[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY: AN OVERVIEW OF RISKS TO CRITICAL INFRASTRUCTURE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
JULY 26, 2011
__________
Serial No. 112-80
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
73-391 PDF WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan
Chairman

JOE BARTON, Texas, Chairman Emeritus
CLIFF STEARNS, Florida
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
MARY BONO MACK, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina, Vice Chairman
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
BRIAN P. BILBRAY, California
CHARLES F. BASS, New Hampshire
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

HENRY A. WAXMAN, California, Ranking Member
JOHN D. DINGELL, Michigan, Chairman Emeritus
EDWARD J. MARKEY, Massachusetts
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
_____
Subcommittee on Oversight and Investigations
CLIFF STEARNS, Florida
Chairman

LEE TERRY, Nebraska
SUE WILKINS MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
BRIAN P. BILBRAY, California
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
CORY GARDNER, Colorado
H. MORGAN GRIFFITH, Virginia
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

DIANA DeGETTE, Colorado, Ranking Member
JANICE D. SCHAKOWSKY, Illinois
MIKE ROSS, Arkansas
KATHY CASTOR, Florida
EDWARD J. MARKEY, Massachusetts
GENE GREEN, Texas
DONNA M. CHRISTENSEN, Virgin Islands
JOHN D. DINGELL, Michigan
HENRY A. WAXMAN, California (ex officio)
C O N T E N T S
----------
Page
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement.................................. 1
Prepared statement........................................... 4
Hon. Diana DeGette, a Representative in Congress from the State
of Colorado, opening statement................................. 7
Prepared statement........................................... 9
Hon. Michael C. Burgess, a Representative in Congress from the
State of Texas, opening statement.............................. 11
Hon. Marsha Blackburn, a Representative in Congress from the
State of Tennessee, opening statement.......................... 11
Prepared statement........................................... 13
Hon. Donna M. Christensen, a Representative in Congress from the
Virgin Islands, opening statement.............................. 14
Hon. Henry A. Waxman, a Representative in Congress from the State
of California, prepared statement.............................. 75
Hon. Fred Upton, a Representative in Congress from the State of
Michigan, prepared statement................................... 77
Witnesses
Roberta Stempfley, Acting Assistant Secretary, Office of
Cybersecurity and Communications, National Protection and
Programs Directorate, Department of Homeland Security.......... 15
Prepared statement \1\.......................................
Sean P. McGurk, Director, National Cybersecurity and
Communications Integration Center, Office of Cybersecurity and
Communications, National Protection and Programs Directorate,
Department of Homeland Security................................ 16
Prepared statement........................................... 19
Gregory C. Wilshusen, Director, Information Security Issues,
Government Accountability Office............................... 31
Prepared statement........................................... 33
----------
\1\ Ms. Stempfley issued a joint statement with Mr. McGurk for
the record.
CYBERSECURITY: AN OVERVIEW OF RISKS TO CRITICAL INFRASTRUCTURE
----------
TUESDAY, JULY 26, 2011
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 11:00 a.m., in
room 2322 of the Rayburn House Office Building, Hon. Cliff
Stearns (chairman of the subcommittee) presiding.
Members present: Representatives Stearns, Murphy, Burgess,
Blackburn, Scalise, Griffith, DeGette, Schakowsky, Castor,
Green, Christensen, and Waxman (ex officio).
Staff present: Carl Anderson, Counsel, Oversight and
Investigations; Todd Harrison, Chief Counsel, Oversight and
Investigations; Karen Christian, Counsel, Oversight and
Investigations; Alan Slobodin, Deputy Chief Counsel, Oversight
and Investigations; Peter Spencer, Professional Staff Member,
Oversight and Investigations; Carly McWilliams, Legislative
Clerk; Andrew Powaleny, Press Assistant; Sean Bonyun, Deputy
Communications Director; Kristin Amerling, Democratic Chief
Counsel and Oversight Staff Director; Tiffany Benjamin,
Democratic Investigative Counsel; Karen Lightfoot, Democratic
Communications Director and Senior Policy Advisor; and Ali
Neubauer, Democratic Investigator.
Mr. Stearns. Good morning, everybody. And the subcommittee
will come to order. And I will start with my opening statement.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
I have called to order this subcommittee's first hearing on
cybersecurity and critical infrastructure protection. Over the
last 15 years, our Federal Government has wrestled with the
question of how best to protect our Nation's critical
infrastructures from cyber attacks. Since September 11, our
infrastructure systems have become even more automated and more
reliant on information systems and computer networks to
operate. This has allowed our systems to become more efficient,
but it has also opened the door to cyber threats and cyber
attacks.
Recent reports and news articles have highlighted how
threats and risks to cybersecurity have created vulnerabilities
in our Nation's critical infrastructures and information
systems. For example, just last week, the Department of
Homeland Security sent out a bulletin about potential insider
threats to utilities. That bulletin stated that outsiders have
attempted to obtain information about the utilities'
infrastructure to use in coordinating and conducting a cyber
attack.
In March 2011, the computer systems of RSA were breached.
RSA manufactures tokens for secure access to computer networks.
Sensitive information about these tokens was stolen and later
used to hack into the network of Lockheed Martin, a Department
of Defense contractor.
Last summer, the Stuxnet attack was identified. Stuxnet
targets vulnerabilities in industrial control systems such as
nuclear and energy to gain access to the systems and then
manipulate the control process. This kind of attack has the
potential to bring down or severely interrupt the functions of
an electricity or even a nuclear plant.
The issues surrounding critical infrastructure protection
and security are complex. Our systems are interconnected and
depend on one another to operate. A vulnerability in one critical
infrastructure naturally exposes other critical infrastructures
to the same threats and risks, either because they are linked
together through information systems or because one
infrastructure depends on another to operate. In addition, much
of the country's critical infrastructures are privately owned,
as much as 80 or 90 percent. They therefore have different
operations, components, control systems, and computer
networks--as well as vastly different resources available to
address problems like cybersecurity and infrastructure
protection.
My colleagues, we must identify and protect the very
systems that make our country run: energy, water, healthcare,
manufacturing, and communications. Pursuant to the Homeland
Security Act of 2002, DHS has led the coordination of
infrastructure protection efforts with the private and public
sectors and numerous federal agencies. One way DHS does this is
to coordinate working groups and information sharing and
analysis centers or ISACs in the individual critical
infrastructure sectors and in cross-sector working groups.
DHS is primarily responsible for conducting threat analysis
and issuing warnings about cyber threats so that other federal
agencies and the owners and operators of critical
infrastructure can simply protect their systems. DHS' efforts
to protect our critical infrastructure have been the subject of
some criticism.
Since 2003, the Government Accountability Office has
designated ``protecting the Federal Government's information
systems and the Nation's cyber critical infrastructures'' as a
``high risk'' area. In particular, in a report issued last
July, GAO found that public- and private-sector owners and
operators of critical infrastructure were not satisfied with
the kind of cyber threat information they were getting from
DHS. GAO has also expressed some concern that the sector-
specific plans for dealing with cybersecurity need to be
updated. In light of growing and more sophisticated cyber
attacks, this is obviously a critical issue.
As I mentioned previously, this is the subcommittee's first
hearing in this Congress on critical infrastructure protection
and cybersecurity. The purpose of this hearing in particular is
to get an overview of DHS' role and responsibilities and how it
coordinates with the sector-specific federal departments and
agencies, many of which are subject to this committee's
jurisdiction. Once we have a better understanding of DHS' role,
it is my intention to call additional hearings to understand
the issues that are presented in protecting the individual
sectors, such as energy and information systems and
communications.
Many ideas have been presented about how to improve
critical infrastructure protection and cybersecurity. I believe
the Oversight and Investigations Subcommittee has an important
role to play in examining and bringing to light what is working
now, and what can be done better.
I should note that this subcommittee's inquiry into this
matter began with a bipartisan letter to the Department of
Homeland Security asking for a briefing about its efforts to
protect critical infrastructure. I appreciate the support of
Ranking Member, Ms. DeGette, and the minority in this
investigation. As Members of Congress, one of our foremost
responsibilities is protecting our Nation's security and the
safety of its citizens.
With that, I yield to the ranking member, Ms. DeGette, for her
opening statement.
[The prepared statement of Mr. Stearns follows:]
OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF COLORADO
Ms. DeGette. Thank you very much, Mr. Chairman. And like
you, this is a matter of great urgency. I am glad we are having
this overview hearing and I am also happy to work with the
majority on additional hearings in the particular issues of
cybersecurity.
Just today, in the Washington Post it talked about a GAO
report on significant breaches of classified computer networks
in the Department of Defense. And while that is not in the
jurisdiction of this committee, it just points out how
vulnerable this country can be and why it is so important to
keep our information systems safe.
The chairman referred to the cyber attack on RSA, a compromise
of Department of Energy systems that necessitated shutting down
internet connectivity for several days, and breaches of Citibank
data belonging to hundreds of thousands of customers.
Anecdotally, at least, it seems like these breaches
are becoming more and more frequent. The incidents remind us of
the need for vigilance regarding efforts to prevent
cybersecurity breaches and respond effectively when they occur
and the importance of congressional oversight in these areas.
As the chairman mentioned, I asked him earlier this
Congress to look into these issues, and I am really glad that
we are going to have a rigorous review of all of the
cybersecurity issues. As the chairman mentioned, we have
jurisdiction over a number of key components of our Nation's
critical infrastructure, including the electrical grid,
drinking water system, chemical plants, healthcare system, and
telecommunications activities. In the last Congress, we saw
progress in this committee regarding addressing cybersecurity
issues in a number of these areas. The committee developed and
passed on a bipartisan basis legislation to promote security
and resiliency in the electrical power grid by providing the
Federal Energy Regulatory Commission new authorities and
providing for Department of Energy assistance to industry to
protect the grid against cyber threats and other
vulnerabilities. The committee also developed and passed
legislation regarding chemical and drinking water facilities to
meet the risk-based cybersecurity performance standards.
Cybersecurity issues are complex and evolving and deserve
continuing and focused attention. One major question is how to
best ensure an effective public-private partnership to address
cybersecurity threats. The majority of our Nation's critical
infrastructure is owned or operated by the private sector.
While there are incentives for private-sector entities to
protect the security of their information networks, national
security priorities may not always align with priorities and
capabilities of the private sector.
I know that the Department of Homeland Security witnesses
before us today are helping lead the administration's efforts
to foster private- and public-sector cooperation in promoting
cybersecurity and I look forward to hearing their insights on
progress that is being made and obstacles that may still exist.
Another question we have to ask is how to best ensure that
the Federal Government is drawing on its own expertise and
experience to ensure cybersecurity measures are appropriately
tailored to address specific needs in different critical
infrastructure sectors. I look forward to hearing from GAO
about these challenges. But even with a maximally effective
partnership of federal agencies, state and local governments,
and the private sectors in our country on cybersecurity
protection, we must still address issues raised by the fact
that information networks do not have national boundaries. Many
reports suggested that the cyber attacks have started outside
of American borders, raising serious questions about how we
ensure international cooperation to protect against threats
that cross borders. And in this DOD example, in the GAO report
today, apparently the cyber attack came from a portable
computer, a laptop computer that was somehow tapped into.
And so I look forward to the insights of today's witnesses
on these and other issues. I hope that we will build on this
hearing with additional hearings on cybersecurity. It is one of
the few bastions of bipartisanship left around here this week
and I am happy to be part of it.
I yield back.
[The prepared statement of Ms. DeGette follows:]
Mr. Stearns. I thank the gentlelady and recognize the
gentleman from Texas, Dr. Burgess, for 2 minutes.
OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF TEXAS
Mr. Burgess. I thank the chair.
To say that this committee has been working diligently for
years is kind of an oxymoron but it does seem through several
terms on this subcommittee we have indeed delved into this
issue. I am anxious that we bring this to a legislative
conclusion and institute those things that will provide the
protection that I think we all feel that we need. There are
critical urgent things that need to be done to protect our
transmission grid, our power plants from attacks from those who
wish to do us harm. The threats are real. It is time to move
the legislation forward.
We do have to be careful that we don't unduly shift the
balance of responsibility that has been properly maintained
between the government and the private sector for decades. It
is important that we be careful; it is important that we be
prudent in providing the Federal Government any additional
authority. If indeed any is necessary, it must be done in a way
that cannot be abused and will not result in significantly
higher cost to consumers and businesses at a time when the
economy is so fragile. And it must not result in the loss of
any personal freedoms that people now have.
The testimony we will hear today will help this committee
in perfecting legislation that was considered last year. I
certainly look forward to working with members on both sides of
the dais to ensure that the legislation is mindful of both the
real threats that we face and the burdens that granting new
powers to the Federal Government can create. Ensuring this
balance can and should be done.
Thank you, Mr. Chairman, for the recognition. I will yield
back my time.
Mr. Stearns. The gentleman yields back and the gentlelady
from Tennessee, Ms. Blackburn, is recognized for 2 minutes.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Mrs. Blackburn. Thank you, Mr. Chairman. And I want to
welcome our witnesses. We appreciate that you would take the
time and come over here to the Hill. We all do know and do
agree that cybersecurity is an important issue and we know that
there are those who are, as we speak, waging war if you will on
our vital infrastructure.
Last month, the Wall Street Journal reported that the IMF was
investigating a recent cyber attack. Not surprisingly, this
attack came just 1 month after a group called Anonymous
indicated its hackers would target the IMF Web site in response
to the strict austerity measures in its financial package of
Greece.
Closer to home, in my State of Tennessee, presides our
Nation's largest public power utility, the Tennessee Valley
Authority. TVA's power networks stretch across 80,000 square
miles in the Southeastern U.S. and provide electricity to more
than 8.7 million Americans. Under Homeland Security
Presidential Directive number 7, TVA is considered a National
Critical Infrastructure and must take great steps to protect
and to safeguard its essential cyber assets. A power grid
disruption or other threat on TVA operations or any other
public utility in our country would cause a cascading effect
impacting our economy, safety, and daily lives.
In fact, this concern was reaffirmed last month as former
CIA director and current Secretary of Defense Panetta appeared
before the Senate Armed Services Committee and declared that
the next Pearl Harbor our Nation confronts could very well be a
cyber attack that cripples our power systems, the grid, our
security systems, our financial systems, and our governmental
systems.
With all that in mind, I thank the chairman for the
hearing. I thank you all for your participation as we discuss
what steps DHS is taking to avoid what would be the
unimaginable, a Pearl Harbor attack on our Nation's vital
infrastructure.
And I yield back.
[The prepared statement of Mrs. Blackburn follows:]
Mr. Stearns. The gentlelady yields back and I recognize Ms.
Christensen from the Virgin Islands for 5 minutes.
OPENING STATEMENT OF HON. DONNA CHRISTENSEN, A REPRESENTATIVE
IN CONGRESS FROM THE VIRGIN ISLANDS
Mrs. Christensen. Thank you, Chairman Stearns, and thank
you, Ranking Member DeGette, for holding this hearing to
discuss cybersecurity risks, threats, and challenges to our
Nation's critical infrastructure. Many of today's battles are
in cyberspace where terrorism and hackers help attack our cell
phones, computer grids, and have the potential to destroy
sensitive information in 18 of our Nation's most critical
sectors.
Since 9/11, we have known to expect that we would
experience terrorist attacks that would be cyber attacks. As a
former member of the Homeland Security Committee, I have taken
part in many hearings and worked on legislation addressing this
issue. As our witnesses who we welcome here today will testify,
a lot has been done to create entities to coordinate and
oversee efforts to address and prevent cybersecurity threats.
But there are still challenges to protecting our Nation's
infrastructure from these threats and we must continue to
examine how we can overcome these challenges.
In doing so, it is important that we pass legislation to
protect our Nation's electric grid. All of these long-term
initiatives require a national electric grid that is reliable
and secure. The electrical grid serves more than 143 million
American customers, has to operate without interruption, and is
a key foundation of our national security. Designing and
operating an electrical system that prevents cybersecurity
events from having a catastrophic impact is a challenge we must
all address. And I want to add that the healthcare sector is
not immune to these attacks either.
So I would like to thank DHS and GAO and commend both
Agencies for their efforts to address imminent cybersecurity
threats. And with that, I will yield back the balance of my
time.
Mr. Stearns. The gentlelady yields back.
And at this time, we will move to our first panel, our
witnesses. Let me address you folks.
You are aware that the committee is holding an
investigative hearing and when doing so has had the practice of
taking testimony under oath. Do you have any objections to
taking testimony under oath? All right. No.
The chair then advises you that under the rules of the
House and the rules of the committee you are entitled to be
advised by counsel. Do you desire to be advised by counsel
during your testimony today? All right.
In that case, if you will please rise and raise your right
hand, I will swear you in.
[Witnesses sworn.]
Mr. Stearns. You are now under oath and subject to the
penalties set forth in Title XVIII, Section 1001, of the United
States Code.
We welcome the three of you for your 5-minute summary
statement. And we have Ms. Bobbie Stempfley, Acting Secretary
of the DHS Office of Cybersecurity and Communications, welcome;
and Mr. Sean P. McGurk, Director, National Cybersecurity and
Communications Integration Center in the Office of
Cybersecurity and Communications at DHS; and lastly, Mr.
Gregory Wilshusen, Government Accountability Office Director of
Information Security Issues. Thank you.
And Ms. Stempfley, we welcome your opening statement. Just
turn the mike on if you don't mind. Just move it close to you
so we can hear you. That would be super. Thanks.
STATEMENTS OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY,
OFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION
AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY; SEAN
P. MCGURK, DIRECTOR, NATIONAL CYBERSECURITY AND COMMUNICATIONS
INTEGRATION CENTER, OFFICE OF CYBERSECURITY AND COMMUNICATIONS,
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF
HOMELAND SECURITY; AND GREGORY C. WILSHUSEN, DIRECTOR,
INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
STATEMENT OF ROBERTA STEMPFLEY
Ms. Stempfley. OK. Thank you very much. So thank you very
much, Chairman Stearns, Ranking Member DeGette, and other
members of the subcommittee.
As you heard, my name is Bobbie Stempfley, and I am the
Acting Assistant Secretary in the Office of Cybersecurity and
Communications at the Department of Homeland Security, and it
is definitely my privilege to be here to speak to you today
with my colleagues from across government to talk about
cybersecurity, which is an area of great passion for all of us.
The opening comments did such a wonderful job describing
the threat landscape that we operate in today. It certainly is
one we have increasing sophistication, increasing severity, and
an environment where no one is immune from individuals to
private-sector companies, and one where we see it slightly
untenable where the threat actors have to make one right choice
in an environment where only a single wrong implementation in
the networks that are being defended enables access. And so it
is an environment where we spend a great deal of time bringing
together private-sector partners and others.
We have identified 38,000 vulnerabilities over a period of
time in critical infrastructures and provide warning
notification and awareness products around those
vulnerabilities to private-sector individuals. It is an
environment, as the chairman pointed out, of significant
interdependence, both between critical infrastructure sectors,
between corporations, between environments. Several examples
that you provided do a wonderful job illuminating that
interdependence across the board. And that means that it
requires an interdependent and integrative approach in order to
provide protective, preventative, and restoral and defensive
measures both across government and within the private sector.
It is the job of the National Protection and Programs
Directorate; it is our mission responsibility to secure the
federal executive civilian branch--that is the federal
departments and agencies--to provide technical support to
private-sector individuals, owners, and operators to help them
with risk assessment, with mitigation, with restoral and
response activities. It is also our mission to provide general
awareness to the broad public. And finally, as Mr. McGurk will
discuss, to provide national coordination and response across
the board.
It is, as I said, not an environment where a single
solution works or a single organization provides all of the
answers. It is an environment where much progress has been made
and it is a team sport for us all. Cooperation between law
enforcement, between intelligence agencies, between the
Homeland Security, between, as I said, government and private
sector is a significant part of how we need to move forward of
the successes we have had to date.
Examples such as you pointed out, the compromise in RSA
really helps demonstrate the progress that has been made in
government. The response that we had in that worked across a
set of responsibilities defined in the National Cybersecurity
Incident Response Plan where law enforcement has responsibility
for pursuit and for investigation, where intelligence has
warning responsibilities and attribution responsibilities, and
where Homeland Security's responsibilities are in protection,
prevention, restoral, and response. And that partnership across
government is so important for us as we work through each of
the events that occur.
We have in a proactive manner responded to 100 requests
from critical infrastructure partnerships, largely across
water, oil, and gas and power to help identify vulnerabilities
in their environment and help them improve the capabilities
that they have for protection and for response. It is through
that partnership that we continue to work to enhance our
prevention activities because, as we said, we are in that
untenable environment today.
What we have also put a great deal of effort in is to
increase visibility and information sharing across
environments. Again, I look forward to the comments of Mr.
McGurk in our operations center. But it is information sharing
not only in operations and in response, but information sharing
at large that is important across the board.
And so in conclusion, I look forward to further questions
from the committee to discuss what we have done. And it, again,
is my pleasure to be here today.
[The joint prepared statement of Ms. Stempfley and Mr.
McGurk appears after Mr. McGurk's testimony.]
Mr. Stearns. Thank you.
Mr. McGurk, you are welcome for your opening statement.
STATEMENT OF SEAN P. MCGURK
Mr. McGurk. Thank you, Chairman Stearns, Ranking Member
DeGette, and distinguished members of the subcommittee. My name
is Sean McGurk. I am the director of the National Cybersecurity
and Communications Integration Center, also known as the NCCIC.
Thank you for inviting me here today along with my
distinguished colleagues to discuss the overall cyber-risk to
critical infrastructure. The Department greatly appreciates the
committee's support for our central mission and looks forward
to working with the committee to establish the necessary plans
and programs moving forward to address risks to the critical
infrastructure.
The cyber environment is not homogenous under a single
department or agency nor under the private sector. Each of the
18 critical infrastructure and key resource sectors are
completely different--energy, water, nuclear, transportation,
they all have their unique challenges and their unique
environments. In fact, within a particular company, two plants
may not have the same operating environment. We rely on this
continuous availability of a vast, interconnected, critical
infrastructure to sustain our way of life. A successful cyber
attack could potentially result in physical damage and even
loss of life. We face a significant challenge moving forward--
strong and rapidly expanding adversary capabilities and a lack
of comprehensive threat and vulnerability awareness.
Support of these efforts from our private-sector partners
is key to securing these critical infrastructures. The
government does not have all the answers, so we must work with
the private sector to establish those guidelines. There is no
one-size-fits-all solution in a cyber environment. There is no
cyber Maginot Line. We must leverage our expertise and our
access to information, along with industry-specific needs,
capabilities and timelines. Each partner has a role and a
unique capability, as demonstrated by the diversity of this
panel.
Two-factor authentication was mentioned earlier, the RSA
example. In that particular example, within a 24-hour period,
the Department, working along with law enforcement and with the
intelligence community, responded to a request from the private
industry partner to provide a mitigation, identification, and
assessment team in support of their mitigation efforts. The
Department continuously works with our private-sector partners
and the financial-services sector, energy sector,
communications, IT, and others to prepare, prevent, respond,
recover, and restore.
Coordinating the national response of domestic cyber
emergencies is the focus of the National Cyber Incident
Response Plan and indeed the NCCIC. The what and the how on the
cyber attack is the focus and the intent of our mitigation
activities. The who and the why usually come later.
The NCCIC works closely with the government at all levels
and private sector to coordinate and integrate a unified cyber
response. Sponsoring security clearances for our partners
enables them to participate fully in our watch-center
environment. To date, we have physical representation from the
communications sector and its Information Sharing and Analysis
Center and also with companies such as AT&T, Verizon, and
Sprint. The information technology sector is represented
physically on the watch floor along with the financial-services
sector, NERC, representing the North American Energy
Reliability Corporation; representing the energy sector,
Information Sharing and Analysis Center; and most recently, we
have begun to coordinate and share information with the
National Electric Sector Cybersecurity Organization, or NESCO.
We have virtual connections as well as physical connections
with these organizations and we share data in near-real time.
Additionally, we have a physical representative from the Multi-
State ISAC, enabling us to provide actionable intelligence to
state, local, tribal, and territorial governments and their
representatives. Each of these partners brings a unique
perspective and a unique capability to the watch environment.
Currently, within our legal authorities, we continue to
engage, collaborate with our partners and provide analysis,
vulnerability, and mitigation assistance to the private sector.
We have experience and expertise in dealing with the private
sector in planning steady-state and crisis scenarios. We have
deployed numerous incident-response teams and assessment teams
that enable us to prevent and to respond, recover, and restore
to cyber impacts.
Finally, we work closely with the private sector and our
interagency partners and law enforcement and intelligence to
provide the full complement of capabilities from the federal
standpoint in preparation for and response to significant cyber
incidents.
Chairman Stearns, Ranking Member DeGette, and distinguished
members of the subcommittee, let me conclude by reiterating
that I look forward to exploring opportunities to advance the
mission and collaboration with the subcommittee and my
colleagues in the public and private sector. Thank you again
for this opportunity to testify and would be happy to answer
your questions.
[The joint prepared statement of Ms. Stempfley and Mr.
McGurk follows:]
Mr. Stearns. Thank you. Mr. Wilshusen?
STATEMENT OF GREGORY C. WILSHUSEN
Mr. Wilshusen. Chairman Stearns, Ranking Member DeGette,
and members of the subcommittee, thank you for the opportunity
to testify in today's hearing on the cybersecurity risks to the
Nation's critical infrastructure. But before I begin, if I may,
Mr. Chairman, I would like to recognize Mike Gilmore, Tammy
Carvette, and Lee McCracken, who is sitting behind me, and also
Brad Becker from our Denver office, who are responsible for the
significant contributions in reviewing this area and helping me
prepare this testimony today.
Mr. Stearns. I am glad you did. Thank you.
Mr. Wilshusen. Critical infrastructures are systems and
assets, whether physical or virtual, so vital to our Nation
that their incapacity or destruction would have a debilitating
effect on our national security, economic wellbeing and public
health and safety. They include, among other things, banking
and financial institutions, telecommunications networks, and
energy production transmission facilities, most of which are
owned by the private sector. These infrastructures have become
increasingly interconnected and dependent on interconnected
networks and systems. And while the benefits of this
interconnectivity have been enormous, they can also pose
significant risk to the networks and systems, and more
importantly, to the critical operations and services they
support.
In my testimony today, I will describe the cyber threats
confronting critical infrastructures, recent actions by the
Federal Government to identify and protect these
infrastructures and ongoing challenges to protecting them.
Mr. Chairman, our Nation's critical infrastructures face a
proliferation of cyber threats. These threats can be
intentional or unintentional. Unintentional threats can be
caused by equipment failures, software upgrades, or maintenance
procedures that inadvertently disrupt the systems. Intentional
threats include both targeted and non-targeted attacks from a
variety of sources, including criminal groups, hackers,
insiders, and foreign nations engaged in intelligence gathering
and espionage.
First, recent reports of cyber attack incidents involving
cyber-reliant critical infrastructure underscore the risks and
illustrate that they can be used to disrupt industrial control
systems and operations, commit fraud, steal intellectual
property and personally identifiable information, and gather
intelligence for future attacks. Over the past 2 years, the
Federal Government has taken a number of steps aimed at
addressing cyber threats and better protecting critical
infrastructures.
For example, a cyberspace policy review identified 24
recommendations to address the organizational and policy
changes needed to approve the current U.S. approach to
cybersecurity. DHS updated the National Infrastructure
Protection Plan in part to provide a greater focus on cyber
issues and issued an interim version of the National Cyber
Incident Response Plan. It also conducted Cyber Storm III, a
cyber attack simulation exercise intended to test elements of
the National Response Plan.
In addition, DHS, as you know, created the National
Cybersecurity and Communications Integration Center, or NCCIC,
to coordinate national response efforts, as well as work
directly with other private- and public-sector partners.
Despite these threats, more needs to be done to address a
number of remaining challenges. For example, implementing the
recommendations made by the President's Cybersecurity Policy
Review, updating the national strategy for securing the
information and communications infrastructure, strengthening
the public-private partnerships for securing cyber-reliant
critical infrastructures, enhancing cyber analysis and warning
capabilities, and securing the modernized electricity grid.
In summary, the threats to information systems are evolving
and growing and systems supporting our Nation's critical
infrastructures are not yet sufficiently protected to
consistently thwart the threats. While actions have been taken,
federal agencies, in partnership with the private sector, need
to act to improve our Nation's cybersecurity posture, including
enhancing cyber analysis and warning capabilities and
strengthening the public-private partnerships. Until these
actions are taken, our Nation's critical infrastructure will
remain vulnerable.
Mr. Chairman, this concludes my statement. I would be happy
to answer any questions for you or other members of the
subcommittee.
[The prepared statement of Mr. Wilshusen follows:]
Mr. Stearns. I thank the gentleman.
Let me ask you a question. I have your opening statement
here in which you mention various cybersecurity attacks. They
are putting software viruses into the network. Is that
primarily what it is?
Mr. Wilshusen. It could be a number of different attacks.
In terms of one to include computer intrusions in which
individuals are able to gain access through the installation of
malicious software. For example, if a user inadvertently
plugged a USB into his computer that was corrupted, it could
install some malicious software, which might facilitate an
attack.
Mr. Stearns. Now, when an attack occurs----
Mr. Wilshusen. Um-hum.
Mr. Stearns [continuing]. Generally, what does that attack
look like? They are coming in to steal information, or are they
coming to put in a replicating software that will destroy it,
or is it just putting in there to observe? What of those three?
Mr. Wilshusen. It could be any of the combinations.
Mr. Stearns. Any of those three combinations?
Mr. Wilshusen. Right. One, in terms of either to sabotage
his particular system or gain information for future attacks
perhaps or as well to----
Mr. Stearns. Depending upon their motivation.
Mr. Wilshusen. Depending upon their motivation.
Mr. Stearns. Mr. McGurk, what do you think?
Mr. McGurk. Yes, sir. I would also echo my colleague's
statements that the vast array of capability we see
demonstrated with the malicious code is such that it
encompasses all of those things.
Mr. Chairman, you had mentioned Stuxnet earlier. That is a
great example of a particular piece of malicious code that
demonstrated very unique capabilities. It not only exploited
what we call zero-day vulnerabilities, which are
vulnerabilities that are not known in the public environment,
but also it used advanced communication capability. It did
advanced reconnaissance, so it was gathering information. And
subsequently, it left behind that malicious code that was able
to have a physical impact.
Mr. Stearns. Now, are we in the United States, you know, we
have jurisdiction over energy, water, information technology,
communication, nuclear plants--are we vulnerable to Stuxnet in
your opinion?
Mr. McGurk. Sir, because of the ubiquitous nature of
information technology in the critical infrastructure, the
exploitation may occur in one sector and it could actually
migrate into another sector.
Mr. Stearns. So yes or no? Do you think we are vulnerable?
Mr. McGurk. I would say the vulnerabilities exist and the
capability to exploit those vulnerabilities exist.
Mr. Stearns. OK. So the big question is that the American
people want to know what has the United States Government done
about that to make sure we don't have that attack?
Mr. McGurk. Much of the Department's focus over the past
several years has been on mitigating the vulnerabilities
associated with those critical infrastructure systems.
Mr. Stearns. Do you do it by having innocuous or something
that inoculates us from this software or do you do it to make
sure you don't put the USB port or how are you doing this?
Mr. McGurk. So it is a multifaceted approach, sir. Much of
it is through an education program, so we work with the private
sector to develop standards required to educate the community
on good practices and uses of equipment and technology. We
actually conduct----
Mr. Stearns. You think education alone would do it?
Mr. McGurk. No, sir. We also conduct vulnerability analyses
of products in our laboratories in conjunction with the
national laboratory community where we actually take vendors
products and do a complete vulnerability assessment of those
products. We also develop practices for owners and operators
because in some cases, especially in the power companies, it is
not a matter of replacing the technology, so you have to be
able to put practices in place that mitigate the risk. And they
are also working with the security communities to actually
provide an enclaving capability so that we can secure the
environments around which they operate.
So by taking this multifaceted approach, we can identify
not necessarily the threat actors and focus on the threats
which are coming from many areas, but the vulnerabilities
themselves and mitigating the risks associated with those
vulnerabilities.
Mr. Stearns. Let me ask you a question but with this
Stuxnet. What have we done to protect those specific
vulnerabilities in Siemens' product? In other words, has DHS
issued a guidance on this?
Mr. McGurk. Yes, sir. The Department, when we started
analyzing Stuxnet back in July of last year, we identified the
capabilities of the particular piece of mal code. We understood
its capabilities and subsequently we put mitigation plans in
place working with the specific sectors to identify the
mitigation strategies associated with that. But since that
particular piece of mal code was looking for a very unique
combination of hardware and software, it was easy to identify
what the mitigation strategies would be.
Mr. Stearns. OK. Ms. Stempfley, just last Friday, the head
of US-CERT resigned. US-CERT is the group charged with
collaborating with state and local governments and private
industry on cyber attacks. There have been a number of recent
attacks on government systems, the Senate, FBI, CIA, and even a
Gmail hacking aimed at top government officials. Have all of
these recent attacks caused any change in the direction or
change in the operation in US-CERT?
Ms. Stempfley. No, sir. The US-CERT's set of
responsibilities stays the same. And as we commented in the
opening statements and your opening statements as well, this is
a very sophisticated environment and it is constantly evolving.
And as a part of that evolution, we understand that we have to
have a bench and a mechanism for growth of individuals as we go
forward. And so Randy's departure was a decision that he made
and we have a continued direction and focus in prevention,
preparedness, and restoral responsibilities across the board.
Mr. Stearns. What were the vulnerabilities that allowed
these systems to be infiltrated, and do these same kind of
vulnerabilities exist in the private sector and on control
systems?
Ms. Stempfley. I am sorry, sir. Could you repeat the
question?
Mr. Stearns. With regard to the Senate, FBI, and CIA and
even the Gmail hacking aimed at top government officials, what
were the vulnerabilities that allowed these systems to be
infiltrated?
Ms. Stempfley. There were a number of vulnerabilities that
were associated with these kinds of events that occurred, and
to respond to where are other members of the private sector
potentially vulnerable, I believe that is a true statement. As
we commented earlier, there are a great deal of vulnerabilities
that exist in the environment, and you will see that through
the production of warning products and awareness notifications,
we provide mitigations and indicators for private-sector owners
and operators to put in place in their infrastructure. It is a
shared responsibility between us and the private sector in
order to implement the restorative and preventative measures.
Mr. Stearns. Thank you. My time has expired. The gentlelady
from Colorado.
Ms. DeGette. Thank you very much, Mr. Chairman.
I want to go a little bit more in depth into some of the
issues that we face trying to work on interoperability between
our governmental agencies and privately owned endeavors. In
particular with our communications infrastructure, which is of
course an essential part of our critical infrastructure, one of
the things I am concerned about 90 percent of our
communications networks are privately owned by commercial
carriers. So traditionally, the FCC has worked with commercial
carriers to ensure the reliability of the communications
networks, and under current FCC rules, carriers have to report
regarding outages on legacy telecommunications system. Now, the
FCC in turn uses this data to help industry standards groups to
improve on the best practices.
So I am wondering, Ms. Stempfley and Mr. McGurk, if you can
talk to me a minute given FCC's historical involvement with the
communications infrastructure and the relationship with
commercial carriers, don't you think that they can take an
important role in helping drive greater awareness of cyber
threats?
Ms. Stempfley. So reporting is always good and the ability
to get information about what is going on is an important part
of how we can frame that national picture of what is happening
and the response activities. So we have a history of working
both with private industry directly and with other members of
government in order to increase the awareness and the response
actions that are necessary. I think the same would be true
here.
Ms. DeGette. Mr. McGurk?
Mr. McGurk. In addition, ma'am, what I would like to add is
that in response to the reporting that is conducted, part of
the capability that exists within the NCCIC is our National
Center for Coordination for Communications. And they receive
those direct reports. So from a situational-awareness
standpoint, the watch center receives real-time reporting from
not only the telecommunication industry itself but also from
other federal departments and agencies so that we get a better
understanding from a holistic view on the impacts to
communications because as we recognize that many of the
critical infrastructures are relying on communications for
controlling issues, for communications issues, and for flowing
of data.
In addition, we have the physical carriers themselves
located within the watch environment so that they can provide
up-to-date and actionable intelligence so that we can take the
necessary steps and make proper recommendations.
Ms. DeGette. Now, the office of Homeland Security
coordinates those efforts on cyber threats. And so I guess my
question to you following up is if there is a breach in the
communications network, then how do DHS and FCC respond? How do
they interact together to respond?
Mr. McGurk. Part of the National Cyber Incident Response
Plan includes the development and coordination of a cyber-
unified coordination group or cyber UCG. This is a steady state
body of emergency response and incident handlers at working
level, at the operational level, and then also at the senior
decision-making level. For our cyber UCG seniors, it
encompasses individuals from the departments and agencies that
are at the assistant secretarial level or higher. So these are
the actual decision-makers in the Federal Government. And then
we have a staff which encompasses not only private sector but
representatives from the federal departments and agencies that
coordinate on a daily basis and share real-time information
whether it comes from the communications sector, the energy
sector, or one of the other 18 critical infrastructures. So
that enables us to have that constant flow of data and provide
that actionable intelligence so that private-sector companies
can take the necessary steps to mitigate risk.
Ms. DeGette. OK. Now, as I understand it, the FCC has
proposed a rule this spring to extend reporting requirements
about network shortages to the broadband network and they are
taking public comments on that issue. And so, Mr. Wilshusen, I
was going to ask you do you think that collecting data on
broadband outages would help gain a better understanding of
when hackers have gotten into our systems?
Mr. Wilshusen. We haven't examined that issue, but I would
imagine collecting information can only be helpful in making
such a determination.
Ms. DeGette. OK. And for the other two witnesses, do you
have any thoughts on the potential for reporting broadband
network outages to contribute to situational awareness like
after there is a major emergency, something like that?
Mr. McGurk. Yes, ma'am. I believe as Ms. Stempfley had
mentioned earlier, reporting is good and more reporting is even
better. So the more information that enables us to develop that
common operation picture that takes all of the data that we are
receiving and then fuses that together. So the more information
we receive in the NCCIC the better situational awareness we can
provide not only to the secretary of Homeland Security and the
other executive secretaries, but also to the President for
decision-making capability.
Ms. DeGette. And just one last question relating to my
opening statement about our communications networks is there is
a lot of issues around supply chains for equipment and
components that have been manufactured abroad for use in the
U.S. So I am wondering if these two witnesses on the end, Ms.
Stempfley and Mr. McGurk, can talk about this publicly. Can you
talk about how DHS is working with other federal agencies to
address that issue of supply chain that part of it is foreign?
Ms. Stempfley. So as you pointed out, the
telecommunications supply chain activities are an interagency
response within the Federal Government. It would be more than
happy to bring another agency body back to discuss that in
detail?
Ms. DeGette. Thank you.
Thank you very much, Mr. Chairman.
Mr. Stearns. I thank the gentlelady.
The gentleman from Texas, Dr. Burgess, recognized for 5
minutes.
Mr. Burgess. Thank you, Mr. Chairman.
Now, if I understand things correctly, there is an
authority that exists within the executive branch to take some
control of transmission grid operations in the event of a
national emergency, is that correct? Either of the DHS witnesses.
Mr. McGurk. Yes, sir. The Secretary for the Department of
Energy has that authority.
Mr. Burgess. And is it necessary to place any limits on
that authority?
Mr. McGurk. Sir, I have the luxury of being a simple sailor
and an operator and I don't normally identify or make
recommendations on policy or operational requirements. I can
say that within the guidelines that we currently have and the
authorities that we currently have, we are able to execute our
mission both efficiently and effectively. So I will leave that
to other members of the Department to comment as far as
additional requirements.
Mr. Burgess. Ms. Stempfley, do you have any thoughts on
that?
Ms. Stempfley. Respectfully, sir, I believe that would be
most appropriate for DHS not to comment on the legal
authorities of another department.
Mr. Burgess. Well, let me ask you this. Should such an
authority be necessary? Should such an occurrence happen that
the authority was necessary? How long would you expect that
presidential emergency authority to be exercised over a
continuous time period?
Ms. Stempfley. Regrettably, sir, I am not in the position
to answer that question.
Mr. Burgess. Well, let me ask you this. It seems like--and
I think it was referenced by either the chairman or the ranking
member in their opening statements--is that we are hearing more
and more about this. Does this just reflect the situational
awareness that these types of threats and these types of
attacks can occur or is, in fact, this a real phenomenon with
the rapidity with which these attacks are coming is increasing?
Ms. Stempfley. So I believe it is all of those things, sir.
There is certainly more awareness within the community of the
importance of cybersecurity and the overall activity. That is
increasing both the detection actions that are occurring and
the reporting actions that exist. Based on that awareness and
what we are seeing is that increase across the board.
We are also, as we all indicated in our opening statement,
seeing an increase in sophistication of the attacks as they
occurred as well. So I believe it is a phenomenon of all
things, sir.
Mr. Burgess. Mr. McGurk, do you have any thoughts on that?
Mr. McGurk. Not in addition, sir. The only thing I would
add was that because of the adoption of information technology
capabilities into the critical infrastructure, we are also
exposing a greater landscape of vulnerabilities to areas that
were in the past specifically closed off and proprietary in
nature. So by adopting that technology, we also advance the
vulnerability landscape associated with those critical
infrastructure operations.
Mr. Burgess. Well, one of the hazards in this is you are
always fighting the last attack. What sort of forward-looking
policies and procedures are being implemented by DHS? Are you
looking into for wherever the perpetrator is, what is the value
that they are deriving from these and are there ways that we
can perhaps preempt some of these attacks before they happen
rather than just simply reacting to them?
Mr. McGurk. Sir, part of what the National Cyber Incident
Response Plan focuses on is moving from the left end of the
continuum where we are primarily focusing on response and
recovery, which to your point, sir, is accurate. We are always
fighting that last event or that last battle.
What we are looking forward to working with the private
sector is moving to the right and putting the preparedness, the
protective, and the preventative measures in place. And we are
taking, again, a multifaceted approach through advanced
technology, working with the owners and operators, and also
with the vendor community to establish criteria for new systems
and new operational parameters.
The Department produces a procurement guideline for owners
and operators which talks about security requirements for new
systems and new operating procedures. And we also work closely
with the integration community so that we are identifying how
to install and how to manage these systems as they are being
updated in the critical infrastructure. So we are looking at it
as a continuum shifting more from the left, the responsive
part, over to the right where we are being preventative and
predictive.
Mr. Burgess. Now, a vast majority of this critical
infrastructure is in private hands, is that correct?
Mr. McGurk. That is correct, sir.
Mr. Burgess. So is there any type of analysis as to the
cost that may be incurred by the private sector to keep up with
what you just articulated.
Mr. McGurk. Yes, sir. In fact, the Department identifies
and describes risk as an equation of threats, vulnerabilities,
and consequences. When we work with the private sector, we
understand that the denominator there is also cost. So the
procurement standards that I had mentioned earlier take that
into account. Not everything can be a gold standard. We are not
saying that you have to have absolute security across the
board. It is a risk-based approach so we take that same
levelized approach and build the business case to identify what
we need to implement in what areas. So if we are going to spend
a dollar to mitigate risk, should we focus on the threats or
should we focus on mitigating the risks and the
vulnerabilities? And then what are the subsequent consequences
associated with that? That is really one of the approaches that
we are taking in addressing this issue.
Mr. Burgess. And do you solicit and accept input from the
private sector, the owners of the critical infrastructure as to
that pricing consideration?
Mr. McGurk. Yes, sir. In fact, as the chairman had
mentioned earlier, one of the things that we focus on is a
number of working groups. And in the industrial control systems
area, we actually sponsor a joint public-private working group,
the Industrial Controls System Joint Working Group, ICSJWG,
which looks at not only mitigating risks but also product
development, implementation, education, and a whole host of
issues. And that is a complete joint environment with both
public and private members represented.
Mr. Burgess. Thank you, Mr. Chairman. I will yield back.
Mr. Stearns. I thank the gentleman.
Dr. Christensen is recognized for 5 minutes.
Mrs. Christensen. Thank you, Mr. Chairman.
Again, welcome to our panel.
Under Homeland Security Presidential Directive 7,
healthcare and public health are identified as critical
infrastructure sectors, and of course the healthcare sector
plays a significant role in response and recovery in the event
of a disaster. So I would like to talk with all of our
witnesses about the efforts to protect this sector against
cyber threats.
Beginning with Ms. Stempfley and Mr. McGurk, what do you
see as the major challenges to ensuring cybersecurity in the
healthcare sector?
Ms. Stempfley. Ma'am, I will begin with some of the kinds
of policy challenges we have been working through in the
Federal Government associated with this. And so, for example,
we are working to deploy technological solutions that enable
detection and prevention measures in place. Those technological
solutions oftentimes require a very detailed analysis of the
kinds of privacy and protection requirements that need to be
put in place that we all feel so strongly about as well and we
need to work through some of those key policy nexuses between
the two so that we can provide that kind of support and
prevention support while still being very true to the
protection measures that we feel so strongly about in terms of
privacy and other areas.
Those kinds of infrastructure systems are very important to
us and we agree with that. Once we get past the policy
questions, it is a matter of how we employ those solutions,
best practices across the board and handle the equally
important integrative systems that exist in healthcare and have
that nexus between IT and embedded systems as well.
Mr. McGurk. Yes, ma'am. I would also mention that one of
the Department's focuses is also on not just protecting the
information in accordance with a number of regulations and
requirements but also the equipment itself. When we look at the
vulnerabilities associated with the other sectors, the
healthcare industry also has an equal number of vulnerabilities
associated with embedded medical devices or with advanced
technology that could potentially be exploited because of the
inherent communications capability of those devices.
So again, the Department is taking not just a data-in-
motion, data-at-rest approach, but a holistic approach to the
healthcare industry, working with the private sector, working
with the manufacturers of these pieces of equipment, and also
with the necessary federal departments and agencies so that
we understand the risks associated with healthcare industry and
provide actionable steps that will better improve not only the
quality of service but the quality of life.
Mrs. Christensen. Thank you. And those focuses estimates
are great. I am assuming you are working with the Department of
Health and Human Services as well as with the private sector.
Ms. Stempfley. With any of the particular sectors, ma'am,
we work very strongly with the sector-specific agency in
helping Human Services specifically in the situation.
Mr. McGurk. In fact, ma'am, we have the National Health
Information Sharing and Analysis Center coming to visit and
tour the NCCIC tomorrow and part of our development process to
get them physically located on board. So they will be actually
visiting us tomorrow so that we can identify those connections.
Mrs. Christensen. Great. Great.
Mr. Wilshusen, I am also interested in hearing more about
GAO's work on cybersecurity issues that affect health and
public health. As providers use more computer-based mechanisms
and programs to help them treat patients, and I guess this sort
of follows up on what you were saying, Mr. McGurk, do you agree
that it poses additional risk to the personal health
information could be released to the public?
Mr. Wilshusen. Certainly. In fact, we have a couple of
engagements that we have ongoing or will start soon. One was
mandated by the High-Tech Act in which GAO is responsible for
reviewing the security and privacy protections over information
that is transferred and exchanged through the Electronic
Prescription System or E-Prescribing.
Mrs. Christensen. Um-hum.
Mr. Wilshusen. We anticipate starting that engagement in
September with the report release date on September 2012.
In addition, we have another engagement that we are
currently working on to look at the security controls and risks
associated with embedded or implantable medical devices such as
insulin pumps, pacemakers, and the like, that can be accessed through
wireless technologies and may have chips in place. So we are
also examining the report of security risk associated with
that, as well as FDA's premarket and post-market review
processes to address those particular risks.
Mrs. Christensen. Well, thank you. My time is running out.
I appreciate the information because the ever-increasing use of
technology in our healthcare system obviously holds a lot of
promise and many benefits. But also as we increase our reliance
on technology, there is also--as you have pointed out very
clearly--the opportunity to hack in and interfere with that.
So thank you, Mr. Chairman. I am out of time.
Mr. Stearns. I thank the gentlelady. Gentlelady from
Tennessee, Mrs. Blackburn, recognized for 5 minutes.
Mrs. Blackburn. Thank you, Mr. Chairman.
Ms. Stempfley, I wanted to come with you. I was just
meeting with one of my airports, and I wanted to know--TSA.
What does the DHS and TSA do with the body images that they
collect from the scanners at the airports? How long are they
stored and do you protect these images? Do you share them with
any other agency? And what action would you take in case you
had a breach?
Ms. Stempfley. Ma'am, the Office of Cybersecurity and
Communications is responsible for setting standards that the
Federal Government has to comply with to include TSA. I am not
familiar with their specific----
Mrs. Blackburn. Would you get back to me on this?
Ms. Stempfley. I certainly would.
Mrs. Blackburn. OK. I know that it is a part of what we are
talking about and it also pertains to the privacy work that we
are doing in our CMT Committee. And I think as we work with
some of the issues we are having with TSA, I would love to have
the answer if you could do that.
I have got another question. This would be for you and Mr.
McGurk. And I mentioned TVA in my opening comments and the
amount of coverage that we have with the power security. I want
to see what your interface is with the state and local
governments and the infrastructure by facilitating the
information sharing of the cyber threats and the incidents and
through the ISACs. So there are 16 of those ISACs, right? OK.
And very briefly if you would just go through how it works,
what kind of information that is shared, what is your process
how you protect the data that you get and what your expectation
is, the state and local governments, that they are going to
protect that data and then what your response would be if you
had a breach?
Mr. McGurk. Thank you, ma'am. I would just like to start
off by saying that we have a very close working relationship
with the Tennessee Valley Authority. In fact, we visited many
times and we share real-time information through a number of
sensor programs that we operate so that we have a better
understanding of the actual threats and impacts associated
with those operational environments.
What we do and how we share that information from the
standpoint at the national level is much of the data that is
voluntarily submitted through the NCCIC comes from either the
ISACs themselves--the Information Sharing and Analysis Centers,
including the Multi-State--or it comes from the private-sector
companies themselves. Much of that data is submitted under the
secretary's authority for the protection of critical
infrastructure information or PCII. That protects that
information from being released even to a regulator, for
instance if it is a power company and they submit the
information to us.
We then take that and we work directly with that company to
develop a mitigation strategy that is a) company-specific and
then b) we anonymize it to the point where it becomes a sector-
specific mitigation strategy. The RSA data breach was a great
example of how, within a short period of time, less than 24
hours of notification of the breach, we had more than 50
companies and federal departments and agencies represented
under the Cyber Unified Coordination Group developing sector-
specific mitigation plans. So those individuals--not only from
a physical environment but also a data-sharing environment--
collaborate to generate those mitigation plans.
Mrs. Blackburn. OK. And at what point do you pull state or
local government into that to participate?
Mr. McGurk. Continuously. So they actually have a
representative on the floor of the Multi-State ISAC.
Mrs. Blackburn. OK. OK.
Mr. McGurk. So they are there in real time.
Mrs. Blackburn. All right.
Ms. Stempfley. And ma'am, to continue on in that
discussion, we have worked with the 50 states to provide
clearances to the chief security officers in each of the states
and then share classified information through their fusion
centers so that that provides not just their representation on
the floor in real time around an event but also gives us an ability
to post-date it to them in their states as well.
Mrs. Blackburn. And then do you do any coeducation and
training with local law enforcement back into your protocols?
Ms. Stempfley. The training activity that we provide--all
of our training is provided on an open basis so that state
representatives can come and participate. I can't speak to
which states have chosen to come in with particular law
enforcement individuals, but we make it available to them in
order for them to take it up.
Mrs. Blackburn. Excellent. Thank you, Mr. Chairman. Yield
back.
Mr. Stearns. The gentlelady from Florida, Ms. Castor, is
recognized for 5 minutes.
Ms. Castor. Thank you, Mr. Chairman. Thank you to the
witnesses for your insight today.
It is apparent that an effective partnership between the
Federal Government and the private sector is necessary to
ensure the security of all of our networks, whether those
networks manage critical infrastructure or simply handle the
day-to-day data of the Federal Government and communications.
Mr. Wilshusen, in your testimony you noted that the private
sector has expressed concerns that DHS is not meeting their
expectations in terms of information sharing. What concerns
does private industry have about DHS' willingness to provide
information?
Mr. Wilshusen. Yes, ma'am. We did a review in which we
surveyed 56 individuals from the private sector from five
private-sector councils. And we found that they identified a
number of key activities that they thought were critical or
important for the public-private partnership to include the
provision of timely and actionable threat and alert
information, having a secure mechanism for collecting
information or sharing information with the public sector. And
only 27 percent of those respondents indicated
that they felt that their public-sector partners were actually
meeting those expectations to a great or moderate extent. And
so there are a number of concerns about being able, on the part
of the private sector, to collect timely information from the
public-sector partners.
Ms. Castor. Were there any particular sectors that stood
out that appeared to be problematic?
Mr. Wilshusen. Well, from the private-sector side, it was
pretty much across the board. The five sectors that were
included in our study included the banking and finance sector,
the IT sector, the communications, energy, and the defense
industrial base sectors. And it was pretty much across the
board. As I mentioned, only 27 percent out of the 56
respondents actually felt that they were receiving support to a
great or moderate extent.
Ms. Castor. So Mr. McGurk, what is DHS doing to address
these concerns and to ensure that you all are working
collaboratively with the private sector?
Mr. McGurk. Ma'am, I would like to start off by saying, you
know, can we do better? Absolutely. We have modified much of
the structures by actually standing up and creating the NCCIC
that met some of the requirements moving forward, by actually
having the private sector participate and not only receiving
the information but developing the information. By having them
physically present in the environment really assists us in
putting the information in a language that is necessary to
reach our constituents.
A great example is in the past when we would produce
information, we would produce it in a language that we
understood, and then we would send that out and that may or may
not meet the needs of our private-sector partners. By having
power engineers and financial services specialists and IT
specialists physically sitting there working with us and
collaboratively developing the knowledge necessary to
distribute, we are able to provide actionable intelligence.
Just last year we received a report in an intelligence
communication of a particularly malicious piece of mal code
that had a subject line on an email called ``here you have.''
Within a few hours of that appearing in a classified report,
the US-CERT produced an early warning and notice that went out
to the broad private sector because we took that data,
declassified it, and provided actionable intelligence for our
private-sector partners. But by having them there and
participating really enables us to provide better products for
our partners and also speeds up the time necessary to generate
that product.
Ms. Castor. Well, how about the flip side? I am also
curious about how well the private sector is communicating with
DHS when they suffer a cyber attack or a breach, Mr. McGurk,
are private companies required to report cyber attacks or
coordinate their responses to those attacks with DHS?
Mr. McGurk. So there is no requirement to report the
information directly to the Department, but I think what has
happened over the development of the partnership over the past
several years is the stigma associated with cyber breaches has
started to be removed and companies are volunteering the
information because they understand that it not only benefits
their ability to maintain goods and services but it will also
assist the broader community because they recognize that when
they share with the Department, we are not going to publish
company-specific information. We are going to anonymize that
and produce mitigation strategies and plans that help the broad
sectors. And they have been working very closely with us in
developing that.
Ms. Castor. Are there instances where DHS has become aware
of a cyber attack or a breach in a particular company and then
you contacted that company to assist and they declined your
offers to work with them, declined assistance?
Mr. McGurk. Yes, ma'am.
Ms. Castor. What can we do about that? How do we improve
the collaboration in working together?
Mr. McGurk. Part of that is an awareness and an
understanding. From the private-sector standpoint, I understand
that we have to demonstrate value and they have to see how
working with DHS and partnering with DHS adds value to their
capability. In some cases, those particular companies had a
very advanced capability. We gave them the early-warning notice
that they needed to take the necessary steps to protect their
networks. So subsequently, additional response from DHS wasn't
required. And in the extreme case, we received declination for
support but recognition of the awareness or the alert.
Ms. Castor. Thank you very much.
Mr. McGurk. Thank you, ma'am.
Mr. Stearns. The gentleman from Virginia is recognized for
5 minutes, Mr. Griffith.
Mr. Griffith. I am just curious, Mr. McGurk, under what
circumstances, if any, would the DHS NCCIC withhold cyber
threat information that it has encountered from owners or
operators of critical infrastructure?
Mr. McGurk. Sir, we do not withhold threat information, but
subsequently, we don't develop threat information. Under the
authorities of the Department, we focus primarily on mitigation
of risk, and that is where we focus our activities. Threat
information is really developed by the intelligence community
and we rely on that partnership with the intelligence community
to identify threat actors.
Mr. Griffith. All right. Do you have any indication that
they may be sometimes withholding information?
Mr. McGurk. No, sir. In many cases, what is germane to
mitigation is not necessarily associated with the actor. It is
the activity. So it is the exploitation of the vulnerability
which is necessary to share to protect the networks, not who is
actually doing it.
Mr. Griffith. Mr. Wilshusen, the GAO reported in October of
2010 that only 2 of 24 recommendations by the President's
Cybersecurity Policy Review had been implemented and the rest
had only been partially implemented. What can you tell us about
whether any additional progress has been made?
Mr. Wilshusen. Well, one of the reasons we found that the
partial implementation occurred was because many of the
agencies were not taking effect because they were not given
specific roles and responsibilities to implement some of those
recommendations, and that kind of delayed actions to
implementing that. We will be following up as part of our
annual review follow-up on our recommendations to see what
extent those recommendations are now being met. But since we
just issued that in October, we have not gone back to follow up
on our prior recommendations and to do a reassessment.
Mr. Griffith. Should we expect an updated report this
coming October?
Mr. Wilshusen. We will be updating the status of our
recommendations, and if you request us to do it, we will
certainly do it.
Mr. Griffith. I would be curious since only 2 of the 24----
Mr. Wilshusen. Right.
Mr. Griffith [continuing]. Were implemented as of last
year, and I am just wondering should we be concerned that so
few of the recommendations had been fully implemented at that
time?
Mr. Wilshusen. Well, there are 10 near-term recommendations
coming out of that policy review, 14 mid-term recommendations.
Several of the mid-term recommendations are actions of such a
nature that it is going to take multiple years to fully
implement those. But the near-term recommendations are very
important and they should be implemented as soon as possible.
Mr. Griffith. All right. I thank you. Yield back my time.
Mr. Stearns. The gentleman yields back.
Yes?
Mr. Burgess. Would you yield to me for follow-up questions?
Mr. Griffith. I yield for follow-up.
Mr. Burgess. Dr. Christensen asked some very good questions
on the healthcare aspects of the critical infrastructure and
going along with what the gentleman was just asking as far as
those forward-looking threats, it seems like we have created
some problems for ourselves in the HITECH Act and some of
the things we have done with the information technology
infrastructure as applied to health. The Stark law, for example,
which prohibits hospitals from putting wire in a doctor's office
if the doctor is not directly affiliated with the hospital. So
pushing a lot of these vertically integrated systems to go on
the internet in order to have the abilities or the ease of
transfer of the data, which then renders them vulnerable to
attacks on the internet. Have you looked at that, whether
perhaps there is something that could be done on the policy
side to lessen the impact of the vulnerability if we were to
make some changes on the regulatory side? A closed loop if you
would between the hospital and a group of doctors, even though
they are not all part of the same business model might be one
way to do that. Have you explored that at all?
Ms. Stempfley. So your example is a wonderful example of
furthering the independence between the infrastructures as they
go forward.
Mr. Burgess. No, it is an example of how we make things
harder than they need to be in the first place and then we have
got to do a whole bunch more stuff to make it workable in the
real world. But continue.
Ms. Stempfley. Thank you, sir. The specific reviews,
technical reviews of proposals is not something that we
certainly do. What we work towards are best practices for the
kinds of separation and containment that might be necessary in
order to understand the environment. Each of the owners and
operators has a better understanding of the risks in their
particular environment in the business models that best serve
them in each of these cases. And so the set of best practices
are an important part of how we do this.
Mr. Burgess. But do we look at the regulations that we, the
Federal Government, have put in place that make it harder for
people to do the right thing in the real world?
Ms. Stempfley. So I am not sure I can say that specific
regulation was reviewed prior to in order to understand the
potential implications across the board, but we do look at
regulations and procedures as they come up.
Mr. Burgess. I appreciate the gentleman for yielding. My
time has expired. Let us look at that going forward. I yield
back.
Mr. Stearns. I thank the gentleman.
Ms. Schakowsky is recognized for 5 minutes.
Ms. Schakowsky. Thank you.
Have any of you, the three of you, read Stieg Larsson's
book, the Girl with the Dragon Tattoo, et cetera?
Mr. Wilshusen. Yes.
Ms. Schakowsky. You have. If you haven't, people who are
into cybersecurity would not only enjoy them but probably be a
little worried about it. The pretty flawed heroine, Lisbeth
Salander, there is no firewall too high or wide or low that she
can't get through. And I think she is the heroine, sort of the
good guy, but the notion of individual actors out there who
have this tremendous capacity to infiltrate I think is a real
concern. I sit also on the Intelligence Committee, and we think
about that a lot.
So here is what I wanted to ask. Do we employ sort of old-
school kinds of techniques like redundancy to make sure--I
remember sitting in a hotel room watching a rolling blackout in
Ohio a number of years ago, which turned out to be a failure of
the grid and not some sort of attack--this was post-9/11--but
felt like it might have been. So do we build in things like we
do in aircraft or whatever, just redundancies so we are not as
vulnerable? Can someone answer?
Mr. McGurk. Yes, ma'am. I do agree that one of the salient
points of the book was that they were focusing on perimeter
defense as a method of ensuring their security, and as you
quite adequately pointed out that there was no wall too high or
too thick that she couldn't get through in the process, and
subsequently, that is why the Department doesn't look at only a
perimeter-defense strategy as part of enabling a sound
cybersecurity profile. We look at a defense-in-depth strategy
so that there are layers upon layers of security implemented. In
addition, we want to focus on the practices and procedures to
address the various risks associated with operating those
networks. Whether it is from insider activity, whether it is
from nation-state-sponsored, whether it is criminal activity,
we treat the act separate from the actors so that we can
understand what they are trying to exploit as far as the
vulnerabilities. So that is the approach that the Department
takes, and we do work very closely with the intelligence
community, law enforcement community, and the private sector to
develop those necessary strategies so that we can have a better
and more secure defense posture.
Ms. Schakowsky. Let me ask another question. There is a lot
of talk and even advertising about how we can centralize data
management and storage and concentration and that you can
access that without individual servers and all kinds of things
to make business more efficient, et cetera. I am wondering if
this creates a new layer, then, of vulnerability if everything
is sort of outsourced to one place.
Ms. Stempfley. The what I call re-architecting moments that
are going on in the environment, things like the movement to
cloud computing and mobility are intelligent and opportunity at
the same time. So there certainly are vulnerabilities that
exist in that environment that must be addressed as we
architect to move things there. But it isn't generally a lump
sum, just pick up and move. There are design considerations
that must be taken into account as you move. And so there are
these opportunities for individuals to look at how they both
handle their data procedurally and how they protect it through
this defense-in-depth approach across the board.
Mr. Wilshusen. And if I may add we did a review over the
cloud computing security and identified a number of both
positive as well as negative security implications of going to
the cloud computing. Particularly of the negative sort is just
agencies lose control over the access to their data, who has
access to it, as well as the ability of agencies who are still
responsible for the protection of that information to assure
themselves through independent testing or other evaluations
that the cloud service provider is actually implementing
security effectively over their environment and the
information. And those are still issues that are still being
worked out. The Federal Government, through GSA--I am not sure
if DHS is involved in this--OMB and others are studying up
different procedures through FedRAMP and some other programs to
try to address some of those areas.
Ms. Schakowsky. I started by talking about this rolling
blackout that I saw. I wondered if we can talk about how secure
our power grid really is. I don't know if you addressed that
earlier. There was a project that showed the effect of hacking
into a power plant's control station via computers and digital
devices, so I am just wondering how that came out and if there
are vulnerabilities that we are correcting?
Mr. McGurk. Yes, ma'am. The purpose behind the Aurora
evaluation and experiment that was conducted by the Department
in conjunction with the Idaho National Lab back in 2007 was
essentially identifying the interdependencies between the
critical infrastructures. That is how it started out. We wanted
to see if we could have a negative impact in an environment by
attacking the capabilities or the equipment of another
environment. For instance, if I destroyed the generation
capability, could I then have an adverse impact on a data-
storage center or an airport or some other physical
infrastructure? So subsequently, we took a look at the
interconnected nature of these devices and we conducted a
series of experiments that identified the capability by
modifying settings and accessing control networks to actually
take a digital protective circuit and turn it into a digital
destructive circuit.
A simple explanation of what we did with Aurora: it is like
you are driving down the road at 60 miles an hour and you throw
your transmission in reverse, it is going to have a negative
impact on that car to operate.
Ms. Schakowsky. Yes.
Mr. McGurk. So that is really what we were trying to
demonstrate. And then subsequently, once we identify the
vulnerabilities, how do we put those protective measures in
place, whether it is through equipment design and modification
or in many cases it is just through procedural changes? So we
look at low-cost or no-cost approach. From that point forward,
the Department has conducted numerous equipment vulnerability
assessments to not only identify inherent vulnerabilities in
devices but to work with industry to develop those mitigation
strategies and in some cases working with the manufacturers to
physically modify the equipment so it is more secure.
Ms. Schakowsky. Thank you. My time has well expired. Thank
you.
Mr. Stearns. The gentleman from Louisiana, Mr. Scalise,
recognized for 5 minutes.
Mr. Scalise. Thank you, Mr. Chairman. If I could ask all
the panelists first, I just want to get your opinion on if our
critical networks are more vulnerable today than they were 5
years ago?
Ms. Stempfley. So my opinion is they are not necessarily
more vulnerable than they were 5 years ago. A great deal has
happened over the last 5 years in terms of coordination,
collaboration across the board. What I believe is that we are
much more aware now than we were 5 years ago both of the role
that they play in the environment. We are certainly more
dependent on cybersecurity solutions and interdependent today,
more aware of that, and there is a higher sophistication in the
threat that exists today than did some time ago.
Mr. Scalise. Mr. McGurk?
Mr. McGurk. Thank you, sir. I would also agree that I
believe it has been an evolutionary period. Perhaps in the past
we were focusing more on information assurance as a method of
achieving cybersecurity, but since then, we have recognized
that since the physical and the virtual are all interconnected,
we are taking a more direct approach towards cybersecurity. So
there may be more reporting but there is more awareness as
well.
Mr. Wilshusen. And I would also say that the threats to
cyber critical infrastructures are increasing. They are
evolving and growing and becoming more sophisticated. So those
two raise the overall risk to those infrastructures. Our
reviews have shown that where we have evaluated the security
over specific systems that they are vulnerable and that
numerous vulnerabilities exist because appropriate information
security controls, which are well known, have not been
implemented on a consistent basis throughout. So while there is
greater awareness, there is also a greater threat I believe and
also the vulnerabilities still remain.
Mr. Scalise. Mr. Wilshusen, in your testimony, the GAO--and
you listed here some GAO recommendations to enhance the
protection of cyber-reliant critical infrastructure. Regarding
these recommendations that you laid out, do you see that other
agencies are looking at these or open to these and specifically
with members of DHS that are here and, you know, I would like
to get their take, too, but what has been the reaction you have
seen from the GAO report of these specific recommendations?
Mr. Wilshusen. Well, for most of our reports in this area,
we have received largely concurrences with our recommendations,
particularly from DHS. They have taken a number of actions to
implement our recommendations and we will be following up with
them to ensure that they are effectively implemented over time.
In some cases, even when DHS non-concurred for the purposes of
our report with the recommendation, they ultimately reversed
themselves and decided to implement the recommendations. So I
think there is awareness and concurrence for the most part of
the agencies to implement our recommendations.
Mr. Scalise. I will ask the same, Mr. McGurk and Ms.
Stempfley, just both of those recommendations but also other
tools that you think should be available.
Mr. McGurk. I would like to add that in addition to the
recommendations of GAO--and we do evaluate them not only from a
technical standpoint but also from an implementation
standpoint, and that is part of the challenge that we
identified. In the critical infrastructure, the networks are
so--in some cases--unique that you can't apply a particular
standard or requirement that is identified by a recommendation
and you may actually cause an interoperability challenge. So we
do look at that from a technical standpoint and then we work
with other standards-settings bodies such as NIST to identify
those best practices and those requirements and then work with
the private sector to ensure that we can actually implement
that without causing an adverse impact or additional cost.
Mr. Scalise. Ms. Stempfley?
Ms. Stempfley. So we agree that the recommendations in the
GAO report are ones that we focus a great deal of attention on
and recognize that cyber is one of the high-risk items that GAO
executes. We have a regular interaction with them around this
particular activity, particularly given the consequences. We
talked a great deal about consequences of malicious activity in
this particular environment. We watch very closely that. And as
we work through issues both in terms of owners and operators,
execution and implementation of practices in their environment
and come out as we are requested to come out and provide
voluntary review of information and infrastructures and the
owner/operators we are also able to identify how they are doing
in terms of implementation and get information about what is
generally accepted practices across the board.
Mr. Scalise. Real quickly one final question before my time
runs out. The Department of Defense's director of intelligence
and counterintelligence has talked about supply chain integrity
and, you know, they suggest that some equipment that we buy,
hardware that we buy could be corrupted both hardware and
software. And there are some things that they are looking at in
that regard, and I wanted to get your take from Homeland
Security or if GAO wants to chime in. Is that something that
you all have looked at as well? Have you seen any problems
there?
Ms. Stempfley. So I believe I made an offer earlier to
bring back an interagency review around supply chain. We
appreciate that it is important for us to look across the
entire lifecycle of both equipment and of software development
as well so that we can make sure that we have good practices in
each of the steps of the lifecycle.
Mr. Wilshusen. And if I may chime in, we are currently
evaluating the supply chain risk process at several agencies
including DOD, DHS, Justice, Energy as part of our review over
the supply chain risks for IT. We are assessing also the
agencies' efforts to employ a risk-based approach to assessing
supply chain risks.
Mr. Scalise. Thank you, Mr. Chairman. I yield back.
Mr. Stearns. Thank you.
The gentleman from Texas, Mr. Green, is recognized for 5
minutes.
Mr. Green. Thank you, Mr. Chairman.
And following up our colleague from Tennessee, Ms.
Blackburn, you know, our committee has jurisdiction both over
cybersecurity and healthcare, and so when we go through those
screenings, could we at least maybe in our jurisdiction have a
radiologist look at those so we can do those full body scans
and it may save us on our imaging cost.
But I want to welcome our panel here. It has been a long
hearing for you all and I thought we ought to laugh a little
bit.
The GAO has long identified protecting the Federal
Government's information system and Nation's cyber-critical
structures. And Mr. Wilshusen, when did the GAO first identify
cybersecurity as part of our high-risk series?
Mr. Wilshusen. That was back in 2003.
Mr. Green. OK. And you did your first major review of DHS
cybersecurity efforts in 2005?
Mr. Wilshusen. That is right. That is when we assessed the
Department's performance and actually implementing some 13
roles and responsibilities that it was responsible for.
Mr. Green. Have you seen improvements in the way that the
Federal Government prepares for and addresses cyber threats
since you have been reviewing DHS' program?
Mr. Wilshusen. We have seen progress at DHS in the way that
it is addressing some of these areas. We also recognize that
there is more that needs to be done, particularly with some of
the sector's specific planning efforts, its cyber analysis and
warning capabilities, as well as just as I mentioned earlier
related to its private-public partnerships.
Mr. Green. OK. I understand in 2009 DHS launched the 24-
hour DHS-led coordinated watch and warning system known as the
National Cybersecurity Communications Integrations System. Mr.
McGurk, what private-sector entities have current access to the
resources of this facility?
Mr. McGurk. Certainly, sir. Currently, we have a direct
partnership with each of the 18 critical infrastructure and key
resource sectors. Physically located on the watch floor today
we have representatives from the energy sector, the financial
services sector, the communications sector, IT sector, Multi-
State ISAC. We are also finalizing agreements with chemical and
others so they can be physically present on the watch floor. In
addition, we recognize the unique capabilities of some of our
other partners in the manufacturing and antivirus environment.
And we are working with them to develop cooperative research
and development agreements so that they can be physically
present so that we can share data in real time.
Mr. Green. Last week reports emerged about a
Department of Homeland Security report on insider threats to
utilities, and when you mentioned utilities were involved in
it, do you have pretty well unanimous support or working
relationship with our utilities in our country from investor-
owned, municipal-owned co-ops like the TVA even? Is that pretty
well uniform throughout the country?
Mr. McGurk. Yes, sir. We have very direct connections with
many of our private-sector partners. We have spent a lot of
time developing cooperative agreements with--for instance,
there is an organization that is made up of the 18 largest
utilities in the United States and they have a Chief
Information Security Officer Panel, which we interface with
directly. I have personally briefed them on a number of
occasions and provided input into those organizations so that
they have a better cyber awareness.
Mr. Green. OK. I know the report was not released to the
public and in the news story we talked about, we have a high
confidence in our judgment that insiders and their actions pose
a significant threat to infrastructure and information systems
of U.S. facilities, and I understand, like I said, the report
is not made public. I would like to ask some questions about
insider threats to our utilities.
Ms. Stempfley, could utility facilities be targets for
terrorists on the cyber side? We know physical targets.
Ms. Stempfley. So I think you will find that the
vulnerabilities that exist and are possible to be exploited
exist in many places to include utilities across the board.
That is one of the reasons why, as we have reiterated, we try
to look at this from a common approach across the environment.
Mr. Green. I am aware in Texas and Houston we have mostly
investor-owned utilities, our service provider CenterPoint,
and I know they are doing some really great things, but does
access to these sensitive facilities--mostly owned by the
private companies--need to be closer guarded and carefully
monitored to protect against these threats?
Ms. Stempfley. So best practice activities in the cyber
security systems are ones of multiple layers of defense, which
would include not just perimeter defense but internal
architecture approaches that separate sensitive data from each
other, rely on identity and other services. Those kinds of best
practices, which are widely available, should be employed
across the board.
Mr. Green. I know a news story last week described an
insider sabotage in April in a water treatment plant in Arizona
where a disgruntled employee took control of the control room
to create a methane gas explosion. What is DHS doing to ensure
that these types of insider sabotage, again, whether they are
just one person or a plan, what is DHS doing to try and limit
some of this insider cyber sabotage?
Ms. Stempfley. As we have identified, we continue to
provide the kinds of warning products, indicators of activities
that might be necessary and the kinds of best practice guides
for owners and operators to employ. In your example, it would
be up to that particular owner and operator to employ those
practices.
Mr. Green. And Mr. Chairman, I would just like to ask one
last thing.
And do you get pretty good cooperation throughout the
country with the utilities?
Mr. McGurk. Yes, sir, absolutely. We get a very close
working relationship with utilities.
Mr. Green. Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman. We will quickly go for
a second round. We don't have votes and so I welcome my
colleagues if they wish to have a second round.
I would like to return to the Stuxnet issue if you don't
mind, Mr. McGurk. If you can, just answer yes or no.
Do you know how many operators in the industrial controls
infrastructure actually implemented DHS guidance on Stuxnet?
Mr. McGurk. No, sir.
Mr. Stearns. OK. How many U.S. companies use a type of
Siemens industrial control products that were the target of
Stuxnet attacks?
Mr. McGurk. A total number of companies? It is very
difficult to quantify, sir, because we don't have this ability
into all of their networks, but there were approximately 300
companies that had some combination of hardware and software.
Mr. Stearns. So 300 U.S. companies?
Mr. McGurk. Yes, sir.
Mr. Stearns. Approximately. Good. Do you believe that if
the U.S. companies implemented the DHS guidance on Stuxnet,
they will be able to fend off a future attack from this
software?
Mr. McGurk. Yes, sir, from this particular piece of
malcode.
Mr. Stearns. In addition to this software, we have heard
that there are other vulnerabilities identified in industrial
control systems, including a Beresford vulnerability or
exploit. Does that ring a bell?
Mr. McGurk. Yes, sir.
Mr. Stearns. Um-hum. Given that Stuxnet's impact and the
other vulnerabilities that exist, are you comfortable that our
country's industrial control systems are secure from cyber
attacks?
Mr. McGurk. I think it is an evolving threat, sir, so we
have to continue to move forward and not focus on the previous
attacks.
Mr. Stearns. Wasn't the Beresford attack developed by one
researcher in about 2-1/2 months? That is our background. And
what does that say about the safety of our system if someone
could work with his laptop computer in 2-1/2 months, develop
something that is vulnerable, and be used? Would you care to
comment?
Mr. McGurk. Yes, sir. What that really highlights is the
fact that it is not necessarily attributed to the actor itself
but it is the action and the vulnerabilities that we need to
focus on. Because as you had mentioned in your opening
statement and again when focusing on Stuxnet, it is not the
capability of the actor that necessarily brings about the
consequence. It is the actual vulnerability associated that is
being exploited, and that is really where the Department is
focusing much of its efforts.
Mr. Stearns. OK. What step has DHS taken to prepare and
defend against a Beresford type of attack to industrial control
system and has this guidance or other direction been issued to
the industry of the private sector? And I will ask you later.
Go ahead, Mr. McGurk.
Mr. McGurk. Sir, the Department has produced a number of
specific actions and guidance associated with various types of
cyber risk and cyber threats but again, not focusing on the
actor or the activity but focusing on the vulnerability and the
necessary methods to secure the networks. We actually will not
only address that issue but maybe the next-generation issue
that could occur.
Mr. Stearns. Do you actually talk to these U.S. companies
to see how they are implementing and doing this?
Mr. McGurk. Yes, sir. In many cases, we are invited to
actually do an onsite assessment associated with the
vulnerabilities to see how they implement the mitigation plans.
Mr. Stearns. Well, just approximately how many do you think
you have assessed?
Mr. McGurk. We have assessed approximately--this past year
we did 53. The year before we did about 40. These are voluntary
assessments. The year prior to that, another 30. So we have
done over 100 voluntary assessments and incident response
activities over the past 3 years.
Mr. Stearns. Now, was that oriented towards the Stuxnet or
was it also involved with the Beresford?
Mr. McGurk. It is involved with all types of
vulnerabilities, not just those two particular instances.
Mr. Stearns. Mr. Wilshusen, do you mind commenting?
Mr. Wilshusen. Well, in our reviews we often also focus on
the vulnerabilities of systems because that is what the
agencies or the operators can control. They can't always
control the threats that come their way, but they can control
how well they protect their systems and protect against known
vulnerabilities. And so that is one thing that we often look
at. And at the systems that we examine at a detailed level, we
typically find that they are vulnerable.
Mr. Stearns. Ms. Stempfley, you had indicated, in answer to
a question about whether we are more vulnerable today than we
were 5 years ago, that you didn't think so. And I
guess the question is based upon what I have just given you
some examples how a man in just 2-1/2 months could come up with
something that can make our system vulnerable, I guess the
question for each panelist, can you explain how the cyber
threats you are seeing now are different from 2 or 3 or 5 years
ago? And I will start with you, Ms. Stempfley?
Ms. Stempfley. So the cyber threats now are certainly more
sophisticated than they were several years ago. The threats are
focused more on individuals and very specific activities. An
example I have used is spear phishing is very targeted to an
individual. I received an email not too long ago that appeared
to be from my husband as a situation and it was about a topic
about college payment activities, and that was identified and
sent to me. And had I clicked on it, it may have been something
that was malicious. That is an example of increased
sophistication and increased focus that exists.
The number of vulnerabilities that have existed and the
kind of model that you presented where a researcher identified
a vulnerability and something that is already in existence,
that vulnerability had been there from the beginning. It was
just recently identified. And so the specific vulnerabilities
have not increased in that scenario. We are just more aware of
it now and more able to respond.
Our protective measures and protective guidance are about
building these infrastructures in a way that reduces the
exposure of those vulnerabilities and makes it less likely for
threat actors to be able to be successful.
Mr. Stearns. And Mr. McGurk?
Mr. McGurk. Yes, sir. I would also agree that, you know, it
is a matter of awareness and understanding the interconnected
nature of the----
Mr. Stearns. But you don't see the cybersecurity increasing
in the last 5 years?
Mr. McGurk. Do I see cybersecurity risk?
Mr. Stearns. Threats increasing.
Mr. McGurk. Threats, yes, sir, as a result of exploiting
those vulnerabilities because of the sophistication and also
the targeted nature. In the past we were talking about just
basic data exfiltration from a very broad audience. Now, we
are seeing--in the RSA example that was mentioned earlier--very
specific, targeted attacks against these aggregation centers.
Mr. Wilshusen. And I agree, and I think you will continue
to see more blended types of attacks that exploit a number of
different vulnerabilities in order to gain access to its
target.
Mr. Stearns. So you would agree that the cyber threats are
more now than they were 5 years ago?
Mr. Wilshusen. And more sophisticated.
Mr. Stearns. Let me just close by this question. I am not
quite clear myself what this Beresford software does or did.
Can you describe, Mr. McGurk, what it does? Do you know
anything about it?
Mr. McGurk. I don't have those specific details of the
analysis in front of me today, sir, so I couldn't really
comment on that.
Mr. Stearns. Anybody?
Mr. Wilshusen. No.
Mr. Stearns. OK. All right. My time has expired.
The gentlelady from Colorado.
Ms. DeGette. Thank you very much, Mr. Chairman.
First of all, I would like to ask unanimous consent to put
Mr. Waxman's opening statement in the record.
Mr. Stearns. By unanimous consent, so ordered.
[The prepared statement of Mr. Waxman follows:]
Ms. DeGette. Thank you.
So this is the perfect segue actually to just one question
I had of clarification. We are all throwing around the words
threat, vulnerability, and risk quite a bit today. And Mr.
Wilshusen, I am wondering as we prepare for our subsequent
hearings on these topics, you can just basically describe for
us whether there is a difference between those three words and
what the technical descriptions are.
Mr. Wilshusen. Sure. Yes. And there is a difference. A
threat is basically any circumstance or event that can
potentially cause harm to an organization's operations, assets,
personnel, or whatever. A vulnerability is a weakness in the
security controls that are over a system or network. There is
actually a fourth component here before we get to risk, and
that is impact. What is the impact that could occur should a
threat, either a threat actor or an event occur, exploit a
vulnerability? What is the impact that it could have? And then
those three kind of equate to what risk is.
Ms. DeGette. Thank you. And are they all three things we
should be concerned about?
Mr. Wilshusen. Yes, indeed. Absolutely. Threats are what
you try to guard against. The vulnerabilities are what you try
to prevent and minimize by taking corrective actions and
implementing appropriate security controls. And you do that in
such a manner that you minimize the impact should such a
security incident occur. And so, yes, it is important to think
of all of them.
Ms. DeGette. So you have heard both me and the chairman and
other members of this subcommittee talk about this committee's
jurisdiction. I am wondering if there are any particular sectors
of our jurisdiction that you think we should look more closely
at in subsequent hearings?
Mr. Wilshusen. I think in terms of from a cyber
perspective, I think probably the key sectors would be energy,
electricity, both nuclear and other just because of the
interdependencies that they have with other sectors, IT,
finance and banking, and also communications would be I think
the four that are the most important just because of the
interdependencies that they have with the other critical
sectors.
Ms. DeGette. Great. Thank you.
Thank you very much, Mr. Chairman. I yield back.
Mr. Stearns. I thank the gentlelady. I want to thank the
witnesses for their participation, their coming here this
morning.
The committee rules provide that members have 10 days to
submit additional questions for the record to the witnesses. And
with that, the subcommittee is adjourned.
[Whereupon, at 12:41 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]