b"<html>\n<title>EXAMINING THE HOMELAND SECURITY IMPACT OF THE OBAMA ADMINISTRATION'S CYBERSECURITY PROPOSAL</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n EXAMINING THE HOMELAND SECURITY IMPACT OF THE OBAMA ADMINISTRATION'S \n                         CYBERSECURITY PROPOSAL\n\n=======================================================================\n\n\n                                HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n\n                       INFRASTRUCTURE PROTECTION,\n\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 24, 2011\n\n                               __________\n\n                           Serial No. 112-33\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n72-253                    WASHINGTON : 2012\n---------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Peter T. 
King, New York, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nDaniel E. Lungren, California        Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nMichael T. McCaul, Texas             Henry Cuellar, Texas\nGus M. Bilirakis, Florida            Yvette D. Clarke, New York\nPaul C. Broun, Georgia               Laura Richardson, California\nCandice S. Miller, Michigan          Danny K. Davis, Illinois\nTim Walberg, Michigan                Brian Higgins, New York\nChip Cravaack, Minnesota             Jackie Speier, California\nJoe Walsh, Illinois                  Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         Hansen Clarke, Michigan\nBen Quayle, Arizona                  William R. Keating, Massachusetts\nScott Rigell, Virginia               Kathleen C. Hochul, New York\nBilly Long, Missouri                 Vacancy\nJeff Duncan, South Carolina\nTom Marino, Pennsylvania\nBlake Farenthold, Texas\nMo Brooks, Alabama\n            Michael J. Russell, Staff Director/Chief Counsel\n               Kerry Ann Watkins, Senior Policy Director\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                Daniel E. Lungren, California, Chairman\nMichael T. McCaul, Texas             Yvette D. Clarke, New York\nTim Walberg, Michigan, Vice Chair    Laura Richardson, California\nPatrick Meehan, Pennsylvania         Cedric L. Richmond, Louisiana\nBilly Long, Missouri                 William R. Keating, Massachusetts\nTom Marino, Pennsylvania             Bennie G. Thompson, Mississippi \nPeter T. King, New York (Ex              (Ex Officio)\n    Officio)\n                    Coley C. 
O'Brien, Staff Director\n                    Alan Carroll, Subcommittee Clerk\n        Chris Schepis, Minority Senior Professional Staff Member\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies...................................................     1\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Oral Statement.................................................     3\n  Prepared Statement.............................................     4\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Oral Statement.................................................     4\n  Prepared Statement.............................................     5\n\n                               Witnesses\n\nMs. Melissa E. Hathaway, President, Hathaway Global Strategies, \n  LLC:\n  Oral Statement.................................................     8\n  Prepared Statement.............................................    10\nMr. Gregory E. Shannon, Chief Scientist for Computer Emergency \n  Readiness Team (CERT), Software Engineering Institute, Carnegie \n  Mellon University:\n  Oral Statement.................................................    17\n  Prepared Statement.............................................    18\nMr. 
Leigh Williams, President, BITS, The Financial Services \n  Roundtable:\n  Oral Statement.................................................    21\n  Prepared Statement.............................................    23\nMr. Larry Clinton, President, Internet Security Alliance:\n  Oral Statement.................................................    28\n  Prepared Statement.............................................    30\n\n                             For the Record\n\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Statement of the American Chemistry Council....................     6\n\n                                Appendix\n\nQuestions From Chairman Daniel E. Lungren for Melissa Hathaway...    57\nQuestions From Chairman Daniel E. Lungren for Gregory E. Shannon.    61\nQuestions From Chairman Daniel E. Lungren for Leigh Williams.....    64\nQuestions From Chairman Daniel E. Lungren for Larry Clinton......    65\n\n\n EXAMINING THE HOMELAND SECURITY IMPACT OF THE OBAMA ADMINISTRATION'S \n                         CYBERSECURITY PROPOSAL\n\n                              ----------                              \n\n\n                         Friday, June 24, 2011\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:05 a.m., in \nRoom 311, Cannon House Office Building, Hon. Daniel E. Lungren \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Lungren, McCaul, Walberg, Long, \nMarino, Clarke, Richardson, Richmond, and Keating.\n    Mr. Lungren. 
With the concurrence of the Ranking Member of \nthe full committee, the Subcommittee on Cybersecurity, \nInfrastructure Protection, and Security Technology will come to \norder.\n    The subcommittee is meeting today to examine the homeland \nsecurity impact of the administration's cybersecurity proposal.\n    I would just say at the outset, we have a vote, I guess a \nsingle vote, scheduled at about 10:15, so we will have to go \nover there and then come back. We are going to try and get our \nopening statements in so that we can proceed directly with our \nwitnesses as soon as we get back from the vote.\n    I recognize myself for an opening statement.\n    We are meeting today to examine the impact of the \nadministration's cybersecurity proposal on the Department of \nHomeland Security. The proposal touches on a number of issues, \nsuch as increasing the penalty for hacking, putting in place a \ncomprehensive regime around the issue of large-scale breaches \nof personally identifiable information, regulating the \ncybersecurity of the private-sector critical infrastructure \nowners and operators, and providing needed clarity on the \ncybersecurity mission of the Department of Homeland Security.\n    While I may differ on certain elements of their proposal, I \nam pleased the administration has provided thoughtful inputs to \nCongress to help us craft an effective National cybersecurity \npolicy. That being said, I believe this proposal is not the end \nof our effort but the beginning of a much-needed debate on how \nwe, as a Nation, will address these dynamic cybersecurity \nthreats in the future.\n    With the growing number of computer network cyber \nintrusions and attacks being reported in the media, the need \nfor strengthening cybersecurity is obviously more evident every \nday. The status quo is not acceptable. 
The internet and our \ndigital society provide our adversaries multiple attack \navenues.\n    We must continue to innovate and to build a culture of \ncybersecurity. We must also find a way to incentivize critical \ninfrastructure owners and operators to build security into \ntheir business model. Although our Nation faces a difficult \nfiscal environment, securing our critical infrastructure assets \ncannot be ignored.\n    We must be creative and develop ways to improve the return \non our security investments. Developing the right liability \nsafe harbors for growing a more robust and mature cyber \ninsurance market won't happen by itself, particularly in this \neconomic downturn. We must tap the talent of the private sector \nto develop the appropriate ways and means to improve the \ncybersecurity economic equation. The cost if we don't secure \nour critical infrastructure and our business networks and data \nwill be far greater.\n    I thank all of our witnesses for their appearances today. \nThis is the third in our series of hearings on the cyber threat \nto critical infrastructure.\n    The administration's proposal outlines their cybersecurity \nvision, and I, frankly, thank them for it. It will help inform \nour efforts to develop legislation to better secure our \ncritical infrastructure and Government networks. I am eager to \nhear how the proposed language would impact those in the \nprivate sector, how it would increase the authority of the \nDepartment of Homeland Security, and how it positions the \nDepartment of Homeland Security to be the focal point of our \ncybersecurity in the civilian government.\n    I believe the Department is the appropriate place within \nthe Government to take responsibility for our cybersecurity \noperations and establish policies and priorities for protecting \nour civilian departments and agencies. 
I think having the \nGovernment lead by example is critically important.\n    As Chairman of the House Committee on Administration, I \nhave the cybersecurity responsibility for the House of \nRepresentatives. I take that responsibility very seriously and \nam proud of the job that the CIO and his team have done. Having \nDHS lead by example is critically important, as I mentioned.\n    We are going to hear from Dr. Greg Shannon this morning \nabout the future of incident response operations. Carnegie \nMellon CERT has long been recognized for its excellence in \ncomputer emergency response, and I am hopeful that their \nexperience will help DHS build a world-class computer instant \nresponse capability.\n    I am also honored to have Melissa Hathaway, the former \ncybersecurity advisor to both President Bush and President \nObama, here to discuss the administration's proposal. She was \nthe director of President Bush's Comprehensive National \nCybersecurity Initiative. Additionally, as primary author of \nthis administration's 60-Day Cyberspace Policy Review, she is \nin a unique position to share with us her expertise and \nperspective on improving the overall cybersecurity enterprise \nacross Government--in particular, how the Government can best \ninteract with private-sector critical infrastructure owners and \noperators.\n    I applaud the administration for coming forward with a \nproposal. They have, I think, some of the answers. I don't \nthink they believe, nor do I believe, that any one of us has \nall of the answers. But, together, we can certainly forge ahead \nto improve from where we are now.\n    As I mentioned, we have had a vote called. Interesting, we \nhave a little TV screen up here which shows what is going on, \nbut they have managed to put it in mirror fashion so it is \nreverse of what it says. But I do believe that means we have 11 \nminutes left. 
Somebody has invaded our little system here.\n    But I would like to recognize the Ranking Member from New \nYork, Ms. Clarke, for her opening statement.\n    Ms. Clarke. Thank you very much, Mr. Chairman, Ranking \nMember Thompson, my colleagues, and to the panelists this \nmorning.\n    We live in a world where it seems that everything relies on \ncomputers and the internet. The effective functioning of our \ncritical infrastructure from airports, financial systems, to \nwater systems, factories, the electric grid is highly dependent \non computer-based systems called control systems that are used \nto monitor and control sensitive processes and physical \nfunctions.\n    The danger of both unintentional and intentional cyber \nattack is real. The potential consequences for an attack on \ncontrol systems vary widely, from the introduction of raw \nsewage into potable water systems to the catastrophic failure \nof critical electrical generators due to the change of a single \nline of code in the critical system.\n    We have come to recognize that public-private partnerships \nare a key component of securing our Nation's computer-reliant \ncritical infrastructure. Private-sector involvement is crucial, \nas it collectively owns the vast majority of the Nation's cyber \ninfrastructure and is responsible for protecting its networks \nand systems from the growing threat of a cyber attack. \nEnhancing the public-private partnerships by developing an \nimproved value proposition and implementing better incentives, \namong other measures, will be essential to encouraging greater \nprivate-sector involvement.\n    Control systems are not the only computers subject to \nattack. Every day, thousands of attacks are launched against \nFederal and private networks by hackers, terrorist groups, \nnation-states attempting to access classified and unclassified \ninformation. 
The infiltration by foreign nationals of Federal \nGovernment networks is one of the most pressing issues \nconfronting our National security. Federal networks have been \nunder attack for years. These attacks have resulted in the loss \nof massive amounts of critical information, so many of these \nattacks are classified.\n    We all know that cybersecurity is a critical National \nsecurity issue, and this committee has taken the lead. My \nRanking Member, Mr. Thompson, reintroduced his cybersecurity \nbill from last year, H.R. 174, in January of this year and made \nsure it was referred to this subcommittee. The need to improve \nAmerica's cyber defense posture is clear, and the Homeland \nSecurity Committee has been arguing this point for a long time.\n    Now the President has come forward with a comprehensive \nstrategy and some legislative proposals about how it will \nprevent, detect, and respond to attacks on computer systems and \ninfrastructure. There have been many cyber-related bills in the \nlast session of Congress, and the Members of Congress wrote to \nthe President and asked for his input on cybersecurity \nlegislation. As part of the President's 2-year cyberspace \npolicy review, the White House has put forth a detailed and \ndetermined cybersecurity legislative proposal. I look forward \nto examining that proposal today.\n    I thank you for calling this hearing, Mr. Chairman, and I \nyield back the balance of my time.\n    [The statement of Ranking Member Clarke follows:]\n         Prepared Statement of Ranking Member Yvette D. 
Clarke\n                             June 24, 2011\n    We live in a world where it seems that everything relies on \ncomputers and the internet.\n    The effective functioning of our critical infrastructure--from \nairports, financial systems, to water systems, factories, the electric \ngrid--is highly dependent on computer-based systems called ``control \nsystems'' that are used to monitor and control sensitive processes and \nphysical functions.\n    The danger of both unintentional and intentional cyber attack is \nreal, and the potential consequences of an attack on control systems \nvary widely from the introduction of raw sewage into potable water \nsystems to the catastrophic failure of critical electrical generators \ndue to the change of a single line of code in a critical system.\n    We've come to recognize that public/private partnerships are a key \ncomponent of securing our Nation's computer-reliant critical \ninfrastructure. Private sector involvement is crucial, as it \ncollectively owns the vast majority of the Nation's cyber \ninfrastructure and is responsible for protecting its networks and \nsystems from the growing threat of a cyber attack.\n    Enhancing the public/private partnerships by developing an improved \nvalue proposition and implementing better incentives, among other \nmeasures, will be essential to encouraging greater private sector \ninvolvement.\n    Control systems are not the only computers subject to attack. 
Every \nday, thousands of attacks are launched against Federal and private \nnetworks by hackers, terrorist groups, and nation-states attempting to \naccess classified and unclassified information, and the infiltration by \nforeign nationals of Federal Government networks is one of the most \npressing issues confronting our National security.\n    Federal networks have been under attack for years; these attacks \nhave resulted in the loss of massive amounts of critical information, \nthough many of these attacks are classified.\n    We all know that cybersecurity is a critical National security \nissue, and this committee has taken the lead. My Ranking Member, Mr. \nThompson re-introduced his cybersecurity bill from last year, H.R. 174, \nin January of this year, and made sure it was referred to this \nsubcommittee. The need to improve America's cyber defense posture is \nclear, and the Homeland Security Committee has been arguing this point \nfor a long time.\n    Now, the President has come forward with a comprehensive strategy, \nand some legislative proposals, about how it will prevent, detect, and \nrespond to attacks on computer systems and infrastructure.\n    There have been many cyber-related bills in the last session of \nCongress, and Members of Congress wrote to the President and asked for \nhis input on cybersecurity legislation.\n    As part of the President's 2-year Cyberspace Policy Review, the \nWhite House has put forth a detailed and determined cybersecurity \nlegislative proposal.\n    I look forward to examining that proposal today, and thank you for \ncalling this hearing Mr. Chairman.\n\n    Mr. Lungren. I thank the gentlelady.\n    I now recognize the Ranking Member of the full committee, \nthe gentleman from Mississippi, Mr. Thompson, for any statement \nhe may have.\n    Mr. Thompson. Thank you very much, Mr. 
Chairman, for \nholding this hearing.\n    I welcome our witnesses also.\n    Being, as you have already indicated, that there is a vote \non the way, I will submit my opening statement for the record.\n    [The statement of Ranking Member Thompson follows:]\n        Prepared Statement of Ranking Member Bennie G. Thompson\n                             June 24, 2011\n    When President Obama released his Cyberspace Policy Review almost 2 \nyears ago, he declared that the ``cyber threat is one of the most \nserious economic and National security challenges we face . . .''.\n    I agree with him and I am pleased that his administration has taken \nsignificant steps to put forth a clear path to update our cybersecurity \nlaws.\n    I am also pleased we are examining the President's proposal here \ntoday.\n    This committee is the lead on cybersecurity in the House, as it \nshould be, and we have been examining this issue and calling for action \nsince our formation.\n    I re-introduced my cybersecurity bill, H.R. 174, in January of this \nyear with the continuing hope that it might get a hearing in this \ncommittee.\n    Frankly, the White House proposal we are examining today has used \nmany of the concepts I suggest in my legislation.\n    We are facing a National and global challenge on cybersecurity, and \nwe must be internationally engaged to make improvements.\n    Simply put, we must figure out how cyberspace is to be governed, \nand how it is to be secured. We know that decisions being made by \ninternational bodies that govern the internet do not necessarily \nreflect U.S. National interests.\n    Major corporations, financial firms, Government agencies, and \nallies have all been victims of cybersecurity breaches, and these are \njust the events we know about.\n    Classified military networks have been penetrated by foreign \nintelligence agencies, and from the perpetrators' perspective, no one \nhas ever been punished for any of these actions. 
This is not a record \nof success.\n    Since 1998, we have repeatedly tried a combination of information \nsharing, market-based approaches, public/private partnership, and self-\nregulation in an effort to strengthen our cyber defenses.\n    Hopefully, we are learning from the shortcomings of the past and \npreparing for future challenges.\n    Mr. Chairman, I look forward to today's examination of the \nPresident's proposal, and thank you for calling this hearing.\n\n    Mr. Lungren. I thank the gentleman for submitting his \nopening statement.\n    We will recess until we vote and complete the vote. I \nbelieve we just have one vote. So we will return immediately \nand begin with our witnesses.\n    With that, this subcommittee hearing is recessed.\n    [Recess.]\n    Mr. Lungren. The subcommittee will resume.\n    Other Members of the subcommittee are reminded that opening \nstatements may be submitted for the record.\n    We are pleased to have a distinguished panel of witnesses \nbefore us today on this most important topic.\n    Melissa Hathaway served in President Obama's \nadministration, 2009, where she coordinated the 60-Day \nCyberspace Policy Review. Following the report, she stood up \nthe Cybersecurity Office within the National security staff to \nconduct work based on the blueprint. Previously, she served \nunder President Bush as cyber coordinator executive and \ndirector of the Joint Interagency Cyber Task Force in the \nOffice of the Director of National Intelligence. Ms. Hathaway \npreviously worked as principal with Booz Allen & Hamilton; \ncurrently is a strategic consultant in the field of \ncybersecurity.\n    Mr. Greg Shannon is the chief scientist for the CERT \nprogram at Carnegie Mellon University Software Engineering \nInstitute, a Federally-funded research and development center. \nMr. 
Shannon has previously led applied research and development \nefforts in cybersecurity and data analysis at a number of \nprivate companies as well as the Los Alamos National \nLaboratory.\n    Leigh Williams has served as the president of BITS, the \ntechnical policy division of The Financial Services Roundtable, \nsince 2007, focusing on improving operational practices and \npublic policy in the financial sector. Previously, he was a \nsenior fellow at Harvard's Kennedy School of Government, \nresearching public- and private-sector collaboration in the \ngovernance of privacy and security. In addition, he has worked \nat Fidelity Investments, where he was the chief risk officer \nand chief privacy officer.\n    Then we have Mr. Larry Clinton, president and CEO of the \nInternet Security Alliance, a multi-sector industry group which \nwas created to integrate advanced technology with the needs of \nthe business community, leading to a secure internet. During \nhis tenure at the Internet Security Alliance, Mr. Clinton \ncreated the ``Cyber Security Social Contract.'' He has \npreviously worked as vice president of the USTelecom \nAssociation and as legislative director for our former \ncolleague Rick Boucher, who was the subcommittee chair on the \nEnergy and Commerce Committee with jurisdiction over \ntelecommunications and the internet.\n    We welcome all of you. We would ask you to try and stay \nwithin the 5 minutes. 
Your prepared written text will be made a \npart of the record.\n    Before you begin, I would just ask unanimous consent that a \nletter that we received from the American Chemistry Council in \nregard to the subject before this committee be made a part of \nthe record.\n    Without objection, it will be.\n    [The information follows:]\n              Statement of the American Chemistry Council\n                             June 24, 2011\n       acc members are a critical aspect of the nation's economy\n    The American Chemistry Council (ACC) represents the leading \ncompanies in the United States that produce the chemical products \nessential for everyday life. And the business of chemistry is a \ncritical aspect of our Nation's economy, employing more than 800,000 \nAmericans in good-paying, high-tech positions and producing 20% of the \nworld's chemical products.\n    More than 96% of all manufactured goods are directly touched by the \nbusiness of chemistry. The chemical industry provides vital products \nand materials that help improve our standard of living, advance green \nenergy objectives and protect the health and welfare of all Americans. \nOur industry produces critical components used in lifesaving \nmedications, medical devices, body armor for our armed forces and law \nenforcement, energy-efficient light-weight components for vehicles that \nimprove gas mileage, energy-saving building materials, and the durable, \nlight-weight wind turbine blades that help generate green energy that \ncreates jobs while protecting the environment.\n   cybersecurity is a top priority for acc and the chemical industry\n    Because of our critical role in the economy and our responsibility \nto our communities, security continues to be a top priority for ACC \nmembers. In 2001, our members voluntarily adopted an aggressive \nsecurity program that became the Responsible Care® Security Code \n(RCSC). 
Responsible Care implementation is mandatory for all members of \nthe ACC and is regularly reviewed by independent, credentialed third-\nparty auditors. The RCSC is a comprehensive security program that \naddresses physical and cybersecurity risks. The Security Code requires \na comprehensive assessment of its cybersecurity vulnerabilities and \nimplementation of appropriate protective measures throughout a \ncompany's supply chain. The RCSC has been a model for State-level \nchemical security regulatory programs in New Jersey, New York, and \nMaryland and was deemed equivalent to the U.S. Coast Guard's Maritime \nTransportation Security Act (MTSA).\n    The Security Code covers the crucial area of cyber and information \nsecurity, and we were gratified that in 2009 the Obama administration \nmade cybersecurity a top priority. Along with physical security, ACC \nmembers began actively addressing cybersecurity issues before and after \nthe attacks of September 11, 2001. Cyber experts from member companies \nalso work closely with the DHS National Cyber Security Division (NCSD) \nin many areas including: National Cyber Storm exercises, information \nsharing programs, and development of the Roadmap to Control Systems \nSecurity for the Chemical Sector. A 2009 Program Update can be found on \nthe Obama administration's website--``Making Strides to Improve Cyber \nSecurity in the Chemical Sector.''\n    Security in all its dimensions continues to be a top priority for \nthe ACC and the chemical industry, and we're proud of our record of \naccomplishment and cooperation on cybersecurity with Congress, DHS, and \nothers.\n  the chemical industry complies with tough cybersecurity regulations\n    On April 9, 2007 the U.S. Department of Homeland Security published \nthe ``Chemical Facilities Anti-terrorism Standards'' (CFATS) regulatory \nprogram. 
This comprehensive Federal regulatory program requires high-\nrisk chemical facilities to register with DHS, conduct a thorough site \nsecurity assessment and implement protective measures that comply with \n18 risk-based performance standards (RBPS).\n    In particular, RBPS No. 8 establishes performance standards for \ncybersecurity that must be implemented by each covered facility. RBPS \nNo. 8 requires facilities to deter cyber sabotage and prevent \nunauthorized access to critical process control systems including \nSupervisory Control and Data Acquisition (SCADA) systems, Distributed \nControl Systems (DCSs), Process Control Systems (PCSs), Industrial \nControl Systems (ICSs) and other sensitive computerized systems. To do \nthis, RBPS No. 8 requires a combination of policies and practices that \nhigh-risk chemical facilities must address to effectively secure a \nfacility's cyber systems from attack or manipulation including:\n    (1) security policy,\n    (2) access control,\n    (3) personnel security,\n    (4) awareness and training,\n    (5) monitoring and incident response,\n    (6) disaster recovery and business continuity,\n    (7) system development and acquisition,\n    (8) configuration management, and\n    (9) audits.\n    In addition, CFATS specifies critical cyber systems that may \nrequire certain enhanced security activities including those that \nmonitor and/or control physical processes that contain a chemical of \ninterest (COI); those that are connected to other systems that manage \nphysical processes that contain a COI; or those that contain business \nor personal information that, if exploited, could result in the theft, \ndiversion, or sabotage of a COI.\n        acc recommendations for effective cybersecurity policies\n    ACC and its members support comprehensive cybersecurity legislation \nthat promotes effective collaboration between the chemical industry and \nthe Department of Homeland Security and ensures that robust 
\ncybersecurity practices are implemented across the chemical supply \nchain, while maintaining the free flow of commerce.\n    To do this ACC recommends the following:\n  <bullet> Create cybersecurity standards that are prioritized based on \n        risk and focused at protecting critical systems that if \n        compromised would truly pose a significant threat to National \n        security, public safety or the National economy. Cybersecurity \n        legislation should establish performance standards to allow for \n        flexibility in their application so that chemical industry \n        entities can use appropriate measures that fit their unique \n        circumstances while ensuring the security of their critical \n        systems. The standards should take advantage of the incredible \n        wealth of knowledge embodied in the international cybersecurity \n        standards community.\n  <bullet> Establish a public/private partnership to effectively share \n        information that is timely, specific, and actionable and is \n        properly protected from public disclosure. Such a partnership \n        will vastly improve the flow of information and ideas to help \n        quickly identify threats and vulnerabilities. Such an approach \n        will also generate flexible solutions that protect critical \n        cyber systems that operate complex process controls, contain \n        valuable intellectual property and trade secrets and personal \n        information on employees, customers, and suppliers. To help \n        promote the flow of information, information voluntarily \n        provided by the private sector should be adequately protected \n        from public disclosure including Freedom of Information Act \n        requests.\n  <bullet> Provide limited liability protection for the private sector \n        as a result of a cyber-attack, so long as recognized \n        technologies have been applied to address potential threats. 
        In order to promote the more rapid penetration of state-of-the-art
        emerging technologies to protect against cyber threats, the
        Government should hold technology users harmless from damages
        resulting from cyber-attacks on their IT and control systems,
        so long as recognized technologies have been applied to address
        potential threats. For example, the liability protections
        provided by the Safety Act are appropriate to consider. This
        will in turn provide the private sector better access to more
        advanced and affordable end products that are as safe and secure
        as possible.
  <bullet> Strengthen U.S. laws against cybercrimes and aggressively
        prosecute cyber criminals and promote international
        cooperation. U.S. laws should be updated and strengthened to
        protect critical infrastructure from cyber-attacks and hold
        those accountable for perpetrating said acts that are intended
        to cause harm to critical infrastructure operating systems,
        steal intellectual property and trade secrets, or obtain
        personal information for financial gain.
  <bullet> Consider the borderless nature of the international cyber
        community and the challenges that it presents. The U.S. Federal
        Government should develop strong National and international
        partnerships to work together in identifying international
        threats, investigate cyber-crimes, and vigorously prosecute
        cyber criminals. The American chemical industry is one of the
        most creative and effective manufacturing enterprises in the
        world. However, with the advent of the Advanced Persistent
        Threat (APT), international cyber criminals are attempting to
        steal our intellectual property with little risk of getting
        caught. Successful APTs could compromise our industry's ability
        to compete in the global market place. Without a focused
        strategy to address this issue, the private sector will
        continue to fight an uphill battle. ACC encourages the Federal
        Government to include this issue as a central component of its
        strategy and strengthen our fight against international cyber
        theft of intellectual property.
                               conclusion
    We agree that our shared priority is to enhance cybersecurity
across the chemical supply chain Nation-wide. ACC looks forward to a
productive debate on cybersecurity legislation that protects our
critical information infrastructure while promoting effective and
efficient commerce that will continue to strengthen our economy.
    The members of ACC and the chemical industry are committed to
safeguarding America's chemical facilities and the cyber systems that
enable their efficient and effective operations. It is in this spirit
that we offer our assistance to work with the DHS and Members of
Congress in support of this shared goal.

    Mr. Lungren. Ms. Hathaway.

 STATEMENT OF MELISSA E. HATHAWAY, PRESIDENT, HATHAWAY GLOBAL
                        STRATEGIES, LLC

    Ms. Hathaway. Thank you, Chairman Lungren, Ranking Member
Clarke, Members of the committee, for the opportunity to
testify on cybersecurity and its importance to homeland
security.
    I am appearing today solely in my individual capacity, and
I am not representing any clients or other organizations.
Please accept my testimony for the record.
    My testimony is divided into three sections: It is a review
of the threat; it is an assessment of the current legislative
docket and unaddressed needs; and a view of the need to clarify
the role for the Department of Homeland Security.
    Targeted attacks are increasing, and our defensive posture
remains weak.
Our opponents harness precision-guided bits and
bytes to deliver spam, cast phishing attacks, facilitate click
fraud, and launch a distributed denial-of-service attack. The
frequency of events and affected people and enterprises are
alarming. Recent headlines will show that our money, our
personal privacy, our infrastructure, and our children are at
risk.
    The NASDAQ breach showed us that our investment plans and
money are exposed. The Epsilon breach showed us that our
personal credentials and privacy are at risk. The RSA SecureID
breach showed us that our trusted transactions and
authenticated transactions are at risk. The Sony PlayStation
network showed that our children are at risk. Then, finally,
the Stuxnet worm showed that our critical infrastructures are
at risk.
    The cybersecurity problem is growing faster than the
solution. The Comprehensive National Cybersecurity Initiative,
as well as the Cyberspace Policy Review, highlighted the need
to address the threat.
    Clearly, cybersecurity is a topic of interest, based on the
sheer number of bills that were highlighted in the 111th
Congress--over 55 bills--and now in the 112th Congress, showing
that a legislative conversation needs to address the shortfalls
in our current laws. As of June 2011, at least 10 pieces of
cybersecurity legislation have been introduced in the U.S.
Senate, and at least another 9 have been introduced in the U.S.
House of Representatives. I have highlighted those in my
testimony.
    The cybersecurity legislative proposals reflect different
approaches and priorities.
The 21st-Century digital environment
requires new laws that, at a minimum, address: Data ownership,
data handling, data protection and privacy, evidence gathering,
incident handling, monitoring and traceability, rights and
obligations related to data breach and data transfers, and
access to data based on law enforcement and intelligence
services.
    The administration outlines six proposals that anchor the
priorities for debate here in Congress. As Congress considers
these proposals, it will be important to gain industry's
perspective and understand the second- and third-order effects
of these proposals.
    For example, which sectors will be covered critical
infrastructure and, therefore, be subject to regulation under
the new rules? The President's international strategy for
cyberspace implies that energy, finance, transportation, and
the defense industrial base sectors will be named covered
critical infrastructures.
    The proposal attempts to establish a minimum standard of
care and an audit and certification function that would be
similar in kind to the Securities and Exchange Commission
requirement for attestation of material risk. In my view,
inserting DHS into a regulatory role in this context could
dilute its operational and policy responsibilities and likely
distract from the Nation's security posture.
    Additionally, the administration is proposing new
authorities for DHS by establishing a National Cybersecurity
Protection Program, which authorizes the DHS to explore
countermeasures for the overall infrastructure. The discussion
will become even more important as Congress debates the merits
of Government involvement in the protection of private-sector
networks.
    As scary and as problematic as these threats are and the
intrusions may be and as devastating as they may be, it is
important that the defensive posture not overtake our core
freedoms.
We should also respect the longstanding limitations
on the role of the military as it relates to public safety and
our civilian activities.
    I think the most important thing that this committee can
address is whether and how we clarify DHS's overall role. Are
we going to ask them to be a policy-maker, are we going to
ask them to be a regulator, or are we going to ask them to be
an operator?
    All of the legislative proposals reflect the dilemma of a
codependent relationship between the private sector as it
develops, owns, and operates the internet-based infrastructure
for which the Government is responsible for delivering
essential services of power, water, telephone, et cetera, and
ultimately providing economic prosperity and security.
    Our response includes restructuring regulation and attempts
to centralize decision-making, all with the intent to reduce
vulnerabilities and minimize the damages of intrusion. My
testimony reflects different ideas on each of the roles:
Operational, regulatory, and policy.
    In conclusion, the 112th Congress has an opportunity to
drive a new legislative conversation and address the shortfalls
in current laws. The cybersecurity problem is growing faster
than the solution, and we cannot afford to be faced with
strategic surprise to address this problem. FISMA reform and a
National data breach umbrella are needed.
    Additionally, modern-day criminals are using our legal
system's speed and lack thereof to their advantage. We need to
stiffen the penalties and modernize the laws that are not
keeping pace with today's digital environment. We need to
empower the National security community charged with protecting
the Nation and its critical infrastructure from cyber
exploitation or attack.
    The Computer Fraud and Abuse Act, the Electronic
Communications and Privacy Act, the Stored Communications Act,
the Telecommunications Act, and the Economic Espionage Act are
among some of the laws that need to be reviewed and updated.
    Congress should seek industry's perspective and debate the
advantages and challenges associated with fielding a robust and
active defense capability, imposing standards and regulation on
industry, and demanding more of DHS. An overly restrictive
approach should be avoided. We cannot afford to pass
legislation that would prove to be feckless.
    I thank you very much for the opportunity to testify, and I
look forward to your questions.
    [The statement of Ms. Hathaway follows:]
               Prepared Statement of Melissa E. Hathaway
                             June 24, 2011
    Mr. Chairman and Members of the committee: Thank you for the
opportunity to testify on the subject of cybersecurity and its
importance to homeland security. I am appearing today solely in my
individual capacity, and not on behalf of any clients or other
organizations.
    My testimony is divided into three parts: (1) A review of the
threat, (2) an assessment of the current legislative docket and the
unaddressed needs, and (3) a view on the need to clarify the role of
DHS.
    Targeted attacks are increasing and our defensive posture remains
weak.--A sense of urgency is rising because the media reports how our
insecure computers are being infected every day. Our opponents harness
precision-guided bits and bytes to deliver spam, cast phishing attacks,
facilitate click-fraud, and launch a distributed denial of service
(DDoS). The frequency of events and affected people and enterprises are
alarming.
Recent headlines expose that our money, personal privacy,
infrastructure, and even our children are at risk. These network
intrusions include but are not limited to:
  <bullet> NASDAQ.--The operator of the Nasdaq Stock Market said it
        found ``suspicious files'' on its U.S. computer servers and
        determined that hackers could have affected one of its
        internet-based client applications.\1\ Investigators are
        considering a range of possible motives, including unlawful
        financial gain, theft of trade secrets, and a National-security
        threat designed to damage the exchange.\2\ Impact: Our
        investment plans and money are exposed.
---------------------------------------------------------------------------
    \1\ Jonathan Spicer. UPDATE 2-Hackers breach Nasdaq's computers.
Reuters On-line. 5 February 2011. http://www.reuters.com/article/2011/
02/05/nasdaq-hackers-idUSN05148621- 20110205.
    \2\ Devlin Barrett. ``Hackers Penetrate Nasdaq Computers.'' The
Wall Street Journal. 5 February 2011. http://online.wsj.com/article/
SB10001424052748704709304576124502351- 634690.html.
---------------------------------------------------------------------------
  <bullet> Epsilon.--Epsilon, which sends 40 billion emails annually on
        behalf of more than 2,500 clients, detected an incident on 30
        March 2011. It determined that a subset of Epsilon clients'
        customer data were exposed by an unauthorized entry into
        Epsilon's email system. The information that was obtained was
        limited to email addresses and/or customer names and
        represented approximately 2% or 50 customers including
        Walgreens, Disney destinations, Best Buy, and Citigroup.\3\ The
        worry is that even months down the road, customers could get an
        email impersonating their bank or credit-card issuer containing
        poisonous web links. Once clicked, those links could install
        malicious code on their computers or try to trick them into
        giving up valuable information, such as credit card information
        or log-in data to their banks or social media accounts.\4\
        Impact: Our personal credentials and privacy are at risk.
---------------------------------------------------------------------------
    \3\ Epsilon. Public Statement by Epsilon. 1 April 2011.
    \4\ Ki Mae Heussner. Epsilon Email Breach: What You Should Know.
ABC News Online. 4 April 2011. http://abcnews.go.com/Technology/
epsilon-email-breach/story?id=13291589.
---------------------------------------------------------------------------
  <bullet> RSA SecureID.--In March 2011, RSA informed its customers of
        a breach of its corporate network which could reduce the
        effectiveness of its SecureID two factor authentication token.
        On 21 May 2011, a leading U.S. defense contractor, Lockheed
        Martin, had its networks penetrated. The perpetrator(s) used
        duplicates of RSA's SecureID tokens to gain access to
        Lockheed's internal network.\5\ After this breach and several
        others resulting from the SecureID issue, RSA Security says it
        will replace tokens, upon customer request.\6\ Impact: Our
        trusted transactions (authenticated transactions) are at risk.
---------------------------------------------------------------------------
    \5\ Jeffrey Carr. ``An Open Source Analysis Of The Lockheed Martin
Network Breach.'' Digital Dao Blog. 31 May 2011.
http://jeffreycarr.blogspot.com/2011/05/open-source-analysis-of-lockheed-
martin.html.
    \6\ http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-
tokens/.
---------------------------------------------------------------------------
  <bullet> Sony's PlayStation Network was taken down on 20 April
        2011.--A forensics team investigated the scope of the breach
        and by May 2, the breach reportedly had affected an estimated
        100 million people and spread to Sony's Online Entertainment
        division. In an effort to show how vulnerable Sony was to a
        breach, the hacker group LulzSec exposed names, birth dates,
        addresses, emails, passwords, etc. of Sony's customers.\7\ As
        of the end of May, Sony has spent $171 million closing the
        vulnerabilities on its network and informing its customers of
        their exposure.\8\ Impact: Our children are at risk.
---------------------------------------------------------------------------
    \7\ Andy Bloxham. ``Sony hack: private details of million people
posted online.'' The Telegraph. 3 June 2011. http://
www.telegraph.co.uk/technology/news/8553979/Sony-hack-private-details-
of-million-people-posted-online.html.
    \8\ Robert Westervelt. ``Sony breach timeline shows missteps.''
Security Bytes on-line. 31 May 2011. http://itknowledgeexchange.techtarget.com/
security-bytes/sony-breach-timeline-shows-missteps-says-security-firm/.
---------------------------------------------------------------------------
  <bullet> Citigroup.--In early June 2011, computer hackers breached
        Citigroup's network and accessed the names, account numbers,
        and contact data of hundreds of thousands of bankcard holders
        in North America.\9\ This may be the largest breach of a
        financial institution to date, arming criminals with victim
        data. Impact: Our banks and money are at risk.
---------------------------------------------------------------------------
    \9\ Maria Aspan. ``Regulators pressure banks after Citi data
breach.'' Reuters. 9 June 2011. http://news.yahoo.com/s/nm/20110609/
bs_nm/us_citi.
---------------------------------------------------------------------------
  <bullet> Stuxnet.--The Stuxnet worm that was used to shut down Iran's
        nuclear program has been widely analyzed around the world. It
        targets control system vulnerabilities and its source code has
        been traded on the black market. Security officials worry that
        this worm will be used again to attack other critical
        infrastructures that rely on computers and have the same
        security flaws.\10\ Impact: Our critical infrastructure is at
        risk.
---------------------------------------------------------------------------
    \10\ Stewart Meagher. ``Stuxnet worm hits the black market.''
THINQ. 25 November 2010. http://www.thinq.co.uk/2010/11/25/stuxnet-
worm-hits-black-market/.
---------------------------------------------------------------------------
    The cybersecurity problem is growing faster than the solution.--
Upon review of these cases, it can be determined that it costs less to
break into a system or enterprise than it does to defend it. An
infected thumb drive (USB key) that costs less than $10 can undermine
an enterprise's security in minutes and nullify years' worth of
information technology (IT) investments. Organizations everywhere are
being penetrated--from small businesses to the world's largest
institutions. Policy makers, legislators, and businessmen are assessing
the gap between their current defensive posture (the floor) and their
needed front-line defense (ceiling) in the face of a growing
sophisticated range of actors.
All of these facts are exacerbated by
the prolonged economic recovery that has placed significant pressures
on enterprise IT budgets and focused actions toward meeting the minimum
regulatory requirements like compliance at the expense of broader
information security initiatives.
    The Comprehensive National Cybersecurity Initiative (CNCI) outlined
these multidimensional threats along four attack vectors: Insider
access;\11\ proximity access;\12\ remote access;\13\ and supply chain
access,\14\ and it provided a framework for unifying investments to
shore up the Government's defense. President Obama's Cyberspace Policy
Review re-stated that the Nation must become more resilient to all
types of cyber-based attacks. While there has been activity against
many of the recommendations in the Cyberspace Policy Review, there is a
lot more that needs to be done.
---------------------------------------------------------------------------
    \11\ Unauthorized use or access to information, systems, and
networks by otherwise trusted agents (employees).
    \12\ Gaining access to information or systems via deployment of
technology in proximity to the target.
    \13\ Accessing target information and/or systems through network-
based technical means (internet).
    \14\ Gaining advantage, control, and/or access to systems and the
information they contain through manipulation by cooperative/witting
vendors or unilaterally at any point in the supply chain between the
manufacturer and end-user.
---------------------------------------------------------------------------
             cybersecurity in the 111th and 112th congress
    The 111th Congress considered more than 50 pieces of cybersecurity
legislation.
The wide range of topics addressed in these bills included
proposed changes to organizational responsibilities; instituting
compliance and accountability mechanisms; implementing data
accountability standards and reporting requirements for personal data
privacy, data breach handling and identity theft; enhancing
cybersecurity education; advancing research and development grants;
evaluating critical electric infrastructure protection and conducting
vulnerability analysis of other critical infrastructures; expanding
international cooperation on cybercrime; and addressing procurement,
acquisition, and supply-chain integrity.
    Clearly, cybersecurity is a topic of interest and the sheer number
of bills highlights the cross-jurisdictional interest of the subject.
The 112th Congress has an opportunity to drive a new legislative
conversation and address the shortfalls in our current laws. As of June
2011, at least ten pieces of cybersecurity legislation have been
introduced in the United States Senate and at least another nine have
been introduced in the United States House of Representatives. Appendix
A contains a table that outlines some of the cybersecurity bills under
consideration in the 112th Congress.
Like many of the bills of the
111th Congress, the bills in the 112th address niches of the
cybersecurity problems facing the Nation; even if taken together, none
of them address the situation in a comprehensive manner.
    Cybersecurity legislative proposals reflect different approaches
and priorities.--The 21st Century digital environment requires new laws
that at a minimum address: data ownership; data handling; data
protection and privacy; evidence gathering; incident handling,
monitoring and traceability; rights and obligations related to data
breach and data transfers; access to data by law enforcement or
intelligence services; and degree of Government assistance (e.g.,
subsidy, information, technology, liability relief) to close the gap
between threat, innovation, and competitiveness. The Cyberspace Policy
Review identified scores of laws that needed to be updated. In May
2011, the administration put forward its cybersecurity legislative
proposal. It reflects the efforts of an interagency, consensus-based
system and a diversity of views across six proposals. Like Congress, it
shows the jurisdictional focus by specific mission areas.
    Two specific areas of the administration's package have been
debated in the last two sessions of Congress: (1) Amending the Federal
Information Security Management Act (FISMA) from a static compliance-
based system to one of continuous monitoring; and (2) providing a
Federal umbrella to unify guidance of the 47 disparate State data
breach laws. The four remaining areas of the administration's package
represent new legislative proposals.
Briefly, they seek to: (1) Update
the Computer Fraud and Abuse Act (CFAA) by stiffening penalties for
breaches and theft of information; (2) grant new authorities for DHS--
enabling them to deploy Intrusion Prevention Systems (IPS) in the .gov
domain and allow DHS to turn to Internet Service Providers (ISPs) to
conduct that mission on behalf of the Government (with liability
relief); (3) establish critical infrastructure regulation, set
mandatory standards for ``covered'' critical infrastructures, and an
audit and compliance regime that mandates private sector entities to
attest to cybersecurity risk management plans; and (4) prevent
restrictions on data center locations (i.e., States can't specify that
a data center be located in a certain State).
    As Congress considers these proposals, it will be important to gain
industry's perspective and understand the second- and third-order
effects of the proposals. For example, which sectors will be considered
``covered'' critical infrastructure, and therefore subject to
regulation under the new rules? The President's International Strategy
for Cyberspace implies that the Energy, Transportation, Financial
Services, and Defense Industrial Base (DIB) sectors will be named the
``covered'' critical infrastructures. The legislative proposal states,
``the owners or operators of covered critical infrastructure shall
develop cybersecurity plans that identify the measures selected by the
covered critical infrastructure to address the cybersecurity risks in a
manner that complies with the regulations promulgated, and are guided
by an applicable framework designated.''\15\ This proposal attempts to
establish a minimum standard of care and an audit and certification
function that would be similar in kind to the Securities and Exchange
Commission (SEC) requirement for attestation of material risks. In my
view, inserting DHS into a regulatory role in this context could dilute
its operational and policy responsibilities and likely detract from the
Nation's security posture. In May 2011, Senator Rockefeller asked the
SEC to look into corporate accountability for risk management through
the enforcement of material risk reporting.\16\ And in June 2011,
Chairman Schapiro said that the SEC would look into the matter. If
Congress believes corporations should meet such a reporting requirement
then it should turn to the Executive Branch Independent Agency that is
responsible for this type of reporting and not add an additional
mission responsibility to DHS. And while regulation may be necessary,
Congress should also consider the use of other market levers (e.g., tax
relief, research and development subsidy, etc.) to incentivize industry
investment in information security.
---------------------------------------------------------------------------
    \15\ The White House. Cybersecurity Legislative Package:
Cybersecurity Regulatory Framework For Covered Critical Infrastructure
Act. Page 3.
    \16\ Senator Rockefeller letter to SEC Chairman Mary Schapiro. 11
May 2011.
---------------------------------------------------------------------------
    Additionally, the administration is proposing new authorities for
DHS by establishing a National Cybersecurity Protection Program
(Section 244) that authorizes DHS to actively protect Federal systems.
The package states, ``the Secretary is authorized, notwithstanding any
other provision of law and consistent with section 248(a), to acquire,
intercept, retain, use, and disclose communications and other system
traffic that are transiting to or from or stored on Federal systems and
to deploy countermeasures with regard to such communications and system
traffic.''\17\ Of course more active measures must be taken to protect
Federal systems from cybersecurity threats because passive defenses are
simply not enough. The question that Congress needs to carefully
consider is which entities in the Government (e.g., Federal Bureau of
Investigation (FBI), National Security Agency (NSA), or DHS) are the
appropriate entities to help secure the Federal Government systems? Are
there appropriate checks and balances in place to oversee these new or
extended authorities?
---------------------------------------------------------------------------
    \17\ The White House. Cybersecurity Legislative Package: Department
of Homeland Security Cybersecurity Authority. Page 6.
---------------------------------------------------------------------------
    This discussion will become even more important as Congress debates
the merits of Government involvement in the protection of private
sector networks. The Washington Post reported last week that NSA ``is
working with internet service providers to deploy a new generation of
tools to scan e-mail and other digital traffic with the goal of
thwarting cyber-attacks against defense firms by foreign
adversaries.''\18\ Certainly other nations are turning to their ISPs as
a front line of defense in protecting their Government and private
sector networks. But, is this a mission that we want NSA to lead, or is
it one that we expect DHS to undertake?
---------------------------------------------------------------------------
    \18\ Ellen Nakashima. ``NSA allies with internet carriers to thwart
cyber attacks against defense firms.'' The Washington Post. 7 June 2011.
---------------------------------------------------------------------------
    As scary and as problematic as these threats are and intrusions may
be (and as devastating as they may be), it is important that the
defensive posture not overtake our core freedoms. We should also
respect the long-standing limitations on the role of the military as it
relates to public safety and civilian activities. This is why, in my
opinion, the administration's legislative package proposes the section
(245) for voluntary disclosure of cybersecurity information. It
addresses shortfalls in the law and aims to extend the Provider
Exception (i.e., 18 U.S.C. § 2511(2)(a)(i)) to include protection
against network attacks and prevention of delivery of malware to the
end user and provides liability relief for the reporting mechanism back
to the Government (currently not permitted under the law). One could
argue that this is what is being mandated via the code of conduct in
Australia and via the recent pan-European telecommunications reform
that will be transposed into National laws in the coming months. The
European mandate obliges the ISPs to take more responsibility for
providing enhanced security services to their customers and report all
security incidents to the European Network and Information Security
Agency (ENISA).
       clarifying dhs's role: policy, operational, or regulatory
    All of the legislative proposals reflect the dilemma of a co-
dependent relationship between the private sector that develops, owns,
and operates the internet-based infrastructure for which the Government
is responsible for delivering essential services (e.g., power, water,
telephone, etc.) and ultimately providing economic prosperity and
security.
Our responses include organizational restructuring,
regulation, and attempts to centralize decisionmaking all with the
intent to reduce the vulnerabilities and minimize the damages of
intrusions. We appear to be asking DHS to take on new cybersecurity
roles and missions while it is establishing its basic core
competencies. Is this reasonable? Do we want DHS to become a first-
party regulator? Do we want DHS to assume an operational role that
provides actionable information to the private sector and provides
active defense of Federal systems? Or do we want DHS to assume a
broader policy role and become the National architect for a more secure
and resilient infrastructure? Perhaps it would be better to focus DHS
on becoming a center of excellence in one or two areas.
           24×7 information security capability (operational)
    Becoming an operational center of excellence that disseminates
timely and actionable cybersecurity threat, vulnerability, mitigation,
and warning information, including alerts, advisories, indicators,
signatures, and mitigation and response measures, to improve the
security and protection of Federal systems and critical information
infrastructure is necessary. To be successful requires DHS to adopt a
24×7 ``customer service'' business model, where its customers are other
Federal agencies; State, local, Tribal, and territorial governments;
the private sector; academia; and international partners. It would need
to learn from successful customer service industries and embed the
necessary industry partners (like the member companies of the National
Security Telecommunications Advisory Committee) within its operations.
\nIt would need to pass knowledge onto its customers that removes the \nsensitive sources and methods that make it classified and therefore \nmake it more readily available and actionable.\n    There are many other aspects of a 24x7 information security \noperation that DHS could take on. Some of these capabilities are \noutlined in the administration's legislative package and some \nadditional capabilities are outlined in other pieces of pending \nlegislation. Yet it is important to admit that establishing an \neffective 24x7 operation is no small task. It requires real \nspecialization and technical expertise, a commitment to providing a \n100% up-time service, and if an incident occurs, an ability to turn to \nthe private entities that will likely be called upon to operate in a \ndegraded state and restore operations (and infrastructures) quickly. \nWhile it is possible that the National Cybersecurity and Communications \nIntegration Center (NCCIC) could evolve and assume this role, it would \nrequire it to become an independent operational unit carved out of the \nheadquarters entity of DHS--akin to United States Secret Service or the \nDrug Enforcement Agency.\n    If we are truly interested in setting up a 24x7 operation \nimmediately, then DHS in cooperation with the Department of Defense \n(DoD) could call up specialist cybersecurity units within the National \nGuard or DoD Reserve Forces. DHS could also turn to outside \norganizations, such as the Carnegie Mellon Computer Emergency Response \nTeam (CERT-CC) to further augment its staff.\n       national architect and advocate for secure and resilient \n                        infrastructures (policy)\n    Congress and the administration also turn to DHS to raise awareness, \nfund education initiatives, incubate technology, and broadly set \ncybersecurity policies for the critical infrastructures. At the \nforefront, DHS is responsible for increasing public awareness. 
It is \ncurrently sponsoring a competition to develop a public service \nannouncement (PSA) on cybersecurity to augment the October \nCybersecurity Awareness Month. It is also conducting a review of the \nuniversity participation in the National Centers of Academic Excellence \nin Information Assurance to determine how it can increase the number of \nuniversities participating, obtain full 50-State participation, \nincrease the output of students per program, and align more closely \nwith the National Science Foundation's Scholarship for Service. Linking \nthese programs to hands-on experiential learning like that of the high-\nschool, university, and professional competitions sponsored by the U.S. \nCyber Challenge would be a natural next step.\n    Moreover, DHS recently released a paper entitled, ``Enabling \nDistributed Security in Cyberspace Building a Healthy and Resilient \nCyber Ecosystem with Automated Collective Action'' that explores the \nidea of a healthy, resilient--and fundamentally more secure--cyber \necosystem of the future. It envisions an environment of cyber \nparticipants, including cyber devices, that are able to work together \nin near-real time to anticipate and prevent cyber attacks, limit the \nspread of attacks across participating devices, minimize the \nconsequences of attacks, and recover to a trusted state.\\19\\ If DHS \nwere to drive the implementation of this vision it will require DHS to \nmodify its relationship with industry, consolidate the number of \nprivate-public partnerships, and drive the development of standards in \npartnership with the National Institute of Standards and Technology \n(NIST). It will also require DHS to lead the discussion on behalf of \nthe Executive Branch for the following questions: ``What are the \nbusiness drivers that will incentivize the necessary investments? What \nare the appropriate roles and responsibilities of the public and \nprivate sector in delivering the healthy ecosystem? 
Which elements \nshould be prioritized for early realization? As a healthy cyber \necosystem emerges, governance questions become salient. Will system \nowners cede decisionmaking to the community? Who sets policy for inter-\nenterprise information exchange and deployment of countermeasures? What \nliability regimes apply for collateral consequences of countermeasure \ndeployment (or the failure to deploy known countermeasures)? What legal \nauthorities should local and National governments, as well as \ninternational entities, have to compel action by devices owned by or \nserving private parties in order to secure the larger cyber \ncommons?''\\20\\\n---------------------------------------------------------------------------\n    \\19\\ Department of Homeland Security. ``Enabling Distributed \nSecurity in Cyberspace Building a Healthy and Resilient Cyber Ecosystem \nwith Automated Collective Action.'' 23 March 2011.\n    \\20\\ Department of Homeland Security. ``Enabling Distributed \nSecurity in Cyberspace Building a Healthy and Resilient Cyber Ecosystem \nwith Automated Collective Action.'' 23 March 2011. Page 27.\n---------------------------------------------------------------------------\n    Like the operational role, this policy-based role requires \npersonnel who are steeped with background in policy development and the \nart of negotiation. It also requires understanding of the technical \nunderpinnings of the next generation hardware and software and \nknowledge of the standards-setting processes. Raising awareness and \nadvocating a new architecture of hardware and software products for \nindustry to build toward is no small task. 
If Congress and the \nadministration want DHS to be the National voice for cybersecurity, \nthey cannot necessarily be saddled with all of the operational and \nregulatory missions that are recommended in the legislative proposals.\n           first-party regulatory role vice-setting standards\n    Is it possible for regulation to keep pace with technology \ndevelopment and adoption? Has the market failed to produce secure and \nresilient hardware and software products?\n    Many of the critical infrastructures are already regulated (e.g., \nenergy, finance, telecommunications) and NIST works with the Sector \nAgency and DHS to set the standards that industry has to meet. But \nas evidenced by the three-volume edition on Guidelines for Smart Grid \nCybersecurity,\\21\\ the standards are not always published in time for \nmarket penetration and adoption. So, what is the role of the private \nsector in policing itself, adapting to new industry standards and \nupgrades, and coping with accelerating threats? The North American \nElectric Reliability Corporation (NERC) works across the electric power \nsector to set the standards and help ensure compliance. However, due to \nthe intermingling of State and Federal regulation the industry usually \nadopts a lower standard leaving some vulnerabilities unaddressed. \nExisting standards will never be sufficient in light of a \nsophisticated, perhaps nation-state adversary, but they can be \nstrengthened.\n---------------------------------------------------------------------------\n    \\21\\ Department of Commerce, National Institute of Standards and \nTechnology. Guidelines for Smart Grid Cybersecurity (3 volumes). August \n2010.\n---------------------------------------------------------------------------\n    What may be more useful would be if DHS, supported by the FBI and \nintelligence community, were to inform industry of the threats they are \nfacing and how they are being exploited or penetrated. 
A training \nprogram that educates corporate leadership on how to mitigate the risk \nof being a high-value target including providing them with briefings \nabout the threat to their industry using specific case studies may go \na long way to reducing the number of incidents and loss of confidential \ninformation. Furthermore, as some companies are ``personally'' touched \nby the penetration of their networks (e.g., Sony and Citigroup), they \nmay be extra motivated to invest in and promote stronger information \nsecurity standards for their industry and customers alike.\n    As Congress considers placing DHS into more of a regulatory role, \nit should consider the impact of the possible dilution of its \noperational and policy responsibilities. While some say DHS's input and \nsupport of streamlining CIP standards has had a positive effect, is it \nmaking enough of a difference? Is it best to educate the first-party \nregulators and help them improve the security posture of the Nation? \nHow are the other existing regulatory bodies (SEC, FCC, FERC, or FTC) \nusing their current authorities to address the situation? Would \nstrengthening the regulatory oversight of the SEC, FCC, FERC, or FTC \nhelp or hurt the situation?\n                               conclusion\n    The 112th Congress has an opportunity to drive a new legislative \nconversation and address the shortfalls in our current laws. The \ncybersecurity problem is growing faster than the solution and we cannot \nafford to be faced with strategic surprise to address the problem. \nFISMA reform and a National data breach umbrella are needed. \nAdditionally, modern-day criminals are using our legal systems' speed, \nor lack thereof, to their advantage. We need to stiffen penalties and \nmodernize the laws that are not keeping pace with today's digital \nenvironment. 
We need to empower the National security community charged \nwith protecting the Nation and its critical infrastructure from cyber \nexploitation or attack. The Computer Fraud and Abuse Act, Electronic \nCommunications and Privacy Act, Stored Communications Act, \nTelecommunications Act, and Economic Espionage Act are among some of \nthe laws that need to be reviewed and updated. Congress should seek \nindustry's perspective and debate the advantages and challenges \nassociated with fielding a robust active defense capability, imposing \nstandards and regulation on industry, and demanding more of DHS. An \noverly restrictive approach should be avoided yet, we cannot afford to \npass legislation that would prove to be feckless.\n    I thank you very much for the opportunity to testify, and look \nforward to your questions.\n                               Exhibit A\n\n        REVIEW OF CYBERSECURITY LEGISLATION IN THE 112TH CONGRESS\n------------------------------------------------------------------------\n                                              United States House of\n          United States Senate                   Representatives\n------------------------------------------------------------------------\nS. 8, Tough and Smart National Security  H.R. 76, Cybersecurity\n Act.                                     Education Enhancement Act of\n                                          2011.\nS. 21, Cyber Security and American       H.R. 96, Internet Freedom Act\n Cyber Competitiveness Act of 2011.       of 2011.\nS. 28, Public Safety Spectrum and        H.R. 174, Homeland Security\n Wireless Innovation Act.                 Cyber and Physical\n                                          Infrastructure Protection Act\n                                          of 2011.\nS. 372, Cybersecurity and Internet       H.R. 607, Broadband for First\n Safety Standards Act.                    Responders Act of 2011.\nS. 413, The Cybersecurity and Internet   H.R. 
668, Secure High-voltage\n Freedom Act of 2011.                     Infrastructure for Electricity\n                                          from Lethal Damage Act (SHIELD\n                                          Act).\nS. 709, Secure Chemical Facilities Act.  H.R. 1136, Executive Cyberspace\n                                          Coordination Act of 2011.\nS. 813, Cyber Security Public Awareness  H.R. 1389, Global Online\n Act of 2011.                             Freedom Act of 2011.\nS. 968, Preventing Real Online Threats   H.R. 1540, National Defense\n to Economic Creativity and Theft of      Authorization Act for Fiscal\n Intellectual Property Act of 2011        Year 2012.\n (PROTECT IP Act).\nS. 1101, Electronic Communications and   ...............................\n Privacy Act--Amendments Act (Digital\n Privacy Bill).\nS. 1151, Personal Data Privacy and       ...............................\n Security Act of 2011.\n------------------------------------------------------------------------\n\n    Mr. Lungren. Thank you very much for your testimony.\n    Now Dr. Shannon.\n\n STATEMENT OF GREGORY E. SHANNON, CHIEF SCIENTIST FOR COMPUTER \n     EMERGENCY READINESS TEAM (CERT), SOFTWARE ENGINEERING \n             INSTITUTE, CARNEGIE MELLON UNIVERSITY\n\n    Mr. Shannon. Thank you, Chairman Lungren, Ranking Member \nClarke, and other Members of the subcommittee, for me to talk \nabout, this morning, the future of cyber incident response. I \napplaud the current efforts of Congress to mitigate risks to \nour public and private critical information infrastructures.\n    CERT, as you mentioned, is a Federally-funded Department of \nDefense research and development lab. We have over 250 staff \nthat have been working on this challenge of incident response \nsince 1988, when the Morris worm first was experienced. For \nexample, we catalogue over a quarter-million malware artifacts \neach month. 
We assist in major, on-going cybersecurity \nincidents of National importance. We release security coding \nguidelines and technologies for the C, C++, and Java \nprogramming languages.\n    While much is said about risk mitigation, incident response \nreceives less focused attention as a strategic technical area, \nyet it is critically important. Vigorous attacks on our network \nenvironments will continue for the foreseeable future, failures \nwill occur, and effective responses are required. The Federal \nGovernment must look at incident response as strategic, just as \nit looks at preventative efforts. The U.S. CERT and other \ncapabilities are a part of this effort.\n    Our country needs legislation that will facilitate capable, \nscalable, cost-effective cybersecurity incident response for \ncritical Government infrastructure. Things will fail in \nunexpected ways, and our Nation must have the capacity to \nrespond accordingly.\n    I believe that the most difficult technical challenge to \nboth effective risk mitigation and incident response is \nselecting practices that are scientifically sound and \noperationally proven. We do not want to be guessing. I \nencourage you to consider in the rulemaking language that valid \napproaches be considered. The complexity of practices and \nregimes being proposed will probably have unintended and \nunexpected consequences. Some approaches aren't fully proven, \nexperimentally or operationally. Again, I encourage you to use \nlanguage that calls that out in the rulemaking.\n    I believe that the most difficult policy challenge for \neffective Government incident response is harmonizing the \nresponsibilities, authorities, capabilities, and communication \nacross the various agencies, as Ms. Hathaway has highlighted. \nAt CERT, part of our value to the Government has been the \nability to bridge these gaps and misalignments in the midst of \nthe response to a critical cybersecurity incident. 
But we \nrecognize that that is not the ideal way, going forward, to be \nad hoc.\n    Three areas that we highlight in the written testimony are: \nData sharing, forensics, and training. I would encourage--I \napplaud the effort of safe harbors in Section 246 for \norganizations and individuals that are attempting to do the \nright thing. The notion of ``right thing'' in incident response \nis a well-founded principle that individuals, organizations \noften know what the right thing to do is, and it is important \nthat the policies and such be aligned to support that.\n    On the forensics side, what we are seeing is an excellent \nuse of potential cloud-based computing, private clouds, to \nsupport a broad capability for the law enforcement community to \ndo investigations at scale. As these incidents increase in \nscope and scale, the ability to respond quickly with \nappropriate forensics, to maintain the velocity of the \ninvestigation, as well as to collect the evidence that could be \nused in court, is important.\n    Finally, on training, one of the key challenges is how to \ntrain as the technical people work, or, as the Department of \nDefense says, train as you fight. The environments that we are \nin are complex. The threats that are experienced are even more \ncomplex and less likely to be experienced. Part of the work we \ndo is to encourage the ``train as you work'' mentality, to be \nrealistic.\n    We at CERT look forward to the day when our Nation's \ncybersecurity resiliency is founded on the effective mitigation \nof cyber risks and pervasive capabilities to respond to \ncybersecurity incidents. I see this legislation and the related \nmodifications and efforts as an important step in the right \ndirection.\n    For your benefit, I would like to also submit an article \nfrom Nature. It talks about the Stuxnet. This was in the June \nissue. At the end of it, it highlights some of the technical \nchallenges from a science-of-security point of view. 
I would \nlike to also submit that into the written record.\n    Mr. Lungren. Without objection, that shall be accepted.*\n---------------------------------------------------------------------------\n    * The information has been retained in committee files and is \navailable at http://www.nature.com/news/2011/110608/full/474142a.html.\n---------------------------------------------------------------------------\n    Mr. Shannon. Okay. Thank you for your time.\n    [The statement of Mr. Shannon follows:]\n                Prepared Statement of Gregory E. Shannon\n                             June 24, 2011\n    Chairman Lungren, Ranking Member Clarke, and other distinguished \nMembers of the subcommittee, thank you for the opportunity to testify, \nit is my pleasure to be here this morning to discuss cyber incident \nresponse.\n                              about cert\n    The CERT Program is part of Carnegie Mellon University's Software \nEngineering Institute, a Federally-funded research and development \ncenter, and is located on the Carnegie Mellon campus in Pittsburgh, \nPennsylvania.\n    The CERT program (http://www.cert.org/) was charged by DARPA in \n1988 to set up the first Computer Emergency Response Team (CERT) as a \nresponse to the Morris worm incident. We continue to develop and \npromote the use of appropriate technology and systems management \npractices to resist attacks on networked systems, limit damage, and \nrestore continuity of critical services. CERT works both to mitigate \ncyber risks and coordinate cyber incident responses at local, National, \nand global levels. Over the last 23 years CERT has helped to establish \nover 200 CERT computer security incident response teams (CSIRTs) around \nthe world--including the DHS US-CERT. We continue to have proven \nsuccess transitioning research and technology to those who can \nimplement it on a National scale.\n    Dr. 
Greg Shannon is the Chief Scientist for the CERT Program, where \nhe works to establish and enhance the program's research visibility, \ninitiatives, strategies, and policies.\n                               testimony\n    Today's operational cyber environments are complex and dynamic. \nUser needs and environmental factors are constantly changing, which \nleads to unanticipated usage, reconfiguration, and continuous evolution \nof practices and technologies. New defects and vulnerabilities in these \nenvironments are continually being discovered, and the means to exploit \nthese environments continues to rise. The CERT Coordination Center \ncataloged ~250,000 instances of malicious artifacts last month alone. \nFrom this milieu, public and private institutions respond daily to \nrepeated attacks and also to the more serious previously un-experienced \nfailures (but not necessarily unexpected); both demand rapid, capable, \nand agile responses.\n    Incident response, as a discipline, is maturing. Over the last two \ndecades, it has emerged from the shadows of IT and risk management, to \nachieve recognition as a robust and growing discipline.\\1\\ Signs of \nthis progress include the emergence of process models, meta-models, \nbodies of knowledge, common data representations, and auditable \nstandards. Further development, and continued funding, will enable \nfaster and more efficient dissemination of information to trusted \npartners in larger trust networks.\n---------------------------------------------------------------------------\n    \\1\\ For example, this fall, CERT and the Institute for Information \nInfrastructure will hold a workshop on Coordinated Private-Sector \nResponses to Cyber Security Incidents. 
This is a follow on to I3P's \n2009 workshop on Protecting Critical Infrastructures: The National \nCapital Region as a Model for Cyber Preparedness.\n---------------------------------------------------------------------------\n    I applaud the current efforts of the Federal Government to mitigate \nrisk to our public and private critical information infrastructures; \nCERT has worked tirelessly to improve cybersecurity in areas such as \nsecure coding, insider threat, and vulnerability analysis. But, while \nmuch is said about risk mitigation, incident response is often not as \nthoroughly addressed, and is critically important. Networked \nenvironments will continue to be vigorously attacked for the \nforeseeable future. Failure will occur and effective responses are \nrequired. Incident response is not a single action but rather a complex \nfunction that includes containment, repair, and recovery.\\2\\ The \nFederal Government must look at incident response as strategic, just as \nit looks at preventative efforts. Our country needs legislation that \nwill facilitate capable, scalable, and cost-effective cyber-incident \nresponse for critical and Government infrastructure. Things will fail \nin unexpected ways and our Nation must have the capacity to respond \naccordingly.\n---------------------------------------------------------------------------\n    \\2\\ Some contend that retaliation is part of incident response; I \ndisagree. The response community does not consider it in scope for \nincident response as practiced today. Other organizations and \ndisciplines are better suited to address this issue.\n---------------------------------------------------------------------------\n    I believe that the most difficult technical challenge to effective \nrisk mitigation and incident response is selecting practices that are \nscientifically sound and operationally proven. 
The complexity of \npractices and regimes being proposed in legislation and elsewhere will \nprobably have unintended and unexpected consequences. I encourage the \nsubcommittee to use language in legislation that encourages practices \nthat are both experimentally and operationally validated.\n    I believe that the most difficult policy challenge for effective \nGovernment incident response is harmonizing the responsibilities, \nauthorities, capabilities, and communication across the various \nagencies involved. I support the current efforts in this.\n    In my remaining testimony I discuss three areas that we at CERT \nbelieve are key to the future of incident response.\n                          information sharing\n    We all realize how critical it is for stakeholders to share \ninformation, but good incident response is contingent upon sharing the \nright information, with the right people, at the right time. High-\nquality and actionable information comes from superior situational \nawareness only possible with robust information sharing and sufficient \nvisibility into one's own enterprise. Currently, our technical \ncapabilities allow us to see and respond to variant indicators, but to \nbetter detect, share, and respond to incidents analysts need to be able \nto look past narrowly-focused indicators.\n    Achieving this enhanced situational awareness will require \ncontinued research on network traffic and data. The ability to detect \nmalicious markers that are invariant, such as behavioral-based \nindicators (e.g. insider threats) will enable a more proactive \nresponse. To facilitate innovation, richer data needs to be shared with \nthe research community, not only incident data itself, but also data-\nsets that will enable an understanding of what ``normal'' resembles. \nCurrently, the community does not have a clear understanding of what \nthis data set would look like. 
If situational awareness is to develop \nbeyond simple indicators, regulatory frameworks must allow access to \neveryday data, so that investigators can begin to recognize which data-\nsets are important. This data sharing should start with limited access \nto high-fidelity data sets for researchers so that data with \nscientifically proven value is considered for sharing operationally. \nOtherwise, policymakers and experts are left to speculate what is the \nright data to share. To further improve the future efficiency and \neffectiveness of incident response, the community also needs to develop \nand use automated tools and techniques to analyze and correlate the \nvast amount of log files, artifacts, and other event information.\n    Moreover, compliance-driven information sharing will only lead to \nthe bare minimum disclosure of sensitive information related to \nproblems, concerns, and vulnerabilities. Building trusted relationships \nwith stakeholders becomes essential to avoiding such limited \ninformation exchange and is a fundamental ingredient to a successful \nresponse. We also have to trust the people in the field and those who \nfirst respond to incidents. I applaud the effort in this legislation to \nsupport actions to do the ``Right Thing(TM)''; this is an \nimportant principle in the response community and is the basis of \nsuccessful responses in many highly stressful incidents. Safe harbor \nmeasures such as Sec. 
246 in the administration's Cybersecurity \nLegislative Proposal work towards continued encouragement to share \ndata; however in response scenarios it is worthwhile to consider \nincluding the actions of cyber ``first responders'' into good faith \nlegislation as well.\n                               forensics\n    While gains have been made in the field of incident response the \nnature of the ever-evolving cyber threat poses a huge challenge and \ndemand for incident response expertise that has far outstripped the \nsupply.\n    Computers are no longer just the targets of crime; our adversaries \nnow use them to facilitate every aspect of their illicit activities and \nachieve effects at scale. Once an incident occurs Federal agencies are \nfacing several hurdles to recover the needed data in order to locate \nthe source of the incident and contain the problem. First, computer \nforensic labs are constrained by a lack of resources, creating an \nenormous backlog rendering them unable to handle the megafold increases \nin the volumes of data that need to be examined for evidence. While \nsome agencies may have the qualified examiners, and many do not, they \nlack the funds to properly equip them for the mission. For example, \ncurrent examination methods rely heavily on processor power, but due to \ndramatically increased computer memory, examination stations often \ncannot keep up. Finally, the current state of the practice does not \nallow examiners to easily access varied levels of expertise in a timely \nor cost-effective way; frequently people are sent Temporary Duty or \nimages are shipped to higher level units, resulting in time delays and \nincreased costs.\n    To successfully respond to cyber incidents these obstacles must be \novercome in a way that allows for high-quality collaborative \nexaminations. For instance, what would happen if an adversary \nperpetrated an actual, severe cyber event with National consequences? 
\nCurrently there is no one facility or lab that could support the volume \nof data these kinds of events would generate. Under current conditions, \ndata would have to be distributed, adding to the time and complexity of \nconducting examinations. Agencies will need to augment scarce resources \nby having multiple users viewing the same data either remotely or \nlocally, while maximizing the application of specialized computing \nresources, and allowing for massive, coordinated efforts. Analysts and \ninvestigators will need flexible, secure access to high-performance \nsystems, to increase productivity and facilitate effective distributed \ncollaboration in a scalable and cost-effective way.\n                                training\n    In order to rapidly handle cyber incidents the Federal Government \nneeds a workforce educated and equipped to respond. However, the rapid \nchanges and dynamic nature of cybersecurity make keeping the workforce \nup to date a very challenging problem. Responding to critical cyber \nevents requires technical knowledge and skills, decision-making \nabilities, and effective coordination--all while moving rapidly. \nMoreover, a lack of preparation inhibits secondary incident-handling \nactivities, such as: Evidence gathering, identifying the attacker, and \nreporting the incident to other affected organizations. The Federal \nGovernment must have an agile and prepared workforce to deal with cyber \nincidents, and should be able to train them in a cost-effective and \nscalable manner.\n    The most common workforce development training solution is the \ntraditional classroom training model. While this training model is easy \nto implement and is widely used, there are a number of reasons why it \nis not adequate for providing effective, large-scale training to a \ntechnical workforce, including time, cost, and scalability. 
\nFurthermore, traditional classroom training is not optimal for rapidly-\nchanging fields such as cybersecurity.\n    The best way to prepare the workforce is to have them practice \nunder realistic conditions with interactive simulations, and the \nability to interface with participants across multiple locations who \ncan work together to analyze and respond to the latest threats and \nattacks. Individuals need to be trained on a platform that safely \nmimics how the internet would respond to stress and exposes them to \nreal-world scenarios, events, and activities that are similar to those \nthey will encounter in their jobs.\n    In addition, there are two incident response domains where we see \nan immediate need for further training. The first is reverse \nengineering, to grow capacity in analyzing malware recovered from an \nincident. The second domain is embedded systems, which pose many unique \nchallenges for incident response and which some experts believe will be \na major cybersecurity problem area in the near future.\n    The workforce needs to not only be trained, but also educated. For \nexample, in the case of forensics, much of the training the workforce \nreceives is how to use tools, but when those tools are not effective no \none is educated on how to manage the situation or apply critical \nthinking to determine alternative approaches. What's more, to train the \nworkforce to manage cyber incidents the Federal Government needs to \nexpand the scope of computer or cybersecurity training to include first \nresponder training and best practice guidance. Without proper education \na first responder may unintentionally cause irrevocable damage by doing \nsomething as simple as turning off a computer. 
This will not only cause \nlost data, but can also result in severely slowing an investigation and \ncompromise the potential prosecution of the perpetrator.\n    In conclusion, I thank the subcommittee again for inviting me and \nconsidering my testimony. Our Nation will continue to see significant \nserious cyber incidents for the foreseeable future. CERT's mission is \nto help ensure that these incidents are not catastrophic and that we \nrecover as quickly as possible. We at CERT look forward to the day when \nour Nation's cyber resiliency is founded on the effective mitigation of \ncybersecurity risks and pervasive capabilities to respond to \ncybersecurity incidents. I see this legislation and the related \nmodifications and efforts as an important step in the right direction.\n\n    Mr. Lungren. Mr. Williams.\n\n  STATEMENT OF LEIGH WILLIAMS, PRESIDENT, BITS, THE FINANCIAL \n                      SERVICES ROUNDTABLE\n\n    Mr. Williams. Thank you, Chairman Lungren, Ranking Member \nClarke, and Members of the committee.\n    My name is Leigh Williams, and I am president of BITS, the \ntechnology policy division of The Financial Services \nRoundtable, where we address security fraud and other \ntechnology issues on behalf of our 100 member institutions, \ntheir millions of customers, and all of the stakeholders in the \nU.S. financial system.\n    In my remarks today, I will briefly describe cybersecurity \nin financial services, explain why The Roundtable supports the \nObama administration's cybersecurity legislation, and comment \non some of the strong provisions of H.R. 174.\n    In my view, most cybersecurity protection arises from \nindividual institutions investing literally tens of billions of \ndollars and tens of millions of hours in voluntary measures for \nbusiness reasons. Up at the industry level, BITS and several \nother coalitions promote best practices for protecting customer \ninformation. 
For example, BITS is currently addressing security \nin mobile, cloud computing, social networking, protection from \nmalicious software, and security training and awareness.\n    Beyond these voluntary efforts, our members are also \nsubject to a range of oversight mechanisms to ensure \nconsistency throughout the industry. Just to take security and \nprivacy provisions of Gramm-Leach-Bliley as an example, \nCongress enacted GLB; the banking regulators detailed it in Reg \nP; Reg P was translated into examination guidance; banks used \nthat guidance to manage their risk and the risk of their \nservice providers; examiners audit the banks against it; \nTreasury monitors their consistency; and then just to bring \nthis whole process full circle, the Congress oversees Treasury \nand the agencies.\n    Beyond this sector-specific work, we collaborate more and \nmore with DHS, with law enforcement, with the intelligence \ncommunity, and with other industries on a variety of projects, \nincluding one that we have launched recently with DHS, the \nCyber Operational Resiliency Review, where institutions can \ninvite DHS to review their control practices and their network \ntraffic.\n    As the committee considers action on cybersecurity, I would \nurge Members to appreciate these current safeguards and these \nexisting collaborations so that we might leverage all of them \nfor maximum benefit.\n    Even given this headstart, we believe that comprehensive \ncybersecurity legislation is warranted. It can improve security \nthroughout the cyber ecosystem, including in telecom networks, \nin software and hardware supply chains, in Federal systems, and \nin our sector.\n    Specifically, The Roundtable supports the administration's \nlegislative proposal. 
We support many of the provisions on \ntheir individual merits, and we see the overall proposal as an \nimportant first step in building a more integrated approach.\n    We do believe that harmonizing the comprehensive approach \nand the sector-specific mechanisms will be a challenge. There \nare at least a couple of ways of bridging this ecosystem sector \ndivide. First, Congress could establish a uniform standard but \nwith exceptions where substantially similar requirements \nalready are in place, as in the banking regulators' breach \nnotification rules. Or Congress could reserve more autonomy for \nthe sectors. For example, it could be the sector-specific \nagencies, and not DHS, that designate the critical sector \nentities or systems or assets.\n    In other specific provisions of the proposal, we support \nstrengthening penalties for computer crime, including the theft \nof intellectual property. We support a uniform national \nstandard for breach notification with strong preemption. And we \nsupport the Federal systems provisions, both to safeguard the \ndata that we report and to the systems and because we believe, \nas the Chairman has suggested, that Government should use its \nprocurement power to model good behavior.\n    On H.R. 174, the Homeland Security Cyber and Physical \nInfrastructure Protection Act, we see two more promising \noptions for harmonizing DHS and sector-level work. DHS can \ndelegate authority to the sector, and DHS is instructed to use \nthe primary regulators as conduits to the covered companies. \nWith these options, delegation and conduit, and the options in \nthe administration proposal already in place, and sector plus \naggregation, we should be able to take full advantage of both \nthe sector and DHS. Finally, we appreciate H.R. 
174's focus on \nrisk-based performance-based regulation, on R&D, and on \ninformation-sharing among the critical companies and key \nagencies.\n    In conclusion, may I just say that at The Financial \nServices Roundtable we will continue to strengthen security \naround our customers' information, we will help answer the \nquestion of ecosystem sector balance, and we will support and \nwe will work to implement the administration's cybersecurity \nproposal.\n    Thank you very much for your time.\n    [The statement of Mr. Williams follows:]\n                  Prepared Statement of Leigh Williams\n                             June 24, 2011\n    Thank you Chairman Lungren, Ranking Member Clarke, and Members of \nthe committee for the opportunity to testify before you today.\n    My name is Leigh Williams and I am president of BITS, the \ntechnology policy division of The Financial Services Roundtable. BITS \naddresses issues at the intersection of financial services, technology, \nand public policy, on behalf of its 100 member institutions, their \nmillions of customers, and all of the stakeholders in the U.S. \nfinancial system.\n    From this perspective, I will briefly describe cybersecurity and \ndata protection in financial services, including private sector \nefforts, sector-specific oversight and inter-sector interdependencies. \nI will explain why The Financial Services Roundtable supports the \ncybersecurity proposal delivered by the Obama administration to the \nCongress on May 12. Finally, I will comment on the key provisions of \nH.R. 174, which I understand is under active consideration by the \ncommittee.\n        financial institutions' voluntary cybersecurity efforts\n    Within the financial services sector, the greatest amount of \ncybersecurity protection arises from voluntary measures taken by \nindividual institutions for business reasons. 
To protect their retail \ncustomers, commercial clients and their own franchises, industry \nprofessionals--from Chief Information Security Officers to CIOs to \nCEOs--are increasingly focused on safeguards, investing tens of \nbillions of dollars in data protection. They recognize the criticality \nof confidentiality, reliability, and confidence to their success in the \nmarketplace. This market-based discipline is enforced through an \nincreasingly informed consumer base, and by a very active commercial \nclientele that often specifies security standards and negotiates for \naudit and notification rights.\n    At the industry level, BITS and several other coalitions facilitate \na continuous process of sharing expertise, identifying and promoting \nbest practices, and making these best practices better, to keep pace in \na dynamic environment. For example, as BITS and our members implement \nour 2011 business plan, we are addressing the following items \nassociated with protecting customer data:\n  <bullet> Security standards in mobile financial services.\n  <bullet> Protection from malicious or vulnerable software.\n  <bullet> Security in social media.\n  <bullet> Cloud computing risks and controls.\n  <bullet> Email security and authentication.\n  <bullet> Prevention of retail and commercial account takeovers.\n  <bullet> Security training and awareness.\n    While much of this institution-level and industry-level effort is \nvoluntary--not driven primarily by regulation--it is not seen by \nindustry executives as discretionary or optional. The market, good \nbusiness practices and prudence all require it.\n                               oversight\n    To strengthen public confidence and to ensure consistency across a \nwide variety of institutions, Federal financial regulators codify and \nenforce an extensive system of requirements. 
Many of these represent \nthe distillation of previously voluntary best practices into \nlegislation introduced in Congress, enacted into law, detailed in \nregulation, enforced in the field, with feedback to the Congress in its \noversight capacity.\n    In addition to these Federal authorities, institutions are subject \nto self-regulatory organizations like the Financial Industry Regulatory \nAuthority (FINRA), State regulators like the banking and insurance \ncommissioners, independent auditors, outside Directors, and others.\n    These various oversight bodies, for example, apply the Financial \nServices Modernization Act of 1999 (GLB), the Fair and Accurate Credit \nTransactions Act (FACTA), Electronic Funds Transfers (Regulation E), \nSuspicious Activity Reporting (SARs), the International Organization \nfor Standardization criteria (ISO), the Payment Card Industry Data \nSecurity Standard (PCI), BITS' own Shared Assessments and many, many \nmore regulations, rules, guidelines, and standards.\n                       inter-sector collaboration\n    Commensurate with the escalating cybersecurity challenges and \nincreasing interconnectedness among sectors, more and more of our work \nentails public/private and financial/non-financial partnerships. Our \nFinancial Services Sector Coordinating Council (FSSCC) of 52 \ninstitutions, utilities, and associations actively partners with the 17 \nagencies of the Finance and Banking Information Infrastructure \nCommittee (FBIIC). [For additional detail on the FSSCC's perspective on \ncybersecurity, research and development, and international issues, \nplease refer to the April 15, 2011 testimony of FSSCC Chair Jane Carlin \nbefore this subcommittee.] 
Our Financial Services Information Sharing \nand Analysis Center (FS-ISAC) is in constant communication with the \nDepartment of Homeland Security (DHS), law enforcement, the \nintelligence community and ISACs from the other critical infrastructure \nsectors, to address individual incidents and to coordinate broader \nefforts.\n    Other examples of collaboration with non-financial partners, drawn \njust from BITS' 2011 agenda, include:\n    The Cyber Operational Resiliency Review (CORR) pilot, in which \n        institutions may voluntarily request Federal reviews of their \n        systems, in advance of any known compromise--with DHS and the \n        Treasury.\n    Multiple strategies for enhancing the security of financial \n        internet domains--with the Internet Corporation for Assigned \n        Names and Numbers (ICANN) and Verisign, in partnership with the \n        American Bankers Association (ABA) and in consultation with \n        members of the Federal Financial Institutions Examination \n        Council (FFIEC).\n    A credential verification pilot--with DHS and the Department of \n        Commerce--building on private sector work that began in 2009, \n        was formalized in a FSSCC memorandum of understanding in 2010, \n        and was featured in the April 15, 2011 announcement of the \n        National Strategy for Trusted Identities in Cyberspace (NSTIC).\n    Through the processes and initiatives above and in many other \nefforts, financial institutions, utilities, associations, service \nproviders and regulators continue to demonstrate a serious, collective \ncommitment to strengthening the security and resiliency of the overall \nfinancial infrastructure. 
As the committee considers action on \ncybersecurity, I urge Members to be conscious of the protections and \nsupervisory structures already in place and the collaborations \ncurrently underway, and to leverage them for maximum benefit.\n                          need for legislation\n    Even given this headstart and substantial momentum, we believe that \ncybersecurity legislation is warranted. Strong legislation can catalyze \nsystemic progress in ways that are well beyond the capacity of \nindividual companies, coalitions, or even entire industries. For \nexample, comprehensive legislation can:\n    Raise the quality and consistency of security throughout the full \n        cyber ecosystem, including the telecommunications networks on \n        which financial institutions depend.\n    Enhance confidence among U.S. citizens and throughout the global \n        community.\n    Strengthen the security of Federal systems.\n    Mobilize law enforcement and other Federal resources.\n    Enable and incent voluntary action through safe harbors and \n        outcome-based metrics, rather than relying primarily on static \n        prescriptions.\n    Attached are a list of 13 policy approaches that the FSSCC recently \nendorsed, along with three that it deemed problematic. We urge the \ncommittee to consider the FSSCC's input, particularly in light of the \nFSSCC's leadership of the financial services industry on this issue.\n                        administration proposal\n    On May 12, 2011, on behalf of the administration, the Office of \nManagement and Budget transmitted to Congress a comprehensive \nlegislative proposal to improve cybersecurity. The Financial Services \nRoundtable supports this proposal and looks forward to working for its \npassage. We support many of the provisions of this proposal on their \nindividual merits, and we see the overall proposal as an important step \ntoward building a more integrated approach to cybersecurity. 
Given that \nour member institutions operate Nationally, are highly interdependent \nwith other industries, and are already closely supervised by multiple \nregulators, we appreciate that this proposal promotes uniform National \nstandards, throughout the cyber ecosystem, with the active engagement \nof sector-specific agencies and sector regulators.\n    Consistent with its comprehensive approach, the proposal strives to \naddress cybersecurity both at the level of the entire ecosystem and \nalso within specific sectors. For example:\n    The DHS Cybersecurity Authority title naturally stresses DHS' role, \n        but it also mentions ``other relevant agencies'' and sector \n        coordinating councils.\n    The Regulatory Framework title focuses largely on DHS leadership \n        and standardized evaluations, but it also mentions ISACs and \n        sector-specific regulatory agencies, and provides for sector-\n        level exemptions.\n    We believe that harmonizing the comprehensive approach with the \nneed to incorporate sector-specific mechanisms will be one of the most \nimportant challenges as the Congress considers this proposal. As this \ncommittee considers DHS' role, and its relationship to the sector-\nspecific roles, we urge Members to leverage existing financial services \nprotections and circumstances, and their analogs in other sectors, \nwhile preserving the inter-sector quality of the proposal. Below, we \noffer the committee two potential approaches and illustrations for \naddressing this DHS/sector nexus:\n  <bullet> Establish a uniform standard with specified exceptions.--In \n        the Data Breach Notification title, the Federal Trade \n        Commission (FTC) could enforce the requirements enacted under \n        this bill, but defer to sector-specific regulators where \n        substantially similar sector-specific rules and guidelines \n        already are in place (e.g. 
the FFIEC could continue to enforce \n        its 2005 interagency breach response guidance, and the \n        Department of Health and Human Services could continue to \n        enforce HITECH).\n  <bullet> Preserve sector autonomy with centralized information \n        aggregation and coordination.--In the Regulatory Framework \n        title, rather than requiring DHS to list critical \n        infrastructure entities for every sector, the sector-specific \n        agencies could make that determination, just as the Financial \n        Stability Oversight Council is responsible for designating \n        Systemically Important Financial Institutions.\n    Given the likely fluidity of the overall solution, we cannot yet \nmake a definitive recommendation for either approach. We do believe \nthat this question of ecosystem/sector balance warrants careful \ndeliberation.\nLaw Enforcement\n    We support the proposal's clarification and strengthening of \ncriminal penalties for damage to critical infrastructure computers, for \ncommitting computer fraud, and for the unauthorized trafficking in \npasswords and other means of access. We also urge similar treatment for \nany theft of proprietary business information. With this extension to \nintellectual property, the law enforcement provisions will improve \nprotections for both consumers and institutions, particularly when \npaired with expanded law enforcement budgets and the recruitment of \npersonnel authorized in later titles. For purposes of this title and \nothers, we presume that many, but not all, financial services systems \nand entities will be designated as critical infrastructure vital to \nNational economic security, and we look forward to further work on the \nassociated criteria.\nData Breach Notification\n    We support the migration to a uniform National standard for breach \nnotification. 
Given existing State and financial services breach \nnotification requirements, this migration will require both strong pre-\nemption and reconciliation to existing regulations and definitions of \ncovered data. [Please see the 2005 FFIEC Interagency Guidance on \nResponse Programs for Unauthorized Access to Customer Information and \nCustomer Notice.] We support the exemptions for data rendered \nunreadable, in breaches in which there is no reasonable risk of harm, \nand in situations in which financial fraud preventions are in place.\nDHS Authority\n    We support strengthening cybersecurity authorities within DHS--and \nthe active collaboration of DHS with the National Institute of \nStandards and Technology (NIST), sector-specific agencies such as the \nTreasury Department, and sector regulators such as our banking, \nsecurities, and insurance supervisors. This title demonstrates both the \nadministration's commitment to an integrated approach and the challenge \nof achieving it. Federal and commercial systems, financial and non-\nfinancial information, DHS planning and sector coordinating council \ncollaboration, are all addressed here and all will need to be very \ncarefully integrated. Within financial services, we are conscious of \nthe many current mechanisms for oversight, information-sharing and \ncollaboration, but we are also conscious of the need for better \nalignment with our partners in other sectors. We look forward to \nfurther work in this area of integration and harmonization, at both the \nlegislative and implementation stages.\n    We also believe that two areas mentioned in this section--fostering \nthe development of essential technologies, and cooperation with \ninternational partners--merit considerable investment. 
As DHS and NIST \npursue their research and development agenda, and as the administration \npursues its recently announced International Strategy for Cyberspace, \nwe hope to see substantial resource commitments and advances in these \nareas.\nRegulatory Framework\n    We support all of the purposes of this section, including, \nespecially: The consultation among sector-specific agencies, \nregulators, and infrastructure experts; and the balancing of \nefficiency, innovation, security, and privacy. We recognize that giving \nDHS a window into financial services' cybersecurity risks, plans, and \nincident-specific information is an important element of building a \ncomprehensive solution. Reconciling all of these elements--Treasury and \nour regulators' sector-specific roles, DHS' integration role, and the \ndual objectives of flexibility and security--will be critically \nimportant if we are to capitalize on existing oversight, avoid \nduplication, and avoid the hazards of public disclosures of sensitive \ninformation.\nFederal Information Security Policies\n    We are encouraged by the proposal of a comprehensive framework for \nsecurity within Federal systems. As institutions report more and more \nsensitive personal and financial data to regulators (and directly and \nindirectly to DHS), it is critically important that this data be \nappropriately safeguarded. Protecting this data, modeling best \npractices, and using Federal procurement policies to expand the market \nfor secure products, are all good motivations for adopting these \nproposed mandates.\nPersonnel Authorities\n    Because we recognize how difficult it is to recruit the most \ntalented cybersecurity professionals, we support the expanded \nauthorities articulated in this section. 
We particularly support \nreactivating and streamlining the program for exchanging public sector \nand private sector experts.\nData Center Locations\n    Consistent with our view of financial services as a National \nmarket, we support the presumption that data centers should be allowed \nto serve multiple geographies. We encourage Congress to consider \nextending this logic for interstate data centers to the international \nlevel, while recognizing that the owners, operators, and clients of \nspecific facilities and cloud networks must continue to be held \naccountable for their security, resiliency, and recoverability of \ncustomer data, regardless of the servers' geographic location or \ndispersion.\n                                h.r. 174\n    We share the overall objective of H.R. 174, the Homeland Security \nCyber and Physical Infrastructure Protection Act of 2011, and we \nsupport many of its specific provisions. Listed below are a few \ncomments and questions that we commend to the committee as it considers \nthis bill and the overall issue of cybersecurity policy.\n    By establishing an Office of Cybersecurity and Communications \nwithin DHS, and vesting it with the authority to establish and enforce \nrequirements across sectors, the bill provides for the comprehensive \ntreatment of cybersecurity that we have endorsed above. It offers two \noptions for enlisting sector-specific agencies and primary regulatory \nauthorities in the effort:\n    Delegation of authorities and responsibilities.--The Director of \n        the Office is given the option to delegate authority to the \n        sector-specific agencies and authorities. 
We think it is \n        appropriate to invest the Director with this option, much as \n        the administration's proposal has invested it in the Secretary \n        of the Department of Homeland Security and the Director of the \n        Office of Management and Budget.\n    However, given the inherent uncertainties in how this option might \n        be exercised, we do not believe this should be the sole \n        mechanism for employing sector-specific expertise and \n        authority.\n    Oversight through sector-specific agencies and authorities.--\n        Throughout the bill, DHS is instructed to consult with its \n        sector-specific partners, have private entities submit \n        information to them, and operate under their guidance. This \n        approach--with DHS setting ecosystem-level standards and sector \n        partners applying them as intermediaries--will reduce the \n        confusion and fragmentation that otherwise could occur in a \n        dual reporting system. We believe that financial institutions \n        will prefer to have their primary regulators continue to serve \n        as their direct supervisor on these issues, even if the \n        Congress determines that some requirements warrant \n        standardization. We believe that this approach merits \n        consideration, along with the standard-with-exceptions and \n        autonomy-with-aggregation approaches discussed in connection \n        with the administration's proposal.\n    We appreciate the bill's focus on risk-based, performance-based \nregulations, rather than prescribed measures. 
As more detail is \ndeveloped around this approach, at both the legislative and regulatory \nstages, we believe it may obviate any need for the more prescriptive \nInternational Organization for Standardization and the International \nElectrotechnical Commission standard 15408 (ISO/IEC 15408).\n    We appreciate the bill's commitment to sharing relevant information \nto the maximum extent possible, and its designation of private-sector \nsubmissions as sensitive security information requiring commensurate \nsafeguards. If other Federal Authorities are actively involved in this \nprocess--consulting on threats, vulnerabilities, and consequences, or \nas members of the interagency working group--we ask that the same \ninformation-sharing objectives and protections apply. As the central \nDepartment in this process, we see DHS as providing a very valuable \ncontribution by aggregating, analyzing, and disseminating this cross-\nsector information. We encourage the committee, and ultimately DHS, to \nleverage the ISACs as a key channel for these communications. We also \nview research and development as a high value-added opportunity, and \nappreciate the bill's attention to this function and enumeration of a \npotential research agenda.\n    We think two of the definitions articulated in the bill are \nparticularly important, and therefore warrant close consideration. \nFirst, the characterization of Covered Critical Infrastructure as \nsystems and assets diverges from the entity-level approach historically \napplied in the financial services sector. Whether the systems-and-\nassets or entity-level approach is selected, we urge the Congress to \ninclude in Covered Critical Infrastructure not only the core of the \ncritical infrastructures, but also their mission-critical service \nproviders. 
In financial services, both the operational reality and the \nregulatory approach require that oversight and other controls extend \nwell beyond the institution.\n    Second, because the definition of Cyber Incident drives reporting \nand response protocols, we see it as a key threshold. The current \ndefinition, as an occurrence that jeopardizes security, may be \ninterpreted very broadly and, without further detail, may set reporting \nand response thresholds lower than necessary.\n                               conclusion\n    We very much appreciate the committee's interest in the important \ntopic of cybersecurity, and particularly in the role DHS plays in this \nelement of critical infrastructure protection. Because The Financial \nServices Roundtable is fully committed to enhancing cybersecurity:\n  <bullet> We will continue to strengthen security with our members and \n        partners,\n  <bullet> We will help answer this question of integrating DHS' \n        ecosystem-level program and the financial authorities' sector-\n        specific efforts,\n  <bullet> And we will work to pass and implement the administration's \n        cybersecurity proposal.\n    Thank you very much for your time. I would be happy to answer any \nquestions you might have.\n        Financial Services Cybersecurity Policy Recommendations\n     financial services sector coordinating council--april 15, 2011\nPolicy Approaches the FSSCC Supports\n    Federal leadership on a National cybersecurity framework, \nimplemented with the active involvement, judgment, and discretion of \nTreasury and the other sector-specific agencies (SSAs).\n    Commitment to two-way public/private information-sharing, \nleveraging the Information Sharing and Analysis Centers (ISACs), the \nUS-CERT, safe harbors, clearances, and confidentiality guarantees. 
This \nmust include sharing of actionable and timely information.\n    Support focused efforts to address critical interdependencies such \nas our sector's reliance on telecommunications, information technology, \nenergy, and transportation sectors. Continue to leverage and expand on \nexisting mechanisms (e.g., NSTAC, NIAC, PCIS).\n    Involvement of Treasury and other SSAs in cyber emergencies.\n    Federal cybersecurity supply chain management and promotion of \ncybersecurity as a priority in Federal procurement.\n    Public education and awareness campaigns to promote safe computing \npractices.\n    Attention to international collaboration and accountability in law \nenforcement, standards, and regulation/supervision.\n    Increased funding of applied research and collaboration with \nGovernment research agencies on authentication, access control, \nidentity management, attribution, social engineering, data-centric \nsolutions, and other cybersecurity issues.\n    Increased funding for law enforcement at the international, \nNational, State, and local levels and enhanced collaboration with \nfinancial institutions, service providers, and others that are critical \nto investigating cyber crimes and creating a better deterrent.\n    Heightened attention to ICANN and other international internet \ngovernance bodies to enhance security and privacy protection.\n    Strengthening of Government-issued credentials (e.g. birth \ncertificates, driver's licenses, and passports) that serve as \nfoundation documents for private sector identity management systems.\n    Enhanced supervision of service providers on whom financial \ninstitutions depend (e.g. 
hardware and software providers, carriers, \nand internet service providers).\n    Recognize the role of Federal financial regulators in issuing \nregulations and supervisory guidance on security, privacy protection, \nbusiness continuity, and vendor management for financial institutions \nand for many of the largest service providers.\nPolicy Approaches the FSSCC Opposes\n    Detailed, static cybersecurity standards defined and maintained by \nFederal agencies in competition with existing, private, standard-\nsetting organizations.\n    Establishment of vulnerability, breach, and threat clearinghouses, \nunless security and confidentiality concerns can be definitively \naddressed.\n    Sweeping new authority for the Executive Branch to remove access to \nthe internet and other telecommunications networks without clarifying \nhow, when, and to what extent this would be applied to critical \ninfrastructure.\n\n    Mr. Lungren. I thank you, Mr. Williams.\n    Now Mr. Clinton.\n\n   STATEMENT OF LARRY CLINTON, PRESIDENT, INTERNET SECURITY \n                            ALLIANCE\n\n    Mr. Clinton. Thank you, Mr. Chairman, Ms. Clarke, Members \nof the committee. I appreciate your inviting the Internet \nSecurity Alliance to this hearing to examine the \nadministration's legislative proposal.\n    Since ISA represents primarily companies that represent \ncritical infrastructure, I am going to confine my remarks to \nthe regulatory aspects and proposals in the administration's \nplan.\n    The Internet Security Alliance is a multi-sector trade \norganization focused exclusively on cybersecurity. We were \nformed in 2000. That is nearly 2 years before the events of 9/\n11, 4 years before DHS was created, 6 years before DHS created \na cyber assistant secretary, 7 years before they filled that \nposition, 9 years before the President appointed a cyber czar, \nand 11 years before the President sent a legislative proposal \non cybersecurity to the Congress. 
For more than a decade, the \nprivate sector has been leading the fight to improve \ncyberspace.\n    During this time, we have testified several times before \nCongress, constantly urging, even begging, Congress and the \nadministration to take a more active role in addressing our \ncyber threat. There may be some in the private sector who think \nthat the Government should take a hands-off role in this \nregard. ISA is not among them.\n    As the Chairman pointed out, the ISA has proposed its own \nmarket-based system for improving our cybersecurity system, the \n``Cyber Security Social Contract,'' which was cited early and \noften in the President's Cyberspace Policy Review. We are not \nalone. Earlier this year, several of the major organizations \nthat represent industry in this space--BSA, CDT, TechAmerica, \nChamber of Commerce, and the ISA--banded together to present a \ndetailed white paper of policy proposals for improving our \nNation's cybersecurity.\n    With regard to the administration's position, we find the \nproposal is both too broad and too Government-centric. Although \nit has been suggested that the intent of the administration's \nproposal is to cover core infrastructure, we find a reading of \nthe legislative language rates it as far more extensive.\n    While there are provisions in the proposal calling for \ncollaboration with industry, we don't need an act of Congress \nfor that sort of collaboration, and the collaboration always \nends with Government fiat. For example, Section 7 requires CEOs \nto certify that they are in compliance with plans required \nunder Section 8 and empowers the Secretary to review any \nentity's plan. If DHS finds the plan wanting for some reason, \nthey are empowered to, ``take any action the Secretary deems \nappropriate.''\n    In addition, paragraph 4 empowers the Secretary to evaluate \nthe frameworks created through various discussions with the \nprivate sector. 
However, should DHS decide that the standard \nframeworks don't meet their own criteria, they are empowered to \nadopt their own criteria and force the companies to choose \nthose.\n    Government does not have all the answers, and it will not \nbe the best judge of how to manage private systems. Altering \nour strategy of the public-private partnership to give the \nFederal Government final say over how private companies manage \ntheir systems will be costly, inefficient, and ineffectual.\n    Moreover, creating this regulatory role for DHS will \nfundamentally alter the nature of the relationship between \nGovernment and the private sector by replacing a voluntary \nrelationship built on collaboration with an adversarial \nrelationship based on regulatory mandates, reports, and \ncompliance. As the research I cite in my written testimony \nshows, a security system based on that reactive model will be \nless effective and sustainable.\n    Now, there is a lot we can do to improve our cybersecurity. \nAs the Chairman pointed out, we need to alter the economic \nbalance with regard to the incentives dealing with \ncybersecurity. Our testimony, as well as the multi-trade \nassociation paper, points out that there is a great deal \nCongress could do to provide incentives at no cost to the \nGovernment which will lead to the adoption of best practices \nwhich a range of studies have indicated can stop between 80 and \n94 percent of cyber attacks.\n    There is another area of cyber attack, many of which \nMelissa mentioned earlier on, known as the APT, ultra-\nsophisticated sorts of attack, that are going to require an \nentirely different strategy. But we do have things in place to \ndeal with that also.\n    With regard to the administration's proposal, however, we \nfind that the mandatory reporting that they use will diminish \nmotivation for internal investigators, who may worry about \nfinding out material that will be harmful to their company. 
It \nwill add to the ultimate cost of detection tools and services, \nmaking companies more reluctant to spend money on them.\n    Moreover, we find the evaluation program that is proposed \nby the administration's proposal to be anti-security. One of \nthe things that everybody agrees on in this space is that we \ndon't have enough cybersecurity professionals. This proposal \nrequires virtually all entities that are covered--and that \ncould be many, many entities--to have annual evaluations. So we \nare creating an army of insiders roaming throughout the \nsecurity procedures of our most critical networks on an on-\ngoing basis. The value that they would have in terms of \nproviding actual, real security is far offset by the increased \nrisk of having an army of poorly-trained insiders going through \nour security.\n    We feel it will be far more preferable for Congress to work \nwith DHS and the rest of the administration to create a system \nwhere there are market incentives so that organizations will \nseek to alter the balance with regard to security return on \ninvestment--invest appropriately so that they can have \nimprovements in their own security and our Nation's security.\n    Thank you.\n    [The statement of Mr. Clinton follows:]\n                  Prepared Statement of Larry Clinton\n                             June 24, 2011\n                            i. introduction\n    Good morning Mr. Chairman, and thank you for inviting the Internet \nSecurity Alliance to testify before the Cybersecurity, Infrastructure \nProtection, and Security Technologies Subcommittee.\n    The Internet Security Alliance is a multi-sector trade association \nthat develops best practices and standards, along with technological, \neconomic, and public policy services focused exclusively on \ncybersecurity.\n    ISA was founded and fully funded by a group of private sector \nentities in 2000. 
That's nearly 2 years before the tragic events of 9\n///11, 4 years before Congress created DHS, 6 years before DHS created its \nfirst cybersecurity assistant secretary, 7 years before they filled \nthat position, 9 years before the President appointed his first ``cyber \nczar'' and 11 years before the President presented his first set of \nlegislative proposals on cybersecurity to the Congress.\n    For more than a decade, the private sector has been taking a \nleadership role in the fight to secure cyber space. That is one reason \nwe were delighted when President Obama addressed this issue from the \nWhite House and published the Cyberspace Policy Review shortly after \ntaking office--an enlightened document based on an extensive and wide-\nranging study by staff of the National Security Council.\nii. the private sector has been aggressively attempting to utilize the \n        public-private partnership to enhance our cybersecurity\n    Over the past decade, ISA has testified approximately a dozen times \nbefore various Congressional committees constantly urging, even \npleading, for the Government to take more aggressive steps to enhance \nour Nation's cybersecurity. There may be some in the private sector \nthat have suggested a hands-off role for the Government in this space, \nbut ISA is not one of them.\n    And, we are not alone. 
When legislation began heating up in the \nlast Congress we heard reports from policymakers that there were so \nmany private-sector entities that were interested in the subject that \nis was becoming difficult for our Government partners to achieve \nclarity as to where the private sector stood on the issue.\n    As a result, several of the major associations involved in this \ndebate banded together and worked over a period of 6 months to create a \ndetailed--26-page--white paper specifying our overall approach to \ncybersecurity and providing detailed policy recommendations.\n    This unique coalition, which included the Internet Security \nAlliance, the Business Software Alliance, the Center for Democracy and \nTechnology, Tech America and the U.S. Chamber of Commerce is noteworthy \nfor several reasons.\n    First, is the obvious size of the coalition, covering literally \ntens of thousands of companies. Second, is the breadth of the \ncoalition. In the cybersecurity field, the ``partisan divide'' is \ngenerally between the providers of technology and the users of \ntechnology. This coalition included both. In addition, the civil \nliberties community is represented by the most active such organization \nin this space, CDT.\n    Finally, there is the depth of the coalition. It is not uncommon to \nsee a coalition of this size in the District of Columbia; however, they \nare usually brought together on a 1- or 2-page letter. In this case, we \nhave produced an extended, and we think a cutting-edge, detailed policy \npaper that analyzes a wide range of issues in the cybersecurity space \nand proposes specific policies--not just broad principles.\n    Moreover, we sought, as much as possible to be open with our \nGovernment partners. We took as our starting points the official \npublications produced by our Government partners: the National \nInfrastructure Protection Plan (NIPP) and the Cyberspace Policy Review \nreleased by President Obama in May of 2009. 
Central to both these \ndocuments is the need for the Government to work in partnership with \nthe private sector.\n    This realization has nothing to do with politics. It is based on \nthe fact that in cyber conflicts, it is the private sector that is most \nlikely to be on the front lines and it is the networks owned and \noperated by the private sector that provide the critical \ninfrastructure--both the regulated and non-regulated ones--upon which \nany modern nation relies.\n    Government does not have all the answers and often will not be the \nbest judge of how to manage private systems. Altering our strategy to \ngive the Federal Government final say over how private companies manage \ntheir systems will be costly, inefficient, and ineffectual. \nCybersecurity must be achieved through a true partnership between the \npublic and private sectors. We specifically endorsed this foundation as \nembraced in these documents:\n\n``The current critical infrastructure protection partnership is sound, \nthe framework is widely accepted, and the construct is one in which \nboth Government and industry are heavily invested. The current \npartnership model has accomplished a great deal. However, an effective \nand sustainable system of cybersecurity requires a fuller \nimplementation of the voluntary industry-government partnership \noriginally described in the NIPP. Abandoning the core tenets of the \nmodel in favor of a more Government-centric set of mandates would be \ncounterproductive to both our economic and National security. Rather \nthan creating a new mechanism to accommodate the public-private \npartnership, Government and industry need to continue to develop and \nenhance the existing one.''\\1\\\n---------------------------------------------------------------------------\n    \\1\\ Business Software Alliance, Center for Democracy & Technology, \nU.S. 
Chamber of Commerce, Internet Security Alliance, TechAmerica; \nImproving our Nation's Cybersecurity through the Public-Private \nPartnership: A White Paper; March 2011.\n\n    In an attempt to develop our own policy proposals via the \nestablished partnership model, we not only notified the White House of \nour intent to create the industry White Paper, but reached out to them \non a regular basis to keep them informed of our progress. We discussed \nthe work at the forums established under the NIPP, such as the IT \nSector Coordinating Council meetings, which are regularly attended by \nDHS staff. When the paper was completed, well prior to release, we sent \na full copy to the White House for their review and comment. We \nrequested, and eventually received, a 1-hour meeting at the White House \nto brief them on our proposals and requested on-going interaction so \nthat we could, as partners, come to a common ground on the way forward. \nUnfortunately, no subsequent meetings were scheduled and we were never \nbriefed on the White House's own--substantially different--approach \nuntil it was released and sent to the Congress.\n              iii. we have the tools to stop basic attacks\n    The committee is aware of numerous and varied cyber attacks. Indeed \nthe internet is under attack all day, every day, and while we \nsuccessfully deal with the vast majority of the attacks, we also must \naggressively improve our cybersecurity.\n    However, not all attacks are the same. Cyber attacks can of course \nbe segmented many ways, but given the shortage of time, we can create \ntwo broad categories; one of basic attacks (which can be extremely \ndamaging) and one of very sophisticated attacks.\n    Most cyber attacks fall into the first--the basic--category. 
\nAlthough these attacks can be devastating from many different \nperspectives, they also are largely preventable.\n    Several different sources including Government, industry, and \nindependent evaluators have concluded that the vast majority of these \nattacks--between 80% and 90%--could be prevented or successfully \nmitigated simply by adopting best practices and standards that already \nexist. Among the sources who have reported this finding we can list the \nCIA, the NSA, PricewaterhouseCoopers, and CIO Magazine.\n    Most recently, a comprehensive study jointly conducted by the U.S. \nSecret Service and Verizon included a forensic analysis of hundreds of \nbreaches and literally thousands of data points and concluded that 94% \nof these, otherwise successful, cyber attacks could have been \nsuccessful managed simply by employing existing standards and \npractices.\n             iv. why are we not stopping the basic attacks?\n    Cost.\n    Some have suggested that the market has failed to produce the \nneeded technology to address the cyber threat. That is not the case.\n    President Obama's own Cyberspace Policy Review documents the fact \nthat the private sector has developed many adequate mechanisms to \naddress our cyber insecurity but they are not being deployed: ``many \ntechnical and network management solutions that would greatly enhance \nsecurity already exist in the marketplace but are not always used \nbecause of cost and complexity.''\\2\\\n---------------------------------------------------------------------------\n    \\2\\ Obama administration, Cyberspace Policy Review--Assuring a \nTrusted and Resilient Information and Communications Infrastructure at \n31.\n---------------------------------------------------------------------------\n    This finding is substantiated by multiple independent surveys that \nalso identified cost as the biggest barrier to deploying effective \ncybersecurity solutions. 
This research shows that although many \nenterprises are investing heavily in cybersecurity, many others, \nlargely due to the economic downturn, are reducing their cybersecurity \ninvestments.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ PricewaterhouseCoopers, The Global State of Information \nSecurity, 2008. Center for Strategic & International Studies, In the \nCrossfire: Critical Infrastructure in the Age of Cyber War, 2010.\n---------------------------------------------------------------------------\n    The fact is that many companies don't see an adequate ROI to cyber \ninvestments. This real-world problem cannot be permanently wiped away \nby granting a Government department the power to mandate uneconomic \nexpenditures as President Obama himself pointed out last year at the \nWhite House: ``Due to the interconnected nature of the system this lack \nof uniform implementation of sound security practices both undermines \ncritical infrastructure and makes using traditional regulatory \nmechanisms difficult to achieve security.''\\4\\\n---------------------------------------------------------------------------\n    \\4\\ White House, Remarks by President Obama at White House Meeting \non Cyber Security, July, 2010.\n---------------------------------------------------------------------------\n    Rather, we need to find ways to work within the partnership to \nencourage firms to make investments that may go beyond their own \ncommercial risk management requirements for security, but might rise to \nthe level of a broader National interest. This principle was recognized \nin the creation of the original NIPP:\n\n``The success of the [public-private] partnership depends on \narticulating the mutual benefits to Government and private sector \npartners. 
While articulating the value proposition to the Government \ntypically is clear, it is often more difficult to articulate the direct \nbenefits of participation for the private sector . . . In assessing the \nvalue proposition for the private sector, there is a clear National \nsecurity and homeland security interest in ensuring the collective \nprotection of the Nation's [critical infrastructure and key resources] \n(CI/KR). Government can encourage industry to go beyond efforts already \njustified by their corporate business needs to assist in broad-scale \nCI/KR protection through activities such as:\n  <bullet> ``Providing owners and operators timely, analytical, \n        accurate, and useful information . . . \n  <bullet> ``Ensuring industry is engaged as early as possible in the \n        development of initiatives and policies related to [the NIPP].\n  <bullet> ``Articulating to corporate leaders . . . both the business \n        and National security benefits of investing in security \n        measures that exceed their business case.\n  <bullet> ``Creating an environment that encourages and supports \n        incentives for companies to voluntarily adopt widely accepted, \n        sound security practices.\n  <bullet> ``Providing support for research needed to enhance future \n        CI/KR protection efforts.''\\5\\\n---------------------------------------------------------------------------\n    \\5\\ National Infrastructure Protection Plan, 2006 at 9.\n---------------------------------------------------------------------------\n    The Obama ``Cyberspace Policy Review'' went even further in \nsuggesting this pathway by suggesting a mix of tailored incentives \nincluding liability incentives, procurement incentives, \nindemnification, and even tax incentives.\n    The multi-trade association White Paper continued this chorus of \nsupport for this approach.\n    ``One of the most immediate, pragmatic, and effective steps that \nthe Government could take 
to improve our Nation's cybersecurity would \nbe to implement the recommendations made in the CSPR to explore \nincentives, such as liability considerations, indemnification, and tax \nincentives. For example:\n  <bullet> ``Tax incentives that encourage establishing additional \n        cybersecurity investments, such as the R&D tax credit;\n  <bullet> ``Grant funding is used effectively in other homeland \n        security areas such as emergency preparedness and response. \n        Critical infrastructure industries can use grant funds for \n        research and development, to purchase equipment, and to train \n        personnel;\n  <bullet> ``Streamlining regulatory procedures, which would cut both \n        Government and industry costs;\n  <bullet> ``Updating the SAFETY Act to better appreciate the cyber \n        threat that has become more evident since its enactment. This \n        Act, which provides a mix of marketing, insurance, and \n        liability benefits for technologies designated or certified by \n        DHS, can be expanded to standards and practices as well as \n        technologies that protect against commercial as well as \n        terrorist threats;\n  <bullet> ``Liability protections or regulatory obligations (e.g., for \n        utilities) adjusting in numerous ways to provide incentives for \n        enhanced security practices, such as adoption of standards and \n        practices beyond what is required to meet commercial risks, or \n        enhanced information sharing. Liability benefits do not need to \n        be elevated to immunity to be attractive. Categories of \n        liability (e.g., punitive vs. 
actual damages) or burden of \n        proof levels (preponderance rather than clear and convincing \n        evidence) can be adjusted to motivate pro-security behavior \n        without costing taxpayer dollars; and\n  <bullet> ``Stimulating the growth of a private cyber insurance \n        industry that can both provide private economic incentives to \n        spur greater cybersecurity efforts while also creating a \n        private market mechanism that fosters adoption and compliance. \n        The Government should give consideration to implementing \n        reinsurance programs to help underwrite the development of \n        cybersecurity insurance programs. Over time, these reinsurance \n        programs could be phased out as insurance markets gain \n        experience with cybersecurity coverage.\n    To accommodate the needs of a wide variety of critical \ninfrastructures with different economic models, the public-private \npartnership should develop a menu of incentives that can be tied to \nvoluntary adoption of widely-accepted and proven-successful security \nbest practices, standards, and technologies. The R&D tax credit may be \nthe most attractive option for an IT security vendor, while a defense \nfirm may be more interested in procurement options, an electric utility \nin a streamlined regulatory environment, or an IT-user enterprise in an \ninsurance discount and risk transfer. Many of these incentives are \ndeployed successfully in other areas of the economy, but not yet to \ncybersecurity.''\\6\\\n---------------------------------------------------------------------------\n    \\6\\ Business Software Alliance, Center for Democracy & Technology, \nU.S. Chamber of Commerce, Internet Security Alliance, TechAmerica; \nImproving our Nation's Cybersecurity Through the Public-Private \nPartnership: A White Paper; March 2011 at 10-11.\n---------------------------------------------------------------------------\n                  v. 
addressing sophisticated attacks\n    While most cyber attacks are fairly basic and can be stopped or \nmitigated with the deployment of existing standards, practices, and \ntechnologies which could be achieved through the use of a creative \nincentive system, there are still other much more insidious and \nsophisticated attacks that are not going to be stopped with best \npractices.\n    Again, there are many ways to characterize these attacks but one \ncommon term that has come to be used somewhat generically in the field \nis the Advanced Persistent Threat (APT).\n    Without getting into the academic debate over what constitutes the \nAPT, it suffices to say these are sophisticated attacks. These are not \n``hacker kids'' or kids in basements. These attacks are formulated by \nhighly sophisticated, well-organized, well-funded, often state-\nsponsored attackers. These guys are pros. They are very good, and if \nthey target you or your system you can be pretty sure they will succeed \nin penetrating, or ``breaching'' your system.\n    However, this does not mean we have no defense. Indeed, many \ncompanies have been working for several years with some success on \nmitigating APT attacks although it necessitates altering our defensive \nposture from one of perimeter defense geared to stopping breaches to \ninternal detection and mitigation.\n    Again, the private sector White Paper identifies some of the \ncurrent core strategies that the Government, in collaboration with the \nprivate sector ought to be deploying to address the APT style (ie. more \nsophisticated) attacks. However, it is important to note that there is \nno silver bullet to addressing these advanced threats.\n    The core reason we have attacks, and they will likely continue, is \nthat the economic incentives generally favor the attackers. 
Many \nattacks are cheap, easy, and profitable while on the other hand, an \ninfinite perimeter needs defending, it is very hard to catch and \nprosecute cyber attackers and it is difficult to demonstrate ROI to \nthings that you have prevented such as cyber attacks.\n    So long as our economic equation for cybersecurity remains out of \nbalance, we are going to continue to have attacks. This needs to be \nunderstood not as a discrete problem for which there will be a simple \nand unchanging security technology--like a seat belt or a set of gold \nstandard Government metrics. Rather, this is an on-going and persistent \nthreat that needs continuous deployment of creative strategies that \nevolve with the dynamic threat.\n             vi. the administration's legislative proposal\n    Unfortunately, after waiting 2 years for the administration to \nfollow up on its CSPR, we received a legislative proposal produced \nwithout coordination with the private-sector partnership the \nadministration itself had established for this purpose, and which:\n  <bullet> Fails to follow up on the promise of earlier work by this \n        and the previous administration;\n  <bullet> Does not address the core economics issues which drive our \n        lack of cyber insecurity;\n  <bullet> Would create an extensive new bureaucracy that will not \n        address the persistent cyber threats we face; and\n  <bullet> Could add significant new threats that are not justified by \n        the dubious benefits of the unbounded intrusions into our most \n        critical infrastructure.\n    Since ISA works primarily with major entities from most for our \nNation's critical infrastructure, we will focus our testimony to \nSection 3 of the President's proposal, which establishes a new and \nextensive regulatory structure over the private sector.\nvii. 
the administration's legislative proposal fundamentally alters the \n                       public-private partnership\n    When he released the Cyberspace Policy Review in 2009 President \nObama himself said:\n    ``Let me be very clear: My administration will not dictate security \nstandards for private companies. On the contrary we will collaborate \nwith industry to find technology solutions that ensure our security and \npromote prosperity.''\\7\\\n---------------------------------------------------------------------------\n    \\7\\ President Barack Obama, Release of the Cyberspace Policy \nReview, May 29, 2009.\n---------------------------------------------------------------------------\n    Unlike the rigorous and open process the Obama administration \nconducted in developing the Cyberspace Policy Review, the current \nlegislative proposal was not developed in any way by ``collaboration \nwith industry to find technology solutions.''\n    ISA participates in numerous bodies set up under the NIPP to \nfacilitate this sort of coordination including the Sector Coordinating \nCouncils, the Cross Sector Cybersecurity Working Group, the Critical \nInfrastructure Partnership Advisory Council (CIPAC) and the Software \nAssurance Forum. 
Despite repeated requests for the administration to \nengage with these bodies, designated by them for collaboration to \ndevelop solutions, there were no discussions at even a conceptual level \nabout this proposal which would, if enacted, fundamentally alter the \nlong-standing relationship.\n    Had the administration used the bodies designated for this sort of \ninteraction, I believe the proposal would be both substantively \nstronger and politically more practical.\n    Notwithstanding the process, the Centerpiece of the proposal--the \nestablishment of an unbounded regulatory structured for the Department \nof Homeland Security--is obviously directly at odds with what the \nPresident pledged when he released the Cyberspace Policy Review 2 years \nago.\n    Obviously it will be the the committee and the Congress' decision \nwhether to follow this new Government-centric approach, but there \nshould be clarity at the very least that by establishing a broad \nregulatory framework, as this proposal does, it will fundamentally \nalter the nature of the relationship between the Government and private \nsector.\n    It's often said that to a hammer, everything looks like a nail. And \nprisoners and prison guards do not have a partnership. One body is \nmandated to do what the other entity directs. While there is a fair \namount of verbiage in the administration's proposal about working with \nthe private sector, as we will discuss shortly, at the end of the day, \nthis legislative proposal will allow DHS to regulate pretty much any \nentity it elects to regulate and mandate whatever DHS elects ought to \nbe mandated.\n    Some may argue that such a system of regulatory mandates will \nfinally solve our cybersecurity problem; however, there is no evidence \nthat this will be the case. 
Indeed, the academic research on motivating \ninvestment in information security specifically points in the opposite \ndirection indicating that ``proactive'' investments motivated by market \nincentives are more effective than reactive (prompted by regulation) \nare.\n    A new study released from Dartmouth College earlier this month \ndocuments this finding, ``Proactive investments are more effective at \nreducing security failures than reactive investments. When proactive \ninvestments are forced by an external requirement, the effect of the \nproactive investment is diminished . . . our results show that learning \nby doing through proactive security investments relies on economic \nincentives whereas unilaterally mandated procedures do not have any \neconomic incentive . . . Government requirements simply focus attention \non the problem area rather than discovery and learning by doing . . . \nexternal pressure does not have significant social incentives.''\\8\\\n---------------------------------------------------------------------------\n    \\8\\ Kwon, Juhee, and Johnson, Eric; An Organizational Learning \nPerspective on Proactive vs. Reactive Investment in Information \nSecurity. Dartmouth College, NH. June 2011 at 18.\n---------------------------------------------------------------------------\n  viii. the administration's legislative proposal is not supported by \n                         research or precedent\n    Research \\9\\ has consistently shown that the single biggest barrier \nto enhancing the cybersecurity of our Nation's critical infrastructure \nis economic. As previously mentioned, the National Infrastructure \nProtection Plan (NIPP)\\10\\ identified the need for Government to create \na value proposition for industry to make investments in cybersecurity \nthat are not justified by their business needs, but may be required for \noverall National security. 
In fact, the Cyberspace Policy Review \nspecifically advocated the development of proactive market incentives \nsuch as procurement, tax, and liability to incentivize additional \ncybersecurity investments.\\11\\\n---------------------------------------------------------------------------\n    \\9\\ PricewaterhouseCoopers, The Global State of Information \nSecurity, 2008. Center for Strategic & International Studies, In the \nCrossfire: Critical Infrastructure in the Age of Cyber War, 2010.\n    \\10\\ The National Infrastructure Protection Plan (NIPP) is \navailable at http://www.dhs.gov/files/programs/editorial_0827.shtm#0.\n    \\11\\ Executive Office of the President, Cyberspace Policy Review--\nAssuring a Trusted and Resilient Information and Communications \nInfrastructure, May 2009.\n---------------------------------------------------------------------------\n    However, the administration's legislative proposal does not follow \nthrough on any of these policy commitments.\n    Instead the administration's current legislative proposal relies \nprimarily on ``disclosure'' as a market incentive, to hoping that \nreaction to such a public disclosure will generate increased \ncybersecurity investment. While at one point this may have made sense, \nit is not likely to be helpful when addressing the current attacks we \nface.\n          ix. the focus on disclosure of breaches is outdated\n    Most cyber attack disclosure requirements are founded on \nmisconceptions about what it is companies have available to disclose. \nMost successful modern cyber attacks go undetected. Furthermore, cyber \nintrusions and malware, as they become more sophisticated and more \ndamaging, become increasingly difficult to detect. 
The tools and \nservices for detecting them are very expensive, and the evidence for \ntheir presence is often very ambiguous.\n    The fact that the proposed legislation and the discussions that \nsurround it are constantly referring to ``breaches'' shows how rapidly \npolicy in this field becomes dated. ``Breaches'' were the big \ncybersecurity concern of the last few years, but they are not the big \ncybersecurity concern of the era that began with Stuxnet. What's more, \nthe very term ``breaches'' suggests that the remedy to cyber attacks is \nperimeter defense--guarding the organization's information border \nagainst forces attempting to penetrate, or ``breach'' it. This is a way \nof thinking about cybersecurity that many of the foremost cybersecurity \nexperts have been arguing is obsolete for half-dozen years now. ISA \npresented this finding to the Obama administration which cited the \nstudy in their Cyberspace Policy Review and published it on the White \nHouse website, but did not reference it in their own legislative \nproposal.\n    In fact, most companies are unable to tell whether they have been \nthe victim of a successful cyber attack unless they make a special \neffort to investigate, spend additional resources on the effort, and \nhave the necessary skills and tools already on hand. The initial signs \nthat need to be pursued in order to discover a skilled cyber attack are \nhard to define, constantly changing, and often very subtle and thus \nunsuitable for the annual evaluation procedure the administration \nproposes to rely on. Uncovering a highly-skilled cyber attack is \ncurrently much more of an art than a science. It can require intuition, \ncreativity, and a very high degree of motivation.\n     x. the administration's proposal creates the wrong incentives\n    Mandatory disclosure punishes companies that are good at detecting \nintrusions and malware. It creates an incentive not to know, so that \nthere is no obligation to report. 
It diminishes the motivation of \ninternal investigators, who may worry that finding out exactly what \nhappened may do their company more harm than good. It adds to the \nultimate costs of detection tools and services, making companies more \nreluctant to spend money on them.\n    Requiring companies to disclose their cybersecurity plans and \ncertifications is, if anything, even more likely to have unintended \nconsequences than requiring disclosures of successful cyber attacks. \nThe kinds of language and administrative formulas that would be adopted \nto comply with such requirements would almost certainly have little to \ndo with real cybersecurity. This is partly because the field is \ndeveloping so rapidly that by the time cybersecurity plans were \nrecognized as fulfilling administrative expectations, they would \nalready be obsolete. There is also no way to tell at the level of a \n``general plan'' whether the cybersecurity measures involved would be \ndoing any good or not. The consequence of disclosing such plans would \nbe another, costly level of administrative bureaucracy and auditors \nthat would probably only be getting in the way of good security.\nxi. administration's proposed language provides dhs with unfettered and \n               unjustified authority over private systems\n    Although it has been suggested that the intent of this legislation \nis to cover only the most critical ``core'' infrastructure, a careful \nreading of the legislative language indicates that it provides \nessentially unfettered authority to DHS to mandate technical standards \nfor almost any aspect of the private sector.\n    Sec. 
3 of the Regulatory Framework for Covered Critical \nInfrastructure lists a full page of requirements to be met before an \nentity is subject to these, as yet unspecified, Federal mandates.\n    However, when reading through them, they don't provide any limit on \nthe Secretary's authority to designate any enterprise as a so-called \n``covered critical infrastructure'' and thus subject to DHS mandates.\n    It's easiest to analyze the impact of the sections if we review \nthem in reverse order.\n    Subsection D states that being named on the list as a covered \ncritical infrastructure under this section ``shall be considered a \nfinal action for purposes of judicial review.''\n    Subsection C lists a variety of criteria to be placed on a ``risk-\nbased tier,'' but criterion No. 4 is ``such other factors as the \nSecretary deems appropriate,'' which means the Secretary can place any \nentity on any tier for any reason he or she wants to.\n    Subsection B lists only 2 criteria for inclusion. One \ncriterion is that the entity or system ``is dependent on information \ninfrastructure to operate.''\n    Since virtually all modern systems are reliant on some form of \ninformation infrastructure to operate, that criterion is all-\nencompassing.\n    That leaves us only with the criterion listed in section B1, which is \nthat incapacity or disruption of the reliable operation of the system \nwould have a ``debilitating effect on National security, National \neconomy, or National public health or safety.''\n    We regard ``debilitating'' as a fairly loose, and frankly weak, \ncriterion for conferring such broad authority to the Secretary. To \n``debilitate'' simply means to weaken--it doesn't necessarily mean to \nweaken a lot--just weaken. 
When I catch a cold, I'm somewhat \ndebilitated--but I wouldn't want the CDC to have the power to therefore \nregulate me.\n    According to this legislative language, if the Secretary decides, \nfor any reason, that the incapacity of a system might in some way \nweaken our economy, security, or safety, he or she has the authority to \nmandate--as a final action--whatever technical standards over their \ncyber systems the Secretary desires.\n    For example, the recent SONY Play Station attacks reportedly will \ncost more than a billion dollars in damage, which one can argue weakens \nor ``debilitates'' the economy at least somewhat. Would that then make \nSONY Play Station's ``covered critical infrastructures'' under this \ndefinition? When asked that question at a recent Judiciary Committee \nhearing, an administrative witness replied that that determination \nwould have to be made through rulemaking under the Act.\n    In addition, the language does not state that the debilitating \neffect referred to in Sec. (b)(1) has to be from a cyber incident. \nAccording to this legislative language, the fact that the World Trade \nCenter was attacked with airplanes, which obviously had a debilitating \neffect on our security and economy, would be justification for DHS to \nimpose mandates on the cyber systems operating in the WTC, even though \nthey had nothing to do with the attack.\n    In addition, one criterion DHS will use in assigning an entity as a \ncovered critical infrastructure is its interconnectedness with other \ninfrastructures. That again allows for a tremendous expansion of \npotential DHS authority.\n    For example, the supply chain for weapons systems can be thousands \nof companies long. Obviously, interruption of the operation of these \nsystems for whatever reason--including non-cyber reasons--affects our \nNational security. 
So under this language, all these thousands of other \ncompanies would be potentially subject to DHS regulation due to their \ninterconnection to the main weapons system project.\n    Moreover, under Sec. B1 of this provision, DHS will regulate \n``entities'' as opposed to systems or assets. This presumably means \nthat an attack having a debilitating--however minor--effect on \nsecurity, economy, or health would result in the regulation of the \nentire entity the system is interconnected with.\n    The bottom line is that this legislative proposal provides almost \nunbounded discretion for DHS to classify an entity as covered critical \ninfrastructure and subject the entire entity to unspecified regulation.\n    Section 9 states specifically that ``the Secretary shall promulgate \nregulations . . . to carry out the provisions of the Title.''\n    Section 2 states clearly that one of the purposes of the Act is to \n``establish workable frameworks for implementing cybersecurity minimum \nstandards and practices.''\n    Some may ask, ``what's wrong with DHS establishing minimum \nstandards for industry through a rulemaking?'' The problem is it won't \nwork and it is substantially counterproductive.\n    Now, ISA is a big fan of standards and practices, and we work with \nmany entities, including NIST and other Federal Government agencies as \nwell as private sector entities, to create and constantly update them.\n    However, there is a major difference between using the existing \nconsensus process to develop international standards and practices and \nhaving a Government entity determine such standards and mandate them on \nthe private sector.\n    The multi-trade association White Paper addresses this argument in \nan entire section, concluding that:\n\n``[w]e have already seen that attempts to impose Nation-specific \nrequirements under the auspices of security are not embraced by the \nprivate sector or the civil liberties and human rights community for \nboth 
public policy and economic reasons. A Government-controlled system \nof standards development that resides outside the existing global \nregime will not be accepted. If imposed, it would quickly become a \nsecond-tier system without widespread user or technology community \nadoption, thereby fracturing the global network of networks and \nweakening its security.''\\12\\\n---------------------------------------------------------------------------\n    \\12\\ Business Software Alliance, Center for Democracy & Technology, \nU.S. Chamber of Commerce, Internet Security Alliance, TechAmerica; \nImproving our Nation's Cybersecurity Through the Public-Private \nPartnership: A White Paper; March 2011 at p. 8.\n---------------------------------------------------------------------------\n    Again, although there is a great deal of verbiage discussing how \nthe Government will work with the private sector, the bottom line is \nthat this legislative proposal consistently gives DHS massive new \nregulatory authority.\n    Section 7 requires CEOs to certify that they are in compliance with \nthe plans required under the Act. Although there is substantial \nverbiage suggesting that DHS will work with the covered entities in \ncreating these plans, Section 8 empowers the Secretary to review any \nentity's plan, and if DHS finds the plan wanting for some reason, they \nare empowered to ``take such action as the Secretary deems \nappropriate.'' In addition, paragraph 4 empowers the Secretary to \nevaluate the frameworks created through various discussions with the \nprivate sector. However, should DHS determine that the standardized \nframeworks don't meet their criteria, they are empowered to adopt their \nown framework to meet their criteria, and, thus, the DHS framework \nwould be what a covered entity would be required to implement and \ncertify.\n   xii. 
the administration's proposal for evaluation is anti-security\n    Under this proposal, an apparently enormous range of companies \nwould be required to construct plans for cybersecurity and be \nrequired to hire Federally-approved ``evaluators'' to review their \ninternal security on an annual basis. There is little, if any, evidence \nthat regulatory compliance per se improves security. Indeed, many \nreport that compliance requirements distract personnel from security \nwork to attend to the compliance regime.\n    Moreover, it is acknowledged on all sides that we face a critical \nshortage of qualified cybersecurity personnel and so the army of \nevaluators created under this proposal will almost by definition not be \nadequately trained.\n    The single largest vulnerability of our cyber systems comes not \nfrom hackers using technology to break into systems but from \n``insiders'' with approved access to the systems. This proposal creates \na virtual army of insiders crawling through our most critical \ninfrastructure's security systems on an annual basis.\n    The threat of introducing a constant stream of new ``insiders'' into \nour Nation's most critical infrastructure far outweighs the dubious \nassumption that they will provide a tangible security benefit. That \ndoes not even account for the costs industry will bear to hire these \nevaluators, the cost of new manpower at DHS to comb through this \nmountain of data, and the potential of an ideal attack vector where all \nthese reports detailing our Nation's security will be stored.\n  xiii. the information generated by these disclosures won't enhance \n                                security\n    Ironically, one of the unintended effects of more comprehensive or \nstringent disclosure laws could be less information about the sort of \ncyber attacks that really matter. This is because most of the mandated \ndisclosures would simply be noise. 
There would be a constant stream of \nreports, based on what lawyers believe would demonstrate compliance, \nwhile actually revealing as little as possible. This stream of reports \nwould obscure the attack trends that really matter, while allowing \ncompanies to conceal events that might otherwise provoke public outcry \nand more active Government intervention. As cyber attack disclosures \nhave become more frequent and more routine, this has already been \nhappening.\n    The information made public by disclosure requirements is usually \nnot very meaningful. Most cyber attacks, even if they are successful, \ndo relatively little harm. They gather information that the attackers \nare never able to utilize. They provide one component of a larger \nattack program that never comes to fruition. In many cases, the effects \nof the disclosure are considerably worse than the effects of the attack \nitself. The mere fact that a company has suffered a successful attack \ngives little indication of its actual losses, even if specific numbers \nare mentioned. This is because there are so many factors that can \ninfluence the scale of loss, including the wording of the disclosure \nitself. Determining how much a successful cyber attack will hurt a \ncompany is very difficult even for those who have access to all of the \ndetails of the attack, the operations affected, and the company's \nfinances. For the general public, the bare facts of a successful cyber \nattack are often very misleading.\n    The cumulative data from the cyber attacks that have so far been \npublicly reported are also very misleading. Many of the biggest \nreported losses of personal data were due to lost or stolen laptops. \nThis is not because it is the main way personal data is stolen; it is \nbecause the loss or theft of a laptop is an unambiguous event that is \nhard not to acknowledge. Many of the other reported losses of data \nhave been from major defense contractors. 
This is not because the major \ndefense contractors are losing more data than other companies or than \nGovernment departments; it is because they have the best detection \nsystems in place. Some of the most publicized cyber attacks have \ninvolved Google mail. This is not because Google mail has been \ncompromised more than other e-mail systems; it is because Google's \nbusiness model depends more on trust and on certain types of \ntransparency than the business models of the other companies providing \ne-mail services. Since most cyber attacks go unrecognized, the mere \nfact that a cyber attack is being reported means that it is atypical.\n                xiv. using effective models (a) the cdc\n    All of this does not mean that all disclosure laws are bad or even \nthat the existing ones are bad. It merely points out the unintended \neffects of such laws that legislators need to make an effort to avoid \nin drafting additional laws. More information about cyber attacks in \ngeneral and about the degree to which individual systems and companies \nare at risk is necessary for markets to take adequate account of these \nthings. Disclosure laws could provide some considerable benefits. But \nthey will not provide the intended benefits unless they take into \naccount how systems are monitored for attacks and what additional \ninformation might be needed to put the attacks in context.\n    It is possible that the best approach might be to have the \nreporting go to a special legislatively-created institution, rather \nthan directly to the public. This is the model used with disease \ncontrol and public health issues. With sufficiently clear instructions \nas to how this institution would handle the information, its actions \ncould potentially be accepted by all parties. There are other ways \ndisclosure could be handled that would be less crude in their effects. 
\nThe point here is that any disclosure laws need to be framed with a \nconscious acknowledgment of the pitfalls.\n                    xv. effective model (b) sematech\n    In the 1980s, the United States also faced a technological \nonslaught. During this decade, the nation of Japan began flooding the \nU.S. market with computer chips, which threatened to drive U.S. chip \nmanufacturers out of business. Recognizing the economic and security \nthreat that this posed, the U.S. enacted legal measures such as the \nFederal R&D tax credit and the Cooperative Research Act of 1984, which \neventually led to the private sector and U.S. Department of Defense \ncooperative known as SemaTech. Within 2 years, sub-micron \narchitectures, advanced X-ray lithography and a number of other \ncritical innovations pushed U.S. chip makers back into world \nleadership, and produced generation jumps in computing capabilities \njust as the internet was dawning.\n    A similar Cybersecurity Public-Private Cooperative could be \ncomposed of the private sector, academia, and the Government in a \nminority role. This organization could be charged with improving, even \nreinventing the cyber ecosystem in a more secure manner. Under this \nCooperative's umbrella, stakeholders could share information and \ncybersecurity technology development to create (or fund the creation \nof) more alternative networking protocols, software languages, and/or \nhardware architectures that are more secure. It could also act as an \nincubator for ideas to create better strategies to combat APTs and \ntheir equivalent. It could also serve as the equivalent of an \nunderwriters laboratory for cybersecurity by independently assessing \nbest practices and standards along sliding scales. 
These proven \nincreasing levels of security, if voluntarily adopted, could then be \nused to qualify enterprises for subscribing to them in return for the \nincentive programs suggested earlier, which will help mitigate costs \nwhile enhancing proven security practices.\n    The ISA, its members, and partners are aware of the need to combat \ncyber threats--indeed that is why ISA was created over a decade ago. \nHowever, this must be done in collaboration with Government, not as \nmandated by Government. Moreover, the solutions we derive must be both \ntechnologically and economically practical if they are to have the \nsustainable effect we require.\n\n    Mr. Lungren. Thank you very much, Mr. Clinton.\n    We will now go to a round of questions, 5 minutes for each \nMember, and I will begin.\n    Ms. Hathaway, you heard Mr. Clinton's forceful testimony \nthere. How do you respond to that?\n    Let me just give a little background. I have said as a \ngeneral rule what I would like to do is to ensure that we have \na cooperative spirit between the private sector and the public \nsector, No. 1. No. 2, my concern is, if we are not deft enough \nin the way we have our regulatory schematic, we could--not \nintended to do this--but we could have the result of stifling \ncreative ways of protecting against cyber attack that might \ncome from the private sector as we impose a Government one-\nsize-fits-all approach.\n    So I would like to see us, I guess, hit the sweet spot in \nthat. You have been there, you have been through these \narguments, and helped set up the contours of the debate. How do \nyou respond to Mr. Clinton's observation about the \nadministration's proposal?\n    Ms. Hathaway. Sir, I think that the administration's \nproposal had the opportunity to engage the private sector to \ninform the debate and the items within the proposal. 
But during \nthe course of their review, they did not engage the private \nsector, which is why it is so important that this committee and \nother committees do engage the private sector in understanding \nwhat are the second- and third-order effects of regulation and \nother market levers.\n    I think it will be important to take a look at both a \nregulatory framework and an incentives-based framework for \nresearch and development, for incentivizing industry to \nactually get to a standard of care where we are not actually \nseeing breaches on a regular basis.\n    Mr. Lungren. One of the concerns that I have had expressed \nto me by some in the private sector--others have indicated very \nstrong support for the overall proposal--but one of the areas \nof concern was the auditing aspect contained in the proposal, \nwhere some suggested it was overreach.\n    Now, Mr. Clinton, you suggested this sort of a continual \npresence there might open up the possibility of security \nbreaches that wouldn't otherwise exist. I suppose that is \nalways a balance you have to have.\n    How do you ensure that those that you hope are protecting \nagainst cyber attack in the private sector, with consequences \nto individuals on a more general basis, how do you ensure that \nthat is being done and, at the same time, don't have a heavy \nhand, which may result in exposures to intrusions that you \notherwise would not have? How do you hit that balance?\n    Mr. Clinton. The best way to do it, I believe, Mr. \nChairman, is to make the system--to establish the system so \nthat the organizations want to invest in security, so that they \nsee it as in their own self-interest.\n    As I think was pointed out earlier in some of the opening \nstatements, what we currently have and what the National \nInfrastructure Protection Plan says is that we have not \ncurrently recognized the value proposition for industry. In \nsome industries, there may not be an adequate value \nproposition. 
But there are a variety of ways that we can alter \nthat so that they want to invest more in cybersecurity, they \nsee a benefit to it.\n    One way----\n    Mr. Lungren. So they can explain to their shareholders or \njustify to their shareholders and their board of directors that \nit is bottom-line-effective.\n    Mr. Clinton. Sure. One of the ways I think you mentioned in \nyour opening statement is through the use of insurance. We have \nnot done enough to bring the insurance industry into the \ncybersecurity equation. Insurance is one of the great drivers \nof pro-social behavior. We use it in health care. We use it \nin--my daughter drives more carefully because she wants a \n``good driver'' discount on her insurance. This affects \nthings. But we have not brought insurance into the \ncybersecurity arena.\n    If we were able to motivate the greater adoption of \ninsurance, the insurance companies will do the evaluation for \nus because their money is at risk. We can also use the \nreductions in premiums to provide a motivation for the adoption \nof increased best practices, just as we do when people give up \nsmoking to have lower insurance rates, et cetera, et cetera.\n    Insurance, liability reform, better use of procurement, \nwhich has already been mentioned, streamlined regulation--these \nare all things that could be offered to the private sector in \nreturn for investing more in cybersecurity that will adhere to \ntheir bottom line, making it so they want to do it, not because \nwe are making them do it, and at the same time enhance our own \nNation's cybersecurity.\n    Mr. Lungren. Within the administration's proposal is a \nproposal for a National law on notice of breaches, which would, \nas I read it, preempt the States from doing that and, \ntherefore, alleviate what some would say is a patchwork of \ndifferent notice requirements. 
On the other hand, people say \nStates should have the right to do that.\n    Does anybody on the panel have a disagreement with the \nadministration's approach on that?\n    All right.\n    The gentlelady from New Jersey, the Ranking Member of the \nsubcommittee, is recognized.\n    Ms. Clarke. I am from New York.\n    Mr. Lungren. Excuse me. New York.\n    Ms. Clarke. It is okay. But you know, as a New Yorker, we \nhave to set the record straight.\n    Mr. Lungren. After Mr. Pascrell yesterday indicating that \nhe represented the entire region, I am sorry.\n    Ms. Clarke. There you go. There you go.\n    Let me start with you, Mr. Clinton, and the whole idea of \nincentivizing and the how-tos. You raised the issue of \ninsurance, and I want to explore that a little bit further. \nCertainly, incentivizing insurance, on the surface, seems like \na proposal that perhaps could work.\n    What would happen if industry didn't bite or part of \nindustry did but the other part didn't? How do we create sort \nof a uniform incentive?\n    Because, you know, some folks could say they want it, and \nsome folks could say, you know what, thanks but no thanks. Then \nwe are still left vulnerable, because if everyone isn't \ninvolved, then vulnerabilities will exist.\n    Can you speak to that?\n    Mr. Clinton. Certainly, Ms. Clarke. Thank you very much.\n    What the ISA proposes and, frankly, what is proposed in the \nmulti-trade association white paper speaks exactly to your \npoint, which is accurate. We have a very diverse private \nsector. So what we advocate is that we need to develop a menu \nof incentives.\n    Certain incentives will be very attractive to certain \nareas. So, for example, if you are in the defense industrial \nbase, procurement incentives are going to be particularly of \ninterest to you. If you are in the public utility space, \nperhaps streamlining some of the regulation to make it more \ncost-effective may be appropriate to you. 
Other sectors are \ngoing to be interested, perhaps, in insurance. Still others \nmight be interested in liability reform. You have to have a \nmultitude of incentives, because different things will motivate \nother people.\n    Were you also asking about how to get the insurance stuff \nstarted?\n    Ms. Clarke. Well, I think my question is more to, when you \ndeal with things from a voluntary perspective, entities can opt \nout. With cybersecurity, any opt-out equates to a \nvulnerability. Any area of penetration can then have a \ncascading effect. So, you know, while we want to resist the \nidea of imposing anything, I am just trying to get at, you \nknow, how do we deal with trying to get as much coverage as we \npossibly can?\n    I understand the menu that you have discussed. Perhaps it \nis industry by industry, where we get buy-in through each \nindustry and its leadership, that will then cast the net that \nwe are looking for to close those vulnerabilities.\n    Would anyone else want to address that issue?\n    I am just trying to figure out, without imposing a \nstandard, if you will, how do we get everyone to see the virtue \nin establishing a standard that we can hold everyone \naccountable for?\n    Mr. Williams. Representative Clarke, if I might, I \nabsolutely agree with Mr. Clinton, that we should do everything \nin our power to set a private-sector leadership model in this, \nas we have in the past, to rely on markets wherever possible. \nIf the insurance and incentive models work where they work, \nfantastic.\n    Our experience in financial services is that, with a \ncombination of regulatory oversight and our own business \nmotivations, we have done a better and better job of protecting \nour sector. We have also reached out to other sectors with \nuneven results. 
So our service providers and the sectors on \nwhich we in a very interconnected way always depend are often \nreceptive to their business partners saying, ``Security is \nimportant; we need you to invest in it,'' but not always.\n    That is our concern. That is our motivation for supporting \na comprehensive proposal here, is that if some opt out and they \ndon't happen to be in a critical tier, well, that may be \nperfectly reasonable. But at least for that most critical tier, \nopt-out and the possibility that at least some business \npartners will just decide to go their own way and put others at \nrisk we think is problematic.\n    Ms. Clarke. Mr. Williams, let me just ask another question. \nWhy do you think that preemption is important? Do you think \nthere is a role for States in cybersecurity policy?\n    Mr. Williams. One way to think about the State model, as \npeople often describe it, is that it is a laboratory. In breach \nnotification and in many other areas of cybersecurity and \nconsumer protection, it has been a wonderful laboratory. We \nhave seen these breach-notification rules evolve over the last \nseveral years with various experiments in the different States.\n    We believe that it is now much more mature and that now we \nare ready for a National model. Those experiments have yielded \nthe fruit that we would expect, we have some experience now, \nand we would like to see some uniformity at the National level.\n    The States may still very well have responsibility for, in \nour case, overseeing State-chartered institutions like banks \nand insurers. They may still have consumer protection \nauthority. But cybersecurity we think of as a National issue \nwhere uniformity, we think, makes the most sense.\n    Ms. Clarke. Thank you very much, Mr. Chairman. I yield \nback.\n    Mr. Lungren. The gentlelady yields back.\n    The gentleman from Texas, Mr. McCaul, is recognized for 5 \nminutes.\n    Mr. McCaul. Thank you, Mr. 
Chairman.\n    I think as you point out, Mr. Williams, I agree with the \nbreach-notification law. It really cries out for National \nFederal law.\n    There are many things in the administration's proposals \nthat I agree with: The increased penalties for computer \nhacking; the notification law; the clearer cybersecurity \nauthority for DHS; the FISMA reforms, which I think are \nnecessary. So I would have to say, overall, I think Howard \nSchmidt, I think, did a pretty good job.\n    But the one area where I find myself in disagreement really \nrelates to the private sector and what role the Government \nplays in regulating the private sector. I think the first \nprinciple that we have, particularly in this area, in Congress \nis to do no harm. I think we can legislate and have unintended \nconsequences, particularly as it applies to the private sector.\n    We can harden the Federal networks, and I think that is \nsomething we are very focused on. You know, the Einstein 3--I \nmean, there are a lot of things in this proposal that deal with \nthat. But it is really hardening the private sector and the \ncritical infrastructures in the private sector that I think are \nthe greatest challenge for us as policymakers. Ninety percent \nof the critical infrastructures, up to, are really controlled \nby the private sector.\n    So my first question is to you, Mr. Clinton. How can we \nenhance that and incentivize the private sector without having \nthese punitive mandates?\n    The one thing in this proposal I disagree with is the \nregulating over the private sector. Then if they are out of--I \nmean, the remedy for a violation is basically what we call \n``name and shame.'' You know, we will call out the company and \nthen publicly call out the vulnerability, which I don't think \nthat is very good policy, to be, you know, publicly showing \nwhere a company is vulnerable. 
That just invites more mischief.\n    So give me your thoughts on the regulating part of this \nprovision, and what would you recommend?\n    Mr. Clinton. Well, certainly, I agree with you, Mr. McCaul, \nabout the disclosure aspects here. It creates a target. Not \nonly that, it creates an incentive for companies not to find \nout things. You know, we need to incentivize people to be doing \na better job of reviewing their cyber systems.\n    You know, the modern cyber threat is geared around not \nallowing you to know that it is there. I mean, you know, a few \nyears ago, cyber threats, you know, were--you had big cutesy \nnames like the ``Love Bug'' and ``Blaster'' and all that kind \nof thing. Modern cyber threats are stealthy. They get in your \nsystem, and the first thing they do is clean out your system, \nso that when there is detection done, none of these lousy cyber \nthreats let you know that the really bad guy is there. They go \nin your system and they hide. So it is very difficult to find \nthese guys.\n    So we want to provide incentives for people to go and look \nat them. If the corporation knows that the harder they look for \na problem, the more likely they are going to be named and \nshamed for finding it, we have created exactly the wrong \nincentives.\n    It would be much better if companies were proactively \nincented in the way that I suggested with Ms. Clarke so that \nthey wanted to go find these things because they were going to \nlower their liability, they were going to lower their insurance \nrate, they were going to have a better chance at a Federal \ncontract, et cetera, et cetera.\n    The one point that I think we have to be sure, though, is \nthat we don't assume that there is some sort of minimum \nNational standard that everybody has to get to. That is not \ntrue. 
The problem that we have with cybersecurity is not that \nthe technology is broken and so we have to bring it up to \nstandard; the problem with cybersecurity is that it is being \nattacked from the outside. So we have to find a way to motivate \na continual investigation and innovation of mechanisms, rather \nthan bring people up to some sort of stable standard.\n    Mr. McCaul. Thank you.\n    My time is limited. Ms. Hathaway, I wanted to ask you a \nquick question. You have a lot of expertise in these public-\nprivate partnerships. We have had the ISACs, the information \nsharing and analysis centers; have never really gotten to the \npoint where we want them to be. You know, when I met with some \nof these firms in Silicon Valley, they talked about the \nliability protections. You know, there is a FOIA exemption, or \nexception, for critical infrastructures in terms of the \nsharing, but there still isn't any liability protection for \nthem. So they are not incentivized to share information.\n    Can you speak to that? What would be your recommendation as \nto how we can better enhance these public-private partnerships?\n    Ms. Hathaway. 
Representative McCaul, I agree that many \ncompanies perceive that the FOIA is not strong enough if it \nwere actually leveraged, and, therefore, private-sector \nentities are not as willing to share information.\n    I think that the question we need to be asking ourselves on \nthe Government side is, how can we share more and better \ninformation with the private sector so they can appreciate the \nthreat that they are dealing with and the exposure that they \nhave as multinational corporations?\n    I think the Government does not share actionable \ninformation with the private sector and should increase their \ninformation-sharing mechanisms that are informed from the law \nenforcement and the intelligence community.\n    DHS, as the forward-facing entity, needs better information \nfrom the law enforcement and intelligence community and should \nbe sharing actionable information and real case studies with \nthe private sector of what is happening in their industry, how \ncertain corporations are being exposed--not necessarily naming \nthem, but saying company X was exposed with the following \nbreach and lost X quantity of confidential information. It is \nonly when we start using real cases and real information that \nthe private sector will be able to better defend itself.\n    Mr. McCaul. Thank you, Ms. Hathaway.\n    Mr. Lungren. The gentleman yields back.\n    The gentleman, Mr. Richmond, is recognized for 5 minutes.\n    Mr. Richmond. I defer to Laura my time. I think she needs \nto leave.\n    Mr. Lungren. Oh, okay. Well, according to the rules of the \ncommittee, it is in order of appearance. So Mr. Keating would \nbe next unless he allows Ms. Richardson----\n    Ms. Richardson. I think I was here.\n    Mr. Lungren. Okay. The gentlelady from California, Ms. \nRichardson, is recognized.\n    Ms. Richardson. Thank you.\n    Thank you, gentlemen. That was very kind of you.\n    Ms. 
Hathaway, in your opinion, which sectors are the most \ncritical that we should be focusing on? We obviously can't do \neverything. We are not going to have money for everywhere. In \nour critical infrastructure, what would you say would be most \nvulnerable?\n    Ms. Hathaway. Ma'am, I think that the most important \nprobably starts with our energy sector. Without the power, you \ncan't run a business and you can't sustain operations. Given \nthe system control vulnerabilities and in the wake of the \nproliferation of Stuxnet, it is a high priority for the country \nto address the vulnerabilities that are within the power \nsector.\n    I think followed by power is telecommunications, because \nwithout telecommunications you don't have the internet and you \ndon't have the ability to do e-commerce and e-business.\n    I would start with those two sectors.\n    Ms. Richardson. On a scale of 1 to 5, 5 being best \nprepared, how would you rate that we would be from an energy \nperspective?\n    Ms. Hathaway. On a scale of 1 to 5, I think that the energy \nsector probably was in a better prepared state and it is now \ngoing down the scale, as it moves more and more of its \ninfrastructure to an internet-based protocol and as we, the \nGovernment, have been offering to the private sector that they \nneed to move more and more of their infrastructure to a smart \ngrid. I don't believe that a smart grid has been approached \nwith the security in mind first and foremost and so, therefore, \nis making that infrastructure more vulnerable.\n    Ms. Richardson. Thank you.\n    Mr. Clinton, according to the White House proposal, \ncompanies would be subject to reporting--and it was a previous \nquestion by my colleague--would be subject to reporting \nsignificant incidents to DHS. Do you have an objection to that?\n    Mr. Clinton. Well, the problem is, what is a significant \nincident? 
As I tried to articulate in my testimony, there is \ncurrently an opinion, a common thought in the press, anyway, \nthat when you have been breached, that is a significant \nincident. We would probably disagree with that. In the modern \nworld, with modern attacks, virtually everybody gets breached. \nIf you are going to have some of these advanced persistent \nthreat guys come after you, you are going to be breached, \nmeaning they are going to get in your system.\n    That means that we have to alter the way we do defense away \nfrom perimeter defense, keeping them out, to recognizing them \nwhen they are in the system and mitigating the attack there. So \neven though you may have been breached, that does not mean that \nit is necessarily a significant incident, because, as I say, \nthese guys are going to get in.\n    If we made that the line, that you had to report the fact \nthat somebody successfully got into your system and then you \nwere subject to some of these ``name and shame'' penalties that \nwe discussed earlier, I think that that would be a mistake.\n    So it really has to do with the definition of what is a \nsignificant incident, is where I have my problem.\n    Ms. Richardson. Ms. Hathaway, would you view a significant \nincident being a breach, as Mr. Clinton described?\n    Ms. Hathaway. I think a significant incident is any time \nthat you lose confidential information and/or put an operation \nat risk that it can no longer deliver essential services.\n    Ms. Richardson. Have you worked with various private \nindustry to define what a significant incident would be?\n    Ms. Hathaway. No, I have not.\n    Ms. Richardson. Do you have an interest in doing so?\n    Ms. Hathaway. 
I think that it is important for each sector, \nwhether it is the financial services, defense industrial base, \nelectric power, and the other 17 critical infrastructures, to \ndefine what is a significant incident in each one of those \nsectors and then define the appropriate response and mitigation \nstrategies.\n    Ms. Richardson. Okay.\n    Last question, for Mr. Williams: What amount of risk should \nthe Government be responsible for in the event of a major \ncybersecurity attack in the private sector, if at all?\n    Mr. Williams. I think the Government is certainly \nresponsible for collaborating with the private sector if there \nis an incident. I wouldn't say that that is the same as \naccepting financial responsibility or operational \nresponsibility. I absolutely believe that as much as possible \nof both of those need to live with those who have direct \nownership of systems and connections.\n    I would say that in an incident, as in a steady state, if \nthere is a way that we can set up the kind of voluntary \ncollaboration that I think many of us support, then Government \nhas an obligation to participate in that process. We believe \nthat for DHS; we believe it for our financial regulators. We \nbelieve that they have an opportunity to protect other sectors \nwhen incidents like that occur. But that is very different from \naccepting risk and somehow relieving others of that risk.\n    Ms. Richardson. Thank you.\n    I yield back.\n    Mr. Lungren. The gentlelady yields back.\n    The gentleman, Mr. Long, is recognized for 5 minutes.\n    Mr. Long. Thank you, Mr. Chairman.\n    Ms. Hathaway, you spoke about stiffening the penalties. To \nwhat degree? Do you agree with the overall proposal, the \npenalties that have been proposed in that? What degree do the \npenalties need to be stiffened to curb some of this activity?\n    Ms. Hathaway. Sir, I think that it is essential that we \nupdate the Computer Fraud and Abuse Act. 
Right now, we do not \nhave enough penalties for the breaches that are happening every \nday that we read about. I think that the administration's \nproposal is important.\n    I would take it one step further and remove the connotation \nof ``protected systems.'' Protected systems are usually defined \nas Government and financial institutions. I think that any \nbreach, regardless of where it has happened, in the private \nsector, the Government, and/or in academia, should be deemed a \nbreach, with the same penalties.\n    Mr. Long. Has there been any indication that the penalties \nthat are there now have been effective or the increase that \nthey are going to in years and dollars, do you have any----\n    Ms. Hathaway. I believe that the stiffened and higher \npenalties, if they are communicated, will start to act as a \ndeterrent, a domestic deterrent. I believe that, also, law \nenforcement needs to have additional capacity to be able to \ninvestigate these breaches and impose those penalties as they \nfind those who are committing those crimes.\n    Mr. Long. What percent of cyber attacks would you say are \ndomestic and what percent are non-domestic right now?\n    Ms. Hathaway. I think it would be difficult to quantify the \nnumber of incidents and/or breaches. They are going up \nexponentially every day. I think all countries are suffering \nthe same amount of intrusions.\n    Mr. Long. Okay. Thank you.\n    Mr. Williams, I hail from the Seventh District of Missouri, \nand we had an incident there where a title company, just a \nsmall mom-and-pop shop title company, had, I believe, $440,000 \ntaken out of their account, their bank account, over the \nweekend. This has been within the last 12 months, maybe a \nlittle longer, 15 months, or somewhere in that neighborhood, \nand had $440,000 wiped out of their account through their bank.\n    The Secret Service is the investigative arm that looks into \nthat. 
They have ascertained, I think, that the money first went \nto Turkey, then Cyprus, ended up in Pakistan. Apparently the \nhopes of getting it back are about like the hopes of me \ncollecting the $800 million I have been e-mailed here this \nmorning that is in an account in my name.\n    How can we protect--I mean, this is a mom-and-pop title \ncompany. They had the financial resources and backing to be \nable to go out and qualify for an SBA loan, because, as you \nknow, in a title company, that was not their money they were \nholding. It was money they were holding for real estate \ntransactions to close. So they at least had the ability to go \nout and borrow the $440,000, which is not a lot of consolation \nto them.\n    But how in the world can we in Congress help the financial \nservices industries in this cyber attack situation?\n    Mr. Williams. We certainly can use some help with it. I can \ntell you some of the things that we are already doing.\n    One of the evolutions in this whole process over the last \nfew years is that much of the work used to happen solely within \nan institution, but now it really has to include business \nclients, like the title company, in the process----\n    Mr. Long. And their bank.\n    Mr. Williams. And their bank. They absolutely need to be \ncooperating so that the bank builds secure systems, the title \ncompany secures its system and its credentials, so that they \nhave this collaborative arrangement where it is not entirely \nwithin the bank's systems and the title company is not entirely \non its own in this process.\n    If we have more research and development, as most of these \nproposals I think suggest, we will find better and better ways \nto authenticate, so that if someone over a weekend has gained \nthe credentials of the title company, it will be harder and \nharder for them to pose as a business client of the bank \nwithout the bank being able to detect it.\n    Mr. Long. 
I don't know how we can ever get ahead of the \ncurve on this situation, because it seems like we are \nconstantly behind the curve, and the curve is moving at a rapid \npace. So if there is anything, off-mike or whatever, later, if you \ncan get to me, as far as how Congress can help, for the entire \npanel, I would appreciate it.\n    Mr. Williams. Yes, sir.\n    Mr. Long. Mr. Clinton, you made reference to the fact of \ninsurance two or three times. Walk me through that a little \nbit. What type of insurance? What do you incentivize? The \ninsurance companies in this, what type of insurance are you \ntalking about?\n    Mr. Clinton. Well, there are a variety of insurance \ninstruments that are available--protect against breaches, \nprotect your liability of losses, protect your system, loss of \ndata. It is possible to, for example, in the example of your \ntitle company, that they could have bought insurance----\n    Mr. Long. You are talking pretty much liability insurance?\n    Mr. Clinton. Yes, sir. The typical policies don't tend to \ncover these cyber events. So there are special instruments that \nare available for that.\n    The way that that would probably be best done--there are \ntwo things that we propose to get that started, one of which \nwould be for greater information-sharing in return for some \nsort of Federal benefit. One of the problems the insurance \ncompanies have is that they don't have the actuarial data, \nbecause companies keep that private. But we believe that, \nprobably, working with the Government, we could get that sort \nof actuarial data. That will help to bring the rates down. If \nwe can get the rates brought down, then people will sell more \ninsurance, and we can start kind of a virtuous cycle.\n    The other thing, which is a much bigger idea, would be--we \nhave had this problem of not having enough insurance for an \nimportant social good in the past: Crop insurance, flood \ninsurance, et cetera. 
In those instances, the Federal \nGovernment has set up a revolving fund, and that was a better \nway to manage risk.\n    This is one of the things I would propose that the \ncommittee ought to look at, because right now the Federal \nGovernment is carrying all the risk of a major cyber event. If \nthe East Coast goes down for 3 weeks, Congress is going to pay \nfor it all. That is bad risk management. You ought to be \nsetting up a revolving fund so that we can get some private \ncoverage there.\n    Mr. Long. Thank you.\n    Mr. Chairman, I have no time to yield back, but if I did, \ntrust me, I would.\n    Mr. Lungren. I was going to say, as a conservator, you are \nnot used to giving back something you don't have. But that is \nall right. I won't interject that.\n    Mr. Richmond, you are recognized for at least 5 minutes.\n    Mr. Richmond. First of all, Mr. Chairman, let me thank you \nfor having the hearing, and to the Ranking Member who has been \nvery passionate about this issue.\n    The overwhelming concern that I have--and any of the \npanelists can chime in--is just the country's awareness of this \nas a real threat. I chaired Judiciary in the State of \nLouisiana, which under our jurisdiction we had homeland \nsecurity and all of those things, and this was not an issue \nthat got a lot of attention, if any.\n    So what can we do in the importance of raising awareness of \nit to help combat the threats that we have out there? Just \ngeneral public awareness, and then we can go from small \nbusinesses to major businesses, and then we can just talk about \nStates, because I don't see Louisiana being prepared or being a \nleader on this at the State level.\n    So, in any particular order. We could start with you, Ms. \nHathaway.\n    Ms. Hathaway. 
Thank you very much, sir.\n    I think that we do need to have a National conversation \nabout what is happening on our networks, and it needs to begin \nreally at all levels.\n    We need to begin the conversation about cybersecurity and \nnetwork hygiene in the K-through-12 program. As our children \nare being asked to bring in thumb drives to carry their \nhomework back and forth between school and our home networks, \nthey are being used as a path to actually infect our homes that \ninfect our enterprises which infects our governments and \ninfects our banks. So we need to begin with the children.\n    If we then move into a university program that extends the \nInformation Assurance Centers of Excellence to all 50 States \nand beyond 5 percent of our universities, we can start to get \nto the actual practitioners of and create a stronger workforce.\n    If we start to have a stronger, more informed workforce on \nthe information security that is trained from K through 12 \nthrough university, then we start to have a better-informed \nworkforce and enterprises that can contribute to the National \nconversation.\n    I would ask you, as Members, if you could go back and have \na conversation in each one of your districts and start a \nconversation in the schools and with the enterprises, because I \ncan guarantee you the schools have been breached or the \nenterprises in your districts have been breached. You can start \na simple conversation of what it means to them and what it \nmeans to you and how can we begin that National conversation in \nevery district of America.\n    Mr. Shannon. Yes. Thank you.\n    The challenge here is getting people to realize that it is \na community impact, that having one organization, one entity, \none individual compromised is really not the issue; it is when \nit happens en masse. 
So, from CERT's experience, starting with \nthe Morris worm, you know, there was a realization of everyone \ninvolved that this is a community event, it is not just their \nnetwork that has been compromised, not just their host.\n    So I think part of the challenge, especially when you are \nlooking at insurance issues and regulatory issues, is \nacknowledging that community aspect. What we find is that \norganizations, individuals usually are surprised when they \nrealize that the compromise in their system is part of an \noverall industrialization of the threat and it is affecting the \nwhole community.\n    So, actually, their--putting themselves at risk, as Ms. \nHathaway mentioned, that puts everyone at risk, realizing that \nwe are all in this together. I think that is where the \nconversation needs to lead. It is not just about your own \nassets, your own data. Your vulnerabilities actually expose \neverybody else.\n    Mr. Williams. I would have a thought or two at the family \nor small-business end of the spectrum and at the more corporate \nend.\n    At the family level, people shouldn't be worried about \nadvanced persistent threats or some vague notion of identity \ntheft. There are some very concrete things that they can be \nthinking about. They can be more technology literate from the \nschools at the children's level and the adults in the home. \nThey can be watching that their PCs and their smart phones have \nantivirus protection on them, that they are well-maintained. \nThey can be watching their financial statements to ensure that \ntransactions don't appear----\n    Mr. Richmond. Mr. Williams, I know I am going to get cut \noff in a few minutes. But if you could get me that information \nor get that to the committee, I think it would be helpful. \nBecause a lot of us send out information to our districts all \nthe time, and that is something that we could put in there, \nthose small things to push people to do.\n    Before you, Mr. 
Clinton, I would just--you talked a little \nbit about ``name and shame.'' Part of the question is the \nbalance between the public's right to know--because a lot of \ntimes we, as Government, and private sector, we clash, because \nthe private sector would say, ``Nothing bad has happened yet. \nThere is no reason to act until something really, really bad \nhappens.'' Well, we have to take a different approach, and part \nof that is to try to make sure nothing ever happens.\n    So how do we balance ``name and shame,'' as it is \ndescribed, with the public's right to know and the fact that \ninformation is power, and we can prevent it that way, and not \njust leaving it up to the private sector until something bad \nhappens?\n    I yield back, Mr. Chairman.\n    Mr. Clinton. A couple things. I will try to be really \nquick. Be happy to chat with you more off-line.\n    First of all, putting in those incentives so that we can \nget to those best practices and standards that the NSA, CIA, \neverybody, Secret Service, would solve 90 percent of the \nproblem. That is the first thing we need to do.\n    With regard to disclosure, ISA is very much in favor of \ndisclosure. But the disclosure, as I have detailed in my \ntestimony, the disclosures have to be purposeful \ndisclosures. The public's right to be secure, I would say, is \nthe higher value here.\n    What we have proposed is, instead of having general broad \ndisclosure, which will go to the press, which will treat it \nsensationally, will skip over the details as to whether or not \nthis was really harm here or not, we would propose more of a \nCDC sort of model. That is where the reporting ought to be. It \nshould be going into entities that can understand the real \nproblem and can work on solving the problem so that we don't \nhave the losses that come out.\n    One of the problems here is our definitions. Think of \ncybersecurity like a football game, okay? 
If you are the \ndefense in a football game, it is not a--everybody gives up \nyards, right? So the fact that you have been breached, that is \nnot the problem. The problem is when the offense scores. So you \ncan have breaches that don't lead to scores.\n    We shouldn't be putting out publications, you know, and \nhaving news conferences about somebody being--you know, \nsomebody losing just some yardage. We should confine that to \nexperts detailing when there has actually been losses, and then \nwe can deal with, you know, some sort of SEC filings that are \nappropriate, which the SEC already will do.\n    So we are arguing for a more sophisticated form of \ndisclosure to deal with a more sophisticated sort of attack. We \nthink that that will lead to greater security, which is our \ngoal.\n    Mr. Lungren. Now, the gentleman, Mr. Marino, a great \nfootball fan, is recognized for 5 minutes to continue the \nanalogy.\n    Mr. Marino. Thank you, Mr. Chairman.\n    Carrying that ball down the field on the offensive end of \nthings, I want to turn this conversation a little bit. We are \ntalking about the breaching of the systems and increasing the \npenalties. But I find it ironic that we are here--and, \nobviously, I am a big supporter of public hearings--but we are \nhere talking about security measures, which--we could have a \nhacker sitting out in the audience.\n    So where do we draw that line between sharing public \ninformation and not sharing it to prevent it from the hackers \ngetting control of it? But, by the same token, the hackers are \npretty sharp. No. 2, as far as penalty-wise, what do we do with \nthe 15-year-old genius who gets into the system just for fun \nand causes havoc?\n    With those two questions, could we start with Ms. Hathaway? \nMy father told me ladies before gentlemen.\n    Ms. Hathaway. Well, let me start with the 15-year-old \ngenius. 
There are some efforts within the law enforcement \ncommunity and with the actual school districts to identify \nthose genius hackers. Instead of a sentencing or going to \njuvenile hall, they actually start working with the law \nenforcement community or get prepared to work for our \nintelligence community. So they are the next-generation \nworkforce with the skill set that we need.\n    Mr. Marino. Okay. Let me interrupt just for a moment. \nPrimarily--and the former attorney general from California will \nagree with me, I think, that the Federal system has very little \njurisdiction or, actually, maybe no ability to deal with \njuveniles.\n    Ms. Hathaway. I understand that the law enforcement \ncommunity has been working with the high schools to actually \nhelp identify and work with using their skill set and turning \nit to good as opposed to harm.\n    Mr. Marino. I understand that. But how about the penalty \naspect of it? What is your position on that? Do you have a \nsuggestion on that?\n    Ms. Hathaway. I think that penalties for kids, we need to \nlook into, the penalty could actually be serving, you know, for \nthe U.S. Government or serving on behalf of the communities to \nactually go out and prosecute.\n    Mr. Marino. Mr. Shannon.\n    Mr. Shannon. Could you repeat the question? I have lost the \ntrack of what you--the first part of the question.\n    Mr. Marino. The two questions were: Keeping it \nconfidential; and how do we deal with the juveniles? Because \nthe Federal system is not that well-equipped to deal with \njuveniles when it comes to penalties.\n    Mr. Shannon. Yeah, I will deal with the confidentiality \nissue.\n    One of the great innovations of the internet is the freedom \nto express yourself, the freedom to create new technical \ncapabilities, to innovate quickly. 
It is enabled by open \ndisclosure, open sharing of information.\n    Clearly, disclosing vulnerabilities is a challenge, but \nwhen you realize that there is a threat and there is a \nremediation, sharing that quickly and openly is better than \nwhat is the alternative, remaining ignorant. Because I can \nassure you that the hackers do know, and if you try and \ncommunicate it in some out of sort of closed or secure manner, \nonce you get to sufficient scale, they will still know. So, you \nknow, there is no hiding it, in that sense.\n    So it is better to put the information out there, let \npeople be informed, and then they can make the appropriate \ndecision, especially when it comes to a mitigation.\n    Mr. Marino. Okay.\n    Mr. Williams.\n    Mr. Williams. I think, quite appropriately, most of this \nconversation already occurs in confidential spheres and should \ncontinue that way. So companies, when they contract with other \ncompanies, will talk very explicitly about their security \nposture. That has a very strong market incentive for people to \ndo the right thing.\n    In our industry, institutions talk with their regulators, \nbut they do that almost exclusively behind closed doors. The \nkind of sharing that I think the administration proposal \ncontemplates would also be confidential, two-way sharing \nbetween DHS and some of the other agencies and the companies.\n    There are, I think, a couple of exceptions to this idea \nthat there should be a cloak of confidentiality generally. One \nis, if there is information that can help consumers to protect \nthemselves, if an individual consumer has been put at risk, \nthere are and should be rules to ensure that that person knows \nwhat they need to know to protect themselves. The same at the \nSEC level for investors.\n    Mr. Marino. Okay. All right. Thank you.\n    Mr. Clinton, you have 18 seconds.\n    Mr. Clinton. 
We are dealing with different levels of data, \nso the sophisticates ought to be meeting amongst themselves and \nsharing data and then atomizing it and then have it pushed out \nto the broader community.\n    We have a proposal we actually started with Melissa \nHathaway a couple of years ago with DHS to do exactly that. I \nwould be happy to talk with you more off-line.\n    Mr. Marino. Thank you. Touchdown.\n    Thank you very much, Mr. Chairman.\n    Mr. Lungren. Now I will be happy to recognize the gentleman \nin this Congress who probably was happier than any other Member \nthat Whitey Bulger got nabbed yesterday, Mr. Keating.\n    Mr. Keating. Happy and relieved.\n    You know, interestingly enough--I will just share a little \ninformation with you--in terms of getting the word out, I was \nstruck by the fact that there is a group in the Boston area \nwhere the 30 top executives, largest firms, they meet usually \nannually to discuss what their biggest issue is. That could be \ntaxes, it could be anything; it is open-ended. They decided it \nwas cybersecurity. So I do think that people understand the \nmagnitude and the importance of this, and that is out there.\n    What I am struggling with is this, and I don't know if \nthere is an answer. Mr. Clinton started down that track, but I \nwould just like to ask the rest of the panel if they could help \nin this regard. I am looking for something, an existing model, \npublic-private model, quasi-governmental model, that already is \nthere, may not be a perfect fit, but just to give me an idea of \nwhere the Chairman said, the sweet spot is. We are looking for \nsomething that is flexible enough so that regulations don't \nsmother the ability and provide deterrence.\n    But I don't agree with, you know, the CDC model approach, \nthat, you know, it is just out there. I think we have to have more \noversight proactively on that. I don't know where that is. 
I \nknow that the ``name and shame'' issue can, I think, be \nmitigated by having, you know, rankings, the way they do in \nfinancial institutions. When they do an audit, you can have \nCAMEL ratings, whatever ratings they might be--1, 2, 3, 4--and \nyou are in categories where, you know, companies will have some \nresponsibility, and insurance companies can look at that as \nwell.\n    But if you could--and I don't anticipate anyone has a \nperfect fit--can you think of some existing models in other \nareas? You know, Mr. Clinton has mentioned the CDC. I would \nlike to ask the other panelists.\n    Mr. Shannon. So I think there are a couple of models. There \nis the automotive and airline industry that, you know, have \nreporting on accidents and incidents that allows for an \nappropriate oversight. So it is a more closed--the NTSB, you \nknow, has a closed investigation when an incident happens.\n    I think it is important also to look at the CDC model and \nthink about where it actually is appropriate and where it is \nnot appropriate. I mean, where it is not appropriate maybe is \nnation-state threats. But certainly in terms of dealing with \nindustrial challenges in malware and exploitation, being able \nto have a better situational awareness based on the \npreponderance of incidents is what is needed.\n    An individual, just because I got hacked, I don't know if I \nam the only one in the world or whatever. But if the Government \nwants to or organizations want to be able to do a broad \nresponse, having that sort of situational awareness is \nimperative. Otherwise, you don't know that there is a \nchallenge.\n    Mr. Keating. Thank you, Dr. Shannon. That is great after \nsomething has happened, too, and that is important.\n    What about trying to prevent areas and to rank or to find \nsome kind of oversight that is not too, you know, over-\nregulatory in nature?\n    Mr. Shannon. I will defer to my colleagues. We deal with \nthings when----\n    Mr. 
Keating. That is all right. Thank you.\n    Mr. Williams. If I might, one macro example, one micro \nexample.\n    A macro example I think is environmental protection. There \nwas a time when the best thinking on environmental protection \nwas simple command-and-control regulation. I don't think that \nis the right model for us here.\n    But over time, environmental protection advocates realized \nthat industry needed to be at the table in determining what the \nsolution was and then also needed to be at the table in \nexecuting it. I think that is where we are in cybersecurity. We \nneed to work together to figure out what the right answers are \nand then to deliver them.\n    The micro example, just the information-sharing and \nanalysis center within our sector I think is a good model of \npublic-private collaboration. It is largely chartered and, in \nmany ways, supported by Government resources. It helps us \nconnect with other sectors. But it is a private-led, voluntary \neffort that we think has brought us great progress.\n    Mr. Keating. Ms. Hathaway, did you have any thoughts?\n    Ms. Hathaway. I think that there is a lot that could be \ndone by turning to the internet service providers and the \ntelecommunications companies as the first order of warning and \ndefense.\n    Australia has adopted a code of practice or a code of \nconduct where 90 percent of their telecommunications providers \nhave opted in, without regulation, to provide that service to \nthe core infrastructure. Europe, within the European Union, \nhave adopted Telecommunications Directive 13a, which is \nregulating all of the internet service providers within all 27 \ncountries to provide that service across their infrastructure.\n    I think that the United States could learn from those \ndifferent experiments and/or capabilities and understand what \nthe costs are to better clean and keep our infrastructure clean \nand warn us of the impending threats.\n    Mr. Keating. Great. 
Thank you very much.\n    Mr. Lungren. I thank my fellow Members of the subcommittee \nfor attending.\n    I thank the witnesses for their valuable testimony. This \nhas been very, very helpful. It is the beginning of the \ninquiry, in a real sense, rather than the end of it.\n    Members of the committee may have some additional questions \nfor the witnesses, and we would ask you to please respond to \nthose in writing. The hearing record will be held open for 10 \ndays.\n    The subcommittee stands adjourned.\n    [Whereupon, at 11:50 a.m., the subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n     Questions From Chairman Daniel E. Lungren for Melissa Hathaway\n    Question 1. From media reports, China is engaged in the most \ndamaging hacking campaign in history. At the same time, its primary \ntelecommunications equipment provider continues to gain U.S. market \nshare, including in the Federal market.\n    What solutions can the Federal Government pursue against foreign \nespionage? How can the private sector protect against the threat?\n    Answer. The Webster's definition of espionage is, ``the practice of \nspying or using spies to obtain information about the plans and \nactivities especially of a foreign government or a competing \ncompany.''\\1\\ There is a long history of espionage and in general, it \nis a globally accepted practice of intelligence collection to better \nunderstand Government and company intentions. 
The National Counter \nIntelligence Executive (NCIX) tracks these trends and reports to \nCongress the status of foreign economic collection efforts and \nindustrial espionage.\\2\\ In its fiscal year 2008 annual report, NCIX \nreported that ``foreign economic intelligence collection and industrial \nespionage has continued unabated.''\\3\\ The newspapers highlight \nevery day that companies and governments regularly face attempts by \nothers to gain unauthorized access through the internet to the \ninformation technology systems by, for example, masquerading as \nauthorized users or through the surreptitious introduction of software. \nHowever, this does not negate the need to limit foreign espionage that \nhas become increasingly more pervasive and sophisticated against our \npublic and private sectors. Furthermore, focusing on one opponent may \ndistract our industry and Government from implementing a more complete \nstrategy.\n---------------------------------------------------------------------------\n    \\1\\ http://www.merriam-webster.com/dictionary/espionage.\n    \\2\\ Industrial espionage, which is the knowing misappropriation of \ntrade secrets related to or included in a product that is produced for \nor placed in interstate or foreign commerce to the economic benefit of \nanyone other than the owner, with the knowledge or intent that the \noffense will injure the owner of that trade secret. Misappropriation \nincludes, but is not limited to stealing, copying, altering, \ndestroying, transmitting, sending, receiving, buying, possessing, or \nconspiring to misappropriate trade secrets without authorization. 
\nIndustrial espionage is also criminalized under the Economic Espionage \nAct.\n    \\3\\ http://www.ncix.gov/publications/reports/fecie_all/fecie_2008\n///2008_FECIE_Blue.pdf.\n---------------------------------------------------------------------------\nPotential Solutions\n  <bullet> The Federal Bureau of Investigation (FBI) and the \n        intelligence community need to better inform industry of the \n        threats they are facing and how they are being exploited or \n        penetrated. A training program to educate corporate leadership \n        on how to mitigate the risk of being a high-value target, \n        including providing them with briefings about the threat to \n        their industry using specific case studies, would go a long way \n        to reducing the number of incidents and loss of confidential \n        information.\n  <bullet> DoD is proposing to amend the Defense Federal Acquisition \n        Regulation Supplement (DFARS) to add a new subpart and \n        associated contract clauses to address requirements for \n        safeguarding unclassified DoD information. This development is \n        essential because emerging, pre-classified military \n        technologies or commercial breakthrough technologies are \n        increasingly becoming the target of espionage. The proposed \n        DFARS changes would require industry to implement basic security \n        measures to increase their defenses from cyber intruders.\n  <bullet> Engage the United States Department of State's International \n        Telecommunication Advisory Committee (ITAC) \\4\\ and the \n        Advisory Committee on International Communications and \n        Information Policy (ACICIP)\\5\\ to better understand predatory \n        trade practices in the United States and elsewhere and develop \n        strategies to respond to these practices in a timely manner. 
\n        Use these advisory councils and others to gain a better \n        understanding of what trade and economic implications are to \n        U.S.-based corporations if other countries impose a Committee \n        for Foreign Investment in the United States (CFIUS) like regime \n        to protect their respective National and economic security \n        interests.\n---------------------------------------------------------------------------\n    \\4\\ The United States International Telecommunication Advisory \nCommittee (ITAC) advises the Department of State in the preparation of \nU.S. positions for meetings of international treaty organizations, \ndevelops and coordinates proposed contributions to international \nmeetings as U.S. contributions, and advises the Department on other \nmatters to be undertaken by the United States at these international \nmeetings. The international meetings addressed by the ITAC are those of \nthe International Telecommunication Union, the Inter-American \nTelecommunication Commission (CITEL) of the Organization of American \nStates, the Organisation for Economic Co-operation and Development \n(OECD) and the Asia-Pacific Economic Cooperation (APEC). Members of the \nITAC are drawn from the Government, network operators, service \nproviders, and manufacturers involved in the telecommunications sector.\n    \\5\\ The Advisory Committee on International Communications and \nInformation Policy (ACICIP) serves the Department of State in an \nadvisory capacity concerning major economic, social, and legal issues \nand problems in international communications and information policy. 
\nThese issues and problems involve users and providers of information \nand communication services, technology research and development, \nforeign industrial and regulatory policy, the activities of \ninternational organizations in communications and information, and \ndeveloping country interests.\n---------------------------------------------------------------------------\n  <bullet> Congress should consider updating the Economic Espionage \\6\\ \n        Act of 1996. While the definition of trade secret is consistent \n        with the Uniform Trade Secrets Act, which states that the \n        information is subject to reasonable measures to preserve its \n        secrecy and derives independent economic value from not being \n        generally known to or ascertainable by the public, the \n        threshold for protection is too high. As such, industry is \n        required at the onset of the development to protect any idea as \n        a trade secret. Addressing the broad-based economic industrial \n        espionage that we are observing on our corporate networks \n        requires that the Government lower the threshold for a trade \n        secret or add a threshold around proprietary information.\n---------------------------------------------------------------------------\n    \\6\\ Economic espionage, which is the knowing misappropriation of \ntrade secrets with the knowledge or intent that the offense will \nbenefit a foreign government, foreign instrumentality, or foreign \nagent. Misappropriation includes, but is not limited to, stealing, \ncopying, altering, destroying, transmitting, sending, receiving, \nbuying, possessing, or conspiring to obtain trade secrets without \nauthorization. Section 101(a) of the Economic Espionage Act (EEA) of \n1996 criminalizes economic espionage.\n---------------------------------------------------------------------------\n    Question 2. 
A large issue facing appropriate risk management for \nGovernment and critical infrastructure is supply chain risk management \nsince so much of our software and IT equipment is manufactured \noverseas.\n    What's the best approach for better evaluating the security of our \nIT supply chain?\n    Answer. The internet and the information communications \ninfrastructure has evolved and has been enhanced by global commercial \ninnovation. While the United States incubated its beginning through the \nAdvanced Research Projects Agency (ARPA) in the late 1960s, and helped \nit flourish through Palo Alto Research Center and the companies of \nSilicon Valley, its evolution and the attendant benefits to society \nhave come from many other countries and global corporations. Our \ninfrastructure is dependent on this global marketplace and our economy \nis dependent upon this backbone remaining secure and resilient. A \nbroad, holistic approach to risk management is required rather than a \nwholesale condemnation of off-shore development, foreign products and \nservices, or foreign ownership.\n    The best approach to securing our IT supply chain is one that is \ntransparent, mindful of unintended second-order consequences, and aids \nin decision making. We must recognize that the supply chain consists of \nmany phases: Design, manufacture, integrate, distribute, install and \noperate, maintain, and retire--and any conversation regarding security \nof the supply chain must apply to the entire lifecycle. To meet \ntomorrow's threats, we must develop protection measures across the \nproduct lifecycle and reinforce these measures through acquisition \nprocesses and effective implementation of agency security practices. \nFor example, the highest risks in the supply chain are ``after build'' \n(e.g. install and operate and retire phases) because this is where \nmultiple vendors participate in the process (e.g., integrate products \nwith other systems, patch/update, etc.) 
and there are few measures to \nmonitor and assure integrity throughout the entire process.\n    To understand alternative approaches will require a partnership \nwith industry that assures coordination and buy-in that enables \nindustry to ``do the right thing'' and not be penalized in the process. \nA dialogue has begun via the Open Group Trusted Technology Forum and it \nenjoys international participation by governments and industry alike. \nThe Open Trusted Technology Provider Framework sets forth best \npractices identified by a cross-industry forum which, if used by a \ntechnology vendor, may allow a Government or commercial enterprise \ncustomer to consider the vendor's products as more secure and trusted.\n    Moreover, the Cyberspace Policy Review called for the need to \n``define procurement strategies through the General Services \nAdministration, building on work by the National Security Agency for \nthe Department of Defense, for commercial products and services in \norder to create market incentives for security to be part of hardware \nand software product designs, new security technologies, and secure \nmanaged services.'' The efforts of the United States General Services \nAdministration (GSA) in working to address this requirement through the \nSmartBUY blanket purchase agreement awards aimed at providing better \ncybersecurity protection to Federal, State, local, and Tribal \ngovernments should be strongly supported. Under its new Federal-wide \nSituational Awareness and Incident Response (SAIR) Tier II \ncybersecurity initiative, GSA will use the procurement process to help \nprotect our IT infrastructure from cybersecurity incidents and other \nvulnerabilities, while providing maximum value for taxpayer dollars.\n    These two initiatives are good steps toward enhancing the security \nof the supply chain while at the same time being mindful of market \nforces.\n    Question 3. 
Will the administration's proposal of DHS authority \nover the private sector--which envisions Federal ``framework,'' used to \ndevelop cyber plans, and a subsequent evaluation of those plans--\nprovide the necessary flexibility to optimize private sector security?\n    Answer. Not necessarily. The legislative proposal states, ``the \nowners or operators of covered critical infrastructure shall develop \ncybersecurity plans that identify the measures selected by the covered \ncritical infrastructure to address the cybersecurity risks in a manner \nthat complies with the regulations promulgated, and are guided by an \napplicable framework designated.''\\7\\ This proposal attempts to \nestablish a minimum standard of care and an audit and certification \nfunction that would be similar in kind to the Securities and Exchange \nCommission (SEC) requirement for attestation of material risk. \nInserting DHS into a regulator role runs the risk of diluting its \noperational and policy responsibilities, which would detract from the \nNation's security posture. In May 2011, Senator Rockefeller asked the \nSEC to look into corporate accountability for risk management through \nthe enforcement of material risk reporting.\\8\\ And in June 2011, \nChairman Schapiro said that the SEC would look into the matter. If \nCongress believes corporations should meet such a reporting requirement \nthen it should turn to the SEC, which is the Executive Branch \nIndependent Agency responsible for this type of reporting, and not add \nan additional mission responsibility to DHS.\n---------------------------------------------------------------------------\n    \\7\\ The White House. Cybersecurity Legislative Package: \nCybersecurity Regulatory Framework For Covered Critical Infrastructure \nAct.\n    \\8\\ Senator Rockefeller letter to SEC Chairman Mary Schapiro. 11 \nMay 2011.\n---------------------------------------------------------------------------\n    Question 4. 
Will the authorizations for DHS to ``work with'' the \nFederal Acquisitions Regulatory (FAR) Council to improve supply chain \nsecurity have any practical effect?\n    Answer. It is unclear. Adjusting the way that the Government \nprocures goods and services can be a catalyst for change but may not \nnecessarily make a material difference in the security of the supply \nchain. The key is to decide what are the measures of performance that \nare desired and under what conditions? If the level of security \nassurance increases, but price goes up unacceptably, is that success? \nChanges to the FAR can certainly result in change to business \nprocesses. The changes in business processes may result in increased \ncosts which will be passed on to the Government and other customers.\n    It also is important to realize that any change to the FAR may not \napply across the Federal Government. Some agencies are exempt from \nthese rules including: the Central Intelligence Agency, the United \nStates Postal Service, the Tennessee Valley Authority, the Federal \nAviation Administration, and the Bonneville Power Administration. In \nthese cases, the agency promulgates its own specific procurement rules.\n    Question 5a. The White House has directed that all Federal \nDepartments and Agencies move a portion of their data processing and \nstorage to the cloud in the coming years.\n    While that strategy is a good one when it comes to making the most \nof Federal IT spending in these fiscally demanding times, how can the \nsecurity of the cloud be evaluated and improved to ensure that we're not \ntaking unnecessary risks with mission-critical data?\n    Answer. 
According to the National Institute of Standards and \nTechnology (NIST), ``Cloud computing is a model for enabling \nconvenient, on-demand network access to a shared pool of configurable \ncomputing resources [e.g., networks, servers, storage, applications, \nand services] that can be rapidly provisioned and released with minimal \nmanagement effort or service provider interaction.'' The key tenet of \nthe cloud is availability. But the other two cornerstones of \ninformation security--integrity and availability--are not readily \ncommanded by the cloud environment. The October 2010 report from \nForrester on cloud security states that security is the single biggest \nbarrier to broad cloud adoption.\n    In December 2010, the Office of Management and Budget (OMB) issued \na report entitled the ``25 Point Plan to Reform Federal Information \nTechnology Management'' and in February 2011 it published another \nreport entitled, the ``Federal Cloud Computing Strategy,'' where it \narticulated the need for: Consolidation, efficiency, and reduction in \nIT spend. The second report directed each department and agency to \nidentify three ``must move'' services within 3 months, and move one of \nthose services to the cloud within 12 months and the remaining two \nwithin 18 months. Most departments and agencies are looking to move \nemail to the cloud as their first project.\n    The GSA is developing a contract vehicle to service agency needs \nfor cloud computing, entitled Federal Risk and Authorization Management \nProgram (FedRAMP). Many within industry are raising substantive \nconcerns with the proposed controls and specifications as being too \ndifficult and costly, and that they potentially could prevent vendors \nfrom being able to move agency computing operations to the cloud by the \ndeadline. 
Any cloud environment that is to be used to process \nGovernment workloads must be able, at a minimum, to demonstrate that it \nprovides the same level of security (as defined in the question) as a \ntraditional system. Currently, this is demonstrated via a Federal \nInformation Security Management Act (FISMA) certification and \naccreditation (C&A) process, which process has been roundly criticized \nas a compliance-based framework focused upon a snap-shot in time. While \none can argue that a cloud computing environment can be made more \nsecure than a traditional one by leveraging certain aspects and \nfeatures of virtualization and other enabling cloud technologies, the \nsecurity ecosystem (technologies, control frameworks, audit procedures, \nthreat models, etc.) must account for the unique attributes and \nvulnerabilities of cloud computing to be relevant.\n    Having said that, several large-scale efforts are in progress, in \nboth Government and industry, to rigorously measure risk related to \ncloud computing implementation. Among these are: (1) The ``Proposed \nSecurity Assessment & Authorization for U.S. Government Cloud \nComputing'', drafted and released for comment and public input jointly \nby National Institute for Standards and Technologies (NIST), GSA, the \nFederal CIO Council, and some of its subordinate working bodies; (2) \nthe Cloud Security Alliance, an industry association centered on cloud \ncomputing, has developed a Cloud Controls Matrix, which cross-connects \nestablished security requirements in the Health Insurance Portability \nand Accountability Act of 1996 (HIPAA), the Health Information \nTechnology for Economic and Clinical Health (HITECH) Act, International \nStandards Organization (ISO), IEEE, NIST publications, FedRAMP, and \nother sources; and (3) the Defense Science Board has launched a task \nforce to review cybersecurity and reliability in a digital cloud. 
There \nis broad agreement among serious information security practitioners \nthat the task of defining security standards for cloud computing is a \nwork in progress, and several organizations have commissioned studies \n(e.g., the Intelligence and National Security Alliance (INSA) and the \nArmed Forces Communications and Electronics Association (AFCEA)) now in \nprogress, to evaluate and report on specific aspects of the subject. In \nmy opinion, one of the best, objective reports that describes the \nopportunities and vulnerabilities associated with cloud computing is \none that was published in November of 2010 by the European Network and \nInformation Security Agency (ENISA), entitled: Cloud Computing: \nBenefits, Risks, and Recommendations for Information Security.\n    Question 5b. How can continuous monitoring be implemented in the \ncloud environment? Do you have any current examples of strong security \nin the cloud?\n    Answer. It is important to recognize that the term ``cloud \ncomputing'' embraces several different technical and process models, \nwhich by their nature have highly-differentiated levels of monitoring \nand control by sponsoring organizations/hosts, and concomitantly, very \ndifferent levels of active participation by hosted entities. And when \nconsidering these, one must keep in mind that the implementation of the \ncloud is the most important aspect and no two clouds are implemented \nexactly the same.\n    How continuous monitoring gets implemented in the cloud very much \ndepends on the type of cloud environment and the willingness and \ncapabilities of the provider to conduct continuous monitoring \nactivities. There are numerous technologies that exist today or that \nare in development to enable the monitoring of the cloud (e.g., \ninfrastructure, systems, and data). The real question is: What is being \nmonitored and does it actually correspond to the proper threat model? 
\nThe United States Department of State may be an example to turn to as \nit has the ``first mover advantage'' for use of a secure cloud \nenvironment. It is applying a high degree of rigor in timely scanning \nand prioritized remediation through continuous monitoring--thereby \nproviding a more secure common baseline for all.\n    As such, there can be no general answer to this question. However, \ncertain ``private clouds'', hosted by highly-competent security \norganizations and providing infrastructure, platform, and/or software \nservices to members of their own organization only, may be considered \nhighly-secure. Examples would include certain clouds developed and used \ninside National intelligence agencies, hosted on-site and with access \nlimited to authorized employees of those organizations. In such cases, \nthe economic virtues of efficiency and economy of scale in use of IT \nresources may accrue, but security of hosted data, participants, \ninfrastructure, and services are all tightly controlled.\n    Questions From Chairman Daniel E. Lungren for Gregory E. Shannon\n    Question 1a. DHS has been developing the National Cyber Incident \nResponse Plan, which it exercises through its bi-annual response plan.\n    What more should the Federal Government be doing to improve \nresponse to cyber attacks?\n    Answer. Encourage more frequent agency and interagency cyber \nexercises that will identify technological and procedural gaps as well \nas build working relationships and trust both within and across \nagencies. For any response activity to be effective the organizations \nthat participate in the response need regular, structured, measured \npractice, weekly or monthly if possible. This practice builds common \nunderstanding of the processes and technologies to be used as well as \nbuilds trust among the various participants. 
These exercises need not \nbe immense/expensive; smaller-scale exercises testing various \nsubcomponents of a response plan on a regular basis would be valuable \nand cost-effective.\n    Support timely access to operational situation and incident data. \nThe Federal Government should study the history of the PCII program and \nthe lessons learned to update it to be more attractive to industry.\n    Encourage making meaningful sets of operational data accessible to \nresearchers so that they can determine what data is best to share and \nwhat prevention/response tactics are most effective.\n    Question 1b. Are there priorities for DHS response planning that \nwould be helpful to include in legislation?\n    Answer. Priority: How the Federal Government should engage the \nprivate sector in a major incident--what information should agencies \nprovide and when will they provide it? Plans should include: How to \nengage the private sector in a major incident, which entities does the \nGovernment need cooperation from, and how best to collaborate? This \nwill make the Government more predictable, allowing the private sector \nto then plan appropriately.\n    Priority: Grant Federal CIOs more authority for protecting their \ncyber infrastructures before incidents occur. It's difficult, if not \nimpossible, to defend that which one had no hand in creating.\n    Question 2. When CMU-CERT is engaged in a response to a cyber \nattack, what is the greatest difficulty of getting information from the \nprivate sector?\n    Answer. There are several significant barriers to getting the \nprivate sector to share information.\n    The Federal Government is frequently hard-pressed to convince the \nprivate sector that there is real value in sharing information with \nthem. The perception continues to be that when industry shares \ninformation they receive nothing (or nothing of value) in return from \nthe Government. 
CERT has been a part of successful models, such as the \nwork done by DC3 in the operation of the DoD-Defense Industrial Base \nCollaborative Information Sharing Environment (D-CISE), whose example \ncould be built upon in other critical infrastructure sectors. It takes \neffort to demonstrate to the private sector that the Government can be \nhelpful, e.g., by extracting indicators from sensitive data or by \ncreating the environments and the tools for cleansing data so it cannot \nbe attributed to its source and thereby shared with the private sector. \nAdditionally, the private sector has multiple concerns about the \npotential adverse effects of sharing information--those barriers, such \nas fines, litigation, etc., should be identified and eliminated through \nincentives and safe harbors, where possible.\n    On the other hand, while some entities might not want to share, a \nlarge number of companies (particularly small- to medium-sized \nbusinesses) do not have the capabilities to collect and/or analyze the \ndata that is necessary for their own protection, much less useful to the \nGovernment. What needs to be shared is actionable information, and the \ncapability to successfully implement the actions must still be built. \nThe Government could encourage industry to develop the competency using \nincentives (e.g., the Government could consider subsidizing these \ncompetencies through CNDSP or MSSP models).\n    How information comes to the Government can also have significant \nimpact on whether or not the Government can disseminate critical data \nto prevent further impact to other entities. In many cases, the \nGovernment knows what is happening, but effective communication of \nremediation information is often limited. At times, information comes \nin via reporting with so many restrictions that the Federal Government \ncannot share the data. 
Savvy organizations are realizing that they can \n``have their cake and eat it too'' by complying with the reporting \nrequirements while still ensuring that no data, remediation \ninformation, or conclusions from their incident are distributed.\n    Lastly, the Government, in its handling of classified information, \nshould examine current practices to find effective ways to separate \nactionable information from classified or privileged data so that \nincident data can be used to help others protect themselves.\n    Question 3a. How do we bridge the gap between operations and \nresearch to transition technology in a timely and effective manner?\n    Answer. In order to effectively transition research for real-time \noperations there must be stronger feedback mechanisms between \noperations and research.\n    We believe CERT is a successful model that brings together \nresearchers and operators and could be an effective paradigm for \nothers. The CERT Program at the SEI, through its customer engagements \nwith security operations centers, network operators, vulnerability and \nmalicious code analysis centers, incident response teams, law \nenforcement investigators, and intelligence analysts, has a first-hand \nview into the state of security in our National critical information \ninfrastructures. This view helps us understand the security strengths \nand weaknesses of fielded technology and systems, the evolving threats \nand associated attack methods and tools, the effectiveness of current \nsecurity technologies and practices, and the security needs of system \noperators. Empirical data from our DoD and other Government customer \nengagements ensure our research and development agenda is grounded in \noperational problems and realities, and we are addressing significant \nproblems for which effective solutions do not currently exist. 
This \nmodel also creates an environment where solutions can be rapidly \ndeployed and prototyping with strategic customers helps set realistic \ntransition paths for the broader community.\n    The challenge in transitioning potentially important cybersecurity \ninnovations from small companies and startups is especially profound. \nHaving spent half of my (Dr. Shannon) career in such companies, I know \nthis challenge first-hand; it is difficult, if not impossible, to get \ntimely operational feedback on one's technology when dealing with \nGovernment customers. I encourage the subcommittee to support efforts \nto bring together operationally relevant data and small companies so \nthat: (1) Government entities can determine if there's promise in the \ntechnology, and (2) the small company can quickly iterate and adapt to \nthe realities of the operational data.\n    The challenge is to create a continuous capability with steady \ninflows of technologies, operational knowledge, and Government needs. \nCERT/SEI/CMU is already doing this successfully but intermittently for \nspecific customers with innovations from academia. Sustaining this \nactivity at CERT and elsewhere and expanding it to small companies \nwould improve the flow of effective cybersecurity and incident response \ninnovations into the Government.\n    Question 3b. And what resources are needed?\n    Answer. The Government would greatly benefit from establishing and \nmaintaining a sustained cybersecurity and response innovation \nacceleration program focused on transitioning innovations from the \nprivate sector to the Government with subsidies for small businesses \nand universities and incentives for larger businesses. This endeavor \ncould be funded at $4-6 million/year and would bring four essential \nelements together: Unique operational data sources, private \ninnovations, informed scientific evaluation, and Government needs. 
The \ngoal, from first contact with a company, would be to operationally \ndeploy their validated innovation(s) in less than a year within some \nmeaningful part of the Government.\n    Question 4. How can we increase our confidence that the various \ntechnical and policy solutions proposed at any point will be as \neffective as promised/implied?\n    Answer. Encourage the use of scientifically validated metrics and \nmeasurements in studies about proposed solutions. Too often \ncybersecurity solutions proposed have been based on limited evidence \nand/or scientifically unvalidated data and techniques.\n    The ability to measure effectiveness of technology and new policy \nis an area sorely in need of research and deeply in need of funding. I \n(Dr. Shannon) am truly humbled at how little of what we experts say we \n``know'' about cybersecurity and incident response has actually \nbeen scientifically validated. Research sponsors should be encouraged \nto invest in ``the empirical science of cybersecurity'', including the \ndevelopment of metrics and experimental methods that support \nmeasurement of the effectiveness and cost/benefit of proposed security \nsolutions.\n    Question 5a. In your testimony you mention that the Government \nshould focus on three things to improve incident response capability: \ninformation sharing, forensic analysis capability, and training.\n    Focusing on information sharing, in your opinion does requiring \nreporting improve the quality of reporting or just the quantity?\n    Answer. Today, such a requirement would only increase the quantity. 
\nPer our answers to the other questions above, research into what is the \nright data to share as well as cost-effective means to collect and \nanalyze the data will enable mandatory reporting requirements to \nimprove the quality of the data.\n    With mandatory reporting requirements should come clear guidance on \nwhat data and associated meta-data needs to be shared; under what \ncircumstances; ideally normalized using a common taxonomy represented \nand exchanged using standardized formats and protocols. Research is \nneeded in these areas; NIST and others are already working on some of \nthese issues. How the data should look (form/format) is the easy part; \nwhat data is most useful is much harder.\n    Question 5b. Can too much information actually be a problem or can \nthere never be too little information when it comes to cybersecurity \nincidents?\n    Answer. Since a cybersecurity incident investigation often starts \nas an attempt to discover the true scope and scale of what transpired, \nvarious data sources need to be synthesized. The issue is not \nnecessarily having more data, but the right data. We frequently see \ncases where information collected and shared is useless. Without \ncontext about the incident, it is difficult to abstractly predict what \nmight be needed in advance. There is inherent cost in extracting and \ndelivering the data. Hence, it is convenient to know what data is \navailable and to be able to request it on demand. Achieving this \nenhanced situational awareness will require continued research and \npilot programs with data owners.\n    Question 6. 
How can legislation assist in facilitating capable, \nscalable, and cost-effective cyber incident response for Government and \ncritical infrastructure?\n    Answer.\n  <bullet> Encourage public/private cooperation and access to data for \n        empirical research.\n  <bullet> Support training operators in the same context as they work.\n  <bullet> Support scalable forensics capabilities.\n  <bullet> Regularly recognize successes in cybersecurity and incident \n        response.\n    Successful response requires close cooperation between the \nGovernment and the private sector, so as mentioned in question No. 1, \ninclusion of the private sector in plans for incident response would \ngreatly improve response effectiveness. Expanding the scope of the \ncurrent policies to include plans for working with industry would allow \nfor more timely and capable responses. Cooperation should also include \naccess for innovators to incident data, which will result in better, \nscientifically validated solutions. Additionally, the Government must \ncontinue to engage the community at large to maintain perspective on \nwhat currently exists, both in terms of technological gaps and \nsolutions.\n    People who respond to cyber incidents must be adequately trained. \nThe Government needs a training solution that is scalable and cost-\neffective, such as CERT's Virtual Training Environment (VTE) and X-NET.\n    Traditional training and education models still employ brick and \nmortar classrooms to provide infrequent instruction directed at \nindividual students. These models simply cannot keep up with the pace \nof change or provide successful and cost-effective mechanisms for \norganizations to gain and maintain the real-world experience needed to \noperate effectively in cyberspace. 
Civilian employees cannot use \nproduction agency networks for operational training, and ranges or \nlaboratory environments can be costly to develop, operate, and \nmaintain.\n    In addition to training and practice limitations, agencies \ncurrently do not have any reliable capability to assess the operational \nmission readiness of their cyber workforce. The current unit-level \ncyber assessment mechanisms rely on artificial paper-based simulations \nand ``cyber-add-ons'' to intra- and interagency exercises. Neither \napproach provides for reliable mission-readiness evaluation and \nreporting of workforce effectiveness.\n    CERT's VTE provides rich media instruction and hands-on training \nlabs to remote students over the internet. It enables students to \naccess high-quality training on security, computer forensics, and \nincident response anywhere in the world, with only a web browser and an \ninternet connection. What's more, VTE is a cost-effective way to train \nthe workforce,\\1\\ and has no expiration date, allowing students access \nto all training modules as often as they want and for as long as they \nwant after completing training. Students can continually return to the \nmodule to practice and test the network, closing the gap between \nlearning a concept and using that concept.\n---------------------------------------------------------------------------\n    \\1\\ High-Fidelity e-Learning: SEI's Virtual Training Environment \n(VTE): TECHNICAL REPORT CMU/SEI-2009-TR-005 ESC-TR-2009-005: VTE was \nused to deliver 38,157 hours of training for DISA during the period \nfrom January 1, 2007 through October 31, 2007. The American Society of \nTraining and Development (ASTD) reports that the average cost per \nlearning hour delivered by its members in 2006 was $54.25. According to \nthe ASTD data, the value of VTE-delivered training is therefore \n$2,070,017 ($54.25 per hour x 38,157 hours = $2,070,017.25). 
The total \ncost to DISA for the VTE-delivered training was $858,250. This \nrepresents a cost savings to the DISA of $1,211,767 as compared to what \nthey could have expected to pay at prevailing industry average costs. \nThe total return on investment for the DISA is 141 percent. \n(($2,070,017 - $858,250) / $858,250 = 141%).\n---------------------------------------------------------------------------\n    CERT's Exercise Network (XNET) provides real-world experience \nbuilding and readiness evaluation via synchronous, team-based, \nscenario-driven cyber exercises. Experience through routine practice is \nknown to be the decisive factor in how effectively individuals and \norganizations respond during incidents and emergency situations. XNET \nis designed to make this routine practice web-accessible for globally \ndistributed teams and units.\n    The Federal Government needs to address its current backlog of \ncyber forensics data, as well as collect forensics data in on-going \ncases in a timely and cost-effective manner. To help augment the cyber \nforensic capabilities of law enforcement, the CERT program created the \nClustered-Computing Analysis Platform (C-CAP). C-CAP is designed to \nsupport 200 concurrent computer examinations looking at 200 terabytes \nof data, allowing for a massive, coordinated effort. Absent \ncatastrophic events, the C-CAP environment can offer underequipped or \noverwhelmed agencies real-time additional resources. C-CAP is a state-\nof-the-art forensics analysis environment that provides a complete \nsuite of tools for host-based and network investigations. C-CAP \naugments scarce resources by allowing multiple users to view the same \ndata, either remotely or locally, while maximizing the application of \nspecialized computing resources to the forensic and incident response \nmissions. 
Analysts and investigators enjoy flexible, secure access to \nhigh-performance systems, increasing productivity and facilitating \ndistributed collaboration. Designed specifically for forensics and \nincident response analysis, this unique integration and packaging of \ntools accelerates the analysis processes, maximizes performance and \nreduces costs. C-CAP is a flexible solution, allowing agencies to add \nor remove components that are relevant to their particular needs. Its \nunique centralized management interface allows organizations to rapidly \nallocate platform resources to tasks or analysts. Scalable and cost-\neffective, C-CAP can be customized to suit any organization, regardless \nof size and mission.\n    Finally, we recommend that the Government recognize and reward good \nexamples of secure systems and practices. In the end, infrastructure \ncomponents need to be built more securely in the first place and by \nhighlighting those organizations who are doing it right, the Government \ncan incentivize others. The Baldrige Program is administered by the \nNational Institute of Standards (NIST) and educates organizations in \nperformance excellence management and administers the Malcolm Baldrige \nNational Quality Award. This public-private partnership is helping \norganizations achieve best-in-class levels of performance; identifying \nand recognizing role-model organizations; identifying and sharing best \nmanagement practices, principles, and strategies. A similar program or \naward in the area of security and resiliency could yield substantial \nbenefits.\n      Questions From Chairman Daniel E. Lungren for Leigh Williams\n    Question 1a. You describe a large number of items members of the \nfinancial services sector undertake with respect to cybersecurity.\n    Can you compare these activities with those of the other sectors?\n    Answer. 
We are not in a position to compare the quality or quantity \nof cybersecurity efforts in other sectors to financial services, but we \ncan identify some similarities and differences. As a similarity, we \nrecognize that individual companies in telecommunications and \ninformation technology invest heavily in cybersecurity and resiliency. \nWe understand that one difference is that financial institutions may do \nmore collaborative work because they are so technically and \ncommercially interconnected and because regulations tend to promote \nstandardization.\n    Question 1b. Which of these activities are the product of voluntary \naction by the BITS community and which are the result of Federal or \nState regulations?\n    Answer. At the institution level, most BITS members' cybersecurity \nprograms are primarily motivated by business and customer interests. \nRegulations sometimes reinforce these motivations, but also sometimes \nrequire slightly different solutions. For example, under Gramm-Leach-\nBliley, banks are required to have security programs that incorporate \nspecific elements and that are reviewed by their boards. Without the \nregulation, the vast majority of banks would still have plans, but \nperhaps with different mixes of elements, and with review processes \nspecific to their governance strategies. At the industry level--in \nefforts such as the mobile, cloud, social networking, and malware \nefforts mentioned in our June 24 testimony--virtually all of the \ncollaboration is purely voluntary.\n    Question 1c. What is the cost of complying with these activities?\n    Answer. We do not have a specific estimate of regulatory compliance \ncosts in cybersecurity. We do believe, however, that elevated \ncompliance costs can crowd out risk management spending and investments \nin innovation, and can increase costs to customers and reduce \ninstitutions' returns.\n    Question 2. 
Under the administration's proposal what new \ncybersecurity activities would BITS members undertake that they are not \nnow doing?\n    Answer. Under the administration proposal, there would be at least \ntwo ways in which BITS members could more effectively share information \nwith other sectors. First, because other sectors could be prompted to \nproduce more information and DHS would be tasked with aggregating it, \nthere would be more information available to exchange with our \ncolleagues in other sectors. Second, the safe harbor and \nconfidentiality provisions would reduce the risk of actively sharing \ninformation with the other critical infrastructures and with DHS.\n    Question 3. You are endorsing the administration's legislative \nproposal, which does not carve out the financial sector from its reach.\n    With this endorsement is it safe to assume that the financial \nindustry will not be lobbying for a carve-out or any special treatment \nif the administration's proposal moves forward?\n    Answer. BITS does not intend to advocate for the financial services \nsector to be carved out. BITS and its members do believe that the \nexisting financial regulatory frameworks and the proposed approach will \nhave to be reconciled. As we testified, this could be accomplished, for \nexample, by recognizing where substantially similar requirements \nalready exist, by leaving substantial authority within the sector, by \nrequiring DHS to work through the sector-specific agencies and primary \nregulators, or by DHS delegating authority back to the sector-specific \nagencies and primary regulators.\n    Question 4a. 
Your testimony praises the administration's \nlegislative proposal for a variety of things like coordinating with \ncompanies and other agencies; however, it was my understanding that \nmost, if not all, these activities are currently going on without this \nlegislation.\n    Which specific provisions of the administration's proposal will \ncause BITS members to make security improvements beyond their current \nactivities and why is legislation required to get the BITS membership \nto undertake these activities?\n    Answer. Yes, BITS members are already satisfying many of the \nrequirements of the administration's proposal. The value of the \nproposal does not arise primarily from BITS members individually \nimproving their security programs. Much of the value arises from \ncompanies in multiple industries and Federal agencies with various \nmissions working in closer cooperation on common problems. We think \nthis is happening reasonably well within our sector, but we see room \nfor improvement between sectors.\n    Question 4b. How much will these legislatively-mandated activities \nby BITS members improve security?\n    Answer. While the mandates in the proposal may improve BITS \nmembers' cybersecurity practices, we see much of the potential \nimprovement coming from enabling more voluntary collaboration. For \nexample, as noted above, we would anticipate improved information \nsharing and consequently better collective security among multiple \nsectors, including financial services.\n    In closing, we reaffirm our commitment to addressing this critical \nissue, and thank the committee for its active engagement. Please feel \nfree to contact me with any further questions or concerns.\n      Questions From Chairman Daniel E. Lungren for Larry Clinton\n    Question 1. Playing Devil's advocate, if critical infrastructure \nmust be regulated, what do you think that regulations should look like?\n    What is an appropriate framework for regulations?\n    Answer. 
Although the ISA generally supports market incentives as \nopposed to Government regulation as the best way to spur the needed \ninvestment in cybersecurity, this is not an absolute.\n    In fact ISA has always advocated a multi-tiered system with \nappropriate regulation mixed with market incentives. This approach is \ndeveloped more fully in the ``The Cyber Security Social Contract: \nPolicy Recommendations for the Obama Administration and the 11th \nCongress'' (2008) and the ``Social Contract 2.0: A 21st Century Program \nfor Effective Cyber Security'' (2009)--both attached.\n    The key consideration is that cybersecurity is not simply an ``IT'' \nissue but an enterprise-wide risk management issue. If we are \nconsidering cybersecurity as a risk management issue we need to assess \nnot only the technical considerations, but also the economic \nconsiderations. Research has consistently demonstrated that cost is the \nsingle biggest barrier to implementing effective cybersecurity \nstandards, practices (see CSIS and Pricewaterhouse Coopers studies \ncited in my written testimony) and technologies which other research \nhas demonstrated to work (see NSA testimony, PWC survey, and Verizon/\nSecret Service studies cited in my written testimony).\n    Where regulation is an inherent part of the economics of an \nindustry, such as in many critical infrastructures (electricity, water, \nnuclear power etc. as well as some element of the financial system) \nthen the traditional regulatory structures may be an effective tool for \npromoting appropriate investment in cybersecurity. Indeed in some \nindustry sectors of great interest to cybersecurity policy makers \nregulation could be a more effective mechanism than a market incentive \nif, as in the case of water systems for example, there really is no \nmarket.\n    Of course many of these entities are regulated at the State and \nlocal, not Federal level. 
Moreover, as the decision making devolves to \nlower levels of Government more localized issues may evolve. For \nexample a State PUC may be resistant to approving investments by a \npower company for fear of the effect this may have on local utility \nrates which could have political complications for members of the State \ncommission. However the Federal Government has a long history in finding \nways to provide incentives to the States and localities to adopt \npolicies in the National interest.\n    However even in some of these regulated sectors, market incentives \nmay still be a better mechanism than regulation. The regulatory \nstructure in most instances is too slow to keep up with the pace of \ncyber attack vectors which change with the speedy evolution of \ntechnology. Also regulation tends to push entities to achieve minimal \ncompliance whereas we may need a more aggressive effort on the part of \nenterprises not just to comply with minimum standards but to \naffirmatively look for malware and cooperate with broad industry \nsectors, and possibly beyond in information-sharing activities (see \npaper on information sharing by Jeff Brown in the attached Social \nContract 2.0).\n    For many of these sectors a more effective mechanism may well be \nthe use of streamlined regulation wherein outdated provisions or \nredundant audit requirements could be offered in return for investment \nin more aggressive methods of cybersecurity including intensive \ninternal monitoring of unauthorized outbound traffic and participation \nin creative and more modern models of information sharing than are \ncurrently being operated by DHS (see Brown paper cited above).\n    Question 2. We have had a public-private partnership for several \nyears yet the cyber problem continues to grow, doesn't that indicate \nthat the model doesn't work?\n    Answer. To begin with I'd suggest this is a non-sequitur. 
The \nreason the cyber problem has grown is not that the partnership has \nfailed but because the current incentive structure massively favors the \nattackers. Cyber attacks are cheap, easy to acquire, and can generate \nmassive profits. While cyber defense is a generation behind the \nattackers, it's difficult to justify ROI since metrics for prevented \nattacks are impossible to generate and cyber criminals are rarely \ncaught.\n    Moreover, both the Cyber Space Policy Review and the most recent \nVerizon/Secret Service study have demonstrated that the market has \nalready produced adequate mechanisms to prevent or stop most attacks \nwhich suggests the market is working (indeed most attacks are currently \nstopped--just too many still get through).\n    That said, the ISA has said from the first publication of the \nNational Strategy to Secure Cyber Space (2002) that the missing link in \nthe public-private partnership is the lack of incentives. The public-\nprivate partnership is the right model but it needs to be evolved to \nmeet the modern threats and more fully implemented--especially by the \nGovernment partners.\n    Research cited above as well as in my written testimony has long \ndemonstrated that only a substantial minority (probably between \n30% and 40%) of enterprises have what may be called a natural ROI for \nsecurity investment. When such a natural confluence occurs then \nprivate sector entities will make adequate security investment.\n    However, as illustrated in the pan-association White Paper on \ncybersecurity (cited in my written testimony and also attached) in most \ninstances the public sector and private sector assess risk differently.\n    In short form, for most of the private sector security is simply an \neconomic consideration. If you own a warehouse and 10% of your \ninventory is ``walking out the back door'' every month, you will not \nbuy the cameras, hire the guards, etc. 
to solve your security problem \nif your study shows that it costs 11% to do so. That is a good risk \nmanagement decision from a private-sector perspective.\n    The public sector has economic considerations, but also additional \nnon-economic considerations (National security, privacy, politics etc.) \nand thus may have a lower risk tolerance than their private partners \nbecause they simply assess risk differently.\n    However, as the trade associations who signed onto that paper have \nattested, we recognize that in an interconnected cyber world the \nprivate sector may be required to take on new, non-economic, and \ntraditional public sector responsibilities with respect to \ncybersecurity.\n    Therefore the public-private partnership which has heretofore \nignored the economic aspects of cybersecurity needs to evolve into a \nfuller and more sustainable model which includes Government finding \nways to offset the non-economic investments it would like private \nindustry to make in the interests of broad National security.\n    Additionally, the fact is that the public sector has not been \nfaithful to following through on their responsibilities in the \npartnership as laid out both in the NIPP and the Cyber Space Policy \nReview. For example, markets cannot function without information--a \ncentral tenet of Wall Street--but it is well-acknowledged that despite \nmillions spent on supposed Government information-sharing programs most \nsuch shared information is of little or no use to the private sector. \nGovernment still does not share the actionable threat information that \nwould allow among other things for a proper assessment of cyber risk \nand assist greatly in making the proper investments.\n    Industry is not blameless here also. 
As illustrated in two \nadditional volumes attached (``50 Questions Every CFO Should Ask About \nCyber Security'' and ``The Financial Management of Cyber Risk'') \nindustry, largely due to antiquated corporate structures and \nmisunderstandings about the true nature of the cyber threat tends to \nmisunderstand the true financial implications they are dealing with.\n    These and other issues that explain why the partnership has not fully \nworked are more extensively detailed in the pan-association white \npaper.\n    Question 3. Mr. Clinton, you advocate for the providing of market \nincentives to the private sector to improve cybersecurity, given the \nsignificant budget issues the Congress faces how can we afford to \nprovide market incentives for cybersecurity to the private sector?\n    Answer. One of the most persistent problems with digital economics \nis that everyone wants to capture the profits of digital technology but \nresists reinvesting a small portion of these profits in securing the \ntechnology that is generating them.\n    Nearly every company in the world has by now factored into its \nbusiness plan the wonders of digitalization--web-based marketing, \ninternational supply chains, VOIP instead of traditional \ntelecommunications, and remote workers. Yet, as described above we are \nnot getting the investment in cybersecurity that we should.\n    This is true for the Federal Government as well. For example the \nObama administration has announced a ``cloud first'' strategy for the \nFederal electronic systems that they claim will save them between $20-\n50 billion a year. Some of that money ought to be being plowed back \ninto system-wide--not just Government--cybersecurity.\n    However, assuming that none of this money will be invested in \nmarket incentives there are still many levers the Federal Government \ncan use to generate more private cyber investment which require little \nor no Government spending. 
Ironically, many of these incentive \nstructures are widely used in other areas of our economy; we simply \nhave not yet applied them to cybersecurity.\n    The key is to reduce Government-induced costs on industry, rather \nthan provide direct Government subsidies such as with tax incentives.\n    For example many companies may be attracted to making greater \ncybersecurity investments in return for lower liability. Less stringent \nliability costs the Government nothing but could be perceived as an \neconomic benefit to industry.\n    Another example is streamlined regulations, or as appropriate \naccelerated permitting and approvals. For example many enterprises are \nbuckling under redundant cybersecurity auditing requirements. If the \nGovernment could develop a sound baseline audit to simply remove the \nredundancy this could be offered as a carrot to enterprises that \ndemonstrate investment in proven effective e-cybersecurity techniques \nsuch as those identified in the Verizon/Secret Service study cited in \nmy testimony.\n    On a broader scale there are numerous outdated analogue-based laws \n(see Cyber Space Policy Review Appendix A) which could be modified \npossibly with reduced cost to industry.\n    Government procurement--not just for IT equipment--could also be \ntied to more stringent cybersecurity on the part of firms that compete \nfor Government contracts, or access existing (not additional) \nGovernment spending programs (e.g. small business loans--and all the \nTARP money should have come with cybersecurity requirements). In these \ncases we are not talking about Government spending more, we are simply \ntalking about who gets the spending the Government is making--weigh it \nmore heavily in terms of the compelling National interest of \ncybersecurity. No new spending required.\n    There is also a great deal that can be done to stimulate the cyber \ninsurance market. 
With a broader insurance market we can off-load much \ncurrent Government risk to the private sector. Moreover, insurance \n(discounts) are a major motivator of all sorts of pro-social behavior \nfrom smoking reduction to improved driving and building safety. ISA has \ndone a fair amount of work on how to use insurance better ranging from \nsome relatively immediate items such as sharing information leading to \nlower rates and greater uptake (due to more realistic risk assessments \nand pricing) to broader programs dealing with National re-insurance.\n    The Social Contract documents (attached) provide some additional \nexamples.\n    Question 4. If as you say we know how to prevent or mitigate most \nbasic cyber attacks by use of current standards and activities why \ndon't we just mandate that companies do these best practices?\n    Answer. We can't just put seatbelts on the internet and think we \nhave solved the problem.\n    As identified in answer No. 2, the problem is that there are \nmassive incentives right now favoring the attackers.\n    Yes we have come up with ways to deal with most current attacks, \nbut the attack methods will continually evolve.\n    ISA is not interested in solutions; it is interested in creating a \nsustainable system of cybersecurity.\n    To do this we need a much more dynamic motivator than Government \nregulations, we need to use the market.\n    As described in greater detail in Chapter 1 of each of the Cyber \nSocial Contract documents attached, the Government regulatory model \ninvented to address the hot technology of 2 centuries ago--the \nrailroads--is not going to work for the 21st Century problem of \ncybersecurity. 
We need a more active model which will keep up with \nattacks, can be applied internationally, will not provide a roadmap to \nthe attackers and generate an atmosphere of faux compliance (equivalent \nto campaign finance laws which everyone complies with and no one thinks \nactually addresses the ``problem'' they are supposed to solve).\n    Regulations (outside of those sectors for which the regulations \nare part of the inherent economy of the sector as described in answer \n1) will be too slow, outdated quickly, and too minimalistic to address \nthe modern problem we face.\n    Question 5. If companies are losing so much money due to cyber \nattacks, why are there not already enough incentives for them to invest \nto stop the attacks?\n    Answer. Part of this answer was addressed in the answer to question \n3, above, where we discussed the fact that industry and the Government \nassess risk in fundamentally different ways with industry, concerned \nalmost entirely about the economics of the situation, having a greater \nrisk tolerance than the public sector.\n    However there are many other problems. For example, it is very hard \nto make truly accurate assessments of economic cyber losses for a \nvariety of reasons including the fact that for sophisticated cyber \nattacks one may not know they have been the victim of the attack until \nlong after it has occurred because as in the case of the loss of \ncorporate IP, (the largest economic loss) the property is not stolen in \nthe physical sense--it remains--it's just a copy has been made and \nmay be being used to create a clone product or service.\n    In still another complication we have the ``interconnection \nproblem''. 
Due to the inherent interconnectedness of the internet it is \npossible for a thief to steal your data that happens to be residing on \nmy system (I may not even have a direct relationship with you--I could \nbe a sub-contractor to a subcontractor--with little or no incentive to \nprotect your data which is valuable whereas my own data may not be as \nvaluable so I don't invest in security adequate to your needs).\n    Additionally, we have the problem with poor appreciation of actual \nfinancial risk as described above.\n    Finally, there is the fact that in the current economic climate \nbusinesses are being forced to make themselves ever more efficient \nincluding cutting costs by adopting less secure technologies. VOIP, \ninternational supply chains and cloud computing are all examples of \ntechnologies that are increasing our cyber risks but are being widely \ndeployed (including by the U.S. Federal Government) despite their \nsecurity flaws due to the irresistible economic imperatives we all \nface.\n    Government's job ought not to be to punish the victims of cyber \nattacks who are forced to compete in the digital world we now inhabit \nbut to use the mechanisms at its disposal creatively, as described \nabove to assist enterprises in securing our Nation's system in a \nsustainable and economically sensible way.\n</pre></body></html>\n"