[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
IT SUPPLY CHAIN SECURITY: REVIEW OF GOVERNMENT AND INDUSTRY EFFORTS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
MARCH 27, 2012
__________
Serial No. 112-131
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
77-892 PDF WASHINGTON : 2013
-----------------------------------------------------------------------
COMMITTEE ON ENERGY AND COMMERCE

FRED UPTON, Michigan, Chairman
JOE BARTON, Texas, Chairman Emeritus
CLIFF STEARNS, Florida
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
MARY BONO MACK, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina, Vice Chairman
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
BRIAN P. BILBRAY, California
CHARLES F. BASS, New Hampshire
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

HENRY A. WAXMAN, California, Ranking Member
JOHN D. DINGELL, Michigan, Chairman Emeritus
EDWARD J. MARKEY, Massachusetts
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
CHARLES A. GONZALEZ, Texas
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
_____
Subcommittee on Oversight and Investigations

CLIFF STEARNS, Florida, Chairman
LEE TERRY, Nebraska
SUE WILKINS MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
BRIAN P. BILBRAY, California
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
CORY GARDNER, Colorado
H. MORGAN GRIFFITH, Virginia
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

DIANA DeGETTE, Colorado, Ranking Member
JANICE D. SCHAKOWSKY, Illinois
MIKE ROSS, Arkansas
KATHY CASTOR, Florida
EDWARD J. MARKEY, Massachusetts
GENE GREEN, Texas
CHARLES A. GONZALEZ, Texas
DONNA M. CHRISTENSEN, Virgin Islands
JOHN D. DINGELL, Michigan
HENRY A. WAXMAN, California (ex officio)
C O N T E N T S
----------
Page
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement.................................. 1
Prepared statement........................................... 4
Hon. Diana DeGette, a Representative in Congress from the State
of Colorado, opening statement................................. 6
Hon. Tim Murphy, a Representative in Congress from the
Commonwealth of Pennsylvania, opening statement................ 7
Witnesses
Gregory C. Wilshusen, Director of Information Security Issues,
Government Accountability Office............................... 9
Prepared statement........................................... 11
Mitchell Komaroff, Director, Trusted Mission Systems and
Networks, Department of Defense................................ 24
Prepared statement........................................... 26
Gil Vega, Associate Chief Information Officer for Cybersecurity
and Chief Information Security Officer, Department of Energy... 39
Prepared statement........................................... 41
Insert for the record........................................ 60
Lawrence Castro, Managing Director, The Chertoff Group........... 64
Prepared statement........................................... 66
Dave Lounsbury, Chief Technology Officer, The Open Group......... 71
Prepared statement........................................... 73
Submitted Material
Report, dated March 2012, ``IT Supply Chain: National Security-
Related Agencies Need to Better Address Risks,'' Government
Accountability Office, submitted by Mr. Stearns \1\............
----------
\1\ The report is available at http://www.gao.gov/products/GAO-
12-361.
IT SUPPLY CHAIN SECURITY: REVIEW OF GOVERNMENT AND INDUSTRY EFFORTS
----------
TUESDAY, MARCH 27, 2012
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:04 a.m., in
room 2123, Rayburn House Office Building, Hon. Cliff Stearns
(chairman of the subcommittee) presiding.
Present: Representatives Stearns, Terry, Myrick, Murphy,
Bilbray, Gingrey, Scalise, Griffith, Barton, DeGette, and
Green.
Staff Present: Carl Anderson, Counsel, Oversight; Sean
Bonyun, Deputy Communications Director; Karen Christian, Deputy
Chief Counsel, Oversight; Andy Duberstein, Deputy Press
Secretary; Andrew Powaleny, Deputy Press Secretary; Krista
Rosenthall, Counsel to Chairman Emeritus; Alan Slobodin, Deputy
Chief Counsel, Oversight; Lyn Walker, Coordinator, Admin/Human
Resources; Alex Yergin, Legislative Clerk; Alvin Banks,
Democratic Investigator; Tiffany Benjamin, Democratic
Investigative Counsel; and Brian Cohen, Democratic
Investigations Staff Director and Senior Policy Advisor.
Mr. Stearns. Good morning, everybody. I call to order this
subcommittee's third hearing on cybersecurity.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
With the growing reliance on the global economy for our
goods and services, we are faced with the challenge that
ensuring the security of those items has become even more
difficult. As the global economy grows, so does the complexity
of the global supply chain. The U.S. Government is increasingly
reliant on commercially available products for information
technology, IT services, and components. This reliance forces
the U.S. Government to depend on the trustworthiness of the
global commercial supply chain. Cyber or state-sponsored actors
are capable of secretly inserting malicious code into both
hardware and software during the manufacture of those items.
Let me give you some specific examples:
In July 2010, Dell announced that some of its PowerEdge
motherboards contain malicious spyware that gathered
information about a victim's Internet browsing habits and
collected personally identifiable information.
During a security conference in May 2010, IBM gave
complimentary USB drives to attendees that contained two kinds
of malware, including a keylogger program.
In March 2010, the Spanish cell phone company Vodafone
released a new version of a popular smartphone infected with a
version of the Butterfly botnet in addition to other malicious
software.
These, my colleagues, and many other instances of supply
chain poisoning are capable of causing damage to, allowing a
cyber criminal unauthorized access to, or allowing the
exfiltration of sensitive or personally identifiable
information from a victim's computer system.
Now, last week, the Government Accounting Office released a
report examining the risk and threats to the supply chains of
both commercial and Federal IT systems. The GAO studied four
agencies involved in national security: Department of Defense,
Energy, Homeland Security, and Justice and their ability to
assess the risk to their own IT supply chains and the steps
they have taken to mitigate them. We are joined by the GAO
today to discuss their findings and recommendations.
While DOD and DOE and DHS and Justice each participated in
interagency efforts to address supply chain security, some of
these agencies had been more progressive than others in
addressing IT supply chain security risks. In particular, I was
troubled to find that the GAO concluded that the Department of
Energy had not--had not developed clear policy that defined
what security measures it needed to protect against supply
chain threats. Clearly defined security measures with
comprehensive implementing procedures are necessary and vital
to the protection of Federal IT.
One additional comment about the report, as a whole, is
that there appears to be no integrated response amongst the
Federal IT enterprise to address supply chain risks. Agencies
are left to their own devices to address this risky and complex
threat. I find this very troubling.
Today, we will hear testimony from two panels of witnesses.
On our first panel, we are joined by Mr. Gregory Wilshusen,
Director of Information Security Issues at GAO and his staff
who assisted in drafting this report. We are also joined by
representatives of two agencies who are the subject of the
report, Mr. Mitchell Komaroff, Director of the Trusted Mission
Systems and Network at the Department of Defense, and Mr. Gil
Vega, Associate CIO for Security and Chief Information Security
Officer at the Department of Energy.
I look forward to their testimony and getting a much better
understanding of the work they do to ensure the integrity of
their agency's IT supply chain.
I also want to welcome our second panel of witnesses who
will provide us with an overview of the private-sector approach
to identifying IT supply chain risk and using industry's best
practices to mitigate them.
We are joined by Mr. Larry Castro, Managing Director at the
Chertoff Group and former National Security Agency Central
Security Services representative to the U.S. Department of
Homeland Security. Also joining us is Dave Lounsbury, Chief
Technological Officer at The Open Group and International IT
Standards Board.
We welcome all of the second panel, also.
As I mentioned previously, this is the subcommittee's third
hearing in this Congress on cybersecurity. The purpose of this
hearing in particular is to understand the threats and
vulnerabilities to Federal IT supply chains and how best to
ensure their integrity. I have enjoyed working with the ranking
member on this matter and the minority in particular and look
forward to our continuing cooperation on cybersecurity issues;
and I yield to the distinguished ranking member, Ms. DeGette
from Colorado.
[The report is available at http://www.gao.gov/products/
GAO-12-361.]
[The prepared statement of Mr. Stearns follows:]
OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF COLORADO
Ms. DeGette. Thank you very much, Mr. Chairman. I also
appreciate the work that you have done on this issue and
working with the minority.
Ensuring the integrity of our information technology supply
chain is critical to protecting our Federal systems against
terrorists, counterfeiters, hackers, and other enemies. In
1997, the Government Accountability Office made government-wide
information security part of its biannual high-risk series.
Since then, the government, like the private sector, has become
more and more technology dependent and more and more reliant on
private-sector hardware and software.
Just to think of one example, think about how the census
worked 2 years ago. What used to be collected versus pad and
paper is now collected and transmitted electronically.
And with every new technology our Nation's infrastructure
becomes more exposed to new threats and vulnerabilities. As
more components are manufactured outside of this country, our
technology systems become more vulnerable to infiltration by
our foreign enemies. A few malicious lines of software code,
cleverly hidden in a larger program, counterfeit hardware or
software, and even malicious or unqualified service providers
all present risk to the technology that drives our supply
chain.
In January of this year, President Obama launched the
National Strategy for Global Supply Chain Security. I commend
the President for taking supply chain issues seriously, but we
as Congress also have an important role to play in ensuring the
security and safety of these systems.
Last month, as the chairman mentioned, this subcommittee
held a hearing on cybersecurity threats to our electric grid.
During that hearing, I asked our witnesses about the potential
risk to the supply chain associated with devices connected to
the grid. Richard Campbell, testifying on behalf of the
Congressional Research Service, agreed if the wrong people were
able to get improper access to these devices, they could do any
number of dangerous things, including implanting a software bug
in a smart meter's firmware and control its functions and the
functions of the devices attached to it. A meter could be set,
for example, to control the thermostat for a room containing
servers, and a hacker could increase the temperature to destroy
the servers.
We know that counterfeit circuitry can cause critical
devices or systems to malfunction. Logic bombs can be inserted
into devices. These are systems that will lie dormant until a
device engages in a certain activity, at which point they can
overtake the device and any system associated with it.
Our Federal Government, including the military, and the
Department of Homeland Security is heavily reliant on the
private sector to provide these devices and to vet them to
ensure they are safe and secure. GAO's findings suggest that
some of the agencies like the Department of Defense are on the
right track to safeguarding their information systems from
external threats, but other agencies, like the Department of
Energy, still need to define supply line chain protection
measures and develop implementing procedures and monitoring
capabilities.
However, this isn't just an issue for Federal agencies.
Private companies also struggle to develop plans to prevent and
respond to supply chain disruptions. That is why I am pleased
to have the second panel here today to talk about how the
private sector is addressing these issues. I look forward to
learning about the threats and vulnerabilities they see in the
hardware and the software systems companies purchase and sell
and also what private companies are doing to ensure the
products they provide to their customers are protected.
In the cybersecurity context, we know that companies are
not required to report these threats and vulnerabilities to the
Federal Government, and we are aware that in certain instances
companies have chosen not to do so, leaving Federal agencies in
the dark about how widespread a problem is or whether it has
been resolved. We need to hold everybody accountable for
ensuring that our supply chain is safe, and that starts with
ensuring that those who build and sell key supply chain
hardware and software components are properly safeguarding
their devices from threats.
We must find ways to ensure that U.S. suppliers are
responsible for the security of their foreign-made devices and
systems. We must make sure that manufacturers are reporting
threats, vulnerabilities, and cyber attacks quickly so that the
government and the private sector can take appropriate actions.
And, finally, we must make sure that the Federal Government is
carefully vetting the information technology products they
purchase.
Mr. Chairman, I look forward to hearing from both of the
panels about what work we can do to ensure our Federal
technologies are as secure as possible; and I yield back the
balance of my time.
Mr. Stearns. Thank you, gentlelady; and I recognize Mr.
Murphy. The gentleman from Pennsylvania is recognized for an
opening statement.
OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA
Mr. Murphy. Yes, thank you, Mr. Chairman.
On December 11, 1941, despite some warnings of what was to
come and despite seeing clear planes flying towards Pearl
Harbor, we slept. As the Korean war started, an intelligence
lapse also meant that South Korea was overwhelmed. And when the
Marine barracks in Lebanon were bombed, it occurred in the
midst of dozens, perhaps hundreds of warnings that something
was about to occur. We are now facing similar threats in the
area of cybersecurity, and it is important that we do not sleep
as this dawn is upon us.
When we look at a measure of cybersecurity, such things as
resilience, an ability to send out an alert, defending against
an attack, being able to launch a counterattack and recover
from an attack, unfortunately, many of the sectors that we know
of, in agriculture and food, military, transportation, health,
finance, banking, telecommunication, and energy, are all
woefully inadequate in how they can act.
Our country is at war with an enemy we cannot see, but the
battle has the potential to inflict an incalculable amount of
damage on our economy, our national defense, and families. A
looming terrorist attack may not come in the form of a hijacked
plane hitting a building but from a terrorist cell lurking
inside of our computers at work and at home, ready to strike
our banks or energy grid and other sectors.
Cyber terrorists and hackers are not just unaffiliated
rogue actors. They are highly trained special operations agents
being employed by foreign countries.
These startling developments and how the cyber war is
evolving were revealed to me this past summer when I sat on a
special cybersecurity task force formed by Speaker Boehner.
These threats from abroad can manifest themselves in mysterious
ways. Consider the potential weaknesses in our national
security when the Marine Corps, Air Force, Federal Aviation
Administration, and Federal Bureau of Investigation purchased
counterfeit Cisco products that originated in China. Or that
Beijing's military apparatus is tightening its rein over the
country's technology sector, when we realize the People's
Liberation Army has formed IT workers into so-called cyber
militias within thousands of companies across China.
The threat of foreign nations waging cyber warfare against
the United States is so real that the Defense Department is
raising red flags about Huawei Technologies, the world's
largest manufacturer of computer hardware, acquiring Symantec,
a security company whose software is installed on computers at
homes, business, and Federal agencies across the country.
We have to make sure that we are on alert for all levels of
cybersecurity and following the IT purchasing line all the way
through as well as monitoring software and people's access to
our computers. This threat is very real, and it is very active
in our country and around the world. Failure to act means, once
again, at dawn we sleep.
And with that I yield back.
Mr. Stearns. The gentleman yields back.
I don't see anyone on the minority side, so we will go
right to the first panel.
As you know, the testimony that you are about to give is
subject to Title 18, Section 1001 of the United States Code.
When holding an investigative hearing, this committee has a
practice of taking testimony under oath. Do you have any
objection to testifying under oath?
Panel. No.
Mr. Stearns. The chair then advises you that under the
rules of the House and rules of the committee you are entitled
to be advised by counsel. Do you desire to be advised by
counsel during your testimony today?
Panel. No.
Mr. Stearns. In that case, will you please rise and raise
your right hand, and I will swear you in.
[Witnesses sworn.]
Mr. Stearns. We now welcome each of you to give your 5-
minute summary of your written statement. Start with you.
STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION
SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; MITCHELL
KOMAROFF, DIRECTOR, TRUSTED MISSION SYSTEMS AND NETWORKS,
DEPARTMENT OF DEFENSE; AND GIL VEGA, ASSOCIATE CHIEF
INFORMATION OFFICER FOR CYBERSECURITY AND CHIEF INFORMATION
SECURITY OFFICER, DEPARTMENT OF ENERGY
STATEMENT OF GREGORY WILSHUSEN
Mr. Wilshusen. Chairman Stearns, Ranking Member DeGette,
and members of the subcommittee, thank you for the opportunity
to testify at today's hearing on IT supply chain security.
Mr. Stearns. I think you have to--do you have the mic on?
Mr. Wilshusen. Yes, I do.
Mr. Stearns. Just move it a little closer. That would be
good.
Ms. DeGette. You need to put it close.
Mr. Wilshusen. OK.
Thank you for the opportunity to testify at today's hearing
on IT supply chain security.
IT systems and the products and services that support them
are essential to the operations of the Federal Government.
These products and services are created and delivered through a
complex global supply chain that involves a multitude of
organizations, individuals, activities, and resources.
My testimony today summarizes the contents of our recently
issued report on IT supply chain risks and the extent to which
the Departments of Energy, Homeland Security, Justice, and
Defense have addressed these risks. But if I may first, Mr.
Chairman, recognize some members of my team whose dedication
and professionalism were instrumental to the development of
this report.
And this is Mike Gilmore.
Mr. Stearns. What is Mike Gilmore's title? Can you give the
title?
Mr. Wilshusen. He is an assistant director for IT.
Mr. Stearns. OK.
Mr. Wilshusen. R.J. Hagerman, who is an analyst, and Kush
Malhotra, who is also the analyst in charge for our engagement.
Mr. Stearns. Thank you.
Mr. Wilshusen. In addition, there are two members who are
not here, Brad Becker and Lee McCracken, who are back in their
offices, who also played a key role.
Mr. Chairman, the exploitation of IT products and services
through the supply chain is an emerging threat. IT supply
chain-related threats can be introduced in the manufacturing,
assembly, and distribution of hardware, software, and services.
These threats include the insertion of harmful or malicious
software and hardware, installation of counterfeit items,
disruption in the production or distribution of critical
products, reliance on unqualified or malicious service
providers, and installation of software and hardware containing
unintentional vulnerabilities.
These threats can be exercised by exploiting
vulnerabilities that could exist at multiple points in the
supply chain. Examples of such vulnerabilities include
acquiring products or parts from unauthorized distributors,
using insecure transportation, storage, or delivery mechanisms,
and installing hardware and software without sufficiently
inspecting or testing them.
These threats and vulnerabilities can potentially lead to a
range of harmful effects, including allowing attackers to take
control of systems or decreasing the availability of critical
materials needed to develop or operate systems.
The Departments of Energy, Homeland Security, Justice, and
Defense varied in the extent to which they have addressed
supply chain risks. Each of the four agencies participated in
one or more interagency efforts to address supply chain
security, such as developing technical and policy tools,
collaborating with the intelligence community, and
participating in the Comprehensive National Cybersecurity
Initiative on supply chain risk management. These efforts are
key to understanding and addressing global supply chain risk.
However, with respect to establishing supply chain
protection measures for their internal departmental systems,
three of the agencies had not fully addressed Federal
guidelines. These guidelines recommend that agencies, for their
high-impact systems, define supply chain-related protection
measures, develop procedures for implementing them, and monitor
their effectiveness.
However, Energy and Homeland Security had not yet taken
these steps; and while Justice has defined supply chain
protection measures, including a foreign ownership, control,
and influence review, it had not yet developed implementing
procedures or monitoring capabilities.
The Department of Defense, on the other hand, has made
greater progress. It has defined policies, requires program
protection plans, issued a key practices and implementation
guide, conducted pilot programs, and implemented a monitoring
mechanism to determine the status and effectiveness of its
supply chain protection pilots.
In our recently issued report, we recommended that the
Departments of Energy, Homeland Security, and Justice take
steps as needed to develop and document policies, procedures,
and monitoring capabilities that address IT supply chain risk
to their internal systems. The departments generally agreed
with our recommendations.
In summary, Mr. Chairman, the global IT supply chain
introduces risk that, if realized, could jeopardize the
confidentiality, integrity, and availability of Federal
information systems and adversely impact an agency's
operations, assets, and employees. This risk highlights the
importance for Federal agencies to take appropriate actions to
develop, document, and implement the policies, procedures, and
controls necessary to cost-effectively manage the associated
risk.
Mr. Chairman, Ms. DeGette, this concludes my statement. I
would be happy to answer any questions at the appropriate time.
[The prepared statement of Mr. Wilshusen follows:]
Mr. Stearns. I thank you.
Mr. Komaroff, you are welcome. Opening statement.
STATEMENT OF MITCHELL KOMAROFF
Mr. Komaroff. Good morning, Mr. Chairman and distinguished
members of the subcommittee. Thank you for this opportunity to
testify regarding the efforts of the Department of Defense
pertaining to supply chain risk management.
My name is Mitchell Komaroff, and I am the Director of
Trusted Mission Systems and Networks within the office of the
DOD Chief Information Officer. I provided a written statement
for the record but would like to give you a brief overview of
the globalization challenge facing the Department and to
highlight----
Ms. DeGette. Can you move your microphone a little closer?
Mr. Komaroff [continuing]. To highlight key elements of our
strategy for managing the risks presented by it.
The Department relies heavily on custom and commercial off-
the-shelf software, integrated circuits, computers,
communication equipment, and other ICT, information
communications technology, to stay on the cutting edge of
technology development and to fulfill mission-critical
operations. With increasing frequency, the Department and its
commercial supplier base rely on foreign companies to produce
the most advanced technology solutions.
Although the globalization of the ICT sector has
accelerated the pace of technical innovation, it has raised
national security concerns. Through the increased globalization
of the ICT supply chain, adversaries have more opportunities to
introduce malicious code into the supply chain and to gain
access or disrupt military systems. To address this challenge,
DOD is implementing its trusted defense system strategy to
improve the way we engineer and acquire systems and to reduce
an adversary's ability to disrupt national security missions.
For years, the Department has worked to better understand
and manage the risk that DOD hardware and software may contain
malicious code. We were first confronted with this problem in
connection with the supply of trusted application-specific
integrated circuits which we addressed through the Trusted
Foundry program in 2003.
The Department's strategy for achieving trustworthy systems
in the face of supply chain risk contains the following core
elements: one, prioritizing scarce resources based on mission
criticality; two, planning for comprehensive program protection
by identifying critical components and protecting them from
supply chain risk informed by all-source intelligence; three,
improving our ability to detect and respond to vulnerabilities
in programmable logic elements; and, four, partnering with
industry.
I want to briefly highlight the importance of
prioritization of our strategy. The difficulty of mounting and
defending against supply chain exploitation focuses supply
chain risk management on sensitive mission-critical systems.
Accordingly, DOD policy levies additional supply chain risk
management processes and practices on national security
systems.
Supply chain risk management represents a sea change in the
acquisition process. It requires new institutional
relationships between the acquisition and intelligence
community and the application of operational security to the
processes that historically we have sought to make transparent.
It also requires engineering and test and evaluation
capabilities that are still the subject of ongoing research.
Recognizing that these challenges would take time to implement,
former Deputy Secretary Lynn directed an incremental
implementation of supply chain risk management beginning with
pilots in fiscal years 2009 and 2010, and requiring full
operational capability by fiscal year 2016 for all national
security systems.
DOD is currently incorporating lessons learned during the
piloting phase into permanent policy and practice. First, the
Defense Intelligence Agency mission to support DOD acquisition
with a supply chain threat analysis has been made permanent in
DOD policy. To date, the Defense Intelligence Agency has
performed approximately 520 analyses for DOD acquisition
programs.
Other key tenets have been institutionalized as well, such
as directing that programs integrate criticality analysis, use
of supply chain threat information, supply chain risk
management key practices, and hardware and software assurance
into program protection.
DOD actively collaborates with industry on supply chain
risk. One of our key goals is to facilitate the development of
commercial global sourcing standards. DOD has been
collaborating with 20 other government and industry
organizations towards the development of standards under the
umbrella of ISO, the International Organization for
Standardization. DOD is also actively engaged in The Open
Group's Trusted Technology Forum.
Within DOD, we have made a significant start to
institutionalizing supply chain risk management but still have
a long way to go. Our key objective for fiscal year 2012 is
fully incorporating these concepts into information assurance
and acquisition policies and expanding these new processes from
the military departments to defense agencies. DOD has
collaborated on these issues within our agency regarding
proposed policies and best practices, such as the NIST
interagency report and the Committee on National Security
Systems Directive 505, both entitled Supply Chain Risk
Management.
In conclusion, mitigating risk to U.S. Government missions
arising out of the global supply chain from information and
communications technology is vital to our national security.
The Department looks forward to continuing the collaboration
with our interagency and industry partners to manage this risk.
Thank you for the opportunity, and I look forward to
answering any questions you may have.
[The prepared statement of Mr. Komaroff follows:]
Mr. Stearns. Thank you very much.
Mr. Vega.
STATEMENT OF GIL VEGA
Mr. Vega. Good morning, Chairman Stearns, Ranking Member
DeGette, and members of the subcommittee. My name is Gil Vega,
and I am the Associate Chief Information Officer for
Cybersecurity at the Department of Energy. I also serve as the
Department's Chief Information Security Officer. Thank you for
this opportunity to testify today on the GAO report that is the
subject of today's hearing.
The Department of Energy appreciates the work performed by
the GAO to identify opportunities to improve mission
effectiveness by reducing IT supply chain risks. DOE shares
GAO's concerns for these risks, which not only impact our
missions but those of all Federal agencies and the private
sector.
DOE actively supports the goals outlined in the
administration's recently released National Strategy for Global
Supply Chain Security, and by leveraging the exceptional talent
of the people in DOE we are committed to addressing these
challenges.
It is clear that supply chain, including IT supply chain,
vulnerabilities threaten the missions of DOE and other
agencies. As the Department's Chief Information Security
Officer, I am briefed daily on the active and persistent nature
of threats directed at DOE. One of my primary roles is to
evaluate these threats to our unique full-spectrum mission from
open science to energy research, to nuclear security, and
establish effective agency-wide programs to mitigate the
associated risks in a cost-effective manner.
In my short time at DOE, I have been privileged to work
with cybersecurity leaders in our National Laboratories and
with interagency partners who are committed to addressing this
national-level challenge by partnering and sharing information
and best practices with each other. Aligned with the
Secretary's goals related to energy, economic, and national
security, we are leveraging the expertise of our National
Laboratories to develop processes and technology to effectively
secure DOE's IT assets and to protect the Nation's critical
infrastructure.
To address cybersecurity threats, you must first build
sound foundational components and by recognizing that no single
organization can eliminate all risk. Recently, DOE has been
successful in developing and delivering several key
foundational elements to properly address the broader
cybersecurity threats that we face while strengthening our
ability to meet the wide range of mission goals.
For example, DOE has developed and is implementing an
agency-wide NIST-based risk management approach that raises
corporate threat analysis and risk decision-making to senior
management levels of DOE and serves as a corporate foundation
for managing our mission and investments with acceptable levels
of risk.
DOE is also implementing the Joint Cybersecurity
Coordination Center, which is delivering a new cybersecurity
ecosystem based on consolidated monitoring and reporting,
information sharing and analysis, and coordinated incident
response capabilities across the Department. This is critical
to the effective monitoring of mitigation strategies meant to
address advanced cyber threats.
As I previously stated, DOE recognizes the value and timing
of the GAO review and concurs with GAO's recommendations.
Specifically, we are already addressing these in a coordinated
manner as follows: by actively participating in the national-
level policy discussions on supply chain risk management; by
developing a supply chain cybersecurity strategy and policy
that will foster DOE's interagency relationships and support
the unified approach described in the administration's
strategy; by developing a plan to implement the requirements of
the recently released Committee on National Security Systems
Directive 505; by working closely with the National
Counterintelligence Executive and the broader national
intelligence and national security communities to stay abreast
of and counter new and growing threats to the Nation's IT
infrastructure; and, finally, by partnering with both DHS and
DOD, industrial control system manufacturers, and energy-
critical infrastructure operators to identify and mitigate
risks to industrial control systems.
We must also recognize the importance of the role played by
DOE's National Laboratories, which have been at the forefront
of identifying and mitigating vulnerabilities in the supply
chain. DOE's National Laboratories have developed and are
actively involved in improving capabilities in software and
hardware assurance to mitigate risks, particularly to our
national security systems and to the safety, security, and
reliability of the Nation's nuclear weapons stockpile. DOE
works closely with other agencies on these emerging
capabilities.
In conclusion, we believe that GAO understands the national
challenge that IT supply chain risks pose to all Federal
agencies as well as to the private sector and believe further
congressional support for a nationally coordinated response is
required.
Again, DOE strongly supports the goals of the President's
strategy, which seeks to align Federal activities across the
United States Government, including in our partnerships with
industry. DOE believes that this unified approach is the right
approach and that policies and standards to address IT supply
chain risk management must be coordinated at the national
level.
Thank you for this opportunity to discuss the report's
findings.
Mr. Chairman, this concludes my statement, and I look
forward to answering all of your questions.
[The prepared statement of Mr. Vega follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Stearns. Thank you, Mr. Vega.
Let me just open up with just sort of a general statement
when we are talking about IT supply chain. And this is a
question for each of you. Would you think that the biggest
emerging threat to the government and consumers is this IT
supply chain? Just yes or no.
Mr. Wilshusen. No.
Mr. Stearns. No, OK.
Mr. Komaroff? Yes or no?
Mr. Komaroff. For some systems, yes.
Mr. Stearns. Mr. Vega?
Mr. Vega. I would say no.
Mr. Stearns. No, OK.
And when you talk about supply chain, I just want to define
it. Are we talking about smartphones, computers, TPS devices,
smart grid devices? Have I missed out anyone of the list I gave
you?
Mr. Wilshusen. It could be any--the whole--the whole slew.
Mr. Stearns. A panoply of many devices.
Mr. Wilshusen. So there are additional types of devices and
components of those devices, to include servers----
Mr. Stearns. Of the four I mentioned, you think there could
be more.
Mr. Wilshusen. Yes.
Mr. Stearns. OK, and--I am just trying to get a general,
what we are talking about, if I can.
Mr. Komaroff. Yes, sir. So----
Mr. Stearns. More than those four devices we could be
looking at.
Mr. Komaroff. Yes, there is a huge number.
Mr. Stearns. OK, huge number. Can you give me maybe an
ancillary one that we haven't thought about?
Mr. Komaroff. Well, there are just dozens, and dozens of
varieties of integrated circuits that----
Mr. Stearns. Oh, OK.
Mr. Komaroff [continuing]. Some systems integrators go out
into the commercial marketplace to acquire.
Mr. Stearns. OK, Mr. Vega?
Mr. Vega. I am not sure if I heard you say, but the
underlying telecommunications infrastructure is another one
that we are concerned about.
Mr. Stearns. OK. Mr. Wilshusen, this question is for you.
You have identified risk to unprotected systems including
malicious code on hardware and software, counterfeit hardware
or software, reliance upon malicious or unqualified service
provider. What do you see as the two greatest threats to our IT
supply chain?
Mr. Wilshusen. I would say first, one would be the
introduction or insertion of malicious code to hardware and
software and also, presently, counterfeits. Counterfeit items
have been on the increase, and certainly they can have a
debilitating effect on systems that are currently in operation.
Mr. Stearns. Can you give the committee a list of specific
examples?
Mr. Wilshusen. Sure.
Mr. Stearns. Examples of threats, I mean.
Mr. Wilshusen. Well, threats and also incidents, if you
will. You know, there is--back in 2010, the Department of
Commerce issued a report that identified, did a survey of
companies that participated in the DIB, Defense Industrial
Base; and of the 387 companies that participated in the survey,
39 percent of them encountered counterfeit electronics during a
4-year period. And what's more, the number of incidents of
those counterfeit items increased 140 percent over the 4-year
period, from about 3,800 items in 2005 to over 9,000 in 2008.
Mr. Stearns. All right. Mr. Komaroff, yesterday the GAO
released a different report on counterfeit military parts
manufactured overseas showing the prevalence of counterfeit
parts in the DOD's Internet purchasing system. Has the work you
have done led to a similar conclusion?
Mr. Komaroff. Yes, sir. So I don't want to speak to the
exact conclusions contained in that report, but within the
report that we submitted to the Congress in 2010 in response to
the 2009 Defense Authorization Act, the report entitled Trusted
Defense Systems where we outlined our strategy, we did
identify, you know, risks during the sustainment and, in
particular, counterfeits as a strategic gap in our strategies.
And since that time immediately began working it within the
Department and then more recently in collaboration with the
intellectual property coordinator. And policy has been issued
within the Department identifying the Assistant Secretary for
Supply Chain Integration as the lead for the Department on
counterfeit issues, and the Department is pressing forward to
work those issues.
Mr. Stearns. What is the common specific threat to DOD
supply chain that you have identified?
Mr. Komaroff. The common threat, sir?
Mr. Stearns. What is the most common threat to the
Department of Defense's supply chain?
Mr. Komaroff. The most common occurring threat, presumably,
would be in the realm of the counterfeit issue because of its
prevalence. Again, that is a different--typically, a different
sort of threat actor and is more of a threat to the
effectiveness of reliability engineering than the kind of
threat that would be presented, for instance, with a--you know,
an attempt by a foreign intelligence service to insinuate
itself into a national security system of great importance.
Mr. Stearns. Mr. Vega, can you specifically give me actual
cyber attacks or threats to the Department of Energy's systems
because of vulnerability? Can you give any specific examples?
Mr. Vega. If I could----
Mr. Stearns. Or are you aware of any cybersecurity threats,
attacks to the Department of Energy? You don't have to get into
detail, but, I mean, are you aware of any specific threats?
Mr. Vega. Absolutely, and I would say, Chairman, that our
number one concern at the Department of Energy are the
coordinated efforts by some adversaries whose capabilities in
the arena of computer hacking are world class. We have all read
about these advanced persistent threats. We have had experience
at the Department of Energy with incidents involving these
threat actors, and that continues to be a major area of concern
for us.
Mr. Stearns. All right, my time is expired. The gentlelady
from Colorado.
Ms. DeGette. Thank you very much, Mr. Chairman.
I am glad to see again Mr. Wilshusen. When you were last
here, you talked about cybersecurity risks for the electric
grid, and we talked then about the risk of cyber attacks on the
electric grid supply chain. So now I am happy to have you back
to talk about the threats and vulnerabilities in the IT supply
chains.
What are the key IT supply chain threats to Federal
agencies?
Mr. Wilshusen. Well, we would say that it would include the
insertion of malicious or harmful software and hardware into
the environment. The installation of counterfeit items
certainly would be key to that and also any potential
disruption in the production or distribution of these key
items. Certainly, that would also have a role in the key
threat.
And also I would finally say, too, in terms of the
installation of software, hardware that contains unintentional
vulnerabilities, and these would be, for example, like design
flaws in the equipment or software defects and coding defects
into the software.
Ms. DeGette. That could be taking advantage.
Mr. Wilshusen. Yes. And indeed we often find that such
defects are indeed taken advantage of once the software is in
fact placed into operation at agencies.
Ms. DeGette. And do you think most of the threats come
through commercial items that are purchased by the Federal
Government?
Mr. Wilshusen. Yes, in some form or manner.
Ms. DeGette. So why then are the Federal agencies relying
so heavily on these commercial components? Are there incentives
in place for them to purchase these commercial items versus
developing IT products in-house?
Mr. Wilshusen. Certainly. And I think it is the
administration's policy to take full advantage of those
commercial off-the-shelf products, both from cost savings as
well as the functionality that they provide. It always gets
back to kind of a risk management decision on whether or not we
should use commercial products or potentially develop inside.
Ms. DeGette. And, in fact, there is an OMB circular that
encourages agencies to purchase the off-the-shelf items
wherever possible, is that correct?
Mr. Wilshusen. That's correct.
Ms. DeGette. Mr. Komaroff, you are nodding your head yes,
too.
Mr. Komaroff. As I understand the matter, it has been a
long-term Federal policy for so many years.
Ms. DeGette. It is not just new under this administration.
Mr. Komaroff. That's correct.
Ms. DeGette. It has been in place for a long time.
And even independent of the statutory incentives, is it
even conceivable that Federal Government agencies would rely on
noncommercial IT components for the majority of the source, Mr.
Wilshusen?
Mr. Wilshusen. For the majority of its equipment?
Ms. DeGette. Right.
Mr. Wilshusen. Probably not, but there certainly would be
instances, they may want to do something in a trusted
environment in terms of developing a system or components of
systems, particularly for those that have a great deal of
sensitivity and criticality to potential----
Ms. DeGette. So we are talking today about addressing the
IT supply chain threats, and that is important, but we
shouldn't forget that these threats impact more than the
Department of Defense and the Department of Energy. It is fair
to say, isn't it, Mr. Wilshusen, that the threat you just
described can also impact private-sector commercial purchasers
of IT products, correct?
Mr. Wilshusen. Absolutely.
Ms. DeGette. And the issue of commercial impact is
important, too, because much of our critical infrastructure,
like the electric grid, for example, is run by private
companies, and that is a network of private and public. So as
the systems become more interoperable the repercussions of one
single flawed component piece becomes more powerful, is that
right?
Mr. Wilshusen. I would agree.
Ms. DeGette. So not all companies have the ability to
closely vet IT supply chain threats to the product components
they purchase, do they?
Mr. Wilshusen. No.
Ms. DeGette. And let me just give you an example. If there
is a small business who is a contractor and they have one or
two employees, they might not be able to make sure that the
software they purchase isn't counterfeit or hasn't been
infected with some kind of malware, is that right?
Mr. Wilshusen. That is very likely.
Ms. DeGette. So can you give us some advice about what the
right balance is here? You know, the Federal Government can't
always ensure the security of every single purchase by even
every single one of their contractors or their subcontractors.
So what is the best way for us to use Federal resources to try
to, as best we can, achieve the goal of a secure supply chain?
Mr. Wilshusen. Well, I think there are a couple of things.
First of all, the Federal agencies and under the Comprehensive
National Cybersecurity Initiative, which is led by DHS and DOD,
and they have developed a working group to look at different
activities, threat assessment tools, and other best practices
that could potentially be used to assess and to try to mitigate
the risk associated with supply chain. And certainly, to the
extent--I should say a key focus of that initiative is to
partner with the private sector. And certainly the private
sector is a key part of the whole IT supply chain. And working
with the private sector and using some of the tools developed
by these agencies could be of benefit to others.
Ms. DeGette. Thank you very much.
Thank you, Mr. Chairman.
Mr. Stearns. Mrs. Myrick is recognized for 5 minutes.
Mrs. Myrick. Thank you, Mr. Chairman.
I appreciate you all being here, and I appreciate your GAO
report. It is an issue I have been spending a lot of time on
lately. I am especially concerned about foreign, state-owned
governments and militaries who are providing equipment, trying
to get a foothold into this area. China is the main one that I
have spent time on.
And my concern is twofold. One, of course, with our
government agencies, and I agree that the working groups are
doing a much better job of trying to look over the whole
spectrum of what is needed within the government.
But going back to the question of the private sector and
how we relate, because a lot of what we buy we buy from the
private sector as well, and they maybe don't know that they are
either buying a piece of equipment or a router or something
that is not good. Do we--I know we work with them, but how are
we looking at, across the industry, is there anything else that
you think we can do relative to putting more certainty into the
fact that they know what they are doing and what they are
providing to us?
That is one question.
Mr. Wilshusen. OK, I would say certainly, you know, with
the interagency working groups that are looking at this, and
indeed the administration just came out in January with its
National Strategy for Global Supply Chain Security, and one of
the focuses of that particular strategy is to work with the
private sector and State and local governments as well----
Mrs. Myrick. Right.
Mr. Wilshusen [continuing]. And other stakeholders to look
across the entire spectrum in looking at the threats, the
vulnerabilities, getting a better awareness of those, and then
to work collaboratively and develop the tools and techniques
try to mitigate that. So that certainly is a goal of this
strategy.
One of the things that we noted in looking at this
strategy, however, is that it seems to focus on the movement of
goods and services from point A to point B----
Mrs. Myrick. Right.
Mr. Wilshusen. --to point C and not really address the
manufacture or the assembly and integration of those products
and components into supply--or into full systems. And that's
something that should probably be--something that we just
notice in looking at it.
Mrs. Myrick. Well, part of that also is price. Because
everybody is looking at price today, and they want to buy
cheap. And the foreign governments or the foreign militaries or
the people who are part of these companies are literally
dropping their price so low that our companies can't compete
with them, and so people will buy it just because it is
cheaper. And we see that over and over and over again. And it
is very frightening to me, because we are at such high risk
from the things that they can do to us.
And so, you know, I just encourage all of you, I know you
do it every day, but anything that you can do, you know, to
look at this and your supply chain of what you buy and how you
work with the private sector to help them, I would sure
appreciate. Because it is not going to get better. It is going
to get worse. The ways that they are trying to get equipment
into here are frightening to me.
So I yield back, Mr. Chairman.
Mr. Stearns. Mr. Scalise is recognized for 5 minutes.
Mr. Scalise. Thank you, Mr. Chairman. I appreciate you
having this, and I appreciate the panelists who are here with
us on the GAO report on supply chain.
I apologize if this was already brought up. Mr. Vega, on
the Department of Energy, there were some issues that they had
brought up. I think they--you know, on DOD, they had a pretty
good assessment there, but on DOE they had raised some issues.
And, you know, especially when you look at some of the
sensitive nature of some of the things that the Department of
Energy has and, of course, management of our nuclear weapons
stockpile, among other things. If you could just kind of give
me your take on the issues that were brought up in that GAO
report.
Mr. Vega. Sure. I thank you for the question.
I think the report brings up some very good
recommendations, and I think there is some room at the
Department of Energy to be more explicit about the policy
relating to supply chain risk management and also about the
processes and also the controls to the systems to monitor the
implementation of those processes.
But I will tell you that the Department of Energy is very
active in delivering some very foundational elements that are
associated with detecting, mitigating, and responding to many
different types of threats targeted at the Department of
Energy. We have many threats that we are concerned about.
Supply chain risk management is certainly one of those. You
heard me talk about the organized attackers that target
government agencies. There is also trusted insiders that we are
focused on detecting and responding to, a whole litany of
different threats are pointed at not only to the Department of
Energy but other Cabinet agencies as well.
Our focus on supply chain, however, is in the broader sense
related to the risk-management approach that the Department of
Energy is embarking upon. Recently, in the past year, the
Department of Energy has implemented this new risk-management
approach which is mission-focused and allows--and directs those
business owners to direct limited resources at the things that
are most important to the mission and the most sensitive--the
most sensitive data.
My office has issued architectural frameworks that actually
direct these business and system owners to account for supply
chain risk management as part of their overall risk-assessment
process.
Mr. Scalise. In the last year, have you all had any
reported incidents--and I open this up to everybody--you know,
what kinds of things that have happened and, you know, have
you--we hear in the private sector all the time a lot of high-
profile examples of systems that were violated, breaches that
occurred; and, in some cases, we have identified back to
specific countries where this is happening, you know.
Have you had any of those experiences as you encounter some
of the things that are happening, in some cases possibly
government-led, by foreign governments? Do you all talk to the
State Department, you know, to try to get--to get some of those
problems addressed at the State level where we know there's
some foreign countries that are trying to break into our
systems, both government and private sector?
Mr. Vega. Without getting into too many specifics, the
Department of Energy has experienced recent events that have
been widely publicized in the past year at some of our National
Laboratories. Without speaking directly to the nation-state
implications of those events, I will tell you that the
Department of Energy is engaged at the interagency level with
the White House on a government-wide response to these advanced
threats, and I would be more than happy to talk to you more in
a closed session about what some of those discussions entail.
Mr. Scalise. Sure. Mr. Komaroff?
Mr. Komaroff. I would defer, you know, to others on the
broad spectrum of cyber-related exploitation that could be
affecting the Department's systems and networks. I think that
that shades into the presence of counterfeits and components
and what have you that have been identified within the
Department. I don't think that there is strong enough evidence
to present a no-kidding instance of what I would call a true
supply chain exploitation accounting for any one of them.
Malicious code account--malicious code, so-called, accounts
for, which is generally code injected into systems, typically
remotely, frequently exploits the kinds of weaknesses and
security defects in devices that we acquire. That is kind of a
different problem and is the basics of information assurance
and cybersecurity.
Supply chain risk, as we address it, represents a much
smaller set and much more difficult to discern. There will be
instances where we put two and two together, see a threat
actor, and examine equipment and find weaknesses associated
with it. Those weaknesses frequently could be explained as
either security related defects or the failure to close
engineering-type back doors and what have you.
Ultimately, it is a subtle matter trying to discern whether
or not a particular instance is the case of an explicable--an
otherwise explicable defect or a no-kidding supply chain
exploitation.
Mr. Scalise. I see my time is up.
Mr. Stearns. I appreciate it.
The gentleman from Texas, Mr. Green, is recognized for 5
minutes.
Mr. Green. Thank you, Mr. Chairman.
American manufacturers rely heavily on the global supply
chain to build products and hardware, for the devices can be
made and assembled in any country in the world. Software code
can be written everywhere. This means that foreign governments
can have access to these components at several entry points,
and these components can make their way into any number of
places via government entities or private-sector uses through
critical infrastructure components and controls and even
through personal electronics.
Mr. Wilshusen, are most IT product components manufactured
in the U.S.?
Mr. Wilshusen. I would say no.
Mr. Green. Do you know where a lot of these components are
manufactured?
Mr. Wilshusen. It could be anywhere--anywhere on the
planet, generally.
In the report we just issued, we have a diagram of a
laptop, and from that we identified various different
components of your basic laptop like the LCD, the motherboard,
circuits, memory, storage and hard drives, and each of those
products could come from any number of multiple different
countries, except for the motherboard. I think we only found
that coming from Taiwan, but----
Mr. Green. Oftentimes, the purchaser of the ultimate
product isn't aware of where all the components are from.
Because, again, even an individual, if you buy your cell phone
or your--you know, BlackBerry or whatever. So a government
entity could purchase a product from an American brand and not
be--and be unaware of where all the component pieces in it were
manufactured or assembled.
Mr. Wilshusen. Yes, I would say definitely so.
Mr. Green. This leaves government purchases heavily
exposed, and right now companies are not obligated to inform
the government in commercial or individual purchases of where
the products they sell come from.
Mr. Wilshusen, do government entities currently track where
all of their components come from?
Mr. Wilshusen. No, they don't. And particularly one of the
objectives that we had in our report that we issued dealt with
the extent to which the four agencies that we went to--Energy,
Homeland Security, Justice, and DOD--on the extent to which
they tracked the foreign location of these components, and none
of them actually tracked those.
But then again they weren't required to track it either,
and there is a thought that trying to do so would be cost-
prohibitive and that perhaps a more indicative--or an
indication of the threat and risk would be not so much location
of a facility where a component is prepared but more it is the
influence that an either foreign intelligence service or some
other organization may have over the entity, not its direct
location.
Mr. Green. So the obstacle is just the cost and the time
frame. But is there a way that those four agencies have
identified that they can make sure what they are purchasing has
not been either compromised--or to the point of maybe even the
quality, not to the point--I am not saying sabotaged but the
quality would not be to the level we expect.
Mr. Wilshusen. Well, one of the activities that these four
agencies are conducting to an extent are threat assessments on
certain level of acquisitions. Typically, these may be for the
most highly sensitive acquisitions, and these threat
assessments are for a particular product or service on a
particular acquisition. And those threat assessments are then
considered and, in some instances, are being provided to a
database or repository that is being kept by the Office of the
National Counterintelligence Executive.
Mr. Green. OK, Mr. Komaroff and Mr. Vega, what are your
agencies doing to address some of these obstacles on the
quality or the concern of the products we are using?
Mr. Komaroff. Do you want to go first?
Mr. Vega. Sir, so at the Department of Energy, we rely on
most of our competitively purchased IT commodity items. We rely
on the General Services Administration through their
contracting process to deliver those to the Department of
Energy. While there is some assurance, I believe, in the
processes at GSA to validate pedigree of some of these devices
and technologies, we understand that there is more we can be
doing.
I will tell you that we are very much engaged with the
Office of the National Counterintelligence Executive in some
piloted procurement working groups to help--to better help
understand what the actual threat to the Department of Energy
is when dealing with some of these manufacturers.
Mr. Green. Mr. Chairman, given our Nation's reliance on
components manufactured outside the U.S., I think it is
important that we do everything in our power to ensure that, at
the very minimum, we know where the threats may lie. It is
important for manufacturers to be up front about where the
products they sell come from. It is also important for Federal
agencies to carefully vet the products they purchase. Securing
our supply chain is not simply a private-sector problem or
Federal Government agency problem, because it really affects
all of us. And so I appreciate the chance to have this hearing.
Mr. Stearns. I thank the gentleman.
And the gentleman from Georgia is recognized for 5 minutes.
Mr. Gingrey. Mr. Chairman, thank you.
Mr. Vega, last year, Bruce Held, the DOE's Director of
Intelligence and Counterintelligence, noted that if a malicious
actor controls your hardware or software, they control your
system. Held went on to explain that the military does check
the hardware and software in these systems to security
vulnerabilities and possibly malicious code but that this would
be very costly for the private-sector companies. Do you agree
with Mr. Held?
Mr. Vega. I do agree with Mr. Held.
Mr. Gingrey. Are the IT products and service providers that
you deal with checking their products?
Mr. Vega. Sir, I would have to answer that I believe some
of our vendors have programs to vet their supply chains, and
some do not.
Mr. Gingrey. And are you attempting to verify that they do?
Is that part of what you are doing?
Mr. Vega. I think what we are doing, sir, is we are
embarking on the process of developing explicit direction to
our IT purchasers across the Department to do exactly that.
Mr. Gingrey. Has DOE ever identified a cyber incident or
control systems incident that could be attributed to corrupted
hardware or software linked to a supply chain vulnerability?
Mr. Vega. Sir, I would have to say in my short time at DOE
I have not been made aware of any confirmed supply chain threat
that has been realized at the Department. Doesn't mean there
isn't. I am just not aware of one.
Mr. Gingrey. And you told us in your opening testimony you
have been with DOE in this position for how long?
Mr. Vega. A little bit more than 8 months, sir.
Mr. Gingrey. And before that?
Mr. Vega. I was the Chief Information Security Officer at
Immigration and Customs Enforcement in the Department of
Homeland Security.
Mr. Gingrey. Thank you, Mr. Vega.
Mr. Vega. Thank you.
Mr. Gingrey. I want to direct the next question, Mr.
Chairman, to Mr. Wilshusen.
To what extent will your report, the GAO's report work,
shed light on critical infrastructure security? What role does
the Department of Homeland Security, for example, have in
coordinating information over supply chain challenges?
Mr. Wilshusen. Well, with regard to your first question,
with regard to the critical infrastructure protection in that,
it would address it to the extent that as it relates to IT
supply chain, the threats and vulnerabilities. What we found
with regard to the supply chains that affect Federal systems
and Federal agencies would also likely affect private sector,
because it is generally coming from the same global supply
chain area.
Mr. Wilshusen. And so in that respect it would be similar.
Mr. Gingrey. Well, you know, it is one thing to ensure
standards for off-the-shelf software used by U.S. Government,
but how do you communicate supply chain risk to the purchasers
of specialized control systems software made internationally
for use in very critical infrastructure?
Mr. Wilshusen. Well, in terms of standards, the Federal
Government is pretty much just setting up for what its agencies
need to do in terms of securing its software, but if a
particular agency needs a particular security requirement on
its products and it is acquiring those from a private sector
organization, it would typically identify what those are in the
contractual mechanisms that exist with that particular company
to determine we need these particular security requirements in
our software, in our hardware, in our systems, and then assure
that the private sector organization is able to deliver.
Mr. Gingrey. What metrics do you have in measuring progress
on this front?
Mr. Wilshusen. I am not sure there are that many metrics in
that particular area that exist.
In terms of percentage of contracts that have security
requirements, I don't know of that.
Mr. Gingrey. Mr. Chairman, that's all the questions that I
have, and I yield back the last minute.
Mr. Stearns. I thank the gentleman. I think Mr. Gingrey
made a good point, Mr. Vega. Will the Department of Energy
finish its process of giving guidance to your suppliers for
them to promote their supply chain's integrity? When is that
date going to be?
Mr. Vega. Sir, it is hard to predict how long it will take
for the Department.
Mr. Stearns. Isn't DOE in charge of our nuclear stockpiles?
Mr. Vega. Yes, they are, sir.
Mr. Stearns. OK. It seems like you should have an answer. I
mean that's a strategic area that we want to be sure that you
are protecting, and yet I would just like to actually get a
date of when you are going to do something.
Mr. Vega. Absolutely, our current----
Mr. Stearns. This whole process.
Mr. Vega. I am sorry. Our current risk management policy
requires our under secretary organizations to account for
supply chain risks within their risk management.
Mr. Stearns. So you don't have a date then? Huh? That's OK,
I understand. How long has this been going on then?
Mr. Vega. I'm sorry, how long has what been going on, sir?
Mr. Stearns. This whole process of trying to figure out, to
give guidance to your suppliers. You can't give a date when you
are going to complete it. Have you started it?
Mr. Vega. We have started engaging the various programs----
Mr. Stearns. Engaging? You started engaging.
Mr. Vega. We have started engaging.
Mr. Stearns. And how long has this process been going on?
Mr. Vega. It has been going on since we were first
contacted by GAO.
Mr. Stearns. Which is when, how long ago?
Mr. Vega. Since March of this year.
Mr. Stearns. OK. So you have only started this month--this
month you just started the whole process of giving guidance to
your suppliers to promote the supply chain integrity. So you
have only been doing it for 2 weeks, is that true?
Mr. Vega. With regard to the findings for the GAO report,
that is true. However, there are a lot of other activities
ongoing within the Department.
Mr. Stearns. Because I think many of us are concerned that
the GAO report shows that DOE is the furthest behind in
developing IT supply. You have confirmed it today that it is
only the last couple weeks that you've even thought about
giving guidance to your suppliers dealing with supply chain
integrity.
Let me ask this question.
Ms. DeGette. Can I just follow up?
Mr. Stearns. Well, you can take your own time. You can have
a second time on this.
Ms. DeGette. But I just want to----
Mr. Stearns. The gentlelady will suspend. I am involved
with a question here.
For example, DOD is in the process of using its
intelligence authority in its procurement process. Does the
Department of Energy have enough information, enough
information to evaluate its vendors or could you benefit from
more information?
Mr. Vega. We can always benefit from more information, and
we could always benefit from better collaboration. I will tell
you that we are engaged in the interagency very actively with
DOD, DHS, and the White House to share information and best
practices, not only internally with DOE but also with our
Office of Electricity Delivery and Energy Reliability.
Mr. Stearns. OK. I think what happened is Mr. Gingrey had
time and they kept my time, so I still have more time in the
original 5 minutes which I was taking. So I assume I have
another 2 minutes or so.
Let me ask you this, Mr. Vega. Are you aware of any cyber
attacks or threats to DOE systems that were because of a
vulnerability in a supply chain?
Mr. Vega. I am unaware of any.
Mr. Stearns. OK. What types of supply chain threats has the
DOE ever faced?
Mr. Vega. Well, I think we faced supply chain risk to our
nuclear surety program.
Mr. Stearns. To your what program?
Mr. Vega. To our nuclear surety program.
Mr. Stearns. How about your nuclear stockpile program, have
you--yes or no.
Mr. Vega. Yes, which is why the Department actually
operates two trusted foundries at both Kansas City and Sandia
to provide for the surety of that mission.
Mr. Stearns. Well, based upon this I think you should have
been ahead of the curve instead of just the last 2 weeks giving
guidance to the suppliers.
What specifically is DOE doing to partner with industrial
control system manufacturers and energy critical infrastructure
operators to identify and mitigate risk to industrial control
systems?
Mr. Vega. Our organization has been working closely with
the Office of Electricity Delivery and Energy Reliability to
share lessons learned and best practices at the Department with
the sector on control systems. However, that organization is
led by an assistant secretary, Assistant Secretary Hoffman. I
would be glad to take your questions back for the record to get
more information on the lessons learned.
Mr. Stearns. All right. What is the one risk or threat to
Federal IT supply chains you are most concerned about and what
are you doing to address it?
Mr. Vega. I'm sorry, I couldn't hear the beginning of your
question.
Mr. Stearns. What is the one risk or threat to Federal IT
supply chains you are most concerned about at DOE?
Mr. Vega. I can't say that I am concerned more about a
specific IT supply chain risk. I think we have heard many from
our panelists here. There are many that can be manifested in
our environment if we are not careful. As I said in my remarks,
we have spent a lot of time and energy developing foundational
elements to help us detect, mitigate and respond to that threat
as well as many other threats we are facing.
Mr. Stearns. I think we will recognize Ms. DeGette.
Ms. DeGette. Mr. Chairman, I was just trying to follow up
on the question you were asking of Mr. Vega. Mr. Vega, you said
that you guys have just started this process with the
contractors this month, correct?
Mr. Vega. In response to the GAO report, that is correct.
Ms. DeGette. And so when do you expect that process to be
completed?
Mr. Vega. We have--we expect that process to follow our
internal----
Ms. DeGette. Yes, I understand that, but when do you expect
it to be completed? You wouldn't give the chairman a date, but
perhaps you have a time frame.
Mr. Vega. I would say, Ms. DeJette----
Ms. DeGette. It's DeGette.
Mr. Vega. I'm sorry, I apologize.
Ms. DeGette. That's OK.
Mr. Vega. Beginning of next calendar year we would have
some good progress made.
Ms. DeGette. Well, OK. What does that mean, ``good progress
made''?
Mr. Vega. The Department of Energy is a very diverse
organization with varying missions and varying threats of
varying appetites for threat and risk. The idea that the
Department can quickly issue policies, procedures, and
monitoring systems for that entire complex in a short amount of
time is probably not a good assumption.
Ms. DeGette. But Mr. Vega, here's our concern, and I think
I can say the chairman shares this concern, is we understand
all the complexities of the DOE, and this is what I was talking
to Mr. Wilshusen about earlier, is that if there are threats we
need to identify them, we need to identify the severity and
where they occur so that we can begin addressing them. And
vague answers like this are very disconcerting to people on
both sides of this panel because, after all, it is the
Department of Defense.
So I think my suggestion--I am sorry, the Department of
Energy. And so what I would suggest is that you folks, now you
have got this GAO recommendation and you are putting a process
into place, I would suggest that you put a clear timeline into
place about goals and results culminating at the earliest
possible convenience. We don't want corners to be cut or
anything like that. But we think--and then work with this
committee to inform us about what the plan is. I think our
concern is that the plan seems a little vague just sitting here
today.
And with that, I will yield back.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Stearns. I thank the gentlelady. And Mr. Terry is
recognized for 5 minutes.
Mr. Terry. Thank you, Mr. Chairman. And Mr. Vega, I
apologize that I was in--to all three of you--in an anteroom in
a quick meeting that lasted a few minutes more. I walked in
during your answer and didn't really hear what Mr. Gingrey's
question is, so it piqued me, I was really interested.
Just very bluntly then so I am clear in regard to having a
cybersecurity plan for a critical infrastructure nuclear power
plant, who is best to oversee that cyber plan, DOE or Homeland
Security?
Mr. Vega. Who is best to oversee a cybersecurity plan for a
privately owned power generator, is that the question?
Mr. Terry. OK, let's say a public power nuclear facility. I
don't care, it is nuclear.
Mr. Vega. Right.
Mr. Terry. And it is under DOE.
Mr. Vega. It is DOE. I have to say, sir, that my focus on
cybersecurity is internal to the Department of Energy and the
Federal M&O contractors that operate our National Labs. I am
not that familiar to offer an informed opinion about who would
be better overseeing the implementation of a cybersecurity
plan.
Mr. Terry. I was hearing that you were saying that perhaps
Department of Homeland Security was better prepared to do that,
and I am trying to figure out where their nuclear power plant
expertise would be.
Mr. Vega. I am not sure what you heard, sir.
Mr. Terry. OK. I just want to clarify that.
Evidently--were you suggesting, Mr. Wilshushen? I'm sorry.
Mr. Wilshusen. That's OK, Wilshusen.
Mr. Terry. Wilshusen, just like it is written, I am sorry.
Did you suggest that Homeland Security would be better
supervising overseeing cybersecurity techniques and plans for
nuclear power plants which would obviously, because they are
nuclear, would probably be defined as critical?
Mr. Wilshusen. I did not suggest that, but I will mention
that, and it is not part of this report on IT supply chain, but
DHS does have a role in terms of being the sector under the
National Infrastructure Protection Plan and program, DHS does
have a role in providing guidance and overseeing the--I think
it is the nuclear power industry. Also, Nuclear Regulatory
Commission would be a member and would have insight into that
since they are regulators of these nuclear power plants.
Mr. Terry. Is the Nuclear Regulatory Commission under
Homeland Security's umbrella or another agency's like DOE?
Mr. Wilshusen. It is a separate, independent agency of
Federal Government.
Mr. Terry. Independent agency.
Mr. Wilshusen. It is separate. And so they also specify
some of the security requirements in its role as a regulator of
nuclear power plants to give security. They do conduct certain
reviews over that.
Mr. Terry. Well, I am going to ask you one follow-up
question that stood out to me during your testimony, but
quickly, Homeland Security under my personal view has been a
disaster. And to put them in charge of cybersecurity of any
critical infrastructure scares the hell out of me frankly. And
every time I go through an airport I think of how incompetent
they are. So that's just my statement for the record. I am
sorry I was looking at you when I said that.
But you mentioned in the chain, supply chain that we are
concerned about the unauthorized, which then led me to the
question of how--what needs to be authorized? What parts of the
supply chain, is it the individual parts at the assembly? Who
is going to be able to have the authority to say that they are
authorized to approve that this chip can go into this
computer, that can be sold then to the Defense Department. I
can't get my mind around who would have that level of
authority, and you have 28 seconds.
Mr. Wilshusen. First of all, when I mentioned the word
``unauthorized'' it dealt with acquiring products or parts
components if you will from unauthorized distributors as
opposed to those companies or entities, either the original
component manufacturer or their other approved, if you will,
suppliers to provide it. So if an agency were to go to some
other, through some other distributor that's not authorized to
sell a particular product that was the vulnerability to which I
was referring.
Mr. Terry. All right. Thank you.
Mr. Stearns. All right, we will let the first panel be
dismissed and we will have the second panel come up. Thank you
very much for your time.
Mr. Stearns. Welcome the second panel. We have Mr. Larry
Castro, Managing Director of the Chertoff Group, and we have
Dave Lounsbury, Chief Technical Officer of the Open Group.
Welcome each of you. And at your convenience, Mr. Castro, we
will let you start with your opening statement.
First we have to swear you in.
As you know, the testimony that you are about to give is
subject to Title 18, section 1001 of the United States Code.
When holding an investigative hearing this committee has a
practice of taking testimony under oath. Do you have any
objection to testifying under oath?
Mr. Castro. I do not.
Mr. Lounsbury. No.
Mr. Stearns. The chair then advises you that under the
rules of the House and the rules of the committee you are
entitled to be advised by counsel. Do you desire to be advised
by counsel during your testimony today?
Mr. Castro. I do not.
Mr. Lounsbury. No, sir.
Mr. Stearns. In that case will you please rise, raise your
right hand and I will swear you in.
[Witnesses sworn.]
Mr. Stearns. Now if you would be so kind as to give your 5-
minute opening statement. Mr. Castro, we will start with you.
Welcome.
STATEMENTS OF LAWRENCE CASTRO, MANAGING DIRECTOR, THE CHERTOFF
GROUP; AND DAVE LOUNSBURY, CHIEF TECHNOLOGY OFFICER, THE OPEN
GROUP
STATEMENT OF LARRY CASTRO
Mr. Castro. Good morning, Chairman Stearns, Ranking Member
DeGette, and members of the subcommittee. I appreciate the
opportunity to speak with you today regarding the important
role of IT supply chain security and our Nation's approach to
cybersecurity. I am appearing today in my personal capacity
although for the record I am currently a Managing Director at
the Chertoff Group, a firm that provides strategic advisory
services on security matters, including cybersecurity.
While my work at Chertoff Group informs much of my current
insight into the cybersecurity threat environment, my basic
understanding of information assurance in cybersecurity is
drawn from my 44 years of Federal service at the National
Security Agency. It is thus from these two perspectives that I
offer my views for your consideration today.
I commend the subcommittee for addressing this topic today
as the GAO report well describes securing the supply chain is a
challenging and complex task with many moving parts and
dependencies. I would suggest, however, that it is not an
intractable problem and it is one that can be addressed in the
risk management framework.
The GAO report documents that there's ample policy
direction and implementing guidance from which one can start to
build supply chain defenses. What is needed, however, is a
framework that can build on that policy base and also support
the implementation detail. Risk management offers such a
framework. Risk management approaches security from the aspects
of threats, vulnerabilities and consequences and can be used to
unwrap some key supply chain issues.
Let's first consider the threat actors who might both be
able to benefit from and execute an infiltration of the supply
chain, perhaps by inserting a modified component into the
supply chain of a critical U.S. Government IT enterprise. To do
so of course the adversary must be capable of penetrating the
production process at a point far enough downstream to ensure
that the right target has been infiltrated.
In addition to performing the adversary's desired covert
function, the modified component must also execute the
component's function as originally designed. I would submit to
you that across the spectrum of threat actors in cyberspace
today the most likely players to have the motive and the
capability to successfully accomplish such a deception would be
nation-states.
So who then would be the nation-states that might have the
necessary qualifications and motives? The GAO report notes as
you have heard already in testimony today about an outstanding
organization on point within the Federal Government for
identifying such threat actors. That organization is the Office
of the National Counterintelligence Executive, or NCIX, within
the Office of the Director of National Intelligence.
In October 2011 NCIX published this eye opening report to
the Congress, entitled Foreign Spies Stealing U.S. Economic
Secrets in Cyberspace. The report convincingly presents the
case that both the People's Republic of China and the Russian
state apparatus have both the intent and capability to
undertake economic espionage enhanced by cyber means. These are
the key threat actors against whom our supply chain defenses
should be aligned.
What consequences do they seek to achieve by infiltrating
the U.S. supply chain? The scope of objectives spans the full
range of results achievable from malicious activity in
cyberspace, some of which you all have already addressed this
morning. They include the compromise of confidentiality leading
to the loss of sensitive data and intellectual property, the
loss of availability of critical national security systems, and
the corruption of data residing in these critical systems.
As has already been discussed today, there are numerous
vulnerabilities in the supply chain that can be exploited.
There are, however, well documented best practices and tools
that may be implemented to address some of these
vulnerabilities, and I believe the next speaker on the panel
will address some of those. The use of these tools and
resources, however, must be considered in the context of likely
threat actors and the consequences that they seek to achieve.
Finally, I would like to comment about a section of the GAO
report again that you already discussed this morning dealing
with the lineage of equipment used in U.S. Government networks.
While the report concluded that emphasis is not given to
determining if such networks contained foreign developed
components, the intelligence community representatives quoted
in the report offered the view that determining if a
relationship exists between the supplier company and a foreign
military or intelligence service, that would be a more reliable
indicator of a potential security risk than simply ascertaining
whether a specific product was manufactured or provisioned
outside the United States. I strongly endorse this conclusion
and note that the practice of conducting such due diligence
audits of supplier sponsor links is well established in the
private sector.
For maximum effectiveness, however, this due diligence
requires a good conduit to move high fidelity threat actor
information between the U.S. Intelligence community and those
in the private sector who would benefit from the intelligence
community's insights. It is encouraging that many of the cyber
bills under consideration by you all this session address the
need for such improved information sharing.
Again, thank you for the opportunity to address this topic,
and I would be pleased to answer your questions at the
appropriate time.
[The prepared statement of Mr. Castro follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Stearns. I thank you. Mr. Lounsbury, your opening
statement, please.
STATEMENT OF DAVE LOUNSBURY
Mr. Lounsbury. Chairman Stearns, Ranking Member DeGette,
and distinguished members of the committee. On behalf of the
Open Group and the Open Group Trusted Technology Forum, I want
to thank you for the opportunity to speak at this IT supply
chain security hearing to discuss how the Open Group's Trusted
Technology Forum plans to address some of the challenges in
securing the global supply chain that have been discussed
today.
A little background: The Open Group is a global consortium
that enables the achievement of business objectives through IT
standards. We have more than 400 members, spanning all sectors
of the IT community from customers to vendors, to integrators
and consultants as well as academics and researchers. And staff
works with them to capture, understand, and address their
current and emerging requirements and establish the policies,
shared best practices, to facilitate interoperability and
develop consensus around evolving and integrating standards.
And to back this we operate an industry premier certification
service operating a variety of certification programs over 20
years.
In 2008, the then current Under Secretary for the
Department of Defense Acquisition Technology and Logistics
posed the following challenge to the Open Group members: How can
the DOD safely procure IT technology from an increasingly
global and sometimes unpredictable supply chain in a rapidly
changing threat environment? The discussion focused on the
challenges associated with an increased reliance on commercial-
off-the-shelf information communication technologies in
commercial and government enterprise, including the defense
industry. The parties formalized those discussions in an
initiative under the Open Group that we call the Open Trusted
Technology Forum. And that is a forum, it is a global
initiative that brings in government industry and other
interested participants to work to develop an open technology,
open trusted technology provider standard that's a public-
private partnership to address this very clear cybersecurity
challenge in a shared, multi-stakeholder risk environment like
the global supply chain.
Member organizations contributing to the work include a
broad range of global suppliers, buyers of products and third
party test labs. The open trusted technology provider standard,
which is currently published as a snapshot, provides
organization commercial best practices that when properly
adhered to will enhance the security of the global supply chain
and the integrity of COTS ICT products throughout the entirety
of the product lifecycle. That is from the design phase through
the sourcing of the components, build, fulfillment,
distribution, sustainment and all the way to the disposal
phase.
Snapshot was released in March and is intended to become an
Open Group standard which will be available to everyone, and
this provides a set of best practice requirements and
recommendation on two types of risk inherent in the acquisition
and use of COTS ICT products. First is tainted product risk,
and that is a product is produced by the provider and is
acquired through legitimate reputable channels but has been
tampered with maliciously.
The second is the counterfeit product risk where a product
is produced other than by or for the provider or is supplied by
other than a reputable channel and is presented as being
legitimate.
The standards based on best practices have been contributed
from the experience of very mature industry providers and the
results rigorously reviewed through an open consensus process,
standards sufficiently detailed and prescriptive enough to be
useful in raising the bar for all the technology suppliers, and
it really lends itself to an accreditation process that will
provide assurance that it's being followed in a meaningful and
repeatable manner. And by adopting the standard and committing
to conform to these best practices, technology providers,
whether it be hardware or software component suppliers and
integrators, will help ensure the integrity of the COTS ICT
products.
Now given the very fast pace changes of technology and risk
landscape, the OTPF plans to evolve the OTPF standard over
time, and so as specific threats emerge or the market needs
evolve then the forum will update the standard to address these
threats or changes.
It takes a very comprehensive view about the practices a
provider should follow in order to be considered to be a
trusted technology provider that builds with integrity allowing
its customers to buy with confidence.
Chairman Stearns, Ranking Member DeGette, and members of
the committee, thank you again for the opportunity. I want to
offer up the expertise of the Open Trusted Technology Forum to
the subcommittee and other congressional committees as they
continue to examine supply chain issues. We look forward to
working together to address the critical problem of improving
global supply chain security.
Thank you.
[The prepared statement of Mr. Lounsbury follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Stearns. And I thank you. And I will start with my
first set of questions. I will ask you the first question that
I am trying to get an answer to, which I asked the first panel,
to each of you. Is the biggest emerging cybersecurity threat to
consumers and government agency the cybersecurity threats to
the supply chain, IT supply chain? Yes or no. Do you want me to
repeat the question? Is the biggest emerging cybersecurity
threat to consumers and government agencies the cybersecurity
threats to the IT supply chain? Yes or no.
Mr. Castro. My answer would be no.
Mr. Stearns. And yours?
Mr. Lounsbury. My answer would be no as well.
Mr. Stearns. If not, what is? In the first panel one person
said yes and two said no, but I forgot to ask them what is.
What is, Mr. Castro, that preempts this in your opinion?
Mr. Castro. The threat is the----
Mr. Stearns. Could you have your mic on?
Mr. Castro. The threat is the remote access threat enabled
by poor practices on the intended victims either not having
adequate defense in-depth and protection of critical data, and
also quite frankly increasingly folks are just succumbing to
pfishing attacks that are very well constructed. But those
pfishing attacks are the entry point for remote access attack
attempting to acquire mostly intellectual property.
Mr. Stearns. Not in the supply chain?
Mr. Castro. No, I would not put the supply chain in that.
Mr. Stearns. OK, that's interesting. Mr. Lounsbury?
Mr. Lounsbury. I believe the supply chain is part of the
problem. I think the actual immediate risk is from external
attack, whether from outsiders or people who have been placed
inside organizations.
Mr. Stearns. So you are not worried about malware or all
these other things, you are worried about somebody externally,
either through phishing or some kind of overt action getting in
and then having the piece of software placed there?
Mr. Lounsbury. Malware is part of that problem. Malware
takes advantage----
Mr. Stearns. But you are not worried about the supply chain
per se as you are worried about somebody overtly coming in?
Mr. Lounsbury. Supply chain encompasses many phases.
Mr. Stearns. OK, it gets complicated. All right. Each
member, what are the current supply chain practices and
processes that could prevent or detect corrupt, compromise or
counterfeit components in the supply chain? Mr. Castro?
Mr. Castro. Well, I mentioned the one that we observe most
frequently with the clients that we support, and that is a very
aggressive due diligence program, not quite frankly on every
component that a company might buy but the identification of
where the critical paths are, the tasks that lead to a
company's crown jewels. And then ensuring that every component
that might be compromised in that path has been vetted, not
only in terms of the pedigree of the component but knowing who
are the people responsible for servicing it and the other
support structure around it.
Mr. Stearns. Mr. Lounsbury?
Mr. Lounsbury. There are many steps in the development and
furnishing of a product. And what we look at is the
organizational best practices to make sure that a supplier is
using the best practices during their processes throughout the
supply chain to make sure that they are doing everything they
can to prevent those vulnerabilities from being there so they
can't be exploited later.
Mr. Stearns. Who in the supply chain should ensure tighter
chain of custody controls, Mr. Castro?
Mr. Castro. The question again is who in----
Mr. Stearns. Who in the supply chain should ensure tighter
chain of custody controls?
Mr. Castro. Well, again, I would just go back to the simple
thing that we practice every day in each of our lives and that
is buyer beware. If there is a purchasing order that's cut on
behalf of an engineer and a company, then we would look to the
engineer to make sure that it is to the best extent possible
that they have been able to vet the pedigree of the product.
Mr. Stearns. Mr. Lounsbury?
Mr. Lounsbury. I would concur with Mr. Castro. Each link in
the chain has to look up to its suppliers and also downstream
for its responsibility for the fulfillment, delivery,
sustainment and eventual retirement of the products that it
sells.
Mr. Stearns. What can government do to create or
incentivize the deployment of those additional capabilities
that some of you folks would think is necessary? What can we
do?
Mr. Castro. Well, again, going back to my testimony, I
think the biggest thing that the government provides is
information with regard to the source of potential threats and
activity that's seen in this space. Again the Office of the
National Counterintelligence Executive Program has been
commended as exemplary in this case. They have a very vigorous
outreach to industry to try to provide both at the classified
level and to the unclassified level an understanding of where
the problems are.
Mr. Lounsbury. Focusing on the ease of COTS ICT, the most
important thing the government can do is in fact as said just a
moment ago, is to make sure that it is using best practices
when it does procurement to make sure that they have identified
trusted technology partners.
Mr. Stearns. My time has expired. The gentlelady from
Colorado.
Ms. DeGette. Thank you, Mr. Chairman. As we continue our
reliance, to increase our reliance on technology, we need to
really look at all the implications of its use and include any
vulnerabilities and threats presented by new technologies. So
Mr. Castro, I wanted to ask you, do you think that the threats
due to the new technologies are increasing in scope and
sophistication?
Mr. Castro. I am sorry the threats are what?
Ms. DeGette. The threats due to the new technologies are
increasing.
Mr. Castro. Oh, no question about it. An example would be
smartphones and the applications that go on them. The
application industry has just exploded. Some suppliers and some
maintainers of application super supply stores do do some
vetting, but quite frankly that is an area that we all should
be concerned about as we buy a very cheap app to put on our
phone, but yes, I agree with you.
Ms. DeGette. Almost two-thirds of U.S. firms report that
they have been victims of cybersecurity incidents or
information breaches. And as you allude to, the volume of
malicious software on American networks has more than tripled
since 2009. And so I am wondering in specific about the
challenges the Federal Government faces in responding to those
rapidly evolving threats.
Mr. Castro. Well, again the role of the government in my
view is education. There's a tremendous amount of information
that the government holds, both open source and classified,
that should be made available to the private sector through
properly vetted information channels.
Ms. DeGette. OK. Now James Clapper, who's the Director of
National Intelligence, was talking to the Senate committee
about a year ago and he talked about a new phenomenon known as
convergence. Are you familiar, Mr. Castro, with network
convergence?
Mr. Castro. Yes, ma'am.
Ms. DeGette. And can you talk about what that is?
Mr. Castro. Well, I think in terms that we would understand
it is where we rely upon each of the devices in an integrated
way.
Ms. DeGette. Right.
Mr. Castro. So it may be that your BlackBerry might be
linked or synched to your home personal PC or to your laptop.
So the problem there is a vulnerability in one part of that
chain is easily introduced into the other part.
Ms. DeGette. Into the other parts. So it is because video,
data, voice, everything are all converging on one common
network, and that's part of this new technology that has
developed that you talk about like with the iPhones and things
like that, right?
Mr. Castro. Right.
Ms. DeGette. And I am wondering if both of you could talk
about the risks of that type of convergence technology, the
increased vulnerabilities if they are put into cyberterrorist
hands.
Mr. Castro. Briefly, although I will be repeating myself a
little bit. But an example would be if you bought an app for
whatever smartphone, mobile device you have that is corrupted,
it is quite possible that that can be the front door that
allows someone to have access to your own home personal machine
where you might have some more sensitive data stored or you
might have the keys to being able to get to your financial
accounts and things of that nature.
Ms. DeGette. And that can be extrapolated to problems on
the government networks, too, right?
Mr. Castro. Well, yes, but fortunately in most places in
the government this whole notion of how to deal with mobile
devices is undergoing quite a bit of scrutiny. Policies are
being adopted that would provide some partitioning between
mobile users and the enterprise that they support.
Ms. DeGette. Well, I am thinking about--I am glad they
are putting policies into place, but I am thinking about like
if there's a National Lab and there's a smart device being used
to collect and process information for research at a National
Lab, if somebody was able to get in there, that could cause
significant harm, correct?
Mr. Castro. Well, there is some potential for that, but
since you talk about the National Labs, I will tell you that in
my time and experience in government that they are some of the
most very, very far in front, as Gil mentioned, with regard to
constructing the kind of policies and actual hardware
limitations to prevent that, particularly in dealing with some
of the more sensitive things that the labs do.
Ms. DeGette. That's good to know.
Mr. Castro. But it's a point very well taken, the threat of
mobile devices is one that has really mushroomed onto the
landscape and it is one that we are all scrambling to find the
right balance between providing the individual user the
flexibility that the mobile device provides but also protecting
the integrity of our data.
Ms. DeGette. Mr. Lounsbury, do you want to comment on that
briefly?
Mr. Lounsbury. I think there are a couple of comments.
First, the issue about the growth and capabilities of computer
systems and networks is a coin with two sides. Of course the
increase in complexity does come with an increase in
vulnerability, yet it also adds the ability of the additional
processing power and the additional awareness of what is going
on to actually recognize attacks and proactively create
defenses.
I concur with the issue of convergence, sometimes we hear
it called as, you know, bring your own device where there are
new devices coming in that may bring their own vulnerabilities.
And so this is why it is in fact essential to have not only
policies of course beyond the supply chain but also in the
supply chain to make sure that those devices that are coming in
have undergone the scrutiny and correct practices to make sure
that they are safe.
Ms. DeGette. Thank you. Thank you very much, Mr. Chairman.
Mr. Stearns. The gentlelady's time has expired. The
gentleman from Nebraska, Mr. Terry, is recognized for 5
minutes.
Mr. Terry. Thank you, Mr. Chairman. And you're here as a
different perspective from the first panel, kind of non-
governmental perspective. And so I kind of want to follow
through with your unique position here for today's hearing. And
we heard the gentleman from GAO talk about unauthorized
materials or whatever, computers, devices. And I want to work
through that because I am still very concerned about how loose
the authorizations may be. It seems to me the best practice
that's being recommended here for any, for Department of
Defense or DOE or whatever government agency that is dealing
with critical issues is that they should only be allowed to
purchase from an authorized vendor, of which evidently the
vendor then has certified everything back, that they can then
trust the individual parts, whether it is software, chips,
hardware, have not been compromised in any way. So my question
to you is, is that a best practice? Do we need to add more
definition to it? And do we need further authorizations down
the supply line? Mr. Castro and then Mr. Lounsbury.
Mr. Lounsbury. I guess, if I may start, I would concur with
what you say there. Ultimately people, use of COTS implies that
an agency, in this case a government agency, purchases from a
commercial marketplace. And so the question is what are the
standards that your supplier uses to demonstrate that they can
be trusted. Part of that would be the processes they have for
themselves throughout their product development and fulfillment
lifecycle, but also are they imposing those standards on those
suppliers as well? You think about first you design a product,
then you get sources for components, those components have to
undergo the same standards or be held to the same standards
that you would hold yourself to as a trusted vendor.
Mr. Terry. And do you think that is sufficient, that they
just--I don't have the confidence that the supplier actually
has any level of control in India or China or manufacturing
facilities. How do they have a level of surety that something's
not being compromised way down the assembly line?
Mr. Lounsbury. In the commercial world typically we look to
some sort of a conformance program where a supplier would
submit evidence, either through a third-party lab and certainly
to an independent certification authority, to make sure that
they have in fact given some evidence of those best practices
before they are, you know, recognized as a trusted partner. And
then, yes, there is the burden of everybody in the supply chain
for making sure that their partners are trusted. It is a very,
you know, fast branching supply chain, and it is really--you
have to pick a scalable way of doing that.
Mr. Terry. Mr. Castro, do you have anything to add?
Mr. Castro. I would offer quite frankly, and this may be
out of skew with the thrust of your question but I can't
divorce my 44 years in government service either. I think this
has to be approached with a really sensible sense of scale and
scope, in that you are not going to test every resistor that
goes into every motherboard of every computer. And I think the
DOD program is exemplary in this in that they have started,
they have prioritized those systems that they believe should
have this extra scrutiny.
The other thing that the customer can always do, that is to
say the person at the end, is you pick every fifth Dell
computer that comes out of the box and you really run it
through its paces to the greatest extent you can. And there are
folks who are very, very good at that, including looking for
signs of tampering and things of that nature. So some random--I
said every fifth, but it would be a random sampling of the
devices that you get, but the point being that unless you are
willing to authorize extraordinary amounts of money in this
area it has to be done with some reasonable balance involved.
Mr. Terry. Thank you.
Mr. Stearns. I thank the gentleman. The gentleman from
Georgia, Mr. Gingrey, is recognized for 5 minutes.
Mr. Gingrey. Mr. Chairman, thank you. Mr. Lounsbury, how
can the government and the private sector benefit from a
public-private partnership in developing international
standards?
Mr. Lounsbury. I think there are a couple of ways that that
can happen. First, the government quite often brings a unique
set of needs and perspectives and set of requirements to the
party. And of course, on the other hand, any provider who
values their reputation wants to make sure that their products
will meet those needs so they can frankly sell into that
sector. Of course they have to do it in a way that still keeps
them in a commercial business. So there's that match of buyer
need and supplier response.
The other part is we have to recognize then, as we have
heard many times, the supply chain is global. It says on some
of our devices designed in California, made in China. Right?
And so these have to be international standards so that the bar
can be raised on a global basis so that if you know that you
have seen a trusted technology provider here, and I do want to
emphasize that when we look at this we talk about the
organization, not a specific product. So we look at is that
organization following these best practices in a verifiable and
certified way. And you can look----
Mr. Gingrey. Well, let me interrupt you just for a second
because of the limitation of my time and I will cut right to
the chase. More importantly, how do you envision other
countries implementing the international standards of the Open
Group?
Mr. Lounsbury. The Open Group--first we--our standards are
principally commercial standards. These are ones where
companies voluntarily comply with them and enter into
certification programs. We do, however, have liaison with ISO,
the international standards body and specifically the working
group within ISO that will take these standards and make them
international. We are very active in making sure that that
happens. So they are both de facto standards that can be
adopted by industry and de jure standards that can be
implemented by----
Mr. Gingrey. If standards such as these are implemented
internationally, should the United States refuse to do business
with countries that don't implement those standards?
Mr. Lounsbury. I think that when the United States procures
things they should procure from suppliers that have taken the
time to do the job right by following the international
standards.
Mr. Gingrey. Thank you. Mr. Castro, the current approach to
IT supply chain risk is a patchwork of varying policies and
procedures that are not coordinated across the government. What
can be done to facilitate a coordinated approach that
reasonably and adequately addresses the risk while avoiding
excessive cost, burdensome regulation or marginal results?
Mr. Castro. That's a tough one, Congressman. I think it
begins with the fact that my sense from where I sit is that
within the government there has been a very, very succinct
wakeup call. It is evidenced in the testimony that General
Clapper and others have provided to you and other committees.
The other thing is that it is increasingly becoming threat
based, and that was part of the essence of my oral statement,
is that we simply can't go down every road, but we know where
there are two very big roads that we have to watch. But clearly
all the things that you asked for in that question represent
the Nirvana at the end of the process. I am not sure we are
anywhere close.
Mr. Gingrey. Let me follow up on that with this. For
example, the GAO report, it highlighted deficiencies of DOE,
DHS, DOJ, I am sorry, Department of Justice, and rightly
recommends corrective action. Their recommendations for
executive action is directed at each department individually,
if I understand the report.
How should the government coordinate this solution for the
entire Federal Government?
Mr. Castro. Well, again I think that the way the Federal
Government is organized that there's no doubt somebody in OMB
who has this in their portfolio to coordinate across, but the
other thing I think that's recognized in the report is that one
size does not fit all. As the committee members have already
pointed out, you have concerns about DOE because they have such
a critical part of not only our national security structure,
but our energy provision structure. The report also singled out
DHS, but quite frankly DHS is not a big component in terms of
driving the IT enterprise.
Mr. Gingrey. Well, let me real quickly because my time is
running out, I really respect the fact that you have got 44
years of experience at the Federal level, but, you know, it
would seem to me that lack of coordination would be more
advantageous let's say to a company like the one that you
currently work for, the Chertoff Group, whereas from the
Federal Government perspective coordination would be better,
more coordination. So where do you draw the line in regard to
that?
Mr. Castro. Well, again I think it is a balance. You want--
there definitely needs to be a common set of standards, a
common set of government regulations that OMB would administer
and see just like they do FISMA and report in the same way as
FISMA compliance is reported, but I think also that Mr. Vega at
DOE has a set of problems, the DOD program has a different set
of problems. As long as they meet the common standard then they
can go in their directions.
Mr. Gingrey. OK, thank you. Thank you both and thank you,
Mr. Chairman.
Mr. Stearns. I thank you. The gentleman from Virginia is
recognized for 5 minutes.
Mr. Griffith. I don't think I will take the whole 5
minutes, so if anybody else has other questions I would be
happy to yield. But I do have one. I have been listening to the
testimony and bringing myself a little education on this, which
I like coming to these hearings. Thank you, Mr. Chairman, for
holding it.
You indicated, Mr. Castro, that one of the things we need
to do is have the Department of Defense working with private
industry and I agree with that. But my question is at what
point do they step in? And do they need to be taking an active
role in defending our private industries? Here is the dilemma
I've got. In World War II the Allies broke the German code,
they had to make some very tough choices and history looks back
on some of the choices very critically. But they had to make
some tough choices because they knew some things the Germans
were doing, but they knew if they stopped it there might be the
possibility that the Germans would figure out that they had
broken the code and then that would endanger all kinds of other
operations. So now we are faced in a slightly different
situation. If the defense folks know that somebody is stealing
our private information because they have tapped into it by
their defensive measures in trying to protect our national
security on the defense side, how do they work out balancing
that out? And how do they tip off or do they just take measures
on behalf of the private industry to defend our economic system
without tipping off X, Y, Z country that we are on to them?
That's the basic gist of my question. If you could help me on
that.
Mr. Castro. OK, very well founded. The difference where the
analogy isn't quite possibly in synch is that the time frame
that we are operating with regard to the breaking of Ultra and
things like that you refer to in World War II, we had a much
greater time frame, duty cycle. Today it moves much, much more
quickly and therefore I do come very much into the direction
that your question was going and that there needs to be greater
transparency between what the intelligence community within the
DOD sees and making that information available to the private
sector. And again very, very--I think well spoken is the fact
that there are bills before the House, particularly the one out
of the HPSCI, the Rogers-Ruppersberger bill, that does attempt
to address that issue and put quite frankly the DOD
intelligence assets into the game, properly supporting through
the DHS front door the private industry. So your analogy is
very, very well taken and I understand and totally agree.
Mr. Griffith. Thank you very much. Mr. Chairman, unless
somebody wants me to yield time to them, I would yield back.
Mr. Stearns. The gentleman yields his time back, and I will
ask two questions and the gentlelady is welcome to offer her
questions. A question for both of you, who should be the
innovator in this place in developing a common criteria
network; should it be the government or the private sector?
Mr. Lounsbury. Mr. Chairman, I actually believe that the
public sector does need to lead in this area.
Mr. Stearns. The government should.
Mr. Lounsbury. Pardon me, excuse me, the commercial sector.
Sorry to be unclear.
Mr. Stearns. The commercial sector, OK, and you, Mr.
Castro?
Mr. Castro. I would agree.
Mr. Stearns. OK are there advantages basically because the
private sector is more innovative?
Mr. Lounsbury. I think it is a question----
Mr. Stearns. It is closer to their bailiwick?
Mr. Lounsbury. I think it is a question of market pressure,
sir. I think the pace of innovation forces them to respond very
quickly, and frankly they need to innovate and respond at the
speed that is driven by the market and by the emerging threats.
Mr. Stearns. Mr. Castro, do you agree?
Mr. Castro. I agree.
Mr. Stearns. Mr. Castro, if one begins from the premise
that a supply chain vulnerability has already been exploited
and currently exists within an IT enterprise, what should a
supplier or that matter an agency do to mitigate this risk?
Mr. Castro. OK, well, this in fact is the topic of the
moment. It is called presumption of breach or operating under
attack.
Mr. Stearns. Presumption of----
Mr. Castro. That your system has been breached and that's
the way you go about constructing the defense.
Mr. Stearns. OK.
Mr. Castro. DOD put out their strategy for operating in
cyberspace last summer. That is at the heart of it. What you
then have to do, however, is to say if in fact the assumption
is that the adversary is in my system, I need to identify very,
very precisely what are my crown jewels that I hold in that
system and I need to protect those to the maximum extent
possible and I need to make sure that those who have
authorization to be able to access those crown jewels, that
their activity is very, very well accounted for. We call that
data centric defense.
Mr. Stearns. Mr. Lounsbury, you might want to comment on
what Mr. Castro said.
Mr. Lounsbury. Thank you. I would agree with the spirit of
what Mr. Castro says, but I think one of the essential pieces
of this is that you make the best practices commonplace. I
think that everybody understands that there are issues about
how you do security development and engineering, things like
threat analysis, threat mitigation, how you respond to those
threat analysis through a design, one-time protection
techniques, vulnerability analysis, all those things in the
development phase, and then you actually must extend them to
the supply chain, but it can't be treated as a product by
product activity. It has to be something you internalize to
your company's processes in order to not have to do it every
single time, that you can look to a provider and say yes, we
can deal with them and know their products are trustworthy.
Mr. Stearns. All right, thank you, Ms. DeGette.
All right, at this point, it appears our questions for the
second panel are complete.
I want to thank the witnesses for coming today and for
their testimony and members for their devotion to this hearing.
The committee's rules provide that members have 10 days to
submit additional questions for the record to the witnesses.
And, with that, the subcommittee is adjourned. Thank you.
[Whereupon, at 12:02 p.m., the subcommittee was adjourned.]