[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PUBLIC-SECTOR
RESPONSES
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
MARCH 28, 2012
__________
Serial No. 112-134
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
78-432 PDF WASHINGTON : 2013
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan, Chairman

Majority:
JOE BARTON, Texas, Chairman Emeritus
CLIFF STEARNS, Florida
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
MARY BONO MACK, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina, Vice Chairman
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
BRIAN P. BILBRAY, California
CHARLES F. BASS, New Hampshire
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

Minority:
HENRY A. WAXMAN, California, Ranking Member
JOHN D. DINGELL, Michigan, Chairman Emeritus
EDWARD J. MARKEY, Massachusetts
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
CHARLES A. GONZALEZ, Texas
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
_____
Subcommittee on Communications and Technology
GREG WALDEN, Oregon, Chairman

Majority:
LEE TERRY, Nebraska, Vice Chairman
CLIFF STEARNS, Florida
JOHN SHIMKUS, Illinois
MARY BONO MACK, California
MIKE ROGERS, Michigan
MARSHA BLACKBURN, Tennessee
BRIAN P. BILBRAY, California
CHARLES F. BASS, New Hampshire
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
BRETT GUTHRIE, Kentucky
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

Minority:
ANNA G. ESHOO, California, Ranking Member
EDWARD J. MARKEY, Massachusetts
MICHAEL F. DOYLE, Pennsylvania
DORIS O. MATSUI, California
JOHN BARROW, Georgia
DONNA M. CHRISTENSEN, Virgin Islands
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan
HENRY A. WAXMAN, California (ex officio)
CONTENTS
----------
Hon. Greg Walden, a Representative in Congress from the State of Oregon, opening statement
    Prepared statement
Hon. Lee Terry, a Representative in Congress from the State of Nebraska, opening statement
Hon. Anna G. Eshoo, a Representative in Congress from the State of California, opening statement
Hon. Doris O. Matsui, a Representative in Congress from the State of California, opening statement
Hon. Mary Bono Mack, a Representative in Congress from the State of California, opening statement
Hon. Marsha Blackburn, a Representative in Congress from the State of Tennessee, opening statement
Hon. Cliff Stearns, a Representative in Congress from the State of Florida, opening statement
Hon. Henry A. Waxman, a Representative in Congress from the State of California, opening statement
    Prepared statement

Witnesses
Fiona M. Alexander, Associate Administrator, Office of International Affairs, National Telecommunications and Information Administration, Department of Commerce
    Prepared statement
    Answers to submitted questions
James A. Barnett, Jr., Chief, Public Safety and Homeland Security Bureau, Federal Communications Commission
    Prepared statement
    Answers to submitted questions
Robert L. Hutchinson, Senior Manager for Information Security Sciences, Sandia National Laboratories
    Prepared statement
    Answers to submitted questions
Gregory E. Shannon, Chief Scientist, Computer Emergency Response Team, Software Engineering Institute, Carnegie Mellon University
    Prepared statement
    Answers to submitted questions
Roberta Stempfley, Acting Assistant Secretary, Office of Cybersecurity and Communications, Department of Homeland Security
    Prepared statement
    Answers to submitted questions

Submitted Material
Article, published March 28, 2012, ``U.S. Outgunned in Hacker War,'' Wall Street Journal, submitted by Mr. Stearns
CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PUBLIC-SECTOR
RESPONSES
----------
WEDNESDAY, MARCH 28, 2012
House of Representatives,
Subcommittee on Communications and Technology,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:05 a.m., in
room 2322 of the Rayburn House Office Building, Hon. Greg
Walden (chairman of the subcommittee) presiding.
Members present: Representatives Walden, Terry, Stearns,
Shimkus, Bono Mack, Blackburn, Bass, Latta, Guthrie, Kinzinger,
Eshoo, Matsui, Barrow, Dingell, and Waxman (ex officio).
Staff present: Carl Anderson, Counsel, Oversight; Ray Baum,
Senior Policy Advisor/Director of Coalitions; Nicholas Degani,
FCC Detailee; Andy Duberstein, Deputy Press Secretary; Neil
Fried, Chief Counsel, Communications and Technology; Debbee
Keller, Press Secretary; Katie Novaria, Legislative Clerk; and
David Redl, Counsel, Communications and Technology; Shawn
Chang, Democratic Senior Counsel; Jeff Cohen, FCC Detailee;
Roger Sherman, Democratic Chief Counsel; and Kara van Stralen,
Democratic Special Assistant.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. Good morning. The Subcommittee on
Communications and the Internet will come to order. The title
of today's hearing is ``Cybersecurity: Threats to
Communications Networks and Public-Sector Responses.''
Heeding the call of the House Republican Cybersecurity Task
Force appointed by the Speaker, this subcommittee has embarked
on a series of hearings, as most of you are aware, to get a
complete picture of the cybersecurity challenges that face our
Nation. Today is the third of our hearings on this topic,
having already heard from witnesses in our previous hearings on
the concerns of the private-sector security firms helping to
secure communications networks from cyber threats as well as
the network operators that must protect their networks while
providing the broadband services that have become the fuel of
our economy. Those hearings provided us with a lot of very,
very valuable information. We appreciate the witnesses who
testified. This hearing continues our subcommittee's review of
cybersecurity issues with a focus on the public sector.
In order to further investigate the complex issues that
surround any discussion of cybersecurity, I recently asked a
number of my subcommittee colleagues to serve on a bipartisan
working group tasked with gathering additional information. My
vice chairman, Mr. Terry, and Ranking Member Eshoo have
graciously served as co-chairs of the working group for the
last few weeks, and I am very appreciative of their work. The
group also included Representatives Doyle, Matsui, Kinzinger,
and Latta. The members of the working group and their staffs
have met with a number of industry stakeholders, and throughout
their discussions a consistent theme has emerged: the need for
the government and the private sector to work together to
address cybersecurity. The findings of the working group are
consistent with the message we have heard in our hearings on
this matter from the private-sector perspective.
Today, we hear from some of the agencies within our
government that are working to meet these threats, both in
terms of what is being done to promote cybersecurity as well as
how we can better secure our Nation's communications networks.
In this hearing, we are privileged to have five witnesses that
represent parts of the government that work to address the
complex cybersecurity issues our country faces every day. The
work being done by these government agencies to help address
cybersecurity is just the tip of the iceberg of what we can
achieve when our private-sector innovation and public-sector
resources are put to a common task. That is why I am a co-
sponsor of H.R. 3523, which is the Cyber Intelligence Sharing
and Protection Act. This bipartisan bill was introduced by my
Communications and Technology colleague and chairman of the
House Permanent Select Committee on Intelligence, Mike Rogers.
H.R. 3523 makes commonsense changes to the way our government
and the private sector share cyber intelligence without
compromising either the commercial broadband providers or the
integrity of the intelligence community.
Similarly, the good work being done by industry
stakeholders at the FCC on the Communications Security,
Reliability and Interoperability Council, or CSRIC, to bring
voluntary best practices to bear on the security of commercial
networks is another example of the type of public-private
cooperation that I think will achieve results without mandates.
It looks very similar to the Australian model that received
favorable reviews at one of our previous hearings. To remain
nimble and effective, codes of conduct like these should remain
voluntary and should involve all stakeholders in the Internet
ecosystem, not just the ISPs.
In addition to hearing from these agencies on the good work
that they are doing, I also expect to hear how you think we can
improve the cooperation between the Federal Government and
private industry as they work to combat cyber threats. Having
heard from the private sector, today's public-sector
perspective will give the members of the subcommittee a more
complete picture of the cybersecurity landscape.
I thank the panelists for your testimony today. I look
forward to a lively discussion of these issues.
[The prepared statement of Mr. Walden follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. With that, I would yield the remainder of my
time to the gentleman from Nebraska, Mr. Terry.
OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEBRASKA
Mr. Terry. Thank you, Mr. Chairman, and it is certainly
quite a learning curve from both the Speaker's task force and
the task force that Anna and I have been lucky enough to
oversee.
But this is a real threat to our economy and to our
country, and we need to really start thinking seriously about
ways of securing our communications networks, and in that
discussion, not only how but who should be part of that
process. First, I want to commend the Communications
Security and Reliability Interoperability Council, or CSRIC,
for its recent report outlining voluntary best practices that
industry has agreed to implement. ISPs engaging in the Anti-
Bot Code of Conduct and Domain Name System best practices, as
well as working to develop a framework to prevent IP route
hijacking, is a great start toward improving the overall health
and safety of our Nation's networks and limiting access for
attacks. I am confident that this collaboration will continue
to improve.
I will state for the record that I have some reservations
concerning giving government agencies like Department of
Homeland Security authority for overseeing or implementing the
standards. A, I think we need to focus on flexibility, and
secondly, that department hasn't provided me the level of
confidence that I would want to turn over our cybersecurity to
them. All we have to do is walk into our airports and visualize
my lack of confidence in them.
So at this point I will yield back, and I am anxious to
hear from the witnesses.
Mr. Walden. I now recognize the gentlelady from California,
my friend, Ms. Eshoo, for an opening statement.
OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Eshoo. Thank you, Mr. Chairman, and good morning to all
of my colleagues on the subcommittee, and welcome to our
witnesses. Thank you for being willing to be here today to
instruct us even further on this whole issue of cybersecurity.
We have had a very important series of hearings, and they
have been very, very helpful. They have been outstanding
hearings, and both sides of the aisle, I think, have agreed on
that.
As has been stated, I am part of the Cybersecurity Working
Group with Congressman Terry, and through the process that we
have followed, our collective staff have gathered information
from key stakeholders and have been focusing on issues such as
supply chain integrity, information sharing, consumer
education, and it is obviously our subcommittee's jurisdiction
in these areas. We have learned that Advanced Persistent
Threats, the APTs, pose a significant risk to our
communications infrastructure, and these sophisticated threats
are often either state-sponsored or pursued by criminal
enterprises and they have the potential to lead to significant
theft or manipulation of data and other malicious activities.
So we have our hands full, most frankly, about how to go at
this. Fortunately, there are experts like each one of you that
are working hard, really diligently to protect our country from
cyber threats, so we really look forward to hearing what you
can instruct us on this, and I want to especially welcome Mr.
Hutchinson from Sandia National Labs Adaptive Network
Countermeasures--these are real mouthfuls, I will tell you--the
ANC, the DHS efforts concerning domain name server security
extension and the FCC's recent recommendations from CSRIC. All
of these need to be stitched together. We can't afford to go
into an enlightened endeavor and end up with silos all over
again. I am very sensitive about that, having been a veteran of
the House Intelligence Committee.
So I think to deter cyber criminals, we need to have a
really well-coordinated, comprehensive effort that is going to
promote R&D, consumer education, supply chain integrity and
information and yet ensure at the same time that we speak to
privacy and civil-liberties protections.
I think it is also important that we don't take any actions
that would inadvertently hinder the private-sector development
of cybersecurity technology or create new network
vulnerabilities, and that is why I am pleased to see that both
public and private sectors are working together on these issues
and that the FCC's CSRIC unanimously endorsed voluntary
industry-wide best practices to address the whole issue of
botnets and domain name fraud and Internet route hijacking. So
I think that they have done very good work and it is something
that we need to take advantage of.
So today's hearing is really yet another opportunity for us
to look at this slice that you can teach us about and that we
weave that together all under the umbrella of really
safeguarding some of the most important parts of our national
infrastructure both public and private relative to
cybersecurity.
Ms. Eshoo. With the time that I have remaining, I will
yield it to Congresswoman Doris Matsui.
OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Ms. Matsui. Thank you very much, Ranking Member Eshoo, for
yielding me time, and I would like to welcome our witnesses
today, and I want to thank the chairman very much for having
this hearing today and having explored some of these issues for
the last month or so.
Communications networks are one of the many areas our
Nation must protect to ensure safety and soundness. It will be
important that data is protected in transit to cloud storage. A
number of government agencies are using cloud services, so it
is my hope that we can learn more from the early experiences.
I also believe that our subcommittee will have the ability
to further promote information sharing on cyber threats. I will
be interested in hearing from witnesses how information is
being shared within the government and between the government
and industry. There also seems to be a number of clearinghouses
that are used to store information related to cyber threats. I
will also be interested in hearing the relationship between
those silos and industry and government sharing. Securing the
supply chain will be of high importance.
We also need to consider that there might be some economic
incentives that could encourage industry to explore ways to
better address and defend against malware and botnets, and
again, I welcome you all here today and I am looking forward to
the testimony. Thank you very much.
Mr. Walden. Thank you, and thanks for your service on the
working group.
Now I recognize Representative Bono Mack for a minute, and
then we will have Mr. Barton and Ms. Blackburn.
OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Mrs. Bono Mack. Thank you, Mr. Chairman.
In our two previous hearings on this issue, we have heard
from representatives of the private sector and the
communications industry who expressed real concern about the
effects of heavy-handed new government regulation in this realm
of cybersecurity. Onerous new regulations they say will likely
fall haplessly behind existing technology and divert valuable
resources away from security and towards regulatory compliance.
Indeed, with so much information out there about the
sophisticated and constantly evolving nature of cyber attacks,
what the experts in the field have said they need most is the
ability to better share information about existing cyber
threats and the freedom to respond quickly to those threats.
Yesterday, Congresswoman Blackburn and I introduced the
House companion to Senator John McCain's Secure IT Act, which
first removes legal hurdles which prevent information sharing
across the spectrum so that victims of cyber attacks can better
work with each other to respond to cyber threats. I believe
that this approach, which empowers security experts to
proactively address threats rather than reactively respond to
them, is the best path forward.
I look forward to hearing from our witnesses today. I thank
them for appearing before us, and I would like to yield back
the balance of my time.
Mr. Walden. And I would recognize the gentlelady from
Tennessee for a minute.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Mrs. Blackburn. Thank you, Mr. Chairman, and I want to
thank your witnesses for being here.
You have heard us talk about the two previous hearings that
we have done with industry, and of course, what they have
pointed out is that there is no cookie-cutter approach that we
can follow as we deal with what are very dangerous issues. One
of the things that also has come out is that the Federal
Government needs to be leading by example. If we want to
provide assurance that there is going to be a pattern of
security, this is going to be important for us to do, to lead
by example.
Another thing that as we discuss this and how we are going
to lead by example, I also want to hear about what you are
doing to prioritize your R&D and how we are going to be able to
work with the private sector in that vein. As Representative
Bono Mack introduced, we introduced the Secure IT Act
yesterday. This is going to focus on strong info-sharing
components, making certain that we are addressing some
increased penalties for criminals and priority and coordination
of the Federal research.
So thank you all, welcome, and yield back.
Mr. Walden. I now recognize Mr. Stearns for a minute.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. Stearns. Thank you, Mr. Chairman.
Yesterday, Shawn Henry, the FBI's top cyber cop, told the
Wall Street Journal that the current public and private
approach to fending off hackers is unsustainable as computer
criminals are simply too talented and defensive measures are
too weak to stop them. He also expressed that companies need to
make major, major changes in the way they use computer networks
to avoid further to national security, and Mr. Chairman, I ask
that the Wall Street Journal article be part of the record by
unanimous consent.
Mr. Walden. Without objection.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Stearns. Today's hearing focuses on public-sector
responses to threats to communications networks. I am
interested to hear our witnesses' reaction to Mr. Henry's bleak
outlook on our unsustainable model to cybersecurity, as he
says, ``unsustainable in that you never get ahead, never become
secure, never have a reasonable expectation of privacy or
security.''
As chairman of the Oversight and Investigations
Subcommittee, I have held three cybersecurity hearings. Through
these hearings and the ones held by our chairman today, I hope
our committee can learn what we can do to make sure the good
guys are winning again.
Thank you, Mr. Chairman.
Mr. Walden. I thank the gentleman from Florida. Is anybody
else seeking recognition here? I know Mr. Barton had wanted
time, but he is not here.
Now I will go to you, Mr. Waxman. We will return the
balance of our time on this side and I now recognize the
chairman emeritus, Mr. Waxman, for 5 minutes.
OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Mr. Waxman. Thank you very much, Mr. Chairman, for holding
this hearing on cybersecurity.
It is important that we understand the government
perspective. I am especially interested to learn the steps
government agencies are taking to advance cybersecurity and
secure the supply chain. I also welcome our expert from
Carnegie Mellon.
The FCC, under the leadership of Chairman Genachowski and
Admiral Barnett, has established a Communications Security,
Reliability and Interoperability Council, or CSRIC, and today
we can learn about CSRIC's recent recommendations promoting
cybersecurity, as well as what other agencies are doing to
promote best practices and information sharing. Efforts like
CSRIC can help lead to adoption of best practices and voluntary
codes of conduct by Internet service providers, software
companies, manufacturers and security vendors.
But we also need to address the question of accountability.
For example, what if one company fails to be as diligent as
others in following best practices and, as a result, causes a
cyber breach that rises to the level of a national concern? We
need to explore whether reliance solely upon the private sector
to ensure the security of communications networks across the
country is sufficient, and what additional steps we might need
to achieve enough accountability to best protect critical
communications networks from cyber attacks.
We are hearing from industry that they want statutory
exemptions from privacy and antitrust laws in order to
facilitate information sharing. I have an open mind as we
consider these issues. But this should be a two-way street. If
industry wants exemptions from consumer protection laws, we
have a right to ask for accountability that companies actually
end up sharing information important for cybersecurity, do not
abuse their privileges, and are held accountable.
There is a stronger case to be made for enabling sharing
between the Federal Government and private industry, but we
need to balance information sharing with sufficient privacy and
civil-liberties protections. Further, we need to make sure that
the Federal agencies that engage in direct information sharing
with the private sector are civilian agencies, not intelligence
or defense agencies.
I hope we will also discuss securing the communications
supply chain. This is a growing potential threat, especially as
we are now witnessing thousands of applications being loaded
onto smart devices that connect to the public Internet. We
should examine the best ways to address this.
I want to thank our panel of witnesses for their
participation today and I look forward to hearing your
testimony. I yield back the time.
[The prepared statement of Mr. Waxman follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. The gentleman yields back the balance of his
time. We will now proceed with our witnesses. We thank you all
for being here and look forward to your comments.
We will start with Ms. Fiona Alexander, Associate
Administrator, Office of International Affairs, National
Telecommunications and Information Administration, NTIA, U.S.
Department of Commerce. That is a mouthful. We are glad you are
here today and we look forward to hearing from you. And just a
heads-up for everybody, these microphones, you have to get
pretty close to for people to hear, and make sure it is lit.
STATEMENTS OF FIONA M. ALEXANDER, ASSOCIATE ADMINISTRATOR,
OFFICE OF INTERNATIONAL AFFAIRS, NATIONAL TELECOMMUNICATIONS
AND INFORMATION ADMINISTRATION, DEPARTMENT OF COMMERCE; JAMES
A. BARNETT, JR., CHIEF, PUBLIC SAFETY AND HOMELAND SECURITY
BUREAU, FEDERAL COMMUNICATIONS COMMISSION; ROBERT L.
HUTCHINSON, SENIOR MANAGER FOR INFORMATION SECURITY SCIENCES,
SANDIA NATIONAL LABORATORIES; GREGORY E. SHANNON, CHIEF
SCIENTIST, COMPUTER EMERGENCY READINESS TEAM, SOFTWARE
ENGINEERING INSTITUTE, CARNEGIE MELLON UNIVERSITY; AND ROBERTA
STEMPFLEY, ACTING ASSISTANT SECRETARY, OFFICE OF CYBERSECURITY
AND COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS
DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY
STATEMENT OF FIONA M. ALEXANDER
Ms. Alexander. Thank you very much. It is a very long name.
So good morning, Chairman Walden, Ranking Member Eshoo and
members of the subcommittee. Thank you for this opportunity to
testify on behalf of the Department of Commerce's NTIA
regarding cybersecurity.
NTIA, as you know, is the President's principal advisor on
telecommunications and information policy matters and is the
executive branch expert on issues relating to the Internet's
Domain Name System, a critical component of the cyber
infrastructure. NTIA supports a multi-stakeholder approach to
the coordination of the DNS to ensure long-term viability of
the Internet. Working with other stakeholders, NTIA develops
policies and takes actions to preserve an open, interconnected
global Internet that supports continued innovation and economic
growth, investment and the trust of its users. This multi-
stakeholder model of Internet policymaking, convening the
private sector, civil society and government to address issues
in a timely and flexible manner, has been responsible for the
past success of the Internet and is critical to its future.
The authenticity of DNS data is essential to the security
of the Internet as it is vital that users reach their intended
destinations and are not unknowingly redirected to fraudulent
and malicious Web sites. This is one of the primary objectives
motivating NTIA's efforts to secure the DNS and what I will
specifically address today.
The early DNS, while exceptional in many ways, lacked
strong security mechanisms. Over time, hackers and others have
found more and more ways to exploit vulnerabilities in the DNS
protocol. That put the integrity of DNS data at risk. These
vulnerabilities increase the likelihood of certain DNS-related
cyber attacks which can lead to identity theft and other
security compromises.
In response to these risks, the Internet Engineering Task
Force developed a suite of specifications for securing
information provided by the DNS called Domain Name System
Security Extensions, or DNSSEC. DNSSEC provides an additional
layer of security to DNS by authenticating the origin of the
DNS data and verifying its integrity while it moves across the
Internet.
In 2008, NTIA undertook a multi-stakeholder public
consultation process regarding whether and how DNSSEC should be
deployed at the authoritative root, the top level of the DNS
hierarchy for which NTIA continues to have historical
oversight. In response to the public notice, NTIA received
overwhelming support from the international Internet community
to move forward as soon as possible. Over the next year and a
half, NTIA, drawing upon the input and expertise of technical
experts from around the world, and working closely with NIST, our
sister agency at Commerce, as well as our root zone management
partners, VeriSign and ICANN, moved to fully deploy DNSSEC at
the root in July 2010.
DNSSEC essentially gives a tamper-proof seal to the address
book of the Internet, similar to a wax seal on an envelope. For
example, I can send you a letter in an envelope, but when you
receive the envelope, you don't know if it was tampered with,
but if I use my seal on some wax across the envelope's closure,
then you know two things: the letter wasn't tampered with in
transit, which means there is data integrity, and that I was
the one who sent it, because you recognize my stamp, which is
data origin authentication. If you know that I always seal my
letters and you receive a letter from me that isn't sealed or
the seal is broken, you know that a bad guy or a man in the
middle could have opened the sealed envelope and replaced the
contents. You can throw it away because you know it is a fake.
DNSSEC information is like the letter in the envelope. DNSSEC
gives that information a seal that verifies and authenticates
it.
DNSSEC deployment at the authoritative root was an
important step toward protecting the integrity of DNS data and
mitigating attacks such as cache poisoning, which allows the
hacker to redirect traffic to fraudulent sites and other data
modification threats. This effort marks significant progress in
making the Internet more robust and secure as it provides a
tool to facilitate greater user confidence in the online
experience so that when someone visits a particular Web site,
whether it be a bank, a retailer or a doctor, they are not
seeing a spoofed copy that cyber criminals can use to
perpetuate identity theft or other crimes using the DNS.
In helping to deploy DNSSEC at the root zone, NTIA sought
to facilitate greater DNSSEC deployment throughout the
Internet. If we are to maintain trust in the Internet, then we
must support further DNSSEC deployment. Governments as well as
other stakeholders must continue to support the deployment and
development of DNSSEC-related software, tools and other
products and services. As we explore issues affecting Internet
space, we should take all appropriate steps to ensure that
DNSSEC use and adoption continues to grow.
In the coming months, NTIA, working as a part of the
Department of Commerce's Internet Policy Task Force, will be
looking for opportunities to launch further multi-stakeholder
processes aimed at enhancing the security and stability of the
DNS as well as broader cybersecurity efforts.
Thank you again for the opportunity to testify, and I will
be happy to answer any questions.
[The prepared statement of Ms. Alexander follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Ms. Alexander, we appreciate your comments and
we look forward to the questions.
Admiral, we are delighted to have you here today, Admiral
James Barnett, Jr., Retired, Chief, Public Safety and Homeland
Security Bureau, Federal Communications Commission, the FCC.
Welcome, and we look forward to your comments.
STATEMENT OF JAMES A. BARNETT, JR.
Mr. Barnett. Thank you, Chairman Walden, Ranking Member
Eshoo and all the distinguished members of the subcommittee. I
really appreciate the opportunity to come and talk to you on
this important topic of cybersecurity, and I am particularly
pleased to be able to testify with these experts and especially
my colleagues from DHS and Commerce with whom we work very
closely on cybersecurity matters.
Cybersecurity threats are a real and present danger to our
current economy and wellbeing. No one would tolerate the level
of criminality, thievery, vandalism or invasion of privacy that
we experience today if it were done in the physical world, and
we really can no longer afford to tolerate it in cyber space.
The approximately 40,000 autonomous systems or networks on
which the Internet is built are largely commercial or privately
owned. Commercial communications providers are therefore the
first line of defense against cyber threats and always will be.
Earlier this month, on March 7th, the subcommittee heard from
cybersecurity experts in the communication industry about how
hard they are working against those threats, yet if those
efforts alone were sufficient to thwart cyber threats, I don't
think we would be here today. To be successful in battling
cyber threats, we must work together collectively, industry and
the public sector.
As the Nation's expert agency on communications, we have
always been concerned with the security and reliability of
networks. The FCC has a long history of working on network
reliability and security with the companies that operate the
core of the Internet. We have constituted a Cybersecurity and
Communications Reliability Division in the Public Safety and
Homeland Security Bureau. These are our cyber experts who among
other duties coordinate the work of our current Federal
advisory committee, the Communications Security, Reliability
and Interoperability Council, CSRIC which you mentioned before.
CSRIC is now made up of over 50 industry leaders from the
private sector and the Federal Government including cyber
experts from DHS and NIST and a veritable all-star cast of
Internet pioneers and world-class cybersecurity experts that
are working on the council and the working groups.
And I am pleased to report that last week, CSRIC approved
voluntary industry-based recommendations addressing three
crucial problems. These recommendations are not simply a set of
reports that will adorn bookshelves. Numerous ISPs including
Comcast, Verizon, AT&T, Time Warner, Sprint, Cox, T-Mobile,
Frontier and CenturyLink have already pledged to implement the
CSRIC recommendations as they apply to their respective
networks. This means that these new cybersecurity measures will
soon be protecting a significant majority of American Internet
users.
First, CSRIC recommended that ISPs adopt a voluntary code
of conduct to provide critical security to Internet users to
fight botnets, which can steal personal information. We refer
to it as the anti-bot code, a code that specifically addresses
privacy of the end user.
Second, CSRIC examined Internet route hijacking, which can
occur due to the lack of verification between networks.
Internet route hijacking can endanger valuable intellectual and
private property and jeopardize our national security. In 2010,
traffic to 15 percent of the world's Internet destinations was
diverted through Chinese servers for approximately 18 minutes.
CSRIC recommended that ISPs embark upon a path toward
implementation of secure routing protocols, or secure BGP, to
minimize route hijacking. This would include the establishment
of a secure, authoritative database of Internet address blocks
to be used and checked by ISPs.
CSRIC's third area of action is the Domain Name System,
DNS, which Ms. Alexander just mentioned. DNS can be thought of
as the telephone book for the Internet, one that can be spoofed
and can lure exposure of private information. DNSSEC can
correct this problem. It was designed with privacy in mind.
CSRIC endorsed DNSSEC implementation by ISPs and industry-wide
adoption of the standard to help prevent unsuspecting Internet
users from being sent to fraudulent Web sites.
These voluntary initiatives stand as an example to the
world of how to promote cybersecurity while preserving the core
characteristics of the Internet, which have fueled the
broadband economy's growth and success. These efforts focus on
ISPs but they dovetail into broader cybersecurity efforts by
NIST and DHS which must address the larger information
technology community. We will continue to work with industry,
the multi-stakeholders and Federal partners on voluntary
industry-based solutions. We will carefully guard the
reliability and security of all communications networks. Thank
you.
[The prepared statement of Mr. Barnett follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Admiral, thank you very much. We appreciate
your testimony, even if it is ever more disturbing the more we
hear.
With that, we will now go to Mr. Hutchinson, Senior Manager
for Information Security Sciences at Sandia National
Laboratories. Thanks for all the work you and your team do out
there at Sandia, and we appreciate your being here today to
further enlighten us about the threat that we face and how we
might deal with it appropriately, so please go ahead.
STATEMENT OF ROBERT L. HUTCHINSON
Mr. Hutchinson. Good morning. Chairman Walden and Ranking
Member Eshoo and the distinguished members of the committee,
thank you for inviting me to testify before you today. I am Bob
Hutchinson, Senior Manager for Information Security Sciences at
Sandia National Laboratories. Sandia is a federally funded
research and development center for the Department of Energy.
DOE makes its significant investment in Sandia's cybersecurity
capabilities available to the Departments of Defense and
Homeland Security as well as other government agencies and non-
Federal entities.
I have been working to secure critical government
communications systems both as a researcher and as an
implementer for over 25 years, and today's testimony is based
on that experience. The most important lesson that I have
learned in my career is that computer systems can never be
fully trusted and can never be proven free of compromise, so we
must focus on finding ways to conduct business, even critical
business, on machines that are presumed to be infected. Our
focus should be on accomplishing our goals and not on building
and maintaining perfect computers and computer networks.
I would like to suggest four specific shifts in the current
national approach to cybersecurity. Each of these suggestions
implies a role for the government and a role for the private
sector. My intention is to highlight the strengths of each of
these communities and to find ways that they can reinforce each
other's interests.
Number one: In recent years, the Nation's cybersecurity
approach has shifted to an almost exclusive focus on data
theft. While this trend has been going for a number of years, it
understandably worsened in the aftermath of the Wikileaks
intelligence theft. Our best security analysts are being taught
to focus their attention on indications that sensitive data is
leaving our networks headed into enemy hands. While data theft
is a critical problem for the government and for the private
sector, I believe that our Nation has diverted too many
resources away from an equally, if not more important issue:
malicious data modification. As much as I worry about the theft
of sensitive data and U.S. intellectual property, my greater
fear is that an attacker will alter our data and affect our
decision processes. This form of attack has not only economic
consequences but can also impact public safety and confidence.
My staff and I focus much of our research on these scenarios.
The security community must continue to worry about data theft
but not to the detriment of other cyber attack goals. The
government should increase focused research and development
investment on preserving data integrity.
Number two: We tend to view the stacks of mobile devices
and networking components that arrive in U.S. ports as
pristine. When we discover a compromise, we strive to return
these devices to their original settings. This is a
fundamentally flawed security model. We don't have any idea
whether our devices have been precompromised during design,
manufacture or distribution. We call this a supply chain
attack. As an unclassified example, a few years ago a major
hard-drive manufacturer was discovered to have shipped brand-
new hard drives with malware preinstalled. The government, in
part through Sandia, has been addressing these supply chain
attacks for over three decades. The commercial companies share
this risk with the government. The government can help industry
by informing commercial companies of our lessons learned and
helping those companies use their existing supply relationship
to begin addressing this problem where it will have the
greatest impact directly within the company's own supply
chains.
Number three: It is not enough that the government shares
details of cybersecurity incidents with the community of
interest. It also needs to develop and share strategies.
Cybersecurity is more like a game of poker than a reaction to
a natural disaster. Simply sharing data without rules and
strategies prevents us from working together effectively. For
instance, careful coordination of our activities can cause an
adversary to reveal his identity.
Finally, number four: The most consistent cybersecurity
message across government and industry is that our Nation has a
profound shortage of qualified cybersecurity experts. There are
many efforts to educate, train and certify. Degrees and
certifications are not enough. Cybersecurity is a new field
that lacks scientific and engineering rigor. The best people in
this field learn through practice and apprenticeship. They use
judgment that is based on years of experience. The Department
of Energy began to address this issue over 10 years ago when
they asked Sandia to build a program that is more like a
medical residency than a trade certification. Many of the
people who have participated in this program have become
national leaders in securing emerging technologies such as
mobile device networks and cloud services. This investment has
yielded greater returns than any other program in which I have
been involved. Expanding this model so that all U.S.
cybersecurity professionals learn through a residency would
result in enormous gains for national security.
I would like to thank you for this opportunity to testify,
and I look forward to your questions.
[The prepared statement of Mr. Hutchinson follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Thank you, Mr. Hutchinson. We appreciate your
disturbing testimony.
Now we are going to go to Mr. Greg Shannon, the Chief
Scientist, Computer Emergency Readiness Team, Software
Engineering Institute at Carnegie Mellon University. Dr.
Shannon, thank you for being here. We look forward to your
testimony.
STATEMENT OF GREGORY E. SHANNON
Mr. Shannon. Thank you, Chairman Walden, Ranking Member
Eshoo and distinguished committee members. I am honored to
testify before you today on cybersecurity and communication
networks. I am the Chief Scientist for the CERT cybersecurity
program at the Software Engineering Institute, which is a
Department of Defense FFRDC operated by Carnegie Mellon
University.
CERT was created in 1988 by DARPA in response to the
moratorium incident and now we are a national asset for
cybersecurity with 250 staff tackling our Nation's technical
cybersecurity challenges. At CERT, we recognize the long-term
challenges as we confront the threats, deliver pragmatic
solutions and consider the technical roles for the private and
public sectors. We see two important policy opportunities with
long-term benefits.
First is to broadly promote the use of scientifically and
operationally validated policies, best practices, technologies,
standards, products, etc. Validated capabilities should trump
unvalidated ones.
Second is to actively enable controlled access to real
high-fidelity operational data for research. Good results
require good data as part of a long-term solution. Rigor and
data are the foundations of many successful technical public-
private partnerships such as National Centers for Disease
Control, the National Highway Transportation Traffic Safety
Administration and the National Transportation Safety Board.
Trusted public-private collaborations represent our mature
adoption of technology and are an important step for
cybersecurity to become a distinguishing capability for our
Nation.
Understanding today's cyber threats to our communications
networks is about more than war stories, anecdotes and scare
tactics. Adversaries can combine supply chain and operational
vulnerabilities in hardware, software, data and humans to
create multitudes of attack strategies. Policies should address
the root causes of our cyber threats and not just the immediate
symptoms. Otherwise our adversaries will merely use another
combination of what we haven't yet explicitly blocked, which is
a continuously losing battle for cybersecurity.
For decades, the public sector, often in partnership with
CERT, has addressed the technical symptoms and root causes of
cybersecurity threats and attacks together. At CERT, we help
millions of programmers write secure software to address the
root cause of vulnerable software. We help agencies protect
critical information, critical infrastructure operated by
hundreds of private companies to address the challenges of
responding to active attacks with potentially serious
consequences. Using our decade-long work on resiliency
management and smart grid maturity models, we are helping the
Department of Energy, DHS and the White House with the
Electricity Sector Cybersecurity Risk Management Maturity
Project. Such work will remove core vulnerabilities and
decrease the impact of attacks.
To better understand cybersecurity problems and solutions,
the science of cybersecurity is now broadly endorsed and funded
by key Federal science and technology agencies including the
Department of Energy. Policymakers can assist the research
community by explicitly requesting cybersecurity innovations
and practices that are scientifically and operationally valid.
Furthermore, policymakers can request data owners, public or
private, and the research organizations who can diligently use
the data to provide appropriate access to high-fidelity
operational data. Only with such data can cybersecurity
researchers learn leading attack indicators, identify
underlying principles and evaluate solutions.
Another role for the public sector is to improve the trust
required for effective cyber attack preparation and response by
clarifying public and private roles in cybersecurity,
especially with respect to information sharing. Consider
establishing one or more national repositories of operational
cybersecurity data for research purposes. Access to such a
repository would enable cyber research to reach new levels.
Sharing cyber data with strong privacy controls would engender
research that can look more globally and more predictably at
the problem, especially in the long term.
In conclusion, every day we at CERT see the value of trust,
rigor and data in helping mitigate cyber vulnerabilities,
threats and attacks. We look forward to the day when our Nation
can handle cybersecurity threats and attacks with the same
efficiency and effectiveness as our Nation's response to the
H1N1 health crisis. Then cybersecurity will truly be a
distinguishing national capability alongside others such as our
ability to innovate. Thank you.
[The prepared statement of Mr. Shannon follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Doctor, thank you. We appreciate your
testimony.
And our final witness on the panel is Roberta Stempfley,
Acting Assistant Secretary for Cybersecurity and
Communications, Department of Homeland Security. We are
delighted to have you here this morning and we look forward to
your testimony.
STATEMENT OF ROBERTA STEMPFLEY
Ms. Stempfley. Thank you very much, Chairman Walden and
Ranking Member Eshoo. As you said, I am with the Department of
Homeland Security. I have two decades of experience as a public
servant working both in the Defense Department for 18 years and
now almost two years at the Department of Homeland Security,
and it is certainly a privilege for me to have the opportunity
to come and speak to you today about the efforts that the
Department of Homeland Security has that support the
cybersecurity of our important communications networks.
As you know, the private sector owns most of the national
infrastructure in the communications environment and as such,
protecting the communications networks is not something the
Federal Government can or should do alone. There is no silver
bullet to cybersecurity, as my esteemed panel colleagues have
indicated. There is not a single tool, a single technique nor a
single organization who is capable or accountable or
responsible for delivering cybersecurity to the communications
networks. But access to reliable and consistent communications
is essential to maintaining the Nation's health, safety,
economy and public confidence.
Protection of communications infrastructure from this range
of threats, national disasters, terrorism and cybersecurity, is
of the highest priority to the Department of Homeland Security,
and this communications infrastructure is complex. It is a
system of systems with multiple ownerships and multiple
interconnection points. It involves wireline, wireless,
satellite, broadcast capabilities and serves as the transport that
enables this Internet that we live, play and function on.
The Office of Cybersecurity and Communications in the
Department's National Protection and Programs Directorate is
designated the federal entity to lead the coordination with
both the communications and information technology sectors of
critical infrastructure. We work closely with these partners
and ensure robust and resilient communications throughout the
Nation.
Within this Office of Cybersecurity and Communications, we
have an organization called the National Communications System,
which is the lead for the communications sector. It leads
government-industry coordination critical in the planning,
initiation, restoration and reconstitution of national security
emergency preparedness service and facilities. The National
Cybersecurity Division is responsible for leadership in the
information technology sector and responsible for major
cybersecurity programs that we will be speaking of today.
Additionally, we have the Office of Emergency
Communication, which supports and promotes the ability in
emergency responders and government officials to communicate in
the event of a disaster. The Office of Emergency
Communication's focus is on that interoperable and operable
emergency communications nationwide.
All of these organizations and others come together in an
operation center called the National Cybersecurity
Communication and Integration Center. It houses the National
Coordinating Center for Communications, a part of the National
Communications System, the U.S. Computer Emergency Readiness
Team, a part of the National Cybersecurity Division, as well as
other partners from industry and across the Federal Government
including members of the Communications, Information Sharing
and Analysis Center. Our collective efforts tie into the DHS-
wide collaboration and extend our partnership with Federal,
State, local governments and the private sector, and together
we work under orchestration to negate threats to the
communications infrastructure and to build strategies for
future success.
Protection of that communications infrastructure is
conducted in this holistic fashion and encompasses physical and
cyber threat strategies. Partnerships are key and very
important as is two-way information sharing. We have this
information sharing real time on the floor, as I indicated,
where 5,200 alerts were released by U.S. CERT to our partners
over the course of the last year. The Department employs
mechanisms to ensure that the sensitive proprietary information
shared with us from industry is protected and that privacy and
civil liberties are upheld. It is industry's willingness to
share this information on a voluntary basis that speaks to the
strong trust between DHS and its private-sector partners as we
work forward in this situation.
I spoke to that Communications Information Sharing and
Analysis Center. There are information sharing and analysis
centers within each sector. They are sector specific. And in
that sector, we have 56 private-sector partners that were the
first operations entity from the private sector on the floor of
the National Cybersecurity Communications Integration Center.
In addition, in the Department, the Secretary serves as the
executive agent supporting the President's National Security
Technology Advisory Committee. This committee is comprised of
up to 30 chief executives from industries like network service
providers, telecommunications, information technology, finance
and aerospace companies. The NSTAC makes recommendations to the
President on strategies and practices to secure vital
communications links through events and crises. We also have
worked in partnership on communication sector supply chain
threats, an item of interest to the committee today.
Given the increasing use of technologies such as
smartphones by first responders, there are real innovations
available in that situation and the Public Safety Broadband
Network that this committee was so integral in establishing
must be secure and reliable so that emergency responders can be
assured that sensitive information is protected and accurate.
DHS is committed to working with all of our public- and
private-sector partners today including NTIA and the FCC, who I
am pleased to be with on the panel today, to ensure we secure
the National Public Safety Broadband Network through this
holistic approach with equal emphasis on protecting
confidentiality, integrity and availability.
Thank you again for this opportunity to testify, and I am
pleased to answer your questions.
[The prepared statement of Ms. Stempfley follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Walden. Thank you, Ms. Stempfley. We appreciate your
comments. We were just talking here about, as you described,
the center out here, about maybe the subcommittee coming out to
take a look at some point.
Ms. Stempfley. We welcome you. Any time you would like, we
would be more than honored to have you out there and show you the
span of activity that goes on in that center. As I said in my
comments, it is a place where government and industry come
together. We have representatives not just from the
communications sector but from the information technology
sector, from the financial sector and from other partners on
that floor as well as partners across government from the
intelligence community and others.
Mr. Walden. All right. Thank you.
My first question would be to you. The Department of
Commerce's Economic Development Administration recently
suffered a cyber attack that has left the agency without
network connectivity for several weeks, I am told. Could you
elaborate on that situation and what DHS has been doing to
address it, and has it been resolved?
Ms. Stempfley. The Department of Homeland Security has
responsibility for protection and defense of the Federal
executive civilian branch, including the Department of Commerce.
That includes responsibilities for supporting the Department when
they had a compromise of the nature that you are describing at
the EDA. We have individuals on the ground with Commerce to
support EDA in the reconstitution of their network and are
building it in a way that is supportive of increased security
and the meeting of the Federal standards that are initiated
both by the Department and the Federal Information Security
Management Act.
Mr. Walden. So are they still offline?
Ms. Stempfley. I am personally not sure, sir, at the moment
but we would be happy to follow up with you on that.
Mr. Walden. Any idea where the attack came from?
Ms. Stempfley. I don't know attribution in this situation.
Attribution is generally the responsibility of law enforcement
and the intelligence community. We are responsible for
protection and mitigation measures, and I am happy to come back
with our partners from Commerce.
Mr. Walden. That seems pretty major if it has been offline
for several weeks.
There has been a resounding call for increased consumer
education when it comes to cybersecurity, and this is kind of
for everybody here. However, a report released earlier this
month by Trust Wave showed that after studying more than 300
data breaches in 2011, nearly 5 percent of the passwords on the
compromised networks were variations of the word ``password.''
So if end users cannot even wrap their heads around not using the
word ``password'' as a password, how can we as policymakers
form a better understanding of a complex topic like route
hijacking? Does anybody want to take that one quickly?
Mr. Shannon. At Carnegie Mellon University, there is a
large number of researchers studying how to make security and
privacy usable and it is turning out to be very daunting. The
password research has shown that people do reuse passwords.
When you get populations of passwords together, it creates a
vulnerability. So it becomes clear that individuals--it is
difficult for us to rely on individuals to be the foundation of
security.
Mr. Walden. I want to ask a different question of you, Dr.
Shannon. Some of the vulnerabilities in compromised systems
persist despite common knowledge among computer programmers of
the problem. For example, ``SEQUEL,'' the Structured Query
Language injection, has been one of the most common vectors for
database attacks for years, I am told. How do we change the
culture at coding to ensure the security is more of a focus?
Mr. Shannon. One is by providing explicit guidelines, which
we have been doing for the last 10 years. ``SEQUEL'' is not a
language that we have tackled. We have been focused on C++ and
Java and the C programming language. Part of the challenge is
that we do not control where the programs are written so they
may be written offshore under economically stressed and time
constraints. So it is a challenge of improving the general
practice, and providing coding standards is our step in that
direction.
Mr. Walden. All right. Thank you.
Mr. Hutchinson, you recommended, I think, four points of
things we should look at and talked about the supply chain
issues and this notion of precompromises of hardware with
malware installed. Are there more examples of that we should be
aware of in this setting?
Mr. Hutchinson. In this setting, I can't cover. The
examples I am aware of are classified. But, you know, I would
very much welcome a classified discussion on that topic.
Mr. Walden. Could you speak more about the malicious data
modification issues in this setting? What does that mean? What
are we seeing as examples?
Mr. Hutchinson. So just for context, when you--when an
event occurs on a network, the most normal thing for an analyst
to do is to look for the exfiltration of data from that
network, to analyze malicious code to determine whether it is
stealing data from the network and pointing it in the direction
of the adversary. The malicious modification would be something
that the compromise leaves behind that alters the data, changes
the nature of the data, changes emails, things like that.
Mr. Walden. I see. OK. And a question I have asked all the
panels we have had before, sort of in with the Hippocratic
oath, first, do no harm. Do you each, could you real quickly
just say what is the one caution you could offer as we
promulgate legislation? Ms. Alexander, what shouldn't we do?
Ms. Alexander. I think it is important that as you consider
ways to deal with this important issue, there is a grounding
and understanding of how the network actually works so that the
rules that are developed don't inadvertently undercut some of
the other activities.
Mr. Walden. All right. Admiral Barnett?
Mr. Barnett. So I think it is important to make sure that
we don't cut off this engine of innovation, that as we move
forward that we continue to have that openness. But I would
also say that as you do it, you have to look at the performance
metrics. Are the things that we are doing actually having some
effect? We have to have data driven to make sure that we are
actually doing some good.
Mr. Walden. Mr. Hutchinson?
Mr. Hutchinson. So there are some very strong relationships
in helping this problem like the relationship between DHS and
NSA. Anything that would harm that relationship I think would
be hurtful to the government.
Mr. Walden. Keeping open communication?
Mr. Hutchinson. Yes, that communication and the
relationship between the NSA and applying classified approaches
to this otherwise unclassified problem I think is
extraordinarily valuable.
Mr. Walden. OK. Dr. Shannon?
Mr. Shannon. I think we need to protect innovation, as the
admiral mentioned. There is a balance between too little
security that allows for the loss of intellectual property and
then onerous security that imposes a tax on innovation in the
long term and makes us no better than other countries that are
more restrictive in how their citizens behave, so I think there
is a real balance to maintain there to promote innovation.
Mr. Walden. All right. Ms. Stempfley?
Ms. Stempfley. As several individuals have identified,
there are relationships and partnerships and multiple
organizations that are involved, and those relationships must
equally be sustained and we must continue to empower the
multiple organizations that are involved here.
Mr. Walden. Thank you all very much.
Now I turn to Ms. Eshoo for questions.
Ms. Eshoo. Thank you, Mr. Chairman, and to each of the
witnesses, thank you. Excellent testimony. There was a group of
students that were here, and you are facing this way, but I
couldn't help but notice that they all left en masse, and I
thought we have either scared the hell out of them or bored
them. I don't know. I think that that might apply to us as well
because there are so many moving parts to this.
I have a whole list of very specific questions but I want
to set those aside. I will put them in writing to you, and I
don't think we need to ask for unanimous consent, no, because
members can ask questions in writing of the witnesses.
When we look at the whole issue of cybersecurity, it is my
understanding that 5 percent of the responsibility is in the public
sector, the government. Ninety-five percent of this rests with
the private sector. Now, CSRIC has come up with some
recommendations. Both the chairman and myself and I think that
other members have referenced it. Maybe some of you did in your
testimony. But I want to ask you the following question, and I
appreciate the rather deep dives that you have done on your
specific area of expertise and what your observations are. But
for each one of you, on the 5 percent, which is the government,
what is the top recommendation that you would make to us that
we need to take into consideration that will help remake the
landscape into a very smart one to address the threats that
come to us relative to cybersecurity in the government. Ms.
Alexander, I don't have a lot of time. We have got, like, 3
minutes for five of you.
Ms. Alexander. Sure. I think in addition to this idea of
continuing innovation and voluntary codes of conduct,
government is very powerful as a user and so we can set
examples and we influence procurement patterns. I think that is
one of the most powerful things that we can do as government.
Ms. Eshoo. Excellent. Thank you very much.
Admiral, thank you for your wonderful work.
Admiral Barnett. Thank you, ma'am. So I think continuing to
seek voluntary and industry-based solutions is the bedrock,
incentivizing that and looking for that, and then obviously as
almost every person mentioned in your openings, we really have
to tackle the supply chain.
Ms. Eshoo. Thank you.
Mr. Hutchinson. So maintaining opt-in alternatives for
industry to seek government's help in incentivizing those I
think is critical, and the supply chain is an area that will
become increasingly problematic, and I think we need to work
hard with industry to take the government know-how.
Mr. Shannon. I would say trust is----
Ms. Eshoo. Excuse me. I am sorry, Dr. Shannon. Let me get
back to you, Mr. Hutchinson. Are you suggesting that practices
on the public side is something that the private side can gain
a great deal from, or is it the other way around?
Mr. Hutchinson. Yes, this is a problem that the private
side does not understand well and the government understands
very well yet the private side has the problem to the same
degree that the government does, so this is a great opportunity
for the government to inform.
Ms. Eshoo. Thank you.
Dr. Shannon?
Mr. Shannon. Since the public is the hands that carries,
you know, as you mentioned, carries out the most activity, it
is the public sector's opportunity to promote trust, and that
is really one of the distinguishing capabilities of our
society, and as Jim Lewis has said in our venues, it is
something that distinguishes us from our adversaries may
approach things. So promoting trust I think is the real
opportunity on the government side.
Ms. Eshoo. Thank you.
Ms. Stempfley. Continue refinement in statute of the
authorities of the government in a situation----
Ms. Eshoo. Excuse me. What?
Ms. Stempfley. Continue refinement in statute of
authorities of organizations such as the Department of Homeland
Security.
Ms. Eshoo. What does that mean?
Ms. Stempfley. Excuse me?
Ms. Eshoo. What does it mean?
Ms. Stempfley. So what that means, ma'am, is what you find
in the Department is that our authorities are spread across
multiple statutes and multiple directives, and it is a bit of
patchwork landscape for us and provides great----
Ms. Eshoo. Well, that is the story of DHS.
Ms. Stempfley. Yes, ma'am. So if we refine that relative to
statute, that will put some clarity in terms of this and enable
stronger information sharing and information sharing in action.
Ms. Eshoo. Let me ask you something about this--it sounds
to me like a mini NSA with the center. Do you deal with things
after the fact and then you can advise Federal agencies about
how a cyber threat has affected them or do you defend the
workings of agencies so that they don't experience it? I am not
so sure what this group does. We would like to come out and see
it. Can you answer that for us? I am trying to picture it and
what you do.
Ms. Stempfley. I certainly can, ma'am. We do--we provide
prevention information and standards for Federal executive
civilian branches to follow that are about raising the security
of their branch so items they must do in order to be--in order
to meet the standard, and then we provide response actions when
something goes wrong as well as detection and prevention
activities at the boundary.
Ms. Eshoo. Well, I am over my time, and I thank all of you
for not only the work you do but making that come alive here in
your testimony. Thank you.
Thank you, Mr. Chairman.
Mr. Walden. Thank you.
We will now turn to Mr. Terry, the vice chair of the
subcommittee, for questions.
Mr. Terry. Thank you, Mr. Chairman, and I want to follow up
on both of the sets of questions.
Admiral Barnett, I want to commend you for the job in
CSRIC, and could you just briefly go over the main principles,
the five main principles that are outlined by CSRIC?
Mr. Barnett. There are actually major things, and I am very
pleased to have with me Jeff Goldthorpe, who is our Associate
Bureau Chief for Cybersecurity, who really led and put together
this incredible team. So the first one was the anti-bot code of
conduct for ISPs. All of these address ISPs. They are all
voluntary industry based. And basically the five tenets under
the anti-bot thing is education of the public so they
understand what the problems are, and that obviously goes to
prevention; detection when they are infected; providing notice
to them that their computer is infected because most of the
time they don't realize that their computer is infected, and
then giving them some tools or some resources in order to get
their computer cleaned and in collaboration to make sure that
that information is spread across other ISPs so we're refining
all this together.
And with regard to DNSSEC, it is encouragement to move
forward on implementation so to make all DNSSEC servers DNSSEC
aware, and on the Internet route hijacking, which as the
chairman mentioned is a little bit arcane and hard to
understand, but the main thing is, is establish a secure,
authoritative database in which addresses can be registered so
this would probably be with the American Registry of Internet
Numbers. And then ISPs can actually check their routes against
it and it will be authoritative. They will know where it is
going. We think this will get rid of all of the misrouting and
will do a lot to help us detect malicious routing. So those
would be the three main things.
Mr. Terry. All right. You mentioned a key phrase in there,
voluntary and industry based. Can you tell us why it is
important that standards and ways of implementing what you
stated should be voluntary and industry based?
Mr. Barnett. The FCC as a regulator actually has a long
history of working with industry to come up with best
practices. As a matter of fact, the FCC's NRIC, a predecessor
of CSRIC, came up with the first cybersecurity best practices
back in 2002. So by getting the experts together in the same
room and coming up with best practices with codes like this, we
think we can get a lot of things done. And it is also important
as CSRIC's work continues to make sure that we have the metrics
to understand, are those voluntary measures actually having the
effect we want to so CSRIC's work actually continues.
Mr. Terry. All right. Starting with you, Ms. Alexander, do
you agree with those principles?
Ms. Alexander. Yes. At NTIA we would very much support a
multi-stakeholder approach to Internet policymaking, and it is
really important that the breadth of stakeholders that are
involved in the ecosystem be part of these processes.
Mr. Terry. How about voluntary and industry does their own
standards?
Ms. Alexander. Yes, sir.
Mr. Terry. Mr. Hutchinson, what do you think?
Mr. Hutchinson. I agree with the voluntary nature of the
standards. One thing that we need, though, is better
experimentation around what constitutes best practices rather
than just a declaration. We need to be able to conduct
experiments.
Mr. Terry. Good point.
Mr. Shannon, you are the one non-Federal Government
employee at this panel.
Mr. Shannon. Yes. I actually participated in the 2002 NRIC
discussions, so I understand the value of that collaboration.
As the admiral mentioned, I agree that putting metrics in place
to determine if they are being effective is appropriate. You
know, take the lightest weight approach first. If voluntary
compliance works, then that is excellent, and it would be
wonderful to have metrics that confirm that.
Mr. Terry. Very good.
And Ms. Stempfley?
Ms. Stempfley. Thank you, sir. I believe that the
innovations that industry provides and the best practices they
provide are incredibly useful and very vital in our success in
this environment and bringing them together in a voluntary
nature is very important. As we go forward with the metrics
associated with those, their effectiveness and their use I
think is the place where we need to----
Mr. Terry. There is some effort by some Senators and
members that state that Homeland Security should be the one
developing with industry the standards for cybersecurity in the
private sector. Do you agree with that?
Ms. Stempfley. I believe that Homeland Security's
responsibilities are building standards across critical
infrastructure and working with the sector experts in each
sector for standards for cybersecurity.
Mr. Terry. How would you develop those standards?
Ms. Stempfley. We would develop----
Mr. Terry. And how would you enforce them? By rule?
Ms. Stempfley. I am sorry, sir. I didn't hear you.
Mr. Terry. Would that include developing rules then?
Ms. Stempfley. I believe that we need to bring industry
together in order to determine within each sector what is
important and then identify where we need to put in place best
practice and rules or other mechanisms for assurance of
compliance with best practices.
Mr. Terry. I would respectfully state that I disagree, and
I think, frankly, putting an agency in charge of developing
rules, even with collaboration, is dooming that industry. Yield
back.
Mr. Walden. The gentleman yields back his time.
I now recognize the gentlelady from California, Ms. Matsui.
Ms. Matsui. Thank you, Mr. Chairman.
An integral part of how the government is asking agency
reform to IT purchasing involves greater use of the cloud. As
the government's Chief Information Officer has said, last year
agencies successfully migrated 40 services to the cloud and
were able to eliminate more than 50 legacy systems in order to
save taxpayer dollars while expanding capabilities. I have a
question for Admiral Barnett, Ms. Alexander and Ms. Stempfley.
Some of the government agencies here today are using cloud
services. What can you share with us from your early
experiences with regard to cyber protections and threats? Ms.
Alexander?
Ms. Alexander. I am actually not the Department's expert on
cloud issues but I would be happy to make sure we get you an
answer for the record.
Ms. Matsui. Admiral Barnett?
Mr. Barnett. Thank you, ma'am. So cloud services, my former
colleague at FCC, Steve VanRoekel, has highlighted how valuable
cloud services can be. It does emphasize the need to make sure
that the transport between the user agency or company and that
cloud is secure and reliable. It is another thing that we and I
think the people that you see at this table are considering is
what happens for continuity of operations, continuity of
government, and so there is some considerations we need to make
sure on that, but really it emphasizes some of the very same
things that we have talked about today is the network
reliability and security.
Ms. Matsui. OK. Ms. Stempfley?
Ms. Stempfley. Cloud presents some really good
opportunities to get your arms around configuration management
and architecting opportunities so to get at the root cause. It
also has some particular threat opportunities as well, as
Admiral Barnett indicated, and you have to look at it in that
holistic lens as we move forward, and it is certainly a part of
the government's program to do so.
Ms. Matsui. OK. But as the private sector moves
increasingly to the cloud, what challenges do you foresee?
Ms. Stempfley. So I think as Admiral Barnett indicated,
bringing all of the content together into a single place
presents a route diversity requirement and a continuity
requirement. Cloud also presents the opportunity to overcome
that within the way the cloud is architected. So it is a
wonderful capability for us but it is one of those where it is
both a challenge and an opportunity simultaneously.
Ms. Matsui. OK. Thank you.
Dr. Shannon, it is my understanding that there are a number
of clearinghouses, area clearinghouses, that are used to store
information relating to cyber threats. U.S. CERT acts as one of
these clearinghouses. What is the relationship between those
silos and industry and government sharing? Can any company
access your clearinghouse or do they need to be a member of
some sort?
Mr. Shannon. CERT is part of an FFRDC collaboration along
with NIST to create vulnerability databases, and that is a
public resource that is widely available. Of course, we also
participate in government-focused ones, and that is part of the
policy decisions that need to be made that are part of the
discussions about how to share that more broadly.
Ms. Matsui. OK. So with multiple clearinghouses, does it
make sense to have a streamlined process for information
sharing for any stakeholder who is threatened with attack or at
risk?
Mr. Shannon. Anyone who is under threat or under attack
needs to know where to turn to, and I think providing that
clarity is part of what policymakers can help resolve. There
has been times when CERT has served that purpose, U.S. CERT has
served that purpose, and as Ms. Stempfley indicated, there is
confusion.
Ms. Matsui. OK. Admiral Barnett, I am pleased to hear you
already have commitments from major ISPs to implement CSRIC
recommendations. How do we share that with smaller companies
with likely much fewer resources have the ability and
incentives to do the same?
Mr. Barnett. It is a great question, ma'am. One of the
things I think you will see is that these things are going to
start becoming the industry standard, reviewing a lot of
flexibility for companies and how they implement them and over
what time. Hopefully they can do them along with their normal
business processes working with the American Cable Association
or maybe the smaller systems to figure out what are the best
ways, and one of the major things, as I mentioned, CSRIC's work
continues. The next things that we set them on is, what are the
barriers to implementation, how do we get over those. So these
same great experts are going to come back together and start
working on those very things.
Ms. Matsui. So there is a concerted effort to reach out to
some of the smaller companies?
Mr. Barnett. Yes, ma'am.
Ms. Matsui. OK. That is great. Good.
Let me see. Dr. Shannon, in your testimony, you stress the
importance of secure coding so initiatives such as addressing
root causes of cyber threats. Is this concept applicable to
apps that are downloaded to mobile devices that connect to the
Internet such as smartphones and our tablets?
Mr. Shannon. Yes. It is highly applicable. I mean, there is
two parts of the app's development environment. One is the
infrastructure and that needs to be coded securely. Fortunately
for the app developers, there is a more constrained environment
so it is a possibility for the ecosystem owner to help protect
the users and to ensure that the app developers are developing
appropriate apps. But part of it is, is that, you know, we will
find vulnerabilities there and that is how you train, you know,
the teenagers that are writing the apps to write them
correctly. I mean, it is a serious challenge but, you know, it
is that balance with innovation.
Ms. Matsui. Sure. OK. Thank you very much.
Mr. Walden. You hire them at Sandia Labs.
We will go now to the gentlelady from California, Ms. Bono
Mack, for questions.
Mrs. Bono Mack. Thank you, Mr. Chairman.
Ms. Stempfley, I can't see you over there, but my first
question is directed to you. Since Congress created the
Chemical Facility Antiterrorism Standards, or what we call
CFATS, program in 2007, there have been ongoing problems with
the way DHS has managed the program. These problems include DHS
improperly tiering 600 chemical facilities, wasteful spending
and the inability of DHS to properly train the workforce
responsible for carrying out the chemical security program.
Hundreds of millions have been spent on CFATS. We find
ourselves with a program that has been mismanaged, wasted
taxpayer dollars, and no assurance that our chemical facilities
are in fact secure.
Can you tell me with these significant problems in the
instance of CFATS how you could possibly assert to this
committee that DHS will not mismanage cybersecurity?
Ms. Stempfley. Ma'am, thank you very much for the
opportunity to address that. The differences between chemical
facilities and information technology and communication are
fairly profound in that situation, and so as we work as a
department of experts brought together and engage in these
discussions with industry about what are the basic standards
that are necessary, we envision building those basic standards
in that scenario and then learning lessons across the
Department from areas where we have worked through issues. We
want to ensure that we don't make the same mistakes a second
time.
Mrs. Bono Mack. With all due respect, I didn't really hear
an answer in your answer, but I would say to you that perhaps
there are differences between chemical facilities and
cybersecurity yet I think from the American people's point of
view, it is the bureaucracy, and I think you have rattled off
quite a list of acronyms but I don't know that my constituents
would feel safer by the list of acronyms that you have used. In
fact, to me, did I mishear you? The example of the EDA's Web
site or network being down for weeks when you were asked a
question by the chairman, you know, what do you and you are
responsible for prevention and mitigation. Is that not an
example, though, of failure of all of these bureaucracies to in
fact work together well?
Ms. Stempfley. The example presented by the chairman,
ma'am, with Commerce is an example where we in the Department
and the Department of Commerce have joint action that must be
taken. So in that scenario, the Department of Commerce has the
responsibility for the management and security of their systems
in building them and in operating them following the standards
set by the Department of Homeland Security.
Mrs. Bono Mack. Thank you.
To Admiral Barnett, you know, I agree that the Federal
Government should be involved in our country's cybersecurity
efforts, absolutely, but they should be enhancing cooperation
and they should be the facilitator, not a regulator. Can you
elaborate a little bit on your thoughts on the value of a
cooperative relationship with the private sector versus a
regulatory one?
Mr. Barnett. Yes, ma'am. So certainly the CSRIC actions
last week are an example of that, but there are many, many
others. CSRIC also addresses cooperation in the
telecommunications industry on next-generation 911, on
emergency learning, and as Dr. Shannon mentioned, we have done
this for years and years. I think it is helpful when you have
the regulator who is the expert in the United States to be
involved with this. They will sit down with industry, just like
the experts that I mentioned that I brought with me today. We
have experts in other areas like the ones I have mentioned in
next-generation 911, to be able to sit down with industry to
pull them together, and quite frankly, that is one of the
reasons that we were able to pull together these experts to
come up with voluntary industry-based solutions.
Mrs. Bono Mack. Thank you. I think my biggest concern is
recognizing how quickly the cyber world knows and the bad guys
are by nature one step ahead of the good guys, so the question
really is, with all of the regulatory hurdles potentially, how
do we really keep pace with the threat?
Mr. Barnett. Yes, ma'am. So recognizing that the large
majority of telecommunications cybersecurity are in private
hands, there is a couple things to that. They are the first
line of defense. Our actions, and I think what you have heard
mostly from these panelists, is to enhance those but we also
have to recognize something else. It is not working. We
wouldn't be here concerned about this if that was enough, and
so as Dr. Shannon mentioned, we have to have metrics to make
sure that the voluntary methods that we are employing work, and
then beyond that to look at whatever else. Hopefully there
would be other things that we could do, so information sharing
is one thing. There may be other best practices that we can do.
But the thing that is an absolutely prerequisite on this is, we
have to make sure that they are effective because we cannot go
on any longer the way we are now.
Mrs. Bono Mack. Thank you. My last question, and then I am
out of time. To any of you, are government agencies able to
effectively combat cyber agitators that we are very well aware
of right now like Anonymous and WILSEC and what are we doing to
stop their attacks. To anybody I will pose that question and
then I am out of time.
Ms. Stempfley. Government departments and agencies every
day are working to defend against threats as you indicated both
in terms of Anonymous and WILSEC, and in the instance where
they have been unsuccessful, we work in partnership to help
them overcome the impacts of those attacks in that situation
through a layered defense strategy which includes things like
the Einstein program and things like the establishment of
standards through the Federal network security programs.
Mr. Shannon. I would say just briefly, I would encourage
you to talk to the law enforcement community. I think they have
been doing a very effective job given some of the recent
arrests in that area.
Mrs. Bono Mack. All right. Thank you, Mr. Chairman, for the
time and I yield back.
Mr. Walden. The gentlelady yields back, and Admiral
Barnett, we agree with you on the accountability and matrix and
all that.
Mr. Dingell for 5 minutes.
Mr. Dingell. Thank you, Mr. Chairman. I hope you are not
still smarting from yesterday's handling of that legislation.
Good morning. This first question will be to all witnesses
yes or no. Ladies and gentlemen, industry witnesses told this
subcommittee on March 7, 2012, that the Federal Government
would facilitate better interindustry and public-private
information sharing. Do you agree with that opinion? Yes or no,
starting with Ms. Alexander.
Ms. Alexander. Yes.
Mr. Dingell. Admiral?
Mr. Barnett. Yes, information sharing can be a government
role.
Mr. Dingell. Just yes or no, because I am running out of
time.
Mr. Hutchinson. Yes.
Mr. Shannon. Yes.
Mr. Dingell. Ma'am?
Ms. Stempfley. Yes.
Mr. Dingell. Good. Again, to all witnesses, again, yes or
no. Senator Lieberman's cybersecurity bill, S. 2105, requires
the Secretary of Homeland Security to promulgate risk-based
cybersecurity performance requirements for owners of critical
infrastructure. Do you believe the promulgation of such
requirements is wise? Yes or no.
Ms. Alexander. Yes.
Mr. Dingell. Admiral, they don't have a nod button. You
have to say yes or no.
Mr. Barnett. Yes.
Mr. Dingell. All right. Next witness.
Mr. Hutchinson. Yes.
Mr. Shannon. No comment.
Ms. Stempfley. Yes.
Mr. Dingell. Thank you. Now, this is for all witnesses.
Similarly, do you believe promulgation of such performance
requirements would stifle innovation and harm industry's
ability to protect consumers from cyber threats? Yes or no. Ms.
Alexander?
Ms. Alexander. No.
Mr. Dingell. Admiral?
Mr. Barnett. No.
Mr. Dingell. Next witness.
Mr. Hutchinson. Yes.
Mr. Dingell. Next witness.
Mr. Shannon. It is a risk.
Mr. Dingell. Next witness.
Ms. Stempfley. No.
Mr. Dingell. All right. Now, Admiral Barnett, you mentioned
in your testimony the Communications Security, Reliability and
Interoperability Council--that is CSRIC--recommendations about
preventing domain name spoofing, route hijacking and botnet
attacks. These recommendations are voluntary, are they not?
Mr. Barnett. Yes, sir.
Mr. Dingell. Now, again, Admiral, how many Internet service
providers--ISPs--have adopted CSRIC's recommendations?
Mr. Barnett. There are nine Internet service providers that
have pledged to implement those recommendations.
Mr. Dingell. Out of how many?
Mr. Barnett. Well, there are literally thousands, I guess,
when you start talking about the small cable operators, and we
are working with the various associations----
Mr. Dingell. So what you are telling me is, you have a
penetration of nine out of thousands?
Mr. Barnett. Well, we have a penetration that will cover 80
percent of American Internet users right from the beginning and
we will continue to go towards 100 percent.
Mr. Dingell. Of course, if they can shut down your banking
industry, they can shut down your electrical utility industry,
your handling of your net, they could shut down the natural gas
pipeline system in this country, refineries, auto companies,
God knows what else they can shut down with that kind of
opportunity available.
Mr. Barnett. That is why we are going to continue to work
for 100 percent.
Mr. Dingell. When will you hit 100 percent? Do you have any
idea?
Mr. Barnett. We don't at this particular point but I felt
pretty good about getting 80 percent commitment from the
beginning, and we are going to continue work on the barriers to
implementation so that we can get even the smaller Internet
service providers as soon as possible.
Mr. Dingell. All right. Now, to all witnesses, similarly,
can and should CSRIC's recommendations be adopted by the FCC or
other Federal agencies and thereby be made mandatory? Please
answer yes or no, but I would very much appreciate a written
submission explaining your comment, starting with you, Ms.
Alexander.
Ms. Alexander. No.
Mr. Dingell. Admiral?
Mr. Barnett. No, sir.
Mr. Dingell. Next witness.
Mr. Hutchinson. No.
Mr. Shannon. Only when there is supporting data.
Mr. Dingell. Next witness.
Ms. Stempfley. No, sir.
Mr. Dingell. Thank you. And please submit that. I am sorry
to do that to you but the time here is rather limited.
Ms. Alexander, your testimony focused largely on domain
name security extensions. As you know, Internet Corporation for
Assigned Names and Numbers, ICANN, has signaled its intention
to increase by many fold the number of generic top-level domain
names. Is NTIA concerned that such expansion may complicate
efforts to deploy DNSSEC as well as compromise DNSSEC's future
effectiveness? Yes or no.
Ms. Alexander. No, sir, it is a requirement.
Mr. Dingell. Would you submit an appropriate further
response on that matter?
Ms. Alexander. Absolutely.
Mr. Dingell. Now, other witnesses, do any of you, starting
with you, Admiral, care to comment on Ms. Alexander's comments?
Mr. Barnett. No, sir.
Mr. Dingell. Next witness.
Mr. Hutchinson. No comment.
Mr. Dingell. Next witness.
Mr. Shannon. Any technology that hasn't been deployed for
decades may potentially have vulnerabilities, and that is
always a fundamental challenge in the age of the Internet.
There are unforeseen uses decades down the road. Leading
academics have contributed to DNSSEC. It is one of our best
efforts to try and tackle these issues, so I am confident that
it will stand the test of time.
Mr. Dingell. Ms. Stempfley?
Ms. Stempfley. No comment.
Mr. Dingell. Thank you.
Thank you, Mr. Chairman, for your courtesy.
Mr. Walden. Thank you.
We will now go to Ms. Blackburn for 5 minutes for
questions.
Mrs. Blackburn. Thank you, Mr. Chairman, and I want to
thank all of you for your time and for being here.
Mr. Hutchinson, I want to come to you first and ask you
about the program that you all have that you liken to a medical
residency in cybersecurity. So what I would like to know is how
that is structured, if you could give us a little bit more
detail. Is it public-private partnership? And the reason I ask
this is because in the area that I represent in Tennessee,
there around Nashville, we have so many individuals that
started working on the entertainment industry platforms and
they have moved to defense informatics or over to health care
informatics and then some of them are in financial service
informatics, and we see so much sharing on the skills that are
there to keep the backbone of the Internet safe, if you will,
and I think it is fascinating that you all have done something,
but as we talk about having a trained workforce who is able to
handle this, it sounds like a good idea and I would love a
little detail if you are able to share that.
Mr. Hutchinson. Yes. Thank you for that question. What we
realized is that technology is nowhere near ready to protect
our networks, that it really requires people and it requires
creative people who can adapt to lots of technology and tools.
When we built this program, we focused on bringing the
participants together in a common environment, to carefully
pair those individuals and team them with mentors, and to
create----
Mrs. Blackburn. Let me stop you right there. How do you
select individuals for this program? How do you pick them out
and select them?
Mr. Hutchinson. OK. So in the early days, we selected them
through an application and resume and interview process. Today,
there is a lot of referrals, so we get referrals from people
who understand this program, and so we place them in this
environment. They work together on teams. They work on actual
national security problems. They learn security through that
experience. They learn all the balances and the gives and takes
and what makes cybersecurity particularly difficult, and as
they build these projects out and make these tradeoffs, they
just gain the type of instinct that a medical student must also
gain in a residency program.
Mrs. Blackburn. OK. That sounds great. Now, any of the
graduates of your program, if you will, and I use that just as
a term to kind of look at those that have come through, how
many have come through the program?
Mr. Hutchinson. So I can provide an exact number for the
record but it is about 500.
Mrs. Blackburn. OK. That sounds wonderful. Have any of them
been helpful going forward in identifying risk or threats to
the system or maybe writing programs that help to foil any of
the threats? What kind of participation and results are you
seeing?
Mr. Hutchinson. So the people who have been through this
program are distributed to industry, they are in government
service, they work for national labs and other FFRDCs, and
there are many cases where they have developed tools that were
able to identify a particular breach of a network or to develop
algorithms that can provide things like directions toward
attribution and criminal investigation, digital forensics
capability. There is a long list of achievements.
Mrs. Blackburn. So you are seeing solid results?
Mr. Hutchinson. Solid results from these individuals.
Mrs. Blackburn. OK. That sounds great.
This is something I would like to hear from each of you,
and I only have 1 minute left. As I mentioned earlier, we are
working on cybersecurity legislation, and the question that
always come up is, how narrow do you make it or how broad. And
I have appreciated hearing your testimonies today. So how
narrowly or broadly should Federal legislation define what can
or cannot be shared between governments and private entities
and should there be specific requirements on PII about innocent
consumers being taken out of data packets before it can be
shared with any other government agencies?
Mr. Shannon. I encourage you to consider legislation that
is broad in the sense of supporting people who need to do the
right thing in response to incidents. In terms of more
prescriptive approaches, I encourage you to use data-driven,
you know, pilots essentially to verify that a policy that is
being considered that may be prescriptive is actually going to
be effective.
Mrs. Blackburn. OK.
Ms. Stempfley. I would like the opportunity to come back to
you via technical assistance or others and describe the
processes we use in the Department today for how to protect
privacy and other considerations where what we are mostly
focused on are indicators, the specific technical pieces of
information that are useful. While it is not possible to always
avoid in that indicator selection of some things that may be of
concern, we have strong protection measures in place to ensure
as we are working to get to the indicators the malicious code,
so I would like to follow up.
Mrs. Blackburn. Thank you. I appreciate that. I yield back.
Mr. Walden. I thank the gentlelady and now I turn to Mr.
Stearns for final questions.
Mr. Stearns. Thank you, Mr. Chairman. I think maybe you
heard my opening statement talking about Shawn Henry, the FBI's
top cyber cop, and so I was going to ask each of you starting
with you, Ms. Alexander, Mr. Henry told the Wall Street Journal
that we are not winning the cybersecurity battle. He went on to
say ``We have been playing defense for a long time, and you can
only build a fence so high, and what we found is that the
difference that the offense outpaces the defense and the
offense is better than the defense.'' Do you agree or disagree
with the assessment of Shawn Henry?
Ms. Alexander. Thank you very much, Congressman. I am not
familiar with the article or what he said but I would say he
just points to the reason why we are here today and why we are
all working so closely across the Federal Government to be
vigilant dealing with these issues.
Mr. Stearns. Admiral?
Mr. Barnett. Yes, sir, I would agree with him. We cannot
sustain the way it is going right now. We have too much of our
economy that is now invested in ones and zeros. There are so
many other things, verticals, critical infrastructures, that
depend on our communication infrastructure to impact it. So we
have to take action, and so I think what you have heard here
today is a call for that. And in answer to your response, we
appreciate this hearing to focus on it.
Mr. Stearns. Mr. Hutchinson?
Mr. Hutchinson. Attackers do have an easier job than a
defender has, and that is problematic, and it is resource-
depleting. I completely agree with the assessment that the
defenders are on the wrong side economically. I mean, it is
very easy for an attacker to attack a system and cause a lot of
money to be spent in defending that system. But the solution is
to accept that our networks will never be free of compromise
and to find ways that we can operate in the face of compromise,
and that is an open research challenge. There is certain
progress in that direction and I would encourage additional
support for those forms of research objectives.
Mr. Stearns. Dr. Shannon?
Mr. Shannon. It is a dramatic article. I have not read it.
It is certainly the sort of articles that we have seen for many
decades in the area of cybersecurity. They just tend to get
more press these days.
You know, I would encourage you to remember that it is
about root causes versus innovation. You know, we all received
email this morning, the sky isn't falling. There are serious,
serious challenges but it is easy to get a little carried away,
in my view.
Mr. Stearns. So would you agree with him or not?
Mr. Shannon. I don't think it is just going to be so
dramatic.
Mr. Stearns. OK.
Mr. Shannon. That is my personal opinion.
Mr. Stearns. I appreciate your honesty here.
Mr. Shannon. After being with colleagues who were dramatic,
you know, 20 years ago about these issues.
Mr. Stearns. OK. Ms. Stempfley?
Ms. Stempfley. Thank you, sir, and thank you for the
opportunity with this hearing because I think the thematics of
that article are certainly what we are talking about today, and
as I said, there is no single solution in this situation, and
so if the premise of the article is that we need to make
changes in order to increase awareness and importance of the
cybersecurity challenges, then I would agree with that.
Mr. Stearns. OK. Admiral Barnett, I think you told Ms.
Eshoo earlier that we need to focus on supply chain
vulnerabilities. I had a hearing as chairman of the Oversight
and Investigations Subcommittee yesterday just on that with the
Department of Energy, and frankly, they are doing catch-up. CBO
had a report that came out mentioning that the Department of
Defense and the DOE admit that they just started looking at
ways to look at cybersecurity in the supply chains. So I just
wonder if you had anything you would like to elaborate on about
the supply chain vulnerabilities.
Mr. Barnett. Well, at the FCC we have been looking at this
for the 2 years that I have been there, and I know we have been
working with other governmental partners on this. One of the
things that is apparent as we look across the authorities for
whatever else you can say about it is the authorities that we
have right now were not designed to address the supply chain
challenges we have right now, so additional work needs to
continue. There are a couple of approaches that I hear going
on. One is a kind of a transactional approach. One I think I am
intending to favor better right now is a supply chain risk
management where it is a tiered approach, and the most critical
elements of our communications network are provided the most
protection. That allows a little bit more flexibility as you go
down to the other tiers. There are a lot of tools that are
available to us that may include various supply chain
standards. The government needs to work together on this to
pull together and we can't start soon enough.
Mr. Stearns. Mr. Hutchinson, according to your president
and director, Paul Hommert, Sandia National Laboratories have
been attacked up to 30,000 times per hour. Do some of these
attacks get through your safety net? Does Sandia National
Laboratories currently have supply chain checks in place with
equipment that you buy?
Mr. Hutchinson. OK. The attacks that lab Director Hommert
is referring to are not supply chain attacks per se but just
operational attacks against our cyber networks and they are
measured that way because we have successfully identified that
as an attack and stopped it before it affected our systems. And
that said, we have instances where we detect compromises that
occurred on our systems and we investigate and address those as
we discover them. And yes, we do have very careful supply chain
processes that we follow because our prime mission of building
weapons has been a victim or has been a target, not a victim, a
target of supply chain attacks for many years. So we have
developed our end-sharing and science capabilities to address
those issues.
Mr. Stearns. Thank you, Mr. Chairman.
Mr. Walden. I thank the gentleman for his questions.
Seeing no other members to ask questions, thank you very
much for your testimony, for your answers to the questions, and
the good work you are doing to make America safer and more
secure. We appreciate it in this role and in other roles that
you have had. And I thank the subcommittee members for their
participation. We will continue on this topic, although I don't
see future hearings at the moment planned, but we will be in
contact with you, and I know some of our colleagues have
questions for you to follow up on, so we appreciate your
written responses to those and any other suggestions you have
for us. We want to get this right, and there is too much at
stake not to.
So we appreciate your help and I appreciate the
participation of the committee, and with that, we stand
adjourned.
[Whereupon, at 11:38 a.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]