[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]




 
 CYBERSECURITY: ASSESSING THE NATION'S ABILITY TO ADDRESS THE GROWING 
                              CYBER THREAT

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              JULY 7, 2011

                               __________

                           Serial No. 112-73

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform



                  U.S. GOVERNMENT PRINTING OFFICE
71-615                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
DAN BURTON, Indiana                  ELIJAH E. CUMMINGS, Maryland, 
JOHN L. MICA, Florida                    Ranking Minority Member
TODD RUSSELL PLATTS, Pennsylvania    EDOLPHUS TOWNS, New York
MICHAEL R. TURNER, Ohio              CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 DENNIS J. KUCINICH, Ohio
CONNIE MACK, Florida                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
ANN MARIE BUERKLE, New York          GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               MIKE QUIGLEY, Illinois
RAUL R. LABRADOR, Idaho              DANNY K. DAVIS, Illinois
PATRICK MEEHAN, Pennsylvania         BRUCE L. BRALEY, Iowa
SCOTT DesJARLAIS, Tennessee          PETER WELCH, Vermont
JOE WALSH, Illinois                  JOHN A. YARMUTH, Kentucky
TREY GOWDY, South Carolina           CHRISTOPHER S. MURPHY, Connecticut
DENNIS A. ROSS, Florida              JACKIE SPEIER, California
FRANK C. GUINTA, New Hampshire
BLAKE FARENTHOLD, Texas
MIKE KELLY, Pennsylvania

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                     Robert Borden, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 7, 2011.....................................     1
Statement of:
    Schafer, Greg, Acting Deputy Under Secretary, National 
      Protection and Programs Directorate, U.S. Department of 
      Homeland Security; James A. Baker, Associate Deputy 
      Attorney General, U.S. Department of Justice; Robert J. 
      Butler, Deputy Assistant Secretary for Cyber Policy, U.S. 
      Department of Defense; and Ari Schwartz, Senior Internet 
      Policy Advisor, National Institute of Standards and 
      Technology, U.S. Department of Commerce....................    11
        Baker, James A...........................................    20
        Butler, Robert J.........................................    21
        Schafer, Greg............................................    11
        Schwartz, Ari............................................    22
Letters, statements, etc., submitted for the record by:
    Connolly, Hon. Gerald E., a Representative in Congress from 
      the State of Virginia, prepared statement of...............    40
    Cummings, Hon. Elijah E., a Representative in Congress from 
      the State of Maryland......................................     6
    Schafer, Greg, Acting Deputy Under Secretary, National 
      Protection and Programs Directorate, U.S. Department of 
      Homeland Security, prepared statement of...................    14


 CYBERSECURITY: ASSESSING THE NATION'S ABILITY TO ADDRESS THE GROWING 
                              CYBER THREAT

                              ----------                              


                         THURSDAY, JULY 7, 2011

                          House of Representatives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 9:33 a.m. in room 
2154, Rayburn House Office Building, Hon. Darrell E. Issa 
(chairman of the committee) presiding.
    Present: Representatives Issa, Burton, Platts, Jordan, 
Chaffetz, Amash, Buerkle, Gosar, Labrador, Meehan, DesJarlais, 
Gowdy, Farenthold, Kelly, Cummings, Norton, Kucinich, Tierney, 
Connolly, Quigley, and Langevin.
    Staff present: Ali Ahmad, deputy press secretary; Thomas A. 
Alexander, senior counsel; Michael R. Bebeau, assistant clerk; 
Robert Borden, general counsel; Lawrence J. Brady, staff 
director; Adam P. Fromm, director of Member services and 
committee operations; Linda Good, chief clerk; Christopher 
Hixon, deputy chief counsel, oversight; Mitchell S. Kominsky, 
counsel; Jim Lewis, senior policy advisor; Laura L. Rush, 
deputy chief clerk; Sang H. Yi, professional staff member; 
Jennifer Hoffman, minority press secretary; Carla Hultberg, 
minority chief clerk; Amy Miller, minority professional staff 
member; Dave Rapallo, minority senior counsel; and Carlos 
Uriarte, minority counsel.
    Chairman Issa. The committee will come to order.
    The Oversight Committee exists to secure two fundamental 
principles: first, Americans have a right to know that the 
money Washington takes from them is well spent; and second, 
Americans deserve an efficient, effective government that works 
for them.
    Our duty on the Oversight and Government Reform Committee 
is to protect these rights. Our solemn responsibility is to 
hold government accountable to taxpayers because taxpayers have 
a right to know what they get from their government. We will 
work tirelessly in partnership with citizen watchdogs to 
deliver the facts to the American people and bring genuine 
reform to the Federal bureaucracy.
    Today's hearing is the first in what will likely be a long 
series of committee hearings related to the nature, extent and 
threat to America's digital infrastructure. On May 25th, the 
Subcommittee on National Security and Homeland Defense and 
Foreign Operations held a hearing on the issue that focused on 
the importance of strategic public-private partnership to 
effectively combat the threat we face.
    The important work that our colleague Mr. Chaffetz began 
will continue both at the subcommittee and the full committee. 
His groundwork and this committee's continued focus on what 
spans all of government, all of the private sector and, as we 
know every day, more of all of the world, is critical.
    Today, we have representatives from each of the major areas 
of government that are often not seen together but are critical 
to implementing a plan which includes initiative by the 
President, a task force by the Republicans, a similar effort by 
Democrats and this committee, on a bipartisan basis, to ensure 
that both the House and the Senate act on the President's 
proposal in a timely fashion and recognize that the 
vulnerabilities, both public and private, which are well known, 
are, in fact, growing every day.
    Our vulnerability is not just because of enemies well know, 
but can often be because of enemies unknown, enemies who simply 
have a grudge against society. It is today possible to be a 
great warrior with nothing but your slippers and your bedroom 
and the desire to bring down some aspect of public or private 
infrastructure related to the Internet.
    A recent Office of Management and Budget report revealed 
that the number of cyber incidents affecting U.S. Federal 
agencies shot up 39 percent in 2010. The committee has even 
heard reports that potential U.S. losses of intellectual 
property last year could exceed $240 billion. Unfortunately, 
there is no reliable data and it is unlikely that this 
committee can see that that type of data is produced. It is 
clear we will continue to have losses. Some of those losses are 
unavoidable. If you leave your door open, you can lose the 
contents of your house.
    Today, we are going hear about efforts to make sure that at 
least in the public sector, in cooperation with private 
enterprise, we are attempting to provide the locks and the 
master key system to ensure that you have the ability to close 
that door if you do all that can be done.
    Cyber security is not simply for the large reports. Often 
the people hacked the most are small companies, companies who 
are not particularly targeted but ultimately might have great 
losses. One of the areas of concern in the President's proposal 
is in fact the vast reporting requirements. We want to ensure 
that information is a two-way street and that this not simply 
be about a way to empower the trial lawyers to ensure that 
someone who doesn't report in a timely fashion, particularly a 
smaller company that may be somewhat unaware as to the loss, 
doesn't find themselves simply being victimized by a lawsuit 
having been victimized by a hacker.
    It is important to note that cyber threats are forever 
changing and that cyber attacks are always adapting to get 
around our defenses. This committee is ideally suited to 
evaluate the Federal Government's strategy and ability to 
counter these threats by both defensive and most importantly 
potentially, offensive innovations.
    Recently, the Secretary of Defense, Robert Gates, stated 
that cyber attacks were an act of war. War is not a defensive 
only measure. War is something that, at times, needs to have a 
counterattack. Practically every committee of Congress can 
claim jurisdiction over cybersecurity because of the uniquely 
expansive nature of the threat, the strength of our Nation's 
commerce, utilities, transportation, banking, 
telecommunications and national defense all depend on nimble 
response and aggressive cybersecurity infrastructure.
    We claim no special jurisdiction here today, just the 
opposite. The Committee on Government Reform claims to be a 
conduit for all committees. We will be joined by one or more 
individuals from other committees and this committee will 
welcome other individuals to be allowed to sit on the dais and 
to participate in future hearings because we view our committee 
as a conduit for all committees, recognizing that any proposal, 
although it may well originate from this committee or pass 
through this committee, will also likely pass through virtually 
every committee of the Congress.
    In closing, not since the end of World War II has America 
seen a threat so great looming for so long. As we led up to 
World War II, we had plenty of warning that the Fascists were a 
threat. We watched them arm, we saw them attack others, and we 
did little to prepare. Today, we have bolstered many defenses, 
but let us understand there is a difference between World War 
II and today.
    We as a Nation, have already been attacked during my 
opening statement thousands of times. Attacks go on every day. 
Because one doesn't appear to be as large as Pearl Harbor 
doesn't change the fact that sooner or later, America will have 
to respond in a more aggressive fashion to some and be better 
prepared defensively for others.
    With that, I would recognize the ranking member for his 
opening statement.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    I thank you very much for holding this hearing today.
    In testimony before the House Intelligence Committee 
earlier this year, then CIA Director Leon Panetta called 
cybersecurity the battleground for the future. Our Nation's 
critical infrastructure, including power distribution, water 
supply, telecommunications and emergency services, has become 
increasingly dependent on computerized information systems to 
manage their operations and to process, maintain and report 
essential information.
    Our government's national defense and critical information 
systems are also becoming increasingly reliant on information 
technology systems and Web-based transactions and services. 
Successful attacks on these systems threaten our troops, impair 
vital Federal programs and jeopardize the privacy of citizens 
whose personal information is maintained in government computer 
systems.
    Mr. Chairman, I have served on the Naval Academy Board of 
Visitors of the last 10 years and we have recently made it a 
priority to change our curriculum so that every midshipman and 
woman is required now to take defensive courses with regard to 
cybersecurity.
    In the last Congress, Members of the House and Senate 
introduced at least 50 cybersecurity related bills to address 
these issues. Given that urgency and the complexity of these 
challenges, congressional leadership called on the 
administration to help develop comprehensive cybersecurity 
legislation.
    On May 12th, the Obama administration issued a legislative 
proposal that would significantly strengthen our ability to 
guard against cyber attacks. I applaud the President for his 
leadership on this issue and for creating a strong legislative 
framework to help Congress complete this important work.
    For example, the administration's proposal would make key 
changes to the Federal Information Security Management Act 
including shifting to continuous monitoring and streamlined 
reporting for all Federal systems. I supported similar 
legislation last year and the committee successfully reported 
bipartisan legislation that would have achieved these goals. I 
am glad to see the administration's proposal has incorporated 
many of the improvements included in that legislation.
    There are several provisions in the administration's 
proposal that I would like to see strengthened. First, I hope 
we will consider the creation of a Senate confirmable official 
with authority to set administration-wide cybersecurity policy. 
It is important that the official responsible for implementing 
FISMA have the authority to task all civilian departments and 
agencies with implementation of the Federal security standards.
    The administration's proposal also creates a framework to 
ensure that the Federal Government and private industry are 
working together to protect our critical infrastructure. 
Private industry owns approximately 85 percent of the Nation's 
critical infrastructure and the administration's proposal 
allows critical infrastructure operators to develop their own 
frameworks for addressing cyber threats.
    However, while there is room for healthy debate, even 
industry agrees that some level of government oversight is 
necessary to protect the American public from the potentially 
devastating consequences of a cyber attack.
    At a recent hearing before the National Security 
Subcommittee, Tech America President, Phil Bond, testified that 
education and information sharing alone are inadequate to 
protect critical infrastructure and that the government rules, 
regulations and requirements are necessary to secure the 
Nation's critical infrastructure.
    Other parts of the administration's proposal attempt to 
help consumers and companies by creating uniform reporting 
standards to address cyber attacks that result in breaches of 
personally identifiable consumer information. However, the 
proposal also would allow any entity to share with DHS 
personally identifiable information that otherwise could not be 
shared under existing law.
    I agree that we should encourage information sharing 
between industry and government, but we also have to be careful 
that personally identifiable information is appropriately 
protected and shared with the government only when necessary.
    Finally, I agree that law enforcement should have every 
tool necessary to go after hackers. I am concerned that the 
imposition of mandatory minimum sentencing unduly interferes 
with judges' discretion to set appropriate penalties. I hope 
that future drafts of the legislation will not include this 
specific provision.
    I would like to thank Chairman Issa for agreeing to include 
our distinguished colleague, Congressman Jim Langevin, in our 
hearing today. Jim has been a leader on cybersecurity for many, 
many years. As he has recently highlighted, the issue of 
cybersecurity is not a partisan one and I am glad that the 
chairman agrees with that, but is an issue on which Democrats 
and Republicans should be able to work together to come up with 
common sense solutions to help protect the American people.
    Mr. Chairman, I look forward to working with you and the 
staff in a bipartisan way to update FISMA and pass 
comprehensive cybersecurity legislation in this Congress and I 
would ask unanimous consent that Mr. Langevin be a part of this 
hearing today.
    [The prepared statement of Hon. Elijah E. Cummings 
follows:]

[GRAPHIC] [TIFF OMITTED] T1615.001

[GRAPHIC] [TIFF OMITTED] T1615.002

    Chairman Issa. I would join with you in that unanimous 
consent. I have served with Mr. Langevin on the Select 
Intelligence Committee and he has always been bipartisan.
    Hearing no objection, so ordered.
    Chairman Issa. I would now recognize the chairman of the 
Subcommittee on National Security, Mr. Chaffetz, for his 
opening statement.
    Mr. Chaffetz. Thank you, Mr. Chairman, and thanks for your 
leadership on this issue. It is certainly one of the most 
important topics.
    The growing cyber threat is one of the greatest national 
security challenges facing the United States of America. It 
affects nearly every facet of the private and public sector and 
reaches deep into our personal lives.
    On May 25, 2011, the Subcommittee on National Security, 
Homeland Defense and Foreign Operations conducted a hearing to 
examine the threat. Government officials testified alongside 
their private sector counterparts about the challenges that we 
face. Each gave us sobering overview of the threat and each 
communicated that the threat is real, is extremely dangerous 
and is persistent.
    While digital connectivity has made life more convenient, 
it has exposed new vulnerabilities. Our personal computers are 
at risk, as well as cell phones, financial institutions, water 
and power infrastructure, State, local and Federal Government 
institutions. Bad actors continually scour the Web for our most 
sensitive information, social security numbers, credit card 
information, bank accounts, proprietary business information, 
defense and intelligence secrets, plans and intentions for our 
political and business leaders. They gain this information 
through advanced, persistent threats, social engineering and 
spear fishing.
    Some hacks are carried out by individual actors and small-
time crooks and other breaches are coordinated efforts by 
foreign governments. The most devastating attacks such as the 
Wiki leaks incident come from within. Each has the ability to 
inflict significant and irreparable harm.
    Statistics indicate that corporations lose roughly $6 
million per day when sites are down because of cyber attacks. 
The global economy loses approximately $86 billion per year. 
There is every indication that these costs will continue to 
increase. The President and members of the administration have 
publicly stated that the Federal Government is ill prepared to 
mitigate the threat.
    The Department of Homeland Security testified ``We cannot 
be certain that our information infrastructure will remain 
accessible and reliable during a time of crisis.'' Phillip 
Bond, the President of Tech America, testified ``Cyber crime 
represents today's most prolific threat.'' It is no secret that 
the Federal Government's IT infrastructure has significant 
weaknesses. Across the executive branch, systems are outdated 
and technology is behind. Legal and regulatory frameworks are 
equally behind. The authorities, roles and responsibilities of 
Federal, State, local and private entities are unclear and 
insufficient to meet the threat.
    The administration has submitted a proposal to remedy these 
shortfalls and this is a good first step. However, it will 
continue to need examination by this committee. It will also 
need extensive input from the private sector which owns roughly 
85 percent of the digital infrastructure. The solutions must be 
effective, efficient and allow all parties to be as nimble as 
the enemy.
    I am confident the solutions put forth by this Congress, 
the administration and the private sector will yield exactly 
the results we need to protect our critical infrastructure. As 
a member of the House Cybersecurity Task Force and as the 
chairman of the National Security, Homeland Defense and Foreign 
Operations Subcommittee, I look forward to working toward an 
effective and efficient solution to the cyber threat.
    I look forward to hearing from the witnesses, appreciate 
their expertise and your willingness to be here today.
    I yield back, Mr. Chairman.
    Chairman Issa. I thank the gentleman.
    We now recognize the ranking member of the subcommittee for 
his opening statement.
    Mr. Tierney. Thank you, Mr. Chairman.
    I want to thank you, Mr. Chairman, as well as Mr. Chaffetz, 
for putting this matter on the agenda and for taking it as 
seriously as we have in a bipartisan fashion. We are all 
familiar with the various incidents that have happened, 
including earlier this month when CitiGroup revealed that 
hackers had stolen personal information from more than 200,000 
credit card holders. This was one of the larger direct attacks 
on a major bank ever reported, but it is not singular in its 
occurrence. Thieves obtained customer names, card numbers, 
addresses and email information. The unfortunate part is it 
took the company, as it does too many companies, over a month 
to notify all the customers of the breach, so that sheds some 
light on the need for stringent reporting requirements for 
breaches of personal information.
    It highlights the fact that banks and some other companies 
are focused on fraud and reducing fraud but they also have to 
be concerned about the prevention of data theft itself and the 
impact it can have on the consumer. In fact, the data theft 
arguably is of less cost to the entities than is the fact of 
consumer information getting out. The question is where the 
incentives really lie in terms of making people do what they 
need to do to meet the standards to prevent this from happening 
in the first place.
    I join others in applauding the administration for creating 
a national data breach regulation system that will ensure that 
consumers learn about the data breaches as soon as possible. I 
applaud their efforts to encourage companies to share data 
about cyber attacks and the Federal Government to improve 
defenses against these types of attacks.
    When we hear about all of the incidents that occur, I think 
it becomes clear that we need some standards. Of course the 
issue then becomes if everyone doesn't adhere to those 
standards, how well protected are those that actually do. That 
is where we get into at what point does it become too costly to 
adhere to the standards, and if some play and others don't, do 
we just leave everyone exposed. I think that is the critical 
thing I would ask our witnesses to hone in on today and help us 
with because it is going to take an effort from everyone, the 
companies, the government, and the consumers.
    We have to be careful when we start talking about 
immunization. I know there may be a place for it but I am 
concerned it is going to put the incentives in the wrong place 
and take away from some incentive to really focus on the need 
to go after stopping these data attacks from happening in the 
first place and from having people comply. I would like to hear 
a lot of discussion on that.
    I don't want to see us take the wrong approach and sort of 
immunize people, then get lax and think, I don't have to play, 
I don't want to spend that money, and I don't want to be 
responsible for it. I think we have to talk about people being 
accountable, particularly those that will profit from it, but 
we have to reasonable and understand that in some places there 
may be a need for incentives that draws in everyone because of 
the expense involved.
    I thank our witnesses for being here today, and the 
chairman for raising this issue.
    I would like to yield the balance of my time to the 
gentleman from Rhode Island, Mr. Langevin.
    Mr. Langevin. I would like to thank the gentleman for 
yielding. I would also like to thank Chairman Issa and Ranking 
Member Cummings for allowing me to sit in on today's hearing.
    Mr. Chairman, I deeply appreciate the time and attention 
you and this committee have paid to this issue. As a member of 
both the House Armed Services Committee and the House 
Intelligence Committee, as co-creator of the Bipartisan 
Cybersecurity Caucus, and as someone who has spent many years 
on this issue, I have a deep appreciation for the challenges we 
face in the field of cybersecurity. I echo the comments and 
concerns that you, Mr. Chairman, the ranking member and others 
have raised today.
    Earlier this year, I introduced legislation to strengthen 
the outdated Federal Information Security Management Act. This 
language was developed last year by my friend and former 
colleague, Representative Diane Watson, as well as this 
committee and that legislation was passed by this committee.
    Unfortunately, due to concerns over cost estimates, we were 
unable to pass these provisions as an amendment to the Fiscal 
Year 2012 Defense Authorization bill. However, I know that 
members of this committee are committed to working on this 
problem and I am heartened to see the administration coming 
forward in this area as well.
    With that, again I deeply appreciate the opportunity to 
join you today and look forward to the testimony of our 
witnesses.
    I yield back.
    Chairman Issa. I thank the gentleman.
    Members may have 7 days to submit opening statements and 
extraneous materials for the record.
    We now recognize our panel of witnesses. Mr. Greg Schaffer 
is the Acting Deputy Assistant Secretary of the National 
Protection and Programs Directorate of the U.S. Department of 
Homeland Security. Mr. James A. Baker is Associate Deputy 
Attorney General at the Department of Justice. Mr. Robert J. 
Butler is the Deputy Assistant Secretary for Cyber Policy at 
the U.S. Department of Defense. Mr. Ari Schwartz is the Senior 
Internet Policy Advisor at the National Institute of Standards 
and Technology at the Department of Commerce.
    Welcome to all of you.
    Pursuant to committee rules, would you please rise to take 
the oath. Please raise your right hands.
    [Witnesses sworn.]
    Chairman Issa. Let the record reflect that the witnesses 
answered in the affirmative.
    Some of you are returning heroes, so you know this drill. 
In order to allow enough time, your entire statements as 
presented will be placed in the record. We would ask you to 
summarize in any way you choose but keep it within 5 minutes. 
When you see the yellow light go on, it is not shameful to stop 
sooner than when the red comes on, but in all cases, please 
wrap up by the time the red comes on.
    With that, Mr. Schaffer.

  STATEMENTS OF GREG SCHAFER, ACTING DEPUTY UNDER SECRETARY, 
 NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT 
OF HOMELAND SECURITY; JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY 
 GENERAL, U.S. DEPARTMENT OF JUSTICE; ROBERT J. BUTLER, DEPUTY 
   ASSISTANT SECRETARY FOR CYBER POLICY, U.S. DEPARTMENT OF 
  DEFENSE; AND ARI SCHWARTZ, SENIOR INTERNET POLICY ADVISOR, 
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT 
                          OF COMMERCE

                   STATEMENT OF GREG SCHAFFER

    Mr. Schaffer. Thank you, Chairman Issa, Ranking Member 
Cummings and members of the committee. It is an honor to appear 
before you today.
    I know that the committee has already had a number of 
hearings and briefings on this topic, so I will briefly 
summarize the current state of affairs and the impetus for the 
legislative proposal that you have from the administration 
today.
    There is no security issue facing our Nation that is more 
pressing than cybersecurity. The vulnerability of our networks 
is an issue of national security, of homeland security and of 
economic security. The reality is that the United States is 
increasingly confronted by a dangerous cyber environment where 
threats are more targeted, are more sophisticated and more 
serious than they have ever been before.
    Our adversaries are stealing sensitive information and 
intellectual property from both government and private sector 
networks, comprising our competitive economic advantage and 
jeopardizing individual privacy.
    More disturbing, we also know that our adversaries are also 
capable of targeting elements of our critical infrastructure to 
disrupt, dismantle or destroy the systems upon which we depend 
every day. As the electric grid, major financial institutions 
and mass transportation and other critical infrastructure 
elements attach to the networks, they can become vulnerable to 
cyber attack.
    This is not conjecture, it is reality. Hackers probe 
critical infrastructure companies on a daily basis. The status 
quo is simply unacceptable and we believe a solution can be 
found if we work together. Today's threats require engagement 
of our entire society from government to the private sector to 
the individual citizen. For that reason, the administration has 
recently sent a legislative proposal to Congress that focuses 
on clarifying cybersecurity authorities and collaborating with 
the private sector.
    I will briefly talk about portions of the proposal and the 
rest of the panel will address some of the other portions.
    With respect to protecting the Federal Government, the 
proposal clarifies DHS' leadership role in civilian 
cybersecurity consistent with the last administration's CNCI, 
Comprehensive National Cybersecurity Initiative proposals. 
First, the proposal solidifies that the Department of Homeland 
Security's responsibility for leading and protecting Federal 
civilian networks and ensure that our authorities are 
commensurate with our responsibilities.
    DHS provides a number of services to departments and 
agencies today and sometimes the lack of clear legal authority 
slows us down in doing that and this proposal will clarify our 
legal authority. It will also modernize, as noted, the Federal 
Information Security Management Act [FISMA], to focus on 
continuous monitoring and operational risk reduction rather 
than a paper-based compliance reporting regime.
    We believe that the transfer of the FISMA oversight 
responsibilities from OMB to DHS, which started under an OMB 
memorandum last year, would just be solidified by the proposal 
and it would enhance by consolidating the policy development, 
oversight and operational expertise within one agency.
    Under personnel authority, the proposal would give DHS the 
ability to attract and retain cybersecurity professionals in an 
environment that is extraordinarily competitive by extending to 
DHS, DOD's current cybersecurity personnel authorities and 
create an exchange program for cybersecurity experts to move 
between government and the private sector.
    To protect critical infrastructure, we have a combination 
of voluntary and mandatory programs to focus on public/private 
partnerships. The administration proposal clarifies DHS' 
authority provide a range of voluntary assistance to a 
requesting private sector company, State or local government. 
It clarifies the type of assistance that DHS will be able to 
provide, including alerts, warnings, risk assessments, onsite 
technical support and incident response.
    Organizations that suffer attacks often ask the Federal 
Government to assist, but the lack of clear statutory authority 
and a framework sometimes slows down that process and we think 
this will accelerate it.
    From an information sharing perspective, we will remove the 
barriers to sharing cybersecurity between industry and 
government. It will allow industry partners to share with us 
that which they learn from their networks without having to go 
through a series of legal conversations in order to ensure 
themselves that they are allowed to share. That will eliminate 
delays sometimes of days, sometimes of weeks, before we can get 
data that can be leveraged to help the entire community.
    Under the mandatory provisions of the proposal, we would 
leverage our existing and consistent partnership with the 
private sector to develop a set of frameworks that would be 
used to reduce risk. We would work with the private sector to 
identify the risk, we would work with the private sector to 
identify the frameworks and then the private sector would 
develop plans to actually implement and reduce the risk within 
their organizations. It is a proposal that really works with 
industry and leverages industry's expertise more than thinking 
that the government has all the answers.
    We look forward to working with you. This is a proposal. It 
is not the end of the discussion but the beginning of the 
discussion. We look forward to working with the committee on a 
going forward basis.
    [The prepared statement of Mr. Schaffer follows:]

    [GRAPHIC] [TIFF OMITTED] T1615.003
    
    [GRAPHIC] [TIFF OMITTED] T1615.004
    
    [GRAPHIC] [TIFF OMITTED] T1615.005
    
    [GRAPHIC] [TIFF OMITTED] T1615.006
    
    [GRAPHIC] [TIFF OMITTED] T1615.007
    
    [GRAPHIC] [TIFF OMITTED] T1615.008
    
    Chairman Issa. Thank you.
    Mr. Baker.

                  STATEMENT OF JAMES A. BAKER

    Mr. Baker. Good morning, Mr. Chairman, Ranking Member 
Cummings and members of the committee. Thank you for the 
opportunity to testify on behalf of the Department of Justice 
today regarding the administration's cyber legislation 
proposal.
    Because of the short time I have this morning, rather than 
commenting further on the cyber threat, which as the committee 
is well aware, is very serious, I will focus my remarks on two 
portions of the administration's proposal intended to enhance 
our ability to protect the American people from cyber crime.
    First is data breach notification. Data breaches frequently 
involve the compromise of sensitive, personal information and 
expose consumers to identity theft and other crimes. Right now, 
there are 47 different State laws requiring companies to report 
data breaches in different situations and through different 
mechanisms.
    The administration's data breach proposal would replace 
those 47 State laws with a single national standard, applicable 
to all entities that meet the minimum threshold as set forth in 
the proposal. If enacted into law, this proposal would better 
ensure that companies notify customers promptly when sensitive, 
personally identifiable information is compromised and that 
they inform consumers about what they can do to protect 
themselves.
    The proposal would empower the Federal Trade Commission to 
enforce the reporting requirements. It would also establish 
rules about what must be reported to law enforcement agencies 
when there is a significant intrusion so that, for example, the 
FBI and the U.S. Secret Service can work quickly to identify 
the culprit and protect others from being victimized.
    The national standard would also make compliance easier for 
industry, we believe, which currently has the burden of 
operating under the patchwork of different State laws that I 
mentioned a moment ago.
    Second, the administration's proposal includes a handful of 
changes to criminal laws aimed at ensuring that computer crimes 
and cyber intrusions can be investigated and punished to the 
same extent as other similar criminal activity. Of particular 
note, the administration's proposal will make it clearly 
unlawful to damage or shut down a computer system that manages 
or controls a critical infrastructure and would establish 
minimum sentence requirements for such activities. This narrow 
focused proposal is intended to provide strong deterrence to 
this class of very serious, potentially life threatening 
crimes.
    Moreover, because cyber crime has become big business for 
organized crime groups, the administration's proposal would 
make it clear that the Racketeering Influenced and Corrupt 
Organizations Act applies to computer crimes. Also, the 
proposal would harmonize the sentences and penalties in the 
Computer Fraud and Abuse Act with other similar laws.
    For example, acts of wire fraud in the United States carry 
a maximum penalty of 20 years in prison but violations of the 
Computer Fraud and Abuse Act involving very similar behavior 
carry a maximum of only 5 years.
    Thank you, Mr. Chairman and members of the committee. I 
look forward to your questions on this important topic.
    Chairman Issa. Thank you.
    Mr. Butler.

                 STATEMENT OF ROBERT J. BUTLER

    Mr. Butler. Thank you, Mr. Chairman, Ranking Member 
Cummings and distinguished members of the committee. It truly 
is a pleasure to appear before you today.
    On behalf of the Department of Defense, we are aware, of 
course, and are working against the persistent threat. The DOD 
is reliant on a large portion of the Nation's critical 
infrastructure such as power generation, transportation, 
telecommunications and of course, the defense industrial base 
to defend the Nation and perform those missions assigned to and 
expected of DOD.
    The most important aspect of the Nation's critical 
infrastructure protection, from our standpoint, is the 
recognition that no one person or agency can protect the Nation 
from this advanced, persistent threat that we have been 
discussing. Rather, it will require a whole of government 
approach, necessitating many different Federal agencies, State 
governments and the private sector to work together. This 
legislation is an important step in that direction.
    It criminalizes the damage to critical infrastructure 
systems, breaks down barriers to information sharing so that 
stakeholders can communicate effectively. It engages the 
private sector as valuable stakeholders and strengthens the 
ability of the Department of Homeland Security to lead the 
executive branch in defending the Nation against the very real 
cyber threat.
    Importantly, this legislation accomplishes all of the above 
while respecting the values of freedom and ensuring the 
protection of privacy and civil liberties that we cherish in 
this country.
    The Department of Defense has an important role in this 
Nation's cybersecurity such as protecting our military networks 
and national security systems while providing support and 
technical assistance to the Department of Homeland Security in 
carrying out other protection issues regarding critical 
infrastructure.
    DOD has and will continue to work hand in hand with 
Homeland Security, Commerce, Justice and the other departments, 
along with the private sector in countering cyber threats and 
protecting our Nation's critical infrastructure. Further, the 
administration's legislative proposal allows DHS to leverage 
DOD's practices in hiring and personnel exchange programs as 
well as reinforcing the complementary and continuing defense 
role in providing information systems controls of defense and 
national security systems under the Federal Information 
Security and Management Act.
    We do look forward to working with Congress to ensure the 
executive branch has the appropriate authorities for 
cybersecurity and improving the overall security and safety of 
our Nation.
    I would like to close by noting by that while the work of 
defending the Nation is never done, this legislation will 
greatly help the U.S. Government close the gap between us and 
those who would want to do us harm. As I noted before, the 
threat is constantly evolving and we must evolve to meet it.
    The Department of Defense is ready to play its role in 
meeting this challenge and to work with the rest of government 
to protect the citizens and resources of the United States.
    Thank you.
    Chairman Issa. Thank you.
    Mr. Schwartz.

                   STATEMENT OF ARI SCHWARTZ

    Mr. Schwartz. Chairman Issa, Ranking Member Cummings and 
members of the committee, thank you having me today to testify 
on behalf of the Department of Commerce on the administration's 
cybersecurity legislative proposal.
    The main goal of this proposal is to maximize the country's 
effectiveness in protecting the security of key critical 
infrastructure networks and the systems that rely on the 
Internet, while also minimizing regulatory burdens on the 
entities that it covers and protecting the privacy and civil 
liberties of the public. To accomplish this balance, we focused 
on building transparency throughout the process that rely 
heavily on public/private partnerships.
    I will be addressing four important pieces of the proposal: 
creating security plans for covered critical infrastructure; 
protecting Federal systems; protecting data breach reporting, 
and privacy protection.
    One important theme of the proposal is accountability 
through disclosure. In requiring creating of security plans, 
the administration is promoting use of private sector expertise 
and innovation over top down government regulation. 
Importantly, the proposal only covers the core critical 
infrastructure as it relates to cybersecurity.
    DHS would define these sectors through an open, public 
rulemaking process. The critical infrastructure entities will 
take the lead in developing frameworks of performance standards 
for mitigating identified cybersecurity risks and could ask 
NIST to work with them to help create security frameworks.
    There would be strong incentive for both industry to build 
effective frameworks and for DHS to improve those created by 
industry. The entities involved would want the certainty of 
knowing their approach has been approved and the Federal 
Government will benefit from knowing it will not need to invest 
in the resource intensive approach or development of 
government-mandated frameworks unless industry fails to act.
    Covered critical infrastructure firms and their executives 
will then have to sign off on their cybersecurity plans, 
subject them to performance evaluations and disclose them in 
their annual reports.
    Rather than substituting the government's judgment for 
private firms, the plan holds covered entities accountable to 
consumers and the market. This encourages innovation and 
mitigation strategies as well as improving adherence to best 
practices by facilitating greater transparency in public/
private partnerships. The main goal is to create an 
institutional culture in which cybersecurity is part of every 
day practice without creating a slow moving regulatory 
structure.
    The proposal also clarifies the roles and responsibilities 
for setting Federal information security standards. 
Importantly, the Secretary of Commerce will maintain the 
responsibility for promulgating standards and guidelines which 
will continue to be developed by NIST. DHS will then use these 
standards as a basis for binding directives and memoranda it 
issues to the Federal agencies.
    A working partnership between Commerce, NIST and DHS will 
be important to ensure that agencies received information 
security requirements that are developed with appropriate 
technical operational and policy expertise.
    On data breach reporting, the administration has learned a 
great deal from the States selecting and augmenting the 
strategies and practices we feel most effective to protect 
security and privacy. The legislation will help build certainty 
and trust in the marketplace by making it easy for consumers to 
understand the data breach notices they receive, why they are 
receiving them and as a result, they will better be able to 
take appropriate action.
    As Secretary Locke and others at the Commerce Department 
have heard from many companies and different industries, 
including responses to our Notice of Inquiry last year, a 
nationwide standard for data breach notification will make 
compliance much easier for the wide range of businesses that 
must follow 47 different legal standards today.
    Finally, I would like to point out that many of the new and 
augmented authorities in this package are governed by a new 
privacy framework for government that we believe would enhance 
privacy protection for information collected by and shared with 
the government for cybersecurity purposes.
    This framework would be created in consultation with 
privacy and civil liberties experts and the Attorney General, 
subject to regular reports to Congress and overseen by the 
Independent Privacy and Civil Liberties Oversight Board. 
Governmental violations of this framework will be subject to 
criminal and financial penalties.
    Thank you again for holding this important hearing and I 
look forward to your questions.
    Chairman Issa. Thank you.
    I will now recognize myself for a first round of questions.
    Just a comment, Mr. Schwartz. One of the challenges I face, 
as I am a Californian, I know that when we harmonize a 50-State 
solution, it is 50 States plus California's add-on, so I look 
forward to working on this legislation so that it not be 49 
States plus California as it has been in so many other areas. I 
agree that we have to get to an interstate commerce, genuine 
compact with all States. Hopefully, we can find a 
constitutional way to bind all States so that there is a one 
for all and all for one law.
    I have a couple of questions. Mr. Baker, I looked through 
your background and you worked here for the fights on FISMA but 
Mr. Tierney referred to it and Mr. Schaffer, with his 
background, very much knows its history.
    When we asked communications companies to give us 
information after 9/11, they found themselves embroiled in 
lawsuits because of it. One of the challenges in the proposal 
is that it presumes there will be this free flow of information 
one way and only one way which is from the private sector to 
government, but it doesn't specify the actual protections for 
those who give what is otherwise not the requirement to give, 
at least federally.
    Have you worked out how you are going to propose keeping 
the plaintiffs' trial bar out of the businesses each and every 
time something goes wrong for these companies that have been 
reporting or if there is, effectively, a leak of private 
information from the government that is then traced back to a 
private company who delivered? I understand there is a 
mandatory part and there is implied immunity but on the 
voluntary part?
    Mr. Baker. Thank you, Mr. Chairman.
    I think on the voluntary part there is an immunity 
provision in the proposal and that would apply to the voluntary 
sharing so that if they shared the information and then somehow 
found themselves embroiled in a lawsuit, they could rely on 
that provision. We think that is how it would come out. At the 
end of the day, a judge would have to rule on whether it 
applied or not and if it was proper.
    Chairman Issa. With AT&T and the others, that was exactly 
the problem. The Federal Government had a need to make sure 
that information not be made public. As a result, the companies 
were unable to properly defend themselves. We have been down 
the road of an implied immunity versus and explicit one and 
also one of the concerns, and Mr. Tierney isn't here but I will 
share perhaps what is one of this concerns, we don't want 
somebody to voluntarily deliver information in order to gain 
immunity they otherwise wouldn't have.
    Have you looked at that side of the equation? Not from the 
standpoint of a judge will decide, but that our two bodies will 
write it in a way in which it is predictable, what the outcome 
would be?
    Mr. Baker. Yes, we are very aware of that concern and we 
have tried to factor that into our thinking very much. That is 
why I think you see the immunity provision has sort of two 
parts to it. One is appropriate sharing pursuant to the 
subtitle that would be this provision. The other is where you 
have a good faith belief that your sharing is lawful.
    If you have a bad faith belief that you are sharing, you 
are sharing for some ulterior purpose, that would not be 
covered, but if you are sharing within the confines of the 
subtitle or sharing in good faith, then you would be protected.
    Chairman Issa. Mr. Langevin and I both worked on this 
sometime ago. Having been there, if the government asks, one 
might say that if you answer that is a good faith belief. That 
is exactly where George W. Bush and his Attorney General found 
themselves sideways. They had clearly asked, industry had 
answered and then there was a debate about whether or not that 
was covered.
    You may want to look at that as we go through the drafting 
process to make sure that effectively if government, whatever 
government, thinks it is legal and they ask the question, that 
should be, in my opinion, at least, an explicit immunity 
because even though it is voluntary, I think all of us on both 
sides of the dais know that a voluntary question asked by a 
governing body has a certain amount of you will answer 
gravitas.
    Mr. Schaffer, only a few weeks ago, we thought this was 
going to come out as recommendations and it came out as a 
proposal. Is that because you felt you were closer to, if you 
will, final legislative language or was it simply easier to put 
it into this format? We were a little surprised when it came 
out in legislative format.
    Mr. Schaffer. Thank you, Mr. Chairman.
    I can't speak to exactly the decision process to bring it 
out in this way. I can say that in the development of the 
various pieces of the proposal, there was legislative language 
prepared as we transmitted it and the decision was made that 
would be the easiest way to bring those ideas forward.
    Chairman Issa. As I recognize the ranking member, the 
reason I asked that was that our intention is to bring a series 
of private sector individuals both in a formal fashion and in a 
less formal fashion, so that we can glean their input. Our 
understanding is this has been government formatted and there 
has been no formal outreach to the private sector.
    That is one of our concerns. All the opening statements 
talked about the 85/15. Our goal is, now that this in a 
proposed language, to begin communicating with the stakeholders 
and the private sector, and quite frankly, also some of the 
State representatives. Hopefully we can share in that.
    I recognize the ranking member for his round of questions.
    Mr. Cummings. Thank you very much.
    In the wake of 9/11, new attention been focused on the 
significance of information sharing as a matter of national 
security. The 9/11 Commission report says the biggest 
impediment to all source analysis to a great likelihood of 
connecting the dots is the human or systemic resistance to 
sharing information. They said something. There is widespread 
consensus on the need for more robust information sharing from 
the private sector to the government and vice versa to better 
protect our cyber networks and critical infrastructure.
    To all the panelists, how do we overcome this systemic 
resistance to achieving this goal? Mr. Schaffer.
    Mr. Schaffer. Thank you, sir.
    I think the proposal is designed to eliminate some of the 
barriers that we see to information sharing. One of the 
challenges we have consistently when an entity has information 
they believe the government should know and would help the 
broader community to protect both government and the private 
sector, is there they are not sure what they are allowed to 
share and what they are not allowed to share. They are not sure 
whether there is some legal provision somewhere that is going 
to get them into hot water if they provide the information on 
an expedited basis to the government.
    This mention of it being one way sharing, our goal when we 
receive the information at DHS is to use that information and 
distribute the pieces that can be used to defend networks as 
quickly as possible to the broadest audience.
    The provision in the proposal that provides, 
notwithstanding any other law, you can provide that information 
and there is immunity for the sharing of that information if it 
is for a legitimate cybersecurity purpose, we think will 
enhance the ability of private sector entities to give 
information to the government.
    Mr. Cummings. Mr. Baker.
    Mr. Baker. Thank you, sir.
    I think that the key, as Mr. Schaffer touched on, is 
clarity in the law. I think we need language that clearly would 
authorize the sharing. We need clear limitations on that, in 
other words privacy protections in particular. You need a clear 
immunity provision, as I was just discussing with the chairman 
a few minutes, and then you also need, what we have heard, 
clear exemptions from FOIA as well because when folks share 
information with the government, they become concerned it is 
going to be discoverable, if you will, under FOIA.
    I think the key is clarity so that they don't have to 
search through the Federal Code to determine what provisions 
they may or not be violating if they were to share this 
information. I think clear language that is straight forward is 
the main objective.
    Mr. Cummings. Mr. Butler or Mr. Schwartz, do you have 
anything in addition to what they just said? I don't want us 
repeating each other.
    Mr. Butler. I support what they described. Beyond the 
legislation, I was going back to the intent of the post-9/11 
Commission. I think we have been working on is building 
relationships. You saw that within the Department of Defense, 
the Department of Homeland Security building MOAs, building 
collaboration and second, planning together, the National Cyber 
Incidence Response Plan. That developmental activity is really 
enabling information sharing in new and different ways and 
exercising together, cyberwatch and those kinds of exercises 
really help us to build the connective tissue to enable an 
information sharing approach.
    Mr. Schwartz. I will just briefly say that we have made 
large strides in terms of getting greater information sharing. 
I think you gave an excellent overview of all the difficulties. 
We tried to address some of those in sharing with government in 
the proposal. We are certainly open to broader discussions of 
other kinds of sharing and other ways of addressing these 
issues without unduly affecting privacy and other issues.
    Mr. Cummings. One of the things, Mr. Butler, and some of 
the others may be able to answer this, in the Naval Academy, we 
made this a top priority. In our last meeting, we were 
discussing how while the Naval Academy is moving forward with 
phenomenal speed now that we need to get this kind of teaching 
to private colleges. We were trying to figure out how we could 
take the Naval Academy's curriculum and then spread it.
    We were very concerned that we are not preparing enough of 
our young people to deal with this threat. I am just wondering 
what we are doing with regard to that because we can create all 
the rules we want, but if we don't have folks who are equipped 
to address this, we have major problems. We have become 
basically a defenseless nation. You are all pointing out how 
urgent the situation is, what are we doing in that regard?
    Mr. Butler. From the DOD perspective, Secretary Gates made 
it a top priority in terms of next gen work force education for 
defense and the national security base so it is the Academy at 
Annapolis and certainly the other academies. We have a fairly 
large program through the Department of Defense on information 
assurance which reaches colleges around the United States, 
working with them on curriculum development as well as 
internships and scholarships for students.
    We build on that with the Cyber Patriot Program where we 
are involved with high school and junior high students. We 
support the National Cyber Collegiate Defense competitions. 
More than competitions, they are actually coaching and 
mentoring programs. There are continuous education outreach 
programs to allow us to help young people understand what we 
are faced with and to actually cast a dream for them to get 
involved.
    Mr. Cummings. Thank you very much.
    Mr. Chaffetz [presiding]. I will now recognize myself for 5 
minutes.
    One of the emergency national security concerns is that you 
have software infrastructure, hardware, other things that are 
built overseas that comes to the United States with items that 
are already embedded in them by the time they get here. This 
obviously poses security and intellectual property risks. Is 
any of this happening, Mr. Schaffer, and what are we going to 
do to fight this?
    Mr. Schaffer. Clearly supply chain risk management is an 
issue that the administration is focused on. Homeland Security 
is working with partners at the table.
    Mr. Chaffetz. How are they focused on it? Is this 
happening?
    Mr. Schaffer. Whether or not there are specific examples of 
insertions is something I would rather talk about----
    Mr. Chaffetz. I think you would rather not. It is just a 
yes or no question. Is this happening or not?
    Mr. Schaffer. We believe that there is significant risk in 
the area of supply chain.
    Mr. Chaffetz. Is it happening, to the best of your 
knowledge? I am sorry. I thought I threw you a softball to 
begin with. Is this happening or not?
    Mr. Schaffer. I missed the very beginning of the question 
and the wording that you gave me and I apologize. I don't want 
to get this wrong. Can you rephrase for me?
    Mr. Chaffetz. Are you aware of any component software/
hardware coming to the United States of America that have 
security risks already embedded into those components?
    Mr. Schaffer. I am aware there have been instances where 
that has happened.
    Mr. Chaffetz. What is Homeland Security doing about this? 
What can we do about this?
    Mr. Schaffer. This is one of the most complicated and 
difficult challenges that we have. The range of issues goes to 
the fact that there are foreign components in many U.S.-
manufactured devices.
    Mr. Chaffetz. Yes. That is the obvious. Go faster, I only 
have 5 minutes here. There are many foreign components in our 
materials, yes. I got it.
    Mr. Schaffer. There is a task force that DHS and DOD co-
chair to look at these issues with goals to identify short term 
mitigation strategies and to also make sure that we have 
capability for maintaining U.S. manufacturing capability over 
the long term and are in a position to ensure that the critical 
infrastructure pieces have what we need.
    Mr. Chaffetz. It is terribly complicated, I understand it 
is difficult, but the concern is that it is happening and 
probably happening on a more frequent basis than most people 
recognize. These things are embedded in devices and software 
and people don't know that. It is very difficult to detect.
    Let me move on and stick with you, Mr. Schaffer, on this. 
There is a lot of discussion here about private to public 
having to report to the government. How much did the 
government--the White House, Homeland Security and others--work 
with the private sector? The numbers are pretty big, upwards of 
85 percent of the infrastructure that is used is from the 
private sector, the networks used are run by the private 
sector, but there is a lot of concern that the private sector 
really wasn't at the table when this was developed. Were they 
at the table and how much so?
    Mr. Schaffer. With respect to the proposal you have before 
you, as we said, we think this is the beginning of the 
conversation. It was developed and informed by our long term 
and existing relationships with the private sector. Frankly, I 
have spent the vast majority of my career in the private sector 
working as a chief information security officer and as a 
consultant to large corporations.
    We built this proposal based on what we have learned 
through the National Infrastructure Protection Plan process, 
our relationships with each of the sectors, the sector 
coordinating councils, the ISACs and others. I believe this 
proposal is designed to give the private sector tremendous 
input into the process both in identifying the risk, 
identifying the frameworks, building their own plans.
    This doesn't prescribe specific technologies they need to 
use, it doesn't give them a mandate to do this in any certain 
way. It gives them an opportunity to participate in developing 
a regime that will allow us to reduce risk.
    Mr. Schwartz. Mr. Chairman, just briefly. The Department of 
Commerce actually had a Notice of Inquiry last summer that 
addressed many of the pieces that are now in this legislative 
proposal that were informed by input from the private sector, 
so at the beginning, there was some informed piece that came 
from this.
    Mr. Chaffetz. I guess one of the concerns I have moving 
forward, for further discussion, one of the shortcomings I see 
is how do we take it from the public realm and inform the 
private sector? It seems to be very much a one way street. It 
needs to be back and forth. I see you are all shaking your 
heads, I hope there is concurrence on this. We will have to 
work on the specific language and how that information would 
flow because it does need to be communicated back and forth.
    I have lots more questions but my time has expired. With 
that, we will now recognize the gentleman from Tennessee, Mr. 
DesJarlais for 5 minutes.
    Mr. DesJarlais. Thank you, Mr. Chairman. Thank you, 
gentlemen.
    A growing threat in both the public and private sector 
information systems is cyber attacks from foreign governments 
or organizations mostly aligned with them. Cyber attacks 
certainly are not exclusive to the United States, other 
countries have experienced such attacks. At what point do cyber 
attacks carried out by foreign governments become an act of war 
or what some refer to as cyber warfare against another nation? 
I would open that to everyone.
    Mr. Baker. That is a legally difficult question to answer 
but certainly acts that would be equivalent in their effects to 
a kinetic attack on the United States would fall within the 
category I think you are talking about there. If you look at 
the effects that were equivalent to a kinetic attack, that 
would be an act of war.
    Mr. DesJarlais. Have we developed any effective means of 
identifying who the actors or players in these attacks are?
    Mr. Baker. Attribution is very difficult in this area. That 
is challenging. It doesn't mean it can't be done, but it is 
challenging. I would defer to my colleagues if they want to add 
something on that.
    Mr. Butler. We continue to evolve with the technology to 
help us with attribution and tactics, techniques and procedures 
but right now, it is a fairly intensive forensic analysis 
process that we go through to attribute to actors.
    Mr. DesJarlais. Both public and private sectors are deeply 
interwoven and dependent upon each other for their operations 
and functionality. For example, telecommunications and 
transportation are heavily dependent on the power grid for 
operations and vice versa. Does our current Internet or 
communications infrastructure have enough redundancy built in 
to ensure that we could survive a catastrophic attack on its 
physical or technical assets, Mr. Schaffer?
    Mr. Schaffer. There have been numerous attempts to look at 
that question through risk analysis by various sectors 
including the IT sector, the calm sector and the belief is 
there is a significant amount of resiliency within the network. 
Certainly the Internet was built with resiliency in mind and 
the ability to route around various types of problems.
    On any given day with any particular kind of attack, it is 
hard to say whether you will have enough resiliency in that 
particular place but I do think the architecture of the system 
is designed to be quite resilient. There are certain pieces of 
the puzzle that obviously need more security and that is where 
I think we are with the legislative proposal today.
    Mr. DesJarlais. Does the Federal Government have an 
effective defensive posture to ensure that attacks on private 
sector networks or infrastructure can be isolated with little 
damage to its own assets?
    Mr. Schaffer. I would say that we are very much, both 
industry and government, dependent on one another in a variety 
of ways. It would be very difficult to isolate the government 
from the critical infrastructure pieces that are provided by 
industry. As noted, they own a substantial portion of that 
infrastructure.
    Mr. DesJarlais. There have been a number of economic 
estimates regarding the cost of a major cyber attack on the 
economy. Are there consistent, reliable numbers that tell us 
how much cyber crime or cyber attacks cost the United States 
each year?
    Mr. Schaffer. There are a wide range of estimates. I don't 
know there is a single, consistent, across the board way to 
estimate what those costs would be. Over the last several years 
we have seen we are attaching more and more of our critical 
infrastructure to the Internet for the efficiencies that it can 
bring. That adds to the potential for damage if those systems 
are compromised. I am not aware of a single metric that can be 
used to identify how much damage is within the art of the 
possible.
    Mr. DesJarlais. Where are the most significant weaknesses 
in our IT supply chain?
    Mr. Schaffer. I don't know that I can identify the most 
significant weaknesses within the supply chain. As I said, the 
supply chain issues are increasingly complex because we do have 
a global economy in which our products and equipment is 
installed and embedded in foreign product, foreign product is 
installed and embedded in our product, and the need to have 
appropriate processes to address risk and manage ways of 
identifying where there might have been a compromise to the 
system is what we focus on in terms of programmatics at the 
Department.
    Mr. DesJarlais. Thank you all. I yield back.
    Mr. Chaffetz. The gentleman yields. I now recognize the 
gentleman from Virginia, Mr. Connolly, for 5 minutes.
    Mr. Connolly. Thank you, Mr. Chairman, and welcome to the 
panel.
    I certainly agree that cybersecurity is perhaps the largest 
growing single threat both to American infrastructure and to 
national security. The number of cybersecurity incidents 
reported by Federal agencies has increased from 5,000 to 41,000 
over the last 5 years. One of the concerns I have is that when 
we had hearings on this subject a few years ago in this 
committee, we took testimony from a lot of Federal agency heads 
who focused on the part of FISMA that requires education, 
training and awareness. They could check off that box and say 
80 percent of our work force is trained.
    When you ask the question, are threats going up or down, 
they were going up, of course, and are successful, hacking 
attempts or cybersecurity threats going up or down, that also 
was going up. I would ask first, Mr. Schaffer, and anyone else 
on the panel, are we really working with the right metrics here 
on the subject of cybersecurity with Federal agencies or are we 
measuring the easy to measure?
    Second, what kind of uniformity is there across dozens of 
Federal agencies to take the proper measures to protect the 
systems in place understanding the differentiation among those 
agencies?
    Mr. Schaffer. Thank you for the question. Indeed, the 
reason you see this legislative proposal around FISMA is we 
recognize there needs to be a change in the way FISMA works. 
Even without the legislation in place, we have taken an 
approach that is much more aggressive since the Department has 
been asked to take on more responsibility.
    We are meeting with the department CIOs to sit down and 
walk through all of the various requirements, not just the 
training requirements, but all of the requirements that 
currently exist and talk about how to prioritize those things 
that really matter and that will reduce operational risk.
    Our approach is to get to continuous monitoring so we 
aren't reporting annually with a piece of paper what is 
happening on someone's network, which as you know is outdated 
before the paper is written, but are seeing what is happening 
on those networks, can correlate that data with what we are 
seeing from our intrusion detection and intrusion prevention 
technology at DHS and actually work with the departments and 
agencies to reduce the risk they are seeing in terms of the 
kind of attack experience they have on a daily basis.
    Mr. Schwartz. You asked very good and extremely important 
questions.
    Mr. Connolly. I hope the chairman heard that, very good and 
extremely important questions, Mr. Chaffetz.
    Mr. Schwartz. In terms of what we are measuring, one of the 
main problems we have seen is inspectors general have looked at 
the controls that have been put in place as a checklist rather 
than trying to get at the main set of problems out there. One 
of the things we try to do in the administration proposal is to 
provide more flexibility in the structure so that the inspector 
general will look at what is important for that particular 
agency.
    At the same time as Mr. Schaffer suggested, we try to 
increase automation through continuous monitoring through other 
means that we have a better standard across all different 
agencies. That doesn't mean we can stop other means of looking 
at the best practices and the controls that are in place, but 
we do need to do a better job of making sure we have the right 
controls for the right agency. We think the administration 
proposal does that with changes to FISMA.
    Mr. Butler. I would just add what we see in the Department 
of Defense I think is reflective of our general sense of where 
we need to go with metrics. We look at technology, tactics, 
techniques and procedures and people in an integrated way, so 
as we work to harden networks and improve our cyber hygiene 
practices, we also look at proactive defense measures that we 
continue to incorporate in those areas.
    Continuous red teaming, testing against what we are doing 
helps us to update the metrics. As we have stood up, 
organizational structures like Cyber Command and others, we are 
moving more and more toward what others are talking about with 
a continuous monitoring mode that builds beyond FISMA and helps 
us to ensure what anomalies we are missing that potentially 
could be problems down the road.
    Mr. Connolly. Is there a mechanism within the Federal 
Government for exchanging best practices, experiences, tapping 
into the private sector expertise and the like? Is there some 
kind of forum, formal or informal, that does that?
    Mr. Schaffer. Actually, there is. One of the things DHS 
sponsors is something called the Cross Sector Cybersecurity 
Working Group. This represents the critical infrastructure, 18 
sector cybersecurity resources and gives them an opportunity to 
work together to bring the knowledge that one sector may have 
learned to the other sectors. It is one of the goals of the 
program to make sure that wherever we see an issue we can get 
that information out to the entire community.
    Mr. Connolly. Mr. Chairman, I know my time is up but I 
think that is very important point. We want to break down the 
stovepipes here so that we are sharing experience and 
intelligence across agencies to try to deter the threat.
    Thank you very much.
    Mr. Chaffetz. Thank you. The gentleman yields.
    We will now recognize the gentleman from Texas, Mr. 
Farenthold, for 5 minutes.
    Mr. Farenthold. Mr. Schaffer, I think you used the term you 
are seeing attacks every single day, 41,000 attacks reported. 
We see this growing at an incredible rate. I am very much 
afraid that we have a problem here that is going to be very 
difficult and very expensive to fix, both within the government 
and within the private sector.
    Correct me if I am wrong. We have a wide variety of threats 
coming from everywhere. We have nation states as possible 
offenders, terrorists, criminals, industrial espionage, I guess 
we will call them hobby hackers, a wide variety of people 
intruding into computer systems. I don't think a day goes by 
that I don't have to install some sort of security update on my 
computer.
    I guess my question is, I guess we need to take a multi-
tiered approach. Where do you see the focus needs to be? Do we 
need to be focusing more on hardening systems to attack, do we 
need to be focusing on prosecutions? Where is the balance we 
will get the most bang for the buck?
    Mr. Schaffer. Thank you for the question Congressman. 
Frankly, I think we need to do it all. This is not a single 
solution problem, it is not a problem that can be solved by any 
one entity, it can't be solved by government alone, it can't be 
solved by industry alone, it can't be solved by a single 
technology. This is going to take a whole of government effort, 
it is going to take a whole of society effort, right down to 
individuals who need to apply the patches and the virus updates 
to their machines.
    The ecosystem was built in a way that allowed us to take 
advantage of moving very fast but the security pieces have 
been, for the large measure, bolted on after the fact. We are 
trying now to fix those issues but I do think it is going to 
require us to build better perimeters, apply those patches 
everywhere on all of the systems, update those systems to the 
best technology and do this vigilantly in all cases.
    Mr. Farenthold. I guess I will open this up to the rest of 
the panel. I don't know who might be the expert on this or if 
anyone has any ideas. Does anyone have a clue what this is 
going to cost in some reasonable term that we can understand? 
The price of a computer now is $500, an average piece of 
software, depending on what is? Percentage-wise, how much is it 
going to raise the cost of computing to do this?
    Mr. Schaffer. While I can't say how much it will cost to do 
this, what I think has been said repeatedly is how much it is 
costing us for not having done it. The cost to our society, all 
that we are spending on trying to chase this problem, deal with 
the intrusions when they occur, the intellectual property loss 
that is going to hit us in terms of our economic 
competitiveness at a later point in time, those costs are also 
very hard to estimate but we know they are large.
    Mr. Farenthold. Where do you balance it between what the 
government spends and what the private sector spends and 
businesses and what I have to spend in order to surf the 
Internet at home?
    Mr. Schaffer. What I think this proposal does that we never 
had before is a way to design for critical infrastructure a 
regime that actually allows for a standard of care to be 
developed for clear frameworks to be laid out that industry 
agrees with, they understand the risks, they know what they 
need to do in order to meet those risks and make them go down. 
If we do that, I think the markets will develop to produce the 
products that will make that easier and less expensive if 
everyone is working to that end.
    Mr. Farenthold. I only have a minute left and I want to hit 
on one other topic. I am deeply concerned that as you see 
increased cooperation between the government and the private 
sector, my data stored out in the Cloud becomes accessible to 
the government and either by accident or through some sort of 
fishing expedition, what I would consider to be my private 
communications are accessible to the government or worse yet, 
become public. How are we addressing those concerns?
    Mr. Baker. We have to make sure, as I mentioned earlier, 
that we have clear and understandable laws in place to protect 
the legitimate privacy expectations of Americans. We absolutely 
want that to happen. There are a range of different laws today 
that protect your privacy, so whatever we do, we need to make 
sure we address all of those sort of holistically, if you will, 
because different types of data are protected under different 
regimes and we need to make sure we do this in a smart way. 
There are a variety of laws that are implicated and we need to 
closely look at all of those.
    Mr. Farenthold. I am out of time. Thank you all very much.
    Mr. Chaffetz. I will now recognize the gentleman from 
Idaho, Mr. Labrador, for 5 minutes.
    Mr. Labrador. Thank you, Mr. Chairman.
    As you know, there are private sector organizations that 
exist today that are working to help private industry help 
protect against these cyber threats. The estimate is about 80 
percent of our cyber threats to security and critical 
infrastructure is through the private sector. For example, many 
of the critical infrastructures have organizations within which 
companies can share threat information and best practices. The 
government should always be looking to these organizations to 
assist in the effort to protect the country.
    Do you currently work with any private sector organizations 
to facilitate the threat information sharing and best security 
practices and if you do, can you tell me which organizations 
you are working with?
    Mr. Schaffer. Indeed, the Department of Homeland Security 
is working with many private sector organizations in an effort 
to share best practices and to share information about threats 
and vulnerabilities. We work through the Sector Coordinating 
Councils under the National Infrastructure Protection Plan; we 
work with the ISAC organizations, the Information, Security and 
Analysis Centers for the various sectors, including the 
financial services sector; the multi-state ISAC which goes to 
State and local governments; and the IT ISAC representatives 
from the communications sector. We work with all of those ISAC 
organizations.
    Not only do we work with them, but we have been working to 
integrate them into our process on the National Cybersecurity 
and Communications Integration Center watch floor. We actually 
have representatives from many of the sectors who are either on 
or coming onto the floor and will participate in the incident 
response plan processes to address issues when they occur.
    We are working extensively with private sector 
organizations. We can certainly get you a full list if you 
would like after the hearing.
    Mr. Labrador. Anyone else want to add anything to that?
    Mr. Schwartz. NIST is designed to work very closely with a 
range of private sector players, including the standards 
development organizations and the wide range of other private 
sector standards setting organizations and take the standards 
best practices from their side, take the standards best 
practices from the government side and develop those to do work 
within the Federal Government and vice versa.
    A lot of standards that are developed within the Federal 
Government are then taken into the private sector and are free 
and open for them to use as well. We have a strong relationship 
and we could get you a full list if you like.
    Mr. Butler. For the Department of Defense, consulting, 
services and products are heavily engaged with a lot of 
different security firms with regards to ensuring we have the 
latest and greatest products installed. HBSS is an example as 
we kind of worked through the Wikileaks mitigation but 
continuous efforts working with them on threat mitigation.
    Mr. Baker. A significant amount of information sharing goes 
on as well with respect to law enforcement agencies, back and 
forth. Obviously when you have a crime that has occurred, you 
have information sharing that goes on, but in other forums, law 
enforcement agencies, the FBI, the Secret Service, are working 
regularly to make sure this information is shared back and 
forth.
    Mr. Labrador. I have one more question. While protecting 
ourselves from cyber attacks we know is extremely critical, 
many private industry individuals have witnessed a 
proliferation of Federal initiatives dedicated to this issue. 
For example, there are over 25 different working groups or task 
forces being led by the Federal Government. Is there any 
analysis being conducted right now that would provide ways to 
streamline this activity to avoid duplicative spending and 
minimize the amount of Federal dollars spent?
    Mr. Schaffer. I think we are continually looking, 
Congressman, at ways to coordinate our activity and make sure 
the groups we are working with are focused on different 
problems and are bringing to the table not duplicative but 
complementary sets of information. I know within DHS, we have 
several groups that do have overlapping jurisdiction, if you 
will, they have some of the same members, but we have them 
focused on different pieces of the elephant that is the 
cybersecurity problem. We are working to try to coordinate and 
make sure we are not introducing a lot of redundancy.
    Mr. Schwartz. We haven't been afraid to close down working 
groups that have outlived their time. Everyone working on this 
issue has many meetings to go to for many of the different task 
forces and the fewer we can have is a benefit. I think there 
has been leadership in that regard in terms of trying to work 
through a problem, cut it off and move on when we can do that.
    Mr. Labrador. Thank you. I yield back.
    Mr. Chaffetz. The gentleman yields.
    I will now recognize the gentleman from Rhode Island, Mr. 
Langevin, for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman.
    I want to thank the panel for their testimony today.
    I want to return to an issue I raised in my opening 
comments. Some members have objected to updating our Federal 
cyber readiness due to potentially large, upfront costs. 
Undoubtedly, these efforts will save billions of dollars in 
efficiencies while providing long, overdue cyber protections 
and integrity to our Federal networks.
    This question would be more appropriate for an entity with 
a top line view of our cyber efforts across all government 
agencies such as the cyber director that I have proposed. 
However, since the administration's current cyber coordinator 
lacks this authority and as DHS is taking on the operational 
lead on these efforts, I am going to pose the first question to 
Mr. Schaffer and then to the rest of the panel.
    Mr. Schaffer, what is your assessment of the costs required 
to carry out the administration's plans to move to an IT 
infrastructure based on continuous monitoring and automated 
reporting that was proposed by the administration in its 
legislative proposal, what efforts have already been 
implemented, and what are your projected estimates on cost 
savings and efficiencies and security as a result of these 
efforts?
    Mr. Schaffer. I think the key to the FISMA reform proposal 
is that we recognize much of the work, effort and spending that 
is done today to meet the FISMA requirements that are really 
compliance oriented, check the box kind of exercises with an 
annual report can be repurposed in a way that allows us to 
actually buy down risk through the continuous monitoring and 
other solutions being proposed.
    The work that we are doing with the departments and 
agencies on a general basis to improve cyber security across 
the board can also be done in a way that will get us to better 
FISMA compliance.
    I can't give you a dollar figure with respect to how much 
it will cost, but I can tell you that we believe over the long 
run, if this is done and security is improved as dramatically 
as we think it can be, the expense associated with all the work 
we do to chase the problems and address all the intrusion 
activity that is happening will be reduced. Net, I think we 
will have a positive result over the long run.
    Once we start building security into everything we are 
doing, there is consistent data that suggests building it in is 
much cheaper than bolting it on.
    Mr. Langevin. The other parts of my question, what efforts 
have already been implemented and what are your projected cost 
savings on the efficiencies and security as a result of the 
updates?
    Mr. Schaffer. We are certainly happy to work with you to 
think about how to score this. I don't have any numbers that I 
can present today with respect to estimates of what the actual 
savings would be. Again, we know this is the beginning of a 
conversation and a proposal and expect the final result may or 
may not look exactly the way we are now, but we certainly want 
to work with you and the committee as we think about what the 
cost estimates will be.
    Mr. Langevin. Let me move on to another question. I have 
noticed that one element left out of the legislative proposal 
was a strengthened White House office with budgetary authority 
and Senate confirmation. This is something I feel strongly 
about. In fact, just last year, the White House moved further 
away from this model by moving OMB's oversight for the Federal 
security to DHS.
    While DHS clearly has the operational lead for protecting 
the .gov network, what authority do they have to oversee agency 
budgets and actually compel these important technical 
challenges actually be addressed? The various departments and 
agencies, their mission, looking at State or Commerce, isn't 
necessarily the security of our .gov network. How do we 
actually compel compliance? OMB could do it but does DHS have 
that sufficient authority because I really question that. Also, 
I would like to know why wasn't a strengthened White House 
office considered?
    Mr. Schaffer. In the delegation of authority from OMB to 
DHS to undertake the work we are now doing on FISMA, OMB 
retained the budget authority to effectively be the entity that 
enforces those requirements from a budgetary perspective. DHS, 
as you pointed out, has the operational responsibility.
    The legislative proposal would consolidate the oversight 
responsibility with the operational responsibility that we have 
and move things in the direction where we would be given the 
authority to direct departments and agencies to take action to 
improve their security and deploy appropriate protection.
    With respect to today, you have a dual arrangement where 
DHS has the operational responsibility and OMB has the budget 
responsibility. That is the way it would line out I think 
today.
    Mr. Langevin. I know my time has expired, but for the 
record, I would like to get an answer to the question of why a 
strengthened White House office wasn't considered?
    I yield back.
    Mr. Chaffetz. I now recognize myself for 5 minutes.
    Mr. Schaffer, according to press reports, the U.S. Chamber 
of Commerce has rejected the legislative proposal as 
``regulatory overreach.'' We found an internal Chamber document 
that revealed that the Chamber believed ``layering new 
regulations on critical infrastructure will harm public/private 
partnerships, cost industry substantial sums and not 
necessarily improve national security.''
    Their general concern is that it is overly broad. How do 
you respond to that and how involved is the Chamber in these 
types of discussions?
    Mr. Schaffer. I believe this proposal is carefully crafted 
to give industry a strong voice in designing the solutions, so 
it is hard to understand the suggestion that it will be overly 
expensive or over reaching when in fact, industry will have an 
opportunity to say what the threats are that need to be 
mitigated, what the framework should be in order to address 
those risks and then develop their own plans in order to meet 
those frameworks.
    Mr. Chaffetz. Part of this proposal calls for Homeland 
Security to authorized to publicly name critical infrastructure 
providers whose plans you deem to be inadequate and then 
publish those. How is that going to help protect them?
    Mr. Schaffer. The transparency at the end of the day will 
engage market forces, we believe, in order to drive toward 
better results.
    Mr. Chaffetz. You are going to tell the world, here are the 
weakest of the weak. Is that what your plan is?
    Mr. Schaffer. The proposal would provide summaries of the 
plans and summaries of the evaluations. It is not as if all of 
these entities aren't under attack today and if they are weak, 
in fact, the adversaries are taking advantage of them. The 
proposal here is to make sure that not just the adversaries 
know they are weak, but in fact, the public knows and the 
markets can take appropriate action.
    Mr. Chaffetz. So which of these companies would be required 
to report to the SEC, for instance, and have their plan 
certified as sufficient? How does that work?
    Mr. Schaffer. Those who are already subject to SEC 
reporting requirements would be required to include this 
information in that reporting. The proposal doesn't include any 
suggestion that others would be required to come into that kind 
of reporting.
    Mr. Chaffetz. I have a lot more questions about that but 
given the time, I want to go to one other quick subject. Let us 
focus with Mr. Butler and Mr. Baker here.
    Obviously a lot of these concerns come from overseas 
players who are a little bit outside of our reach but 
increasing penalties, how do we highlight these concerns? If 
someone walked into a computer and physically blew it up, it 
would be national news, a big deal. If someone comes in through 
the back door electronically and is blowing up, destroying or 
stealing information, nothing seems to happen, nobody seems to 
know. How do we expose this and what kind of penalties can we 
possibly put in place?
    Mr. Baker. The issue is making sure we have the penalties 
in place that we then can try to enforce. The enforcement part, 
I agree with you is a separate question and a separate thing we 
need to deal with. We deal with that in a variety of different 
ways, principally through appropriations to make sure we have 
enough people who are skilled in this area to go out and do 
this around the world.
    Mr. Chaffetz. How does that work on the international stage 
when you have someone who is in some other country doing this?
    Mr. Baker. Internationally, the FBI and the U.S. Secret 
Service are engaged every day in working with international 
partners to bring these kinds of people to justice.
    Mr. Chaffetz. How many of them are actual state actors? You 
have some kid in a van down by the river, I am sure, in some 
other country doing this stuff, but you also have concerted 
efforts from state sponsors. What are we doing about that?
    Mr. Baker. On the state sponsors, I think I will defer to 
DOD on that one.
    Mr. Butler. In May, the White House issued the 
International Cyberspace Strategy which beings to lay out 
principles and norms that will guide our efforts as we try to 
engage on this problem you highlighted. One of the ideas is to 
work with nations to determine what is going on inside their 
sovereign territory and like-minded folks getting together to 
figure out what we need to do so we can not only share 
information.
    Mr. Chaffetz. My specific question is when you know it is 
an actual country, a state, what are we doing about that? If 
someone were to fire upon us, we would be outraged, but if they 
seem to do it as a cyber attack, it seems to be quietly pushed 
under the rug because we don't want to be embarrassed.
    Mr. Butler. Again, I will go back to the International 
Cyberspace Strategy for a moment. We say in that document that 
as we look at cyber incidents and we deem potentially this is 
something malicious and as we work through attribution, we 
reserve the right to respond, and that is through a variety of 
means. Those include law enforcement means, diplomatic means 
and what have you. We are just at the beginning of now moving 
from that declaratory position to now considering policy 
priorities.
    Mr. Chaffetz. Obviously we are going to have to explore 
this in greater detail. We know it is happening on all levels 
in all forms and it is one of the biggest threats to the United 
States of America.
    If there aren't any other questions from any other Members? 
Yes, the ranking member.
    Mr. Cummings. I just want to thank you all but I also want 
to remind you, piggybacking on what Mr. Chaffetz just said, 9/
11 should be seared in all our memories and I know it is, but 
the terrorists were trying to send a message, several messages 
and one of them was disruption of our way of life.
    When you think about terrorists and now that we have killed 
Osama Bin Laden, trying to figure out ways to bring harm to the 
United States, and everyone says how are they going to do it 
next, somebody can actually sit a computer and do all kinds of 
harm. I can hear from you we are dealing with this in the words 
of the President, with the urgency of now, because it is 
extremely urgent. I hope we will move this along as rapidly as 
possible.
    Again, I want to thank you.
    Mr. Chaffetz. I also want to echo and thank you for your 
work, your dedication and commitment. It is a very difficult 
and challenging question. It is something incredibly nimble and 
continues to evolve and change. There is no end to the 
creativity of terrorists and others who wish harm to the United 
States of America. We don't want to have another major, major 
incident, someday we wake up and some major portion of our 
infrastructure, whether private or public. This has to have a 
lot more attention placed upon it. We certainly don't want to 
have the kind of incident that we would all regret knowing we 
could do everything we can to help prevent it.
    At the same time, I think we also need to recognize we need 
to preserve people's individual liberties, need to make we 
don't overstep and overreach into what private companies are 
doing, and finding that right balance will be one of the 
challenges for this Congress and in the future Congresses as 
well, but we will do so, I hope, in a very bipartisan way.
    We thank you for your expertise. We thank you for being 
here today.
    The committee stands adjourned.
    [Whereupon, at 11:05 a.m., the committee was adjourned.]
    [The prepared statement of Hon. Gerald E. Connolly 
follows:]

[GRAPHIC] [TIFF OMITTED] T1615.009

                                 
