[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]




 
   CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES

=======================================================================

                                HEARING

                               before the

                   SUBCOMMITTEE ON NATIONAL SECURITY,
                HOMELAND DEFENSE AND FOREIGN OPERATIONS

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 25, 2011

                               __________

                           Serial No. 112-55

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform



                  U.S. GOVERNMENT PRINTING OFFICE
70-676                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
DAN BURTON, Indiana                  ELIJAH E. CUMMINGS, Maryland, 
JOHN L. MICA, Florida                    Ranking Minority Member
TODD RUSSELL PLATTS, Pennsylvania    EDOLPHUS TOWNS, New York
MICHAEL R. TURNER, Ohio              CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 DENNIS J. KUCINICH, Ohio
CONNIE MACK, Florida                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
ANN MARIE BUERKLE, New York          GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               MIKE QUIGLEY, Illinois
RAUL R. LABRADOR, Idaho              DANNY K. DAVIS, Illinois
PATRICK MEEHAN, Pennsylvania         BRUCE L. BRALEY, Iowa
SCOTT DesJARLAIS, Tennessee          PETER WELCH, Vermont
JOE WALSH, Illinois                  JOHN A. YARMUTH, Kentucky
TREY GOWDY, South Carolina           CHRISTOPHER S. MURPHY, Connecticut
DENNIS A. ROSS, Florida              JACKIE SPEIER, California
FRANK C. GUINTA, New Hampshire
BLAKE FARENTHOLD, Texas
MIKE KELLY, Pennsylvania

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                     Robert Borden, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director

    Subcommittee on National Security, Homeland Defense and Foreign 
                               Operations

                     JASON CHAFFETZ, Utah, Chairman
RAUL R. LABRADOR, Idaho, Vice        JOHN F. TIERNEY, Massachusetts, 
    Chairman                             Ranking Minority Member
DAN BURTON, Indiana                  BRUCE L. BRALEY, Iowa
JOHN L. MICA, Florida                PETER WELCH, Vermont
TODD RUSSELL PLATTS, Pennsylvania    JOHN A. YARMUTH, Kentucky
MICHAEL R. TURNER, Ohio              STEPHEN F. LYNCH, Massachusetts
PAUL A. GOSAR, Arizona               MIKE QUIGLEY, Illinois
BLAKE FARENTHOLD, Texas


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 25, 2011.....................................     1
Statement of:
    McGurk, Sean, Director, National Cybersecurity & 
      Communications Integration Center, U.S. Department of 
      Homeland Security; Phillip Bond, president, TechAmerica; 
      James A. Lewis, director, Technology and Public Policy 
      Program, Center for Strategic and International Studies; 
      and Dean Turner, director, Global Intelligence Network, 
      Symantec Corp..............................................     9
        Bond, Phillip............................................    23
        Lewis, James A...........................................    24
        McGurk, Sean.............................................     9
        Turner, Dean.............................................    33
Letters, statements, etc., submitted for the record by:
    Chaffetz, Hon. Jason, a Representative in Congress from the 
      State of Utah, prepared statement of.......................     4
    Lewis, James A., director, Technology and Public Policy 
      Program, Center for Strategic and International Studies, 
      prepared statement of......................................    26
    McGurk, Sean, Director, National Cybersecurity & 
      Communications Integration Center, U.S. Department of 
      Homeland Security, prepared statement of...................    12
    Turner, Dean, director, Global Intelligence Network, Symantec 
      Corp., prepared statement of...............................    35


   CYBERSECURITY: ASSESSING THE IMMEDIATE THREAT TO THE UNITED STATES

                              ----------                              


                        WEDNESDAY, MAY 25, 2011

                  House of Representatives,
Subcommittee on National Security, Homeland Defense 
                            and Foreign Operations,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 3 p.m. in room 
2157, Rayburn House Office Building, Hon. Jason Chaffetz 
(chairman of the subcommittee) presiding.
    Present: Representatives Chaffetz, Labrador, Tierney, 
Quigley and Kucinich.
    Staff present: Ali Ahmad, deputy press secretary; Thomas A. 
Alexander, senior counsel; Molly Boyl, parliamentarian; Kate 
Dunbar, staff assistant; Mitchell S. Kominsky, counsel; John 
Ohly and Tim Lewis, professional staff members; Kevin Corbin, 
minority staff assistant; Scott Lindsay and Carlos Uriarte, 
minority counsels; and Amy Miller, minority professional staff 
member.
    Mr. Chaffetz. The subcommittee will come to order.
    Good afternoon and welcome to today's hearing, 
Cybersecurity: Assessing the Immediate Threat to the United 
States.
    We appreciate your patience and understanding as we had 
votes earlier. I know we are getting off to a delayed start, 
but I appreciate you all being here and participating.
    Welcome, Ranking Member Tierney and members of the 
subcommittee. I appreciate everybody being here today.
    Today's hearing is designed to act as a prelude to the full 
committee hearing which will be conducted a week later on June 
1st, just a short time from now. It is entitled, 
``Cybersecurity: Assessing the Nation's Ability to Address the 
Growing Cyber Threat.''
    During today's hearing, the subcommittee is scheduled to 
receive testimony from the administration, industry and 
civilian cyber threat experts, all of whom will likely state 
that cyber-related intrusions pose one of the greatest threats 
to our national security.
    The intent is to obtain detailed information from various 
sources and from various perspectives as to what the current 
threat actually entails so the committee can later delve more 
deeply into how effective the Nation has been in confronting 
the immediate cyber threat as well as building defenses which 
safeguard us from what appears to be a daunting future 
cybersecurity environment.
    Given the unusual nature of the cyber threat, it cannot be 
addressed solely by using the traditional national security 
apparatus. In short, the Federal Government is currently 
incapable of securing the Nation against cyber threats on its 
own and must embrace the broad, transparent involvement of non-
government entities.
    Like other countries, approximately 85 percent of the 
Nation's critical infrastructure is owned by the private 
sector--many of which are small businesses. Because the Nation 
relies so heavily on private industry to protect this 
infrastructure, trusted partnerships between the government and 
the private sector must also be a priority.
    In the words of the President, ``Cybersecurity is a 
challenge that we as a government or as a country are not 
adequately prepared to counter.'' In addition, in a recent 
interview, Howard Schmidt, the U.S. Cybersecurity Coordinator, 
emphasized the critical nature of public-private partnerships 
as it relates to cybersecurity.
    Unfortunately, Mr. Schmidt refused to testify today. I 
truly do find this unfortunate because I believe he should be 
here in this important discussion. I am deeply concerned that 
Mr. Schmidt, as the executive branch's Cybersecurity 
Coordinator, charged with the responsibility for 
``orchestrating the many important cybersecurity activities 
across the government,'' believes that his management of this 
critical issue is exempt from congressional oversight. That is 
certainly inconsistent with what I have heard the 
administration and this President say about the openness and 
transparency of the administration.
    In his absence, the administration sent to us an expert 
from the Department of Homeland Security. There was quite a 
debate whether the administration would allow him to sit on the 
same panel as the industry experts sitting in front of us 
today. I am glad the issue was resolved, in a matter of a few 
hours ago and we will now be able to receive testimony from 
both the public and private perspective together on one panel. 
In the future, I hope this is not so difficult.
    That said, I must stress my sincere disappointment in the 
number of days wasted debating the need to hear testimony from 
government and private witnesses alike at the same time on the 
same panel in a manner that allows Members to most effectively 
oversee this critical public/private partnership.
    I believe it is critical that while we focus on the cyber 
threat, we also keep in mind the need to develop well 
coordinated, strategic cybersecurity partnerships with the 
private sector in order to confront the threat. The 
administration has made repeated public statements about the 
importance of this partnership. Even the White House-directed 
cyberspace policy review concluded that the United States 
cannot succeed in securing cyberspace if it works in isolation 
and should enhance its partnerships with the private sector.
    Cybersecurity experts agree that given the likely national 
security impact of cyber attacks on the economy, our critical 
infrastructure such as transportation, energy and 
communications, both private and public sectors must work 
together closely and in a very transparent way. This would also 
appear to be in line with the President's stated commitment to 
``create an unprecedented level of openness in government'' and 
``to establish a system of transparency, public participation 
and collaboration.''
    The ever changing face of the cyber threat means that the 
authorities and capabilities needed to confront the threat will 
likely need to be changed or updated on a regular basis. This 
is the reason why Congress must be as attentive to the threat 
as any other part of the government. I do not believe anybody 
knowledgeable of cyber security would deny that cyber threat is 
a major national security issue for the United States.
    The National Security Strategy published in May 2010 
highlights that cyber security threats represent one of the 
most serious national security, public safety and economic 
challenges we face as a Nation. Therefore, a national dialog in 
securing the Nation's digital infrastructure must happen now 
and continue indefinitely.
    It is my sincere hope that this dialog can include many 
segments of society and can be done in a nonpartisan way. It is 
my hope that we as a Nation bring to bear against this threat 
all expertise that resides within the country. Strangely, we 
are faced with the critical national security threat to which 
the expertise needed to confront it does not necessarily reside 
solely in the Federal Government but also in the private 
sector.
    A recent research project conducted by McAfee and the 
Center for Strategic and International Studies looked at the 
threats to power grids, oil, gas and water across 14 countries. 
It concluded that there had been dramatic increases in cyber 
attacks against critical infrastructure with as much as 80 
percent of the companies experiencing ``large scale attacks.''
    According to the project report, nearly 30 percent of the 
companies believed they were unprepared for the attack and more 
than 40 percent expected a major cyber attack within the next 
12 months. Also, according to an Office of Management and 
Budget report, the number of reported cyber incidents affecting 
U.S. Federal agencies shot up 39 percent in 2010, approximately 
41,776 reported attacks, up from roughly 30,000 the year 
before.
    I am positive the witnesses will elaborate on the threat 
and I look forward to hearing from the panel.
    [The prepared statement of Hon. Jason Chaffetz follows:]

    [GRAPHIC] [TIFF OMITTED] T0676.001
    
    [GRAPHIC] [TIFF OMITTED] T0676.002
    
    [GRAPHIC] [TIFF OMITTED] T0676.003
    
    Mr. Chaffetz. I will now recognize the distinguished 
ranking member, the gentleman from Massachusetts, Mr. Tierney, 
for his opening statement.
    Mr. Tierney. Thank you, Chairman Chaffetz, for convening 
this hearing today. Thank you to our witnesses for agreeing to 
testify.
    I particularly want to thank the administration's witnesses 
here today, Sean McGurk, the Director of the Control Systems 
Security Program at the Department of Homeland Security's 
National Cyber Security Division. Mr. McGurk has agreed to 
testify before the subcommittee on very short notice and during 
a week in which the Department of Homeland Security will 
testify at five different cybersecurity hearings, including a 
similar hearing held this morning.
    Next week, the full committee is going to hold another 
hearing on cybersecurity featuring four different senior-level 
administration witnesses to discuss the administration's 
comprehensive legislative proposal to improve cybersecurity 
with a focus on our Nation's critical infrastructure and the 
Federal Government's own networks and computers.
    The proposal was drafted in response to numerous 
legislative proposals introduced in the last Congress and 
specific requests from congressional leadership. That White 
House legislation won't be the focus of today's hearing, but is 
still a much needed starting point for very important 
conversation.
    As someone who doesn't purport to be a techie at all, I can 
tell you I have a great deal of concern about the exposure we 
have in this area, particularly having served a number of years 
on the Intelligence Committee and where that conversation goes 
should cause some sleepless nights for a lot of people.
    As computer technology has advanced, Federal agencies and 
our Nation's critical infrastructure, such as power 
distribution, water supply, telecommunications and emergency 
services, have all become increasingly dependent on 
computerized information systems to carry out their operations 
and to process, maintain and report essential information.
    Public and private organizations increasingly rely on 
computer systems to transfer money and sensitive and 
proprietary information, conduct operations and deliver 
services. The interconnected nature of these systems creates 
risks for our national security, economic security and public 
safety.
    Just last month, in Massachusetts, a virus called 
``W32.QAKBOT'' was discovered on computers at the Executive 
Office of Labor and Workforce Development. As a result, the 
Labor Department said as many as 210,000 unemployed workers may 
have had data compromised, including their names, social 
security numbers, employer identification numbers, addresses 
and email addresses.
    Although the virus was originally discovered back in April, 
it wasn't until last week that the Labor Department realized 
the virus had survived its early eradication efforts and 
resulted in a data breach. That specific example happened at a 
State government agency, but highlights the potential threat to 
Americans across the country if our Federal computer networks 
are not adequately protected.
    As many commentators have documented, cyber attacks on our 
Federal IT systems are on the rise. The chairman just went 
through the numbers on that. It is becoming increasingly clear 
that current efforts to counteract the attacks are woefully 
insufficient.
    The connectivity between information systems, the Internet 
and other infrastructures also creates opportunities for 
attackers to disrupt telecommunications, electrical power and 
other critical services. Some industry sectors are so vital to 
the Nation that their incapacity or destruction would have a 
debilitating impact on national security, national economic 
security or public health and safety.
    Federal law enforcement and intelligence agencies have 
identified multiple sources of threats to our information 
systems and our critical infrastructure. These threats include 
foreign nations engaged in espionage and information warfare, 
criminals, hackers, disgruntled employees and contractors. In 
one recent example, it has been alleged that the Chinese 
Government spread a virus that attacked Google and at least 80 
other U.S. companies.
    Not all threats to Federal cybersecurity are external. In 
June 2010, Wikileaks released thousands of classified 
Department of State and Department of Defense documents. 
Immediately following the release of those documents, the 
Secretary of Defense commissioned two internal Department of 
Defense studies to evaluate any weaknesses in their systems.
    The studies found that the Department's policies for 
dealing with an internal security threat were inadequate and 
that the Department had limited capability to detect and 
monitor anomalous behavior on its classified computer networks.
    These examples simply underline the need for a 
comprehensive legislative approach that will protect our 
national security and the health and safety of the American 
people. We have an obligation to ensure that the government's 
IT systems are secure and that any critical infrastructure is 
protected from the threat of a cyber attack. The failure to 
properly secure these networks could have dire consequences.
    I look forward to this hearing and learning more about the 
threat landscape and the challenges we face in addressing this 
growing problem.
    Again, I thank our witnesses and the chairman for bringing 
this hearing.
    Mr. Chaffetz. Thank you.
    Members will have 7 days to submit opening statements for 
the record.
    We will now recognize the panel.
    Mr. Sean McGurk is the Director of National Cybersecurity & 
Communications Integration Center at the U.S. Department of 
Homeland Security. Mr. Phillip Bond is the president of 
TechAmerica. Mr. James A. Lewis is the director, Technology and 
Public Policy Program at the Center for Strategic and 
International Studies. Mr. Dean Turner is the director, Global 
Intelligence Network Security Response at Symantec.
    Again gentlemen, we appreciate your being here. I would 
like to recognize each of you for 5 minutes for an opening 
statement. If you will try to keep it to 5 minutes, any 
additional information you want to provide we will submit to 
the record.
    Pursuant to committee rule, all witnesses must be sworn 
before they testify. Please rise and raise your right hands.
    [Witnesses sworn.]
    Mr. Chaffetz. Let the record reflect that all witnesses 
answered in the affirmative.
    We will now recognize Mr. McGurk for 5 minutes.

 STATEMENTS OF SEAN MCGURK, DIRECTOR, NATIONAL CYBERSECURITY & 
COMMUNICATIONS INTEGRATION CENTER, U.S. DEPARTMENT OF HOMELAND 
SECURITY; PHILLIP BOND, PRESIDENT, TECHAMERICA; JAMES A. LEWIS, 
  DIRECTOR, TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR 
STRATEGIC AND INTERNATIONAL STUDIES; AND DEAN TURNER, DIRECTOR, 
          GLOBAL INTELLIGENCE NETWORK, SYMANTEC CORP.

                    STATEMENT OF SEAN MCGURK

    Mr. McGurk. Thank you, Chairman Chaffetz, Ranking Member 
Tierney and distinguished members of the committee. My name is 
Sean McGurk. I am the Director for the National Cybersecurity & 
Communications Integration Center [NCCIC]. Thank you for 
inviting me today to discuss this important issue along with 
this distinguished panel of experts on cyber threats and the 
impact on critical infrastructure.
    As both the chairman and ranking member have already 
identified, sensitive information is routinely stolen from both 
government and private sector networks. Last year, we saw an 
increase in the threat as a result of not what was being taken 
from networks but what was being left behind in the result of 
what was known as Stuxnet.
    Successful cyber attacks could potentially result in 
physical damage and loss of life. There are many challenges in 
the current landscape, strong and rapidly expanding 
capabilities, lack of comprehensive threat and vulnerability 
awareness and our information infrastructure is dependent upon 
its continual availability for our way of life.
    The cyber environment is not homogenous under a single 
department or agency or the private sector. We recognize that 
cybersecurity is a team sport. Government does not have all the 
answers, so we must work closely with the private sector to 
provide solutions. There is no one size fits all and there is 
no magical line to protect the cyber domain. It is about 
information sharing and it is about sharing knowledge 
collectively. Knowledge is only power when it is shared. We 
must leverage our expertise and our access to information along 
with industry's specific needs, capabilities and timelines.
    Each partner has a significant role to play and a unique 
capability in this environment. In my 34 years of experience, 
with over 28 years serving in the U.S. Navy, you learn that 
everyone has an ability to contribute. The mission in cyber is 
manyfold and our goals are clear.
    In the law enforcement environment, they work closely with 
the other agencies to identify and prosecute cyber intrusions. 
The intelligence and military community work to attribute, to 
defend and to pursue those individuals. DHS, along with the 
private sector, including the financial services sector, the 
energy sector, communications and others, work to prepare, 
prevent, respond, recover and restore. Coordinating the 
national response to domestic emergencies is more of a matter 
of what and how and not necessarily of who and why until much 
later.
    To that end, I would like to emphasize that my 
responsibilities from an operational standpoint are focused on 
preventing and resolving attacks, not attributing the source of 
those threats.
    I would be willing to take any questions in the future 
regarding the cyber threats and the cyber capabilities of other 
countries with the committee under an appropriately classified 
setting with the available interagency representatives.
    NCCIC or the National Cybersecurity & Communications 
Integration Center, works closely with government and all 
levels of the private sector to coordinate the integrated and 
unified response to cyber communications incidents. Sponsoring 
security clearances for the private sector enables us to have 
our industry partners on the watch floor in a classified 
environment looking at actionable intelligence and providing 
information to asset owners and operators in near real time.
    The DHS components have all been integrated into the NCCIC 
along with representatives from other agencies such as the 
National Security Agency, U.S. Cyber Command, the FBI, the U.S. 
Secret Service, and representatives from the intelligence 
community at large. In addition, we have private sector 
representatives sitting on the watch floor from the 
communications sector, the IT sector, the financial services 
sector and the energy sector. Additionally, we have 
representatives from State, local, tribal and territorial 
governments represented by the Multistate Information Sharing 
and Analysis Center.
    In conclusion, within our current legal authorities, we 
continue to engage, collaborate and provide analysis of 
vulnerability and mitigation assistance to the private sector. 
We have experience and expertise in dealing with the private 
sector in planning steady state and crisis scenarios. We have 
deployed numerous incident response teams and assessment teams 
that enable us to prevent, respond, recover and restore from 
cyber incidents.
    Finally, we work closely with the private sector and our 
interagency partners in law enforcement and in the intelligence 
community to provide the full complement and capabilities of 
the Federal Government for the private sector in response to a 
cyber incident.
    Chairman Chaffetz, Ranking Member Tierney and distinguished 
members of the panel, let me conclude by reiterating that I 
look forward to exploring opportunities to advance this mission 
in collaboration with the subcommittee and my colleagues in the 
public and private sector.
    Also, if the committee has any questions regarding the 
administration's legislative proposal, I will be happy to defer 
those issues to the policy representatives testifying before 
the full committee next week.
    Thank you again for this opportunity to testify and I would 
be happy to answer any of your questions.
    [The prepared statement of Mr. McGurk follows:]

    [GRAPHIC] [TIFF OMITTED] T0676.004
    
    [GRAPHIC] [TIFF OMITTED] T0676.005
    
    [GRAPHIC] [TIFF OMITTED] T0676.006
    
    [GRAPHIC] [TIFF OMITTED] T0676.007
    
    [GRAPHIC] [TIFF OMITTED] T0676.008
    
    [GRAPHIC] [TIFF OMITTED] T0676.009
    
    [GRAPHIC] [TIFF OMITTED] T0676.010
    
    [GRAPHIC] [TIFF OMITTED] T0676.011
    
    [GRAPHIC] [TIFF OMITTED] T0676.012
    
    [GRAPHIC] [TIFF OMITTED] T0676.013
    
    [GRAPHIC] [TIFF OMITTED] T0676.014
    
    Mr. Chaffetz. Thank you.
    Mr. Bond, you are now recognized for 5 minutes.

                   STATEMENT OF PHILLIP BOND

    Mr. Bond. Thank you, Mr. Chairman, Ranking Member Tierney, 
members of the committee. I am honored to be here on behalf of 
TechAmerica, the largest industry trade association in the 
United States with some 1,000 member companies. I will offer 
just a few thoughts on the challenge in cyber and the policy 
response we need.
    First, I would observe that cyber criminals respond 
rapidly; they are creative. In 2010, McAfee Labs identified 
more than 20 million new pieces of malware globally. A 2011 
online fraud report from RSA, the security division of EMC, 
found that the U.S. has consistently hosted and been the target 
of a majority of the worldwide cyber attacks.
    Economic impact is serious. It is about $6 million a day 
when a corporation's site is down, on average, and worldwide, the 
economy loses some $86 billion a year due to cyber attacks. 
Protecting our networks is, as the Chair has observed, a 
public/private shared responsibility. Neither one of us can do 
it alone.
    The private sector's responsibility is to innovate and 
operate its own infrastructure in a safe way. The government 
has an obligation to share timely and accurate information so 
that the private sector can secure itself and turn around and 
help to secure the government.
    I will defer to our witness from Symantec on a little bit 
more technical descriptions of some of the threats. I would 
just underscore this. The range of threat actors--especially 
right now--including advanced, persistent threats, APTs--you 
will hear more about that--are going directly after the end 
user.
    They attempt to trick them into downloading malware or 
divulging sensitive information. Again, it is the actual user 
being targeted, not the mechanical system, the software or 
whatever. It is going after human error. As criminals probe for 
a soft spot in a system, they are also probing now the 
individuals who connect to that network.
    With the increased reliance on all IT devices now, we see 
the great shift to mobile devices and that too will be an 
opportunity for cyber criminals. Applications many times are 
downloaded by users and not always being properly vetted.
    We would submit that the policymakers and the industry as 
well and the government need to view security as an absolute 
basic, not to be added on after but to be built-in from the 
ground up. I would observe many companies are doing exactly 
that. We need everybody to do that.
    I want to spend a couple of my remaining minutes on some 
thoughts for you to consider as you draft legislation, but let 
me break here to underscore something that needs to be said. 
Technology and innovation are a huge net positive for the U.S. 
economy and for government, for government service as well. 
They are our key to national security, the war fighter has an 
advantage, the key to homeland security, the key to economic 
security, high paying jobs, where we need to be as an economy, 
but with those advantages there also have been some down sides. 
That is what we are attempting to talk about today.
    Please consider, first, in policy, Congress should do no 
harm. Do not undermine innovation; it is our advantage. One 
size fits all will not work. Second, government should promote 
an outcome-based, layered security approach. Government should 
develop processes to manage and measure performance associated 
with real security. Third, government should adopt a risk-based 
approach to our Nation's infrastructure. That means critical 
infrastructure should be defined to include only that which is 
of the utmost importance to national security and then truly 
work to secure it.
    Fourth, we believe government can provide incentives to 
encourage industry to invest in best practices in security, for 
example, safe harbor, from data breach notification, when an 
organization does what it should in advance of a breach 
incident.
    Fifth, Congress should update our government's Federal 
information security practices and laws to perform in a more 
nimble environment, so we strongly support updating FISMA. I 
know the committee knows about that.
    Finally, if industry is to act at the behest of government, 
it is necessary that there be clear liability protections, so 
if you do what you should do or at the government's behest, you 
should also be protected from unintended consequences or 
liabilities.
    Again, on behalf of the industry, thank you for holding 
this hearing. We look forward to doing all that we can to be a 
part of the public/private partnership to find a solution and 
maintain our national advantage in innovation.
    Mr. Chaffetz. Thank you.
    Mr. Lewis, you are recognized for 5 minutes.

                  STATEMENT OF JAMES A. LEWIS

    Mr. Lewis. Thank you, Mr. Chairman. I thank the committee 
for the opportunity to testify. I am really impressed with the 
energy that the committee is bringing to this issue. It is 
something we need.
    We depend, as a Nation, on the Internet, but it is not 
secure and this gives criminals and foreign opponents real 
opportunity to damage the United States. Cyber threats fall 
into two categories: high end attacks that cause damage, 
destruction or casualties and threats from cyber crime and 
cyber espionage.
    Five countries, including Russia and China, can launch high 
end cyber attacks. Another 30 countries are developing these 
capabilities. States use skilled proxies, cyber criminals and 
hackers to help them. Cyber attacks could destroy critical 
infrastructure or disrupt essential networks and services. At 
the moment, however, no nation is likely to attack the United 
States because they fear retaliation.
    Terrorists do not yet have cyber attack capabilities, nor 
do dangerous nations like Iran and North Korea. However, they 
are eagerly pursuing these cyber capabilities. We do not know 
how close they are to acquiring them, but the moment they 
acquire them, we can expect to see damaging cyber attacks.
    The immediate threat to the national interest comes from 
crime and espionage. The Internet, with all its weaknesses, 
created a golden age for espionage and the United States has 
been the chief victim. We have lost military technology, 
intellectual property for high tech companies, oil exploration 
data and confidential business information. Banks suffer 
million dollar losses almost every month.
    None of this attracts much attention and some companies 
prefer to conceal their losses and in some cases, companies may 
not even know they have been hit. Our estimates of the damages, 
as you heard, are in the billions of dollars. Weak cyber 
security damages our economic competitiveness and technological 
leadership.
    What can we do about this? There is certainly a new energy 
in Washington about approaching this problem, which is great. 
First, we need to accept that we need a new approach that puts 
cyber security as a major, national security problem. The most 
dangerous threats in cyberspace come from foreign militaries 
and foreign intelligence agencies.
    Second, this new approach needs to combine trade policy, 
law enforcement, military strategy and critical infrastructure 
protection. For critical infrastructure, this means that DHS 
must be able to mandate risk-based performance standards. 
Public/private partnerships are an important part of this. It 
would help, however, to differentiate where the private sector 
is strongest in things like information sharing and innovation 
and where government action is needed.
    The immediate question is whether we can improve our 
defenses before there is a damaging attack. Most of the experts 
I know believe this is not possible, that America will only act 
after a crisis. I believe that the work of this committee and 
others can help us avoid that fate and let us do what is 
necessary to improve public safety and national security in 
cyber space.
    Thank you for the opportunity to testify and I look forward 
to your questions.
    [The prepared statement of Mr. Lewis follows:]

    [GRAPHIC] [TIFF OMITTED] T0676.015 through T0676.021
    
    Mr. Chaffetz. Thank you.
    Mr. Turner, you are recognized for 5 minutes.

                    STATEMENT OF DEAN TURNER

    Mr. Turner. Chairman Chaffetz, Ranking Member Tierney and 
members of the subcommittee, thank you for the opportunity to 
testify today as the committee considers cybersecurity and the 
current threat level to the United States.
    Mr. Chairman, on behalf of the nearly 500 Symantec 
employees based in your district in Linden, we certainly 
appreciate your focus on cybersecurity issues.
    My name is Dean Turner. I am director of Symantec's Global 
Intelligence Network.
    Symantec is the world's information security leader with 
over 25 years experience in developing Internet security 
technology. Our best-in-class Global Intelligence Network 
allows us to capture worldwide security intelligence data. We 
maintain 11 security response centers globally and utilize over 
240,000 attack sensors in more than 200 countries to track 
malicious activity 24 hours a day, 365 days a year. In short, 
if there is a class of threat on the Internet, Symantec knows 
about it.
    In my written testimony, I have provided the committee with 
greater detail on the evolving threat landscape, as well as an 
assessment of some of the real world impacts of cyber attacks 
on businesses and individuals. I also touch on major challenges 
and the vulnerabilities associated with securing new 
technologies and how organizations can better secure their 
important and critical systems.
    In our April 2011 Symantec Internet Security Threat Report, 
we observed several key threat landscape trends for the 
calendar year 2010. The year was book-ended by two significant 
targeted attacks, including Hydraq, otherwise known as Aurora, 
and Stuxnet. Stuxnet was a game changer, exemplifying just how 
sophisticated and targeted threats are becoming. It 
demonstrated the vulnerability of critical national 
infrastructure to attack and Stuxnet was the first publicly 
known threat to target industrial control systems.
    Social networks continue to be a security concern for 
organizations as government agencies and companies struggle to 
find a satisfactory compromise between leveraging the advantage 
of social networking and limiting the dangers posed by the 
increased exposure of potentially sensitive and exploitable 
information.
    Leveraging information from social networking sites as part 
of a social engineering campaign is one of the simplest and 
most effective ways an attacker can lure their target to a 
malicious Web site. For example, an attacker can use 
information gathered from a social networking site to create a 
target email that then lures a victim to a Web site that hosts 
malicious code. If the victim visits the Web site, a Trojan, 
for example a key logger or a backdoor, can be installed and 
that begins exfiltrating sensitive information back to the 
attacker.
    In 2010, attack tool kits continued to see widespread use. 
A typical tool kit today is built to allow the cyber criminal 
to monetize infected machines in every way possible. For 
example, keystroke loggers are a simple way to capture any 
password a user types in. Other Trojans can also steal email 
addresses found on the machine as well as add additional 
malware.
    Attack tool kits and their ability to update over the Web 
greatly increase the speed with which new vulnerabilities are 
packaged, exploited and spread. One of the most significant 
attack kits known at the moment is the Zeus Trojan and is a 
favorite of cyber criminals due to its ease of use and low 
cost, about $400 in the underground economy. It takes little to 
no technical knowledge to launch this type of attack and it can 
be extremely profitable for cyber criminals.
    With the proliferation of smart phones and mobile devices, 
users are increasingly downloading third party applications 
which is creating an opportunity for the installation of 
malicious applications. In 2010, there was a 42 percent 
increase in the number of reported new mobile operating system 
vulnerabilities and most mobile malicious code is now designed 
to generate revenue. Therefore, there is likely going to be 
more threats created for these devices as people increasingly 
use them for sensitive transactions such as on-line shopping 
and banking.
    We have learned many lessons from today's threat landscape 
and while the sophistication level of attacks is increasing as 
is the potential and real damage caused by such attacks, we 
need to turn these lessons into action. In addition to the 
recommendations contained in my written testimony, the 
following steps must be taken in order to better protect 
critical systems from cyber attack.
    First, develop and enforce IT policies and automate 
compliance processes. Second, authenticate identities by 
leveraging solutions that allow business to ensure only 
authorized personnel have access to those systems. Third, 
secure end points, messaging and Web environments. In addition, 
defending critical internal servers and implementing the 
ability to backup and recover data need to be top priorities.
    Members of the committee, cybersecurity faces a constantly 
evolving threat and there is no single solution to prevent 
attacks. Attackers are getting smarter and more resourceful 
every day. Because of that, any solution must include the 
private sector's expertise and innovation. We must continue to 
be vigilant in protecting our economy, our national security 
and our way of life.
    Symantec applauds Congress for focusing much needed 
attention on cybersecurity and we look forward to continuing 
this important dialog. I will be happy to answer any questions 
you might have.
    [The prepared statement of Mr. Turner follows:]

    [GRAPHIC] [TIFF OMITTED] T0676.022 through T0676.032
    
    Mr. Chaffetz. Thank you.
    We will now start the questioning. I am going to recognize 
myself for 5 minutes--maybe even a little bit longer than that.
    I appreciate all the expertise and routinely what we hear 
is the threat, the threat, the threat, it is happening and we 
are quantifying something at $86 billion and perhaps beyond. I 
do think there are probably a number of companies that would be 
embarrassed to allow it out there that there was some sort of 
security breach.
    We are constantly told that it is consumers and shoppers, 
that it is safe and secure to type in our critical information, 
our personal information just because it has that little lock 
on there. What should the average person in Topeka, Kansas be 
thinking about when they go type in, how do you really tell if 
it is secure or not and can you ever? Do you want to take a 
stab at that, Mr. Bond.
    Mr. Bond. I will take a first stab at it, Mr. Chairman. I 
think I would urge consumers to do what a national education 
campaign has urged which is stop, think and connect. Many of 
these newly designed threats that come in and pose as something 
they are not, trying to get you to either give information or 
simply click on a bogus connection which very often can be 
understood, gleaned or perceived as a threat by simply stopping 
and thinking through, wait a minute, is this really coming from 
the company or an entity that it purports to be.
    This links to issues about short address names and other 
things that are part of the challenge right now, but I do think 
that a public education campaign that tells people to stop and 
think before they connect can have measurable impact. That is a 
beginning point.
    Mr. Chaffetz. Certainly the success of Twitter and Facebook 
and particular networks has become immense globally. Mr. Lewis, 
what sort of threat or danger to young people, old people, 
people who participate on those types of social networks 
exists? How secure, if at all, is the information that is 
provided?
    Mr. Bond. The intent with information is to be public, so 
it is easily collected. We know there have been many problems 
in the past. One of them, my favorite in some ways, is the fact 
that people will often use their pet's name or birthplace as 
their password and then they will list it on the Web site, so 
we have seen many, many incidences where guessing the password 
on these sites isn't that difficult.
    We are a treasure trove for cyber criminals because you can 
harvest all kinds of data that will give you hints on 
passwords, employment, where your bank is, so they have become 
kind of unmanageable problems. There is little the companies 
can do about that. I don't want to blame Twitter or Facebook or 
any of them. People choose to put their information up there 
and they haven't thought enough, as you heard from Phil, about 
what the implications are. If you are going to have a Facebook 
account, don't use your dog's name as the password.
    Mr. Chaffetz. Mr. McGurk, I would like to learn a bit more 
about the differences or perhaps the similarities between cyber 
attacks from domestic and international sources. Are there 
distinguishable differences or motives between the domestic and 
the international actors?
    Mr. McGurk. In the Department, as I mentioned earlier 
during my testimony, we are focused more on the risk mitigation 
strategy, so when we look in the national infrastructure 
protection plan, at the definition of risk, we identified as 
threat, vulnerability and consequence. The Department takes an 
all hazards approach.
    The challenge there is identifying where the threat actors 
are originating. That is a part of it but from our standpoint, 
from the mitigation standpoint, in protecting the networks, 
restoring services and recovery, the actual source is not as 
important as the vulnerability and the consequence of those 
vulnerabilities. That is really where the Department focuses 
most of its attention and how to provide actionable 
intelligence to the asset owners and operators to prevent 
further escalation of the consequences of the breach.
    Mr. Chaffetz. How far and wide are you doing that? You are 
doing that, I would assume, with the national interest, the 
Federal assets that we have. What about the private sector? How 
involved do you get with them? There is obviously Microsoft, 
Google and Yahoo in the world, but there are also your medium 
level guys. How interactive are you, can you possibly be where 
there will be virtually every single entity you could possibly 
think of?
    Mr. McGurk. One of the areas we focus on in NCCIC is our 
assist and assess mission where we actually send incident 
response teams and assessment teams out into the field. We have 
gone to companies of only seven employees that were 
experiencing cyber intrusion to Fortune 10 companies, working 
with them to not only identify what the risk is but to mitigate 
that risk in their cyber environments.
    On average, a week does not go by where I do not have a 
team in the field working with the private sector to address 
those cyber vulnerabilities and to mitigate those risks.
    Mr. Chaffetz. What percentage of the companies can you 
possibly get to?
    Mr. McGurk. Again, to date, we have been able to conduct 75 
risk assessments over this past year. We have not had the 
opportunity or the requirement to turn anyone away. It is 
completely voluntary. Part of the challenge is when a risk, 
threat or intrusion is identified to the Department, we will 
respond in kind with a team of cybersecurity experts to assist 
in restoring services. Again, that is a matter of the request 
coming from industry.
    Mr. Chaffetz. Yes, Mr. Bond?
    Mr. Bond. I want to observe here that this is where the 
power of the network can be tremendously valuable. DHS does not 
need to physically go out and talk to every company. We do need 
timely, actionable sharing of information so that the network, 
led by great vendors like Symantec and others, and then 
proliferate and spread that word to address whatever the 
vulnerability is at the earliest possible stage as soon as we 
know about the threat.
    You will uncover, through the committee's efforts and 
hearings, that there are information sharing challenges between 
the government and private sector, between the private sector 
and the private sector.
    Mr. Chaffetz. Thank you. My time has expired. I will now 
recognize Mr. Tierney for 5 minutes or whatever he would like.
    Mr. Tierney. I am trying to work out something in my mind 
that Mr. Bond got me thinking about as he was talking, about 
who is responsible for what, liability protections, incentives 
and all of that.
    I understand with respect to our national security concerns 
and homeland protection, being a part of that, that the 
government systems, we have the responsibility, we have to take 
care of it and move on from that, but in terms of the private 
sector, when you are not doing business with the government, 
why isn't that on you? Why isn't it on you to make sure that 
your systems are protected?
    I see Mr. McGurk has teams running all over the place doing 
what I would have thought was your job, making sure you are 
safe, making sure nobody can get into your system, making sure 
consumer information is protected. If you don't do a good job 
of that, I suspect people aren't going to buy your product or 
utilize your services. I don't know why we have to give you 
incentives and I don't know why you wouldn't be held liable if 
you make a mess of it.
    Mr. Bond. It is an important observation because we believe 
market forces are primary to shaping good behavior and we see 
that time and again. However, let me try to give you an 
example.
    If a small community is targeted, say the bank in that 
community is targeted because they want to get personal 
information or financial information because there may be a lot 
of DOD workers in that community, the Federal Government says, 
gee, that small community bank has somehow been breached and we 
need you to go off line for a minute to help figure this out 
and because it is a serious threat.
    Mr. Tierney. Let me back up. The government didn't supply 
that system to that bank?
    Mr. Bond. No.
    Mr. Tierney. If it is breached, let's say there aren't any 
government workers in that area?
    Mr. Bond. That is not the point of liability. For their 
inability to provide a secure system, there are going to be 
questions about a community bank in the future, but while they 
are down because of a government request or demand and Farmer 
McDonald doesn't get his loan or loses the farm, is the bank 
liable because they went down at the government request?
    Mr. Tierney. Forget the bank, the bank didn't put the 
system in, they bought it from somebody and paid for the 
service of installing it. If it goes down, whether it goes down 
because somebody breached it, the government suggests they go 
down or whatever, it is still their fault and their problem. 
Why wouldn't all the responsibility and obligation lie with 
them, not lie with the government in protecting national 
security? We don't assess the government every time they come 
in and protect us, but the people who go out and sell to a bank 
in a community, that they are going to give them a system that 
is safe and secure, why doesn't the buck stop there?
    Mr. Bond. I am trying to make a distinction that I think is 
legitimate. When the government says, based on what we know, 
you should do this or we require you to do this and you do 
that, any liability that stems from that step should be 
protected because you are doing something in accord with policy 
or government request.
    Mr. Tierney. You wouldn't do it on your own is what you are 
saying, look and see what happened, figure you have to put in 
those safeguards of your own volition?
    Mr. Bond. You would and I am failing to communicate.
    Mr. Tierney. No, you are not. I am just failing to accept 
your premise. It is not that you are failing to communicate. 
For whatever reason you have to do something, it seems a 
customer would want you to do and expect you to do, I don't 
understand the shifting of responsibility and obligation.
    Mr. Bond. If it is an action taken at government 
requirement or policy, I don't think it is the government's 
intent to make a company liable for obeying the law.
    Mr. Tierney. Let us take your example, which I thought was 
the most favorable position you could take for yourself. A lot 
of people work in the government, Department of Defense or 
something, living in a particular neighborhood doing business 
with a credit union or a bank and the system someone in private 
industry installed was secure, goes down and there is a breach, 
you are telling me if the government tells you to shut it down, 
or the government tells you how to bring it up safely, you 
wouldn't come across that on your own and if you didn't come 
across that, the government had to take action, therefore you 
shouldn't be responsible for anything that results from you 
taking those steps.
    One of two things can happen. You are going to try to 
resolve it yourself or somebody is going to have to suggest to 
protect the consumers and the community that it is going to be 
done, then you say if I do it the way they say do it, because I 
wouldn't do it on my own, then I am going to be shielded the 
responsibility or liability. Is that your position?
    Mr. Bond. No, but I appreciate your framing it for me. What 
I am trying to underscore is that when there is a policy or 
something in place that has a requirement to it that there not 
be liability attached to it being the requirement. I could 
think of a lot of different examples but if you are adhering to 
the rules and best practices, and something about that policy 
causes harm as a response, that is something you are obeying 
policy on and you should not be liable.
    Mr. Tierney. How do we ever get best policies to keep 
getting better if you never have an incentive to do it because 
you are covered--the threshold thing that is in place at a 
given time?
    Mr. Bond. I could reverse it and say why would you ever 
obey the government rule if you are also not protected when 
obeying that rule?
    Mr. Tierney. Maybe we don't have a government rule. Maybe 
we just leave you out there to the market, so when you go down 
and that community goes down or whatever, then you are on your 
own. Would that be something you want, no consumer protections, 
no government regulations, would that make you happier?
    Mr. Bond. I am taking your earlier point that market forces 
really do matter, but I am trying to make the point that if we 
pass rules and companies obey those rules, that should not 
usher in some liability because you obeyed the rule.
    Mr. Tierney. I am not trying to be contentious with you, I 
am trying to get to the bottom. I think it is an interesting 
question to ask, but there be no government regulations in this 
area. Mr. Bond, go ahead.
    Mr. Bond. I am not advocating that. I think there are 
already some regulations in place, certainly around the 
government systems and how they interact with private sector 
systems, contractors and others.
    Mr. Tierney. Other than that, should there be any 
government regulations on your provision of systems to private 
entities at all or should it just be totally unregulated?
    Mr. Bond. I think that is a good question we should look 
at, what is the use of standards, what is the use of industry 
best practices and other things that government and the private 
sector are coming up with together and that any regulatory 
steps should be taken very carefully with all the expertise of 
the different players in the room.
    I am not here to draw any kind of line in the sand, I am 
here to say that you need technical experts like Mr. Turner and 
others in the room to understand what the implications are in 
an interconnected world.
    Mr. Turner. Just to add to that, I think it is important 
when we are discussing liability, we acknowledge the fact that 
it is incredibly difficult to pin where that liability sits. 
There is no such thing as a 100 percent secure, foolproof 
piece of software. It doesn't exist out there, I am sorry to 
say. Vulnerabilities are a fact of life.
    Mr. Tierney. But there was never a 100 percent secure train 
either, but at some point liability went to the locomotive 
company because technology had advanced to the point where they 
were the ones to be held responsible for anything.
    Mr. Turner. I understand but when you are asking to assess 
liability on a particular focal point, whether that be the 
Federal Government, the private sector or the vendor, we have 
to deal with something called the law of unintended 
consequences. It is virtually impossible for us, as an industry 
or anybody, to be able to test with 100 percent certainty how 
that particular product, software or service is going to be 
used in that situation.
    Mr. Tierney. A product liability system has never gone on 
100 percent certainty, who is responsible and then people make 
a decision about what is reasonable. I was trying to figure out 
whether it is reasonable to leave it all to the industry to set 
the standards and suffer whatever consequences or obligations 
there might be or is there some advocacy here that the 
government should, on behalf of the consumer, whoever that 
might be, a business or an individual, set some standards for 
compliance and I haven't figured out whether you are for or 
against yet.
    Mr. Turner. I suspect you will find that the answer lies 
somewhere in the middle, that it is again the public/private 
partnership.
    Mr. Lewis. Can I add something, Mr. Chairman, because it is 
an interesting line of questioning. There is a point we might 
want to put out in the open and I think if you would use your 
experience and the experience of other committee members with 
the intelligence community, you would be able to confirm this, 
but there is no such thing as a secure, unclassified system. I 
have been told by senior intelligence officials that they have 
never seen an unclassified system that has not been penetrated. 
We are dealing with a problem where anyone can get in. The 
solution to that is not a technological solution.
    Yes, over time, our technologies will get better and that 
will squeeze out the low end threat, so the high school kid who 
used to be able to break in in a couple of hours now he might 
have to spend a little more time. I think that is why a lot of 
us are in favor of a comprehensive approach. You need to have 
law enforcement cooperation with other countries. You need to 
have strong military forces to deter potential opponents. You 
need to work with the service providers to get them to help 
consumers and you do need some kind of what we are calling now 
risk-based standards run through the government that would 
impose some requirements on at least critical infrastructure 
companies.
    If we can get a package together, we can deal with the 
problem, but no single part will solve this very damaging 
situation.
    Mr. Tierney. I guess what I am taking from that is you 
don't feel you can do your optimum job without the assistance 
of the government in some respect, is that fair to say? You are 
all talking about partnerships. I am guessing what the industry 
is saying is we can't do this right without government 
assistance at some level.
    Mr. Bond. I think I would say that we absolutely need and 
welcome government involvement around the critical 
infrastructure and as they do that, we want to make sure 
experts are in the room because these are very complicated and 
interconnected issues. That is simply it.
    Mr. Chaffetz. Mr. McGurk, as we talk about the threat, 
where do you see the biggest threats outside of the domestic 
United States? What are the biggest threats? Where do you see 
them coming from?
    Mr. McGurk. Again, focusing on the total consequence and 
vulnerability aspect, the threat actors range in sophistication 
and capability from nation state-sponsored through criminal 
activity down to a hacktivist, entirely into what we call the 
script kiddie environment.
    Mr. Chaffetz. How many nations are attacking this country 
on the cybersecurity front, how many nation actors?
    Mr. McGurk. The challenge with that was the point made 
earlier by some of the members of attribution. It is very 
difficult to positively attribute known activity. Even if I 
were to say an IP address or the source address originated in a 
particular country or a particular area, that may not be the 
actual actor, so the attribution piece is very difficult.
    Mr. Chaffetz. I recognize that it is difficult, but you 
have some number that you have assessed, at least I hope you 
do. What is that number, how many countries?
    Mr. McGurk. I would actually defer that to the intelligence 
community representatives in another forum. I wouldn't be able 
to comment on that here today.
    Mr. Chaffetz. What is the consequence for somebody who is 
attacking us on the cybersecurity front? Is there anything we 
can do or have done? Is there any instance where we have 
actually said, Country X, you have been doing this and this is 
the consequence? Is there any consequence to that?
    Mr. McGurk. To my knowledge, I am not familiar with any 
official demarche that has ever been issued or ever been 
delivered to a particular nation state associated with 
malicious cyber activity.
    Mr. Chaffetz. How often are we getting attacked from nation 
states--daily, hourly?
    Mr. McGurk. There are hourly cyber attacks. Whether they 
originate and are state-sponsored or if they just originate 
from IP addresses that are being spoofed as far as the 
location, if they are criminal activity or if they are 
independent activists that are operating under the protection 
of a nation state.
    Mr. Chaffetz. Let us pretend we have a nation state that 
says yes, what is the consequence? What do we do?
    Mr. McGurk. Not necessarily dealing in hypotheticals, but 
looking at the consequence analysis that the Department 
conducts associated with cyber physical systems, one of the 
demonstrations we conducted in 2007 was known as the Aurora 
Experiment where we demonstrated the capability of taking 
digital protective circuits and physically destroying large 
pieces of rotating equipment. This type of equipment takes 
years to repair or replace.
    Mr. Chaffetz. That is cool, I like hearing that. What else 
can we do?
    Mr. McGurk. Subsequently, we recognize we have to apply a 
defense in-depth strategy.
    Mr. Chaffetz. I hope we are doing that.
    Mr. McGurk. Yes, sir. In many of these cases, these legacy-
based systems are 10, 20 or 30 years old, so subsequently we 
can't bolt on a new application so we either need to enclave 
these pieces of equipment in a secure environment or mitigate 
the risk associated with operating those systems in a connected 
world.
    The comment was made earlier about separating networks and 
never finding a secure network. In our experience, in 
conducting hundreds of vulnerability assessments in the private 
sector, in no case have we ever found the operations network, 
the SCADA system or energy management system separated from the 
Enterprise network. On average, we see 11 direct connections 
between those networks and in some extreme cases, we have 
identified up to 250 connections between the actual producing 
network and the enterprise environment. That is one of the 
challenges we have, as I mentioned earlier, in actually 
securing these networks and understanding the consequences 
associated with the vulnerabilities and not just the threat 
actors.
    Mr. Chaffetz. That doesn't give us much confidence, but it 
is reality. That is what we are after here.
    If I went down the row here, what do you all see as the 
single most significant weakness in the system right now? I 
will start with you, Mr. Bond, and then we will loop around and 
get to you, Mr. McGurk.
    Mr. Bond. I would probably identify better information 
sharing coming between the government and the private sector. I 
don't think we are sometimes free to discuss the threats we see 
so that we can respond quickly.
    Mr. Chaffetz. Mr. Lewis.
    Mr. Lewis. I would go back to your point about 
consequences. If nobody is ever punished for doing something 
bad or even chastised, they are just going to do more of it, so 
I think our failure to have any consequence for any sort of 
cyber action is really damaging.
    Mr. Chaffetz. Mr. Turner.
    Mr. Turner. I would have a tendency to agree with Mr. Bond 
that information sharing is the key component, but I would also 
add and rank just as highly that we need to start moving away 
from the mindset in which we currently find ourselves which is 
detection and remediation. This is the cycle we are in, we 
detect and remediate, detect and remediate. We are always 
behind the curve. We need to get a little more predictive and a 
little more proactive in terms of reaching out which sort of 
dovetails into Mr. Lewis' comment about the consequences for 
actions.
    Mr. Chaffetz. Mr. McGurk.
    Mr. McGurk. Thank you for the opportunity to go last because I 
would say all of the above.
    Mr. Chaffetz. I agree with you.
    Mr. McGurk. If I may add on the information sharing piece, 
arguably we have been sharing information for years between the 
government and the private sector. We need to focus on 
collaboratively developing knowledge so that we can provide 
actionable intelligence to mitigate the risk.
    The great example of that was in November of last year, 
there was a particularly malicious piece of code known as the 
``Here You Have'' virus. It was actually identified through the 
intelligence community as being a known malicious piece of 
software and within hours, the Department was able to identify 
that particular piece of code and provide actionable 
intelligence to the community through a series of 
declassification measures using the private sector's expertise 
to provide information to the private sector so they could take 
the necessary steps to mitigate the risk.
    That is the step we need to do to actually have an effect 
on cyber risk at that speed and not just simply put together 
another information sharing body.
    Mr. Chaffetz. I want to go quickly here to the cloud. There 
is a lot of movement within the industry to encourage people to 
store their information on the cloud which creates questions 
about security and do I trust some major provider more than I 
trust my own local server, do I think it is more safe than my 
individual computer.
    What are the vulnerabilities there? Should we feel more 
secure, more safe with cloud and movement to the cloud or less? 
Let us start with Mr. Lewis this time.
    Mr. Lewis. You caught me off guard, Mr. Chairman. Right 
now, I would say there is probably a slight advantage to having 
your stuff in the cloud because some of the companies, some of 
the service providers can devote more attention, particularly 
for small and medium size enterprises. They may actually 
benefit from having a big company--a Google or a Microsoft or 
an IBM--manage their data. There are other drawbacks to it.
    For large enterprises, I am not sure they benefit and a lot 
depends on how well the cloud service providers actually do. On 
the whole, small companies are better off. Big companies may be 
a wash.
    Mr. Chaffetz. Mr. Turner.
    Mr. Turner. I agree with Mr. Lewis in a sense. I do think, 
however, enterprises do benefit because a lot of what we are 
seeing in the move to the cloud is driven by total cost of 
ownership and reduction of costs, and so forth. From a security 
perspective, it is going to be contextual because you are going 
to have to ask yourself those very important questions about 
with whom do I trust my data. That is going to come down to 
reputation and past behavior.
    It is not meant to be a pitch but that is certainly the 
case in the questions that have to be asked. If they don't, 
there will be a lot of people, as we move to the cloud, that will 
be able to make these services available whether they be 
onshore in the United States or offshore and these other 
places. What is the track record going to be? We have to make a 
very clear and very careful assessment of the information we 
are willing to share because not all information could be 
protected.
    Mr. Chaffetz. Let me shift here a little, if I could. Mr. 
McGurk, let us talk about data bases. The Federal Government 
has over 2,000 data bases. On one hand, you can say maybe that 
diversified portfolio provides a degree of safety and security, 
so the Bureau of Indian Affairs is separate from the Department 
of Justice. I can understand the security component at the 
Department of Justice is probably a little bit higher than the 
Bureau of Indian Affairs.
    What are the weak links associated with that? Do we want to 
consolidate those and have five really good data warehouses or 
data bases or is this diversified portfolio advisable? I worry 
that so many agencies are trying to create so many things, we 
are duplicating efforts and consequently, they are all probably 
not nearly as secure as we want them to be. What is your 
perception of that?
    Mr. McGurk. I believe it is actually a capabilities versus 
a requirements discussion. When you talk about the dispersed 
nature of the data base as in the infrastructure, it goes to 
the cloud discussion we were just having.
    One of the benefits of that secure environment is that you 
can have a disparate approach to data storage so that not all 
the keys to the kingdom are in one location. That provides an 
obscurity model for data in motion and data at rest. By being 
able to do that, we can better allow for a distributed approach 
for data security.
    That being said, one of the initiatives the Department has 
been executing for quite some time now is a trusted Internet 
connection program. That was part of the Comprehensive National 
Cybersecurity Initiative. Instead of trying to instrument or 
monitor each of the separate departments and agencies, we 
roll that up to an aggregation point so that we can understand 
flow and control the information access points at an aggregated 
standpoint and still allow for the diversity of the independent 
departments and agencies.
    Mr. Bond. Just quickly, I want to make sure to offer to 
brief the committee and its members. Our TechAmerica Foundation 
actually has 73 companies and academics involved in commission 
right now to advise the government on the cloud and the 
leadership opportunity for the US and the cloud. One of the 
questions they are going to be addressing is the security 
profile of the cloud. There are leading thinkers who would 
challenge Jim's assertion and maybe even say the cloud would be 
more secure for all enterprises.
    Mr. Chaffetz. Mr. Tierney.
    Mr. Tierney. Mr. Bond, in your testimony you emphasized the 
public/private relationship, particularly with respect to 
education and information sharing. Do you think education and 
information sharing are sufficient to protect the critical 
infrastructure from cyber attacks? Do you think that is where 
we should leave it?
    Mr. Bond. No, I think we presume there are going to be 
special rules, regulations and requirements around the critical 
infrastructure. We think education jointly identifying where 
the government should invest R&D dollars in cybersecurity, all 
will be a part of that ultimate solution. We certainly advocate 
for clear distinction of what the critical infrastructure, a 
good definition of it and special requirements for it.
    Mr. Tierney. In that vein--and I ask this of all of you--
the present CEO of the North American Electrical Reliability 
Corp., a fellow named Gerry Cauley, that you are all probably 
familiar with, testified before the Armed Services Committee on 
this topic. He said he didn't think there was clarity of 
responsibility. He thinks collaboration and consultation have 
been good but should be based on an ad hoc relationship with 
clear lines of responsibility and authority. Are you all pretty 
much in agreement with that or do you disagree?
    Mr. Lewis. In some ways, the electrical grid is the most 
attractive target we have for some of our opponents. It is not 
secure, so if the statement he made was that we have been 
relying on an ad hoc process, I think that is right and there 
is a lot of room for improvement.
    Mr. Tierney. Do you know why there isn't a clear line of 
responsibility? What is the impediment to deciding who will be 
in charge of this overall, overriding plan we have?
    Mr. Turner. I think part of the issue too is the 
responsibility in sharing the data itself. What data can you 
share? There are a whole host of impediments and barriers to 
sharing what is arguably confidential information in some 
areas. That is part of the issue I think gets in the way of 
trying to formalize relationships and put them in a 
hierarchical order to say this is who is doing this and this is 
who is doing that. I think that has primarily been holding back 
even the larger information sharing relationship that goes on 
between the public and private sector, not limited to that 
particular sector itself.
    Mr. Tierney. Can I assume that some countries share this 
problem and some countries don't depending on the nature of the 
government in a given country?
    Mr. Turner. I am not so sure it actually comes down to a 
country by country level, to be perfectly honest with you. I 
think it is the nature of the issue itself that you are talking 
about the sharing of that information. This is merely to 
illustrate a problem with the information sharing network that 
sometimes when information goes from the private sector to the 
public sector, it is a one way street. Part of the whole 
education thing is we have to come to agreement on how we share 
that information to ensure that there is valuable information 
that can come back the other way as well.
    Mr. Lewis. On that note, I talked with one of the larger 
European countries. They have set up something like our Cyber 
Command. They were telling me what they had done with their 
electrical grid and requiring their grid operators to be more 
secure. I said, that is amazing, how did you guys get away with 
that? We could never do that. They said, when they privatized, 
they made sure to keep two board seats.
    Where you are seeing a difference emerge is in the 
countries that still have a small number of service providers, 
where the government has a more directive role, they are 
pulling ahead a little bit. Right now, I would say we are all 
sort of in equally bad shape and one of the trends to watch is 
whether that changes in a way that disadvantages us.
    Mr. Tierney. Let me ask one last question of each of you. 
What do each of you as individuals think the government role 
ought to be in protecting the infrastructure for private 
companies? Mr. McGurk.
    Mr. McGurk. I believe the current role we are executing as 
a coordinator and integrator to provide understanding and 
awareness across the 18 critical infrastructures is a key role 
and a service that we provide. As many of my distinguished 
panel members have said, information may come from one sector 
and may be germane to another but there is no direct connection 
to share that information.
    By aggregating that at the Department, we are able to take 
alerts, warnings or indications coming from the electric 
sector, anonymize that information or identify the 
vulnerability and provide that to the water sector, the 
chemical sector or the petroleum sectors. That is a service and 
capability we provide because we do have broad exposure into 
each of those 18 critical infrastructures.
    Mr. Tierney. Mr. Bond.
    Mr. Bond. Certainly I would underscore the notion that 
there needs to be a key role in defining the critical 
infrastructure and having special requirements for that. The 
farther out you move on the network and the closer to consumer 
applications and so forth, I think we need this roundtable of 
real experts to understand what it means in a networked world 
because they are all connected and difficult to determine 
regulatory schemes.
    Mr. Tierney. Mr. Lewis.
    Mr. Lewis. Three things--some kind of flexible, standard-
based approach that I would think DHS and the other regulatory 
agencies would oversee for critical infrastructure; better 
information sharing as you have heard; and finally, steps that 
would make the international environment more secure, steps 
that would deter criminals and other potential hackers.
    Mr. Tierney. Mr. Turner.
    Mr. Turner. I would agree with everything that has been 
said on the panel. Going last, it is easier to do that.
    I would add in addition to facilitating information sharing 
and making it easier, keeping an eye toward that liability. We 
have to keep in mind that most of the attacks that we see 
today, the attacks themselves are international in nature, so 
we are not just dealing with threat actors or threat 
intelligence that comes from the Five Eyes or the United States 
alone.
    We are also dealing with issues that come from other 
jurisdictions, other western jurisdictions where the sharing of 
that information is considered, to put it bluntly, very 
difficult to do and can put you in a lot of hot water. Those 
issues have to be addressed if we are going to get down to the 
role where we talk about how do we make it easier for 
governments to protect the private sector especially when we 
are talking about critical infrastructure. Those are some of 
the hurdles we have to address. If we don't address them at the 
higher level, sharing the information formally at a lower level 
is difficult. It happens informally now.
    I wouldn't want to leave the panel with the impression that 
we do not share information because that is certainly not the 
case. I personally have worked with all the levels of the U.S. 
Government on sharing information about current threats to 
critical infrastructure but it is in an unofficial capacity 
because there doesn't exist an official capacity in which we 
can do that.
    Mr. Tierney. Thank you.
    Thank you, Mr. Chairman.
    Mr. Chaffetz. I want to thank all the panel members for 
their participation today and your expertise. If there are 
additional comments or information you would like to share with 
us, I would appreciate it.
    Mr. McGurk, if you would commit to this committee to help 
us conduct that confidential briefing, a classified briefing, I 
should say, we would certainly appreciate that. Is that 
something you could commit to?
    Mr. McGurk. Yes, Mr. Chairman, it would be my pleasure to 
help facilitate that.
    Mr. Chaffetz. That would be great.
    Thank you again for your expertise. This is a fast moving 
industry, it changes every moment and we appreciate your 
participation. Thank you again for your expertise and your 
comments.
    The committee now stands adjourned.
    [Whereupon, at 4:15 p.m., the subcommittee was adjourned.]