[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

  IT SUPPLY CHAIN SECURITY: REVIEW OF GOVERNMENT AND INDUSTRY EFFORTS

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 27, 2012

                               __________

                           Serial No. 112-131

      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

77-892 PDF                WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001

                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         TAMMY BALDWIN, Wisconsin
CHARLES F. BASS, New Hampshire       MIKE ROSS, Arkansas
PHIL GINGREY, Georgia                JIM MATHESON, Utah
STEVE SCALISE, Louisiana             G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio                JOHN BARROW, Georgia
CATHY McMORRIS RODGERS, Washington   DORIS O. MATSUI, California
GREGG HARPER, Mississippi            DONNA M. CHRISTENSEN, Virgin 
LEONARD LANCE, New Jersey            Islands
BILL CASSIDY, Louisiana              KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 _____

              Subcommittee on Oversight and Investigations

                         CLIFF STEARNS, Florida
                                 Chairman
LEE TERRY, Nebraska                  DIANA DeGETTE, Colorado
SUE WILKINS MYRICK, North Carolina     Ranking Member
JOHN SULLIVAN, Oklahoma              JANICE D. SCHAKOWSKY, Illinois
TIM MURPHY, Pennsylvania             MIKE ROSS, Arkansas
MICHAEL C. BURGESS, Texas            KATHY CASTOR, Florida
MARSHA BLACKBURN, Tennessee          EDWARD J. MARKEY, Massachusetts
BRIAN P. BILBRAY, California         GENE GREEN, Texas
PHIL GINGREY, Georgia                CHARLES A. GONZALEZ, Texas
STEVE SCALISE, Louisiana             DONNA M. CHRISTENSEN, Virgin 
CORY GARDNER, Colorado                   Islands
H. MORGAN GRIFFITH, Virginia         JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    HENRY A. WAXMAN, California (ex 
FRED UPTON, Michigan (ex officio)        officio)

                             C O N T E N T S

                              ----------                              
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement
    Prepared statement
Hon. Diana DeGette, a Representative in Congress from the State 
  of Colorado, opening statement
Hon. Tim Murphy, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement

                               Witnesses

Gregory C. Wilshusen, Director of Information Security Issues, 
  Government Accountability Office
    Prepared statement
Mitchell Komaroff, Director, Trusted Mission Systems and 
  Networks, Department of Defense
    Prepared statement
Gil Vega, Associate Chief Information Officer for Cybersecurity 
  and Chief Information Security Officer, Department of Energy
    Prepared statement
    Insert for the record
Lawrence Castro, Managing Director, The Chertoff Group
    Prepared statement
Dave Lounsbury, Chief Technology Officer, The Open Group
    Prepared statement

                           Submitted Material

Report, dated March 2012, ``IT Supply Chain: National Security-
  Related Agencies Need to Better Address Risks,'' Government 
  Accountability Office, submitted by Mr. Stearns \1\

----------
\1\ The report is available at http://www.gao.gov/products/GAO-
  12-361.

 
  IT SUPPLY CHAIN SECURITY: REVIEW OF GOVERNMENT AND INDUSTRY EFFORTS

                              ----------                              


                        TUESDAY, MARCH 27, 2012

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:04 a.m., in 
room 2123, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman of the subcommittee) presiding.
    Present: Representatives Stearns, Terry, Myrick, Murphy, 
Bilbray, Gingrey, Scalise, Griffith, Barton, DeGette, and 
Green.
    Staff Present: Carl Anderson, Counsel, Oversight; Sean 
Bonyun, Deputy Communications Director; Karen Christian, Deputy 
Chief Counsel, Oversight; Andy Duberstein, Deputy Press 
Secretary; Andrew Powaleny, Deputy Press Secretary; Krista 
Rosenthall, Counsel to Chairman Emeritus; Alan Slobodin, Deputy 
Chief Counsel, Oversight; Lyn Walker, Coordinator, Admin/Human 
Resources; Alex Yergin, Legislative Clerk; Alvin Banks, 
Democratic Investigator; Tiffany Benjamin, Democratic 
Investigative Counsel; and Brian Cohen, Democratic 
Investigations Staff Director and Senior Policy Advisor.
    Mr. Stearns. Good morning, everybody. I call to order this 
subcommittee's third hearing on cybersecurity.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    With the growing reliance on the global economy for our 
goods and services, we are faced with the challenge that 
ensuring the security of those items has become even more 
difficult. As the global economy grows, so does the complexity 
of the global supply chain. The U.S. Government is increasingly 
reliant on commercially available products for information 
technology, IT services, and components. This reliance forces 
the U.S. Government to depend on the trustworthiness of the 
global commercial supply chain. Cyber or state-sponsored actors 
are capable of secretly inserting malicious code into both 
hardware and software during the manufacture of those items. 
Let me give you some specific examples:
    In July 2010, Dell announced that some of its PowerEdge 
motherboards contain malicious spyware that gathered 
information about a victim's Internet browsing habits and 
collected personally identifiable information.
    During a security conference in May 2010, IBM gave 
complimentary USB drives to attendees that contained two kinds 
of malware, including a keylogger program.
    In March 2010, the Spanish cell phone company Vodafone 
released a new version of a popular smartphone infected with a 
version of the Butterfly botnet in addition to other malicious 
software.
    These, my colleagues, and many other instances of supply 
chain poisoning are capable of causing damage to, allowing a 
cyber criminal unauthorized access to, or allowing the 
exfiltration of sensitive or personally identifiable 
information from a victim's computer system.
    Now, last week, the Government Accounting Office released a 
report examining the risk and threats to the supply chains of 
both commercial and Federal IT systems. The GAO studied four 
agencies involved in national security: Department of Defense, 
Energy, Homeland Security, and Justice and their ability to 
assess the risk to their own IT supply chains and the steps 
they have taken to mitigate them. We are joined by the GAO 
today to discuss their findings and recommendations.
    While DOD and DOE and DHS and Justice each participated in 
interagency efforts to address supply chain security, some of 
these agencies had been more progressive than others in 
addressing IT supply chain security risks. In particular, I was 
troubled to find that the GAO concluded that the Department of 
Energy had not--had not developed clear policy that defined 
what security measures it needed to protect against supply 
chain threats. Clearly defined security measures with 
comprehensive implementing procedures are necessary and vital 
to the protection of Federal IT.
    One additional comment about the report, as a whole, is 
that there appears to be no integrated response amongst the 
Federal IT enterprise to address supply chain risks. Agencies 
are left to their own devices to address this risky and complex 
threat. I find this very troubling.
    Today, we will hear testimony from two panels of witnesses. 
On our first panel, we are joined by Mr. Gregory Wilshusen, 
Director of Information Security Issues at GAO and his staff 
who assisted in drafting this report. We are also joined by 
representatives of two agencies who are the subject of the 
report, Mr. Mitchell Komaroff, Director of the Trusted Mission 
Systems and Network at the Department of Defense, and Mr. Gil 
Vega, Associate CIO for Security and Chief Information Security 
Officer at the Department of Energy.
    I look forward to their testimony and getting a much better 
understanding of the work they do to ensure the integrity of 
their agency's IT supply chain.
    I also want to welcome our second panel of witnesses who 
will provide us with an overview of the private-sector approach 
to identifying IT supply chain risk and using industry's best 
practices to mitigate them.
    We are joined by Mr. Larry Castro, Managing Director at the 
Chertoff Group and former National Security Agency Central 
Security Services representative to the U.S. Department of 
Homeland Security. Also joining us is Dave Lounsbury, Chief 
Technological Officer at The Open Group and International IT 
Standards Board.
    We welcome all of the second panel, also.
    As I mentioned previously, this is the subcommittee's third 
hearing in this Congress on cybersecurity. The purpose of this 
hearing in particular is to understand the threats and 
vulnerabilities to Federal IT supply chains and how best to 
ensure their integrity. I have enjoyed working with the ranking 
member on this matter and the minority in particular and look 
forward to our continuing cooperation on cybersecurity issues; 
and I yield to the distinguished ranking member, Ms. DeGette 
from Colorado.
    [The report is available at http://www.gao.gov/products/
GAO-12-361.]
    [The prepared statement of Mr. Stearns follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you very much, Mr. Chairman. I also 
appreciate the work that you have done on this issue and 
working with the minority.
    Ensuring the integrity of our information technology supply 
chain is critical to protecting our Federal systems against 
terrorists, counterfeiters, hackers, and other enemies. In 
1997, the Government Accountability Office made government-wide 
information security part of its biannual high-risk series. 
Since then, the government, like the private sector, has become 
more and more technology dependent and more and more reliant on 
private-sector hardware and software.
    Just to think of one example, think about how the census 
worked 2 years ago. What used to be collected via pad and 
paper is now collected and transmitted electronically.
    And with every new technology our Nation's infrastructure 
becomes more exposed to new threats and vulnerabilities. As 
more components are manufactured outside of this country, our 
technology systems become more vulnerable to infiltration by 
our foreign enemies. A few malicious lines of software code, 
cleverly hidden in a larger program, counterfeit hardware or 
software, and even malicious or unqualified service providers 
all present risk to the technology that drives our supply 
chain.
    In January of this year, President Obama launched the 
National Strategy for Global Supply Chain Security. I commend 
the President for taking supply chain issues seriously, but we 
as Congress also have an important role to play in ensuring the 
security and safety of these systems.
    Last month, as the chairman mentioned, this subcommittee 
held a hearing on cybersecurity threats to our electric grid. 
During that hearing, I asked our witnesses about the potential 
risk to the supply chain associated with devices connected to 
the grid. Richard Campbell, testifying on behalf of the 
Congressional Research Service, agreed if the wrong people were 
able to get improper access to these devices, they could do any 
number of dangerous things, including implanting a software bug 
in a smart meter's firmware and control its functions and the 
functions of the devices attached to it. A meter could be set, 
for example, to control the thermostat for a room containing 
servers, and a hacker could increase the temperature to destroy 
the servers.
    We know that counterfeit circuitry can cause critical 
devices or systems to malfunction. Logic bombs can be inserted 
into devices. These are systems that will lie dormant until a 
device engages in a certain activity, at which point they can 
overtake the device and any system associated with it.
    Our Federal Government, including the military, and the 
Department of Homeland Security is heavily reliant on the 
private sector to provide these devices and to vet them to 
ensure they are safe and secure. GAO's findings suggest that 
some of the agencies like the Department of Defense are on the 
right track to safeguarding their information systems from 
external threats, but other agencies, like the Department of 
Energy, still need to define supply line chain protection 
measures and develop implementing procedures and monitoring 
capabilities.
    However, this isn't just an issue for Federal agencies. 
Private companies also struggle to develop plans to prevent and 
respond to supply chain disruptions. That is why I am pleased 
to have the second panel here today to talk about how the 
private sector is addressing these issues. I look forward to 
learning about the threats and vulnerabilities they see in the 
hardware and the software systems companies purchase and sell 
and also what private companies are doing to ensure the 
products they provide to their customers are protected.
    In the cybersecurity context, we know that companies are 
not required to report these threats and vulnerabilities to the 
Federal Government, and we are aware that in certain instances 
companies have chosen not to do so, leaving Federal agencies in 
the dark about how widespread a problem is or whether it has 
been resolved. We need to hold everybody accountable for 
ensuring that our supply chain is safe, and that starts with 
ensuring that those who build and sell key supply chain 
hardware and software components are properly safeguarding 
their devices from threats.
    We must find ways to ensure that U.S. suppliers are 
responsible for the security of their foreign-made devices and 
systems. We must make sure that manufacturers are reporting 
threats, vulnerabilities, and cyber attacks quickly so that the 
government and the private sector can take appropriate actions. 
And, finally, we must make sure that the Federal Government is 
carefully vetting the information technology products they 
purchase.
    Mr. Chairman, I look forward to hearing from both of the 
panels about what work we can do to ensure our Federal 
technologies are as secure as possible; and I yield back the 
balance of my time.
    Mr. Stearns. Thank you, gentlelady; and I recognize Mr. 
Murphy. The gentleman from Pennsylvania is recognized for an 
opening statement.

   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Murphy. Yes, thank you, Mr. Chairman.
    On December 11, 1941, despite some warnings of what was to 
come and despite seeing clear planes flying towards Pearl 
Harbor, we slept. As the Korean war started, an intelligence 
lapse also meant that South Korea was overwhelmed. And when the 
Marine barracks in Lebanon were bombed, it occurred in the 
midst of dozens, perhaps hundreds of warnings that something 
was about to occur. We are now facing similar threats in the 
area of cybersecurity, and it is important that we do not sleep 
as this dawn is upon us.
    When we look at a measure of cybersecurity, such things as 
resilience, an ability to send out an alert, defending against 
an attack, being able to launch a counterattack and recover 
from an attack, unfortunately, many of the sectors that we know 
of, in agriculture and food, military, transportation, health, 
finance, banking, telecommunication, and energy, are all 
woefully inadequate in how they can act.
    Our country is at war with an enemy we cannot see, but the 
battle has the potential to inflict an incalculable amount of 
damage on our economy, our national defense, and families. A 
looming terrorist attack may not come in the form of a hijacked 
plane hitting a building but from a terrorist cell lurking 
inside of our computers at work and at home, ready to strike 
our banks or energy grid and other sectors.
    Cyber terrorists and hackers are not just unaffiliated 
rogue actors. They are highly trained special operations agents 
being employed by foreign countries.
    These startling developments and how the cyber war is 
evolving were revealed to me this past summer when I sat on a 
special cybersecurity task force formed by Speaker Boehner. 
These threats from abroad can manifest themselves in mysterious 
ways. Consider the potential weaknesses in our national 
security when the Marine Corps, Air Force, Federal Aviation 
Administration, and Federal Bureau of Investigation purchased 
counterfeit Cisco products that originated in China. Or that 
Beijing's military apparatus is tightening its rein over the 
country's technology sector, when we realize the People's 
Liberation Army has formed IT workers into so-called cyber 
militias within thousands of companies across China.
    The threat of foreign nations waging cyber warfare against 
the United States is so real that the Defense Department is 
raising red flags about Huawei Technologies, the world's 
largest manufacturer of computer hardware, acquiring Symantec, 
a security company whose software is installed on computers at 
homes, business, and Federal agencies across the country.
    We have to make sure that we are on alert for all levels of 
cybersecurity and following the IT purchasing line all the way 
through as well as monitoring software and people's access to 
our computers. This threat is very real, and it is very active 
in our country and around the world. Failure to act means, once 
again, at dawn we sleep.
    And with that I yield back.
    Mr. Stearns. The gentleman yields back.
    I don't see anyone on the minority side, so we will go 
right to the first panel.
    As you know, the testimony that you are about to give is 
subject to Title 18, Section 1001 of the United States Code. 
When holding an investigative hearing, this committee has a 
practice of taking testimony under oath. Do you have any 
objection to testifying under oath?
    Panel. No.
    Mr. Stearns. The chair then advises you that under the 
rules of the House and rules of the committee you are entitled 
to be advised by counsel. Do you desire to be advised by 
counsel during your testimony today?
    Panel. No.
    Mr. Stearns. In that case, will you please rise and raise 
your right hand, and I will swear you in.
    [Witnesses sworn.]
    Mr. Stearns. We now welcome each of you to give your 5-
minute summary of your written statement. Start with you.

  STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION 
  SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; MITCHELL 
   KOMAROFF, DIRECTOR, TRUSTED MISSION SYSTEMS AND NETWORKS, 
     DEPARTMENT OF DEFENSE; AND GIL VEGA, ASSOCIATE CHIEF 
  INFORMATION OFFICER FOR CYBERSECURITY AND CHIEF INFORMATION 
             SECURITY OFFICER, DEPARTMENT OF ENERGY

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Chairman Stearns, Ranking Member DeGette, 
and members of the subcommittee, thank you for the opportunity 
to testify at today's hearing on IT supply chain security.
    Mr. Stearns. I think you have to--do you have the mic on?
    Mr. Wilshusen. Yes, I do.
    Mr. Stearns. Just move it a little closer. That would be 
good.
    Ms. DeGette. You need to put it close.
    Mr. Wilshusen. OK.
    Thank you for the opportunity to testify at today's hearing 
on IT supply chain security.
    IT systems and the products and services that support them 
are essential to the operations of the Federal Government. 
These products and services are created and delivered through a 
complex global supply chain that involves a multitude of 
organizations, individuals, activities, and resources.
    My testimony today summarizes the contents of our recently 
issued report on IT supply chain risks and the extent to which 
the Departments of Energy, Homeland Security, Justice, and 
Defense have addressed these risks. But if I may first, Mr. 
Chairman, recognize some members of my team whose dedication 
and professionalism were instrumental to the development of 
this report.
    And this is Mike Gilmore.
    Mr. Stearns. What is Mike Gilmore's title? Can you give the 
title?
    Mr. Wilshusen. He is an assistant director for IT.
    Mr. Stearns. OK.
    Mr. Wilshusen. R.J. Hagerman, who is an analyst, and Kush 
Malhotra, who is also the analyst in charge for our engagement.
    Mr. Stearns. Thank you.
    Mr. Wilshusen. In addition, there are two members who are 
not here, Brad Becker and Lee McCracken, who are back in their 
offices, who also played a key role.
    Mr. Chairman, the exploitation of IT products and services 
through the supply chain is an emerging threat. IT supply 
chain-related threats can be introduced in the manufacturing, 
assembly, and distribution of hardware, software, and services. 
These threats include the insertion of harmful or malicious 
software and hardware, installation of counterfeit items, 
disruption in the production or distribution of critical 
products, reliance on unqualified or malicious service 
providers, and installation of software and hardware containing 
unintentional vulnerabilities.
    These threats can be exercised by exploiting 
vulnerabilities that could exist at multiple points in the 
supply chain. Examples of such vulnerabilities include 
acquiring products or parts from unauthorized distributors, 
using insecure transportation, storage, or delivery mechanisms, 
and installing hardware and software without sufficiently 
inspecting or testing them.
    These threats and vulnerabilities can potentially lead to a 
range of harmful effects, including allowing attackers to take 
control of systems or decreasing the availability of critical 
materials needed to develop or operate systems.
    The Departments of Energy, Homeland Security, Justice, and 
Defense varied in the extent to which they have addressed 
supply chain risks. Each of the four agencies participated in 
one or more interagency efforts to address supply chain 
security, such as developing technical and policy tools, 
collaborating with the intelligence community, and 
participating in the Comprehensive National Cybersecurity 
Initiative on supply chain risk management. These efforts are 
key to understanding and addressing global supply chain risk.
    However, with respect to establishing supply chain 
protection measures for their internal departmental systems, 
three of the agencies had not fully addressed Federal 
guidelines. These guidelines recommend that agencies, for their 
high-impact systems, define supply chain-related protection 
measures, develop procedures for implementing them, and monitor 
their effectiveness.
    However, Energy and Homeland Security had not yet taken 
these steps; and while Justice has defined supply chain 
protection measures, including a foreign ownership, control, 
and influence review, it had not yet developed implementing 
procedures or monitoring capabilities.
    The Department of Defense, on the other hand, has made 
greater progress. It has defined policies, requires program 
protection plans, issued a key practices and implementation 
guide, conducted pilot programs, and implemented a monitoring 
mechanism to determine the status and effectiveness of its 
supply chain protection pilots.
    In our recently issued report, we recommended that the 
Departments of Energy, Homeland Security, and Justice take 
steps as needed to develop and document policies, procedures, 
and monitoring capabilities that address IT supply chain risk 
to their internal systems. The departments generally agreed 
with our recommendations.
    In summary, Mr. Chairman, the global IT supply chain 
introduces risk that, if realized, could jeopardize the 
confidentiality, integrity, and availability of Federal 
information systems and adversely impact an agency's 
operations, assets, and employees. This risk highlights the 
importance for Federal agencies to take appropriate actions to 
develop, document, and implement the policies, procedures, and 
controls necessary to cost-effectively manage the associated 
risk.
    Mr. Chairman, Ms. DeGette, this concludes my statement. I 
would be happy to answer any questions at the appropriate time.
    [The prepared statement of Mr. Wilshusen follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Stearns. I thank you.
    Mr. Komaroff, you are welcome. Opening statement.

                 STATEMENT OF MITCHELL KOMAROFF

    Mr. Komaroff. Good morning, Mr. Chairman and distinguished 
members of the subcommittee. Thank you for this opportunity to 
testify regarding the efforts of the Department of Defense 
pertaining to supply chain risk management.
    My name is Mitchell Komaroff, and I am the Director of 
Trusted Mission Systems and Networks within the office of the 
DOD Chief Information Officer. I provided a written statement 
for the record but would like to give you a brief overview of 
the globalization challenge facing the Department and to 
highlight----
    Ms. DeGette. Can you move your microphone a little closer?
    Mr. Komaroff [continuing]. To highlight key elements of our 
strategy for managing the risks presented by it.
    The Department relies heavily on custom and commercial off-
the-shelf software, integrated circuits, computers, 
communication equipment, and other ICT, information 
communications technology, to stay on the cutting edge of 
technology development and to fulfill mission-critical 
operations. With increasing frequency, the Department and its 
commercial supplier base rely on foreign companies to produce 
the most advanced technology solutions.
    Although the globalization of the ICT sector has 
accelerated the pace of technical innovation, it has raised 
national security concerns. Through the increased globalization 
of the ICT supply chain, adversaries have more opportunities to 
introduce malicious code into the supply chain and to gain 
access or disrupt military systems. To address this challenge, 
DOD is implementing its trusted defense system strategy to 
improve the way we engineer and acquire systems and to reduce 
an adversary's ability to disrupt national security missions.
    For years, the Department has worked to better understand 
and manage the risk that DOD hardware and software may contain 
malicious code. We were first confronted with this problem in 
connection with the supply of trusted application-specific 
integrated circuits which we addressed through the Trusted 
Foundry program in 2003.
    The Department's strategy for achieving trustworthy systems 
in the face of supply chain risk contains the following core 
elements: one, prioritizing scarce resources based on mission 
criticality; two, planning for comprehensive program protection 
by identifying critical components and protecting them from 
supply chain risk informed by all-source intelligence; three, 
improving our ability to detect and respond to vulnerabilities 
in programmable logic elements; and, four, partnering with 
industry.
    I want to briefly highlight the importance of 
prioritization of our strategy. The difficulty of mounting and 
defending against supply chain exploitation focuses supply 
chain risk management on sensitive mission-critical systems. 
Accordingly, DOD policy levies additional supply chain risk 
management processes and practices on national security 
systems.
    Supply chain risk management represents a sea change in the 
acquisition process. It requires new institutional 
relationships between the acquisition and intelligence 
community and the application of operational security to the 
processes that historically we have sought to make transparent. 
It also requires engineering and test and evaluation 
capabilities that are still the subject of ongoing research.
    Recognizing these challenges would take time to implement, 
former Deputy Secretary Lynn directed an incremental 
implementation of supply chain risk management beginning with 
pilots in fiscal years 2009 and 2010, and requiring full 
operational capability by fiscal year 2016 for all national 
security systems.
    DOD is currently incorporating lessons learned during the 
piloting phase into permanent policy and practice. First, the 
Defense Intelligence Agency mission to support DOD acquisition 
with a supply chain threat analysis has been made permanent in 
DOD policy. To date, the Defense Intelligence Agency has 
performed approximately 520 analyses for DOD acquisition 
programs.
    Other key tenets have been institutionalized as well, such 
as directing that programs integrate criticality analysis, use 
of supply chain threat information, supply chain risk 
management key practices, and hardware and software assurance 
into program protection.
    DOD actively collaborates with industry on supply chain 
risk. One of our key goals is to facilitate the development of 
commercial global sourcing standards. DOD has been 
collaborating with 20 other government and industry 
organizations towards the development of standards under the 
umbrella of ISO, the International Organization for 
Standardization. DOD is also actively engaged in The Open 
Group's Trusted Technology Forum.
    Within DOD, we have made a significant start to 
institutionalizing supply chain risk management but still have 
a long way to go. Our key objective for fiscal year 2012 is 
fully incorporating these concepts into information assurance 
and acquisition policies and expanding these new processes from 
the military departments to defense agencies. DOD has 
collaborated on these issues within our agency regarding 
proposed policies and best practices, such as the NIST 
interagency report and the Committee on National Security 
Systems Directive 505, both entitled Supply Chain Risk 
Management.
    In conclusion, mitigating risk to U.S. Government missions 
arising out of the global supply chain from information and 
communications technology is vital to our national security. 
The Department looks forward to continuing the collaboration 
with our interagency and industry partners to manage this risk.
    Thank you for the opportunity, and I look forward to 
answering any questions you may have.
    [The prepared statement of Mr. Komaroff follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Stearns. Thank you very much.
    Mr. Vega.

                     STATEMENT OF GIL VEGA

    Mr. Vega. Good morning, Chairman Stearns, Ranking Member 
DeGette, and members of the subcommittee. My name is Gil Vega, 
and I am the Associate Chief Information Officer for 
Cybersecurity at the Department of Energy. I also serve as the 
Department's Chief Information Security Officer. Thank you for 
this opportunity to testify today on the GAO report that is the 
subject of today's hearing.
    The Department of Energy appreciates the work performed by 
the GAO to identify opportunities to improve mission 
effectiveness by reducing IT supply chain risks. DOE shares 
GAO's concerns for these risks, which not only impact our 
missions but those of all Federal agencies and the private 
sector.
    DOE actively supports the goals outlined in the 
administration's recently released National Strategy for Global 
Supply Chain Security, and by leveraging the exceptional talent 
of the people in DOE we are committed to addressing these 
challenges.
    It is clear that supply chain, including IT supply chain, 
vulnerabilities threaten the missions of DOE and other 
agencies. As the Department's Chief Information Security 
Officer, I am briefed daily on the active and persistent nature 
of threats directed at DOE. One of my primary roles is to 
evaluate these threats to our unique full-spectrum mission from 
open science to energy research, to nuclear security, and 
establish effective agency-wide programs to mitigate the 
associated risks in a cost-effective manner.
    In my short time at DOE, I have been privileged to work 
with cybersecurity leaders in our National Laboratories and 
with interagency partners who are committed to addressing this 
national-level challenge by partnering and sharing information 
and best practices with each other. Aligned with the 
Secretary's goals related to energy, economic, and national 
security, we are leveraging the expertise of our National 
Laboratories to develop processes and technology to effectively 
secure DOE's IT assets and to protect the Nation's critical 
infrastructure.
    To address cybersecurity threats, you must first build 
sound foundational components and recognize that no single 
organization can eliminate all risk. Recently, DOE has been 
successful in developing and delivering several key 
foundational elements to properly address the broader 
cybersecurity threats that we face while strengthening our 
ability to meet the wide range of mission goals.
    For example, DOE has developed and is implementing an 
agency-wide NIST-based risk management approach that raises 
corporate threat analysis and risk decision-making to senior 
management levels of DOE and serves as a corporate foundation 
for managing our mission and investments with acceptable levels 
of risk.
    DOE is also implementing the Joint Cybersecurity 
Coordination Center, which is delivering a new cybersecurity 
ecosystem based on consolidated monitoring and reporting, 
information sharing and analysis, and coordinated incident 
response capabilities across the Department. This is critical 
to the effective monitoring of mitigation strategies meant to 
address advanced cyber threats.
    As I previously stated, DOE recognizes the value and timing 
of the GAO review and concurs with GAO's recommendations. 
Specifically, we are already addressing these in a coordinated 
manner as follows: by actively participating in the national-
level policy discussions on supply chain risk management; by 
developing a supply chain cybersecurity strategy and policy 
that will foster DOE's interagency relationships and support 
the unified approach described in the administration's 
strategy; by developing a plan to implement the requirements of 
the recently released Committee on National Security Systems 
Directive 505; by working closely with the National 
Counterintelligence Executive and the broader national 
intelligence and national security communities to stay abreast 
of and counter new and growing threats to the Nation's IT 
infrastructure; and, finally, by partnering with both DHS and 
DOD, industrial control system manufacturers, and energy-
critical infrastructure operators to identify and mitigate 
risks to industrial control systems.
    We must also recognize the importance of the role played by 
DOE's National Laboratories, which have been at the forefront 
of identifying and mitigating vulnerabilities in the supply 
chain. DOE's National Laboratories have developed and are 
actively involved in improving capabilities in software and 
hardware assurance to mitigate risks, particularly to our 
national security systems and to the safety, security, and 
reliability of the Nation's nuclear weapons stockpile. DOE 
works closely with other agencies on these emerging 
capabilities.
    In conclusion, we believe that GAO understands the national 
challenge that IT supply chain risks pose to all Federal 
agencies as well as to the private sector and believe further 
congressional support for a nationally coordinated response is 
required.
    Again, DOE strongly supports the goals of the President's 
strategy, which seeks to align Federal activities across the 
United States Government, including in our partnerships with 
industry. DOE believes that this unified approach is the right 
approach and that policies and standards to address IT supply 
chain risk management must be coordinated at the national 
level.
    Thank you for this opportunity to discuss the report's 
findings.
    Mr. Chairman, this concludes my statement, and I look 
forward to answering all of your questions.
    [The prepared statement of Mr. Vega follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Stearns. Thank you, Mr. Vega.
    Let me just open up with just sort of a general statement 
when we are talking about IT supply chain. And this is a 
question for each of you. Would you think that the biggest 
emerging threat to the government and consumers is this IT 
supply chain? Just yes or no.
    Mr. Wilshusen. No.
    Mr. Stearns. No, OK.
    Mr. Komaroff? Yes or no?
    Mr. Komaroff. For some systems, yes.
    Mr. Stearns. Mr. Vega?
    Mr. Vega. I would say no.
    Mr. Stearns. No, OK.
    And when you talk about supply chain, I just want to define 
it. Are we talking about smartphones, computers, TPS devices, 
smart grid devices? Have I missed out anyone of the list I gave 
you?
    Mr. Wilshusen. It could be any--the whole--the whole slew.
    Mr. Stearns. A panoply of many devices.
    Mr. Wilshusen. So there are additional types of devices and 
components of those devices, to include servers----
    Mr. Stearns. Of the four I mentioned, you think there could 
be more.
    Mr. Wilshusen. Yes.
    Mr. Stearns. OK, and--I am just trying to get a general, 
what we are talking about, if I can.
    Mr. Komaroff. Yes, sir. So----
    Mr. Stearns. More than those four devices we could be 
looking at.
    Mr. Komaroff. Yes, there is a huge number.
    Mr. Stearns. OK, huge number. Can you give me maybe an 
ancillary one that we haven't thought about?
    Mr. Komaroff. Well, there are just dozens, and dozens of 
varieties of integrated circuits that----
    Mr. Stearns. Oh, OK.
    Mr. Komaroff [continuing]. Some systems integrators go out 
into the commercial marketplace to acquire.
    Mr. Stearns. OK, Mr. Vega?
    Mr. Vega. I am not sure if I heard you say, but the 
underlying telecommunications infrastructure is another one 
that we are concerned about.
    Mr. Stearns. OK. Mr. Wilshusen, this question is for you. 
You have identified risk to unprotected systems including 
malicious code on hardware and software, counterfeit hardware 
or software, reliance upon malicious or unqualified service 
provider. What do you see as the two greatest threats to our IT 
supply chain?
    Mr. Wilshusen. I would say first, one would be the 
introduction or insertion of malicious code to hardware and 
software and also, presently, counterfeits. Counterfeit items 
have been on the increase, and certainly they can have a 
debilitating effect on systems that are currently in operation.
    Mr. Stearns. Can you give the committee a list of specific 
examples?
    Mr. Wilshusen. Sure.
    Mr. Stearns. Examples of threats, I mean.
    Mr. Wilshusen. Well, threats and also incidents, if you 
will. You know, there is--back in 2010, the Department of 
Commerce issued a report that identified, did a survey of 
companies that participated in the DIB, Defense Industrial 
Base; and of the 387 companies that participated in the survey, 
39 percent of them encountered counterfeit electronics during a 
4-year period. And what's more, the number of incidents of 
those counterfeit items increased 140 percent over the 4-year 
period, from about 3,800 items in 2005 to over 9,000 in 2008.
    Mr. Stearns. All right. Mr. Komaroff, yesterday the GAO 
released a different report on counterfeit military parts 
manufactured overseas showing the prevalence of counterfeit 
parts in the DOD's Internet purchasing system. Has the work you 
have done led to a similar conclusion?
    Mr. Komaroff. Yes, sir. So I don't want to speak to the 
exact conclusions contained in that report, but within the 
report that we submitted to the Congress in 2010 in response to 
the 2009 Defense Authorization Act, the report entitled Trusted 
Defense Systems where we outlined our strategy, we did 
identify, you know, risks during the sustainment and, in 
particular, counterfeits as a strategic gap in our strategies. 
And since that time immediately began working it within the 
Department and then more recently in collaboration with the 
intellectual property coordinator. And policy has been issued 
within the Department identifying the Assistant Secretary for 
Supply Chain Integration as the lead for the Department on 
counterfeit issues, and the Department is pressing forward to 
work those issues.
    Mr. Stearns. What is the common specific threat to DOD 
supply chain that you have identified?
    Mr. Komaroff. The common threat, sir?
    Mr. Stearns. What is the most common threat to the 
Department of Defense's supply chain?
    Mr. Komaroff. The most common occurring threat, presumably, 
would be in the realm of the counterfeit issue because of its 
prevalence. Again, that is a different--typically, a different 
sort of threat actor and is more of a threat to the 
effectiveness of reliability engineering than the kind of 
threat that would be presented, for instance, with a--you know, 
an attempt by a foreign intelligence service to insinuate 
itself into a national security system of great importance.
    Mr. Stearns. Mr. Vega, can you specifically give me actual 
cyber attacks or threats to the Department of Energy's systems 
because of vulnerability? Can you give any specific examples?
    Mr. Vega. If I could----
    Mr. Stearns. Or are you aware of any cybersecurity threats, 
attacks to the Department of Energy? You don't have to get into 
detail, but, I mean, are you aware of any specific threats?
    Mr. Vega. Absolutely, and I would say, Chairman, that our 
number one concern at the Department of Energy are the 
coordinated efforts by some adversaries whose capabilities in 
the arena of computer hacking are world class. We have all read 
about these advanced persistent threats. We have had experience 
at the Department of Energy with incidents involving these 
threat actors, and that continues to be a major area of concern 
for us.
    Mr. Stearns. All right, my time is expired. The gentlelady 
from Colorado.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    I am glad to see again Mr. Wilshusen. When you were last 
here, you talked about cybersecurity risks for the electric 
grid, and we talked then about the risk of cyber attacks on the 
electric grid supply chain. So now I am happy to have you back 
to talk about the threats and vulnerabilities in the IT supply 
chains.
    What are the key IT supply chain threats to Federal 
agencies?
    Mr. Wilshusen. Well, we would say that it would include the 
insertion of malicious or harmful software and hardware into 
the environment. The installation of counterfeit items 
certainly would be key to that and also any potential 
disruption in the production or distribution of these key 
items. Certainly, that would also have a role in the key 
threat.
    And also I would finally say, too, in terms of the 
installation of software, hardware that contains unintentional 
vulnerabilities, and these would be, for example, like design 
flaws in the equipment or software defects and coding defects 
into the software.
    Ms. DeGette. That could be taking advantage.
    Mr. Wilshusen. Yes. And indeed we often find that such 
defects are indeed taken advantage of once the software is in 
fact placed into operation at agencies.
    Ms. DeGette. And do you think most of the threats come 
through commercial items that are purchased by the Federal 
Government?
    Mr. Wilshusen. Yes, in some form or manner.
    Ms. DeGette. So why then are the Federal agencies relying 
so heavily on these commercial components? Are there incentives 
in place for them to purchase these commercial items versus 
developing IT products in-house?
    Mr. Wilshusen. Certainly. And I think it is the 
administration's policy to take full advantage of those 
commercial off-the-shelf products, both from cost savings as 
well as the functionality that they provide. It always gets 
back to kind of a risk management decision on whether or not we 
should use commercial products or potentially develop inside.
    Ms. DeGette. And, in fact, there is an OMB circular that 
encourages agencies to purchase the off-the-shelf items 
wherever possible, is that correct?
    Mr. Wilshusen. That's correct.
    Ms. DeGette. Mr. Komaroff, you are nodding your head yes, 
too.
    Mr. Komaroff. As I understand the matter, it has been a 
long-term Federal policy for so many years.
    Ms. DeGette. It is not just new under this administration.
    Mr. Komaroff. That's correct.
    Ms. DeGette. It has been in place for a long time.
    And even independent of the statutory incentives, is it 
even conceivable that Federal Government agencies would rely on 
noncommercial IT components for the majority of the source, Mr. 
Wilshusen?
    Mr. Wilshusen. For the majority of its equipment?
    Ms. DeGette. Right.
    Mr. Wilshusen. Probably not, but there certainly would be 
instances, they may want to do something in a trusted 
environment in terms of developing a system or components of 
systems, particularly for those that have a great deal of 
sensitivity and criticality to potential----
    Ms. DeGette. So we are talking today about addressing the 
IT supply chain threats, and that is important, but we 
shouldn't forget that these threats impact more than the 
Department of Defense and the Department of Energy. It is fair 
to say, isn't it, Mr. Wilshusen, that the threat you just 
described can also impact private-sector commercial purchasers 
of IT products, correct?
    Mr. Wilshusen. Absolutely.
    Ms. DeGette. And the issue of commercial impact is 
important, too, because much of our critical infrastructure, 
like the electric grid, for example, is run by private 
companies, and that is a network of private and public. So as 
the systems become more interoperable the repercussions of one 
single flawed component piece become more powerful, is that 
right?
    Mr. Wilshusen. I would agree.
    Ms. DeGette. So not all companies have the ability to 
closely vet IT supply chain threats to the product components 
they purchase, do they?
    Mr. Wilshusen. No.
    Ms. DeGette. And let me just give you an example. If there 
is a small business who is a contractor and they have one or 
two employees, they might not be able to make sure that the 
software they purchase isn't counterfeit or hasn't been 
infected with some kind of malware, is that right?
    Mr. Wilshusen. That is very likely.
    Ms. DeGette. So can you give us some advice about what the 
right balance is here? You know, the Federal Government can't 
always ensure the security of every single purchase by even 
every single one of their contractors or their subcontractors. 
So what is the best way for us to use Federal resources to try 
to, as best we can, achieve the goal of a secure supply chain?
    Mr. Wilshusen. Well, I think there are a couple of things. 
First of all, the Federal agencies and under the Comprehensive 
National Cybersecurity Initiative, which is led by DHS and DOD, 
and they have developed a working group to look at different 
activities, threat assessment tools, and other best practices 
that could potentially be used to assess and to try to mitigate 
the risk associated with supply chain. And certainly, to the 
extent--I should say a key focus of that initiative is to 
partner with the private sector. And certainly the private 
sector is a key part of the whole IT supply chain. And working 
with the private sector and using some of the tools developed 
by these agencies could be of benefit to others.
    Ms. DeGette. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Stearns. Mrs. Myrick is recognized for 5 minutes.
    Mrs. Myrick. Thank you, Mr. Chairman.
    I appreciate you all being here, and I appreciate your GAO 
report. It is an issue I have been spending a lot of time on 
lately. I am especially concerned about foreign, state-owned 
governments and militaries who are providing equipment, trying 
to get a foothold into this area. China is the main one that I 
have spent time on.
    And my concern is twofold. One, of course, with our 
government agencies, and I agree that the working groups are 
doing a much better job of trying to look over the whole 
spectrum of what is needed within the government.
    But going back to the question of the private sector and 
how we relate, because a lot of what we buy we buy from the 
private sector as well, and they maybe don't know that they are 
either buying a piece of equipment or a router or something 
that is not good. Do we--I know we work with them, but how are 
we looking at, across the industry, is there anything else that 
you think we can do relative to putting more certainty into the 
fact that they know what they are doing and what they are 
providing to us?
    That is one question.
    Mr. Wilshusen. OK, I would say certainly, you know, with 
the interagency working groups that are looking at this, and 
indeed the administration just came out in January with its 
National Strategy for Global Supply Chain Security, and one of 
the focuses of that particular strategy is to work with the 
private sector and State and local governments as well----
    Mrs. Myrick. Right.
    Mr. Wilshusen [continuing]. And other stakeholders to look 
across the entire spectrum in looking at the threats, the 
vulnerabilities, getting a better awareness of those, and then 
to work collaboratively and develop the tools and techniques to 
try to mitigate that. So that certainly is a goal of this 
strategy.
    One of the things that we noted in looking at this 
strategy, however, is that it seems to focus on the movement of 
goods and services from point A to point B----
    Mrs. Myrick. Right.
    Mr. Wilshusen. --to point C and not really address the 
manufacture or the assembly and integration of those products 
and components into supply--or into full systems. And that's 
something that should probably be--something that we just 
notice in looking at it.
    Mrs. Myrick. Well, part of that also is price. Because 
everybody is looking at price today, and they want to buy 
cheap. And the foreign governments or the foreign militaries or 
the people who are part of these companies are literally 
dropping their price so low that our companies can't compete 
with them, and so people will buy it just because it is 
cheaper. And we see that over and over and over again. And it 
is very frightening to me, because we are at such high risk 
from the things that they can do to us.
    And so, you know, I just encourage all of you, I know you 
do it every day, but anything that you can do, you know, to 
look at this and your supply chain of what you buy and how you 
work with the private sector to help them, I would sure 
appreciate. Because it is not going to get better. It is going 
to get worse. The ways that they are trying to get equipment 
into here are frightening to me.
    So I yield back, Mr. Chairman.
    Mr. Stearns. Mr. Scalise is recognized for 5 minutes.
    Mr. Scalise. Thank you, Mr. Chairman. I appreciate you 
having this, and I appreciate the panelists who are here with 
us on the GAO report on supply chain.
    I apologize if this was already brought up. Mr. Vega, on 
the Department of Energy, there were some issues that they had 
brought up. I think they--you know, on DOD, they had a pretty 
good assessment there, but on DOE they had raised some issues. 
And, you know, especially when you look at some of the 
sensitive nature of some of the things that the Department of 
Energy has and, of course, management of our nuclear weapons 
stockpile, among other things. If you could just kind of give 
me your take on the issues that were brought up in that GAO 
report.
    Mr. Vega. Sure. I thank you for the question.
    I think the report brings up some very good 
recommendations, and I think there is some room at the 
Department of Energy to be more explicit about the policy 
relating to supply chain risk management and also about the 
processes and also the controls to the systems to monitor the 
implementation of those processes.
    But I will tell you that the Department of Energy is very 
active in delivering some very foundational elements that are 
associated with detecting, mitigating, and responding to many 
different types of threats targeted at the Department of 
Energy. We have many threats that we are concerned about. 
Supply chain risk management is certainly one of those. You 
heard me talk about the organized attackers that target 
government agencies. There are also trusted insiders that we are 
focused on detecting and responding to, a whole litany of 
different threats are pointed at not only to the Department of 
Energy but other Cabinet agencies as well.
    Our focus on supply chain, however, is in the broader sense 
related to the risk-management approach that the Department of 
Energy is embarking upon. Recently, in the past year, the 
Department of Energy has implemented this new risk-management 
approach which is mission-focused and allows--and directs those 
business owners to direct limited resources at the things that 
are most important to the mission and the most sensitive--the 
most sensitive data.
    My office has issued architectural frameworks that actually 
direct these business and system owners to account for supply 
chain risk management as part of their overall risk-assessment 
process.
    Mr. Scalise. In the last year, have you all had any 
reported incidents--and I open this up to everybody--you know, 
what kinds of things that have happened and, you know, have 
you--we hear in the private sector all the time a lot of high-
profile examples of systems that were violated, breaches that 
occurred; and, in some cases, we have identified back to 
specific countries where this is happening, you know.
    Have you had any of those experiences as you encounter some 
of the things that are happening, in some cases possibly 
government-led, by foreign governments? Do you all talk to the 
State Department, you know, to try to get--to get some of those 
problems addressed at the State level where we know there's 
some foreign countries that are trying to break into our 
systems, both government and private sector?
    Mr. Vega. Without getting into too many specifics, the 
Department of Energy has experienced recent events that have 
been widely publicized in the past year at some of our National 
Laboratories. Without speaking directly to the nation-state 
implications of those events, I will tell you that the 
Department of Energy is engaged at the interagency level with 
the White House on a government-wide response to these advanced 
threats, and I would be more than happy to talk to you more in 
a closed session about what some of those discussions entail.
    Mr. Scalise. Sure. Mr. Komaroff?
    Mr. Komaroff. I would defer, you know, to others on the 
broad spectrum of cyber-related exploitation that could be 
affecting the Department's systems and networks. I think that 
that shades into the presence of counterfeits and components 
and what have you that have been identified within the 
Department. I don't think that there is strong enough evidence 
to present a no-kidding instance of what I would call a true 
supply chain exploitation accounting for any one of them.
    Malicious code account--malicious code, so-called, accounts 
for, which is generally code injected into systems, typically 
remotely, frequently exploits the kinds of weaknesses and 
security defects in devices that we acquire. That is kind of a 
different problem and is the basics of information assurance 
and cybersecurity.
    Supply chain risk, as we address it, represents a much 
smaller set and much more difficult to discern. There will be 
instances where we put two and two together, see a threat 
actor, and examine equipment and find weaknesses associated 
with it. Those weaknesses frequently could be explained as 
either security related defects or the failure to close 
engineering-type back doors and what have you.
    Ultimately, it is a subtle matter trying to discern whether 
or not a particular instance is the case of an explicable--an 
otherwise explicable defect or a no-kidding supply chain 
exploitation.
    Mr. Scalise. I see my time is up.
    Mr. Stearns. I appreciate it.
    The gentleman from Texas, Mr. Green, is recognized for 5 
minutes.
    Mr. Green. Thank you, Mr. Chairman.
    American manufacturers rely heavily on the global supply 
chain to build products and hardware, for the devices can be 
made and assembled in any country in the world. Software code 
can be written everywhere. This means that foreign governments 
can have access to these components at several entry points, 
and these components can make their way into any number of 
places via government entities or private-sector uses through 
critical infrastructure components and controls and even 
through personal electronics.
    Mr. Wilshusen, are most IT product components manufactured 
in the U.S.?
    Mr. Wilshusen. I would say no.
    Mr. Green. Do you know where a lot of these components are 
manufactured?
    Mr. Wilshusen. It could be anywhere--anywhere on the 
planet, generally.
    In the report we just issued, we have a diagram of a 
laptop, and from that we identified various different 
components of your basic laptop like the LCD, the motherboard, 
circuits, memory, storage and hard drives, and each of those 
products could come from any number of multiple different 
countries, except for the motherboard. I think we only found 
that coming from Taiwan, but----
    Mr. Green. Oftentimes, the purchaser of the ultimate 
product isn't aware of where all the components are from. 
Because, again, even an individual, if you buy your cell phone 
or your--you know, BlackBerry or whatever. So a government 
entity could purchase a product from an American brand and not 
be--and be unaware of where all the component pieces in it were 
manufactured or assembled.
    Mr. Wilshusen. Yes, I would say definitely so.
    Mr. Green. This leaves government purchases heavily 
exposed, and right now companies are not obligated to inform 
the government in commercial or individual purchases of where 
the products they sell come from.
    Mr. Wilshusen, do government entities currently track where 
all of their components come from?
    Mr. Wilshusen. No, they don't. And particularly one of the 
objectives that we had in our report that we issued dealt with 
the extent to which the four agencies that we went to--Energy, 
Homeland Security, Justice, and DOD--on the extent to which 
they tracked the foreign location of these components, and none 
of them actually tracked those.
    But then again they weren't required to track it either, 
and there is a thought that trying to do so would be cost-
prohibitive and that perhaps a more indicative--or an 
indication of the threat and risk would be not so much location 
of a facility where a component is prepared but more it is the 
influence that either a foreign intelligence service or some 
other organization may have over the entity, not its direct 
location.
    Mr. Green. So the obstacle is just the cost and the time 
frame. But is there a way that those four agencies have 
identified that they can make sure what they are purchasing has 
not been either compromised--or to the point of maybe even the 
quality, not to the point--I am not saying sabotaged but the 
quality would not be to the level we expect.
    Mr. Wilshusen. Well, one of the activities that these four 
agencies are conducting to an extent are threat assessments on 
certain level of acquisitions. Typically, these may be for the 
most highly sensitive acquisitions, and these threat 
assessments are for a particular product or service on a 
particular acquisition. And those threat assessments are then 
considered and, in some instances, are being provided to a 
database or repository that is being kept by the Office of the 
National Counterintelligence Executive.
    Mr. Green. OK, Mr. Komaroff and Mr. Vega, what are your 
agencies doing to address some of these obstacles on the 
quality or the concern of the products we are using?
    Mr. Komaroff. Do you want to go first?
    Mr. Vega. Sir, so at the Department of Energy, we rely on 
most of our competitively purchased IT commodity items. We rely 
on the General Services Administration through their 
contracting process to deliver those to the Department of 
Energy. While there is some assurance, I believe, in the 
processes at GSA to validate pedigree of some of these devices 
and technologies, we understand that there is more we can be 
doing.
    I will tell you that we are very much engaged with the 
Office of the National Counterintelligence Executive in some 
piloted procurement working groups to help--to better help 
understand what the actual threat to the Department of Energy 
is when dealing with some of these manufacturers.
    Mr. Green. Mr. Chairman, given our Nation's reliance on 
components manufactured outside the U.S., I think it is 
important that we do everything in our power to ensure that, at 
the very minimum, we know where the threats may lie. It is 
important for manufacturers to be up front about where the 
products they sell come from. It is also important for Federal 
agencies to carefully vet the products they purchase. Securing 
our supply chain is not simply a private-sector problem or 
Federal Government agency problem, because it really affects 
all of us. And so I appreciate the chance to have this hearing.
    Mr. Stearns. I thank the gentleman.
    And the gentleman from Georgia is recognized for 5 minutes.
    Mr. Gingrey. Mr. Chairman, thank you.
    Mr. Vega, last year, Bruce Held, the DOE's Director of 
Intelligence and Counterintelligence, noted that if a malicious 
actor controls your hardware or software, they control your 
system. Held went on to explain that the military does check 
the hardware and software in these systems for security 
vulnerabilities and possibly malicious code but that this would 
be very costly for the private-sector companies. Do you agree 
with Mr. Held?
    Mr. Vega. I do agree with Mr. Held.
    Mr. Gingrey. Are the IT products and service providers that 
you deal with checking their products?
    Mr. Vega. Sir, I would have to answer that I believe some 
of our vendors have programs to vet their supply chains, and 
some do not.
    Mr. Gingrey. And are you attempting to verify that they do? 
Is that part of what you are doing?
    Mr. Vega. I think what we are doing, sir, is we are 
embarking on the process of developing explicit direction to 
our IT purchasers across the Department to do exactly that.
    Mr. Gingrey. Has DOE ever identified a cyber incident or 
control systems incident that could be attributed to corrupted 
hardware or software linked to a supply chain vulnerability?
    Mr. Vega. Sir, I would have to say in my short time at DOE 
I have not been made aware of any confirmed supply chain threat 
that has been realized at the Department. Doesn't mean there 
isn't. I am just not aware of one.
    Mr. Gingrey. And you told us in your opening testimony you 
have been with DOE in this position for how long?
    Mr. Vega. A little bit more than 8 months, sir.
    Mr. Gingrey. And before that?
    Mr. Vega. I was the Chief Information Security Officer at 
Immigration and Customs Enforcement in the Department of 
Homeland Security.
    Mr. Gingrey. Thank you, Mr. Vega.
    Mr. Vega. Thank you.
    Mr. Gingrey. I want to direct the next question, Mr. 
Chairman, to Mr. Wilshusen.
    To what extent will your report, the GAO's report work, 
shed light on critical infrastructure security? What role does 
the Department of Homeland Security, for example, have in 
coordinating information over supply chain challenges?
    Mr. Wilshusen. Well, with regard to your first question, 
with regard to the critical infrastructure protection in that, 
it would address it to the extent that as it relates to IT 
supply chain, the threats and vulnerabilities. What we found 
with regard to the supply chains that affect Federal systems 
and Federal agencies would also likely affect the private sector, 
because it is generally coming from the same global supply 
chain area.
    Mr. Wilshusen. And so in that respect it would be similar.
    Mr. Gingrey. Well, you know, it is one thing to ensure 
standards for off-the-shelf software used by U.S. Government, 
but how do you communicate supply chain risk to the purchasers 
of specialized control systems software made internationally 
for use in very critical infrastructure?
    Mr. Wilshusen. Well, in terms of standards, the Federal 
Government is pretty much just setting up for what its agencies 
need to do in terms of securing its software, but if a 
particular agency needs a particular security requirement on 
its products and it is acquiring those from a private sector 
organization, it would typically identify what those are in the 
contractual mechanisms that exist with that particular company 
to determine we need these particular security requirements in 
our software, in our hardware, in our systems, and then assure 
that the private sector organization is able to deliver.
    Mr. Gingrey. What metrics do you have in measuring progress 
on this front?
    Mr. Wilshusen. I am not sure there are that many metrics in 
that particular area that exist.
    In terms of percentage of contracts that have security 
requirements, I don't know of that.
    Mr. Gingrey. Mr. Chairman, that's all the questions that I 
have, and I yield back the last minute.
    Mr. Stearns. I thank the gentleman. I think Mr. Gingrey 
made a good point, Mr. Vega. Will the Department of Energy 
finish its process of giving guidance to your suppliers for 
them to promote their supply chain's integrity? When is that 
date going to be?
    Mr. Vega. Sir, it is hard to predict how long it will take 
for the Department.
    Mr. Stearns. Isn't DOE in charge of our nuclear stockpiles?
    Mr. Vega. Yes, they are, sir.
    Mr. Stearns. OK. It seems like you should have an answer. I 
mean that's a strategic area that we want to be sure that you 
are protecting, and yet I would just like to actually get a 
date of when you are going to do something.
    Mr. Vega. Absolutely, our current----
    Mr. Stearns. This whole process.
    Mr. Vega. I am sorry. Our current risk management policy 
requires our under secretary organizations to account for 
supply chain risks within their risk management.
    Mr. Stearns. So you don't have a date then? Huh? That's OK, 
I understand. How long has this been going on then?
    Mr. Vega. I'm sorry, how long has what been going on, sir?
    Mr. Stearns. This whole process of trying to figure out, to 
give guidance to your suppliers. You can't give a date when you 
are going to complete it. Have you started it?
    Mr. Vega. We have started engaging the various programs----
    Mr. Stearns. Engaging? You started engaging.
    Mr. Vega. We have started engaging.
    Mr. Stearns. And how long has this process been going on?
    Mr. Vega. It has been going on since we were first 
contacted by GAO.
    Mr. Stearns. Which is when, how long ago?
    Mr. Vega. Since March of this year.
    Mr. Stearns. OK. So you have only started this month--this 
month you just started the whole process of giving guidance to 
your suppliers to promote the supply chain integrity. So you 
have only been doing it for 2 weeks, is that true?
    Mr. Vega. With regard to the findings for the GAO report, 
that is true. However, there are a lot of other activities 
ongoing within the Department.
    Mr. Stearns. Because I think many of us are concerned that 
the GAO report shows that DOE is the furthest behind in 
developing IT supply. You have confirmed it today that it is 
only the last couple weeks that you've even thought about 
giving guidance to your suppliers dealing with supply chain 
integrity.
    Let me ask this question.
    Ms. DeGette. Can I just follow up?
    Mr. Stearns. Well, you can take your own time. You can have 
a second time on this.
    Ms. DeGette. But I just want to----
    Mr. Stearns. The gentlelady will suspend. I am involved 
with a question here.
    For example, DOD is in the process of using its 
intelligence authority in its procurement process. Does the 
Department of Energy have enough information, enough 
information to evaluate its vendors or could you benefit from 
more information?
    Mr. Vega. We can always benefit from more information, and 
we could always benefit from better collaboration. I will tell 
you that we are engaged in the interagency very actively with 
DOD, DHS, and the White House to share information and best 
practices, not only internally with DOE but also with our 
Office of Electricity Delivery and Energy Reliability.
    Mr. Stearns. OK. I think what happened is Mr. Gingrey had 
time and they kept my time, so I still have more time in the 
original 5 minutes which I was taking. So I assume I have 
another 2 minutes or so.
    Let me ask you this, Mr. Vega. Are you aware of any cyber 
attacks or threats to DOE systems that were because of a 
vulnerability in a supply chain?
    Mr. Vega. I am unaware of any.
    Mr. Stearns. OK. What types of supply chain threats has the 
DOE ever faced?
    Mr. Vega. Well, I think we faced supply chain risk to our 
nuclear surety program.
    Mr. Stearns. To your what program?
    Mr. Vega. To our nuclear surety program.
    Mr. Stearns. How about your nuclear stockpile program, have 
you--yes or no.
    Mr. Vega. Yes, which is why the Department actually 
operates two trusted foundries at both Kansas City and Sandia 
to provide for the surety of that mission.
    Mr. Stearns. Well, based upon this I think you should have 
been ahead of the curve instead of just the last 2 weeks giving 
guidance to the suppliers.
    What specifically is DOE doing to partner with industrial 
control system manufacturers and energy critical infrastructure 
operators to identify and mitigate risk to industrial control 
systems?
    Mr. Vega. Our organization has been working closely with 
the Office of Electricity Delivery and Energy Reliability to 
share lessons learned and best practices at the Department with 
the sector on control systems. However, that organization is 
led by an assistant secretary, Assistant Secretary Hoffman. I 
would be glad to take your questions back for the record to get 
more information on the lessons learned.
    Mr. Stearns. All right. What is the one risk or threat to 
Federal IT supply chains you are most concerned about and what 
are you doing to address it?
    Mr. Vega. I'm sorry, I couldn't hear the beginning of your 
question.
    Mr. Stearns. What is the one risk or threat to Federal IT 
supply chains you are most concerned about at DOE?
    Mr. Vega. I can't say that I am concerned more about a 
specific IT supply chain risk. I think we have heard many from 
our panelists here. There are many that can be manifested in 
our environment if we are not careful. As I said in my remarks, 
we have spent a lot of time and energy developing foundational 
elements to help us detect, mitigate and respond to that threat 
as well as many other threats we are facing.
    Mr. Stearns. I think we will recognize Ms. DeGette.
    Ms. DeGette. Mr. Chairman, I was just trying to follow up 
on the question you were asking of Mr. Vega. Mr. Vega, you said 
that you guys have just started this process with the 
contractors this month, correct?
    Mr. Vega. In response to the GAO report, that is correct.
    Ms. DeGette. And so when do you expect that process to be 
completed?
    Mr. Vega. We have--we expect that process to follow our 
internal----
    Ms. DeGette. Yes, I understand that, but when do you expect 
it to be completed? You wouldn't give the chairman a date, but 
perhaps you have a time frame.
    Mr. Vega. I would say, Ms. DeJette----
    Ms. DeGette. It's DeGette.
    Mr. Vega. I'm sorry, I apologize.
    Ms. DeGette. That's OK.
    Mr. Vega. Beginning of next calendar year we would have 
some good progress made.
    Ms. DeGette. Well, OK. What does that mean, ``good progress 
made''?
    Mr. Vega. The Department of Energy is a very diverse 
organization with varying missions and varying threats of 
varying appetites for threat and risk. The idea that the 
Department can quickly issue policies, procedures, and 
monitoring systems for that entire complex in a short amount of 
time is probably not a good assumption.
    Ms. DeGette. But Mr. Vega, here's our concern, and I think 
I can say the chairman shares this concern, is we understand 
all the complexities of the DOE, and this is what I was talking 
to Mr. Wilshusen about earlier, is that if there are threats we 
need to identify them, we need to identify the severity and 
where they occur so that we can begin addressing them. And 
vague answers like this are very disconcerting to people on 
both sides of this panel because, after all, it is the 
Department of Defense.
    So I think my suggestion--I am sorry, the Department of 
Energy. And so what I would suggest is that you folks, now you 
have got this GAO recommendation and you are putting a process 
into place, I would suggest that you put a clear timeline into 
place about goals and results culminating at the earliest 
possible convenience. We don't want corners to be cut or 
anything like that. But we think--and then work with this 
committee to inform us about what the plan is. I think our 
concern is that the plan seems a little vague just sitting here 
today.
    And with that, I will yield back.
    [The information follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Stearns. I thank the gentlelady. And Mr. Terry is 
recognized for 5 minutes.
    Mr. Terry. Thank you, Mr. Chairman. And Mr. Vega, I 
apologize that I was in--to all three of you--in an anteroom in 
a quick meeting that lasted a few minutes more. I walked in 
during your answer and didn't really hear what Mr. Gingrey's 
question is, so it piqued me, I was really interested.
    Just very bluntly then so I am clear in regard to having a 
cybersecurity plan for a critical infrastructure nuclear power 
plant, who is best to oversee that cyber plan, DOE or Homeland 
Security?
    Mr. Vega. Who is best to oversee a cybersecurity plan for a 
privately owned power generator, is that the question?
    Mr. Terry. OK, let's say a public power nuclear facility. I 
don't care, it is nuclear.
    Mr. Vega. Right.
    Mr. Terry. And it is under DOE.
    Mr. Vega. It is DOE. I have to say, sir, that my focus on 
cybersecurity is internal to the Department of Energy and the 
Federal M&O contractors that operate our National Labs. I am 
not that familiar to offer an informed opinion about who would 
be better overseeing the implementation of a cybersecurity 
plan.
    Mr. Terry. I was hearing that you were saying that perhaps 
Department of Homeland Security was better prepared to do that, 
and I am trying to figure out where their nuclear power plant 
expertise would be.
    Mr. Vega. I am not sure what you heard, sir.
    Mr. Terry. OK. I just want to clarify that.
    Evidently--were you suggesting, Mr. Wilshushen? I'm sorry.
    Mr. Wilshusen. That's OK, Wilshusen.
    Mr. Terry. Wilshusen, just like it is written, I am sorry. 
Did you suggest that Homeland Security would be better 
supervising overseeing cybersecurity techniques and plans for 
nuclear power plants which would obviously, because they are 
nuclear, would probably be defined as critical?
    Mr. Wilshusen. I did not suggest that, but I will mention 
that, and it is not part of this report on IT supply chain, but 
DHS does have a role in terms of being the sector under the 
National Infrastructure Protection Plan and program, DHS does 
have a role in providing guidance and overseeing the--I think 
it is the nuclear power industry. Also, Nuclear Regulatory 
Commission would be a member and would have insight into that 
since they are regulators of these nuclear power plants.
    Mr. Terry. Is the Nuclear Regulatory Commission under 
Homeland Security's umbrella or another agency's like DOE?
    Mr. Wilshusen. It is a separate, independent agency of 
Federal Government.
    Mr. Terry. Independent agency.
    Mr. Wilshusen. It is separate. And so they also specify 
some of the security requirements in its role as a regulator of 
nuclear power plants to give security. They do conduct certain 
reviews over that.
    Mr. Terry. Well, I am going to ask you one follow-up 
question that stood out to me during your testimony, but 
quickly, Homeland Security under my personal view has been a 
disaster. And to put them in charge of cybersecurity of any 
critical infrastructure scares the hell out of me frankly. And 
every time I go through an airport I think of how incompetent 
they are. So that's just my statement for the record. I am 
sorry I was looking at you when I said that.
    But you mentioned in the chain, supply chain that we are 
concerned about the unauthorized, which then led me to the 
question of how--what needs to be authorized? What parts of the 
supply chain, is it the individual parts at the assembly? Who 
is going to be able to have the authority to say that they are 
authorized to approve that this chip can go into this 
computer, that can be sold then to the Defense Department. I 
can't get my mind around who would have that level of 
authority, and you have 28 seconds.
    Mr. Wilshusen. First of all, when I mentioned the word 
``unauthorized'' it dealt with acquiring products or parts 
components if you will from unauthorized distributors as 
opposed to those companies or entities, either the original 
component manufacturer or their other approved, if you will, 
suppliers to provide it. So if an agency were to go to some 
other, through some other distributor that's not authorized to 
sell a particular product that was the vulnerability to which I 
was referring.
    Mr. Terry. All right. Thank you.
    Mr. Stearns. All right, we will let the first panel be 
dismissed and we will have the second panel come up. Thank you 
very much for your time.
    Mr. Stearns. Welcome the second panel. We have Mr. Larry 
Castro, Managing Director of the Chertoff Group, and we have 
Dave Lounsbury, Chief Technical Officer of the Open Group. 
Welcome each of you. And at your convenience, Mr. Castro, we 
will let you start with your opening statement.
    First we have to swear you in.
    As you know, the testimony that you are about to give is 
subject to Title 18, section 1001 of the United States Code. 
When holding an investigative hearing this committee has a 
practice of taking testimony under oath. Do you have any 
objection to testifying under oath?
    Mr. Castro. I do not.
    Mr. Lounsbury. No.
    Mr. Stearns. The chair then advises you that under the 
rules of the House and the rules of the committee you are 
entitled to be advised by counsel. Do you desire to be advised 
by counsel during your testimony today?
    Mr. Castro. I do not.
    Mr. Lounsbury. No, sir.
    Mr. Stearns. In that case will you please rise, raise your 
right hand and I will swear you in.
    [Witnesses sworn.]
    Mr. Stearns. Now if you would be so kind as to give your 5-
minute opening statement. Mr. Castro, we will start with you. 
Welcome.

STATEMENTS OF LAWRENCE CASTRO, MANAGING DIRECTOR, THE CHERTOFF 
 GROUP; AND DAVE LOUNSBURY, CHIEF TECHNOLOGY OFFICER, THE OPEN 
                             GROUP

                   STATEMENT OF LARRY CASTRO

    Mr. Castro. Good morning, Chairman Stearns, Ranking Member 
DeGette, and members of the subcommittee. I appreciate the 
opportunity to speak with you today regarding the important 
role of IT supply chain security and our Nation's approach to 
cybersecurity. I am appearing today in my personal capacity 
although for the record I am currently a Managing Director at 
the Chertoff Group, a firm that provides strategic advisory 
services on security matters, including cybersecurity.
    While my work at Chertoff Group informs much of my current 
insight into the cybersecurity threat environment, my basic 
understanding of information assurance in cybersecurity is 
drawn from my 44 years of Federal service at the National 
Security Agency. It is thus from these two perspectives that I 
offer my views for your consideration today.
    I commend the subcommittee for addressing this topic today 
as the GAO report well describes securing the supply chain is a 
challenging and complex task with many moving parts and 
dependencies. I would suggest, however, that it is not an 
intractable problem and it is one that can be addressed in the 
risk management framework.
    The GAO report documents that there's ample policy 
direction and implementing guidance from which one can start to 
build supply chain defenses. What is needed, however, is a 
framework that can build on that policy base and also support 
the implementation detail. Risk management offers such a 
framework. Risk management approaches security from the aspects 
of threats, vulnerabilities and consequences and can be used to 
unwrap some key supply chain issues.
    Let's first consider the threat actors who might both be 
able to benefit from and execute an infiltration of the supply 
chain, perhaps by inserting a modified component into the 
supply chain of a critical U.S. Government IT enterprise. To do 
so of course the adversary must be capable of penetrating the 
production process at a point far enough downstream to ensure 
that the right target has been infiltrated.
    In addition to performing the adversary's desired covert 
function, the modified component must also execute the 
component's function as originally designed. I would submit to 
you that across the spectrum of threat actors in cyberspace 
today the most likely players to have the motive and the 
capability to successfully accomplish such a deception would be 
nation-states.
    So who then would be the nation-states that might have the 
necessary qualifications and motives? The GAO report notes as 
you have heard already in testimony today about an outstanding 
organization on point within the Federal Government for 
identifying such threat actors. That organization is the Office 
of the National Counterintelligence Executive, or NCIX, within 
the Office of the Director of National Intelligence.
    In October 2011 NCIX published this eye opening report to 
the Congress, entitled Foreign Spies Stealing U.S. Economic 
Secrets in Cyberspace. The report convincingly presents the 
case that both the People's Republic of China and the Russian 
state apparatus have both the intent and capability to 
undertake economic espionage enhanced by cyber means. These are 
the key threat actors against whom our supply chain defenses 
should be aligned.
    What consequences do they seek to achieve by infiltrating 
the U.S. supply chain? The scope of objectives spans the full 
range of results achievable from malicious activity in 
cyberspace, some of which you all have already addressed this 
morning. They include the compromise of confidentiality leading 
to the loss of sensitive data and intellectual property, the 
loss of availability of critical national security systems, and 
the corruption of data residing in these critical systems.
    As has already been discussed today, there are numerous 
vulnerabilities in the supply chain that can be exploited. 
There are, however, well documented best practices and tools 
that may be implemented to address some of these 
vulnerabilities, and I believe the next speaker on the panel 
will address some of those. The use of these tools and 
resources, however, must be considered in the context of likely 
threat actors and the consequences that they seek to achieve.
    Finally, I would like to comment about a section of the GAO 
report again that you already discussed this morning dealing 
with the lineage of equipment used in U.S. Government networks. 
While the report concluded that emphasis is not given to 
determining if such networks contained foreign developed 
components, the intelligence community representatives quoted 
in the report offered the view that determining if a 
relationship exists between the supplier company and a foreign 
military or intelligence service, that would be a more reliable 
indicator of a potential security risk than simply ascertaining 
whether a specific product was manufactured or provisioned 
outside the United States. I strongly endorse this conclusion 
and note that the practice of conducting such due diligence 
audits of supplier sponsor links is well established in the 
private sector.
    For maximum effectiveness, however, this due diligence 
requires a good conduit to move high fidelity threat actor 
information between the U.S. Intelligence community and those 
in the private sector who would benefit from the intelligence 
community's insights. It is encouraging that many of the cyber 
bills under consideration by you all this session address the 
need for such improved information sharing.
    Again, thank you for the opportunity to address this topic, 
and I would be pleased to answer your questions at the 
appropriate time.
    [The prepared statement of Mr. Castro follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Stearns. I thank you. Mr. Lounsbury, your opening 
statement, please.

                  STATEMENT OF DAVE LOUNSBURY

    Mr. Lounsbury. Chairman Stearns, Ranking Member DeGette, 
and distinguished members of the committee. On behalf of the 
Open Group and the Open Group Trusted Technology Forum, I want 
to thank you for the opportunity to speak at this IT supply 
chain security hearing to discuss how the Open Group's Trusted 
Technology Forum plans to address some of the challenges in 
securing the global supply chain that have been discussed 
today.
    A little background: The Open Group is a global consortium 
that enables the achievement of business objectives through IT 
standards. We have more than 400 members, spanning all sectors 
of the IT community from customers to vendors, to integrators 
and consultants as well as academics and researchers. And staff 
works with them to capture, understand, and address their 
current and emerging requirements and establish the policies, 
shared best practices, to facilitate interoperability and 
develop consensus around evolving and integrating standards. 
And to back this we operate an industry premier certification 
service operating a variety of certification programs over 20 
years.
    In 2008, the then current Under Secretary for the 
Department of Defense Acquisition Technology and Logistics 
posed the following challenge to the Open Group members: How can 
the DOD safely procure IT technology from an increasingly 
global and sometimes unpredictable supply chain in a rapidly 
changing threat environment? The discussion focused on the 
challenges associated with an increased reliance on commercial-
off-the-shelf information communication technologies in 
commercial and government enterprise, including the defense 
industry. The parties formalized those discussions in an 
initiative under the Open Group that we call the Open Trusted 
Technology Forum. And that is a forum, it is a global 
initiative that brings in government industry and other 
interested participants to work to develop an open technology, 
open trusted technology provider standard that's a public-
private partnership to address this very clear cybersecurity 
challenge in a shared, multi-stakeholder risk environment like 
the global supply chain.
    Member organizations contributing to the work include a 
broad range of global suppliers, buyers of products and third 
party test labs. The Open Trusted Technology Provider Standard, 
which is currently published as a snapshot, provides 
organization commercial best practices that when properly 
adhered to will enhance the security of the global supply chain 
and the integrity of COTS ICT products throughout the entirety 
of the product lifecycle. That is from the design phase through 
the sourcing of the components, build, fulfillment, 
distribution, sustainment and all the way to the disposal 
phase.
The snapshot was released in March and is intended to become an 
Open Group standard which will be available to everyone, and 
this provides a set of best practice requirements and 
recommendations on two types of risk inherent in the acquisition 
and use of COTS ICT products. First is tainted product risk, 
and that is a product is produced by the provider and is 
acquired through legitimate reputable channels but has been 
tampered with maliciously.
    The second is the counterfeit product risk where a product 
is produced other than by or for the provider or is supplied by 
other than a reputable channel and is presented as being 
legitimate.
    The standard is based on best practices that have been contributed 
from the experience of very mature industry providers, and the 
results rigorously reviewed through an open consensus process. The 
standard is sufficiently detailed and prescriptive enough to be 
useful in raising the bar for all the technology suppliers, and 
it really lends itself to an accreditation process that will 
provide assurance that it's being followed in a meaningful and 
repeatable manner. And by adopting the standard and committing 
to conform to these best practices, technology providers, 
whether it be hardware or software component suppliers and 
integrators, will help ensure the integrity of the COTS ICT 
products.
    Now given the very fast pace changes of technology and risk 
landscape, the OTPF plans to evolve the OTPF standard over 
time, and so as specific threats emerge or the market needs 
evolve then the forum will update the standard to address these 
threats or changes.
    It takes a very comprehensive view about the practices a 
provider should follow in order to be considered to be a 
trusted technology provider that builds with integrity allowing 
its customers to buy with confidence.
    Chairman Stearns, Ranking Member DeGette, and members of 
the committee, thank you again for the opportunity. I want to 
offer up the expertise of the Open Trusted Technology Forum to 
the subcommittee and other congressional committees as they 
continue to examine supply chain issues. We look forward to 
working together to address the critical problem of improving 
global supply chain security.
    Thank you.
    [The prepared statement of Mr. Lounsbury follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Stearns. And I thank you. And I will start with my 
first set of questions. I will ask you the first question that 
I am trying to get an answer to, which I asked the first panel, 
to each of you. Is the biggest emerging cybersecurity threat to 
consumers and government agency the cybersecurity threats to 
the supply chain, IT supply chain? Yes or no. Do you want me to 
repeat the question? Is the biggest emerging cybersecurity 
threat to consumers and government agencies the cybersecurity 
threats to the IT supply chain? Yes or no.
    Mr. Castro. My answer would be no.
    Mr. Stearns. And yours?
    Mr. Lounsbury. My answer would be no as well.
    Mr. Stearns. If not, what is? In the first panel one person 
said yes and two said no, but I forgot to ask them what is. 
What is, Mr. Castro, that preempts this in your opinion?
    Mr. Castro. The threat is the----
    Mr. Stearns. Could you have your mic on?
    Mr. Castro. The threat is the remote access threat enabled 
by poor practices on the intended victims either not having 
adequate defense in-depth and protection of critical data, and 
also quite frankly increasingly folks are just succumbing to 
phishing attacks that are very well constructed. But those 
phishing attacks are the entry point for remote access attack 
attempting to acquire mostly intellectual property.
    Mr. Stearns. Not in the supply chain?
    Mr. Castro. No, I would not put the supply chain in that.
    Mr. Stearns. OK, that's interesting. Mr. Lounsbury?
    Mr. Lounsbury. I believe the supply chain is part of the 
problem. I think the actually immediate risk is from external 
attack, whether from outsiders or people who have been placed 
inside organizations.
    Mr. Stearns. So you are not worried about malware or all 
these other things, you are worried about somebody externally, 
either through phishing or some kind of overt action getting in 
and then having the piece of software placed there?
    Mr. Lounsbury. Malware is part of that problem. Malware 
takes advantage----
    Mr. Stearns. But you are not worried about the supply chain 
per se as you are worried about somebody overtly coming in?
    Mr. Lounsbury. Supply chain encompasses many phases.
    Mr. Stearns. OK, it gets complicated. All right. Each 
member, what are the current supply chain practices and 
processes that could prevent or detect corrupt, compromise or 
counterfeit components in the supply chain? Mr. Castro?
    Mr. Castro. Well, I mentioned the one that we observe most 
frequently with the clients that we support, and that is a very 
aggressive due diligence program, not quite frankly on every 
component that a company might buy but the identification of 
where the critical paths are, the tasks that lead to a 
company's crown jewels. And then ensuring that every component 
that might be compromised in that path has been vetted, not 
only in terms of the pedigree of the component but knowing who 
are the people responsible for servicing it and the other 
support structure around it.
    Mr. Stearns. Mr. Lounsbury?
    Mr. Lounsbury. There are many steps in the development and 
furnishing of a product. And what we look at is the 
organizational best practices to make sure that a supplier is 
using the best practices during their processes throughout the 
supply chain to make sure that they are doing everything they 
can to prevent those vulnerabilities from being there so they 
can't be exploited later.
    Mr. Stearns. Who in the supply chain should ensure tighter 
chain of custody controls, Mr. Castro?
    Mr. Castro. The question again is who in----
    Mr. Stearns. Who in the supply chain should ensure tighter 
chain of custody controls?
    Mr. Castro. Well, again, I would just go back to the simple 
thing that we practice every day in each of our lives and that 
is buyer beware. If there is a purchasing order that's cut on 
behalf of an engineer and a company, then we would look to the 
engineer to make sure that it is to the best extent possible 
that they have been able to vet the pedigree of the product.
    Mr. Stearns. Mr. Lounsbury?
    Mr. Lounsbury. I would concur with Mr. Castro. Each link in 
the chain has to look up to its suppliers and also downstream 
for its responsibility for the fulfillment, delivery, 
sustainment and eventual retirement of the products that it 
sells.
    Mr. Stearns. What can government do to create or 
incentivize the deployment of those additional capabilities 
that some of you folks would think is necessary? What can we 
do?
    Mr. Castro. Well, again, going back to my testimony, I 
think the biggest thing that the government provides is 
information with regard to the source of potential threats and 
activity that's seen in this space. Again the Office of the 
National Counterintelligence Executive Program has been 
commended as exemplary in this case. They have a very vigorous 
outreach to industry to try to provide both at the classified 
level and to the unclassified level an understanding of where 
the problems are.
    Mr. Lounsbury. Focusing on the ease of COTS ICT, the most 
important thing the government can do is in fact as said just a 
moment ago, is to make sure that it is using best practices 
when it does procurement to make sure that they have identified 
trusted technology partners.
    Mr. Stearns. My time has expired. The gentlelady from 
Colorado.
    Ms. DeGette. Thank you, Mr. Chairman. As we continue our 
reliance, to increase our reliance on technology, we need to 
really look at all the implications of its use and include any 
vulnerabilities and threats presented by new technologies. So 
Mr. Castro, I wanted to ask you, do you think that the threats 
due to the new technologies are increasing in scope and 
sophistication?
    Mr. Castro. I am sorry the threats are what?
    Ms. DeGette. The threats due to the new technologies are 
increasing.
    Mr. Castro. Oh, no question about it. An example would be 
smartphones and the applications that go on them. The 
application industry has just exploded. Some suppliers and some 
maintainers of application super supply stores do do some 
vetting, but quite frankly that is an area that we all should 
be concerned about as we buy a very cheap app to put on our 
phone, but yes, I agree with you.
    Ms. DeGette. Almost two-thirds of U.S. firms report that 
they have been victims of cybersecurity incidents or 
information breaches. And as you allude to, the volume of 
malicious software on American networks has more than tripled 
since 2009. And so I am wondering in specific about the 
challenges the Federal Government faces in responding to those 
rapidly evolving threats.
    Mr. Castro. Well, again the role of the government in my 
view is education. There's a tremendous amount of information 
that the government holds, both open source and classified, 
that should be made available to the private sector through 
properly vetted information channels.
    Ms. DeGette. OK. Now James Clapper, who's the Director of 
National Intelligence, was talking to the Senate committee 
about a year ago and he talked about a new phenomenon known as 
convergence. Are you familiar, Mr. Castro, with network 
convergence?
    Mr. Castro. Yes, ma'am.
    Ms. DeGette. And can you talk about what that is?
    Mr. Castro. Well, I think in terms that we would understand 
it is where we rely upon each of the devices in an integrated 
way.
    Ms. DeGette. Right.
    Mr. Castro. So it may be that your BlackBerry might be 
linked or synched to your home personal PC or to your laptop. 
So the problem there is a vulnerability in one part of that 
chain is easily introduced into the other part.
    Ms. DeGette. Into the other parts. So it is because video, 
data, voice, everything are all converging on one common 
network, and that's part of this new technology that has 
developed that you talk about like with the iPhones and things 
like that, right?
    Mr. Castro. Right.
    Ms. DeGette. And I am wondering if both of you could talk 
about the risks of that type of convergence technology, the 
increased vulnerabilities if they are put into cyberterrorist 
hands.
    Mr. Castro. Briefly, although I will be repeating myself a 
little bit. But an example would be if you bought an app for 
whatever smartphone, mobile device you have that is corrupted, 
it is quite possible that that can be the front door that 
allows someone to have access to your own home personal machine 
where you might have some more sensitive data stored or you 
might have the keys to being able to get to your financial 
accounts and things of that nature.
    Ms. DeGette. And that can be extrapolated to problems on 
the government networks, too, right?
    Mr. Castro. Well, yes, but fortunately in most places in 
the government this whole notion of how to deal with mobile 
devices is undergoing quite a bit of scrutiny. Policies are 
being adopted that would provide some partitioning between 
mobile users and the enterprise that they support.
    Ms. DeGette. Well, I am thinking about--I am glad they 
are putting policies into place, but I am thinking about like 
if there's a National Lab and there's a smart device being used 
to collect and process information for research at a National 
Lab, if somebody was able to get in there, that could cause 
significant harm, correct?
    Mr. Castro. Well, there is some potential for that, but 
since you talk about the National Labs, I will tell you that in 
my time and experience in government that they are some of the 
most very, very far in front, as Gil mentioned, with regard to 
constructing the kind of policies and actual hardware 
limitations to prevent that, particularly in dealing with some 
of the more sensitive things that the labs do.
    Ms. DeGette. That's good to know.
    Mr. Castro. But it's a point very well taken, the threat of 
mobile devices is one that has really mushroomed onto the 
landscape and it is one that we are all scrambling to find the 
right balance between providing the individual user the 
flexibility that the mobile device provides but also protecting 
the integrity of our data.
    Ms. DeGette. Mr. Lounsbury, do you want to comment on that 
briefly?
    Mr. Lounsbury. I think there are a couple of comments. 
First, the issue about the growth and capabilities of computer 
systems and networks is a coin with two sides. Of course the 
increase in complexity does come with an increase in 
vulnerability, yet it also adds the ability of the additional 
processing power and the additional awareness of what is going 
on to actually recognize attacks and proactively create 
defenses.
    I concur with the issue of convergence, sometimes we hear 
it called as, you know, bring your own device where there are 
new devices coming in that may bring their own vulnerabilities. 
And so this is why it is in fact essential to have not only 
policies of course beyond the supply chain but also in the 
supply chain to make sure that those devices that are coming in 
have undergone the scrutiny and correct practices to make sure 
that they are safe.
    Ms. DeGette. Thank you. Thank you very much, Mr. Chairman.
    Mr. Stearns. The gentlelady's time has expired. The 
gentleman from Nebraska, Mr. Terry, is recognized for 5 
minutes.
    Mr. Terry. Thank you, Mr. Chairman. And you're here as a 
different perspective from the first panel, kind of non-
governmental perspective. And so I kind of want to follow 
through with your unique position here for today's hearing. And 
we heard the gentleman from GAO talk about unauthorized 
materials or whatever, computers, devices. And I want to work 
through that because I am still very concerned about how loose 
the authorizations may be. It seems to me the best practice 
that's being recommended here for any, for Department of 
Defense or DOE or whatever government agency that is dealing 
with critical issues is that they should only be allowed to 
purchase from an authorized vendor, of which evidently the 
vendor then has certified everything back, that they can then 
trust the individual parts, whether it is software, chips, 
hardware, have not been compromised in any way. So my question 
to you is, is that a best practice? Do we need to add more 
definition to it? And do we need further authorizations down 
the supply line? Mr. Castro and then Mr. Lounsbury.
    Mr. Lounsbury. I guess, if I may start, I would concur with 
what you say there. Ultimately people, use of COTS implies that 
an agency, in this case a government agency, purchases from a 
commercial marketplace. And so the question is what are the 
standards that your supplier uses to demonstrate that they can 
be trusted. Part of that would be the processes they have for 
themselves throughout their product development and fulfillment 
lifecycle, but also are they imposing those standards on those 
suppliers as well? You think about first you design a product, 
then you get sources for components, those components have to 
undergo the same standards or be held to the same standards 
that you would hold yourself to as a trusted vendor.
    Mr. Terry. And do you think that is sufficient, that they 
just--I don't have the confidence that the supplier actually 
has any level of control in India or China or manufacturing 
facilities. How do they have a level of surety that something's 
not being compromised way down the assembly line?
    Mr. Lounsbury. In the commercial world typically we look to 
some sort of a conformance program where a supplier would 
submit evidence, either through a third-party lab and certainly 
to an independent certification authority, to make sure that 
they have in fact given some evidence of those best practices 
before they are, you know, recognized as a trusted partner. And 
then, yes, there is the burden of everybody in the supply chain 
for making sure that their partners are trusted. It is a very, 
you know, fast branching supply chain, and it is really--you 
have to pick a scalable way of doing that.
    Mr. Terry. Mr. Castro, do you have anything to add?
    Mr. Castro. I would offer quite frankly, and this may be 
out of skew with the thrust of your question but I can't 
divorce my 44 years in government service either. I think this 
has to be approached with a really sensible sense of scale and 
scope, in that you are not going to test every resistor that 
goes into every motherboard of every computer. And I think the 
DOD program is exemplary in this in that they have started, 
they have prioritized those systems that they believe should 
have this extra scrutiny.
    The other thing that the customer can always do, that is to 
say the person at the end, is you pick every fifth Dell 
computer that comes out of the box and you really run it 
through its paces to the greatest extent you can. And there are 
folks who are very, very good at that, including looking for 
signs of tampering and things of that nature. So some random--I 
said every fifth, but it would be a random sampling of the 
devices that you get, but the point being that unless you are 
willing to authorize extraordinary amounts of money in this 
area it has to be done with some reasonable balance involved.
    Mr. Terry. Thank you.
    Mr. Stearns. I thank the gentleman. The gentleman from 
Georgia, Mr. Gingrey, is recognized for 5 minutes.
    Mr. Gingrey. Mr. Chairman, thank you. Mr. Lounsbury, how 
can the government and the private sector benefit from a 
public-private partnership in developing international 
standards?
    Mr. Lounsbury. I think there are a couple of ways that that 
can happen. First, the government quite often brings a unique 
set of needs and perspectives and set of requirements to the 
party. And of course, on the other hand, any provider who 
values their reputation wants to make sure that their products 
will meet those needs so they can frankly sell into that 
sector. Of course they have to do it in a way that still keeps 
them in a commercial business. So there's that match of buyer 
need and supplier response.
    The other part is we have to recognize then, as we have 
heard many times, the supply chain is global. It says on some 
of our devices designed in California, made in China. Right? 
And so these have to be international standards so that the bar 
can be raised on a global basis so that if you know that you 
have seen a trusted technology provider here, and I do want to 
emphasize that when we look at this we talk about the 
organization, not a specific product. So we look at is that 
organization following these best practices in a verifiable and 
certified way. And you can look----
    Mr. Gingrey. Well, let me interrupt you just for a second 
because of the limitation of my time and I will cut right to 
the chase. More importantly, how do you envision other 
countries implementing the international standards of the Open 
Group?
    Mr. Lounsbury. The Open Group--first we--our standards are 
principally commercial standards. These are ones where 
companies voluntarily comply with them and enter into 
certification programs. We do, however, have liaison with ISO, 
the international standards body and specifically the working 
group within ISO that will take these standards and make them 
international. We are very active in making sure that that 
happens. So they are both de facto standards that can be 
adopted by industry and de jure standards that can be 
implemented by----
    Mr. Gingrey. If standards such as these are implemented 
internationally, should the United States refuse to do business 
with countries that don't implement those standards?
    Mr. Lounsbury. I think that when the United States procures 
things they should procure from suppliers that have taken the 
time to do the job right by following the international 
standards.
    Mr. Gingrey. Thank you. Mr. Castro, the current approach to 
IT supply chain risk is a patchwork of varying policies and 
procedures that are not coordinated across the government. What 
can be done to facilitate a coordinated approach that 
reasonably and adequately addresses the risk while avoiding 
excessive cost, burdensome regulation or marginal results?
    Mr. Castro. That's a tough one, Congressman. I think it 
begins with the fact that my sense from where I sit is that 
within the government there has been a very, very succinct 
wakeup call. It is evidenced in the testimony that General 
Clapper and others have provided to you and other committees.
    The other thing is that it is increasingly becoming threat 
based, and that was part of the essence of my oral statement, 
is that we simply can't go down every road, but we know where 
there are two very big roads that we have to watch. But clearly 
all the things that you asked for in that question represent 
the Nirvana at the end of the process. I am not sure we are 
anywhere close.
    Mr. Gingrey. Let me follow up on that with this. For 
example, the GAO report, it highlighted deficiencies of DOE, 
DHS, DOJ, I am sorry, Department of Justice, and rightly 
recommends corrective action. Their recommendations for 
executive action is directed at each department individually, 
if I understand the report.
    How should the government coordinate this solution for the 
entire Federal Government?
    Mr. Castro. Well, again I think that the way the Federal 
Government is organized that there's no doubt somebody in OMB 
who has this in their portfolio to coordinate across, but the 
other thing I think that's recognized in the report is that one 
size does not fit all. As the committee members have already 
pointed out, you have concerns about DOE because they have such 
a critical part of not only our national security structure, 
but our energy provision structure. The report also singled out 
DHS, but quite frankly DHS is not a big component in terms of 
driving the IT enterprise.
    Mr. Gingrey. Well, let me real quickly because my time is 
running out, I really respect the fact that you have got 44 
years of experience at the Federal level, but, you know, it 
would seem to me that lack of coordination would be more 
advantageous let's say to a company like the one that you 
currently work for, the Chertoff Group, whereas from the 
Federal Government perspective coordination would be better, 
more coordination. So where do you draw the line in regard to 
that?
    Mr. Castro. Well, again I think it is a balance. You want--
there definitely needs to be a common set of standards, a 
common set of government regulations that OMB would administer 
and see just like they do FISMA and report in the same way as 
FISMA compliance is reported, but I think also that Mr. Vega at 
DOE has a set of problems, the DOD program has a different set 
of problems. As long as they meet the common standard then they 
can in their directions.
    Mr. Gingrey. OK, thank you. Thank you both and thank you, 
Mr. Chairman.
    Mr. Stearns. I thank you. The gentleman from Virginia is 
recognized for 5 minutes.
    Mr. Griffith. I don't think I will take the whole 5 
minutes, so if anybody else has other questions I would be 
happy to yield. But I do have one. I have been listening to the 
testimony and bringing myself a little education on this, which 
I like coming to these hearings. Thank you, Mr. Chairman, for 
holding it.
    You indicated, Mr. Castro, that one of the things we need 
to do is have the Department of Defense working with private 
industry and I agree with that. But my question is at what 
point do they step in? And do they need to be taking an active 
role in defending our private industries? Here is the dilemma 
I've got. In World War II the Allies broke the German code, 
they had to make some very tough choices and history looks back 
on some of the choices very critically. But they had to make 
some tough choices because they knew some things the Germans 
were doing, but they knew if they stopped it there might be the 
possibility that the Germans would figure out that they had 
broken the code and then that would endanger all kinds of other 
operations. So now we are faced in a slightly different 
situation. If the defense folks know that somebody is stealing 
our private information because they have tapped into it by 
their defensive measures in trying to protect our national 
security on the defense side, how do they work out balancing 
that out? And how do they tip off or do they just take measures 
on behalf of the private industry to defend our economic system 
without tipping off X, Y, Z country that we are on to them? 
That's the basic gist of my question. If you could help me on 
that.
    Mr. Castro. OK, very well founded. The difference where the 
analogy isn't quite possibly in synch is that the time frame 
that we are operating with regard to the breaking of Ultra and 
things like that you refer to in World War II, we had a much 
greater time frame, duty cycle. Today it moves much, much more 
quickly and therefore I do come very much into the direction 
that your question was going and that there needs to be greater 
transparency between what the intelligence community within the 
DOD sees and making that information available to the private 
sector. And again very, very--I think well spoken is the fact 
that there are bills before the House, particularly the one out 
of the HPSCI, the Rogers-Ruppersberger bill, that does attempt 
to address that issue and put quite frankly the DOD 
intelligence assets into the game, properly supporting through 
the DHS front door the private industry. So your analogy is 
very, very well taken and I understand and totally agree.
    Mr. Griffith. Thank you very much. Mr. Chairman, unless 
somebody wants me to yield time to them, I would yield back.
    Mr. Stearns. The gentleman yields his time back, and I will 
ask two questions and the gentlelady is welcome to offer her 
questions. A question for both of you, who should be the 
innovator in this place in developing a common criteria 
network; should it be the government or the private sector?
    Mr. Lounsbury. Mr. Chairman, I actually believe that the 
public sector does need to lead in this area.
    Mr. Stearns. The government should.
    Mr. Lounsbury. Pardon me, excuse me, the commercial sector. 
Sorry to be unclear.
    Mr. Stearns. The commercial sector, OK, and you, Mr. 
Castro?
    Mr. Castro. I would agree.
    Mr. Stearns. OK are there advantages basically because the 
private sector is more innovative?
    Mr. Lounsbury. I think it is a question----
    Mr. Stearns. It is closer to their bailiwick?
    Mr. Lounsbury. I think it is a question of market pressure, 
sir. I think the pace of innovation forces them to respond very 
quickly, and frankly they need to innovate and respond at the 
speed that is driven by the market and by the emerging threats.
    Mr. Stearns. Mr. Castro, do you agree?
    Mr. Castro. I agree.
    Mr. Stearns. Mr. Castro, if one begins from the premise 
that a supply chain vulnerability has already been exploited 
and currently exists within an IT enterprise, what should a 
supplier or that matter an agency do to mitigate this risk?
    Mr. Castro. OK, well, this in fact is the topic of the 
moment. It is called presumption of breach or operating under 
attack.
    Mr. Stearns. Presumption of----
    Mr. Castro. That your system has been breached and that's 
the way you go about constructing the defense.
    Mr. Stearns. OK.
    Mr. Castro. DOD put out their strategy for operating in 
cyberspace last summer. That is at the heart of it. What you 
then have to do, however, is to say if in fact the assumption 
is that the adversary is in my system, I need to identify very, 
very precisely what are my crown jewels that I hold in that 
system and I need to protect those to the maximum extent 
possible and I need to make sure that those who have 
authorization to be able to access those crown jewels, that 
their activity is very, very well accounted for. We call that 
data centric defense.
    Mr. Stearns. Mr. Lounsbury, you might want to comment on 
what Mr. Castro said.
    Mr. Lounsbury. Thank you. I would agree with the spirit of 
what Mr. Castro says, but I think one of the essential pieces 
of this is that you make the best practices commonplace. I 
think that everybody understands that there are issues about 
how you do security development and engineering, things like 
threat analysis, threat mitigation, how you respond to those 
threat analysis through a design, one-time protection 
techniques, vulnerability analysis, all those things in the 
development phase, and then you actually must extend them to 
the supply chain, but it can't be treated as a product by 
product activity. It has to be something you internalize to 
your company's processes in order to not have to do it every 
single time, that you can look to a provider and say yes, we 
can deal with them and know their products are trustworthy.
    Mr. Stearns. All right, thank you, Ms. DeGette.
    All right, at this point, it appears our questions for the 
second panel are complete.
    I want to thank the witnesses for coming today and for 
their testimony and members for their devotion to this hearing. 
The committee's rules provide that members have 10 days to 
submit additional questions for the record to the witnesses.
    And, with that, the subcommittee is adjourned. Thank you.
    [Whereupon, at 12:02 p.m., the subcommittee was adjourned.]

                                 
