b"<html>\n<title> - EXAMINING THE CYBER THREAT TO CRITICAL INFRASTRUCTURE AND THE AMERICAN ECONOMY</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \nEXAMINING THE CYBER THREAT TO CRITICAL INFRASTRUCTURE AND THE AMERICAN \n                                ECONOMY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n\n                       INFRASTRUCTURE PROTECTION,\n\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 16, 2011\n\n                               __________\n\n                           Serial No. 112-11\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n72-221                    WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Peter T. King, New York, Chairman\nLamar Smith, Texas                   Bennie G. 
Thompson, Mississippi\nDaniel E. Lungren, California        Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nMichael T. McCaul, Texas             Henry Cuellar, Texas\nGus M. Bilirakis, Florida            Yvette D. Clarke, New York\nPaul C. Broun, Georgia               Laura Richardson, California\nCandice S. Miller, Michigan          Danny K. Davis, Illinois\nTim Walberg, Michigan                Brian Higgins, New York\nChip Cravaack, Minnesota             Jackie Speier, California\nJoe Walsh, Illinois                  Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         Hansen Clarke, Michigan\nBen Quayle, Arizona                  William R. Keating, Massachusetts\nScott Rigell, Virginia               Vacancy\nBilly Long, Missouri                 Vacancy\nJeff Duncan, South Carolina\nTom Marino, Pennsylvania\nBlake Farenthold, Texas\nMo Brooks, Alabama\n            Michael J. Russell, Staff Director/Chief Counsel\n               Kerry Ann Watkins, Senior Policy Director\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                Daniel E. Lungren, California, Chairman\nMichael T. McCaul, Texas             Yvette D. Clarke, New York\nTim Walberg, Michigan, Vice Chair    Laura Richardson, California\nPatrick Meehan, Pennsylvania         Cedric L. Richmond, Louisiana\nBilly Long, Missouri                 William R. Keating, Massachusetts\nTom Marino, Pennsylvania             Bennie G. Thompson, Mississippi \nPeter T. King, New York (Ex              (Ex Officio)\n    Officio)\n                    Coley C. O'Brien, Staff Director\n                    Alan Carroll, Subcommittee Clerk\n             Dr. 
Chris Beck, Minority Subcommittee Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                               Statements\n\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies\n\n                               Witnesses\n\nMr. Philip Reitinger, Deputy Under Secretary, National Protection \n  and Programs Directorate, Department of Homeland Security:\n  Oral Statement\n  Prepared Statement\nMr. Gregory Wilshusen, Director of Information Security Issues, \n  Government Accountability Office:\n  Oral Statement\n  Prepared Statement\nDr. Phyllis Schneck, Vice President and Chief Technical Officer, \n  McAfee Inc.:\n  Oral Statement\n  Prepared Statement\nMr. James A. Lewis, Director and Senior Fellow, Technology and \n  Public Policy Program, Center for Strategic and International \n  Studies:\n  Oral Statement\n  Prepared Statement\nMs. 
Mischel Kwon, President, Mischel Kwon Associates:\n  Oral Statement\n  Prepared Statement\n\n                                Appendix\n\nQuestion From Chairman Daniel E. Lungren of California\n\n\n                     EXAMINING THE CYBER THREAT TO \n            CRITICAL INFRASTRUCTURE AND THE AMERICAN ECONOMY\n\n                              ----------                              \n\n\n                       Wednesday, March 16, 2011\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:05 a.m., in \nRoom 311, Cannon House Office Building, Hon. Daniel E. Lungren \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Lungren, McCaul, Walberg, Meehan, \nLong, Marino, Clarke, Richmond, and Keating.\n    Mr. Lungren. The Committee on Homeland Security, \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies will come to order.\n    The subcommittee is meeting today to hear testimony from \nPhil Reitinger, the Deputy Under Secretary for National \nProtection and Programs Directorate of DHS; Gregory Wilshusen, \nthe Director of Information Security Issues at GAO; Phyllis \nSchneck, Vice President and Chief Technology Officer at McAfee, \nInc.; James Lewis, Director and Senior Policy Fellow at the \nCenter for Strategic and International Studies; and Mischel \nKwon, President of Mischel Kwon Associates, LLC.\n    Today we will examine the cyber threat to U.S. 
critical \ninfrastructure, how it affects the economy, and what Government \nis doing to address the threat.\n    Twenty-five years ago, the concept of cyber threat, or a \ncyber attack, was an issue of interest to really only a few \nresearchers in academics. In this post-9/11 terrorist era the \ncyber threat is serious, multifaceted, and boundless, posing a \nsignificant risk to U.S. economic and National security.\n    The Director of National Intelligence stated in testimony \nbefore the Congress, ``The growing connectivity between \ninformation systems, the internet, and other infrastructures \ncreates opportunities for attackers to disrupt \ntelecommunications, electrical power, energy pipelines, \nfinancial networks, and other critical infrastructures.''\n    The information revolution launched by the internet has \nreached into every corner of our lives. While it provides users \nmany benefits, it also exposes them to new and dangerous risks. \nThese new risks include cyber criminals, spies and terrorists, \nusing the digital internet as a pathway to personal bank \naccounts as well as Government and industrial secrets. Cyber \nattacks are growing more frequent, targeted, sophisticated, and \ndangerous.\n    Most of these attacks are motivated by financial or \nintellectual property theft, disruption of commerce, or \nintelligence collection. Cyber attacks have been launched \nagainst nations, Estonia in 2007, Georgia in 2009, and Iran in \n2010. They were all the subject of cyber attacks that either \nparalyzed Government operations or targeted critical \ninfrastructure. Last year, Google and 20 other major companies \nwere the targets of highly sophisticated attacks to steal their \nintellectual property and user accounts. This attack allegedly \nemanated from China.\n    If terror groups are watching this cyber activity and \ntargeting our critical infrastructure--and we believe they \nare--this raises the stakes in our war on terror. U.S. 
critical \ninfrastructure--by that I mean roads, bridges, dams, electrical \nsystem, power systems--overall, that critical infrastructure is \nthe backbone of our dynamic and productive economy. Attacks on \nthis critical infrastructure will impact our National and \neconomic security as well as the health and safety of our \nfellow citizens.\n    Today, our critical infrastructure relies extensively on \ncomputerized information systems and the internet which cannot \nbe protected as in the traditional way with guns, gates, and \nguards. This reliance on computers and the internet makes our \ncritical infrastructure operations vulnerable to cyber attack. \nThis vulnerability was demonstrated a few years ago in a \nsimulated attack on our electric power grid, which also was \ncode-named Aurora.\n    The computer security company, McAfee, reports that 54 \npercent of executives of critical infrastructure companies \nsurveyed said their companies had been the victims of denial of \nservice attacks and network infiltration from organized crime, \nterrorists, or other nation states.\n    Recent media reports have described a new cyber threat \ncalled Stuxnet, which can target critical infrastructure, \nincluding nuclear facilities. According to these published \nreports, Stuxnet is a complex piece of malware designed to \ninterfere with the Siemens industrial control systems \noperating the Iranian nuclear facilities. This makes Stuxnet, \nat least according to published reports, it makes that malware \na very dangerous offensive cyber weapon that overtakes critical \ncontrol system operations.\n    So if an anonymous enemy or terrorist ever seizes the \ncontrol systems of, let's say, dams or chemical or power plants \nvia the cyber world, that terrorist could cause death and \ndestruction in the real world.\n    So many questions remain about how to defend our \ncyberspace. 
What solutions, policies, or technology can we \ndevelop to improve our Nation's cybersecurity? We welcome our \npublic and private witnesses today who will begin us on a \njourney to answer these questions.\n    It is now my pleasure to recognize the Ranking Member of \nour subcommittee, Ms. Clarke, for her opening statement.\n    Ms. Clarke. Good morning, and thank you to all of our \nwitnesses for appearing before us today.\n    I would like to thank Chairman Lungren for holding this \nhearing on cybersecurity and for your intention to move \nexpeditiously on what I know we both recognize as a critical \nissue.\n    While there are a number of new faces up here on the dais, \nI believe this subcommittee will continue to place significant \nfocus on the issue of cybersecurity just as we did during the \n110th Congress. I know Mr. Lungren takes this responsibility as \nseriously as I do, and I look forward to partnering with him \nagain over the next 2 years to ensure the safety and security \nof the American people, American businesses, American \ninfrastructure, and the American way of life.\n    Today's hearing will likely be the first of several \ncybersecurity hearings that the subcommittee will hold, and it \nis easy to understand why this issue dominates our agenda. We \nrely on information technology in every aspect of our lives, \nfrom our electric grid, banking systems, military and \ngovernment functions, to our e-mail and web browsers. \nInterconnected computers and networks have led to amazing \ndevelopments in our society. Increased productivity, knowledge, \nservices, and revenues are all benefits generated by our modern \nnetworked world. 
But in our rush to network everything, few \nstopped to consider the security ramifications of this new \nworld we were creating, and so we find ourselves in an \nextremely dangerous situation today.\n    Too many vulnerabilities exist on too many critical \nnetworks which are exposed to too many skilled attackers who \ncan inflict too many intrusions into our systems. \nUnfortunately, to this day, too few people are even aware of \nthese dangers and fewer still are doing anything about it. This \ncommittee will continue to sound the alarm, raise awareness of \nthe problems we face, and move forward with practical, \neffective solutions.\n    This hearing comes at a critical moment in our Nation's \napproach to the cyber threat. There is a very real and \nsignificant threat to our National and economic security that \nwe now face in cyberspace, and we must do something equally \nreal and significant to meet this challenge.\n    We are expecting, and this committee is eager to see, a \nNational cybersecurity strategy from the White House to be \nreleased very soon. The Department is finalizing its National \ncyber incident response plan and will also include a \ncybersecurity strategy as called for in the 2010 Quadrennial \nHomeland Security Review.\n    The Congress is interested in legislation to afford DHS \nauthority it needs to protect the dot-gov domain and critical \ninfrastructures in the private sector. The previous two decades \nhave seen countless reports from America's thought leaders in \ncybersecurity containing hundreds of recommendations about how \nto improve America's posture in cyberspace. What has been \nlacking is the courage and leadership to actually implement \nthese recommendations. To ensure our National and economic \nsecurity, now is the time we must act.\n    The U.S. Government must chart a new course to cyberspace. \nThe private sector must also be a full partner and accept its \nshare of responsibility for our combined security. 
Now is the \ntime to stop planning and start acting.\n    The Chairman's intention with this hearing is to give this \nsubcommittee some background on the issues facing us. \nCybercrime costs this country billions of dollars a year. We \nknow that our Government networks are attacked tens of \nthousands of times per day and private sector networks are \nattacked even more often. We know that our critical \ninfrastructures are already compromised and penetrated. The \nenemy has already successfully attacked and continues to do so. \nWe need to absorb this information, get up to speed quickly, \nand move forward to address this issue. We have already lost \nmany small battles. We have to start protecting ourselves \nbefore an attack big enough to cause irreparable damage is \ncarried out.\n    To the witnesses appearing before us today, I thank you for \nbeing here, and I welcome your thoughts on the issues before \nus, including what you think an effective National \ncybersecurity policy should look like. Chairman Lungren and I \nintend for this subcommittee, as well as the full committee, to \nplay a leading role in shaping our National cyber posture in \nthe years to come.\n    Thank you, Chairman, and I yield back.\n    Mr. Lungren. Thank you very much, Madam Ranking Member, and \nI appreciate your spirit of cooperation with which you led this \nsubcommittee and continuing now.\n    Other Members are reminded that they may give us their \nstatements that will be entered into the record.\n    We are pleased to have a very distinguished panel of \nwitnesses before us today on this important topic. Deputy Under \nSecretary Phil Reitinger was named Deputy Under Secretary for \nNPPD in 2009. He also serves as the Director of the National \nCybersecurity Center. In this role, he provides strategic \ndirection to the Department's cybersecurity efforts. 
Prior to \njoining the Department, he was the senior security strategist \nfor Microsoft's trustworthy computing program, so he is well \nversed in the challenges facing both Government and the private \nsector in dealing with the important issue of cybersecurity.\n    Prior to serving with Microsoft, Deputy Under Secretary \nReitinger was the Executive Director for the Department of \nDefense's Cybercrime Center. Before that, he was the Deputy \nChief of the Department of Justice's Computer Crime and \nIntellectual Property Section, proving that he just can't keep \na job. No. He has had tremendous experience and has a unique \nperspective from multiple positions within the administration \nand therefore has much wisdom with which to guide us.\n    Greg Wilshusen has been with the GAO for over 13 years and \nhas been over 29 years in auditing financial management \ninformation systems. He is a certified public accountant, \ncertified internal auditor, certified information systems \nauditor. He holds a B.S. degree in business administration from \nthe University of Missouri. Are they in the----\n    Mr. Wilshusen. Yes, they are. In fact, they are playing \ntomorrow evening at 9:50 against----\n    Mr. Lungren. I see. Notre Dame doesn't play until Friday at \n1:40 eastern time, but I hope to be in California so I will be \nwatching them from the Pacific coast.\n    An MS in information management from George Washington \nUniversity School of Engineering and Applied Sciences. At GAO, \nhe has overseen multiple reports on information security, both \nat DHS and Government-wide.\n    The Chair recognizes Mr. Reitinger, who will testify on \nbehalf of the Department of Homeland Security.\n\nSTATEMENT OF PHILIP REITINGER, DEPUTY UNDER SECRETARY, NATIONAL \n  PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Mr. Reitinger. Thank you very much, Chairman Lungren and \nRanking Member Clarke. 
It is indeed an honor to be here today \nto talk before the committee.\n    As you pointed out, sir, my name is Philip Reitinger, and \nI am the Deputy Under Secretary at the Department of Homeland \nSecurity.\n    Apropos of your comment about my inability to keep a job, \nI would say I am not sure I need to be here today based on the \nopening comments that you and the Ranking Member made. Let me \ngive you an Amen from the congregation; you understand the \nissue, you get it. So I am going to speak very briefly about \nthree quick points, and then I would be happy, after Greg \ntalks, to answer any questions that you have.\n    The three points I wanted to quickly raise are that \ncybersecurity is a critical issue; second, there is no simple \nsolution, neither entity or technology, that is going to solve \nthe problem; and three, that although we have made significant \nprogress over the course of my 15 to 20 years involved in this \nspace and the more significant efforts of many more people over \na longer period of time, we are not yet where we need to be. We \nneed to actually--not to be jargonistic, but we need to take \nthis to a new level.\n    So let me start with the first point, that cybersecurity is \na critical issue. This goes back to the comments that you made, \nChairman. The threat is significant, and the threat is getting \nmore significant. Perhaps more important, we are depending more \non information networks every day--not just for looking at a \ncute video on-line or our ability to send an e-mail, but for \nthe basic functioning of our economy.\n    It is not just a security issue, it is an economic issue. \nWe don't have power, we don't have phone service, we don't have \n9-1-1 service, we don't get water, we don't have banking \nwithout the proper functioning of the internet and the systems \nthat are connected to it. So we must treat this as a critical \nissue, and, in fact, we have, over the course of the last two \nadministrations. 
Cybersecurity has been a bipartisan issue, \ngoing from the launch of the Comprehensive National \nCybersecurity Initiative in the prior administration through \nthe current President's Cyberspace Policy Review and the on-\ngoing work to cross both administrations and across both \nparties in both Houses of Congress to move the issue forward.\n    But it is a complex problem. There is no simple solution. \nThere is no single entity, no private sector player or even the \nprivate sector together. DHS, DOD, the Department of Commerce, \nall of them need to be involved, and none of them standing \nalone--and none of them even standing in the forefront with a \nlittle bit of help from others is going to solve the problem. \nWe actually do have to work this broadly in partnership. By \npartnership, I don't mean saying partnership we all sing \nKumbaya and we go home. I mean, we actually work together to \ndrive outcomes, that we have known roles and responsibilities \nand we execute on those things.\n    In that space, DHS plays a critical role. We are \nresponsible for leading the protection of the civilian \ngovernment systems and private sector, so-called dot-com \nsystems, even though it is broader than that. I say ``lead'' \nadvisedly because this is not about DHS will come in and solve \nall your problems for you. We are not going to do that. But \nwhat we can do is we can help. Everybody has got to build \nsecurity into their own operations--private sector companies, \ncivilian government agencies and DHS; we have got to build it \ninto our DNA. DHS has got to do the job of helping people to \nexecute much more effectively. We have had signal successes in \nthat role. 
The Chairman mentioned the creation of the first \nreal National incident response plan to bring all of Government \nand private sector together so we can respond as one Nation to \na significant cyber event.\n    A plan that we tested in a major exercise last year that \ninvolved several thousand people--literally, several thousand \npeople around the globe, tens of private sector companies, over \n10 nations around the world and over 10 States and localities. \nI will talk more after my opening statement in response to your \nquestions.\n    The last thing I would say in closing is that much more \nremains to be done. As the Ranking Member indicated, we are \nsystemically vulnerable. We have made significant progress, but \nwe are not yet where we need to be. So as the Ranking Member \nindicated, what we have to do is focus on implementation. What \nmakes a difference day to day, week to week, month to month? \nHow can we do that? That is one of the reasons why partnership \nfrom the Government Accountability Office is so important to \nus. It can help us prioritize, indicate areas for further \nprogress, and help us find the best way forward.\n    Together, we need to have that broad public dialogue which \nI am sure will take place this year across the public and \nprivate sectors about how we close the gap between where we are \nnow and where we need to be. With that, I will look forward \nvery much to the questions of the subcommittee. Thank you.\n    [The statement of Mr. Reitinger follows:]\n                 Prepared Statement of Philip Reitinger\n                             March 16, 2011\n                              introduction\n    Chairman Lungren, Vice Chairman Walberg, Ranking Member Clarke, and \ndistinguished Members of the subcommittee, it is a pleasure to appear \nbefore you today to discuss the Department of Homeland Security's (DHS) \ncybersecurity mission. 
I will provide an overview of the current \ncybersecurity environment, the Department's cybersecurity mission as it \nrelates to critical infrastructure, and the coordination of this \nmission with our public and private sector partners.\n    We would like to work more with you to convey the relevance of \ncybersecurity to average Americans. Increasingly, the services we rely \non for daily life, such as water distribution and treatment, \nelectricity generation and transmission, health care, transportation, \nand financial transactions depend on an underlying information \ntechnology and communications infrastructure. Cyber threats put the \navailability and security of these and other services at risk.\n                 the current cybersecurity environment\n    The United States confronts a combination of known and unknown \nvulnerabilities, strong and rapidly expanding adversary capabilities, \nand a lack of comprehensive threat and vulnerability awareness. Within \nthis dynamic environment, we are confronted with threats that are more \ntargeted, more sophisticated, and more serious.\n    Sensitive information is routinely stolen from both Government and \nprivate sector networks, undermining confidence in our information \nsystems and the information collection and sharing process, and as bad \nas the loss of precious National intellectual capital is, we \nincreasingly face threats that are even greater. We currently cannot be \ncertain that our information infrastructure will remain accessible and \nreliable during a time of crisis.\n    We face persistent, unauthorized, and often unattributed intrusions \ninto Federal Executive Branch civilian networks. These intruders span a \nspectrum of malicious actors, including nation states, terrorist \nnetworks, organized criminal groups, or individuals located here in the \nUnited States. They have varying levels of access and technical \nsophistication, but all have nefarious intent. 
Several are capable of \ntargeting elements of the U.S. information infrastructure to disrupt, \ndismantle, or destroy systems upon which we depend. Motives include \nintelligence collection, intellectual property or monetary theft, or \ndisruption of commercial activities, among others. Criminal elements \ncontinue to show increasing levels of sophistication in their technical \nand targeting capabilities and have shown a willingness to sell these \ncapabilities on the underground market. In addition, terrorist groups \nand their sympathizers have expressed interest in using cyberspace to \ntarget and harm the United States and its citizens. While some have \ncommented on terrorists' own lack of technical abilities, the \navailability of technical tools for purchase and use remains a \npotential threat.\n    Malicious cyber activity can instantaneously result in virtual or \nphysical consequences that threaten National and economic security, \ncritical infrastructure, public health and welfare, and confidence in \nGovernment. Similarly, stealthy intruders can lay a hidden foundation \nfor future exploitation or attack, which they can then execute at their \nleisure--and at their time of greatest advantage. Securing cyberspace \nrequires a layered security approach. Moreover, securing cyberspace is \nalso critical to accomplishing nearly all of DHS's other missions \nsuccessfully.\n    We need to support the efforts of our State and local government \nand private sector partners to secure themselves against malicious \nactivity in cyberspace. Similarly, we need to ensure that the Federal \ncivilian environment is secure and that legitimate traffic is allowed \nto flow freely while malicious traffic is prevented from penetrating \nour defenses. Collaboratively, public and private sector partners must \nuse our knowledge of these systems and their interdependencies to \nprepare to respond should defensive efforts fail. 
This is a serious \nchallenge, and DHS is continually making strides to improve the \nNation's overall operational posture and policy efforts. In addition, \nother departments, such as the Department of Education, are working to \neducate parents and students on internet safety and privacy protection.\n                         cybersecurity mission\n    Let me be clear that no single technology--or single Government \nentity--alone can overcome the cybersecurity challenges our Nation \nfaces. Cybersecurity must start with informed users taking necessary \nprecautions and extend through a coordinated effort between the private \nsector, critical infrastructure owners and operators, and the extensive \nexpertise that lies across coordinated Government entities. The \nNational Protection and Programs Directorate (NPPD) within DHS is \nresponsible for the following key cybersecurity missions:\n  <bullet> Leading the effort to secure Federal Executive Branch \n        civilian departments and agencies' unclassified networks;\n  <bullet> Providing technical expertise to the private sector and \n        critical infrastructure and key resources (CIKR) owners and \n        operators--whether private sector, State, or municipality \n        owned--to bolster their cybersecurity preparedness, risk \n        assessment, mitigation and incident response capabilities;\n  <bullet> Raising cybersecurity awareness among the general public;\n  <bullet> Coordinating the National response to domestic cyber \n        emergencies; and\n  <bullet> Leveraging cyber defense capability across all departments \n        and agencies to detect, respond, isolate, and remediate cyber \n        attacks or practices dangerous to security and privacy.\n    In a reflection of the bipartisan nature with which the Federal \nGovernment continues to approach cybersecurity, President Obama \ndetermined that the Comprehensive National Cybersecurity Initiative \n(CNCI) and its associated 
activities should evolve to become key \nelements of the broader National cybersecurity efforts. These CNCI \ninitiatives play a central role in achieving many of the key \nrecommendations of the President's Cyberspace Policy Review: Assuring a \nTrusted and Resilient Information and Communications Infrastructure. \nFollowing the publication of those recommendations in May 2009, DHS and \nits components developed a long-range vision of cybersecurity for the \nDepartment and the Nation's homeland security enterprise, which is \nencapsulated in the Quadrennial Homeland Security Review (QHSR). The \nQHSR provides an overarching framework for the Department and defines \nour key priorities and goals. One of the five priority areas detailed \nin the QHSR is safeguarding and securing cyberspace. Within the \ncybersecurity mission area, the QHSR identifies two overarching goals: \nTo help create a safe, secure, and resilient cyber environment; and to \npromote cybersecurity knowledge and innovation.\n    In alignment with the QHSR, Secretary Napolitano consolidated many \nof the Department's cybersecurity efforts under NPPD. The Office of \nCybersecurity and Communications (CS&C), a component of NPPD, focuses \non reducing risk to the Nation's communications and information \ntechnology infrastructures and the sectors that depend upon them, as \nwell as enabling timely response and recovery of these infrastructures \nunder all circumstances. The functions and mission of the National \nCybersecurity Center (NCSC) are now supported by CS&C. These functions \ninclude coordinating operations among the six largest Federal cyber \ncenters. CS&C also coordinates National security and emergency \npreparedness communications planning and provisioning for the Federal \nGovernment and other stakeholders. CS&C comprises three divisions: the \nNational Cyber Security Division (NCSD), the Office of Emergency \nCommunications, and the National Communications System. 
Within NCSD, \nthe United States Computer Emergency Readiness Team (US-CERT) is \nworking more closely than ever with our public and private sector \npartners to share what we learn from EINSTEIN 2, a Federal executive \nagency computer network intrusion detection system, to deepen our \ncollective understanding, identify threats collaboratively, and develop \neffective security responses. EINSTEIN enables us to respond \nproactively to warnings and other indicators of operational cyber \nattacks, and we have many examples showing that this program investment \nhas paid for itself several times over.\n    Teamwork--ranging from intra-agency to international \ncollaboration--is essential to securing cyberspace. Simply put, the \ncybersecurity mission cannot be accomplished by any one agency; it \nrequires teamwork and coordination. Together, we can leverage \nresources, personnel, and skill sets that are needed to achieve a more \nsecure and reliable cyberspace.\n    NCSD collaborates with Federal Government stakeholders, including \ncivilian agencies, law enforcement, the military, the intelligence \ncommunity, State and local partners, and private sector stakeholders, \nto conduct risk assessments and mitigate vulnerabilities and threats to \ninformation technology assets and activities affecting the operation of \ncivilian government and private sector critical infrastructures. NCSD \nalso provides cyber threat and vulnerability analysis, early warning, \nand incident response assistance for public and private sector \nconstituents. 
To that end, NCSD carries out the majority of DHS' non-\nlaw enforcement cybersecurity responsibilities.\n                    national cyber incident response\n    The President's Cyberspace Policy Review called for ``a \ncomprehensive framework to facilitate coordinated responses by \ngovernment, the private sector, and allies to a significant cyber \nincident.'' DHS coordinated the interagency, State and local \ngovernment, and private sector working group that developed the \nNational Cyber Incident Response Plan. The plan provides a framework \nfor effective incident response capabilities and coordination among \nFederal agencies, State and local governments, the private sector, and \ninternational partners during significant cyber incidents. It is \ndesigned to be flexible and adaptable to allow synchronization of \nresponse activities across jurisdictional lines. In September 2010, DHS \nhosted Cyber Storm III, a response exercise in which members of the \ndomestic and international cyber incident response community addressed \nthe scenario of a coordinated cyber event. During the event, the \nNational Cyber Incident Response Plan was activated and its incident \nresponse framework was tested. Based on observations from the exercise, \nthe plan is in its final stages of revision prior to publication.\n    Cyber Storm III also tested the National Cybersecurity and \nCommunications Integration Center (NCCIC)--DHS' 24-hour cyber watch and \nwarning center--and the Federal Government's full suite of \ncybersecurity response capabilities. The NCCIC works closely with \nGovernment at all levels and with the private sector to coordinate the \nintegrated and unified response to cyber and communications incidents \nimpacting homeland security.\n    Numerous DHS components, including US-CERT, the Industrial Control \nSystems Cyber Emergency Response Team (ICS-CERT), and the National \nCoordinating Center for Telecommunications (NCC), are collocated into \nthe NCCIC. 
Also present in the NCCIC are other Federal partners, such \nas the Department of Defense (DoD) and members of the law enforcement \nand intelligence communities. The NCCIC also physically collocates \nFederal staff with private sector and non-Governmental partners. \nCurrently, representatives from the Information Technology and \nCommunications sectors are located at the NCCIC. We are also finalizing \nsteps to add representatives from the Banking and Finance sector, as \nwell as the Multi-State Information Sharing and Analysis Center (MS-\nISAC).\n    By leveraging the integrated operational capabilities of its member \norganizations, the NCCIC serves as an ``always on'' cyber incident \nresponse and management center, providing indications and warning of \nimminent incidents, and maintaining a National cyber ``common operating \npicture.'' This facilitates situational awareness among all partner \norganizations, and also creates a repository of all vulnerability, \nintrusion, incident, and mitigation activities. The NCCIC also serves \nas a National point of integration for cyber expertise and \ncollaboration, particularly when developing guidance to mitigate risks \nand resolve incidents. Finally, the unique and integrated nature of the \nNCCIC allows for a scalable and flexible coordination with all \ninteragency and private sector staff during steady-state operations, in \norder to strengthen relationships and solidify procedures as well as \neffectively incorporate partners as needed during incidents.\n   providing technical expertise to the private sector and critical \n                             infrastructure\n    DHS has significant cybersecurity capabilities, and we are using \nthose capabilities to great effect as we work collaboratively with the \nprivate sector to protect the Nation's CIKR. We engage with the private \nsector on a voluntary basis to provide on-site analysis, mitigation \nsupport, and assessment assistance. 
Over the past year, we have \nrepeatedly shown our ability to materially and expeditiously assist \ncompanies with cyber intrusion mitigation and incident response. We are \nable to do so through our trusted and close relationships with private \nsector companies as well as Federal departments and agencies. Finally, \nour success in assisting the private sector is due in no small part to \nour dedication to properly and fully addressing privacy, civil rights, \nand civil liberties in all that we do. Initiating technical assistance \nwith a private company to provide them analysis and mitigation advice \nis a sensitive endeavor--one that requires trust and strict \nconfidentiality. Within our analysis and warning mission space, DHS has \na proven ability to provide that level of trust and confidence in the \nengagement. Our efforts are unique among Federal agencies' capabilities \nin that DHS focuses on computer network defense and protection rather \nthan law enforcement or intelligence functions. DHS engages precisely \nto mitigate the threat to the network to reduce future risks.\n    Our approach requires vigilance and a voluntary public-private \npartnership. Indeed, we are continuing to build our capabilities and \nour relationships; we must because the cyber threat trends only more \nsophisticated and more frequent.\n    Over the past year, we stood up the NCCIC and are adding staff to \nthat center, both from existing DHS personnel and from partner \norganizations in the public and private sectors. More broadly, we are \ncontinuing to hire more cybersecurity professionals and are increasing \ntraining available to our employees. We have an operational National \nCyber Incident Response Plan (NCIRP), and we continue to update and \nimprove it with input from senior cybersecurity leaders. We will be \nreleasing the NCIRP publicly in the coming weeks. 
We are executing \nwithin our current mission and authorities now: Receiving and \nresponding to substantial netflow data from our intrusion detection \ntechnologies deployed to our Federal partners, and leveraging that data \nto provide early warnings and indicators across Government and \nindustry. With our people, processes, and technology, we stand ready to \nexecute the responsibilities of the future.\n    US-CERT provides remote and on-site response support and defense \nagainst malicious cyber activity for the Federal Executive Branch \ncivilian networks. US-CERT also collaborates, provides remote and on-\nsite response support and shares information with State and local \ngovernment, critical infrastructure owners and operators, and \ninternational partners to address cyber threats and develop effective \nsecurity responses.\n    In addition to specific mitigation work we conduct with individual \ncompanies and sectors, DHS looks at the interdependencies across \ncritical infrastructure sectors for a holistic approach to providing \nour cyber expertise. For example, the electric, nuclear, water, \ntransportation, and communications sectors support functions across all \nlevels of government including Federal, State, local, and Tribal \ngovernments, and the private sector. Government bodies and \norganizations do not inherently produce these services and must rely on \nprivate sector organizations, just as other businesses and private \ncitizens do. Therefore, an event impacting control systems has \npotential implications at all these levels, and could also have \ncascading effects upon all 18 sectors. For example, water and \nwastewater treatment, chemical, and transportation depend on the energy \nsector, and failure in one of these sectors could subsequently affect \nGovernment and private sector operations.\n    NCCIC's operations are complemented in the arena of industrial \ncontrol systems by ICS-CERT. 
The term ``control system'' encompasses \nseveral types of systems, including Supervisory Control and Data \nAcquisition (SCADA), process control, and other automated systems that \nare found in the industrial sectors and critical infrastructure. These \nsystems are used to operate physical processes that produce the goods \nand services that we rely upon, such as energy, drinking water, \nemergency services, transportation, postal and shipping, and public \nhealth. Control systems security is particularly important because of \nthe inherent interconnectedness of the CIKR sectors and their \ndependence on one another.\n    As such, assessing risk and effectively securing industrial control \nsystems are vital to maintaining our Nation's strategic interests, \npublic safety, and economic well-being. A successful cyber attack on a \ncontrol system could result in physical damage, loss of life, and \ncascading effects that could disrupt services. DHS recognizes that the \nprotection and security of control systems is essential to the Nation's \noverarching security and economy. In this context, as an example of \nmany related initiatives and activities, DHS--in coordination with the \nDepartment of Commerce's National Institute of Standards and Technology \n(NIST), the Department of Energy, and DoD--has provided a forum for \nresearchers, subject matter experts and practitioners dealing with \ncyber-physical systems security to assess the current state of the art, \nidentify challenges, and provide input to developing strategies for \naddressing these challenges. Specific infrastructure sectors considered \ninclude energy, chemical, transportation, water and wastewater \ntreatment, health care and public health, and commercial facilities. 
A \n2010 published report of findings and recommendations is available upon \nrequest.\n    ICS-CERT provides on-site support to owners and operators of \ncritical infrastructure for protection against and response to cyber \nthreats, including incident response, forensic analysis, and site \nassessments. ICS-CERT also provides tools and training to increase \nstakeholder awareness of evolving threats to industrial control \nsystems.\n    A real-world threat emerged last year that significantly changed \nthe landscape of targeted cyber attacks on industrial control systems. \nMalicious code, dubbed Stuxnet, was detected in July 2010. DHS analysis \nconcluded that this highly complex computer worm was the first of its \nkind, written to specifically target mission-critical control systems \nrunning a specific combination of software and hardware.\n    ICS-CERT analyzed the code and coordinated actions with critical \ninfrastructure asset owners and operators, Federal partners, and \nInformation Sharing and Analysis Centers. Our analysis quickly \nuncovered that sophisticated malware of this type potentially has the \nability to gain access to, steal detailed proprietary information from, \nand manipulate the systems that operate mission-critical processes \nwithin the Nation's infrastructure. In other words, this code can \nautomatically enter a system, steal the formula for the product being \nmanufactured, alter the ingredients being mixed in the product, and \nindicate to the operator and the operator's anti-virus software that \neverything is functioning normally.\n    To combat this threat, ICS-CERT has been actively analyzing and \nreporting on Stuxnet since it was first detected in July 2010. To date, \nICS-CERT has briefed dozens of Government and industry organizations \nand released multiple advisories and updates to the industrial control \nsystems community describing steps for detecting an infection and \nmitigating the threat. 
As always, we attempt to balance the need for \npublic information sharing while limiting the information that \nmalicious actors may exploit. DHS provided the alerts in accordance \nwith its responsible disclosure processes.\n    The purpose and function for responsible disclosure is to ensure \nthat DHS executes its mission of mitigating risk to critical \ninfrastructure, not necessarily to be the first to publish on a given \nthreat. For example, ICS-CERT's purpose in conducting the Stuxnet \nanalysis was to ensure that DHS understood the extent of the risks so \nthat they could be mitigated. After conducting in-depth malware \nanalysis and developing mitigation steps, we were able to release \nactionable information that benefited our private sector partners.\n    Looking ahead, the Department is concerned that attackers could use \nthe increasingly public information about the code to develop variants \ntargeted at broader installations of programmable equipment in control \nsystems. Copies of the Stuxnet code, in various different iterations, \nhave been publicly available for some time now. ICS-CERT and the NCCIC \nremain vigilant and continue analysis and mitigation efforts of any \nderivative malware.\n    ICS-CERT will continue to work with the industrial control systems \ncommunity to investigate these and other threats through malicious code \nand digital media analysis, on-site incident response activities, and \ninformation sharing and partnerships.\n            protecting federal civilian government networks\n    In addition to its support of private sector owners and operators \nof infrastructure, DHS also collaborates with its partners to increase \nthe security of Federal Executive Branch civilian agency networks. 
The \nfundamental ways that DHS works to secure Federal networks are by \nimproving the ability of departments and agencies to defend their \nsystems and by directly providing expertise and specific technology \nthat detects, mitigates, and prevents malicious activity on these \nnetworks.\n    As part of the CNCI, DHS works with the Office of Management and \nBudget (OMB) to reduce and consolidate the number of external \nconnections that Federal agencies have to the internet through the \nTrusted Internet Connection (TIC) initiative. This initiative reduces \nthe number of entry points for potential vulnerabilities into \nGovernment networks and allows DHS to focus monitoring efforts on \nlimited and known avenues through which internet traffic must travel. \nDHS conducts on-site evaluations of agencies' progress toward \nimplementing TIC goals.\n    In conjunction with the TIC initiative, the EINSTEIN system is \ndesigned to provide the U.S. Government with an early warning system \nfor intrusions to Federal Executive Branch civilian networks, near \nreal-time identification of malicious activity, and automated \ndisruption of that malicious activity. The second phase of EINSTEIN, \nknown as EINSTEIN 2 and developed in 2008 as part of the CNCI, \nincorporates intrusion detection capabilities into the original \nEINSTEIN system. DHS is currently deploying EINSTEIN 2 to Federal \nExecutive Branch civilian agency TIC locations and Networx Managed \nTrusted Internet Protocol Services (MTIPS) providers, which are private \ninternet service providers that serve Federal agencies, to assist them \nwith protecting their computers, networks, and information. EINSTEIN 2 \nhas now been deployed at 15 of the 19 large departments and agencies \nwho maintain their own TIC locations. Also, the four MTIPS providers \ncurrently provide service to seven additional Federal agencies. 
In \n2010, EINSTEIN 2 sensors registered 5.4 million ``hits,'' an average of \nmore than 450,000 hits per month or nearly 15,000 hits per day. A hit \nis an alert triggered by a predetermined intrusion detection signature \nthat corresponds to a known threat. Each hit represents potential \nmalicious activity for further assessment by US-CERT.\n    DHS is currently developing the third phase of the EINSTEIN \nsystem--an intrusion prevention capability which will provide DHS with \nthe ability to automatically detect and disrupt malicious activity \nbefore harm is done to critical networks and systems. In advance of \nthis development, DHS, in coordination with the National Security \nAgency (NSA), conducted the CNCI Initiative 3 Exercise, which advanced \nthe potential capabilities of the EINSTEIN system by demonstrating \ndefensive technology, sharing near real-time threat information with \nDoD for enhanced situational awareness, and providing a platform upon \nwhich an oversight and compliance process can be implemented for the \nevolving set of EINSTEIN capabilities. The Department's Privacy Office \nand its Office for Civil Rights and Civil Liberties carefully reviewed \nthe exercise concept of operations, and the Privacy Office worked with \nUS-CERT to publicly release a detailed Privacy Impact Assessment \nevaluating the exercise. US-CERT also briefed the exercise to the cyber \nsubcommittee of the independent DHS Data Privacy and Integrity \nCommittee.\n    Beyond the TIC initiative and the EINSTEIN system, DHS, OMB, and \nthe National Institute for Standards and Technology work cooperatively \nwith agencies across the Federal Government to coordinate the \nprotection of the Nation's Federal information systems through \ncompliance with the Federal Information Security Management Act of 2002 \n(FISMA). US-CERT monitors EINSTEIN 2 sensors for intrusion activity and \nreceives self-reported incident information from Federal agencies. 
This \ninformation is reported to OMB for use in its FISMA oversight capacity. \nIn 2010, DHS also began to administer oversight of the CyberScope \nsystem, which was developed by the Department of Justice. This system \ncollects agency information regarding FISMA compliance and, as DHS, \nOMB, and their agency partners move toward automated reporting, the \nsystem will enable real-time assessments of baseline security postures \nacross individual agencies and the Federal enterprise as a whole. This \nactivity complements the development of reference architectures that \nDHS designs for Federal agency stakeholders that are interested in \nimplementing security solutions based on standards and best practices. \nDHS also works with the General Services Administration to create \nBlanket Purchase Agreements that address various security solutions for \nFederal agencies.\n                    the dhs cybersecurity workforce\n    As DHS continues to make progress on initiatives such as TIC and \nEINSTEIN, the Department is also mindful that the Nation's \ncybersecurity challenge will not be solved by a single technology \nsolution. Multiple innovative technical tools are necessary and indeed, \ntechnology alone is insufficient. The mission requires a larger \ncybersecurity professional workforce, governance structures for \nenhanced partnerships, more robust information sharing and identity \nprotection, and increased cybersecurity awareness among the general \npublic. Responsibility for these solutions is, and will remain, \ndistributed across public and private sector partners.\n    DHS is focused on building a world-class cybersecurity team by \nhiring a diverse group of cybersecurity professionals--computer \nengineers, scientists, and analysts--to secure the Nation's digital \nassets and protect against cyber threats to our critical infrastructure \nand key resources. 
NCSD continues to hire cybersecurity and information \ntechnology professionals, nearly tripling its cybersecurity workforce \nin fiscal year 2009 and nearly doubling that number again in fiscal \nyear 2010. NCSD currently has more than 230 cybersecurity professionals \non board, with dozens more in the hiring pipeline.\n    Several initiatives are designed to increase the Nation's number of \nhighly qualified cybersecurity professionals. DHS and NSA co-sponsor \nthe Centers of Academic Excellence in Information Assurance Education \nand Research programs, the goal of which is to produce a growing number \nof professionals with information assurance expertise in various \ndisciplines. DHS and the Department of State co-hosted Operation Cyber \nThreat (OCT1.0), the first in a series of Government-wide experiential \nand interactive cybersecurity training pilots designed to apply \nlearning concepts and share best practices in a secure, simulated \nenvironment to build capacity within the Federal workforce. In December \n2010, the Institute of Electrical and Electronics Engineers Computer \nSociety, the world's leading organization of computing professionals, \nformally recognized the Master of Software Assurance (MSwA) Reference \nCurriculum, which DHS sponsored through its Software Assurance (SwA) \nCurriculum Project. The MSwA program is the first curriculum of its \nkind to focus on assuring the functionality, dependability, and \nsecurity of software and systems. Finally, DHS co-sponsored the annual \nColloquium for Information Systems Security Education and the \nScholarship for Services (SFS) Job Fair/Symposium, which brought \ntogether 55 Federal agencies and more than 200 SFS students.\n    The National Initiative for Cybersecurity Education (NICE) has the \ndual goals of a cyber-savvy citizenry and a cyber-capable workforce. 
\nWorking with NIST, which is the overall interagency lead, DHS heads the \nNICE awareness elements and co-leads the training and professional \ndevelopment components with DoD and the Office of the Director of \nNational Intelligence.\n              interagency and public-private coordination\n    Overcoming new cybersecurity challenges requires a coordinated and \nfocused approach to better secure the Nation's information and \ncommunications infrastructures. President Obama's Cyberspace Policy \nReview reaffirms cybersecurity's significance to the Nation's economy \nand security. Establishment of a White House Cybersecurity Coordinator \nposition solidified the priority the administration places on improving \ncybersecurity.\n    No single agency controls cyberspace and the success of our \ncybersecurity mission relies on effective communication and critical \npartnerships. Many Government players have complementary roles--\nincluding DHS, the intelligence community, DoD, the Department of \nJustice, the Department of State, and other Federal agencies--and they \nrequire coordination and leadership to ensure effective and efficient \nexecution of our collective cyber missions. The creation of a senior-\nlevel cyber position within the White House ensures coordination and \ncollaboration across Government agencies.\n    DHS works closely with its Federal, State, and local partners to \nprotect Government cyber networks. 
In September 2010, DHS and DoD \nsigned a memorandum of agreement that aligns and enhances America's \ncapabilities to protect against threats to our critical civilian and \nmilitary computer systems and networks, including deploying a National \nSecurity Agency support team to the NCCIC to enhance the National Cyber \nIncident Response Plan and sending a full-time senior DHS leader and \nsupport team to the National Security Agency.\n    In November 2010, the MS-ISAC opened its Cyber Security Operations \nCenter, a 24-hour watch and warning facility, which will both enhance \nsituational awareness at the State and local level for the NCCIC and \nallow the Federal Government to quickly and efficiently provide \ncritical cyber risk, vulnerability, and mitigation data to State and \nlocal governments. An MS-ISAC analyst/liaison is collocated in the \nNCCIC.\n    Private industry owns and operates the vast majority of the \nNation's critical infrastructure and cyber networks. Consequently, the \nprivate sector plays an important role in cybersecurity, and DHS has \ninitiated several pilot programs to promote public-private sector \ncollaboration. In its engagement with the private sector, DHS \nrecognizes the need to avoid technology prescription and to support \ninnovation that enhances critical infrastructure cybersecurity. DHS, \nthrough the National Infrastructure Protection Plan partnership \nframework, has many years of experience in private sector \ncollaboration, leveraging our relationships in both the physical and \ncybersecurity protection areas. Within current legal authorities, DHS \nengages with the private sector on a voluntary basis. 
We stand by to \nassist our private sector partners upon their request, and thus far \nhave been able to do so successfully due to our technical capabilities, \nexisting private sector relationships, and expertise in matters \nrelating to privacy and civil rights and civil liberties.\n    In February 2010, DHS, DoD, and the Financial Services Information \nSharing and Analysis Center (FS-ISAC) launched a pilot designed to help \nprotect key critical networks and infrastructure within the financial \nservices sector by sharing actionable, sensitive information. Based on \nlessons learned from the pilot, DHS is developing comprehensive \ninformation-sharing and incident response coordination processes with \nCIKR sectors, leveraging capabilities from within DHS and across the \nresponse community, through the NCCIC.\n    In June 2010, DHS implemented the Cybersecurity Partner Local \nAccess Plan, which allows security-cleared owners and operators of \nCIKR, as well as State technology officials and law enforcement \nofficials, to access secret-level cybersecurity information and video \nteleconference calls via State and local fusion centers. In November \n2010, DHS signed an agreement with the Information Technology \nInformation Sharing and Analysis Center (IT-ISAC) to embed a full-time \nIT-ISAC analyst and liaison to DHS at the NCCIC, part of the on-going \neffort to collocate private sector representatives alongside Federal \nand State government counterparts. 
The IT-ISAC consists of information \ntechnology stakeholders from the private sector and facilitates \ncooperation among members to identify sector-specific vulnerabilities \nand risk mitigation strategies.\n    In July 2010, DHS worked extensively with the White House on the \npublication of a draft National Strategy for Trusted Identities in \nCyberspace, which seeks to secure the digital identities of \nindividuals, organizations, services, and devices during on-line \ntransactions, as well as the infrastructure supporting the transaction. \nThis fulfills one of the near-term action items of the President's \nCyberspace Policy Review. The strategy is based on public-private \npartnerships and supports the protection of privacy, and civil rights \nand civil liberties by enabling only the minimum necessary amount of \npersonal information to be transferred in any particular transaction. \nIts implementation will be led by the Department of Commerce.\n    In December 2010, DHS and NIST signed a Memorandum of Understanding \nwith the Financial Services Sector Coordinating Council. The goal of \nthe agreement is to speed the commercialization of cybersecurity \nresearch innovations that support our Nation's critical \ninfrastructures. This agreement will accelerate the deployment of \nnetwork test beds for specific use cases that strengthen the \nresiliency, security, integrity, and usability of financial services \nand other critical infrastructures.\n    While considerable activity is focused on public and private sector \ncritical infrastructure protection, DHS is committed to developing \ninnovative ways to enhance the general public's awareness about the \nimportance of safeguarding America's computer systems and networks from \nattacks. Every October, DHS and its public and private sector partners \npromote efforts to educate citizens about guarding against cyber \nthreats as part of National Cybersecurity Awareness Month. 
In March \n2010, Secretary Napolitano launched the National Cybersecurity \nAwareness Challenge, which called on the general public and private \nsector companies to develop creative and innovative ways to enhance \ncybersecurity awareness. In July 2010, seven of the more than 80 \nproposals were selected and recognized at a White House ceremony. The \nwinning proposals helped inform the development of the National \nCybersecurity Awareness Campaign, Stop. Think. Connect., which DHS \nlaunched in conjunction with private sector partners during the October \n2010 National Cybersecurity Awareness Month. Stop. Think. Connect., a \nmessage developed with the private sector, has evolved into an on-going \nNational public education campaign designed to increase public \nunderstanding of cyber threats and how individual citizens can develop \nsafer cyber habits that will help make networks more secure. The \ncampaign fulfills a key element of President Obama's Cyberspace Policy \nReview, which tasked DHS with developing a public awareness campaign to \ninform Americans about ways to use technology safely. The program is \npart of the NIST National Initiative for Cyber Education (NICE).\n    Throughout its public and private sector activities, DHS is \ncommitted to supporting the public's privacy, civil rights, and civil \nliberties. Accordingly, the Department has implemented strong privacy \nand civil rights and civil liberties standards into all of its \ncybersecurity programs and initiatives from the outset. To support \nthis, DHS established an Oversight and Compliance Officer within NPPD, \nand key cybersecurity personnel receive specific training on the \nprotection of privacy and other civil liberties as they relate to \ncomputer network security activities. 
In an effort to increase \ntransparency, DHS also publishes privacy impact assessments on its \nwebsite, www.dhs.gov, for all of its cybersecurity systems.\n                               conclusion\n    Set within an environment characterized by a dangerous combination \nof known and unknown vulnerabilities, strong and rapidly expanding \nadversary capabilities, and a lack of comprehensive threat and \nvulnerability awareness, the cybersecurity mission is truly a National \none requiring collaboration across the homeland security enterprise. \nThe Department of Homeland Security is committed to creating a safe, \nsecure, and resilient cyber environment while promoting cybersecurity \nknowledge and innovation. We must continue to secure today's \ninfrastructure as we prepare for tomorrow's challenges and \nopportunities. It is important to recognize that we do not undertake \ncybersecurity for the sake of security itself, but rather to ensure \nthat Government, business, and critical societal functions can continue \nto use the information technology and communications infrastructure on \nwhich they depend.\n    Within our current legal authorities, DHS continues to engage and \ncollaborate with partners in the private and public sectors. We are \ndeploying intrusion detection and prevention technologies across the \nFederal enterprise, aiding departments and agencies in securing their \nnetworks, and providing analysis, vulnerability, and mitigation \nassistance to private sector CIKR partners. Our continued dedication to \nprivacy, civil rights, and civil liberties ensures a positive, \nsustainable model for cybersecurity engagement in the future. 
Finally, \nwe work closely with our interagency partners in law enforcement and \nintelligence, providing the full complement of Federal capabilities in \npreparation for, and in response to, significant cyber incidents.\n    Chairman Lungren, Vice Chairman Walberg, Ranking Member Clarke, and \ndistinguished Members of the subcommittee, let me end by reiterating \nthat I look forward to exploring opportunities to advance this mission \nin collaboration with the subcommittee and my colleagues in the public \nand private sectors. Thank you again for this opportunity to testify. I \nwould be happy to answer your questions.\n\n    Mr. Lungren. Thank you very much, Mr. Reitinger.\n    Now Mr. Wilshusen, who is looking forward to tomorrow's \nbasketball game, if you could give us about 5 minutes of your \nbest pitch right now and then we can ask questions.\n\n    STATEMENT OF GREGORY WILSHUSEN, DIRECTOR OF INFORMATION \n       SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Wilshusen. Chairman Lungren, Ranking Member Clarke, and \nMembers of the subcommittee, thank you for the opportunity to \ntestify at today's hearing on cyber threats to critical \ninfrastructure and the American economy.\n    As you mentioned in your opening statements, pervasive and \nsustained cyber attacks against the United States continue to \nthreaten Federal and non-Federal systems and operations. The \never-increasing interdependence on these systems to carry out \nessential everyday operations and activities makes us \nvulnerable to a wide array of cyber-based threats. Thus, it is \nincreasingly important that Federal and non-Federal entities \ncarry out concerted efforts to safeguard their systems and the \ninformation they contain.\n    Mr. 
Chairman, today we will discuss the threats to cyber-\nreliant critical infrastructures and to Federal information \nsystems and the challenges agencies face in protecting them.\n    Cyber threats to critical infrastructure and Federal \nservices are evolving and growing and can come from a variety \nof sources, including criminals and foreign nations, as well as \nhackers and disgruntled employees. It is important not to \nforget about the insider threat. Potential hackers have a \nvariety of techniques at their disposal that can vastly expand \nthe risk, the reach, and impact of their operations, including \nuse of social engineering and malicious software. The \ninterconnectivity between information systems, the internet, \nand other infrastructure also presents increasing opportunities \nfor such attacks. Not surprisingly, security incidents reported \nby Federal agencies are on the rise, increasing over 650 \npercent during the past 5 years to nearly 42,000 in fiscal year \n2010.\n    Cyber attack incidents can seriously impact our National \nand economic security and have resulted in the loss of \nclassified information and intellectual property, and financial \ncrimes reportedly totaling billions of dollars. Although the \nadministration and Federal agencies continue to act to \nstrengthen the Nation's cybersecurity posture, challenges \nremain. Key actions to improve our National approach to \ncybersecurity have not been fully implemented, Federal capacity \nto protect against cyber threats needs to improve, and Federal \nagencies have not fully addressed persistent control weaknesses \nor consistently implemented effective information security \nprograms. For these reasons, GAO once again identified \nprotecting the Federal Government's information systems and the \nNation's critical infrastructure as a Government-wide high-risk \narea in its biennial report to the Congress on high-risk \nGovernment programs.\n    Mr. 
Chairman, much work remains to be done. Additional \nFederal efforts are needed to implement actions recommended by \nthe President's Cybersecurity Policy Review, update the \nNational strategy for securing the information and \ncommunications infrastructure, develop a National strategy for \naddressing the global aspects of cybersecurity, and create a \nprioritized National and Federal cybersecurity research and \ndevelopment agenda.\n    Federal agencies, and in particular DHS, need to enhance \ntheir cyber analysis and warning capabilities and help \nstrengthen the effectiveness of public-private sector \npartnerships in securing cyber critical infrastructure. Federal \nagencies also need to mitigate known vulnerabilities, fully \nimplement comprehensive information security programs, and \nfacilitate Government-wide efforts to secure their systems.\n    GAO has made numerous recommendations to assist agencies in \nthese areas, and agencies have implemented or are in the \nprocess of implementing many of them.\n    In summary, Mr. Chairman, the threats to information \nsystems are evolving and growing, and systems supporting \nFederal operations and the Nation's critical infrastructures \nare not sufficiently protected to consistently thwart those \nthreats. Until the administration and Federal agencies working \nwith the private sector fully address the challenges before \nthem, our Nation's cybersecurity critical infrastructure will \nremain vulnerable.\n    Mr. Chairman, this concludes my statement. I would be happy \nto answer any questions.\n    [The statement of Mr. 
Wilshusen follows:]\n                Prepared Statement of Gregory Wilshusen\n                             March 16, 2011\n   cybersecurity: continued attention needed to protect our nation's \n        critical infrastructure and federal information systems\n    Chairman Lungren, Ranking Member Clarke, and Members of the \nsubcommittee: Thank you for the opportunity to testify at today's \nhearing on the cyber threats to critical infrastructure and the \nAmerican economy.\n    Pervasive and sustained cyber attacks against the United States \ncontinue to pose a potentially devastating impact on Federal and non-\nFederal systems and operations. In February 2011, the Director of \nNational Intelligence testified that, in the past year, there had been \na dramatic increase in malicious cyber activity targeting U.S. \ncomputers and networks, including a more than tripling of the volume of \nmalicious software since 2009.\\1\\ Recent press reports that computer \nhackers broke into and stole proprietary information worth millions of \ndollars from the networks of six U.S. and European energy companies \nalso demonstrate the risk that our Nation faces. Such attacks highlight \nthe importance of developing a concerted response to safeguard Federal \nand non-Federal information systems.\n---------------------------------------------------------------------------\n    \\1\\ Director of National Intelligence, Statement for the Record on \nthe Worldwide Threat Assessment of the U.S. Intelligence Community, \nstatement before the Senate Select Committee on Intelligence (Feb. 16, \n2011).\n---------------------------------------------------------------------------\n    Mr. 
Chairman, GAO recently issued its high-risk list of Government \nprograms that have greater vulnerability to fraud, waste, abuse, and \nmismanagement or need transformation to address economy, efficiency, or \neffectiveness challenges.\\2\\  Once again, we identified protecting the \nFederal Government's information systems and the Nation's cyber \ncritical infrastructure as a Government-wide high-risk area. We have \ndesignated Federal information security as a high-risk area since 1997; \nin 2003, we expanded this high-risk area to include protecting systems \nsupporting our Nation's critical infrastructure, referred to as cyber \ncritical infrastructure protection or cyber CIP.\n---------------------------------------------------------------------------\n    \\2\\ GAO, High-Risk Series: An Update, (Washington, DC: February \n2011).\n---------------------------------------------------------------------------\n    In my testimony today I will describe: (1) Cyber threats to cyber-\nreliant critical infrastructures and Federal information systems and \n(2) the continuing challenges Federal agencies face in protecting the \nNation's cyber-reliant critical infrastructures and Federal systems. In \npreparing this statement in March 2011, we relied on our previous work \nin these areas (please see the related GAO products page at the end of \nthis statement). These products contain detailed overviews of the scope \nand methodology we used. The work on which this statement is based was \nperformed in accordance with generally accepted Government auditing \nstandards. Those standards require that we plan and perform audits to \nobtain sufficient, appropriate evidence to provide a reasonable basis \nfor our findings and conclusions based on our audit objectives. 
We \nbelieve that the evidence obtained provided a reasonable basis for our \nfindings and conclusions based on our audit objectives.\n                               background\n    As computer technology has advanced, Federal agencies and our \nNation's critical infrastructures \\3\\--such as power distribution, \nwater supply, telecommunications, and emergency services--have become \nincreasingly dependent on computerized information systems to carry out \ntheir operations and to process, maintain, and report essential \ninformation. Public and private organizations rely on computer systems \nto transfer increasing amounts of money and sensitive and proprietary \ninformation, conduct operations, and deliver services to constituents.\n---------------------------------------------------------------------------\n    \\3\\ Critical infrastructures are systems and assets, whether \nphysical or virtual, so vital to the Nation that their incapacity or \ndestruction would have a debilitating impact on National security, \nNational economic security, National public health or safety, or any \ncombination of those matters.\n---------------------------------------------------------------------------\n    The security of these systems and data is essential to protecting \nNational and economic security, and public health and safety. 
\nConversely, ineffective information security controls can result in \nsignificant risks, including the loss of resources, such as Federal \npayments and collections; inappropriate access to sensitive \ninformation, such as National security information, personal \ninformation on taxpayers, or proprietary business information; \ndisruption of critical operations supporting critical infrastructure, \nNational defense, or emergency services; and undermining of agency \nmissions due to embarrassing incidents that diminish public confidence \nin Government.\n    cyber-reliant critical infrastructure and federal systems face \n                        increasing cyber threats\n    Threats to systems supporting critical infrastructure and Federal \ninformation systems are evolving and growing. Government officials are \nconcerned about attacks from individuals and groups with malicious \nintent, such as criminals, terrorists, and foreign nations. Federal law \nenforcement and intelligence agencies have identified multiple sources \nof threats to our Nation's critical information systems, including \nforeign nations engaged in espionage and information warfare, \ncriminals, hackers, virus writers, and disgruntled employees and \ncontractors. These groups and individuals have a variety of attack \ntechniques at their disposal that can be used to determine \nvulnerabilities and gain entry into targeted systems. For example, \nphishing involves the creation and use of fake e-mails and websites to \ndeceive internet users into disclosing their personal data and other \nsensitive information.\n    The connectivity between information systems, the internet, and \nother infrastructures also creates opportunities for attackers to \ndisrupt telecommunications, electrical power, and other critical \nservices. 
For example, in May 2008, we reported that the Tennessee \nValley Authority's (TVA) corporate network contained security \nweaknesses that could lead to the disruption of control systems \nnetworks and devices connected to that network.\\4\\ We made 19 \nrecommendations to improve the implementation of information security \nprogram activities for the control systems governing TVA's critical \ninfrastructures and 73 recommendations to address weaknesses in \ninformation security controls. TVA concurred with the recommendations \nand has taken steps to implement them. As Government, private sector, \nand personal activities continue to move to networked operations, the \nthreat will continue to grow.\n---------------------------------------------------------------------------\n    \\4\\ GAO, Information Security: TVA Needs to Address Weaknesses in \nControl Systems and Networks, (Washington, DC: May 21, 2008).\n---------------------------------------------------------------------------\nReported Security Incidents Are on the Rise\n    Consistent with the evolving and growing nature of the threats to \nFederal systems, agencies are reporting an increasing number of \nsecurity incidents. These incidents put sensitive information at risk. \nPersonally identifiable information about U.S. citizens has been lost, \nstolen, or improperly disclosed, thereby potentially exposing those \nindividuals to loss of privacy, identity theft, and financial crimes. \nAgencies have experienced a wide range of incidents involving data loss \nor theft, computer intrusions, and privacy breaches, underscoring the \nneed for improved security practices. Further, reported attacks and \nunintentional incidents involving critical infrastructure systems \ndemonstrate that a serious attack could be devastating.\n    When incidents occur, agencies are to notify the Federal \ninformation security incident center--the United States Computer \nEmergency Readiness Team (US-CERT). 
Over the past 5 years, the number \nof incidents reported by Federal agencies to US-CERT has increased \ndramatically, from 5,503 incidents reported in fiscal year 2006 to \nabout 41,776 incidents in fiscal year 2010 (a more than 650 percent \nincrease). The three most prevalent types of incidents and events \nreported to US-CERT during fiscal year 2010 were: (1) Malicious code \n(software that infects an operating system or application), (2) \nimproper usage (a violation of acceptable computing use policies), and \n(3) unauthorized access (where an individual gains logical or physical \naccess to a system without permission). Additionally, according to \nDepartment of Homeland Security (DHS) officials, US-CERT detects \nincidents and events through its intrusion detection system, \nsupplemented by agency reports, for investigation (unconfirmed \nincidents that are potentially malicious or anomalous activity deemed \nby the reporting entity to warrant further review).\n    Reports of cyber attacks and information security incidents against \nFederal systems and systems supporting critical infrastructure \nillustrate the effect that such incidents could have on National and \neconomic security.\n  <bullet> In July 2010, the Department of Defense (DOD) launched an \n        investigation to identify how thousands of classified military \n        documents (including Afghanistan and Iraq war operations, as \n        well as field reports on Pakistan) were obtained by the group \n        WikiLeaks.org. According to DOD, this investigation was related \n        to an on-going investigation of an Army private charged with, \n        among other things, transmitting National defense information \n        to an unauthorized source.\n  <bullet> In 2010, the Deputy Secretary of Defense stated that DOD \n        suffered a significant compromise of its classified military \n        computer networks in 2008. 
It began when a flash drive's \n        malicious computer code, placed there by a foreign intelligence \n        agency, uploaded itself onto a network and spread on both \n        classified and unclassified systems.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ Foreign Affairs, Defending a New Domain: The Pentagon's \nCyberstrategy, William J. Lynn III, U.S. Deputy Secretary of Defense \n(New York, NY: September/October 2010).\n---------------------------------------------------------------------------\n  <bullet> In February 2011, media reports stated that computer hackers \n        broke into and stole proprietary information worth millions of \n        dollars from the networks of six U.S. and European energy \n        companies.\nthe federal government has taken actions to address cyber threats, but \n            challenges remain in protecting critical systems\n    The Federal Government has a variety of roles and responsibilities \nin protecting the Nation's cyber-reliant critical infrastructure, \nenhancing the Nation's overall cybersecurity posture, and ensuring the \nsecurity of Federal systems and the information they contain. In light \nof the pervasive and increasing threats to critical systems, the \nExecutive branch is taking a number of steps to strengthen the Nation's \napproach to cybersecurity. For example, in its role as the focal point \nfor Federal efforts to protect the Nation's cyber critical \ninfrastructures,\\6\\ DHS issued a revised National infrastructure \nprotection plan in 2009 and an interim National cyber incident response \nplan in 2010. 
Executive branch agencies have also made progress \ninstituting several Government-wide initiatives that are aimed at \nbolstering aspects of Federal cybersecurity, such as reducing the \nnumber of Federal access points to the internet, establishing security \nconfigurations for desktop computers, and enhancing situational \nawareness of cyber events. Despite these efforts, the Federal \nGovernment continues to face significant challenges in protecting the \nNation's cyber-reliant critical infrastructure and Federal information \nsystems.\n---------------------------------------------------------------------------\n    \\6\\ As established by Federal law and policy, including the \nHomeland Security Act of 2002, Homeland Security Presidential \nDirective--7, and the National Strategy to Secure Cyberspace.\n---------------------------------------------------------------------------\nKey Actions to Improve Our Current National Approach to Cybersecurity \n        Have Not Yet Been Fully Implemented\n    The administration and Executive branch agencies have not yet fully \nimplemented key actions that are intended to address threats and \nimprove the current U.S. approach to cybersecurity.\n  <bullet> Implementing actions recommended by the President's \n        Cybersecurity Policy Review. In February 2009, the President \n        initiated a review of the Government's cybersecurity policies \n        and structures, which resulted in 24 near- and mid-term \n        recommendations to address organizational and policy changes to \n        improve the current U.S. 
approach to cybersecurity.\\7\\ In \n        October 2010, we reported that 2 recommendations had been \n        implemented and 22 were partially implemented.\\8\\ Officials \n        from key agencies involved in these efforts (e.g., DHS, DOD, \n        and the Office of Management and Budget (OMB)) stated that \n        progress had been slower than expected because agencies lacked \n        assigned roles and responsibilities and because several of the \n        mid-term recommendations would require action over multiple \n        years. We recommended that the National Cybersecurity \n        Coordinator (whose role was established as a result of the \n        policy review) designate roles and responsibilities for each \n        recommendation and develop milestones and plans, including \n        measures to show agencies' progress and performance.\n---------------------------------------------------------------------------\n    \\7\\ The White House, Cyberspace Policy Review: Assuring a Trusted \nand Resilient Information and Communications Infrastructure \n(Washington, DC: May 29, 2009).\n    \\8\\ GAO, Cyberspace Policy: Executive Branch Is Making Progress \nImplementing 2009 Policy Review Recommendations, but Sustained \nLeadership Is Needed, GAO-11-24 (Washington, DC: Oct. 6, 2010).\n---------------------------------------------------------------------------\n  <bullet> Updating the National strategy for securing the information \n        and communications infrastructure. In March 2009, we testified \n        on the needed improvements to the Nation's cybersecurity \n        strategy.\\9\\ In preparation for that testimony, we convened a \n        panel of experts that included former Federal officials, \n        academics, and private sector executives. 
The panel highlighted \n        12 key improvements that are, in its view, essential to \n        improving the strategy and our National cybersecurity posture, \n        including the development of a National strategy that clearly \n        articulates strategic objectives, goals, and priorities.\n---------------------------------------------------------------------------\n    \\9\\ GAO, National Cybersecurity Strategy: Key Improvements Are \nNeeded to Strengthen the Nation's Posture, GAO-09-432T (Washington, DC: \nMar. 10, 2009).\n---------------------------------------------------------------------------\n  <bullet> Developing a comprehensive National strategy for addressing \n        global cybersecurity and governance. In July 2010, we reported \n        that the U.S. Government faced a number of challenges in \n        formulating and implementing a coherent approach to global \n        aspects of cyberspace, including, among other things, providing \n        top-level leadership and developing a comprehensive \n        strategy.\\10\\ Specifically, we found that the National \n        Cybersecurity Coordinator's authority and capacity to \n        effectively coordinate and forge a coherent National approach \n        to cybersecurity were still under development. In addition, the \n        U.S. Government had not documented a clear vision of how the \n        international efforts of Federal entities, taken together, \n        support overarching National goals. We recommended that, among \n        other things, the National Cybersecurity Coordinator develop \n        with other relevant entities a comprehensive U.S. global \n        cyberspace strategy. 
The coordinator and his staff concurred \n        with our recommendations and stated that actions had already \n        been initiated to address them.\n---------------------------------------------------------------------------\n    \\10\\ GAO, Cyberspace: United States Faces Challenges in Addressing \nGlobal Cybersecurity and Governance, GAO-10-606 (Washington, DC: July \n2, 2010).\n---------------------------------------------------------------------------\n  <bullet> Finalizing cybersecurity guidelines and monitoring \n        compliance related to electricity grid modernization. In \n        January 2011, we reported on efforts by the National Institute \n        of Standards and Technology (NIST) to develop cybersecurity \n        guidelines and Federal Energy Regulatory Commission (FERC) \n        efforts to adopt and monitor cybersecurity standards related to \n        the electric industry's incorporation of IT systems to improve \n        reliability and efficiency--commonly referred to as the smart \n        grid.\\11\\ We determined that NIST had not addressed all key \n        elements of cybersecurity in its initial guidelines or \n        finalized plans for doing so. We also determined that FERC had \n        not developed an approach for monitoring industry compliance \n        with its initial set of voluntary standards. Further, we \n        identified six key challenges with respect to securing smart \n        grid systems, including a lack of security features being built \n        into certain smart grid systems and an ineffective mechanism \n        for sharing information on cybersecurity within the industry. \n        We recommended that NIST finalize its plans for updating its \n        cybersecurity guidelines to incorporate missing elements and \n        that FERC develop a coordinated approach to monitor voluntary \n        standards and address any gaps in compliance. 
Both agencies \n        agreed with these recommendations.\n---------------------------------------------------------------------------\n    \\11\\ GAO, Electricity Grid Modernization: Progress Being Made on \nCybersecurity Guidelines, but Key Challenges Remain to be Addressed, \nGAO-11-117 (Washington, DC: Jan. 12, 2011).\n---------------------------------------------------------------------------\n  <bullet> Creating a prioritized National and Federal cybersecurity \n        research and development (R&D) agenda. In June 2010, we \n        reported that while efforts to improve cybersecurity R&D were \n        under way by the White House's Office of Science and Technology \n        Policy (OSTP) and other Federal entities, six major challenges \n        impeded these efforts.\\12\\ Among the most critical was the lack \n        of a prioritized National cybersecurity research and \n        development agenda. We found that despite its legal \n        responsibility and our past recommendations, a key OSTP \n        subcommittee had not created a prioritized National R&D agenda, \n        increasing the risk that research pursued by individual \n        organizations will not reflect National priorities. We \n        recommended that OSTP direct the subcommittee to take several \n        actions, including developing a National cybersecurity R&D \n        agenda. OSTP agreed with our recommendation and provided \n        details on planned actions.\n---------------------------------------------------------------------------\n    \\12\\ GAO, Cybersecurity: Key Challenges Need to Be Addressed to \nImprove Research and Development, GAO-10-466 (Washington, DC: June 3, \n2010).\n---------------------------------------------------------------------------\n    We are in the process of verifying actions taken to implement our \nrecommendations. 
In addition, we have on-going work related to cyber \nCIP efforts in several other areas including: (1) Cybersecurity-related \nstandards used by critical infrastructure sectors, (2) Federal efforts \nto recruit, retain, train, and develop cybersecurity professionals, and \n(3) Federal efforts to address risks to the information technology \nsupply chain.\nFederal Capacity to Protect Against Cyber Threats Needs to Improve\n    In addition to improving our National capability to address \ncybersecurity, Executive branch agencies, in particular DHS, also need \nto improve their capacity to protect against cyber threats by, among \nother things, advancing cyber analysis and warning capabilities and \nstrengthening the effectiveness of the public-private sector \npartnerships in securing cyber critical infrastructure.\n  <bullet> Enhancing cyber analysis and warning capabilities. In July \n        2008, we reported that DHS's US-CERT had not fully addressed 15 \n        key attributes of cyber analysis and warning capabilities.\\13\\ \n        As a result, we recommended that the Department address \n        shortfalls associated with the 15 attributes in order to fully \n        establish a National cyber analysis and warning capability as \n        envisioned in the National strategy. DHS agreed in large part \n        with our recommendations and has reported that it is taking \n        steps to implement them. We are currently working with DHS \n        officials to determine the status of their efforts to address \n        these recommendations.\n---------------------------------------------------------------------------\n    \\13\\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in \nEstablishing a Comprehensive National Capability, GAO-08-588 \n(Washington, DC: Jul. 
31, 2008).\n---------------------------------------------------------------------------\n  <bullet> Strengthening the public-private partnerships for securing \n        cyber critical infrastructure. In July 2010, we reported that \n        the expectations of private sector stakeholders were not being \n        met by their Federal partners in areas related to sharing \n        information about cyber-based threats to critical \n        infrastructure.\\14\\ Federal partners, such as DHS, were taking \n        steps that may address the key expectations of the private \n        sector, including developing new information-sharing \n        arrangements. We also reported that public sector stakeholders \n        believed that improvements could be made to the partnership, \n        including improving private sector sharing of sensitive \n        information. We recommended that the National Cybersecurity \n        Coordinator and DHS work with their Federal and private sector \n        partners to enhance information-sharing efforts, including \n        leveraging a central focal point for sharing information among \n        the private sector, civilian government, law enforcement, the \n        military, and the intelligence community. 
DHS officials stated
        that they have made progress in addressing these
        recommendations, and we will be determining the extent of that
        progress as part of our audit follow-up efforts.
---------------------------------------------------------------------------
    \14\ GAO, Critical Infrastructure Protection: Key Private and
Public Cyber Expectations Need to Be Consistently Addressed, GAO-10-628
(Washington, DC: July 15, 2010).
---------------------------------------------------------------------------
Federal Agencies Have Not Addressed Persistent Control Weaknesses or
        Implemented Effective Information Security Programs
    Federal systems continue to be afflicted by persistent information
security control weaknesses. Specifically, agencies did not
consistently implement effective controls to prevent, limit, and detect
unauthorized access or manage the configuration of network devices to
prevent unauthorized access and ensure system integrity. Most of the 24
major Federal agencies had information security weaknesses in five key
internal control categories,\15\ as illustrated in Figure 1. In
addition, GAO determined that serious and widespread information
security control deficiencies were a Government-wide material weakness
in internal control over financial reporting as part of its audit of
the fiscal year 2010 financial statements for the United States
Government.
---------------------------------------------------------------------------
    \15\ The five internal controls are access controls, which ensure
that only authorized individuals can read, alter, or delete data;
configuration management controls, which provide assurance that only
authorized software programs are implemented; segregation of duties,
which reduces the risk that one individual can independently perform
inappropriate actions without detection; continuity of operations
planning, which provides for the prevention of significant disruptions
of computer-dependent operations; and an agency-wide information
security program (security management), which provides the framework
for ensuring that risks are understood and that effective controls are
selected and properly implemented.
[Figure 1 omitted: graphic not available in this version]

    Over the past several years, we and inspectors general have made
hundreds of recommendations to agencies for actions necessary to
resolve prior significant control deficiencies and information security
program shortfalls. For example, we recommended that agencies correct
specific information security deficiencies related to user
identification and authentication, authorization, boundary protections,
cryptography, audit and monitoring, physical security, configuration
management, segregation of duties, and contingency planning. We have
also recommended that agencies fully implement comprehensive, agency-
wide information security programs by correcting weaknesses in risk
assessments, information security policies and procedures, security
planning, security training, system tests and evaluations, and remedial
actions. The effective implementation of these recommendations will
strengthen the security posture at these agencies. Agencies have
implemented or are in the process of implementing many of our
recommendations.
    In addition, the White House, OMB, and selected Federal agencies
have undertaken Government-wide initiatives to enhance information
security at Federal agencies. For example, the Comprehensive National
Cybersecurity Initiative, a series of 12 projects, is aimed primarily
at improving DHS's and other Federal agencies' efforts to reduce
vulnerabilities, protect against intrusion attempts, and anticipate
future threats against Federal Executive branch information systems.
However, the projects face challenges in achieving their objectives
related to securing Federal information, including better defining
agency roles and responsibilities, establishing measures of
effectiveness, and establishing an appropriate level of transparency.
These challenges require sustained attention, which agencies have begun
to provide.
    In summary, the threats to information systems are evolving and
growing, and systems supporting our Nation's critical infrastructure
and Federal systems are not sufficiently protected to consistently
thwart the threats. Administration and Executive branch agencies need
to take actions to improve our Nation's cybersecurity posture,
including implementing the actions recommended by the President's
cybersecurity policy review and enhancing cyber analysis and warning
capabilities. In addition, actions are needed to enhance security over
Federal systems and information, including fully developing and
effectively implementing agency-wide information security programs and
implementing open recommendations. Until these actions are taken, our
Nation's Federal and non-Federal cyber critical infrastructure will
remain vulnerable. Mr. Chairman, this completes my statement. I would
be happy to answer any questions you or other Members of the
subcommittee have at this time.

    Mr. Lungren. Thank you very much. We will now start a round
of questioning, and I yield myself 5 minutes.
    Mr. Reitinger, it is so easy to be a Monday morning
quarterback. As we look at what is happening in Japan, you see
the effects of one of the largest recorded, most powerful
earthquakes in history, a tsunami that, if you watch it via the
internet, if you watch it via YouTube, you see something that
is stronger than any words could present. Then you see the
resulting failure at the nuclear power plants. I wonder if
Japan, in analyzing threats, would ever have seen that triple
whammy scenario.
    So I wonder what is it that you worry most about, Mr.
Reitinger? The only reason I ask you that is, I think we need
to do something to get a sense of urgency about this particular
subject matter, not only in the Congress, but in the public at
large. So what is the most serious threat that you see to our
critical infrastructure as a result of something that may visit
it by way of cybersecurity, or a lack of cybersecurity, an
invasion of our cyber system, penetration of our cyber system?
    Mr. Reitinger. Thank you very much, Mr. Chairman.
    I would like to take that in a slightly different
direction, if I might. The threats are very serious, but I
think it is somewhat difficult to say that this particular
vector of attack is greater than this particular vector.
Certainly I do worry very much about things like attacks on
control systems, where it is not just, well, we can't get
access to our data, but we can't have the power on; or it is
not just we can't get access to our data or somebody access to
our data, somebody may have filled with our data, not just
attacks on confidentiality, but integrity. So if someone got
access to a major medical database and changed the contents of
it, that could have significant consequences in terms of human
life for a large number of people.
    But what concerns me the most is not any of those
particular things, it is what you started out your question
with. Was Japan fully prepared? As much as they prepared, were
they prepared? Are we now prepared for that type of cyber
attack and are we doing the things that we need to do now to be
ready when and if that sort of event takes place? We have done
considerable things to raise the priority of cybersecurity.
    Just last year, the Ranking Member mentioned the first-ever
Quadrennial Homeland Security Review which identified
cybersecurity as one of the top mission areas for the entire
homeland security enterprise on a par with protecting our
borders and having domestic security and providing resilience
to disasters. On a par with those things, cybersecurity is just
as important. But are we, as a Nation, going to do the things
that we need to do to make sure that we have got the
capabilities and ability to respond across the public and
private sectors? Are we going to keep the focus and move
forward rather than waiting to respond when it is too late?
    Mr. Lungren. Mr. Wilshusen, looking at your report and your
comments, your suggestion is we are not doing all that we need
to do. Can you outline, in your opinion, for instance, what is
hindering DHS's cybersecurity mission right now?
    Mr. Wilshusen. Well, I think there are probably a couple of
issues. Just to echo what Mr. Reitinger mentioned, too, is that
preparation is key in order to address these threats because
often you may not know exactly what will happen, but you will
need to be able to respond to them and hopefully take
corrective action before the need occurs.
    One of the things that DHS could do to help the private
sector and others to better protect their systems is to provide
clear, actionable, and alert threat information and share
techniques with the private sector to improve their security.
    Mr. Lungren. Is that not being done, in your opinion, to
the extent necessary?
    Mr. Wilshusen. Well, we recently completed a review in
which we asked private sector organizations what their key
expectations are of the private sector/public partnerships.
Over 98 percent of the respondents indicated that having
actionable and timely threat and alert information was
essential to a great or moderate extent, but only 27 percent
felt that they were actually receiving that type of information
to a great or moderate extent.
    So clearly, one of the actions that DHS can do is to help
provide value-added services to its constituents and to the
private sector. It is attempting to and has taken actions to
help improve its cyber analysis and warning capabilities, but
as Mr. Reitinger mentioned in his opening remarks, more needs
to be done.
    Mr. Lungren. My time is up.
    The Ranking Member is recognized for 5 minutes.
    Ms. Clarke. Mr. Reitinger and Mr. Wilshusen, DHS has many
detractors on any number of issues, but we want to make sure
that the right people are tasked with doing the job of
addressing cybersecurity to our critical infrastructure. The
other agencies in the Federal Government with considerable
cybersecurity expertise are the NSA and the DOD. Is DHS the
proper agency to lead Federal cybersecurity efforts? Is there
another Federal agency that should do this?
    Mr. Reitinger. Thank you, ma'am. I think I will start, if
that is all right.
    I think DHS absolutely is the right place to lead efforts
with regard to Federal civilian systems and the private sector.
I would like to respond in part of response to your question to
what Greg had indicated. There is a long way to go in terms of
being able to share the right information with the private
sector. We have made significant strides. If you just take the
last couple of years, at the start of fiscal year 2009, DHS and
the entire National Cybersecurity Division had, I think, 38
people at the start of the year. Over the last 2 years, we have
roughly tripled that, and then roughly doubled it in 2009 and
2010, so we are up to about 240 right now. In the President's
request in the fiscal year 2012 budget, we grow that to a
little more than 400 people.
    So we are significantly expanding our people, and expanding
our people expands our capabilities. I think Greg would tell
you that we have done a lot.
    We have had significant successes, for example, in terms of
sharing actionable information. We are in the course of a pilot
right now with the financial services sector where we share
information--and we partnered with DOD and the financial
services sector for this. We have shared literally hundreds of
pieces of actionable information with the financial services
sector, which has also shared hundreds of pieces of information
back to us. We then take that information, it comes back to us
in an itemized form, we can glean data from it and pass that
out. So we are moving forward on actionable activities that
actually add value.
    There are lots of roles to play here. DOD has an essential
role to play protecting military systems and providing a core
and deep technical expertise in the National Security Agency
and Cyber Command on which all of us in appropriate cases rely.
We at DHS have our own expertise. For example, we have
deployed, in the much messier environment of the Federal
civilian infrastructure, EINSTEIN 2, which is a system designed
to detect attempts to break into Federal civilian systems. Just
last year, it detected over 5.4 million events. We have not
done that in a unitary network that is subject to command and
control, but in, so far, 15 of 19 different major Federal
agencies and at four internet service providers.
    So we have developed the expertise on how to act in that
environment, move forward to protect security, and to protect
privacy at the same time.
    Mr. Wilshusen. I would just like to add that DHS is
building out its capabilities to provide services to its
constituents. It has also received responsibility for providing
increased oversight and assistance to other Federal agencies in
implementing their information security programs and practices.
    One of the issues confronting DHS, at least as we see it,
is do they have the proper authorities to do that? There are
challenges associated with one agency providing oversight over
another agency. At present, under the Federal Information
Security Management Act, many of the authorities are granted to
the Office of Management and Budget. But last year, in July,
OMB assigned some of those responsibilities over to DHS, and
DHS is working to build out its capacity to perform those
services.
    Certainly, as you mentioned before with DOD and NSA, they
have a high level of skill and capabilities in this area. To my
knowledge, they have been working with DHS to some extent in
transferring some of those skills and abilities as DHS builds
out its own capabilities.
    Ms. Clarke. Just following up, Mr. Reitinger, on the
EINSTEIN issue, the National Cybersecurity Division is
currently planning to deploy five EINSTEIN monitors or five key
nodes in the dot-gov domain that will be used to prevent and
detect intrusions on computer systems. If the continuing
resolution is adopted by Congress and you don't receive your
requested funds for 2011, how would it affect this much-needed
project and the request for $226.6 million in the fiscal year
2012 budget?
    Mr. Reitinger. Thank you, ma'am.
    I think the proposal under H.R. 1 would cut roughly $60
million from the entire NPPD budget. It is actually a budget
cut not specifically to cyber, but more broadly to NPPD, but
there is no way in our budget to do that without a cut to
cyber. So a big chunk of those resources would, in fact, be
drawn from the resources we would use to deploy what you are
referring to, the EINSTEIN 3 system, and it would adversely
affect the time line for deployment of those sensors, yes,
ma'am, and our ability to provide advice and assistance to
agencies on the data that we receive.
    Ms. Clarke. Thank you very much.
    I yield back, Mr. Chairman.
    Mr. Lungren. Mr. Reitinger, you are not here to testify as
to whether or not we should have another month in which we have
a $228 billion addition to the debt, are you? I didn't think
so.
    Mr. Walberg is recognized for 5 minutes.
    Mr. Walberg. Thank you, Mr. Chairman. Thanks to the panel
for being here talking about an area that is expanding my mind
daily, as I think about it--so far not causing me a lot of loss
of sleep because I know that there are people who are thinking
about it regularly, but I appreciate your testimony this
morning.
    The question I would just begin with to each of you is a
short question with an answer that probably I would ask you to
consider answering in relationship to what you know today and
what you perceive today.
    In which sector could a cyber attack do the most damage?
    Mr. Reitinger. So, sir, I am somewhat hesitant simply
because it is hard to say that one sector grown large is
critical from top to bottom whereas another sector is not
critical from top to bottom. There are, however, critical
entities in many sectors, and some of the sectors we worry most
about are, for example, financial services and electric power,
primarily because those are sectors, along with information and
communications, where you notice adverse effects in
milliseconds--and I mean that, milliseconds--as opposed to
seconds, minutes, hours, or days.
    Mr. Walberg. Thank you.
    Mr. Wilshusen.
    Mr. Wilshusen. I would agree with Mr. Reitinger's remarks,
particularly as it relates to the financial services and
electrical power sectors.
    There was an incident a couple years ago at a power plant,
nuclear power plant in Alabama. Now this was an unintended
incident, it was not due to a cyber attack, but it does
represent and illustrate the impact that could occur from such
an attack. It was due to an equipment failure on a network that
was connected to one of the control systems. Through a series
of events that occurred as a result of that equipment failure,
the plant had to bring down its nuclear reactor for a time. It's
due to, in part, because of the interconnectivity of these
systems to control systems. So it can have a potentially
devastating effect.
    Certainly on the financial services side, there have been
numerous reports where literally millions of dollars have been
lost and absconded with through cyber attacks.
    Mr. Walberg. Thank you.
    Mr. Reitinger, moving on from that--and I would suggest
that your answers coincided with my thoughts, as elementary as
they may be, in talking with energy providers and financial
institutions in the past several weeks, that just the effect of
a keystroke is amazing.
    But let me ask you, Mr. Reitinger, are private sector
entities responsive to the efforts the Government makes with
them to warn of threats and mitigate the consequence of
attacks? What is the experience there?
    Mr. Reitinger. I think, sir, you would find that the
experience in the private sector is similar to that in
Government agencies. There are a lot of entities who get it and
some who don't. The private sector has created wholly new
technical capabilities over the last 10 years and has itself
built new ways of working together and sharing information, not
only expanding their information sharing and analysis centers,
but creating other mechanisms to work together.
    All that said, we are not yet where we need to be in terms
of broad awareness, but within the business community and among
individuals, in terms of what the threat is and what actions
they need to take. One of the things that we are trying very
much to do in the Department of Homeland Security is do less of
the talking to ourselves, and as we raise awareness, making
sure we are talking to the right people, talking not just to
CISOs, chief information security officers or chief risk
management officers, but talking to chief financial officers
and chief operating officers, the people who cut the checks and
say this will affect your bottom line.
    There is broad willingness and interest across the public
and private sectors to work together. There is still a long way
to go to have uniform action.
    Mr. Walberg. Mr. Wilshusen, you mentioned that the
Government must improve the public-private partnership by
improving information sharing. What are some specific
recommendations you would have?
    Mr. Wilshusen. Well, one is, as I mentioned before, for
DHS, in its role as a key focal point with dealing with the
private sector, is to provide actionable, timely notices of
either warnings, threat warnings, as well as alerts of specific
actions currently underway. That has been one of the key
services that the private sector organizations have indicated
that they expect to receive but have not yet fully received to
the levels of expectations. So that would be one area that DHS
could work on. Indeed, as Mr. Reitinger mentioned earlier, they
are taking steps to address those areas.
    Mr. Walberg. I see my time is up. Thank you.
    Mr. Lungren. The gentleman from Louisiana, Mr. Richmond, is
recognized for 5 minutes.
    Mr. Richmond. Thank you, Mr. Chairman.
    I guess my question is for whoever wants to answer. Part of
what at least I saw in the BP Horizon oil spill in Louisiana
was that as soon as it happened, there was a clear chain of
command and there was a set up protocol and people who took
over at certain points. Do we have, in the event of a cyber
attack, a clear chain of command with defined roles and
responsibilities within Government?
    Mr. Reitinger. Sir, to be frank, I think we could use
further clarity. We have made significant strides in that
regard. Overall, cyber incidents are going to be incredibly
complex, and so it is hard to generalize. But it is clear that
the President is in charge overall, that with regard to
domestic response, the Secretary of Homeland Security, under
her Homeland Security Act and authorities under the various
Presidential directives, is responsible, and DOD is responsible
for National defense. We built the mechanisms to work
effectively together. We now have a National cyber incident
response plan that defines roles and responsibilities, and we
are going to continue to improve that as our experience
develops.
    We have also established a mechanism so that two of the
largest players--DOD and DHS--can work effectively together,
notably signing a memorandum of agreement which was driven, I
will tell you, at the Secretarial level; so directly between
the Secretary of Homeland Security and the Secretary of Defense
to enable effective synchronization between DOD. So we have a
team of senior people, are deploying a team of senior people at
NSA and Cyber Command, and they are deploying two groups--one
from NSA and one from Cyber Command--to our cyber operation
center so they can effectively support us.
    One of the things that we are doing in DHS is--and this is
not just about cyber, it is also about infrastructure
protection--is, as we develop capability, we are becoming an
operational entity. We think it is very important that we be
not about discussing, but about doing and enabling others to
do. So that is where our focus is.
    Mr. Wilshusen. I would just add that one of the key aspects
to this that would also be helpful to have a straight line of
chain of command is for the administration and Federal agencies
to establish and update the National Policy for Securing
Cyberspace. This is a document that is many years old. It has
had a number of issues with it that have impeded its progress
in being able to be implemented. One thing that needs to be
developed is just a clear articulation of the objectives,
goals, and priorities for Federal agencies and the private
sector to implement security over cyberspace and the systems
that they operate.
    Mr. Richmond. Thank you.
    As I was talking to my community health centers yesterday,
we started talking about electronic health records and they
mentioned to me that there were 60 companies just in my area
that provided those services. Then I started thinking about
smart grids. Do we have an industry standard or is there a
published standard that these companies have to have in
relation to protecting their electronic health records? Or have
we set a baseline that they have to at least adhere to, to make
sure that we protect people's privacy and we protect the risk
of an attack in that area?
    Mr. Wilshusen. Well, the Department of Health and Human
Services, under HIPAA, issues a security rule that health care
providers are required to follow certain security and privacy
guidelines. So that is probably as close as anything that
exists to a standard, if you will, or guidelines and
requirements for protecting the confidentiality and integrity
of health information.
    Mr. Richmond. But under HIPAA, have they--I hate to put it
this way, have they gotten to the level of sophistication to
address cybersecurity in terms of protecting those health
records? I know traditionally we just said don't leak people's
medical condition, don't publish it, you have to protect it and
put it in a safe place. But now when we start going to
electronic health records, the question is whether somebody has
put out the technical guidelines and the technical
responsibilities to make sure that at least those companies are
not easily hacked. That will be my question, and I yield back,
Mr. Chairman.
    Mr. Wilshusen. Well, the security rule does provide some
guidelines, but probably not to the level that you are
referring to in terms of the very detailed technical standards
that may be required.
    One of the issues that also comes up is in terms of data
interoperability between various different health organizations
and States to make sure that this health information is
actually interoperable among different States as they develop
their own individual standards. So that is another issue that
is attendant to the one you are asking about.
    Mr. Lungren. The gentleman's time has expired.
    Mr. Meehan is recognized for 5 minutes.
    Mr. Meehan. Thank you, Mr. Chairman. Thank you to each of
our panelists for their very revealing testimony today.
    Let me ask both of you, 15 million reports in the course of
a year, and yet we are trying to communicate with the private
sector simultaneously, particularly those with these control
systems. How do you triage to know what to communicate down the
line and say this is something we ought to be reaching out to
without becoming a point in time where you are--what is the old
adage--crying wolf and they don't know when to really be
alerted?
    Mr. Reitinger. Sir, I would say you have to do a couple of
things. One, you broadly have to find the broader points of
influence. In a time that we all have those scarce resources,
what is the most effective way to institute protections to get
the private sector not only to understand the threat, but
implement the threat? So we focus very much on that.
    You try to have broad campaigns. So one of the things that
we did this year for the first time as a response to the
President's Cyberspace Policy Review, instead of just having an
annual Cybersecurity Security Awareness Month, we have now got
an annual campaign, the ``Stop. Think. Connect.'' Campaign,
which we are advocating for. It was developed--not by DHS, but
actually by a partnership. That is something a partnership can
do; it is people in the private sector and the public sector
working together to come up with a message that we can all work
together to implement, something fairly actionable.
    The last thing is that you do have to make choices, you do
have to triage. That is something we do generally in the space.
We have 5.4 million events. You can't look in detail at every
one of them. You have to figure out fairly rapidly, look for
indicators for what are the most severe? You try to expand our
capabilities.
    One of the things we have done in DHS is established fly-
away teams. So we have a team of people that we can deploy if
there is a significant incident at a private sector company
and they need our assistance.
    In some sense it is because of the act, in some sense it is
because of a prioritization, that team is typically deployed
for control systems-type incidents because that is one of the
things that we worry about significantly. So there are a lot of
processes that one has to go through to try to figure out where
you are most effectively applying resources to the effect you
need.
    Mr. Meehan. Do you agree with that sort of assessment?
    Mr. Wilshusen. Yes, I would.
    Mr. Meehan. The thing that really strikes me again is the
interoperability. We keep talking about these control systems
and the capacity to be able to impact entire areas which are
interdependent. How can we create the kind of requirement, so
to speak, from the private sector to collaborate with you to be
able to, as we say, meet some kind of National policy standards
or objectives so that we are working together? We have
effectively independent agencies that have oversight over
critical pieces of this infrastructure which are at risk.
    Mr. Reitinger. So, sir--I feel like I keep jumping ahead of
Greg. Do you want to go first or I will?
    I would say there are a number of things we need to do. We
at DHS are focused on executing within our existing authorities
to accomplish that mission. There are a number of things we can
do. We talked a lot about awareness, so raising awareness among
the companies is a key part of this. As Greg has indicated,
sharing classified and unclassified threat information so that
they are really sensitized to what the issues are.
    Second, we can work on things like helping develop
standards and working with the private sector to make sure that
they have available solutions so that there is a known path to
better security.
    Mr. Meehan. My time will run out, but are there minimal
standards right now that we have in the industry that we can
expect people to abide by so that at least there is some kind
of a baseline that we can expect collaboration that they will
address within their own institution so that they are capable
of communicating with you about these issues?
    Mr. Reitinger. So there are many standards, sir, of
differing degrees of prescriptiveness, if you will, and
effectiveness. One of the things that I don't think we have
right now is what one might think of as a baseline ability to
say across all of the critical infrastructures we are meeting
the standard that we need. So one of the things that we are
doing is working with not only other agencies within the
Federal Government so that they are aware of what the
requirements are, but we have, in one case, DHS has specific
authority, and that is for the chemical facilities sector, or
the chemical sector where we have put in a risk-based
performance standard into the existing CFATS regime related to
cybersecurity. We will be continuing to look at that going
forward to make sure that it meets National requirements.
    Mr. Wilshusen. If I may add, we have an on-going engagement
right now looking at what standards are in effect at various
different critical infrastructure sectors and to assess, to the
extent that those standards exist, whether they are voluntary;
and how those sectors either enforce or assure that their
members actually implement those standards. We expect to be
reporting out on that later this year.
    Mr. Meehan. Thank you, Mr. Chairman.
    Mr. Lungren. I will just tell the gentleman that we will
shortly schedule a markup on the CFATS bill so that we will
have that issue going forward.
    I understand Mr. Keating has no questions at this time, so
Mr. McCaul is recognized for 5 minutes.
    Mr. McCaul. Thank you, Mr. Chairman. Phil, it is good to
see you again. Thank you for your hard work on the CSIS
Commission. It is a great report, outstanding.
    I mean, the threats are real, we all know what they are--
the power grids, financial sectors. You know, when I was
Ranking Member of this subcommittee two Congresses ago, we held
hearings and talked about what is the coordination between DHS?
DHS has a primary mission to defend. Are they talking to DOD or
NSA that has the offensive capability, not that one is charged
with defensive, are those coordinating as well?
    I will say, I think, DHS has come a long way since those
hearings, and that is very good news. I noticed, Phil, in your
testimony you talked about an MOU that has been signed between
DHS and the DOD, and I was very glad to see that. Can you
explain how that is working? Also, do you anticipate doing
something similar with NSA?
    Mr. Reitinger. Absolutely, sir. So I talked a little bit
about that before. We signed, at the Secretarial level, an MOA,
a memorandum of agreement--sorry, I fall back into acronyms too
much--between the Department of Defense and the Department of
Homeland Security. There are two points of contact on that; one
is me, and the other is Dr. Jim Miller, who is the Principal
Under Secretary of Defense for Policy at DOD. Under that
agreement, DHS, so that we can stay fully synched with our
partners in the Department of Defense, has and is deploying a
team of people to Fort Meade that will be led by a DHS senior,
who is currently Rear Admiral Mike Brown, who has been in the
Department of Homeland Security on detail from DOD for a number
of years.
    He will have a team of people that will comprise first a
joint coordination element to do joint planning at DOD, make
sure we can stay operationally synched, a group of people who
are going to work with NSA on its technology, and another group
of people who will be embedded in the NTOC at NSA so that we
have full assay of the NSA's knowledge of the threat.
    NSA and Cyber Command are both deploying teams of people to
our Cyber Operation Center to support our domestic cyber
operations. So there will be a cryptologic support group from
NSA and a cyber support element--I am more comfortable with CSG
and CSE, but those are what they are called--from Cyber Command
that will directly support us. We are in the initial stages of
developing these capabilities, but it is already working very
well. I would also say that those are not the only means that
we have to coordinate. So we literally hold a weekly SVTC, a
secure video teleconference, with our partners in DOD to make
sure we are staying coordinated. We work with them at deputies
committee meetings and lots of other administrative policy and
other processes. So we have come a long way between these two
departments in our ability to support each other and our
respective mission spaces.
    Mr. McCaul. That is certainly good news, and I do want to
commend you for that. Again, from two Congresses ago, that is
great progress, and I am very glad to hear that. They have the
assets, the expertise, and the capabilities, so it makes no
sense for them not to work with you and share that.
    Private sector sharing threat information, it is always
difficult for the private sector to share that with the Federal
Government. The incentives are still lacking, I think, to some
extent. They have a duty to their shareholders, they don't want
to report this kind of stuff. How do you incentivize them to do
that? Would an exception to FOIA be helpful in terms of that
threat information not being subjected to a FOIA request?
    Mr. Reitinger. With regard to at least some information
submitted under the Protected Critical Information
Infrastructure program, the PCII program, there is a FOIA
exception. The issue I think is a little broader, and that is
that there remains a lack of clarity about the costs and risks
of sharing information from the private sector to the
Government. So sometimes one has the problem that when the
private sector and Government want to talk--I think generally
if something is happening, the private sector will lean forward
to figure out a way to share information, as will the
Government. Because when you get operators talking with
operators, they have a problem to solve. If it is more on-
going, the problem is, nowadays, if you get together and you
want to work together, you want to share information, not just
to share information to solve a particular problem, sometimes
the first thing you have to do is call the lawyers into the
room. You and I, sir, are both lawyers, we love lawyers, but----
    Mr. McCaul. I wouldn't necessarily say that.
    Mr. Reitinger. So we have some internal processes going now
to try and generate some clarity with the private sector about
what the rules are so that you can have a more rapid and
effective conversation.
    Mr. McCaul. Last, if I could indulge the Chair, the
National Policy for Cyberspace--it was mentioned earlier--sir,
the last one was developed in 2003, I think one of the
recommendations we had with the Commission was to develop a
National policy. That is within the jurisdiction and authority
of the White House. Can you demonstrate why that is so
important and so critical?
    Mr. Reitinger. Well, I think having a National policy is
critical. I would personally favor, while I think we knew new
ways to do things, focusing very heavily on implementation. We
at DHS are working right now on the strategy which will
underlie the cybersecurity part of the Quadrennial Homeland
Security Review that the Ranking Member brought up. So for us
this is mission four or cybersecurity across the Homeland
Security enterprise. We are working now across Government and
with the private sector to develop that strategy that will roll
out to the broader National strategy.
    Mr. McCaul. Thank you so much.
    Mr. Lungren. I want to thank our panelists for not only
your oral testimony here today but your written testimony. You
have helped us considerably.
    Mr. Reitinger, and also in classified briefings, I just
want to tell you that members of this panel very much
appreciated your participation and the participation of others,
and that has helped us a great deal.
    I will be calling on both of you in the future to help us a
little bit more as we go forward on an issue that will not go
away and only needs greater clarity and greater visibility. So
we thank both of you.
    Now, we would move to our second panel, and I know it will
take a little while for the three of them to get there.
    We are very pleased to have our second panel. We have
outstanding panelists in both panels, and we very much
appreciate your time and your effort and the knowledge that you
are relaying to us here today.
    Dr.
Phyllis Schneck is the vice president and chief \ntechnical officer of Global Public Sector for McAfee. She also \nserves as a volunteer as chairman of the board of directors of \nthe National Cyber-Forensics & Training Alliance, which is an \nimportant partnership between Government, law enforcement, and \nthe private sector for information analytics and has been used \nto prosecute over 150 cyber criminals worldwide.\n    Earlier Dr. Schneck worked as vice president of Threat \nIntelligence at McAfee and was responsible for the design and \napplication of McAfee's internet reputation intelligence. She \nhas a Ph.D. in computer science from Georgia Tech where she \npioneered the field of information security and security-based \nhigher-performance computing.\n    Thank you for being here.\n    Dr. James Lewis is a senior fellow and program director at \nCSIS where he writes on technology, National security, and the \ninternational economy.\n    Before joining CSIS, he worked in the Federal Government as \na Foreign Service officer and as a member of the Senior \nExecutive Service. Most recently he was the project director of \nCSIS's Commission on Cyber Security for the 44th Presidency. \nThat report has been downloaded, I understand, more than 40,000 \ntimes, so no secrets there. He received his Ph.D. from the \nUniversity of Chicago in 1984.\n    Mischel Kwon is an IT executive with more than 29 years of \nexperience ranging from application, design, and development to \nbuilding organizational and National level computer emergency \nincident response and readiness teams. She is most recently the \nvice president of Public Sector Security for RSA, the security \ndivision of the EMC Corporation, and prior to that, she was the \ndirector of the United States Computer Emergency Readiness \nTeam, US-CERT, at DHS.\n    We welcome all of our witnesses. We are pleased that you \nare able to share your perspective with us. 
As I said, your \nwritten testimony will be made part of the record. We would \nlike to recognize each of you in order for 5 minutes, and I \nknow that is a short period of time, but we will try and stay \nwith that as much as possible and then ask you questions.\n    So, first of all, Dr. Schneck.\n\n    STATEMENTS OF PHYLLIS SCHNECK, VICE PRESIDENT AND CHIEF \n                TECHNICAL OFFICER, MC AFEE INC.\n\n    Ms. Schneck. Good morning.\n    Chairman Lungren, Ranking Member Clarke, and other \ndistinguished Members of the subcommittee, thank you for \nrequesting McAfee's views on the cyber threat to critical \ninfrastructure and the American economy. It is an honor and a \npleasure to be part of the process and to be here today.\n    Your committee is playing a vital role in helping to define \nthe contours of the cybersecurity debate, and your aim to write \nthoughtful and incentives-based legislation must be commended.\n    As you mentioned, I focused my entire career on \ncybersecurity, looking at both the technology and the \napplications and certainly the trust engaged in public-private \npartnership and the need for more information sharing.\n    McAfee is the largest dedicated cybersecurity company in \nthe world, and we are also a wholly-owned subsidiary of the Intel \nCorporation. 
We protect the cyber spectrum, from the biggest \ncomputers and the big cloud computing, as we all refer, to the \nsmallest components, even down to our cell phones or airplane \navionics systems and our cars and certainly now to the chip.\n    My testimony will focus on the following key areas: The \nevolution of the cyber threat landscape; McAfee's Global Threat \nIntelligence Solution; and the paradigm change that we need to \nmake in order to protect our cyber infrastructures and thus our \nglobal critical infrastructures; two major cyber security \nevents, advanced persistent threats that we have seen, these \nare just two of many, many, just two that have been vocalized; \nand certainly some policy recommendations to improve public-\nprivate sector information sharing.\n    Our adversary is strong. Our adversary is smart. They act \nfaster than we do. They have full funding, in many cases, from \ngovernments, from nation states. They have malicious intent, \nand they don't have the intellectual property barriers that we \ndo. They don't have the legal barriers that we do to execute. \nThey are criminals; there is nothing to lose.\n    So when you look at the landscape from 20 years ago and you \nlook at ``antivirus,'' all of the adversary's ability over the \npast 2 decades, all of the damage we have talked about this \nmorning, has been enabled by malicious code, the ability of an \nadversary to execute their will somewhere else, and whether it \ncauses, as in the old days, just something to prove that \nsomebody can do something all the way to financial organized \ncrime with a financial motivation, and now, as we are seeing, \ngovernment-structured or nation-state attacks that look for \ndestruction and/or the taking of intellectual property.\n    As we look at how we fight that, a signature will not beat \nthis adversary. Signature was a legacy model. We should know \nabout the attack. 
We will protect everybody, and boom, they are \nfine when they get it, sort of like a vaccination.\n    That doesn't work anymore. We need a full paradigm shift to \nretake the global cybersecurity picture that we have as a \nprivate industry and Government and infuse that into our \nnetwork fabric, again from cloud to chip, where the enemy's \nwill is blocked before it reaches a target.\n    When you think about global threat intelligence and what we \nmean by that, McAfee and other companies in the IT \ninfrastructure and other infrastructures have the ability and \nhave developed very sophisticated information-gathering \ncapabilities where we have a weather map, a cyber weather map \nof events that happen all over the world, an understanding of \ntraffic volumes, an understanding of what machines are doing, \nwhat harm and to where, where they are targeting, where \nmalicious code that looks just like other malicious code is \nbeing sent.\n    We have to react in two ways: We have to react first and \nforemost to beat this adversary in milliseconds. The one thing \nthis enemy can't do is understand how the entire system works \nand block it in real time, so the disease never reaches your \nbody or your body can fight the disease in real time without \nunderstanding the name of the germ first.\n    The second thing we have to do is better enable ourselves \nto share information at the human level. While that is not real \ntime, it helps us understand the motivation, understand future \ntargets and, first and foremost, protect ourselves.\n    We looked at two major threats over the past couple of \nyears and led the investigations at McAfee. There are many \nothers like this, but the first one was Operation Aurora, same name \nas the diesel generator explosion at INL; however, we kept the \nname for this one. That is the name the bad guys gave it. 
It is \nin the file path.\n    This was the most sophisticated event we have ever seen \ntargeted toward the private sector. They usually save this for \nour friends in Government. We estimate it took teams of people \nmany weeks to target the 20 or so companies they looked for, \nthe information they wanted to get, and, most powerfully, the \npeople in those companies that had access to code stores of \nthat size, meaning the people that tested the code, the people \nthat have to see all of it working together.\n    They exfiltrated or took the copies of the code out to \nservers placed in different countries, and they are using that \nlikely today. Many attacks exist that look just like this \ntoday. They lurk; they are often called advanced persistent \nthreat.\n    The other one we recently discovered and investigated was \ncalled Night Dragon, similar setup but less sophisticated, \nagain one of many. But they were looking specifically at \narchitectural plans for pipelines in the oil and gas sector, \nand this one was around the world.\n    Leading to the policy recommendations, the private sector \nneeds some stronger protections to share information with \nGovernment and law enforcement. It was said in the earlier \npanel, in the middle of the crisis, the operators will talk, \nand they do. But we need to be better protected.\n    We and other companies put little pieces of the puzzle \ntogether, and we get a very big picture, and we want to share \nthat with our colleagues in Government and in law enforcement.\n    We want to do that faster. We can't. It creates in many \ncases material information that affects shareholders, \ncompanies' bottom lines, and it can breach trust. 
We need much \nstronger protection, so that when someone in law enforcement, \nas they did, called me up and says, why didn't I have this \nyesterday when you knew it, my answer doesn't have to be, \nbecause I could get fired.\n    We have to beat this adversary, and we have to--we all of \nthe--we have a lot of the information we need among the private \nsector to use the great collaborative organizations that DHS \nand the FBI and others have created for us with the private \nsector. Great construct exists. If we can put more information \ninto those, we can use those constructs to their fullest \npotential.\n    So, in conclusion, I do want to thank you very much for \nhaving us today, for being a part of the process. McAfee is \nvery committed to working with the U.S. Government to solve the \ncybersecurity challenges and to beat this adversary.\n    [The statement of Ms. Schneck follows:]\n                 Prepared Statement of Phyllis Schneck\n                             March 16, 2011\n    Chairman Lungren, Ranking Member Clarke, and other distinguished \nMembers of the subcommittee, thank you for requesting McAfee's views on \nthe cyber threat to critical infrastructure and the American economy. \nYour committee is playing a vital role in helping to define the \ncontours of the cyber security debate, and your aim to write \nthoughtful, incentives-based legislation must be commended.\n    My name is Phyllis Schneck and I have dedicated my entire \nprofessional career to the security and infrastructure protection \ncommunity. My technical background is in high performance computing and \ncryptography. 
In addition to serving as Vice President and Chief \nTechnology Officer, Global Public Sector, for McAfee, I serve as \nChairman of the Board of Directors of the National Cyber Forensics and \nTraining Alliance, a partnership between Government, law enforcement, \nand the private sector for information analytics that has been used to \nprosecute over 150 cyber criminals world-wide. Earlier, I worked as \nVice President of Threat Intelligence at McAfee and was responsible for \nthe design and application of McAfee's<SUP>TM</SUP> internet reputation \nintelligence. I have also served as a commissioner and working group \nco-chair on the public-private partnership for the CSIS Commission to \nAdvise the 44th President on Cyber Security.\n    Additionally, I served for 8 years as chairman of the National \nBoard of Directors of the FBI's InfraGard<SUP>TM</SUP> program and as \nfounding president of InfraGard Atlanta, growing the InfraGard program \nfrom 2,000 to over 33,000 members Nation-wide. Before joining McAfee, I \nwas Vice President of Research Integration at Secure Computing. I hold \na Ph.D. 
in Computer Science from Georgia Tech, where I pioneered the \nfield of information security and security-based high-performance \ncomputing.\n    My testimony will focus on the following key areas:\n  <bullet> The evolution of the cyber security threat landscape;\n  <bullet> McAfee's Global Threat Intelligence Solution and the role it \n        plays in enabling us to detect and remediate a wide range of \n        cyber security attacks on our Nation's critical \n        infrastructures;\n  <bullet> Two major cyber security attacks, Night Dragon and Operation \n        Aurora, and their implications for our homeland security; and\n  <bullet> Policy recommendations to improve public/private sector \n        information sharing that is essential to give the Government \n        the capabilities it needs to respond to the modern \n        cybersecurity challenge.\n    First I would like to provide a little background on McAfee and \nsome of our cybersecurity initiatives.\n                    mc afee's role in cyber security\n    McAfee, Inc. protects businesses, consumers, and the public sector \nfrom cyber attacks, viruses, and a wide range of on-line security \nthreats. Headquartered in Santa Clara, California, and Plano, Texas, \nMcAfee is the world's largest dedicated security technology company and \nis a proven force in combating the world's toughest security \nchallenges. McAfee is a wholly owned subsidiary of Intel Corporation.\n    McAfee delivers proactive and proven solutions, services, and \nglobal threat intelligence that help secure systems and networks around \nthe world, allowing users to safely connect to the internet and browse \nand shop the web more securely. 
Fueled by an award-winning research \nteam, McAfee creates innovative products that empower home users, \nbusinesses, the public sector and service providers by enabling them to \nprove compliance with regulations, protect data, prevent disruptions, \nidentify vulnerabilities, and continuously monitor and improve their \nsecurity.\n    To help organizations take full advantage of their security \ninfrastructure, McAfee launched the Security Innovation Alliance, which \nallows organizations to benefit from the most innovative security \ntechnologies from thousands of developers who can now snap into our \nextensible management platform. Today, more than 100 technology \npartners--large and small businesses all committed to continuous \ninnovation in security--have joined the alliance, with more to be \nannounced soon.\n    Two years ago, McAfee announced an initiative to fight cybercrime, \na wide-ranging initiative aimed at closing critical gaps in assisting \nvictims of cybercrime and preventing new events. 
The initiative is \nanchored by a multi-point plan that includes calls for action from law \nenforcement, academia, service providers, Government, the security \nindustry and society at large to deliver more effective investigations \nand prosecutions of cybercrime.\n    Key elements of the plan include:\n  <bullet> Education and Awareness.--McAfee works to ensure that \n        officials around the world have the capacity to properly fight \n        cybercrime, while helping users build ``street smarts'' so that \n        they don't become easy victims.\n  <bullet> Legal Frameworks and Law Enforcement.--McAfee works to \n        facilitate international collaboration and mutual assistance on \n        cybercrime among governments, industry, and non-governmental \n        organizations (NGOs).\n  <bullet> Innovation.--McAfee works with the technology industry to \n        provide technology solutions that stay one step ahead of the \n        threats.\n    McAfee is also supportive of the National Strategy for Trusted \nIdentities in Cyberspace (NSTIC), working with our partners in \nGovernment and industry to enable innovation for more efficient \nauthentication and other technologies facilitating a safer and more \npleasant experience for electronic transactions.\n    McAfee is committed to bringing the best security products and \nservices to the market, partnering with leading IT vendors to ensure \nthat customers have the ability to pick and choose the best solutions \nto close their security gaps, and giving consumers and organizations \nadditional resources and support to fight cyber-crime ranging from \norganized financial crime to attacks that use the cyber infrastructure \nto gain access to intellectual property or physical infrastructure. 
\nLikewise, McAfee is committed to taking part in a constructive dialogue \nwith policy makers on cyber security initiatives, as we are pleased to \ndo in this hearing today.\n          the evolution of the cyber security threat landscape\n    For purposes of this testimony, we define malware as a set of \ninstructions for a computer that causes the computer to behave in the \nwill of the malware owner, such as providing unauthorized access to \ninformation or systems that control physical/kinetic infrastructure. \nComputers execute instructions. Malware puts the enemy's instruction \nnext on the list, and then the adversary controls all actions forward, \nsometimes hiding its presence. Malware enters a machine from a variety \nof ports, typically email, web, or connection-level access that is \nunprotected or ill-advised to admit these harmful instructions. Malware \ncan also be referred to commonly as a ``virus.'' As in biology, when a \nmachine has a virus it is compromised and its functions can cause harm.\n    Historically, security software relied on antivirus ``signatures'' \nto recognize and block malware. Once a virus was detected, a signature \nwas developed by the security software vendor and deployed in the form \nof a DAT file downloaded to the security software on customers' \ncomputers. That software would then be in a position to recognize and \nblock the malware--an approach much like a vaccine that requires \nadvance knowledge of the threat. However, this approach is not \nsufficiently fast to fight today's cyber adversary, and that is why \nMcAfee is changing the paradigm to proactive defense in real-time: to \nmake our networks sufficiently intelligent to prevent malicious \ninstructions from reaching the target--instead of requiring that the \ntarget be vaccinated with a signature.\n    Today, malware developers combine web, host, and network \nvulnerabilities with spam, rootkits, spyware, worms, and other means of \nattack. 
Significantly, malware is often distributed with micro-\nvariations (polymorphism), or the ability to change quickly, with the \neffect that a signature developed when the malware is first discovered \nis ineffective against the multiple, very slightly different forms of \nthe same malware. This is analogous to a disease mutating so that the \nvaccine is no longer effective. Malware may be distributed indirectly \nby networks of computers that have been corrupted by a criminal (a \n``botnet'').\n    Criminals, terrorists, and nation states often invest great efforts \nto deploy their software in hundreds of thousands or indeed millions of \ncomputers owned by innocent third parties, in order then remotely to \ncommand their botnet to launch an attack on a particular set of \ntargets. The malicious software distributed by botnets will often \nactively evolve to become whatever is needed by its controller and is \nnot limited by the boundaries of antivirus labels. This means that code \nthat appears otherwise harmless in order to be let into the network can \nbe told to spread rapidly. This is why we refer to this type of code as \na worm. It means, for example, that malware originally configured to \ngenerate spam messages can be instructed to steal banking information. \nAgain, cyber actions rely on the execution of instructions, and a \ncompromised machine often follows the adversary's instructions to reach \nout to a server in another location for its next set of instructions, \nwhich can vary widely.\n    By leveraging multiple threat vectors and ``one-time usage,'' \nhackers are able to extend the time period in which their malware \nremains undetected and are thus able to steal the money, personal data, \nand other valuable information of users throughout the United States \nand the world. 
In this way, what might be called classic ``viruses'' \nhave been blended in recent years with other types of malware and \ntechniques used by malicious hackers intent on stealing personal data. \nHackers have discovered that direct external attacks are unnecessary \nand risky. It is now easier to engineer malicious software that is \ndelivered to a system remotely through various means.\n    Modern malware thus can no longer be classified by its perceived \npurpose or propagation method, because those change in an instant. Some \ntypes of software can be engineered to gain access to and maintain \ncontrol over the victim's machine. Once the malware is on the system, \nit seeks to communicate with its controlling entity--the criminal \nactor. Once communication is established over the internet, any \ncompromised machine can be instructed both to pass over any data of \nvalue to the criminal and to act as an instrument of attack against \nother computers and networks.\n                   mc afee global threat intelligence\n    McAfee and other sophisticated cyber security providers have \ndeveloped multi-vector, real-time, predictive protection against these \nmore sophisticated attacks on information systems. McAfee's solution is \nknown as Global Threat Intelligence, or GTI. Cybersecurity solutions \nbased on this GTI approach protect the customer's computer by \ncalculating the potential risk of a piece of content based on \nexperience with the IP address from which it originates, the website, \nor other elements associated with the content in question.\n    Thus cybersecurity providers offer solutions enabling the customer \nto stop content that is analyzed as having a risk probability score \nthat in the customer's view is ``too risky'' to be loaded into the \nmemory of the customer's computer. 
McAfee GTI tracks the anomalous \nbehavior and proactively adjusts an entity's reputation--its website, \nIP address, domain, file, network connection, and so forth--so that \nMcAfee products can block the threat and protect customers. Then McAfee \nGTI looks out across its broad network of sensors and connects the dots \nbetween the website and associated malware, email messages, IP \naddresses, and other associations, adjusting the reputation of each \nrelated entity so that McAfee's security products--from endpoint to \nnetwork to gateway--can protect users from cyber threats at every \nangle.\n    McAfee GTI offers the most comprehensive threat intelligence in the \nmarket. With visibility across all threat vectors--file, web, message, \nand network--and a view into the latest vulnerabilities across the IT \nindustry, McAfee correlates real-world data collected from millions of \nsensors around the globe and delivers real-time, and often predictive, \nprotection via its security products.\n    Our cyber enemies are smart and fast. They maintain their knowledge \nof networks and techniques by freely sharing information, enjoying a \nlack of legal or intellectual property barriers that often block the \ndefenders. The adversary is well-funded, often by governments, and has \nno barrier to swift execution. This is why our cyber infrastructures \nhave become their play land. The ability to see a global cyber picture \nand to have situational awareness is what the adversary cannot do. This \nis where we can win--by making the network fabric reject malicious \ninstructions in real-time, at the speed of light, before they can hit a \ntarget. 
This is how we can be faster than the adversary, and this is \nthe paradigm shift from vaccines to a cyber immune system that enhances \ncross-sector cyber resiliency.\n    Our Global Threat Intelligence service as well as a number of our \nother products and services helped us first detect and then remediate \ntwo important global cyber security attacks--Night Dragon and Operation \nAurora. These attacks are significant because they were managed by \ncoordinated and organized teams that succeeded in extracting billions \nof dollars of intellectual property from leading American companies in \nthe information technology, defense, and energy sectors--strategic \nindustries vital to the country's long-term economic success and \nNational security.\n                            operation aurora\n    On January 14, 2010 McAfee Labs identified a zero-day (previously \npublicly unknown) vulnerability in Microsoft Internet Explorer that was \nused as an entry point for Operation Aurora to exploit Google and at \nleast 20 other companies. Microsoft has since issued a security \nbulletin and patch.\n    Operation Aurora was a coordinated attack that included a piece of \ncomputer code that exploits the Microsoft Internet Explorer \nvulnerability to gain access to computer systems. This exploit is then \nextended to download and activate malware within the systems. The \nattack, which was initiated surreptitiously when targeted users \naccessed a malicious web page (likely because they believed it to be \nreputable), ultimately connected those computer systems to a remote \nserver. That connection was used to steal company intellectual property \nand, according to Google, additionally gain access to user accounts.\n    We also discovered that intruders used a social engineering \nmessage, known as spear-phishing, to target employees with a high level \nof access in these companies (either software developers, quality \nassurance engineers, or domain administrators). 
The message would come \nfrom a previous acquaintance of the targeted user and would ask them to \nclick on a web link pointing to a web server in Taiwan. As we uncovered \nand then reported to Microsoft, the web link hosted an obfuscated and \nencoded exploit for a zero-day vulnerability in Internet Explorer.\n    If a user had clicked on a link with Internet Explorer version 6, \ntheir machine would be automatically compromised and malicious code \nwould be downloaded and executed stealthily on the computer. The Trojan \nwould establish an evasive backdoor command and control channel to the \nsame server in Taiwan through which live attackers would jump onto the \nsystem and proceed to escalate their privileges on the local machine as \nwell as other servers within the network. As they moved rapidly through \nthe network, they would identify and compromise repositories of \nintellectual property and exfiltrate data of interest out of the \ncompany. In many cases, this data included source code--the crown \njewels of these information technology companies--which then could be \nused by attackers to discover new vulnerabilities in software that is \nused by the critical infrastructure industry, Government agencies, and \nmany other organizations across the globe.\n    McAfee is continuing to work with multiple organizations that were \nimpacted by this attack, as well as with various Government agencies, \nto address this major supply chain attack in the U.S. commercial \nsector.\n                              night dragon\n    McAfee has identified a string of attacks designed to steal \nsensitive data from targeted organizations. 
Unlike opportunistic \nattacks, the perpetrators appear to be highly organized, premeditative, \nand motivated in their pursuits.\n    Night Dragon attacks are similar to Operation Aurora and other \nadvanced persistent threats, or APTs, in that they employ a combination \nof social engineering and well-coordinated, targeted cyber attacks \nusing remote control software and other malware. McAfee has linked \nthese attacks to intrusions starting in November 2009, and there is \ncircumstantial evidence suggesting they may have begun as early as \n2007. Currently, new Night Dragon victims are being identified almost \nweekly.\n    Night Dragon attacks leverage coordinated, covert, and targeted \ncyber attacks involving social engineering, spear-phishing, \nvulnerability exploits in the Windows operating system, Active \nDirectory compromises, and remote administration tools, or RATs. The \nattack sequence is as follows:\n  <bullet> Public-facing web servers are compromised via SQL injection; \n        malware and RATs are installed.\n  <bullet> The compromised web servers are used to stage attacks on \n        internal targets.\n  <bullet> Spear-phishing email attacks on mobile, VPN-connected \n        workers are used to gain additional internal access.\n  <bullet> Attackers use password-stealing tools to access other \n        systems--installing RATs and malware as they go.\n  <bullet> Systems belonging to executives are targeted for emails and \n        files, which are captured and extracted by the attackers.\n    McAfee has evidence of Night Dragon malware infections in the \nAmericas, Europe, and Asia. McAfee has also identified tactics, \ntechniques, and procedures (TTPs) utilized during these continuing \nattacks that point to individuals in China as the primary source. 
The Night Dragon attackers are currently targeting global oil, energy, and
petrochemical companies with the apparent intent of stealing sensitive
information such as operational details, exploration research, and
financial data related to new oil and gas field bid negotiations. As we
saw with the WikiLeaks document disclosures brought about by a
malicious insider, sensitive data theft can be highly damaging beyond
regulatory penalties and lost revenue. And unlike Stuxnet, the tools
and techniques behind Night Dragon are not specific to critical
infrastructure and can be used to launch attacks against any industry.
                         policy recommendations
    Officials have made tremendous progress in the creation of
information-sharing constructs comprising multiple agencies and the
private sector. With good information, the collaboration enabled by
these constructs will help us to achieve what the enemy already has:
Speed and alacrity of information sharing and acting on it for high
impact.
    In many cases, private sector companies can solve a cybersecurity
puzzle by evaluating many disparate clues. Private companies need
protected ways to share their big-picture research findings with the
Government without loss of trust or creation of material events for
stockholders, so that the most significant cybersecurity information is
expeditiously actionable. This is the human component of what Global
Threat Intelligence does at machine speed. We need both in order to
defeat cyber adversaries, whose aim is to harm our way of life.
    Existing public/private partnerships should ensure that senior
corporate and Government officials are positioned to share vital
information and best practices.
Among other things, this means access
to sensitive (or classified) information and a secure mechanism for
sharing it.
    Broad-based situational awareness is vital to securing our global
cyber systems and ensuring our National security. Policies that enable
companies and governments to work together, using global threat
intelligence (e.g., combining cyber, energy, finance, and other data)
to enhance correlation and predictive capabilities, are critical to
real-time responsiveness within the network switching/routing fabric.
The Lieberman-Collins-Carper bill supports such information sharing by
requiring the Government to share information, including threat
analysis and warning information, with owners and operators regarding
risks to their networks. Legislation developed in the House of
Representatives would benefit from similar language.
                               conclusion
    The cybersecurity challenge faced by our country is a serious
matter that requires an evolution in the way in which both the public
and private sectors collaborate. Each sector has its own set of core
capabilities; only the Government can implement the complex set of
organizational and policy responses necessary to counter the growing
cybersecurity threat. Leading information technology companies and
their customers are uniquely positioned to act as early warning systems
that can identify and help address cybersecurity attacks as a real-time
cyber immune system.
    With the right industry-Government collaboration, networks of the
future can comprise intelligence and create resiliency by instantly
rejecting harmful code in milliseconds as opposed to the hours it
traditionally takes to make a signature, just as our bodies reject
viruses even though we may not know the name of the particular disease.
Information technology companies focused on cybersecurity in particular
have the resources and the economic incentives to continue to invent
and develop the technologies and solutions needed to stay ahead of
sophisticated cyber attackers. In the best American tradition of
collaboration, the public and private sectors have made important
strides to address the cybersecurity challenge and to enhance trusted
working relationships. As we work together to further evolve our
collaboration models, we can succeed in protecting our homeland from
the threat of cyber attacks.
    Thank you for asking me to take part in this hearing on behalf of
McAfee. I would be happy to answer your questions.

    Mr. Lungren. Thank you very much.
    Mr. Lewis.

   STATEMENT OF JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW,
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND
                     INTERNATIONAL STUDIES

    Mr. Lewis. Thank you very much, Mr. Chairman, and thanks to
Ranking Member Clarke and, of course, hello to Congressman
McCaul, who was invaluable as the cochair in leading the CSIS
commission. So one of the reasons it has been downloaded so
many times is due to him.
    This will be a good year for cyber security because of the
work of this committee and others. With luck, I think in this
Congress, we will see real progress in making our Nation more
secure.
    But this outcome is not guaranteed. We have been trying for
years to secure our networks, and we have not succeeded, right.
    So you have heard the litany of problems, major
corporations, banks, Government agencies; they have all been
victims. We have lost sensitive military information, oil
exploration data, valuable commercial technologies and millions
of dollars from banks.
    The interesting thing about these crimes is that they are
risk-free.
No one has ever been punished for them, and so, of
course, when you have a crime and no one gets punished, they
are just going to do it again, right.
    What we are doing now to secure cyberspace is not working.
There has been real progress at some agencies, like DHS, but we
need to rethink our approach. To put this in perspective, think
about the threats we face. First, a few advanced militaries
have the ability to use cyber attacks to disrupt critical
infrastructure and service. They have done the reconnaissance
on critical infrastructure. They have planned how to do this.
    They will not launch a cyber attack because they are not
going to start a war for no reason with the United States; they
are deterred by our military. But if they ever did attack us,
we are prepared to defend ourselves.
    Terrorists do not yet have the capability to launch cyber
attacks, but groups like al-Qaeda in the Arabian Peninsula are
seeking to acquire these capabilities. Perhaps more worrisome,
Iran and North Korea are developing cyber attack capabilities.
When these terrorists and rogue states can launch a cyber
attack, they, too, will find that we are unprepared.
    Cyber espionage and cyber crime are daily occurrences in
the United States, and they do long-term damage to our economy
and to our global competitiveness. They also help set the stage
for cyber attack. Some of our opponents use cyber criminals as
mercenaries, as proxy forces. Our most advanced opponents in
cyber crime and cyber espionage can overpower even the most
technologically sophisticated U.S. company, and we have seen
many examples of that.
    Agencies have made strenuous efforts, but we are not yet
prepared to defend ourselves.
There are three key issues that I
call to the committee's attention: how to give Government a
leading role in cybersecurity, how to ensure cybersecurity at
critical infrastructure, something we cannot do now, and how to
create international rules to reduce the risk of cyber crime
and the risk of cyber war.
    These are all hard problems, but they are not impossible.
CSIS' Cyber-Security Commission, which Congressman McCaul
helped lead, has released two reports with recommendations. Our
fundamental point, and this gets to the question about the 2003
National strategy, our fundamental point is that the old
approach doesn't work, and we need a new strategy that uses all
the tools of American power, military, law enforcement,
Homeland Security, partnership with the private sector. If we
can come up with this new combined strategy, we will be able to
do something effective to protect ourselves, but we are not
there yet by any stretch of the imagination.
    With this, I thank the committee and look forward to your
questions.
    [The statement of Mr. Lewis follows:]
                  Prepared Statement of James A. Lewis
                             March 16, 2010
    Chairman Lungren, Ranking Member Clarke, and Members of the
committee. Let me begin by thanking you for this opportunity to testify
on this important subject.
    Cybersecurity first came to the attention of the public in the
mid-1990s, some 15 years ago. The first major policy for cybersecurity,
Presidential Decision Directive 63, appeared in 1998.
    In the intervening years, there has been much discussion and a few
new ideas.
We can get a sense of the state of cybersecurity and whether
there has been any progress in the United States by reviewing major
cybersecurity events that have occurred since the start of 2010.
  <bullet> January 2010.--Google announced that an attack had
        penetrated its networks, along with the networks of more than
        80 other U.S. high-tech companies. The goal of the
        penetrations, which Google ascribed to China, was to collect
        technology, gain access to activist Gmail accounts and to
        Google's password management system.
  <bullet> January 2010.--Intel Corporation also disclosed that it had
        experienced a harmful cyber attack at the same time.
  <bullet> January 2010.--Global financial services firm Morgan Stanley
        experienced a ``very sensitive'' break-in to its network by the
        same hackers who attacked Google, according to leaked e-mails.
  <bullet> March 2010.--NATO and the European Union warned that the
        number of successful cyber attacks against their networks has
        increased significantly over the past 12 months.
  <bullet> March 2010.--Australian authorities say there were more than
        200 attempts to hack into the networks of the legal defense
        team for executives from Australian energy company Rio Tinto,
        to gain inside information on the trial defense strategy.
  <bullet> April 2010.--Hackers break into classified systems at the
        Indian Defence Ministry and Indian embassies around the world,
        gaining access to Indian defense and armament planning.
  <bullet> May 2010.--A leaked memo from the Canadian Security and
        Intelligence Service (CSIS) says, ``Compromises of computer and
        combinations networks of the Government of Canada, Canadian
        universities, private companies and individual customer
        networks have increased substantially . . .
        In addition to being virtually unattributable, these remotely operated attacks
        offer a productive, secure, and low-risk means to conduct
        espionage.''
  <bullet> October 2010.--Stuxnet, a complex piece of malware designed
        to interfere with Siemens Industrial Control Systems discovered
        in Iran, Indonesia, and elsewhere, results in significant
        physical damage to the Iranian nuclear program.
  <bullet> October 2010.--The Wall Street Journal reports that hackers
        using ``Zeus'' malware, available in cybercrime black markets
        for about $1,200, were able to steal over $12 million from five
        banks in the United States and United Kingdom.
  <bullet> December 2010.--British Foreign Minister William Hague
        reported (in February 2011) attacks by a foreign power on the
        U.K. Foreign Ministry, a defence contractor and ``other British
        interests.'' The attack succeeded by pretending to come from
        the White House.
  <bullet> January 2011.--The Canadian government reports a major cyber
        intrusion involving the Defence Research and Development
        Canada, a research agency for the Department of National
        Defence, the Department of Finance, and the Treasury Board,
        Canada's main economic agencies.
        The intrusions forced the
        Finance Department and the Treasury Board to disconnect from
        the internet.
  <bullet> March 2011.--Hackers penetrate French government computer
        networks in search of sensitive information on upcoming G-20
        meetings.
  <bullet> March 2011.--The Republic of Korea said that foreign hackers
        penetrated its defense networks in an attempt to steal
        information on the U.S.-made Global Hawk unmanned aircraft,
        provided to Korea as it considers whether to buy the UAV.
    Major corporations, financial firms, Government agencies, and
allies have all been victims, and these are just the events we know
about. There are of course many more incidents stretching back into the
1990s that include the loss of tens of thousands of pages of sensitive
military information, market and exploration data worth millions from
oil companies, the loss of valuable commercial technologies, and
hundreds of millions of dollars from banks and other financial
institutions. Classified military networks have been penetrated by
foreign intelligence agencies. Best of all, from the perpetrators'
perspective, no one has ever been punished for any of these actions.
    This is not a record of success. Whatever we are doing is not
working. Since 1998, we have repeatedly tried a combination of
information sharing, market-based approaches, public/private
partnership and self-regulation in a vain effort to strengthen our
cyber defenses. However, despite this dispiriting record of opponent
success, I feel confident in predicting that this year the old, failed
formulas will be trotted out again. Many of the reports and
essays we see emerging now will advocate tired ideas in order to block
change rather than increase cybersecurity.
While individual Government
agencies have made strenuous efforts to improve our cyber defenses, as
a Nation, despite all the talk, we are still not serious about
cybersecurity.
    This is due to a reluctance to make the changes cybersecurity
requires. People still advocate strategies and policies that appeared
more than a decade ago and which have not worked. We have consistently
underestimated the risks and damage from weak cybersecurity. Everyone
is for better security, but there has always been some other objective
that seemed more important.
    Cybersecurity is another of those situations in American history,
ranging from Pearl Harbor to 9/11, where we knew there was risk and
that we were unprepared, but assumed it would never happen because
America is too powerful or too big to attack.
    Nothing has yet punctured this misplaced sense of invulnerability.
America is still powerful, and it is easy to say that the sky is not
falling and there is no need for haste. The effect of this
overconfidence is to make tolerable the slow erosion of our National
power due to feeble cybersecurity. Some call it the ``death of a thousand
cuts,'' where each tiny cut goes unnoticed by the victim. There are
warning signs that even a Nation as rich and as powerful as the United
States is at risk. The challenges to our financial system and the loss
of manufacturing and innovative capabilities are subjects for another
hearing, but weak cybersecurity exacerbates these problems. Business as
usual means long-term decline as our economic and technological
leadership is damaged by cyber espionage.
    There are also two sets of risk. One is immediate and real. Two of
our potential military opponents have the capability to launch damaging
cyber attacks against America's critical infrastructure. The Aurora
test at the Idaho National Labs and the Stuxnet worm showed that cyber
attacks can do physical damage.
These opponents have carried out
network reconnaissance against critical infrastructure to allow them to
plan their attacks. The issue for this committee is that after 12 years
of information sharing, public-private partnership, and voluntary
action, critical infrastructure in the United States is not ready for
an attack.
    While these militaries have the capability to launch a damaging
cyber attack, they are unlikely to do so short of an armed conflict.
They are deterred by the threat of an American military response. Only
if we were to get into a shooting war with them, over Taiwan or
Estonia, could we expect to see cyber attacks. However, while we can
deter military attack, our military strength does not deter espionage
and crime in cyberspace. Deterrence is not a solution for cybersecurity's
most pressing problems.
    Cyber terrorism is still a distant threat, but it is a threat that
is increasing. Terrorists lack the capability to launch cyber attacks.
If they had this capability, they would have already used it. Our
original emphasis on ``cyber terrorism'' was wrong. The day a terrorist
group gets cyber attack capabilities, they will use them. At that
moment, if we have not improved our cyber defenses, they will succeed
in causing disruption and damage. It is concerning to note that a few
terrorist groups have expressed interest in acquiring cyber attack
capabilities--the most recent was al-Qaeda in the Arabian Peninsula
(AQAP). This group is worrisome. They are inventive in using the
internet for propaganda and organization, and they have said one of
their goals is to disrupt the American economy--this was the alleged
motive for their effort using printer cartridges in air shipments.
We have some number of years--I hope--before AQAP or another group, or an
irresponsible nation like North Korea or Iran, acquires cyber attack
capabilities, because we will not be able to deter them from attacking
and our defenses are inadequate.
    If there is one conclusion that we can draw from the long list of
cyber incidents, it is that we are not prepared to defend ourselves. So
we are vulnerable, but the risk of attack is low for the moment. As
long as our opponents do not attack us, we are safe. This is not an
ideal strategy for a superpower. Our current approach to cybersecurity
leaves initiative and control to our opponents. It also is ineffective
in stopping the slow but steady damage to our economy and to our
National security that comes from cyber espionage.
    Remedying the situation will take a concerted effort, but we are
far from consensus on how to proceed. We will hear that public-private
partnership is essential, because the private sector owns 85% of
critical infrastructure. The private sector owns 100% of the airlines
in the United States as well, but no one uses this as an excuse to say
we do not need an air force. We will hear that the internet must be
protected because it is a source of innovation. Now, in other fora, it
is common to hear that the United States is lagging behind in
innovation, so it is fair to ask just how much the internet has helped.
Innovation is a complex process and focusing on the internet as its
source is probably wrong, perhaps a last left-over from the dot-com
bubble. But the notion that the ability to better protect intellectual
property and proprietary business information will somehow hurt
innovation is bound to reappear. We will hear that technology moves too
fast for regulation, but this is true only if you try to write
prescriptive regulations. It is an avoidable mistake.
And there will be
a call for incentives, as if paying for an inadequate defense will
somehow make it better.
    No sector has a greater incentive than banks to protect their
networks. They are a constant target. Some banks, particularly the top
tier banks, have sophisticated defenses. Despite this, they are hacked.
This is not surprising considering the thousands of probes they face
each year, but even with all the incentives in the world and with a
strong focus on cybersecurity that is matched in few other critical
sectors, they cannot be secure. If the banks cannot protect themselves,
why do we think other sectors will be able to do so?
    The business implications for spending on cybersecurity by private
companies, especially critical infrastructure companies, are
straightforward. Investing in increased cybersecurity requires them to
spend on nonproductive assets. They will not get an increased return on
investment from this spending. There is a notion that if we could only
demonstrate the scope of the losses, companies would be incentivized to
recalculate the business case for cybersecurity and spend more. This
may not make sense for critical infrastructure. The bulk of the losses
come from the theft of intellectual property from commercial research
and manufacturing companies. Critical infrastructure companies are
likely to experience less loss of this kind of data. The risk they face
is the potential for service disruption, but before the disruption
occurs, the cost may be so low as to be unnoticeable.
    Additionally, it is likely that some industry sectors are more
important than others for cybersecurity. Opponents may consider the
defense, high-tech, or energy sectors as higher-value targets for
economic espionage. Electrical and telephone grids may be high-value
targets for critical infrastructure attacks, as disrupting them could
have cascading effects through the economy.
The financial sector may be
particularly attractive as it is both a critical infrastructure--stop
the flow of money and you trigger immense disruption--and attractive as
a target for crime. There are indications that the financial sector and
the electrical grid face increasing risk because of heightened opponent
interest (whether State or criminal) in these sectors as targets.
    This has implications for a National resiliency strategy. Without
external incentives, companies will be unwilling to invest in redundant
infrastructure to provide resilience. On the other hand, providing
incentives without also being able to enforce compliance means at best,
we will get a very uneven level of implementation and continued
vulnerability. Incentives only make sense if increased authority for
the Department of Homeland Security (DHS) accompanies them. Incentives
by themselves are a give-away without benefit to security.
    Incentives will not solve the problem of our reliance on a
disaggregated, point cyber defense, where each network or user is
responsible for their own defense. This is the worst possible defense
against a skilled opponent. Every company is on its own, and they can
be picked off one by one. Providing incentives without being able to
coordinate our cyber defenses and ensure a common level of performance
is not an improvement.
    Voluntary action is also not enough. Is there a more sophisticated
technology company than Google? Google has unparalleled skills and
resources. The same is true for Intel, Adobe, Microsoft, and the many
other companies that have allegedly been hacked. Voluntary action by
even the most sophisticated tech companies is inadequate. The reason
for this is simple. Pros always beat amateurs. We are asking
corporations to take on the most powerful military and intelligence
agencies in the world, agencies that do not observe our laws and that
do not like us. It is no contest.
It is like sending the company
softball team against the Giants or the Yankees. Voluntary action by
itself will always be inadequate against dangerous foreign opponents.
    Efforts to secure the Smart Grid are a good example of the problems
with a voluntary approach. Security standards published by the National
Institute for Standards and Technology in August 2010 were developed by
a consensus process that included 475 participants from the private
sector. A consensus process involving 475 people is itself
problematic. This is why the founders wisely opted for majority rule in
the Constitution. A report by the General Accountability Office from
January 2011 found that since these consensus standards are voluntary,
there is no way to enforce them or even know if companies are following
them. Perhaps unsurprisingly, the GAO also found that critical smart
grid elements ``do not have adequate security built in, thus increasing
their vulnerability to attack.''\1\
---------------------------------------------------------------------------
    \1\ GAO, Electricity Grid Modernization
(http://www.gao.gov/new.items/d11117.pdf).
---------------------------------------------------------------------------
    Voluntary action has not worked, but some argue it deserves another
chance and that we should pay companies to put better cybersecurity in
place, using incentives, but that we should also not tell them what to
do. This is a recipe for disaster. There is no other area of National
security where we rely on voluntary action reinforced by incentives. A
policy of voluntary efforts for better cybersecurity reinforced by
incentives is not a serious effort to protect National security against
real damage and a growing threat. These proposals are best seen as
intended to block reform rather than to promote cybersecurity.
    Information sharing is a more difficult problem.
No single agency
or company knows the full range of threats we face in cyberspace. The
National Security Agency, Cyber Command, and DHS have part of the
puzzle, the big telecom companies have another part, the antivirus
companies and big internet service providers another. If we could put
these parts together, our ability to protect the Nation would be
significantly improved. Perhaps 20 or 30 companies and two or three
agencies would need to share information and be partners in a National
defense. This would be a public-private partnership that could make a
difference.
    And of course, it is impossible to do this in the United States.
Our laws and our policies block the one area where we could have
meaningful public-private partnership and information sharing that
could make a difference. Some of the very organizations that stoutly
proclaim the need for public-private partnership also object to
meaningful information sharing, the one area where public-private
partnership makes sense.
    After 12 years of experience, we can now say with confidence that a
voluntary approach to cybersecurity based on public-private partnership
and information sharing is inadequate to defend America. These are
elements of a comprehensive defense, but by themselves they are not
enough. They must be reinforced by an active defense that uses our
military and intelligence assets, by flexible regulation of critical
infrastructures and internet service providers, by a strong diplomatic
effort to extend the rule of law into cyberspace, and by expanding law
enforcement cooperation in every country to which we are connected.
    In December 2008, CSIS issued a report by its Commission on
Cybersecurity for the 44th Presidency that laid out a number of
recommendations for a comprehensive National approach to
cybersecurity.\2\ While the report was well received, the
implementation of the recommendations has been slow.
In February 2011,
the Commission issued a second, final report\3\ that assessed where
progress still needs to be made. We identified ten key areas and listed
the tangible steps that need to be taken. The most important of these
were the need for coherent Federal leadership, clear authority to
mandate better cybersecurity in critical infrastructure, and a foreign
policy that used both military and diplomatic tools to bring the rule
of law to cyberspace.
---------------------------------------------------------------------------
    \2\ http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf.
    \3\ http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.
---------------------------------------------------------------------------
    These are crucial areas for improvement, but each raises
significant issues for the upcoming legislative debate. One issue is
whether DHS or the White House should lead cybersecurity efforts. In
this case, there is no simple answer. DHS is best placed, working with
the Department of Defense and the National Institute of Standards and
Technology (NIST), to develop standards and regulations. DHS is best
placed to work with first-party regulators--FERC, FCC, FFIEC, and
others--to ensure compliance. On the other hand, the White House is
best placed to develop a National strategy, to coordinate military,
intelligence, law enforcement, and diplomatic activities, and to
provide Executive branch oversight and guidance for cybersecurity
activities and for privacy protection.
    The first CSIS report discussed a new, flexible approach to
regulation that gave the private sector a greater role in designing the
rules while leaving enforcement to the Federal Government. Now, it is
quite true that regulation done badly can be very damaging.
There are countless examples of that kind of prescriptive overregulation and
finding ways to streamline regulation is an essential task for America.
It is also true that no regulation leads to disaster. Even the
strongest proponents of deregulation do not call for the elimination of
the Federal Aviation Authority. All the airlines mean well and do their
best, but we do not feel comfortable leaving air safety to voluntary
action because lives are at stake. We do not feel comfortable saying to
companies, you make the decision on whether to sell nuclear or missile
technology to a foreign customer. We regulate them. Public safety and
National security require it. Regulation is unpleasant, but in some
cases, the alternative is worse. Cybersecurity is one such case. The
approach proposed in draft legislation, which is based on the Chemical
Facilities Anti-Terrorism Standards found in the Homeland Security Act,
offers a reasonable approach to better cybersecurity.
    Precedents for a new approach can be found in recent changes to the
implementation of the Federal Information Systems Management Act
Reporting Guidelines or in the Consensus Audit Guidelines developed by
a consortium of Federal agencies including NSA and private
organizations. These guidelines identify technical security controls
that are effective in blocking high-priority attacks. They show that it
is possible to identify practices that improve cybersecurity and measure
their effectiveness, since technology does not change too fast. I
recently spoke to the Deputy Chief Information Officer of an agency
that had implemented the guidelines--this was an agency that suffered
major losses to hacking a few years ago--and he said the improvement in
their defenses has been dramatic.
I asked if the Guidelines are not
getting out of date, as they are 2 years old, and he replied that not
only are they still effective, but that implementing the first four
guidelines stops most of the attacks. It is now possible to identify
effective practices and continuously measure how well they work--if
they are implemented.
    A comprehensive strategy that coordinates military, intelligence,
law enforcement, and diplomatic activities is essential for securing a
global network. Reducing cyber crime will require a strategic,
National-level approach that uses law enforcement, intelligence, and
diplomacy. The most sophisticated cyber criminals live overseas, in
countries that do not cooperate with U.S. law enforcement. The problem
is complicated by the fact that a few countries tolerate and even
encourage cyber criminals. They use them as proxies, as irregular
forces to carry out operations for the Government. They provide
resources and sometimes training. It will not be an easy task to get
these countries to stop cybercrime, and there is little that the
private sector can do.
    Limitations on the use of our military and intelligence
capabilities continue to weaken cybersecurity in the United States. A
case from last year shows the situation. We are told that a leading
American bank had its networks penetrated by Russian hackers. The
hackers extracted millions of dollars. The bank, of course, said
nothing publicly. But while the crime was in progress, it was detected
by an American intelligence agency. As an intelligence agency with no
domestic authority, there was nothing it could do other than relay the
information to law enforcement agencies, a cumbersome process under
today's laws. By the time this was done, the crime was over. Active
defense would have let the intelligence agency detect the incoming
attack on the internet backbone, on the borders of America's National
networks, and stop it.
Active defense could be structured to operate \nlike NORAD, where the Air Force protects our skies, by focusing on \nforeign threats. It is not perfect, but it works and other nations are \ndeploying this kind of defense against foreign attacks.\n    Active defense is the future of cybersecurity. It raises two key \nissues, the first being the need for additional privacy safeguards and \noversight and the second being the division of responsibility between \nDHS and DOD. Stronger cybersecurity probably requires a new approach to \nprivacy and a strengthening of existing oversight mechanisms. To give \ntwo examples, the Privacy and Civil Liberties Oversight Board, PCLOB, \ndoes not have cybersecurity in its legislative charter, nor is there \nExecutive branch guidance (along the lines of Executive Order 12333, \nwhich governs intelligence activities) for agencies in how to perform \ntheir cybersecurity missions. Both of these reflect the need to adjust \nour laws and regulations to the new cyber environment.\n    DHS and DOD both have important and potentially complementary roles \nto play in cybersecurity. DHS is best placed to work with critical \ninfrastructure and to ensure domestic preparedness. Only DOD has the \ncapability to respond to foreign opponents. There are still \ncoordination issues that need to be worked through, and some of these \nissues will be resolved only when the White House has a stronger role \nin cybersecurity, but the recently signed Memorandum of Understanding \nsigned between Secretaries Napolitano and Gates is an important first \nstep in building a coordinated defense.\n    The problem of international engagement is challenging, in part \nbecause for years the United States believed that cyberspace would be \nsome kind of self-governing utopia. 
As the security situation worsened, \nas cyberspace became a new domain for conflict, and as the political \nimplications of the new technologies became apparent, other nations \nhave decided to extend government control into cyberspace. This trend \nis irreversible. The United States must engage with these nations in \norder to influence, if not lead, this restructuring of cyberspace \ngovernance, in order to ensure that the political values we cherish--\nopenness, global connectivity, and freedom of speech--continue to guide \ndevelopment of the global network. Thinking on how to do this is at a \nvery early stage. New kinds of expertise are required and there are \nonly a handful of people with relevant experience. The State Department \nhas just created a new cyber coordinator position and with the right \nsupport from Congress, this could allow the United States to regain \ninternational influence.\n    These are complicated issues and the account above is necessarily \nsummary. They receive more detailed treatment in the CSIS reports. \nHowever, in drafting the final report, we found that as the prospect \nfor change increases, so will resistance to it. People are wedded to \nold ideas, even if they do not work. New kinds of expertise are \nrequired for understanding cybersecurity. Above all, many still place \nsome other priority above securing our Nation's networks.\n    It is this last point that worries me the most. When we look at \nnations that have fallen on hard times, losing their power and their \ninternational standing, very often it was because of internal problems. \nOften, the leaders of these countries knew what the problems were. They \neven knew what the solutions were, but their beliefs and reliance on \nold approaches kept them from making the needed changes. So far, this \nhas been the case with cybersecurity in America. We are in a new world \nand face new problems that old ideas will not solve, but it is hard to \ngive them up. 
Better cybersecurity is possible, but not if we continue \nto use failed approaches.\n    This puts a great responsibility on Congress and the White House. \nWe have a real opportunity in the next 2 years to improve our cyber \ndefense. Doing this will require leaving old ideas behind, even though \nmany will still advocate them, and moving to a new, comprehensive \napproach to cybersecurity that treats it as a major component of \nNational defense and homeland security. I thank the committee for the \nopportunity to testify and will be happy to take any questions.\n\n    Mr. Lungren. Ms. Kwon.\n\n STATEMENT OF MISCHEL KWON, PRESIDENT, MISCHEL KWON ASSOCIATES\n\n    Ms. Kwon. Thank you.\n    Good morning, Chairman Lungren, Ranking Member Clarke, and \nother distinguished Members of the subcommittee.\n    My name is Mischel Kwon, and I am the president of Mischel \nKwon and Associates, LLC, a consulting firm specializing in \ntechnical defense security, security operations, and \ninformation assurance.\n    It is interesting to look at the changes and advances and \nstruggles of IT over the 30 years of my experience. If we look \nout into the future, if I were to be testifying before this \ncommittee in 10 years, I predict a very different situation. No \nlonger will governments or car manufacturers or hospitals or \nelectric power companies be in the business of IT.\n    None of these organizations will have large data centers \nand infrastructures, e-mail servers, or application \nprogrammers. Instead, we will have IT providers, just as we \nhave power providers and health care providers.\n    The cloud today is the first move to this new paradigm. \nThis movement is our opportunity to fix many of the problems \nthat rapid individualized IT growth has caused. 
We have the \nopportunity to build security in, to fix the IT refresh \nproblem, to enable innovative technology, and to collapse the \nIT community, allowing better collaboration, communication, and \nsharing.\n    In looking to the future, it is important to recognize \nwhere we have been successful and where we are stuck. We must \nlook at where IT is going in the next 10 years and prioritize \nwhat we are working on so that we are addressing the issues \nhead on.\n    We have had significant progress over the 10 years in \nheightening the importance of securing our IT systems and \ninfrastructures. We now understand the importance of policy, \nprocess, technology, and detection.\n    We clearly understand the need for information sharing. We \nnow also realize we are all in the same infrastructure, the \ninternet, and that the idea of sharing infrastructure is the \nwave of the future.\n    Much-needed progress is being made in the modernization of \nFISMA, understanding the need for continuous monitoring and \ncyber scope that will enable the departments and agencies to \nhave a real understanding of the health and well-being of the \nsystems and networks supporting the Federal missions.\n    It is critical that as we move into this era of the cloud \nthat we are careful not to create home-grown solutions but rely \non the private sector and the COTS, commercial off-the-shelf \nproducts, that can accomplish the requirements needed.\n    Difficulties have challenged us in security governance, \nauthorities, and information sharing. Many of these issues have \nbeen complicated because we are trying to solve the policy \nissues and the operational issues at the same time.\n    I do believe good efforts by good people with good \nintentions have been made at the Department of Homeland \nSecurity and across the U.S. 
Federal Government.\n    Today, many of the impediments in Federal Government that \nslow down efforts to improve cybersecurity are caused by a lack \nof clear governance structure, clearly defined mission spaces, \nand the authorities and budgets to successfully accomplish \nthose missions and understanding where collaboration is needed.\n    I do believe DHS has a primary role in cyber. Though I have \nnot always thought DHS could handle the important and broad \nmission of cyber because of the maturation level of this young \nagency, I do believe the operational mission of US-CERT belongs \nto DHS, but as an autonomous, operational component, similar to \nFEMA, with direct reporting capabilities to the Secretary.\n    I believe the mission of US-CERT must be more clearly \ndefined to enable it to be successful. It must be enabled to \nsucceed in the important operational mission and firewalled \naway from the struggles of policy and relationship development. \nThe appropriate authorities must be given to US-CERT to allow \nit to carry out the assigned mission.\n    Effective and actionable information sharing and a public-\nprivate partnership is essential for cyber today and for the \nfuture. We have made significant progress over the years but \nnow seem to be in a holding pattern, struggling with \nprocurement and legal issues that have frozen progress.\n    As we move to the new model of IT and the cloud, we will \nneed to take two steps: One to understand how we can \ntechnologically share information more efficiently; and two, \nhow the private sector can take a leadership role, possibly \nthrough a non-profit organization, to help free us from the \nholding pattern from both sides.\n    We are moving rapidly to the new world in IT, a new world \nin cyber with many opportunities. We must be prepared with a \nstrong, well-defined operational US-CERT that has the autonomy, \nauthority, and budget to be successful in protecting the Federal-\ncivilian space. 
We must defend the shared space together with \nthe ability to share information through a healthy, public-\nprivate partnership.\n    Thank you very much for the opportunity to testify.\n    [The statement of Ms. Kwon follows:]\n                   Prepared Statement of Mischel Kwon\n                             March 16, 2011\n    Good morning Chairman Lungren, Ranking Member Clarke, and other \ndistinguished Members of the subcommittee. Thank you for the \nopportunity to testify before the Subcommittee for Cybersecurity, \nInfrastructure Protection, and Security Technologies.\n    My name is Mischel Kwon and I am the President of Mischel Kwon and \nAssociates, LLC, a consulting firm specializing in Technical Defensive \nSecurity, Security Operations and Information Assurance.\n    Previously I served as the Director of the United States Computer \nEmergency Readiness Team (US-CERT) at the Department of Homeland \nSecurity (DHS), and as the Deputy Chief Information Security Officer \nand Director of the Justice Security Operations Center at the \nDepartment of Justice. Most recently I was the Vice President of Public \nSector Security Solutions for RSA, the Security Division of EMC \nCorporation. I received my Bachelor of Science and Master of Science \nfrom Marymount University and a Master Certificate in Information \nAssurance from George Washington University. I was a Cyber Corps \nScholar. In the nearly 30 years of my career to date as an IT \nprofessional I have been a programmer, systems developer, network \nengineer, program manager, and security professional.\n    Over the past 10 years the U.S. Federal Government has been \nstruggling, learning, and discovering what to do about ``cyber''. 
We \nhave been moving on a continuum that started with the discovery of \nadversaries in our networks, has found us struggling with how to manage \nour systems through the Federal Information Security and Management Act \n(FISMA) and compliance, how to identify threats, attacks, \nvulnerabilities, and how to work together to defend our networks. As we \nmove forward in a constantly evolving world of technology, life as we \nknow it is changing rapidly. Soon, most companies, even Government \ndepartments and agencies, will no longer have data centers or continue \nto own or manage their own e-mail servers, applications, or desktops.\n    The use of virtualized IT infrastructure is the future. \nVirtualization, as the foundation of cloud computing infrastructure \nwill enable the ``Cloud'' to be the provider of most IT services. You \nmay say this is jumping ahead, but we must look at the answers to the \nquestions you are asking with the near-term future in mind, and the \nnear-term future is now--as many departments and agencies are already \nmoving applications such as e-mail to the cloud, many are building \nprivate clouds, and many private sector companies are rapidly moving to \nthe cloud. This is not only an innovative solution to a much-needed \ntechnology refresh in the civil government space, but if done \ncorrectly, could be the answer to information sharing, infrastructure-\nbased defensive security, the cyber talent pool shortage and guaranteed \nlife-cycle management of our infrastructure resources. No longer will \ncompanies or departments and agencies with missions different than \nInformation Technology need to be in the ``IT'' business. No longer \nwill we need to educate the heads of these organizations and have them \nmaking IT risk decisions outside of the scope of their knowledge base. 
\nWe will deliver the requirements to the vendors; the vendors will then \nsupply the appropriate infrastructure and services, with security built \nright into the technologies and the offerings.\n    This brings us to a critical crossroads in the continuum of \ncybersecurity. Not only are we at the point where we realize the need \nfor governance, leadership, and cooperation between the Government and \nprivate sector in order to have a chance at combating the adversaries \nin an efficient manner, but we also are now at the part of the \ncontinuum where the responsibility of protecting our assets processed \non IT systems--whether it is data or an operational function--will be \nthe responsibility of the private sector infrastructure providers. This \npoint was driven home during the initial phases of the Comprehensive \nNational Cybersecurity Initiative (CNCI) when the Federal Government \nrealized just how much of the internet is private sector-owned and -\noperated, and that even if we do better at securing Federal systems, we \ncan't improve our Nation's cybersecurity posture without improvements \nin the private sector in partnership with industry. As we continue to \nmove infrastructure and services to the ``cloud'', effective and \nlasting partnerships with the private sector must be fully embraced and \nleveraged.\n    Understanding the Information Technology roadmap that we are all \nmoving rapidly on also increases the importance of enhancing the \ngovernance, authorities, and relationships that the Federal Government \nhas between and among the civilian departments and agencies, the \nhomeland security and law enforcement communities, the defense and \nintelligence community and of course, the private sector.\n    As I move into the portion of my testimony where I will be \nidentifying obstacles and problems I have encountered during my Federal \nGovernment service, there are a few caveats and points I would like to \nmake clear. 
First of all, cyber is a new field. At most, we can say \nthis is a 25-30-year-old industry. We must understand this is going to \ntake some time to mature. We will and have encountered issues, we will \nlearn of new problems . . . but we must work together to overcome these \nchallenges, quickly and effectively. Second, the Department of Homeland \nSecurity (DHS) is a new Department and because of that it struggles \nwith the fundamental daily functions of being a Department from \nprocurement and budgets to hiring and operations. DHS is going to take \nsome time to develop the processes, policies, and procedures needed to \nrun smoothly and efficiently. It will not happen overnight and will not \noccur without specific actions and programs to improve the baseline \noperations. In addition, DHS has a very broad set of missions and \nduties. Cybersecurity often takes a back seat to physical threats and \nnatural disasters in the daily and weekly grind of the Department. \nCongress should do more to enable the cybersecurity components in the \nDepartment to operate more effectively and independently without \ngetting bogged down in other DHS mission spaces, allowing cyber to \neffectively operate as an independent component; allowing cyber to \nseparate itself from the quagmire of internal politics and jostling for \nresources and mindshare. Third, there are a lot of really good people \nwho have worked this problem in the past and are working on \ncybersecurity challenges today. As we point out the weaknesses and \nproblems, we must be cautious of tying the hands of dedicated security \nprofessionals who are currently doing battle on a daily basis \n(unfortunately not just with adversaries in cyberspace, but with the \nbureaucracy within DHS). We cannot afford to forget these people. We \nneed these qualified individuals in this young and growing field. 
They \nmake sacrifices with their families, careers, and personal sanity to \nserve our country in trying to fix these problems. We should take the \ntime to remember their service and take care not to diminish their \ncontributions as we examine and address cybersecurity challenges in \nboth the public and private sector.\n    During my tenure at US-CERT, we were at the very early stages of \ndeveloping critical relationships with Federal civilian departments and \nagencies as well as relationships with the homeland security, law \nenforcement, defense and intelligence communities, and the private \nsector. It was clear there was a lack of governance and lack of \nauthorities to carry out the poorly-defined mission US-CERT set out to \naccomplish. To examine this problem it is critical to break down the \nUS-CERT mission into: (1) Protecting the Federal civilian departments \nand agencies, and (2) coordinating and collaborating with the private \nsector.\n    Governance over IT in the Federal space has been an issue for many \nyears and to date has not been solved. FISMA, which was enacted in late \n2002, was a start in attempting to set up roles and responsibilities, \nincluding defining the roles of Federal CIOs and CISOs enabling \nsecurity structures to be built in Federal Executive branch departments \nand agencies, as well as establishing a reporting process for incidents \nto US-CERT. This all being said, there were overarching and important \ncomponents of a successful risk management strategy that have been \nmissing. As it stands today, the only requirement a Federal department \nor agency has is to report the incident to US-CERT in the dictated time \nframe based upon incident categorization using a 20-year-old taxonomy \nthat no longer describes the types of attacks that organizations are \nexperiencing. This creates inaccurate metrics, and little to no real \ndata on the actual attacks that are occurring in the Federal civil \nspace. 
US-CERT does not have the authority to require the departments \nor agencies to share detailed information, or follow any specific \ninstructions. Departments and agencies interpret their reporting \nrequirements differently and therefore each reports incidents using \ndifferent definitions and methodologies. When I was the Director of US-\nCERT, if we needed Federal departments and agencies to follow specific \ninstructions, we would have to have the Office of Management and Budget \n(OMB) require them to follow the instructions. Despite even OMB \nguidance, the cooperation from Federal civilian agencies was \nconsistently on the low end.\n    Because many of the existing IT systems are owned and operated by \nFederal departments and agencies, there is no existing direct authority \nfor DHS to require cooperation with US-CERT. This being said, it should \nalso be understood that some of the departments and agencies have more \nsophisticated operations than US-CERT. The security operations centers \nat the State Department, the Department of Justice, and the Federal Aviation \nAdministration have a much higher technical monitoring and response \ncapability than US-CERT. In order for US-CERT to accomplish the mission \nof protecting the Federal civilian agencies and departments day in and \nday out, US-CERT must be empowered and its capabilities must continue \nto be developed. It must have a clearly defined mission, authority, and \nbudget. It must have tools. These tools must be determined by what will \nsupport the mission, not be tied to legacy systems, management, or \ncontractors. This must be a collaborative mission between US-CERT and \nthe departments and agencies. A ``dictatorship'' is not what is needed. \nCollaboration and cooperation will enable the road to success. Even \nmore important is to clearly define US-CERT's role and the authorities \nthe organization and Director carry. 
Developing a ``council'' of \nFederal department and agency Security Operations Center Directors and \nthe Director of US-CERT to help guide this mission makes sense in order \nto ensure the mission of US-CERT stays on track, serves its Government \ncustomers, and has a focused and effective mission strategy.\n    Today US-CERT is buried too deep within DHS. To even confuse the \nissue more, US-CERT is a part of the National Cybersecurity and \nCommunications Integration Center. Instead of integrating the NCC into \nUS-CERT, yet another functional area has been opened, creating and \ncompounding the confusion. US-CERT must be given autonomy to allow it \nto function as a successful operational entity--not laden in the \npolitical quagmire of DHS, NPPD, CS&C, NCSD. In my view, in order to be \nsuccessful, US-CERT should be removed from the National Cybersecurity \nDivision (NCSD) and treated as a component organization similar to \nFEMA. It should have its own budget that is not constantly diluted by \nother projects, programs, and internal politics in NPPD, CS&C and NCSD. \nUS-CERT should have a clearly defined mission with attainable goals and \nthe autonomy to succeed in this operational mission. Yes, operational. \nThis is a roll up your sleeves and respond mission. This mission cannot \nbe performed anywhere else in the Federal civilian government . . . the \nWhite House cannot carry out an operational function, the DoD cannot \nperform an operational function of this nature domestically based on \nthe Constitution, and no other department or agency has the overarching \nmission that allows for both emergency response and homeland \nprotection. DHS makes functional sense; US-CERT must be empowered to \nfulfill its operational mission. As it stands today, US-CERT is \nconstantly caught up in political priorities and much time is spent \nthrashing around, attempting to service too many projects and \nstakeholders. 
A clear governance process in the Federal space, a \nclearly defined mission and the authorities to support that mission, a \nbudget to carry out this operational mission, as well as autonomy to \noperationally perform the operational duties are the steps to US-CERT \nhaving the capability to make a difference in supporting the \ndepartments and agencies as a part of DHS.\n    US-CERT's other mission, to coordinate and collaborate with the \nprivate sector--specifically with critical infrastructure owners and \noperators--is equally important. Again, great mission, but rarely \naccomplished. The work is often clouded by poorly defined expectations \nand internal politics. US-CERT has absolutely no authority within \ncritical infrastructure that is owned or operated by the private \nsector--nor should it. The Federal Government has no claims or \nauthority over privately held companies. Even in some of the current \ndraft legislation in both the House and Senate, participation in \nGovernment-led cyber activities is by invitation only. Today's private-\npublic partnership efforts are bogged down with the same rhetoric, \npolitics, and legal barriers of the past 20 years. I will say that \npresently US-CERT does little of the coordination. This is done \nprimarily through NCSD. Most of the communication is done by the \nCSCSWG (Cross Sector Cybersecurity Working Group, a working group of \nthe ISACs) and most of the members are not actual security \nprofessionals running security organizations, but a confusing mix of IT \nand communications companies with individual company-focused agendas \nand little or no focus on the operational agenda. An operational unit \nlike US-CERT must be firewalled away from this kind of dysfunction to \nallow it to concentrate on the operation response mission.\n    The relationship between US-CERT and the private sector must be a \nfocused and well-defined mission. 
Prioritizing work with the \ninfrastructure providers--not individual IT product vendors--such as \nISPs, web hosting and caching, cloud providers and IT infrastructure \nproviders--to enable the focus on the operational response mission. I \nunderstand the entire private sector IT and communications sector wants \nto participate in future policy creation, but that function must not be \nmixed with the operational mission US-CERT must succeed in.\n    So far, I haven't painted a very pretty picture of what is going on \nat DHS in regards to cyber, but I want to reiterate that I do believe \nDHS is the right place for cyber. I also believe changes need to be \nmade in order for DHS to have a successful cyber mission. Giving US-\nCERT the autonomy to embrace a well-defined operational response \nmission (both with the departments and agencies as well as with \ncritical private sector players), with a budget and capabilities to \nexecute on the mission, and authorities to enable them to execute on \nthe mission is a very important step to success.\n    Creating a successful public-private partnership to help secure \ncyber space is yet another mission that must be addressed. I think we \nneed to approach this problem from a different direction. We must not \nlook at it as a ``cyber space'' problem. That mission space is far too \nbroad. We must look at this problem in digestible pieces. Internet \ninfrastructure: Internet Service Providers, Cloud Providers, Web \nProviders and Information Infrastructure Providers. Separate this from \nthe ``cyber war'' issue, separate this from the policy and legislative \nissues. Move these layers away from the operational mission of US-CERT. \nTake on the protect the infrastructure problem first. Work on the \ninformation sharing problem with an operational lens. I truly believe a \ntechnical solution must come in order to break the stalemate we find \nourselves in with regards to cooperation and information sharing. 
The \nstalemate is centered on procurement, legal, privacy and proprietary \ninformation issues. We must determine a technical function for \nanonymously exchanging information. In addition, we must start \narticulating the problem with the same vernacular. We must spend time \nredefining the taxonomy and vernacular we use to work the cyber \nproblem. We must do this in order to establish meaningful metrics, \nsolutions, and focused solutions to the problem.\n    The ancient category one through eight taxonomy, where 99% of all \nincidents are categorized as category three ``malware''--is useless in \nthe world of complex attacks and sophisticated adversaries. I do \nbelieve this will become easier as we move on our continuum to the \ncloud. I believe as it becomes a more defined industry and who actually \nruns the ``IT infrastructures'' (i.e. clouds) becomes more defined, \ninformation sharing will become better as a function of how many \nentities must actually participate in the defense of IT as a whole. It \nmust be understood that a public-private relationship is a two-way \nstreet. Often the Government is left holding the bag of failure when it \ncomes to this relationship. The burden here is not and should not be \nsolely on the Government. We all have critical information that, if \nshared, would help the community as a whole. In the near future, the \nGovernment will be squarely in the customer role as we move on the IT \ncontinuum to the Cloud. We must look at how the Government and private \nsector can shape a healthy relationship. I am a firm believer that the \nprivate sector needs a private non-profit entity that would facilitate \nthe relationships of the many privately held IT companies. This non-\nprofit entity would facilitate the information sharing both on the \nprivate side as well as a focused conduit for information sharing with \nthe Government. I do not see this as an inherent Government-only role. 
\nI clearly understand there is a National defense role for the \nGovernment in times of war, but we need to clearly define what that \nmeans in terms of cyber, and yes that is clearly a DoD role--not a \ncivil Government role.\n    This being said, I do see technology developments that will remove \nthe legal and privacy issues around information sharing. We must \ntechnologically come to a place where we can exchange information on a \ntechnical level about threats, attacks, and mitigations without \ndisclosing information about the entity or entities involved. We must \nfocus as a community--not as a Government--on moving this solution \ntrack along. We must be mindful of the circular rhetoric trap we get \ncaught in when we hear the words--public-private partnership--and \nrealize the actual work that needs to happen to accomplish the goal--\ndefending our IT assets and missions. The work that needs to be done is \nto create technical processes, overcome procurement and legal issues. \nThis must be done as a community, led by the private sector. The \nGovernment's participation should be as a member of the community.\n    In conclusion, I do believe DHS has a primary role in cyber. Though \nI have not always thought DHS could handle the important mission \nbecause of its maturation level, I do believe the operational mission \nof US-CERT belongs in DHS--but as an autonomous operational component \nwith direct reporting capabilities to the Secretary. I believe the \nmission of US-CERT must be more clearly defined to enable it to be \nsuccessful. The appropriate authorities must be given to US-CERT to \nallow it to function. Public-private partnerships need to be rescued \nfrom the circling drain of rhetoric and led by the private sector with \nGovernment participation.\n    We are moving rapidly to a new world--we must clear our plates of \nthe static yada yada of stale circular discussions, identify the \noperational function and technical solutions. 
Empower US-CERT to \nsucceed. Empower the private sector to lead. Empower the Government to \nparticipate.\n    Thank you for this opportunity to testify. I would be happy to \nanswer any questions you may have at this time.\n\n    Mr. Lungren. I thank you all for your testimony.\n    I thank you all for being cognizant of our time limits, and \nI appreciate that.\n    Dr. Schneck, how do we solve this problem of stronger \nprotections for sharing information from the private sector to \nthe Government? The reason I say that is, you have members of \nthe public who are naturally suspicious or skeptical of the \nGovernment working with the private sector and not protecting \nthe individual rights of consumers and so forth.\n    If I am a credit card holder and all of a sudden, I find \nthat my credit card has been cancelled through no action of my \nown, which happened one time when I tried to present it at a \nrestaurant, and then 2 days later, after we called one of the \nmajor credit--that night when we tried to call them--well, \nfirst of all, my wife went on the internet to find out what our \naccount was, and our account was gone. Then they told us, well, \nthey would send us a card in a couple of days. Now, obviously \nthere had been some sort of a loss of security within their \noperation, but they didn't tell me what it was all about.\n    I suppose, so long as I didn't suffer anything beyond \nthat--however, if I had been traveling in the middle of the \ncountry and only had one credit card, I would have been in real \ntrouble. 
But they obviously didn't want to share with me \nwhatever that was; they believe that they took care of it \ninternally.\n    But members of the public might be a little skeptical if \nthere is this broad protection that no matter what the company \ninvolved with that information did, as long as they shared it \nwith the Government, they were protected from any liability, on \nthe one hand.\n    On the other hand, we want companies to come forward with \ninformation about how there has been an intrusion. We want that \nshared.\n    Where do we strike that balance? How do we strike that \nbalance from your point of view?\n    Ms. Schneck. So, thank you, Chairman Lungren, I will start \nout by saying I am not a lawyer. I surround myself with a lot \nand actually find it fun.\n    Mr. Lungren. Well, we have an abundance of lawyers here, so \nwe need some help.\n    Ms. Schneck. So, first, on the note of your lost account, \nit likely is somewhere in Romania, and we can help with that \nlater.\n    The issue is difficult at best from what we see. You said \nthe word that I would choose, and that is balance. So, first \nand foremost, we are not talking about sharing any kind of PII \nor private information.\n    This type of data looks at volumes of traffic, malicious \ncode, malicious code that we can say, at a human level and at a \nmachine level for a lot of math, looks the same for a variety \nof parameters. One might be an encryption algorithm that is not \ncommonly used, but, look, it is used here and it was used here \non the other side of the planet within the same 2 hours from \nmachines that have the same pattern of sending traffic.\n    That is the kind of data that our analysts and we call our \ncolleagues within the sector and across the critical \ninfrastructure sectors, and we reach out to the US-CERT. 
We \nreach out to the FBI National Cyber Investigative Joint Task \nForce with this kind of data of, and then it builds into a much \nbigger picture.\n    The analogy I would use is from my days working as an \nintern in a weather lab. If you see a lot of cold air above a \nlot of hot air with wind direction in the opposite waves at \ncertain levels from the altitudes and then an air pressure that \nis fairly low over a large region, any one of those things \ncould mean just a little storm. But if you put those together, \nand you have a tornado, high probability.\n    What we want to share is not the air temperature in every \ncounty; what we want to share is the people that need to leave \ntheir homes, and we need to be able to do that more quickly. So \nthere is a big picture that we draw.\n    The problem is when you share out that big picture, such as \nXYZ is happening in this sector, are we endangering the \ncompanies in those sectors that we have already protected, both \nelectronically as well as informing the humans in those \ncompanies, do we risk them having material shareholder issues? \nThis is such a new area for policy. That is the problem.\n    Mr. Lungren. Well, I would love to work with you and any \nlawyers that you might run into on that, because I do think \nthat we have to have a greater accessibility of information in \nboth directions, and sometimes liability issues will interfere.\n    Let me ask you this. You used a great analogy, you said \nvaccination doesn't work any more. Golly, I have McAfee on my \ncomputer, and I thought I had vaccinated myself against \nintrusions. Now you are telling me that my attempt at \nvaccinating myself, my computer system, isn't enough?\n    Ms. Schneck. First of all, any security provider that says \nyou are 100 percent safe, I would get rid of them.\n    Mr. Lungren. Well, McAfee has never told me that.\n    Ms. Schneck. All right. 
So, second, you are vaccinated \nagainst everything that we in the community know about.\n    The problem is the bad guy creates this code that changes \nitself, just like the flu mutates, so we worry about the new \nvaccine, in case your body can't deal with the mutation of the \ndisease and you get sick anyway.\n    What you are protected by with McAfee is the view of the \nwhole world now, so not just what we know about but what we are \nseeing happening right now. Believe it or not, you are able to \nbe protected against something that might have been developed \non the other side of the planet that comes in with a risk score \nso high it may not have a name, but you are going to block it.\n    That is the new paradigm we need, and it is not just our \ndata. We need the ability to combine our data with data from \nother sectors, across the energy sector. What is the energy \nsector seeing in cyber?\n    As a vision for the future, to Mischel's point, it will \nlook a lot different and a lot better in the future and we can \nleverage the power of the cloud that was mentioned by being \nable to put this kind of data together, infuse it into the \nfabric, and make things more intelligent.\n    Mr. Lungren. Thank you.\n    My time has expired.\n    The gentlelady from New York is recognized for 5 minutes.\n    Ms. Clarke. Thank you very much, Mr. Chairman.\n    Ms. Kwon, cyber intrusions affect the private sector even \nmore than Government networks. Some of these private networks \ninvolve critical infrastructures necessary for our society and \nour economy to function.\n    What can DHS do to foster better cybersecurity practices in \nthe private sector? Does DHS need regulatory or enforcement \nauthority for critical infrastructure sectors, and should the \nprivate sector be doing more on its own? If so, why isn't it \nhappening?\n    Ms. Kwon. 
Well, this has been always the very difficult \nquestion because our critical infrastructure is not owned or \noperated by the Government. Therefore, the Government does not \nhave any authority over the private sector.\n    What is needed here is better collaboration and better \ncommunication.\n    Whether regulation is needed or not, I am not a regulator. \nI am not in that kind of business. I am a technical geek by \nnature. So I will leave that decision to the lawmakers and the \nregulators.\n    But enabling us to more clearly communicate amongst the \nGovernment and the private sector and share that critical \nthreat information is actually--is very important. But even \nmore than that, DHS helping the security teams that work in \nthose critical infrastructure environments to communicate with \ntheir executives and their board members to enable the \nfinancing that needs to be put behind securing critical \ninfrastructure is critical and important and to helping them \naccomplish their mission.\n    Mr. Lewis. Can I just jump in on that one for a second? We \ndid a poll with McAfee recently, and it found that two-thirds \nof the electrical companies in the United States had found \nStuxnet on their system, two-thirds. Of those two-thirds, only \n40 percent had taken steps to remove it.\n    Does that make you feel good? Not me.\n    I think if we don't give DHS more authority, we will not \nsucceed at this, and I think CFATS might be a useful model to \nthink about.\n    Ms. Clarke. Thank you.\n    Dr. Schneck, your recent report on Chinese-sponsored \nhacking into our energy sector computers was very concerning. \nIs the industry now fully aware of this issue, and if so, have \nyou seen evidence that they have acted to protect themselves? \nIf not, why not, and where is the disconnect?\n    Ms. Schneck. So, on the question of, is the industry fully \naware, from reports like these that we have done with CSIS, we \nconsistently get surprise answers back. 
So, for example, \nsecurity spending last year went down with the recession, even \nthough awareness of the threat went up. So awareness and acting \nmay not always be related.\n    In addition, when you talk about being aware, although many \nare aware there is a threat, I think that both public and \nprivate can do a better job of explaining what that threat \nreally means. For example, you can have, you can have the \nmalicious code on your system, and it wouldn't be a threat, and \nthere are two cases why this is true.\n    One is, if you are not running any systems that that code \ncan actually access or use to your harm, you don't need to \nworry about that particular threat, so we need to do some risk \nanalysis, back to the comment earlier about looking to the CFOs \nand the risk people in each company; this is all a question of \nthe risk.\n    But the second thing is there is technology today that can \nsit very quietly on a system and just decide these X processes \nmay run, that is it. Anything outside of those processes simply \nshould not run. So we are working with our colleagues and our \npartners on how you embed this kind of technology into the big \ncomponent levels of industrial control systems, because we \ncan't always assume everyone is aware. This rose so quickly, we \ncan't make everyone aware, and we certainly can't predict the \nnext threat as quickly as the bad guy can send it.\n    You are leveraging the power of light. This is happening in \nbits and bytes at the speed of light. So what we can do is say, \nonly those authorized can act.\n    Ms. Clarke. Thank you.\n    Mr. Lewis, in your writings, you have talked a lot about \npublic-private partnerships for the cybersecurity mission. Can \nyou explain to us what roles you feel each side needs to play? \nWhat, for example, are the inherently Government functions, the \npublic side, and what components are best left for or even must \nbe left for the private sector?\n    Mr. Lewis. 
Thanks. That is a great question. The obvious \nplace to start for me is that development of technology has to \nbe left to the private sector, and they are just the masters at \nit. We have to let them do it.\n    A place where public-private partnership makes sense is on \ninformation sharing, and it is easy to get sort-of distracted \nby the numbers in information sharing, but basically, there is \na small set of companies that have, including McAfee and \nSymantec and others, the big telco operators, the big ISPs like \nComcast or Cox, put them together with DHS and with NSA, and we \nwill have a pretty complete picture of what is going on, on the \ninternet.\n    Now there are legal impediments to doing that, right, and \nthat is a harm to the ability to secure our Nation's networks. \nBut that kind of focused information sharing with a small group \nof companies is a perfect place for a public-private \npartnership.\n    On the other hand, there are some threats that only the \ngovernment can deal with. If we are talking about the Russian \nmilitary or the German military or al-Qaeda or the Iranian and \nNorth Korean military, that is a government response, and there \nis no company--the story I like to show is Google, greatest \ntechnology company in the world, some would say, didn't take \nthe Chinese very long to get through their defenses. There are \nsome things only government can do.\n    Mr. Lungren. The gentleman from the second-largest State in \nthe union, Mr. McCaul, is recognized.\n    Mr. McCaul. California is close behind, I might add.\n    Jim, it is great to see you again.\n    Dr. Schneck, thank you for your service on the commission \nas well.\n    I assure the Chairman that I was not personally responsible \nfor the 40,000 downloads of that report, but I will, I just \nwant to commend your leadership, which was far greater than \nmine, in really herding cats on some of the top experts in the \nNation, putting that report together. 
Perhaps we should call \nyou the bots herder in cyber terms, I don't know.\n    You know, 15,000 Federal intrusions take place per day, so \nyou are going to have 40,000 downloads over a period of a year \nor so, but 15,000 intrusions per day on the Federal Government. \nAs was pointed out, the three levels we always talk about is \nthe criminal aspect, the espionage and the warfare piece.\n    God knows how many are taking place in the private sector. \nI am sure it is far greater than that. When you look at the \namount of data that has been stolen from just the Federal \nGovernment alone, it rivals the Library of Congress, so it is a \nvery serious issue.\n    Jim, I just want to throw out just a very generic question. \nSince the time of the report, I think the threat level has \nincreased. Do you feel that we have made any progress, and do \nyou feel that in any way we are safer?\n    Mr. Lewis. Thank you, and I do want to say that I believe \nCongressman McCaul is right in that there were lots of clicking \nnoises late at night from both of our offices, but that wasn't \nthe cause of the downloads. So are we making progress? The \nanswer, I think, is, ``Depends.''\n    When you look at the Department of Defense, some tremendous \nefforts with the creation of Cyber Command. When you look at \nthe Department of Homeland Security, significant improvement. I \nthink you heard Phil describe that. Other departments, State, \nCommerce, have made some efforts.\n    So, overall as a Nation, OMB with its efforts to revise \nFISMA and to find a better way to secure Federal systems, those \nare all signs of progress, but it is not enough. We were behind \nwhen we started, as you know, and we have not caught up.\n    So do I feel like we were more secure? We were on the path \nto being more secure, and I think the work that this committee \nand others in Congress can do might get us there by 2012, but \nwe are not there yet.\n    Mr. McCaul. 
With respect to--I am sorry, Ms. Kwon.\n    Ms. Kwon. Yes. I just want to add something to that in that \nwe do spend a lot of time talking about the success of DHS, but \nI also want to say that there has been a lot of great success \namong the departments and agencies. They have, over the past \nseveral years, stood up several security operation centers and \nhave improved the security amongst some of the larger \ndepartments and agencies, and I think that needs to be \nrecognized.\n    I think a lot of that comes from the actual awareness that \nhas been brought to bear through the CSIS Commission and other \nefforts in getting the word out that cyber needs to be a \npriority.\n    But I do think, in looking towards the future and things \nthat we need to improve is improving that communication within \nthe Government on the Federal, civil, civilian side of the \nhouse, getting DHS to work more closely, not only with private \nsector but with the civil agencies, CIOs and CISOs and work \nthat improvement across the Federal space together.\n    Mr. McCaul. One thing I noticed both you, Ms. Kwon, and Jim \nmentioned was that DHS needs more authorities and that you, I \nthink you mentioned appropriate authorities must be given to \nUS-CERT. Can you be more specific?\n    Ms. Kwon. 
Well US-CERT does not--the authorities US-CERT \nhas today are centered around what they have with FISMA and the \nreporting that the departments and agencies must do with them.\n    The problem with that is reporting is simply reporting, \nworking together is not working together.\n    So being able to work from a position of authority during \nan incident with the departments and agencies, to request \ninformation from them, to have certain actions performed, it is \nvery important for them to have that authority over the space \nthey are trying to protect, and they don't have that authority \ntoday.\n    But in giving them the authority, they also have to have \nthe relationship with those departments and agencies. I think \nthat is where we are falling short; we are talking a lot about \nauthorities and more of a dictatorship and what we really need \nto have is a collaborative partnership with those departments \nand agencies so that they can take the actions needed in the \ntime of an event.\n    Mr. McCaul. I couldn't agree with you more on that.\n    You said something interesting that caught my attention \nthat I hadn't heard before, and that is that the nonprofit \ncould play a role in protecting the private sector.\n    Ms. Kwon. Well, I often find that private sector also has a \nproblem sharing with themselves. So sharing information about a \ncyber attack is very difficult. I mean, it goes to reputation. \nIt has financial implications. It can ruin and crush companies, \nas we have seen in the near recent past.\n    So it is important to be able to share. 
I think if we take \nthe Government out of the picture and allow private sector to \ncreate a nonprofit together and start that sharing with the \nGovernment as being a member but not the leader, I think we \nmight be able to find some success.\n    I also think that there are different levels of information \nthat we are talking about here, whether we are talking about \nbroad-threat information with attribution or whether we are \ntalking about technical TTPs, ways in which the malware works, \nthe actual code itself, how to detect it.\n    Being able to put together an organization that can share \nthose very granular, technical bits of information I think is \ncritical and important in moving forward and a way in which we \ncan do it circumventing some of the problems of law.\n    Mr. McCaul. I wanted to ask a question about Einstein-3, \nbut I see my time has expired.\n    Mr. Lungren. We might come back to you.\n    Mr. McCaul. Or somebody else. I would love a grade on \nEinstein-3. Maybe I will ask it in a written question.\n    Mr. Lungren. The gentleman from Louisiana, Mr. Richmond, is \nrecognized for 5 minutes.\n    Mr. Richmond. Thank you, Mr. Chairman.\n    I guess this question is to Mr. Lewis. You were here when I \nwas asking the question about the health, electronic health \nrecords and a baseline or a set of standards that we should \nhave, and I am looking at part of your testimony where we talk \nabout the smart grids and the voluntary approach.\n    I guess I am interested in your opinion on both with \nelectronic health records and the small grid and how vulnerable \nwe are, where we should be going and where we are today in \nlight of where we should be.\n    Mr. Lewis. Certainly. 
Thank you.\n    You know, a lot of times you will hear people say that we \ndon't know what standards to put in place and there are too \nmany standards or there are lots of standards, and that was \nprobably true a few years ago.\n    But we are now at the point where between our ability to \ncollect data, our ability to identify best practices, we can \nnow start to do things. We can now start to think of standards \nor mandatory best practices that would improve cybersecurity, \neither in health or in smart grids, in the electrical sector.\n    So I think we are on the cusp of being able to make that \nleap. You can look at places like the Department of State that \nhave put into place a set of standards that have been very \neffective.\n    In 2003, State lost 3 to 4 terabytes of information to an \nunknown foreign opponent who probably lived in China. Three or \n4 terabytes is about the equivalent of a third of the Library \nof Congress. Today that couldn't happen because they have \nidentified best practices and things you can do.\n    So I think we can say now, do this and we will be safer, \nright.\n    When it comes to actually putting those in place, HIPAA, \nvery old, very prescriptive regulations have immense drawbacks, \nand we need to find a more flexible approach.\n    Smart grids, well, it will take a while before it's secure, \nthat might be the nicest thing to say. It is not secure now.\n    People are trying hard, but as I think I mentioned in my \nwritten testimony, the process that the National Institute of \nStandards and Technology used was a consensus process of 475 \nmembers. One way to put that in perspective is that is about as \nmany people as there are in the Congress. Suppose you had to \nget every single person in the Congress to agree to a rule. It \nwould be a challenging exercise, and I think that is what is in \nfront of us.\n    We can come up with standards. 
It is possible to say what \nworks, but we don't have the processes in place to do that yet.\n    Mr. Richmond. Well, which is very long and especially when \nyou talk about the smart grid, and now I think that my utility \nis starting to experiment with smart meters on homes. Is that \njust as vulnerable?\n    Mr. Lewis. No, fortunately, because it means that an \nindividual home or perhaps a block of homes would be more \nvulnerable, right, because the smart grid itself can be hacked. \nBut it doesn't mean you will be able to hack the actual power-\ngenerating facility. It doesn't increase the vulnerability \nthere.\n    So are you as an individual more vulnerable? Yes. But as a \nNation, is our critical infrastructure more vulnerable? Not as \nmuch.\n    Mr. Richmond. It appears that in, I think it is just a \ngiven that we can accept is true, that this changes every \nminute, every second of every day, the risk assessment. I know, \nas a lawyer, the law changes a little less frequently, but we \nare required to do continuing education on changes in the law.\n    Is there an industry practice where the chief technology \nofficer or whoever is responsible for threat assessments, do we \nhave an industry standard or something where they stay up-to-\ndate with the new threats, new technology, and as it comes \nabroad? I am sure McAfee probably has it; they do it on their \nown. But what I am thinking about, just smaller businesses, to \nmake sure that they are aware of the seriousness of the \nthreats.\n    Mr. Lewis. I think we all want to talk on this one.\n    Ms. Schneck. So, thank you. I can speak for McAfee, and I \ncan speak for the colleagues with whom we work. I will leverage \na little bit of my experience.\n    A few years ago I ran, for about 8 years, the private-side \nsector of the FBI's InfraGard program. 
We grew that from 2,000 \nmembers to 33,000 members, bringing subject-matter experts \nacross the critical infrastructure sectors into relationships \nwith their Federal, State, and, most importantly, local \ncommunity law enforcement officers and Government officials to \nshare information about cyber and about all the sectors as they \nare all connected.\n    One of the things we learned very quickly is our small to \nmedium business base, about 60 percent of our GDP, was probably \nthe biggest beneficiary of these relationships because without \nthat, they don't have the access and the resources that we are \nprivileged to have in larger companies to educate our \nexecutives, to give our executives the time to go out and learn \nwhat is really outside of your four walls.\n    I would recommend that, not just our organization but \nothers, small to medium businesses, to your point, need to \neducate their executives on the crossover between the legal, \nthe policy, and the technical because it really--they work \ntogether so much now. The point was made, a beautiful point \nearlier, about how we are now focusing on the chief financial \nofficers and the risk officers.\n    When we need to tell a company not to sell something but to \nunderstand that there is a big risk, we go to the CEO or the \nCFO, so you will see law and policy, I believe, greater value \nplaced on that and more effused used in our businesses' future.\n    Mr. Richmond. Thank you, Mr. Chairman. I yield back.\n    Mr. Lungren. The gentleman from Missouri, Mr. Long, is \nrecognized for 5 minutes.\n    Mr. Long. Thank you, Mr. Chairman. Mr. Lewis, I don't \nunderstand if I understood you right, were you talking about \nCFATS program when you said we should emulate that? CFATS, can \nyou elaborate on that?\n    Mr. Lewis. Sure, I think it was in Phil Reitinger's \ntestimony as well. 
This is a program for the Department of \nHomeland Security that lets the Department set standards in \ncooperation with the operators and owners of chemical \nfacilities for anti-terrorism purposes to make the chemical \nfacilities more secure.\n    It is a little bit of a regulatory authority. It is a \nlittle bit of a partnership. CFATS is not a bad model, and \nthere are things that need to be fixed in it, I think, and \nthere are probably some issues on liability. But it is a way to \nsay to the companies, here is our goal, you need to make your \nnetwork secure and here are some hints, here are some \nsuggestions on how you can do that. But you can do whatever you \nthink is best to secure your networks. We have the ability to \ncome in and look and say is it actually working.\n    So CFATS, not a perfect model, but it is a little more \nflexible than a heavy-handed regulatory approach, and it does \nseem to have had some success.\n    Mr. Long. I, as a precautionary note, we had the folks from \nCFATS in a couple of weeks ago, and I asked them, after 4 years \nof their program and hundreds of millions of dollars, if they \ncould name their top three accomplishments, things they had \ndone. They said, well, Mr. Long, we would say, No. 1, we have \nidentified the problem. So I didn't listen too hard to 2 and 3. \nSo before we go dovetailing in and trying to emulate CFATS, I \njust want to make sure I understood which program you were \ntalking about.\n    Dr. Schneck, I think that you kind of answered my question \nthat I was going to ask you and on Mr. 
Richmond, however, I \njust wanted to for the record state that there is a small \nbusiness in my district, a title company, that had $400,000 \nelectronically removed, and we think, over the weekend, this is \nwithin the last 12 months, $400,000 removed from their bank \naccount, and we believe, the authorities are telling us, that \nit ended up in Pakistan.\n    When we had Secretary Napolitano in, I was asking her about \nif the Secret Service is the one that is in charge of that. She \ndidn't seem to think they were. The Secret Service had told us \nall please listen all along that they are. So I guess, is there \nany way small businesses like that can protect themselves? So \nyou did kind of cover part of it in Mr. Richmond's testimony.\n    Ms. Schneck. Absolutely. I think it is a good point to note \nalso, and Ms. Kwon made this point earlier, there are many \nagencies that work together in this cyber endeavor. The FBI or \nthe Secret Service, there are ways that they are \ninterconnected. I think sometimes when we name one agency over \nanother, we don't give enough credit to that point.\n    The Secret Service, not only part of DHS and their efforts, \nbut they are an integral part of the National Cyber \nInvestigative Joint Task Force, which I analogize a little bit \nto Noah's ark. There are one or two of each in that task force, \nso when we have a cyber investigation, we call them directly \nbecause I know that that data that we can share will get all \nacross the agencies more quickly than if I make 20 phone calls.\n    So the Secret Service or the FBI, one may be working it at \none point; the other organizations, like the US-CERT, the NCIC, \neverybody is engaged at that point.\n    There are things that small to medium businesses can do. My \nbest advice from personal experience driving news programs at \nthe local level as well, build those relationships before you \nneed them. You can meet your State Homeland Security officers. 
\nYou can meet your local police. You can meet--every FBI, every \nState has an FBI field office, some have more than one. Go in \nand meet, I would recommend, the cyber people, meet the Secret \nService people that work there. They are all friendly, and they \nreally do want that outreach.\n    DHS actually has a Protective Service Advisor Program, the \nCSAs. These are Federal employees that are positioned in each \nof our States. Some States, the bigger ones, have more than \nothers. Their job, part of their job is to know the community, \nknow the people there and know the mission of that State, and \nthose are also great people and know they can tie you directly \nback to DHS.\n    The resources are there. I don't think we as a country have \ndone enough to tell the smallest communities and the small to \nmedium businesses that they are available.\n    Mr. Long. Okay, thank you.\n    Ms. Kwon, for you, the large U.S. banks have tremendous \nsecurity setups, and they still get hit, and if the largest \nU.S. banks can't defend themselves, how are regulations that we \nare going to impose, or what can we do to help the small \nbusinesses?\n    Ms. Kwon. Well, this actually goes back to the question \nwith Mr. Richmond and is a very difficult question because \noften implementing defensive security is expensive and often it \nis not affordable for a small business or even a medium-sized \nbusiness, or in large corporations where large budget cuts have \nbeen seen over the past year, this is often a problem.\n    I do see the future of moving IT out of the individual \norganizations and into a hosted environment, into a cloud \nenvironment, is a good defensive mechanism for a lot of small \ncompanies. You are seeing a lot of that happening today, \nparticularly in health care, as we are going to electronic \nhealth care records.\n    You are seeing a lot of doctors moving to IT services \ninstead of hosting it in their own offices. 
That way the \nsecurity costs can be spread over many doctors' offices as \nopposed to being burdened with one. So I definitely see moving \nto new ways of implementing IT as a good solution for \nparticularly small businesses.\n    Mr. Long. Okay, thank you.\n    I yield back.\n    Mr. Lungren. I thank the gentleman for yielding back.\n    I thank the witnesses for your valuable testimony, both \nthis panel and the previous panel. You have both help us very \nmuch as we are on this journey to ask the right questions and \nto come up with some of the right answers and to see what the \nproper role of the Federal Government is in this and where \nregulation is appropriate, where cooperation is appropriate.\n    I have also wondered where the insurance industry is \nappropriate in this, since they seem to have a record for risk \nmanagement in the world, and how you join all those things \ntogether? Those are some of the things that we will be pursuing \nwith this subcommittee.\n    Some Members of the committee may have additional questions \nfor our witnesses, and I would ask you, if you would, to \nrespond to those in writing. The hearing record will remain \nopen for 10 days.\n    Without objection, the subcommittee stands adjourned.\n    [Whereupon, at 11:55 a.m., the subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n  Questions From Chairman Daniel E. Lungren of California for Philip \n                               Reitinger\n    Question 1. The various drafts of comprehensive cyber legislation \nthat have been circulating recently have attempted to re-organize the \nDepartment. In fact, the former Director of US-CERT states today in her \nwritten testimony that US-CERT should report directly to the Secretary.\n    Is this necessary?\n    What are the positives and negatives, as the Department sees them, \nto re-organization?\n    Answer. 
As detailed in the Quadrennial Homeland Security Review \n(QHSR), cybersecurity is a recognized and vital mission responsibility \nof the Department of Homeland Security (DHS). The United States \nComputer Emergency Readiness Team (US-CERT) is the operational \ncomponent of the integrated capabilities within the Department to \nsatisfy its cybersecurity responsibilities. US-CERT has an enhanced \nability to keep DHS informed about important cybersecurity events since \n2009. US-CERT provides watch, warning, and response functions through \nthe National Cybersecurity and Communications Integration Center to the \nGovernment and to our international and private sector partners. The \nUS-CERT provides daily input to the Secretary of Homeland Security. The \ncurrent reporting arrangement has proven successful through CyberStorm \nIII as well as all cyber events that have occurred over the past year.\n    Moreover, the QHSR was followed by the Bottom-Up Review (BUR), \nwhich included a plan for DHS to:\n\n``Increase the focus and integration of DHS's operational cybersecurity \nand infrastructure resilience activities. DHS has substantial \noperational cybersecurity responsibilities, which are inextricably \nintertwined with its responsibilities to manage all hazards risk to \ncritical infrastructure. DHS typically manages its operational \nresponsibilities through operating components. However, the majority of \nDHS's operational activities relating to cybersecurity and \ninfrastructure protection and resilience are currently administered by \nNPPD, which is designated as a DHS headquarters element. 
DHS will focus \nNPPD's activities on operations and more closely align cyber and \ncritical infrastructure protection and resilience efforts, in \ncooperation with the private sector, to secure cyber networks and make \ncritical infrastructure resilient.''\n\n    Thus, DHS is moving to increasingly integrate physical and \ncybersecurity operations across critical infrastructure. Isolating US-\nCERT from that integration could degrade the Department's ability to \nrespond to complex incidents.\n    Question 2. You mentioned in your statement that DHS signed an MOU \nwith DoD that ``aligns and enhances America's capabilities to protect \nagainst threats to our critical civilian and military computer systems \nand networks.'' How does this MOU benefit the private sector, if at \nall?\n    Answer. The Department of Defense (DOD) and the Department of \nHomeland Security (DHS) already work closely together, and this \nagreement formalizes a process to increase the ability of each agency \nto work in its mission space. In particular, DHS leverages DOD's \nsignificant technical capabilities through its National Security Agency \n(NSA). To support DHS activities in protecting Government civilian \nnetworks and critical infrastructure, DOD has collocated a Cryptologic \nServices Group and a Cyber Support Element at DHS's National \nCybersecurity and Communications Integration Center (NCCIC), the hub \nfor responding to domestic cyber incidents.\n    Through enhanced joint planning and better visibility into each \nother's operational processes, the Memorandum of Agreement (MOA) will \nincrease each agency's effectiveness and build on the capabilities of \neach. This in turn will enhance the response capabilities of both \nagencies while dealing with incidents that may affect the private \nsector.\n    The MOA does not alter existing DOD and DHS authorities, command \nrelationships, or other oversight relationships. 
The MOA will not \nextend DOD's cyber involvement with the private sector beyond its \ncurrent role. DOD already operates within DHS's National Infrastructure \nProtection Plan (NIPP) framework as the Sector Specific Agency for the \nDefense Industrial Base. Within the critical infrastructure and key \nresources community, DOD works directly with defense industrial base \npartners, DHS and Sector Specific Agencies (SSA), and other critical \ninfrastructure partners in developing plans to assist in reducing risk \nand better securing critical infrastructure information systems.\n    Moreover, the MOA provides a framework that enables DHS to fuse DOD \nand NSA information, through the NCCIC, with that of the private \nsector. This provides all parties with a more comprehensive situational \nawareness of cyber activity impacting the Nation, and permits all \nparties to respond more effectively to those threats.\n    Question 3. How is the OMB memo providing DHS with operational \nreview of Federal CIOs' compliance with FISMA going to affect the \ncybersecurity program within NPPD?\n    Will taking on such wide responsibilities alter the priorities \nwithin the cybersecurity mission? How will the cyber mission be \naffected?\n    Answer. Office of Management and Budget (OMB) Memorandum M-10-28 \n``outlines and clarifies the respective responsibilities and activities \nof OMB, the Cybersecurity Coordinator, and the Department of Homeland \nSecurity (DHS), in particular with respect to the Federal Government's \nimplementation of the Federal Information Security Management Act of \n2002 (FISMA).'' It assigns DHS immediate primary responsibility for the \noperational aspects of Federal agency cybersecurity with respect to \nFISMA, including, but not limited to:\n    1. Overseeing the Government-wide and agency-specific \n        implementation of and reporting on cybersecurity policies and \n        guidance;\n    2. 
Overseeing and assisting Government-wide and agency-specific \n        efforts to provide adequate, risk-based and cost-effective \n        cybersecurity;\n    3. Overseeing the agencies' compliance with FISMA and developing \n        analyses for OMB to assist in the development of the FISMA \n        annual report;\n    4. Overseeing the agencies' cybersecurity operations and incident \n        response and providing appropriate assistance; and,\n    5. Annually reviewing the agencies' cybersecurity programs.\n    The memorandum enables new, proactive protection activities, which \ncomplement the Department's pre-existing, reactive incident response \nactivities in the area of Federal Executive branch agency \ncybersecurity. While the United States Computer Emergency Readiness \nTeam (US-CERT) is already focused on detecting malicious activity and \nproviding incident response support, the new activities permit DHS to \nbetter understand the Federal Executive branch's cybersecurity posture \nfrom both an agency-specific perspective and on an enterprise-wide \nbasis. Examples of specific activities include: FISMA reporting to OMB \nbased on agency periodic reporting through the CyberScope platform; \nrecurring Cybersecurity Compliance Validation (CCV) program engagements \nwith agencies; and establishment of Government or private sector Shared \nService Centers (SSCs) and Blanket Purchase Agreements (BPAs) that \ndeliver cost-effective security solutions to Federal agencies and \nfurther permit those agencies to allocate limited resources to more \nmission-critical activities.\n    As it continues to implement the memorandum, DHS will conduct \nannual agency Chief Information Officer (CIO)/Chief Information \nSecurity Officer (CISO) interviews to maintain awareness of agency-\nspecific successes and challenges. 
Interview input enables DHS to \nbetter assess Government-wide and agency-specific needs and gaps, which \nultimately leads to establishing new, targeted capabilities or \nprocesses. DHS recently also began conducting CyberStat reviews with \nAgency CIOs and CISOs in coordination with the National Security Staff \nand OMB to assist agencies in defining action plans to improve FISMA-\nrelated cybersecurity capabilities.\n    Undertaken by the Federal Network Security (FNS) branch within DHS' \nNational Cyber Security Division, the activities pursuant to the \nmemorandum enable DHS and its agency partners to enhance their security \nposture before incidents occur. They also provide US-CERT with a \nclearer picture of an agency's networks, systems, and policies when \ninvestigating an incident and providing support.\n    Question 4. With regard to the private sector, the Department is \nstill more of a coordinator rather than a directive authority; is that \nan effective role?\n    Is the private sector being best served by DHS?\n    What additional authorities does the Department feel are necessary \nto better serve and protect the private sector, and especially critical \ninfrastructure?\n    Answer. The Department of Homeland Security (DHS) has a clear \nauthority to conduct analysis, develop mitigation plans, and provide \nwarnings with regard to cybersecurity. DHS serves the private sector \nin these capacities on a daily basis. However, nearly all of our \nprivate sector programs are built on voluntary participation. These \nprograms have provided valuable, timely, and actionable vulnerability \ninformation, risk assessments, and mitigation strategies to our private \nsector partners.\n    For instance, both the Cyber Security Evaluations Program and the \nControl Systems Security Program (CSSP) conducted more than 50 on-site \nvoluntary assessments in fiscal year 2010. 
Within CSSP, the Industrial \nControl Systems Cyber Emergency Response Team (ICS-CERT) provides on-\nsite support to owners and operators of critical infrastructure for \nprotection against and response to cyber threats, including incident \nresponse, forensic analysis, and site assessments. ICS-CERT also \nprovides tools and training to increase stakeholder awareness of \nevolving threats to industrial control systems. The United States \nComputer Emergency Readiness Team (US-CERT) also provides similar \nvulnerability, assessment, and mitigation information for private \nsector business networks, upon request. Similarly, a large number of \nprivate sector participants take part in the Cyber Exercise Program, \nincluding the recent Cyber Storm III. These exercises are designed to \nincrease the preparedness of individual participants, and across the \npublic-private response community as a whole.\n    Question 5. What is the goal 10-15 years down the road for dot-gov \nprotection?\n    Answer. Dot-gov protection is a complex, multi-enterprise issue. \nThe challenge for dot-gov protection increases as the complexity of the \nInformation Technology (IT) environment and the data and services \nconsumed become more distributed. The technologies used to manage \ninformation and to create services that defend information must evolve \nwith the larger environment.\n    Dot-gov protection must transition from network and signature-based \nsecurity to security that also incorporates information and user-\ncentric security. Government must adopt IT innovations that better \nserve Federal dot-gov users and the users who interface with Government \nsystems. 
To effect this transition, Government must make fundamental \nchanges in the following areas:\nSecurity Operations\n    Coordinated Risk Management.--Policy and standards must build on \nknowledge and experience drawn from various sources, including \nintelligence, law enforcement, industry, Government departments and \nagencies (D/As), and others. The Federal Government will continue to \nplay a significant role in the development of policy, standards, and \ncountermeasures.\n    Information Sharing.--Information sharing that ensures the rights, \nprivacy, and protection of individuals and their information is \ncritical--particularly with the continued expansion of cloud computing, \nsolutions as a service, and social networking.\n    Distributed Execution.--Distributed execution requires increased \npartnership with D/As and industry. D/As must continuously monitor \ntheir networks and hosts in order to provide insight into the health \nand status of Federal systems. Government relies on industry to: (1) \nBuild product capabilities that secure customers, (2) develop system \ncapabilities to provide increased capability to self-heal, and (3) \nprovide prevention-oriented solutions to seek out, detect, and protect \nthe user from malicious actors.\nTechnology Attributes\n    Identity Awareness.--Full protection of dot-gov requires \ndevelopment of ``identity awareness,'' which is a capability that \nprovides every component in the ``service chain'' with the ability to \nvalidate identity, ensure its authenticity, and provide access based on \nthe role of that identity.\n    Agility.--Advances in mobile computing, cloud-based systems, and \ntelework are posing new security challenges to the traditional concept \nof a static security perimeter protecting private Government systems \nand information. Government must be able to adapt as Government \ninformation is stored and accessed wherever an agency mission requires \nit. 
The security challenge associated with this agility is deciding \nwhich new risks are, or are not, acceptable when operating in a \ndynamic, mobile, and cloud-based computing environment, which may be \nonly partially under the agency's control.\n    Diversity.--In the past, Government agencies operated relatively \nhomogeneous computing environments; Intel-based workstations running \nMicrosoft operating systems were the norm. Now, we see a proliferation \nof device types (netbooks, smart-phones, and tablets) joining \ntraditional workstations and laptops. The industry development cycle is \nnow measured in months. We can't predict the next great device or \nprogram; however, we know the trend runs towards smaller, more capable, \nand cheaper devices. Furthermore, capabilities begin to blur as new \ngenerations of devices emerge. For example, we now judge phones on \ntheir ability to run applications and computers on their ability to \nmake calls. The security challenges associated with this diversity of \ndevices ultimately impact our ability to secure these devices without \ndegrading their capabilities.\n    Convergence.--As device diversity grows, we begin to see a \nconvergence in network space and functionality. Accessing dot-gov no \nlonger requires a user to sit in front of a computer. They may access \nour networks from any type of network, including traditional Ethernet, \ntelephone systems, cellular lines, or wireless networks. Gone are the \ndays when we could devise protections based on relatively stable, \npredictable network paths. The security challenge associated with this \nconvergence ultimately concerns our ability to secure these pathways \nwithout disrupting connectivity.\n    In order to address these changes, Government must partner with the \nprivate sector and academia to develop new security ideas. These new \nideas must be based on an information- and user-centric view that \nenhances new capabilities, rather than impeding them. 
These \nconsiderations are among those addressed in Enabling Distributed \nSecurity in Cyberspace: Building a Healthy and Resilient Cyber \nEcosystem with Automated Collective Action. This paper, recently \npublished by DHS, presents a five-level maturity model for ecosystem \nfocus and convergence that is associated with increasing agility and \nprovides an approach for achieving and employing these various levels. \nEcosystem maturity is further explored through a discussion of healthy \nattributes.\n    Source: http://blog.dhs.gov/2011/03/enabling-distributed-security-\nin.html.\n    Question 6. Are private sector entities responsive to the efforts \nthe Government makes with them to warn of threats and mitigate the \nconsequences of attacks?\n    Answer. Due to the variety of Department of Homeland Security (DHS) \nprograms and activities engaged in collaboratively improving \ncybersecurity, and the diverse nature of the private sector, private \nsector responsiveness varies considerably. Several examples of private \nsector responsiveness are outlined below.\n    United States Computer Emergency Readiness Team (US-CERT).--Formed \nin 2003, US-CERT is the operational arm of DHS' National Cyber Security \nDivision. US-CERT's mission is to lead and direct efforts to improve \nthe Nation's cybersecurity posture, coordinate cyber information \nsharing, and proactively manage cyber risks to the Nation while \nprotecting the Constitutional rights of Americans.\n    If a private-sector entity requests assistance from the Government, \nDHS may provide on-site or remote assistance to perform analysis and \nrecommend mitigation actions through US-CERT. This assistance, which is \nbased on a signed request for technical assistance, is designed to \nassist private sector entities in detecting the scope of the malicious \nactivity and determining mitigation actions to protect the system from \ncurrent and future attacks or breaches. 
In addition, US-CERT provides \nstandardized warning and mitigation information products to its private \nsector partners and constituents through its secure portal and through \nits public facing website.\n    The private sector's response varies depending on the entity and \ncircumstances. However, we have seen growing private sector interest in \nreceiving DHS on-site or remote analytical support. Some issues that \nmay inhibit private sector responsiveness include concerns about: (1) \nExposure of proprietary data; (2) prosecution or regulatory action; and \n(3) negative publicity.\n    Cyber Security Evaluations Program.--Since 2009, the National Cyber \nSecurity Division's (NCSD) Cyber Security Evaluations Program has \nconducted on-site assessments through its Cyber Resilience Review. In \n2010, NCSD deployed its first Cyber Security Advisor (CSA), located in \nthe mid-Atlantic region, to promote cyber preparedness, risk \nmitigation, and incident response. In this short period of time, it has \nbecome apparent that many critical infrastructure owners and operators \nhave a general awareness of cybersecurity issues, but only those \npartnering with fusion centers, the Federal Bureau of Investigation's \n(FBI) Infragard program, local communities-of-interest, or those that \nsubscribed to the United States Computer Emergency Readiness Team (US-\nCERT) informational products, routinely receive Government-provided \nthreat warnings. To date, only a limited set of owners and operators \nhave been directly engaged in assessments or other targeted \ncybersecurity activities.\n    Private sector entities, however, respond well when the Government \nsolicits their participation in specific initiatives and they readily \nwork with the Government to identify appropriate subject matter experts \nwithin their organizations. They also work with DHS personnel and other \nGovernment representatives to develop threat mitigations. 
For example, \nrecent Cyber Unified Coordination Group Integrated Management Team \noperations, under the National Cyber Incident Response Plan (NCIRP), \nused joint private-public partnerships to raise alerts, and to focus \nsubject matter expertise and create tractable risk mitigations.\n    Cyber Exercise Program.--Private sector partners repeatedly mention \nthat Cyber Storm and other DHS-sponsored exercises help improve their \nindividual and collective cybersecurity and incident response \ncapabilities. The number of private sector organizations that played in \nCyber Storm III represented a 75 percent increase over Cyber Storm II \n(from 40 to 70 participants). Private sector organizations also \nactively participated in initiatives resulting from Cyber Storm III, \nincluding development of the Cyber Storm III summary and observations \nreport, making edits to the NCIRP, and continuing active membership in \nthe Unified Coordination Group, an interagency and inter-organizational \ncoordination body that incorporates public and private sector \nofficials. Private sector organizations from three critical \ninfrastructure sectors already have engaged with NCSD to conduct \nfollow-on exercise activities that examine operational changes made as \na result of Cyber Storm III.\n    Control Systems Security Program.--The private sector has shown \ngrowing interest in the services of the DHS Control Systems Security \nProgram (CSSP), which works with public and private sector partners to \nimprove cybersecurity of critical infrastructure industrial control \nsystems. Since the advent of their activities, CSSP and the Industrial \nControl Systems Cyber Emergency Response Team (ICS-CERT) have grown in \nscope and received increasingly more requests for on-site incident \nresponse, assessments, control systems training, and other offerings. 
\nThe statistical trend from year-to-year indicates that the community as \na whole is showing an increased interest in the Government program. \nTheir interest also serves as an indicator of the effectiveness of the \nprogram's outreach and awareness efforts.\n    More specifically, ICS-CERT works on a voluntary basis with \ncritical infrastructure owner-operators to respond to and analyze \ncontrol systems related incidents, vulnerabilities, and threats. The \nteam can perform a comprehensive range of services and activities, \nincluding providing sophisticated analysis of malware and deploying \nfull fly-away teams. ICS-CERT incident response teams (also known as \nfly-away teams), which are routinely requested by the private sector, \ndeploy to critical infrastructure facilities bringing advanced and \nunique malware evaluation capabilities and leveraging our control \nsystems expertise and fused intelligence analysis. The team then works \nwith the company to develop and implement a mitigation plan to \neliminate the malicious activity and limit the risk of future \nincidents. The team appropriately addresses sensitive information using \nProtected Critical Infrastructure Information (PCII) protections and \nworks to mitigate any privacy and civil liberties issues. ICS-CERT is \nthen able to carefully aggregate and anonymize data about the incident \nand disseminate early warning alerts and advisories to critical \ninfrastructure owners and operators on a sector-by-sector basis. \nActionable alerts to our stakeholder communities include threat \ninformation, validated vulnerabilities, and related patches and \nmitigation strategies.\n    Once the ICS-CERT actively engages with a specific private sector \nentity via the voluntary incident response process, oftentimes the \ncompany will continue to implement the mitigation solutions that are \noffered, and, if needed, request additional support from DHS in the \narea of control systems security. 
Quite often these engagements evolve \ninto trusted long-term information-sharing relationships that benefit \nboth the Government and the private sector.\n    In addition to sending fly-away teams, DHS is also able to \nproactively work with companies to conduct cybersecurity assessments \nusing the Cyber Security Evaluation Tool (CSET). These no-cost \nassessments enable users to assess their network and ICS security \npractices against recognized industry and Government standards, \nguidelines, and practices. The assessment tool can be used \nindependently by the asset owner, or upon request, CSSP teams can \nassist with a full assessment on-site. The completed CSET assessment \nprovides a prioritized list of recommendations for increasing the \ncybersecurity posture of an organization's ICS or enterprise network \nand identifies what is needed to achieve the desired level of security \nwithin the specific standard(s) selected. The CSET has increased in \npopularity among our partners over the years; in 2010, for example, the \nCSSP conducted 50 on-site assessments spanning 12 critical \ninfrastructure sectors (including the Electric subsector) and is on \ntarget to complete 75 in fiscal year 2011. The tool is now publicly \navailable for download on the CSSP website, and countless copies of the \nCSET have already been handed out at conferences and other events.\n    CSSP also works closely with the Department of Energy Idaho \nNational Laboratory (INL) to provide cybersecurity training to private \nsector employees. The training consists of a weeklong class held at \nINL, instructing in cyber protection and intrusion mitigation \ntechniques. 
Response to the classes has been highly positive--thus far, \nDHS and Idaho National Labs have trained over 16,000 control system \nofficials, from chief executive officers to technical operators.\n    DHS has worked closely with the private sector as it expands its \ndiverse set of resources available to the private sector, including \nthreat and vulnerability situational awareness, risk assessment, and \nmitigation, and remote and on-site assistance. The trusted \nrelationships DHS has with the private sector--through engagements, \nworking groups, co-location on the NCCIC operations floor, and \noutreach--have allowed DHS to incorporate private sector input at every \nstep as we build our capabilities. Private sector engagement is a \ncornerstone of the Department's cybersecurity mission and we look \nforward to working with Congress to continue to improve private sector \noutreach efforts.\n    Question 7. How does the cloud, or computing as a service, change \nthe cybersecurity mission?\n    Is the Department prepared for the Government's effort to move more \nand more computing resources to ``the cloud''?\n    Answer. The cyber threat environment changes continuously as \nmalicious actors adjust their tactics and adopt new technologies. \nSimilarly, the evolution of network architectures necessitates a \ncybersecurity posture that is adaptable and focused on risk mitigation. \nRegardless of changes in network architecture, the Department of \nHomeland Security (DHS) will continue to execute its critical mission \nto create a safe and secure cyberspace.\n    Cloud computing, computing as a service, time-sharing, and utility \ncomputing raise many of the same security issues that emerged when \nshared computer services were created in the 1960's. Yet, the \ncybersecurity mission remains the same. The many advantages of cloud \ncomputing also create many security challenges. We can never eliminate \nall the risks inherent to cloud computing. 
Instead, we must accept that \ndiffering levels of acceptable risk will exist for different users. \nEven if private, community, and public cloud computing business models \nuse the same security techniques and tools, different business models \ncreate different security risk environments.\n    DHS encourages cloud computing providers to propose innovative \nsecurity solutions that effectively protect Federal systems, \ninformation, communications, and ultimately, the agency's mission.\n    DHS has avoided requiring providers to follow particular designs or \narchitecture for cloud computing. For example, due to a constantly \nevolving threat environment, the Federal Risk and Authorization \nManagement Program (FedRAMP) was established to provide a standard \napproach to assessing and authorizing cloud computing services and \nproducts. The National Cyber Security Division is actively \nparticipating in the FedRAMP development. FedRAMP allows joint \nauthorizations and continuous security monitoring services for \nGovernment and commercial cloud computing systems intended for multi-\nagency use.\n    These considerations are among those addressed in Enabling \nDistributed Security in Cyberspace: Building a Healthy and Resilient \nCyber Ecosystem with Automated Collective Action. This paper, recently \npublished by DHS, presents a five-level maturity model for ecosystem \nfocus and convergence that is associated with increasing agility and \nprovides an approach for achieving and employing these various levels. \nEcosystem maturity is further explored through a discussion of healthy \nattributes.\n    Source: http://blog.dhs.gov/2011/03/enabling-distributed-security-\nin.html.\nQuestions From Chairman Daniel E. Lungren of California for Gregory C. \n                               Wilshusen\n    Question 1a. In your testimony you comment how the Government is \nlacking a National cybersecurity strategy. 
I have three related \nquestions for that issue:\n    How is the lack of a National cybersecurity strategy hindering the \nGovernment-wide cybersecurity mission?\n    Question 1b. How, in your opinion, is it hindering DHS's \ncybersecurity mission?\n    Question 1c. How is it affecting the private sector?\n    Answer. The lack of an updated National cybersecurity strategy can \nhinder the effective implementation of the Government-wide \ncybersecurity mission. Our work has demonstrated the importance of \ncomprehensive strategies that specify overarching goals, subordinate \nobjectives, supporting activities, roles, and responsibilities, and \noutcome-oriented performance metrics, as well as time frames to help \nensure accountability and align agency activities with National \npriorities. National strategies help shape the policies, programs, \npriorities, resource allocations, and standards that can enable Federal \nagencies and other stakeholders to implement the strategies and achieve \nthe intended results. Without such an updated comprehensive National \nstrategy for cybersecurity, increased risk exists that our Nation will \nnot be able to obtain the desired posture against sophisticated \nthreats.\n    Our work has shown that Federal initiatives and efforts to improve \ninformation security have consistently fallen short of the mark. The \nfollowing are illustrative examples:\n  <bullet> In October 2010, we reported that only 2 of the 24 \n        recommendations in the President's May 2009 cyber policy review \n        had been fully implemented. 
Officials from key agencies \n        involved in these efforts attributed the partial implementation \n        status of the remaining 22 recommendations in part to the fact \n        that agencies had not been assigned roles and responsibilities \n        with regard to recommendation implementation.\\1\\ One of these \n        recommendations was to develop an updated National cyber \n        strategy; however, administration officials were unable to \n        provide a draft strategy or milestones for when the updated \n        strategy is to be finalized and issued. We concluded that \n        Federal agencies appeared to be making progress toward \n        implementing the recommendations, but lacked milestones, plans, \n        and measures that are essential to ensuring successful \n        recommendation implementation, including the development of an \n        updated strategy. We recommended that the National \n        Cybersecurity Coordinator (whose role was established as a \n        result of the policy review) designate roles and \n        responsibilities for each recommendation and develop milestones \n        and plans, including measures to show agencies' progress and \n        performance.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Cyberspace Policy: Executive Branch Is Making Progress \nImplementing 2009 Policy Review Recommendations, but Sustained \nLeadership Is Needed, GAO-11-24 (Washington, DC: Oct. 6, 2010).\n---------------------------------------------------------------------------\n  <bullet> Our examination of Federal efforts to address the global \n        aspects of cyberspace determined that the U.S. 
        Government had not documented a clear vision of how the international efforts of Federal entities, taken together, support overarching National goals and that the Federal Government had not forged a coherent and comprehensive strategy for cyberspace security and governance policy.\2\ As a result, the United States is hindered in promoting our National interests in the realm of cyberspace. We recommended that, among other things, the National Cybersecurity Coordinator develop with other relevant entities a comprehensive U.S. global cyberspace strategy. The coordinator and his staff concurred with our recommendations.
---------------------------------------------------------------------------
    \2\ GAO, Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance, GAO-10-606 (Washington, DC: July 2, 2010).
---------------------------------------------------------------------------
  • Our review of Federal cybersecurity research and development efforts found that among the most critical challenges was the lack of a prioritized National cybersecurity research and development agenda, which increased the risk that research and development efforts will not reflect National priorities, key decisions will be postponed, and Federal agencies will lack overall direction for their efforts.\3\ We recommended several actions, including developing such a National cybersecurity research and development agenda. The White House Office of Science and Technology Policy agreed with our recommendation and provided details on planned actions.
---------------------------------------------------------------------------
    \3\ GAO, Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development, GAO-10-466 (Washington, DC: June 3, 2010).
---------------------------------------------------------------------------
    The lack of an updated strategy can also affect the Department of Homeland Security's (DHS) and the private sector's cybersecurity efforts. While the existing strategy encourages action by private-sector owners and operators of cyber critical infrastructure, we testified in March 2009 that a panel of experts agreed that there were not adequate economic and other incentives (i.e., a value proposition) for greater investment and partnering in cybersecurity.\4\ The panelists also stated that the Federal Government should provide valued services (such as offering useful threat or analysis and warning information) or incentives (such as grants or tax reductions) to encourage action by and effective partnerships with the private sector.
---------------------------------------------------------------------------
    \4\ GAO, National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture, GAO-09-432T (Washington, DC: Mar. 10, 2009).
---------------------------------------------------------------------------
    In addition, we reported in July 2010 that public sector stakeholders from DHS and other entities stated that improvements could be made to the public-private partnership, including improving private sector sharing of sensitive information.\5\ We also reported that the expectations of private sector stakeholders were not being met by their Federal partners in areas related to sharing information about cyber-based threats to critical infrastructure. We concluded that the public-private partnership remained a key part of our Nation's efforts but without improvements in meeting public and private sector expectations, the partnership would remain less than optimal. As a result, increased risk existed that owners of critical infrastructure would not have the appropriate information and mechanisms to thwart sophisticated cyber attacks that could have catastrophic effects on our Nation's cyber-reliant critical infrastructure. We recommended that the National Cybersecurity Coordinator and DHS work with their Federal and private sector partners to enhance information-sharing efforts, including leveraging a central focal point for sharing information among the private sector, civilian government, law enforcement, the military, and the intelligence community. DHS officials stated that they have made progress in addressing these recommendations; we will be determining the extent of that progress as part of our follow-up efforts.
---------------------------------------------------------------------------
    \5\ GAO, Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed, GAO-10-628 (Washington, DC: July 15, 2010).
---------------------------------------------------------------------------
    Updating the National cybersecurity strategy can increase the likelihood of improving the cybersecurity posture of our Nation. Additionally, an updated strategy could help ensure accountability and align agency activities with the United States' long-term economic and National security interests, including globally promoting our National interests in the realm of cyberspace and ensuring that the Nation does not fall behind in cybersecurity and will be able to adequately protect its digital infrastructure. As the administration updates the current strategy, it needs to focus on clearly articulating goals and objectives, assigning roles and responsibilities, developing milestones, deploying sufficient resources, defining performance metrics, monitoring progress, and validating effectiveness of completed actions.
    Our responses to these questions are based on previous work that was performed in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Should you or your office have any questions on the matters discussed in this letter, please contact me.

      Questions From Chairman Daniel E. Lungren of California for Phyllis Schneck

    Question 1a. Although it's oft repeated, McAfee shared with us that when they discovered the Night Dragon attacks, those Federal agencies who were not contacted first, even maybe hours later, expressed their disapproval.
    How do you coordinate sharing the information with the Federal Government?
    Answer. We are committed to sharing threat information to help the U.S. Government gain a deeper insight into the threat landscape and respond to specific attacks. Toward this goal, we work closely with our customers to ensure that we adhere to our NDAs as required by the law. Once we are sure that we have met all of our obligations to our customers, we contact representatives in the various agencies with authority over cyber security. We do our best to contact all of the actors at the same time--whether in defense, civilian, or crime prevention institutions.
    Question 1b. Does there need to be a single source of contact?
    Answer. We believe that the information-sharing process is improving. A few years ago, we would experience, on a regular basis, a high degree of complexity and difficulty getting to all of the right decision makers in a timely way. We often found that agencies that had been briefed were unwilling to share information with their colleagues in other agencies. It generally took us 2 weeks to brief all of the officials in the agencies. More recently, we have found that the process is improving. During the recent Night Dragon event, we did one briefing, for instance, which included defense, NSA, and FBI officials. This was an example of an improved process.
    We understand how complex the information-sharing challenge is in the U.S. Government. Many rules regulate the way in which information sharing is done, and there are limitations on the types of information various agencies can share with each other. These limitations derive from law and agency regulations that seek to balance National security, domestic security, and privacy rights. Nevertheless, we would urge that some type of enhanced procedure be put in place to facilitate the ability of companies to share information in a manner that enhances their ability to share information in a rapid and efficient manner with the Government. Remediating cyber attacks is a complex, time-consuming process and the more rapidly the private and the public sectors can respond, the sooner our teams can ensure that vital information and systems are protected from additional attacks. Bringing down the response time from weeks to a few days would do much to enhance the security posture of our country.
    Question 2. In a briefing to staff, McAfee brought up the technique of "white listing" where a computer is essentially limited in what applications it could run, which could potentially limit malware from infecting a computer.
    Could you give us a little more information about the technique and how you see it being used most effectively?
    Answer. White listing technology ensures that only good executable code can run on protected systems. The technology is used to protect servers, endpoints, embedded devices, and mobile devices. It is used in many ATMs, point-of-sale terminals, and Supervisory Control and Data Acquisition (SCADA) systems. White listing technology narrows the scope of many embedded systems to ensure that an attacker can't install malicious code.
    White listing is one of the exciting technologies of the future because it can enable organizations to be much more proactive in protecting their systems--it gives them much more control because only good communications can be received. This contrasts in a considerable way with the older model of security, the anti-virus model, which is inherently defensive. This model is based on blocking malicious code and letting everything else into customer sites. This model has been breaking down for some time given the geometric growth in malware over the last few years. McAfee detected as much new malware in 2010 as we detected since the founding of our company 19 years ago. White listing is an important part of the cyber security solution moving forward.

      Questions From Chairman Daniel E. Lungren of California for James A. Lewis

    Question 1a. In some regulated industries, companies do only the minimum needed to stay compliant with the regulations. In the world of security, the minimum effort does not necessarily make one more secure.
    How does one prevent the "race to the bottom" in a regulatory regime?
    Question 1b. How do we change that culture of security to one not of mere compliance, but security?
    Answer. Doing the minimum would be an improvement from where we are now. That said, there are several measures that can be taken to prevent a "race to the bottom."
    The first is to increase transparency and reporting on the number of probes, breaches, or service disruptions of computer networks. By reporting on the number of security failures, we would be able to assess the effectiveness of regulations. The larger goal is to move companies to automatic monitoring of networks and to adopt something like the "IT Dashboard" OMB is putting in place for Federal networks. The Security Content Automation Protocol (SCAP) NIST is developing is an example of emerging approaches that could automate and accelerate cybersecurity efforts.
    The second would be to allow for some kind of "spot checks" of computer systems, random checks to see if computer networks were adequately secured. This is a standard law enforcement and regulatory technique, and could involve DHS or some outside auditor inspecting the adequacy of a company's cybersecurity efforts. The knowledge that a random check could be carried out would in and of itself encourage better compliance.
    A related goal would be to avoid defining compliance as a paper-driven process, where companies filed regular reports on performance. These are inadequate for several reasons, but the most important is frequency. Long annual written reports on compliance only benefit report writers. A better approach would be to require companies to immediately inform the appropriate agency when their networks have been successfully penetrated. This changes the metric for compliance. We want people to report failures and report the actions they have taken in response immediately. In this, a regulatory approach would be part of a larger effort to develop a broad understanding of the level and kind of malicious activities in cyberspace.

      Questions From Chairman Daniel E. Lungren of California for Mischel Kwon

    Question 1. In your written statement you advocate separating US-CERT, the operational arm, from the more policy- and coordination-driven NCSD. I'm interested in having you elaborate a bit more on that: How does separating elements of the cybersecurity mission benefit the Department and/or the private sector especially the critical infrastructure?
    Answer. US-CERT is an operational unit with a very important mission to support the Federal departments and agencies.
    (1) This mission is buried deep within DHS, which makes decision-making slow because of all the chains of command it must go through (NCSD, CS&C, NPPD). The operational mission is one that must be enabled to focus and act quickly.
    (2) US-CERT is often distracted and taken off this mission by the policy and coordination arm of NCSD.
    Cyber is a fast-moving space where nimbleness is important for success. It often takes US-CERT days, even weeks, to get approval for actions because of the need to go through NCSD, CS&C, NPPD, and then to get to the Secretaries' attention. As issues go through this chain they are often distracted by politics and other priorities and delayed further, or veered off from the operationally correct decision. US-CERT is often volunteered for programs and projects by the policy and coordination arm, thereby taking it off its core mission and into projects that are not planned for, budgeted for, or in the scope of their expertise.
    It is important for this operational mission to be clear. There must be a firm process for changing this mission. It cannot be constantly changing and moving at the whim of politics driven by a policy team seeking its own success at the price of US-CERT's.
    Today, US-CERT's clear mission--as stated in FISMA--is to support the Federal departments and agencies. If you were to ask the major departments and agencies how often US-CERT assists them, you will be surprised to find out that it is very little. US-CERT's focus is very fragmented and confused. It has been tasked by NCSD, CS&C, and NPPD to participate in a plethora of other projects that take US-CERT's understaffed, under-budgeted, and technology-limited National security operations unit far away from its legislated mission space.
    Question 2a. While you were with US-CERT, how often did you provide technical assistance to private sector entities?
    Answer. Once. This is not US-CERT's mission, nor do they have the expertise, staff, or budget to assist the private sector on a regular basis.
    Question 2b. Does the Department have an established process for private entities to request assistance?
    Answer. No.
    Question 2c. If so, how can it be improved? If not, what should it look like?
    Answer. If US-CERT is to take on the mission of assisting private sector entities it would have to have an increase in budget, staffing, and tools. Currently, it is not their mission to assist private sector entities.
    Question 3a. In your testimony, you stated that virtualization through "cloud" technologies is the future for information technology infrastructures.
    What are the security risks of moving systems and applications to the "cloud"?
    Answer. The security risks are similar to those of any IT infrastructure. The key here is that moving to the "cloud" is an opportunity to bake security in, build it more securely, and revitalize IT infrastructure and share in the cost of better security mechanisms.
    Question 3b. Will we be more secure or less secure from cyber attacks?
    Answer. It depends. If the opportunity to improve security is taken, it could be more secure, if not . . . no.
    Question 3c. If the Federal Government and private companies are moving to the "cloud," what precautionary measures should be taken to maintain the integrity of these information systems?
    Answer. First and foremost, we should be looking at new security technologies. Technologies where we can cleanse the known malware from the infrastructure layer. We need to move to technologies that allow us to understand what is good and what is bad. We need to move away from signature-based tools where we have to be infected first in order to detect the attack. We must move to a more defensive posture where the attacks can be detected and stopped on the infrastructure layer, before they reach the users.
    Question 4a. In your testimony you discussed the stalemate of cooperation and information sharing with the private sector as a result of procurement, privacy, and proprietary information issues.
    Answer. First it must be understood that most networks have already been compromised. It is actually the rare few who identify the intrusions. With this in mind, we must not take a position of punishment for those who identify the problems, but we must assist. We cannot allow cyber attacks to defeat our private or public sector entities.
    Question 4b. What actions need to be taken to aggregate shared information about known cyber vulnerabilities from the private sector?
    Answer. I'm not sure cyber vulnerabilities are the problem. We know about millions of vulnerabilities. We need to understand more about the attacks. As a community--whether we are private or public--we need to know more about the details of the attack that would enable detection. Not the "who", not the "what" was taken, but the TTPs, the Tactics, Techniques, and Procedures the attackers use. I believe, for both private and public, we need an autonomous entity (I referred to this in my testimony as a non-profit organization) that can take anonymous TTP information and make it available for others to use.
    Question 4c. What other measures should be taken to encourage the private sector's willingness to share information?
    Answer. There are a few places where this can be improved for both private and public sectors.
    (1) Take the attacks and the responses out of the public and press. You must take the reputational damage issue off the table.
    (2) Lower the liability concerns.
    (3) Have an anonymous way to share.

</pre></body></html>