[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
               IRANIAN CYBER THREAT TO THE U.S. HOMELAND

=======================================================================

                             JOINT HEARING

                               before the

                    SUBCOMMITTEE ON COUNTERTERRORISM

                            AND INTELLIGENCE

                                and the

                     SUBCOMMITTEE ON CYBERSECURITY,

                       INFRASTRUCTURE PROTECTION,

                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 26, 2012

                               __________

                           Serial No. 112-86

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC] [TIFF OMITTED] CONGRESS

                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________



                  U.S. GOVERNMENT PRINTING OFFICE
77-381                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                     COMMITTEE ON HOMELAND SECURITY

                   Peter T. King, New York, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Daniel E. Lungren, California        Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Michael T. McCaul, Texas             Henry Cuellar, Texas
Gus M. Bilirakis, Florida            Yvette D. Clarke, New York
Paul C. Broun, Georgia               Laura Richardson, California
Candice S. Miller, Michigan          Danny K. Davis, Illinois
Tim Walberg, Michigan                Brian Higgins, New York
Chip Cravaack, Minnesota             Cedric L. Richmond, Louisiana
Joe Walsh, Illinois                  Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Ben Quayle, Arizona                  Kathleen C. Hochul, New York
Scott Rigell, Virginia               Janice Hahn, California
Billy Long, Missouri                 Vacancy
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
            Michael J. Russell, Staff Director/Chief Counsel
               Kerry Ann Watkins, Senior Policy Director
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
           SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE

                 Patrick Meehan, Pennsylvania, Chairman
Paul C. Broun, Georgia, Vice Chair   Brian Higgins, New York
Chip Cravaack, Minnesota             Loretta Sanchez, California
Joe Walsh, Illinois                  Kathleen C. Hochul, New York
Ben Quayle, Arizona                  Janice Hahn, California
Scott Rigell, Virginia               Vacancy
Billy Long, Missouri                 Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex              (Ex Officio)
    Officio)
                    Kevin Gundersen, Staff Director
                 Zachary D. Harris, Subcommittee Clerk
               Hope Goins, Minority Subcommittee Director

                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                Daniel E. Lungren, California, Chairman
Michael T. McCaul, Texas             Yvette D. Clarke, New York
Tim Walberg, Michigan, Vice Chair    Laura Richardson, California
Patrick Meehan, Pennsylvania         Cedric L. Richmond, Louisiana
Billy Long, Missouri                 William R. Keating, Massachusetts
Tom Marino, Pennsylvania             Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex              (Ex Officio)
    Officio)
                    Coley C. O'Brien, Staff Director
                 Zachary D. Harris, Subcommittee Clerk
        Chris Schepis, Minority Senior Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Patrick Meehan, a Representative in Congress From 
  the State of Pennsylvania, and Chairman, Subcommittee on 
  Counterterrorism and Intelligence:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................     6
  Prepared Statement.............................................     7
The Honorable Brian Higgins, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Counterterrorism and Intelligence..............................     8
The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies...................................................     4

                               Witnesses

Mr. Frank J. Cilluffo, Associate Vice President and Director, 
  Homeland Security Policy Institute, The George Washington 
  University:
  Oral Statement.................................................     9
  Prepared Statement.............................................    12
Mr. Ilan Berman, Vice President, American Foreign Policy Council:
  Oral Statement.................................................    18
  Prepared Statement.............................................    20
Mr. Roger L. Caslow, Executive Cyber Consultant, Suss Consulting:
  Oral Statement.................................................    23
  Prepared Statement.............................................    25

                                Appendix

Questions From Chairman Michael T. McCaul........................    43


               IRANIAN CYBER THREAT TO THE U.S. HOMELAND

                              ----------                              


                        Thursday, April 26, 2012

     U.S. House of Representatives,        
      Committee on Homeland Security,      
      Subcommittee on Counterterrorism and 
                          Intelligence, and
     Subcommittee on Cybersecurity, Infrastructure 
             Protection, and Security Technologies,
                                            Washington, DC.
    The subcommittees met, pursuant to call, at 10:06 a.m., in 
Room 311, Cannon House Office Building, Hon. Patrick Meehan 
[Chairman of the Subcommittee on Counterterrorism and 
Intelligence] presiding.
    Present from the Subcommittee on Counterterrorism and 
Intelligence: Representatives Meehan, Cravaack, and Hahn.
    Present from the Subcommittee on Cybersecurity, 
Infrastructure Protection, and Security Technologies: 
Representatives Lungren, Higgins, Clarke, Richardson, and 
Richmond.
    Also present: Representative Green.
    Mr. Meehan. Good morning, the Committee on Homeland 
Security Subcommittees on Counterterrorism and Intelligence and 
Cybersecurity, Infrastructure Protection, and Security 
Technologies--this is a joint committee hearing--will come to 
order. Subcommittees are meeting today to hear the testimony 
regarding the threat of a cyber attack to the United States 
homeland from the Islamic Republic of Iran. I will now 
recognize myself for an opening statement.
    I would like to begin today by thanking Chairman Lungren 
and Ranking Member Clarke and all of the Members of the 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies for joining us here today to examine the 
threat posed by Iran in the cyber arena. The combination of our 
expertise on counterterrorism and intelligence, and your 
expertise on cybersecurity will inform and enhance our 
discussion. I look forward to hearing from you, and our panel.
    I believe the joint hearing represents the attitude we must 
have when confronted with emerging threats that may not be 
adequately understood. In my view, the adaptability, 
flexibility, and willingness to erase institutional barriers 
called for in the 9/11 Commission Report is on display here, 
with each of us bringing our own expertise to study a threat 
which crosses borders and cannot easily be put into a box. 
While Chairman Lungren and his colleagues on the CIPST 
Subcommittee have studied the ins and outs of protecting our 
Nation's critical infrastructure from cyber attack, the 
membership of the CT&I Subcommittee have spent a lot of time 
examining the threat posed by Iran in the world's largest state 
sponsor of terrorism, and its proxies, of course, principally 
including Hezbollah.
    For the Subcommittee on Counterterrorism and Intelligence, 
this hearing is a continuation of our previous work examining 
the threat from Tehran. Last year our subcommittee examined the 
Hezbollah presence in Latin America that detailed the recently 
exposed Iranian government plot to conduct a brazen attack here 
in Washington, DC. I have also recently returned from the 
region, where I met with defense and intelligence officials and 
government leaders in Israel and Turkey and Jordan. After in-
depth conversations and briefings including with Turkey 
president Abdullah Gul, Israeli Prime Minister Benjamin 
Netanyahu, and His Majesty King Abdullah of Jordan, it became 
increasingly clear that Iran is the most destructive and 
malicious actor in the region, and will persist in antagonizing 
the United States and our allies, especially the State of 
Israel.
    As Iran's illicit nuclear program continues to inflame 
tensions between Tehran and the West, I am struck by the 
emergence of another possible avenue of attack emanating from 
Iran--the possibility that Iran could conduct a cyber attack 
against the United States homeland. Now, many will discount 
this threat just as many ignored the possibility that Iran 
would conduct any kind of attack on American soil. Well, this 
assumption was proven woefully wrong when last year's plot to 
kill the Saudi Ambassador was uncovered. Now we are adjusting 
to a realistic understanding of Iran's intent to conduct terror 
attacks and to kill innocent Americans in the U.S. homeland, we 
cannot blind ourselves to this new threat. After all, if Iran 
is willing to blow up a Washington restaurant, and kill 
innocent Americans, we would be naive to think that Iran could 
never conduct a cyber attack against the United States 
homeland.
    Earlier this year, in testimony before the Senate 
Intelligence Committee, Director of National Intelligence James 
Clapper clearly stated that Iran's intelligence operations 
against the United States, including cyber capabilities, have 
dramatically increased in recent years in depth and complexity. 
What I view as a private-sector validation of the cyber threat 
posed by Iran, Google executive Chairman Eric Schmidt recently 
stated the Iranians are talented in cyber war for some reasons 
we don't fully understand.
    In the event of a military strike against Iranian nuclear 
facilities, former director of the National Counterterrorism 
Center, Michael Leiter, assessed that a cyber attack conducted 
by Iran--Tehran against the United States, would be reasonably 
likely.
    The threat of cyber warfare may be relatively new, but it 
is not small. Iran has reportedly invested over $1 billion in 
developing their cyber capabilities, and it appears they may 
have already carried out attacks against organizations like the 
BBC, and Voice of America. There have been reports that Iran 
may have even attempted to breach the private networks of a 
major Israeli financial institution. Iran is very publicly 
testing its cyber capabilities in the region, and in time, will 
expand its reach.
    Other nations such as Russia and China may have more 
sophisticated cyber capabilities, but there should be little 
doubt that a country that kills innocent civilians around the 
world, guns down its own people, and calls for the destruction 
of the State of Israel, would not hesitate to conduct a cyber 
attack against the United States homeland.
    That is why today's hearing is so important.
    I want to thank you for joining us today, and I look 
forward to hearing from our witnesses.
    [The statement of Mr. Meehan follows:]
                  Statement of Chairman Patrick Meehan
                             April 26, 2012
                                welcome
    I would like to begin today by thanking Chairman Lungren and 
Ranking Member Clarke, and all the Members of the Subcommittee on 
Cybersecurity, Infrastructure Protection, and Security Technologies for 
joining us here today to examine the threat posed by Iran in the cyber 
arena. The combination of our expertise on counterterrorism and 
intelligence and your expertise on cybersecurity will inform and 
enhance our discussion, and I look forward to hearing from you and our 
panel.
                      importance of joint hearing
    I believe this joint hearing represents the attitude we must have 
when confronted with emerging threats that may not be adequately 
understood. In my view, the adaptability, flexibility, and willingness 
to erase institutional barriers called for in the 9/11 Commission 
Report is on display here, with each of us bringing our own expertise 
to study a threat which crosses borders and cannot easily be put into 
one box. While Chairman Lungren and his colleagues on the CIPST 
subcommittee have studied the ``ins'' and ``outs'' of protecting our 
Nation's critical infrastructure from cyber attack, the Members of the 
CTI subcommittee have spent a lot of time examining the threat posed by 
Iran, the world's largest state sponsor of terrorism, and its proxies, 
including Hezbollah.
                  past subcommittee iran examinations
    For the Subcommittee on Counterterrorism and Intelligence, this 
hearing is a continuation of our previous work examining the threat 
from Tehran. Last year, our subcommittee examined the Hezbollah 
presence in Latin America that detailed the recently exposed Iranian 
government plot to conduct a brazen terror attack here in Washington, 
DC. I have also recently returned from the region, where I met with 
defense and intelligence officials and government leaders in Israel, 
Turkey, and Jordan. After in-depth conversations and briefings, 
including with Turkey President Abdullah Gul, Israeli Prime Minister 
Benjamin Netanyahu, and His Majesty King Abdullah of Jordan, it became 
increasingly clear that Iran is the most destructive and malicious 
actor in the region and will persist in antagonizing the United States 
and our allies, especially the State of Israel.
                    emerging cyber threat from iran
    As Iran's illicit nuclear program continues to inflame tensions 
between Tehran and the West, I am struck by the emergence of another 
possible avenue of attack emanating from Iran: The possibility that 
Iran could conduct a cyber attack against the U.S. homeland.
    Many will discount this threat--just as many ignored the 
possibility that Iran would conduct an attack on American soil. This 
assumption was proven woefully wrong when last year's plot to kill the 
Saudi Ambassador was uncovered. Now that we are adjusting to a 
realistic understanding of Iran's intent to conduct terror attacks and 
kill innocent Americans in the U.S. homeland, we cannot blind ourselves 
to this new threat. After all, if Iran is willing to blow up a 
Washington restaurant and kill innocent Americans, we would be naive to 
think Iran would never conduct a cyber attack against the U.S. 
homeland.
                        senior officials warning
    Earlier this year in testimony before the Senate Intelligence 
Committee, Director of National Intelligence James Clapper clearly 
stated: ``Iran's intelligence operations against the United States, 
including cyber capabilities, have dramatically increased in recent 
years in depth and complexity.'' In what I view as a private sector 
validation of the cyber threat posed by Iran, Google Executive Chairman 
Eric Schmidt recently stated, the ``Iranians are unusually talented in 
cyber war for some reason we don't fully understand.'' And, in the 
event of a military strike against Iranian nuclear facilities, former 
director of the National Counterterrorism Center Michael Leiter 
assessed that a cyber attack conducted by Tehran against the United 
States would be ``reasonably likely.''
    The threat of cyber warfare may be relatively new--but it is not 
small. Iran has reportedly invested over $1 billion in developing their 
cyber capabilities, and it appears they may have already carried out 
attacks against news organizations like the BBC and Voice of America. 
There have been reports that Iran may have even attempted to breach the 
private networks of a major Israeli financial institution. Iran is very 
publicly testing its cyber capabilities in the region and, in time, 
will expand its reach.
                        don't ignore this threat
    Other nations such as Russia and China may have more sophisticated 
cyber capabilities, but there should be little doubt that a country 
that kills innocent civilians around the world, guns down its own 
people, and calls for the destruction of the State of Israel would not 
hesitate to conduct a cyber attack against the U.S. homeland. That is 
why today's hearing is so important.
    I want to thank all of you for joining us today, and I look forward 
to hearing from our witnesses.

    Mr. Meehan. Now, I know that co-Chairman, or the Ranking 
Member Mr. Higgins is expected today at this moment, but until 
such time as he is able to join us at the hearing, the Chairman 
would now recognize Ms. Clarke for any opening comments she may 
have. Thank you.
    Ms. Clarke. Thank you very much, Mr. Chairman. Chairman 
Lungren, Chairman Meehan, thank you for holding this joint 
hearing on the Iranian cyber threat. State-sponsored cyber 
threats from Iran and actual attacks from other countries 
directed at the United States, have been a hot topic over the 
past few years. As you know, we have had a number of classified 
briefings concerning these state-sponsored attacks. Our ability 
to detect, prevent, preempt, and deter terrorists and malicious 
state-sponsored cyber attacks reflect on our capability, and 
our political will to protect our vital National infrastructure 
from devastating consequences.
    I am glad my colleague and fellow New Yorker, Mr. Higgins, 
has brought some legislation to bear on the issue we are 
discussing today. His bill would amplify the State Department's 
report to Congress on the proficiencies of Iran cyber and 
technological capabilities. This will help us assess Iran's 
threat in greater detail. This is quite a story to be told 
about Iran and cyber threats, and I will be interested in 
hearing the testimony today.
    I have seen the report put out by Reporters Without 
Borders, that places Iran on the list of enemies of the 
internet, describing the various censoring techniques that Iran 
used to control the flow of information among its own people.
    The report refers to the government-sponsored cyber police 
function that uses a combination of content filtering and 
access control. The report also mentions the use of distributed 
denial of service cyber attack techniques used as a form of 
political oppression, which it says may or may not be official 
state-sponsored activity. Reports on Iranian Cyber Army have 
raised questions about the regime's cyber attack capabilities 
and the extent to which these attacks are coordinated by the 
government. Some have said the Iranian Cyber Army may be a 
loose confederation of hackers and cyber activists similar to 
other hacking clusters, and may include cyber crime networks 
and other groups.
    One such known as the Ashiyane Digital Security Team, has 
claimed responsibility for hacking into and defacing thousands 
of websites. Both Iranian Cyber Army, and the Ashiyane are 
alleged to have ties with the Iranian government's 
revolutionary guard, but who can tell? Given the Iranian 
regime's control over the internet and attempts to crack down 
on citizen's internet activity, it would appear to be a 
sweeping promotion of hacking without any legal or public 
recourse and suggests a tacit governmental approval of these 
activities.
    Some have said the Iranian Cyber Army resembles a 
collective of regime-backing hackers acting of their own 
volition; yet it may be that the regime has actively leveraged 
and employed the talents of a young population adept with 
computer tools. In the wake of Iran's presidential election in 
June 2009, protesters had used Twitter to skirt government 
filters to promote, to report events, and organize opposition 
rallies prompting the U.S. State Department to request that 
Twitter reschedule its planned maintenance activities in order 
to ensure access to pro-democracy users. But the Iranian 
regime's brutal crackdown on the protesters seemingly 
succeeded. Demonstrations are now few and far between, and many 
of the web-based citizen journalists that have documented the 
uprising have been killed, imprisoned, or gone underground; 
their voices silenced.
    The most well-known cyber event in Iran occurred late in 
2009, when this Central European security firm reported the 
discovery of a software worm called Stuxnet, that had infected 
computers controlling centrifuges of several Iranian nuclear 
enrichment plants. However, these computers were not connected 
to the internet, and the worm was said to have been injected 
into those computers using an external device such as a thumb 
drive. Stuxnet may be proof of Iran's vulnerability and the 
effectiveness of other nation's state cyber arsenals. However, 
it would be--it would also be possible for Iran to gain some 
knowledge of creating a Stuxnet-like virus from analyzing its 
network effects.
    This leads to fear of reverse engineering leading to a 
capability of the types of cyber attacks on U.S. critical 
infrastructure that could rise to the level of a National 
security crisis. We must be prepared for such rogue actions and 
be prepared on the National defense level, as well as 
protecting our critical business operations, vital 
infrastructure functions, and frankly, our daily lives.
    The rapid technological advances in cybersecurity threats 
over the last several years have outpaced our ability as 
lawmakers to keep our laws up-to-date. The needed coordination 
of the many Governmental agencies and private institutions, and 
the implementation of the procedures that would protect our 
infrastructure, are huge undertakings and will continue to have 
huge challenges.
    We are seeing some of those challenges being played out on 
the House floor this week, and my Ranking Member, Mr. Thompson, 
is talking about some of the most constructive alternatives to 
the cyber legislation we are considering. Our intelligence 
community and law enforcement agencies face many challenges to 
anticipate, investigate, and respond to cyber threats.
    Simply, all these challenges must be overcome, and 
protection of our infrastructure accomplished without violating 
our fundamental rights of individual privacy that are enshrined 
in our Constitution. With that, Mr. Chairman, I yield back.
    Mr. Meehan. Thank you, Ms. Clarke. Before I begin, let me 
recognize that the gentleman from Texas, Mr. Green, has joined 
us today, and I would like to ask unanimous consent that he be 
able to participate in today's hearing. Hearing no objection, 
so ordered. Welcome Mr. Green. Thank you for being here with us 
today. The Chairman now recognizes my good friend, the Chairman 
of the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, the gentleman from 
California, Mr. Lungren, for any statement he may have.
    Mr. Lungren. Thank you very much, Mr. Chairman. I want to 
thank all of my colleagues for being here, particularly those 
from our companion subcommittee to meet on a very important 
subject. Those of us in the Congress know that we have an 
obligation to proceed with legislation on important issues such 
as cybersecurity.
    We have an obligation to conduct appropriate oversight of 
the Executive branch to ensure that they are doing that which 
needs to be done, in concert, or consistent with legislation 
that has been duly passed, but we also have another obligation, 
it seems to me, and that is to raise the knowledge of the 
public on issues of true National and international importance, 
and cybersecurity is one of those subjects, and we hope that 
this hearing provides insight into possible legislation, 
insight into oversight, and particularly, helps us to raise the 
public knowledge of this important issue.
    As we all know, communicating through cyber space, is now 
an integral part of the international marketplace, and the 
global economy. Businesses of all sizes, increasingly depend 
upon it in their daily operations as well as for market growth. 
Individuals utilize it on a daily basis. Many people enter into 
the commercial market by way of the internet these days and 
other uses of cyber space.
    These innovative cyber technologies help U.S. businesses to 
achieve great efficiencies and to run their vital 
infrastructures. But the tremendous opportunities provided by 
cyber space, are accompanied by obvious vulnerabilities. For 
instance, along with all of the other benefits, with all of the 
benefits, cyber space is replete with nefarious actors, 
including organized criminals, industrial spies, foreign 
governments taking inappropriate advantage of a cyber 
environment open to all users. The very openness of cyber space 
contributes to its vulnerability, and its possibility of abuse.
    We have been warning about cyber threats in this committee 
for a long time. It has been a bipartisan effort to warn of 
these threats. The Nation's top Government, intelligence, and 
military leaders often cite the cyber threat as the issue that 
worries them the most. The reason is that a successful cyber 
attack on a power grid, transportation system, or communication 
networks could cripple our economy and threaten our National 
security. Any doubt about the physical damage that could be 
caused by a cyber attack should have been eliminated by the 
Stuxnet virus. I am happy the Stuxnet virus was used by 
somebody who was a friendly, and it is probably the best 
example of the cyber and physical worlds intersecting.
    Like Aurora, Stuxnet demonstrates that vital critical 
infrastructure can be physically disabled or destroyed by a 
capable and motivated enemy, and as we know in those attacks, 
they were done with a certain stealth element to them. That is, 
the destruction took place before the operators that were 
supposed to protect against such destruction were able to even 
understand that they were under attack.
    In addition to these National security concerns, cyber 
threat thefts are also robbing us of our intellectual property. 
We have had examples already of how this has cost U.S. jobs and 
jeopardized our economic future. Cyber threats are real. They 
are growing in number and sophistication. In assessing the 
Iranian threat to the U.S. homeland, we need to examine their 
motivation, their opportunity, and their capability. As the 
victim of two recent cyber attacks nuclear and oil 
infrastructure, and multiple U.S. embargoes, Iran, it would 
seem, would have motivation to strike out against those they 
think are responsible, or anybody associated with those they 
think are responsible, or anybody who would stand on the 
sidelines and cheer those efforts.
    The opportunity arises as U.S. critical infrastructure 
companies have been slow to harden their assets against cyber 
attacks. Unfortunately, cyber attacks can be launched from any 
place in the world, because cyber space does not recognize 
borders. The important question when assessing Iran as a cyber 
threat is their cyber capability. American Security Contracting 
Firm issued a report in 2008 rating Iran cyber capability among 
the top five globally. A December 2011 report indicated that 
Tehran was investing $1 billion in new cyber warfare 
technology.
    So let me underscore a point made by the Chairman of our 
other subcommittee. According to the DNI Director Clapper, 
Iran's intelligence operations against the United States 
including cyber capabilities, have dramatically increased in 
recent years, in depth, and complexity.
    Since Iran appears to have the necessary cyber capability, 
we can only hope that they will fear attribution and the 
overwhelming U.S. response that would surely follow such an 
Iranian cyber attack against our Nation. I look forward, along 
with my colleagues, to the testimony of the distinguished panel 
this morning on the nature of the cyber threat from this rogue 
Iranian regime. Thank you very much, Mr. Chairman.
    [The statement of Mr. Lungren follows:]
                Statement of Chairman Daniel E. Lungren
                             April 26, 2012
    Communicating through cyber space is now an integral part of the 
international marketplace and the global economy. Businesses of all 
sizes increasingly depend upon it for their daily operations as well as 
for market growth. These innovative cyber technologies help U.S. 
businesses achieve great efficiencies and run their vital 
infrastructures. However, along with all the benefits, cyber space is 
replete with nefarious actors--including organized criminals, 
industrial spies, and foreign governments taking inappropriate 
advantage of a cyber environment open to all users.
    We have been warning about cyber threats in this committee for a 
long time. The Nation's top Government, intelligence, and military 
leaders often cite the cyber threat as the issue that worries them the 
most. The reason is that a successful cyber attack on our power grid, 
transportation systems, or communication networks could cripple our 
economy and threaten our National security. Any doubt about the 
physical damage that can be caused by a cyber attack should have been 
eliminated by the Stuxnet virus. Stuxnet is the best example of the 
cyber and physical worlds intersecting. Like Aurora, Stuxnet 
demonstrates that vital critical infrastructure can be physically 
disabled or destroyed by a capable and motivated enemy.
    In addition to these National security concerns, cyber thefts are 
also robbing us of our intellectual property, costing U.S. jobs and 
jeopardizing our economic future. Cyber threats are real and growing in 
number and sophistication.
    In assessing the Iranian threat to the U.S. homeland, we need to 
examine their motivation, opportunity, and capability. As the victim of 
two recent cyber attacks (nuclear and oil infrastructure) and multiple 
U.S. embargoes, Iran clearly has motivation to strike us.
    Their opportunity arises as U.S. critical infrastructure companies 
have been slow to harden their assets against cyber attacks. 
Unfortunately, cyber attacks can be launched from any place in the 
world because cyber space doesn't recognize international borders.
    The important question when assessing Iran as a cyber threat is 
their cyber capability. An American security contracting firm issued a 
report in 2008 rating Iran's cyber capability among the top five 
globally. A December 2011 report indicated that Tehran was investing $1 
billion in new cyber warfare technology. According to DNI Director 
Clapper, ``Iran's intelligence operations against the U.S., including 
cyber capabilities, have dramatically increased in recent years in 
depth and complexity''.
    Since Iran appears to have the necessary cyber capability, we can 
only hope that they will fear attribution and the overwhelming U.S. 
response that would surely follow such an Iranian cyber attack against 
our Nation.
    I look forward to the testimony of our distinguished panel this 
morning on the nature of the cyber threat from this rogue Iranian 
regime.

    Mr. Meehan. Thank you, Mr. Lungren. The Chairman now 
recognizes the Ranking Minority Member of the Subcommittee on 
Counterterrorism and Intelligence, my good friend, the 
gentleman from New York, Mr. Higgins, for any statement he may 
have.
    Mr. Higgins. Thank you, I would like to thank both Chairman 
Lungren and Meehan for holding this important hearing. It is 
also a pleasure to hold this hearing are Ranking Member Clarke, 
a fellow Member from New York. I would also like to thank the 
witnesses for appearing here today. Cyber threat is a threat 
that knows no limit, and has no boundaries. We know that Iran 
poses a threat to our cybersecurity. We also know that our 
information technology has massive vulnerabilities. We know 
that our dependence on technology is pervasive and growing. We 
know that our moving forward as a Nation depends on our having 
a robust, comprehensive cybersecurity policy in place. 
Therefore, we must have legislation and policies that not only 
examine the threat, but also protect critical infrastructure 
and promote research and development that will ensure that we 
have the proper protocols in place to prevent a cyber attack. I 
look forward to hearing the testimony and I yield back.
    Mr. Meehan. Thank you, Ranking Member Higgins. Other 
Members of the committee are reminded that opening statements 
may be submitted for the record. Now we are pleased to have a 
distinguished panel of witnesses before us today on this very, 
very important topic. Let me first give the biography of Mr. 
Frank Cilluffo. He is the associate vice president and director 
of the Homeland Security Policy Institute at George Washington 
University, where he directs the homeland security efforts from 
policy, research, education, and training on a wide range of 
homeland security matters including counterterrorism and cyber 
threats.
    Before joining the staff at GW, Mr. Cilluffo served as the 
special assistant to the President for Homeland Security. 
Shortly following September 11, 2001 terrorist attack, Mr. 
Cilluffo was appointed by President Bush to the newly-created 
Office of Homeland Security, and served as the principal 
advisor to Governor Tom Ridge.
    Prior to his White House appointment he spent 8 years in 
senior policy positions for the Center for Strategic and 
International Studies where he directed numerous committees and 
task forces homeland defense.
    We are also joined by Mr. Ilan Berman, Mr. Ilan Berman is 
the vice president of the American Foreign Policy Council in 
Washington, DC. Mr. Berman is an expert on regional security in 
the Middle East, Central Asia, and the Russian Federation. He 
has consulted for both the United States Central Intelligence 
Agency, and the United States Department of Defense, and 
provided assistance on foreign policy and National security 
issues in a range of Governmental agencies and Congressional 
offices. He is a member of the associated faculty at Missouri 
State University's Department of Defense, and Strategic 
Studies.
    Last, we are joined by Roger Caslow. He is an executive 
cyber consultant for Suss Consulting. Prior to joining Suss, 
Mr. Caslow served as the chief of risk management and 
information security programs for the chief information officer 
of the intelligence community. In this role, he is responsible 
for the development, implementation, and oversight of multiple 
risk management policies, security programs, and technology 
solutions supporting the intelligence community, and DoD. He 
has led the intelligence community in partnering with the 
National Institute of Standards, at all phases of planning, 
development, and delivery of significant body of Federal 
security guidance. He has held a number of positions with the 
DoD and intelligence community, including senior policy and 
plans leader for the chief information officer.
    I welcome each of the witnesses today, and the Chairman now 
recognizes Mr. Cilluffo to testify.

 STATEMENT OF FRANK J. CILLUFFO, ASSOCIATE VICE PRESIDENT AND 
   DIRECTOR, HOMELAND SECURITY POLICY INSTITUTE, THE GEORGE 
                     WASHINGTON UNIVERSITY

    Mr. Cilluffo. Chairman Meehan, Chairman Lungren, Ranking 
Members Higgins and Clarke, thank you for the opportunity to 
appear before you today. As you will note from my prepared 
remarks, it is difficult to compress such a complex set of 
issues into 5 minutes, coupled with the fact that I have never 
had an unspoken thought, but hopefully we can delve into some 
of the specificities during the Q&A.
    First, I don't think it is a newsflash to underscore that 
we as a country still have a lot of work to do on the cyber 
front. I think it is appropriate and fair to suggest, while an 
imperfect analogy, that our cyber community is where our 
homeland community was shortly after 9/11.
    Second, compounding the specific challenge before us, you 
cannot effectively evaluate, assess, and ultimately address the 
Iranian cyber threat through a counterterrorism, homeland 
security, cybersecurity, or infrastructure protection lens 
alone; rather, the complexity demands that we look at it 
through a prism that incorporates all of these views. Let me 
just also applaud both Chairmen that you saw the need to do 
some cross-committee pollination on some of these issues.
    Iran through its Islamic Revolutionary Guard Corps, 
associated Quds Force, and its proxies have long had the United 
States in their cross-hairs. Up until 9/11 it was Iran's chief 
proxy, Hezbollah, that held the mantle of the deadliest 
terrorist organization, having killed more Americans up to that 
point than any other terrorist group.
    The current climate is particularly challenging and 
concerning, however, because the level of tension appears to be 
rising. We have seen an uptick in attempted and actual attacks 
on and assassinations of Israeli, Jewish, U.S., and Western 
interests from Beirut to Baku, to Bangkok and, of course, the 
recent assassination attempt on the Saudi Ambassador on the 
U.S. soil.
    Against this backdrop, getting ahead of the Iranian cyber 
threat to the United States is all the more relevant and all 
the more timely. The reach of Iran's proxies have gone global. 
Hezbollah activities now stretch from West Africa to the tri-
border area of Argentina, Brazil, and Paraguay. Within the 
United States, there have been 16 arrests in 2010 of Hezbollah 
sympathizers seeking stinger missiles, M-4 rifles, and night 
vision equipment. Based on this recent activity, the Los 
Angeles Police Department has elevated the government of Iran 
and its proxies to a tier 1 threat.
    Notably, the city of Los Angeles, contains the most active 
Hezbollah presence in this country, and Los Angeles happens to 
also be home to the largest ethnic Iranian population outside 
of Iran itself.
    Law enforcement officials have also observed a striking 
convergence of crime and terrorism, a trend highlighted, I 
might note earlier this week by Defense Secretary Panetta, and 
further reinforced by SOUTHCOM Commander General Fraser. 
Hezbollah's nexus with criminal activity is greater than that 
of any other known terrorist group. These links, including with 
gangs and cartels, generate new possibilities for outsourcing, 
and new networks that can facilitate terrorist travel, 
logistics, recruitment, and operations, and I might note, 
including cyber.
    Moreover, authorities have noted significant terrorist 
interest in the tactics, techniques, and procedures of 
smuggling drugs and people into the United States. These 
developments suggest that our long-standing frames of 
reference, our so-called red lines, have shifted. First and 
foremost, whereas previously Iran and it proxies targeted U.S. 
interests and personnel abroad, the cleave between here, our 
homeland, and overseas is wearing away as these two fronts 
merge. As you know in cyber, where we particularly know no 
borders, this has great resonance.
    As you mentioned, the Director of National Intelligence, 
General Clapper, was very bold in stating now that Iran is now 
more willing to conduct an attack in the United States. I might 
note that his assessment has been echoed by many others in the 
National security and law enforcement community of late.
    Let me state a couple of very quick words, specifically on 
Iran cyber attack capabilities. As has been mentioned, Iran is 
investing heavily in building its cyber warfare capabilities, 
including standing up the Iranian Cyber Army, which is in 
addition to their more conventional and traditional electronic 
warfare capabilities, which were quite sophisticated to begin 
with. Recent open-source and public incidents demonstrate a 
growing level of sophistication.
    Ms. Clarke, you mentioned many of the examples earlier 
today, but I might note there is one that you did not mention, 
that I thought demonstrated the highest level of 
sophistication, and that was the recent hack of a security 
certificate company in the Netherlands, a Dutch company, that 
demonstrated not only their hacking skills, but their ability 
to manipulate data as well.
    Prior to the official pronouncements regarding the Iranian 
Cyber Army, numerous hacker groups have operated pro-regime 
groups in Iran. These range from the broader Basige, to the 
recent stand up of the Cyber Hezbollah, and perhaps the most 
sophisticated group from a trade craft perspective, the 
Ashiyane. It in increasingly becoming clear, however, that the 
IRGC is not only cultivating, but also guiding, and I think 
trying to assume control over these various organizations.
    These developments aside, the good news is that if you were 
to rack and stack the greatest cyber threats in nations, Iran 
is not at the top of the list. Russia, PRC, and others are. The 
bad news is is what they lack in capability, they make up for 
in intent, and are not as constrained as other countries may be 
from engaging in cyber attacks or computer network attacks. 
Given Iran's history to employ proxies for terrorist purposes, 
there is little, if any, reason to think that Iran would 
hesitate to engage proxies to conduct cyber attacks against 
perceived adversaries.
    To paraphrase Mark Twain, whereas history may not repeat 
itself, it tends to rhyme. If they did it in the kinetic and 
the physical world, you can assume that they will be looking to 
cyber capacities as well. I know I am over my time, but a 
couple of very quick points. Another thing to think about is 
cyber basically levels the playing field. It provides asymmetry 
that can give small groups disproportionate impact and 
consequence. Whereas they may not have the capability, they can 
rent or buy that capability. There is a cyber arms bizarre on 
the internet. Intent and cash can take you a long way, and that 
is what I think we need to be thinking about. I might note that 
many have assumed and looked at the cyber threat more from a 
contingency or preemptive action that one of our allies may 
have in Iran. I don't think that bar is there. I think that 
they already feel, as has been mentioned by Mr. Lungren, and 
yourself, Mr. Chairman, and Mr. Higgins as well, that they are 
taking the gloves off right now in a cyber environment. I might 
also note that specifically, the fact that they have tried to 
demonstrate such a capability with the drones, which I don't 
necessarily believe at all, but they need to demonstrate that 
capability or they potentially lose all credibility. So I think 
now is the time to act.
    [The prepared statement of Mr. Cilluffo follows:]
                Prepared Statement of Frank J. Cilluffo
                             April 26, 2012
    Chairman Meehan, Chairman Lungren, Ranking Members Higgins and 
Clarke, and distinguished Members of the subcommittees, thank you for 
the opportunity to testify before you today. The subject is one of 
National importance--we, as a country, still have work to do in order 
to best respond to, and get ahead of, threats on the cybersecurity 
front. Indeed, with regard to cyber, the United States is in a position 
akin to where the homeland security community was shortly after 9/11. 
This is problematic in terms of both cybersecurity and infrastructure 
protection, as well as counterterrorism and intelligence. There are 
many points of intersection and overlap between these two ``lenses''; 
and if recent history has taught us anything, it is that bureaucratic 
stovepiping can have fatal consequences. Your demonstrated commitment 
to tackle the subject under study jointly is therefore all the more 
commendable, and indeed a model for moving the Nation forward on the 
truly difficult interdisciplinary challenges that characterize the 
current National security ecosystem.
    Iran (its Islamic Revolutionary Guard Corps, and associated Quds 
Force; the Ministry of Intelligence and Security; etc.) and proxies 
have long had the United States in their cross-hairs. Up until 9/11, in 
fact, it was Iran's chief proxy, Hezbollah, that held the mantle of 
deadliest terrorist organization, having killed more Americans up to 
that point than any other terrorist group. The October 23, 1983 bombing 
of the U.S. Marine Barracks in Beirut, Lebanon, cost the lives of 241 
soldiers, marines, and sailors.
    The current climate is particularly concerning however, because the 
level of tension appears to be rising. We have seen an uptick in 
attempted and actual attacks on and assassinations of Israeli, Jewish, 
U.S., and Western interests. This past February saw apparently 
coordinated bomb attacks against the embassies of one ally, Israel, in 
the capitals of two others--India and Georgia. February also saw 
Iranian agents in Bangkok prematurely detonate explosives, while 
preparing devices, resulting in injuries only to the perpetrators. 
Consider also the recently thwarted Iranian plot to assassinate Saudi 
Arabia's ambassador to the United States.
    While Iran has sought to distance itself from the incidents 
described above and denied responsibility for them (not credibly mind 
you), the reach of Iran's proxies has gone global. Hezbollah's 
activities now stretch from West Africa to the Tri-Border Area of 
Argentina, Brazil, and Paraguay. Within the United States, there were 
16 arrests of Hezbollah activists in 2010 based on Joint Terrorism Task 
Force investigations in Philadelphia, New York, and Detroit; and the 
organization has attempted to obtain equipment in the United States, 
including Stinger missiles, M-4 rifles, and night vision equipment.\1\ 
Based on recent activity, the Los Angeles Police Department has 
elevated the Government of Iran and its proxies to a Tier One threat. 
Notably, the city of Los Angeles contains the most active Hezbollah 
presence in this country (Detroit is their ``traditional'' U.S. base of 
operations). Los Angeles also happens to be home to the largest ethnic 
Iranian population outside of Iran itself.
---------------------------------------------------------------------------
    \1\ Immigration and Customs Enforcement, DHS. ``Indictment charges 
4 with conspiracy to support Hezbollah 6 others charged with related 
crimes,'' press release, November 24, 2009. Accessed 4/23/12 http://
www.ice.gov/news/releases/0911/091124philadelphia.htm; Mike Newall, 
``Road to terrorism arrests began at Deptford Mall, Moussa Ali Hamdan's 
meeting in 2007 with an undercover FBI informant led to the indictment 
of 26 with alleged Hezbollah ties,'' The Philadelphia Inquirer, January 
25, 2010. Accessed 4/23/12 http://articles.philly.com/2010-01-25/news/
25210171_1_hezbollah-fbi-informant-indictment; and Anti-Defamation 
League, ``Four Men Indicted in Philadelphia for Attempting to Support 
Hezbollah,'' modified 6/16/2010. Accessed 4/23/12 http://www.adl.org/
main_Terrorism/philadelphia_hezbollah_- 
indictment.htm.
---------------------------------------------------------------------------
    Law enforcement officials have observed a striking convergence of 
crime and terror. Hezbollah's nexus with criminal activity is greater 
than that of any other terrorist group. These links, including with 
gangs and cartels, generate new possibilities for outsourcing, and new 
networks that can facilitate terrorist travel, logistics, recruitment, 
and operations. Authorities have noted significant terrorist interest 
in tactics, techniques, and procedures used to smuggle people and drugs 
into the United States from Mexico. According to Texas State Homeland 
Security Director, Steve McCraw, Hezbollah operatives were captured 
trying to cross the border in September 2007.\2\
---------------------------------------------------------------------------
    \2\ ``Terrorists have been arrested on the border, security chief 
says,'' Associated Press, September 13, 2007.
---------------------------------------------------------------------------
    Law enforcement officials also confirm that Shia and Sunni forces 
are cooperating to an extent. For instance, Shia members of Lebanese 
Hezbollah and Sunni (Saudi/Iraqi) militant forces are drawing on each 
other's skills. That said, competition persists even within Shia 
circles, including between Lebanese Hezbollah and Iran's Quds Force.
    These developments suggest that our long-standing frames of 
reference and the ``redlines'' they incorporated have shifted. First 
and foremost: Whereas previously Iran and its proxies targeted U.S. 
interests and personnel abroad, the cleave between here (the homeland) 
and overseas is wearing away, as the two fronts merge. The Director of 
National Intelligence recently stated that Iran is ``now more willing 
to conduct an attack in the United States.''\3\ His assessment does not 
stand alone. In a recent hearing before the House Committee on Homeland 
Security, the NYPD's Director of Intelligence Analysis asserted that 
``New York City and its plethora of Jewish and Israeli targets could be 
targeted by Iran or Hezbollah in the event that hostilities break out 
in the Persian Gulf.''\4\ At the same hearing, the committee heard from 
a former Assistant Director of the FBI that Hezbollah's fundraising 
infrastructure in the United States could serve as a ``platform'' for 
launching attacks against the homeland.\5\
---------------------------------------------------------------------------
    \3\ Testimony of James R. Clapper before the Senate Select 
Committee on Intelligence, Worldwide Threat Assessment of the U.S. 
Intelligence Community, January 31, 2012, Washington, DC. Accessed 4/
18/2012 http://www.dni.gov/testimonies/20120131_testimony_ata.pdf.
    \4\ Testimony of Mitchell D. Silber before the U.S. House of 
Representatives Committee on Homeland Security, Iran, Hezbollah, and 
the Threat to the Homeland, March 21, 2012, Washington, DC. Accessed 4/
16/2012 http://homeland.house.gov/sites/homeland.house.gov/files/
Testimony-Silber.pdf.
    \5\ Testimony of Chris Swecker before the U.S. House of 
Representatives Committee on Homeland Security, Iran, Hezbollah, and 
the Threat to the Homeland, March 21, 2012, Washington, DC. Accessed 4/
22/2012 http://homeland.house.gov/sites/homeland.house.gov/files/
Testimony-Swecker.pdf.
---------------------------------------------------------------------------
    With Iran's nuclear program under scrutiny and sanctions, the 
potential for escalation is heightened. As a result of his policy 
choices, President Ahmadinejad is under increasing pressure both 
internationally and domestically.\6\ The complexity of the situation is 
increased by the tendency of Iran and its allies to conflate the United 
States and our ally Israel in the context of Israeli contingency and 
attack plans. Events from Baku to Bangkok (referenced above) have been 
characterized by some analysts as a ``shadow war''.\7\
---------------------------------------------------------------------------
    \6\ Rick Gladstone and Alan Cowell, ``Iran's President Unfazed in 
Parliamentary Grilling,'' The New York Times, March 14, 2012. Accessed 
4/18/12 http://www.nytimes.com/2012/03/15/world/middleeast/iran-
ahmadinejad-questioned-before-parliament-majlis.html?_r=1&page- 
wanted=all.
    \7\ Andrew R.C. Marshall and Peter Apps, ``Iran `shadow war' 
intensifies, crosses borders,'' Reuters, February 16, 2012. Accessed 4/
17/12 http://www.reuters.com/article/2012/02/16/us-iran-israel-
security-idUSTRE81F1E720120216.
---------------------------------------------------------------------------
    The conflict is not limited to the kinetic or to the physical 
world. In 2010, the Stuxnet worm disabled Iranian centrifuges used to 
enrich uranium. Attribution for this attack remains unresolved, 
although speculation has centered on Israel and the United States. The 
possibility that Iran may feel aggrieved and seek to retaliate, even in 
the absence of proof of attribution, is not to be dismissed--
particularly against the backdrop of ever-tougher U.S. and global 
sanctions, and historically turbulent (at least as measured in decades) 
bilateral relations with the United States. The recent SWIFT sanctions 
have proven particularly effective in crippling Iran's financial 
system, adding further pressure.\8\ Iran is also grappling with Duqu, a 
worm which seems ``designed to gather data to make it easier to launch 
future cyber attacks.''\9\
---------------------------------------------------------------------------
    \8\ Corey Flintoff, ``New Sanctions Severely Limit Iran's Global 
Commerce,'' NPR, March 19, 2012. Accessed 4/18/12. http://www.npr.org/
2012/03/19/148917208/without-swift-iran-adrift-in-global-banking-world.
    \9\ Yaakov Katz, ``Iran Embarks on $1b. cyber-warfare program,'' 
The Jerusalem Post, December 18, 2011. Accessed 4/16/12. http://
www.jpost.com/Defense/Article.aspx?id=249864.
---------------------------------------------------------------------------
    With Stuxnet, the virtual and real worlds collided, as the worm 
caused physical damage to infrastructure. Former head of the CIA and 
the NSA, General Michael Hayden, has (rightly I would suggest) 
characterized Stuxnet as both ``a good idea'' and ``a big idea''--
suggesting also that it represents a crossing of the Rubicon in that 
``someone has legitimated this type of activity as acceptable.''\10\ 
The vulnerability to cyber attack of critical systems, including 
nuclear facilities and supervisory control & data acquisition (SCADA)/
industrial control systems--with concomitant possibility of loss of 
life, and less than fatal but still serious and widespread 
consequences--raises a host of implications for U.S. National and 
homeland security. Potential targets are many and varied, and extend to 
critical sectors such as finance and telecommunications. Assistant to 
the President for Homeland Security and Counterterrorism, John O. 
Brennan, has stated that U.S. water and power systems are under cyber 
attack almost daily.\11\ Press reports also suggest that the U.S. 
nuclear industry has experienced up to 10 million cyber attacks.\12\ 
Even if only one attempt were to succeed, the magnitude of the impact 
could significantly undermine, if not shatter, trust and confidence in 
the system. In addition, cyber capabilities may be used as a force 
multiplier in a conventional attack.
---------------------------------------------------------------------------
    \10\ ``Fmr. CIA head calls Stuxnet virus `good idea,' '' 60 
Minutes, March 1, 2012. Accessed 
4/20/12. http://www.cbsnews.com/8301-18560_162-57388982/fmr-cia-head-
calls-stuxnet-virus-good-idea/.
    \11\ John O. Brennan, ``Time to protect against dangers of 
cyberattack,'' The Washington Post, April 15, 2012. Accessed 4/23/12. 
http://www.washingtonpost.com/opinions/time-to-protect-against-dangers-
of-cyberattack/2012/04/15/gIQAdJP8JT_story.html.
    \12\ Jason Koebler, ``U.S. Nukes face up to 10 miilion cyber 
attacks daily,'' US News & World Report, March 20, 2012. Accessed 4/24/
12. http://www.usnews.com/news/articles/2012/03/20/us-nukes-face-up-to-
10-million-cyber-attacks-daily.
---------------------------------------------------------------------------
    The good news is that Iran is not as sophisticated as China or 
Russia insofar as computer network exploitation (CNE), cyber attack, 
and warfare capabilities are concerned (to be distinguished from 
intent). As yet, Iran has not shown itself to be a similarly advanced 
or persistent threat.\13\ This is not to give Iran a pass. To the 
contrary, U.S. officials are investigating ``reports that Iranian and 
Venezuelan diplomats in Mexico were involved in planned cyber attacks 
against U.S. targets, including nuclear power plants.'' Press reports 
based on a Univision (Spanish TV) documentary that contained ``secretly 
recorded footage of Iranian and Venezuelan diplomats being briefed on 
the planned attacks and promising to pass information to their 
governments,'' allege that ``the hackers discussed possible targets, 
including the FBI, the CIA and the Pentagon, and nuclear facilities, 
both military and civilian. The hackers said they were seeking 
passwords to protected systems and sought support and funding from the 
diplomats.''\14\
---------------------------------------------------------------------------
    \13\ But note Google executive Eric Schmidt's statement: ``Iranians 
are unusually talented [at cyber warfare] for some reason we don't 
fully understand.'' ``Google admits Iranian superiority in cyber 
warfare,'' Payvand, December 18, 2011. Accessed 4/17/12. http://
www.payvand.com/news/11/dec/1189.html
    \14\ Shaun Waterman, ``U.S. authorities probing alleged cyberattack 
plot by Venezuela, Iran,'' The Washington Times, December 13, 2011. 
Accessed 4/18/12 http://www.washingtontimes.com/news/2011/dec/13/us-
probing-alleged-cyberattack-plot-iran-venezuela/?page=all.
---------------------------------------------------------------------------
    Cyberspace largely levels the playing field, allowing individuals 
and small groups to have disproportionate impact. This asymmetry can be 
leveraged by nation-states that seek to do us harm, by co-opting or 
simply buying/renting the services and skills of criminals/hackers to 
help design and execute cyber attacks against the United States. For 
example, do-it-yourself code kits for exploiting known vulnerabilities 
are easy to find and even the Conficker worm (variants of which still 
lurk, forming a botnet of approximately 1.7 million computers) was 
rented out for use.\15\ In short, no comfort can be taken from the fact 
that Iran lacks the sophistication of nations such as China, Russia, or 
the United States. Proxies for cyber capabilities are available. There 
exists an arms bazaar of cyber weapons. Adversaries do not need 
capabilities, just intent and cash.
---------------------------------------------------------------------------
    \15\ Conficker Working Group, ``Conficker Working Group: Lessons 
Learned,'' accessed 4/18/12 http://www.confickerworkinggroup.org/wiki/
uploads/Conficker_Working_Group_- 
Lessons_Learned_17_June_2010_final.pdf
---------------------------------------------------------------------------
    Iran has a long history of demonstrated readiness to employ proxies 
for terrorist purposes, drawing on kinetic means. There is little, if 
any, reason to think that Iran would hesitate to engage proxies to 
conduct cyber strikes against perceived adversaries. To paraphrase Mark 
Twain, history may not repeat itself, but it does tend to rhyme. 
Elements of the IRGC have openly sought to pull hackers into the 
fold;\16\ and the Basij, who are paid to do cyber work on behalf of the 
regime, provide much of the manpower for Iran's cyber operations.\17\ 
As in the physical world however, we must keep in mind when crafting 
security solutions and response mechanisms that Iran is not monolithic: 
Command-and-control there is murky, even within the IRGC, let alone 
what is outsourced. The attribution challenge associated with cyber 
space is therefore all the more complicated where Iran is concerned. 
Smoking keyboards are hard to find. Cyber space is a domain made for 
plausible deniability.
---------------------------------------------------------------------------
    \16\ Golnaz Esfandiari, ``Iran Says it Welcomes Hackers Who Work 
for Islamic Republic,'' Radio Free Europe, March 07, 2011. Accessed 4/
18/12. http://www.rferl.org/content/
iran_says_it_welcomes_hackers_who_work_for_islamic_republic/
2330495.html
    \17\ ``The Role of the Basij in Iranian Cyber Operations,'' 
Internet Haganah, March 24, 2011. Accessed 4/17/12. http://internet-
haganah.com/harchives/007223.html.
---------------------------------------------------------------------------
    In addition to hired or acquired cyber capabilities, the Government 
of Iran is, according to press reports, investing heavily ($1 billion) 
to develop and build out its own cyber war capabilities, both offense 
and defensive.\18\ There is evidence that at the heart of IRGC cyber 
efforts one will find the Iranian political/criminal hacker group 
``Ashiyane.''\19\ In late 2009 and early 2010, hackers calling 
themselves the Iranian Cyber Army struck Twitter and the Chinese search 
engine Baidu.\20\ The group also appears to have struck Iranian 
websites managed by the opposition Green Movement, with deleterious 
results for the opposition's ability to coordinate its activities.\21\ 
The high visibility of these attacks suggests that the Iranian Cyber 
Army and similar groups might be utilized as proxies by Iran's Islamic 
Revolutionary Guard Corps. In the event of a conflict in the Persian 
Gulf, similar attacks on public-facing websites could provide Iran an 
avenue for psychological operations directed against the U.S. public. 
Though fluid, hacker groups could be cultivated and guided--if not 
directly managed--by the IRGC. Iran's ability to conduct Electronic 
Warfare, including the jamming and spoofing of radar and communications 
systems, has been enhanced through its acquisition of advanced jamming 
equipment. In the event of a conflict in the Persian Gulf, Iran might 
hope to combine electronic and computer network attack methods to 
degrade U.S. and allied radar systems, complicating both offensive and 
defensive operations. \22\
---------------------------------------------------------------------------
    \18\ Yaakov Katz, ``Iran embarks on $1b. cyber-warfare program,'' 
The Jerusalem Post, December 18, 2011. Accessed 4/18/12 http://
www.jpost.com/Defense/Article.aspx?id=249864.
    \19\ Iftach Ian Amit, ``Cyber[Crime/War],'' paper presented at 
DEFCON 18 conference, July 31, 2010.
    \20\ Robert Mackey, `` `Iranian Cyber Army' Strikes Chinese 
Sites,'' The Lede (NYT Blog), January 12, 2010; Scott Peterson, 
``Twitter hacked: `Iranian Cyber Army' signs off with poem to 
Khamenei,'' Christian Science Monitor, December 18, 2009.
    \21\ Robert F. Worth, ``Iran: Opposition Web Site Disrupted,'' The 
New York Times, December 18, 2009.
    \22\ Michael Puttre, ``Iran bolsters naval, EW power,'' Journal of 
Electronic Defense vol. 25 no. 4 (April 2002): 24; Robert Karniol, 
``Ukraine sells Kolchuga to Iran,'' Jane's Defense Weekly, vol. 43 no. 
39 (September 27, 2006): 6; Stephen Trimble, ``Avtobaza: Iran's weapon 
in alleged RQ-170 affair?'' The DEW Line, December 5, 2011. Accessed 4/
23/12 http://www.flightglobal.com/blogs/the-dewline/2011/12/avtobaza-
irans-weapon-in-rq-17.html.
---------------------------------------------------------------------------
    There is also an Iranian ``cyber police force''\23\ that blocks 
``foreign websites and social networks deemed a threat to national 
security,'' with overall policy guidance provided by ``The Supreme 
Council of Virtual Space.''\24\ Interestingly, a distributed denial of 
service (DDoS) attack against the BBC this year happened to ``coincide 
with efforts to jam two of the service's satellite feeds in Iran.''\25\ 
There has also been considerable speculation about Government of Iran 
involvement in a number of hacking incidents including against Voice of 
America, and a Dutch firm in the business of issuing security 
certificates. Fallout from the latter was significant and affected a 
range of entities including western intelligence and security services, 
Yahoo, Facebook, Twitter, and Microsoft.\26\
---------------------------------------------------------------------------
    \23\ Thomas Erdbrink, ``Iran cyber police cite U.S. threat,'' The 
Washington Post, October 29, 2011. Accessed 4/18/12 http://
www.washingtonpost.com/world/middle_east/iran-cyber-police-cite-us-
threat/2011/10/27/gIQA1yruSM_story.html.
    \24\ ``Cyber-attack on BBC leads to suspicion of Iran's 
involvement,'' BBC News, March 14, 2012. Accessed 4/17/12. http://
www.bbc.co.uk/news/technology-17365416.
    \25\ ``Cyber-attack on BBC leads to suspicion of Iran's 
involvement,'' BBC News, March 14, 2012.
    \26\ Kevin Kwang, ``Spy agencies hit by CA hack; Iran suspected,'' 
ZDNet Asia, September 5, 2011. Accessed 4/18/12. http://
www.zdnetasia.com/spy-agencies-hit-by-ca-hack-iran-suspected-
62301930.htm. See also Bill Gertz, ``Iranians hack into VOA website,'' 
The Washington Times, February 21, 2011. Accessed 4/19/12. http://
www.washingtontimes.com/news/2011/feb/21/iranian-hackers-break-voa-
deface-web-sites/.
---------------------------------------------------------------------------
    Not surprisingly, Iran is trying to make its cyber capabilities 
appear truly muscular. When a U.S. drone fell into Iranian hands in 
December 2011, Iranian officials were quick to claim that it was 
brought down by ``electronic ambush of the armed forces.''\27\ The 
facts surrounding this incident are not all known, but from what U.S. 
authorities suggest, it seems that the drone likely malfunctioned, and 
perhaps was also affected by jamming efforts. Regardless, the fact that 
Iranian officials went public about their supposed capabilities 
suggests that they plan to do something significant by cyber means, or 
else they risk losing credibility.
---------------------------------------------------------------------------
    \27\ Thomas Erdbrink, ``Iran shows alleged downed US drone,'' The 
Washington Post, December 8, 2011. Accessed 4/18/12. http://
www.washingtonpost.com/blogs/blogpost/post/iran-shows-alleged-downed-
us-drone/2011/12/08/gIQAKciXfO_blog.html.
---------------------------------------------------------------------------
    In June 2011, Hezbollah too entered the fray, establishing the 
Cyber Hezbollah organization. Law enforcement officials note that the 
organization's goals and objectives include training and mobilizing 
pro-regime (that is, Government of Iran) activists in cyber space. In 
turn and in part, this involves raising awareness of, and schooling 
others in, the tactics of cyber warfare. Hezbollah is deftly exploiting 
social media tools such as Facebook to gain intelligence and 
information. Even worse, each such exploit generates additional 
opportunities to gather yet more data, as new potential targets are 
identified, and tailored methods and means of approaching them are 
discovered and developed.
    Given all the above evidence of (both conventional and cyber) 
capability and intent on the part of Iran and its proxies, the United 
States requires a robust posture. There are steps we can take to shore 
up our stance and create a more solid platform for proactive and, if 
necessary, reactive purposes. From a counterterrorism and intelligence 
standpoint, it is crucial to focus on and seek to enhance all-source 
intelligence efforts. Such is the key to refining our understanding of 
the threat in its various incarnations, and to facilitating the 
development and implementation of domestic tripwires designed to thwart 
our adversaries and keep us ``left of boom.''\28\ Disruption should be 
our goal. Planning and preparation to achieve this end includes 
information gathering and sharing--keeping eyes and ears open at home 
and abroad to pick up indications and warnings (I&W) of attack, and 
reaching out to and partnering with State and local authorities as well 
as technical and academic communities. Outreach to respected leaders in 
the community is essential to keep channels open, build trust, and 
foster mutual assistance. These dialogues should take place across the 
board, and not just in major metropolitan centers. The history of the 
Conficker Working Group, captured in a DHS-sponsored lessons learned 
document, provides examples of the types of relationships that need to 
be established and maintained.\29\
---------------------------------------------------------------------------
    \28\ Frank J. Cilluffo, Sharon Cardash, and Michael Downing, ``Is 
America's View of Iran and Hezbollah Dangerously Out of Date?'' 
FoxNews.com, March 20, 2012. Accessed 4/18/12 http://www.foxnews.com/
opinion/2012/03/20/is-americas-view-iran-and-hezbollah-dangerously-out-
date/.
    \29\ Conficker Working Group, ``Conficker Working Group: Lessons 
Learned,'' accessed 4/18/12 http://www.confickerworkinggroup.org/wiki/
uploads/Conficker_Working_Group_- 
Lessons_Learned_17_June_2010_final.pdf.
---------------------------------------------------------------------------
    Searching for I&W will require fresh thinking that identifies and 
pursues links and patterns not previously established. The above-
described nexus between terrorist and criminal networks offers new 
possibilities to exploit for collection and analysis. To take full 
advantage, we will have to hit the beat hard, with local police tapping 
informants and known criminals for leads. State and local authorities 
can and should complement what the Federal Government does not have the 
capacity or resources to collect, and thereby help determine the scope 
and contours of threat domains in the United States. Further leveraging 
our decentralized law enforcement infrastructure could also serve to 
better power our Fusion Centers. The post-9/11 shift of U.S. law 
enforcement resources away from ``drugs and thugs'' toward 
counterterrorism is, ironically, in need of some recalibration in order 
to serve counterterrorism aims. For the last decade, furthermore, U.S. 
Government analysts have (understandably) focused on al-Qaeda, 
resulting in a shallower pool of U.S. intelligence on Hezbollah. Recent 
incidents cited above may provide insight into current tactics, 
techniques, and procedures, and we should comb through further to mine 
for and learn possible lessons.
    Officials in the homeland security community must undertake 
contingency planning that incorporates attacks on U.S. infrastructure. 
At minimum, ``red-teaming'' and additional threat assessments are 
needed. The latter should include modalities of attack (such as cyber, 
and attacks on our critical infrastructures) and potential 
consequences.
    From the perspective of cybersecurity and infrastructure 
protection, the United States should develop and clearly articulate a 
cyber-deterrence strategy. Computer network exploitation directed 
against us is presently a major issue--we are losing billions of 
dollars in intellectual property as a result. Even more ominous are 
adversary efforts underway to engage in the cyber equivalent of 
intelligence preparation of the battlefield, again to be used against 
us.\30\ There is simply no other explanation for the nature and extent 
of the activity that we have seen so far. Yet, insofar as our response 
posture is concerned, the current situation is arguably the worst of 
all worlds: Certain adversaries have been singled out in Government 
documents released in the public domain, yet it is not altogether clear 
what we are doing about these activities directed against us.\31\ The 
better course would be to undertake and implement a cyber-deterrence 
policy that seeks to dissuade, deter, and compel both as a general 
matter, and in a tailored manner that is actor/adversary-specific. A 
solid general posture could serve as an 80 percent solution, 
neutralizing the majority of threats before they manifest fully. This 
would free up resources (human, capital, technological, etc.) to focus 
in context-specific fashion on the remainder, which constitute the 
toughest threats and problems, in terms of their level of 
sophistication and determination. To operationalize these 
recommendations, we must draw lines in the sand or, in this case, the 
silicon. Preserving flexibility of U.S. response by maintaining some 
measure of ambiguity is useful, so long as we make parameters clear by 
laying down certain markers or selected redlines whose breach will not 
be tolerated. The entire exercise must, of course, be underpinned by 
all-source intelligence. Lest the task at hand seem overly daunting, 
remember that we have in past successfully forged strategy and policy 
in another new domain devoid of borders, namely outer space.
---------------------------------------------------------------------------
    \30\ Nick Hopkins, ``Militarisation of Cyberspace: how the global 
power struggle moved online,'' The Guardian, April 16, 2012. Accessed 
4/17/12. http://m.guardian.co.uk/technology/2012/apr/16/militarisation-
of-cyberspace-power-struggle?cat=technology&type=article; and http://
m.guardian.co.uk/technology/2012/apr/16/us-china-cyber-war-
games?cat=technology&type=- article.
    \31\ See Bryan Krekel et al., Occupying the Information High 
Ground: Chinese Capabilities for Computer Network Operations and Cyber 
Espionage (Report, U.S.-China Security and Review Commission, 2011); 
Office of the National Counterintelligence Executive, Foreign Spies 
Stealing U.S. Secrets in Cyberspace: Report to Congress on Foreign 
Economic Collection, 2009-2011 (Washington, DC: NCIX, 2011) for the 
espionage activities of China and Russia in particular.
---------------------------------------------------------------------------
    Sometimes, however, the best defense is a good offense. Yet the 
U.S. cyber offense to defense ratio, at least as represented in the 
public domain, has skewed overwhelmingly to defense.\32\ There are some 
signs of late that this may be changing, including newspaper reports 
suggesting that rules of engagement regarding cyber attacks are being 
developed, and that the Department of Defense is seeking to bolster its 
arsenal of cyber weapons.\33\ These are encouraging developments, if 
true, because having a full complement of instruments in our toolkit, 
and publicizing that fact (minus the details), will help deter 
potential adversaries--provided that we also signal a credible 
commitment to enforcing compliance with U.S. redlines. Again history 
provides guidance, suggesting two focal points upon which we should 
build our efforts. One is leadership--we must find the cyber 
equivalents of Billy Mitchell or George Patton, leaders who understand 
the tactical and strategic uses of new technologies and weapons. The 
other is force protection--not only must we develop offensive 
capabilities, but we ought to make sure we develop second-strike 
capabilities. We cannot simply firewall our way out of the problem. 
U.S. Cyber Command must both lend and receive support, if our cyber 
doctrine is to evolve smartly and if our cyber power is to be exercised 
effectively.
---------------------------------------------------------------------------
    \32\ For comments by GEN James Cartwright, USMC, to this effect, 
see Julian E. Barnes and Siobhan Gorman, ``Cyberwar Plan Has New Focus 
on Deterrence,'' The Wall Street Journal, July 15, 2011. Accessed 4/23/
12 http://online.wsj.com/article/SB100014240527023045213045764- 
46191468181966.html
    \33\ Cheryl Pellerin, ``DOD Develops Cyberspace Rules of 
Engagement,'' American Forces Press Service, March 20, 2012. Accessed 
4/23/12 http://www.defense.gov/news/newsarticle.aspx?id=67625; Zachary 
Fryer-Briggs, ``U.S. Military Goes on Cyber Offensive,'' Defense News, 
March 24, 2012. Accessed 4/23/12 http://www.defensenews.com/article/
20120324/DEFREG02/303240001/U-S-Military-Goes-Cyber-Offensive. See also 
Testimony of GEN Keith Alexander, USA, before the U.S. House of 
Representatives Committee on Armed Services, Fiscal Year 2013 Budget 
Request for Information Technology and Cyber Operations Programs, March 
20, 2012. Accessed 4/23/12 http://armedservices.house.gov/index.cfm/
hearings-display?ContentRecord_id=92823c77-38f0-4c20-a3ee-36729e8e19a3.
---------------------------------------------------------------------------
    While it is up to the Government to lead by example by getting its 
own house in order, cybersecurity and infrastructure protection do not 
constitute areas where Government can go it alone. With the majority of 
U.S. critical infrastructure owned and operated privately, robust 
public-private partnerships are essential, as is a companion commitment 
by the private sector to take the steps necessary to reinforce national 
and homeland security. Government and industry must demonstrate the 
will and leadership to take the tough decisions and actions necessary 
in this sphere.
    Lest the incentives to do so not be clear to all by now, consider 
the words of the FBI's then-executive assistant director responsible 
for cybersecurity, Shawn Henry, who said: ``We're not winning.'' He 
illustrated his conclusion by citing a company that, due to hackers, 
lost 10 years of effort (R&D) and the equivalent of $1 billion.\34\ 
While we cannot expect the private sector to defend itself alone from 
attacks by foreign intelligence services, we need to do a better job 
(as a country) of making the business case for cybersecurity. Failure 
to shore up our vulnerabilities has National security implications. Yet 
crucial questions remain open, such as how much cybersecurity is 
enough, and who is responsible for providing it?
---------------------------------------------------------------------------
    \34\ Devlin Barrett, ``U.S. Outgunned in Hacker War,'' The Wall 
Street Journal, March 28, 2012. Accessed 4/18/12 http://online.wsj.com/
article/SB100014240527023041771045773077- 73326180032.html
---------------------------------------------------------------------------
    The facts in this case support the need for standards, as 
identified and self-initiated (along with best practices) by the 
private sector, across critical industries and infrastructures, 
together with an enforcement role for Government, to raise the bar 
higher--in order to protect and promote, not stifle, innovation. The 
economic and intellectual engines that made this country what it is 
today are, arguably, our greatest resource. They will power us into the 
future too, so long as we act wisely and carefully to foster an 
environment in which they can continue to thrive and grow. To be blunt, 
legislation of the type described is needed, and it is needed now, in 
order to remedy crucial gaps and shortfalls, and hold critical 
infrastructure owners and operators accountable, by focusing on 
behavior rather than regulating technology.
    At the same time, a mix of incentives is needed, to include tax 
breaks, liability protections, and insurance premium discounts, for 
private owners and operators of critical infrastructure to take the 
steps needed to help improve our overall level of security. These 
measures must also be accompanied by a mechanism to enable and 
encourage information sharing between the public and private sectors. 
In addition, as former director of national intelligence, Admiral Mike 
McConnell, has suggested, the information exchanged must be 
``extensive, . . . sensitive and meaningful,'' and the sharing must 
take place in ``real-time'' so as to match the pace of the cyber 
threat. There must be ``tangible benefits'' for those yielding up the 
information.\35\
---------------------------------------------------------------------------
    \35\ VADM J. Michael McConnell, USN (Ret.), remarks given February 
22, 2012 at Homeland Security Policy Institute, The George Washington 
University, Washington, DC. Transcript and video accessed 4/23/12 
http://www.c-spanvideo.org/program/CyberSecurityL.
---------------------------------------------------------------------------
    In conclusion, now is the time to act. For too long, we have been 
far too long on nouns, and far too short on verbs. Again, I wish to 
thank both subcommittees and their staff for the opportunity to testify 
today, and I would be pleased to try to answer any questions that you 
may have.

    Mr. Meehan. Thank you, Mr. Cilluffo. That might be 
something you want to develop further in your--in your response 
to questions. Mr. Berman, we now recognize you for 5 minutes. 
Thank you.

  STATEMENT OF ILAN BERMAN, VICE PRESIDENT, AMERICAN FOREIGN 
                         POLICY COUNCIL

    Mr. Berman. Thank you, sir, and let me start by thanking 
you, Mr. Chairman, and thanking Chairman Lungren for holding 
this hearing. Like my colleague, I am appreciative of the fact 
that this is a synergistic problem and it is one that lends 
itself to a synergistic solution rather than simply holding 
one-off events. Let me also say by way of starting, that I am a 
subject-matter specialist in Iran, rather than infrastructure 
protection or cybersecurity, so I am going to focus my remarks 
on the political and the strategic aspects of the emerging 
Iranian cyber threat.
    Let me start by saying that I think the question that is 
being posed increasingly here within the Washington Beltway is 
whether or not Iran poses a real and immediate cyber threat to 
the United States, and the conventional wisdom here is that it 
doesn't because Iran is squeezed by increasingly harsh economic 
sanctions from the United States and the European Union and 
others, and also because Iran, as a result, is weathering 
significant domestic socioeconomic malaise. But for those very 
same reasons, I would make the argument that Iranian action 
against the United States, particularly asymmetric action 
against the United States, is more rather than less likely. If 
you look at the Iranian--the way the Iranians approach cyber 
space, they are essentially looking at two geopolitical drivers 
that are animating their focus and their attention. The first 
has to do with domestic repression. The Iranian regime is 
erecting what President Obama recently called an electronic 
curtain around its population and it is doing so through the 
construction of a National intranet to essentially supplant and 
cordon off Iranian access to the world wide web. It is doing so 
through the passage of new restrictive regulations and rules 
governing internet usage, public internet usage. It is doing so 
through the passage of penalties relating to content that is 
deemed inappropriate by the Iranian regimes--Iranian regime, 
and is doing so through the installation, acquisition, and 
installation of technologies, foreign origin technologies, such 
as Chinese origin technologies for the monitoring, filtering, 
and limiting of access to the internet.
    This focus on the part of the Iranian regime, began in 
earnest after June 2009, when the fraudulent re-election of 
Iranian President Mahmoud Ahmadinejad catalyzed a groundswell 
of opposition from the Iranian street. The Iranian opposition 
elements at the time leveraged the internet extensively in 
their protests, and as a result, the Iranian regime responded 
in that domain as well.
    It has been successful. If you look over the last year or 
so, it is very clear that the Iranian Green Movement as it is 
called, has migrated into the ether. It has migrated into the 
internet, and the regime has followed them there. If you look 
at the new restrictions that are being passed by the Iranian 
regime in terms of access to Facebook, and Twitter, and other 
accounts, it is very clear that the competition and contest 
between Iran and its opposition is much more virtual now than 
it is actually on the streets, but it is still there.
    This focus, though, has been confirmed by what has happened 
in the Middle East over the last year. The Arab Spring has been 
touted by Iran as a victory for the Ayatollah Khomeini Islamic 
Revolution, but in practical terms, the anti-regime sentiment 
that is embodied by the turmoil that has taken place in 
Tunisia, and Libya, and Egypt is taking place now in Syria and 
elsewhere, poses a mortal threat to the Iranian regime on a 
number of levels. As a result, the Arab Spring has confirmed to 
them the need to clamp down domestically and isolate their 
population from these outside sources.
    The second, and for the purposes of this committee, I think 
more important geopolitical driver of Iran's interest has to do 
with the asymmetric conflict that is already occurring over 
Iran's nuclear program. We heard earlier in the opening 
statements about the application of Stuxnet, and Stuxnet is one 
of at least three, possibly more, cyber attacks against--
discrete cyber attacks that have taken place against the 
Iranian nuclear program over the last 2 years or so.
    In policy circles in Washington the question of 
attribution, where Stuxnet and these other malwares came from, 
who has deployed them, is still an open question. But from the 
Iranian perspective, it is not. It is very clear for Iran, that 
the west writ large has launched an asymmetric attack on the 
Iranian nuclear program and it is mobilizing as a response, 
mobilizing through the creation of a $1 billion program to ramp 
up its cyber defense and cyber offense capabilities, the 
construction of a cyber army of sympathetic hacktivists, and 
leveraging attacks against entities such as Twitter, such as 
the Chinese search engine Baidu, such as the BBC. This all 
shows a very clear pattern of increasingly aggressive behavior, 
and it underscores, I think, a fundamental point, which is that 
Iran appears to be moving increasingly from defense to offense 
in terms of how it thinks about cyber space.
    In the opening remarks, Chairman Meehan, you referenced the 
assessment of General Clapper, about how Iran has become 
increasingly bold in its strategy. I would make the argument 
that this represents nothing less than a seismic shift in terms 
of how Iran thinks about the U.S. homeland. In his testimony, 
General Clapper talked about the fact that Iranian officials, 
probably including the Supreme Leader Ali Khamenei himself, 
have changed their calculus and are now willing to conduct an 
attack on the United States. This has salience with regard to 
the attempted foiled attack in October 2001 against the Saudi 
Ambassador in Washington, but increasingly, it is likely to 
manifest itself in other ways as well, including in the cyber 
realm. Here Iran has significant capability, and significant 
intent.
    Last summer, for example, a hard-liner Iranian newspaper 
affiliated with the Revolutionary Guard, warned the United 
States, that America no longer has the ``exclusive capability 
in cyber space and it has underestimated the Islamic 
Republic,'' and now needs to worry about ``an unknown player 
somewhere in the world attacking a section of its critical 
infrastructure.''
    Are we ready for this? This is, I think, the most salient 
question of all. The past year has seen a dramatic expansion on 
the part of the United States in terms of Governmental 
awareness of cyber space as a domain for conflict. But this 
attention is still uneven, I would argue. It focuses largely on 
network protection and resiliency, particularly in the military 
arena, and on threat capabilities from China, and from Russia. 
Serious institutional awareness of the threat from Iran and the 
cyber warfare potential of Iran, has lagged behind the times 
and so has the Governmental response to it.
    So why does this matter? I would argue that it matters for 
three reasons: First of all, it matters because operationally, 
an Iranian cyber attack may look similar to a Chinese cyber 
attack, or a Russian cyber attack, but there are key 
differences. The first is with regard to targeting objects. 
Iran has, in both its public statements and its writings, 
talked extensively about U.S. critical infrastructure.
    Mr. Meehan. Mr. Berman, can I do this? I am going to pursue 
that specific line of questioning with you as soon as I have an 
opportunity. I want you to articulate more on that. Allow me to 
move with Mr. Caslow at this point in time, and we will return 
to that.
    Mr. Berman. Absolutely, thank you, sir.
    [The prepared statement of Mr. Berman follows:]
                   Prepared Statement of Ilan Berman
                             April 26, 2012
    Congressman Lungren, Congressman Meehan, distinguished Members of 
the subcommittees: Thank you for the opportunity to appear before you 
today to address the cyber warfare capabilities of the Islamic Republic 
of Iran, and the threat that they pose to the U.S. homeland.
    Conventional wisdom suggests that the Iranian regime, now being 
squeezed significantly by sanctions from the United States and Europe 
and grappling with significant domestic socio-economic malaise, is far 
from an imminent threat to the American homeland (even if it does 
present a vexing foreign policy challenge for the United States and its 
allies). Yet, over the past 3 years, the Iranian regime has invested 
heavily in both defensive and offensive capabilities in cyber space. 
Equally significant, its leaders now increasingly appear to view cyber 
warfare as a potential avenue of action against the United States.
              iranian capabilities in geopolitical context
    Iran's expanding exploitation of cyber space can be attributed to 
two principal geopolitical drivers.
    The first are the Iranian regime's efforts to counter Western 
influence and prevent the emergence of a ``soft revolution'' within its 
borders. In his March 2012 Nowruz message to the Iranian people, 
President Obama alluded to the growing efforts of the Iranian regime to 
isolate its population from the outside world when he noted that an 
``electronic curtain has fallen around Iran.''\1\ That digital barrier 
has grown exponentially over the past 3 years, as Iran's leadership has 
sought to quell domestic dissent and curtail the ability of its 
opponents to organize.
---------------------------------------------------------------------------
    \1\ White House, Office of the Press Secretary, ``Remarks of 
President Obama Marking Nowruz,'' March 20, 2012, http://
www.whitehouse.gov/the-press-office/2012/03/20/remarks-president-obama-
marking-nowruz.
---------------------------------------------------------------------------
    The proximate cause of this effort was the fraudulent June 2009 
reelection of Mahmoud Ahmadinejad to the Iranian presidency, which 
catalyzed a groundswell of domestic opposition that became known 
colloquially as the ``Green Movement.'' In the months that followed, 
Iran's various opposition elements relied extensively on the internet 
and social networking tools to organize their efforts, communicate 
their messages to the outside world, and rally public opinion to their 
side. In turn, the Iranian regime utilized information and 
communication technologies extensively in its suppression of the 
protests--and thereafter has invested heavily in capabilities aimed at 
controlling the internet and restricting the ability of Iranians to 
access the world wide web.\2\
---------------------------------------------------------------------------
    \2\ See, for example, Saeid Golkar, ``Liberation or Suppression 
Technologies? The Internet, the Green Movement and the Regime in 
Iran,'' International Journal of Emerging Technologies and Society 9, 
no. 1 (2011), 50-70, http://www.swinburne.edu.au/hosting/ijets/journal/
V9N1/pdf/Article%204%20Golkar.pdf.
---------------------------------------------------------------------------
    This focus has only been reinforced by recent revolutionary fervor 
throughout the Middle East and North Africa. For while Iranian 
authorities have sought to depict the so-called ``Arab Spring'' as both 
the start of an Islamic awakening and an affirmation of their regime's 
worldview,\3\ the anti-regime sentiment prevalent in the region 
actually represents a mortal threat to their corrupt, unrepresentative 
regime. As a result, the past year has seen a quickening of the 
regime's long-running campaign against ``Western influence'' within the 
Islamic Republic. These efforts include:
---------------------------------------------------------------------------
    \3\ ``Khamenei Credits Iranian Revolution With Fuelling Egyptian 
Revolt,'' Reuters, February 4, 2011, http://www.thenational.ae/news/
world/middle-east/khamenei-credits-iranian-revolution-with-fuelling-
egyptian-revolt; Robert F. Worth, ``Efforts To Rebrand Arab Spring 
Backfires In Iran,'' New York Times, February 2, 2012, http://
www.nytimes.com/2012/02/03/world/middleeast/effort-to-rebrand-arab-
spring-backfires-in-iran.html?pagewanted=all.
---------------------------------------------------------------------------
   The construction of a new, ``halal'' national internet. This 
        ``second internet,'' which will effectively sever Iran's 
        connection to the world wide web by routing web users to pre-
        approved, Iranian-origin sites, is currently expected to come 
        on-line by late summer 2012.\4\
---------------------------------------------------------------------------
    \4\ See Steven Musil, ``Iran Expected To Permanently Cut Off 
Internet By August,'' CNET, April 9, 2012, http://news.cnet.com/8301-
1023_3-57411577-93/iran-expected-to-permanently-cut-off-internet-by-
august/.
---------------------------------------------------------------------------
   Installation of a sophisticated Chinese-origin surveillance 
        system for monitoring phone, mobile, and internet 
        communications.\5\
---------------------------------------------------------------------------
    \5\ Steve Stecklow, ``Special Report: Chinese firm helps Iran spy 
on citizens,'' Reuters, March 22, 2012, http://www.reuters.com/article/
2012/03/22/us-iran-telecoms-idUSBRE82L0B8- 20120322.
---------------------------------------------------------------------------
   The passage of new, restrictive governmental ``guidelines'' 
        forcing internet cafes to record the personal information of 
        customers--including vital data such as names, national 
        identification numbers, and phone numbers--as well the 
        installation of closed-circuit cameras to keep video logs of 
        all customers accessing the world wide web.\6\
---------------------------------------------------------------------------
    \6\ Radio Free Europe, January 4, 2012.
---------------------------------------------------------------------------
   Movement toward the formation of a new government agency to 
        monitor cyber space. Once operational, this ``Supreme Council 
        of cyber space,'' which will be headed by top officials from 
        both Iran's intelligence apparatus and the Revolutionary 
        Guards, will be tasked with ``constant and comprehensive 
        monitoring over the domestic and international cyber space,'' 
        and be able to issue sweeping decrees concerning the internet 
        that would have the full strength of law.\7\
---------------------------------------------------------------------------
    \7\ Ramin Mostaghim and Emily Alpert, ``Iran's Supreme Leader Calls 
for New Internet Oversight Council,'' Los Angeles Times, March 7, 2012, 
http://latimesblogs.latimes.com/world_now/2012/03/iran-internet-
council-khamenei.html.
---------------------------------------------------------------------------
    The second geopolitical driver of Iran's interest in cyber space 
relates to the expanding conflict with the West over its nuclear 
ambitions. Since the fall of 2009, Iran has suffered a series of 
sustained cyber attacks on its nuclear program. The most well-known of 
these is Stuxnet, the malicious computer worm that attacked the 
industrial control systems at several Iranian nuclear installations, 
including the uranium enrichment facility at Natanz, between late 2009 
and late 2010. At the height of its effectiveness, Stuxnet is estimated 
to have taken 10 percent or more of Iran's 9,000 then-operational 
centrifuges off-line.\8\
---------------------------------------------------------------------------
    \8\ David Albright, Paul Brannan, and Christina Walrond, ``Stuxnet 
Malware and Natanz: Update of ISIS December 2, 2010 Report,'' Institute 
for Science and International Security ISIS Reports, February 15, 2011, 
http://www.isis-online.org/isis-reports/detail/stuxnet-malware-and-
natanz-update-of-isis-december-22-2010-reportsupa-href1/.
---------------------------------------------------------------------------
    Stuxnet has been followed by at least two other cyber attacks aimed 
at derailing Iran's nuclear development. ``Stars,'' a software script 
targeting execution files, was uncovered by the Iranian regime in April 
2011.\9\ Subsequently, ``Duqu,'' a malware similar to Stuxnet and aimed 
at gaining remote access to Iran's nuclear systems, was identified in 
October/November 2011.\10\
---------------------------------------------------------------------------
    \9\ ``After Stuxnet: Iran Says It's Discovered 2nd Cyber Attack,'' 
Reuters, April 25, 2011, http://www.jpost.com/IranianThreat/News/
Article.aspx?id=217795.
    \10\ ``Iran Says Has Detected Duqu Computer Virus,'' Reuters, 
November 13, 2011, http://www.reuters.com/article/2011/11/13/us-iran-
computer-duqu-idUSTRE7AC0YP20111113.
---------------------------------------------------------------------------
    Publicly, the origins of these intrusions are still an open 
question. Israel has steadfastly denied any role in the authorship of 
Stuxnet or other cyber attacks, despite widespread speculation to the 
contrary. The United States, too, has remained silent on the subject, 
although suspicions abound that the CIA played at least some part in 
putting together and deploying Stuxnet (and perhaps other malware as 
well).\11\
---------------------------------------------------------------------------
    \11\ Ralph Langner, ``Cracking Stuxnet, a 21st Century Cyber 
Weapon,'' TED Talks, March 2011, http://www.ted.com/talks/
ralph_langner_cracking_stuxnet_a_21st_century_- cyberweapon.html.
---------------------------------------------------------------------------
    For the Iranian regime, however, the conclusion is clear. War with 
the West, at least on the cyber front, has been joined, and the Iranian 
regime is mobilizing in response. In recent months, it reportedly has 
launched an ambitious $1 billion governmental program to boost national 
cyber capabilities--an effort that involves acquisition of new 
technologies, investments in cyber defense, and the creation of a new 
cadre of cyber experts.\12\ It has also activated a ``cyber army'' of 
activists which, while nominally independent, has carried out a series 
of attacks on sites and entities out of favor with the Iranian regime, 
including social networking site Twitter, Chinese search engine Baidu, 
and the websites of Iranian reformist elements.\13\
---------------------------------------------------------------------------
    \12\ Yaakov Katz, ``Iran Embarks On $1b. Cyber-Warfare Program,'' 
Jerusalem Post, December 18, 2011, http://www.jpost.com/Defense/
Article.aspx?id=249864.
    \13\ Farvartish Rezvaniyeh, ``Pulling the Strings of the Net: 
Iran's Cyber Army,'' PBS Frontline, February 26, 2010, http://
www.pbs.org/wgbh/pages/frontline/tehranbureau/2010/02/pulling-the-
strings-of-the-net-irans-cyber-army.html; Alex Lukich, ``The Iranian 
Cyber Army,'' Center for Strategic & International Studies, July 12, 
2011, http://csis.org/blog/iranian-cyber-army.
---------------------------------------------------------------------------
                     cyberwar and iranian strategy
    In his testimony to the Senate Select Committee on Intelligence 
this past January, General James Clapper, the director of national 
intelligence, alluded to what amounts to a seismic shift in Iranian 
strategy. In response to growing economic sanctions and mounting 
pressure from the United States and its allies, he noted, ``Iranian 
officials--probably including Supreme Leader Ali Khamenei--have changed 
their calculus and are now willing to conduct an attack in the United 
States.''\14\
---------------------------------------------------------------------------
    \14\ James Clapper, testimony before the Senate Select Committee on 
Intelligence, January 31, 2012.
---------------------------------------------------------------------------
    Gen. Clapper was referring, most directly, to the foiled October 
2011 plot by Iran's Revolutionary Guards to assassinate Saudi Arabia's 
envoy to the United States in Washington, DC. But, as the international 
crisis over Iran's nuclear ambitions continues to deepen, Iran's cyber 
capabilities should be a matter of significant concern as well. Experts 
have warned that, should the standoff over Iran's nuclear program 
precipitate a military conflict, Iran ``might try to retaliate by 
attacking U.S. infrastructure such as the power grid, trains, airlines, 
refineries.''\15\
---------------------------------------------------------------------------
    \15\ Brian Ross, ``What Will Happen to the US if Israel Attacks 
Iran?'' ABC News, March 5, 2012, http://abcnews.go.com/Blotter/israel-
attacks-iran-gas-prices-cyberwar-terror-threat/
story?id=15848522#.T4g5tqvY9Ll.
---------------------------------------------------------------------------
    The Iranian regime appears to be contemplating just such an 
asymmetric course of action. In late July 2011, for example, Kayhan, a 
hardline newspaper affiliated with Iran's Revolutionary Guards, issued 
a thinly-veiled warning to the United States when it wrote in an 
editorial that America, which once saw cyber warfare as its ``exclusive 
capability,'' had severely underestimated the resilience of the Islamic 
Republic. The United States, the paper suggested, now needs to worry 
about ``an unknown player somewhere in the world'' attacking ``a 
section of its critical infrastructure.''\16\
---------------------------------------------------------------------------
    \16\ ``STUXNET has Returned Home,'' Kayhan (Iran), July 27, 2011. 
(Author's collection).
---------------------------------------------------------------------------
    In keeping with this warning, over the past year infrastructure 
professionals in the United States have noted that Iran's ``chatter is 
increasing, the targeting more explicit, and more publicly 
disseminated.''\17\ The Islamic Republic, in other words, increasingly 
has begun to seriously contemplate cyber warfare as a potential avenue 
of action against the West.
---------------------------------------------------------------------------
    \17\ Author's personal communication, August 17, 2011.
---------------------------------------------------------------------------
    Iran has significant capacity in this sphere. A 2008 assessment by 
the policy institute Defense Tech identified the Islamic Republic as 
one of five countries with significant nation-state cyber warfare 
potential.\18\ Similarly, in his 2010 book Cyber War, former National 
Security Council official Richard Clarke ranks Iran close behind the 
People's Republic of China in terms of its potential for ``cyber-
offense.''\19\ These capabilities, moreover, are growing. In his 
January 2012 Senate testimony, General Clapper alluded to the fact that 
Iran's cyber capabilities ``have dramatically increased in recent years 
in depth and complexity.''\20\
---------------------------------------------------------------------------
    \18\ Kevin Coleman, ``Iranian Cyber Warfare Threat Assessment,'' 
Defense Tech, September 23, 2008, http://defensetech.org/2008/09/23/
iranian-cyber-warfare-threat-assessment/.
    \19\ Richard A. Clarke and Robert K. Knake, Cyber War: The Next 
Threat to National Security and What to do About It (New York: Harper 
Collins, 2010), 148.
    \20\ Clapper, testimony before the Senate Select Committee on 
Intelligence.
---------------------------------------------------------------------------
                   preparing for cyber war with iran
    Where does the United States stand with regard to a response? The 
Obama administration has made cybersecurity a major area of policy 
focus since taking office in 2009, and the past year in particular has 
seen a dramatic expansion of Governmental awareness of cyber space as a 
new domain of conflict. But this attention remains uneven, focused 
largely on network protection and resiliency (particularly in the 
military arena), and on the threat capabilities of the People's 
Republic of China and, to a lesser extent, of the Russian Federation. 
Serious institutional awareness of, and response to, Iran's cyber 
warfare potential has lagged behind the times.
    Indeed, personal conversations with a range of experts inside and 
outside of Government reveal a troubling lack of clarity about the 
Iranian cyber threat--and the absence of serious planning to counter 
it. While some parts of the Federal bureaucracy (namely U.S. Strategic 
Command and the State Department's Nonpoliferation Bureau) have begun 
to pay attention to Iran's threat potential in the cyber realm, as yet 
there exists no individual or office tasked with comprehensively 
addressing the Iranian cyber warfare threat. The U.S. Government, in 
other words, has not yet even begun to get ready for cyber war with 
Iran.
    It should. After all, it is not out of the question that the 
Iranian regime could attempt an unprovoked cyber attack on the United 
States. As the foiled October 2011 plot against Saudi Arabia's 
ambassador to the United States indicates, Iran has grown significantly 
bolder in its foreign policy, and no longer can be relied upon to 
refrain from direct action in or against the U.S. homeland. Far more 
likely, however, is a cyber warfare incident related to Iran's nuclear 
program. In coming months, a range of scenarios--from a renewed 
diplomatic impasse to a further strengthening of economic sanctions to 
the use of military force against Iranian nuclear facilities--hold the 
potential to trigger an asymmetric retaliation from the Iranian regime 
aimed at vital U.S. infrastructure, with potentially devastating 
effects.
    At the very least, it is clear that policymakers in Tehran are 
actively contemplating such an eventuality. Prudence dictates that 
their counterparts in Washington should be doing so as well.

    Mr. Meehan. Mr. Caslow, I now want to recognize you for 
your 5 minutes.

STATEMENT OF ROGER L. CASLOW, EXECUTIVE CYBER CONSULTANT, SUSS 
                           CONSULTING

    Mr. Caslow. Good morning, and thank you for inviting me to 
share my testimony today. I do want to emphasize that my 
background is primarily in the realm of cybersecurity as it 
relates to computer and network defense. I am not an Iranian 
subject-matter expert, but I do know how to secure something 
and lock it down. It is an honor to appear before the joint 
subcommittee to testify about the Iranian cyber threat to the 
U.S. homeland, and I do hope that my testimony is of benefit to 
create a better defensive posture against this stated threat.
    My colleagues here have already identified the threat. They 
scoped it out for us. That is good. Looking from a pure 
vulnerability perspective and how we go forward and how we 
attack that, according to the 2012 Data Breach Investigations 
Report from Verizon, 97 percent of all reported data breaches 
were avoidable through basic level security controls 
implementation. Now, let me just state, that in order to 
protect our way of life, we must be prepared to return to the 
basics of security, not the flashing glitz of a Duqu or a 
Stuxnet, which I could talk if we wanted to about that, but 
rather the foundational aspects of cybersecurity.
    Once we have secured the basics across all sectors, then 
and only then can we have the greater certainty that the 
weakest link is not as exploitable by those who seek to do us 
harm. Within the field of cybersecurity, this requires ensuring 
the foundation is secure by knowing what is on and connected to 
our networks, what our basic security posture is, and what it 
should be, and ensuring the right people with the right skill 
sets are building, maintaining, and protecting these assets and 
data. Furthermore, within the cybersecurity discipline, we 
require a strong governance structure. Governance is far from 
the most exciting area of cybersecurity, but it is foundational 
to ensure better management of our vulnerabilities against our 
threats. For this to work, we must have clearly defined 
language, write what is meant, and leave little room for 
negotiation as possible.
    Good governance is required for best performance of our 
National, State, local, and industrial activities. Good 
governance supports better integration of cybersecurity and 
information technology architectures, building in the security 
requirements up front. Good governance supports the adoption of 
risk-management-based decisions, which are only as good as the 
information available to the decision makers responsible for 
the defense of our interconnected networks, both public and 
private. I am going to mention Executive Order 13587, which was 
the structural reforms to improve the security of classified 
networks. That was a good start, however, I believe it required 
more teeth, but it also required better integration across all 
levels to include our industrial partners, less the bureaucracy 
overrun the implementation.
    Another not-too-exciting area, is the emphasis on 
education, training, and awareness. Education emphasis, not 
merely on the hard technology engineering skills, but also on 
the basic critical thinking skills which are lost in many 
technology disciplines. With respect to training as a Nation, 
our standards need to be fully matured and established across 
all sectors.
    We can make improvements by leveraging the private-sector 
security-based and -focused training organizations which are 
aware of the threats, vulnerability, and respective 
countermeasures. Basic awareness of the threats posed to all 
sectors and elements to our society is also important. We still 
have too many people who are ignorant of the threats, and 
become caught in phishing, spear phishing, social engineering, 
and other types of manipulation, exploitation, and exfiltration 
schemes.
    Again, all sectors are important and require some level of 
targeted awareness campaigns. I consider it more of an op-sec, 
or an operational security against a cyber attack. Now, there 
is a National initiative for cybersecurity education which 
evolved from the Comprehensive National Cybersecurity 
Initiative, was intended to address many of these education 
training and awareness issues, but has not taken root. I fully 
understand the concept of measure twice and cut once, but when 
we face the threats we do as a Nation, the 85 percent solution 
should be enough to start. More focus on results and 
accomplishments, less talking, will better serve this 
initiative in our overall cybersecurity posture regardless of 
the threat vector.
    Finally, when to seek out and leverage by name, when and 
where possible, specific people, tailorable process, 
integratable security technology solutions. We must allow the 
security--the subject-matter experts to research, propose, 
implementable processes and technology solutions and then put 
them in place with minimal delay. Bureaucracy is not our friend 
in this arena.
    Now, there are no easy solutions, and we have been speaking 
to these topics for a number of years, but if we are serious 
about protecting our Nation's interests, we must first secure 
the basics before moving into more advanced methods and 
techniques. Thank you again. I look forward to any questions 
you might have for me.
    [The statement of Mr. Caslow follows:]
                 Prepared Statement of Roger L. Caslow
                             April 26, 2012
    Good morning and thank you for inviting me to share my testimony 
today. My name is Roger Caslow \1\ and I am an executive consultant 
with Suss Consulting. My background is primarily in the realm of 
cybersecurity as it relates to computer and network defense. It is an 
honor to appear before this joint subcommittee to testify about the 
``Iranian Cyber Threat to the U.S. Homeland'' and I hope that my 
testimony is of benefit in to creating a better defense posture against 
this stated threat.
---------------------------------------------------------------------------
    \1\ Roger Caslow Bio.
---------------------------------------------------------------------------
    According to the 2012 Data Breach Investigations Report,\2\ 97% of 
all reported data breaches were avoidable through basic levels security 
controls implementation. Allow me to state that in order to protect our 
way of life we must be prepared to return to the basics of security. 
Not the flashy and glitzy but rather the foundational aspects of 
cybersecurity. Once we have secured the basics, across all sectors, 
then and only then can we have greater certainty that the ``weakest 
link'' is not as exploitable by those who seek to do us harm. Within 
the field of cybersecurity this requires ensuring that the foundation 
is secure by knowing what is on or connected to our networks, what our 
basic security posture is and what it should be, and ensuring that the 
right people with the right skill sets are building, maintaining, and 
protecting these assets and their data.
---------------------------------------------------------------------------
    \2\ 2012 Data Base Investigations Report, Verizon.
---------------------------------------------------------------------------
    Furthermore, within the cybersecurity discipline we require a 
stronger governance structure. Governance is far from the most exciting 
area in the field of cybersecurity but it is foundational to ensure 
better management of our vulnerabilities against our threats. For this 
to work we must have clearly defined language, write what is meant and 
leave as little room for negotiation as possible. Good governance is 
required for best performance of our National, State, local, and 
industry activities. Good governance supports better integration of 
cybersecurity and information technology architectures, building in the 
security requirements up-front. Good governance supports the adoption 
of risk-management-based decisions, which are only as good as the 
information made available to the decision makers responsible for the 
defense of our interconnected networks, both public and private. 
Executive Order 13587,\3\ Structural Reforms to Improve the Security of 
Classified Networks and the Responsible Sharing and Safeguarding of 
Classified Information, is a good start but it requires more ``teeth'' 
and better communication across all levels, to include our industry 
partners, lest the bureaucracy overrun the implementation.
---------------------------------------------------------------------------
    \3\ Executive Order 13587, Structural Reforms to Improve the 
Security of Classified Networks and the Responsible Sharing and 
Safeguarding of Classified Information, Signed October 7, 2011.
---------------------------------------------------------------------------
    Another, not-too-exciting area, is the emphasis on education, 
training, and awareness (ETA). Education emphasis, not merely on the 
hard technology engineering skills but also on basic critical thinking 
skills, which are all but lost in many technology disciplines. With 
respect to training, as a Nation our standards need to be fully matured 
and established across all sectors. We can make improvements by 
leveraging the private-sector security-based and -focused training 
organizations, which are aware of the threats, vulnerabilities, and 
countermeasures. Basic awareness of the threats posed to all sectors 
and elements of our society is also important. We still have too many 
people who are ignorant of the threats and become caught in phishing, 
spear phishing, social engineering, and other types of data 
manipulation, exploitation, and exfiltration schemes. Again, all 
sectors are important and require some level of targeted awareness 
campaigns. Consider it as operational security against the cyber 
attack. The National Initiative for Cybersecurity Education (NICE)\4\ 
which evolved from the Comprehensive National Cybersecurity Initiative 
was intended to address many of the ETA issues but it has not taken 
root. I fully understand the concept of ``measure twice and cut once'' 
but when we face the threats we do as a Nation, the 85% solution should 
be enough to start. More focus on results and accomplishment, with less 
talking; will better serve this initiative, and our overall 
cybersecurity posture.
---------------------------------------------------------------------------
    \4\ National Initiative for Cybersecurity Education Strategic Plan, 
August 2011.
---------------------------------------------------------------------------
    Finally, we must seek out and leverage, by name when and where 
possible, specific people, tailorable processes, and integratable 
security technology solutions. We must allow the subject matter experts 
to research and propose implementable process and technology solutions 
and then put them in place with minimal delay; bureaucracy is not our 
friend in this arena. Also, we must not be afraid to embrace the hacker 
community, but in order to do so we must leverage a different type of 
recruiter. Our talent recruiters going to this community via to the 
major hacker conferences, also known as ``CONS'', will have little 
success in three-piece suits. They must be people who have the look, 
feel, and knowledge to speak with this community at the social and 
technical levels. This is critical to securing the skill sets and 
knowledge base from a community with a greater knowledge of the 
offensive side of the battle. It's a known fact in sports, combat, and 
security that knowledge of the offensive tactics, techniques, tools, 
and procedures are of utmost importance in further bolstering our 
defensive posture, and in the case of cybersecurity, securing our 
networks.
    There are no easy solutions, and we have been speaking to these 
topics for a number of years, but if we are serious about protecting 
our Nation's interests we must first secure the basics before moving 
onto more advanced methods. Thank you again and I look forward to any 
questions you might have for me.

    Mr. Meehan. Thank you, Mr. Caslow. Thanks to each of the 
panelists. The Chairman will now recognize the other Members 
for questions. The Chairman will recognize Members for 
questions in the order in which they were here today. I now 
recognize myself for 5 minutes of questioning.
    I thank all of the panelists for your compelling testimony 
and I believe as we work together as a panel, will explore a 
number of these areas. I could jump in with anybody, but let me 
begin with you, Mr. Berman, because you were touching on some 
issues that I think are important to develop. First, that was a 
pretty strong statement to say that we have experienced a 
seismic shift in how Iran not only views the United States, but 
its willingness to carry out actions against the United States.
    So I would like to have you tell me how you have come to 
that conclusion, and then where you see our cyber capacity as 
being a likely target. Then if you have a moment, I am 
interested as well in the idea of what we have talked about in 
which, you know, we spent our time with Russia, and China, and 
so worried--this concept that we don't even know what is coming 
from Iran; the use of proxies, which is part of the MO. I think 
I have given you a little bit to jump with, so I would love you 
to just take off.
    Mr. Berman. Well, thank you, sir, that is a little bit of a 
tall order. I am going to try to do my best to address it. The 
question first of the seismic shift. I think it is very clear, 
and I don't know if you recall, but I was a witness before this 
panel last summer looking at Hezbollah activity in the Western 
Hemisphere, and at the time, myself, and a number of the 
panelists that were with me, made the point that Latin America, 
and the Western Hemisphere generally, is seen as a staging 
area, an area of opportunity for the acquisition of funding for 
illicit activity that provide revenue to the Iranian regime.
    Mr. Meehan. I note this testimony was prior to the point 
where we were aware of what happened in Mexico.
    Mr. Berman. Exactly right. What you see--or at least what I 
have seen in the months since has been an evolutionary approach 
that Iran has taken towards how it positions itself, vis-a-vis, 
the U.S. homeland. Previously, it would have been very 
difficult to imagine a scenario where the Iranian regime, in 
any part, would authorize such a brazen attack as it did in 
October--tried to carry out in October 2011. There have been 
many commentaries that have cast aspersions on that account 
with regard to the complexity of the plot, the amateurishness 
of its execution, but the folks that I have spoken to, maintain 
that this was a credible plot. It was one that was, perhaps not 
executed properly, but it is one that signaled intent. That 
intent is, I think, key to this discussion here today. Because 
when you look at the potential for an Iranian cyber attack, you 
have to marry capability and intent. With regard to intent 
specifically, I would argue that Iran has more potentially.
    Mr. Meehan. But you are talking about intent. In fact, 
capability here, that required that they had to penetrate the 
United States physically. Here we are talking about a global 
network which they can access, not only from Iran, but from 
anywhere the world.
    Mr. Berman. I think that is exactly right, and when you 
look at cyber space, as Mr. Cilluffo said, cyber space is, you 
know, it is flat. It has the advantage being sticky. It is a 
field that advantages asymmetric actors. Iran can reach out and 
touch us in the U.S. homeland via cyber space much more easily 
than it could via, say, Latin America. As a result, the 
capabilities are an issue, but the intent, I would argue, is 
more of an issue. Here, Iran has an overabundance, because 
unlike the scenario in our foreign policy that we have with 
China, and with Russia now where conflicts do exist, where we 
have a stable diplomatic relationship, we have a series of 
scenarios that are potentially coming down the pike, a renewed 
diplomatic impasse over Iran's nuclear program as a result of 
the negotiations, new economic sanctions, potentially even a 
military conflict that could trigger an attack on the part of 
the Iranian regime as an asymmetric retaliation.
    Mr. Meehan. Mr. Cilluffo, do you agree that that the United 
States is now the cyber network, as was identified by Mr. 
Leiter, is a traditional terrorist attack target right now?
    Mr. Cilluffo. Unequivocally, when you are looking at Iran, 
and a couple of other points that make cyber space unique. Mr. 
Chairman, you had just asked a question along those lines of 
Mr. Berman. But anonymity, who is behind that clickety-clack of 
the keyboard breaking into your system? Are you dealing with a 
pimply kid, or are you dealing with a foreign intelligence 
service, an organized crime, an economic competitor? You simply 
don't know much of the time at the breach itself. So 
attribution, while we are making progress, smoking guns are 
hard to find in the counterterrorism environment; smoking 
keyboards are that much more difficult. I would also note that 
cyber space is made, I mean, it is made for plausible 
deniability.
    So what we have seen, and the reason I am concerned about 
the Russias and the Chinas is we have seen a sophistication 
level that is very high. But they are in the business right now 
of CNE, computer network exploits to steal secrets. If their 
intent changes, they could just flip the switch and it becomes 
an attack tool. I might note that what we have seen that I 
think is most concerning, and certainly to Mr. Lungren's 
subcommittee is, we have seen adversaries map critical 
infrastructures.
    I don't see what the value of that, the cyber equivalent of 
intelligence preparation in the battlefield. I don't see what 
that intent could be other than to potentially use in a time of 
crisis.
    Mr. Meehan. So there is a lot of presence within the 
network right now. It is just that they haven't flipped the 
switch. Right now it is obtaining information, but they haven't 
turned it in a proactive sense into delivering some kind of an 
attack.
    Mr. Cilluffo. I might note that we tend to look at this 
only through a tech lens. The more sophisticated actors realize 
that it is the convergence of human intelligence, and technical 
intelligence, and that is where we should be worried.
    Mr. Meehan. Well, my time has expired. At this point, I 
would like to open it to questions to the Ranking Member Mr. 
Higgins.
    Mr. Higgins. Thank you, Mr. Chairman. You know, I sense 
from both the substance and the tone of your testimony, there 
is an underlying frustration that perhaps we are not doing as 
much as we need to do in order to defend ourselves against a 
potential threat. So let me start with Mr. Caslow. According to 
the former director of the National Counterterrorism Center, 
Michael Leiter, the United States, he says, can likely defend 
itself against the types of cyber attacks of which Iran is 
capable. Given what you know about the vulnerabilities of both 
the governments, and the private sector cyber infrastructure in 
the United States, do you agree with the former director that 
the United States is capable of handling a cyber threat from 
Iran?
    Mr. Caslow. If I might say, that at the time this statement 
was made, there may have been certain assumptions made as well, 
about the understanding of our networks. The vulnerabilities, 
as technology shifts, vulnerabilities shift. Also, the threat 
vectors shift. I don't say that I disagree with him, but at the 
time he was probably correct. As of today, I would believe that 
it would be less correct, only because, as my colleagues here 
have already mentioned, the capability and intent is important. 
Those feed into the risk equation of what threat is. But the 
other parts of that are equally important. They are not 
weighted of one more important than the other. The other parts 
of that are the big V of vulnerability, the likelihood, or 
probability of those things happening, and ultimately, the 
impact of those occurring.
    My personal viewpoint from the years I have been doing this 
is that we can't consider ourselves looking at one threat 
vector unless we understand our own vulnerabilities. We have to 
know ourselves first and foremost. I do know with certainty 
from speaking with my colleagues across industry and across the 
Government that it is not all boats rising at the same. 
Unfortunately with the interconnection of our networks from the 
TS all the way through that we have the--be careful here--we 
have the known vulnerabilities for a boat that is not as high 
in the water as the others could negatively impact some of the 
higher-level boats, to take that analogy further. Again, I 
frequently use analogies with my colleagues who aren't on the 
technical side, of a house. You have a house, you build your 
structure. You are considered--sir, I am sure you are 
considered with the furniture, or the paint of the color or the 
varnish on the trim, or how the chair rails go in the dining 
room or what type of appliances are inside your home. How often 
do we investigate how deep the footer has been dug. Or is the 
footer the appropriate depth or width, is it maybe the right 
construction material. All these other things are actually 
ultimately more important in many aspects of you having a home 
that will keep you secure and your family secure over the 
lifetime. The United States of America is my home. So I want to 
make sure that we do secure the foundation, the foundation and 
the building materials and everything that goes into that.
    Mr. Higgins. I think the other thing that is often missed 
in terms of counterterrorism is the importance of remaining 
agile. It seems as though, first of all, no technology advances 
more quickly in our society than the technology of killing. 
Every day new weapons of mass destruction are being created to 
kill more people more quickly, and it is a big problem. I just 
think that there is a tendency to think terrorism 10 years ago 
is the same terrorism we have today. What you have is a new 
generation of terrorists that are more aggressive, that are 
more technologically savvy and thus more dangerous to their 
potential targets. As has been stated here, when you consider 
the testimony that was been given several months ago about the 
Hezbollah, which acts as a proxy for Syria, for Venezuela, for 
Iran, having not only a presence in the 20-country region of 
Latin America but also having a presence in American cities. 
Their activities we are told is limited to fund-raising. Well, 
I don't make that distinction. Fund-raising is a component of 
terrorist activity. What are you raising funds to do? It 
doesn't have a beneficial impact on society.
    So I think this is a threat obviously that is very 
important that all of you have emphasized the importance of it, 
and I appreciate your testimony here today. Thank you, I yield 
back.
    Mr. Meehan. Thank you, Mr. Higgins. The Chairman now 
recognizes the Chairman from California, Mr. Lungren.
    Mr. Lungren. Thank you very much. Mr. Berman, only a few 
weeks ago a former director of National Counterterrorism 
Center, Michael Leiter, said or indicated that because of 
strict financial sanctions facing the Iranian regime they might 
target international financial systems in a cyber attack. Would 
you agree that our financial institutions would be a prime 
target for Iran based on motivation?
    Mr. Berman. That is an interesting question, sir, and I 
think I would have from what I know about how Iran is 
weathering the international financial sanctions regime, my 
answer would be ``not yet''. If you look at what Iran is doing, 
the attack that Iran has allegedly carried out against 
financial institutions such as Israel's Banque Poaley, 
signaling Iranian's ability to reach out and touch and affect 
and manipulate these financial institutions. Iran as a result 
of the sanctions that have been levied since the start of the 
year by the Obama administration and more recently by the 
European Union is increasingly dependent on utilizing that 
financial system in places like Venezuela, for example, to 
circumvent, to skirt, to attain another avenue to access 
international markets as these sanctions truly begin to bite. 
As such Iran at least for the moment doesn't have the incentive 
or the motivation to attack in a catastrophic fashion and take 
down financial institutions. Will it later? Perhaps. If there 
is an all-out military conflict over its nuclear program. But 
as of right now I don't think that threat is mature.
    Mr. Lungren. Mr. Cilluffo, I have heard it said that with 
Stuxnet or the public recognition of Stuxnet we have crossed 
the Rubicon; that is, we now have seen expressed in a prime 
example of the ability not only to enter into another's 
computer system or network but to control it in such a way to 
cause physical destruction. Would you say that is a fair 
statement?
    Mr. Cilluffo. Absolutely. I do think it did cross a Rubicon 
and certainly serves as a harbinger of what we are going to be 
looking to in the future. I might note that I personally feel 
it was the right thing to do. Let me suggest though that those 
that may have been hit may not be as discriminate as perhaps 
Stuxnet was to affect centrifuges. I think the same 
vulnerabilities that were exploited through our various systems 
could have catastrophic effect on some of the various critical 
infrastructure in the United States. So I think we need to 
inoculate ourselves from a whole host.
    Mr. Lungren. When we talk about asymmetric warfare it is 
interesting because one way of looking at it is that the 
``underdog'', the small guy, the one that is less powerful has 
an opportunity to do harm to the stronger adversary at lesser 
capital investment, lesser requirement for manpower, et cetera. 
At the same time it seems to me we ought to look at asymmetric 
warfare in the terms of the war on terror; that is, asymmetric 
warfare with the purpose of doing what? Not just destroying 
property but causing psychological damage to the adversary.
    So when we talk about critical infrastructure, one of the 
things that comes to mind with me is our health system is a 
critical infrastructure. If I were to attack the United States 
one of the things it seems to me that would be very effective 
in an asymmetric way would be to attack the health system. If 
you could invade the information systems of several health 
systems of the United States such that no one could depend on 
the accuracy of the information contained therein, someone 
lying on the surgical table and getting the wrong blood type, 
information indicating that you ought not to take certain 
medications and it indicating that you ought to take them. If 
you did that in a series of attacks, you wouldn't have to be 
successful with too many of them to cause a psychological 
damage to the United States.
    So, I would ask both Mr. Cilluffo and Mr. Caslow whether 
that kind--do we need to appreciate that kind of a difference 
in terms of perhaps the target and the impact? As opposed to 
our sense of conventional warfare view of asymmetric warfare, 
if that makes sense.
    Mr. Cilluffo. Chairman Lungren, I think it does make sense. 
I mean cyber has extended and expanded the battlefield to 
incorporate all of society. So what we used to look through in 
a more traditional targeting kind of sense, vis-a-vis the 
military C4ISR now has potential to be against us from a 
critical infrastructure perspective.
    Let me just note though that I feel we have nearly limited 
vulnerabilities, limited resources and let's not forget we have 
a thinking predator and actor that bases their actions on our 
actions. So the best we can really do is get to the point where 
we are managing risk. I very much agree with Mr. Caslow's view, 
let's get to the 80 percent solution and then focus on specific 
actors, because Iran is not China. You have got different sets 
of tools that need to be brought to bear. Russia is not DPRK, 
or North Korea.
    So I feel that one biggest missing element of our strategy 
is we don't have a cyber deterrent strategy. We need to clearly 
articulate one, we need to identify bright red lines in the 
sand or maybe in the silicon more apt and we need to identify 
what is unacceptable. Oh, by the way, we can't firewall our way 
out of this problem. We need to start talking about offensive 
cyber capabilities and capacities.
    Mr. Lungren. Mr. Caslow.
    Mr. Caslow. I fully agree. Your analogy of the health care 
system brings to light a scenario that we tried to scheme out 
where the health care system connected at one point. If I were 
to target a hospital near a major military installation, let's 
take Jacksonville, North Carolina, and maybe I was able to 
target with something like either a Duqu, which they believe to 
be the precursor for Stuxnet, we are not quite sure about yet, 
something that has the ability to attack the SCADA, you tell 
people it is terminator, it really is because now you actually 
have computers telling machines what to do. We have had that 
capability a long time but now we have the adversaries trying 
to use it in different areas, and granted it was a good thing 
it was used against someone who means us well, but the minute 
it is flipped around on us that is a bad thing. They target 
that hospital with the basic generator backup, they take out a 
power grid around that area as well. They are also able to take 
and attack the water system, parts per million of chlorine goes 
up down depending, and again the read-out says it's right 
because that is what Stuxnet does. All of a sudden now we have 
hundreds of thousands people sick in an area where we have 
troops who are deployed overseas. The ultimate end-game here is 
not to make those people sick. The ultimate end-game is to 
terrorize our troops overseas so that our Marines who are 
deployed in combat zones can no longer do their mission because 
they are worried about their children, their wives, their 
grandmothers, whatever, who are now ill back on the home front 
because they are communicating with them and now they know they 
are sick.
    Now that does deplete and impact our ability to carry the 
war out in a physical and kinetic manner overseas. So you are 
right on target, sir, we do have to be worried about that, but 
again we do have to ratchet things down to make sure we do have 
that strong defense, because the tactics, techniques, 
procedures, a strong defense is necessary in sports and 
necessary in the cyber world, but in order to do strong defense 
we have to have the offensive capabilities together as one.
    Mr. Cilluffo. And linebackers in between.
    Mr. Meehan. An appropriate analogy for draft day. The 
Chairman now recognizes the gentlewoman from New York, Ms. 
Clarke.
    Ms. Clarke. Thank you very much, Mr. Chairman. My first 
question goes to Mr. Caslow. There are reverse engineering 
possibilities associated with the downing of U.S. drones in the 
advent of the Stuxnet virus that presents a possibility of 
advanced cyber weaponry being developed in Iran. In your 
opinion, is Iran close to developing the cyber attack 
capabilities that present a threat to U.S. critical 
infrastructure? Do you believe that other countries with 
already well-developed cyber weaponry capabilities are aiding 
Iran?
    Mr. Caslow. Again, ma'am, I am not an Iranian expert, I am 
a pure computer network cybersecurity person.
    Ms. Clarke. Right.
    Mr. Caslow. However, to answer your question as best as I 
possibly can, any number of countries, we will go back to the 
P-3 downing in China, the reverse engineering capability with 
their inability to fully discharge all of the equipment on that 
platform and a number of other areas. Any time that we can get 
someone who has a knowledge base to reverse engineer something 
that could potentially create a threat. Now that threat is 
against a specific targeted area, it could foreseeably do that. 
I would never take away that possibility, but it is the art of 
the probability because there are a lot of technical aspects 
involved with the downing of that Pacific platform as well as 
downing of a lot of other platforms. So not only that, but also 
the back chatter and how organizations station--the state 
actors and non-state actors share data and information. We do 
know this--it was quoted, I guess, the axis of evil and 
previous administration quoted that, used that term. The 
reality is it is beyond an axis, the data streams everywhere, 
the data flows, the internet can go everywhere. I can still go 
to a dark reading room on the internet and download any number 
of very bad, nasty little critters that are out there and then 
use those same critters to attack a network or system. I can 
buy those capabilities, I can download some of them for free.
    So I say, yes. But again this stuff keeps me up at night, 
it doesn't have to keep you up at night.
    Ms. Clarke. Thank you. Let me just sort of put this in 
context because this week the House is considering several 
cybersecurity bills, including the Cybersecurity Intelligence 
Sharing and Protection Act. I believe that none of these bills 
that are being considered will provide the country with a 
comprehensive cybersecurity strategy, vesting cybersecurity 
authority in a single domestic Federal agency and include 
robust privacy protections.
    Given the testimony here today on the cyber threat from 
Iran, what would you recommend as the basis for real 
cybersecurity legislation that addresses these concerns?
    Mr. Caslow. Thank you for asking that, ma'am, I have been 
doing a lot of reading on CISPA, and as I mentioned before in 
my testimony we do have to ensure that we have the governance 
piece in place. That is important. Integration with industry is 
exceptionally important. I do believe I also mentioned the fact 
that we require some level of emphasis on education, training, 
and awareness, which CISPA is lacking in a lot of areas.
    To get away from the privacy aspect, I came from a world 
where it was about the data--the security and the sharing, now 
I am in a world where it is about the privacy and the security. 
So I understand those areas fairly well.
    Putting it all in one person's plate, integrating it, it 
all depends on how it is executed. The old adage goes, the best 
plan in the world poorly executed is not as good as the worst 
plan in the world executed with superiority. So we really need 
to make sure it comes down to the execution. Again as I 
mentioned, we need to specifically state what the intent is. 
What do we need to get across, not allow others to try to 
misarticulate the intent as in some laws and some Executive 
Orders, it gets down to the actual tactical level at the 
implementation and they are going it must have been 10 of this 
and my experience is it is this far away, it is not even close 
to what the intent is. So we need to make sure that that is 
clearly stated. Here is exactly what we need. I know that may 
take longer, I understand that, but I think that is what is 
needed.
    Ms. Clarke. Let me just ask Mr. Berman, over the past 
decade have been proposals within the United Nations and other 
international forums for treaties and convention that would ban 
the development and use of information weapons. Critics counter 
that as a form of cyber arms control and would stifle 
innovation and favor an international norm building approach 
and code of conduct.
    What international internet governance regime would you 
recommend for countering the Iranian cyber threat? Along those 
same lines how are the State Department's global internet 
freedoms initiatives deconflicted with NSA and USCYBERCOM's 
intelligence gathering and warfighting mission?
    Mr. Berman. Well, ma'am, thank you for the question. Since 
it is draft day I may mercilessly punt this over to my 
colleagues. But let me just point out again I am not a 
cybersecurity specialist. I am not in the position to speak 
about that. I can tell you very that parenthetically in my 
understanding of how the cyber community has dealt with the 
Iran threat specifically, not the cyber threat writ large, 
there is a gap in understanding between the operational, what 
Iran may do, and the political and strategic, what Iran is 
likely to do if something happens in the real world. That seems 
to me to be a gap that needs to be closed.
    Beyond that in terms of what rules, what standards need to 
be applied, I would like to turn it over to my colleagues.
    Mr. Cilluffo. Ms. Clarke, thank you for the question. I am 
pretty vocal in terms of my views on this. I would vehemently 
not support a U.N. arms control approach to deal with cyber. If 
you think back to nuclear and it is not a perfect analogy, but 
as Ronald Reagan said, trust but verify. Given some of the 
attribution challenges here and given that the two countries 
advocating this approach, China and Russia, have been known to 
be active in this space, I think we should be very cautious in 
terms of what their intentions are. We are not obviously not 
going to compromise our sources and methods even if we get to 
100 percent verification. So I would push back on some of those 
proposals.
    Now, the flip side is that the Council of Europe has a 
cyber crime treaty. Here I think you have got the behavioral 
level that everyone can agree when you are dealing with child 
predators, you are dealing with child pornography, some of the 
tools that we have used in other confines and environments can 
be brought to bear in this environment, and I think we ought to 
consider some of those, but I have very little confidence in 
the U.N. approach. Quite honestly I feel we need to get more 
proactive in some of our offensive capabilities because we are 
not going to firewall--at least to demonstrate a capability to 
signal that we are serious and we will respond.
    Ms. Clarke. Thank you, Mr. Chairman.
    Mr. Meehan. Thank you, Ms. Clarke. At this point in time 
the Chairman recognizes Mr. Cravvack from Minnesota.
    Mr. Cravaack. Thank you, Mr. Chairman. I appreciate it. 
Being an old Navy helicopter pilot, this is a brand-new 
battlefield, a virtual battlefield if you will. But some of the 
things that can go back to the basics is the best defense is 
probably a good offense.
    So my question would be: How can we not only as a 
Government agency but unleash the private sector as well and be 
able to go proactive on if they receive a cyber attack, how can 
they have a counter offense in identifying where this comes 
from and beat these back. Can you give me a comment on that?
    Mr. Caslow. Is this punt the football again? If I could I 
have actually in my written testimony something along those 
lines.
    Mr. Cravaack. I apologize I was late. I was in another 
meeting.
    Mr. Caslow. No, I didn't actually speak to that part, it 
was just purely written. So I am glad. I wanted to cut my time 
down and make sure I was within the 5-minute window.
    Mr. Cilluffo. Which was amazing by the way.
    Mr. Caslow. Thank you. I tried to get that right.
    Your point is 100 percent correct. We in our community, 
both the Federal and the industrial side, do have to take a 
better effort towards embracing the hacker community. Now there 
is a lot of places I could send you to and hopefully you have 
your firewall set up the right way so you don't take any nasty 
critters out with you. But lots of places that we have to 
leverage those. But in order to leverage those properly we have 
to send in a different type of recruiter. This recruiter cannot 
be looking like us in a 3-piece suit or in a suit and tie, walk 
in there and go, ``Hey, guys, how are you doing? I am from the 
Government, I am from Boeing, let's give you a job.'' No. These 
types have to understand the people, they have to have the 
look, the feel, they have to have the knowledge to speak to 
this community at the social and technical levels. Again I 
emphasize the word ``social'' because they do think 
differently. These people understand the hacker community more 
than anything. This is everything from the 13-year-old kid 
sucking down Mountain Dew and eating Hot Pockets in their 
parents' basement to some of the more astute ones like--I will 
give a name like Dark Tangent who is out there and who is known 
inside the cyber community, but we have to be able to leverage 
those as resources. Many of these people are patriots, I will 
tell you that right now, as was seen when it came to the 
Anonymous attack. A lot of Americans, United States American 
hackers came and said, ``wait a second, you can't do that to 
us, only we can do that to us.'' So we do need to--only my dog, 
only I can kick it, right? But the reality is we need to 
embrace those more.
    So on that side, again you are right about the offensive 
nature of the game. As a former fleet Marine Force Navy 
Corpsman, I have a grunt mentality towards a lot of these 
issues. I believe in warheads on foreheads. That is a great way 
to solve a lot of problems. This way we do have to embrace the 
people who actually are able to pull the trigger. In this case 
those people, acknowledged as the snipers so to speak, are this 
hacker community and some of these others. But again we are not 
going to go in recruiting them looking like this.
    Mr. Cravaack. My Dad was a Navy guy, 3rd Battalion, 3rd 
Marines.
    You know it is so important what you are saying is that at 
the United States Naval Academy now they have major, 
cybersecurity. I mean that is how important that the Government 
is finally getting this. To be honest with you, if you told me 
about cybersecurity 5 years ago I would have said, huh? So I am 
slowly coming around. This is a new virtual battlefield. The 
implications of which are so massive, providing with the right 
attack, that the ramifications are unbelievably massive, 
shutting down grids, you name it.
    Now I look at it from a National security aspect that we 
really have to start focusing on this effort. So I commend you 
for what you are doing. I am schooling myself up quickly on 
jumping on this bandwagon saying that we definitely have to do 
this.
    Now I am very concerned about Iranians. A small force can 
overpower just like you said and overcoming a Nation and that 
concerns me greatly. So the bottom line, I have got 18 seconds, 
but the bottom line is: Do you believe in that philosophy, a 
better offense is probably the best defense?
    Mr. Cilluffo. I wrote that in my testimony. So yes, I 
dissuade----
    Mr. Cravaack. Great minds think alike then.
    Mr. Cilluffo. I also think, not to take away from the Navy 
is fine service, but we need the equivalent of Billy Mitchell 
to work at cyber. We have a lot of tactics masquerading as 
strategy. We have to be confident to be able to take these 
issues in a strategic kind of way, and that includes the 
computer network attack. We need to demonstrate capabilities, 
we need to be visible. What good is having a doomsday weapon if 
no one knows you have it? At the end of the day to me it is 
part of the solution, it is by no means the end-state, we still 
need to build up our defensive capabilities but recognize that 
the attacker has the advantage here, and we need to always be 
in the front edge of this.
    Mr. Cravaack. Thank you, sir. I yield back, Mr. Chairman.
    Mr. Meehan. Thank you. The Chairman recognizes the 
gentlelady, Ms. Richardson.
    Ms. Richardson. Thank you, Mr. Chairman and both of our 
Chairmen for having this hearing today. First of all, I would 
like to ask the question, back in 2008 the CSIS Commission for 
Cybersecurity for the 44th Presidency made 25 recommendations 
for a National cybersecurity strategy. To my knowledge, those 
have not been implemented to this point or at least from a 
legislative perspective. Do you have any thoughts on that or 
where you would suggest that we go first?
    Mr. Caslow. I am glad you mentioned that because I did 
reference CNCI and we do have the inability to pull the 
trigger. In my previous position, and again I do not represent 
those opinions of the Office of Director National Intelligence. 
I am a civilian, make sure I am perfectly clear on that, but in 
a previous edition I did have a lot of discussion on those. 
Unfortunately it was a lot of discussion. Again we are too busy 
about trying to measure twice, cut once versus trying to just 
pull the trigger in an 80 to 85 percent solution. A lot of 
those efforts should be, I believe, my personal opinion, that 
they should be enforced from CNCI, 4, 5, 6, 7, 8, all the way 
through and we should take a better look at those again, bring 
in a group of subject matter experts, find out how we are going 
to get it done, potentially craft the legislation that makes it 
happen, and then fund that activity, because while we have got 
a lot of other battles on our front this is very important. It 
is not just important for us but it is important for our 
children and grandchildren, lest we don't have an 
infrastructure American way of life to share with them later.
    Ms. Richardson. Would either of you other gentlemen like to 
comment on the specifics of the 25 recommendations?
    Mr. Cilluffo. I don't remember all the recommendations, but 
it is fair to say in a sound bite, long on nouns, short on 
verbs. I mean, we have talked a lot about the challenge. It is 
about implementation and execution and I don't want to sound 
overly dramatic, but in 1862 President Lincoln came before 
Congress with further storm clouds on the horizon and claimed 
as our time is anew we must think anew and ultimately act anew. 
We are there now. We know what some of the challenges are. 
There are great pieces of legislation, many others have put 
forward pieces of legislation. Now is the time to actually get 
into that, identify what really needs to be done and pass 
legislation. This can't be done through the private--first, the 
Government has to act to get its own house in order first and 
foremost. Then we have to look at what is the right incentive 
and other approaches to get the private sector in.
    Ms. Richardson. I understand. My question was were there 
any specific points that you wanted to make regarding the 
recommendations in particular that you felt should have more of 
a priority or address?
    Mr. Cilluffo. Act.
    Ms. Richardson. Okay, got it.
    Mr. Caslow. If I could, I'm sorry, but if I could, CNCI 8 
which was the education, training, and awareness which I did 
speak to, that to me is of the utmost importance. Because if we 
are not communicating and training and we are not making sure 
we have the right skill sets in place, all the technology in 
the world doesn't matter for anything.
    Ms. Richardson. My last question for the three of you 
gentlemen, are any of you working with any stakeholder groups 
within the Department of Homeland Security or any other Federal 
agency?
    Mr. Caslow. No, ma'am.
    Ms. Richardson. So you do your work completely from the 
outside? So you are not being sought after to share your 
thoughts and ideas of what should be considered?
    Mr. Berman. Ma'am, not at the moment, no.
    Ms. Richardson. Sir.
    Mr. Cilluffo. I stand where I sit, I am not formally 
involved, but of course we share our ideas with every entity, 
including Congress and the Executive branch.
    Ms. Richardson. No, my question is: Is there a specific 
stakeholder group that you participate in sharing your ideas 
and the information and knowledge that you have?
    Mr. Cilluffo. Not anymore.
    Mr. Caslow. Not since leaving the Government on February 27 
of this year.
    Ms. Richardson. Thank you, gentlemen. I yield back.
    Mr. Meehan. Thank you, Ms. Richardson. The Chairman would 
be delighted to ask Mr. Green and thank him for his attendance 
and his continuing interest in this area and would be delighted 
to accommodate any questions you might have if you do.
    Mr. Green. Thank you, Mr. Chairman, I thank you for 
allowing me to continue to participate. I am an interloper but 
I do have great interest in what is going on. While I cannot 
``Roger'' what my colleague from the Navy said, I would like to 
as a veteran of the ghetto wars ``Right On'' what he said. I 
totally agree. I would like to focus if I may for just a moment 
on the phrase ``we can't firewall our way out of this.'' I do 
understand botnet. I understand Zombie Armies, Trojan horses 
programs, and I have done some reading on Stuxnet, but I would 
hope that you are saying that while we can't firewall our way 
out of it, we can at least use the firewall to get us to that 
80 percent that you are talking about and perhaps maybe more at 
some point in the future because firewalls are an absolute 
necessity in doing whatever we can to prevent this.
    So let me just hear more on this question of how firewalls 
will help us to produce some degree of salvation.
    I would also add this, with reference to the plausible 
deniability, I would like someone to give me a comment on how 
we will at some point have to use as much empirical evidence as 
available to us. I am trying to do as my friend did earlier, 
select my words carefully. I want my diction to be superb 
because as we move closer and closer to having to deal with 
Iran in what may become an unpleasant way, plausible 
deniability cannot become a barrier to acquiring enough 
empirical evidence to act.
    So would you please start with the firewall concept and how 
we have to deal with that and then plausible deniability as a 
means of preventing us from acting.
    Mr. Cilluffo. Sure, and I didn't intend to pick on 
firewalls in particular. It was more meant to suggest that 
defensive measures alone, while important and we need to get to 
that 80 percent solution, in itself you can't expect a 
corporation to defend itself against foreign intelligence 
services, for example, that are going to use a mix of technical 
means, with human means, and an insider. Those are the sorts of 
challenges. Technology, while important, is agnostic but won't 
take us all the way. Ultimately the people connection is 
important and we need to be able to share that information.
    So I did not mean to say don't use your firewall. Please 
use your firewall. But that in itself is not going to take us 
where we need to go. If you think in a counterterrorism 
environment, Homeland Security critical, we needed to work the 
various issues but if we didn't have that pointy end of the 
spear, if we didn't have the days like we had in Abbottabad or 
other sorts of actions, we would never be able to ultimately 
prevail in some of these sorts of challenges.
    So I simply meant to suggest that we need to get, raise the 
bar, raise it high, but recognize that anything above and 
beyond that you can't incent, you can't expect the corporations 
to be able to defend themselves against that. So that was the 
purpose of my point.
    Also to suggest that we need to start investing and 
publicly discussing our offensive capabilities because they are 
there.
    In terms of plausible deniability, that just makes one of 
the challenges in terms of the attacks we are seeing. If I were 
to suggest one technical area to invest in, attribution, 
attribution, attribution.
    Mr. Green. Yes, sir.
    Mr. Berman. Sir, if I may jump in quickly, again I am not a 
cybersecurity specialist but to sort of to revert back to the 
topic of the hearing, I think what is interesting is something 
that Mr. Cilluffo alluded to in one of his answers, which is a 
cyber deterrent strategy, a strategy that marries concepts of 
deterrence with the idea that if someone reaches out and 
touches us it wouldn't be good for them, it wouldn't be healthy 
for them.
    I would point out that over the last 8, 9 years as the 
international community has grappled with the Iranian issue we 
have had an abject lack of a deterrent strategy for dealing 
with Iran in terms of nuclear acquisition, in terms of its 
actions asymmetrically in places like Iraq and Afghanistan, and 
I would argue that we are now facing an area also that is 
crying out for the need for a more robust deterrent strategy so 
the Iranian regime understands very clearly that there are red 
lines that if they cross in the cyber realm would rebound to 
their profound detriment.
    Mr. Caslow. If I could, too, the concept of firewalls, 
let's go to the technical side of this now, unfortunately you 
can say you have a firewall. When he said we can't firewall our 
way out of this, I understood exactly what he meant. A firewall 
is only good as how you establish the firewall. Me, I believe 
we should put across the main solutions all over the place 
because they are much more active. A firewall is a passive 
mechanism and if not established appropriately and properly, 
then you can say you have a firewall but I will tell you right 
now more than likely if you had a home network I will hack you, 
I will get you. If I can't get you, someone else will, 
especially if you are not maintaining your firewall and 
ensuring the right security controls are in place the right 
way.
    So it is not only the technologies which you speak of but 
it is also the implementation of those technologies to ensure 
they are properly implemented and secured in accordance with 
the standards that we have to put in place. So again they are 
only as good as you use them. Just like a gun, it is only as 
good as the person shooting it, right?
    Mr. Green. Thank you, Mr. Chairman. I am over my time. 
Thank you and I yield back.
    Mr. Meehan. Thank you, Mr. Green, and for your presence 
here. I know that the panel is ready to conclude, but I am 
going use my prerogative as the Chairman to ask one follow-up 
which is you have both--all three of you at separate times have 
developed this concept of an offensive not just capability but 
I am also interpreting if I am getting it correctly as the 
utilization of some kind of offensive action in this 
environment. I certainly recall the days of assured mutual 
deterrence with the nuclear threat, but of course we never 
really used a nuclear weapon. So what is the predicate that 
would allow us to in a country like ours where we are hesitant 
to deliver some kind of an aggressive offensive action unless 
and until we believe we have been attacked? So how do we--would 
you develop this concept of offense in this world where the 
conclusion seems to be we are not going to be able to 
exclusively simply defend ourselves from the consistent probes 
that may turn into an actual attack from Iran or China or 
Russia. What is offense?
    Mr. Cilluffo. Mr. Chairman, that is an excellent set of 
points, and I think before we lean too forward in this 
direction we do need to have the tough doctrinal sets of 
questions. We have a lot of strategy, we have a lot of tactics, 
but there is nothing pulling these pieces together. In the 
midst of that you also need to clearly define rules of 
engagement, which have not been done thus far. But I might 
suggest there are ways to demonstrate capability, such as 
nuclear tests, short of actually delivering such a capability 
through various platforms on a particular actor.
    I might also note that we do need to start thinking of the 
homeland implications. I mean, one of the challenges with cyber 
weapons, you use them, you use them once, they can be used 
against you. A, you can reverse-engineer it and use it against 
you; B, you are compromising your golden bullet potentially 
that you may want to use when you really need it. So ultimately 
we have got to start embedding computer network attack and 
cyber thinking into traditional National security and military 
thinking. Right now we treat it a bit as a black art, ooh, ah. 
At the end of the day if we start discussing it as we do every 
other platform system and TTP that can be deployed, then it 
takes some of that out and we are going to want to play to our 
strengths, because ultimately the greatest threat is not cyber 
unique, it is cyber as a force multiplier to kinetic or 
whatever else it may be. That is also what we need to be 
worried about defensively in terms of higher-end actors.
    My whole point is if we don't create these bright lines in 
the silicon or in the sand, there is nothing to dissuade, 
deter, or compel people from engaging in the space. We need to 
start finding the critical infrastructures. If people are 
mapping that there should be consequences. What other reason 
could they use to map that other than to potentially use that 
as part of a broader attack plan? To me that is where the line 
needs to be crossed. In the exploit business, we are all in the 
exploit business, so that is a little more difficult, but once 
it starts going to some of these critical infrastructures we 
need to be thinking about that.
    I might also note your committee I think has an obligation 
and the responsibility to be involved in these discussions 
because there are homeland implications if we start moving 
proactively that we need to be ready for defensively. Before we 
engage in certain military activities, I want to make sure our 
homeland is protected from some of those.
    So these are tough questions, cuts across all committee 
structure, all Executive branch, and truth is we don't have the 
doctrine right now. We need to start developing it and I would 
argue discussing it, because right now we are kind of in the 
worst of both places.
    The Office of Director of National Intelligence, the 
National Counterintelligence Executive, NCIX, recently came out 
naming names, calling out Russia and China, stealing billions 
and tens of billions of dollars of our intellectual property. 
Now we are saying: They are doing it, what is the disincentive 
for them to continue doing that? What would an Iran interpret 
if they see we say it is happening and we are not doing much to 
visibly defend ourselves. So I think we need to start having 
these conversations.
    Mr. Berman. Sir, one parenthetical point, sort of going 
back to the topic of the hearing, I think it is important and 
both of my colleagues alluded to it as part of their remarks, 
is that not all threat actors are created equal. In this 
context, specifically in the Iranian context, politics matter. 
In fact they matter a lot. In order for us to have a predictive 
cyber strategy that marries defense and offense, that includes 
deterrence, we have to not only think about the operational 
capabilities of these threat actors but also what is happening 
in the real world that might incentivize them to act whereas 
others would not. I think whether you look at, specifically 
thinking about the military, when you look the at the 
Pentagon's recent work on developing something resembling a 
cybersecurity blueprint, they have been grappling with 
precisely this question: At what point do you draw a red line 
that would activate sort of a cascading series of events that 
might end up in a real military conflict? This may be a 
peripheral issue or a conceptual issue for dealing with Russia 
or China, at least at the moment, it may be a much more actual 
one with regard to Iran because of what is going on in the real 
world.
    Mr. Caslow. Sir, if I might add to that, let's go to the 
establishment of U.S. Cyber Command, darn good idea, great 
function. DIRNSA, its great leader, I have much respect for the 
man. Unfortunately, there is one bad aspect of that, something 
called posse comitatus. The U.S. military cannot exert their 
arm over domestic United States. Right? We all know this, this 
is the law, that is the way it is. The Department of Homeland 
Security has that purview. Homeland Security and NSA as U.S. 
Cyber Command have integrated in some aspects, but that is a 
relationship integration, it is not a formal integration. To my 
knowledge there is no area where this thing has been crossed. 
While we can do all we can to defend the National security 
systems, both unclassified all the way to the TS/SCI, the fact 
still remains it is our partners who are outside of those 
realms that are sitting on the regular networks, our friends of 
Boeing, Lockheed, wherever all this intellectual property is 
being stolen from, Microsoft, Google, you name it, they are 
just as at risk. There is no way for Cyber Command to exert 
their force and what their ideas are to help that other than 
the fact that if the Google SISO, Information Security Officer, 
goes to NSA and says: Hey, we would like your input on this, 
how do you recommend we do it? But there is no massive, as my 
colleagues stated, this strategy, this deterrent strategy could 
articulate some of these things and put those in place so we 
could show these relationships. We could make sure we put 
things out, that we enforce these to make sure.
    Again we can protect the U.S. Government's infrastructures. 
I have no doubt about that. However, they are going to get us 
somewhere else. They are going to get us on the back side, they 
are going to get us on our weak spot. You don't--you attack the 
bear from the belly, you don't attack it from the teeth, and 
that is what is going to happen. So I would encourage the look 
at, and not too long of a dialogue, as in some cases have 
occurred, but the look at and the discussion with subject 
matter experts in all relevant arenas, not just the Government 
personnel and CEO and SISOs of these companies, to get together 
to try to dialogue and discuss how to do it. Again not just one 
vector, we need to address all the potential vectors. Because 
it very well may come from another side that we are not 
looking. We are treating against termites and all of a sudden 
it is those darn little fire ants from Florida that gets us 
instead. Oh, what do we do now? So we need to ensure that we do 
take precautious action to ensure that we address as many as 
possible. In order to do that we have to dialogue, we have to 
put it in writing, put it down, tap it down, and to discuss it. 
Then we start moving the flag. Once we put the flag in the 
sand, then we can start moving it around to somewhere we all 
can agree on and then we take action.
    Mr. Meehan. Your testimony has been compelling. I thank you 
not only for your presence here today and the work you have 
done but for your continuing work of each of you in this 
critically important area. I think I speak for all of my 
colleagues on both sides of the aisle by virtue of the 
attention that we are trying to pay into this issue too that we 
value and gain a great deal from your perspective and look 
forward to working with you in the midst of what is a very real 
and a very genuine, not just challenge, but threat to the 
safety and security of the United States and its interests.
    Thank you so much. I thank the witness for their testimony 
and the Members for their questions. The Members might have 
some follow-up additional questions and if they do and they 
forward those, I will ask if you could be responsive within the 
10 days.
    So without objection, the committee stands adjourned. Thank 
you.
    [Whereupon, at 11:45 a.m., the subcommittees were 
adjourned.]


                            A P P E N D I X

                              ----------                              

    Questions From Chairman Michael T. McCaul for Frank J. Cilluffo
    Question 1a. Although Iran is the world's largest state sponsor of 
terrorism, it is difficult to fully assess Iran's ability to carry out 
attacks on-line. However, over the last 5 years it has become 
increasingly clear that Iran's cyber capabilities are becoming more 
sophisticated and rank among the best in the world.
    How likely is it that Iran's leaders would collaborate and/or fund 
their developing cyber capabilities with foreign states like North 
Korea that are antagonistic to the United States, or pass on offensive 
cyber capabilities to terrorist proxies like Hezbollah?
    Answer. Those countries that have the United States in their cross-
hairs--including Iran, Cuba, North Korea, and Venezuela--and their 
proxies (notably Hezbollah, in the case of Iran) are assuredly of 
concern in the cyber context. However, there is a need to think 
differently about cyber, instead of simply invoking traditional frames 
of reference for military cooperation. Models for joint or combined 
defense planning and cooperation must be adjusted to the cyber context. 
Where cyber is concerned, tools and techniques, exploits, lessons 
learned, reconnaissance results, and information on targets and 
vulnerabilities may be (and are) shared frequently between and among 
states and groups--but that does not necessarily signal formal 
sanctioned cooperation. Nevertheless, this type of informal 
collaboration, particularly among parties whose posture is antagonistic 
to the United States, is an issue of significant concern.
    By contrast, formal cooperation in the stricter sense of the term 
is a less likely prospect. Indeed, there are several reasons that Iran 
may not seek that type of cooperation to develop their cyber 
capabilities jointly with other states hostile to the United States. 
Perhaps the most compelling is that there is little need to do so 
because there is a convenient alternative: The equivalent of a cyber 
arms bazaar already exists. Many individuals and organizations stand 
ready to rent or sell sophisticated cyber attack capabilities, 
including bots that could be used to steal information or shut down key 
elements of physical infrastructure. Moreover, the type of 
collaboration proposed would require a level of trust between the state 
parties that would seem difficult to achieve, if not unattainable. (The 
most sensitive information is unlikely to be shared though sharing in 
more general terms is likely, as outlined above). Keep in mind that 
each party could potentially turn the capabilities in question on or 
against the other. Further, neither party could prevent the other's use 
of the capabilities against a third entity, and once used the value of 
the weapon drops or may even evaporate, as targets will be able to 
craft defenses. The significance of each of these potential hurdles 
should not be underestimated.
    Sharing capabilities with proxies like Hezbollah is an even more 
likely scenario. The exchange could also run in both directions, as 
Hezbollah has shown itself to be an innovative organization, and 
because cyber capabilities are of special interest to sub-state actors, 
since these tools can help level the playing field. In June 2011, 
Hezbollah established the Cyber Hezbollah organization; and Hezbollah 
is deftly exploiting social media tools such as Facebook to gain 
intelligence and information. It is worth underscoring that Iran has a 
long history of demonstrated readiness to employ proxies for terrorist 
purposes, drawing on kinetic means. There is little, if any, reason to 
think that Iran would hesitate to engage proxies to conduct cyber 
strikes against perceived adversaries.
    Question 1b. A hacker group identified as the Iranian Cyber Army 
(ICA) has received credit for a number of hacking incidents over the 
last few years. According to reports, the Iranian Cyber Army has used 
social engineering techniques to obtain control over internet domains 
and disrupt the political opposition in Iran.
    What is the command-and-control relationship between the Iranian 
Revolutionary Guards Corps and this Iranian Cyber Army?
    How does the Iranian Cyber Army fund, train, and recruit hackers?
    Answer. Certainly there is a desire, as manifested in attempts 
referenced and seen in recent reporting and trends, to assert a degree 
of centralization. However Iran is not monolithic. Command-and-control 
there is somewhat murky, even within the Iranian Revolutionary Guard 
Corps (IRGC), let alone what is outsourced. The attribution challenge 
associated with cyberspace--a domain made for plausible deniability--is 
therefore all the more complicated where Iran is concerned. Yet, 
elements of the IRGC have openly sought to pull hackers into the fold; 
and the Basij, who are paid to do cyber work on behalf of the regime, 
provide much of the manpower for Iran's cyber operations. There is 
evidence that at the heart of IRGC cyber efforts one will find the 
Iranian political/criminal hacker group Ashiyane. The high visibility 
of attacks seen to date (including the Iranian Cyber Army's strike 
against Twitter, the Chinese search engine Baidu, and websites managed 
by the opposition Green Movement) suggests that the Iranian Cyber Army 
and similar groups might be used as proxies by the IRGC. Though fluid, 
hacker groups are being cultivated and guided, if not always directly 
controlled, by the IRGC.
    Question 2a. The Iranian government recently held a conference in 
Tehran announcing the creation of the Iranian Cyber Defense Center 
within their military forces. The head of Iran's Passive Defense 
Organization, Brigadier General Gholam Reza Jalali, indicated that the 
new center may be responsible not only for defensive cybersecurity, but 
also for offensive cyber attacks.
    How likely is it that this center will begin to coalesce the 
various hacking groups (such as the ICA) into a single entity 
controlled by the IRGC? What are the known priorities of the new 
Iranian Cyber Defense Center and how are they developing their cyber 
workforce?
    Answer. As outlined in my prepared remarks, we have seen efforts on 
the part of elements of the IRGC to pull hackers into the fold to do 
work on behalf of the Iranian regime. The likelihood of these expedient 
partnerships coalescing into a (single) cohesive, coherent, and 
effective unit is questionable, however, particularly if Iran's history 
offers any guide to the country's future.
    Open source reporting on the Iranian Cyber Defense Center is quite 
scant. Stated priorities include countering threats (of cyber attack), 
training, ``controlling access to computer networks and establishing 
cyber defense centers in institutions.''\1\ Workforce development in 
the cyber domain could prove challenging for Iranian authorities. 
Monetary inducements have proved useful for enlisting the skills of the 
Basij, but the supply of talent within the country may well have 
important limits. The young, clever, creative people that truly thrive 
in this domain may, on balance, not be sympathetic to the regime or its 
aims. This problem is exacerbated by the fact that Iran simply does not 
have the numbers (population base and potential recruitment pool) that 
say, China does.
---------------------------------------------------------------------------
    \1\ http://forum.internet-haganah.com/showthread.php?399-The-woods-
are-lovely-dark-and-deep and http://www.mehrnews.com/en/
newsdetail.aspx?NewsID=1472234.
---------------------------------------------------------------------------
    Question 2b. Iran's leaders have made concerted efforts to develop 
friendships with other foreign leaders antagonistic to the United 
States. What is the likelihood that foreign countries such as Cuba, 
Venezuela, North Korea, and others, might collaborate with Iran in 
developing cyber warfare capabilities?
    Answer. Cuba, Venezuela, and North Korea undoubtedly constitute a 
troika of concern. As detailed above in my reply to Question 1, 
however, there are several reasons that Iran may not seek to formally 
develop their cyber capabilities jointly with other states antagonistic 
to the United States--but friendships between and among these parties 
could increase the likelihood of cooperation or coordination, designed 
to execute attack(s). As detailed in my written testimony, press 
reports have alleged ``that Iranian and Venezuelan diplomats in Mexico 
were involved in planned cyber attacks against U.S. targets, including 
nuclear power plants.'' U.S. officials are investigating, but media 
reports have indicated that the hackers who briefed the Iranian and 
Venezuelan diplomats on the planned attacks ``sought support and 
funding from the diplomats,'' who in turn pledged ``to pass information 
to their governments.'' Iran has also shown itself to be ready and 
willing to partner with non-state entities on kinetic plots, such as 
the recently thwarted one to assassinate Saudi Arabia's ambassador the 
United States, drawing on the assistance of a Mexican drug cartel. 
Given this history, it would not be a stretch for Iran to collaborate 
with other parties hostile to the United States, whether state or non-
state entities, with the intent of causing harm to the United States. 
Even a limited goal, meaning an attack intended to inflict harm short 
of defeat of the United States, could still have serious repercussions. 
For example, a cyber attack (or worse, multiple cyber attacks) executed 
against U.S. targets at the same time as one or more of our adversaries 
make a move in the physical world, such as a push to seize key land or 
shipping lanes, could slow or complicate U.S. response so that we are 
unable to marshal our power fully and effectively. The result could be 
``a fait accompli'' in the adversary's favor.
    The ability to achieve synergy between the physical and cyber 
dimensions, and to embed that capability into political/military 
strategic planning, would take Iran to the next level. Moving forward, 
therefore, the United States should pay special attention to discerning 
and appreciating developments in this area.
       Questions From Chairman Michael T. McCaul for Ilan Berman
    Question 1a. Although Iran is the world's largest state sponsor of 
terrorism, it is difficult to fully assess Iran's ability to carry out 
attacks on-line. However, over the last 5 years it has become 
increasingly clear that Iran's cyber capabilities are becoming more 
sophisticated and rank among the best in the world.
    How likely is it that Iran's leaders would collaborate and/or fund 
their developing cyber capabilities with foreign states like North 
Korea that are antagonistic to the United States, or pass on offensive 
cyber capabilities to terrorist proxies like Hezbollah?
    Answer. The full extent of Iranian capabilities is, by its nature, 
difficult to ascertain. So, too, is the question of whether the Islamic 
Republic is currently actively collaborating with foreign partners on 
the development of its cyber potential. However, it is worth noting 
that Iran has in the past worked with countries such as North Korea on 
a number of strategic programs (to include nuclear testing and the 
development of ballistic missiles). As well, Iran's efforts to isolate 
its population from the world wide web are consonant with China's 
attempts to limit access to internet content on the part of its 
citizenry. As such, at least some degree of cooperation in the cyber 
arena can be expected to be taking place between Iran and its strategic 
partners.
    Similarly, Iran is the chief sponsor of Hezbollah, and has aided 
the Lebanese militia in its armament, its political activities, and its 
expansion beyond the Middle East. Iranian assistance to Hezbollah in 
the development of cyber capabilities thus cannot be ruled out, 
although little is as yet known about Hezbollah's cyber warfare 
potential.
    Question 1b. A hacker group identified as the Iranian Cyber Army 
(ICA) has received credit for a number of hacking incidents over the 
last few years. According to reports, the Iranian Cyber Army has used 
social engineering techniques to obtain control over internet domains 
and disrupt the political opposition in Iran.
    What is the command-and-control relationship between the Iranian 
Revolutionary Guards Corps and this Iranian Cyber Army?
    How does the Iranian Cyber Army fund, train, and recruit hackers?
    Answer. The command-and-control relationship between the Iranian 
Cyber Army (ICA) and the IRGC is not presently clear. Formally, the ICA 
has depicted itself at least in part as a self-organizing group--akin 
to patriotic ``hacktivists'' present in places such as China. However, 
the ICA's operations closely mirror regime objectives, and its targets 
are overwhelmingly those out of favor with the Iranian regime, 
suggesting tacit official sanction and possibly direction.
    I do not have knowledge about the methods with which the ICA 
carries out its training or recruitment. With regard to funding, 
however, the connections with official regime entities (such as the 
IRGC) suggests that at least a portion of the ICA's funding is derived 
from governmental sources.
    Question 2a. The Iranian government recently held a conference in 
Tehran announcing the creation of the Iranian Cyber Defense Center 
within their military forces. The head of Iran's Passive Defense 
Organization, Brigadier General Gholam Reza Jalali, indicated that the 
new center may be responsible not only for defensive cybersecurity, but 
also for offensive cyber attacks.
    How likely is it that this center will begin to coalesce the 
various hacking groups (such as the ICA) into a single entity 
controlled by the IRGC? What are the known priorities of the new 
Iranian Cyber Defense Center and how are they developing their cyber 
workforce?
    Answer. Such organization is a real possibility. To the extent that 
the Iranian regime would see benefit to uniting various hacker groups 
and exerting even greater control over their activities, a 
``consortium'' may be the logical end-result. Such a grouping would, by 
its nature, lend itself most closely to the activities and direction of 
the IRGC.
    Question 2b. Iran's leaders have made concerted efforts to develop 
friendships with other foreign leaders antagonistic to the United 
States. What is the likelihood that foreign countries such as Cuba, 
Venezuela, North Korea, and others, might collaborate with Iran in 
developing cyber warfare capabilities?
    Answer. Such collusion is already taking place, at least on a low 
level. A documentary by the Spanish-language television channel 
Univision late last year exposed efforts by the former Venezuelan 
consul to Miami, Livia Antonieta Acosta Noguera, to recruit hackers for 
attacks on U.S. targets--an initiative that was carried out at least 
partly with Iranian assistance. The incident suggests that Iran's 
efforts to find common cause with anti-American regimes (including in 
the Americas) extend to the cyber realm--and that Tehran and its allies 
are actively contemplating cyber attacks on targets within the U.S. 
homeland.
       Questions From Chairman Michael T. McCaul for Roger Caslow
    Question 1a. Although Iran is the world's largest state sponsor of 
terrorism, it is difficult to fully assess Iran's ability to carry out 
attacks on-line. However, over the last 5 years it has become 
increasingly clear that Iran's cyber capabilities are becoming more 
sophisticated and rank among the best in the world.
    How likely is it that Iran's leaders would collaborate and/or fund 
their developing cyber capabilities with foreign states like North 
Korea that are antagonistic to the United States, or pass on offensive 
cyber capabilities to terrorist proxies like Hezbollah?
    Question 1b. A hacker group identified as the Iranian Cyber Army 
(ICA) has received credit for a number of hacking incidents over the 
last few years. According to reports, the Iranian Cyber Army has used 
social engineering techniques to obtain control over internet domains 
and disrupt the political opposition in Iran.
    What is the command-and-control relationship between the Iranian 
Revolutionary Guards Corps and this Iranian Cyber Army?
    How does the Iranian Cyber Army fund, train, and recruit hackers?
    Answer. The likelihood of the nation-states collaborating could be 
measured by the current analysis available through the intelligence 
community assessments on proliferation. While most counter-
proliferation has been focused on CBRNE efforts this could be used as a 
gauge for overall technology transfer. With respect to the non-state 
actors such as Hezbollah, the best litmus for this may reside in HUMINT 
reporting. Computer network attack capabilities are for the most part 
known, within one circle or another. To gain a better understanding of 
these I would highly recommend that further discussions, behind closed 
doors, be had with organizations such as the Open Information Security 
Foundation.
    I have no unclassified knowledge of the command-and-control, 
funding, training, or recruiting for the Iranian Cyber Army.
    I wish that I could be of more assistance but given that I still 
maintain a TS/SCI I am reluctant to discuss any of these issues via 
this media.
    Question 2a. The Iranian government recently held a conference in 
Tehran announcing the creation of the Iranian Cyber Defense Center 
within their military forces. The head of Iran's Passive Defense 
Organization, Brigadier General Gholam Reza Jalali, indicated that the 
new center may be responsible not only for defensive cybersecurity, but 
also for offensive cyber attacks.
    How likely is it that this center will begin to coalesce the 
various hacking groups (such as the ICA) into a single entity 
controlled by the IRGC? What are the known priorities of the new 
Iranian Cyber Defense Center and how are they developing their cyber 
workforce?
    Question 2b. Iran's leaders have made concerted efforts to develop 
friendships with other foreign leaders antagonistic to the United 
States. What is the likelihood that foreign countries such as Cuba, 
Venezuela, North Korea, and others, might collaborate with Iran in 
developing cyber warfare capabilities?
    Answer. Response was not received at the time of publication.

                                 
