[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]







     CYBERSECURITY: AN OVERVIEW OF RISKS TO CRITICAL INFRASTRUCTURE

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 26, 2011

                               __________

                           Serial No. 112-80









      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
73-391 PDF                WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001






                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 _____

              Subcommittee on Oversight and Investigations

                         CLIFF STEARNS, Florida
                                 Chairman
LEE TERRY, Nebraska                  DIANA DeGETTE, Colorado
SUE WILKINS MYRICK, North Carolina     Ranking Member
JOHN SULLIVAN, Oklahoma              JANICE D. SCHAKOWSKY, Illinois
TIM MURPHY, Pennsylvania             MIKE ROSS, Arkansas
MICHAEL C. BURGESS, Texas            KATHY CASTOR, Florida
MARSHA BLACKBURN, Tennessee          EDWARD J. MARKEY, Massachusetts
BRIAN P. BILBRAY, California         GENE GREEN, Texas
PHIL GINGREY, Georgia                DONNA M. CHRISTENSEN, Virgin 
STEVE SCALISE, Louisiana                 Islands
CORY GARDNER, Colorado               JOHN D. DINGELL, Michigan
H. MORGAN GRIFFITH, Virginia         HENRY A. WAXMAN, California (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)

                                  (ii)










                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     1
    Prepared statement...........................................     4
Hon. Diana DeGette, a Representative in Congress from the State 
  of Colorado, opening statement.................................     7
    Prepared statement...........................................     9
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, opening statement..............................    11
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................    11
    Prepared statement...........................................    13
Hon. Donna M. Christensen, a Representative in Congress from the 
  Virgin Islands, opening statement..............................    14
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, prepared statement..............................    75
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, prepared statement...................................    77

                               Witnesses

Roberta Stempfley, Acting Assistant Secretary, Office of 
  Cybersecurity and Communications, National Protection and 
  Programs Directorate, Department of Homeland Security..........    15
    Prepared statement \1\.......................................
Sean P. McGurk, Director, National Cybersecurity and 
  Communications Integration Center, Office of Cybersecurity and 
  Communications, National Protection and Programs Directorate, 
  Department of Homeland Security................................    16
    Prepared statement...........................................    19
Gregory C. Wilshusen, Director, Information Security Issues, 
  Government Accountability Office...............................    31
    Prepared statement...........................................    33

----------
\1\ Ms. Stempfley issued a joint statement with Mr. McGurk for 
  the record.

 
     CYBERSECURITY: AN OVERVIEW OF RISKS TO CRITICAL INFRASTRUCTURE

                              ----------                              


                         TUESDAY, JULY 26, 2011

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 11:00 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. Cliff 
Stearns (chairman of the subcommittee) presiding.
    Members present: Representatives Stearns, Murphy, Burgess, 
Blackburn, Scalise, Griffith, DeGette, Schakowsky, Castor, 
Green, Christensen, and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight and 
Investigations; Todd Harrison, Chief Counsel, Oversight and 
Investigations; Karen Christian, Counsel, Oversight and 
Investigations; Alan Slobodin, Deputy Chief Counsel, Oversight 
and Investigations; Peter Spencer, Professional Staff Member, 
Oversight and Investigations; Carly McWilliams, Legislative 
Clerk; Andrew Powaleny, Press Assistant; Sean Bonyun, Deputy 
Communications Director; Kristin Amerling, Democratic Chief 
Counsel and Oversight Staff Director; Tiffany Benjamin, 
Democratic Investigative Counsel; Karen Lightfoot; Democratic 
Communications Director and Senior Policy Advisor; and Ali 
Neubauer, Democratic Investigator.
    Mr. Stearns. Good morning, everybody. And the subcommittee 
will come to order. And I will start with my opening statement.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    I have called to order this subcommittee's first hearing on 
cybersecurity and critical infrastructure protection. Over the 
last 15 years, our Federal Government has wrestled with the 
question of how best to protect our Nation's critical 
infrastructures from cyber attacks. Since September 11, our 
infrastructure systems have become even more automated and more 
reliant on information systems and computer networks to 
operate. This has allowed our systems to become more efficient, 
but it has also opened the door to cyber threats and cyber 
attacks.
    Recent reports and news articles have highlighted how 
threats and risks to cybersecurity have created vulnerabilities 
in our Nation's critical infrastructures and information 
systems. For example, just last week, the Department of 
Homeland Security sent out a bulletin about potential insider 
threats to utilities. That bulletin stated that outsiders have 
attempted to obtain information about the utilities' 
infrastructure to use in coordinating and conducting a cyber 
attack.
    In March 2011, the computer systems of RSA were breached. 
RSA manufactures tokens for secure access to computer networks. 
Sensitive information about these tokens was stolen and later 
used to hack into the network of Lockheed Martin, a Department 
of Defense contractor.
    Last summer, the Stuxnet attack was identified. Stuxnet 
targets vulnerabilities in industrial control systems such as 
nuclear and energy to gain access to the systems and then 
manipulate the control process. This kind of attack has the 
potential to bring down or severely interrupt the functions of 
an electricity or even a nuclear plant.
    The issues surrounding critical infrastructure protection 
and security are complex. Our systems are interconnected and 
depend on one other to operate. A vulnerability in one critical 
infrastructure naturally exposes other critical infrastructures 
to the same threats and risks, either because they are linked 
together through information systems or because one 
infrastructure depends on another to operate. In addition, much 
of the country's critical infrastructures are privately owned, 
as much as 80 or 90 percent. They therefore have different 
operations, components, control systems, and computer 
networks--as well as vastly different resources available to 
address problems like cybersecurity and infrastructure 
protection.
    My colleagues, we must identify and protect the very 
systems that make our country run: energy, water, healthcare, 
manufacturing, and communications. Pursuant to the Homeland 
Security Act of 2002, DHS has led the coordination of 
infrastructure protection efforts with the private and public 
sectors and numerous federal agencies. One way DHS does this is 
to coordinate working groups and information sharing and 
analysis centers or ISACs in the individual critical 
infrastructure sectors and in cross-sector working groups.
    DHS is primarily responsible for conducting threat analysis 
and issuing warnings about cyber threats so that other federal 
agencies and the owners and operators of critical 
infrastructure can simply protect their systems. DHS' efforts 
to protect our critical infrastructure have been the subject of 
some criticism.
    Since 2003, the Government Accountability Office has 
designated ``protecting the Federal Government's information 
systems and the Nation's cyber critical infrastructures'' as a 
``high risk'' area. In particular, in a report issued last 
July, GAO found that public- and private-sector owners and 
operators of critical infrastructure were not satisfied with 
the kind of cyber threat information they were getting from 
DHS. GAO has also expressed some concern that the sector-
specific plans for dealing with cybersecurity need to be 
updated. In light of growing and more sophisticated cyber 
attacks, this is obviously a critical issue.
    As I mentioned previously, this is the subcommittee's first 
hearing in this Congress on critical infrastructure protection 
and cybersecurity. The purpose of this hearing in particular is 
to get an overview of DHS' role and responsibilities and how it 
coordinates with the sector-specific federal departments and 
agencies, many of which are subject to this committee's 
jurisdiction. Once we have a better understanding of DHS' role, 
it is my intention to call additional hearings to understand 
the issues that are presented in protecting the individual 
sectors, such as energy and information systems and 
communications.
    Many ideas have been presented about how to improve 
critical infrastructure protection and cybersecurity. I believe 
the Oversight and Investigations Subcommittee has an important 
role to play in examining and bringing to light what is working 
now, and what can be done better.
    I should note that this subcommittee's inquiry into this 
matter began with a bipartisan letter to the Department of 
Homeland Security asking for a briefing about its efforts to 
protect critical infrastructure. I appreciate the support of 
Ranking Member, Ms. DeGette, and the minority in this 
investigation. As Members of Congress, one of our foremost 
responsibilities is protecting our Nation's security and the 
safety of its citizens.
    With that I yield opening statement to the ranking member, 
Ms. DeGette.
    [The prepared statement of Mr. Stearns follows:]



    
 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you very much, Mr. Chairman. And like 
you, this is a matter of great urgency. I am glad we are having 
this overview hearing and I am also happy to work with the 
majority on additional hearings in the particular issues of 
cybersecurity.
    Just today, in the Washington Post it talked about a GAO 
report on significant breaches of classified computer networks 
in the Department of Defense. And while that is not in the 
jurisdiction of this committee, it just points out how 
vulnerable this country can be and why it is so important to 
keep our information systems safe.
    The chairman referred to the cyber attack on RSA, which 
compromises the Department of Energy systems that necessitated 
shutting down internet connectivity for several days and 
breaches of Citibank data belonging to hundreds of thousands of 
customers. Anecdotally, at least, it seems like these breaches 
are becoming more and more frequent. The incidents remind us of 
the need for vigilance regarding efforts to prevent 
cybersecurity breaches and respond effectively when they occur 
and the importance of congressional oversight in these areas.
    As the chairman mentioned, I asked him earlier this 
Congress to look into these issues, and I am really glad that 
we are going to have a rigorous review of all of the 
cybersecurity issues. As the chairman mentioned, we have 
jurisdiction over a number of key components of our Nation's 
critical infrastructure, including the electrical grid, 
drinking water system, chemical plants, healthcare system, and 
telecommunications activities. In the last Congress, we saw 
progress in this committee regarding addressing cybersecurity 
issues in a number of these areas. The committee developed and 
passed on a bipartisan basis legislation to promote security 
and resiliency in the electrical power grid by providing the 
Federal Energy Regulatory Commission new authorities and 
providing for Department of Energy assistance to industry to 
protect the grid against cyber threats and other 
vulnerabilities. The committee also developed and passed 
legislation regarding chemical and drinking water facilities to 
meet the risk-based cybersecurity performance standards.
    Cybersecurity issues are complex and evolving and deserve 
continuing and focused attention. One major question is how to 
best ensure an effective public-private partnership to address 
cybersecurity threats. The majority of our Nation's critical 
infrastructure is owned or operated by the private sector. 
While there are incentives for private-sector entities to 
protect the security of their information networks, national 
security priorities may not always align with priorities and 
capabilities of the private sector.
    I know that the Department of Homeland Security witnesses 
before us today are helping lead the administration's efforts 
to foster private- and public-sector cooperation in promoting 
cybersecurity and I look forward to hearing their insights on 
progress that is being made and obstacles that may still exist.
    Another question we have to ask is how to best ensure that 
the Federal Government is drawing on its own expertise and 
experience to ensure cybersecurity measures are appropriately 
tailored to address specific needs in different critical 
infrastructure sectors. I look forward to hearing from GAO 
about these challenges. But even with a maximally effective 
partnership of federal agencies, state and local governments, 
and the private sectors in our country on cybersecurity 
protection, we must still address issues raised by the fact 
that information networks do not have national boundaries. Many 
reports suggested that the cyber attacks have started outside 
of American borders, raising serious questions about how we 
ensure international cooperation to protect against threats 
that cross borders. And in this DOD example, in the GAO report 
today, apparently the cyber attack came from a portable 
computer, a laptop computer that was somehow tapped into.
    And so I look forward to the insights of today's witnesses 
on these and other issues. I hope that we will build on this 
hearing with additional hearings on cybersecurity. It is one of 
the few bastions of bipartisanship left around here this week 
and I am happy to be part of it.
    I yield back.
    [The prepared statement of Ms. DeGette follows:]



    
    Mr. Stearns. I thank the gentlelady and recognize the 
gentleman from Texas, Dr. Burgess, for 2 minutes.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. I thank the chair.
    To say that this committee has been working diligently for 
years is kind of an oxymoron but it does seem through several 
terms on this subcommittee we have indeed delved into this 
issue. I am anxious that we bring this to a legislative 
conclusion and institute those things that will provide the 
protection that I think we all feel that we need. There are 
critical urgent things that need to be done to protect our 
transmission grid, our power plants from attacks from those who 
wish to do us harm. The threats are real. It is time to move 
the legislation forward.
    We do have to be careful that we don't unduly shift the 
balance of responsibility that has been properly maintained 
between the government and the private sector for decades. It 
is important that we be careful; it is important that we be 
prudent in providing the Federal Government any additional 
authority. If indeed any is necessary, it must be done in a way 
that cannot be abused and will not result in significantly 
higher cost to consumers and businesses at a time when the 
economy is so fragile. And it must not result in the loss of 
any personal freedoms that people now have.
    The testimony we will hear today will help this committee 
in perfecting legislation that was considered last year. I 
certainly look forward to working with members on both sides of 
the dais to ensure that the legislation is mindful of both the 
real threats that we face and the burdens that granting new 
powers to the Federal Government can create. Ensuring this 
balance can and should be done.
    Thank you, Mr. Chairman, for the recognition. I will yield 
back my time.
    Mr. Stearns. The gentleman yields back and the gentlelady 
from Tennessee, Ms. Blackburn, is recognized for 2 minutes.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you, Mr. Chairman. And I want to 
welcome our witnesses. We appreciate that you would take the 
time and come over here to the Hill. We all do know and do 
agree that cybersecurity is an important issue and we know that 
there are those who are, as we speak, waging war if you will on 
our vital infrastructure.
    Last month, Wall Street Journal reported that the IMF was 
investigating a recent cyber attack. Not surprisingly, this 
attack came just 1 month after a group called Anonymous 
indicated its hackers would target the IMF Web site in response 
to the strict austerity measures in its financial package of 
Greece.
    Closer to home, in my State of Tennessee, presides our 
Nation's largest public power utility, the Tennessee Valley 
Authority. TVA's power networks stretch across 80,000 square 
miles in the Southeastern U.S. and provide electricity to more 
than 8.7 million Americans. Under Homeland Security 
Presidential Directive number 7, TVA is considered a National 
Critical Infrastructure and must take great steps to protect 
and to safeguard its essential cyber assets. A power grid 
disruption or other threat on TVA operations or any other 
public utility in our country would cause a cascading effect 
impacting our economy, safety, and daily lives.
    In fact, this concern was reaffirmed last month as former 
CIA director and current Secretary of Defense Panetta appeared 
before the Senate Armed Services Committee and declared that 
the next Pearl Harbor our Nation confronts could very well be a 
cyber attack that cripples our power systems, the grid, our 
security systems, our financial systems, and our governmental 
systems.
    With all that in mind, I thank the chairman for the 
hearing. I thank you all for your participation as we discuss 
what steps DHS is taking to avoid what would be the 
unimaginable, a Pearl Harbor attack on our Nation's vital 
infrastructure.
    And I yield back.
    [The prepared statement of Mrs. Blackburn follows:]



    
    Mr. Stearns. The gentlelady yields back and I recognize Ms. 
Christensen from the Virgin Islands for 5 minutes.

 OPENING STATEMENT OF HON. DONNA CHRISTENSEN, A REPRESENTATIVE 
              IN CONGRESS FROM THE VIRGIN ISLANDS

    Mrs. Christensen. Thank you, Chairman Stearns, and thank 
you, Ranking Member DeGette, for holding this hearing to 
discuss cybersecurity risks, threats, and challenges to our 
Nation's critical infrastructure. Many of today's battles are 
in cyberspace where terrorism and hackers help attack our cell 
phones, computer grids, and have the potential to destroy 
sensitive information in 18 of our Nation's most critical 
sectors.
    Since 9/11, we have known to expect that we would 
experience terrorist attacks that would be cyber attacks. As a 
former member of the Homeland Security Committee, I have taken 
part in many hearings and worked on legislation addressing this 
issue. As our witnesses who we welcome here today will testify, 
a lot has been done to create entities to coordinate and 
oversee efforts to address and prevent cybersecurity threats. 
But there are still challenges to protecting our Nation's 
infrastructure from these threats and we must continue to 
examine how we can overcome these challenges.
    In doing so, it is important that we pass legislation to 
protect our Nation's electric grid. All of these long-term 
initiatives require a national electric grid that is reliable 
and secure. The electrical grid serves more than 143 million 
American customers, has to operate without interruption, and is 
a key foundation of our national security. Designing and 
operating an electrical system that prevents cybersecurity 
events from having a catastrophic impact is a challenge we must 
all address. And I want to add that the healthcare sector is 
not immune to these attacks either.
    So I would like to thank DHS and GAO and commend both 
Agencies for their efforts to address imminent cybersecurity 
threats. And with that, I will yield back the balance of my 
time.
    Mr. Stearns. The gentlelady yields back.
    And at this time, we will move to our first panel, our 
witnesses. Let me address you folks.
    You are aware that the committee is holding an 
investigative hearing and when doing so has had the practice of 
taking testimony under oath. Do you have any objections to 
taking testimony under oath? All right. No.
    The chair then advises you that under the rules of the 
House and the rules of the committee you are entitled to be 
advised by counsel. Do you desire to be advised by counsel 
during your testimony today? All right.
    In that case, if you will please rise and raise your right 
hand, I will swear you in.
    [Witnesses sworn.]
    Mr. Stearns. You are now under oath and subject to the 
penalties set forth in Title XVIII, Section 1001, of the United 
States Code.
    We welcome the three of you for your 5-minute summary 
statement. And we have Ms. Bobbie Stempfley, Acting Secretary 
of the DHS Office of Cybersecurity and Communications, welcome; 
and Mr. Sean P. McGurk, Director, National Cybersecurity and 
Communications Integration Center in the Office of 
Cybersecurity and Communications at DHS; and lastly, Mr. 
Gregory Wilshusen, Government Accountability Office Director of 
Information Security Issues. Thank you.
    And Ms. Stempfley, we welcome your opening statement. Just 
turn the mike on if you don't mind. Just move it close to you 
so we can hear you. That would be super. Thanks.

 STATEMENTS OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY, 
OFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION 
AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY; SEAN 
P. MCGURK, DIRECTOR, NATIONAL CYBERSECURITY AND COMMUNICATIONS 
INTEGRATION CENTER, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, 
  NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF 
    HOMELAND SECURITY; AND GREGORY C. WILSHUSEN, DIRECTOR, 
 INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

                 STATEMENT OF ROBERTA STEMPFLEY

    Ms. Stempfley. OK. Thank you very much. So thank you very 
much, Chairman Stearns, Ranking Member DeGette, and other 
members of the subcommittee.
    As you heard, my name is Bobbie Stempfley, and I am the 
Acting Assistant Secretary in the Office of Cybersecurity and 
Communications at the Department of Homeland Security, and it 
is definitely my privilege to be here to speak to you today 
with my colleagues from across government to talk about 
cybersecurity, which is an area of great passion for all of us.
    The opening comments did such a wonderful job describing 
the threat landscape that we operate in today. It certainly is 
one we have increasing sophistication, increasing severity, and 
an environment where no one is immune from individuals to 
private-sector companies, and one where we see it slightly 
untenable where the threat actors have to make one right choice 
in an environment where only a single wrong implementation in 
the networks that are being defended enables access. And so it 
is an environment where we spend a great deal of time bringing 
together private-sector partners and others.
    We have identified 38,000 vulnerabilities over a period of 
time in critical infrastructures and provide warning 
notification and awareness products around those 
vulnerabilities to private-sector individuals. It is an 
environment, as the chairman pointed out, of significant 
interdependence, both between critical infrastructure sectors, 
between corporations, between environments. Several examples 
that you provided do a wonderful job illuminating that 
interdependence across the board. And that means that it 
requires an interdependent and integrative approach in order to 
provide protective, preventative, and restoral and defensive 
measures both across government and within the private sector.
    It is the job of the National Protection and Programs 
Directorate; it is our mission responsibility to secure the 
federal executive civilian branch--that is the federal 
departments and agencies--to provide technical support to 
private-sector individuals, owners, and operators to help them 
with risk assessment, with mitigation, with restoral and 
response activities. It is also our mission to provide general 
awareness to the broad public. And finally, as Mr. McGurk will 
discuss, to provide national coordination and response across 
the board.
    It is, as I said, not an environment where a single 
solution works or a single organization provides all of the 
answers. It is an environment where much progress has been made 
and it is a team sport for us all. Cooperation between law 
enforcement, between intelligence agencies, between the 
Homeland Security, between, as I said, government and private 
sector is a significant part of how we need to move forward of 
the successes we have had to date.
    Examples such as you pointed out, the compromise in RSA 
really helps demonstrate the progress that has been made in 
government. The response that we had in that worked across a 
set of responsibilities defined in the National Cybersecurity 
Instant Response Plan where law enforcement has responsibility 
for pursuit and for investigation, where intelligence has 
warning responsibilities and attribution responsibilities, and 
where Homeland Security's responsibilities are in protection, 
prevention, restoral, and response. And that partnership across 
government is so important for us as we work through each of 
the events that occur.
    We have in a proactive manner responded to 100 requests 
from critical infrastructure partnerships, largely across 
water, oil, and gas and power to help identify vulnerabilities 
in their environment and help them improve the capabilities 
that they have for protection and for response. It is through 
that partnership that we continue to work to enhance our 
prevention activities because, as we said, we are in that 
untenable environment today.
    What we have also put a great deal of effort in is to 
increase visibility and information sharing across 
environments. Again, I look forward to the comments of Mr. 
McGurk in our operations center. But it is information sharing 
not only in operations and in response, but information sharing 
at large that is important across the board.
    And so in conclusion, I look forward to further questions 
from the committee to discuss what we have done. And it, again, 
is my pleasure to be here today.
    [The joint prepared statement of Ms. Stempfley and Mr. 
McGurk appears after Mr. McGurk's testimony.]
    Mr. Stearns. Thank you.
    Mr. McGurk, you are welcome for your opening statement.

                  STATEMENT OF SEAN P. MCGURK

    Mr. McGurk. Thank you, Chairman Stearns, Ranking Member 
DeGette, and distinguished members of the subcommittee. My name 
is Sean McGurk. I am the director of the National Cybersecurity 
and Communications Integration Center, also known as the NCCIC. 
Thank you for inviting me here today along with my 
distinguished colleagues to discuss the overall cyber-risk to 
critical infrastructure. The Department greatly appreciates the 
committee's support for our central mission and looks forward 
to working with the committee to establish the necessary plans 
and programs moving forward to address risks to the critical 
infrastructure.
    The cyber environment is not homogenous under a single 
department or agency nor under the private sector. Each of the 
18 critical infrastructure and key resource sectors are 
completely different--energy, water, nuclear, transportation, 
they all have their unique challenges and their unique 
environments. In fact, within a particular company, two plants 
may not have the same operating environment. We rely on this 
continuous availability of a vast, interconnected, critical 
infrastructure to sustain our way of life. A successful cyber 
attack could potentially result in physical damage and even 
loss of life. We face a significant challenge moving forward--
strong and rapidly expanding adversary capabilities and a lack 
of comprehensive threat and vulnerability awareness.
    Support of these efforts from our private-sector partners 
is key to securing these critical infrastructures. The 
government does not have all the answers, so we must work with 
the private sector to establish those guidelines. There is no 
one-size-fits-all solution in a cyber environment. There is no 
cyber Maginot Line. We must leverage our expertise and our 
access to information, along with industry-specific needs, 
capabilities and timelines. Each partner has a role and a 
unique capability, as demonstrated by the diversity of this 
panel.
    Two-factor authentication was mentioned earlier, the RSA 
example. In that particular example, within a 24-hour period, 
the Department, working along with law enforcement and with the 
intelligence community, responded to a request from the private 
industry partner to provide a mitigation, identification, and 
assessment team in support of their mitigation efforts. The 
Department continuously works with our private-sector partners 
and the financial-services sector, energy sector, 
communications, IT, and others to prepare, prevent, respond, 
recover, and restore.
    Coordinating the national response of domestic cyber 
emergencies is the focus of the National Cyber Incident 
Response Plan and indeed the NCCIC. The what and the how on the 
cyber attack is the focus and the intent of our mitigation 
activities. The who and the why usually come later.
    The NCCIC works closely with the government at all levels 
and private sector to coordinate and integrate a unified cyber 
response. Sponsoring security clearances for our partners 
enable them to participate fully in our watch-center 
environment. To date, we have physical representation from the 
communications sector and its Information Sharing and Analysis 
Center and also with companies such as AT&T, Verizon, and 
Sprint. The information technology sector is represented 
physically on the watch floor along with the financial-services 
sector, NERC, representing the North American Energy 
Reliability Corporation; representing the energy sector, 
Information Sharing and Analysis Center; and most recently, we 
have begun to coordination and share information with the 
National Electric Sector Cybersecurity Organization, or NESCO.
    We have virtual connections as well as physical connections 
with these organizations and we share data in near-real time. 
Additionally, we have a physical representative from the Multi-
State ISAC, enabling us to provide actionable intelligence to 
state, local, tribal, and territorial governments and their 
representatives. Each of these partners bring a unique 
perspective and a unique capability to the watch environment.
    Currently, within our legal authorities, we continue to 
engage, collaborate with our partners and provide analysis, 
vulnerability, and mitigation assistance to the private sector. 
We have experience and expertise in dealing with the private 
sector in planning steady-state and crisis scenarios. We have 
deployed numerous incident-response teams and assessment teams 
that enable us to prevent and to respond, recover, and restore 
to cyber impacts.
    Finally, we work closely with the private sector and our 
interagency partners and law enforcement and intelligence to 
provide the full complement of capabilities from the federal 
standpoint in preparation for and response to significant cyber 
incidents.
    Chairman Stearns, Ranking Member DeGette, and distinguished 
members of the subcommittee, let me conclude by reiterating 
that I look forward to exploring opportunities to advance the 
mission and collaboration with the subcommittee and my 
colleagues in the public and private sector. Thank you again 
for this opportunity to testify and would be happy to answer 
your questions.
    [The joint prepared statement of Ms. Stempfley and Mr. 
McGurk follows:]




    Mr. Stearns. Thank you. Mr. Wilshusen?

               STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Chairman Stearns, Ranking Member DeGette, 
and members of the subcommittee, thank you for the opportunity 
to testify in today's hearing on the cybersecurity risks to the 
Nation's critical infrastructure. But before I begin, if I may, 
Mr. Chairman, I would like to recognize Mike Gilmore, Tammy 
Carvette, and Lee McCracken, who is sitting behind me, and also 
Brad Becker from our Denver office, who are responsible for the 
significant contributions in reviewing this area and helping me 
prepare this testimony today.
    Mr. Stearns. I am glad you did. Thank you.
    Mr. Wilshusen. Critical infrastructures are systems and 
assets, whether physical or virtual, so vital to our Nation 
that their incapacity or destruction would have a debilitating 
effect on our national security, economic wellbeing and public 
health and safety. They include, among other things, banking 
and financial institutions, telecommunications networks, and 
energy production transmission facilities, most of which are 
owned by the private sector. These infrastructures have become 
increasingly interconnected and dependent on interconnected 
networks and systems. And while the benefits of this 
interconnectivity have been enormous, they can also pose 
significant risk to the networks and systems, and more 
importantly, to the critical operations and services they 
support.
    In my testimony today, I will describe the cyber threats 
confronting critical infrastructures, recent actions by the 
Federal Government to identify and protect these 
infrastructures and ongoing challenges to protecting them.
    Mr. Chairman, our Nation's critical infrastructures face a 
proliferation of cyber threats. These threats can be 
intentional or unintentional. Unintentional threats can be 
caused by equipment failures, software upgrades, or maintenance 
procedures that inadvertently disrupt the systems. Intentional 
threats include both targeted and non-targeted attacks from a 
variety of sources, including criminal groups, hackers, 
insiders, and foreign nations engaged in intelligence gathering 
and espionage.
    First, recent reports of cyber attacks incidents involving 
cyber-reliant critical infrastructure underscore the risks and 
illustrate that they can be used to disrupt industrial control 
systems and operations, commit fraud, steal intellectual 
property and personally identifiable information, and gather 
intelligence for future attacks. Over the past 2 years, the 
Federal Government has taken a number of steps aimed at 
addressing cyber threats and better protecting critical 
infrastructures.
    For example, a cyberspace policy review identified 24 
recommendations to address the organizational and policy 
changes needed to approve the current U.S. approach to 
cybersecurity. DHS updated the National Infrastructure 
Protection Plan in part to provide a greater focus on cyber 
issues and issued an interim version of the National Cyber 
Incident Response Plan. It also conducted Cyber Storm III, a 
cyber attack simulation exercise intended to test elements of 
the National Response Plan.
    In addition, DHS, as you know, created the National 
Cybersecurity and Communications Integration Center, or NCCIC, 
to coordinate national response efforts, as well as work 
directly with other private- and public-sector partners.
    Despite these threats, more needs to be done to address a 
number of remaining challenges. For example, implementing the 
recommendations made by the President's Cybersecurity Policy 
Review, updating the national strategy for securing the 
information and communications infrastructure, strengthening 
the public-private partnerships for securing cyber-reliant 
critical infrastructures, enhancing cyber analysis and warning 
capabilities, and securing the modernized electricity grid.
    In summary, the threats to information systems are evolving 
and growing and systems supporting our Nation's critical 
infrastructures are not yet sufficiently protected to 
consistently thwart the threats. While actions have been taken, 
federal agencies and partnership with the private sector need 
to act to improve our Nation's cybersecurity posture, including 
enhancing cyber analysis and warning capabilities and 
strengthening the public-private partnerships. Until these 
actions are taken, our Nation's critical infrastructure will 
remain vulnerable.
    Mr. Chairman, this concludes my statement. I would be happy 
to answer any questions for you or other members of the 
subcommittee.
    [The prepared statement of Mr. Wilshusen follows:]



    
    Mr. Stearns. I thank the gentleman.
    Let me ask you a question. I have your opening statement 
here in which you mention various cybersecurity attacks. They 
are putting software viruses into the network. Is that 
primarily what it is?
    Mr. Wilshusen. It could be a number of different attacks. 
In terms of one to include computer intrusions in which 
individuals are able to gain access through the installation of 
malicious software. For example, if a user inadvertently 
plugged a USB into his computer that was corrupted, it could 
install some malicious software, which might facilitate an 
attack.
    Mr. Stearns. Now, when an attack occurs----
    Mr. Wilshusen. Um-hum.
    Mr. Stearns [continuing]. Generally, what does that attack 
look like? They are coming in to steal information, or are they 
coming to put in a replicating software that will destroy it, 
or is it just putting in there to observe? What of those three?
    Mr. Wilshusen. It could be any of the combinations.
    Mr. Stearns. Any of those three combinations?
    Mr. Wilshusen. Right. One, in terms of either to sabotage 
his particular system or gain information for future attacks 
perhaps or as well to----
    Mr. Stearns. Depending upon their motivation.
    Mr. Wilshusen. Depending upon their motivation.
    Mr. Stearns. Mr. McGurk, what do you think?
    Mr. McGurk. Yes, sir. I would also echo my colleague's 
statements that the vast array of capability we see 
demonstrated with the malicious code is such that it 
encompasses all of those things.
    Mr. Chairman, you had mentioned Stuxnet earlier. That is a 
great example of a particular piece of malicious code that 
demonstrated very unique capabilities. It not only exploited 
what we call zero-day vulnerabilities, which are 
vulnerabilities that are not known in the public environment, 
but also it used advanced communication capability. It did 
advanced reconnaissance, so it was gathering information. And 
subsequently, it left behind that malicious code that was able 
to have a physical impact.
    Mr. Stearns. Now, are we in the United States, you know, we 
have jurisdiction over energy, water, information technology, 
communication, nuclear plants--are we vulnerable to Stuxnet in 
your opinion?
    Mr. McGurk. Sir, because of the ubiquitous nature of 
information technology in the critical infrastructure, the 
exploitation may occur in one sector and it could actually 
migrate into another sector.
    Mr. Stearns. So yes or no? Do you think we are vulnerable?
    Mr. McGurk. I would say the vulnerabilities exist and the 
capability to exploit those vulnerabilities exist.
    Mr. Stearns. OK. So the big question is that the American 
people want to know what has the United States Government done 
about that to make sure we don't have that attack?
    Mr. McGurk. Much of the Department's focus over the past 
several years has been on mitigating the vulnerabilities 
associated with those critical infrastructure systems.
    Mr. Stearns. Do you do it by having innocuous or something 
that inoculates us from this software or do you do it to make 
sure you don't put the USB port or how are you doing this?
    Mr. McGurk. So it is a multifaceted approach, sir. Much of 
it is through an education program, so we work with the private 
sector to develop standards required to educate the community 
on good practices and uses of equipment and technology. We 
actually conduct----
    Mr. Stearns. You think education alone would do it?
    Mr. McGurk. No, sir. We also conduct vulnerability analyses 
of products in our laboratories in conjunction with the 
national laboratory community where we actually take vendors 
products and do a complete vulnerability assessment of those 
products. We also develop practices for owners and operators 
because in some cases, especially in the power companies, it is 
not a matter of replacing the technology, so you have to be 
able to put practices in place that mitigate the risk. And they 
are also working with the security communities to actually 
provide an enclaving capability so that we can secure the 
environments around which they operate.
    So by taking this multifaceted approach, we can identify 
not necessarily the threat actors and focus on the threats 
which are coming from many areas, but the vulnerabilities 
themselves and mitigating the risks associated with those 
vulnerabilities.
    Mr. Stearns. Let me ask you a question but with this 
Stuxnet. What have we done to protect those specific 
vulnerabilities in Seimens' product? In other words, has DHS 
issued a guidance on this?
    Mr. McGurk. Yes, sir. The Department, when we started 
analyzing Stuxnet back in July of last year, we identified the 
capabilities of the particular piece of mal code. We understood 
its capabilities and subsequently we put mitigation plans in 
place working with the specific sectors to identify the 
mitigation strategies associated with that. But since that 
particular piece of mal code was looking for a very unique 
combination of hardware and software, it was easy to identify 
what the mitigation strategies would be.
    Mr. Stearns. OK. Ms. Stempfley, just last Friday, the head 
of US-CERT resigned. US-CERT is the group charged with 
collaborating with state and local governments and private 
industry on cyber attacks. There have been a number of recent 
attacks on government systems, the Senate, FBI, CIA, and even a 
Gmail hacking aimed at top government officials. Have all of 
these recent attacks caused any change in the direction or 
change in the operation in US-CERT?
    Ms. Stempfley. No, sir. The US-CERT's set of 
responsibilities stays the same. And as we commented in the 
opening statements and your opening statements as well, this is 
a very sophisticated environment and it is constantly evolving. 
And as a part of that evolution, we understand that we have to 
have a bench and a mechanism for growth of individuals as we go 
forward. And so Randy's departure was a decision that he made 
and we have a continued direction and focus in prevention, 
preparedness, and restoral responsibilities across the board.
    Mr. Stearns. What were the vulnerabilities that allowed 
these systems to be infiltrated, and do these same kind of 
vulnerabilities exist in the private sector and on control 
systems?
    Ms. Stempfley. I am sorry, sir. Could you repeat the 
question?
    Mr. Stearns. With regard to the Senate, FBI, and CIA and 
even the Gmail hacking aimed at top government officials, what 
were the vulnerabilities that allowed these systems to be 
infiltrated?
    Ms. Stempfley. There were a number of vulnerabilities that 
were associated with these kinds of events that occurred, and 
to respond to where are other members of the private sector 
potentially vulnerable, I believe that is a true statement. As 
we commented earlier, there are a great deal of vulnerabilities 
that exist in the environment, and you will see that through 
the production of warning products and awareness notifications, 
we provide mitigations and indicators for private-sector owners 
and operators to put in place in their infrastructure. It is a 
shared responsibility between us and the private sector in 
order to implement the restorative and preventative measures.
    Mr. Stearns. Thank you. My time has expired. The gentlelady 
from Colorado.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    I want to go a little bit more in depth into some of the 
issues that we face trying to work on interoperability between 
our governmental agencies and privately owned endeavors. In 
particular with our communications infrastructure, which is of 
course an essential part of our critical infrastructure, one of 
the things I am concerned about 90 percent of our 
communications networks are privately owned by commercial 
carriers. So traditionally, the FCC has worked with commercial 
carriers to ensure the reliability of the communications 
networks, and under current FCC rules, carriers have to report 
regarding outages on legacy telecommunications system. Now, the 
FCC in turn uses this data to help industry standards groups to 
improve on the best practices.
    So I am wondering, Ms. Stempfley and Mr. McGurk, if you can 
talk to me a minute given FCC's historical involvement with the 
communications infrastructure and the relationship with 
commercial carriers, don't you think that they can take an 
important role in helping drive greater awareness of cyber 
threats?
    Ms. Stempfley. So reporting is always good and the ability 
to get information about what is going on is an important part 
of how we can frame that national picture of what is happening 
and the response activities. So we have a history of working 
both with private industry directly and with other members of 
government in order to increase the awareness and the response 
actions that are necessary. I think the same would be true 
here.
    Ms. DeGette. Mr. McGurk?
    Mr. McGurk. In addition, ma'am, what I would like to add is 
that in response to the reporting that is conducted, part of 
the capability that exists within the NCCIC is our National 
Center for Coordination for Communications. And they receive 
those direct reports. So from a situational-awareness 
standpoint, the watch center receives real-time reporting from 
not only the telecommunication industry itself but also from 
other federal departments and agencies so that we get a better 
understanding from a holistic view on the impacts to 
communications because as we recognize that many of the 
critical infrastructures are relying on communications for 
controlling issues, for communications issues, and for flowing 
of data.
    In addition, we have the physical carriers themselves 
located within the watch environment so that they can provide 
up-to-date and actionable intelligence so that we can take the 
necessary steps and make proper recommendations.
    Ms. DeGette. Now, the office of Homeland Security 
coordinates those efforts on cyber threats. And so I guess my 
question to you following up is if there is a breach in the 
communications network, then how do DHS and FCC respond? How do 
they interact together to respond?
    Mr. McGurk. Part of the National Cyber Incident Response 
Plan includes the development and coordination of a cyber-
unified coordination group or cyber UCG. This is a steady state 
body of emergency response and incident handlers at working 
level, at the operational level, and then also at the senior 
decision-making level. For our cyber UCG seniors, it 
encompasses individuals from the departments and agencies that 
are at the assistant secretarial level or higher. So these are 
the actual decision-makers in the Federal Government. And then 
we have a staff which encompasses not only private sector but 
representatives from the federal departments and agencies that 
coordinate on a daily basis and share real-time information 
whether it comes from the communications sector, the energy 
sector, or one of the other 18 critical infrastructures. So 
that enables us to have that constant flow of data and provide 
that actionable intelligence so that private-sector companies 
can take the necessary steps to mitigate risk.
    Ms. DeGette. OK. Now, as I understand it, the FCC has 
proposed to rule this spring to extend reporting requirements 
about network shortages to the broadband network and they are 
taking public comments on that issue. And so, Mr. Wilshusen, I 
was going to ask you do you think that collecting data on 
broadband outages would help gain a better understanding of 
when hackers have gotten into our systems?
    Mr. Wilshusen. We haven't examined that issue, but I would 
imagine collecting information can only be helpful in making 
such a determination.
    Ms. DeGette. OK. And for the other two witnesses, do you 
have any thoughts on the potential for reporting broadband 
network outages to contribute to situational awareness like 
after there is a major emergency, something like that?
    Mr. McGurk. Yes, ma'am. I believe as Ms. Stempfley had 
mentioned earlier, reporting is good and more reporting is even 
better. So the more information that enables us to develop that 
common operation picture that takes all of the data that we are 
receiving and then fuses that together. So the more information 
we receive in the NCCIC the better situational awareness we can 
provide not only to the secretary of Homeland Security and the 
other executive secretaries, but also to the President for 
decision-making capability.
    Ms. DeGette. And just one last question relating to my 
opening statement about our communications networks is there is 
a lot of issues around supply chains for equipment and 
components that have been manufactured abroad for use in the 
U.S. So I am wondering if these two witnesses on the end, Ms. 
Stempfley and Mr. McGurk, can talk about this publicly. Can you 
talk about how DHS is working with other federal agencies to 
address that issue of supply chain that part of it is foreign?
    Ms. Stempfley. So as you pointed out, the 
telecommunications supply chain activities are an interagency 
response within the Federal Government. It would be more than 
happy to bring another agency body back to discuss that in 
detail?
    Ms. DeGette. Thank you.
    Thank you very much, Mr. Chairman.
    Mr. Stearns. I thank the gentlelady.
    The gentleman from Texas, Dr. Burgess, recognized for 5 
minutes.
    Mr. Burgess. Thank you, Mr. Chairman.
    Now, if I understand things correctly, there is an 
authority that exists within the executive branch to take some 
control of transmission grid operations in the event of a 
national emergency, is that correct? Either of DHS witnesses.
    Mr. McGurk. Yes, sir. The Secretary for the Department of 
Energy has that authority.
    Mr. Burgess. And is it necessary to place any limits on 
that authority?
    Mr. McGurk. Sir, I have the luxury of being a simple sailor 
and an operator and I don't normally identify or make 
recommendations on policy or operational requirements. I can 
say that within the guidelines that we currently have and the 
authorities that we currently have, we are able to execute our 
mission both efficiently and effectively. So I will leave that 
to other members of the Department to comment as far as 
additional requirements.
    Mr. Burgess. Ms. Stempfley, do you have any thoughts on 
that?
    Ms. Stempfley. Respectfully, sir, I believe that would be 
most appropriate for DHS not to comment on the legal 
authorities of another department.
    Mr. Burgess. Well, let me ask you this. Should such an 
authority be necessary? Should such an occurrence happen that 
the authority was necessary? How long would you expect that 
presidential emergency authority to be exercised over a 
continuous time period?
    Ms. Stempfley. Regrettably, sir, I am not in the position 
to answer that question.
    Mr. Burgess. Well, let me ask you this. It seems like--and 
I think it was referenced by either the chairman or the ranking 
member in their opening statements--is that we are hearing more 
and more about this. Does this just reflect the situational 
awareness that these types of threats and these types of 
attacks can occur or is, in fact, this a real phenomenon with 
the rapidity with which these attacks are coming is increasing?
    Ms. Stempfley. So I believe it is all of those things, sir. 
There is certainly more awareness within the community of the 
importance of cybersecurity and the overall activity. That is 
increasing both the detection actions that are occurring and 
the reporting actions that exist. Based on that awareness and 
what we are seeing is that increase across the board.
    We are also, as we all indicated in our opening statement, 
seeing an increase in sophistication of the attacks as they 
occurred as well. So I believe it is a phenomenon of all 
things, sir.
    Mr. Burgess. Mr. McGurk, do you have any thoughts on that?
    Mr. McGurk. Not in addition, sir. The only thing I would 
add was that because of the adoption of information technology 
capabilities into the critical infrastructure, we are also 
exposing a greater landscape of vulnerabilities to areas that 
were in the past specifically closed off and proprietary in 
nature. So by adopting that technology, we also advance the 
vulnerability landscape associated with those critical 
infrastructure operations.
    Mr. Burgess. Well, one of the hazards in this is you are 
always fighting the last attack. What sort of forward-looking 
policies and procedures are being implemented by DHS? Are you 
looking into for wherever the perpetrator is, what is the value 
that they are deriving from these and are there ways that we 
can perhaps preempt some of these attacks before they happen 
rather than just simply reacting to them?
    Mr. McGurk. Sir, part of what the National Cyber Incident 
Response Plan focuses on is moving from the left end of the 
continuum where we are primarily focusing on response and 
recovery, which to your point, sir, is accurate. We are always 
fighting that last event or that last battle.
    What we are looking forward to working with the private 
sector is moving to the right and putting the preparedness, the 
protective, and the preventative measures in place. And we are 
taking, again, a multifaceted approach through advanced 
technology, working with the owners and operators, and also 
with the vendor community to establish criteria for new systems 
and new operational parameters.
    The Department produces a procurement guideline for owners 
and operators which talks about security requirements for new 
systems and new operating procedures. And we also work closely 
with the integration community so that we are identifying how 
to install and how to manage these systems as they are being 
updated in the critical infrastructure. So we are looking at it 
as a continuum shifting more from the left, the responsive 
part, over to the right where we are being preventative and 
predictive.
    Mr. Burgess. Now, a vast majority of this critical 
infrastructure is in private hands, is that correct?
    Mr. McGurk. That is correct, sir.
    Mr. Burgess. So is there any type of analysis as to the 
cost that may be incurred by the private sector to keep up with 
what you just articulated.
    Mr. McGurk. Yes, sir. In fact, the Department identifies 
and describes risk as an equation of threats, vulnerabilities, 
and consequences. When we work with the private sector, we 
understand that the denominator there is also cost. So the 
procurement standards that I had mentioned earlier takes that 
into account. Not everything can be a gold standard. We are not 
saying that you have to have absolute security across the 
board. It is a risk-based approach so we take that same 
levelized approach and build the business case to identify what 
we need to implement in what areas. So if we are going to spend 
a dollar to mitigate risk, should we focus on the threats or 
should we focus on mitigating the risks and the 
vulnerabilities? And then what are the subsequent consequences 
associated with that? That is really one of the approaches that 
we are taking in addressing this issue.
    Mr. Burgess. And do you solicit and accept input from the 
private sector, the owners of the critical infrastructure as to 
that pricing consideration?
    Mr. McGurk. Yes, sir. In fact, as the chairman had 
mentioned earlier, one of the things that we focus on is a 
number of working groups. And in the industrial control systems 
area, we actually sponsor a joint public-private working group, 
the Industrial Controls System Joint Working Group, ICSJWG, 
which looks at not only mitigating risks but also product 
development, implementation, education, and a whole host of 
issues. And that is a complete joint environment with both 
public and private members represented.
    Mr. Burgess. Thank you, Mr. Chairman. I will yield back.
    Mr. Stearns. I thank the gentleman.
    Dr. Christensen is recognized for 5 minutes.
    Mrs. Christensen. Thank you, Mr. Chairman.
    Again, welcome to our panel.
    Under Homeland Security Presidential Directive 7, 
healthcare and public health are identified as critical 
infrastructure sectors, and of course the healthcare sector 
plays a significant role in response and recovery in the event 
of a disaster. So I would like to talk with all of our 
witnesses about the efforts to protect this sector against 
cyber threats.
    Beginning with Ms. Stempfley and Mr. McGurk, what do you 
see as the major challenges to ensuring cybersecurity in the 
healthcare sector?
    Ms. Stempfley. Ma'am, I will begin with some of the kinds 
of policy challenges we have been working through in the 
Federal Government associated with this. And so, for example, 
we are working to deploy technological solutions that enable 
detection and prevention measures in place. Those technological 
solutions oftentimes require a very detailed analysis of the 
kinds of privacy and protection requirements that need to be 
put in place that we all feel so strongly about as well and we 
need to work through some of those key policy nexuses between 
the two so that we can provide that kind of support and 
prevention support while still being very true to the 
protection measures that we feel so strongly about in terms of 
privacy and other areas.
    Those kinds of infrastructure systems are very important to 
us and we agree with that. Once we get past the policy 
questions, it is a matter of how we employ those solutions, 
best practices across the board and handle the equally 
important integrative systems that exist in healthcare and have 
that nexus between IT and embedded systems as well.
    Mr. McGurk. Yes, ma'am. I would also mention that one of 
the Department's focuses is also on not just protecting the 
information in accordance with a number of regulations and 
requirements but also the equipment itself. When we look at the 
vulnerabilities associated with the other sectors, the 
healthcare industry also has an equal number of vulnerabilities 
associated with embedded medical devices or with advanced 
technology that could potentially be exploited because of the 
inherent communications capability of those devices.
    So again, the Department is taking not just a data-in-
motion, data-at-rest approach, but a holistic approach to the 
healthcare industry, working with the private sector, working 
with the manufacturers of these pieces of equipment, and also 
with the necessarily federal departments and agencies so that 
we understand the risks associated with healthcare industry and 
provide actionable steps that will better improve not only the 
quality of service but the quality of life.
    Mrs. Christensen. Thank you. And those focuses estimates 
are great. I am assuming you are working with the Department of 
Health and Human Services as well as with the private sector.
    Ms. Stempfley. With any of the particular sectors, ma'am, 
we work very strongly with the sector-specific agency in 
helping Human Services specifically in the situation.
    Mr. McGurk. In fact, ma'am, we have the National Health 
Information Sharing and Analysis Center coming to visit and 
tour the NCCIC tomorrow and part of our development process to 
get them physically located on board. So they will be actually 
visiting us tomorrow so that we can identify those connections.
    Mrs. Christensen. Great. Great.
    Mr. Wilshusen, I am also interested in hearing more about 
GAO's work on cybersecurity issues that affect health and 
public health. As providers use more computer-based mechanisms 
and programs to help them treat patients, and I guess this sort 
of follows up on what you were saying, Mr. McGurk, do you agree 
that it poses additional risk to the personal health 
information could be released to the public?
    Mr. Wilshusen. Certainly. In fact, we have a couple of 
engagements that we have ongoing or will start soon. One was 
mandated by the High-Tech Act in which GAO is responsible for 
reviewing the security and privacy protections over information 
that is transferred and exchanged through the Electronic 
Prescription System or E-Prescribing.
    Mrs. Christensen. Um-hum.
    Mr. Wilshusen. We anticipate starting that engagement in 
September with the report release date on September 2012.
    In addition, we have another engagement that we are 
currently working on to look at the security controls and risks 
associated with embedded or implantable medical devices such as 
insulin pumps, pacemakers and that that can be accessed through 
wireless technologies and may have chips in place. So we are 
also examining the report of security risk associated with 
that, as well as FDA's premarket and post-market review 
processes to address those particular risks.
    Mrs. Christensen. Well, thank you. My time is running out. 
I appreciate the information because the ever-increasing use of 
technology in our healthcare system obviously holds a lot of 
promise and many benefits. But also as we increase our reliance 
on technology, there is also--as you have pointed out very 
clearly--the opportunity to hack in and interfere with that.
    So thank you, Mr. Chairman. I am out of time.
    Mr. Stearns. I thank the gentlelady. Gentlelady from 
Tennessee, Mrs. Blackburn, recognized for 5 minutes.
    Mrs. Blackburn. Thank you, Mr. Chairman.
    Ms. Stempfley, I wanted to come with you. I was just 
meeting with one of my airports, and I wanted to know--TSA. 
What does the DHS and TSA do with the body images that they 
collect from the scanners at the airports? How long are they 
stored and do you protect these images? Do you share them with 
any other agency? And what action would you take in case you 
had a breach?
    Ms. Stempfley. Ma'am, the Office of Cybersecurity and 
Communications is responsible for setting standards that the 
Federal Government has to comply with to include TSA. I am not 
familiar with their specific----
    Mrs. Blackburn. Would you get back to me on this?
    Ms. Stempfley. I certainly would.
    Mrs. Blackburn. OK. I know that it is a part of what we are 
talking about and it also pertains to the privacy work that we 
are doing in our CMT Committee. And I think as we work with 
some of the issues we are having with TSA, I would love to have 
the answer if you could do that.
    I have got another question. This would be for you and Mr. 
McGurk. And I mentioned TVA in my opening comments and the 
amount of coverage that we have with the power security. I want 
to see what your interface is with the state and local 
governments and the infrastructure by facilitating the 
information sharing of the cyber threats and the incidents and 
through the ISACs. So there are 16 of those ISACs, right? OK. 
And very briefly if you would just go through how it works, 
what kind of information that is shared, what is your process 
how you protect the data that you get and what your expectation 
is, the state and local governments, that they are going to 
protect that data and then what your response would be if you 
had a breach?
    Mr. McGurk. Thank you, ma'am. I would just like to start 
off by saying that we have a very close working relationship 
with the Tennessee Valley Authority. In fact, we visited many 
times and we share real-time information through a number of 
sensor programs that we operate so that we have a better 
understanding of the actual threats and impacts and associated 
with those operational environments.
    What we do and how we share that information from the 
standpoint at the national level is much of the data that is 
voluntarily submitted through the NCCIC comes from either the 
ISACs themselves--the Information Sharing and Analysis Centers, 
including the Multi-State--or it comes from the private-sector 
companies themselves. Much of that data is submitted under the 
secretary's authority for the protection of critical 
infrastructure information or PCII. That protects that 
information from being released even to a regulator, for 
instance if it is a power company and they submit the 
information to us.
    We then take that and we work directly with that company to 
develop a mitigation strategy that is a) company-specific and 
then b) we anonymize it to the point where it becomes a sector-
specific mitigation strategy. The RSA data breach was a great 
example of how, within a short period of time, less than 24 
hours of notification of the breach, we had more than 50 
companies and federal departments and agencies represented 
under the Cyber Unified Coordination Group developing sector-
specific mitigation plans. So those individuals--not only from 
a physical environment but also a data-sharing environment--
collaborate to generate those mitigation plans.
    Mrs. Blackburn. OK. And at what point do you pull state or 
local government into that to participate?
    Mr. McGurk. Continuously. So they actually have a 
representative on the floor of the Multi-State ISAC.
    Mrs. Blackburn. OK. OK.
    Mr. McGurk. So they are there in real time.
    Mrs. Blackburn. All right.
    Ms. Stempfley. And ma'am, to continue on in that 
discussion, we have worked with the 50 states to provide 
clearances to the chief security officers in each of the states 
and then share classified information through their fusion 
centers so that that provides not just their representation on 
floor in real time around an event but also gives us an ability 
post-date it to them in their states as well.
    Mrs. Blackburn. And then do you do any coeducation and 
training with local law enforcement back into your protocols?
    Ms. Stempfley. The training activity that we provide--all 
of our training is provided on an open basis so that state 
representatives can come and participate. I can't speak to 
which states have chosen to come in with particular law 
enforcement individuals, but we make it available to them in 
order for them to take it up.
    Mrs. Blackburn. Excellent. Thank you, Mr. Chairman. Yield 
back.
    Mr. Stearns. The gentlelady from Florida, Ms. Castor, is 
recognized for 5 minutes.
    Ms. Castor. Thank you, Mr. Chairman. Thank you to the 
witnesses for your insight today.
    It is apparent that an effective partnership between the 
Federal Government and the private sector is necessary to 
ensure the security of all of our networks, whether those 
networks manage critical infrastructure or simply handle the 
day-to-day data of the Federal Government and communications.
    Mr. Wilshusen, in your testimony you noted that the private 
sector has expressed concerns that DHS is not meeting their 
expectations in terms of information sharing. What concerns 
does private industry have about DHS' willingness to provide 
information?
    Mr. Wilshusen. Yes, ma'am. We did a review in which we 
surveyed 56 individuals from the private sector from five 
private-sector councils. And we found that they identified a 
number of key activities that they thought were critical or 
important for the public-private partnership to include the 
provision of timely and actionable threat and alert 
information, having a secure mechanism for collecting 
information or sharing information with the public sector. And 
they indicated only 27 percent of those respondents indicated 
that they felt that their public-sector partners were actually 
meeting those expectations to a great or moderate extent. And 
so there are a number of concerns about being able, on the part 
of the private sector, to collect timely information from the 
public-sector partners.
    Ms. Castor. Were there any particular sectors that stood 
out that appeared to be problematic?
    Mr. Wilshusen. Well, from the private-sector side, it was 
pretty much across the board. The five sectors that were 
included in our study included the banking and finance sector, 
the IT sector, the communications, energy, and the defense 
industrial base sectors. And it was pretty much across the 
board. As I mentioned, only 27 percent out of the 56 
respondents actually felt that they were receiving support to a 
great or moderate extent.
    Ms. Castor. So Mr. McGurk, what is DHS doing to address 
these concerns and to ensure that you all are working 
collaboratively with the private sector?
    Mr. McGurk. Ma'am, I would like to start off by saying, you 
know, can we do better? Absolutely. We have modified much of 
the structures by actually standing up and creating the NCCIC 
that met some of the requirements moving forward, by actually 
having the private sector participate and not only receiving 
the information but developing the information. By having them 
physically present in the environment really assists us in 
putting the information in a language that is necessary to 
reach our constituents.
    A great example is in the past when we would produce 
information, we would produce it in a language that we 
understood, and then we would send that out and that may or may 
not meet the needs of our private-sector partners. By having 
power engineers and financial services specialists and IT 
specialists physically sitting there working with us and 
collaboratively developing the knowledge necessary to 
distribute, we are able to provide actionable intelligence.
    Just last year we received a report in an intelligence 
communication of a particularly malicious piece of mal code 
that had a subject line on an email called ``here you have.'' 
Within a few hours of that appearing in a classified report, 
the US-CERT produced an early warning and notice that went out 
to the broad private sector because we took that data, 
declassified it, and provided actionable intelligence for our 
private-sector partners. But by having them there and 
participating really enables us to provide better products for 
our partners and also speeds up the time necessary to generate 
that product.
    Ms. Castor. Well, how about the flip side? I am also 
curious about how well the private sector is communicating with 
DHS when they suffer a cyber attack or a breach, Mr. McGurk, 
are private companies required to report cyber attacks or 
coordinate their responses to those attacks with DHS?
    Mr. McGurk. So there is no requirement to report the 
information directly to the Department, but I think what has 
happened over the development of the partnership over the past 
several years is the stigma associated with cyber breaches has 
started to be removed and companies are volunteering the 
information because they understand that it not only benefits 
their ability to maintain goods and services but it will also 
assist the broader community because they recognize that when 
they share with the Department, we are not going to publish 
company-specific information. We are going to anonymize that 
and produce mitigation strategies and plans that help the broad 
sectors. And they have been working very closely with us in 
developing that.
    Ms. Castor. Are there instances where DHS has become aware 
of a cyber attack or a breach in a particular company and then 
you contacted that company to assist and they declined your 
offers to work with them, declined assistance?
    Mr. McGurk. Yes, ma'am.
    Ms. Castor. What can we do about that? How do we improve 
the collaboration in working together?
    Mr. McGurk. Part of that is an awareness and an 
understanding. From the private-sector standpoint, I understand 
that we have to demonstrate value and they have to see how 
working with DHS and partnering with DHS adds value to their 
capability. In some cases, those particular companies had a 
very advanced capability. We gave them the early-warning notice 
that they needed to take the necessary steps to protect their 
networks. So subsequently, additional response from DHS wasn't 
required. And in the extreme case, we received declination for 
support but recognition of the awareness or the alert.
    Ms. Castor. Thank you very much.
    Mr. McGurk. Thank you, ma'am.
    Mr. Stearns. The gentleman from Virginia is recognized for 
5 minutes, Mr. Griffith.
    Mr. Griffith. I am just curious, Mr. McGurk, under what 
circumstances, if any, would the DHS NCCIC withhold cyber 
threat information that it has encountered from owners or 
operators of critical infrastructure?
    Mr. McGurk. Sir, we do not withhold threat information, but 
subsequently, we don't develop threat information. Under the 
authorities of the Department, we focus primarily on mitigation 
of risk, and that is where we focus our activities. Threat 
information is really developed by the intelligence community 
and we rely on that partnership with the intelligence community 
to identify threat actors.
    Mr. Griffith. All right. Do you have any indication that 
they may be sometimes withholding information?
    Mr. McGurk. No, sir. In many cases, what is germane to 
mitigation is not necessarily associated with the actor. It is 
the activity. So it is the exploitation of the vulnerability 
which is necessary to share to protect the networks, not who is 
actually doing it.
    Mr. Griffith. Mr. Wilshusen, the GAO reported in October of 
2010 that only 2 of 24 recommendations by the President 
Cybersecurity Policy Review had been implemented and the rest 
had only been partially implemented. What can you tell us about 
whether any additional progress has been made?
    Mr. Wilshusen. Well, one of the reasons we found that the 
partial implementation occurred was because many of the 
agencies were not taking effect because they were not given 
specific roles and responsibilities to implement some of those 
recommendations, and that kind of delayed actions to 
implementing that. We will be following up as part of our 
annual review follow-up on our recommendations to see what 
extent those recommendations are now being met. But since we 
just issued that in October, we have not gone back to follow up 
on our prior recommendations and to do a reassessment.
    Mr. Griffith. Should we expect an updated report this 
coming October?
    Mr. Wilshusen. We will be updating the status of our 
recommendations, and if you request us to do it, we will 
certainly do it.
    Mr. Griffith. I would be curious since only 2 of the 24----
    Mr. Wilshusen. Right.
    Mr. Griffith [continuing]. Were implemented as of last 
year, and I am just wondering should we be concerned that so 
few of the recommendations had been fully implemented at that 
time?
    Mr. Wilshusen. Well, there are 10 near-term recommendations 
coming out of that policy review, 14 mid-term recommendations. 
Several of the mid-term recommendations are actions of such a 
nature that it is going to take multiple years to fully 
implement those. But the near-term recommendations are very 
important and they should be implemented as soon as possible.
    Mr. Griffith. All right. I thank you. Yield back my time.
    Mr. Stearns. The gentleman yields back.
    Yes?
    Mr. Burgess. Would you yield to me for follow-up questions?
    Mr. Griffith. I yield for follow-up.
    Mr. Burgess. Dr. Christensen asked some very good questions 
on the healthcare aspects of the critical infrastructure and 
going along with what the gentleman was just asking as far as 
those forward-looking threats, it seems like we have created 
some problems for ourselves in the High-Tech Act and some of 
the things we have done with the information technology 
infrastructure as applied to health. Star Clause, for example, 
which prohibit hospitals from putting wire in a doctor's office 
if the doctor is not directly affiliated with the hospital. So 
pushing a lot of these vertically integrated systems to go on 
the internet in order to have the abilities or the ease of 
transfer of the data, which then renders them vulnerable to 
attacks on the internet. Have you looked at that, whether 
perhaps there is something that could be done on the policy 
side to lessen the impact of the vulnerability if we were to 
make some changes on the regulatory side? A closed loop if you 
would between the hospital and a group of doctors, even though 
they are not all part of the same business model might be one 
way to do that. Have you explored that at all?
    Ms. Stempfley. So your example is a wonderful example of 
furthering the independence between the infrastructures as they 
go forward.
    Mr. Burgess. No, it is an example of how we make things 
harder than they need to be in the first place and then we have 
got to do a whole bunch more stuff to make it workable in the 
real world. But continue.
    Ms. Stempfley. Thank you, sir. The specific reviews, 
technical reviews of proposals is not something that we 
certainly do. What we work towards are best practices for the 
kinds of separation and containment that might be necessary in 
order to understand the environment. Each of the owners and 
operators has a better understanding of the risks in their 
particular environment in the business models that best serve 
them in each of these cases. And so the set of best practices 
are an important part of how we do this.
    Mr. Burgess. But do we look at the regulations that we, the 
Federal Government, have put in place that make it harder for 
people to do the right thing in the real world?
    Ms. Stempfley. So I am not sure I can say that specific 
regulation was reviewed prior to in order to understand the 
potential implications across the board, but we do look at 
regulations and procedures as they come up.
    Mr. Burgess. I appreciate the gentleman for yielding. My 
time has expired. Let us look at that going forward. I yield 
back.
    Mr. Stearns. I thank the gentleman.
    Ms. Schakowsky is recognized for 5 minutes.
    Ms. Schakowsky. Thank you.
    Have any of you, the three of you, read Stieg Larsson's 
book, the Girl with the Dragon Tattoo, et cetera?
    Mr. Wilshusen. Yes.
    Ms. Schakowsky. You have. If you haven't, people who are 
into cybersecurity would not only enjoy them but probably be a 
little worried about it. The pretty flawed heroine, Lisbeth 
Salander, there is no firewall too high or wide or low that she 
can't get through. And I think she is the heroine, sort of the 
good guy, but the notion of individual actors out there who 
have this tremendous capacity to infiltrate I think is a real 
concern. I sit also on the Intelligence Committee, and we think 
about that a lot.
    So here is what I wanted to ask. Do we employ sort of old-
school kinds of techniques like redundancy to make sure--I 
remember sitting in a hotel room watching a rolling blackout in 
Ohio a number of years ago, which turned out to be a failure of 
the grid and not some sort of attack--this was post-9/11--but 
felt like it might have been. So do we build in things like we 
do in aircraft or whatever, just redundancies so we are not as 
vulnerable? Can someone answer?
    Mr. McGurk. Yes, ma'am. I do agree that one of the salient 
points of the book was that they were focusing on perimeter 
defense as a method of ensuring their security, and as you 
quite adequately pointed out that there was no wall too high or 
too thick that she couldn't get through in the process, and 
subsequently, that is why the Department doesn't look at only a 
perimeter-defense strategy as part of enabling a sound 
cybersecurity profile. We look at a defense-in-depth strategy 
so that there is layers upon layers of security implemented. In 
addition, we want to focus on the practices and procedures to 
address the various risk associated with operating those 
networks. Whether it is from insider activity, whether it is 
from nation-state-sponsored, whether it is criminal activity, 
we treat the act separate from the actors so that we can 
understand what they are trying to exploit as far as the 
vulnerabilities. So that is the approach that the Department 
takes, and we do work very closely with the intelligence 
community, law enforcement community, and the private sector to 
develop those necessary strategies so that we can have a better 
and more secure defense posture.
    Ms. Schakowsky. Let me ask another question. There is a lot 
of talk and even advertising about how we can centralize data 
management and storage and concentration and that you can 
access that without individual servers and all kinds of things 
to make business more efficient, et cetera. I am wondering if 
this creates a new layer, then, of vulnerability if everything 
is sort of outsourced to one place.
    Ms. Stempfley. The what I call re-architecting moments that 
are going on in the environment, things like the movement to 
cloud computing and mobility are intelligent and opportunity at 
the same time. So there certainly are vulnerabilities that 
exist in that environment that must be addressed as we 
architect to move things there. But it isn't generally a lump 
sum, just pick up and move. There are design considerations 
that must be taken into account as you move. And so they are 
these opportunities for individuals to look at how they both 
handle their data procedurally and how they protect it through 
this defense-in-depth approach across the board.
    Mr. Wilshusen. And if I may add we did a review over the 
clouds computing security and identified a number of both 
positive as well as negative security implications of going to 
the cloud computing. Particularly of the negative sort is just 
agencies lose control over the access to their data, who has 
access to it, as well as the ability of agencies who are still 
responsible for the protection of that information to assure 
themselves through independent testing or other evaluations 
that the cloud service provider is actually implementing 
security effectively over their environment and the 
information. And those are still issues that are still being 
worked out. The Federal Government, through GSA--I am not sure 
if DHS is involved in this--OMB and others are studying up 
different procedures through FedRAMP and some other programs to 
try to address some of those areas.
    Ms. Schakowsky. I started by talking about this rolling 
blackout that I saw. I wondered if we can talk about how secure 
our power grid really is. I don't know if you addressed that 
earlier. There was a project that showed the effect of hacking 
into a power plant's control station via computers and digital 
devices, so I am just wondering how that came out and if there 
are vulnerabilities that we are correcting?
    Mr. McGurk. Yes, ma'am. The purpose behind the Aurora 
evaluation and experiment that was conducted by the Department 
in conjunction with the Idaho National Lab back in 2007 was 
essentially identifying the interdependencies between the 
critical infrastructures. That is how it started out. We wanted 
to see if we could have a negative impact in an environment by 
attacking the capabilities or the equipment of another 
environment. For instance, if I destroyed the generation 
capability, could I then have an adverse impact on a data-
storage center or an airport or some other physical 
infrastructure? So subsequently, we took a look at the 
interconnected nature of these devices and we conducted a 
series of experiments that identified the capability by 
modifying settings and accessing control networks to actually 
take a digital protective circuit and turn it into a digital 
destructive circuit.
    A simple explanation of what we did with Aurora it is like 
you are driving down the road at 60 miles an hour and you throw 
your transmission in reverse, it is going to have a negative 
impact on that car to operate.
    Ms. Schakowsky. Yes.
    Mr. McGurk. So that is really what we were trying to 
demonstrate. And then subsequently, once we identify the 
vulnerabilities, how do we put those protective measures in 
place, whether it is through equipment design and modification 
or in many cases it is just through procedural changes? So we 
look at low-cost or no-cost approach. From that point forward, 
the Department has conducted numerous equipment vulnerability 
assessments to not only identify inherent vulnerabilities in 
devices but to work with industry to develop those mitigation 
strategies and in some cases working with the manufacturers to 
physically modify the equipment so it is more secure.
    Ms. Schakowsky. Thank you. My time has well expired. Thank 
you.
    Mr. Stearns. The gentleman from Louisiana, Mr. Scalise, 
recognized for 5 minutes.
    Mr. Scalise. Thank you, Mr. Chairman. If I could ask all 
the panelists first, I just want to get your opinion on if our 
critical networks are more vulnerable today than they were 5 
years ago?
    Ms. Stempfley. So my opinion is they are not necessarily 
more vulnerable than they were 5 years ago. A great deal has 
happened over the last 5 years in terms of coordination, 
collaboration across the board. What I believe is that we are 
much more aware now than we were 5 years ago both of the role 
that they play in the environment. We are certainly more 
dependent on cybersecurity solutions and interdependent today, 
more aware of that, and there is a higher sophistication in the 
threat that exists today than did some time ago.
    Mr. Scalise. Mr. McGurk?
    Mr. McGurk. Thank you, sir. I would also agree that I 
believe it has been an evolutionary period. Perhaps in the past 
we were focusing more on information assurance as a method of 
achieving cybersecurity, but since then, we have recognized 
that since the physical and the virtual are all interconnected, 
we are taking a more direct approach towards cybersecurity. So 
there may be more reporting but there is more awareness as 
well.
    Mr. Wilshusen. And I would also say that the threats to 
cyber critical infrastructures are increasing. They are 
evolving and growing and becoming more sophisticated. So those 
two raise the overall risk to those infrastructures. Our 
reviews have shown that where we have evaluated the security 
over specific systems that they are vulnerable and that 
numerous vulnerabilities exist because appropriate information 
security controls, which are well known, have not been 
implemented on a consistent basis throughout. So while there is 
greater awareness, there is also a greater threat I believe and 
also the vulnerabilities still remain.
    Mr. Scalise. Mr. Wilshusen, in your testimony, the GAO--and 
you listed here some GAO recommendations to enhance the 
protection of cyber-reliant critical infrastructure. Regarding 
these recommendations that you laid out, do you see that other 
agencies are looking at these or open to these and specifically 
with members of DHS that are here and, you know, I would like 
to get their take, too, but what has been the reaction you have 
seen from the GAO report of these specific recommendations?
    Mr. Wilshusen. Well, for most of our reports in this area, 
we have received largely concurrences with our recommendations, 
particularly from DHS. They have taken a number of actions to 
implement our recommendations and we will be following up with 
them to ensure that they are effectively implemented over time. 
In some cases, even when DHS non-concurred for the purposes of 
our report with the recommendation, they ultimately reversed 
themselves and decided to implement the recommendations. So I 
think there is awareness and concurrence for the most part of 
the agencies to implement our recommendations.
    Mr. Scalise. I will ask the same, Mr. McGurk and Ms. 
Stempfley, just both of those recommendations but also other 
tools that you think should be available.
    Mr. McGurk. I would like to add that in addition to the 
recommendations of GAO--and we do evaluate them not only from a 
technical standpoint but also from an implementation 
standpoint, and that is part of the challenge that we 
identified. In the critical infrastructure, the networks are 
so--in some cases--unique that you can't apply a particular 
standard or requirement that is identified by a recommendation 
and you may actually cause an interoperability challenge. So we 
do look at that from a technical standpoint and then we work 
with other standards-settings bodies such as NIST to identify 
those best practices and those requirements and then work with 
the private sector to ensure that we can actually implement 
that without causing an adverse impact or additional cost.
    Mr. Scalise. Ms. Stempfley?
    Ms. Stempfley. So we agree that the recommendations in the 
GAO report are ones that we focus a great deal of attention on 
and recognize that cyber is one of the high-risk items that GAO 
executes. We have a regular interaction with them around this 
particular activity, particularly given the consequences. We 
talked a great deal about consequences of malicious activity in 
this particular environment. We watch very closely that. And as 
we work through issues both in terms of owners and operators, 
execution and implementation of practices in their environment 
and come out as we are requested to come out and provide 
voluntary review of information and infrastructures and the 
owner/operators we are also able to identify how they are doing 
in terms of implementation and get information about what is 
generally accepted practices across the board.
    Mr. Scalise. Real quickly one final question before my time 
runs out. The Department of Defense's director of intelligence 
and counterintelligence has talked about supply chain integrity 
and, you know, they suggest that some equipment that we buy, 
hardware that we buy could be corrupted both hardware and 
software. And there are some things that they are looking at in 
that regard, and I wanted to get your take from Homeland 
Security or if GAO wants to chime in. Is that something that 
you all have looked at as well? Have you seen any problems 
there?
    Ms. Stempfley. So I believe I made an offer earlier to 
bring back an interagency review around supply chain. We 
appreciate that it is important for us to look across the 
entire lifecycle of both equipment and of software development 
as well so that we can make sure that we have good practices in 
each of the steps of the lifecycle.
    Mr. Wilshusen. And if I may chime in, we are currently 
evaluating the supply chain risk process at several agencies 
including DOD, DHS, Justice, Energy as part of our review over 
the supply chain risks for IT. We are assessing also the 
agencies' efforts to employ a risk-based approach to assessing 
supply chain risks.
    Mr. Scalise. Thank you, Mr. Chairman. I yield back.
    Mr. Stearns. Thank you.
    The gentleman from Texas, Mr. Green, is recognized for 5 
minutes.
    Mr. Green. Thank you, Mr. Chairman.
    And following up our colleague from Tennessee, Ms. 
Blackburn, you know, our committee has jurisdiction both over 
cybersecurity and healthcare, and so when we go through those 
screenings, could we at least maybe in our jurisdiction have a 
radiologist look at those so we can do those full body scans 
and it maybe save us on our imaging cost.
    But I want to welcome our panel here. It has been a long 
hearing for you all and I thought we ought to laugh a little 
bit.
    The GAO has long identified protecting the Federal 
Government's information system and Nation's cyber-critical 
structures. And Mr. Wilshusen, when did the GAO first identify 
cybersecurity as part of our high-risk series?
    Mr. Wilshusen. That was back in 2003.
    Mr. Green. OK. And you did your first major review of DHS 
cybersecurity efforts in 2005?
    Mr. Wilshusen. That is right. That is when we assessed the 
Department's performance and actually implementing some 13 
roles and responsibilities that it was responsible for.
    Mr. Green. Have you seen improvements in the way that the 
Federal Government prepares for and addresses cyber threats 
since you have been reviewing DHS' program?
    Mr. Wilshusen. We have seen progress at DHS in the way that 
it is addressing some of these areas. We also recognize that 
there is more that needs to be done, particularly with some of 
the sector's specific planning efforts, its cyber analysis and 
warning capabilities, as well as just as I mentioned earlier 
related to its private-public partnerships.
    Mr. Green. OK. I understand in 2009 DHS launched the 24-
hour DHS-led coordinated watch and warning system known as the 
National Cybersecurity Communications Integrations System. Mr. 
McGurk, what private-sector entities have current access to the 
resources of this facility?
    Mr. McGurk. Certainly, sir. Currently, we have a direct 
partnership with each of the 18 critical infrastructure and key 
resource sectors. Physically located on the watch floor today 
we have representatives from the energy sector, the financial 
services sector, the communications sector, IT sector, Multi-
State ISAC. We are also finalizing agreements with chemical and 
others so they can be physically present on the watch floor. In 
addition, we recognize the unique capabilities of some of our 
other partners in the manufacturing and antivirus environment. 
And we are working with them to develop cooperative research 
and development agreements so that they can be physically 
present so that we can share data in real time.
    Mr. Green. Last week there were reports emerged about a 
Department of Homeland Security report insider threat to 
utilities, and when you mentioned utilities were involved in 
it, do you have pretty well unanimous support or working 
relationship with our utilities in our country from investor-
owned, municipal-owned co-ops like the TVA even? Is that pretty 
well uniform throughout the country?
    Mr. McGurk. Yes, sir. We have very direct connections with 
many of our private-sector partners. We have spent a lot of 
time developing cooperative agreements with--for instance, 
there is an organization that is made up of the 18 largest 
utilities in the United States and they have a Chief 
Information Security Officer Panel, which we interface with 
directly. I have personally briefed them on a number of 
occasions and provided input into those organizations so that 
they have a better cyber awareness.
    Mr. Green. OK. I know the report was not released to the 
public and in the news story we talked about, we have a high 
confidence in our judgment that insiders and their actions pose 
a significant threat to infrastructure and information systems 
of U.S. facilities, and I understand, like I said, the report 
is not made public. I would like to ask some questions about 
insider threats to our utilities.
    Ms. Stempfley, could utility facilities be targets for 
terrorists on the cyber side? We know physical targets.
    Ms. Stempfley. So I think you will find that the 
vulnerabilities that exist and are possible to be exploited 
exist in many places to include utilities across the board. 
That is one of the reasons why, as we have reiterated, we try 
to look at this from a common approach across the environment.
    Mr. Green. I am aware in Texas and Houston we have mostly 
investor-owned utilities, our service provider center point, 
and I know they are doing some really great things, but does 
access to these sensitive facilities--mostly owned by the 
private companies--need to be closer guarded and carefully 
monitored to protect these threats?
    Ms. Stempfley. So best practice activities in the cyber 
security systems are ones of multiple layers of defense, which 
would include not just perimeter defense but internal 
architecture approaches that separate sensitive data from each 
other, rely on identity and other services. Those kinds of best 
practices, which are widely available, should be employed 
across the board.
    Mr. Green. I know a news story last week described an 
insider sabotage in April in a water treatment plant in Arizona 
where a disgruntled employee took control of the control room 
to create a methane gas explosion. What is DHS doing to ensure 
that these type of insider sabotage, again, whether they are 
just one person or a plan, what is DHS doing to try and limit 
some of these insider cyber sabotage?
    Ms. Stempfley. As we have identified, we continue to 
provide the kinds of warning products, indicators of activities 
that might be necessary and the kinds of best practice guides 
for owners and operators to employ. In your example, it would 
be up to that particular owner and operator to employ those 
practices.
    Mr. Green. And Mr. Chairman, I would just like to ask one 
last thing.
    And do you get pretty good cooperation throughout the 
country with the utilities?
    Mr. McGurk. Yes, sir, absolutely. We get a very close 
working relationship with utilities.
    Mr. Green. Thank you, Mr. Chairman.
    Mr. Stearns. I thank the gentleman. We will quickly go for 
a second round. We don't have votes and so I welcome my 
colleagues if they wish to have a second round.
    I would like to return to the Stuxnet issue if you don't 
mind, Mr. McGurk. If you can, just answer yes or no.
    Do you know how many operators in the industrial controls 
infrastructure actually implemented DHS guidance on Stuxnet?
    Mr. McGurk. No, sir.
    Mr. Stearns. OK. How many U.S. companies use a type of 
Siemens industrial-controlled products that were the target of 
Stuxnet attacks?
    Mr. McGurk. A total number of companies? It is very 
difficult to quantify, sir, because we don't have this ability 
into all of their networks, but there were approximately 300 
companies that had some combination of hardware and software.
    Mr. Stearns. So 300 U.S. companies?
    Mr. McGurk. Yes, sir.
    Mr. Stearns. Approximately. Good. Do you believe that if 
the U.S. companies implemented the DHS guidance on Stuxnet, 
they will be able to fend off a future attack from this 
software?
    Mr. McGurk. Yes, sir, from this particular piece of mal 
code.
    Mr. Stearns. In addition to this software, we have heard 
that there are other vulnerabilities identified in industrial-
controlled systems, including a Beresford vulnerability or 
exploit. Does that ring a bell?
    Mr. McGurk. Yes, sir.
    Mr. Stearns. Um-hum. Given that Stuxnet's impact and the 
other vulnerabilities that exist, are you comfortable that our 
country's industrial control systems are secure from cyber 
attacks?
    Mr. McGurk. I think it is an evolving threat, sir, so we 
have to continue to move forward and not focus on the previous 
attacks.
    Mr. Stearns. Wasn't the Beresford attack developed by one 
researcher in about 2-1/2 months? That is our background. And 
what does that say about the safety of our system if someone 
could work with his laptop computer in 2-1/2 months, develop 
something that is vulnerable, and be used? Would you care to 
comment?
    Mr. McGurk. Yes, sir. What that really highlights is the 
fact that it is not necessarily attributed to the actor itself 
but it is the action and the vulnerabilities that we need to 
focus on. Because as you had mentioned in your opening 
statement and again when focusing on Stuxnet, it is not the 
capability of the actor that necessarily brings about the 
consequence. It is the actual vulnerability associated that is 
being exploited, and that is really where the Department is 
focusing much of its efforts.
    Mr. Stearns. OK. What step has DHS taken to prepare and 
defend against a Beresford type of attack to industrial control 
system and has this guidance or other direction been issued to 
the industry of the private sector? And I will ask you later. 
Go ahead, Mr. McGurk.
    Mr. McGurk. Sir, the Department has produced a number of 
specific actions and guidance associated with various types of 
cyber risk and cyber threats but again, not focusing on the 
actor or the activity but focusing on the vulnerability and the 
necessary methods to secure the networks. We actually will not 
only address that issue but maybe the next-generation issue 
that could occur.
    Mr. Stearns. Do you actually talk to these U.S. companies 
to see how they are implementing and doing this?
    Mr. McGurk. Yes, sir. In many cases, we are invited to 
actually do an onsite assessment associated with the 
vulnerabilities to see how they implement the mitigation plans.
    Mr. Stearns. Well, just approximately how many do you think 
you have assessed?
    Mr. McGurk. We have assessed approximately--this past year 
we did 53. The year before we did about 40. These are voluntary 
assessments. The year prior to that, another 30. So we have 
done over 100 voluntary assessments and incident response 
activities over the past 3 years.
    Mr. Stearns. Now, was that oriented towards the Stuxnet or 
was it also involved with the Beresford?
    Mr. McGurk. It is involved with all types of 
vulnerabilities, not just those two particular instances.
    Mr. Stearns. Mr. Wilshusen, do you mind commenting?
    Mr. Wilshusen. Well, in our reviews we often also focus on 
the vulnerabilities of systems because that is what the 
agencies or the operators can control. They can't always 
control the threats that come their way, but they can control 
how well they protect their systems and protect against known 
vulnerabilities. And so that is one thing that we often look 
at. And at the systems that we examine at a detailed level, we 
typically find that they are vulnerable.
    Mr. Stearns. Ms. Stempfley, you had indicated in a question 
5 years ago are we more vulnerable today than we were 5 years 
indicate, you seemed to indicate you didn't think so. And I 
guess the question is based upon what I have just given you 
some examples how a man in just 2-1/2 months could come up with 
something that can make our system vulnerable, I guess the 
question for each panelist, can you explain how the cyber 
threats you are seeing now are different from 2 or 3 or 5 years 
ago? And I will start with you, Ms. Stempfley?
    Ms. Stempfley. So the cyber threats now are certainly more 
sophisticated than they were several years ago. The threats are 
focused more on individuals and very specific activities. An 
example I have used is spear fishing is very targeted to an 
individual. I received an email not too long ago that appeared 
to be from my husband as a situation and it was about a topic 
about college payment activities, and that was identified and 
sent to me. And had I clicked on it, it may have been something 
that was malicious. That is an example of increased 
sophistication and increased focus that exists.
    The number of vulnerabilities that have existed and the 
kind of model that you presented where a researcher identified 
a vulnerability and something that is already in existence, 
that vulnerability had been there from the beginning. It was 
just recently identified. And so the specific vulnerabilities 
have not increased in that scenario. We are just more aware of 
it now and more able to respond.
    Our protective measures and protective guidance are about 
building these infrastructures in a way that reduces the 
exposure of those vulnerabilities and makes it less likely for 
threat actors to be able to be successful.
    Mr. Stearns. And Mr. McGurk?
    Mr. McGurk. Yes, sir. I would also agree that, you know, it 
is a matter of awareness and understanding the interconnected 
nature of the----
    Mr. Stearns. But you don't see the cybersecurity increasing 
in the last 5 years?
    Mr. McGurk. Do I see cybersecurity risk?
    Mr. Stearns. Threats increasing.
    Mr. McGurk. Threats, yes, sir, as a result of exploiting 
those vulnerabilities because of the sophistication and also 
the targeted nature. In the past we were talking about just 
basic data ex-filtration from a very broad audience. Now, we 
are seeing--in the RSA example that was mentioned earlier--very 
specific, targeted attacks against these aggregation centers.
    Mr. Wilshusen. And I agree, and I think you will continue 
to see more blended types of attacks that exploit a number of 
different vulnerabilities in order to gain access to its 
target.
    Mr. Stearns. So you would agree that the cyber threats are 
more now than they were 5 years ago?
    Mr. Wilshusen. And more sophisticated.
    Mr. Stearns. Let me just close by this question. I am not 
quite clear myself what this Beresford software does or did. 
Can you describe, Mr. McGurk, what it does? Do you know 
anything about it?
    Mr. McGurk. I don't have those specific details of the 
analysis in front of me today, sir, so I couldn't really 
comment on that.
    Mr. Stearns. Anybody?
    Mr. Wilshusen. No.
    Mr. Stearns. OK. All right. My time has expired.
    The gentlelady from Colorado.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    First of all, I would like to ask unanimous consent to put 
Mr. Waxman's opening statement in the record.
    Mr. Stearns. By unanimous consent, so ordered.
    [The prepared statement of Mr. Waxman follows:]



    
    Ms. DeGette. Thank you.
    So this is the perfect segue actually to just one question 
I had of clarification. We are all throwing around the words 
threat, vulnerability, and risk quite a bit today. And Mr. 
Wilshusen, I am wondering as we prepare for our subsequent 
hearings on these topics, you can just basically describe for 
us whether there is a difference between those three words and 
what the technical descriptions are.
    Mr. Wilshusen. Sure. Yes. And there is a difference. A 
threat is basically any circumstance or event that can 
potentially cause harm to an organization's operations, assets, 
personnel, or whatever. A vulnerability is a weakness in the 
security controls that are over a system or network. There is 
actually a fourth component here before we get to risk, and 
that is impact. What is the impact that could occur should a 
threat, either a threat actor or an event occur, exploit a 
vulnerability? What is the impact that it could have? And then 
those three of those kind of equate to what risk is.
    Ms. DeGette. Thank you. And are they all three things we 
should be concerned about?
    Mr. Wilshusen. Yes, indeed. Absolutely. Threats are what 
you try to guard against. The vulnerabilities are what you try 
to prevent and minimize by taking corrective actions and 
implementing appropriate security controls. And you do that in 
such a manner that you minimize the impact should such a 
security incident occur. And so, yes, it is important to think 
of all of them.
    Ms. DeGette. So you have heard both me and the chairman and 
other members of this subcommittee talk about this committee's 
jurisdiction. I am wondering if there is any particular sectors 
of our jurisdiction that you think we should look more closely 
at in subsequent hearings?
    Mr. Wilshusen. I think in terms of from a cyber 
perspective, I think probably the key sectors would be energy, 
electricity, both nuclear and other just because of the 
interdependencies that they have with other sectors, IT, 
finance and banking, and also communications would be I think 
the four that are the most important just because of the 
interdependencies that they have with the other critical 
sectors.
    Ms. DeGette. Great. Thank you.
    Thank you very much, Mr. Chairman. I yield back.
    Mr. Stearns. I thank the gentlelady. I want to thank the 
witnesses for their participation, their coming here this 
morning.
    The committee rules provide that members have 10 days to 
submit additional questions for the record, the witnesses. And 
with that, the subcommittee is adjourned.
    [Whereupon, at 12:41 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]



    

                                 
