b"<html>\n<title> - DRAFT LEGISLATIVE PROPOSAL ON CYBERSECURITY</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n              DRAFT LEGISLATIVE PROPOSAL ON CYBERSECURITY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n                       INFRASTRUCTURE PROTECTION,\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            DECEMBER 6, 2011\n\n                               __________\n\n                           Serial No. 112-61\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n\n74-646PDF                 WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Peter T. King, New York, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nDaniel E. 
Lungren, California        Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nMichael T. McCaul, Texas             Henry Cuellar, Texas\nGus M. Bilirakis, Florida            Yvette D. Clarke, New York\nPaul C. Broun, Georgia               Laura Richardson, California\nCandice S. Miller, Michigan          Danny K. Davis, Illinois\nTim Walberg, Michigan                Brian Higgins, New York\nChip Cravaack, Minnesota             Jackie Speier, California\nJoe Walsh, Illinois                  Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         Hansen Clarke, Michigan\nBen Quayle, Arizona                  William R. Keating, Massachusetts\nScott Rigell, Virginia               Kathleen C. Hochul, New York\nBilly Long, Missouri                 Janice Hahn, California\nJeff Duncan, South Carolina\nTom Marino, Pennsylvania\nBlake Farenthold, Texas\nRobert L. Turner, New York\n            Michael J. Russell, Staff Director/Chief Counsel\n               Kerry Ann Watkins, Senior Policy Director\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                Daniel E. Lungren, California, Chairman\nMichael T. McCaul, Texas             Yvette D. Clarke, New York\nTim Walberg, Michigan, Vice Chair    Laura Richardson, California\nPatrick Meehan, Pennsylvania         Cedric L. Richmond, Louisiana\nBilly Long, Missouri                 William R. Keating, Massachusetts\nTom Marino, Pennsylvania             Bennie G. Thompson, Mississippi \nPeter T. King, New York (Ex              (Ex Officio)\n    Officio)\n                    Coley C. O'Brien, Staff Director\n                 Zachary D. 
Harris, Subcommittee Clerk\n        Chris Schepis, Minority Senior Professional Staff Member\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies...................................................     1\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies...................................................     2\n\n                               Witnesses\n\nMr. Gregory E. Shannon, Chief Scientist for Computer Emergency \n  Readiness Team, Software Engineering Institute, Carnegie Mellon \n  University:\n  Oral Statement.................................................     4\n  Prepared Statement.............................................     6\nMs. Cheri F. McGuire, Vice President of Global Government Affairs \n  and Cybersecurity Policy, Symantec Corporation:\n  Oral Statement.................................................    11\n  Prepared Statement.............................................    13\nMr. Gregory T. Nojeim, Senior Counsel and Director, Project on \n  Freedom, Security and Technology, Center for Democracy and \n  Technology:\n  Oral Statement.................................................    18\n  Prepared Statement.............................................    20\nMr. Kevin R. Kosar, Analyst in American Government, Congressional \n  Research Service:\n  Oral Statement.................................................    
28\n  Prepared Statement.............................................    30\n\n \n              DRAFT LEGISLATIVE PROPOSAL ON CYBERSECURITY\n\n                              ----------                              \n\n\n                       Tuesday, December 6, 2011\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:15 a.m., in \nRoom 311, Cannon House Office Building, Hon. Daniel E. Lungren \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Lungren, McCaul, Walberg, Meehan, \nLong, King (ex officio), Clarke, Richardson, Richmond, Keating, \nand Thompson (ex officio).\n    Mr. Lungren. The Committee on Homeland Security \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies will come to order. We have been advised \nby top staff on the subcommittee that we may proceed. Ms. \nClarke, unfortunately, is caught in traffic, which I think a \nlot of people are this morning, but we will proceed.\n    The subcommittee is meeting today to examine the \ncommittee's ``Draft Legislative Proposal on Cybersecurity.'' \nThe draft legislation was distributed with the hearing notice, \nalthough the draft was circulated with Members of the other \nside of the aisle, I believe, in August, and there have been \nvery few changes made since that time. I would ask other \nMembers if they wish at the conclusion of this hearing to co-\nsponsor the draft before us. 
We intend to drop this immediately \nso that we can begin the process moving this forward.\n    Top Government intelligence and military leaders point to \ncybersecurity as the issue that worries them the most, \nprimarily because it touches every aspect of American life, \nincluding our military operations. Tomorrow is December 7, the \ndate recalled by CIA Director Leon Panetta in recent testimony \nbefore Congress about his fear of a cyber Pearl Harbor. The \ngrowing connectivity between information systems, the internet, \nand our critical infrastructure creates opportunities for \nattackers to disrupt telecommunications, electric power, energy \npipelines, and our financial networks. We hear every day that \ncyber attacks are escalating around the world, but particularly \nhere in the United States where extensive digital networks' \ninformation systems provide a rich target for thieves and rogue \nnations. Disgruntled employees, hackers, even foreign \ngovernments, ``are knocking on the door of these systems and \nthere have been intrusions.'' There has been a 40 percent spike \nin cyberthreats to Government networks in the last year alone, \nas reported. The Commerce Department estimates that the theft \nof intellectual property, most stolen via electronic means, \ncosts $250 billion annually and eliminates approximately \n750,000 U.S. jobs.\n    Cybertheft, unfortunately, is no longer our only concern. \nThe Stuxnet virus demonstrates the offensive capability to \nattack and incapacitate critical infrastructure. This presents \na more immediate destructive threat, a digital warhead \ndelivered through the internet. Cybersecurity is now recognized \nas a critical component of our National economic and National \nsecurity. Failure to improve our cyberdefenses will expose our \nintellectual property to continued theft and damage to our \ncritical infrastructure, putting in jeopardy our future \neconomic prosperity. 
Congress needs to act to improve our \ncyberdefenses by designating the responsible agency and \nGovernment to coordinate defense of the Government networks.\n    We agree with the administration that the Department of \nHomeland Security is the appropriate agency to lead this effort \nand protect our critical information infrastructure, and our \nbill codifies DHS' cyber roles and responsibilities. Further, \nwe need to improve our ability to assess cyber risks and \nstrengthen cyber standards, generally with help from NIST. We \nshould also encourage existing regulators to improve the cyber \nstandards for the most critical infrastructure within their \npurview. The cyberthreat must be addressed in partnership with \nthe private sector which owns, as we know, most of the \ncountry's critical infrastructure. This will require \nestablishing a true, trusted partnership between Government and \nthe private sector. Our objective is to create a partnership of \nequals designed to facilitate the exchange of cyber information \nand intelligence, thereby to accelerate cyberthreat \nidentification and remedies. This trusted partnership under our \nbill will be known as the National information-sharing \norganization.\n    These changes proposed in our legislation are within our \ncommittee's jurisdiction and will, we believe, enhance \ncybersecurity of our critical information infrastructure. \nToday's hearing will afford our private sector partners another \nopportunity to weigh in on our approach to protecting critical \ninformation infrastructure from this escalating cyberthreat.\n    We look forward to hearing your comments. I now would \nrecognize the Ranking Member of our subcommittee, the \ngentlelady from New York, Ms. Clarke.\n    Ms. Clarke. Thank you very much, Mr. Chairman, and thank \nyou for bringing your proposed legislation to our subcommittee. 
\nI appreciate the diligence that our witnesses have shown in \nanalysis of the legislation and want to particularly thank Mr. \nKosar for his scholarly work and quick turnaround. From my \nperspective, the Department must have sufficient authority to \nmake sure that Government and privately-owned critical \ninfrastructure install and monitor ample protection for their \ncyber systems, both agency-wide in the Federal Government and \nfor identified critical infrastructure that supports the \neconomic, social, and security needs of our Nation. Effective \nimplementation of that authority will enable DHS to lead by \nexample, a prerequisite for building credibility and trust with \nprivately-owned critical infrastructure.\n    In H.R. 174, the Homeland Security Cyber and Physical \nInfrastructure Protection Act of 2011, introduced by Mr. \nThompson in January of this year, and which I co-sponsor, the \nDepartment is specifically given major cybersecurity \nresponsibility and includes a plan to oversee cybersecurity \nefforts for identified critical infrastructure, much like we \nalready do in the CFATS program, which I think is a prudent \nrisk-based approach.\n    The draft legislation we have before us includes an \nemphasis on voluntary incentives for private companies with \nsome narrowly-targeted regulation for critical infrastructure \nindustries that are already highly regulated. I think we are \nall looking for a way not to have regulation that duplicates \nwhat is already being done. Government can ask the critical \ninfrastructure systems to improve security only if Government \nis a model leading by example.\n    Mr. Chairman, I am glad to see the language of the \ndiscussion draft does provide some provisions that are broadly \nsimilar to provisions in H.R. 174 and the White House cyber \nproposal. 
For example, by increasing the responsibilities of \nthe Department for cybersecurity in Federal agencies and \ncritical infrastructure, authorizing US-CERT, addressing supply \nchain vulnerabilities, increasing cyber R&D, and providing \nenhanced personnel authorities to improve the cybersecurity \nworkforce.\n    My concern is two-fold. How can we realistically increase \nour cybersecurity efforts if the House appropriations \ndrastically-reduced level of funding is implemented? Second, \nthe discussion draft relies on purely voluntary actions and \nestablishes a non-profit quasi-Governmental entity, the \nNational Information-Sharing Organization, with private and \npublic sector members, for the purposes of facilitating \ninformation exchange, performing collaborative cybersecurity \nR&D, and encouraging non-Federal use of voluntary cybersecurity \nstandards.\n    I think it is important that we look closely at the details \nof this quasi-Governmental entity to explore the real-life \nimplications of such a body and its actions, and how it would \naffect the Department's ability to enhance cybersecurity for \nour Government agencies, our crucial critical infrastructure, \nand ultimately for our citizens.\n    So thank you again, Mr. Chairman. These are issues that I \nam anxious to learn more about, and I look forward to the \ntestimony today, and I yield back.\n    Mr. Lungren. I thank the gentlelady. Other Members of the \ncommittee are reminded that opening statements may be submitted \nfor the record.\n    We are pleased to have a very distinguished panel of \nwitnesses before us today on this very important topic.\n    Dr. Greg Shannon is the chief scientist for the CERT \nProgram at Carnegie Mellon University Software Engineering \nInstitute. In this role he works with CERT management and staff \nto establish and enhance the program's research visibility, \ninitiatives, strategies and policies. Prior to joining CERT, \nDr. 
Shannon was the chief scientist at two startups where he \nworked on insider threats, the science of cybersecurity and \nstatistical anomaly detection.\n    Ms. Cheri McGuire serves as the vice president of Global \nGovernment Affairs and Cybersecurity Policy, where she leads a \nglobal team focused on cybersecurity, data integrity, and \nprivacy issues. She works extensively with industry and \nGovernment, including serving as chair of the IT Sector \nCoordinating Council. That is one of the 18 critical sectors \nidentified by the President and DHS to work with the Government \non critical infrastructure, protection, and cybersecurity \nmatters. Prior to joining Symantec in 2010, she served as \ndirector for critical infrastructure and cybersecurity in \nMicrosoft's trustworthy computing group.\n    Mr. Gregory Nojeim is senior counsel at the Center for \nDemocracy and Technology, or CDT. In this capacity he conducts \nmuch of CDT's work in the areas of National security, \nterrorism, and Fourth Amendment protection. Prior to joining \nCDT in May 2007, he was legislative counsel of the American \nCivil Liberties Union and for 7 years was the associate \ndirector and chief legislative counsel of the ACLU's Washington \nlegislative office.\n    Dr. Kevin Kosar is an Analyst in American National \nGovernment for the Congressional Research Service where he has \nserved since 2003. CRS' research portfolio includes \nCongressionally-chartered organizations, the U.S. Postal \nService, classified information policy, Government \ncommunications and privatization, all obviously non-\ncontroversial areas. He previously testified before Congress in \nApril 2010, before the House Oversight and Government Reform \nCommittee, regarding the U.S. Postal Service's financial \ncondition. A contributing editor at Public Administration \nReview Journal, Dr. Kosar received his Ph.D. 
in politics from \nNew York University.\n    As you all know, your printed texts will be made a part of \nthe record in their entirety. You are each recognized for 5 \nminutes to give us a summary of your testimony, and at the \nconclusion of which we will go in order for questions.\n    So the Chairman will recognize Dr. Shannon to testify.\n\n STATEMENT OF GREGORY E. SHANNON, CHIEF SCIENTIST FOR COMPUTER \n   EMERGENCY READINESS TEAM, SOFTWARE ENGINEERING INSTITUTE, \n                   CARNEGIE MELLON UNIVERSITY\n\n    Mr. Shannon. Thank you, Chairman Lungren, Ranking Member \nClarke, and subcommittee Members. I am honored to testify \nbefore you again now on this important legislation. I am the \nchief scientist for the CERT cybersecurity program at the \nSoftware Engineering Institute which is a DOD FFRDC, operated \nby Carnegie Mellon. The CERT Program's Associated Coordination \nCenter was created in 1988 in response to the Morris worm \nincident, and we have grown into a National asset in \ncybersecurity with 250 staff supporting the cybersecurity needs \nof the DOD, DHS, and others. CERT has been and continues to be \na key partner with US-CERT in its important work.\n    As we talk today about the draft legislation and in \nparticular the concept of a National Information-Sharing \nOrganization, or NISO, please consider the role of trust in \nsharing sensitive information, especially the process of \nestablishing trust. Consider for a moment, if you will, your \nown personal experience in trusted sharing of sensitive \ninformation with an organization such as your last visit to \nthe doctor, a parent-teacher conference, or the voting booth. \nYour willingness to share sensitive information was probably \ndriven by the degree to which you trusted that organization \nand derived benefit from that organization. 
That \ntrust took time to establish and is expressed in cultural \nnorms, laws, relationships, processes, et cetera. That trust \nwasn't legislated, though it often is assisted by \nlegislation. So it is likewise with sensitive cybersecurity \ninformation provided by private entities to a NISO.\n    I appreciate the frustrations with the current range and \npace of information sharing. We all wish for more, better, \nsooner. Our view is that DHS is making great progress and this \nlegislation should augment that work. I endorse the committee's \nproposal to establish a non-profit private entity to serve as a \nNational clearinghouse for the exchange of cyberthreat \ninformation. We believe that a third-party, honest broker \nfacilitator for the disclosure and dissemination of \ncybersecurity knowledge creates an excellent environment where \nall participants, both Government and non-Government, more \nreadily share sensitive information. Like with the Conficker \nworking group, trusted relationships are a critical success \nfactor for NISO and reliable trust takes time to establish, \nespecially at scale.\n    The type of information that organizations are being asked \nto share with each other and the U.S. Government is sensitive, \nand sharing such information requires trusted relationships \nestablished and tested over time.\n    Another critical success factor is data value, in addition \nto protections and policy that we discuss in our testimony. \nThe data, information, and knowledge that the NISO collects and \nshares must be distinct and not readily available; else there \nis little or no incentive to participate. Value results from \nnot only access to unique data but also from analysis that \nenables reactive and proactive responses by participants. 
Like \nthe CDC, the Centers for Disease Control, the NISO must have \ndistinct capabilities that make it the go-to organization for \ncyberthreat awareness for private entities.\n    Federally-enabled sharing of cybersecurity information is \nevolving. Many of the existing sharing relationships are shown \nin diagram 2 of my written testimony. The jumbledness of the \nlinks demonstrates that a NISO should complement sharing, \nclarify roles and responsibilities and, as appropriate, help \nconsolidate those roles and responsibilities. We don't need yet \nanother loosely mandated cybersecurity information-sharing \norganization, and NISO can be a step in the right direction, \nespecially in helping to clarify interactions.\n    Since we are discussing data, information, and knowledge, \nlet's also talk about the importance of operationally and \nscientifically valid data, especially in the context of \nresearch, development, acquisition, and assessment. This \napplies to both sections 2 and 4 of the draft legislation.\n    Given the preponderance of threats, standards, \ntechnologies, products, best practices, et cetera, in \ncybersecurity, I strongly encourage the committee to include \nlanguage in the legislation that emphasizes the need for \noperationally and scientifically valid, scientifically sound \ncapabilities. Not every best practice scales well and not every \ntechnology has scientifically sound evidence of its efficacy \nand its limitations. Such legislation language would create an \nimportant positive demand for well-formed pilots and \nexperiments that produce broadly meaningful data and results. \nThis would stimulate the development and maturation of ever-\nimproving methodologies for pilot projects, assessments, \nexperiments, and research.\n    In conclusion, I look forward to working with the \nsubcommittee to improve the timely sharing of actionable \ncybersecurity information that is operationally and \nscientifically valid. 
Thank you.\n    [The statement of Mr. Shannon follows:]\n                Prepared Statement of Gregory E. Shannon\n                            December 6, 2011\n    Chairman Lungren, Ranking Member Clarke, and other distinguished \nMembers of the subcommittee, thank you for the opportunity to testify; \nit is my pleasure to discuss your draft legislation.\n                              about cert\n    The CERT Program is part of the Carnegie Mellon University Software \nEngineering Institute (SEI), a Department of Defense Federally-funded \nresearch and development center (FFRDC) located on the Carnegie Mellon \ncampus in Pittsburgh, Pennsylvania (www.sei.cmu.edu).\n    The CERT Program (www.cert.org) has evolved from the first computer \nemergency response team, created by the SEI at the request of the \nDefense Advanced Research Projects Agency (DARPA), in 1988 as a direct \nresponse to the Morris worm incident. The CERT Program continues to \nresearch, develop, and promote the use of appropriate technology and \nsystems management practices to resist attacks on networked systems, \nlimit damage, restore continuity of critical systems services, and \ninvestigate methods and root causes. CERT works both to mitigate cyber \nrisks and to facilitate local, National, and international cyber \nincident responses. Over the past 23 years, CERT has led efforts to \nestablish over 200 computer security incident response teams (CSIRTs) \naround the world--including the Department of Homeland Security (DHS) \nUS-CERT. We have a proven track record of success in transitioning \nresearch and technology to those who can implement it on a National \nscale.\n    I am Dr. 
Greg Shannon, the Chief Scientist for the CERT Program, \nwhere I lead efforts to sustain and broaden CERT's strategic research, \ndevelopment, and policy initiatives.\n                               testimony\n    I first want to ensure that the committee appreciates the \nexceptional work that is under way at the Department of Homeland \nSecurity (DHS) in the area of information sharing. I understand \nfrustrations with the current range and pace of information sharing, \nbut I assure you that DHS is making great progress. The type of \ninformation that organizations are being asked to share with each other \nand the U.S. Government is sensitive, and sharing such information \nrequires trusted relationships, established and tested over time. \nEstablished trust is a key success factor for such programs, and \nreliable trust takes time.\n    Working from the objectives of the current draft legislation, \ndrawing on CERT's 23 years of experience, and using concepts from \npublic health models,\\1\\ I will discuss how to leverage current \nefforts, the strengths and challenges of both the current efforts and \nthe legislation, and specific recommendations. The mission of our FFRDC \nis to improve the state of the practice, so I will focus on what should \nbe done versus who should be doing it.\n---------------------------------------------------------------------------\n    \\1\\ I am drawing on ideas and language in the forthcoming report \nfrom the EastWest Institute, Using a Public Health Model to Support \nCollective Action to Improve Global Internet Health, that is being \nwritten by an international private-sector-led working group.\n---------------------------------------------------------------------------\n    I endorse the committee's proposal to position a non-profit private \nentity to serve as a National clearinghouse for the exchange of cyber \nthreat information--the NISO (National Information Sharing \nOrganization). 
We believe that a ``third-party, honest broker'' \nfacilitator for the disclosure and dissemination of cyber-security \nintelligence creates a superior and more productive environment where \nall participants, both Government and non-Government, more readily \nshare sensitive information. Moreover, it is imperative that the \ndesignated organization is making decisions for the greater good based \non the highest quality data, openly acquired and objectively analyzed.\n    Many of the goals proposed for the NISO have parallels to the \nactivities of the Centers for Disease Control and Prevention (CDC)--the \nfact that it is a Federal agency notwithstanding. As the Nation's \nleader in health monitoring, prevention, and preparedness, the CDC \nworks to monitor and prevent outbreaks, implement prevention \nstrategies, and maintain National statistics--it is a central \nclearinghouse for information with response capabilities. Crucially, it \ndoes so by working with partners throughout the Nation and the world to \ncollaboratively create the expertise, information, and tools that \npeople and communities need to protect themselves.\n    We envision the NISO, like the CDC, filling a cyber information \nleadership role while interacting with existing groups. The NISO, run \nby a non-profit, would have in-house functions, maintain a common \noperating picture and a 24/7 help desk, but its biggest role will be \nto interface with present-day efforts and improve communications and \ncollaboration. I want to ensure the committee recognizes the on-going \nwork within established frameworks and discuss the benefits of \nutilizing progress already made. To add yet another institution could \nin practice derail the current advancements and delay the committee's \nultimate goal of timely information sharing. 
I suggest that instead of \ncreating a duplicative organization, the committee charge the NISO with \nbeing the single point of interaction for those successful efforts and, \nwhen appropriate, consolidate work under the NISO.\n    I share and understand frustration that capabilities for cyber \nthreat information sharing are not being created quickly enough. Human \nnature reasons that adding people to a late or slow project will \naccelerate performance; however, Brooks's Law, also known as the \n``mythical man-month,'' suggests otherwise. Based on his experiences at \nIBM, Dr. Fred Brooks states: ``adding manpower to a late software \nproject makes it later.''\\2\\ Brooks found that there is ``ramp-up'' \ntime to adding staff to a project--they aren't productive immediately, \nand their education diverts resources from the rest of the team. \nFurthermore, a new player sharply increases communication costs. As you \nadd additional ``reporting'' bodies, confusion as to who should be told \nwhat and when is only exacerbated. Everyone working on the same task \nneeds to stay synchronized, so as more people are added, they spend more \ntime trying to find out what everyone else is doing. Furthermore, Dr. \nBrooks famously said, ``Nine women can't make a baby in one month,'' \nimplying that regardless of the manpower, some undertakings just take \ntime. For information sharing, building the necessary trust \nrelationships cannot be rushed.\n---------------------------------------------------------------------------\n    \\2\\ Frederick P. Brooks, Jr. ``The Mythical Man-Month.'' 1995 \n[1975]. Addison-Wesley.\n---------------------------------------------------------------------------\n    To better understand our vision, I have mapped out how a NISO \norganization might look--see Diagram 1. 
In doing so, we made \nassumptions about the overall goals of the organization based on the \nstated and implied objectives, and I encourage the committee to think \ncarefully about what problems they want the NISO to solve and how the \nstructure and authority of the NISO helps solve those problems. Using \nCERT's experience we have listed what we see as the necessary \ncapabilities and enablers for a successful NISO.\n    There are four critical success factors for such an entity to \naccomplish the objectives set out: Data of value, trust, protections, \nand policy. First, for the NISO to have success, it absolutely must be \nable both to share and facilitate the sharing of timely, actionable \ninformation. The existence of the former will enable the latter. \nFurthermore, that which the NISO shares must be distinct and not \nreadily attainable by participating organizations. Otherwise there is \nlittle or no incentive to participate. The value of NISO's information \nwould come from either being the exclusive distributor of an insight \nthrough novel aggregations or applying a new analysis technique to \nunique, participant-shared, or public information. Providing valuable \ndata is not only the result of having access to unique data, but also \nthe ability to fundamentally analyze the data differently to provide \nreal, actionable, intelligence from which best practices are derived. \nFor the NISO to truly serve a significant and useful role, the timely \nand actionable information they disseminate to participating \norganizations must be reactive as well as proactive, such as best \npractices. The promise of exclusive information, such as fused analysis \nof network data, network traffic, or forensic artifacts, will be the \nvalue added that NISO participants need to justify their participation. 
\nThis information will also differentiate the suggested common operating \npicture (COP) from the several entities that offer situational \nawareness, and bring the necessary added value to ensure participant \ninvolvement. Furthermore, the COP should strive to be able to \nfundamentally analyze the data differently, further differentiating the \nNISO from similar organizations and enticing participation. This \nfunction would draw nicely from the anticipated collaborative research \nand development. Like the CDC, the NISO needs distinctive capabilities \nthat make it the ``go-to'' organization for cyber threat awareness.\n    Next, I want to stress to the committee the importance of trust to \nfacilitate meaningful exchanges. The need for trust is yet another \nreason that building on existing efforts is important. While there may \nbe frustrations with the current range and pace of information sharing, \nyou cannot legislate trust, and any new organization needs time to \nbuild the necessary relationships for meaningful communications. I \nbelieve the committee's intentions are best served by building upon the \nexisting rapports.\n    Last, it is imperative that solid protection mechanisms and safe \nharbors be in place for the designated organization and its \nparticipants for unencumbered information sharing and analytical \nproduct delivery to occur. This will likely require both legislative \nupdates and policy changes, which must be done with the utmost care to \nprivacy and civil liberties. This is an important yet difficult task, \nand I commend the committee for beginning the dialogue.\n    Moving on to the information-sharing objective of the NISO \norganization: As you can see from Diagram 2 \\3\\ (NISO relationships \nwith existing efforts), there are currently many organizations that \n``specialize'' in information sharing. 
Several Government agencies have \ninformation-sharing entities--not just DHS--and not to mention the \nhundreds of private-sector and academic entities, some quasi-\nGovernment, that all claim to be centers where cyber information can be \nshared. Without a recognized body, coordinated with United States \nGovernment (USG) efforts, private-sector organizations are confused \nabout with whom and under what circumstances they should engage all of \nthese other efforts. This fragmentation results in sub-optimal \ndissemination of timely information. NISO would serve as the National \ncyber-security aggregation point and coordination center endorsed by \nand coordinating with the Federal Government. We advocate establishing \na single point of interaction, to be run by the designated non-profit \nentity, while collaborating and working with the mechanisms and \norganizations already in place. For certain operational tasks, it might \nmake sense to re-brand current efforts and place them under the NISO, \nall the while ensuring we are building on the successes and not \nstarting over.\n---------------------------------------------------------------------------\n    \\3\\ Caveat: The diagram is in no way truly comprehensive of all the \ncurrent organizations that claim to be cyber information-sharing \ncenters. These are simply some of the most prominent entities. \nFurthermore the relationships represented in the diagram are derived \nfrom public mission statements and budget documents and are meant to be \nillustrative, not comprehensive.\n---------------------------------------------------------------------------\n    For the sake of clarity I will run through a real-world example of \na cyber threat and how a NISO, organized as suggested above, would have \nhad a positive impact on the situation. Let us take the Conficker worm, \nfirst discovered in early November 2008, which used flaws in Microsoft \nWindows software to infect millions of computers. 
Realizing a \ncollaborative effort was needed to combat the advanced malware \ntechniques behind Conficker, an industry group was serendipitously \nformed during an ICANN conference in February 2009. While the Conficker \nworking group (CWG) had many successes, and several similar working \ngroups have since formed using the same model, the threat clearly \ndemonstrated gaps in our National capabilities. First and foremost, the \nramp-up delay: The effort expended to form the group and time spent \nfinding the right skill sets, capabilities, and authorities before any \nwork could be done on the problem at hand. Had there been an \nestablished and trusted entity, such as a NISO, Microsoft could have \napproached them and begun combating the problem much sooner. There are \nother gaps the CWG has conceded they were unable to fill, such as the \nneed for a dedicated project manager, administrative support, testing \nfacilities, and a more coordinated approach with the anti-malware tool \nvendors--roles that a NISO could clearly execute. Likewise, there are \nlessons to be learned from why the group was successful. The CWG has \nattributed their success to trust. The operational members of the group \nall knew each other, had previously worked with each other, and had \nconfidence that all members would do a good job, follow through with their \ngiven tasks, and do no intentional harm. That trust was the glue that \nenabled a group of colleagues to form an effective collaboration that \nwas largely able to contain the worm. Their success corroborates the \nmodel of a third-party organization working with existing functions and \nbuilding on already established relationships.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ Nazario, Jose. ``Conficker Working Group Overview.'' Institute \nfor Information Infrastructure Protection (I3P). 12 October 2011. Web. 
\nhttp://www.thei3p.org/docs/events/cybercprfiles/\nNAZARIOI3PCONFICKER.pdf.\n---------------------------------------------------------------------------\n    I encourage the committee to require that the NISO maintain a \nNational repository of malware for research purposes. Currently there \nare several organizations that have malware repositories but they are \nseen as a competitive advantage and rarely shared. Access to such a \nrepository would enable cyber research to reach new levels. Currently \nresearchers work with only small pieces of the puzzle, resulting in \nreactive research, and impeding research that can look more globally at \nthe problem. Again, if we use the public health model, imagine if \ncancer researchers were only told that cancer affects thousands of \npeople who die every year, and the data was broken down by neither type \nnor outcome. Such data would make it impossible to make well-informed \ndecisions about priorities for response as well as research. Armed with \na well-maintained malware repository, with appropriate controls on \naccess, the NISO could provide more effective methods for basic cyber \nhygiene.\n    Finally, I want to touch upon the bill's research and development \nobjectives. Given the preponderance of threats, standards, \ntechnologies, products, best practices, etc. in cybersecurity, I \nstrongly encourage the committee to include language in the legislation \nthat emphasizes the need for operationally and scientifically sound \ncapabilities. Not every best practice scales well, and not every \ntechnology has scientifically sound evidence of its efficacy and its \nlimitations. 
The academic research community increasingly recognizes \nthe need for such sound methods as evidenced by workshops on Cyber \nSecurity Experimentation and Testing (CSET)\\5\\ and Learning from \nAuthoritative Security Experiment Results (LASER).\\6\\ Such legislation \nlanguage would create an important positive demand for well-formed \npilots and experiments that produce broadly meaningful data and \nresults. This would stimulate the development and maturation of ever-\nimproving methodologies for pilot projects, assessments, experiments, \nand research.\n---------------------------------------------------------------------------\n    \\5\\ Established 2008: http://www.usenix.org/events/cset12/\nindex.html.\n    \\6\\ New: Learning from Authoritative Security Experiment Results \n(LASER), http://www.laser-workshop.org.\n---------------------------------------------------------------------------\n    For example, in the draft language, phrases such as the following \nare used:\n  <bullet> Develop and conduct risk assessments;\n  <bullet> Comprehensive assessment techniques;\n  <bullet> Foster the development of essential information security \n        technologies;\n  <bullet> Facilitate the adoption of new cybersecurity technologies \n        and practices;\n  <bullet> Guidelines for making information systems more secure at a \n        fundamental level;\n  <bullet> Catalogue of risk-based performance standards;\n  <bullet> Cybersecurity research and development.\n    I recommend adding clarifications that such artifacts and \nactivities are:\n  <bullet> Operationally valid and scalable in situ;\n  <bullet> Scientifically, theoretically, and/or experimentally valid \n        or sound;\n  <bullet> Evidence-based capabilities and limitations.\n    Participants can further facilitate effective security by \nauthorizing the NISO to support creation of and access to high-fidelity \ndata sets to qualified researchers, of course with appropriate access \ncontrols. 
Access to such data is essential for creating and evaluating \ncritical technologies and best practices, especially to understand \nimportant limitations.\n    To finish, I want to applaud the committee's foresight in combining \nresearch functions with operational objectives in the NISO design. It \nis an ambitious and difficult task, and consequently there are \ncurrently few successful mixed organizations. Nevertheless, combining \nresearch and operations can and does have many benefits. I see the \nSEI's CERT Program as a viable model for successfully bringing together \nresearch and operations to add value to both communities. At CERT, our \nstrategy is to create usable technologies, apply them to real problems, \nand amplify their impact by accelerating broad adoption. Having one \nfoot in operations gives us the insight into real-world problems and \nensures our research has real-world applications. Moreover, having \noperational access gives us the opportunity to test our research and \nmake the necessary improvements for a successful and scalable \ntransition.\n    Thank you for the opportunity to comment on this important \nlegislation and leverage CERT's 23 years of experience in the area of \ninformation sharing.\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Lungren. Thank you very much.\n    Ms. McGuire.\n\n   STATEMENT OF CHERI F. MC GUIRE, VICE PRESIDENT OF GLOBAL \n     GOVERNMENT AFFAIRS AND CYBERSECURITY POLICY, SYMANTEC \n                          CORPORATION\n\n    Ms. McGuire. Chairman Lungren, Ranking Member Clarke, and \ndistinguished Members of the subcommittee, thank you for the \nopportunity to testify today on behalf of Symantec Corporation \nand the Business Software Alliance. In addition to my role at \nSymantec Corporation, I also serve as the chair of the IT \nSector Coordinating Council, as well as a member of the board \nof Information Technology and Information Sharing and Analysis \nCenter or the IT ISAC. 
I also serve as the principal IT sector \nrepresentative to the Partnership for Critical Infrastructure \nSecurity, which is the cross-sector cyber working group, a \ncross-sector critical infrastructure working group that works \nmost closely with the Department of Homeland Security and other \nagencies on infrastructure protection matters.\n    As the world's information security leader, Symantec \nmaintains 11 security response centers globally and we utilize \nover 240,000 attack sensors in more than 200 countries to track \nmalicious activity 24 hours a day, 365 days a year.\n    As you all are too well aware, our Nation's critical \ninfrastructure systems are constantly under attack. In our \nlatest internet security threat report, we observed a 19 \npercent year-over-year increase in threat activity and \nidentified more than 286 million unique variations of malware \nalone. In addition, based on data in our 2011 Norton cybercrime \nsurvey we estimated that 431 million cybercrime victims have \nbeen impacted globally with cyber attacks in the past year. At \nan annual combined cost of $388 billion globally, based on both \nfinancial losses and the lost time to recover from attacks, \ncybercrime costs us more today than the global black market for \nmarijuana, cocaine, and heroin combined.\n    Symantec has been a long-time proponent for improving our \nNation's cybersecurity. As a member of the Business Software \nAlliance, we were part of a coalition that offered a white \npaper on improving our Nation's cybersecurity through public-\nprivate partnerships. This paper laid out core principles for \ncybersecurity policy. I would like to submit it for the record \nas part of my testimony today.\n    As part of these core principles, first we must promote and \nimprove information sharing, which is often referred to as the \nkey to combating cyberthreats. 
However, we also must recognize \nthat information sharing is not an end goal but rather is a \ntool to providing situational awareness or visibility so that \nappropriate protective and risk mitigation actions may be \ntaken.\n    Second, effective and efficient cybersecurity cannot be \naccomplished under a one-size-fits-all regime. For example, a \nsmall mom-and-pop convenience store should not be required to \nimplement the same policies or standards as a nuclear facility. \nUsing a risk-based approach provides a mechanism for the \nGovernment and industry to assess risk and expend the necessary \nresources on areas that are truly needed.\n    Third, any proposed legislation must also promote, not \nstifle, innovation. Cybersecurity policy should maximize the \nability of organizations to develop and adopt the widest \npossible choice of cutting-edge cybersecurity solutions.\n    With regard to roles of industry and Government in \ncybersecurity, the private sector's role is clearly defined to \noperate and protect their networks. Industry must continually \ntune their security environments to manage the level of risk \nassociated with the information they are protecting, while at \nthe same time working within the current economic pressures of \ndoing more with less.\n    Further, industry must move from a device-centric security \nmodel to one that is identity- and information-centric. This \nnew security paradigm of data-centricity is not only about \nprotection of devices, but more importantly is about protecting \nthe information. The Government, of course, plays an important \nrole in cybersecurity. 
Government can create incentives to \nencourage the adoption of cybersecurity technologies, it can \nassist with education, training, and awareness to empower \nusers, it can serve as a facilitator for preparedness by \nsponsoring exercises, and it can share actionable information \nwith industry to improve cybersecurity situational awareness \nand the ability to respond.\n    Symantec was very pleased to review the draft bill that has \nbeen circulated by you, Mr. Chairman. The draft legislation we \nbelieve is a positive step forward in developing a National \ncybersecurity policy that helps fulfill the core principles \nthat I have just discussed.\n    First, we believe there needs to be improved coordination \nbetween and among public and private entities. Thus we are very \nsupportive of the bill's designation of a single entity as the \nNational cybersecurity authority.\n    Second, we support the bill's inclusion of a risk-based \napproach to cybersecurity so that we do not overburden small \nbusinesses with unnecessary security requirements, while still \nensuring that our critical infrastructures are protected.\n    We are also supportive of using existing internationally-\nrecognized performance standards, including those developed by \nNIST. We are also pleased that the legislation takes into \naccount how our National cybersecurity policy will enhance \neconomic prosperity. Keeping this goal in mind will help to \nprevent burdensome regulations, and it also appropriately \nemphasizes the need to maximize market-based incentives and \npublic-private partnerships.\n    Finally, we support the bill's emphasis on promoting \ninformation sharing. The bill clearly articulates that the \nGovernment must share real-time actionable information with \ncritical infrastructure, owners, and operators. The mandate \nwithin the structure of the proposed NISO that the Government \nmust share information is a strong step in the right direction. 
\nHowever, some questions still remain about how we will continue \nto utilize the existing entities under the proposed framework. \nWe believe that it is important to give the significant time \nand resources that companies have invested in the sector \ncoordinating councils and the ISACs the appropriate venue to \nparticipate.\n    In conclusion, recognizing that there is no silver bullet \nfor cybersecurity as a first step, but we really do have to \nshift this dialogue from solving the cybersecurity problem to \nmanaging the risks associated with it. We welcome the \nopportunity to answer any questions you may have at this time. \nThank you.\n    [The statement of Ms. McGuire follows:]\n                 Prepared Statement of Cheri F. McGuire\n                            December 6, 2011\n                              introduction\n    Chairman Lungren, Ranking Member Clarke and distinguished Members \nof the subcommittee, thank you for the opportunity to testify today on \nbehalf of Symantec Corporation \\1\\ and the Business Software Alliance \n(BSA) \\2\\ as you consider this very important issue.\n---------------------------------------------------------------------------\n    \\1\\ Symantec is a global leader in providing security, storage, and \nsystems management solutions to help consumers and organizations secure \nand manage their information-driven world. Our software and services \nprotect against more risks at more points, more completely and \nefficiently, enabling confidence wherever information is used or \nstored. More information is available at www.symantec.com.\n    \\2\\ The Business Software Alliance (www.bsa.org) is the leading \nglobal advocate for the software industry. It is an association of \nnearly 100 world-class companies that invest billions of dollars \nannually to create software solutions that spark the economy and \nimprove modern life. 
Through international government relations, \nintellectual property enforcement, and educational activities, BSA \nexpands the horizons of the digital world and builds trust and \nconfidence in the new technologies driving it forward.\n---------------------------------------------------------------------------\n    My name is Cheri McGuire and I am the vice president of global \ngovernment affairs and cybersecurity policy at Symantec Corporation. I \nalso serve as the current chair of the Information Technology (IT) \nSector Coordinating Council (SCC), which is one of 18 critical sectors \nidentified by the President and the U.S. Department of Homeland \nSecurity (DHS) to work in partnership with the Government on critical \ninfrastructure protection (CIP) and cybersecurity policy and \noperational matters. I am also a member of the board for the IT \nInformation Sharing and Analysis Center (ISAC), and serve as the \nprincipal IT Sector representative to the Partnership for Critical \nInfrastructure Security (PCIS). Prior to joining Symantec in 2010, I \nserved as Director for Critical Infrastructure and Cybersecurity in \nMicrosoft's Trustworthy Computing Group, and before that, at the U.S. \nDepartment of Homeland Security (DHS), where I led the National Cyber \nSecurity Division and the U.S. Computer Emergency Readiness Team (US-\nCERT).\n    Symantec is the world's information security leader, with over 25 \nyears of experience in developing internet security technology. Today, \nwe protect more people and businesses from more on-line threats than \nanyone in the world. We maintain 11 Security Response Centers globally \nand utilize over 240,000 attack sensors in more than 200 countries to \ntrack malicious activity 24 hours a day, 365 days a year. 
Our best-in-\nclass Global Intelligence Network allows us to capture world-wide \nsecurity intelligence data that gives our analysts an unparalleled view \nof the entire internet threat landscape, including emerging cyber \nattack trends, malicious code activity, phishing, and spam. In short, \nif there is a class of threat on the internet, Symantec knows about it.\n    At Symantec, we are committed to assuring the security, \navailability, and integrity of our customers' information and the \nprotection of critical infrastructure is a top priority for us. We \nbelieve that CIP is an essential element of a resilient and secure \nNation. From water systems to computer networks, power grids to \ncellular phone towers, risks to critical infrastructure can result from \na complex combination of threats and hazards, including terrorist \nattacks, accidents, and natural disasters.\n    We welcome the opportunity to provide comments as the committee \ncontinues its important efforts to bolster the state of cybersecurity \nin the United States and abroad. In my testimony today, I will provide \nthe subcommittee with:\n  <bullet> our latest analysis of the threat landscape as detailed in \n        the Symantec Internet Security Threat Report Volume XVI (ISTR \n        XVI) and in the 2011 Norton Cybercrime Report;\n  <bullet> principles for improving our Nation's cybersecurity;\n  <bullet> appropriate roles of industry and Government in \n        cybersecurity; and\n  <bullet> our views on your draft legislative proposal for \n        cybersecurity.\n                            threat landscape\n    Today, we rely on technology for virtually everything we do, from \ndriving to and from work, to mobile banking, to securing our most \ncritical systems that protect our Nation such as our nuclear plants and \nelectric grid. 
Our Nation's critical infrastructure systems are \nconstantly under attack, and the methods for attacking us are \nconstantly evolving and becoming more sophisticated with each passing \nminute. It is our goal to ensure that we are thinking ten steps ahead \nof the attackers. Looking at the current threat landscape is not \nenough--we must also keep our eyes on the horizon for evolving trends.\n    In the latest Symantec Internet Security Threat Report (ISTR) \nVolume XVI, we observed significant changes to the threat landscape in \n2010.\\3\\ The volume and sophistication of threat activity increased \nmore than 19 percent over 2009, with Symantec identifying more than 286 \nmillion unique variations of malicious software or malware. These \nincluded threats to social networking sites and users, mobile devices, \nand phishing.\n---------------------------------------------------------------------------\n    \\3\\ Symantec Internet Security Threat Report XVI, April 2011. \nhttp://www.symantec.com/business/threatreport/index.jsp.\n---------------------------------------------------------------------------\n    However, to understand the evolving threat landscape, we first need \nto look at who is behind the vast array of cyber attacks that we are \nseeing today. Attacks originate from a range of individuals and \norganizations, with a wide variety of motivations and intended \nconsequences. Attackers can include hackers (both individual and \norganized gangs), cybercriminals (from petty operators to organized \nsyndicates), cyber spies (industrial and nation-state), and \n``hacktivists'' (with a specific political or social agenda). \nConsequences can also take many forms, from stealing resources and \ninformation, to extorting money, to outright destruction of information \nsystems.\n    It is also important to recognize that attackers have no boundaries \nwhen it comes to their intended victims. All organizations and \nindividuals are potential targets. 
Corporate enterprises are often the \nobject of targeted attacks not only to steal customer data and \nintellectual property, but also to disrupt business processes and \ncommerce. Small businesses are often less resilient and the impacts of \nstolen bank accounts and business disruption can be catastrophic in a \nvery short time frame. In addition, end-users or consumers are \nconfronted with the financial and disruptive impacts of identity theft, \nscams, and system clean-ups, not to mention the lost productivity and \nfrustration of restoring their accounts. Finally, Governments are most \noften the victims of cyber sabotage, cyber espionage, and hacktivism, \nall of which can have significant National security implications.\n    Over the years, we have observed an ominous change that has swept \nacross the internet. The threat landscape once dominated by worms and \nviruses developed by irresponsible hackers is now being ruled by a new \nbreed of cybercriminals. As more people have access to technology, \ncriminals leverage it for criminal purposes. In October, we released \nour 2011 Norton Cybercrime Report where we examined on-line behavior in \n24 countries and interviewed nearly 20,000 consumers.\\4\\ We calculated \nthe cost of global cybercrime at $114 billion annually. We also \ncalculated that lost time due to recovery and impact on personal lives \nwas an additional $274 billion world-wide. Further, we found that more \nthan two-thirds of on-line adults (69 percent) reported having been a \nvictim of cybercrime in their lifetime. Every second, 14 adults become \na victim of cybercrime, resulting in more than 1 million cybercrime \nvictims every day.\n---------------------------------------------------------------------------\n    \\4\\ 2011 Norton Cybercrime Report. 
www.norton.com/cybercrimereport\n---------------------------------------------------------------------------\n    With an estimated 431 million adult victims globally in the past \nyear, and at an annual combined cost of $388 billion globally based on \nfinancial losses and time lost, cybercrime costs are significantly more \nthan the global black market in marijuana, cocaine, and heroin \ncombined--which is estimated at $288 billion per year.\n    It is not just our computers that we need to secure from \ncybercriminals. Today, a high percentage of consumers use their mobile \nphones to conduct nearly every aspect of their life, from basic \ncommunication to on-line shopping to mobile banking. Most of these \nphones are not secure. The Norton Cybercrime Report revealed that 10 \npercent of adults on-line have experienced cybercrime on their mobile \nphone. Further, we reported in the Symantec ISTR XVI that there were 42 \npercent more mobile vulnerabilities in 2010 compared to 2009--a sign \nthat cybercriminals are turning their efforts to the mobile space.\n    Recently, there has been an up-swing in press reports regarding \ncyber attacks and the ``advanced persistent threat'' or APT. While APT \nis one of the most overused terms in the security industry today, it is \nnevertheless something to be taken seriously. APTs covertly infiltrate \nsystems and hide and wait for opportune moments to steal information or \ndamage systems.\n    The APT is not one entity; rather it is many different and \nindependent entities, with a tremendous range of motivations. Some of \nthese motivations include financial gain, exfiltration (or theft) of \nsensitive and personal information, cyber espionage, and a new turn in \nthe last 18 months, cyber sabotage as exemplified by the Stuxnet \nmalware.\n    Another trait of the APT is to infiltrate a system, enterprise, or \norganization, but not immediately execute the ultimate mission. 
Often \nthe APT will lie in wait, gaining intelligence, observing patterns, and \nuse this information to glean information to further refine the \nultimate attack.\n    The threats we are seeing are not new, they are just newly \npackaged. However, while the attacks are not new, they are becoming \nmore targeted and the monetary losses have grown exponentially. Most \nindicators point to future cyber attacks as being more severe, more \ncomplex, and more difficult to prevent and address than current \nthreats. Thus, it is even more vital that we have a cybersecurity \npolicy that is flexible, fosters innovation, and enables us to stay \nahead of those with bad intentions.\n          principles for improving our nation's cybersecurity\n    Symantec has been a long-time proponent for improving our Nation's \ncybersecurity. We have testified before Congress on the issue each of \nthe last 4 years and have been a key stakeholder in the numerous \nlegislative efforts and public-private partnerships to improve cyber \nresearch and development, cyber education, security standard setting, \nCIP, and more. We have also participated in various multi-industry \nefforts aimed at improving our cybersecurity policies. For example, as \na member of the Business Software Alliance, we were part of a large \ncoalition of cybersecurity stakeholders that authored a white paper on \n``Improving our Nation's Cybersecurity through Public Private \nPartnerships.''\\5\\ This paper laid out a number of principles, and we \nbelieve any cybersecurity legislation should stay true to the core \nprinciples associated with these key elements:\n---------------------------------------------------------------------------\n    \\5\\ March 8, 2011. 
``Improving our Nation's Cybersecurity through \nPublic Private Partnerships: A White Paper.'' http://www.bsa.org/\x08/\nmedia/Files/Policy/Security/CyberSecure/\ncybersecurity_white_paper_publicprivatepartnership.ashx.\n---------------------------------------------------------------------------\n  <bullet> Risk management standards, assessment, and incentives;\n  <bullet> Incident management;\n  <bullet> Information sharing and privacy;\n  <bullet> International engagement;\n  <bullet> Supply chain security;\n  <bullet> Innovation and research and development (R&D); and,\n  <bullet> Education and awareness.\n    For the purposes of my testimony, I will discuss a few of these in \nthe context of your draft legislative proposal.\nInformation Sharing\n    Any cybersecurity legislation must promote and improve information \nsharing. Information sharing is often referred to as the key to \ncombating cyber threats. However, we must first recognize that \ninformation sharing is not an end goal, but rather a tool or mechanism \nto provide situational awareness, or visibility, so that appropriate \nprotective and risk mitigation actions may be taken. In order for \ninformation sharing to be effective, information must be shared in a \ntimely manner, must be shared with the right people or organizations, \nand must be shared with the understanding that so long as an entity \nshares information in good faith, it will not be faced with legal \nliability for sharing the information.\n    In order to achieve truly effective information sharing, there must \nbe increased coordination between and among industry and Government. 
In \nmy roles both inside and outside of the Government, and more recently \nas Chair of the IT Sector Coordinating Council and on the Board of the \nIT-ISAC, I have seen first-hand both successes and challenges in our \ncurrent public-private partnership with respect to information sharing.\n    In particular, cybersecurity exercises have been one of the most \nsuccessful public-private partnership and information-sharing \ninitiatives to date. The level of engagement and resources brought to \nbear from the Government and industry to jointly plan, develop \nscenarios, define information-sharing processes, and execute the \nexercises has been unprecedented. The lessons learned from these \nexercises have been invaluable to both industry and Government. \nHowever, much work still needs to be done to address recommended \nactions associated with information sharing and realize improvements.\n    One way to improve information sharing is to provide the Government \nwith the proper tools and authority to effectively disseminate \ninformation. I have seen too many instances of the Government releasing \ninformation on cyber threats, days and sometimes weeks, after the \nthreat has been identified. In many of these cases, by the time the \nGovernment releases the information, it has little use because the \nprivate sector has already identified and taken actions to mitigate the \nthreat. There is no single solution that will eliminate these delays, \nbut passing legislation that sends a clear message to the Government \nthat sharing information with the private sector is both a priority and \nnecessary to protect our infrastructure from cyber attacks will go a \nlong way.\n    At Symantec, we also support an incentive-based approach to \ninformation sharing. There is no doubt that businesses can gain a \ncompetitive advantage by not disclosing information to their \ncompetitors. 
However, a well-incentivized program of collaboration can \nhelp offset the disadvantages and keep the information flowing freely.\n    At the same time, Government does have an important role in \nfostering the effectiveness of information sharing. For example, \nGovernment can increase voluntary information sharing through tax \nincentives, grant funding, and streamlining of regulatory procedures. \nWe also need to address policies that discourage businesses who would \nbe willing to share information but choose not to because of fear of \nprosecution. Therefore, liability protections are necessary to improve \nbi-directional information sharing.\n    As with any partnership, information sharing is founded upon and \nenabled by trust. That trust is weakened when Government information-\nsharing mandates are imposed on industry. Enhanced self-interest and a \nflexible approach are more likely to improve information sharing than \nGovernment mandates to private industry.\nRisk Assessment\n    Effective and efficient cybersecurity cannot be accomplished under \na ``one-size-fits-all'' regime. Each system within our critical \ninfrastructure and each cyber threat pose different risks. For example, \na small mom-and-pop convenience store should not be required to \nimplement the same policies or standards as a nuclear facility. Using a \nrisk-based approach, as outlined in the National Infrastructure \nProtection Plan (NIPP),\\6\\ provides a mechanism for the Government and \nindustry to assess risk and expend the necessary resources on areas \nthat truly need it, rather than spending equal amounts of resources on \nboth high- and low-risk targets. Thus, it is imperative that any \ncybersecurity legislation use a risk-based analysis system rather than \na one-size-fits-all regime. 
Leveraging existing regulatory and \nvoluntary regimes to encourage cybersecurity risk assessments and the \nadoption of standards should be considered first in any proposals.\n---------------------------------------------------------------------------\n    \\6\\ National Infrastructure Protection Plan, http://www.dhs.gov/\nxlibrary/assets/NIPP_Plan.pdf.\n---------------------------------------------------------------------------\nInnovation\n    Any proposed legislation must also promote, not stifle, innovation. \nAs I discussed earlier, threats are constantly evolving and so must the \ntechnology to mitigate those threats. Symantec has long been a \nsupporter of a National cyber R&D strategy. Any cybersecurity \ninnovation legislation must promote technology advancement so we can \nstay ahead of the curve. Cybersecurity policy should therefore maximize \nthe ability of organizations to develop and adopt the widest possible \nchoice of cutting-edge cybersecurity solutions. An effective way to do \nthis is through the creation and implementation of a National \nCybersecurity R&D Plan.\n    Currently, we have a Federal plan for cyber R&D, but industry must \nbe part of the larger process, with prioritized, National-level \nobjectives set jointly by public and private partners. The public-\nprivate partnership should be used to create a genuine National \nCybersecurity R&D Plan that contains a detailed road map and specifies \nthe respective roles of each partner. This would include input from \nindustry, academia, and Federal, State, and local governments. The plan \nand its implementation road map should be regularly reviewed by the \npartners to verify the action plan, determine progress and \naccountability, and adjust as necessary.\n           roles of industry and government in cybersecurity\n    In discussing public-private partnerships, we should first consider \nthe various roles of industry and Government with regard to defending \ncritical infrastructure. 
The private sector's role is clearly defined \nto operate and protect their critical information networks. Just as a \nprivate citizen needs to lock the doors to their home, infrastructure \nowners and operators need to ensure that their network security \nenvironment is the most up to date to defend against the latest \nthreats.\n    In addition, industry must continually tune their security \nenvironments to manage the level of risk associated with the \ninformation they are protecting, while at the same time working within \nthe current economic pressures of doing more with less. Further, \nindustry must move from a device-centric security model to one that is \nidentity- and information-centric, with a focus on infrastructure that \nis secured and more importantly trustworthy. The new security paradigm \nof ``data-centricity'' is not only about protection of devices, but \nmore importantly is about protecting the information.\n    While the defense of critical infrastructures and the networks they \nrely on rests with owners and operators, the Government does play an \nimportant role in cybersecurity. As discussed above, Government has the \nability to create incentives that encourage the adoption of \ncybersecurity technologies. It can also assist with education, \ntraining, and awareness to improve the first line of defense by \nempowering users. In addition, the Government can serve as a \nfacilitator for preparedness by sponsoring exercises and drills that \ninclude private industry. Further, it can raise the bar of security \nwithin the Government by outlining minimum requirements for Government \nprocurement. Last, the Government can support public-private \npartnerships and information sharing with industry to improve overall \ncybersecurity situational awareness.\n    While the Government plays a number of roles in cybersecurity, one \nof the challenges is measuring the effectiveness of Government CIP \nprograms. 
To examine awareness, engagement, and readiness with regard \nto Government CIP programs, Symantec conducts an annual global survey \nof critical infrastructure providers. Released in October, our 2011 \nCritical Infrastructure Protection Survey found a drop in awareness \nand engagement on a global basis.\\7\\ We saw a marked decline in \ncompanies that are engaged in Government CIP programs, with 37 percent \nin 2011, compared to 56 percent in 2010.\n---------------------------------------------------------------------------\n    \\7\\ Symantec's Critical Infrastructure Protection Survey is the \nresult of research conducted in August and September 2011 by Applied \nResearch, which surveyed C-level IT professionals in SMBs and \nenterprises in 14 industries specifically designated as critical \ninfrastructure industries. The survey included 3,475 organizations from \n37 countries in North America, Europe, Middle East and Africa, Asia \nPacific, and Latin America. http://www.symantec.com/about/news/release/\narticle.jsp?prid=20111030_01.\n---------------------------------------------------------------------------\n    While the findings of this survey are somewhat alarming, they are not \nthat surprising. Many survey respondents reported limitations on \nstaffing and resources, which help explain why critical infrastructure \nproviders have had to prioritize and focus their efforts on more day-\nto-day cyber threats. However, given the increase in targeted attacks, \nsuch as Stuxnet, Duqu, and Nitro, against critical infrastructure \nproviders, businesses and governments around the world should be \naggressive in their efforts to promote and coordinate protection of \ncritical cyber networks. 
Given the survey results, we have several \nrecommendations for governments to promote CIP programs to owners and \noperators in order to raise awareness:\n  <bullet> Governments should continue to put forth the resources to \n        establish government critical infrastructure programs.\n    <bullet> The majority of critical infrastructure providers confirm \n            that they are aware of government critical infrastructure \n            programs.\n    <bullet> Furthermore, a majority of critical infrastructure \n            providers support efforts by the government to develop \n            protection programs.\n  <bullet> Governments should partner with industry associations and \n        private enterprise groups to disseminate information to raise \n        awareness of government CIP organizations and plans, with \n        specifics about how a response would work in the face of a \n        national cyber attack, what the roles of government would be, \n        who the specific contacts are for various industries at a \n        regional and national level, and how government and private \n        business would share information in the event of an emergency.\n  <bullet> Governments should emphasize to critical infrastructure \n        providers and enterprises that their information be stored, \n        backed up, organized, prioritized, and that proper identity and \n        access control processes are in place.\n         views on draft legislative proposal for cybersecurity\n    Symantec was pleased to review the draft bill that has been \ncirculated by you, Mr. Chairman. The draft legislation is a positive \nstep forward in developing a National cybersecurity policy that helps \nfulfill the core principles I discussed above.\nNational Cybersecurity Authority\n    To accomplish the goal of improving cybersecurity, we believe there \nneeds to be improved coordination between and among entities. 
\nCurrently, there are several Government agencies working on various \naspects of cybersecurity, though there is no designated lead. Thus, we \nare supportive of the bill's designation of a single entity as the \n``National Cybersecurity Authority.'' We must be mindful, however, that \nwe do not create an additional level of bureaucracy.\nRisk Assessment and Standards\n    We support the bill's inclusion of a risk-based approach to \ncybersecurity. Requiring the Secretary of Homeland Security--in \ncollaboration with industry--to identify risks within our cybersecurity \ninfrastructure ensures that we do not overburden small businesses with \nunnecessary security requirements, while ensuring that our chemical \nfacilities, dams, and electric grid are appropriately protected. We are \nalso supportive of using existing internationally recognized consensus-\ndeveloped risk-based performance standards, including those developed \nby the National Institute of Standards and Technology (NIST). In \naddition, we support the bill's instruction to the Secretary to develop \nmarket-based incentives designed to encourage the use of such \nstandards.\n    We are also especially pleased that the legislation directs DHS to \ntake into account how our National cybersecurity strategy and \nimplementation policies will enhance economic prosperity. Keeping this \ngoal in mind will help to prevent burdensome regulatory policies from \nbeing implemented. It also appropriately emphasizes the need to \nmaximize market-based incentives and public-private partnerships for \nimproved cybersecurity.\nInformation Sharing\n    Finally, we support the bill's emphasis on promoting information \nsharing. The bill clearly articulates that the Government must share \nreal-time, actionable information with critical infrastructure owners \nand operators.\n    We also understand the motivation to create a National Information \nSharing Organization, or the NISO. 
The current system of SCCs and ISACs \nwas developed to facilitate bi-directional information sharing between \nand among Government and private industry. These entities have been \nsuccessful in facilitating information sharing within industry, and \nhave had varying levels of success in industry-to-Government sharing. \nHowever, improvements must be made with regard to how well the \nGovernment shares threat information with private industry.\n    We believe that one of the reasons the Government is reluctant to \nshare real-time actionable information is because there is no mandate \nto do so. The mandate within the structure of the NISO that the \nGovernment must share information is a strong step in the right \ndirection. However, questions remain about how we will continue to \nutilize the existing entities under the proposed NISO framework. We \nbelieve this is important given the significant time and resources that \ncompanies have invested in the SCCs and ISACs. We look forward to \nworking with the committee to address these important issues.\n                               conclusion\n    In conclusion, if we are to successfully mitigate today's multi-\ndimensional threats more effectively--and use public-private \npartnerships and information sharing as tools--we must incorporate a \ncomprehensive approach for risk, resiliency, and collaboration to \nimprove critical infrastructure and cybersecurity. The U.S. public-\nprivate partnership has encountered both successes and challenges over \nthe years, but it is clear that we must continue to work together to \nleverage the best that industry and Government bring to the table and \nconfront the challenges directly. 
Recognizing there is no silver bullet \nfor cybersecurity, we must shift the dialogue from ``solving'' the \ncybersecurity problem, to ``managing the risk'' associated with it.\n    On behalf of Symantec and the Business Software Alliance, we \ncommend you and your staff's efforts in crafting this legislation that \nappropriately focuses on risk management, information sharing, and \ntechnology innovation. We look forward to working with you in the \nfuture as the bill moves through the Congress. I look forward to \nanswering any questions you may have.\n\n    Mr. Lungren. Thank you very much.\n    Mr. Nojeim.\n\n STATEMENT OF GREGORY T. NOJEIM, SENIOR COUNSEL AND DIRECTOR, \n    PROJECT ON FREEDOM, SECURITY AND TECHNOLOGY, CENTER FOR \n                    DEMOCRACY AND TECHNOLOGY\n\n    Mr. Nojeim. Chairman Lungren, Ranking Member Clarke, and \nMembers of the subcommittee, thank you for the opportunity to \ntestify today on behalf of the Center for Democracy and \nTechnology. CDT is a nonprofit public-interest organization \ndedicated to keeping the internet open, innovative, and free.\n    We applaud the subcommittee for holding this hearing on \ncybersecurity legislation. I will address the information-\nsharing provisions in the draft bill in some detail, but start \nwith some high-level observations about the bill which we think \nis a very good start. It has a light regulatory touch, \ngenerally relying on market incentives rather than Government \nmandates to increase cybersecurity performance. A heavy-handed \napproach, by contrast, could discourage security innovation. \nThe regulation it imposes would extend primarily to owners and \noperators of critical infrastructure information systems. It \ndefines critical infrastructure more carefully than do other \nbills, but more specificity would be helpful. 
It properly \ncements DHS as the lead Federal agency for the civilian \ncybersecurity program instead of giving this role to NSA or \nCyber Command.\n    Civilian control promotes the transparency and trust that \nare essential to program success. The bill appropriately avoids \ngiving the Government the authority to shut down or limit \ninternet traffic in a cybersecurity emergency. Conferring such \nauthority is anathema to civil liberties. It also undermines \nsecurity by discouraging companies from sharing information \nthat could be used to shut down their operations. Most \nimportantly, instead of giving the Government the authority to \nmonitor privately-owned networks for intrusions, it leaves this \nauthority where it belongs: With the private sector network \noperators who know their systems best.\n    We are concerned, though, about the information-sharing \nprovisions of the bill and we encourage you to tighten them. \nThe bill would create a non-profit, industry-led, quasi-\nGovernmental National Information-Sharing Organization, NISO, \nthrough which cyberthreat information would be shared among its \nGovernmental and private sector members. A privately-run \ninformation-sharing organization is more likely to have the \nnecessary agility than would a Government-run entity. NISO's \ninitial board of directors, hand-picked by DHS, would set the \ninformation-sharing rules, but the current draft of the bill \ngives it little guidance on what those rules should require and \nprovides little privacy protection.\n    Some amendments could address these problems. The bill \nshould narrowly define the cyberthreat information that can be \nshared. This would preclude the flow--the unnecessary flow of \nlarge streams of private communications through NISO to its \nGovernmental members.\n    The bill should ensure that information shared for \ncybersecurity purposes is used for cybersecurity. 
This would \nprevent cybersecurity information sharing from devolving into \nsomething approaching a surveillance program. It would also \nprevent companies from using the data that is shared for \ncommercial purposes unrelated to cybersecurity, such as for \nbehavioral advertising.\n    The bill should require minimization of personally \nidentifiable information and communication shared through NISO.\n    Finally, the information-sharing rule should be \nenforceable. The bill currently imposes no liability on \nprivate-sector employees and on employees of State and local \ngovernments who violate the information-sharing rules. These \nmatters must be addressed in the legislation. NISO's board will \nnot adopt rules to adequately address them absent clear, \nstrong, specific Congressional direction to do so. We caution \nyou against amending the bill to permit information to flow to \nor from NISO, notwithstanding any law. Such provisions are \nalmost sure to have unintended consequences.\n    The cybersecurity bill of the House Intelligence Committee \nreported last week includes such a provision, and it is coupled \nwith an overbroad definition of cyberthreat. They worked \ntogether in that legislation to permit communication service \nproviders to share with intelligence, law enforcement, and \nother agencies, ordinary user traffic that the providers \nroutinely monitor for cyberthreats. It would be unwise to go \ndown that road. Cybersecurity legislation need not override \nprivacy and other laws to promote information sharing. An \nincremental approach is called for.\n    Targeted exceptions to privacy and other laws may be \nnecessary and we will work with you to craft them. Thank you.\n    [The statement of Mr. Nojeim follows:]\n                Prepared Statement of Gregory T. 
Nojeim\n                            December 6, 2011\n    Chairman Lungren, Ranking Member Clarke, and Members of the \nsubcommittee: Thank you for the opportunity to testify today on behalf \nof the Center for Democracy & Technology.\\1\\ We applaud the \nsubcommittee for holding a hearing on draft legislation to address \nsignificant cybersecurity challenges. Clearly, cybersecurity is a \ngrowing problem that Congress needs to address, but with a careful, \nnuanced, and incremental approach in order to minimize the unintended \nconsequences, such as inhibiting innovation, diminishing privacy, or \ndamaging civil liberties. We believe that the legislation you are \nconsidering is a good start in many ways and that it could use some \nimprovements in key areas:\n---------------------------------------------------------------------------\n    \\1\\ The Center for Democracy & Technology is a non-profit public \ninterest organization dedicated to keeping the internet open, \ninnovative, and free. Among our priorities is preserving the balance \nbetween security and freedom. CDT coordinates a number of working \ngroups, including the Digital Privacy and Security Working Group \n(DPSWG), a forum for computer, communications, and public interest \norganizations, companies, and trade associations interested in \ninformation privacy and security issues.\n---------------------------------------------------------------------------\n  <bullet> The draft bill has a light regulatory touch, generally \n        relying on market incentives rather than Government mandates to \n        increase cybersecurity performance. 
This approach, which we \n        favor, encourages companies to enhance their cyber defenses \n        without forcing compliance with Government-imposed standards \n        that could discourage security innovation.\n  <bullet> The regulation that the draft bill would impose extends \n        primarily to owners and operators of critical infrastructure \n        systems, so it is important to carefully define those systems.\n  <bullet> The draft bill wisely cements the role of the Department of \n        Homeland Security as the lead Federal agency for cybersecurity \n        for the civilian Government and private sectors, instead of \n        putting an element of the Defense Department in this role.\n  <bullet> The draft bill appropriately avoids giving the Government \n        authority to shut down or limit internet traffic in a \n        ``cybersecurity emergency.''\n  <bullet> We are concerned about the information-sharing provisions of \n        the draft bill and the impact that they could have on privacy. \n        We will share our suggested changes to those provisions.\n network providers--not the government--should monitor privately-owned \n                        networks for intrusions\n    One of the most important things to get right about cybersecurity--\nfor civil liberties and for effectiveness--is to ensure that the \nprivate sector remains responsible for monitoring and protecting its \nown networks and that monitoring authority not be transferred, directly \nor indirectly, to the Government. When the White House released the \nCyberspace Policy Review on May 29, 2009, President Obama embraced this \nprinciple, stating:\n\n``Our pursuit of cybersecurity will not--I repeat, will not--include \nmonitoring private sector networks or internet traffic. We will \npreserve and protect the personal privacy and civil liberties that we \ncherish as Americans.''\n\n    CDT strongly agrees. 
No Governmental entity should be involved in \nmonitoring private communications networks as part of a cybersecurity \ninitiative. This is the job of the private-sector communications \nservice providers themselves, not of the Government. Most critical \ninfrastructure computer networks are owned and maintained by the \nprivate sector. Private system operators know their systems best and \nthey already monitor those systems on a routine basis to detect and \nrespond to attacks as necessary to protect their networks; it is in \ntheir business interest to continue to ramp up these defenses.\n    At a top-line level, all of the major cybersecurity bills, \nincluding the legislation the White House has proposed, honor the \nadministration's pledge. But Government monitoring of private-to-\nprivate communications likely will not occur through the front door. \nRather, Government monitoring would most likely grow as an indirect \nresult of information sharing between the private and public sectors or \nas an unintended by-product of programs put in place to monitor \ncommunications to or from the Government. For that reason, we focus \nextensively here on the information-sharing provisions of the draft \nbill. We conclude that they have benefits over the language in both the \nadministration bill and the Cyber Intelligence Sharing and Protection \nAct reported by the House Intelligence Committee on December 1 (H.R. \n3523), but we also see areas that need to be clarified or otherwise \nimproved.\n   sharing information between the private sector and the government\n    There is widespread agreement that the current level of \ncybersecurity information sharing is inadequate. Private-sector network \noperators and Government agencies monitoring their own networks could \nbetter respond to threats if they had more information about what other \nnetwork operators are seeing. 
How to encourage more robust information \nsharing without putting privacy at risk is a central policy challenge \nthat falls to Congress to resolve.\nPreferred Approach to Information Sharing\n    CDT strongly recommends an incremental approach to the information-\nsharing problem. First, Congress should determine exactly what \ninformation should be shared that is not shared currently, and why it \nis not being shared. We believe that what is most important to share is \nattack signatures, information describing other exploits, and \ninformation identifying the source or attribution of attacks or probes. \nThe assessment of current practices should start with an understanding \nof why existing structures, such as the U.S. Computer Emergency \nReadiness Team (``US-CERT'') \\2\\ and the public-private partnerships \nrepresented by the Information Sharing and Analysis Centers (ISACs),\\3\\ \nare inadequate. The Government Accountability Office (GAO) has made a \nseries of suggestions for improving the performance of US-CERT.\\4\\ The \nsuggestions include giving US-CERT analytical and technical resources \nto analyze multiple, simultaneous cyber incidents and to issue more \ntimely and actionable warnings; developing more trusted relationships \nto encourage information sharing; and providing US-CERT sustained \nleadership within DHS that could make cyber analysis and warning a \npriority. All of these suggestions merit attention.\n---------------------------------------------------------------------------\n    \\2\\ US-CERT is the operational arm of the Department of Homeland \nSecurity's National Cyber Security Division. It helps Federal agencies \nin the .gov space to defend against and respond to cyber attacks. 
It \nalso supports information sharing and collaboration on cybersecurity \nwith the private sector operators of critical infrastructures and with \nState and local governments.\n    \\3\\ Each critical infrastructure industry sector defined in \nPresidential Decision Directive 63 has established an Information \nSharing and Analysis Center (ISAC) to facilitate communication among \ncritical infrastructure industry representatives, a corresponding \nGovernment agency, and other ISACs about threats, vulnerabilities, and \nprotective strategies. See Memorandum from President Bill Clinton on \nCritical Infrastructure Protection (Presidential Decision Directive/\nNSC-63) (May 22, 1998), http://www.fas.org/irp/offdocs/pdd/pdd-63.htm. \nThe ISACs are linked through an ISAC Council, and they can play an \nimportant role in critical infrastructure protection. See The Role of \nInformation Sharing and Analysis Centers (ISACs) in Private/Public \nSector Critical Infrastructure Protection 1 (January 2009), http://\nwww.isaccouncil.org/whitepapers/files/ISAC_Role_in_CIP.pdf.\n    \\4\\ See Government Accountability Office, Cyber Analysis and \nWarning: DHS Faces Challenges in Establishing a Comprehensive National \nCapability (July 2008), http://www.gao.gov/products/GAO-08-588.\n---------------------------------------------------------------------------\n    Second, an assessment should be made of whether the newly-\nestablished National Cybersecurity and Communications Integration \nCenter (NCCIC) has addressed some of the information-sharing issues \nthat have arisen. The NCCIC is a round-the-clock watch and warning \ncenter established at DHS. 
It combines US-CERT and the National \nCoordinating Center for Communications and is designed to provide \nintegrated incident response to protect infrastructure and networks.\\5\\ \nIndustry is now represented at the NCCIC \\6\\ and its presence there \nshould facilitate the sharing of cybersecurity information about \nincidents.\n---------------------------------------------------------------------------\n    \\5\\ See DHS Press Release announcing opening of the NCCIC, http://\nwww.dhs.gov/ynews/releases/pr_1256914923094.shtm.\n    \\6\\ See DHS Press Release announcing that it has agreed with the \nInformation Technology Information Sharing and Analysis Center (IT-\nISAC) to embed a full-time IT-ISAC analyst at the NCCIC, November 18, \n2010, http://www.dhs.gov/ynews/releases/pr_1290115887831.shtm.\n---------------------------------------------------------------------------\n    Third, Congress must make a realistic assessment as to whether an \ninformation-sharing model that puts the Government at the center--\nreceiving information, analyzing it, and sharing the resulting analysis \nwith industry--could ever act quickly enough to respond to fast-moving \nthreats. Though the White House cybersecurity proposal \\7\\ and the lead \nSenate bill, the Cybersecurity and Internet Freedom Act (S. 413), adopt \nthe Government-centric approach, we have serious concerns about it. 
An \nindustry-based model, subject to strong privacy protections, would be \nable to act more quickly and would raise few, if any, of the Fourth \nAmendment concerns associated with a Government-centric model.\n---------------------------------------------------------------------------\n    \\7\\ The text and an analysis of the White House proposal are at \nhttp://www.whitehouse.gov/omb/legislative_letters.\n---------------------------------------------------------------------------\n    Fourth, Congress must account for the significant authority current \nlaw gives providers of communications service to monitor \ntheir own systems and to disclose to Governmental entities information \nabout cyber attack incidents for the purpose of protecting their own \nnetworks. In particular, the Federal Wiretap Act already provides that \nit is lawful for any provider of electronic communications service to \nintercept, disclose, or use communications passing over its network \nwhile engaged in any activity that is a necessary incident to the \nprotection of the rights and property of the provider.\\8\\ This includes \nthe authority to disclose communications to the Government or to \nanother private entity when doing so is necessary to protect the \nservice provider's network. 
Likewise, under the Electronic \nCommunications Privacy Act (ECPA), a service provider, when necessary \nto protect its system, can disclose stored communications \\9\\ and \ncustomer records \\10\\ to any Governmental or private entity.\\11\\ \nFurthermore, the Wiretap Act provides that it is lawful for a service \nprovider to invite in the Government to intercept the communications of \na ``computer trespasser''\\12\\ if the owner or operator of the computer \nauthorizes the interception and there are reasonable grounds to believe \nthat the communication will be relevant to investigation of the \ntrespass.\\13\\ These provisions do not, in our view, authorize on-going \nor routine disclosure of traffic by the private sector to Governmental \nentities but, rather, go a long way to authorizing the type of targeted \ninformation sharing that we believe is needed.\n---------------------------------------------------------------------------\n    \\8\\ 18 U.S.C. § 2511(2)(a)(i).\n    \\9\\ 18 U.S.C. § 2702(b)(3).\n    \\10\\ 18 U.S.C. § 2702(c)(5).\n    \\11\\ Another set of exceptions authorizes disclosure if ``the \nprovider, in good faith, believes that an emergency involving danger of \ndeath or serious physical injury to any person requires disclosure \nwithout delay of communications [or information] relating to the \nemergency.'' 18 U.S.C. §§ 2702(b)(8) and (c)(4).\n    \\12\\ A ``computer trespasser'' is someone who accesses a computer \nused in interstate commerce without authorization. 18 U.S.C. § \n2510(21).\n    \\13\\ 18 U.S.C. 
§ 2511(2)(i).\n---------------------------------------------------------------------------\n    While current law authorizes providers to monitor their own systems \nand to disclose voluntarily communications and records necessary to \nprotect their own systems, the law does not authorize service providers \nto make disclosures to other service providers or to the Government to \nhelp protect the systems of those other service providers. We believe \nit probably should. There may be a need for a very narrow exception to \nthe Wiretap Act, ECPA, FISA, and other laws that would permit \ndisclosures about specific attacks and malicious code on a voluntary \nbasis and that would immunize companies against liability for these \ndisclosures.\n    The exception would be narrow so that routine disclosure of \ninternet traffic to the Government or other entities remains clearly \nprohibited. It would bar the disclosure to the Government of vast \nstreams of communications data, but permit liberal disclosure of \ncarefully defined cyber attack signatures and cyber attack attribution \ninformation. It may also need to permit disclosure of communications \ncontent that defines a method or the process of a cyber attack. 
Rather \nthan taking the dangerous step of overriding the surveillance statutes, \nsuch a narrow exception could operate within them, limiting the impact \nof cybersecurity information sharing on personal privacy.\nInformation Sharing in the Draft Bill \\14\\\n---------------------------------------------------------------------------\n    \\14\\ In addition to the information-sharing entity discussed at \nlength below, the draft bill calls on DHS to facilitate information \nsharing and interactions and collaborations among Federal agencies, \nState and local governments and academic and international partners, to \ndisseminate timely and actionable cybersecurity threat, vulnerability, \nand mitigation information, to compile and analyze risks and incidents \nregarding threats to Federal systems and critical infrastructure \ninformation systems, and to provide incident detection, analysis, \nmitigation, and response information to Federal agencies and to private \nentities and other Governmental entities that own or operate critical \ninfrastructure. This is consistent with its duties today.\n---------------------------------------------------------------------------\n    The draft bill establishes \\15\\ the National Information Sharing \nOrganization (NISO), a non-profit, quasi-Governmental organization to \nserve as a National clearinghouse for the exchange of undefined ``cyber \nthreat information''--including information derived from intelligence \ncollection--among owners and operators of critical and non-critical \nnetworks and systems in the private sector, the Federal Government, \nState and local governments, and educational institutions. One of its \ngoals would be to create a ``common operating picture'' by combining \nnetwork and cyber threat warning information shared with the Federal \nGovernment and with NISO members designated by its board of directors. 
\nNISO would be required by law to ensure that information exchanged is \nstripped of all information that identifies the submitting entity, but \nit would not be required by law to minimize personally identifiable \ninformation that is shared. Threat and vulnerability information \nderived from intelligence collection could only be shared with cleared \nNISO members.\n---------------------------------------------------------------------------\n    \\15\\ It is not clear whether NISO is a newly-established non-\nprofit, or whether an existing non-profit, or existing non-profits, \nwould become NISO. This should be clarified.\n---------------------------------------------------------------------------\n    DHS would select NISO's initial board of directors. That board \nwould set procedures for future board elections and criteria for \nmembership in NISO by non-Federal entities. It would establish a \ngoverning charter setting information-sharing rules for NISO and its \nmembers, including the treatment of intellectual property, limitations \non liability, measures to mitigate anti-trust concerns, and protections \nof privacy and civil liberties. NISO would determine the extent to \nwhich its own activities would be transparent to the public--\ninformation submitted to and exchanged through NISO would be exempt \nfrom disclosure under FOIA and information it shares with State and \nlocal governments would be exempt from disclosure under State law.\n    Participation in NISO would be mandatory for the Departments of \nEnergy, Defense, and Homeland Security and the FBI. 
Other entities such \nas companies, State and local governments, and academic institutions \nwould participate voluntarily by becoming members under criteria \nestablished by the NISO board of directors and by paying membership \nfees determined by the board.\\16\\ Industry representatives would \ndominate its board of directors, which would include representatives of \nsmall business, seven critical infrastructure sectors, DHS, the \nDepartment of Defense, the Department of Justice, the intelligence \ncommunity and the privacy and civil liberties community.\\17\\\n---------------------------------------------------------------------------\n    \\16\\ Up to 15 percent of NISO's annual expenses would come out of \nthe DHS budget.\n    \\17\\ Industry representatives would outnumber Governmental \nrepresentatives by 2-1 and would outnumber privacy and civil liberties \ncommunity representatives by 5-1.\n---------------------------------------------------------------------------\nEvaluation of the Proposed Information-Sharing Regime\n    At a top-line level, NISO would be something of a ``super ISAC.'' \nLike an ISAC, it would be convened by the Government, devoted to \ncybersecurity information sharing, and dominated and paid for by \nindustry. It would partner with the same Governmental and private \norganizations that an effective ISAC would. The largest differences are \nthat NISO is not sector-specific, thus facilitating information sharing \nacross sectors, that some of its information-sharing rules are guided \nby statute instead of being set by its members or governing board, and \nits enabling statute removes any doubt that classified cybersecurity \ninformation could be shared with participating entities cleared to \nreceive it. Whether NISO will be effective or not seems to turn on \nwhether it addresses deficiencies in the current ISAC/US-CERT \nstructures. 
We suggest that you measure NISO against any identified \nshortcomings in these existing structures to ensure that the bill does \nnot establish a redundant information-sharing entity.\n    We would make a number of suggestions to protect privacy and \npromote efficacy if the committee determines to move forward with \nNISO:\\18\\\n---------------------------------------------------------------------------\n    \\18\\ The NISO provisions are very much a work in progress and we \nwill be suggesting some technical clarifications to staff that are not \noutlined here.\n\n    1. Carefully define, with reference to existing law, the cyber \n        threat information that can be shared with or through NISO. It \n        is not necessary to run a bulldozer through existing laws that \n        protect privacy and other societal values with a provision \n        permitting the sharing of broadly-defined cyber threat \n        information ``notwithstanding any law.'' Such an open-ended \n        exception would be damaging to privacy and would likely have \n        adverse unintended effects. Both the White House information-\n        sharing proposal and the House Intelligence Committee's Cyber \n        Intelligence Sharing and Protection Act, H.R. 3523, have this \n        defect.\\19\\ In contrast, CIFA, the lead Senate bill, explicitly \n        provides that cyber attack reporting must comply with the \n        surveillance statutes, rather than override them.\\20\\\n---------------------------------------------------------------------------\n    \\19\\ The House Intelligence Committee's bill defines cyber threat \ninformation so broadly that it would permit carriers to share all of \nthe communications traffic they scan to protect their networks, and to \nshare that traffic with the FBI, NSA, and other Governmental agencies. 
\nOur analysis of the bill can be found at http://www.cdt.org/blogs/\ngregnojeim/112cyber-intelligence-bill-threatens-privacy-and-civilian-\ncontrol.\n    \\20\\ S. 413, the Cybersecurity and Internet Freedom Act of 2011, \nproposed Section 246(c)(1)(A)(ii) to the Homeland Security Act.\n\n    2. Restrict the purpose and use of the information being shared to \n        cybersecurity. Cybersecurity should not become a back door for \n        the flow of information to the Government for law enforcement \n        purposes, or to the private sector to help it target \n        advertising or for other commercial purposes unrelated to \n        cybersecurity. The draft bill falls short in this area, \n        permitting Government participants in NISO to use information \n        shared to prosecute any crime,\\21\\ and permitting industry \n        participants to use the information for any commercial purpose, \n        including commercial purposes that might be at odds with the \n        interests of the party submitting the information. While the \n        bill permits entities submitting information to NISO to impose \n        use and disclosure restrictions on the information when it is \n        disclosed to officials of the U.S. Government, this provides \n        little comfort to the computer user to whom the disclosed \n        information may pertain and whose interests may not align with \n        those of the company submitting the information. We are \n        particularly concerned about the degree to which personally \n        identifiable information and communications content would flow \n        to Governmental entities through the NISO. 
These issues should \n        be addressed by law; rules and procedures the NISO board adopts \n        will not be sufficient.\n---------------------------------------------------------------------------\n    \\21\\ Since the prosecution of cybersecurity crimes serves a \ncybersecurity purpose, cyber threat information shared through the NISO \ncould be used to prosecute such crimes, including violations of the \nComputer Fraud and Abuse Act.\n\n    3. Make the restrictions on information sharing enforceable by \n        people and entities aggrieved by violations. Companies that \n        share carefully-defined cyber threat information through NISO \n        should be insulated against liability for doing so. However, if \n        they break the rules, there should be consequences. The current \n        draft makes it a misdemeanor for an employee of the Federal \n        Government to knowingly disclose without authorization cyber \n        threat information protected against disclosure. There are no \n        penalties if a State or local official or an employee of a \n        company participating in the NISO makes a similar disclosure. \n        The bill's penalties should apply to intentional violations by \n        State or local officials or private-sector employees.\n\n    4. Require that information sharing to and from the NISO minimize \n        the personally identifiable information and communications \n        content that is shared. When cyber threat information includes \n        PII or communications content that is not necessary to identify \n        and respond to the threat, such information need not, and \n        should not be shared, and the bill should so provide. 
Like the \n        White House bill, it should require destruction of \n        communications intercepted or disclosed for cybersecurity \n        purposes that do not appear to be related to cybersecurity \n        threats.\n\n    5. Ensure that information sharing by NISO members is voluntary. We \n        assume that the bill does not intend to mandate information \n        sharing, but proposed Section 248 in the draft bill, entitled \n        ``Voluntary Information Sharing,'' does not actually specify \n        that information-sharing be voluntary. Instead, the bill \n        permits the NISO board to set the information-sharing rules, \n        which could be misread as permitting the board to adopt a rule \n        that would require members to share information as a condition \n        of membership. The enabling statute should prohibit the NISO \n        board from adopting any such rule.\n\n    6. Enhance transparency with audits and Inspector General reports. \n        DHS Inspector General should be required to issue an annual \n        report that evaluates the efficacy of NISO's information-\n        sharing activities and their impact on privacy. These reports \n        should be public, but may have a classified annex. The bill \n        could also require publicly-reported independent audits to \n        ensure that information sharing through NISO comports with \n        statutory requirements and rules and procedures adopted by the \n        NISO board.\n\n    7. Consider whether information sharing through NISO should be \n        complemented by efforts to enhance information sharing directly \n        within industry, subject to audits, reporting and other privacy \n        controls. 
While it may have disadvantages, a distributed \n        information-sharing system may be more nimble than a \n        centralized, hub-and-spoke model.\n cybersecurity role of the department of homeland security and of dod \n                                entities\n    The draft bill would firmly establish DHS as lead Federal agency \nresponsible for improving the security of civilian Federal systems and \nfor working with the private sector to improve the security of civilian \ncritical infrastructure systems. Under the bill, DHS cybersecurity \nactivities would include: Conducting risk assessments of Federal \nsystems and, upon request, of privately-owned critical infrastructure \ninformation systems; facilitating adoption of new cybersecurity \npolicies and practices; becoming a focal point within the Federal \nGovernment for protecting Federal systems and critical infrastructure \nsystems; coordinating among Federal agencies and State and local \ngovernments, academia, and international partners on cybersecurity; \ndeveloping a cybersecurity incident response plan; sharing information \nabout cyber threats and vulnerabilities and mitigation strategies with \nGovernmental agencies and with owners and operators of critical \ninfrastructure information systems; and a host of other cybersecurity \nactivities.\n    Putting DHS in the lead is the right approach, and in this regard \nthe draft bill is superior to other proposals that could put an element \nof the Department of Defense--the National Security Agency or Cyber \nCommand--formally or de facto at the head of civilian cybersecurity \nefforts. Some have suggested that these military entities be given a \nlead role because of their expertise and resources. 
We believe that to \nbe most effective, the Government's cybersecurity program should \nharness the expertise and resources of the DOD, but a civilian agency \nmust remain in control of the overall program in order to ensure \ntransparency and thereby instill trust of the private sector and the \npublic. Less transparency means less trust, less corporate \nparticipation, and less effectiveness of the Government's cybersecurity \nprogram.\n    Over 85% of critical infrastructure information systems are owned \nand operated by the private sector, which also provides much of the \nhardware and software on which Government systems rely, including the \nGovernment's classified systems. The private sector has valuable \ninformation about vulnerabilities, exploits, patches, and responses. \nPrivate-sector operators may hesitate to share this information if they \ndo not know how it will be used and whether it will be shared with \ncompetitors. Private-sector cooperation with Government cybersecurity \neffort depends on trust. A lack of transparency undermines trust and \nhas hampered cybersecurity efforts to date. In addition, without \ntransparency, there is no assurance that cybersecurity measures \nadequately protect privacy and civil liberties and adhere to due \nprocess and Fair Information Practice Principles. Transparency is also \nessential if the public is to hold the Government accountable for the \neffectiveness of its cybersecurity measures and for any abuses that \noccur.\n    NSA and Cyber Command operate, understandably, in a culture of \nsecrecy that is incompatible with the information sharing necessary for \nthe success of a civilian cybersecurity program. As a result, a DOD \nentity should not be given a leading role in monitoring the traffic on \nunclassified civilian Government systems, nor in making decisions about \ncybersecurity as it affects such systems; its role in monitoring \nprivate sector systems should be even smaller. 
Instead, procedures \nshould be developed for ensuring that whatever expertise and technology \nDOD has in discerning attacks is made available to a civilian agency. \nWe applaud steps taken in this direction, such as the September 27, \n2010 MOU between DHS and DOD setting forth the terms by which each \nagency provides personnel, equipment, and facilities to increase \ncollaboration and support and synchronize each other's cybersecurity \noperations.\\22\\\n---------------------------------------------------------------------------\n    \\22\\ Memorandum Agreement Between DHS and DOD Regarding \nCybersecurity, effective September 27, 2010, http://www.dhs.gov/\nxlibrary/assets/20101013-dod-dhs-cyber-moa.pdf.\n---------------------------------------------------------------------------\n  designations of critical infrastructure should be narrowly targeted\n    DHS should concern itself only with genuinely critical \ninfrastructure, and that infrastructure should be narrowly defined. A \nnarrow definition focuses agency resources where they are most needed \nand ensures minimal conflicts with other regulatory regimes. Such a \ndefinition also ensures that the burdens of Government reporting and \nregulatory compliance are imposed only on private-sector network \noperators who are truly ``critical'' and limits impact on traditionally \nnon-regulated entities.\n    In this regard, other cybersecurity proposals raise very serious \nconcerns. The May 12, 2011 White House proposal does little to provide \nspecificity, defining critical infrastructure as those entities whose \nincapacity or disruption would cause ``a debilitating impact.''\\23\\ \nThis standard is ambiguous and could sweep vast swaths of U.S. industry \ninto a regulatory fold. 
The Senate's CIFA bill does a better job, and \nrequires that the disruption of any critical infrastructure system \nwould cause ``a mass casualty event which includes an extraordinary \nnumber of fatalities,'' ``severe economic consequences,'' ``mass \nevacuations with a prolonged absence,'' or ``severe degradation of \nNational security capabilities, including intelligence and defense \nfunctions.''\\24\\\n---------------------------------------------------------------------------\n    \\23\\ White House proposal, proposed Section 3(b)(1)(A) of the \nCybersecurity Regulatory Framework for Critical Infrastructure Act.\n    \\24\\ S. 413, Cybersecurity and Internet Freedom Act of 2011, \nproposed Section 254 of the Homeland Security Act and amendments to \nSection 210E of the Homeland Security Act.\n---------------------------------------------------------------------------\n    The draft bill does better than either the administration proposal \nor the Senate bill. It defines covered critical infrastructure as a \nfacility or function which, if destroyed, disrupted, or accessed \nwithout authorization, through exploitation of a cyber vulnerability, \nwould result in: (i) loss of thousands of lives; (ii) major economic \ndisruption, including disruption or failure of financial markets; (iii) \nmass evacuation of a major metropolitan area for longer than 30 days; \nor (iv) severe degradation of national security or non-military defense \nfunctions. 
While more precise than the definition of critical \ninfrastructure in either the White House proposal or in CIFA, this \ndefinition, too, would benefit from more specificity.\n    It would be useful, for example, for the statute to define the \nlevel of economic disruption and of lives lost that would trigger \ncoverage as ``critical infrastructure.'' DHS has already drawn these \nlines in its definitions of Tier 1 and Tier 2 Critical Infrastructures \nand Key Resources, and DHS uses these more precise definitions to \nallocate resources used to protect critical assets. If the draft bill \nbecomes law as written, DHS would have discretion in specifying what is \ncritical and what is not. It could draw those lines as it already has \nor it could draw new lines. The question for the committee is whether \nCongress draws the lines that determine what assets are subject to DHS \nregulation or whether to leave that decision to DHS. We favor Congress \ndrawing those lines in a transparent, precise, and measurable way. We \nalso suggest that the draft bill be amended to include a meaningful \nappeal process companies could trigger when they believe an asset of \ntheirs has been incorrectly designated as ``critical infrastructure.''\n   incentivizing risk-based conduct to secure critical infrastructure\n    In terms of enhancing the security of private networks and systems, \nthe Government may assist the private sector but it should not intrude \ninto the details of private sector cybersecurity planning processes and \nit should not dictate technology standards. Certain agencies may have \nunique insights into burgeoning threats, specific attack signatures, or \nuseful defensive techniques, but private-sector information \ntechnologists typically understand the operation of their own networks \nbetter than Government regulators. The goal should be to enhance the \ncapability of the private sector, not to transfer it to the Government. 
\nFurthermore, when it comes to securing critical infrastructure, one \nsize does not fit all. Existing regulatory regimes reflect this \nreality: The regime governing operation of a nuclear power plant is \nmuch more prescriptive than the regulatory regime governing most \ninformation technology. Cybersecurity measures should build on this \ninsight.\n    The draft bill would authorize DHS, in coordination with Federal \nagencies and owners and operators of critical infrastructure, to assess \ncybersecurity risks to critical infrastructure and the harms that could \nresult from disruption, destruction, or unauthorized use of critical \ninfrastructure information systems. DHS would also catalogue \ninternationally recognized consensus-developed risk-based performance \nstandards and develop unspecified market-based incentives designed to \nencourage use of those standards. It would then coordinate with the \nrelevant regulatory agencies and private-sector entities to work to \ninclude the risk-based performance standards in the regulatory regimes \napplicable to the covered critical infrastructure. This approach helps \nensure alignment between existing regulatory regimes and performance \nstandards DHS has identified. In cases where there is no existing risk-\nbased security performance standard, DHS would work with the owners and \noperators of critical infrastructure to mitigate identified risks and \nwould coordinate with international bodies to develop and strengthen \nstandards to address the identified risks.\n    We believe this consultative, risk-based approach will contribute \nto cybersecurity without inhibiting innovation. 
It gives DHS \nflexibility to draw distinctions between different types of critical \ninfrastructure and to work with industry to identify appropriate risk-\nbased performance standards for each.\n    For the sake of privacy, innovation, and effectiveness, Government \nefforts to improve private-sector cybersecurity should adhere to \nseveral overarching principles. The Government should generally avoid \ntechnical mandates. DHS in particular should not have the power to \ndictate technical standards or to override a company's decisions about \nhow to best protect its information systems. Nor should DHS have any \nenforcement power with respect to the performance-based standards it \nidentifies. Instead, enforcement and oversight should occur through \nexisting regulatory schemes. When trying to raise standards, the \nGovernment should generally avoid punitive measures. Penalizing \ncompanies that fall short of some standard will discourage the \nreporting of security incidents and will put the Government in the role \nof adversary rather than partner.\n    As we understand the section of the draft bill adding a new Section \n227 to the Homeland Security Act, it adheres to these principles. In \ncontrast, some of the Senate bills have been particularly worrisome in \nthis regard, giving DHS open-ended regulatory powers to approve \nsecurity plans and to penalize actors who fail to comply with those \nregulations.\\25\\ Under the draft bill, existing regulatory regimes that \nalready authorize a Governmental agency (other than DHS) to dictate \ntechnical standards for an industry or to override decisions of a \nparticular company would remain in place. This seems appropriate--it \nwould leave enforcement with those agencies already set up to regulate \na given sector, most of which have already been addressing \ncybersecurity, sometimes for years. The draft bill seeks to empower \nthose regulators with additional knowledge about risk-based performance \nstandards. 
It would encourage DHS to play a consultative, rather than a \ndirective role, and to work with industry rather than against it. We \nbelieve the bill is intended to leave decisions about the measures a \ncompany should take to reach the necessary level of performance where \nthose decisions belong, with the people who know those systems best--\nthe owners and operators of critical infrastructure information systems \nand the regulators who intimately know the industry. It might be \nappropriate to amend the bill to make the foregoing more explicit, as \nthe White House did in its own legislative proposal.\\26\\\n---------------------------------------------------------------------------\n    \\25\\ S. 413, Cybersecurity and Internet Freedom Act of 2011, \nproposed Section 250(c) of the Homeland Security Act (civil authorizing \npenalties for violators of Section 248, as added by the bill, which \nestablishes a risk management regulatory regime).\n    \\26\\ White House proposal, proposed Section 4(b)(5) of the \nCybersecurity Regulatory Framework for Critical Infrastructure Act.\n---------------------------------------------------------------------------\n    For companies that operate critical infrastructure in sectors that \ndo not have an existing regulatory regime, the bill includes no \nmechanism to promote the adoption of internationally recognized, \nconsensus-driven risk-based performance standards, other than market-\nbased incentives and the existing authority of the Federal Trade \nCommission, which has brought cases against companies engaging in \ninappropriate security practices involving consumers' personal data. \nWhile this seems to leave a gap in oversight and enforcement, we \nbelieve that there is relatively little critical infrastructure that \ndoes not fall within an existing regulatory scheme. 
To the extent that \nthere are such critical infrastructure systems that do not fall within \nan existing scheme (other than the FTC's overarching Section 5 \nauthority), the committee might consider whether it would be \nappropriate to require some level of transparency for companies of a \ncertain size so that the public and/or Congress is made aware of when \nsuch companies fail to adopt and adhere to relevant standards. Any \ntransparency requirement should not mandate disclosure of information \nthat would tip off hackers to particular vulnerabilities.\n          presidential authority in cybersecurity emergencies\n    There has been much discussion about whether the President or the \nDepartment of Homeland Security ought to be given authority to limit or \nshut down internet traffic to or over a privately-owned \\27\\ critical \ninfrastructure information system in an emergency or to disconnect such \nsystems from other networks for reasons of National security.\\28\\ \nThrough omission, both the draft bill, and the White House legislative \npackage implicitly reject this dangerous idea, and we urge you to \noppose any efforts that may be made to include it in any cybersecurity \nlegislation.\n---------------------------------------------------------------------------\n    \\27\\ Presumably, the Government already has the authority to \ndisconnect its own systems from the internet and CDT does not challenge \nsuch authority.\n    \\28\\ The leading Senate cybersecurity bill, S. 413, the \nCybersecurity and Internet Freedom Act, includes such a provision. For \nan analysis, see http://www.cdt.org/blogs/greg-nojeim/does-senate-\ncyber-bill-include-internet-killswitch.\n---------------------------------------------------------------------------\n    To our knowledge, no circumstance has yet arisen that could justify \na Governmental order to limit or cut off internet traffic to a \nparticular privately owned and controlled critical infrastructure \nsystem. 
We know of no dispute where a critical infrastructure operator \nhas refused to take appropriate action on its network that would \njustify the exercise of such a power. Operators have strong financial \nincentives to quarantine network elements and limit or cut off internet \ntraffic to particular systems when they need to do so. They know better \nthan do Government officials whether their systems need to be shut down \nor isolated.\n    In contrast, a new Presidential ``shut-down'' power comes with a \nmyriad of unexamined risks. A shut-down could interfere with the flow \nof billions of dollars necessary for the daily functioning of the \neconomy. It could deprive doctors of access to medical records and \ncripple communications among first responders in an emergency. These \nand other consequences could have world-wide effect because much of the \nworld's internet traffic flows through U.S. networks.\n    Even if such power over private networks were exercised only \nrarely, its mere existence would pose other risks, enabling a President \nto coerce costly, questionable--even illegal--conduct by threatening to \nshut down a system.\n    Giving the Government the power to shut down or limit internet \ntraffic would also create perverse incentives. Private-sector operators \nwill be reluctant to share information if they know the Government \ncould use that information to order them to shut down. Conversely, when \nprivate operators do determine that shutting down a system would be \nadvisable, they might hesitate to do so without a Government order, and \ncould lose precious time waiting to be ordered by the Government to \nshut down so as to avoid liability for the damage a shut-down could \ncause others.\n    Finally, the grant of unfettered ``shut-down'' authority to the \nPresident would give aid and comfort to repressive countries around the \nworld. 
The Government of Egypt was widely condemned when it cut off \ninternet services to much of its population on January 27, 2011, in \norder to stifle dissent. The United States should not now endorse such \na power, even if only for cybersecurity purposes, because to do so \nwould set a precedent other countries would cite when shutting down \ninternet services for other purposes.\n    We urge you to reject proposals to give the President or another \nGovernmental entity power to limit or shut down internet traffic to \nprivately-held critical infrastructure systems.\n                               conclusion\n    We appreciate the opportunity to testify about the draft \nlegislative proposal that is before the committee. We believe the \nlegislation is in many ways a good start and that its light regulatory \ntouch would enhance cybersecurity without stifling innovation. The bill \nwould benefit from some substantial tightening of the information-\nsharing provisions, and we have suggested a number of changes. We look \nforward to working with you on those changes and on other provisions of \nthe draft legislation as it moves through the legislative process.\n\n    Mr. Lungren. Thank you very much, Mr. Nojeim.\n    Mr. Kosar.\n\n STATEMENT OF KEVIN R. KOSAR, ANALYST IN AMERICAN GOVERNMENT, \n                 CONGRESSIONAL RESEARCH SERVICE\n\n    Mr. Kosar. Chairman Lungren, Ranking Member Clarke, Members \nof the subcommittee, on behalf of the Congressional Research \nService I would like to thank you for the opportunity to \ntestify today.\n    CRS was asked to examine draft legislation to amend the \nHomeland Security Act of 2002 to establish a National \nInformation-Sharing Organization, or NISO. CRS' examination \nfocused solely upon the organizational structure of NISO and \ndoes not address cybersecurity policy.\n    My written testimony provided a preliminary examination and \nanalysis of NISO as presently proposed. 
In my limited time \nhere, I will briefly review NISO's proposed structure and \nprovide comments on it.\n    The draft legislation would establish NISO as a not-for-\nprofit organization for sharing cyberthreat information and \nexchanging technical assistance, advice, and support, and \ndeveloping and disseminating necessary information security \ntechnology. NISO would have a 15-person board of directors that \ninitially would be appointed by the Secretary of the Department \nof Homeland Security. Board members would include a \nrepresentative from DHS, four persons from Federal agencies \nwith cybersecurity responsibilities and ten individuals from \nthe private sector.\n    After the first year, the private-sector members would be \nreplaced through elections held by NISO. As my written \nstatement indicates, NISO would appear to meet CRS' definition \nof a quasi-Governmental entity. It would be a Government-\nestablished organization that combines the legal \ncharacteristics of both the Governmental and private sectors. \nNISO would be authorized by Federal statute and required to \nserve purposes set by Federal statute. Yet NISO also would be \nled by a board comprised mostly of individuals from the private \nsector, and NISO would be mostly funded by the private sector.\n    In the limited time available, I was able to locate only \none precedent for an organization that was substantially \nstructured like NISO: SEMATECH, which Congress established by a \nstatute in 1987. That said, NISO would have notable differences \nfrom SEMATECH. Now, quasi-Governmental organizations are not \nnew in the United States. Congress chartered the quasi-\nGovernmental First Bank of the United States in 1791. 
Quasi-\nGovernmental entities can be creative vehicles for addressing \ncomplex public policy issues.\n    However, for Congress an enduring question with quasi-\nGovernmental entities is the matter of accountability; \nspecifically, how to ensure a partially or mostly private \norganization will faithfully execute the law and be responsive \nto policymakers.\n    Now, trying to ascertain how an organization might behave \nbased upon examining its statute is inherently challenging as \nits plain organizational behavior is affected by non-statutory \nfactors, such as the quality of its management and the Federal \nGovernment's oversight thereof.\n    With those caveats noted, based upon a preliminary \nanalysis, NISO appeared to likely be an organization that would \noperate in a largely self-directed private-sector manner.\n    I suggest this based upon the following observations:\n    First, the draft legislation would have Federal \nrepresentatives fill a minority, five, of the 15 board \npositions. The rest would be private-sector representatives.\n    Second, the board itself, not the President or the DHS \nSecretary, would have the authority to choose NISO's chair and \nco-chair, and these persons must be private-sector \nrepresentatives. Additionally, the board would also be \nempowered to incorporate NISO as an organization, set all its \nrules for operations, employment, and compensation, and to \nappoint its officers.\n    Third, who would actually do the day-to-day work of NISO is \nunclear. NISO's board would choose one or more operators based \nupon the criteria set in section 241(d). 
Additionally, whether \nboard members would be full-time employees actively engaged in \noperational oversight is not clear.\n    Fourth, NISO would appear to have considerable discretion \nto decide which non-Federal organizations would be permitted or \nable to join NISO.\n    Fifth, there would not appear to be any requirement that \nGAO or an inspector general be able to audit or examine NISO's \nbooks. NISO would not be required, so far as I can tell, to \nprovide annual reports to the Congress and the President on its \noperations and whether or not it is reaching its benchmarks.\n    Sixth and finally, the draft legislation would limit the \nFederal Government's contribution to no more than 15 percent of \nNISO's annual operating costs. Whether the threat of losing \nthat 15 percent contribution would be a sufficient carrot to \nencourage on-going NISO compliance with Government direction is \nnot clear.\n    I will conclude my testimony here. If CRS may be of further \nassistance to you, I and my colleagues stand ready to help. \nOnce again, thank you for the privilege to appear before you \ntoday.\n    [The statement of Mr. Kosar follows:]\n                  Prepared Statement of Kevin R. Kosar\n                            December 6, 2011\n                              introduction\n    Chairman Lungren and Ranking Member Clarke, and Members of the \nsubcommittee--on behalf of the Congressional Research Service, I would \nlike to thank you for this opportunity to appear before you today.\n    CRS was asked to examine draft legislation that would amend the \nHomeland Security Act of 2002 (6 U.S.C. 
101 et seq.; HSA) for multiple \npurposes.\\1\\ In particular, CRS was asked to provide its observations \non Section 3 of the draft legislation, which would amend Title II of \nHSA to establish a National Information Sharing Organization (NISO).\n---------------------------------------------------------------------------\n    \\1\\ The draft legislation supplied by the committee is dated \nNovember 2, 2011 (1:58 p.m.).\n---------------------------------------------------------------------------\n    Per your request, this written statement focuses solely upon the \norganizational structure of the NISO.\\2\\ It first describes the \norganizational attributes of NISO as proposed in draft legislation, and \nthen provides observations on NISO as a type of quasi-Governmental \nentity.\n---------------------------------------------------------------------------\n    \\2\\ Thus, no analysis is provided of the role the NISO would play \nin the realm of cybersecurity policy or how NISO would integrate or \ncoordinate with existing cybersecurity authorities.\n---------------------------------------------------------------------------\n             organizational attributes of the proposed niso\n    The draft legislation would establish NISO as a ``not-for-profit \norganization for sharing cyber threat information and exchanging \ntechnical assistance, advice, and support and developing and \ndisseminating necessary information security technology.'' The draft \nfurther defines the NISO's purpose as:\n\n``serving as a National clearinghouse for the exchange of cyber threat \ninformation so that the owners and operators of networks or systems in \nthe private sector, educational institutions, State, Tribal, and local \ngovernments, entities operating critical infrastructure, and the \nFederal Government have access to timely and actionable information in \norder to protect their networks or systems as effectively as \npossible.''\n\n    The NISO would have a 15-person Board 
of Directors that would be \nappointed by the Secretary of the Department of Homeland Security. \nBoard members would include a representative from the Department of \nHomeland Security, four persons from Federal agencies with \n``significant responsibility for cybersecurity,'' and 10 individuals \nfrom the private sector. These latter appointees would include two \nrepresentatives from the ``privacy and civil liberties community,'' and \neight representatives of critical infrastructure stakeholders, \nincluding: Banking and finance, communications, defense industrial \nbase, energy (electricity, oil, and natural gas), health care, and \ninformation technology. Each Board member would serve 3-year terms, and \nprivate sector members would be replaced through elections held by the \nNISO.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ The initial private-sector Board members would serve 1-year \nterms, and then would be replaced through elections. Whether said \nmembers would be permitted to seek re-election is not addressed by the \nlegislation.\n---------------------------------------------------------------------------\n    The Board would be empowered to incorporate the NISO, to choose its \nown chairperson and co-chairperson, and to devise all bylaws and rules \nfor the operation of NISO. 
The draft bill does not address \nwhether NISO Board Members would be full-time employees or what their \ncompensation would be.\n    The draft legislation would limit the Federal Government's \ncontribution to 15% of NISO's annual operating costs.\n                              observations\nNISO: A Governmental, Private Sector, or Quasi-Governmental Entity?\n    According to the discussion draft, the NISO would appear to meet \nCRS's definition of a quasi-Governmental entity: A Government-\nestablished organization that combines the legal characteristics of \nboth the Governmental and private sectors.\\4\\ As Table 1 indicates, the \nNISO would have attributes that are Governmental, private sector, and \nhybrid (both Governmental and private sector).\n---------------------------------------------------------------------------\n    \\4\\ Generally, see CRS Report RL30533, The Quasi Government: Hybrid \nOrganizations with Both Government and Private Sector Legal \nCharacteristics, by Kevin R. Kosar.\n\n                TABLE 1.--ATTRIBUTES OF THE PROPOSED NISO\n------------------------------------------------------------------------\n                                    Private Sector\n     Governmental Attributes          Attributes       Hybrid Attributes\n------------------------------------------------------------------------\nAuthorized by Federal statute...  
Board members       The Board of\n                                   would incorporate   Directors is\n                                   the NISO by         comprised of 10\n                                   filing              private-sector\n                                   incorporation       representatives\n                                   papers with a non-  and 5 Federal\n                                   Federal authority   agency\n                                   (e.g., a State or   representatives.\n                                   District of\n                                   Columbia).\nRequired to serve purposes set    The NISO would      NISO would be\n by Federal statute.               have the            funded by both\n                                   authority to        the Federal\n                                   establish its own   Government and\n                                   operating           the private\n                                   procedures and      sector.\n                                   mission statement.\nSecretary of Homeland Security    The NISO is         NISO membership is\n appoints the Board of Directors.  explicitly          partially set by\n                                   exempted from the   statute, and\n                                   Freedom of          partially devised\n                                   Information (Act    by NISO's Board\n                                   5 U.S.C. 552).      of Directors.\n------------------------------------------------------------------------\n\n    When Congress creates quasi-Governmental entities, it tends to do \nso on an ad hoc basis. That is, each quasi-Governmental entity is \ncrafted by a separate statute, and that statute is sculpted according \nto a variety of policy and political considerations. 
That caveat noted, \nCRS previously has identified a number of types of quasi-Governmental \nentities.\\5\\ The entities for each of these types share basic \norganizational attributes (e.g., GSEs are for-profit), and these quasi-\nGovernmental types are listed in Table 2.\n---------------------------------------------------------------------------\n    \\5\\ CRS Report RL30533, The Quasi Government: Hybrid Organizations \nwith Both Government and Private Sector Legal Characteristics, by Kevin \nR. Kosar.\n\n    TABLE 2.--TYPES OF QUASI GOVERNMENTAL ENTITIES IDENTIFIED BY CRS\n------------------------------------------------------------------------\n                   Type                                Example\n------------------------------------------------------------------------\nQuasi-Official Agencies...................  State Justice Institute.\nGovernment-Sponsored Enterprises..........  Fannie Mae.\nFederally-Funded Research and Development   Sandia National\n Centers.                                    Laboratories.\nAgency-Related Nonprofit Organizations....  (See below):\n    Adjunct Organizations Under the         National Pork Board.\n     Control of a Department or Agency.\n    Organizations Independent of, But       Henry M. Jackson Foundation.\n     Dependent Upon, Agencies.\n    Nonprofit Organizations Affiliated      National Park Foundation.\n     with Departments or Agencies.\nVenture Capital Funds.....................  In-Q-Tel.\nCongressionally Chartered Nonprofit         American Legion.\n Organizations.\nInstrumentalities of Indeterminate          U.S. Investigation Services.\n Character.\n------------------------------------------------------------------------\nSource.--CRS Report RL30533, The Quasi Government: Hybrid Organizations\n  with Both Government and Private Sector Legal Characteristics.\n\n    As presently proposed, the NISO could be characterized as an \nagency-related non-profit organization. 
NISO would be a non-profit \norganization and it would have an affiliation with the Department of \nHomeland Security by virtue of the Secretary's role in selecting a \nminority of NISO's board members.\n    However, NISO organizationally would not fit neatly into any of the \nsubtypes of agency-related non-profit organizations above. Rather, it \nwould possess characteristics associated with all three subtypes. Like \nthe National Pork Board and other agricultural check-off entities, it \nwould charge its members fees. As with the Henry M. Jackson Foundation, \nthe NISO would undertake a research agenda that is broadly defined in \nstatute. And like the National Park Foundation, the NISO would be \naffiliated with a Federal agency and have Federal representatives on \nits board.\\6\\\n---------------------------------------------------------------------------\n    \\6\\ A board comprised of representatives of both the Government and \nprivate sector is not unusual for quasi-Governmental entities. The \nAmerican National Red Cross, which was chartered a century ago, is a well-\nknown example. Federal representation on the board of the Red Cross was \nchanged most recently in 2007. Pub. L. 110-26 authorizes the President \nto appoint one board member and to name the chairman of the board. CRS \nReport RL33910, The Charter of the American National Red Cross: Current \nIssues and Proposed Changes, by Kevin R. Kosar.\n---------------------------------------------------------------------------\n    One particularly notable aspect of the NISO as currently proposed \nis that it would charter itself. Typically, quasi-Governmental entities \nare chartered via Federal statute; the law itself incorporates the \nentity. 
Such charters typically set forth the corporation's: (1) Name; \n(2) purpose(s); (3) duration of existence (limited or in perpetuity); \n(4) governance structure (e.g., executives, board members, etc.); (5) \npowers; and (6) the schema for Federal oversight (e.g., annual \nreporting).\\7\\\n---------------------------------------------------------------------------\n    \\7\\ CRS Report RS22230, Congressional or Federal Charters: Overview \nand Current Issues, by Kevin R. Kosar, p. 1.\n---------------------------------------------------------------------------\n    In the limited time available, CRS could locate only one recent \nprecedent for self-chartering--the Semiconductor Manufacturing \nTechnology (SEMATECH) consortium--an entity established by Congress in \n1987 (Pub. L. 100-180, Part F; 101 Stat. 1068).\\8\\\n---------------------------------------------------------------------------\n    \\8\\ A copy of SEMATECH's legislation is attached to this \nmemorandum.\n---------------------------------------------------------------------------\n    Congress established SEMATECH in response to the United States' \ngrowing dependency upon Japan for semiconductors.\\9\\ Viewing this as a \nNational security vulnerability, SEMATECH was a quasi-Governmental \nentity comprised of more than a dozen major domestic semiconductor \nmanufacturers, such as AT&T Microelectronics and Intel.\\10\\ SEMATECH \nwas a research and development enterprise whose purposes were to \n``encourage the semiconductor industry in the United States--(A) to \nconduct research on advanced semiconductor manufacturing techniques; \nand (B) to develop techniques to use manufacturing expertise for the \nmanufacture of a variety of semiconductor products.'' SEMATECH was \naffiliated with the Department of Defense (DoD) but was led and staffed \nby the private-sector stakeholders (not Government appointees and \nemployees).\n---------------------------------------------------------------------------\n  
  \\9\\ CRS Report 92-749 SPR, SEMATECH: Issues in Evaluation and \nAssessment, by Glenn J. McLoughlin. (Archived report available from the \nauthor of this report.)\n    \\10\\ CRS Report 91-831 SPR, SEMATECH Facts, by Glenn J. McLoughlin. \n(Archived report available from the author of this report.) SEMATECH \nalso had an adjunct organization, SEMI/SEMATECH, comprised of \napproximately 130 U.S. equipment suppliers and materials suppliers.\n---------------------------------------------------------------------------\n    The costs of SEMATECH were shared between the Federal Government \nand the private sector--the Federal Government funded SEMATECH via \ngrants authorized by the Secretary of Defense, and SEMATECH charged its \nmembers annual dues.\n    While NISO and SEMATECH share some organizational attributes, there \nare at least two considerable differences (Table 3). First, SEMATECH's \nlegislation required that the DoD and SEMATECH operate under a memorandum of \nunderstanding (MOU) that provided the DoD with certain authorities over \nSEMATECH, such as the authority to participate in the development of \nSEMATECH's annual operating plan. Additionally, SEMATECH's statute \ncreated an Advisory Council on Federal Participation in SEMATECH. 
This \n12-person panel was comprised of both Federal stakeholders and \nPresidential appointees from the private sector.\\11\\ The panel advised \n``Sematech and the Secretary of Defense on appropriate technology goals \nfor the research and development activities of Sematech and a plan to \nachieve those goals,'' and conducted annual reviews of its \nprogress.\\12\\ The draft legislation for the NISO does not include \nsimilar provisions.\n---------------------------------------------------------------------------\n    \\11\\ The members were: The Under Secretary of Defense for \nAcquisition, who served as chair; the Director of Energy Research of \nthe Department of Energy; the Director of the National Science \nFoundation; the Under Secretary of Commerce for Economic Affairs; the \nChairman of the Federal Laboratory Consortium for Technology Transfer; \nand seven Presidential appointees who were to include four members \n``who are eminent individuals in the semiconductor industry and related \nindustries;'' two members ``who are eminent individuals in the fields \nof technology and defense;'' and one member ``who represents small \nbusinesses.''\n    \\12\\ Additionally, SEMATECH's legislation required annual \nindependent audits of SEMATECH and Comptroller General review of these \naudits. SEMATECH had to submit its audits to Congress and the DoD \nSecretary. No reporting or audit requirements are included in the \ndraft legislation for the NISO.\n\n    TABLE 3.--COMPARISON OF SELECTED NISO AND SEMATECH ORGANIZATIONAL\n                               ATTRIBUTES\n------------------------------------------------------------------------\n               Similarities                          Differences\n------------------------------------------------------------------------\nSelf-chartering.                            MOU between SEMATECH and\n                                             DoD.\nAffiliated with a Federal agency.           
Advisory Council on Federal\n                                             Participation in SEMATECH.\nFunded by the Federal Government and\n private sector.\nPrivate sector leadership and employees...\n------------------------------------------------------------------------\n\n   quasi-governmental entities: rationales, accountability, and niso\nBenefits and History\n    Congress has been establishing quasi-Governmental entities since \nthe Nation's founding. For example, Congress chartered the First Bank \nof the United States in 1791 (1 Stat. 192, Section 3) to stabilize the \nNation's currency and provide a safe depository for funds and serve as \na source of credit. The bank was a hybrid entity--it was capitalized \nthrough a stock offering, and both the Federal Government and private \ninvestors purchased shares. The bank's debt was the Nation's debt. \nPrivate shareholders elected most board members, and the Treasury \nDepartment was authorized to inspect the bank's accounts.\n    The creation of Federal quasi-Governmental entities has increased \nsince the 1960s. Many arguments have been advanced to support the \ncreation of these hybrid organizations. However, the current popularity \nof the quasi-Government option may be traced to the following \nimpetuses:\n    1. the desire to avoid creating another Federal ``bureaucracy;''\n    2. the current controls on the Federal budget process that \n        encourage Federal agencies to rely less on annual \n        appropriations;\n    3. the desire to make Government operate more like a private-sector \n        organization; and\n    4. the belief that management flexibility requires entity-specific \n        laws and regulations, and thus exemption from Government-wide \n        management statutes (e.g., Administrative Procedure Act; 5 \n        U.S.C. 
551 et seq.)\\13\\\n---------------------------------------------------------------------------\n    \\13\\ CRS Report RL30533, The Quasi Government: Hybrid Organizations \nwith Both Government and Private Sector Legal Characteristics, by Kevin \nR. Kosar, p. 1. On the Federal Government's management laws, see CRS \nReport RL30795, General Management Laws: A Compendium, Clinton T. \nBrass, Coordinator.\n---------------------------------------------------------------------------\n    Many quasi-Governmental entities exist, and many have been \nconsidered to be successful. The National Park Foundation, for example, \nannually raises significant private support for the Nation's public \nparks.\\14\\\n---------------------------------------------------------------------------\n    \\14\\ National Park Foundation, 2011 Annual Report, at http://\nwww.nationalparks.org/files/about/financials/annual-report-2011.pdf.\n---------------------------------------------------------------------------\nCost\n    With quasi-Governmental entities there also may come a cost--\nreduced accountability to Federal Governmental direction.\\15\\\n---------------------------------------------------------------------------\n    \\15\\ Jonathan G.S. Koppell, The Politics of Quasi Government: \nHybrid Organizations and the Control of Public Policy (New York: \nCambridge University Press, 2003); and Ronald C. Moe, ``The Emerging \nFederal Quasi Government: Issues of Management and Accountability,'' \nPublic Administration Review, vol. 61, iss. 3, May/June 2001, pp. 290-\n312.\n---------------------------------------------------------------------------\n    An organization's institutional structure can affect its \naccountability to Congress and the President. In simplest terms, the \nmore tightly yoked to Legislative and Executive Branch authorities an \norganization is, the more responsive to those authorities the \norganization can be expected to be. 
Hence, if organizations are \nconsidered as existing on a spectrum--with a wholly-Governmental agency \non one end and a wholly-private firm on the other--the former would \ntend to be the most accountable and responsive to Federal direction, \nwhile the latter the least.\n    This organizational responsiveness to Federal direction comes \nthrough a number of means, including: (1) Federal involvement in the \nappointment of the organization's leadership; (2) the organization's \nlocation within or outside the Government; (3) requirements for annual \nauditing and reports to Federal authorities (Congress, the President, \nand agency heads); and (4) the organization's reliance on appropriated \nfunding.\\16\\\n---------------------------------------------------------------------------\n    \\16\\ An organization that is required to be self-financing will \nhave a strong incentive to act in its own self-interest, possibly at \nthe cost of fully pursuing its statutorily-prescribed goals or \ncomplying with Government-prescribed operational rules.\n---------------------------------------------------------------------------\n    Assessed on these criteria, NISO might be expected to behave \nindependently of the Federal Government (Table 4).\n\n            TABLE 4.--ORGANIZATIONAL ACCOUNTABILITY AND NISO\n------------------------------------------------------------------------\n                                                        NISO\n------------------------------------------------------------------------\nFederal appointees........................  Minority; 5 of 15 directors\n                                             would be Federal\n                                             representatives; the board\n                                             would choose its chair and\n                                             co-chair, who cannot be\n                                             Federal representatives.\nLocation within or outside the Government.  
Private sector; not\n                                             explicitly placed within a\n                                             Federal agency or branch of\n                                             Government.\nAnnual auditing and reporting requirements  None.\nReliance on appropriated funding..........  Low Federal contribution\n                                             (not more than 15% of\n                                             annual operating costs).\n------------------------------------------------------------------------\n\n    Organizational accountability to overseers, it has been noted, is \nnot an unalloyed good. A frequent criticism of Federal Governmental \nentities (such as agencies) is that they are too responsive to diverse \nFederal oversight authorities. Their efforts to satisfy the demands of \ndiverse stakeholders may result in underperformance of an agency's \ngeneral or National policy objectives.\\17\\ As noted above, one of the \narguments for establishing a quasi-Governmental entity is the intention \nthat it operate less like a Governmental entity and more like a private \nfirm.\\18\\\n---------------------------------------------------------------------------\n    \\17\\ For example, Congress established Base Realignment Commissions \nin order to close unneeded DoD facilities. CRS Report 97-305, Military \nBase Closures: A Historical Review from 1988 to 1995, by David E. \nLockwood and George Siehl.\n    \\18\\ The presumption is that a private firm will perform more \noptimally than a Governmental one.\n---------------------------------------------------------------------------\n    Additionally, an aspect of organizational accountability is \npredictability, that is, that the entity created will behave as its \ncreators expect. 
When Congress establishes an entity, Governmental or \nquasi-Governmental, it inevitably includes in the statutes the \n``purposes'' of the organization and provides the organization with \nauthorities to attain its purposes.\n    In public administration parlance, there is a principal-agent \nrelationship, wherein Congress (the principal) has established an agent \n(the entity) to execute the law. Quasi-Governmental entities sometimes \nbehave unpredictably should they be established with starkly competing \norganizational imperatives. Governmental entities are to pursue policy \nobjectives (e.g., National defense, poverty reduction, etc.); private \nfirms pursue private objectives (e.g., profit, financial self-\nperpetuation, etc.). Arguably, the Government-sponsored enterprises, \nFannie Mae and Freddie Mac, serve as examples of the unpredictability \nof entities driven by competing Governmental (diverse housing policy \ngoals) and private-sector imperatives (maximizing private shareholder \nvalue).\\19\\\n---------------------------------------------------------------------------\n    \\19\\ These GSEs' statutes contain five different public policy \nobjectives. CRS Report R40800, GSEs and the Government's Role in \nHousing Finance: Issues for the 112th Congress, pp. 2-3. See also \nKoppell, The Politics of the Quasi Government, chapter 5; and \nCongressional Budget Office, Controlling the Risks of Government-\nSponsored Enterprises (Washington: GPO, 1991), chapter 1.\n---------------------------------------------------------------------------\n    Whether NISO would face strongly competing organizational \nimperatives is unclear.\\20\\ Unlike the GSEs, the NISO would be a not-\nfor-profit organization and would not have stockholders. Its objective \nis a collective good--improving security against cyber threats, an end \nwhich each stakeholder has an interest in but cannot attain alone. 
\nNISO's board would have both Governmental and private-sector \nrepresentatives, whose interests may or may not coalesce.\\21\\\n---------------------------------------------------------------------------\n    \\20\\ As NISO resembles SEMATECH, Congress may find value in \nreviewing the performance of SEMATECH.\n    \\21\\ Determining the alignment of interests among the board's \nGovernmental and private-sector members goes beyond the scope of \nthis memorandum and would involve cybersecurity policy and other \nconsiderations.\n---------------------------------------------------------------------------\n    The legal framework within which organizations operate can greatly \ninfluence their behavior by setting incentives and expectations for \noperations.\\22\\ Quasi-Governmental entities sometimes behave \nunpredictably due to their ambiguous legal nature. When Congress \nestablishes a fully Governmental entity, such as an agency, many of the \nentity's attributes are set by default. That is, absent statutory \nprovisions exempting the agency from Federal laws and regulations, the \nagency is subject to them.\\23\\ The Federal Government-wide management \nlaws are many, and include statutes such as the aforementioned \nAdministrative Procedure Act, the various civil service employment and \ncompensation statutes (5 U.S.C. 101 et seq.), and the Lobbying with \nAppropriated Monies Act (18 U.S.C. 1913).\\24\\ Government agencies' \nactions also are bound by various Constitutional limitations. \nOppositely, when a private individual or group establishes a \ncorporation, this private entity will not be subject to the general \nmanagement laws that are applicable to Federal agencies.\n---------------------------------------------------------------------------\n    \\22\\ Thomas H. Stanton, ``Assessing Institutional Development: The \nLegal Framework That Shapes Public Institutions,'' in Robert Picciotto \nand Ray C. 
Rist, eds., Evaluating Country Development Policies and \nPrograms: New Approaches for a New Agenda (Jossey-Bass, 1995), pp. 55-\n68.\n    \\23\\ Ronald C. Moe, ``The Importance of Public Law: New and Old \nParadigms of Government Management,'' in Phillip J. Cooper and Chester \nA. Newland, eds., Handbook of Public Law and Administration (Jossey-\nBass, 1997), p. 46. To be clear, Congress may exempt a Governmental or \nquasi-Governmental entity from coverage by a particular Government \nmanagement statute. For example, in 1995 the Supreme Court considered \nthe issue of distinguishing between a Governmental and private \ncorporation. The National Railroad Passenger Corporation (AMTRAK), \nestablished by Congress (45 U.S.C. 451), and enumerated under 31 U.S.C. \n9101 as a ``mixed-ownership corporation'' (e.g., it was owned by both \nthe private and Governmental shareholders), was sued by Michael Lebron \nfor rejecting, on political grounds, an advertising sign he had \ncontracted with them to display. Lebron claimed that his First \nAmendment rights had been abridged by AMTRAK because it is a Government \ncorporation, and therefore an agency of the United States. AMTRAK \nargued, on the other hand, that its legislation stated that it ``will \nnot be an agency or establishment of the United States Government'' and \nthus is not subject to Constitutional provisions governing freedom of \nspeech. The Court decided that, although Congress can determine \nAMTRAK's Governmental status for purposes within Congress's control \n(e.g., whether it is subject to statutes such as the Administrative \nProcedure Act), Congress cannot make the final determination of \nAMTRAK's status as a Government entity for purposes of determining \nConstitutional rights of citizens affected by its actions. Michael A. \nLebron v. National Railroad Passenger Corporation; 513 U.S. 374 (1995). \nThe AMTRAK Reform and Accountability Act of 1997 (Pub. L. 105-134; 111 \nStat. 
2570) removed AMTRAK from the GCCA list of mixed-ownership 
Government corporations.
    \24\ CRS Report RL30795, General Management Laws: A Compendium.
---------------------------------------------------------------------------
    The United States, then, ``has two distinctive forms of law: public 
law, which governs the activities of governmental bodies in their 
capacities as agents of the sovereign . . . and private law, which 
governs the relations of private parties with one another.''\25\ Thus, 
when Congress creates quasi-Governmental entities that are not clearly 
Governmental nor private sector, confusion may result as to which laws 
apply to the quasi-Governmental entity.\26\ To cite just four examples, 
quasi-Governmental entities have found themselves in legal disputes 
involving questions as to which courts may hear suits against them, 
which Government-wide management laws apply to them, to what extent 
they need to respect a private citizen's First Amendment rights, and 
the constitutionality of prohibiting the removal of their directors 
except for cause.\27\
---------------------------------------------------------------------------
    \25\ Moe, ``The Importance of Public Law: New and Old Paradigms of 
Government Management,'' p. 42.
    \26\ Statutes establishing quasi-Governmental entities often 
include provisions exempting the entity from a particular Government 
management law. SEMATECH, for example, was exempted from the Freedom of 
Information Act (5 U.S.C. 552). Yet, this effort at clarification may 
lead Federal overseers to question whether the statute's silence 
regarding other Government management laws implies that they are 
applicable to the entity. Currently, Congress is considering whether 
the Freedom of Information Act ought to apply to the GSEs Fannie Mae 
and Freddie Mac since they are in Federal receivership and effectively 
Government-owned. 
See CRS Report R42080, Fannie Mae, Freddie Mac, and 
FOIA: Information Access Policy for the Government-Sponsored 
Enterprises, by Wendy Ginsberg and Eric Weiss.
    \27\ Respectively, see Michael T. Maloan, ``Federal Jurisdiction 
and Practice: The American National Red Cross and the Interpretation of 
`Sue and Be Sued' Clauses,'' Oklahoma Law Review, vol. 45, 1992, pp. 
739-760; Animal Legal Defense Fund v. Shalala, 104 F.3d 424 (D.C. Cir. 
1997); Michael A. Lebron v. National Railroad Passenger Corporation 
(513 U.S. 374 (1995)); and Free Enterprise Fund, et al. v. Public 
Company Accounting Oversight Board, et al., 561 U.S. ____, 130 S.Ct. 
3138, 177 L.Ed.2d 706 (2010).
---------------------------------------------------------------------------
    It is difficult to anticipate how predictably the proposed NISO 
would behave due to its ambiguous nature. The draft legislation for 
NISO does not explicitly state whether it is a Governmental entity or a 
private-sector entity. By virtue of the provision that the entity 
should charter itself (presumably under State law), it might be assumed 
that it is intended to be private. The legislation also exempts the 
NISO from the anti-trust provisions of the Clayton Act (15 U.S.C. 12), 
a statute which applies to private-sector firms.
    However, the draft legislation also would make non-applicable to 
NISO two Government management statutes, the Freedom of Information Act 
(5 U.S.C. 552) and the Federal Advisory Committee Act (5 U.S.C. 
Appendix). Furthermore, as NISO would be designed to serve as an 
``information-sharing'' venue regarding cybersecurity issues, the draft 
legislation does provide for the protection of this information. It 
would forbid ``any officer or employee of the United States or any 
Federal agency'' from knowingly disclosing information regarding a 
cyber threat. Violators could be removed from their positions, fined, 
and imprisoned. 
Whether such information protections would apply to all 
NISO directors and employees is unclear. 

    Mr. Lungren. Thank you very much for the testimony of each 
member of the panel. I appreciate you staying within the time 
limits assigned. We will have a round of questions and I will 
start with 5 minutes.
    Dr. Nojeim, thank you--or Mr. Nojeim, thank you very much 
for your testimony. I wonder if you might elaborate on why it 
is important that the DHS is the lead agency in charge of 
civilian cybersecurity. We generally speak about the notion 
that under our Constitutional Governmental structure, it is 
both explicit and implicit that there is civilian control of 
the military. This administration engaged in a memorandum of 
understanding between DOD and DHS so that you have some cross-
fertilization there, but I think they have done a pretty good 
job of making sure that we don't violate the notion of civilian 
control of the military. We happen to think it was important in 
this bill to make it clear that DHS was in charge of civilian 
cybersecurity. But I wonder if you would elaborate a little bit 
on that issue.
    Mr. Nojeim. Thank you for the question. I agree, the bill 
does cement DHS as the lead for civilian cybersecurity 
operations. That is important because those operations need to 
be transparent, and they need to be transparent because the 
private sector controls about 85 percent of the critical 
infrastructure that needs to be protected. It needs to be able 
to trust that information it shares will be used for the proper 
purposes, and it needs to know what is going on because that 
will encourage the private sector to cooperate.
    In a military-led operation, something led by NSA or Cyber 
Command wouldn't be able to build that trust, because for 
otherwise legitimate reasons they operate secretly. 
So I think 
the administration is right to try to draw on the expertise of 
Cyber Command and NSA without putting those agencies in control 
of a civilian program.
    Mr. Lungren. Directed to both Dr. Shannon and Ms. McGuire, 
during the both formal and informal discussions we had, both 
the Republican task force and this committee, and other things 
that we have done with our Democratic counterparts in the past, 
there seem to be at least to me a consensus that with the 
structures we already have, as good as they may be in the 
different industry sectors, the idea that timely access of 
information of threat from the Government to the private sector 
has been an issue, and the issue of trust; that is, that we 
have not established the mechanism by which the private sector 
is encouraged to share more of their information in a timely 
fashion, I guess in some ways because we haven't articulated 
the limits of the use of that information. Why are you going to 
self-report if there is some liability on the other end? So on 
our efforts in coming up with this draft, we came up with a 
concept of NISO.
    Can you give us your thoughts on, if you disagree or if you 
agree, why this shouldn't be done by already existing 
structures, or what problems we have with the suggestion we 
have got in the bill right now? Ms. McGuire.
    Ms. McGuire. So first off, I think there is a couple of 
issues that we see on a regular basis with the current system. 
One is that we don't see that timely actionable information 
coming from the Government flowing to industry. So we have a 
little bit of a chicken-and-an-egg problem here. Industry 
doesn't see valuable information coming from Government, 
therefore industry doesn't perceive the need to provide 
information back to the Government.
    But we also see a situation where industry is not 
necessarily incentivized to provide information to the 
Government. 
There is not a clear articulation of what kind of 
information the Government needs from industry. I have actually 
sat in meetings where I have had Government folks actually say 
to me: Well, just give us everything. Well, that is impossible. 
I don't think the Government has enough data centers to store 
all the information that industry has, nor do they want it.
    Mr. Lungren. Nor do you want to give it all to them.
    Ms. McGuire. Nor do we want to give it all to them. 
Exactly. So we have a little bit of that situation. So I think 
that this notion of incentivizing industry to share more 
information is a really important concept that is articulated 
in the bill.
    To your question about why current structures in existence 
shouldn't be used for the NISO, my view is that we already have 
private industry engagement and buy-in to a NISO-like concept 
and that we really do need to build on those existing 
structures and frameworks that we have in place. So if there is 
a way to articulate this NISO framework that includes those 
existing structures, I think you will get a lot more buy-in 
from industry than trying to set up a separate new entity.
    Mr. Lungren. Dr. Shannon.
    Mr. Shannon. Thank you. I have four quick points. One is 
the notion of sharing information has been evolving for over 2 
decades, and the need for timeliness and what information there 
is, the technologies involved, the players involved, the civil 
liberties issues involved, have been evolving. So I think that 
is part of why you see in that second diagram this jumble of 
links is kind of what has accrued over the decades. This sort 
of legislation I think is another important attempt to try and 
get it to the right point.
    Incentives are about encouraging the emergence of a capable 
organization. 
We are not going to know, a priori, what the 
right incentives are, so I suggest soft incentives rather than 
hard incentives, such as tax breaks and such, to encourage 
people to consider doing the right thing. As you see them doing 
the right thing, then you can provide for their encouragement 
for those lagging behind.
    As Ms. McGuire mentioned, I think feedback, timely feedback 
from the Government to private entities is a missing 
capability, and that really will cement the deal. It is about 
valued propositions on both sides. Regardless of how much the 
private industry is paying up front, if anything, the fact is 
they invest a tremendous amount in cybersecurity on their own, 
and so any involvement has a price and they want to know kind 
of how they can benefit from that for the benefit of their 
shareholders and their customers. Thank you.
    Mr. Lungren. Ms. Clarke is recognized for her questions.
    Ms. Clarke. Thank you, Mr. Chairman. Thank you to our 
panelists for your testimony here this morning.
    My first question is posed to Ms. McGuire and to Dr. 
Shannon and to Mr. Nojeim. There is general agreement that 
enhanced information sharing is key to improving cybersecurity. 
For DHS' part, it has worked diligently to support sector ISACs 
as forums for information sharing and has stepped up its cyber 
operations with the creation of NCIC and US-CERT. There is 
limited cybersecurity resources, financial and personnel, in 
the private sector and Government.
    If the NISO was established, how do we guard against these 
limited resources being diverted from existing efforts to the 
new platform?
    Ms. McGuire. Well, I think that your statement about the 
limited resources is a particularly challenging area for the 
Department of Homeland Security. 
As a former employee, I 
actually was the director for awhile, as well as a deputy 
director of the National Cybersecurity Division in the US-CERT, 
with first-hand knowledge and experience of some of those 
resource challenges. I think they are particularly challenged, 
though, by a lot of staff turnover amongst their leadership. 
This is creating a continuity issue there. So the progress that 
they have made thus far with the NCIC, while I think it is 
commendable given the current situation, there is still a long 
way to go. In particular, dealing with private industry, the 
level of which we are seeing information sharing has not 
matured to a level where I think it is creating the kind of 
value proposition that Dr. Shannon just talked about, and that 
effort really needs a focused concerted effort by the 
Department and its leadership if we are going to realize this 
information sharing. I am not even going to say nirvana, just a 
progress step forward.
    Mr. Shannon. Thank you. There are two elements. One is that 
there is a desire to reach a broad spectrum very quickly. Some 
of the programs that you talked about, the NCIC and the DIB 
programs, for example, are just beginning to scale and still 
haven't demonstrated what the challenges are going to be in 
reaching full scale. So I see the current NISO effort as 
being--it will help existing efforts by in some sense taking 
the pressure off and trying to reach a broader audience faster, 
as opposed to waiting for these smaller efforts to mature.
    Mr. Nojeim. We think that an incremental approach is called 
for, an examination of why information sharing under the 
current structures isn't working. Then once those problems are 
identified, Congress should ask, well, does NISO address each 
one? If it doesn't, then you are creating a redundant 
information-sharing entity. But if it does, you are creating 
one that will solve problems. 
So that is the approach that we 
would recommend.
    Ms. Clarke. I fully understand where all three of you are 
coming from, but the issue, though, is resources, right? So if 
we are at a point where resources are limited and there is a 
possibility that there could be some redundancy, how do we sort 
of reconcile that? You could have a situation where you are 
spread so thin that no one meets their mission, and I don't 
know whether that has been a consideration, given the entities 
that we currently have that are working on these efforts--we 
are now considering an additional, and how we would make sure 
that they have what they need to meet their mission.
    So I wanted to just sort of get a sense of, you know, is 
there something innovative that you can think of that would 
maybe make one of the entities self-funding, I don't know. But 
it would appear to me that if we have all of these entities out 
there, many of whom have not fully stood up yet but are going 
to require a resource in order to meet their mandates, that is 
something that we ought to consider up front.
    Mr. Shannon. If I might add, setting measures of success 
and expectations of success I think is important. It goes back 
to being operationally and scientifically valid, to know what 
the intention of the organization is and how you will know when 
that organization's mission is being met. As I mentioned, 
because of the evolving threat, landscape, and technologies, 
what works today may not work as well tomorrow. So it is 
difficult to divine what the right organization is today. So I 
encourage you to consider multiple efforts such as we do have 
today, but I would agree that consolidation to the current 
budget environment is important.
    Ms. Clarke. Thank you, Mr. Chairman.
    Mr. Lungren. Thank you. The gentleman from Texas, Mr. 
McCaul, is recognized for questioning.
    Mr. McCaul. Thank you, Mr. Chairman. 
Let me commend you for 
this legislation. I think it provides clarity and guidance as 
to who should be in charge. For a long time we have talked 
about who is in charge of cybersecurity in the Federal 
Government. For a long time NSA was not coordinating with the 
Department of Homeland Security, and they are now.
    But when we talk about the issue of information sharing, 
which is critical to protecting these infrastructures, that is 
where I think this bill really comes into play. Mr. Nojeim, you 
talked about civilian control, and I agree with that 
assessment. There is a bill that was passed out of the 
Intelligence Committee that does not really specify which 
agency within the Federal Government should be in charge of 
this effort of information sharing. Some would argue that the 
NSA, because of the pilot program, the Defense industrial base 
pilot program, that NSA is the best agency to conduct that.
    I tend to disagree with that assessment, because as you 
mentioned, civilian control is important here. In terms of 
international sharing of information, I don't think going to 
the intelligence community is going to be the right answer to 
this issue.
    So with that, I just want to throw that out to the panel. 
Who do you see is the best agency to be in charge of this 
critical component of information sharing? I personally think 
it should be DHS. Tell me why I am right, or maybe why I am 
wrong, in that assessment.
    Mr. Nojeim, if you want to lead on this.
    Mr. Nojeim. I will start. As I said a minute ago, civilian 
control will promote the transparency that is essential to 
building cooperation and trust with the private sector. 
You got 
to have the private sector involved because they own and 
operate most of the critical infrastructure.
    But thinking for a minute through what the House 
Intelligence Committee did, one thing they did that seems like 
a good idea is to unlock the classified information, 
particularly the classified attack signatures that the NSA has, 
for the benefit of industry. It is important to accomplish that 
in legislation. If that legislation stopped there, with this 
flow of information from the intelligence agencies to private 
network operators who could then use it to protect their 
systems, we would support it.
    The problem with that bill is that it opens a flow back to 
the intelligence agencies and to Cyber Command, and to other 
Governmental agencies that are not specified at all, of 
information from the private sector that could include regular 
user communications. It is important to limit that flow back, 
and I think that your bill, the bill that you are looking at, 
could do that with some very targeted amendments.
    Mr. McCaul. Dr. Shannon and Ms. McGuire, what is your 
assessment in terms of who should be the lead agency?
    Mr. Shannon. I have to say no comment, thank you. We are a 
Federally-funded research and development laboratory.
    Mr. McCaul. I understand. Ms. McGuire, you may have the 
same response.
    Ms. McGuire. We believe that a civilian agency is the right 
and appropriate authority for this entity. As a global private 
company, it is very difficult for us to operate in a global 
playing field if we have this kind of interaction direct with 
some of the other agencies.
    Mr. McCaul. For a long time we have had the ISACs. The 
Information Sharing Analysis Centers have been kind of the 
vehicle for information sharing in the past. I think this bill 
actually provides again that clarity that I think is needed.
    The ISACs have not been totally functional. 
They haven't 
worked as I think they were expected to work. I think this is a 
good opportunity to really put something in place in 
legislation that can be a real vehicle for information sharing. 
Do you all agree with that assessment?
    Ms. McGuire. While I agree that the NISO as a concept and a 
framework can seek to accomplish that, I do have concerns about 
ensuring that those existing entities, such as the ISACs and 
the sector coordinating councils, that industry has put so much 
effort and resources into over the last 10 years, do not go by 
the wayside. I am a firm believer that we have to improve those 
entities. I think that the information sharing and the direct 
engagement with Government has not always been, shall I say, as 
positive between the ISACs and the Government agency of DHS. I 
would be happy to share some specific examples with you after 
this hearing when there is more time.
    Mr. McCaul. How would you recommend merging--I see my time 
is about expired--how would you recommend merging the 
existing--you know, the ISACs--with this National information 
sharing organization?
    Ms. McGuire. Well, I think that is something that we need 
to explore more in depth, because those ISACs for the most part 
are privately funded, privately incorporated, industry-owned 
and -operated entities, and so I think we need to have that 
dialogue of how we would incorporate them into this framework.
    Mr. McCaul. Dr. Shannon, do you have any comments?
    Mr. Shannon. One comment is, again, going back to measures 
of expectations. When you stand up, whether it is the ISACs or 
any other entity over the last couple of decades, there were 
original intentions about what they should be able to achieve. 
Some of the things they were able to achieve and some things 
they were not, for various reasons. So I think doing a critical 
assessment at the current time of what those needs are would be 
helpful. 
I mean that is part of what CERT and the SEI has been 
involved in in assisting the Government with the DIB 
evaluations that have gone on. It is excruciating, but I think 
in the end it was very valuable to policymakers.
    Mr. McCaul. We look forward to your comments following up 
on how we can best merge these entities. Mr. Chairman, my time 
is expired. Thank you.
    Mr. Lungren. Thank you. Mr. Walberg is recognized for his 
questions.
    Mr. Walberg. Thank you, Mr. Chairman. Living in a 
delegation who has the dubious distinction of having the 
Chairman of the Intelligence Committee in our delegation, with 
a perverted sense of just giving us enough information about 
cybersecurity potential attacks and causing us to not sleep as 
much as he, I think that is a challenge that we have. So I 
appreciate your efforts here and I appreciate the panel being 
here today as well.
    Mr. Kosar, let me ask you, is there anything in the draft 
language regarding the structure of NISO that in your opinion 
would prevent the NISO from accomplishing its mission?
    Mr. Kosar. It is difficult to say. I think one underlying 
requirement for the organization to be functional is that 
organizations have to feel it is going to be a safe space where 
they can share information and that the information is not 
going to get out. I looked over the information protection 
provisions, and I confess I just didn't quite fully understand 
whether there were sufficient incentives to ensure that NISO 
participants did not leak or illicitly share information and 
cause damage to members.
    Mr. Walberg. How could that be remedied?
    Mr. Kosar. I honestly don't know at this point. I would 
have to think further about it and consult with my colleagues.
    Mr. Walberg. Okay. You were going on. I apologize for 
jumping in.
    Mr. Kosar. Oh, sure. 
No, I think one interesting aspect 
that I gleaned from looking at this is that if NISO is able to 
get up and running and to gain a reputation for appearing to be 
a very sound organization, private-sector members might want to 
flock to be part of this organization, not only because they 
could get information from it which is valuable to it, but also 
because it might kind of create a sort of Good Housekeeping 
Seal of Approval for companies who are participants. So that 
might be a pull factor and encourage collaboration.
    Mr. Walberg. Thank you.
    Ms. McGuire, you evidently have a lot of personal 
experience with DHS and its cybersecurity mission. With regard 
to the authorities provided to DHS in the draft bill, are there 
any left out?
    Ms. McGuire. I don't think so. I mean, I read the draft 
legislation in detail, of course, in preparing for the hearing 
and I don't see anything there that--or didn't see anything 
that was missing, no.
    Mr. Walberg. Well, a credit to the bill sponsor then. Let 
me follow up and ask you if you could explain what you mean by 
risk assessment and any examples that you might have where a 
risk assessment approach has been used to protect against the 
cyberthreats.
    Ms. McGuire. So when we talk about risk assessment we are 
really looking at what are the threats, vulnerabilities, and 
consequences of any particular threat vector. With regard to 
specific examples where risk assessments have been used, the IT 
sector endeavored in 2009 to develop a sector-wide, not a 
company-by-company, but a sector-wide risk assessment to look 
at specific risk to the IT sector at large. 
We worked in 
concert, public-private partnership, with DHS to develop that 
risk assessment and we identified some specific areas in DNS 
routing, identity management, supply chains, some specific 
areas that we felt that we needed as a sector to focus some 
more detail on.
    As a follow-on to that work, we developed some specific 
guidance that was released earlier this year to provide to IT 
sector companies' owners and operators, to help them focus on 
particular risks that we saw from a National level to the 
sector. Interestingly enough, what that risk assessment, 
though, demonstrated was that we as an industry were largely 
resilient because we had a lot of redundancies and processes in 
place to deal with incidents such as cybersecurity attacks and 
things of that nature, but there still were areas that we need 
to improve on.
    So from a risk assessment standpoint, we believe that that 
allows companies to focus in their resources and efforts on 
what they should potentially be protecting according to that 
National-level risk.
    Mr. Walberg. Thank you.
    Mr. Nojeim, how important do you think it is for the 
Department of Homeland Security to identify sector-specific 
cybersecurity risks?
    Mr. Nojeim. I think that having a sector-specific approach 
helps DHS modulate its level of regulation of cybersecurity 
information systems. So, for example, you wouldn't want, as 
Cheri said earlier, you wouldn't want a situation where the 
same kind of security performance standard is applied to a 
nuclear power plant as is applied to something that is much 
less dangerous but it fits within a definition of covered 
critical infrastructure. So DHS needs to have the flexibility 
to adopt a risk-based approach, and I think that the bill gives 
it that flexibility.
    Mr. Walberg. Thank you.
    Mr. Lungren. We have time for a second round. 
So I just 
remember the old deal about tomato-tomahto, we now have 
``NESO'' and ``NISO.'' I asked my staff what is it, and they 
said, Well, since you wrote the legislation you can say. We 
will wait until later until we figure that one out.
    Mr. Nojeim, we talked about protection of privacy and civil 
liberties, how important they are. Would limiting the type of 
information that is shared with the NISO and then limiting how 
that information can be used by members, including the Federal 
Government, address your concerns; and how would you define 
that?
    Mr. Nojeim. I think NISO can be nice to civil liberties. 
The way it could do that, I would define it as, first, I would 
start with attack signatures. Everybody agrees that cyber 
attack signatures ought to be freely shareable. There may be a 
need also to define cyberthreats with reference to actually 
overcoming a technical control, something that is in place to 
stop unwarranted access to a database. We think that this 
information can be defined, we think it can be defined broadly 
enough to permit the share of information that is necessary, 
and we have provided some language to your staff and we will 
continue to work with your staff on that language.
    Mr. Lungren. Ms. McGuire and Dr. Shannon, if NISO is going 
to be successful, there has to be some value there for the 
private sector as well as for the Government. But we are the 
Government setting this concept up, so I suppose we should be 
appealing to the private sector. So it has got to be value.
    So as I think, Ms. McGuire, you mentioned, it has got to be 
something that is unique or something that they can't get 
otherwise, because otherwise why buy into this?
    On the other hand, in terms of the participation of the 
private sector, we could set up rules, as suggested by Mr. 
Nojeim, to say this is the limitation on the use of the 
information by the Government that has been given to them by 
the private sector.
    But does the concept of subsequent liability protection 
come into play, or is that something we don't have to discuss? 
If I'm making a decision for myself or my company as to whether 
I should share this information with the Government, even 
through this entity, I might be dissuaded if I thought that is 
going to subject me to a slew of lawsuits. Do we have to deal 
with that concept? I know there are other things to figure out. 
Have they followed proper procedures and so forth before they--
but is that something that is necessary, or is that a concept 
that is redundant or unnecessary?
    Mr. Shannon. As I testified back in June, the notion of 
safe harbor protections I think is important. You want to free 
the people involved in incidents and collecting using the 
information.
    Mr. Lungren. I know it is important. Is it crucial?
    Mr. Shannon. I think it is. You want to enable 
organizations to do the right thing.
    Mr. Lungren. Ms. McGuire, is it necessary?
    Ms. McGuire. I would agree with that, yes.
    Mr. Lungren. Mr. Nojeim, do you have any problems with 
that?
    Mr. Nojeim. I think it is important that there be 
consequences for breaking the rules. If the rules are followed, 
I think there should be immunity for people who are following 
the rules. For people who are breaking the rules, I think there 
should be consequences. Without them, you put companies between 
a rock and a soft place.
    Mr. Lungren. Ms. Clarke.
    Ms. Clarke. Thank you, Mr. Chairman.
    Dr. Kosar and Mr. Nojeim, in your testimony, you mention 
that, as designed in the proposed legislation, it would be 
difficult to know how the NISO would behave. The lack of 
predictability, even as the Federal Government invests 
significant resources, is a concern. 
Please explain the 
possible risks to the Government of establishing this quasi-
Governmental entity without specificity as to its range of 
activities and responsibilities to its members; more 
especially, DHS.
    Mr. Kosar. Well, I guess the first question that I would 
have is whether or not the NISO would see strong incentives to 
coordinate its activities with the Department and to be 
responsive to the Department's needs, or would it have 
incentives to basically act otherwise?
    A second issue or question I would have is: If this 
organization does not stand up well, will it have long-term 
negative ramifications for future efforts to do something on 
this? Will it kind of poison the well in some way, shape, or 
form? As I mentioned earlier, it seems like this kind of 
consortium for sharing this information is heavily based upon 
trust, and if something gets done incorrectly, there could be a 
lot of very bad feelings all around.
    Third is the question of predictability. One thing I 
noticed in the mission for this organization is that on the one 
hand it is to be a place where information and advice is to be 
shared. But it is also a place where there seems to be R&D 
activities that will be undertaken to develop new technologies 
to aid in cybersecurity production.
    So you have kind of two different operational activities, 
and I guess the question that entered my head is, these new 
technologies, are these going to be sold to companies? Will 
they be given to members of NISO? Will this organization split 
itself off and create a for-profit side organization?
    It is not unprecedented that organizations created by the 
Federal Government have in the past, without Congress' 
expecting it, to have split themselves and have divided 
themselves into multiple organizations. So I guess those would 
be my thoughts.
    Mr. Nojeim. 
I actually think that the bill includes a \nnumber of provisions that will allow the Government to protect \nits own interests in NISO. First, it reserves a number of seats \non the board of directors to Governmental entities. Many of \nNISO's member entities, the ones who receive information, will \nbe Governmental entities, State, and local, and Federal.\n    It also gives the Department of Homeland Security the \nability to partially fund NISO. One could discuss whether 15 \npercent is enough or not, but it is a significant chunk of \nmoney. But the Government has something that NISO members will \nwant. It has classified information about attacks that in a way \ngive it a lot of leverage, maybe more leverage than it ought to \nhave, over NISO's operations.\n    So I think that as it is structured, there is actually \nenough--there are enough provisions in the bill to protect the \nGovernment's interests in the NISO.\n    Ms. Clarke. So in other words, you are saying that the way \nthat the bill is currently constructed it should mitigate risk; \nis that what you are saying? Because I'm asking about possible \nrisk.\n    Mr. Nojeim. I think you were asking about whether the bill, \nas structured, protects the Government's interests in the NISO. \nMy answer is I think it does, because I think it gives the \nGovernment substantial authorities. In fact, if we were \ndrafting the bill, we would probably more limit the \nGovernment's participation and make it more clearly a \nprivately-run entity as opposed to a Governmental entity.\n    One of our biggest concerns is the flow of personally \nidentifiable information to Government members of NISO through \nthe NISO entity.\n    Ms. Clarke. Thank you.\n    Then just a final question. Dr. Kosar, you mentioned that \nthe legal framework within which organizations operate can \ngreatly influence their behavior by setting incentives and \nexpectations for operations. 
You are a specialist in American \nGovernment, and in your opinion how does the legal framework \ndescribed in this proposed legislation for NISO lend itself to \ndefining the actions, incentives, and goals of the \norganization?\n    Mr. Kosar. Well, I really appreciate the point brought up \njust a moment ago about DHS possibly having a lever for dealing \nwith the NISO by virtue of its access to classified information \npolicy. I think that is a subtle insight.\n    This entity, as structured, is primarily private-sector; \nand so presumably, its incentives lie with the perceived self-\ninterest of the members.\n    Just going back to the example of SEMATECH, created in \n1987, that was an organization--that legislation is \nsubstantially similar to this one. It created an organization \nof kind-of like firms, firms that produced, manufactured, \nsemiconductors here in the United States. It looked at them and \nsaid, you have a shared interest in upping your technology and \njumping forward, vis-a-vis Japan. This was a shared goal, and \nyou guys can work together on this, you just need a little \nGovernment coordination.\n    Here we have, I think, members that are a little more \ndiverse than those that were participating in SEMATECH. I guess \nan open question for me is whether or not the individual \nincentives of these organizations align as neatly as they did \nwith SEMATECH. Because of this organization's success it would \nseem to me to be largely dependent on the activities of the \nprivate-sector parties.\n    Ms. Clarke. Thank you, Mr. Chairman.\n    Mr. Lungren. Thank you very much. I think the questions of \nthe hearing have indicated the fact that we are going into a \nnew area here. We are trying to create a platform that makes \nsense for both the private sector side and the Governmental \nside. It is creating a mechanism in which there are incentives \nso that all will cooperate.\n    We thank you for your thoughts on this. 
We seek your \nthoughts in the future as we move forward. We intend to move on \nthis because the issue is one that cannot wait. I am encouraged \nby the interest that we have received from our colleagues on \nboth sides of the aisle, from people in the administration, \nfrom those in the private sector, because I think that is a \ngood sign that while we are certainly not perfect, we are at \nleast moving forward with a concept in an area that needs to be \ndealt with.\n    I want to thank all witnesses for your valuable testimony \nand the Members for their questions.\n    The Members of the subcommittee may have some additional \nquestions for you. We would ask if we would submit them to you, \nthat you would respond to these in writing. The hearing record \nwill be held open for 10 days.\n    The subcommittee stands adjourned.\n    [Whereupon, at 11:25 a.m., the subcommittee was adjourned.]\n\n</pre></body></html>\n"