[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
THE DHS CYBERSECURITY MISSION: PROMOTING INNOVATION AND SECURING
CRITICAL INFRASTRUCTURE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
APRIL 15, 2011
__________
Serial No. 112-19
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
72-229 WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Daniel E. Lungren, California Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Michael T. McCaul, Texas Henry Cuellar, Texas
Gus M. Bilirakis, Florida Yvette D. Clarke, New York
Paul C. Broun, Georgia Laura Richardson, California
Candice S. Miller, Michigan Danny K. Davis, Illinois
Tim Walberg, Michigan Brian Higgins, New York
Chip Cravaack, Minnesota Jackie Speier, California
Joe Walsh, Illinois Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania Hansen Clarke, Michigan
Ben Quayle, Arizona William R. Keating, Massachusetts
Scott Rigell, Virginia Vacancy
Billy Long, Missouri Vacancy
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Mo Brooks, Alabama
Michael J. Russell, Staff Director/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Daniel E. Lungren, California, Chairman
Michael T. McCaul, Texas Yvette D. Clarke, New York
Tim Walberg, Michigan, Vice Chair Laura Richardson, California
Patrick Meehan, Pennsylvania Cedric L. Richmond, Louisiana
Billy Long, Missouri William R. Keating, Massachusetts
Tom Marino, Pennsylvania Bennie G. Thompson, Mississippi
Peter T. King, New York (Ex (Ex Officio)
Officio)
Coley C. O'Brien, Staff Director
Alan Carroll, Subcommittee Clerk
Dr. Chris Beck, Minority Subcommittee Director
C O N T E N T S
----------
Page
Statements
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable Yvette D. Clark, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies................................................... 3
Witnesses
Mr. Sean McGurk, Director, National Cybersecurity and
Communications Integration Center, Department of Homeland
Security:
Oral Statement................................................. 5
Prepared Statement............................................. 7
Mr. Gerry Cauley, President and CEO, North American Electric
Reliability Corporation:
Oral Statement................................................. 15
Prepared Statement............................................. 16
Ms. Jane Carlin, Chair, Financial Services Sector Coordinating
Council:
Oral Statement................................................. 20
Prepared Statement............................................. 22
Mr. Edward Amoroso, Senior Vice President and Chief Security
Officer, AT&T:
Oral Statement................................................. 34
Prepared Statement............................................. 35
THE DHS CYBERSECURITY MISSION: PROMOTING INNOVATION AND SECURING
CRITICAL INFRASTRUCTURE
----------
Friday, April 15, 2011
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 10:08 a.m., in
Room 311, Cannon House Office Building, Hon. Daniel E. Lungren
[Chairman of the subcommittee] presiding.
Present: Representatives Lungren, McCaul, Meehan, Marino,
Clarke, and Richardson.
Mr. Lungren. The Committee on Homeland Security
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order.
I apologize for being a few minutes late. We had a special
Republican Conference.
We are supposed to have votes at 10:15 and then at 11:15
and then at 12:15. So we will be bopping back and forth between
those. Actually, they are single votes, I think, so we can come
right back after that. So I apologize to our panel.
We have had a slightly different schedule so that we would
not have interrupted hearings, but today is a little bit of a
different day. We are only going to vote on visions of the
budget for this coming year and the next 10 years, and this
week we get to talk about trillions instead of billions. So it
is just small votes that we have got today. I am sorry that
that will take us away, but I do thank you for being here.
Today, the subcommittee will examine the relationship
between the Department of Homeland Security and the owners and
operators of critical infrastructure. What is working well,
what could be done better, and how to improve in the future.
So we are meeting today to hear testimony from Sean McGurk,
the Director of National Cybersecurity and Communications
Integration Center, or NCCIC--once we start with all these
initials, it gets confusing, so I will try to stay away from
that as much as possible--Gerry Cauley, President and CEO of
North American Electric Reliability Corporation; Jane Carlin,
Chair of the Financial Services Sector Coordinating Council;
and Dr. Edward Amoroso, the Senior Vice President and CSO of
AT&T.
This is an important hearing, so important I had a nice
long statement. But because of the time that we have, I will
have my statement entered for the record and recognize my
Ranking Minority Member of the subcommittee, the gentlelady
from New York, Ms. Clarke, for any statement she may have.
[The statement of Mr. Lungren follows:]
Prepared Statement of Chairman Daniel E. Lungren
April 15, 2011
Welcome to the second in our series of cybersecurity hearings.
Today's hearing will focus on ``the Department of Homeland Security's
Cybersecurity Mission.''
Homeland Security Presidential Directive 7, issued on December 17,
2003 outlines our National policy for Federal departments and agencies
to partner with the private sector to identify and prioritize United
States critical infrastructure and key resources and to protect them
from terrorist attacks. The Secretary of Homeland Security was given
the responsibility for ``coordinating the overall National effort to
enhance the protection of the critical infrastructure,'' whether owned
and operated by the public or private sector. With the private sector
owning more than 80% of the Nation's critical infrastructure, the DHS-
Private Sector relationship is crucial.
As stated in our previous subcommittee hearing on March 16,
information networks and computer systems face a combination of known
and unknown vulnerabilities, strong and rapidly expanding adversary
capabilities, and a lack of comprehensive threat and vulnerability
awareness. A successful attack on our power grid or our communications
networks could not only cripple our economy but threaten our National
security.
Under current law the vast majority of critical infrastructure fall
outside the Department's direct cybersecurity regulatory authority.
Under the Homeland Security Act of 2002, the Department was authorized
to provide, upon request, analysis and warnings related to threats and
crises management support to private sector owners and operators of
critical information systems. They can also provide technical
assistance to the private sector with respect to emergency recovery
plans when responding to major failures of critical information
systems. The Department does not have the ability to require the
private sector use of any particular cybersecurity processes or tools.
In this environment of ever-changing technology and innovation, I
believe this is sound policy.
It is important to note that just because the Department can not
directly regulate the cybersecurity requirements of various sectors
that the private sector is completely unregulated. The electric power
sector has had mandatory cybersecurity standards in place since 2008
and Sarbanes Oxley Act requires all publically traded companies certify
that they have proper internal controls in place on their financial
accounting systems. This requirement, in essence, equates to requiring
proper cybersecurity in their IT/Finance systems.
Without direct regulatory authority, the Department exercises much
of its responsibility for securing private critical infrastructure as a
coordinating agent. The Department has established a number of
cybersecurity functions and services to help in its role as
coordinator. The National Cybersecurity and Communications Integration
Center (NCCIC) enables the Department to bring together its Federal
partners as well as members of the private sector to integrate
information and provide the focus of cybersecurity operations for the
entire Federal Government. I was privileged to be invited to the
ribbon-cutting ceremony for this cybersecurity and communications
integration center which we all hope will become the model for a
successful public-private cybersecurity partnership.
The public-private partnership remains a key part of the Nation's
efforts to secure and protect its critical cyber-reliant
infrastructure. While criticized by some, it is still evolving since
its inception a decade ago. Because of the leadership of NPPD Under
Secretary Rand Beers and Deputy Secretary Phillip Reitinger, the
Department has strategically positioned cybersecurity resources and
assets in an effort to develop a more trusted and mutually beneficial
public-private partnership that is needed to defend cyberspace. Without
ownership, partnership is the next best thing for promoting
cybersecurity and protecting our critical infrastructure. If properly
developed and implemented, the public-private partnership cybersecurity
model can be leveraged to improve the culture of security and the
willingness of the private sector to make the necessary investments to
secure their critical infrastructure.
With all this cyber expertise, is the Department making a real
difference in defending critical infrastructure? Are they protecting
Government and private sector cyber space and responding effectively to
cyber attacks? Are they assisting the private sector in detecting,
defending, and recovering from cyber attack? Is the Department making
available to its partners the critical threat information they need to
protect their networks?
Today we will hear from the Homeland Security Department and a
number of key economic sectors, whose critical infrastructure is vital
to maintaining our robust economy, on how this public-private
partnership is progressing.
I now recognize the Ranking Member Ms. Clarke for her opening
statement.
Ms. Clarke. Thank you very much.
Good morning and thanks to all of our witnesses for
appearing before us today. I would like to thank you, Chairman
Lungren, for holding our second hearing on cybersecurity this
session and for your intention to move expeditiously on what I
know we both recognize as a critical issue. I know Mr. Lungren
takes this responsibility as seriously as I do, and I look
forward to partnering with him again over these 2 years to
ensure the safety and security of the American people, American
businesses, American infrastructure, and the American way of
life.
Today's hearing will focus on our critical infrastructure
sectors, their cybersecurity posture, and the DHS role in
helping them to be as secure and simultaneously as open and as
efficient as possible.
We rely on information technology in every aspect of our
lives, from our electric grid, financial and communication
systems, and Government functions, to name just a few that our
witnesses here today represent. Interconnected computers and
networks have led to amazing developments in our society.
Increased productivity, knowledge, services, and revenues are
all benefits generated by our modern, networked world.
But in our rush to network everything, few stop to consider
the security ramifications of this new world we are creating;
and so we find ourselves in a very vulnerable situation today.
As I stated at our last hearing, too many vulnerabilities exist
on too many critical networks which are exposed to too many
skilled attackers who can steal from or damage too many of our
systems. Unfortunately, to this day, too few people are even
aware of these dangers, and fewer still are doing anything
about it.
This committee will continue to discuss and examine these
issues in an attempt to raise awareness of the problems we
face, and we hope to identify and implement practical and
effective solutions. There is a very real and significant
threat to our National and economic security that we now face
in cyberspace, and we must do something equally real and
significant to meet this challenge.
As I noted at our hearing last month, we are expecting that
this committee is eager to see a National cybersecurity
strategy from the White House to be released very soon. I also
stated at our last hearing that the Department is finalizing
its National security incident response plan and will also
include a cybersecurity strategy, as called for in the 2010
Quadrennial Homeland Security Review.
Mr. McGurk I hope to hear some good news from you on these
items, because we can't keep waiting for these things. The
Congress is interested in moving legislation to afford DHS the
authority it needs to protect the dot-gov domain and critical
infrastructures in the private sectors. Hopefully, we are
downplaying these Government shutdown games here in Congress,
and we will get on to the business that our constituents
elected us to do.
This cybersecurity issue is complicated, and no one entity
or approach will work. I firmly believe that the U.S.
Government and the private sector must be full partners in this
effort; and both must accept their share of burden,
responsibility, and cost of our combined security.
The intention behind this hearing is to focus on the
protection of the critical infrastructures that sustain our
lives and our economy. These infrastructures are under constant
attack. Cybercrime alone costs this country billions of dollars
a year. We know that our Government networks are attacked tens
of thousands of times per day, and private sector networks are
attacked even more often. We know that our critical
infrastructures are already compromised and penetrated. We need
to absorb this information, get up to speed quickly, and move
forward to address this issue. We have to start protecting
ourselves before an attack big enough to cause irreparable
damage is carried out.
To the witnesses appearing before us today, I thank you for
being here, and I welcome your thoughts on the issues before
us, including what you think an effective National
cybersecurity policy should look like and especially the
critical details needed to make this public-private partnership
work. Chairman Lungren and I intend for this subcommittee as
well as the full committee to play a leading role in shaping
our National cyber posture in the years to come.
Finally, I would like to thank Dr. Chris Beck for his hard
work on behalf of this subcommittee. Dr. Beck has worked
tirelessly on chemical security legislation. He will be leaving
the subcommittee and will be missed.
Thank you, Mr. Chairman; and I yield back.
Mr. Lungren. Thank you very much.
I appreciate the comments, and I would echo the statements
that you made about Dr. Beck. I know he will still be around in
town, and we will be able to see him.
Other Members of the committee are reminded that their
opening statements may be submitted for the record.
We are now pleased to have a very distinguished panel of
witnesses before us on this important topic.
Sean McGurk has over 32 years of experience in advanced
systems operations and information systems security. He joined
DHS in 2008 after a full career in the Navy. He was named
Director of the Control System Security Program and led the
Industrial Control Systems Computer Emergency Response Team
prior to leading NCCIC. NCCIC is a 24-by-7 integrated
cybersecurity and communications operation center, providing
indications and warnings of incidents through cross-domain
situational awareness. It is a hub of information sharing
amongst various Government agencies as well as private-sector
stakeholders.
Gerry Cauley is President and Chief Executive Officer of
the North American Electric Reliability Corporation.
Previously, he served as President and Chief Executive Officer
of the SERC Reliability Corporation, a nonprofit corporation
responsible for promoting and assessing the reliability and
critical infrastructure protection of the bulk power system in
16 southeastern and central States.
Prior to that, Mr. Cauley worked for NERC for 10 years in
positions of increasing responsibility, ultimately as Vice
President and Director of Standards. He was instrumental in
preparing NERC's application to become the electric reliability
organization and spearheaded their development of an initial
set of standards to ensure the reliability of the bulk power
system in North America.
He is also a lead investigator of the August, 2003,
northeast blackout and coordinated all aspects of the NERC Y2K
program, supervising the reporting and readiness of 3,100
electric organizations in the United States and Canada.
Jane D. Carlin, Chair of the Financial Services Sector
Coordinating Council for Critical Infrastructure Protection and
Homeland Security. But in her spare time she is Managing
Director of Morgan Stanley and Global Head of Operational Risk
Management, Business Continuity, Information Security, and Risk
and Insurance Management.
Ms. Carlin has concentrated on legal and risk issues in
banking and investment banking related to international and
domestic securities, derivatives, and commodities as well as
foreign exchange. She received her J.D. from Benjamin Cardoza
School of Law and her B.A. from the State University of New
York at Stony Brook.
Dr. Edward Amoroso is presently Senior Vice President and
Chief Security Officer for AT&T, where he is directly
responsible for managing the day-to-day information, computer,
and network security protection of AT&T's vast global
infrastructure. He and his team of security engineers,
developers, researchers, and consultants design and manage all
security policy, security regulatory issues, scanning,
firewall, intrusion detection, data fusion, anti-virus, anti-
spam, instant response, emergency response, and other
protection systems for the corporation and its customers. He
also directs the design and development of AT&T's rich
portfolio of managed and customized security services for
business and Government clients.
We would ask each of you to try to limit your remarks to
about 5 minutes. We have your prepared remarks. They will be
entered in as a part of the record.
As I say, we probably will have to break and go and vote
and then come back. I am going to see if we can get the opening
statements finished before we have to go vote.
So, Mr. McGurk, you are asked to please give us your best
shot for 5 minutes.
STATEMENT OF SEAN MCGURK, DIRECTOR, NATIONAL CYBERSECURITY AND
COMMUNICATIONS INTEGRATION CENTER, DEPARTMENT OF HOMELAND
SECURITY
Mr. McGurk. Thank you Chairman Lungren, Ranking Member
Clarke, and distinguished Members of the committee. My name is
Sean McGurk, and I thank you for those kind opening words and
introduction.
I also thank you for inviting me to be part of this very
distinguished panel of experts to discuss the challenges
associated with innovation and securing critical
infrastructure.
Recently, Deputy Under Secretary Reitinger testified before
this panel, and the Department greatly appreciates the support
and the guidance that we have been receiving in completing our
essential mission.
As several of the distinguished Members of the committee
have already mentioned, the cyber environment is not a
homogenous environment under a single department, agency, or
private-sector entity. The National Infrastructure Protection
Plan identifies the 18 sectors of the critical infrastructure,
each being unique and diverse. In fact, in many facilities, two
operating plants under the same control of an organization have
completely different network environments. We rely on these
continuously available services for our vast way of life and
the interconnected critical infrastructure to sustain those.
Successful cyberattacks against these systems could potentially
result in a physical damage or loss of life.
We face many challenges--strong and rapidly expanding
adversary capabilities, a lack of comprehensive threat and
vulnerability awareness--and in these efforts we must support
our private-sector partners in securing the systems and
themselves against these malicious activities.
The Government does not have all the answers, so we must
work closely with the private sector to ensure that we have
identified the vulnerabilities and the risks to the critical
infrastructure. There is no one size fits all. There is no
cyber Maginot Line that will enable us to provide security
across the board.
What I have learned in my experience both in the United
States Navy and as a member of the Department in over 34 years,
it is not all about 10-pound brains or bigger guards, gates,
and guns that gets the job done. It is about involving a very
broad audience and sharing information and building a
collective body of knowledge. We must leverage the Government's
expertise and our access to information, including classified
data, along with industry-specific needs, capabilities, and
timelines. Each partner has a role to play and a unique
capability that adds value to the team.
In a recent example involving two-factor authentication, we
worked closely with our law enforcement partners to identify
and hopefully potentially prosecute those responsible. We
worked with the intelligence community and the military to
attribute the activity and also to provide defensive capability
and potential pursuit.
The Department of Homeland Security's primary focus is on
mitigation and risk protection of systems, working closely with
the private sector. In this particular example, we have
representatives from the financial sector, the communications
sector, the energy sector, and the IT sector working on a broad
mitigation strategy to aggressively address those challenges.
We are looking to prepare, prevent, respond, recover, and
restore in the Department's role.
Coordinating a National response under the National cyber
incident response plan enables us to bring these private-sector
partners to the table and their subject matter expertise to
determine the ``what'' and the ``how'' to protect these
networks and not necessarily worry about the ``who'' and the
``why'' until much later.
The NCCIC closely works with all Government agencies and
the private sector through our partnership model. We have
representatives from the Communications Information Sharing and
Analysis Center, along with companies such as AT&T. The IT,
ISAC, and the financial services sector are all physically
represented on the watch floor. We are finalizing our agreement
with the North American Electric Reliability Corporation and
the energy sector ISAC to have full-time support on the watch
floor as well.
In addition, working with our State, local, Tribal, and
territorial partners through the multi-State Information
Sharing and Analysis Center, we can virtually reach out to each
of the States and localities to ensure that they are fully
aware of the cyber vulnerabilities and risk mitigation
strategies that are being developed.
In conclusion, within our current legal authorities we
continue to engage, collaborate, and provide analysis,
vulnerability, and mitigation assistance to the private sector.
We have the experience and the expertise in dealing with the
private sector in planning steady state and crisis scenarios.
In support of that we deploy numerous incident response and
assessment teams that enable us to help prevent, prepare, and
recover from these cyber impacts.
Finally, we work closely with the private sector and our
interagency partners in law enforcement and intelligence to
provide a full complement and capabilities for preparation for
and in response to significant cyber events.
Chairman Lungren, Ranking Member Clarke, and distinguished
Members of the subcommittee, let me conclude in reiterating
that I look forward to exploring the opportunities to support
this mission and collaborate with the subcommittee and my
colleagues in the public and private sectors.
Thank you again for this opportunity, and I would be happy
to stand by and answer any of your questions.
[The statement of Mr. McGurk follows:]
Prepared Statement Sean P. McGurk
April 15, 2011
introduction
Chairman Lungren, Vice Chairman Walberg, Ranking Member Clarke, and
distinguished Members of the subcommittee, it is a pleasure to appear
before you today to discuss the Department of Homeland Security's (DHS)
cybersecurity mission. Specifically, I will discuss the Department's
cybersecurity mission as it relates to critical infrastructure and our
coordination of this mission with the private sector.
Deputy Under Secretary Philip Reitinger recently testified before
this subcommittee, and I would like to reiterate the Department's
desire to work more with you to convey the relevance of cybersecurity
to average Americans. Increasingly, the services we rely on in our
daily life, such as water distribution and treatment, electricity
generation and transmission, health care, transportation, and financial
transactions depend on an underlying information technology and
communications infrastructure. Cyber threats put the availability and
security of these and other services at risk.
the current cybersecurity environment
The United States faces a combination of known and unknown
vulnerabilities, strong and rapidly expanding adversary capabilities,
and a lack of comprehensive threat and vulnerability awareness. Within
this dynamic environment, we are confronted with threats that are more
targeted, more sophisticated, and more serious.
Sensitive information is routinely stolen from both Government and
private sector networks, undermining confidence in our information
systems and the sharing of information. As bad as the loss of precious
National intellectual capital is, we increasingly face threats that are
even greater. We face threats that could significantly compromise the
accessibility and reliability of our information infrastructure.
Malicious actors in cyberspace, including nation states, terrorist
networks, organized criminal groups, and individuals located here in
the United States, have varying levels of access and technical
sophistication, but all have nefarious intent. Several are capable of
targeting elements of the U.S. information infrastructure to disrupt,
or destroy systems upon which we depend. Motives include intelligence
collection, intellectual property or monetary theft, or disruption of
commercial activities, among others. Criminal elements continue to show
increasing levels of sophistication in their technical and targeting
capabilities and have shown a willingness to sell these capabilities on
the underground market. In addition, terrorist groups and their
sympathizers have expressed interest in using cyberspace to target and
harm the United States and its citizens. While some have commented on
terrorists' own lack of technical abilities, the availability of
technical tools for purchase and use remains a potential threat.
Malicious cyber activity can instantaneously result in virtual or
physical consequences that threaten National and economic security,
critical infrastructure, public health and welfare. Similarly, stealthy
intruders can lay a hidden foundation for future exploitation or
attack, which they can then execute at their leisure--and at their time
of greatest advantage. Securing cyberspace requires a layered security
approach across the public and private sectors.
We need to support the efforts of our private sector partners to
secure themselves against malicious activity in cyberspace.
Collaboratively, public and private sector partners must use our
knowledge of information technology systems and their interdependencies
to prepare to respond should defensive efforts fail. This is a serious
challenge, and DHS is continually making strides to improve the
Nation's overall operational posture and policy efforts.
cybersecurity mission
No single technology--or single Government entity--alone can
overcome the cybersecurity challenges our Nation faces. Consequently,
the public and private sectors must work collaboratively. Cybersecurity
must start with informed users taking necessary precautions and extend
through a coordinated effort among the private sector, including
critical infrastructure owners and operators, and the extensive
expertise that lies across coordinated Government entities. In addition
to leading the effort to secure Federal Executive Branch civilian
departments and agencies' unclassified networks, the National
Protection and Programs Directorate (NPPD) within DHS is responsible
for the following key cybersecurity missions:
Providing technical expertise to the private sector and
critical infrastructure and key resources (CIKR) owners and
operators--whether private sector, State, or municipality-
owned--to bolster their cybersecurity preparedness, risk
assessment, mitigation and incident response capabilities;
Raising cybersecurity awareness among the general public;
and
Coordinating the National response to domestic cyber
emergencies.
In a reflection of the bipartisan nature with which the Federal
Government continues to approach cybersecurity, President Obama
determined that the Comprehensive National Cybersecurity Initiative
(CNCI) and its associated activities should continue to evolve as key
elements of the broader National cybersecurity efforts. These CNCI
initiatives play a central role in achieving many of the key
recommendations of the President's Cyberspace Policy Review: Assuring a
Trusted and Resilient Information and Communications Infrastructure.
Following the publication of those recommendations in May 2009, DHS and
its components developed a long-range vision of cybersecurity for the
Department and the Nation's homeland security enterprise, which is
encapsulated in the Quadrennial Homeland Security Review (QHSR). The
QHSR provides an overarching framework for the Department and defines
our key priorities and goals. One of the five priority areas detailed
in the QHSR is safeguarding and securing cyberspace. Within the
cybersecurity mission area, the QHSR identifies two overarching goals:
To help create a safe, secure, and resilient cyber environment and to
promote cybersecurity knowledge and innovation.
In alignment with the QHSR, Secretary Napolitano consolidated many
of the Department's cybersecurity efforts under NPPD. The Office of
Cybersecurity and Communications (CS&C), a component of NPPD, focuses
on reducing risk to the communications and information technology
infrastructures and the sectors that depend upon them, as well as
enabling timely response and recovery of these infrastructures under
all circumstances. The functions and mission of the National
Cybersecurity Center (NCSC) are now supported by CS&C. These functions
include coordinating operations among the six largest Federal cyber
centers. CS&C also coordinates National security and emergency
preparedness communications planning and provisioning for the Federal
Government and other stakeholders. CS&C comprises three divisions: The
National Cyber Security Division (NCSD), the Office of Emergency
Communications, and the National Communications System. It also houses
the National Cybersecurity and Communications Integration Center
(NCCIC)--DHS' 24-hour cyber and communications watch and warning
center. Within NCSD, the United States Computer Emergency Readiness
Team (US-CERT) is working more closely than ever with our public and
private sector partners to share what we learn from EINSTEIN 2, a
Federal executive agency computer network intrusion detection system,
to deepen our collective understanding, identify threats
collaboratively, and develop effective security responses. EINSTEIN
enables us to respond to warnings and other indicators of operational
cyber attacks, and we have many examples showing that this program
investment has paid for itself several times over.
Teamwork--ranging from intra-agency to international
collaboration--is essential to securing cyberspace. Together, we can
leverage resources, personnel, and skill sets that are needed to
achieve a more secure and reliable cyberspace. Although DHS leads
significant cybersecurity mission activities in the public sector, I
will focus the rest of my testimony on private sector coordination.
The NCCIC works closely with Government at all levels and with the
private sector to coordinate the integrated and unified response to
cyber and communications incidents impacting homeland security.
Numerous DHS components, including US-CERT, the Industrial Control
Systems Cyber Emergency Response Team (ICS-CERT), and the National
Coordinating Center for Telecommunications, are collocated in the
NCCIC. Also present in the NCCIC are other Federal partners, such as
the Department of Defense (DoD) and members of the law enforcement and
intelligence communities. The NCCIC also physically collocates Federal
staff with private sector and non-governmental partners. Currently,
representatives from the Information Technology and Communications
Sectors and the Multi-State Information Sharing and Analysis Center are
located on the NCCIC watch floor. We are also finalizing steps to add
representatives from the Banking and Finance Sector, as well as the
Energy Sector.
By leveraging the integrated operational capabilities of its member
organizations, the NCCIC serves as an ``always on'' cyber incident
response and management center, providing indications and warning of
imminent incidents, and maintaining a national cyber ``common operating
picture.'' This facilitates situational awareness among all partner
organizations, and also creates a repository of all reported
vulnerability, intrusion, incident, and mitigation activities. The
NCCIC also serves as a National point of integration for cyber
expertise and collaboration, particularly when developing guidance to
mitigate risks and resolve incidents. Finally, the unique and
integrated nature of the NCCIC allows for a scalable and flexible
coordination with all interagency and private sector staff during
steady-state operations, in order to strengthen relationships and
solidify procedures as well as effectively incorporate partners as
needed during incidents.
NCSD collaborates with private sector stakeholders to conduct risk
assessments and mitigate vulnerabilities and threats to information
technology assets and activities affecting the operation of private
sector critical infrastructures. NCSD also provides cyber threat and
vulnerability analysis, early warning, incident response assistance,
and exercise opportunities for private sector constituents. To that
end, NCSD carries out the majority of DHS' non-law enforcement
cybersecurity responsibilities.
national cyber incident response
The President's Cyberspace Policy Review called for ``a
comprehensive framework to facilitate coordinated responses by
government, the private sector, and allies to a significant cyber
incident.'' DHS coordinated the interagency, State and local
government, and private sector working group that developed the
National Cyber Incident Response Plan (NCIRP). The NCIRP provides a
framework for effective incident response capabilities and coordination
among Federal agencies, State and local governments, the private
sector, and international partners during significant cyber incidents.
It is designed to be flexible and adaptable to allow synchronization of
response activities across jurisdictional lines. In September 2010, DHS
hosted Cyber Storm III, a response exercise in which members of the
domestic and international cyber incident response community addressed
the scenario of a coordinated cyber event. During the event, the NCIRP
was activated and its incident response framework was tested. Based on
observations from the exercise, the plan is in its final stages of
revision prior to publication. Cyber Storm III also tested the NCCIC
and the Federal Government's full suite of cybersecurity response
capabilities.
providing technical operational expertise to the private sector
DHS has significant cybersecurity capabilities, and we are using
those capabilities to great effect as we work collaboratively with the
private sector to protect the Nation's CIKR. We engage with the private
sector on a voluntary basis to provide onsite analysis, mitigation
support, and assessment assistance. Over the past year, we have
repeatedly demonstrated our ability to materially and expeditiously
assist companies with cyber intrusion mitigation and incident response.
We are able to do so through our trusted and close relationships with
private sector companies as well as Federal departments and agencies.
Finally, our success in assisting the private sector is due in no small
part to our dedication to properly and fully addressing privacy, civil
rights, and civil liberties in all that we do. Initiating technical
assistance with a private company to provide analysis and mitigation
advice is a sensitive endeavor--one that requires trust and strict
confidentiality. Within our analysis and warning mission space, DHS has
a proven ability to provide that level of trust and confidence in the
engagement. Our efforts are unique among Federal agencies' capabilities
in that DHS focuses on civilian computer network defense and protection
rather than law enforcement, military, or intelligence functions. DHS
engages to mitigate the threat to the network to reduce future risks.
Our approach requires vigilance and a voluntary public/private
partnership. We are continuing to build our capabilities and
relationships because the cyber threat trends are more sophisticated
and frequent.
Over the past year, we established the NCCIC and are adding staff
to that center, both from existing DHS personnel and from partner
organizations in the public and private sectors. More broadly, we are
continuing to hire more cybersecurity professionals and increasing
training availability to our employees. The NCIRP is operational, and
we continue to update and improve it with input from senior
cybersecurity leaders. We will be releasing the NCIRP publicly in the
near future. We are executing within our current mission and
authorities now, receiving and responding to substantial netflow data
from our intrusion detection technologies deployed to our Federal
partners, and leveraging that data to provide early warnings and
indicators across Government and industry. With our people, processes,
and technology, we stand ready to execute the responsibilities of the
future.
In addition to specific mitigation work we conduct with individual
companies and sectors, DHS looks at the interdependencies across
critical infrastructure sectors for a holistic approach to providing
our cyber expertise. For example, the Electric, Nuclear, Water,
Transportation, and Communications Sectors support functions across all
levels of government including Federal, State, local, and Tribal
governments, and the private sector. Government bodies and
organizations do not inherently produce these services and must rely on
private sector organizations, just as other businesses and private
citizens do. Therefore, an event impacting control systems has
potential implications at all these levels, and could also have
cascading effects upon all 18 sectors. For example, Water and
Wastewater Treatment, Chemical, and Transportation sectors depend on
the Energy Sector, and failure in one of these sectors could
subsequently affect Government and private sector operations.
US-CERT also collaborates, provides remote and on-site response
support, and shares information with Federal, State, and local
governments; critical infrastructure owners and operators; and
international partners to address cyber threats and develop effective
security responses.
DHS provides on-site and remote incident response assistance to its
public and private sector partners. Upon notification of a cyber
incident, ICS-CERT and/or US-CERT can perform a preliminary diagnosis
to determine the extent of the compromise. At the partner's request and
when appropriate, either ICS-CERT or US-CERT can deploy a team to meet
with the affected organization to review network topology, identify
infected systems, create image files of hard drives for analysis, and
collect other data as needed to perform thorough follow-on analysis.
Both ICS-CERT and US-CERT can provide mitigation strategies, advise
asset owners and operators on their efforts to restore service, and
provide recommendations for improving overall network and control
systems security.
An incident in early 2010 illustrates the incident response support
that DHS provides. In this case, an employee of a company had attended
an industry event and used an instructor's flash drive to download
presentation materials to the company's laptop. The flash drive was
infected with the Mariposa botnet, unbeknownst to the event organizer.
When the employee returned to the work location and used the laptop,
the virus quickly spread to nearly 100 systems. US-CERT and ICS-CERT
had already been tracking a trend of removable media involved in
malware infections, and, on request, deployed a team to the company's
location to help diagnose the malware and identify those infected
systems.
The team spent 2 days with the company reviewing the incident
details, network topology, and the company's control systems
architecture to identify systems of interest. The company was
ultimately able to leverage all of the information to contain the
infection and remove the malware from the infected systems. ICS-CERT
and US-CERT provided follow-on reporting, mitigation measures, and
access to additional resources through the US-CERT secure portal.
US-CERT's operations are complemented in the arena of industrial
control systems by ICS-CERT. The term ``control system'' encompasses
several types of systems, including Supervisory Control and Data
Acquisition, process control, and other automated systems that are
found in the industrial sectors and critical infrastructure. These
systems are used to operate physical processes that produce the goods
and services that we rely upon, such as energy, drinking water,
emergency services, transportation, postal and shipping, and public
health. Control systems security is particularly important because of
the inherent interconnectedness of the CIKR sectors and their
dependence on one another.
As such, assessing risk and effectively securing industrial control
systems are vital to maintaining our Nation's strategic interests,
public safety, and economic well-being. A successful cyber attack on a
control system could result in physical damage, loss of life, and
cascading effects that could disrupt services. DHS recognizes that the
protection and security of control systems is essential to the Nation's
overarching security and economy. In this context, as an example of
many related initiatives and activities, DHS--in coordination with the
Department of Commerce's National Institute of Standards and Technology
(NIST), the Department of Energy, and DoD--has provided a forum for
researchers, subject matter experts and practitioners dealing with
cyber-physical systems security to assess the current state of the art,
identify challenges, and provide input to developing strategies for
addressing these challenges. Specific infrastructure sectors considered
include energy, chemical, transportation, water and wastewater
treatment, health care and public health, and commercial facilities. A
2010 published report of findings and recommendations is available upon
request.
An additional real-world threat emerged last year that
significantly changed the landscape of targeted cyber attacks on
industrial control systems. Malicious code, dubbed Stuxnet, was
detected in July 2010. DHS analysis concluded that this highly complex
computer worm was the first of its kind, written to specifically target
mission-critical control systems running a specific combination of
software and hardware.
ICS-CERT analyzed the code and coordinated actions with critical
infrastructure asset owners and operators, Federal partners, and
Information Sharing and Analysis Centers. Our analysis quickly
uncovered that sophisticated malware of this type potentially has the
ability to gain access to, steal detailed proprietary information from,
and manipulate the systems that operate mission-critical processes
within the Nation's infrastructure. In other words, this code can
automatically enter a system, steal the formula for the product being
manufactured, alter the ingredients being mixed in the product, and
indicate to the operator and the operator's anti-virus software that
everything is functioning normally.
To combat this threat, ICS-CERT has been actively analyzing and
reporting on Stuxnet since it was first detected in July 2010. To date,
ICS-CERT has briefed dozens of Government and industry organizations
and released multiple advisories and updates to the industrial control
systems community describing steps for detecting an infection and
mitigating the threat. As always, our goal is to balance the need for
public information sharing while protecting the information that
malicious actors may exploit. DHS provided the alerts in accordance
with its responsible disclosure processes.
The purpose and function for responsible disclosure is to ensure
that DHS executes its mission of mitigating risk to critical
infrastructure, not necessarily to be the first to publish on a given
threat. For example, ICS-CERT's purpose in conducting the Stuxnet
analysis was to ensure that DHS understood the extent of the risks so
that they could be mitigated. After conducting in-depth malware
analysis and developing mitigation steps, we were able to release
actionable information that benefited our private sector partners.
Looking ahead, the Department is concerned that attackers could use
the increasingly public information about the code to develop variants
targeted at broader installations of programmable equipment in control
systems. Copies of the Stuxnet code, in various different iterations,
have been publicly available for some time now. ICS-CERT and the NCCIC
remain vigilant and continue analysis and mitigation efforts of any
derivative malware.
ICS-CERT will continue to work with the industrial control systems
community to investigate these and other threats through malicious code
and digital media analysis, on-site incident response activities, and
information sharing and partnerships.
interagency and public-private coordination
Overcoming new cybersecurity challenges requires a coordinated and
focused approach to better secure the Nation's information and
communications infrastructures. President Obama's Cyberspace Policy
Review reaffirms cybersecurity's significance to the Nation's economy
and security. Establishment of a White House Cybersecurity Coordinator
position solidified the priority the administration places on improving
cybersecurity.
No single agency has sole responsibility for securing cyberspace,
and the success of our cybersecurity mission relies on effective
communication and critical partnerships. Many Government players have
complementary roles as well as unique capabilities--including DHS, the
intelligence community, DoD, the Department of Justice, the Department
of State, and other Federal agencies--and they require coordination and
leadership to ensure effective and efficient execution of our
collective cyber missions. The creation of a senior-level cyber
position within the White House ensures coordination and collaboration
across Government agencies.
Private industry owns and operates the vast majority of the
Nation's critical infrastructure and cyber networks. Consequently, the
private sector plays an important role in cybersecurity, and DHS has
initiated several pilot programs to promote public-private sector
collaboration. In its engagement with the private sector, DHS
recognizes the need to avoid technology prescription and to support
innovation that enhances critical infrastructure cybersecurity. DHS,
through the National Infrastructure Protection Plan partnership
framework, has many years of experience in private sector
collaboration, leveraging our relationships in both the physical and
cybersecurity protection areas. For example, the Office of
Infrastructure Protection and the National Cyber Security Division
partnered with the chemical industry to publish the Roadmap to Secure
Industrial Control Systems in the Chemical Sector in 2009, available at
www.us-cert.gov. To meet the first set of milestones set forth in this
10-year plan, industry, in partnership with DHS, developed a suite of
control systems security awareness materials that will be shared widely
within the Chemical Sector this summer.
DHS engages with the private sector on a voluntary basis in
accordance with our responsibilities under the Homeland Security Act.
We stand by to assist our private sector partners upon their request,
and thus far have been able to do so successfully due to our technical
capabilities, existing private sector relationships, and expertise in
matters relating to privacy and civil rights and civil liberties.
In February 2010, DHS, DoD, and the Financial Services Information
Sharing and Analysis Center (FS-ISAC) launched a pilot designed to help
protect key critical networks and infrastructure within the financial
services sector by sharing actionable, sensitive information. Based on
lessons learned from the pilot, DHS is developing comprehensive
information-sharing and incident response coordination processes with
CIKR sectors, leveraging capabilities from within DHS and across the
response community, through the NCCIC.
In June 2010, DHS implemented the Cybersecurity Partner Local
Access Plan, which allows security-cleared owners and operators of
CIKR, as well as State technology officials and law enforcement
officials, to access secret-level cybersecurity information and video
teleconference calls via State and major urban area fusion centers. In
November 2010, DHS signed an agreement with the Information Technology
Information Sharing and Analysis Center (IT-ISAC) to embed a full-time
IT-ISAC analyst and liaison to DHS at the NCCIC, part of the on-going
effort to collocate private sector representatives alongside Federal
and State government counterparts. The IT-ISAC consists of information
technology stakeholders from the private sector and facilitates
cooperation among members to identify sector-specific vulnerabilities
and risk mitigation strategies.
In July 2010, DHS worked extensively with the White House on the
publication of a draft National Strategy for Trusted Identities in
Cyberspace, which seeks to secure the digital identities of
individuals, organizations, services, and devices during on-line
transactions, as well as the infrastructure supporting the transaction.
The final strategy is set to be released in the near future, fulfilling
one of the near-term action items of the President's Cyberspace Policy
Review. The strategy is based on public-private partnerships and
supports the protection of privacy and civil rights and civil liberties
by enabling only the minimum necessary amount of personal information
to be transferred in any particular transaction. Its implementation
will be led by the Department of Commerce.
In September 2010, Secretary Napolitano and Secretary Gates co-
signed a Memorandum of Agreement between DHS and DoD regarding
cybersecurity. The MOA established a Joint Coordination Element (JCE)
led by a DHS senior official at DoD's National Security Agency. The
intent of the MOA was to enable DHS and DoD to leverage each other's
capabilities, and more readily share cybersecurity information on
significant cyber incidents. The JCE has been in place and building to
fully operational capability since October 2010.
In December 2010, the DHS Science and Technology Directorate and
NIST signed a Memorandum of Understanding with the Financial Services
Sector Coordinating Council. The goal of the agreement is to speed the
commercialization of cybersecurity research innovations that support
our Nation's critical infrastructures. This agreement will accelerate
the deployment of network test beds for specific use cases that
strengthen the resiliency, security, integrity, and usability of
financial services and other critical infrastructures.
collaborative risk management forums
The increased pace of collaborative cybersecurity operations
between DHS and the private sector is due, in part, to standing public-
private forums that support on-going process improvements across the
partnership. A few of these forums--the Cross-Sector Cyber Security
Working Group, the IT CIKR Sector, and the Industrial Control Systems
Joint Working Group--meet under the auspices of the Critical
Infrastructure Partnership Advisory Council and conduct their
activities consistent with the National Infrastructure Protection Plan
(NIPP) partnership framework.
The Cross-Sector Cyber Security Working Group was established to
address cross-sector cyber risk and explore interdependencies between
and among various sectors. The working group serves as a forum to bring
government and the private sector together to address common
cybersecurity elements across the 18 CIKR sectors. They share
information and provide input to key policy and planning documents
including the NCIRP, the President's Cyberspace Policy Review, and the
National Strategy for Trusted Identities in Cyberspace.
The IT CIKR Sector security partnership is comprised of DHS as the
IT Sector Specific Agency, public sector partners in the IT Government
Coordination Council, and private sector partners in the IT Sector
Coordinating Council. This partnership forms to execute the IT Sector's
risk management framework: To identify and prioritize risks to IT
Sector critical functions, to develop and implement corresponding risk
management strategies, and to report on progress of risk management
activities and adjustments to the IT Sector's risk profile. IT Sector
public-private partners worked collaboratively to produce the 2009 IT
Sector Baseline Risk Assessment (ITSRA), prioritizing risks to the
sector's critical functions, and have subsequently been working to
finalize corresponding risk management strategies outlining a portfolio
of sector risk management activities to reduce the evaluated risks from
the ITSRA across the functions. Progress reporting on implementation of
these risk management strategies will be provided in the IT Sector
Annual Report (as required by the NIPP).
In partnership with the Department of Energy, which is the Sector
Specific Agency responsible for the Energy Sector under the NIPP, the
Industrial Control Systems Joint Working Group provides a vehicle for
stakeholders to communicate and partner across all critical
infrastructure sectors to better secure industrial control systems and
manage risk. The Industrial Control Systems Joint Working Group is a
representative group comprising owners and operators, international
stakeholders, Government, academia, system integrators, and the vendor
community. The purpose of the ICSJWG is to facilitate the collaboration
of control systems stakeholders to accelerate the design, development,
deployment, and secure operations of industrial control systems. Based
on public and private sector partner input, CSSP uses the Industrial
Control Systems Joint Working Group to inform its mission activities
and deliver needed products and services.
As you are aware, cybersecurity training is essential to increasing
awareness of threats and the ability to combat them. To that end, CSSP
conducts multi-tiered training through web-based and instructor-led
classes across the country. In addition, a week-long training course is
conducted at CSSP's state-of-the-art advanced training facility at the
Idaho National Laboratory to provide hands-on instruction and
demonstration. This training course includes a red team/blue team
exercise in which the blue team attempts to defend a functional mockup
control system while the red team attempts to penetrate the network and
disrupt operations. The positive response to this week-long course has
been overwhelming, and the classes are filled within a few days of
announcement. To date, more than 16,000 public and private sector
professionals have participated in some form of CSSP training through
classroom venues and web-based instruction.
CSSP also provides leadership and guidance on efforts related to
the development of cybersecurity standards for industrial control
systems. CSSP uses these industry standards in a variety of products
and tools to achieve its mission.
First, CSSP uses and promotes the requirements of multiple Federal,
commercial, and international standards in its Cyber Security
Evaluation Tool (CSET), which has been requested by and distributed to
hundreds of asset owners across each of the 18 CIKR sectors. Tool users
are evaluated against these standards based on answers to a series of
standard-specific questions. CSET is also used by CSSP assessment teams
to train and bolster an asset owner's control system and cybersecurity
posture in on-site assessments. In fiscal year 2010, the program
conducted more than 50 on-site assessments in 15 different States and
two U.S. territories, including several remote locations where the
control systems represent potential single points of failure for the
community. The program is planning for 75 on-site assessments in fiscal
year 2011.
Second, CSSP developed the Catalog of Control Systems Security:
Recommendations for Standards Developers, which brings together
pertinent elements from the most comprehensive and current standards
related to control systems. This tool is designed as a superset of
control systems cybersecurity requirements and is available in the CSET
and on the website for standards developers and asset owners.
Last, the CSSP provides resources, including time and expertise, to
standards development organizations including NIST, the International
Society of Automation, and the American Public Transportation
Association. Experts provide content, participate in topic discussions,
and review text being considered by the standards body.
the general public
While considerable activity is focused on public and private sector
critical infrastructure protection, DHS is committed to developing
innovative ways to enhance the general public's awareness about the
importance of safeguarding America's computer systems and networks from
attacks. Every October, DHS and its public and private sector partners
promote efforts to educate citizens about guarding against cyber
threats as part of National Cybersecurity Awareness Month. In March
2010, Secretary Napolitano launched the National Cybersecurity
Awareness Challenge, which called on the general public and private
sector companies to develop creative and innovative ways to enhance
cybersecurity awareness. In July 2010, 7 of the more than 80 proposals
were selected and recognized at a White House ceremony. The winning
proposals helped inform the development of the National Cybersecurity
Awareness Campaign, Stop. Think. Connect., which DHS launched in
conjunction with private sector partners during the October 2010
National Cybersecurity Awareness Month. Stop. Think. Connect., has
evolved into an on-going National public education campaign designed to
increase public understanding of cyber threats and how individual
citizens can develop safer cyber habits that will help make networks
more secure. The campaign fulfills a key element of President Obama's
Cyberspace Policy Review, which tasked DHS with developing a public
awareness campaign to inform Americans about ways to use technology
safely. The program is part of the NIST National Initiative for Cyber
Education.
DHS is committed to safeguarding the public's privacy, civil
rights, and civil liberties. Accordingly, the Department has
implemented strong privacy and civil rights and civil liberties
standards into all of its cybersecurity programs and initiatives from
the outset. To support this, DHS established an Oversight and
Compliance Officer within NPPD, and key cybersecurity personnel receive
specific training on the protection of privacy and other civil
liberties as they relate to computer network security activities. In an
effort to increase transparency, DHS also publishes privacy impact
assessments on its website, www.dhs.gov, for all of its cybersecurity
systems.
conclusion
Set within an environment characterized by a dangerous combination
of known and unknown vulnerabilities, strong and rapidly expanding
adversary capabilities, and a lack of comprehensive threat and
vulnerability awareness, the cybersecurity mission is truly a National
one requiring broad collaboration. DHS is committed to creating a safe,
secure, and resilient cyber environment while promoting cybersecurity
knowledge and innovation. We must continue to secure today's
infrastructure as we prepare for tomorrow's challenges and
opportunities. Cybersecurity is critical to ensure that Government,
business, and the public can continue to use the information technology
and communications infrastructure on which they depend.
DHS continues to engage, collaborate, and provide analysis,
vulnerability, and mitigation assistance to its private sector CIKR
partners. Our continued dedication to privacy and civil rights and
civil liberties ensures a positive, sustainable model for cybersecurity
engagement in the future. Finally, we work closely with our interagency
partners in law enforcement, military, and intelligence, providing the
full complement of Federal capabilities in preparation for, and in
response to, significant cyber incidents.
Chairman Lungren, Vice Chairman Walberg, Ranking Member Clarke, and
distinguished Members of the subcommittee, let me conclude by
reiterating that I look forward to exploring opportunities to advance
this mission in collaboration with the subcommittee and my colleagues
in the public and private sectors. Thank you again for this opportunity
to testify. I would be happy to answer your questions.
Mr. Lungren. Thank you very much, Mr. McGurk.
Now the Chairman recognizes Mr. Cauley to testify.
STATEMENT OF GERRY CAULEY, PRESIDENT AND CEO, NORTH AMERICAN
ELECTRIC RELIABILITY CORPORATION
Mr. Cauley. Good morning, Chairman Lungren, Ranking Member
Clarke, distinguished Members of the subcommittee, and fellow
panelists. My name is Gerry Cauley. I am the President and CEO
of the North American Electric Reliability Corporation, and I
appreciate the opportunity to testify this morning.
NERC is an independent, nonprofit corporation, and our
mission is to ensure the reliability of the bulk power system
of North America, which includes both the United States and
Canada. I wake up every day thinking of two words,
``reliability'' and ``accountability.'' We assure reliability
of the bulk power system by working closely with industry to
ensure that we are continuously learning and improving and
striving for excellence and reliability of the bulk power
system. We also ensure the accountability for a reliable system
through our mandatory standards and our compliance program.
Some associate NERC as being an industry association.
However, NERC has a very diverse mix of interests that we
represent, including small and large customers, Government
entities, and a diverse range of industry owners, operators,
and users.
NERC was initially formed in 1968 and operated for several
decades as a voluntary organization. In 2006, we were certified
by the Federal Energy Regulatory Commission as the electric
reliability organization within the United States, and we have
similar authorities in Canada. In 2007, our standards became
mandatory and enforceable for the power system, including nine
cybersecurity standards that we have in effect.
In terms of the challenge for the grid, I think everyone
recognizes that there is a lot of concern for the security of
the power grid in North America, and we understand that the
grid is essentially at the hub of all critical infrastructures
and that everyone depends on a reliable supply of electricity.
Over the past couple of decades, the power grid has become
increasingly more digital as the grid was modernized to improve
reliability and efficiency, cost and quality benefits.
What I want to assure you, though, despite becoming more
digital, the underlying power grid is very robust and
resilient. The underlying power grid is nondigital. It is not
as weak as may be conveyed to some and certainly is not
operated over the public internet.
Many companies have taken prudent steps, such as providing
dedicated control networks, redundant systems, tight access
controls, adopting best security practices and patches.
Certainly every day business continuity, reliability, and
security are at the foremost of the industry and the
leadership, the CEO-level leadership of the industry.
That is not to say, however, that there are not
vulnerabilities. There are very serious vulnerabilities and
threats that we face, and there are very serious adversaries
that would do harm to the power grid in North America. The
challenge is that the network has become very interconnected, a
series of very interconnected digital networks and
communications, that we do have portals from our control
systems to the internet and to business systems, and that our
digital assets are very widely distributed. They are varied.
They come from a range of suppliers, and some of those
suppliers are international. So we do have challenges on the
supply side as well.
What is NERC doing with regard to this? We have our
standards, as I mentioned, and we are doing hundreds of audits
across the industry to ensure that our standards are being
followed. We are doing readiness reviews and sharing best
practices. We are conducting an exercise in November of this
year to test our National response capability.
We issue alerts in cooperation with Homeland Security and
other agencies. We have issued alerts on Stuxnet, Aurora, BP,
and tunneling in other areas. We are monitoring activities that
might impact the grid.
I would like to turn finally to just the importance of the
relationship to homeland security and the Federal Government. I
think the key there is the sharing of actionable information
that we can use to protect the grid, not sort of general and
vague information but timely, operational-type information.
Homeland Security has helped us in terms of providing
security clearances not only to NERC staff but to industry
personnel and provides periodic briefings to help us better
understand the threats and vulnerability. As Mr. McGurk
mentioned, we are working on a memorandum of understanding to
integrate our ES-ISAC, our Information Sharing Analysis Center
with the National center that he is the head of.
In conclusion, NERC is working very closely with Homeland
Security and other Government agencies to ensure our critical
infrastructure. Every day I am focused on the reliability and
security of the grid and the interests of the American public.
I am here to answer your questions, and I appreciate the
opportunity to speak today. Thank you.
[The statement of Mr. Cauley follows:]
Prepared Statement of Gerry Cauley
April 15, 2011
introduction
Good morning Chairman Lungren, Members of the subcommittee and
fellow panelists. My name is Gerry Cauley and I am the president and
CEO of the North American Electric Reliability Corporation (NERC). I am
a graduate of the U.S. Military Academy, a former officer in the U.S.
Army Corps of Engineers, and have more than 30 years experience in the
bulk power system industry, including service as a lead investigator of
the August 2003 Northeast blackout and coordinator of the NERC Y2K
program. I appreciate the opportunity to testify today on the topic
``The DHS and the Cybersecurity Mission: Promoting Innovation and
Securing Critical Infrastructure.''
nerc background
NERC's mission is to ensure the reliability of the bulk power
system of North America and promote reliability excellence. NERC was
founded in 1968 to develop voluntary standards for the owners and
operators of the bulk power system (BPS).\1\ NERC is an independent
corporation whose membership includes large and small electricity
consumers, Government representatives, municipalities, cooperatives,
independent power producers, investor-owned utilities, independent
transmission system operators and Federal power marketing agencies such
as TVA and Bonneville Power Administration.
---------------------------------------------------------------------------
\1\ The Bulk Power System (BPS) is defined as generation and
transmission of electricity greater than 100kv, in contrast to the
distribution of electricity to homes and businesses at lower voltages.
---------------------------------------------------------------------------
In 2007, NERC was designated the Electric Reliability Organization
(ERO) by the Federal Energy Regulatory Commission (FERC) in accordance
with Section 215 of the Federal Power Act (FPA), enacted by the Energy
Policy Act of 2005. Upon approval by FERC, NERC's reliability standards
became mandatory across the BPS. These mandatory reliability standards
include Critical Infrastructure Protection (CIP) Standards 002 through
009, which address the security of cyber assets essential to the
reliable operation of the electric grid. To date, these standards [and
those promulgated by the Nuclear Regulatory Commission] are the only
mandatory cybersecurity standards in place across the critical
infrastructures of North America. Subject to FERC oversight, NERC and
its Regional Entity partners enforce these standards, which are
developed with substantial input from industry and approved by FERC, to
accomplish our mission to ensure the reliability of the electric grid.
In its position between industry and government, NERC embodies the
often-invoked goal of creating effective partnerships between the
public sector and the private sector.
As a result of society's growing dependence on electricity, the
electric grid is one of the Nation's most critical infrastructures. The
bulk power system in North America is one of the largest, most complex,
and most robust systems ever created by man. It provides electricity to
more than 334 million people, is capable of generating more than 830
gigawatts of power and sending it over 211,000 miles of high voltage
transmission lines, and represents more than $1 trillion in assets. The
electricity being used in this room right now is generated and
transmitted in real time over a complex series of lines and stations
from possibly as far away as Ontario or Tennessee. As complex as it is,
few machines are as robust as the BPS. Decades of experience with
hurricanes, ice storms, and other natural disasters, as well as
mechanical breakdowns, vandalism and sabotage, have taught the electric
industry how to build strong and reliable networks that generally
withstand all but the worst natural and physical disasters while
supporting affordable electric service. The knowledge that disturbances
on the grid can impact operations thousands of miles away has
influenced the electric industry culture of planning, operating, and
protecting the BPS.
the cybersecurity challenge for the grid
Along with the rest of our economy, the electric industry has
become increasingly dependent on digital technology to reduce costs,
increase efficiency and maintain the reliability of the BPS. The
networks and computer environments that make up this digital technology
could be as vulnerable to malicious attacks and misuse as any other
technology infrastructure. Much like the defense of this country, the
defense of the BPS requires constant vigilance and expertise.
The assets that make up the BPS are varied and widespread.
Consequently, the architecture within the systems varies from operator
to operator. However, the computer systems that monitor and control BPS
assets are based on relatively few elements of technology. Due to
increasing efficiencies and globalization of vendors, the universe of
suppliers for industrial control systems is limited. This trend is
leading toward a fairly homogenous technological underpinning and, as
older proprietary technology is replaced, the variation may decrease
further.
For example, the bulk power system could be as vulnerable to
digital threats as IT systems, but with far more critical implications.
As proprietary industrial control systems continue to integrate
Commercial Off-The-Shelf (COTS) systems, these platforms could inherit
the embedded vulnerabilities of those systems. As illustrated by the
Stuxnet malware, industrial control system software can be changed and
a loss of process control can occur without intrusions even being
detected. The Stuxnet intrusion methods may serve as a blueprint for
future attackers who wish to access controllers, safety systems, and
protection devices to insert malicious code that could result in
changes to set points and switches, as well as the alteration or
suppression of measurements. NERC, through the Electricity Sector-
Information Sharing and Analysis Center (ES-ISAC), issued an alert on
Stuxnet, as it has done with other vulnerabilities, to inform the
industry and recommend preventative action.
Establishment and continued refinement of NERC's enterprise risk-
based programs, policies, and processes to prepare for, react to, and
recover from cybersecurity vulnerabilities need to continue to be a
high priority for the industry. The bulk power system has not yet
experienced wide-spread debilitating cyber-attacks due in large part to
the traditional physical separation between the industrial control
system environment and business and administrative networks. However,
the increased sharing of internet and computer networking by control
systems and business and administrative networks means that digital
infrastructures that were formerly physically separated are now
becoming susceptible to common threats.
the role of nerc and critical infrastructure protection reliability
standards
The NERC CIP standards require electric sector entities to develop
a risk-based security policy based upon their specific assets,
architecture, and exposure. This policy, if properly implemented, will
provide insight into the entity's systems and provide the opportunity
to mitigate potential threats and vulnerabilities before they are
exploited. Compliance with the NERC CIP standards is a first step in
properly securing the BPS. However, there is no single security asset,
security technique, security procedure, or security standard that, even
if strictly followed or complied with, will protect an entity from all
potential threats. The cybersecurity threat environment is constantly
changing and our defenses must keep pace. Security best practices call
for additional processes, procedures, and technologies beyond those
required by the CIP standards. Simple implementation of enforceable
standards, while valuable and a necessary first step should not be seen
as the security end-state.
It is important to emphasize the difficulty of addressing grid
security through a traditional regulatory model that relies principally
on mandatory standards, regulations, and directives. The defensive
security barriers mandated by CIP standards can be effective in
frustrating ordinary hackers by increasing the costs and resources
necessary to harm to the grid. They may not, however, stop the
determined efforts of the intelligent, adaptable adversaries supported
by nation states or more sophisticated terrorist organizations.
NERC is moving forward with a number of actions to complement our
mandatory CIP standards and provide enhanced resilience for the grid.
As chair of the Electricity Sub-Sector Coordinating Council (ESCC), I
work with industry CEOs and our partners within the Government,
including the Department of Energy, Department of Defense, and
Department of Homeland Security, to discuss and identify critical
infrastructure protection concepts, processes, and resources, as well
as to facilitate information sharing about cyber vulnerabilities and
threats. This type of public/private partnership is key to coordination
and communication efforts on cybersecurity topics and initiatives. NERC
is also developing a North American cybersecurity exercise to prepare
for and test a National response plan for the electric sector.
The most effective approach for combating sophisticated adversaries
is to apply resiliency principles, as outlined in a set of nine
recommendations the National Infrastructure Advisory Council delivered
to the White House in October 2010. I served on that Council, along
with a number of nuclear and electric industry CEOs. Resiliency
requires more proactive readiness for whatever may come our way.
Resiliency includes providing an underlying robust system; the ability
to respond in real-time to minimize consequences; the ability to
restore essential services; and the ability to adapt and learn. The
industry is already resilient in many aspects, based on system
redundancy and the ability to respond to emergencies. To further
enhance resiliency, examples of the NIAC team's recommendations
include: (1) A National response plan that clarifies the roles and
responsibilities between industry and Government; (2) improved
information sharing by Government regarding actionable threats and
vulnerabilities; (3) cost recovery for security investments driven by
National policy or interests; and (4) a National strategy on spare
equipment with long lead times, such as transformers. At NERC, we are
working with stakeholders to develop programs that build upon the
resiliency inherent in the grid to better secure critical assets and
ensure the continued reliability of the BPS.
information exchange is critical
NERC and the electric industry can only deal with the risks they
are aware of. It is impractical, inefficient, and impossible to defend
against all possible threats or vulnerabilities. Entities must
prioritize their resources to ensure that they are protected against
those risks that pose the greatest harm to their assets, their
business, and their customers. The electric industry is in the best
position to understand the impact that a particular event or incident
could have on the BPS, but they do not have the same access to
actionable intelligence and analysis that the Government does. This
lack of information leads the industry to be, at best, a step behind
when it comes to protecting against potential threats and unknown
vulnerabilities. Too often the industry has heard from Government
agencies that the threats are real, but are given little or no
additional information. This leads to frustration among the private
sector leaders who are unable to respond effectively due to ill-defined
and nebulous threat information.
nerc and dhs
Improving the amount and quality of actionable intelligence
available to industry is a priority for NERC and is reflected in a
number of joint projects underway with DHS and DOD.
NERC is working with DHS' National Cybersecurity and Communications
Integration Center to develop a Memorandum of Understanding for bi-
directional sharing of critical infrastructure protection information
between the Government and the electricity sector in North America. The
MOU will result in cybersecurity data flow, analytical collaboration,
and incident management activities across the spectrum of cybersecurity
coordination to include detection, prevention, mitigation, and
response/recovery.
NERC and DHS cooperative activities will align differing, but
related missions, business interests, strengths, and capabilities to
identify and develop mitigations for emerging cybersecurity risks,
which will enhance the protection of critical infrastructure and
Government networks and systems that are vital to National security and
the Nation's economy. Under this MOU, NERC, as the ES-ISAC, will act as
a clearing house, disseminating actionable intelligence, including
classified contextual information to appropriately cleared staff within
the BPS community. NERC also will provide anonymous situational
awareness to DHS analysts to supplement the information DHS received
from the intelligence community. We see this effort as crucial to
improving the level of threat awareness within the industry and
improving information between Government and industry.
As noted before, NERC also uses the ES-ISAC to send Alerts and
Notifications to registered BPS entities. These Alerts and
Notifications are developed with the strong partnership of Federal
technical partners, including DHS and the Department of Energy National
Laboratories, and BPS subject matter experts, called the HYDRA team by
NERC.
NERC also provides leadership to two significant DHS-affiliated
public-private partnerships. These are the Partnership for Critical
Infrastructure Security (PCIS) and the Industrial Control Systems Joint
Working Group (ICSJWG). The PCIS is the senior-most policy coordination
group between public and private sector organizations. On the
Government side, PCIS is comprised of the National Infrastructure
Protection Plan (NIPP) Federal Senior Leadership Council (FSLC) and the
State, Local, and Tribal Government Coordinating Council (SLTGCC), as
well as the chairs of all of the other Government Sector Coordinating
councils. On the private side, PCIS is comprised of the chairs of all
of the private sector coordinating councils. The ICSJWG is a cross-
sector industrial control systems working group that focuses on the
areas of education, cross-sector strategic roadmap development,
coordinated efforts on developing better vendor focus on security needs
and cybersecurity policy issues.
nerc, doe, and dod
NERC is engaged with other agencies besides DHS, including DOD and
DOE National laboratories, to further the level of awareness and
expertise focused on cybersecurity, especially as it pertains to the
BPS. We are working with Pacific Northwest National Laboratory on
developing certification guidelines for Smart Grid Cyber Operators and
the Electric Sector Network Monitoring initiative. Similarly, we are
working with the Idaho National Laboratory to promote the Cyber
Security Evaluation Tool for use within the electric sector. NERC also
is partnering with the Industrial Control Systems Cyber Emergency
Response Team to share threat, vulnerability, and security incident
information.
Additionally, NERC is working with DOE and the National Institute
of Standards and Technology to develop comprehensive cybersecurity risk
management process guidelines for the entire electric grid, including
the BPS and distribution systems. We believe this to be particularly
important with the increasing availability of smart grid technologies.
While the majority of technology associated with the smart grid is
found within the distribution system, vulnerabilities realized within
the distribution system could potentially impact the BPS. Everyone
engaged in smart grid implementation should ensure that appropriate
security applications and technologies are built into the system to
prevent the creation of additional threats and vulnerabilities.
conclusion
As our Nation becomes more dependent upon electricity and as the
BPS becomes more dependent on information systems, we must secure those
systems that enable our way of life. As discussed today, NERC is
committed to working with DHS and other Government agencies on several
efforts to promote innovation and secure our critical infrastructure.
As Congress considers policy decisions in this arena, NERC would
suggest that the ESCC and the ES-ISAC be considered as key elements in
the cybersecurity mission. NERC continues to work with Government and
industry to utilize its expertise and promote thoughtful innovation as
we address the question of how to ensure security in our open society.
The cybersecurity challenges facing us are not intractable--they are
the result of our own great innovation and can be overcome through our
own great ingenuity.
Mr. Lungren. Thank you very much, Mr. Cauley.
Now the Chairman would recognize Ms. Carlin to testify.
STATEMENT OF JANE CARLIN, CHAIR, FINANCIAL SERVICES SECTOR
COORDINATING COUNCIL
Ms. Carlin. Thank you, Chairman Lungren and other Members
of the committee, for hearing our thoughts today in this
important area and for inviting me to testify on behalf of the
Financial Services Sector Coordinating Council.
I am Jane Carlin, and I serve as chairperson of the council
that we refer to as FSSCC. I have submitted a detailed written
statement that addresses several areas, including how the FSSCC
and others in the sector engage with DHS on cybersecurity
issues, lessons learned from recent cyberattacks,
recommendations for improved public-private information
sharing, and comments on cybersecurity legislation. In the
interest of time, I would like to focus mostly on information
sharing today following a brief overview of the FSSCC.
FSSCC was created in 2002 in response to the September 11
attacks. It operates under the support of the U.S. Treasury as
our sector-specific agency in harmony with a Presidential
directive. The FSSCC does not collect dues. It is entirely a
volunteer organization. Accordingly, it relies heavily on the
time members contribute and to the expertise and leadership
roles members play within their respective financial
institutions and associations.
In recent years, FSSCC has had a highly productive and
expanding relationship with DHS at the most senior levels and
on many fronts, including information sharing, research and
development, cyber exercises, and cross-sector coordination.
Information sharing is of critical importance to the
financial services sector for several reasons. First, financial
institutions and others that make up the critical
infrastructure are on the front line of cybercrime and
malicious attacks. When a financial institution is the victim
of a cyberattack, it is concerned about protecting its
customers, its reputation, and complying with all relevant
regulatory requirements.
Second, others in the sector may be concerned about the
impact that this attack could have on its organization and
counterparties, as well, of course, as the potential for
systemic risk to the entire financial services sector.
Third, the Government is responsible for enforcing laws and
promoting critical infrastructure protection, and the
Government ultimately holds important information that is both
technical and contextual. Technical information such as malware
signatures, contextual in terms of what type of entity appears
to be initiating the attack.
There is a strong need to establish appropriate and well-
understood protocols to share information so that we
collectively understand the problems and risks that we face in
order to arrive at the right response or solution. When attacks
occur, the FSSCC has a defined crisis management process,
escalation and notification protocols, including sending rapid
notifications to members throughout financial services.
Although we have made good progress in creating
information-sharing entities and mechanisms for information
sharing, we have not adequately tackled the critically
important issues associated with timeliness and completeness of
information sharing. We now need to focus on clarifying and
compartmentalizing information so that so-called actionable
intelligence can be disseminated to responsible parties that
will use it to protect critical infrastructure.
What I mean by actionable intelligence is simply redacted
technical and contextual information without revealing sources
and uses or tipping off criminals or adversaries.
The fundamental issue of striking a balance between
confidentiality for criminal investigations and timely
information sharing remains a work in progress. An example of
an incident where too much secrecy led to an increased exposure
was the cyberattacks on a major exchange which was discovered
by the exchange in October, 2010. The exchange alerted its
primary regulator in law enforcement for a variety of reasons,
including an investigation of the attack by law enforcement and
intelligence agencies. Information about the attack and its
impact on other financial institutions was not disclosed to
others in the financial services sector for 102 days. The lack
of meaningful information sharing for more than 3 months left
the entire sector unnecessarily vulnerable.
In this connection, we would like to suggest two
recommendations: First, a more transparent decision-making
process to facilitate information sharing would accelerate the
dissemination of information without interfering or undermining
criminal or National security investigations. To implement this
kind of information-sharing protocol, the FSSCC and senior DHS
officials have agreed in principle to collaborate on protocols
for sharing technical and contextual information, again without
interfering with an on-going investigation.
Second, we believe that DHS needs to regularly leverage the
security clearances that DHS and other Government agencies have
sponsored for members of the FSSCC as part of the information-
sharing framework. The Government should be able to more easily
consult with industry experts and to better understand the
systemic risk implications of these cyber events by leveraging
the secured and cleared community.
On behalf of the FSSCC, I ask this committee in its
oversight capacity to support DHS's work in these areas. It is
my hope that this good work to enhance the public-private
partnership will continue so that together we can be more
resilient and combat those who would seek to undermine our
economy and stability, be they homegrown or foreign, criminal
or terrorist, rogue- or State-sponsored. It is only by working
together that we will prevail in the complex and ever-changing
internet-connected world.
Thank you.
[The statement of Ms. Carlin follows:]
Prepared Statement of Jane Carlin
April 15, 2011
Chairman King, Subcommittee Chairman Lungren, Ranking Member
Thompson and Members of the subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies of the Homeland
Security Committee, I am Jane Carlin. I serve as the chairperson of
Financial Services Sector Coordinating Council for Critical
Infrastructure Protection and Homeland Security (``FSSCC''). I also am
the Managing Director and Global Head of Operational Risk, Business
Continuity, Information Security, and Risk and Insurance Management at
Morgan Stanley.
Thank you for inviting me to testify on behalf of the Financial
Services Sector Coordinating Council for Homeland Security and Critical
Infrastructure Protection (``FSSCC'') on ``The Department of Homeland
Security Cybersecurity Mission: Promoting Innovation and Securing
Critical Infrastructure.'' My testimony today will address the
following: Background information on the FSSCC, engagement with DHS,
lessons learned from recent cyber attacks, recommendations for
improving public-private partnership, and comments on cybersecurity
legislation.
background on fsscc and public-private partnership
The FSSCC was established in 2002 in response to the September 11,
2001 attacks and at the request of the U.S. Treasury Department in
harmony with Presidential Decision Directive 63 of 1998. Presidential
Decision Directive 63 required sector-specific Federal departments and
agencies to identify, prioritize, and protect United States critical
infrastructure and key resources and to establish partnerships with the
private sector.
The FSSCC has 52 member associations and financial institutions
representing clearinghouses, commercial banks, credit rating agencies,
exchanges/electronic communication networks, financial advisory
services, insurance companies, financial utilities, Government-
sponsored enterprises, investment banks, merchants, retail banks, and
electronic payment firms.\1\ FSSCC members dedicate a significant
amount of time and resources to this partnership for critical
infrastructure protection and homeland security. The FSSCC does not
collect dues and its success as a volunteer organization relies heavily
on the time members contribute and to the expertise and leadership
roles members play within their respective financial institutions and
associations. Appendix A includes the current FSSCC organizational
chart, including those who serve in leadership roles of seven
committees that address crisis event management, cross-sector
coordination, cybersecurity, international, long-range vision, policy,
and research and development.
---------------------------------------------------------------------------
\1\ Members including: American Bankers Association, American
Council of Life Insurers, American Insurance Association, American
Society for Industrial Security International, BAI, Bank of America,
Bank of NY/Mellon, Barclays, BITS/The Financial Services Roundtable,
CME Group, ChicagoFIRST, Citigroup, The Clearing House, CLS Group,
Consumer Bankers Association, Credit Union National Association, The
Depository Trust & Clearing Corporation, Fannie Mae, Financial Industry
Regulatory Authority, Financial Information Forum, Financial Services
Information Sharing and Analysis Center, Freddie Mac, Futures Industry
Association, Goldman Sachs, ICE Futures U.S., Independent Community
Bankers of America, Investment Company Institute, JP Morgan Chase,
Managed Funds Association, Morgan Stanley, NACHA--The Electronic
Payments Association, The NASDAQ Stock Market, Inc., National Armored
Car Association, National Association of Federal Credit Unions,
National Futures Association, Navy Federal Credit Union, NYSE Euronext,
The Options Clearing Corporation, Securities Industry and Financial
Markets Association, State Farm, State Street Global Advisors,
Travelers, VISA USA Inc.
---------------------------------------------------------------------------
On August 3, 2010, I was selected by members of the FSSCC to serve
as the chairperson. I am preceded by four FSSCC chairpersons: Shawn
Johnson of State Street Global Advisors (SSGA) from 2008-10, George
Hender of the Options Clearing Corporation (OCC) from 2006-08, Don
Donahue of Depository Trust and Clearing Corporation (DTCC) from 2004-
06, and Rhonda MacLean of Bank of America from 2002-04. Prior to my
selection, I served as FSSCC's vice chairperson and head of the FSSCC
Cybersecurity Committee from June 2008 to August 2010. Additionally, I
serve on the Executive Committee and Board of the Partnership for
Critical Infrastructure Security (PCIS), which is the private sector
organization that coordinates homeland security issues for all National
critical infrastructure sectors.
Each year the FSSCC submits an annual report on our activities.
This annual report is published by the Department of Homeland Security
along with reports from the other CIP sectors. Appendix B is the
executive summary of our most recent Sector Annual Report which
provides an overview of our role and activities. Our partnership is
frequently heralded as the model and aspired to by the other 17
critical infrastructure sectors.
The goal of the FSSCC is to continue to improve the resilience and
availability of financial services by working through its public-
private partnership to address the evolving nature of threats and
vulnerabilities and the risks posed by the sector's dependence on other
critical sectors. In support of this goal, the FSSCC established four
objectives in 2010:
Identify threats and promote protection;
Drive preparedness;
Collaborate with the Federal Government;
Coordinate crisis response.
In support of these objectives the FSSCC's current priorities
include:
Information sharing;
Crisis event management;
Threat matrix dissemination and management;
Communication and outreach;
Identity assurance.
In 2002, the Treasury Department also chartered the Financial and
Banking Information Infrastructure Committee (FBIIC) under the
President's Working Group on Financial Markets.\2\ The FBIIC is charged
with improving coordination and communication among financial
regulators, enhancing the resiliency of the financial sector, and
promoting the public/private partnership. The U.S. Department of the
Treasury serves as the Sector Specific Agency (SSA) for the Banking and
Finance Sector. The FSSCC-FBIIC public-private partnership was
confirmed in Homeland Security Presidential Directive 7 of 2003.
---------------------------------------------------------------------------
\2\ The FBIIC was organized under Executive Order 13231 of October
16, 2001 entitled Critical Infrastructure Protection in the Information
Age. Members of the FBIIC include: American Council of State Savings
Supervisors; Commodity Futures Trading Commission; Conference of State
Bank Supervisors; Department of the Treasury; Farm Credit
Administration; Federal Deposit Insurance Corporation; Federal Housing
Finance Agency; Federal Reserve Bank of New York; Federal Reserve
Board; National Association of Insurance Commissioners; National
Association of State Credit Union Supervisors; National Credit Union
Administration; North American Securities Administrators Association;
Office of the Comptroller of the Currency; Office of Thrift
Supervision; Securities and Exchange Commission; and Securities
Investor Protection Corporation.
---------------------------------------------------------------------------
The FSSCC and FBIIC meet jointly at least three times a year,
supplemented by monthly conference calls. Earlier this week, over 80
executives, experts, and officials from the FSSCC and FBIIC met in
Chicago to discuss a wide range of issues, including: Information
sharing, regional coalitions, threats, and cyber incident reviews.
In addition to the collaboration with the FBIIC, it is important to
remind the committee that the financial services sector is highly
regulated by international, Federal, and State authorities. Through
numerous laws enacted by Congress over the past 150 years, Federal
financial regulators have implemented a complex regime that includes
supervision of the financial institutions' operational, financial, and
technological systems. Regulators, such as the Federal Reserve, Federal
Deposit Insurance Corporation, Office of the Comptroller of the
Currency and Securities and Exchange Commission, conduct examinations
to assess the adequacy of controls to address financial and other
risks. These examinations focus on information security, business
continuity, vendor management, and other operational risks.
In addition to these public sector entities, self-regulatory
organizations (SROs), such as the Municipal Securities Rulemaking Board
(MSRB), the Financial Industry Regulatory Authority (FINRA), the
National Futures Association (NFA), and exchanges, such as the Chicago
Mercantile Exchange (CME), and the New York Stock Exchange (NYSE), also
play an important role in industry oversight.
engagement with dhs
The FSSCC has a productive and expanding relationship with the
Department of Homeland Security (DHS), but more is needed. Our
engagement with DHS covers a wide range of activities, including crisis
management, information sharing, research and development, and managing
the risks posed by our sector's dependency on other critical sectors,
such as communications and information technology, for which DHS serves
as the SSA. In addition to meeting with senior officials at DHS, the
FSSCC and FS-ISAC have engaged in numerous projects and initiatives to
improve critical infrastructure and cybersecurity, including:
Information Sharing and Threat Identification.--On a daily basis,
there are cyber attacks. The financial services sector develops its own
information about threats, vulnerabilities, and incidents. These
threats, vulnerabilities, and incidences are shared within the
protection protocols of the sector. Financial institutions view the
risk environment much broader than just within our individual
organizations. Given the interconnections and risk exposure among
participants and counterparties, an attack on one institution could
have cascading implications for others in the sector.
When cyber attacks occur, the FSSCC has a defined crisis management
process, escalation and notification protocols to share information. As
part of this process, our sister organization, the Financial Services
Information Sharing and Analysis Center (known as the ``FS-ISAC''),
sends rapid notifications to member firms to protect critical systems
and assets.
The FS-ISAC reaches more than 20,000 sector participants daily and
promotes information sharing between the public and private sectors.
The FS-ISAC allows its members to receive threat and vulnerability
information immediately; communicate within a secure portal to share
vulnerability assessments and other information anonymously; and access
new data feeds of threat and vulnerability information. In addition,
the FS-ISAC has implemented a crisis communications system to notify
its members of emergencies in minutes.
In 2010, the Financial Services Information Sharing and Analysis
Center (FS-ISAC), which serves as the information-sharing operational
arm of the FSSCC, the Department of Defense and DHS, collaborated to
launch the Government Information Sharing Framework initiative (GISF)
based on initiatives with the Defense Industrial Base (DIB). This pilot
program consists of information sharing of threat and attack data
between the Federal Government and about a dozen financial services
firms. Beyond this, the FS-ISAC is the third sector (following the
Communications and IT sectors) to embed at the classified level, senior
and operational representatives within the DHS National Cybersecurity
and Communications Integration Center (NCCIC) as core members of the
watch and response teams. The Government's plan is to use these
examples as models for public-private sector information sharing for
other sectors to follow.
In early April, senior DHS officials and the FSSCC agreed to
collaborate on developing guidelines for when information should be
shared, especially information that is technical and contextual. This
decision to collaborate arose in response to a review of lessons
learned from recent cyber attacks, which I will review in greater
detail later in my testimony. In addition, the FSSCC is working with
the National Infrastructure Assurance Council (NIAC) on an information-
sharing study.
Sponsoring Security Clearances for Industry Professionals.--At the
urging of the FSSCC years ago, DHS and the Treasury have increased the
number of clearances for senior executives and experts from our sector.
In addition, DHS and the Treasury have arranged classified level
briefings each year, typically in conjunction with the FSSCC and FBIIC
meetings. Dozens of FSSCC members and all member firms represented on
the FS-ISAC Threat Intelligence Committee (TIC) are cleared to at least
the SECRET level. In addition, at least seven financial services
private sector individuals with cybersecurity responsibilities are
cleared at TOP SECRET/SCI level. For those individuals who have been
cleared, the process took a significant amount of time (not to mention
the time and expense from the Government side).
Collaborate on R&D.--The FSSCC R&D Committee has been working
closely with the Science and Technology Directorate of DHS for many
years. Our collaboration began in 2005 when the FSSCC established an
R&D Committee and shared the results of our efforts to identify the top
R&D priorities.\3\ Recently, we have focused considerable attention on
improving identity assurance. Our collaboration resulted in a
groundbreaking Memorandum of Understanding (MOU), which was signed on
December 6, 2010 by the FSSCC, DHS, and the National Institute of
Standards and Technology (NIST) with active support by the White House
Cybersecurity Advisor and head of the Office of Science and Technology
Policy.\4\ The MOU lays the foundation for developing an identity
assurance test bed that will focus on improving the accuracy and
timeliness of identity proofing, and reducing identity impersonation.
The collaborative initiative includes the concept of a ``financial
services credential verification gateway'' to enable direct
verification of identity credentials with the authenticating
authorities.
---------------------------------------------------------------------------
\3\ See https://www.fsscc.org/fsscc/news/default.jsp for the list
of top R&D priorities including: Advancing the state of the art in
designing and testing secure applications; making financial transaction
systems more secure and resilient; improving enrollment and identity
credential management; understanding human insider threats and
developing deterrence and detection; developing data-centric protection
strategies to better classify and protect sensitive information;
devising better measures of the value of security investments; and
developing practical standards to reduce risk and enhance resiliency.
\4\ See http://www.whitehouse.gov/blog/2010/12/06/partnership-
cybersecurity-innovation.
---------------------------------------------------------------------------
As a follow-up to the MOU, the FSSCC is working with DHS and NIST
on a Cooperative Research and Development Agreement (CRADA) on identity
proofing. Also envisioned in the MOU is an effort to define and test
the concept of establishing a secure domain within the larger internet,
where critical industries and Government can more securely exchange
sensitive information and complete high-risk transactions. This effort
also includes planning and testing for IPv6 and DNSSEC transitioning.
Other R&D activities include establishing and/or expanding
relationships with academia, DHS, National Science Foundation (NSF),
NIST, and the Department of Defense's Networking and Information
Technology Research and Development (NITRD) to provide financial
services expertise and enhance the transfer of promising research into
commercial use. In addition, members of the FSSCC have participated in
an insider threat study that DHS's U.S. Secret Service has been
conducting for several years.
Comments on Strategies and Cyber Incident Response Plans.--The
FSSCC has worked with DHS and White House officials in commenting on
the National Strategy for Trusted Identities in Cyberspace (NSTIC). The
FSSCC also has provided input into the National Cyber Incident Response
Plan and supported the National Security Telecommunications Advisory
Committee (NSTAC) Cross Sector Information Sharing Pilot.
Cross-Sector Coordination.--The FSSCC continues to work with cross-
sector councils. For example, the FSSCC and FS-ISAC participate in the
DHS Cross Sector Cyber Security Working Group (CSCWG), which has
representation across the 18 critical infrastructure sectors and meets
monthly to review cross-sector cybersecurity strategies, programs, and
projects of interest. From a crisis management perspective, the FS-ISAC
presence in both the National Infrastructure Coordination Center (NICC)
and the NCCIC supports close cooperation and coordination for disaster,
physical security, and cybersecurity events. We also are working with
the other critical sectors through the Partnership for Critical
Infrastructure Security (PCIS), an ``arm'' of DHS's partnership
structure outlined in the NIPP, to share critical contact information
for each sector as a first step to developing an efficient all hazards
cross-sector crisis response plan.
In 2010, a more formal cross-sector information-sharing pilot was
funded by the President's National Security Telecommunications Advisory
Committee (NSTAC). Four sectors participated in this pilot: Financial
services, communications, IT, and the defense industrial base. The FS-
ISAC provided the secure portal by which the four sectors exchanged
cyber threat data. Relevant and actionable cyber threat information was
exchanged during the pilot, which would not have been known to the
other sectors. As a result of the program's success, the pilot was
extended in 2011 with the intent of rolling it out to all interested
sectors later in the year. Furthermore, the FSSCC is involved in cross-
sector work of the PCIS in order to share critical contact information
for each sector as a first step to developing an efficient cross-sector
crisis response plan.
Participation in Cyber Exercises and Crisis Playbooks.--The
financial services sector has performed multiple exercises testing
various perceived vulnerabilities and establishing follow-up actions as
a result of lessons learned. Significant tests were run to evaluate
sector preparedness related to social engineering attacks, payment
processing attacks, and communication during a crisis. In particular,
the 2009 Cyber Financial Industry and Regulators Exercise (CyberFIRE)
and Cyber Attack against Payment Processes (CAPP) exercise were jointly
executed by the FSSCC, FS-ISAC, and included many FBIIC members, the
U.S. Secret Service, the Federal Bureau of Investigation (FBI), DHS,
and more than 800 individual participants. Members of the FSSCC are
also planning to participate in the upcoming National Level Exercise
No. 13 in May. The FSSCC and FS-ISAC have created crisis response
playbooks in order to clarify lines of communication during crises. The
sector provided leadership for recent events requiring a coordinated
response, including the earthquake in Haiti, pandemic flu, and
hurricane situations.
Support for Regional Coalitions and Fusion Centers.--Since 2002,
the FBIIC and the FSSCC have supported the formation of regionally-
based financial partnerships and coalitions dedicated to enhancing the
resilience of the financial community in specific geographic areas. At
present, there are nearly two dozen regional coalitions that consist of
private sector members who partner with the public sector. DHS and the
Treasury Department have been very supportive of these organizations,
primarily through the Regional Partnership Council (RPCfirst), the
umbrella organization to which the coalitions belong. Chicago FIRST, as
the Chair of RPCfirst, partnered with the DHS National Cyber Security
Division (NCSD) to develop ``cyber tabletop in a box.'' Regional
coalitions are conducting these tabletop exercises involving Federal,
State, and local law enforcement in their respective regions. In
addition, there are 72 fusion centers where experts from various
Federal and local government agencies share information and collaborate
with private sector participants.
Supply Chain Risks.--One of the emerging issues that FSSCC members
are evaluating is the security of the global supply chain. Members
continue to seek better assurances from our vendors that the major
information technology and communications hardware and software systems
that we deploy in our networks employ secure development practices and
are free from malware or other threats that may have been implanted in
the supply chain process. For example, in 2010, the sector published,
the Resilient International Telecommunications Guidelines for the
Financial Services Sector, highlighting the international risks
associated with the undersea cables network.\5\ This report identified
both the risks associated with a critical infrastructure component,
provided guidelines for managing those risks, and the need for
increased international collaboration. The FSSCC worked closely with
FBIIC members, most notably the Federal Reserve Board, and the National
Communications System, a division of DHS, that works closely with major
telecommunications providers.
---------------------------------------------------------------------------
\5\ See https://www.fsscc.org/fsscc/publications/default.jsp.
---------------------------------------------------------------------------
information sharing lessons learned from recent cyber attacks
Information sharing is of critical importance to the financial
services sector, other critical infrastructure sectors and the
Government. Without it, none of the FSSCC's other top priorities--
crisis event management, threat matrix dissemination and management,
identity assurance--would be achievable. Although we have made good
progress in creating information-sharing entities, to share information
securely and efficiently, we have not adequately tackled the critically
important issues associated with the timeliness and completeness of
information. We now need to focus on clarifying and compartmentalizing
information so that ``actionable intelligence'' can be disseminated to
responsible parties that will use it to protect critical
infrastructure. What I mean by ``actionable intelligence'' is redacted
technical information and contextual information without revealing
sources and uses or tipping off criminals or adversaries.
Information sharing among financial institutions, other critical
infrastructure sectors, and the Government is important for several
reasons. First, a company that is a victim of a cyber attack is
concerned about protecting its customers, its reputation and complying
with regulatory requirements. Second, others in the sector are
concerned about the impact that this a cyber attack could have on its
organization and counterparties or provider might have on their
operations, as well as the potential for systemic risk to entire
financial services sector. Third, the Government is responsible for
enforcing laws and promoting protecting critical infrastructure
protection. The Government also holds important information that is
both technical, such as malware signatures, and contextual, such as
what type of entity appears to be initiating the attack. This is due to
the Government's own operations in cyberspace and other roles including
law enforcement, defense, and regulation.
There is a strong need to establish appropriate and well-understood
protocols to share information so that we collectively understand the
problems and risks that we face in order to arrive at the right
response or solution. The fundamental issue of striking a balance
between confidentiality for criminal investigations and timely
information sharing remains a work in progress.
An example of an incident where too much secrecy led to an
increased exposure was the cyber attack on a major exchange, which was
discovered by the exchange in October 2010. The exchange alerted its
primary regulator and law enforcement. For a variety of reasons,
including an investigation of the attack by law enforcement and
intelligence agencies, information about the attack and its impact on
other financial institutions was not disclosed to others in the
financial services sector for 102 days. This 102-day period included
year-end, when financial institutions closed their books and prepare
annual reports. This could have had an enormous impact on employees,
stockholders, large and small, and the market as a whole. The lack of
meaningful information for more than 3 months left the entire sector
unnecessarily vulnerable.
In response to this event and recent discussions with senior DHS
officials, the FSSCC and DHS have agreed to collaborate on developing
guidelines for when information should be shared, especially
information that is technical and contextual. FSSCC members believe
that a more transparent decision-making process would accelerate the
dissemination of information without interfering or undermining
criminal and National security investigations. We also hope that these
protocols will elevate the priority that government places on sharing
information associated with protecting critical infrastructure. Also,
by leveraging the security clearances that DHS and other Government
agencies have sponsored for members of the FSSCC, the Government could
consult with industry experts to better understand the systemic risk
implications of the cyber events.
recommendations for improving public-private partnership
FSSCC recommends the following activities to improve the public-
private partnership with DHS and other Government agencies:
1. Protecting Critical Infrastructure Through Enhanced Information
Sharing.--We have made good progress in creating utilities to share
information securely and efficiently. However, we have not adequately
tackled the critically important issues associated with the timeliness
and completeness of information. We now need to focus on clarifying and
compartmentalizing information so that it can be disseminated via the
FS-ISAC. This is also important for the Government to better understand
the significance of information, including the impact on the critical
infrastructure sectors. We cannot assume the Government will know how
to evaluate the risks unless experts from the financial services sector
(or other CIP sectors) have a seat at the table. We also recognize that
there will be times when the Government cannot consult with industry
sectors and thus there needs to be clarity as to when and how
information will be shared.
As noted earlier in my testimony, FSSCC and DHS have agreed to
collaborate on developing guidelines for when information should be
shared, especially information that is technical and contextual.
Together, we need to learn from the recent breaches and establish
guidelines where we have more predictability in knowing when
information will be shared.
Building trust and enhancing understanding is a compelling reason
for expanding the number of clearances to senior executives and experts
in the financial services sector who are in position to
``operationalize'' timely and relevant threat and attack intelligence.
We also urge DHS to establish clearer protocols for the sponsorship of
private sector security clearances that are not directly related to a
Government contract and for non-U.S. citizens. We recognize that this
is a fairly new development and one which does not have clear
protocols, either among the sponsoring agencies, or in the private
sector. A system that would identify and categorize critical job
functions into ``need to know'' status should effectively expand the
community of private sector stakeholders who can get early Government
notification of significant issues. FSSCC members also suggest better
``tearline'' documents and the availability of classified information
on a geographically, disaggregated basis. Moreover, nationality is a
consideration not covered under current ``cold war''-derived clearance
protocols as not all the appropriate individual's in corporate
information security group who have a ``need-to-know'' homeland
cybersecurity information are U.S. citizens. We propose that the
clearance mechanism should expand to consider at minimum clearing
individuals from the UKUSA agreement countries (United Kingdom, Canada,
Australia, and New Zealand) and other countries, as possible, based on
government-to-government background check arrangements.
We need to enhance improve information sharing with the
communications, information technology, and electricity sectors.
Currently the FS-ISAC and FSSCC have little to no operational
transparency into other sectors. This may somewhat be addressed by the
embedding of personnel in the NCCIC however further policy and
engagement is required to provide a Common Operating Picture (COP)
across those dependent infrastructures.
2. Conduct more exercises and training.--In addition to clearances
and information sharing, we have found that we build greater trust
through exercises and training. By routinely engaging in exercises and
training through tabletop exercise, meetings, and awareness campaigns
we bring the right public and private sector participants together on a
regular basis. Working together, building relationships and
establishing trust are essential parts of creating a culture that can
share useful and timely information. The embedding of financial sector
personnel in the NCCIC and NICC is a positive step in that engagement
process.
3. Invest in R&D.--In addition to supporting the MOU and CRADAs on
identity assurance, we also encourage the Government to look to
emerging research on automated methods of attack detection,
communication, and prevention. As an example of the possibilities that
could be considered, DHS released a white paper entitled, Enabling
Distributed Security in Cyberspace. While this was only a concept
paper, it suggests a thoughtful, if ambitious vision for the future
where: ``A healthy cyber ecosystem would interoperate broadly,
collaborate effectively in a distributed environment, respond with
agility, and recover rapidly. With a rich web of security partnerships,
shared strategies, preapproved and prepositioned digital policies,
interoperable information exchanges, . . . healthy cyber ecosystem
could defend against a full spectrum of known and emerging threats,
including attacks against the supply chain, remote network-based
attacks, proximate or physical attacks, and insider attacks . . .''.\6\
---------------------------------------------------------------------------
\6\ http://www.dhs.gov/xlibrary/assets/nppd-healthy-cyber-
ecosystem.pdf.
---------------------------------------------------------------------------
4. Coordinate efforts internationally.--Cybersecurity is not an
issue that can be defined by geographic or political borders. The
National Cybersecurity and Communications Integration Center is slowly
making strides in bringing together industry and Government operational
capabilities under one roof, breathing the same air, to create a cross-
sector common operational picture about our cyber threats and
vulnerabilities. The FS-ISAC has a seat in the NCCIC, and both FSSCC
and FS-ISAC are participating in the Unified Coordination Group that is
developing the NCCIC's information sharing and incident response
process.
The FSSCC recognizes that this is a difficult endeavor--one that
involves numerous complexities around National security intelligence,
legal authorities, regulatory requirements, privacy protections, and
contractual restrictions. We are not where we need to be yet, but we
are moving in the right direction--to an envisioned end state where
private sector members of the NCCIC are able to communicate threat
intelligence in real time to their sector partners and coordinate
protective or mitigating action jointly with the Government and other
sectors.
comments on cybersecurity legislation
The committee had also asked for me to comment on cybersecurity
legislation. In general, the FSSCC is supportive of policies in which a
``rising tide lifts all boats''. By that I mean the Government should
offer incentives and, in some cases, require minimum security and
resiliency standards for utilities that service critical infrastructure
sectors. These utilities include entities like internet service
providers and others with whom our sector and other critical
infrastructure sector are dependent. For example, we need to ensure
that these utilities adopt practices to protect networks, manage
incidences, and address our long-standing concerns with internet
congestion during a time of crisis.\7\ The development of these
standards should be driven by private sector, consensus-driven bodies.
What has been lacking is a comprehensive cross-cutting review of the
cyber risk, mitigation, and regulatory dynamics across all of the
critical sectors to ensure that any ``minimum standards'' legislation
can allow specific security gaps in each sector to be addressed without
imposing one-size-fits-all standards that contradict existing sector
regulation.
---------------------------------------------------------------------------
\7\ U.S. Department of Homeland Security, Pandemic Influenza Impact
on Communications Networks Study, December 2007. http://www.ncs.gov/
library/pubs/
Pandemic%20Comms%20Impact%20Study%20%20Best%20Practices.pdf; GAO,
Influenza Pandemic: Key Securities Market Participants Are Making
Progress, but Agencies Could Do More to Address Potential Internet
Congestion and Encourage Readiness, GAO-10-8, October 2009. http://
www.gao.gov/new.items/d108.pdf.
---------------------------------------------------------------------------
The FSSCC supports the following provisions:
Commitment to two-way public-private information sharing and
cross-sector information-sharing efforts, leveraging the
Information Sharing and Analysis Centers (ISACs), the Sector
Specific Agencies (SSAs), US-CERT, safe harbors, clearances,
and confidentiality guarantees. Such a commitment is vital to
facilitate the sharing of actionable and timely information,
particularly during cyber emergencies.
Focused efforts to address critical interdependencies such
as our sector's reliance on telecommunications, information
technology, energy, and transportation sectors.
Leveraging Federal cybersecurity supply chain management and
promotion of cybersecurity as a priority in Federal
procurement.
Public education and cybersecurity awareness campaigns to
promote safe computing practices.
Enhanced international collaboration and accountability in
law enforcement and industry, including increased funding for
law enforcement and facilitating the development of global
cybersecurity standards.
Increasing funding for applied research and encouraging
collaboration with Government research agencies on
authentication, access control, identity management,
attribution, social engineering, data-centric solutions, and
other cybersecurity issues. It is only through such public-
private efforts, combined with adequate funding, that leading-
edge research in these important areas can enhance our ability
to secure on-line transactions, maintain data integrity, and
enhance user confidence.
Attention to ICANN and other international internet
governance bodies especially as ICANN begins a new application
round for what could be as many as a thousand new top-level
internet domains later this year. It is vitally important that
effective oversight exist to enhance security and privacy
protections.
Need for enhanced supervision of service providers on whom
financial institutions depend, while at the same time
recognizing the role of Federal financial regulators in issuing
regulations and supervisory guidance on security, privacy
protection, business continuity, and vendor management for
financial institutions and for many of the largest service
providers. Strengthening Government-issued credentials (e.g.,
birth certificates, driver's licenses and passports) that serve
as foundation documents for private sector identity management
systems.
The FSSCC does not support provisions that provide sweeping new
authority for the Executive branch to remove access to the internet and
other telecommunications networks, without clarifying how, when, and to
what extent this would be applied to our critical infrastructures. Such
a provision also sets the wrong precedent in light of recent
restrictions on internet use imposed in other countries.
conclusion
In conclusion, I would like to thank the committee for inviting me
to testify today on behalf of the FSSCC on the DHS cybersecurity
mission and how they interact with private sector owners. Both the
public and private sector financial services organizations recognize
the importance of improving information sharing as part of continuity
planning, crisis management, and enhancing resiliency in preparing for
and responding to significant events. We know that during a real crisis
we cannot operate as independent entities and thus we must establish
trusted relationships and plan ahead of time so that we are prepared to
respond to a real crisis. It is my hope that the good work done to date
in bridging the public-private divide by FSSCC and DHS continues and
that we find additional ways to effectively combat those who would seek
to undermine our economy and stability--be they homegrown or foreign,
criminal or terrorist, rogue or state-sponsored. It is only by working
together that we will prevail in the complex and every changing
internet-connected world.
Appendix A: FSSCC Org Chart
Appendix B: Executive Summary of Sector Annual Report
executive summary
In 2003, the Banking and Finance Sector, hereinafter referred to as
the Financial Services Sector, was identified as a critical
infrastructure sector pursuant to Homeland Security Presidential
Directive 7 (HSPD-7); the U.S. Department of the Treasury was
identified as the Sector-Specific Agency (SSA) for the sector. As the
SSA, the Treasury Department works with its public and private sector
partners to maintain a robust sector that is resilient against manmade
or natural incidents. The Financial Services Sector is essential to the
efficiency of world economic activity. This Sector Annual Report
outlines the requirements for current and future protective programs
based on HSPD-7.
Both the private and public sectors, through the Financial Services
Sector Coordinating Council for Critical Infrastructure Protection and
Homeland Security (FSSCC) and the Financial and Banking Information
Infrastructure Committee (FBIIC), respectively, have key roles in
implementing the Financial Services Sector's critical infrastructure
and key resources (CIKR) protective programs. Through direct mandates
and regulatory authority, Federal and State financial regulators have
specific regulatory tools that they can implement in response to a
crisis. In addition, the Department of the Treasury--along with the
FBIIC, the FSSCC, Financial Services Information Sharing and Analysis
Center (FS-ISAC), and regional partnerships--have developed and
continue to implement numerous protective programs to meet the
Financial Services Sector's goals. The protective programs range from
developing and testing robust emergency communication protocols, to
identifying critical Financial Services Sector threats, to addressing
cybersecurity protection needs. The success of the public-private
partnership has proven critical to the Financial Services Sector's
achievements through one of the most challenging periods for the sector
with respect to credit and liquidity risks.
The scope of the Financial Services Sector includes public and
private institutions involved in carrying out the primary sector
functions of clearing, payment, settlement, and trading. Multiple
organizations perform these functions and collectively represent the
Financial Services Sector.
Clearinghouses
Commercial banks
Credit rating agencies
Exchanges/electronic communication networks
Financial advisory services
Financial utilities
Government and industry regulators
Government subsidized entities
Investment banks
Merchants
Retail banks
Insurance companies
Electronic payment firms
Through the public-private partnership, the following vision
statement for the Financial Services Sector has been established.
``Vision Statement
``To continue to improve the resilience and availability of financial
services, the Banking and Finance Sector will work through its public-
private partnership to address the evolving nature of threats and the
risks posed by the sector's dependence on other critical sectors.''
The Financial Services Sector pursues this vision by working toward
its three sector goals:
1. To achieve the best possible position in the face of myriad
intentional, unintentional, manmade, and natural threats
against the sector's physical and cyber infrastructure;
2. To address and manage the risks posed by the dependence of the
sector on the Communications, Information Technology, Energy,
and Transportation Systems Sectors; and
3. To work with the law enforcement community, financial regulatory
authorities, the private sector, and our international
counterparts to address threats facing the Financial Services
Sector.
In support of the sector goals, the FSSCC has recently updated its
mission and objectives, as is further described in Section 3.
Representing the strategic arm of the Financial Services Sector, the
FSSCC has established the following objectives:
Identify Threats and Promote Protection
Drive Preparedness
Collaborate with the Federal Government
Coordinate Crisis Response
The Financial Services Sector's goals and objectives guide our
activities in managing significant sector risks. Significant sector
risk considerations have been identified and are described in greater
detail in Section 2. They are summarized as follows:
Confidence Risk
Concentration Risk
Supply Chain Risk
Infrastructure Risk
Geographic Proximity Risk
Technology Risk
Management of these risks has resulted in the identification of the
following potentially significant sector vulnerabilities:
1. Confidentiality.--Maintaining the confidentiality of clients and
meeting all legal requirements for maintaining confidentiality;
2. Integrity.--Ensuring transactional integrity to support
financial transactions; and
3. Availability.--Ensuring that financial services are available to
maintain the smooth flow of capital.
The sector's goals, initiatives, and activities are in pursuit of
achieving the four objectives identified above to effectively manage
sector risks and vulnerabilities.
The following sections summarize the significant activities that
are described in subsequent chapters of this Financial Services Sector
Annual Report.
ES.1 Strategic Goals
Over the past year, the Financial Services Sector set forth the
following objectives and goals that drive the FSSCC activities and
guide activities of the sector's multiple organizations.
------------------------------------------------------------------------
Strategic Objectives 2010 Goals
------------------------------------------------------------------------
Identify Threats and Promote Finalize updated Threat Matrix.
Protection. Disseminate Threat Matrix and build into
strategy.
Build Threat Matrix into ongoing planning
and execution of FSSCC goals.
Drive Preparedness........... Establish regularized process for
escalating events and disseminating
information in the form of actionable
intelligence.
Establish more direct international
relationships.
Further the undersea cables work.
Develop supply chain frameworks.
Disseminate CyberFIRE and Cyber Attack
against Payment Processes (CAPP)
Exercise learning.
Support regional coalitions.
Collaborate with the Federal Establish on-going interaction with (1)
Government. the new White House Cybersecurity
Coordinator and (2) DHS/National
Security Agency (NSA).
Address internet congestion as part of
DHS interaction.
Develop Identity Management Principles
and request for investment.
Implement Government Information Sharing
Framework initiative with Department of
Defense (DoD) and DHS.
Develop sector-wide position on Internet
Corporation for Assigned Names and
Numbers (ICANN).
Engage in conversation on cyber and
critical infrastructure legislation and
determine appropriate next steps.
Deliver a finance and banking educational
session.
Coordinate Crisis Response... Expand and improve crisis management
response playbooks.
Improve usefulness and mindshare of
playbooks.
------------------------------------------------------------------------
ES.1.1 Identify Threats and Promote Protection
The Financial Services Sector is developing a comprehensive All-
Hazards Threat Matrix accounting for over 1,900 individual threats. A
risk-ranking methodology is being used that can be applied at the
sector level and adopted by individual organizations to adapt to their
specific needs. As a major initiative for the sector, begun in 2009, it
will continue throughout 2010 and serve as the foundation for strategic
efforts going forward.
Additionally, the sector published the Resilient International
Telecommunications Guidelines for the Financial Services Sector
(Undersea Cables Report), highlighting the international risks
associated with our undersea cables network. This significant report
highlights both the risks associated with a critical infrastructure
component and the need for increased international collaboration.
Additionally, the sector has elevated its focus on cybersecurity.
Several exercises have been run to identify cyber threats, and research
and development (R&D) efforts have been focused on addressing
vulnerabilities through a collaborative public-private joint effort.
The sector made significant contributions to the National Cyber
Incident Response Plan, created new FSSCC working groups focusing on
Identity Management and Supply Chain issues, and engaged with the
Director of National Intelligence and the intelligence community on
multiple cyber issues.
ES.1.2 Drive Preparedness
The sector has performed multiple exercises testing various
perceived vulnerabilities and establishing follow-up actions as a
result of the learning. Significant tests were run to evaluate sector
preparedness related to social engineering attacks, payment processing
attacks, and communication during a crisis. In particular, the Cyber
Financial Industry and Regulators Exercise (CyberFIRE) and Cyber Attack
against Payment Processes (CAPP) Exercises were jointly executed by the
FSSCC, FS-ISAC, and FBIIC and included the U.S. Secret Service, the
Federal Bureau of Investigation (FBI), and the U.S. Department of
Homeland Security (DHS), plus more than 800 individual participants.
Sector crisis response playbooks have been created and strategic
and tactical efforts have been delivered to clarify lines of
communication critical in crisis response. The sector coordinated over
45 operators and associations and performed multiple other FS-ISAC and
regional exercises throughout the year.
ES.1.3 Collaborate with the Federal Government
The Financial Services Sector has stepped up its partnership with
the U.S. Government, academia, and related sectors. The sector has
established successful working relationships with academia, the
National Institute of Standards and Technology (NIST), the Department
of Homeland Security, the National Science Foundation (NSF), and the
Networking and Information Technology Research and Development (NITRD)
program; participated in a roundtable with the DHS Secretary; and
established a working dialogue with the White House's Office of Science
and Technology Policy (OSTP) through Aneesh Chopra.
The sector has further contributed significantly to Government-led
initiatives in identity management and the development of incident
response plans. Coordination among intelligence agencies, regulators,
other Government agencies, and the private sector has received
considerable focus and is a hallmark of the sector's achievements.
The FS-ISAC has collaborated with DoD and DHS to launch the
Government Information Sharing Framework initiative. This pilot program
has been implemented in 2010 and consists of large-scale information
sharing of threat and attack data between the Federal Government and
financial services firms that have agreed to participate. The
Government's plan is to use this as a public-private sector
information-sharing model for other sectors and other Federal
Government agencies to follow.
ES.1.4 Coordinate Crisis Response
The sector collaborated to develop crisis response plans for all
hazards, as well as specific plans for hurricanes. The sector provided
leadership for recent events requiring a coordinated response,
including Haiti, pandemic flu, and hurricane situations.
ES.1.5 Conduct Research and Development
Led by the FSSCC R&D Committee, the sector has identified and
progressed on seven R&D priorities it has established (further
described in Section 5):
Advancing the State of the Art in Designing and Testing
Secure Applications
Making Financial Transaction Systems More Secure and
Resilient
Improving Enrollment and Identity Credential Management
Understanding Human Insider Threats and Developing
Deterrence and Detection
Developing Data-Centric Protection Strategies to Better
Classify and Protect Sensitive Information
Devising Better Measures of the Value of Security
Investments
Developing Practical Standards to Reduce Risk and Enhance
Resiliency.
The FSSCC R&D Committee has proposed to senior White House and
other Government officials a public-private sector collaboration to
improve identification validation and has drafted a proposal on an
identity credential verification gateway. Further, it participated in
the Federal Government's National Cyber Leap Year Summit and put forth
the Financial Communications and Authentication Pilot (``testbed'') in
response to discussions among the FSSCC R&D Committee, senior White
House personnel, and NIST and DHS officials.
Outreach for R&D efforts has been significantly expanded. Several
comment letters have been sent, and engagements have occurred with
multiple Government organizations, including the U.S. Department of
State on ``Current Challenges and Future Strategies for Improving
Identity Management,'' the Critical Infrastructure Protection Congress
on identity management, and the Internet Corporation for Assigned Names
and Numbers (ICANN) on the expansion of top-level domains, among
others.
ES.2 Sector Challenges and Looking Forward
Looking forward to the next year, the Financial Services Sector
will build on its substantial success achieved in the past year. While
priorities will be set later in the year, significant efforts are
expected to focus on the following:
Evaluating the top threats to the Financial Services Sector
Coordinating multiple Government activities
Researching internet congestion
Investigating ICANN proposals to expand top-level domains
Exploring identity management issues
Expanding international coordination.
Mr. Lungren. Thank you very much.
Now Dr. Amoroso.
STATEMENT OF EDWARD AMOROSO, SENIOR VICE PRESIDENT AND CHIEF
SECURITY OFFICER, AT&T
Mr. Amoroso. Well, thank you very much.
This is a topic I have spent the last 30 years thinking
about exclusively. So I am not a lot of fun at cocktail
parties. But it is something that I know a fair bit about.
Let me see if I can boil down the fundamental issue of
cybersecurity in particular as it relates to homeland security.
It is something that I think people can pretty well understand.
That is how you protect your home computer.
Like if I had asked everybody in the room to take a moment
and think about what you do at home, you probably went to
Staples or something and bought, you know, a box of internet
security or it came with the computer. You enabled it, and that
is pretty much it. You are completely on your own. Like you
might call the Geek Squad if you get in trouble, or you might
have a really smart teenager in the family who can do something
if you get hopelessly tangled up. Or you might just give up and
go buy a new computer, right, if you think that you are full of
malware and other types of things.
This experience that we all have at home is exactly the
experience that small businesses and Government agencies and
large businesses have as well. We go out and we buy software
and systems that we hope are going to work, and then we are
pretty much on our own. I know in each of the districts that
you represent, you probably hear that from small business
owners all the time. Citizens are starting to recognize that
this is an issue.
I think from a homeland perspective, this causes a big
problem, right, because, as you all know, the new battlefield
that we work from a cyber perspective includes all our home
PCs, right? That is how botnets are created. We are in some
sense kind of negligent in protecting our PCs, and criminals
and terrorists and enemy states take advantage of that and
create weapons in that respect.
So we have prepared some formal remarks that we have issued
that have some suggestions, but I just want to summarize a
couple of them.
If you think about that question of coordination, like when
a group is under attack, it is the case now in 2011 that there
is no good way to share information in real time. I know that
at AT&T, for me to try to do something like that with
Government involves as many lawyers as there are in this room
for us to just share something. It is ironic that I can
probably share information back and forth with a hacking group
with complete impunity, but with the Government I have to have
a team of lawyers present.
So that concept and the whole issue of a National sort of
cyber coordinating capability that has real-time information
sharing--and I don't mean after the fact. I mean something that
would allow us in real time to share and to coordinate.
Let's say you are in Brooklyn and you are living and you
see something funny going on that you are not sure is normal in
your neighborhood. We are all kind of trained to kind of take
action. You can imagine that a nation of businesses and
agencies and individuals who in some sense have it in their
best interest to behave accordingly and to share that
information would make us all a heck of a lot safer.
There really is no mechanism for that. I know at AT&T
sometimes we find that kind of frustrating. Because we have
information that may be very useful at times to DHS, and we
know DHS does as well. I think the NCCIC is a good example of
moving in the right direction toward trying to sort of connect
different groups together. But I think the essence of real
time, the essence of situational awareness, these are things
that are very immature in our country right now.
I would add, you will see in the remarks that we have
prepared for the group, it extends to global as well. It turns
out that political boundaries don't map too nicely to
cybersecurity infrastructure. There are ways that we do naming,
for example, on the internet, the way you get your website
named or your e-mail address named. These are global standards,
and they run on systems that transcend political boundaries. I
have infrastructure at AT&T that is located around the globe,
under different jurisdictions with different laws. So even if
we got our act together and really laid out a good domestic
plan, it is not enough. We have to go out and work it globally.
So I hope you will read our prepared remarks. We make some
suggestions there. But keep in mind that the challenge you have
at home with your home PC is a good model for the kinds of
problems that Government agencies and businesses have as well.
So I appreciate the invite and look forward to the
discussion.
[The statement of Mr. Amoroso follows:]
Prepared Statement of Edward Amoroso
April 15, 2011
Chairman Lungren and Ranking Member Clarke, I would like to thank
you and all the Members of the subcommittee for this invitation to
address the significant challenges facing the private sector and the
Department of Homeland Security in securing critical infrastructure
from cyber threats. In my testimony, I will try to identify current
challenges as well as the actions that can be taken to address those
challenges; and in particular how to coordinate the Government's
cybersecurity capabilities with the private sector's investment in
infrastructure and operational capabilities.
my background
I currently serve as senior vice president and chief security
officer of AT&T, where I have worked in the area of cybersecurity for
the past 26 years. My educational background includes a Bachelor's
degree in physics from Dickinson College, as well as Masters and Ph.D.
degrees in computer science from the Stevens Institute of Technology,
where I have also served as an adjunct professor of computer science
for the past 22 years. I am a graduate of the Columbia Business School,
and have written many articles and five books on the topic of
cybersecurity. My most recent book is entitled ``Cyber Attacks:
Protecting National Infrastructure'' (Butterworth-Heinemann, 2011).
My current responsibilities include design and operation of the
security systems and processes that protect AT&T's vast domestic and
international wired and wireless infrastructure. This infrastructure is
the core asset that permits AT&T to provide the wide variety of
advanced network services that AT&T offers to its many millions of
customers around the world, ranging from the largest global business
enterprises to individual consumers. AT&T has also had the opportunity
to work with the Department of Homeland Security (DHS) in a variety of
ways in the decade since the Department was created.
For instance, we actively participate with DHS in the National
Cybersecurity Communications Integration Center (NCCIC) in both its
National security/emergency preparedness and cybersecurity missions. We
are also active participants in the President's National Security
Telecommunications Advisory Council (NSTAC) and the Communications
Sector Information Sharing and Analysis Center, both of which are
administered by DHS. We have also supported DHS in the testing and
evaluation of prototype network-based cybersecurity capabilities over
the last several years. Finally, we were the first company to obtain a
formal Authority-To-Operate to provide Trusted Internet Connection
service to Government Agencies through the General Services
Administration (GSA)/DHS joint Managed Internet Protection Service
initiative under the GSA Networx contracts.
what is cybersecurity?
Simply put, from the perspective of protecting the Nation's
critical infrastructure, cybersecurity is the ability to protect
critical systems from disruption, or critical information from
alteration or theft. Potential threats range from disgruntled
individuals to criminal elements to transnational actors to
sophisticated and well-resourced nation states. Motives can range from
mischief to deliberate acts of hostility through sabotage and
terrorism. The methods and forms of infrastructure intrusion are
continually advancing so as to bypass standard preventive measures such
as the application of firewalls and intrusion detection systems between
the critical system and the internet at large. One such form of
evolving cyber attack uses ``botnets''--which are run by malicious
parties who are increasingly adept at harnessing the power of dispersed
personal computers and other smart devices attached to the Nation's
networks and using them to attack unsuspecting victims.
As the largest provider of communications and network services in
the world, AT&T takes very seriously its responsibility to protect our
infrastructure and our customers from the vast and ever-changing cyber
threats. Cybersecurity is a business imperative at AT&T, and we work
very hard at it, investing significant resources to innovate and keep
pace with technology that may be either the source or target of the
threats. The size and scope of AT&T's global network, coupled with our
industry-leading cybersecurity capabilities, gives AT&T a unique
perspective into malicious cyber-activity. AT&T offers one of the
world's most advanced and powerful global backbone networks, carrying
23.7 Petabytes of data traffic on an average business day to nearly
every continent and country (a Petabyte is a million billion bytes of
data, or a ``one'' followed by 15 zeros), and we expect that to double
every 18 months for the foreseeable future. Our intelligent network
technologies give us the capability to analyze traffic flows to detect
malicious cyber-activities, and in many cases, identify very early
indicators of attacks before they have the opportunity to become major
events. For example, we have implemented the capability within our
network to automatically detect and mitigate most Distributed Denial of
Service Attacks within our network infrastructure before they affect
service to our customers, and we continue to improve our ability to
provide global coverage to mitigate denial-of-service attacks from
multiple locations across the United States, as well as nodes in Europe
and Asia. We are constantly improving our cyber capabilities, including
the ability to detect and mitigate Advanced Persistent Threats, the
most sophisticated and pernicious forms of cyber attack.
what needs to be done?
I would like to outline four broad themes for your consideration
during today's hearing. Improving the overall cybersecurity posture of
the United States is a daunting task. We cannot undertake this
challenge unilaterally--it is clearly a global issue in all its
dimensions. The administration and the Congress have put forth a
variety of ideas and initiatives on how we can begin to tackle this
challenge; some are helpful, and some would stifle the innovation and
flexibility we need to identify and respond to the ever-changing
threats. Improving our National cybersecurity posture is a long journey
that will not be solved by simple pronouncements or regulatory
dictates. We can, however, start to put some foundational elements in
place to build on for the future.
1. Build a Collaborative Active Cyber-Defense Capability.
First and foremost, the United States needs to build a
collaborative active cyber-defense capability. The global
communications infrastructure is the primary vehicle for delivery of
cyber attacks against U.S. interests, yet there is no comprehensive
coordination mechanism for rapidly detecting and analyzing attacks and
responses. Each Tier One communications network operator and service
provider monitors its own network to varying degrees, with varying
capabilities to mitigate or block attacks. In addition, the multiple
Government programs which already exist are focused on monitoring
traffic to and from multiple Government networks--none of which are
operationally integrated. Given the increasing sophistication and scope
of cyber attacks, we can no longer expect that individual companies or
consumers, or disparate Government network monitoring programs, provide
adequate protection against evolving threats.
Attack-related protective information might be known to the Federal
Government, for example, but otherwise unknown to private industry. In
the event that a Government agency becomes aware of a malicious attack
signature that could be deployed into intrusion detection systems to
protect industrial, non-Government assets, the Government should have
the confidence that it can be so deployed without further delay or
review. A collaborative active cyber-defense capability to detect,
analyze, and mitigate malicious cyber activities in the core networks
that make up the internet itself will enable cyber attacks to be
detected and attempts be made to stop them before they reach their
target.
Such a capability should leverage and build upon the existing
cybersecurity capabilities of the Tier One network operators and
service providers whose networks are the core of the internet in the
United States, as well as the complimentary capabilities of the
security technology and software industries. Critical National systems,
large and small business, industrial concerns, and individual internet
users can all be better protected by this umbrella approach. Combining
these elements to work in a collaborative and coordinated fashion can
provide the basic foundation for the active cyber-defense capability.
National intelligence capabilities to identify cyber threats and
provide advanced warning can also be leveraged. In this way, a new
collaborative cyber defense capability will both feed into and
strengthen existing public-private coordination and response efforts.
2. Government Leadership in Acquisitions and Cyber Management.
The United States Government should lead by example in
cybersecurity. The Federal Government is the largest single purchaser
of information technology and network services in the United States,
and its leadership and buying power can have great influence on the
cybersecurity marketplace. Several worthwhile Federal initiatives are
in place to improve cybersecurity for the ``.gov'' domain, such as the
Trusted Internet Connection effort by the Office of Management and
Budget (OMB) and its instantiation via the General Service
Administration/Department of Homeland Security joint initiative on
Managed Trusted Internet Protection Service, but they are being applied
inconsistently. The Department of Defense also has its own effort to
protect ``.mil'', separate from the ``.gov'' efforts. These initiatives
do not yet take full advantage of the portfolio of managed security
services offered by many private sector network service providers, such
as network-based protection against Distributed Denial of Service
(DDOS) attacks. The Federal Government needs a clear and comprehensive
strategy for cybersecurity of all Federal systems which make up
``.gov'' and ``.mil''--one which effectively leverages existing
cybersecurity capabilities offered by the network service providers.
Further, the current roles and authorities of the various Federal
agencies overlap and are unclear with respect to cybersecurity for
Federal Government infrastructure, as well as the protection of other
critical infrastructure, National assets and individual consumers.
Congress can lead by establishing the respective and definitive roles
and authorities of the various Executive Branch elements involved in
all aspects of cyber security--including the National Security Council
and the Cyber Policy Coordinator, the Office of Management and Budget,
the Office of Science and Technology Policy, the Department of Homeland
Security, the Department of Commerce including the National Institute
of Standards and Technology and the National Telecommunications and
Information Administration, the Department of Defense including U.S.
Cyber Command and the National Security Agency, the Department of
State, the Federal Communications Commission, and the Federal Trade
Commission. The United States needs a unified Federal effort on
cybersecurity with a clear understanding of the roles involved--not the
confusion, inconsistency, and overlap that currently exists.
3. Global Strategy.
The United States must move forward aggressively to create a
comprehensive strategy for addressing global cooperation in
cybersecurity. We must reinforce the leadership of the United States in
shaping the future of the internet, and assuring its stable, reliable,
and secure operation, concurrent with the expansion of U.S. enterprise
in the global internet marketplace. In particular, all members and
participants of the global internet community must achieve consensus on
the fundamental point that malicious cyber activities of any sort will
simply not be tolerated. Concurrent with these efforts, Congress should
also expand incentives for investment by the private sector to help
invigorate U.S. technology leadership in cybersecurity and the
internet.
4. Cyber literacy.
We all must redouble our efforts in cybersecurity education and
awareness across the full spectrum of the internet user base--from the
boardrooms of our largest companies to the millions of individuals who
surf the 'net. Current efforts in cybersecurity education and awareness
are fragmented and the messaging is often confusing. The ultimate key
to improving our National cybersecurity is technology innovation driven
by market demand from informed users and purchasers of all kinds. By
creating market demand for cybersecurity through heightened consumer
awareness, we can spur fundamental security innovation at all levels of
the internet eco-system, and allow the United States to continue as a
leader in internet development. To that end, Congress should designate
a lead agency on cybersecurity education, and support that designation
with an appropriate level of funding to make it effective. The roles of
other Federal agencies in supporting this effort should also be
clarified. AT&T is itself actively engaged in the provision of
cybersecurity information and protective tools to our customers, and
actively participates in pan-industry cyber awareness education efforts
such as ``Stop.Think.Connect,'' the coordinated messaging effort
spearheaded by the Anti-Phishing Working Group and the National Cyber
Security Alliance and comprised of Government agencies, private sector
entities, and not-for-profit corporations.
In the past, cybersecurity legislative proposals have included a
variety of regulatory schemes, such as certification regimes, that,
while well-intentioned, are too often the antithesis of innovation--
such requirements could have an unintended stifling effect on making
real cybersecurity improvements. Our cyber adversaries are very dynamic
and ever more sophisticated, and do not operate under a laboriously
defined set of rules or processes. The challenges we face in
cybersecurity simply cannot be solved by imposing slow-moving,
consensus-based bureaucracy on those who build, operate, and use cyber
space. Overbroad regulation and certification requirements can have
unintended consequences, such as emphasizing the status quo by focusing
on yesterday's challenges. An overly prescriptive approach can only
serve to stifle internet innovation and the technology leadership of
the United States in the global information infrastructure.
The internet itself was created through innovation. Some key early
investments by the Government helped spur that innovation. Congress and
the administration have leadership roles to play in assuring that the
United States continues to focus on technology innovation. Burdening
the private sector with the cost of unnecessary and ineffective
regulations and processes is contrary to that objective, and will only
slow advances in cybersecurity. Congress must insist on and support
initiatives that provide the flexibility needed to deal with the
dynamics of the threat and the technology, while creating innovation
and investment through market demand.
I thank the subcommittee for its timely and focused attention on
cybersecurity, and I look forward to providing on-going guidance,
assistance, and recommendations as we collectively work to reduce the
cybersecurity threat to our Nation and our critical infrastructure.
Mr. Lungren. Thank you very much.
I thank all the panelists for your testimony.
We will go into a round of questioning of 5 minutes a
piece, and I will start with that.
Dr. Amoroso, in your testimony you talked about if we were
to have enhanced market demand for cybersecurity through
heightened consumer awareness that might be an element to help
us along the way in creating those kinds of mechanisms
necessary from the ultimate consumer to major corporations.
This is one of the things that has always been presented to
me. How do we make it bottom-line relevant for both individuals
and businesses? Because when you say increasing consumer
awareness will lead to that, that presumes that people will be
aware enough to spend the money to do those things that are
necessary and to spend the time to take those simple steps that
would be necessary to engage those systems that they have on a
regular basis.
Do you have any suggestions about how we do that,
particularly with corporations so that corporations--look, in
the financial services industry and in the communications
industry, I think it is fairly more self-evident to people
that, bottom line, it is important. Cybersecurity destroys your
very product, your very service.
In others, they might hedge and say, well, the chance that
someone is going to attack me in a way that is really going to
hurt me may not be that great. If they really do succeed, that
would hurt me, but the chances of them doing that are not very
great. So how can I justify that to my shareholders?
Could you give us some insight on that?
Mr. Amoroso. Well, one thing Government can do is lead by
example. Certainly I think a lot of the cybersecurity
mechanisms that are laid out, say through GSA and DHS and other
places, are applied pretty unevenly. I know that my team owns
and operates infrastructure in support of the GSA network's
MTIPS program, which is a trusted internet connection. I will
say that it is applied somewhat unevenly. There are some
excellent services that GSA provides, data analysis service,
real-time capabilities for making sense of what is happening on
a given network.
I think that one of the responsibilities of Government is
to look first inward at civilian and defense and other types of
agencies, even State and local to the degree that we have that
kind of jurisdiction, and to show by example that not only is
this important but it can actually be done.
There are two problems. One is, a lot of groups--to your
point--don't necessarily see it as urgent. But perhaps more
troublesome, even if they saw this urgent, they are not really
sure what they should even be doing, right, just as you would
at home.
If I convinced you tomorrow that identity theft was the
most important thing in your life, how would your PC usage
change? You would probably shrug and say, all right, I am a
believer. What do I do?
We start these things by saying how complex a problem it
is. Here is one of the dimensions that makes this particularly
troublesome for this committee. Once we get our arms around
some techniques that seem to work, the technology has already
changed.
I am guessing most of the people in here have a Smartphone
in their pocket. That is an internet-connected computer that
you have in your pocket that probably has more power than a
data center had when you started your career, and now you carry
it around with you in your pocket. Just graph that out another
10 years, and that is the threat that we should be planning for
now, not the threat that exists today. It makes it extremely
difficult, because the technology changes so dramatically.
So, again, cooperation, coordination, those are the types
of things that we really need to foster. Because the hacking
community seems to do that maybe even better than we do as a
Federal Government.
Mr. Lungren. Ms. Carlin, if you could respond to that.
Also, you made some suggestions about how we might be able to
improve some things in a coordinating council. Part of that is
relationship building. You can have it all in the schematic,
but unless people have trust that they can share information
they won't do that and not even get to Dr. Amoroso's point
about how you make it in real time. Could you just comment
first on the bottom-line relevance and then secondly about
specific improvements maybe we need on the Government side with
respect to a coordinating council?
Ms. Carlin. Sure. Thank you.
As to the first question, I guess I think of it a little
differently maybe than Dr. Amoroso in the following sense: Many
of the institutions that make up the financial services
marketplace, including the critical infrastructure components
we depend on, are then each regulated often by different
regulators. Many of the regulators in financial services
already have robust standards around data security principles
and standards they expect the banks and other regulated
entities to observe.
Where I think there is really a significant remaining gap
is in what I think of as utility standards. There are utilities
operating that constitute critical infrastructure assets who
themselves are not subject to baseline minimum standards
related to data security.
Now I don't think of that, quite frankly, as regulation or
legislation, for that matter but, rather, baseline minimum
operating standards, recognizing the interconnectedness and
interdependence that we all have. A failure of one represents a
failure of all, and we have seen it over and over and over
again.
As to the second question and our specific recommendations,
what we are recommending is a documented protocol that will
provide a more regularized and repeatable process to the
decision of when to disclose information to the community. So
rather than making it up each time as we go along and treating
it almost as an artist's project, let's inject some science
into that question. What are the considerations that the law
enforcement, intelligence, regulatory, and private industry
communities bring to bear when an event happens? How do we
appropriately balance, as an example, the importance of an on-
going investigation with the public policy considerations
related to disclosure? The event that I refer to in my
testimony, the 102-day delay, cut across fiscal year end for
the vast majority of public companies in the United States. How
did we do that without this information?
Mr. Lungren. Thank you very much.
I recognize now for 5 minutes the Ranking Member from
Brooklyn.
Ms. Clarke. Thank you, Mr. Chairman.
Mr. McGurk, you have told my staff on previous occasions
that when your office conducts analysis of control systems in
critical infrastructure sectors, such as the electric sector,
they often report to you that those systems are air gapped or
physically separated from their business system. But, in fact,
when you check their system, that is almost never the case. Can
you tell us about that, please? Is it your experience that,
once this is pointed out, that the companies fix the problem or
do they just ignore it? Are there other sectors where this is
the case?
Mr. McGurk. Yes, ma'am. Thank you very much for that
question.
Indeed, the results of our on-site assessments as well as
our incident and response events have identified that in no
case had we ever found a situation where the operations network
and enterprise networks were fully air gapped. There were
always types of connections and, for many systems, very good
reasons why they are connected. The challenge runs the gamut of
service-level agreements, regulatory reporting requirements, or
other information-sharing information. So there are good
reasons.
What we found is that not necessarily is there a good cyber
hygiene approach to securing those communications networks or
those nodes. There is technology available which provides
unidirectional flow of information that cannot be breached so
that they could put processes and procedures in place to
prevent the flow of information or preventing a malicious actor
from coming back into those networks and those systems. So
those technologies are out there, and they have been analyzed,
and they have been validated by various members of our National
lab complex.
We work closely with the private sector in identifying
those vulnerabilities. Once we do, in every case, the asset
owners and operators have taken necessary and proactive steps
to close or mitigate those vulnerabilities by actually
incorporating new procedures or new technology to mitigate that
risk. The private sector has been very responsive in complying
with those requirements and those necessary risk mitigation
strategies.
Ms. Clarke. So in speaking with the sector now that that
has been identified, has there been a new terminology that is
utilized? Because I mean I am just trying to think of the
mindset that would believe that, you know, they have got this
air gapped situation in place and not really acknowledging the
vulnerability that exists because of the connection. Has there
been a change in thought from your perspective in working with
the sector?
Mr. McGurk. In each case, in several sectors that we have
worked with and many of the sectors are being proactive about
it, they are focusing on trusted connections, as opposed to no
connections. People recognize that there is a need for the
connections, but they must be trusted connections. There are a
number of industry and Federally identified standards which
focus on increasing that level of security and that level of
trust.
So, yes, ma'am, they are certainly taking those necessary
steps.
Ms. Clarke. Wonderful.
Mr. Cauley, it is good to see you again; and thank you for
participating in the Electric Infrastructure Security Summit on
Tuesday. Your contributions were very valuable, and your
presence here today is very important as well.
I want to follow up with you on the question I just asked
Mr. McGurk. Do you recommend that critical control systems be
air gapped? What are some of the recommended or required
approaches? How are you ensuring that the electric sector
companies are putting them in place? I think this sort of goes
to Ms. Carlin's point with respect to the financial sector. It
is the utilities that I think we are all relying on as part of
an ecosystem, if you will.
Mr. Cauley. Ranking Member Clarke, I think you have really
hit on a really critical issue. The challenge is the power
system, if you look at it from the bulk power all the way down
to the meter, is everywhere. There are hundreds of thousands of
substations. We are distributed on down every street and every
corner. So the concept of air gapping the power system is
really a conceptual one, and I think it has merit, and we are
looking at it.
I agree with most of the comments of Mr. McGurk. I think
the awareness of the industry has improved. There have been
efforts. You have vendors or employees who can dial in remotely
and access equipment to do maintenance and special tasks.
The number of those ports have been reduced. The number of
interfaces between the control systems and the business systems
have been reduced. I think there is a general awareness. But to
say we could air gap the power system is really challenging
just because of the hundreds of thousands of locations and
computers and equipment. So I think we have to challenge
ourselves.
Also, there is an enormous dependency between operating the
power grid and the communications that underlie it. Many of the
companies depend on telecom companies, phone companies for the
wires that connect the communications between the power grid
stations. So it is an important issue.
Can we get to an air-gapable power system or an electric
system? I think we are a ways away from that. Right now, we are
prioritizing on critical assets and making sure they are
firewalled and protected and that we have proper protocols.
I think the issue of one-way data communications is new. We
are pressing to get that more widely used in the industry.
Thank you.
Ms. Clarke. Thank you, Mr. Chairman.
Mr. Lungren. Mr. McCaul from Texas is recognized for 5
minutes.
Mr. McCaul. Thank you, Mr. Chairman.
I am not Mr. King. I just wanted to see what it felt like
to be King for a day. I hope Pete is not watching this hearing.
It feels good.
Let me thank the witnesses for being here.
We have had hearings on the dot-mil and the dot-gov; and
today's hearing, in my judgment, is on the dot-coms and how do
we protect the private sector that controls a majority of the
critical infrastructures? What can the Government do and what
can we do in Congress in terms of the legislation? I think
there is some legislation out there--our first credo should be
to do no harm. I think sometimes we legislate, and there is a
law of unintended consequences, and I will get to that in a
minute.
I remember working at the Justice Department, with the FBI,
and then the ISACs came around, and they have been around for
about a decade. We are still not there, in my judgment, with
the ISACs in terms of full--Dr. Amoroso, as you mentioned--full
real-time information sharing.
You made a comment that I wanted to follow up on that,
thought it was real interesting, that you need a team of
lawyers to talk to the Government. I know there is a FOIA
exemption for critical infrastructure sharing, but I don't know
if that is always applied or if that exemption always attaches
to that information sharing. But could you elaborate, Doctor,
on that point that you made?
Mr. Amoroso. This is a concept I know you are aware of,
signature. So somebody figures out that there might be an
attack, and if you look for this particular file or this
command or some little tip that would help either an operator
or a government or anybody figure out that this attack is going
on, it is sort of the currency that we all work in. That is how
we tip each other off in cybersecurity. We provide signatures.
For the Government to provide a signature to a carrier that
we would then embed into our services to protect customers and
so on and so forth, there is a tremendous lack of clarity
around whether that is legal or not or whether we would be
operating as an agent of the Federal Government or whomever.
As I sort of joked, if I am wandering around a hacker
conference and somebody gives me the same information, not in
Government, some hacker dude with a Grateful Dead t-shirt on or
something, I pop it right into our infrastructure and
everything works great. So that lack of clarity, it really
points to the fact that, depending on which attorneys you are
talking to or which person, some might say, oh, no, no, no, no,
you can't do that. Others would say, no way can you do that. I
work for a very conservative firm, so we are going to err on
the side of not doing it. So we need clarity there.
Mr. McCaul. That is an interesting point. Mr. McGurk, how
can we fix that? What would you propose? I assume we are going
to be legislating cyber out of this committee, subcommittee.
What would you propose?
Mr. McGurk. Yes, sir. Actually, we are currently sharing
that information with our private-sector partners but not
insofar as signatures. Because, going back a bit, a signature
is specific to whatever box--to use the analogy--that you
pulled off the shelf at Staples. It may be system-specific or
product-specific.
So what we can share and derive are the smaller part of
that called indicators, and we publish those indicators
routinely. Those indicators can then be taken by the technical
representatives of each of the facilities or firms and generate
those signatures that then are specific to those pieces of
equipment. So we are currently doing that.
In fact, in light of the recent situation with the two-
factor authentication issue, we produced about 26 indicators
that asset owners and operators could then load into their
systems to look for malicious activity. So it is a very complex
but multi-pronged approach that we are taking to provide
actionable intelligence to the community.
Mr. McCaul. I agree with Dr. Amoroso. I think clarity would
be helpful, whether that comes through legislation or through
policy within the Executive branch.
But, lastly, just to throw out there, how do we incentivize
the private sector to harden its networks? AT&T, certainly you
guys are ahead of the curve, but a lot of companies aren't.
There is the Senate bill which is very comprehensive. It has
DHS regulating the industry. I personally don't agree with that
legislation. But how can we incentivize the private sector to
harden their networks?
Mr. McGurk. Sir, I believe a comment was made earlier that
we can lead by example, and that is one of the areas that we
are really looking to focus on both at the National and at the
Federal and international level, is how can we provide
guidelines and steps? The Department actually publishes and
updates on a quarterly basis procurement standards for asset
owners and operators that are buying new technology or
incorporating new pieces of equipment. In addition, we write a
comprehensive guide for standards developers so that they
understand what the market is driving as far as requirements.
So by providing that and also identifying best practices
through either Federal standards or industry adopted standards,
we can identify what a network topology can and may look like
to increase security.
But, again, it is more descriptive in nature, not
proscriptive. Because no one network or network configuration
is going to operate--an automobile manufacturing plant, a
chemical processing facility, or a nuclear power plant, they
are all unique and different, which is why we have to take a
very sector-specific approach.
Mr. McCaul. That is a good point.
I yield back.
Mr. Lungren. The gentlelady from California, Ms.
Richardson, is recognized for 5 minutes.
Ms. Richardson. Thank you, Mr. Chairman.
I have got five questions, so hopefully we can get through
them pretty quickly.
Mr. McGurk, what would you rate as the rating for DHS when
you hosted your Cyber Storm III exercise?
Mr. McGurk. As far as an opportunity to learn and to
explore, I would say it was probably, on a scale of 1 to 10,
about a 7. Because we had a very large play this time with both
of our State partners, private-sector partners, and
international partners. We learned a lot of important lessons,
and this was actually the first time we got to exercise the
National cyber incident response plan and execute it in
accordance with the system and the NCCIC. So it really helped
us out.
Ms. Richardson. Have you briefed this committee on that
yet?
Mr. McGurk. I don't believe so, ma'am, but I would have to
check with our team back at headquarters.
Ms. Richardson. If not, if you would work with Mr. Lungren
and with our staff and hopefully maybe we could get some
further information on it.
No. 2, do you think the NCCIC, which is your organization,
should be voluntary with the private sector?
Mr. McGurk. It is currently voluntary with the private
sector, ma'am. We have----
Ms. Richardson. I said, do you think it should be
voluntary? Or should it be mandatory?
Mr. McGurk. I am not really sure what you mean by voluntary
versus mandatory. As far as participation, we open it up to the
broad sectors. Each of the sectors have the potential of being
represented, but the products that we produce and the
information that we share goes to the broad community. So we do
not restrict it in any way.
Ms. Richardson. No. What I mean is, the private sector--
let's take, for example, AT&T. Although it is a private
company, you know, has its own business, it is still providing
a very important service that we, as the American public,
expect to be able to use our phones in the event of an
emergency. I am saying, has there been a discussion ever that
maybe your role would need to be a mandatory or a more formal
relationship versus voluntary involvement?
Mr. McGurk. No, ma'am. At the present, we are not looking
at that particular type of involvement. AT&T has been
represented in the National Coordination Center for
Telecommunications since its inception as well as the NCCIC
since October, 2009. So they have been a direct partner with us
since the beginning of the organization.
Ms. Richardson. Are there any industries that you have felt
you needed to work with that you currently don't really have
the authority and the ability to do so?
Mr. McGurk. No, ma'am. Each of the sectors have been very
responsive and receptive to coordinating, sharing information,
and receiving information from the Department.
Ms. Richardson. Okay. Within your voluntary public-private
partnerships, how many would you say are corporation size, mid-
size, small business, if you could give a percentage of who you
work with.
Mr. McGurk. It is actually very broad. We work with Fortune
One companies, the large carriers, and the large manufacturing
facilities here in the United States, all the way down to small
companies which employ only seven employees.
Ms. Richardson. But of those that you work with, what would
you say would the percentage be? So would you say corporations,
you spend 50 percent of your time and small business 10
percent? What is kind of a percentage?
Mr. McGurk. It is more of a broad range. I would say that
we spend 100 percent of our time within each of the sectors
focusing on, from the small community up to the large
community. In the case of developing mitigation strategies and
plans, we are looking more for the subject matter expertise,
not necessarily at what level they reside. So we do try to
focus across the board a very broad spectrum.
Ms. Richardson. Okay. How many approximately in your
private sector have you worked with, approximately? One
thousand? Two thousand?
Mr. McGurk. It is very hard to quantify, ma'am. I would
have to get back with you on that type of number.
During the last mitigation development process, we had over
50 companies from six sectors represented full time working on
mitigation plans.
Ms. Richardson. Okay, so if you could supply to the
committee the different levels that you worked with and
approximately how many. So, for example, of corporations, if
out of the 2,000 you have worked with, 1,500 are major Fortune
500 companies, then say that. If 10 percent are small business,
say that.
Mr. McGurk. Yes, ma'am.
Ms. Richardson. My last question. In the event of a
cyberattack, who is in charge?
Mr. McGurk. In the event of a cyberattack, ma'am, the
President is in charge. The President has designated the
Secretary of Homeland Security as the senior Federal official
for incident response and incident coordination.
Ms. Richardson. Do you believe that is understood with the
Pentagon and NSA and so on?
Mr. McGurk. I believe that the Pentagon and NSA understand
that the President is in charge.
Ms. Richardson. If something were to happen in the private
sector, what would be the response?
Mr. McGurk. The response, in accordance with the National
Cyber Incident Response Plan, would be a coordination effort on
the part of the Department, working with those private-sector
entities or those individual companies to mitigate the risk and
prevent it from cascading into other areas.
Ms. Richardson. Thank you very much.
Mr. McGurk. Thank you, ma'am.
Ms. Richardson. I yield back.
Mr. Lungren. Thank you.
The gentleman from Pennsylvania is recognized for 5
minutes.
Mr. Marino. Thank you, Mr. Chairman.
I have a question for each of you. I have 5 minutes, so we
have about a minute and 15 seconds for each, so I will start
with Dr. Amoroso.
Can we really stay ahead of the criminals?
Mr. Amoroso. Well, historically, we haven't, and we
probably should assume that we won't. I mean, it makes sense to
take a pretty conservative view as we build out our protection
approaches. So I think the answer to that is ``no.''
Mr. Marino. Because they are going to have the information
that--even if the Government puts out there that the citizens
are aware of, and they are always trying to manipulate and
massage that. So we have to come up with a system whereby we
try to step ahead of them, if that is possible.
Mr. Amoroso. Right.
Mr. Marino. Attorney Carlin, I am an attorney, too. I was a
prosecutor for 18 years. So I know, as the doctor said, once
you get some attorneys involved, particularly at the
bureaucratic level, it can be a real catastrophe. But what
legal issues do you think we face from a liability standpoint
if the Government gets involved and, for example, mandates?
Ms. Carlin. First, I am a reformed lawyer. So I am not
actively practicing, but I am in inactive status.
I think there are plenty of legal and policy issues that
have not been sorted through, and I think that is part of what
we would contemplate, including in this information-sharing
protocol or framework exercise, including, quite obviously,
privacy issues.
A couple of points, just to add them to your consideration.
One is, when we talk about information sharing, we mean
that bilaterally. So there is an equivalent interest on the
part of Government in having private industry disclose events
as they are happening in our respective companies as there is
on the part of private industry in having the Government
disclose when they are, frankly, working on something that we
may not be aware of.
The emphasis that I have placed on contextual information I
think is part of the secret sauce of being more proactive on a
going-forward basis. The signatures, the technical information
is obviously critical to shutting down that board, that
opportunity for malicious behavior. But the context is what
allows us to plan for the next attack.
It is not that the same person will do it in the same way,
attacking the same server. It is extrapolating from the
experience that we have had to contemplate other comparable
vulnerabilities and to get ahead in that way by shutting them
down.
Mr. Marino. All right. Thank you.
If you haven't noticed, I am taking advantage of your
educational backgrounds. Mr. Cauley, you have an MBA. Does a
company or the Government, for that matter, balance the
implementation, the cost to the risk before making any
decision?
Mr. Cauley. Thank you for the question. I am really an
engineer, but the MBA was incidental.
We really strive to do that both at NERC, as the industry
organization, as well as across the industry to assess risk
priorities. We deal with hurricanes and other natural disasters
as well as these emerging new risks. So it is always a
challenge to make the greatest value of the customers', the
rate payers' investment in reliability and a reliable supply of
electricity.
So I think cost is always a consideration, and I think
maximizing value against the risks that we are facing is always
something that we are looking at.
Mr. Marino. Okay. Thank you.
Mr. McGurk, taking advantage of your psychology background,
can we really persuade the public in business and, for that
matter, as a last resort, the Government to take the steps
necessary to effectuating protection against ourselves? What do
we need to do to persuade people like myself, not only the
computer in my home but the computer in my office and the small
business that my wife has?
Mr. McGurk. Thank you for the question, sir.
I would like to also add on to what Mr. Cauley had said, is
that when we are evaluating risk--and in the Department we
define risk as threat, vulnerability, and consequence--each of
those variables is relevant. Then you need to divide that over
cost. So we have to identify where can we get the most benefit
or the most gain by addressing the vulnerabilities, the
threats, or the consequences.
So making it actionable for the asset owners and operators
of the general public and making it understandable, taking all
the ones and zeros out and putting it in a language that people
can readily understand, helps us convey that message. Getting
away from the geek speak and getting into the real speak is
what our primary focus is.
Mr. Marino. Good. Thank you.
I yield.
Mr. Lungren. The other gentleman from Pennsylvania, Mr.
Meehan, is recognized for 5 minutes.
Mr. Meehan. Thank you, Mr. Chairman.
I want to thank the panel for their testimony. I apologize,
because of the nature of our work, we aren't always able to be
here for the full time. But I did take the time to read each of
your written testimonies last night. As a former prosecutor,
United States Attorney, I am very interested in these issues.
Let me just ask, stepping back, because, Mr. Amoroso, I was
struck by some of your comments. In our effort to try to assure
that both the private sector and the Government are working
together in this area of assuring cybersecurity, you know, you
have some testimony that says the initiatives don't take full
advantage of the portfolio of managed services offered by many
private-sector network service providers. You were discussing
the Federal Government.
Just the panel, in essence, we have the National
Infrastructure Protection Plan. It was put in place to pull the
Federal Government together with the private sector to use all
of our assets to try to do, you know, protect this
infrastructure. What should we be doing? Is it working? What is
not working?
Mr. Amoroso, I want to ask you specifically because you
made this note. If other panelists in my remaining 3 minutes
and 40 seconds have observations, I would like to hear from you
as well.
Mr. Amoroso. Well, most of the ideas are great. It is just
the technology and infrastructure changes so quickly that it is
hard to keep up.
For example, we talk about air gap. My company is in the
business of using the air to connect systems. So it is almost--
it doesn't make a lot of sense to even talk architecturally
about something that made a lot of sense 10 years ago. I spent
a lot of time trying to air gap systems in AT&T. We used to
have two jacks in the wall; and, depending on what network you
were on, you would sort of air gap between this and that.
In 2011, that makes no sense. Equipment comes built in with
3G, 4G connectivity. You have to change all the assumptions.
So the problem is, private sector, you know, through
competition and through mobility and cloud and all these
exciting things that we use to try to generate interest amongst
customers to buy our services, we are moving at a rate that is
almost impossible to keep up with from the perspective of kind
of the way we legislate and regulate. It takes a long time to
debate these issues. By the time you have debated and come to
some agreement on something it is largely irrelevant. So we
really have to come to a different approach.
Mr. Meehan. Well, how do you do that? How do you police
that? Because, in essence, you are right. The technology is
always going to be ahead. The only thing is that the cyber
sleuths are trying to catch up with the technology. That may be
that you are one step ahead, but, as Mr. Marino pointed out,
there is a lot of people that are still using simplistic
systems that are being victimized as well.
Mr. Amoroso. It is tricky. You have to build forward-
looking constructs and then let them work the way you set them
up to work without sort of worrying about every little thing.
Every day-to-day detail has to be allowed to track technology
growth and innovation.
So, you know, the comment I made earlier about signatures,
you know, the fact that anytime some information sharing is
posed, at least in our company, there is a big debate about
each and every situation. I think what we need is a broader
framework that allows us a little bit more leeway so that if
technology goes in this direction or that direction or
whatever, the framework would be broad enough to allow us to be
flexible. I think we have been too inflexible in that regard.
Mr. Meehan. Thank you.
Ms. Carlin, did you have a thought?
Ms. Carlin. I just wanted to add one comment. I am not a
native technologist, by the way, so maybe it gives me a
different perspective.
I don't think it is all about technology and sort of trying
to keep apace with the criminal and the nation state elements
and such. I think there is a large component that relates to
behavior and practices, and I will give you one quick example.
As we have seen in all these incidents, the criminals are
increasingly targeting what we might call target-rich
environments. You see that in all kinds of respects. You see it
at the exchange level. You saw it in the RSA incident. You see
it in Epsilon. Why Epsilon? Because it was a warehouse of all
of these other connections and such.
So on the practices level, there are many opportunities for
improvement, and I will share one with you. We have privileged
users--so-called privileged users in our environment who are
often IT administrators who have much broader access to data
and applications than the average employee would have. We have
significantly tightened standards around behavior by IT
administrators, how they access the network, how they change
their passwords, how frequently, password sharing. I could give
you a litany of practices.
So I think let's not put all of our eggs in the--we need
the new-age technology. That is part of it.
Mr. Meehan. Thank you, Mr. Chairman.
Mr. Lungren. Thank you.
I want to thank the witnesses. The reason why we were able
to stay here this long is they changed the votes on the floor,
and now we have a series of votes. So I thank you for being
with us, and we were able to get through the panel and not have
to keep you here in suspense.
One of the things I would just ask is that I hope that you
would continue to work with us. We don't, obviously, have all
the answers. We have got some of the questions. We probably
don't have all the questions. Perhaps the overarching question
we have is: How do we make it work better? That is, the
Government/private-sector partnership. It is a continuing
question that is going to bedevil us, but we need to look at it
and work with it, and you folks have helped us today. But I
hope we could ask you to help us in the future as well.
We thank you very much for your testimony. It has been
very, very helpful. There may be some questions offered by some
of the Members of the panel in writing to you; and if that is
done, we would hope that you would respond to that to help us.
Again, your full statements are made a part of the record.
We thank you for being with us, and this hearing is
adjourned.
[Whereupon, at 11:16 a.m., the subcommittee was adjourned.]
�