need this roundtable of
real experts to understand what it means in a networked world
because they are all connected and difficult to determine
regulatory schemes.
Mr. Tierney. Mr. Lewis.
Mr. Lewis. Three things--some kind of flexible, standard-
based approach that I would think DHS and the other regulatory
agencies would oversee for critical infrastructure; better
information sharing as you have heard; and finally, steps that
would make the international environment more secure, steps
that would deter criminals and other potential hackers.
Mr. Tierney. Mr. Turner.
Mr. Turner. I would agree with everything that has been
said on the panel. Going last, it is easier to do that.
I would add in addition to facilitating information sharing
and making it easier, keeping an eye toward that liability. We
have to keep in mind that most of the attacks that we see
today, the attacks themselves are international in nature, so
we are not just dealing with threat actors or threat
intelligence that comes from the Five Eyes or the United States
alone.
We are also dealing with issues that come from other
jurisdictions, other western jurisdictions where the sharing of
that information is considered, to put it bluntly, very
difficult to do and can put you in a lot of hot water. Those
issues have to be addressed if we are going to get down to the
role where we talk about how do we make it easier for
governments to protect the private sector especially when we
are talking about critical infrastructure. Those are some of
the hurdles we have to address. If we don't address them at the
higher level, sharing the information formally at a lower level
is difficult. It happens informally now.
I wouldn't want to leave the panel with the impression that
we do not share information because that is certainly not the
case. I personally have worked with all the levels of the U.S.
Government on sharing information about current threats to
critical infrastructure but it is in an unofficial capacity
because there doesn't exist an official capacity in which we
can do that.
Mr. Tierney. Thank you.
Thank you, Mr. Chairman.
Mr. Chaffetz. I want to thank all the panel members for
their participation today and your expertise. If there are
additional comments or information you would like to share with
us, I would appreciate it.
Mr. McGurk, if you would commit to this committee to help
us conduct that confidential briefing, a classified briefing, I
should say, we would certainly appreciate that. Is that
something you could commit to?
Mr. McGurk. Yes, Mr. Chairman, it would be my pleasure to
help facilitate that.
Mr. Chaffetz. That would be great.
Thank you again for your expertise. This is a fast moving
industry, it changes every moment and we appreciate your
participation. Thank you again for your expertise and your
comments.
The committee now stands adjourned.
[Whereupon, at 4:15 p.m., the subcommittee was adjourned.]