[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

  CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PUBLIC-SECTOR 
                               RESPONSES

=======================================================================

                                HEARING

                               BEFORE THE

             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 28, 2012

                               __________

                           Serial No. 112-134


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

78-432 PDF                WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         TAMMY BALDWIN, Wisconsin
CHARLES F. BASS, New Hampshire       MIKE ROSS, Arkansas
PHIL GINGREY, Georgia                JIM MATHESON, Utah
STEVE SCALISE, Louisiana             G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio                JOHN BARROW, Georgia
CATHY McMORRIS RODGERS, Washington   DORIS O. MATSUI, California
GREGG HARPER, Mississippi            DONNA M. CHRISTENSEN, Virgin Islands
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana              KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 _____

             Subcommittee on Communications and Technology

                          GREG WALDEN, Oregon
                                 Chairman
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois               MICHAEL F. DOYLE, Pennsylvania
MARY BONO MACK, California           DORIS O. MATSUI, California
MIKE ROGERS, Michigan                JOHN BARROW, Georgia
MARSHA BLACKBURN, Tennessee          DONNA M. CHRISTENSEN, Virgin Islands
BRIAN P. BILBRAY, California
CHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York
PHIL GINGREY, Georgia                FRANK PALLONE, Jr., New Jersey
STEVE SCALISE, Louisiana             BOBBY L. RUSH, Illinois
ROBERT E. LATTA, Ohio                DIANA DeGETTE, Colorado
BRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan
ADAM KINZINGER, Illinois             HENRY A. WAXMAN, California (ex officio)
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

                                  (ii)


                             C O N T E N T S

                              ----------                              
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement
    Prepared statement
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement
Hon. Mary Bono Mack, a Representative in Congress from the State 
  of California, opening statement
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement
    Prepared statement

                               Witnesses

Fiona M. Alexander, Associate Administrator, Office of 
  International Affairs, National Telecommunications and 
  Information Administration, Department of Commerce
    Prepared statement
    Answers to submitted questions
James A. Barnett, Jr., Chief, Public Safety and Homeland Security 
  Bureau, Federal Communications Commission
    Prepared statement
    Answers to submitted questions
Robert L. Hutchinson, Senior Manager for Information Security 
  Sciences, Sandia National Laboratories
    Prepared statement
    Answers to submitted questions
Gregory E. Shannon, Chief Scientist, Computer Emergency Response 
  Team, Software Engineering Institute, Carnegie Mellon 
  University
    Prepared statement
    Answers to submitted questions
Roberta Stempfley, Acting Assistant Secretary, Office of 
  Cybersecurity and Communications, Department of Homeland 
  Security
    Prepared statement
    Answers to submitted questions

                           Submitted Material

Article, published March 28, 2012, ``U.S. Outgunned in Hacker 
  War,'' Wall Street Journal, submitted by Mr. Stearns

  CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PUBLIC-SECTOR 
                               RESPONSES

                              ----------                              


                       WEDNESDAY, MARCH 28, 2012

                  House of Representatives,
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:05 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. Greg 
Walden (chairman of the subcommittee) presiding.
    Members present: Representatives Walden, Terry, Stearns, 
Shimkus, Bono Mack, Blackburn, Bass, Latta, Guthrie, Kinzinger, 
Eshoo, Matsui, Barrow, Dingell, and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight; Ray Baum, 
Senior Policy Advisor/Director of Coalitions; Nicholas Degani, 
FCC Detailee; Andy Duberstein, Deputy Press Secretary; Neil 
Fried, Chief Counsel, Communications and Technology; Debbee 
Keller, Press Secretary; Katie Novaria, Legislative Clerk; and 
David Redl, Counsel, Communications and Technology; Shawn 
Chang, Democratic Senior Counsel; Jeff Cohen, FCC Detailee; 
Roger Sherman, Democratic Chief Counsel; and Kara van Stralen, 
Democratic Special Assistant.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. Good morning. The Subcommittee on 
Communications and the Internet will come to order. The title 
of today's hearing is ``Cybersecurity: Threats to 
Communications Networks and Public-Sector Responses.''
    Heeding the call of the House Republican Cybersecurity Task 
Force appointed by the Speaker, this subcommittee has embarked 
on a series of hearings, as most of you are aware, to get a 
complete picture of the cybersecurity challenges that face our 
Nation. Today is the third of our hearings on this topic, 
having already heard from witnesses in our previous hearings on 
the concerns of the private-sector security firms helping to 
secure communications networks from cyber threats as well as 
the network operators that must protect their networks while 
providing the broadband services that have become the fuel of 
our economy. Those hearings provided us with a lot of very, 
very valuable information. We appreciate the witnesses who 
testified. This hearing continues our subcommittee's review of 
cybersecurity issues with a focus on the public sector.
    In order to further investigate the complex issues that 
surround any discussion of cybersecurity, I recently asked a 
number of my subcommittee colleagues to serve on a bipartisan 
working group tasked with gathering additional information. My 
vice chairman, Mr. Terry, and Ranking Member Eshoo have 
graciously served as co-chairs of the working group for the 
last few weeks, and I am very appreciative of their work. The 
group also included Representatives Doyle, Matsui, Kinzinger, 
and Latta. The members of the working group and their staffs 
have met with a number of industry stakeholders, and throughout 
their discussions a consistent theme has emerged: the need for 
the government and the private sector to work together to 
address cybersecurity. The findings of the working group are 
consistent with the message we have heard in our hearings on 
this matter from the private-sector perspective.
    Today, we hear from some of the agencies within our 
government that are working to meet these threats, both in 
terms of what is being done to promote cybersecurity as well as 
how we can better secure our Nation's communications networks. 
In this hearing, we are privileged to have five witnesses that 
represent parts of the government that work to address the 
complex cybersecurity issues our country faces every day. The 
work being done by these government agencies to help address 
cybersecurity is just the tip of the iceberg of what we can 
achieve when our private-sector innovation and public-sector 
resources are put to a common task. That is why I am a co-
sponsor of H.R. 3523, which is the Cyber Intelligence Sharing 
and Protection Act. This bipartisan bill was introduced by my 
Communications and Technology colleague and chairman of the 
House Permanent Select Committee on Intelligence, Mike Rogers. 
H.R. 3523 makes commonsense changes to the way our government 
and the private sector share cyber intelligence without 
compromising either the commercial broadband providers or the 
integrity of the intelligence community.
    Similarly, the good work being done by industry 
stakeholders at the FCC on the Communications Security, 
Reliability and Interoperability Council, or CSRIC, to bring 
voluntary best practices to bear on the security of commercial 
networks is another example of the type of public-private 
cooperation that I think will achieve results without mandates. 
It looks very similar to the Australian model that received 
favorable reviews at one of our previous hearings. To remain 
nimble and effective, codes of conduct like these should remain 
voluntary and should involve all stakeholders in the Internet 
ecosystem, not just the ISPs.
    In addition to hearing from these agencies on the good work 
that they are doing, I also expect to hear how you think we can 
improve the cooperation between the Federal Government and 
private industry as they work to combat cyber threats. Having 
heard from the private sector, today's public-sector 
perspective will give the members of the subcommittee a more 
complete picture of the cybersecurity landscape.
    I thank the panelists for your testimony today. I look 
forward to a lively discussion of these issues.
    [The prepared statement of Mr. Walden follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Walden. With that, I would yield the remainder of my 
time to the gentleman from Nebraska, Mr. Terry.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Chairman, and it is certainly 
quite a learning curve from both the Speaker's task force and 
the task force that Anna and I have been lucky enough to 
oversee.
    But this is a real threat to our economy and to our 
country, and we need to really start thinking seriously about 
ways of securing our communications networks, and in that 
discussion, not only how but who should be part of that 
process. First, I want to commend the Communications 
Security and Reliability Interoperability Council, or CSRIC, 
for its recent report outlining voluntary best practices that 
industry has agreed to implement. ISPs engaging in the Anti-Bot 
Code of Conduct and Domain Name System best practices, as 
well as working to develop a framework to prevent IP route 
hijacking, is a great start to improving the overall health and 
safety of our Nation's networks and limiting access for 
attacks. I am confident that this collaboration will continue 
to improve.
    I will state for the record that I have some reservations 
concerning giving government agencies like Department of 
Homeland Security authority for overseeing or implementing the 
standards. A, I think we need to focus on flexibility, and 
secondly, that department hasn't provided me the level of 
confidence that I would want to turn over our cybersecurity to 
them. All we have to do is walk into our airports and visualize 
my lack of confidence in them.
    So at this point I will yield back, and I am anxious to 
hear from the witnesses.
    Mr. Walden. I now recognize the gentlelady from California, 
my friend, Ms. Eshoo, for an opening statement.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Mr. Chairman, and good morning to all 
of my colleagues on the subcommittee, and welcome to our 
witnesses. Thank you for being willing to be here today to 
instruct us even further on this whole issue of cybersecurity. 
We have had a very important series of hearings, and they 
have been very, very helpful. They have been outstanding 
hearings, and both sides of the aisle, I think, have agreed on 
that.
    As has been stated, I am part of the Cybersecurity Working 
Group with Congressman Terry, and through the process that we 
have followed, our collective staff have gathered information 
from key stakeholders and have been focusing on issues such as 
supply chain integrity, information sharing, consumer 
education, and it is obviously our subcommittee's jurisdiction 
in these areas. We have learned that Advanced Persistent 
Threats, the APTs, pose a significant risk to our 
communications infrastructure, and these sophisticated threats 
are often either state-sponsored or pursued by criminal 
enterprises and they have the potential to lead to significant 
theft or manipulation of data and other malicious activities.
    So we have our hands full, most frankly, about how to go at 
this. Fortunately, there are experts like each one of you that 
are working hard, really diligently to protect our country from 
cyber threats, so we really look forward to hearing what you 
can instruct us on this, and I want to especially welcome Mr. 
Hutchinson from Sandia National Labs Adaptive Network 
Countermeasures--these are real mouthfuls, I will tell you--the 
ANC, the DHS efforts concerning domain name server security 
extension and the FCC's recent recommendations from CSRIC. All 
of these need to be stitched together. We can't afford to go 
into an enlightened endeavor and end up with silos all over 
again. I am very sensitive about that, having been a veteran of 
the House Intelligence Committee.
    So I think to deter cyber criminals, we need to have a 
really well-coordinated, comprehensive effort that is going to 
promote R&D, consumer education, supply chain integrity and 
information and yet ensure at the same time that we speak to 
privacy and civil-liberties protections.
    I think it is also important that we don't take any actions 
that would inadvertently hinder the private-sector development 
of cybersecurity technology or create new network 
vulnerabilities, and that is why I am pleased to see that both 
public and private sectors are working together on these issues 
and that the FCC's CSRIC unanimously endorsed voluntary 
industry-wide best practices to address the whole issue of 
botnets and domain name fraud and Internet route hijacking. So 
I think that they have done very good work and it is something 
that we need to take advantage of.
    So today's hearing is really yet another opportunity for us 
to look at this slice that you can teach us about and that we 
weave that together all under the umbrella of really 
safeguarding some of the most important parts of our national 
infrastructure both public and private relative to 
cybersecurity.
    Ms. Eshoo. With the time that I have remaining, I will 
yield it to Congresswoman Doris Matsui.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you very much, Ranking Member Eshoo, for 
yielding me time, and I would like to welcome our witnesses 
today, and I want to thank the chairman very much for having 
this hearing today and having explored some of these issues for 
the last month or so.
    Communications networks are one of the many areas our 
Nation must protect to ensure safety and soundness. It will be 
important that data is protected in transit to cloud storage. A 
number of government agencies are using cloud services, so it 
is my hope that we can learn more from the early experiences.
    I also believe that our subcommittee will have the ability 
to further promote information sharing on cyber threats. I will 
be interested in hearing from witnesses how information is 
being shared within the government and between the government 
and industry. There also seems to be a number of clearinghouses 
that are used to store information related to cyber threats. I 
will also be interested in hearing the relationship between 
those silos and industry and government sharing. Securing the 
supply chain will be of high importance.
    We also need to consider that there might be some economic 
incentives that could encourage industry to explore ways to 
better address and defend against malware and botnets, and 
again, I welcome you all here today and I am looking forward to 
the testimony. Thank you very much.
    Mr. Walden. Thank you, and thanks for your service on the 
working group.
    Now I recognize Representative Bono Mack for a minute, and 
then we will have Mr. Barton and Ms. Blackburn.

 OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mrs. Bono Mack. Thank you, Mr. Chairman.
    In our two previous hearings on this issue, we have heard 
from representatives of the private sector and the 
communications industry who expressed real concern about the 
effects of heavy-handed new government regulation in this realm 
of cybersecurity. Onerous new regulations, they say, will likely 
fall haplessly behind existing technology and divert valuable 
resources away from security and towards regulatory compliance. 
Indeed, with so much information out there about the 
sophisticated and constantly evolving nature of cyber attacks, 
what the experts in the field have said they need most is the 
ability to better share information about existing cyber 
threats and the freedom to respond quickly to those threats.
    Yesterday, Congresswoman Blackburn and I introduced the 
House companion to Senator John McCain's Secure IT Act, which 
first removes legal hurdles which prevent information sharing 
across the spectrum so that victims of cyber attacks can better 
work with each other to respond to cyber threats. I believe 
that this approach, which empowers security experts to 
proactively address threats rather than reactively respond to 
them, is the best path forward.
    I look forward to hearing from our witnesses today. I thank 
them for appearing before us, and I would like to yield back 
the balance of my time.
    Mr. Walden. And I would recognize the gentlelady from 
Tennessee for a minute.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you, Mr. Chairman, and I want to 
thank your witnesses for being here.
    You have heard us talk about the two previous hearings that 
we have done with industry, and of course, what they have 
pointed out is that there is no cookie-cutter approach that we 
can follow as we deal with what are very dangerous issues. One 
of the things that also has come out is that the Federal 
Government needs to be leading by example. If we want to 
provide assurance that there is going to be a pattern of 
security, this is going to be important for us to do, to lead 
by example.
    Another thing, as we discuss this and how we are going 
to lead by example: I also want to hear about what you are 
doing to prioritize your R&D and how we are going to be able to 
work with the private sector in that vein. As Representative 
Bono Mack introduced, we introduced the Secure IT Act 
yesterday. This is going to focus on strong info-sharing 
components, making certain that we are addressing some 
increased penalties for criminals and priority and coordination 
of the Federal research.
    So thank you all, welcome, and yield back.
    Mr. Walden. I now recognize Mr. Stearns for a minute.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Thank you, Mr. Chairman.
    Yesterday, Shawn Henry, the FBI's top cyber cop, told the 
Wall Street Journal that the current public and private 
approach to fending off hackers is unsustainable as computer 
criminals are simply too talented and defensive measures are 
too weak to stop them. He also expressed that companies need to 
make major, major changes in the way they use computer networks 
to avoid further to national security, and Mr. Chairman, I ask 
that the Wall Street Journal article be part of the record by 
unanimous consent.
    Mr. Walden. Without objection.
    [The information follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Stearns. Today's hearing focuses on public-sector 
responses to threats to communications networks. I am 
interested to hear our witnesses' reaction to Mr. Henry's bleak 
outlook on our unsustainable model to cybersecurity, as he 
says, ``unsustainable in that you never get ahead, never become 
secure, never have a reasonable expectation of privacy or 
security.''
    As chairman of the Oversight and Investigations 
Subcommittee, I have held three cybersecurity hearings. Through 
these hearings and the ones held by our chairman today, I hope 
our committee can learn what we can do to make sure the good 
guys are winning again.
    Thank you, Mr. Chairman.
    Mr. Walden. I thank the gentleman from Florida. Is anybody 
else seeking recognition here? I know Mr. Barton had wanted 
time, but he is not here.
    Now I will go to you, Mr. Waxman. We will return the 
balance of our time on this side and I now recognize the 
chairman emeritus, Mr. Waxman, for 5 minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you very much, Mr. Chairman, for holding 
this hearing on cybersecurity.
    It is important that we understand the government 
perspective. I am especially interested to learn the steps 
government agencies are taking to advance cybersecurity and 
secure the supply chain. I also welcome our expert from 
Carnegie Mellon.
    The FCC, under the leadership of Chairman Genachowski and 
Admiral Barnett, has established a Communications Security, 
Reliability and Interoperability Council, or CSRIC, and today 
we can learn about CSRIC's recent recommendations promoting 
cybersecurity, as well as what other agencies are doing to 
promote best practices and information sharing. Efforts like 
CSRIC can help lead to adoption of best practices and voluntary 
codes of conduct by Internet service providers, software 
companies, manufacturers and security vendors.
    But we also need to address the question of accountability. 
For example, what if one company fails to be as diligent as 
others in following best practices and, as a result, causes a 
cyber breach that rises to the level of a national concern? We 
need to explore whether reliance solely upon the private sector 
to ensure the security of communications networks across the 
country is sufficient, and what additional steps we might need 
to achieve enough accountability to best protect critical 
communications networks from cyber attacks.
    We are hearing from industry that they want statutory 
exemptions from privacy and antitrust laws in order to 
facilitate information sharing. I have an open mind as we 
consider these issues. But this should be a two-way street. If 
industry wants exemptions from consumer protection laws, we 
have a right to ask for accountability that companies actually 
end up sharing information important for cybersecurity, do not 
abuse their privileges, and are held accountable.
    There is a stronger case to be made for enabling sharing 
between the Federal Government and private industry, but we 
need to balance information sharing with sufficient privacy and 
civil-liberties protections. Further, we need to make sure that 
the Federal agencies that engage in direct information sharing 
with the private sector are civilian agencies, not intelligence 
or defense agencies.
    I hope we will also discuss securing the communications 
supply chain. This is a growing potential threat, especially as 
we are now witnessing thousands of applications being loaded 
onto smart devices that connect to the public Internet. We 
should examine the best ways to address this.
    I want to thank our panel of witnesses for their 
participation today and I look forward to hearing your 
testimony. I yield back the time.
    [The prepared statement of Mr. Waxman follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Mr. Walden. The gentleman yields back the balance of his 
time. We will now proceed with our witnesses. We thank you all 
for being here and look forward to your comments.
    We will start with Ms. Fiona Alexander, Associate 
Administrator, Office of International Affairs, National 
Telecommunications and Information Administration, NTIA, U.S. 
Department of Commerce. That is a mouthful. We are glad you are 
here today and we look forward to hearing from you. And just a 
heads-up for everybody, these microphones, you have to get 
pretty close to for people to hear, and make sure it is lit.

  STATEMENTS OF FIONA M. ALEXANDER, ASSOCIATE ADMINISTRATOR, 
 OFFICE OF INTERNATIONAL AFFAIRS, NATIONAL TELECOMMUNICATIONS 
 AND INFORMATION ADMINISTRATION, DEPARTMENT OF COMMERCE; JAMES 
  A. BARNETT, JR., CHIEF, PUBLIC SAFETY AND HOMELAND SECURITY 
     BUREAU, FEDERAL COMMUNICATIONS COMMISSION; ROBERT L. 
 HUTCHINSON, SENIOR MANAGER FOR INFORMATION SECURITY SCIENCES, 
    SANDIA NATIONAL LABORATORIES; GREGORY E. SHANNON, CHIEF 
    SCIENTIST, COMPUTER EMERGENCY READINESS TEAM, SOFTWARE 
ENGINEERING INSTITUTE, CARNEGIE MELLON UNIVERSITY; AND ROBERTA 
STEMPFLEY, ACTING ASSISTANT SECRETARY, OFFICE OF CYBERSECURITY 
     AND COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS 
          DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY

                STATEMENT OF FIONA M. ALEXANDER

    Ms. Alexander. Thank you very much. It is a very long name. 
So good morning, Chairman Walden, Ranking Member Eshoo and 
members of the subcommittee. Thank you for this opportunity to 
testify on behalf of the Department of Commerce's NTIA 
regarding cybersecurity.
    NTIA, as you know, is the President's principal advisor on 
telecommunications and information policy matters and is the 
executive branch expert on issues relating to the Internet's 
Domain Name System, a critical component of the cyber 
infrastructure. NTIA supports a multi-stakeholder approach to 
the coordination of the DNS to ensure long-term viability of 
the Internet. Working with other stakeholders, NTIA develops 
policies and takes actions to preserve an open, interconnected 
global Internet that supports continued innovation and economic 
growth, investment and the trust of its users. This multi-stakeholder 
model of Internet policymaking, convening the 
private sector, civil society and government to address issues 
in a timely and flexible manner, has been responsible for the 
past success of the Internet and is critical to its future.
    The authenticity of DNS data is essential to the security 
of the Internet as it is vital that users reach their intended 
destinations and are not unknowingly redirected to fraudulent 
and malicious Web sites. This is one of the primary objectives 
motivating NTIA's efforts to secure the DNS and what I will 
specifically address today.
    The early DNS, while exceptional in many ways, lacked 
strong security mechanisms. Over time, hackers and others have 
found more and more ways to exploit vulnerabilities in the DNS 
protocol. That put the integrity of DNS data at risk. These 
vulnerabilities increase the likelihood of certain DNS-related 
cyber attacks which can lead to identity theft and other 
security compromises.
    In response to these risks, the Internet Engineering Task 
Force developed a suite of specifications for securing 
information provided by the DNS called Domain Name System 
Security Extensions, or DNSSEC. DNSSEC provides an additional 
layer of security to DNS by authenticating the origin of the 
DNS data and verifying its integrity while it moves across the 
Internet.
    In 2008, NTIA undertook a multi-stakeholder public 
consultation process regarding whether and how DNSSEC should be 
deployed at the authoritative root, the top level of a DNS 
hierarchy for which NTIA continues to have historical 
oversight. In response to the public notice, NTIA received 
overwhelming support from the international Internet community 
to move forward as soon as possible. Over the next year and a 
half, NTIA, drawing upon the input and expertise of technical 
experts from around the world, and working closely with NIST, our 
sister agency at Commerce, as well as our root zone management 
partners, VeriSign and ICANN, moved to fully deploy DNSSEC at 
the root in July 2010.
    DNSSEC essentially gives a tamper-proof seal to the address 
book of the Internet, similar to a wax seal on an envelope. For 
example, I can send you a letter in an envelope, but when you 
receive the envelope, you don't know if it was tampered with, 
but if I use my seal on some wax across the envelope's closure, 
then you know two things: the letter wasn't tampered with in 
transit, which means there is data integrity, and that I was 
the one who sent it, because you recognize my stamp, which is 
data origin authentication. If you know that I always seal my 
letters and you receive a letter from me that isn't sealed or 
the seal is broken, you know that a bad guy or a man in the 
middle could have opened the sealed envelope and replaced the 
contents. You can throw it away because you know it is a fake. 
DNSSEC information is like the letter in the envelope. DNSSEC 
gives that information a seal that verifies and authenticates 
it.
    DNSSEC deployment at the authoritative root was an 
important step toward protecting the integrity of DNS data and 
mitigating attacks such as cache poisoning, which allows the 
hacker to redirect traffic to fraudulent sites and other data 
modification threats. This effort marks significant progress in 
making the Internet more robust and secure as it provides a 
tool to facilitate greater user confidence in the online 
experience so that when someone visits a particular Web site, 
whether it be a bank, a retailer or a doctor, they are not 
seeing a spoofed copy that cyber criminals can use to 
perpetrate identity theft or other crimes using the DNS.
    In helping to deploy DNSSEC at the root zone, NTIA sought 
to facilitate greater DNSSEC deployment throughout the 
Internet. If we are to maintain trust in the Internet, then we 
must support further DNSSEC deployment. Governments as well as 
other stakeholders must continue to support the deployment and 
development of DNSSEC-related software, tools and other 
products and services. As we explore issues affecting Internet 
space, we should take all appropriate steps to ensure that 
DNSSEC use and adoption continues to grow.
    In the coming months, NTIA, working as a part of the 
Department of Commerce's Internet Policy Task Force, will be 
looking for opportunities to launch further multi-stakeholder 
processes aimed at enhancing the security and stability of the 
DNS as well as broader cybersecurity efforts.
    Thank you again for the opportunity to testify, and I will 
be happy to answer any questions.
    [The prepared statement of Ms. Alexander follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. Ms. Alexander, we appreciate your comments and 
we look forward to the questions.
    Admiral, we are delighted to have you here today, Admiral 
James Barnett, Jr., Retired, Chief, Public Safety and Homeland 
Security Bureau, Federal Communications Commission, the FCC. 
Welcome, and we look forward to your comments.

               STATEMENT OF JAMES A. BARNETT, JR.

    Mr. Barnett. Thank you, Chairman Walden, Ranking Member 
Eshoo and all the distinguished members of the subcommittee. I 
really appreciate the opportunity to come and talk to you on 
this important topic of cybersecurity, and I am particularly 
pleased to be able to testify with these experts and especially 
my colleagues from DHS and Commerce with whom we work very 
closely on cybersecurity matters.
    Cybersecurity threats are a real and present danger to our 
current economy and wellbeing. No one would tolerate the level 
of criminality, thievery, vandalism or invasion of privacy that 
we experience today if it were done in the physical world, and 
we really can no longer afford to tolerate it in cyber space.
    The approximately 40,000 autonomous systems or networks on 
which the Internet is built are largely commercial or privately 
owned. Commercial communications providers are therefore the 
first line of defense against cyber threats and always will be. 
Earlier this month, on March 7th, the subcommittee heard from 
cybersecurity experts in the communication industry about how 
hard they are working against those threats, yet if those 
efforts alone were sufficient to thwart cyber threats, I don't 
think we would be here today. To be successful in battling 
cyber threats, we must work together collectively, industry and 
the public sector.
    As the Nation's expert agency on communications, we have 
always been concerned with the security and reliability of 
networks. The FCC has a long history of working on network 
reliability and security with the companies that operate the 
core of the Internet. We have constituted a Cybersecurity and 
Communications Reliability Division in the Public Safety and 
Homeland Security Bureau. These are our cyber experts who among 
other duties coordinate the work of our current Federal 
advisory committee, the Communications Security, Reliability 
and Interoperability Council, CSRIC, which you mentioned before. 
CSRIC is now made up of over 50 industry leaders from the 
private sector and the Federal Government including cyber 
experts from DHS and NIST and a veritable all-star cast of 
Internet pioneers and world-class cybersecurity experts that 
are working on the council and the working groups.
    And I am pleased to report that last week, CSRIC approved 
voluntary industry-based recommendations addressing three 
crucial problems. These recommendations are not simply a set of 
reports that will adorn bookshelves. Numerous ISPs including 
Comcast, Verizon, AT&T, Time Warner, Sprint, Cox, T-Mobile, 
Frontier and CenturyLink have already pledged to implement the 
CSRIC recommendations as they apply to their respective 
networks. This means that these new cybersecurity measures will 
soon be protecting a significant majority of American Internet 
users.
    First, CSRIC recommended that ISPs adopt a voluntary code 
of conduct to provide critical security to Internet users to 
fight botnets, which can steal personal information. We refer 
to it as the anti-bot code, a code that specifically addresses 
privacy of the end user.
    Second, CSRIC examined Internet route hijacking, which can 
occur due to the lack of verification between networks. 
Internet route hijacking can endanger valuable intellectual and 
private property and jeopardize our national security. In 2010, 
traffic to 15 percent of the world's Internet destinations was 
diverted through Chinese servers for approximately 18 minutes. 
CSRIC recommended that ISPs embark upon a path toward 
implementation of secure routing protocols, or secure BGP, to 
minimize route hijacking. This would include the establishment 
of a secure, authoritative database of Internet address blocks 
to be used and checked by ISPs.
    CSRIC's third area of action is the Domain Name System, 
DNS, which Ms. Alexander just mentioned. DNS can be thought of 
as the telephone book for the Internet, one that can be spoofed 
and can lure exposure of private information. DNSSEC can 
correct this problem. It was designed with privacy in mind. 
CSRIC endorsed DNSSEC implementation by ISPs and industry-wide 
adoption of the standard to help prevent unsuspecting Internet 
users from being sent to fraudulent Web sites.
    These voluntary initiatives stand as an example to the 
world of how to promote cybersecurity while preserving the core 
characteristics of the Internet, which have fueled the 
broadband economy's growth and success. These efforts focus on 
ISPs but they dovetail into broader cybersecurity efforts by 
NIST and DHS which must address the larger information 
technology community. We will continue to work with industry, 
the multi-stakeholders and Federal partners on voluntary 
industry-based solutions. We will carefully guard the 
reliability and security of all communications networks. Thank 
you.
    [The prepared statement of Mr. Barnett follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. Admiral, thank you very much. We appreciate 
your testimony, even if it is ever more disturbing the more we 
hear.
    With that, we will now go to Mr. Hutchinson, Senior Manager 
for Information Security Sciences at Sandia National 
Laboratories. Thanks for all the work you and your team do out 
there at Sandia, and we appreciate your being here today to 
further enlighten us about the threat that we face and how we 
might deal with it appropriately, so please go ahead.

               STATEMENT OF ROBERT L. HUTCHINSON

    Mr. Hutchinson. Good morning. Chairman Walden and Ranking 
Member Eshoo and the distinguished members of the committee, 
thank you for inviting me to testify before you today. I am Bob 
Hutchinson, Senior Manager for Information Security Sciences at 
Sandia National Laboratories. Sandia is a federally funded 
research and development center for the Department of Energy. 
DOE makes its significant investment in Sandia's cybersecurity 
capabilities available to the Departments of Defense and 
Homeland Security as well as other government agencies and non-
Federal entities.
    I have been working to secure critical government 
communications systems both as a researcher and as an 
implementer for over 25 years, and today's testimony is based 
on that experience. The most important lesson that I have 
learned in my career is that computer systems can never be 
fully trusted and can never be proven free of compromise, so we 
must focus on finding ways to conduct business, even critical 
business, on machines that are presumed to be infected. Our 
focus should be on accomplishing our goals and not on building 
and maintaining perfect computers and computer networks.
    I would like to suggest four specific shifts in the current 
national approach to cybersecurity. Each of these suggestions 
implies a role for the government and a role for the private 
sector. My intention is to highlight the strengths of each of 
these communities and to find ways that they can reinforce each 
other's interests.
    Number one: In recent years, the Nation's cybersecurity 
approach has shifted to an almost exclusive focus on data 
theft. While this trend has been going on for a number of years, it 
understandably worsened in the aftermath of the Wikileaks 
intelligence theft. Our best security analysts are being taught 
to focus their attention on indications that sensitive data is 
leaving our networks headed into enemy hands. While data theft 
is a critical problem for the government and for the private 
sector, I believe that our Nation has diverted too many 
resources away from an equally, if not more important issue: 
malicious data modification. As much as I worry about the theft 
of sensitive data and U.S. intellectual property, my greater 
fear is that an attacker will alter our data and affect our 
decision processes. This form of attack has not only economic 
consequences but can also impact public safety and confidence. 
My staff and I focus much of our research on these scenarios. 
The security community must continue to worry about data theft 
but not to the detriment of other cyber attack goals. The 
government should increase focused research and development 
investment on preserving data integrity.
    Number two: We tend to view the stacks of mobile devices 
and networking components that arrive in U.S. ports as 
pristine. When we discover a compromise, we strive to return 
these devices to their original settings. This is a 
fundamentally flawed security model. We don't have any idea 
whether our devices have been precompromised during design, 
manufacture or distribution. We call this a supply chain 
attack. As an unclassified example, a few years ago a major 
hard-drive manufacturer was discovered to have shipped brand-
new hard drives with malware preinstalled. The government, in 
part through Sandia, has been addressing these supply chain 
attacks for over three decades. The commercial companies share 
this risk with the government. The government can help industry 
by informing commercial companies of our lessons learned and 
helping those companies use their existing supply relationship 
to begin addressing this problem where it will have the 
greatest impact directly within the company's own supply 
chains.
    Number three: It is not enough that the government shares 
details of cybersecurity incidents with the community of 
interest. It also needs to develop and share strategies. 
Cybersecurity is more like a game of poker than a reaction to 
a natural disaster. Simply sharing data without rules and 
strategies prevents us from working together effectively. For 
instance, careful coordination of our activities can cause an 
adversary to reveal his identity.
    Finally, number four: The most consistent cybersecurity 
message across government and industry is that our Nation has a 
profound shortage of qualified cybersecurity experts. There are 
many efforts to educate, train and certify. Degrees and 
certifications are not enough. Cybersecurity is a new field 
that lacks scientific and engineering rigor. The best people in 
this field learn through practice and apprenticeship. They use 
judgment that is based on years of experience. The Department 
of Energy began to address this issue over 10 years ago when 
they asked Sandia to build a program that is more like a 
medical residency than a trade certification. Many of the 
people who have participated in this program have become 
national leaders in securing emerging technologies such as 
mobile device networks and cloud services. This investment has 
yielded greater returns than any other program in which I have 
been involved. Expanding this model so that all U.S. 
cybersecurity professionals learn through a residency would 
result in enormous gains for national security.
    I would like to thank you for this opportunity to testify, 
and I look forward to your questions.
    [The prepared statement of Mr. Hutchinson follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. Thank you, Mr. Hutchinson. We appreciate your 
disturbing testimony.
    Now we are going to go to Mr. Greg Shannon, the Chief 
Scientist, Computer Emergency Readiness Team, Software 
Engineering Institute at Carnegie Mellon University. Dr. 
Shannon, thank you for being here. We look forward to your 
testimony.

                STATEMENT OF GREGORY E. SHANNON

    Mr. Shannon. Thank you, Chairman Walden, Ranking Member 
Eshoo and distinguished committee members. I am honored to 
testify before you today on cybersecurity and communication 
networks. I am the Chief Scientist for the CERT cybersecurity 
program at the Software Engineering Institute, which is a 
Department of Defense FFRDC operated by Carnegie Mellon 
University.
    CERT was created in 1988 by DARPA in response to the 
moratorium incident and now we are a national asset for 
cybersecurity with 250 staff tackling our Nation's technical 
cybersecurity challenges. At CERT, we recognize the long-term 
challenges as we confront the threats, deliver pragmatic 
solutions and consider the technical roles for the private and 
public sectors. We see two important policy opportunities with 
long-term benefits.
    First is to broadly promote the use of scientifically and 
operationally validated policies, best practices, technologies, 
standards, products, etc. Validated capabilities should trump 
unvalidated ones.
    Second is to actively enable controlled access to real 
high-fidelity operational data for research. Good results 
require good data as part of a long-term solution. Rigor and 
data are the foundations of many successful technical public-
private partnerships such as National Centers for Disease 
Control, the National Highway Transportation Traffic Safety 
Administration and the National Transportation Safety Board. 
Trusted public-private collaborations represent our mature 
adoption of technology and are an important step for 
cybersecurity to become a distinguishing capability for our 
Nation.
    Understanding today's cyber threats to our communications 
networks is about more than war stories, anecdotes and scare 
tactics. Adversaries can combine supply chain and operational 
vulnerabilities in hardware, software, data and humans to 
create multitudes of attack strategies. Policies should address 
the root causes of our cyber threats and not just the immediate 
symptoms. Otherwise our adversaries will merely use another 
combination of what we haven't yet explicitly blocked, which is 
a continuously losing battle for cybersecurity.
    For decades, the public sector, often in partnership with 
CERT, has addressed the technical symptoms and root causes of 
cybersecurity threats and attacks together. At CERT, we help 
millions of programmers write secure software to address the 
root cause of vulnerable software. We help agencies protect 
critical information, critical infrastructure operated by 
hundreds of private companies to address the challenges of 
responding to active attacks with potentially serious 
consequences. Using our decade-long work on resiliency 
management and smart grid maturity models, we are helping the 
Department of Energy, DHS and the White House with the 
Electricity Sector Cybersecurity Risk Management Maturity 
Project. Such work will remove core vulnerabilities and 
decrease the impact of attacks.
    To better understand cybersecurity problems and solutions, 
the science of cybersecurity is now broadly endorsed and funded 
by key Federal science and technology agencies including the 
Department of Energy. Policymakers can assist the research 
community by explicitly requesting cybersecurity innovations 
and practices that are scientifically and operationally valid. 
Furthermore, policymakers can request data owners, public or 
private, and the research organizations who can diligently use 
the data to provide appropriate access to high-fidelity 
operational data. Only with such data can cybersecurity 
researchers learn leading attack indicators, identify 
underlying principles and evaluate solutions.
    Another role for the public sector is to improve the trust 
required for effective cyber attack preparation and response by 
clarifying public and private roles in cybersecurity, 
especially with respect to information sharing. Consider 
establishing one or more national repositories of operational 
cybersecurity data for research purposes. Access to such a 
repository would enable cyber research to reach new levels. 
Sharing cyber data with strong privacy controls would engender 
research that can look more globally and more predictably at 
the problem, especially in the long term.
    In conclusion, every day we at CERT see the value of trust, 
rigor and data in helping mitigate cyber vulnerabilities, 
threats and attacks. We look forward to the day when our Nation 
can handle cybersecurity threats and attacks with the same 
efficiency and effectiveness as our Nation's response to the 
H1N1 health crisis. Then cybersecurity will truly be a 
distinguishing national capability alongside others such as our 
ability to innovate. Thank you.
    [The prepared statement of Mr. Shannon follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. Doctor, thank you. We appreciate your 
testimony.
    And our final witness on the panel is Roberta Stempfley, 
Acting Assistant Secretary for Cybersecurity and 
Communications, Department of Homeland Security. We are 
delighted to have you here this morning and we look forward to 
your testimony.

                 STATEMENT OF ROBERTA STEMPFLEY

    Ms. Stempfley. Thank you very much, Chairman Walden and 
Ranking Member Eshoo. As you said, I am with the Department of 
Homeland Security. I have two decades of experience as a public 
servant working both in the Defense Department for 18 years and 
now almost two years at the Department of Homeland Security, 
and it is certainly a privilege for me to have the opportunity 
to come and speak to you today about the efforts that the 
Department of Homeland Security has that support the 
cybersecurity of our important communications networks.
    As you know, the private sector owns most of the national 
infrastructure in the communications environment and as such, 
protecting the communications networks is not something the 
Federal Government can or should do alone. There is no silver 
bullet to cybersecurity, as my esteemed panel colleagues have 
indicated. There is not a single tool, a single technique nor a 
single organization that is capable or accountable or 
responsible for delivering cybersecurity to the communications 
networks. But access to reliable and consistent communications 
is essential to maintaining the Nation's health, safety, 
economy and public confidence.
    Protection of communications infrastructure from this range 
of threats, national disasters, terrorism and cybersecurity, is 
of the highest priority to the Department of Homeland Security, 
and this communications infrastructure is complex. It is a 
system of systems with multiple ownerships and multiple 
interconnection points. It involves wireline, wireless, 
satellite, broadcast capabilities and serves to transport and 
enable this Internet that we live, play and function on.
    The Office of Cybersecurity and Communications in the 
Department's National Protection and Programs Directorate is 
designated the federal entity to lead the coordination with 
both the communications and information technology sectors of 
critical infrastructure. We work closely with these partners 
and ensure robust and resilient communications throughout the 
Nation.
    Within this Office of Cybersecurity and Communications, we 
have an organization called the National Communications System, 
which is the lead for the communications sector. It leads 
government-industry coordination critical in the planning, 
initiation, restoration and reconstitution of national security 
emergency preparedness service and facilities. The National 
Cybersecurity Division is responsible for leadership in the 
information technology sector and responsible for major 
cybersecurity programs that we will be speaking of today.
    Additionally, we have the Office of Emergency 
Communication, which supports and promotes the ability of 
emergency responders and government officials to communicate in 
the event of a disaster. The Office of Emergency 
Communication's focus is on that interoperable and operable 
emergency communications nationwide.
    All of these organizations and others come together in an 
operation center called the National Cybersecurity 
Communication and Integration Center. It houses the National 
Coordinating Center for Communications, a part of the National 
Communications System, the U.S. Computer Emergency Readiness 
Team, a part of the National Cybersecurity Division, as well as 
other partners from industry and across the Federal Government 
including members of the Communications Information Sharing 
and Analysis Center. Our collective efforts tie into the DHS-
wide collaboration and extend our partnership with Federal, 
State, local governments and the private sector, and together 
we work under orchestration to negate threats to the 
communications infrastructure and to build strategies for 
future success.
    Protection of that communications infrastructure is 
conducted in this holistic fashion and encompasses physical and 
cyber threat strategies. Partnerships are key and very 
important as is two-way information sharing. We have this 
information sharing real time on the floor, as I indicated, 
where 5,200 alerts were released by U.S. CERT to our partners 
over the course of the last year. The Department employs 
mechanisms to ensure that the sensitive proprietary information 
shared with us from industry is protected and that privacy and 
civil liberties are upheld. It is industry's willingness to 
share this information on a voluntary basis that speaks to the 
strong trust between DHS and its private-sector partners as we 
work forward in this situation.
    I spoke to that Communications Information Sharing and 
Analysis Center. There are information sharing and analysis 
centers within each sector. They are sector specific. And in 
that sector, we have 56 private-sector partners that were the 
first operations entity from the private sector on the floor of 
the National Cybersecurity Communications Integration Center.
    In addition, in the Department, the Secretary serves as the 
executive agent supporting the President's National Security 
Technology Advisory Committee. This committee is comprised of 
up to 30 chief executives from industries like network service 
providers, telecommunications, information technology, finance 
and aerospace companies. The NSTAC makes recommendations to the 
President on strategies and practices to secure vital 
communications links through events and crises. We also have 
worked in partnership on communication sector supply chain 
threats, an item of interest to the committee today.
    Given the increasing use of technologies such as 
smartphones by first responders, there are real innovations 
available in that situation and the Public Safety Broadband 
Network that this committee was so integral in establishing 
must be secure and reliable so that emergency responders can be 
assured that sensitive information is protected and accurate. 
DHS is committed to working with all of our public- and 
private-sector partners today including NTIA and the FCC, who I 
am pleased to be with on the panel today, to ensure we secure 
the National Public Safety Broadband Network through this 
holistic approach with equal emphasis on protecting 
confidentiality, integrity and availability.
    Thank you again for this opportunity to testify, and I am 
pleased to answer your questions.
    [The prepared statement of Ms. Stempfley follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Walden. Thank you, Ms. Stempfley. We appreciate your 
comments. We were just talking here about, as you described, 
the center out here, about maybe the subcommittee coming out to 
take a look at some point.
    Ms. Stempfley. We welcome you. Any time you would like, we 
would be more than honored to have you out there and show you the 
span of activity that goes on in that center. As I said in my 
comments, it is a place where government and industry come 
together. We have representatives not just from the 
communications sector but from the information technology 
sector, from the financial sector and from other partners on 
that floor as well as partners across government from the 
intelligence community and others.
    Mr. Walden. All right. Thank you.
    My first question would be to you. The Department of 
Commerce's Economic Development Administration recently 
suffered a cyber attack that has left the agency without 
network connectivity for several weeks, I am told. Could you 
elaborate on that situation and what DHS has been doing to 
address it, and has it been resolved?
    Ms. Stempfley. The Department of Homeland Security has 
responsibility for protection and defense of the Federal 
executive civilian branch, including the Department of Commerce; 
this includes responsibilities for supporting the Department when 
they had a compromise of the nature that you are describing at 
the EDA. We have individuals on the ground with Commerce to 
support EDA in the reconstitution of their network and are 
building it in a way that is supportive of increased security 
and the meeting of the Federal standards that are initiated 
both by the Department and the Federal Information Security 
Management Act.
    Mr. Walden. So are they still offline?
    Ms. Stempfley. I am personally not sure, sir, at the moment 
but we would be happy to follow up with you on that.
    Mr. Walden. Any idea where the attack came from?
    Ms. Stempfley. I don't know attribution in this situation. 
Attribution is generally the responsibility of law enforcement 
and the intelligence community. We are responsible for 
protection and mitigation measures, and I am happy to come back 
with our partners from Commerce.
    Mr. Walden. That seems pretty major if it has been offline 
for several weeks.
    There has been a resounding call for increased consumer 
education when it comes to cybersecurity, and this is kind of 
for everybody here. However, a report released earlier this 
month by Trustwave showed that after studying more than 300 
data breaches in 2011, nearly 5 percent of the passwords on the 
compromised networks were variations of the word ``password.'' 
So if end users cannot even wrap our heads around not using the 
word ``password'' as a password, how can we as policymakers 
form a better understanding of a complex topic like route 
hijacking? Does anybody want to take that one quickly?
    Mr. Shannon. At Carnegie Mellon University, there is a 
large number of researchers studying how to make security and 
privacy usable and it is turning out to be very daunting. The 
password research has shown that people do reuse passwords. 
When you get populations of passwords together, it creates a 
vulnerability. So it becomes clear that individuals--it is 
difficult for us to rely on individuals to be the foundation of 
security.
    Mr. Walden. I want to ask a different question of you, Dr. 
Shannon. Some of the vulnerabilities in compromised systems 
persist despite common knowledge among computer programmers of 
the problem. For example, ``SEQUEL,'' the Structured Query 
Language injection, has been one of the most common vectors for 
database attacks for years, I am told. How do we change the 
culture of coding to ensure that security is more of a focus?
    Mr. Shannon. One is by providing explicit guidelines, which 
we have been doing for the last 10 years. ``SEQUEL'' is not a 
language that we have tackled. We have been focused on C++ and 
Java and the C programming language. Part of the challenge is 
that we do not control where the programs are written so they 
may be written offshore under economically stressed and time 
constraints. So it is a challenge of improving the general 
practice, and providing coding standards is our step in that 
direction.
    Mr. Walden. All right. Thank you.
    Mr. Hutchinson, you recommended, I think, four points of 
things we should look at and talked about the supply chain 
issues and this notion of precompromises of hardware with 
malware installed. Are there more examples of that we should be 
aware of in this setting?
    Mr. Hutchinson. In this setting, I can't cover. The 
examples I am aware of are classified. But, you know, I would 
very much welcome a classified discussion on that topic.
    Mr. Walden. Could you speak more about the malicious data 
modification issues in this setting? What does that mean? What 
are we seeing as examples?
    Mr. Hutchinson. So just for context, when you--when an 
event occurs on a network, the most normal thing for an analyst 
to do is to look for the exfiltration of data from that 
network, to analyze malicious code to determine whether it is 
stealing data from the network and pointing it in the direction 
of the adversary. The malicious modification would be something 
that the compromise leaves behind that alters the data, changes 
the nature of the data, changes emails, things like that.
    Mr. Walden. I see. OK. And a question I have asked all the 
panels we have had before, sort of in with the Hippocratic 
oath, first, do no harm. Do you each, could you real quickly 
just say what is the one caution you could offer as we 
promulgate legislation? Ms. Alexander, what shouldn't we do?
    Ms. Alexander. I think it is important that as you consider 
ways to deal with this important issue, there is a grounding 
and understanding of how the network actually works so that the 
rules that are developed don't inadvertently undercut some of 
the other activities.
    Mr. Walden. All right. Admiral Barnett?
    Mr. Barnett. So I think it is important to make sure that 
we don't cut off this engine of innovation, that as we move 
forward that we continue to have that openness. But I would 
also say that as you do it, you have to look at the performance 
metrics. Are the things that we are doing actually having some 
effect? We have to have data driven to make sure that we are 
actually doing some good.
    Mr. Walden. Mr. Hutchinson?
    Mr. Hutchinson. So there are some very strong relationships 
in helping this problem like the relationship between DHS and 
NSA. Anything that would harm that relationship I think would 
be hurtful to the government.
    Mr. Walden. Keeping open communication?
    Mr. Hutchinson. Yes, that communication and the 
relationship between the NSA and applying classified approaches 
to this otherwise unclassified problem I think is 
extraordinarily valuable.
    Mr. Walden. OK. Dr. Shannon?
    Mr. Shannon. I think we need to protect innovation, as the 
admiral mentioned. There is a balance between too little 
security that allows for the loss of intellectual property and 
then onerous security that imposes a tax on innovation in the 
long term and makes us no better than other countries that are 
more restrictive in how their citizens behave, so I think there 
is a real balance to maintain there to promote innovation.
    Mr. Walden. All right. Ms. Stempfley?
    Ms. Stempfley. As several individuals have identified, 
there are relationships and partnerships and multiple 
organizations that are involved, and those relationships must 
equally be sustained and we must continue to empower the 
multiple organizations that are involved here.
    Mr. Walden. Thank you all very much.
    Now I turn to Ms. Eshoo for questions.
    Ms. Eshoo. Thank you, Mr. Chairman, and to each of the 
witnesses, thank you. Excellent testimony. There was a group of 
students that were here, and you are facing this way, but I 
couldn't help but notice that they all left en masse, and I 
thought we have either scared the hell out of them or bored 
them. I don't know. I think that that might apply to us as well 
because there are so many moving parts to this.
    I have a whole list of very specific questions but I want 
to set those aside. I will put them in writing to you, and I 
don't think we need to ask for unanimous consent, no, because 
members can ask questions in writing of the witnesses.
    When we look at the whole issue of cybersecurity, it is my 
understanding that 5 percent responsibility in the public 
sector, the government. Ninety-five percent of this rests with 
the private sector. Now, CSRIC has come up with some 
recommendations. Both the chairman and myself and I think that 
other members have referenced it. Maybe some of you did in your 
testimony. But I want to ask you the following question, and I 
appreciate the rather deep dives that you have done on your 
specific area of expertise and what your observations are. But 
for each one of you, on the 5 percent, which is the government, 
what is the top recommendation that you would make to us that 
we need to take into consideration that will help remake the 
landscape into a very smart one to address the threats that 
come to us relative to cybersecurity in the government. Ms. 
Alexander, I don't have a lot of time. We have got, like, 3 
minutes for five of you.
    Ms. Alexander. Sure. I think in addition to this idea of 
continuing innovation and voluntary codes of conduct, 
government is very powerful as a user and so we can set 
examples and we influence procurement patterns. I think that is 
one of the most powerful things that we can do as government.
    Ms. Eshoo. Excellent. Thank you very much.
    Admiral, thank you for your wonderful work.
    Mr. Barnett. Thank you, ma'am. So I think continuing to 
seek voluntary and industry-based solutions is the bedrock, 
incentivizing that and looking for that, and then obviously as 
almost every person mentioned in your openings, we really have 
to tackle the supply chain.
    Ms. Eshoo. Thank you.
    Mr. Hutchinson. So maintaining opt-in alternatives for 
industry to seek government's help in incentivizing those I 
think is critical, and the supply chain is an area that will 
become increasingly problematic, and I think we need to work 
hard with industry to take the government know-how.
    Mr. Shannon. I would say trust is----
    Ms. Eshoo. Excuse me. I am sorry, Dr. Shannon. Let me get 
back to you, Mr. Hutchinson. Are you suggesting that practices 
on the public side is something that the private side can gain 
a great deal from, or is it the other way around?
    Mr. Hutchinson. Yes, this is a problem that the private 
side does not understand well and the government understands 
very well yet the private side has the problem to the same 
degree that the government does, so this is a great opportunity 
for the government to inform.
    Ms. Eshoo. Thank you.
    Dr. Shannon?
    Mr. Shannon. Since the public is the hands that carries, 
you know, as you mentioned, carries out the most activity, it 
is the public sector's opportunity to promote trust, and that 
is really one of the distinguishing capabilities of our 
society, and as Jim Lewis has said in our venues, it is 
something that distinguishes us from our adversaries may 
approach things. So promoting trust I think is the real 
opportunity on the government side.
    Ms. Eshoo. Thank you.
    Ms. Stempfley. Continue refinement in statute of the 
authorities of the government in a situation----
    Ms. Eshoo. Excuse me. What?
    Ms. Stempfley. Continue refinement in statute of 
authorities of organizations such as the Department of Homeland 
Security.
    Ms. Eshoo. What does that mean?
    Ms. Stempfley. Excuse me?
    Ms. Eshoo. What does it mean?
    Ms. Stempfley. So what that means, ma'am, is what you find 
in the Department is that our authorities are spread across 
multiple statutes and multiple directives, and it is a bit of 
patchwork landscape for us and provides great----
    Ms. Eshoo. Well, that is the story of DHS.
    Ms. Stempfley. Yes, ma'am. So if we refine that relative to 
statute, that will put some clarity in terms of this and enable 
stronger information sharing and information sharing in action.
    Ms. Eshoo. Let me ask you something about this--it sounds 
to me like a mini NSA with the center. Do you deal with things 
after the fact and then you can advise Federal agencies about 
how a cyber threat has affected them or do you defend the 
workings of agencies so that they don't experience it? I am not 
so sure what this group does. We would like to come out and see 
it. Can you answer that for us? I am trying to picture it and 
what you do.
    Ms. Stempfley. I certainly can, ma'am. We do--we provide 
prevention information and standards for Federal executive 
civilian branches to follow that are about raising the security 
of their branch so items they must do in order to be--in order 
to meet the standard, and then we provide response actions when 
something goes wrong as well as detection and prevention 
activities at the boundary.
    Ms. Eshoo. Well, I am over my time, and I thank all of you 
for not only the work you do but making that come alive here in 
your testimony. Thank you.
    Thank you, Mr. Chairman.
    Mr. Walden. Thank you.
    We will now turn to Mr. Terry, the vice chair of the 
subcommittee, for questions.
    Mr. Terry. Thank you, Mr. Chairman, and I want to follow up 
on both of the sets of questions.
    Admiral Barnett, I want to commend you for the job in 
CSRIC, and could you just briefly go over the main principles, 
the five main principles that are outlined by CSRIC?
    Mr. Barnett. There are actually major things, and I am very 
pleased to have with me Jeff Goldthorpe, who is our Associate 
Bureau Chief for Cybersecurity, who really led and put together 
this incredible team. So the first one was the anti-bot code of 
conduct for ISPs. All of these address ISPs. They are all 
voluntary industry based. And basically the five tenets under 
the anti-bot thing is education of the public so they 
understand what the problems are, and that obviously goes to 
prevention; detection when they are infected; providing notice 
to them that their computer is infected because most of the 
time they don't realize that their computer is infected, and 
then giving them some tools or some resources in order to get 
their computer cleaned and in collaboration to make sure that 
that information is spread across other ISPs so we're refining 
all this together.
    And with regard to DNSSEC, it is encouragement to move 
forward on implementation so to make all DNSSEC servers DNSSEC 
aware, and on the Internet route hijacking, which as the 
chairman mentioned is a little bit arcane and hard to 
understand, but the main thing is, is establish a secure, 
authoritative database in which addresses can be registered so 
this would probably be with the American Registry of Internet 
Numbers. And then ISPs can actually check their routes against 
it and it will be authoritative. They will know where it is 
going. We think this will get rid of all of the misrouting and 
will do a lot to help us detect malicious routing. So those 
would be the three main things.
    Mr. Terry. All right. You mentioned a key phrase in there, 
voluntary and industry based. Can you tell us why it is 
important that standards and ways of implementing what you 
stated should be voluntary and industry based?
    Mr. Barnett. The FCC as a regulator actually has a long 
history of working with industry to come up with best 
practices. As a matter of fact, the FCC's NRIC, a predecessor 
of CSRIC, came up with the first cybersecurity best practices 
back in 2002. So by getting the experts together in the same 
room and coming up with best practices with codes like this, we 
think we can get a lot of things done. And it is also important 
as CSRIC's work continues to make sure that we have the metrics 
to understand, are those voluntary measures actually having the 
effect we want to so CSRIC's work actually continues.
    Mr. Terry. All right. Starting with you, Ms. Alexander, do 
you agree with those principles?
    Ms. Alexander. Yes. At NTIA we would very much support a 
multi-stakeholder approach to Internet policymaking, and it is 
really important that the breadth of stakeholders that are 
involved in the ecosystem be part of these processes.
    Mr. Terry. How about voluntary and industry does their own 
standards?
    Ms. Alexander. Yes, sir.
    Mr. Terry. Mr. Hutchinson, what do you think?
    Mr. Hutchinson. I agree with the voluntary nature of the 
standards. One thing that we need, though, is better 
experimentation around what constitutes best practices rather 
than just a declaration. We need to be able to conduct 
experiments.
    Mr. Terry. Good point.
    Mr. Shannon, you are the one non-Federal Government 
employee at this panel.
    Mr. Shannon. Yes. I actually participated in the 2002 NRIC 
discussions, so I understand the value of that collaboration. 
As the admiral mentioned, I agree that putting metrics in place 
to determine if they are being effective is appropriate. You 
know, take the lightest weight approach first. If voluntary 
compliance works, then that is excellent, and it would be 
wonderful to have metrics that confirm that.
    Mr. Terry. Very good.
    And Ms. Stempfley?
    Ms. Stempfley. Thank you, sir. I believe that the 
innovations that industry provides and the best practices they 
provide are incredibly useful and very vital in our success in 
this environment and bringing them together in a voluntary 
nature is very important. As we go forward with the metrics 
associated with those, their effectiveness and their use I 
think is the place where we need to----
    Mr. Terry. There is some effort by some Senators and 
members that state that Homeland Security should be the one 
developing with industry the standards for cybersecurity in the 
private sector. Do you agree with that?
    Ms. Stempfley. I believe that Homeland Security's 
responsibilities are building standards across critical 
infrastructure and working with the sector experts in each 
sector for standards for cybersecurity.
    Mr. Terry. How would you develop those standards?
    Ms. Stempfley. We would develop----
    Mr. Terry. And how would you enforce them? By rule?
    Ms. Stempfley. I am sorry, sir. I didn't hear you.
    Mr. Terry. Would that include developing rules then?
    Ms. Stempfley. I believe that we need to bring industry 
together in order to determine within each sector what is 
important and then identify where we need to put in place best 
practice and rules or other mechanisms for assurance of 
compliance with best practices.
    Mr. Terry. I would respectfully state that I disagree, and 
I think, frankly, putting an agency in charge of developing 
rules, even with collaboration, is dooming that industry. Yield 
back.
    Mr. Walden. The gentleman yields back his time.
    I now recognize the gentlelady from California, Ms. Matsui.
    Ms. Matsui. Thank you, Mr. Chairman.
    An integral part of how the government is asking agency 
reform to IT purchasing involves greater use of the cloud. As 
the government's Chief Information Officer has said, last year 
agencies successfully migrated 40 services to the cloud and 
were able to eliminate more than 50 legacy systems in order to 
save taxpayer dollars while expanding capabilities. I have a 
question for Admiral Barnett, Ms. Alexander and Ms. Stempfley. 
Some of the government agencies here today are using cloud 
services. What can you share with us from your early 
experiences with regard to cyber protections and threats? Ms. 
Alexander?
    Ms. Alexander. I am actually not the Department's expert on 
cloud issues but I would be happy to make sure we get you an 
answer for the record.
    Ms. Matsui. Admiral Barnett?
    Mr. Barnett. Thank you, ma'am. So cloud services, my former 
colleague at FCC, Steve VanRoekel, has highlighted how valuable 
cloud services can be. It does emphasize the need to make sure 
that the transport between the user agency or company and that 
cloud is secure and reliable. It is another thing that we and I 
think the people that you see at this table are considering is 
what happens for continuity of operations, continuity of 
government, and so there is some considerations we need to make 
sure on that, but really it emphasizes some of the very same 
things that we have talked about today is the network 
reliability and security.
    Ms. Matsui. OK. Ms. Stempfley?
    Ms. Stempfley. Cloud presents some really good 
opportunities to get your arms around configuration management 
and architecting opportunities so to get at the root cause. It 
also has some particular threat opportunities as well, as 
Admiral Barnett indicated, and you have to look at it in that 
holistic lens as we move forward, and it is certainly a part of 
the government's program to do so.
    Ms. Matsui. OK. But as the private sector moves 
increasingly to the cloud, what challenges do you foresee?
    Ms. Stempfley. So I think as Admiral Barnett indicated, 
bringing all of the content together into a single place 
presents a route diversity requirement and a continuity 
requirement. Cloud also presents the opportunity to overcome 
that within the way the cloud is architected. So it is a 
wonderful capability for us but it is one of those where it is 
both a challenge and an opportunity simultaneously.
    Ms. Matsui. OK. Thank you.
    Dr. Shannon, it is my understanding that there are a number 
of clearinghouses, area clearinghouses, that are used to store 
information relating to cyber threats. U.S. CERT acts as one of 
these clearinghouses. What is the relationship between those 
silos and industry and government sharing? Can any company 
access your clearinghouse or do they need to be a member of 
some sort?
    Mr. Shannon. CERT is part of an FFRDC collaboration along 
with NIST to create vulnerability databases, and that is a 
public resource that is widely available. Of course, we also 
participate in government-focused ones, and that is part of the 
policy decisions that need to be made that are part of the 
discussions about how to share that more broadly.
    Ms. Matsui. OK. So with multiple clearinghouses, does it 
make sense to have a streamlined process for information 
sharing for any stakeholder who is threatened with attack or at 
risk?
    Mr. Shannon. Anyone who is under threat or under attack 
needs to know where to turn to, and I think providing that 
clarity is part of what policymakers can help resolve. There 
have been times when CERT has served that purpose, U.S. CERT has 
served that purpose, and as Ms. Stempfley indicated, there is 
confusion.
    Ms. Matsui. OK. Admiral Barnett, I am pleased to hear you 
already have commitments from major ISPs to implement CSRIC 
recommendations. How do we share that with smaller companies 
with likely much fewer resources have the ability and 
incentives to do the same?
    Mr. Barnett. It is a great question, ma'am. One of the 
things I think you will see is that these things are going to 
start becoming the industry standard, reviewing a lot of 
flexibility for companies and how they implement them and over 
what time. Hopefully they can do them along with their normal 
business processes working with the American Cable Association 
or maybe the smaller systems to figure out what are the best 
ways, and one of the major things, as I mentioned, CSRIC's work 
continues. The next things that we set them on is, what are the 
barriers to implementation, how do we get over those. So these 
same great experts are going to come back together and start 
working on those very things.
    Ms. Matsui. So there is a concerted effort to reach out to 
some of the smaller companies?
    Mr. Barnett. Yes, ma'am.
    Ms. Matsui. OK. That is great. Good.
    Let me see. Dr. Shannon, in your testimony, you stress the 
importance of secure coding so initiatives such as addressing 
root causes of cyber threats. Is this concept applicable to 
apps that are downloaded to mobile devices that connect to the 
Internet such as smartphones and our tablets?
    Mr. Shannon. Yes. It is highly applicable. I mean, there is 
two parts of the app's development environment. One is the 
infrastructure and that needs to be coded securely. Fortunately 
for the app developers, there is a more constrained environment 
so it is a possibility for the ecosystem owner to help protect 
the users and to ensure that the app developers are developing 
appropriate apps. But part of it is, is that, you know, we will 
find vulnerabilities there and that is how you train, you know, 
the teenagers that are writing the apps to write them 
correctly. I mean, it is a serious challenge but, you know, it 
is that balance with innovation.
    Ms. Matsui. Sure. OK. Thank you very much.
    Mr. Walden. You hire them at Sandia Labs.
    We will go now to the gentlelady from California, Ms. Bono 
Mack, for questions.
    Mrs. Bono Mack. Thank you, Mr. Chairman.
    Ms. Stempfley, I can't see you over there, but my first 
question is directed to you. Since Congress created the 
Chemical Facility Antiterrorism Standards, or what we call 
CFATS, program in 2007, there have been ongoing problems with 
the way DHS has managed the program. These problems include DHS 
improperly tiering 600 chemical facilities, wasteful spending 
and the inability of DHS to properly train the workforce 
responsible for carrying out the chemical security program. 
Hundreds of millions have been spent on CFATS. We find 
ourselves with a program that has been mismanaged, wasted 
taxpayer dollars, and no assurance that our chemical facilities 
are in fact secure.
    Can you tell me with these significant problems in the 
instance of CFATS how you could possibly assert to this 
committee that DHS will not mismanage cybersecurity?
    Ms. Stempfley. Ma'am, thank you very much for the 
opportunity to address that. The differences between chemical 
facilities and information technology and communication are 
fairly profound in that situation, and so as we work as a 
department of experts brought together and engage in these 
discussions with industry about what are the basic standards 
that are necessary, we envision building those basic standards 
in that scenario and then learning lessons across the 
Department from areas where we have worked through issues. We 
want to ensure that we don't make the same mistakes a second 
time.
    Mrs. Bono Mack. With all due respect, I didn't really hear 
an answer in your answer, but I would say to you that perhaps 
there are differences between chemical facilities and 
cybersecurity yet I think from the American people's point of 
view, it is the bureaucracy, and I think you have rattled off 
quite a list of acronyms but I don't know that my constituents 
would feel safer by the list of acronyms that you have used. In 
fact, to me, did I mishear you? The example of the EDA's Web 
site or network being down for weeks when you were asked a 
question by the chairman, you know, what do you and you are 
responsible for prevention and mitigation. Is that not an 
example, though, of failure of all of these bureaucracies to in 
fact work together well?
    Ms. Stempfley. The example presented by the chairman, 
ma'am, with Commerce is an example where we in the Department 
and the Department of Commerce have joint action that must be 
taken. So in that scenario, the Department of Commerce has the 
responsibility for the management and security of their systems 
in building them and in operating them following the standards 
set by the Department of Homeland Security.
    Mrs. Bono Mack. Thank you.
    To Admiral Barnett, you know, I agree that the Federal 
Government should be involved in our country's cybersecurity 
efforts, absolutely, but they should be enhancing cooperation 
and they should be the facilitator, not a regulator. Can you 
elaborate a little bit on your thoughts on the value of a 
cooperative relationship with the private sector versus a 
regulatory one?
    Mr. Barnett. Yes, ma'am. So certainly the CSRIC actions 
last week are an example of that, but there are many, many 
others. CSRIC also addresses cooperation in the 
telecommunications industry on next-generation 911, on 
emergency learning, and as Dr. Shannon mentioned, we have done 
this for years and years. I think it is helpful when you have 
the regulator who is the expert in the United States to be 
involved with this. They will sit down with industry, just like 
the experts that I mentioned that I brought with me today. We 
have experts in other areas like the ones I have mentioned in 
next-generation 911, to be able to sit down with industry to 
pull them together, and quite frankly, that is one of the 
reasons that we were able to pull together these experts to 
come up with voluntary industry-based solutions.
    Mrs. Bono Mack. Thank you. I think my biggest concern is 
recognizing how quickly the cyber world knows and the bad guys 
are by nature one step ahead of the good guys, so the question 
really is, with all of the regulatory hurdles potentially, how 
do we really keep pace with the threat?
    Mr. Barnett. Yes, ma'am. So recognizing that the large 
majority of telecommunications cybersecurity are in private 
hands, there are a couple of things to that. They are the first 
line of defense. Our actions, and I think what you have heard 
mostly from these panelists, is to enhance those but we also 
have to recognize something else. It is not working. We 
wouldn't be here concerned about this if that was enough, and 
so as Dr. Shannon mentioned, we have to have metrics to make 
sure that the voluntary methods that we are employing work, and 
then beyond that to look at whatever else. Hopefully there 
would be other things that we could do, so information sharing 
is one thing. There may be other best practices that we can do. 
But the thing that is an absolutely prerequisite on this is, we 
have to make sure that they are effective because we cannot go 
on any longer the way we are now.
    Mrs. Bono Mack. Thank you. My last question, and then I am 
out of time. To any of you, are government agencies able to 
effectively combat cyber agitators that we are very well aware 
of right now like Anonymous and WILSEC and what are we doing to 
stop their attacks. To anybody I will pose that question and 
then I am out of time.
    Ms. Stempfley. Government departments and agencies every 
day are working to defend against threats as you indicated both 
in terms of Anonymous and WILSEC, and in the instance where 
they have been unsuccessful, we work in partnership to help 
them overcome the impacts of those attacks in that situation 
through a layered defense strategy which includes things like 
the Einstein program and things like the establishment of 
standards through the Federal network security programs.
    Mr. Shannon. I would say just briefly, I would encourage 
you to talk to the law enforcement community. I think they have 
been doing a very effective job given some of the recent 
arrests in that area.
    Mrs. Bono Mack. All right. Thank you, Mr. Chairman, for the 
time and I yield back.
    Mr. Walden. The gentlelady yields back, and Admiral 
Barnett, we agree with you on the accountability and matrix and 
all that.
    Mr. Dingell for 5 minutes.
    Mr. Dingell. Thank you, Mr. Chairman. I hope you are not 
still smarting from yesterday's handling of that legislation.
    Good morning. This first question will be to all witnesses 
yes or no. Ladies and gentlemen, industry witnesses told this 
subcommittee on March 7, 2012, that the Federal Government 
would facilitate better interindustry and public-private 
information sharing. Do you agree with that opinion? Yes or no, 
starting with Ms. Alexander.
    Ms. Alexander. Yes.
    Mr. Dingell. Admiral?
    Mr. Barnett. Yes, information sharing can be a government 
role.
    Mr. Dingell. Just yes or no, because I am running out of 
time.
    Mr. Hutchinson. Yes.
    Mr. Shannon. Yes.
    Mr. Dingell. Ma'am?
    Ms. Stempfley. Yes.
    Mr. Dingell. Good. Again, to all witnesses, again, yes or 
no. Senator Lieberman's cybersecurity bill, S. 2105, requires 
the Secretary of Homeland Security to promulgate risk-based 
cybersecurity performance requirements for owners of critical 
infrastructure. Do you believe the promulgation of such 
requirements is wise? Yes or no.
    Ms. Alexander. Yes.
    Mr. Dingell. Admiral, they don't have a nod button. You 
have to say yes or no.
    Mr. Barnett. Yes.
    Mr. Dingell. All right. Next witness.
    Mr. Hutchinson. Yes.
    Mr. Shannon. No comment.
    Ms. Stempfley. Yes.
    Mr. Dingell. Thank you. Now, this is for all witnesses. 
Similarly, do you believe promulgation of such performance 
requirements would stifle innovation and harm industry's 
ability to protect consumers from cyber threats? Yes or no. Ms. 
Alexander?
    Ms. Alexander. No.
    Mr. Dingell. Admiral?
    Mr. Barnett. No.
    Mr. Dingell. Next witness.
    Mr. Hutchinson. Yes.
    Mr. Dingell. Next witness.
    Mr. Shannon. It is a risk.
    Mr. Dingell. Next witness.
    Ms. Stempfley. No.
    Mr. Dingell. All right. Now, Admiral Barnett, you mentioned 
in your testimony the Communications Security, Reliability and 
Interoperability Council--that is CSRIC--recommendations about 
preventing domain name spoofing, route hijacking and botnet 
attacks. These recommendations are voluntary, are they not?
    Mr. Barnett. Yes, sir.
    Mr. Dingell. Now, again, Admiral, how many Internet service 
providers--ISPs--have adopted CSRIC's recommendations?
    Mr. Barnett. There are nine Internet service providers that 
have pledged to implement those recommendations.
    Mr. Dingell. Out of how many?
    Mr. Barnett. Well, there are literally thousands, I guess, 
when you start talking about the small cable operators, and we 
are working with the various associations----
    Mr. Dingell. So what you are telling me is, you have a 
penetration of nine out of thousands?
    Mr. Barnett. Well, we have a penetration that will cover 80 
percent of American Internet users right from the beginning and 
we will continue to go towards 100 percent.
    Mr. Dingell. Of course, if they can shut down your banking 
industry, they can shut down your electrical utility industry, 
your handling of your net, they could shut down the natural gas 
pipeline system in this country, refineries, auto companies, 
God knows what else they can shut down with that kind of 
opportunity available.
    Mr. Barnett. That is why we are going to continue to work 
for 100 percent.
    Mr. Dingell. When will you hit 100 percent? Do you have any 
idea?
    Mr. Barnett. We don't at this particular point but I felt 
pretty good about getting 80 percent commitment from the 
beginning, and we are going to continue work on the barriers to 
implementation so that we can get even the smaller Internet 
service providers as soon as possible.
    Mr. Dingell. All right. Now, to all witnesses, similarly, 
can and should CSRIC's recommendations be adopted by the FCC or 
other Federal agencies and thereby be made mandatory? Please 
answer yes or no, but I would very much appreciate a written 
submission explaining your comment, starting with you, Ms. 
Alexander.
    Ms. Alexander. No.
    Mr. Dingell. Admiral?
    Mr. Barnett. No, sir.
    Mr. Dingell. Next witness.
    Mr. Hutchinson. No.
    Mr. Shannon. Only when there is supporting data.
    Mr. Dingell. Next witness.
    Ms. Stempfley. No, sir.
    Mr. Dingell. Thank you. And please submit that. I am sorry 
to do that to you but the time here is rather limited.
    Ms. Alexander, your testimony focused largely on domain 
name security extensions. As you know, Internet Corporation for 
Assigned Names and Numbers, ICANN, has signaled its intention 
to increase by many fold the number of generic top-level domain 
names. Is NTIA concerned that such expansion may complicate 
efforts to deploy DNSSEC as well as compromise DNSSEC's future 
effectiveness? Yes or no.
    Ms. Alexander. No, sir, it is a requirement.
    Mr. Dingell. Would you submit an appropriate further 
response on that matter?
    Ms. Alexander. Absolutely.
    Mr. Dingell. Now, other witnesses, do any of you, starting 
with you, Admiral, care to comment on Ms. Alexander's comments?
    Mr. Barnett. No, sir.
    Mr. Dingell. Next witness.
    Mr. Hutchinson. No comment.
    Mr. Dingell. Next witness.
    Mr. Shannon. Any technology that hasn't been deployed for 
decades may potentially have vulnerabilities, and that is 
always a fundamental challenge in the age of the Internet. 
There are unforeseen uses decades down the road. Leading 
academics have contributed to DNSSEC. It is one of our best 
efforts to try and tackle these issues, so I am confident that 
it will stand the test of time.
    Mr. Dingell. Ms. Stempfley?
    Ms. Stempfley. No comment.
    Mr. Dingell. Thank you.
    Thank you, Mr. Chairman, for your courtesy.
    Mr. Walden. Thank you.
    We will now go to Ms. Blackburn for 5 minutes for 
questions.
    Mrs. Blackburn. Thank you, Mr. Chairman, and I want to 
thank all of you for your time and for being here.
    Mr. Hutchinson, I want to come to you first and ask you 
about the program that you all have that you liken to a medical 
residency in cybersecurity. So what I would like to know is how 
that is structured, if you could give us a little bit more 
detail. Is it public-private partnership? And the reason I ask 
this is because in the area that I represent in Tennessee, 
there around Nashville, we have so many individuals that 
started working on the entertainment industry platforms and 
they have moved to defense informatics or over to health care 
informatics and then some of them are in financial service 
informatics, and we see so much sharing on the skills that are 
there to keep the backbone of the Internet safe, if you will, 
and I think it is fascinating that you all have done something, 
but as we talk about having a trained workforce who is able to 
handle this, it sounds like a good idea and I would love a 
little detail if you are able to share that.
    Mr. Hutchinson. Yes. Thank you for that question. What we 
realized is that technology is nowhere near ready to protect 
our networks, that it really requires people and it requires 
creative people who can adapt to lots of technology and tools. 
When we built this program, we focused on bringing the 
participants together in a common environment, to carefully 
pair those individuals and team them with mentors, and to 
create----
    Mrs. Blackburn. Let me stop you right there. How do you 
select individuals for this program? How do you pick them out 
and select them?
    Mr. Hutchinson. OK. So in the early days, we selected them 
through an application and resume and interview process. Today, 
there is a lot of referrals, so we get referrals from people 
who understand this program, and so we place them in this 
environment. They work together on teams. They work on actual 
national security problems. They learn security through that 
experience. They learn all the balances and the gives and takes 
and what makes cybersecurity particularly difficult, and as 
they build these projects out and make these tradeoffs, they 
just gain the type of instinct that a medical student must also 
gain in a residency program.
    Mrs. Blackburn. OK. That sounds great. Now, any of the 
graduates of your program, if you will, and I use that just as 
a term to kind of look at those that have come through, how 
many have come through the program?
    Mr. Hutchinson. So I can provide an exact number for the 
record but it is about 500.
    Mrs. Blackburn. OK. That sounds wonderful. Have any of them 
been helpful going forward in identifying risk or threats to 
the system or maybe writing programs that help to foil any of 
the threats? What kind of participation and results are you 
seeing?
    Mr. Hutchinson. So the people who have been through this 
program are distributed to industry, they are in government 
service, they work for national labs and other FFRDCs, and 
there are many cases where they have developed tools that were 
able to identify a particular breach of a network or to develop 
algorithms that can provide things like directions toward 
attribution and criminal investigation, digital forensics 
capability. There is a long list of achievements.
    Mrs. Blackburn. So you are seeing solid results?
    Mr. Hutchinson. Solid results from these individuals.
    Mrs. Blackburn. OK. That sounds great.
    This is something I would like to hear from each of you, 
and I only have 1 minute left. As I mentioned earlier, we are 
working on cybersecurity legislation, and the question that 
always comes up is, how narrow do you make it or how broad. And 
I have appreciated hearing your testimonies today. So how 
narrowly or broadly should Federal legislation define what can 
or cannot be shared between governments and private entities 
and should there be specific requirements on PII about innocent 
consumers being taken out of data packets before it can be 
shared with any other government agencies?
    Mr. Shannon. I encourage you to consider legislation that 
is broad in the sense of supporting people who need to do the 
right thing in response to incidents. In terms of more 
prescriptive approaches, I encourage you to use data-driven, 
you know, pilots essentially to verify that a policy that is 
being considered that may be prescriptive is actually going to 
be effective.
    Mrs. Blackburn. OK.
    Ms. Stempfley. I would like the opportunity to come back to 
you via technical assistance or others and describe the 
processes we use in the Department today for how to protect 
privacy and other considerations where what we are mostly 
focused on are indicators, the specific technical pieces of 
information that are useful. While it is not possible to always 
avoid in that indicator selection of some things that may be of 
concern, we have strong protection measures in place to ensure 
as we are working to get to the indicators the malicious code, 
so I would like to follow up.
    Mrs. Blackburn. Thank you. I appreciate that. I yield back.
    Mr. Walden. I thank the gentlelady and now I turn to Mr. 
Stearns for final questions.
    Mr. Stearns. Thank you, Mr. Chairman. I think maybe you 
heard my opening statement talking about Shawn Henry, the FBI's 
top cyber cop, and so I was going to ask each of you starting 
with you, Ms. Alexander, Mr. Henry told the Wall Street Journal 
that we are not winning the cybersecurity battle. He went on to 
say ``We have been playing defense for a long time, and you can 
only build a fence so high, and what we found is that the 
difference that the offense outpaces the defense and the 
offense is better than the defense.'' Do you agree or disagree 
with the assessment of Shawn Henry?
    Ms. Alexander. Thank you very much, Congressman. I am not 
familiar with the article or what he said but I would say he 
just points to the reason why we are here today and why we are 
all working so closely across the Federal Government to be 
vigilant dealing with these issues.
    Mr. Stearns. Admiral?
    Mr. Barnett. Yes, sir, I would agree with him. We cannot 
sustain the way it is going right now. We have too much of our 
economy that is now invested in ones and zeros. There are so 
many other things, verticals, critical infrastructures, that 
depend on our communication infrastructure to impact it. So we 
have to take action, and so I think what you have heard here 
today is a call for that. And in answer to your response, we 
appreciate this hearing to focus on it.
    Mr. Stearns. Mr. Hutchinson?
    Mr. Hutchinson. Attackers do have an easier job than a 
defender has, and that is problematic, and it is resource-
depleting. I completely agree with the assessment that the 
defenders are on the wrong side economically. I mean, it is 
very easy for an attacker to attack a system and cause a lot of 
money to be spent in defending that system. But the solution is 
to accept that our networks will never be free of compromise 
and to find ways that we can operate in the face of compromise, 
and that is an open research challenge. There is certain 
progress in that direction and I would encourage additional 
support for those forms of research objectives.
    Mr. Stearns. Dr. Shannon?
    Mr. Shannon. It is a dramatic article. I have not read it. 
It is certainly the sort of articles that we have seen for many 
decades in the area of cybersecurity. They just tend to get 
more press these days.
    You know, I would encourage you to remember that it is 
about root causes versus innovation. You know, we all received 
email this morning, the sky isn't falling. There are serious, 
serious challenges but it is easy to get a little carried away, 
in my view.
    Mr. Stearns. So would you agree with him or not?
    Mr. Shannon. I don't think it is just going to be so 
dramatic.
    Mr. Stearns. OK.
    Mr. Shannon. That is my personal opinion.
    Mr. Stearns. I appreciate your honesty here.
    Mr. Shannon. After being with colleagues who were dramatic, 
you know, 20 years ago about these issues.
    Mr. Stearns. OK. Ms. Stempfley?
    Ms. Stempfley. Thank you, sir, and thank you for the 
opportunity with this hearing because I think the thematics of 
that article are certainly what we are talking about today, and 
as I said, there is no single solution in this situation, and 
so if the premise of the article is that we need to make 
changes in order to increase awareness and importance of the 
cybersecurity challenges, then I would agree with that.
    Mr. Stearns. OK. Admiral Barnett, I think you told Ms. 
Eshoo earlier that we need to focus on supply chain 
vulnerabilities. I had a hearing as chairman of the Oversight 
and Investigations Subcommittee yesterday just on that with the 
Department of Energy, and frankly, they are doing catch-up. CBO 
had a report that came out mentioning that the Department of 
Defense and the DOE admit that they just started looking at 
ways to look at cybersecurity in the supply chains. So I just 
wonder if you had anything you would like to elaborate on 
regarding the supply chain vulnerabilities.
    Mr. Barnett. Well, at the FCC we have been looking at this 
for the 2 years that I have been there, and I know we have been 
working with other governmental partners on this. One of the 
things that is apparent as we look across the authorities for 
whatever else you can say about it is the authorities that we 
have right now were not designed to address the supply chain 
challenges we have right now, so additional work needs to 
continue. There are a couple of approaches that I hear going 
on. One is a kind of a transactional approach. One I think I am 
intending to favor better right now is a supply chain risk 
management where it is a tiered approach, and the most critical 
elements of our communications network are provided the most 
protection. That allows a little bit more flexibility as you go 
down to the other tiers. There are a lot of tools that are 
available to us that may include various supply chain 
standards. The government needs to work together on this to 
pull together and we can't start soon enough.
    Mr. Stearns. Mr. Hutchinson, according to your president 
and director, Paul Hommert, Sandia National Laboratories have 
been attacked up to 30,000 times per hour. Do some of these 
attacks get through your safety net? Does Sandia National 
Laboratories currently have supply chain checks in place with 
equipment that you buy?
    Mr. Hutchinson. OK. The attacks that lab Director Hommert 
is referring to are not supply chain attacks per se but just 
operational attacks against our cyber networks and they are 
measured that way because we have successfully identified that 
as an attack and stopped it before it affected our systems. And 
that said, we have instances where we detect compromises that 
occurred on our systems and we investigate and address those as 
we discover them. And yes, we do have very careful supply chain 
processes that we follow because our prime mission of building 
weapons has been a victim or has been a target, not a victim, a 
target of supply chain attacks for many years. So we have 
developed our end-sharing and science capabilities to address 
those issues.
    Mr. Stearns. Thank you, Mr. Chairman.
    Mr. Walden. I thank the gentleman for his questions.
    Seeing no other members to ask questions, thank you very 
much for your testimony, for your answers to the questions, and 
the good work you are doing to make America safer and more 
secure. We appreciate it in this role and in other roles that 
you have had. And I thank the subcommittee members for their 
participation. We will continue on this topic, although I don't 
see future hearings at the moment planned, but we will be in 
contact with you, and I know some of our colleagues have 
questions for you to follow up on, so we appreciate your 
written responses to those and any other suggestions you have 
for us. We want to get this right, and there is too much at 
stake not to.
    So we appreciate your help and I appreciate the 
participation of the committee, and with that, we stand 
adjourned.
    [Whereupon, at 11:38 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]